How To Update Console Extentions

This document provides an overview of the Microsoft Endpoint Configuration Manager documentation, including sections on core infrastructure, how to use the console, fundamentals, cloud services, planning and designing an implementation, deploying servers and roles, getting started with evaluations and migrations, managing infrastructure, and monitoring. It covers topics such as sites, hierarchies, clients, content management, security, upgrades, and various tools.

Uploaded by

Kunwar Sahi

Contents

Core infrastructure documentation


Understand and explore
What is Configuration Manager?
Microsoft Endpoint Configuration Manager FAQ
What happened to SCCM?
Introduction
Find help for Configuration Manager
Product feedback
How to use the docs
Accessibility features
Software Center user guide
How to use the console
How to use the console
Console notifications
Manage console extensions
Import console extensions
Console changes and tips
Fundamentals
Configuration Manager fundamentals
Sites and hierarchies
About upgrade, update, and install
Manage devices
Client management
Security
Role-based administration
Configuration Manager and Windows as a Service
Use cloud services
Cloud services overview
Configuration Manager on Azure FAQ
FAQ for product and licensing
Which branch of Configuration Manager should I use?
Licensing and branches
Extended interoperability client
Long-term servicing branch
Long-term servicing branch overview
Supported configurations for the LTSB
Install the LTSB
Manage the LTSB
Upgrade the LTSB to the current branch
Plan and design
Get ready for Configuration Manager
Product changes
Features and capabilities
What's new in incremental versions
What's new in version 2111
What's new in version 2107
What's new in version 2103
What's new in version 2010
What's new in version 2006
What's changed from Configuration Manager 2012
Removed and deprecated
Removed and deprecated overview
Removed and deprecated features
Removed and deprecated for site servers
Removed and deprecated for clients
Supported configurations
Supported configurations
Site and site system prerequisites
Supported operating systems for site system servers
Supported operating systems for clients and devices
Support for Windows 11
Support for Windows 10
Support for the Windows ADK
Supported operating systems for consoles
Support for SQL Server versions
Support for Active Directory domains
Support for Windows features and networks
Support for virtualization environments
Size, scale, and performance
Size and scale numbers
Recommended hardware
Site size and performance guidelines
FAQ for site sizing and performance
Choose a device management solution
Design a hierarchy of sites
Design a hierarchy
Plan for the SMS Provider
Plan for the site database
Plan for site system servers
Fundamental concepts for content management
Content management fundamentals
Use a pull-distribution point
The content library
Configure a remote content library
Flowchart - Manage content library
Content library cleanup tool
Peer Cache for Configuration Manager clients
Package Transfer Manager
Manage network bandwidth for content management
Security and privacy for content management
Data transfers between sites
Types of data transfer
File-based replication
Database replication
How clients find resources and services
Security and privacy for site administration
Plan for network infrastructure
Network infrastructure considerations
Ports
Proxy server support
Internet access requirements
Active Directory schema
About schema extensions
Prepare the Active Directory schema
Prepare Windows Servers to support site systems
Websites for site system servers
Diagnostics and usage data
Overview of diagnostics and usage data
How Microsoft uses diagnostics and usage data
How Configuration Manager collects data
How to view diagnostics and usage data
Levels of diagnostics and usage data
Overview of levels
Data for version 2111
Data for version 2107
Data for version 2103
Data for version 2010
Data for version 2006
Configuration Manager tools
Frequently asked questions (FAQ)
Security and privacy for Configuration Manager
Plan for security
Configure security
Cryptographic controls technical reference
Certificates overview
Plan for PKI certificates
CNG v3 certificates overview
PKI certificate requirements
Example PKI certificate deployment
Additional privacy information
Enable TLS 1.2
About enabling TLS 1.2
Enable TLS 1.2 on clients
Enable TLS 1.2 on site servers and remote site systems
Common issues when enabling TLS 1.2
Security documentation hub
Get started
Evaluate Configuration Manager in a lab
Lab overview
Set up your lab
Create a lab in Azure
Technical Preview
Technical Preview overview
2201 features
2112 features
2111 features
2110 features
Migrate data between hierarchies
Migration overview
Plan for migration
Planning for migration
Prerequisites for migration
Checklists for migration
Determine whether to migrate data
Planning the source hierarchy
Planning migration jobs
Planning client migration
Planning for content deployment
Planning to migrate objects
Planning to monitor migration
Planning to complete migration
Configure source hierarchies and source sites
Operations for migrating
Security and privacy for migration
Deploy servers and roles
Deploy servers and roles
Install infrastructure
Get installation media
Before you run setup
Setup reference
Setup downloader
Prerequisite checker
Prerequisite checks
Installing sites
Prepare to install sites overview
Prepare to install sites
Prerequisites for installing sites
Use the setup wizard
Use a command-line
Command-line overview
Command-line options
Unattended setup script file keys
Install consoles
Upgrade an evaluation install
Upgrade to Configuration Manager
Scenarios to streamline your installation
Configure sites and hierarchies
Configure sites and hierarchies overview
Add site system roles
Add site system roles overview
Install site system roles
About the service connection point
Configuration options for site system roles
Database replicas for management points
Site components
Publish site data
Manage content and content infrastructure
Content infrastructure overview
Install and configure distribution points
Deploy and manage content
Monitor content
Microsoft Connected Cache
Troubleshoot Microsoft Connected Cache
Run discovery
Discovery methods overview
About discovery methods
Select discovery methods
Configure discovery methods
Boundaries and boundary groups
Overview
Define boundaries
About boundary groups
Boundary group options
Distribution points
Software update points
Management points
Boundary group example
Procedures for boundary groups
High availability
High availability options
Site server high availability
Flowchart - Passive site server setup
Flowchart - Promote site server (planned)
Flowchart - Promote site server (unplanned)
Prepare to use an availability group
Configure an availability group
Use a failover cluster instance
Custom locations for database files
Configure role-based administration
Configure Azure services
Uninstall and remove
Uninstall roles, sites, and hierarchies
Remove the CAS
Technical references
Accounts
Communications between endpoints
Enhanced HTTP
Hierarchy maintenance tool
International support
Interoperability between different versions
Language packs
About log files
Log file reference
Release notes
State messages
Unicode and ASCII support
Manage infrastructure
Management insights
Community hub
Use Community hub
Contribute to Community hub
Console extensions in Community hub
CMPivot
CMPivot overview
Use CMPivot
CMPivot changes
CMPivot sample scripts
Troubleshooting CMPivot
Maintenance tasks
Maintenance tasks overview
Reference for maintenance tasks
Modify your infrastructure
Modify infrastructure
The CD.Latest folder
Upgrade on-premises infrastructure
Updates for Configuration Manager overview
Updates for Configuration Manager
In-console updates
Prepare for in-console updates
Install in-console updates
After the site updates
Optional features
In-console updates FAQ
Update reset tool
Test database upgrade
Flowchart - Download updates
Flowchart - Update replication
Pre-release features
Service windows for site servers
Use the service connection tool
Use the update registration tool
Use the hotfix installer
Checklist for installing update 2111
Checklist for installing update 2107
Checklist for installing update 2103
Checklist for installing update 2010
Checklist for installing update 2006
Support for current branch versions
Backup and recovery
Back up sites
Recover sites
Unattended site recovery
Site failure impacts
Monitor infrastructure
Monitor hierarchy
Use the status system
Configure alerts
External notifications
Monitor scenario health
Health attestation
Replication infrastructure
Monitor replication
Troubleshoot SQL Server replication
Troubleshoot SQL Server replication
SQL Server replication
SQL Server configuration
SQL Server performance
SQL Server replication reinitialization (reinit)
Global data reinit
Site data reinit
Reinit missing message
Queries
Introduction to queries
How to manage queries
How to create queries
Security and privacy for queries
Reporting
Introduction to reporting
Integrate with Power BI Report Server
Install Power BI sample reports
Plan for reporting
Plan for reporting
Prerequisites for reporting
List of reports
Configure reporting
Operations and maintenance for reporting
Create custom report models
Data warehouse
Support Center
Support Center overview
Quickstart guide
Support Center OneTrace
User interface reference
Customizations
Accessibility
Configuration Manager tools
Tools overview
CMTrace
Client Spy
Deployment Monitoring Tool
Policy Spy
Power Viewer Tool
Send Schedule Tool
DP Job Queue Manager
Collection Evaluation Viewer
Content Library Explorer
Content Library Transfer
Content Ownership Tool
Extend and migrate to Microsoft Azure
Role-based Administration and Auditing Tool
Run Meter Summarization Tool
Manage high-risk deployments
Deploy clients
Planning for client deployment
Client installation methods
Prerequisites for deploying clients to Windows computers
Windows client prerequisites
Mobile device client prerequisites
Windows Firewall and port settings for clients
Determine the site system roles for clients
Security and privacy for clients
Recommendations for client deployment
Determine whether to block clients
Planning for client deployment to Mac computers
Client deployment to Windows Embedded devices
Planning for client deployment to Windows Embedded devices
Example scenario
Plan how to wake up clients
Manage VDI clients
Client deployment tasks
How to configure client communication ports
Configure clients to use DNS publishing
Configure client settings
How to configure client settings
About client settings
Device restart notifications
How to configure Wake on LAN
Deploy clients to Windows computers
How to deploy clients to Windows computers
Client installation properties
Client installation properties published to AD
Prepare to deploy clients to Macs
How to deploy clients to Macs
How to assign clients to a site
How to configure client status
How to monitor client deployment status
Manage clients
Manage clients overview
Monitor clients
How to monitor clients
Client health dashboard
Client health checks
Surface device dashboard
Sync data to Azure Monitor
Manage clients
How to manage clients
Configure the client cache
Client notification
Maintain Mac clients
Collections
Introduction to collections
Prerequisites for collections
Best practices for collections
Collection evaluation
How to create collections
How to manage collections
How to use maintenance windows
How to view collection evaluation
Security and privacy for collections
Hardware inventory
Introduction to hardware inventory
How to extend hardware inventory
How to configure hardware inventory
How to use Resource Explorer to view hardware inventory
Resource Explorer default classes
Security and privacy for hardware inventory
Software inventory
Introduction to software inventory
How to configure software inventory
How to use Resource Explorer to view software inventory
Security and privacy for software inventory
Asset Intelligence
Introduction
Prerequisites
Configure Asset Intelligence
Use Asset Intelligence
Security and privacy
Example validation state transitions
Example general license import file
Use the Product Lifecycle dashboard
Remote control
Introduction to remote control
Prerequisites for remote control
Configuring remote control
How to remotely administer a Windows client computer
How to audit remote control usage
Security and privacy for remote control
Power management
Introduction to power management
Prerequisites for power management
Best practices for power management
Administrator checklist for power management
Configuring power management
How to create and apply power plans
How to monitor and plan for power management
Security and privacy for power management
Upgrade clients
How to upgrade clients
Test client upgrades in a pre-production collection
Exclude Windows clients from upgrades
Upgrade Windows clients
Upgrade Mac clients
Manage clients over the internet
Manage clients over the internet overview
Cloud management gateway (CMG)
Overview
Plan
Plan for CMG
CMG client authentication
CMG hierarchy design
Supported configurations for CMG
Performance and scale
Cost
Set up
Set up checklist
1. Server authentication certificate
2. Configure Azure Active Directory
3. Configure client authentication
4. Set up a CMG
5. Configure clients for CMG
Manage
Monitor a CMG
Modify a CMG
Reference
Manually register Azure AD apps for CMG
Security and privacy for CMG
FAQ for CMG
Ports and data flow
Plan for internet-based client management
Install clients using Azure AD
Token-based authentication for CMG
Azure AD authentication workflow
Use a cloud-based distribution point
Install cloud-based distribution points
What is Configuration Manager?
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Starting in version 1910, Configuration Manager is now part of Microsoft Endpoint Manager.

Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing. Continue to leverage your existing Configuration Manager investments, while taking advantage of the power of the Microsoft cloud at your own pace.

The following Microsoft management solutions are all now part of the Microsoft Endpoint Manager brand:
Configuration Manager
Intune
Desktop Analytics
Autopilot
Other features in the Device Management Admin Console

For more information, see Microsoft Endpoint Configuration Manager FAQ.

Introduction
Use Configuration Manager to help you with the following systems management activities:
Increase IT productivity and efficiency by reducing manual tasks and letting you focus on high-value projects.
Maximize hardware and software investments.
Empower user productivity by providing the right software at the right time.

Configuration Manager helps you deliver more effective IT services by enabling:
Secure and scalable deployment of applications, software updates, and operating systems.
Real-time actions on managed devices.
Cloud-powered analytics and management for on-premises and internet-based devices.
Compliance settings management.
Comprehensive management of servers, desktops, and laptops.

Configuration Manager extends and works alongside many Microsoft technologies and solutions. For example, Configuration Manager integrates with:
Microsoft Intune to co-manage a wide variety of mobile device platforms
Microsoft Azure to host cloud services to extend your management services
Windows Server Update Services (WSUS) to manage software updates
Certificate Services
Exchange Server and Exchange Online
Group Policy
DNS
Windows Automated Deployment Kit (Windows ADK) and the User State Migration Tool (USMT)
Windows Deployment Services (WDS)
Remote Desktop and Remote Assistance

Configuration Manager also uses:
Active Directory Domain Services and Azure Active Directory for security, service location, configuration, and to discover the users and devices that you want to manage.
Microsoft SQL Server as a distributed change management database, and integrates with SQL Server Reporting Services (SSRS) to produce reports to monitor and track management activities.
Site system roles that extend management functionality and use the web services of Internet Information Services (IIS).
Delivery Optimization, Windows Low Extra Delay Background Transport (LEDBAT), Background Intelligent Transfer Service (BITS), BranchCache, and other peer caching technologies to help manage content on your networks and between devices.

To be successful with Configuration Manager in a production environment, thoroughly plan and test the management features. Configuration Manager is a powerful management application, with the potential to affect every computer in your organization. When you deploy and manage Configuration Manager with careful planning and consideration of your business requirements, Configuration Manager can reduce your administrative overhead and total cost of ownership.

User interfaces
The Configuration Manager console
After you install Configuration Manager, use the Configuration Manager console to configure sites and clients, and to run and monitor management tasks. This console is the main point of administration, and lets you manage multiple sites.
You can install the Configuration Manager console on additional computers, and restrict access and limit what administrative users can see in the console by using Configuration Manager role-based administration.
For more information, see Use the Configuration Manager console.

Software Center
Software Center is an application that's installed when you install the Configuration Manager client on a Windows device. Users use Software Center to request and install software that you deploy. Software Center lets users do the following actions:
Browse for and install applications, software updates, and new OS versions
View their software request history
View device compliance against your organization's policies
You can also show custom tabs in Software Center to meet additional business requirements.
For more information, see the Software Center user guide.

Next steps
Before you install Configuration Manager, familiarize yourself with the basic concepts and terms:
If you're familiar with System Center 2012 Configuration Manager, see What's changed from System Center 2012 Configuration Manager.
For a high-level technical overview of Configuration Manager, see Fundamentals of Configuration Manager.
When you're familiar with the basic concepts, use this documentation library to help you successfully deploy and use Configuration Manager. Start with the following articles:
Features and capabilities of Configuration Manager
Choose a device management solution
Evaluate Configuration Manager by building your own lab environment
Find help for using Configuration Manager

What happened to System Center Configuration Manager?
2/16/2022 • 2 minutes to read

Starting in version 1910, Configuration Manager current branch is now part of Microsoft Endpoint Manager. Version 1906 and earlier are still branded System Center Configuration Manager. The Microsoft Endpoint Manager brand will appear in the product and documentation over the coming months.
There's no change to the other components of the System Center suite.
Prior product versions, such as System Center 2012 Configuration Manager, aren't rebranded.
For more information, see the following articles:
What is Configuration Manager?
Microsoft Endpoint Configuration Manager FAQ

Find help for using Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


There are several resources that you can use to find help with Configuration Manager. Whether you're just getting started or an experienced administrator, use the following resources when you need assistance:
Send a smile or file a frown with product feedback
Search the product documentation
Follow the Configuration Manager team blog
Understand support options and community resources
For help with product accessibility, see Accessibility features.
To get support for co-management, tenant attach, and analytics features, see How to get support in Microsoft Endpoint Manager admin center.

Product feedback
From the Configuration Manager console, you can share feedback directly to the Microsoft product group. In the upper right corner of the console, select the smiley face icon. There are three types of feedback:
Send a smile: Send feedback on what you liked.
Send a frown: Send feedback on what you didn't like, and how Microsoft can improve it.
Send a suggestion: Open the Configuration Manager product feedback site to share your idea.
For more information, see Product feedback.

Product documentation
To access the most current product documentation, start at the library index.
For tips on searching, providing feedback, and more information about using the product documentation, see How to use the docs.

Configuration Manager team blog
The engineering and partner teams use the Configuration Manager blog to provide you with technical information and other news about Configuration Manager and related technologies. Our blog posts supplement the product documentation and support information.

Support options and community resources
The following links provide information about support options and community resources:
Microsoft support
Configuration Manager forums on Microsoft Q&A
Configuration Manager Community: Configuration Manager (Current Branch) Survival Guide

Next steps
Product feedback
Accessibility features
How to use the docs
How to use the console
Software Center user guide
How to get support in Microsoft Endpoint Manager admin center
Product feedback for Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


From the Configuration Manager console, you can share feedback directly to the Microsoft product group. In the upper right corner of the console, select the feedback icon. There are three types of feedback:
Send a smile (ALT + SHIFT + 7): Send feedback on what you liked.
Send a frown (ALT + SHIFT + 8): Send feedback on what you didn't like, and how Microsoft can improve it.
Send a suggestion (ALT + SHIFT + 9): Open the Configuration Manager product feedback website to share your idea. For more information, see Send a suggestion.
There's also an option to Contact support (ALT + SHIFT + 0), which opens the Microsoft support for business portal.
When using the feedback wizard from the console, the following items are displayed where needed:
A description of the feedback is required
Select from a list of issue categories for the console workspace
It includes tips for how to write useful feedback
You can attach additional files
A summary page displays your feedback ID, and includes any error messages with suggestions to resolve them.

NOTE
This wizard is in the Configuration Manager console. Support Center has a similar feedback experience.

Starting in version 2107, error messages include a link to Report error to Microsoft. This action opens the standard send a frown window to provide feedback. It automatically includes details about the user interface and the error to better help Microsoft engineers diagnose the error. Aside from making it easier to send a frown, it also includes the full context of the error message when you share a screenshot.
Starting in Configuration Manager 2111, when you Report error to Microsoft, the error information included with the feedback can't be altered or removed.
Starting in Configuration Manager 2111, wizards and some property pages include an icon to provide feedback, allowing you to quickly send feedback right from your current activity.

Prerequisites
Update the Configuration Manager console to the latest version.
On the computer where you run the console, allow it to access the following internet endpoints to send diagnostic data to Microsoft:
petrol.office.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
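A practical way to confirm the allowlist above is in place before a feedback submission fails is to probe each endpoint from the console host. The following PowerShell is an added example, not part of the Configuration Manager documentation or tooling. It assumes the endpoints are reached over HTTPS on TCP 443 (the page lists host names only), treats the last entry as a wildcard allowlist pattern that cannot be probed, and uses a placeholder proxy address; the `Test-FeedbackEndpoint` function name is this example's own.

```powershell
# Added example, not from the Configuration Manager docs: check that the console host can
# reach each diagnostic-data endpoint listed above. Assumptions (not stated on the page):
# the endpoints are reached over HTTPS on TCP 443, and the last entry is a wildcard
# allowlist pattern rather than a resolvable host name.

$FeedbackEndpoints = @(
    'petrol.office.microsoft.com',
    'ceuswatcab01.blob.core.windows.net',
    'ceuswatcab02.blob.core.windows.net',
    'eaus2watcab01.blob.core.windows.net',
    'eaus2watcab02.blob.core.windows.net',
    'weus2watcab01.blob.core.windows.net',
    'weus2watcab02.blob.core.windows.net',
    'umwatsonc.events.data.microsoft.com',
    '*-umwatsonc.events.data.microsoft.com'
)

function Test-FeedbackEndpoint {
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [int] $Port = 443,      # assumption: HTTPS
        [uri] $ProxyUri         # optional explicit proxy, e.g. http://proxy.example.invalid:8080 (placeholder)
    )
    foreach ($h in $HostName) {
        $row = [ordered]@{ Host = $h; Resolves = $null; Reachable = $null; HttpStatus = $null; Note = '' }

        if ($h.Contains('*')) {
            # A wildcard cannot be probed; it has to be verified as a rule on the proxy or firewall.
            $row.Note = 'wildcard allowlist entry; verify the proxy or firewall rule by hand'
            [pscustomobject]$row
            continue
        }

        try { [void][System.Net.Dns]::GetHostAddresses($h); $row.Resolves = $true }
        catch { $row.Resolves = $false }

        if ($ProxyUri) {
            # Through an explicit proxy only an HTTP request exercises the real path. Any response,
            # even 4xx, shows the proxy let the request through; 5xx usually means the proxy itself
            # could not reach the upstream host.
            try {
                $resp = Invoke-WebRequest -Uri "https://$h/" -Method Head -Proxy $ProxyUri -TimeoutSec 10 -UseBasicParsing
                $row.HttpStatus = [int]$resp.StatusCode
            } catch {
                if ($_.Exception.Response) { $row.HttpStatus = [int]$_.Exception.Response.StatusCode }
            }
            $row.Reachable = ($null -ne $row.HttpStatus) -and ($row.HttpStatus -lt 500)
        }
        elseif ($row.Resolves) {
            # Direct path: a completed TCP handshake on the port shows the firewall allows it.
            $row.Reachable = [bool](Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue)
        }
        else {
            $row.Reachable = $false
        }
        [pscustomobject]$row
    }
}

# Direct check; add -ProxyUri 'http://proxy.example.invalid:8080' when the console host uses an explicit proxy.
Test-FeedbackEndpoint -HostName $FeedbackEndpoints | Format-Table -AutoSize
```

Run it as the user who operates the console, because per-user proxy settings and authentication are what the feedback wizard will actually use. A row that resolves but is not reachable points at the firewall or proxy rule; a row that does not resolve points at DNS.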

Send a smile
To send feedback on something that you like about Configuration Manager:
1. In the upper-right corner of the Configuration Manager console, select the feedback icon. Choose Send a smile.
2. On the first page of the Provide feedback wizard:
   Tell us what you liked: Enter a detailed description of why you're filing this feedback.
   You can contact me about this feedback: To allow Microsoft to contact you about this feedback if necessary, select this option and specify a valid email address.
   Include screenshot: Select this option to add a screenshot. By default it uses the full screen; select Refresh to capture the latest image. Select Browse to select a different image file.
3. Select Next to send the feedback. You may see a progress bar as it packages the content to send.
4. When the progress is complete, select Details to see the transaction ID or any errors that occurred.

Send a frown
Before you file a frown, prepare your information:
If you have multiple issues, send a separate report for each issue. Don't include multiple issues in a single report.
Provide clear details on the issue. Share any research that you've gathered so far. More detailed information is better to help Microsoft investigate and diagnose the issue.
Do you need immediate assistance? If so, contact Microsoft support for urgent issues. For more information, see Support options and community resources.
Is this feedback a suggestion to improve the product? If so, share a new idea instead. For more information, see Send a suggestion.
Is the issue with the product documentation? You can file feedback directly on the documentation. For more information, see Doc feedback.
To send feedback on something that you didn't like about the Configuration Manager product:
1. In the upper-right corner of the Configuration Manager console, select the feedback icon. Choose Send a frown.
2. On the first page of the Provide feedback wizard:
   Issue category: Select a category that's most appropriate for your issue.
   Describe your issue with as much detail as possible.
   You can contact me about this feedback: To allow Microsoft to contact you about this feedback if necessary, select this option and specify a valid email address.
3. On the Add more details page of the wizard:
   Include screenshot: Select this option to add a screenshot. By default it uses the full screen; select Refresh to capture the latest image. Select Browse to select a different image file.
   Include additional files: Select Attach and add log files, which can help Microsoft better understand the issue. To remove all attached files from your feedback, select Clear all. To remove individual files, select the delete icon to the right of the file name.
4. Select Next to send the feedback. You may see a progress bar as it packages the content to send.
5. When the progress is complete, select Details to see the transaction ID or any errors that occurred.
If you don't have internet connectivity:
The Provide feedback wizard still packages your feedback and files.
The final summary page shows an error that it couldn't send the feedback.
Select the option to Save a copy of feedback and attachments. For more information on how to send it to Microsoft, see Send feedback that you saved for later submission.
If the Provide feedback wizard successfully submits your feedback, but fails to send the attached files, use the same instructions for no internet connectivity.

Send a suggestion
When you Send a suggestion, it opens the Feedback for Configuration Manager site.
For more information, including the different status values, see How Microsoft uses feedback.

Status messages
When you Send a smile or Send a frown, it creates a status message when you submit the feedback. This message provides a record of:
When you submitted the feedback
Who submitted it
The feedback ID
The message ID identifies if the feedback submission was successful:
53900: Success
53901: Failed
You can use the built-in status message query, Feedback sent to Microsoft, to easily display these status messages. You can also display status messages in the Monitoring workspace, under System Status in the Status Message Queries node. Start with the All Status Messages query and select your time frame. When the messages load, select Filter messages, and filter for message ID 53900 or 53901. If you create feedback that you save for later submission, the site doesn't create a status message.
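The same filter the console applies can be run from PowerShell when you want these records as objects, for example to reconcile what left the site with what was meant to leave it. This is an added example, not from the documentation: it queries the SMS Provider over WMI for message IDs 53900 and 53901. The `SMS_StatusMessage` class, its `Time`, `MachineName` and `Component` properties, and the `root\SMS\site_<code>` namespace are assumptions about the SMS Provider schema rather than anything this page states; `PS1` is a placeholder site code and `Get-FeedbackStatusMessage` is this example's own name.

```powershell
# Added example, not from the Configuration Manager docs: list the feedback status messages
# (53900 = Success, 53901 = Failed, per the page) from the SMS Provider. The class and
# property names below are assumptions about the provider schema, not from this page.

function Get-FeedbackStatusMessage {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,          # three-character site code, e.g. 'PS1' (placeholder)
        [string]   $ProviderServer = $env:COMPUTERNAME,     # SMS Provider host; assumed to be the local site server
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    $MessageMeaning = @{ 53900 = 'Success'; 53901 = 'Failed' }   # message IDs documented above

    # WQL compares Time as a DMTF datetime string, so convert the cut-off before filtering.
    $dmtf   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Since)
    $filter = "(MessageID = 53900 OR MessageID = 53901) AND Time >= '$dmtf'"

    Get-CimInstance -ComputerName $ProviderServer -Namespace "root\SMS\site_$SiteCode" `
        -ClassName SMS_StatusMessage -Filter $filter |
        Sort-Object Time -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.Time
                SiteCode  = $_.SiteCode
                Machine   = $_.MachineName
                Component = $_.Component
                MessageID = $_.MessageID
                Result    = $MessageMeaning[[int]$_.MessageID]
            }
        }
}

# Feedback submissions recorded by the site in the last seven days (placeholder site code).
Get-FeedbackStatusMessage -SiteCode 'PS1' | Format-Table -AutoSize
```

The submitter and the feedback ID that the page says are recorded live in the message's insertion strings, which this listing does not expand; open the message in the Feedback sent to Microsoft query for those. Because the site creates no status message for feedback saved for later submission, an offline upload made with UploadOfflineFeedback will not appear here.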

Information sent with feedback
When you Send a smile or Send a frown, the feedback includes the following information:
OS build information
Configuration Manager support ID, also known as the hierarchy ID
Product build information
Language information
Device identifier: HKLM\SOFTWARE\Microsoft\SQMClient:MachineId

Send feedback that you saved for later submission
You can save your feedback locally and submit it later. Use this process if the current computer doesn't have internet access.
1. At the bottom of the Provide feedback window, select Save a copy of feedback and attachments.
2. Save the .zip file. If the local machine doesn't have internet access, copy the file to an internet-connected machine.
3. If needed, copy the UploadOfflineFeedback folder from the site server located at cd.latest\SMSSETUP\Tools\UploadOfflineFeedback\.

NOTE
For more information about the cd.latest folder, see the CD.Latest folder.

4. On an internet-connected machine, open a command prompt.
5. Run the following command: UploadOfflineFeedback.exe -f c:\folder\location_of.zip
UploadOfflineFeedback tool usage
The UploadOfflineFeedback tool supports the following command-line parameters:
-f, --file (required): The path to the saved feedback file to send.
-t, --timeout: Timeout in seconds for sending the data. 0 is unlimited. Default is 30.
-s, --silent: Don't log any output to the command prompt. You can't combine this parameter with --verbose.
-v, --verbose: Log verbose output to the command prompt. You can't combine this parameter with --silent.
--help: Display this usage information.
--version: Display the tool version.

The UploadOfflineFeedback utility supports the use of a proxy server. You can specify the following parameters:
-x, --proxy: Specify the proxy server address.
-o, --port: Specify the port for the proxy server.
-u, --user: Specify the user name to authenticate to the proxy server.
-w, --password: Specify the password for the specified user name. If you use an asterisk (*), the tool prompts for the password. The password isn't displayed in the prompt. This value is recommended, because including the password in plain text on the command line is less secure.
-i, --SkipConnectionCheck: Skips the network connection check, and just starts to upload the feedback with the specified settings.

Confirmation of console feedback


When you send feedback, it shows a confirmation message. This message includes a Feedback ID, which you
can give to Microsoft as a tracking identifier.
In the Provide feedback window from the console, it displays the feedback ID on the final page. To copy it,
select the copy icon next to the ID, or use the CTRL + C key shortcut. This ID isn't stored on your
computer, so make sure to copy it before you close the window.
The status message includes the feedback ID.
The UploadOfflineFeedback command tool writes the FeedbackID to the console unless you use
--silent.

Feedback for Support Center


If you have feedback on Support Center, use the following instructions:
1. In the upper right corner of the application, select the smiley face.
2. In the drop-down menu, select Send a smile or Send a frown.
If you select Send a suggestion, you will be taken to the feedback portal. For more information, see
Send a suggestion.
3. Use the text box to explain what you liked or what you didn't like.
4. Choose if you would like to share your e-mail address and a screenshot.
5. Select Submit Feedback.

Feedback for PowerShell


If you have feedback on the Configuration Manager PowerShell cmdlets, use the same options in the
Configuration Manager console to send feedback.
When you send a frown, include the following additional information specific to PowerShell:
The exact script or command syntax that you used so that Microsoft can try to reproduce the issue.
What behavior you expected compared to the actual behavior.
The full output when you run it with the Verbose common parameter.
The version and path of the ConfigurationManager module. For example, include the output of the
following commands:

(Get-Module -Name ConfigurationManager).Version


(Get-Module -Name ConfigurationManager).Path

If a cmdlet returns an error, use the following command to get exception details:

$Error[0].Exception | Format-List * -Force

Next steps
How to use the docs
How to use the console
How to get support in Microsoft Endpoint Manager admin center
How to use the docs
2/16/2022 • 7 minutes to read

This article provides resources and tips for using the Microsoft Endpoint Manager documentation library. It
applies to Configuration Manager, Microsoft Intune, and Autopilot, and covers the following areas:
How to search
Submitting doc bugs, enhancements, questions, and new ideas
How to get notified of changes
How to contribute to docs
For general help and support, see:
Find help for Configuration Manager
Get support in Microsoft Endpoint Manager

TIP
Also visit the Documentation node in the Community workspace of the Configuration Manager console. This node
includes up-to-date information about Configuration Manager documentation and support articles. For more
information, see Using the Configuration Manager console.

Information in this article also applies to the Configuration Manager PowerShell documentation in the
sccm-docs-powershell-ref repository.

Search
Use the following search tips to help you find the information that you need:
When using your preferred search engine to locate content, include a keyword along with your search
keywords. For example, ConfigMgr for Configuration Manager and Intune for Intune.
Look for results from docs.microsoft.com/mem. Results from docs.microsoft.com/previous-versions,
technet.microsoft.com, or msdn.microsoft.com are for older product versions.

To further focus the search results to the current content library, include site:docs.microsoft.com
in your query to scope the search engine.
Use search terms that match terminology in the user interface and online documentation. Avoid unofficial
terms or abbreviations that you might see in community content. For example, search for:
"management point" rather than "MP"
"deployment type" rather than "DT"
"Intune management extension" rather than "IME"
To search within the current article, use your browser's Find feature. With most modern web browsers,
press Ctrl + F and then enter your search terms.
Each article on docs.microsoft.com includes the following fields to assist with searching the content:
Search in the upper right corner. To search all articles, enter terms in this field. Articles in this
content library automatically include one of the following search scopes: ConfigMgr, Intune, or
Autopilot.
Filter by title above the left table of contents. To search the current table of contents, enter terms
in this field. This field only matches terms that appear in the article titles for the current node. For
example, Configuration Manager Core Infrastructure (docs.microsoft.com/mem/configmgr/core) or
Intune Apps (https://docs.microsoft.com/mem/intune/apps/). The last item in the search results gives you the
option to search for the terms in the entire content library.

Having problems finding something? File feedback! When you file an issue about search results, provide the
search engine you're using, the keywords you tried, and the target article. This feedback helps Microsoft
optimize the content for better search.
Add a custom search engine
With many modern web browsers, you can create a custom search engine. Use this feature to quickly and easily
search docs.microsoft.com . For example, with Microsoft Edge, version 77 and later, use the following process:
1. In Microsoft Edge, version 77 and later, open Settings.
2. In the left menu, select Privacy, search, and services.
3. Scroll to the bottom of the Services group and select Address bar and search.
4. Select Manage search engines.
5. Select Add and specify the following information:
Search engine: Enter a friendly name to identify it in the list of search engines. For example,
Microsoft docs.
Keyword: Specify a short term to use in the address bar to activate this search engine. For
example, memdocs.
URL with %s in place of query: For example,
https://docs.microsoft.com/en-us/search/index?search=%s&scope=ConfigMgr

NOTE
This example is specific to the ConfigMgr scope. You can remove the scope variable to search all
docs.microsoft.com or use a different scope.
The Microsoft Docs search engine requires a locale in the address. For example, en-us. You can change
your entry to use a different locale.

After you add this search engine, type your keyword in the browser address bar, press Tab, then type your
search terms, and press Enter. It will automatically search Microsoft Docs for your specified terms using the
defined scope.

About feedback
Select the Feedback link in the upper right of any article to go to the Feedback section at the bottom. Feedback
is integrated with GitHub Issues. For more information about this integration with GitHub Issues, see the docs
platform blog post.

To share docs feedback about the current article, select This page. A GitHub account is a prerequisite for
providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs
organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body,
but don't modify the document details section. Then select Submit new issue to file a new issue for the target
article in the MEMDocs GitHub repository.
To see whether there's already feedback for this article, select View all page feedback. This action opens a
GitHub issue query for this article. By default it displays both open and closed issues. Review any existing
feedback before you submit a new issue. If you find a related issue, select the face icon to add a reaction, add a
comment to the thread, or Subscribe to receive notifications.
Types of feedback
Use GitHub Issues to submit the following types of feedback:
Doc bug: The content is out of date, unclear, confusing, or broken.
Doc enhancement: A suggestion to improve the article.
Doc question: You need help with finding existing documentation.
Doc idea: A suggestion for a new article.
Kudos: Positive feedback about a helpful or informative article!
Localization: Feedback about content translation.
Search engine optimization (SEO): Feedback about problems searching for content. Include the search
engine, keywords, and target article in the comments.
If you create an issue for something not related to docs, Microsoft will close the issue and redirect you to a
better feedback channel. For example:
Product feedback for Configuration Manager or Intune
Product questions
Support requests for Configuration Manager or Microsoft Endpoint Manager
To share feedback on the fundamental docs.microsoft.com platform, see Docs feedback. The platform includes
all of the wrapper components such as the header, table of contents, and right menu. Also how the articles
render in the browser, such as the font, alert boxes, and page anchors.

Notifications
To receive notifications when content changes in the documentation library, use the following steps:
1. Use the docs search to find an article or set of articles.
Search for a single article by title, for example: What's new in Microsoft Intune.

TIP
To refine the search to a single article, use the full title that displays in the docs.microsoft.com search
results. You can also use a string from the first paragraph, as shown in this example.

This example results in the following RSS link:

https://docs.microsoft.com/api/search/rss?search=%22What%27s+new+in+microsoft+intune%22%2B%22learn+what%27s+new%22&locale=en-us&facet=&%24filter=scopes%2Fany%28t%3A+t+eq+%27Intune%27%29

NOTE
The above RSS feed URL example includes the &locale=en-us variable. The locale variable is required,
but you can change it to another supported locale. For example, &locale=ja-jp .

Search for any Configuration Manager article about BitLocker

NOTE
Use other keywords or the Docs search filters to further refine your search query.
2. At the bottom of the list of results, select the RSS link.

3. Use this feed in an RSS application to receive notifications when there's a change to any of the search
results. Refer to the RSS application's documentation on how to configure and tune it.

TIP
You can also Watch the MEMDocs repository on GitHub. This method can generate many notifications. It also doesn't
include changes from the private repository that Microsoft uses.

Contribute
The Microsoft Endpoint Manager documentation library, like most content on docs.microsoft.com, is open-
sourced on GitHub. This library accepts and encourages community contributions. For more information on
how to get started, see the Contributor Guide. The only prerequisite is to create a GitHub account.
Basic steps to contribute
1. From the target article, select Edit in the upper right corner. This action opens the source file in GitHub.
2. To edit the source file, select the pencil icon.

3. Make changes in the markdown source. For more information, see How to use Markdown for writing
Docs.
4. In the Propose file change section, enter the public commit comment describing what you changed. Then
select Propose file change.
5. Scroll down and verify the changes you made. Select Create pull request to open the form. Describe
why you made this change. Select Create pull request.
The writing team receives your pull request, and assigns it to the appropriate writer. The author reviews the text,
and does a quick edit pass on it. They'll either approve and merge the changes, or contact you for more
information about the update.
What to contribute
If you want to contribute, but don't know where to start, see the following suggestions:
Review an article for accuracy. Then update the ms.date metadata using mm/dd/yyyy format. This
contribution helps keep the content fresh.
Add clarifications, examples, or guidance based on your experience. This contribution uses the power of
the community to share knowledge.

NOTE
Large contributions require signing a Contribution License Agreement (CLA) if you aren't a Microsoft employee. GitHub
automatically requires you to sign this agreement when a contribution meets the threshold. You only need to sign this
agreement once.

Contribution tips
Follow these general guidelines when you contribute:
Don't surprise us with large pull requests. Instead, file an issue and start a discussion. Then we can agree
on a direction before you invest a large amount of time.
Read the Microsoft style guide. Know the Top 10 tips for Microsoft style and voice.
Follow the GitHub Flow workflow.
Blog and tweet (or whatever) about your contributions, frequently!
(This list was borrowed from the .NET contributing guide.)
Accessibility features in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager includes features to help make it accessible for everyone.

NOTE
To improve the accessibility features of the Configuration Manager console, update .NET to version 4.7 or later on the
computer running the console.
For more information on the accessibility changes made in .NET 4.7.1 and 4.7.2, see What's new in accessibility in the .NET
Framework.

Keyboard shortcuts
Console workspaces
To access a workspace, use the following keyboard shortcuts:

Keyboard shortcut    Workspace
Ctrl + 1             Assets and Compliance
Ctrl + 2             Software Library
Ctrl + 3             Monitoring
Ctrl + 4             Administration

Other console shortcuts


Keyboard shortcut    Purpose
Ctrl + M             Set the focus on the main (central) pane.
Ctrl + T             Set the focus to the top node in the navigation pane. If the focus was already in
                     that pane, the focus is set to the last node you visited.
Ctrl + I             Set the focus to the breadcrumb bar, below the ribbon.
Ctrl + L             Set the focus to the Search field, when available.
Ctrl + D             Set the focus to the details pane, when available.
Alt                  Change the focus in and out of the ribbon.

CMPivot shortcuts
Most web browser keyboard shortcuts will work in CMPivot.

Keyboard shortcut    Purpose
Ctrl + 1             Set the focus on the first tab.
Alt + <              Go back to the address

Collection relationship diagram shortcuts


When you view collection relationships in the Configuration Manager console, use the TAB key to change the
focus. By default, the focus is on the page number controls. When the focus is on the graph itself (navigator), use
the following keyboard shortcuts to navigate:

Navigator shortcut    Purpose
Ctrl + W              Scroll up
Ctrl + S              Scroll down
Ctrl + A              Scroll left
Ctrl + D              Scroll right
Ctrl + +              Zoom in
Ctrl + -              Zoom out

Use the following keyboard shortcuts to quickly move focus to different areas of the window:

Keyboard shortcut    Purpose
Alt + P              Dependent page
Alt + B              Back
Alt + H              Home
Alt + N              Collection name
Alt + T              Filter

Other accessibility features


To navigate the navigation pane, type the letters of a node name.
Keyboard navigation through the main view and the ribbon is circular.
Keyboard navigation in the details pane is circular. To return to the previous object or pane, use Ctrl + D,
then Shift + TAB.
After refreshing a Workspace view, the focus is set to the main pane of that workspace.
To access a workspace menu, select the Tab key until the Expand/Collapse icon is in focus. Then, select the
Down arrow key to access the workspace menu.
To navigate through a workspace menu, use the arrow keys.
To access different areas in the workspace, use the Tab key and Shift+Tab keys. To navigate within an area
of the workspace, such as the ribbon, use the arrow keys.
To access the address bar when your focus is in the tree node, use Shift+Tab three times.
On a wizard or property page, you can move between the boxes with keyboard shortcuts. Select the Alt
key plus the underlined character (Alt+_) to select a specific box.
To navigate to the different nodes of a workspace, enter the first letter of the name of a node. Each key
press moves the cursor to the next node that begins with that letter. When you're using a screen reader,
the reader reads out the name of that node.

Next steps
For more information on the fundamentals of navigating Configuration Manager user interfaces, see the
following articles:
Using the Configuration Manager console
Software Center user guide

NOTE
The information in this article might apply only to users who license Microsoft products in the United States. If you
obtained this product outside of the United States, you can use the subsidiary information card that came with your
software package or visit the Microsoft Accessibility website for contact information for Microsoft support services. You
can contact your subsidiary to find out whether the type of products and services that are described in this section are
available in your area. Information about accessibility is available in other languages, including Japanese and French.
Software Center user guide
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Your organization's IT admin uses Software Center to install applications, software updates, and upgrade
Windows. This user guide explains the functionality of Software Center for users of the computer.
Software Center is installed automatically on Windows devices that your IT organization manages. To get
started, see How to open Software Center.
General notes about Software Center functionality:
This article describes the latest features of Software Center. If your organization is using an older but still
supported version of Software Center, not all features are available. For more information, contact your IT
admin.
Your IT admin may disable some aspects of Software Center. Your specific experience may vary.
If multiple users are using a device at the same time, the user with the lowest session ID will be the only
one to see all available deployments in Software Center. For example, multiple users on a remote desktop
environment. Users with higher session IDs may not see some of the deployments in Software Center. For
example, the users with higher session IDs may see deployed Applications, but not deployed Packages or
Task Sequences. Meanwhile the user with the lowest session ID will see all deployed Applications,
Packages, and Task Sequences. The Users tab of Windows Task Manager shows all users and their
session IDs.
Your IT admin may change the color of Software Center, and add your organization's logo.

How to open Software Center


Software Center is installed automatically on Windows devices that your IT organization manages. For the
simplest method to start Software Center, go to Start and type Software Center. You may not need to type the
entire string for Windows to find the best match.

To navigate the Start menu, look under the Microsoft Endpoint Manager group for the Software Center
icon.
NOTE
The above Start menu path is for versions from November 2019 (version 1910) or later. In earlier versions, the folder
name is Microsoft System Center.

If you can't find Software Center in the Start menu, contact your IT administrator.

Applications

Select the Applications tab (1) to find and install applications that your IT admin deploys to you or this
computer.
All (2): Shows all available applications that you can install.
Required (3): Your IT admin enforces these applications. If you uninstall one of these applications,
Software Center reinstalls it.
Filters (4): Your IT admin may create categories of applications. If available, select the drop-down list to
filter the view to only those applications in a specific category. Select All to show all applications.
Sort by (5): Rearrange the list of applications. By default this list sorts by Most recent. Recently
available applications display with a New banner that's visible for seven days.
Search (6): Still can't find what you're looking for? Enter keywords in the Search box to find it!
Switch the view (7): Select the icons to switch the view between list view and tile view. By default the
applications list shows as graphic tiles.

View                 Description
Multi-select mode    Install more than one application at a time. For more information, see Install
                     multiple applications.
List view            This view displays the application icon, name, publisher, version, and status.
Tile view            Your IT admin can customize the icons. Below each tile displays the application
                     name, publisher, and version.

Install an application
Select an application from the list to see more information about it. Select Install to install it. If an app is already
installed, you may have the option to Uninstall.
Some apps may require approval before they install.
When you try to install it, you can enter a comment and then Request the app.

Software Center shows the request history, and you can cancel the request.

When an administrator approves your request, you can install the app. If you wait, Software Center
automatically installs the app during your non-business hours.
Install multiple applications
Install more than one application at a time instead of waiting for one to finish before starting the next. The
selected apps need to qualify:
The app is visible to you
The app isn't already downloading or installed
Your IT admin doesn't require approval to install the app
To install more than one application at a time:
1. Select the multi-select icon in the upper right corner:
2. Select two or more apps to install. Select the checkbox to the left of each app in the list.
3. Select the Install Selected button to start.
The apps install as normal, only now in succession.
Share an application
To share a link to a specific app, after you select the app, select the Share icon in the upper right corner:

Copy the string, and paste elsewhere, such as an email message. For example,
softwarecenter:SoftwareID=ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/Application_b9e438aa-f5b5-432c-9b4f-6ebeeb132a5a
Anyone else in your organization with Software Center can use the link to open the same application.
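The shared link above is a small custom URI, and a helpdesk or automation script that accepts such links from users should check them before acting on them. The following Python parser and validator is an added example, not Software Center's own code. It relies only on what the article shows (the softwarecenter: scheme, the SoftwareID key, and a ScopeId_<GUID>/Application_<GUID> value); case-insensitive matching and the rejection of any extra data are this example's own choices, and the malformed inputs are constructed for the demonstration.

```python
import re
import uuid
from dataclasses import dataclass
from typing import Optional

# The link format shown in the article:
#   softwarecenter:SoftwareID=ScopeId_<GUID>/Application_<GUID>
# Assumptions (not stated on the page): the scheme and the SoftwareID key are
# matched case-insensitively, GUID hex digits may be upper- or lower-case, and a
# well-formed link carries nothing else. Anything that deviates is rejected outright.
_GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
_LINK_RE = re.compile(
    r"^softwarecenter:SoftwareID=ScopeId_(?P<scope>" + _GUID + r")"
    r"/Application_(?P<app>" + _GUID + r")$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SoftwareCenterLink:
    """The two identifiers a shared application link carries."""
    scope_id: uuid.UUID
    application_id: uuid.UUID

    @property
    def software_id(self) -> str:
        # Canonical form: ScopeId GUID upper-case, Application GUID lower-case,
        # which is the casing of the example link in the article.
        return f"ScopeId_{str(self.scope_id).upper()}/Application_{self.application_id}"


def parse_software_center_link(link: str) -> Optional[SoftwareCenterLink]:
    """Parse a softwarecenter: link, returning None for anything not well-formed.

    Whitespace is stripped first because a pasted link (the article shows it
    wrapped over two lines) often arrives with line breaks in it. The whole
    string must match; partial or prefixed matches are treated as invalid.
    """
    cleaned = "".join(link.split())
    match = _LINK_RE.match(cleaned)
    if match is None:
        return None
    return SoftwareCenterLink(
        scope_id=uuid.UUID(match.group("scope")),
        application_id=uuid.UUID(match.group("app")),
    )


def build_software_center_link(scope_id: uuid.UUID, application_id: uuid.UUID) -> str:
    """Produce a link in the page's format from two GUIDs."""
    return "softwarecenter:SoftwareID=" + SoftwareCenterLink(scope_id, application_id).software_id


# The link printed in the article, joined onto one line.
PAGE_LINK = (
    "softwarecenter:SoftwareID=ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34"
    "/Application_b9e438aa-f5b5-432c-9b4f-6ebeeb132a5a"
)

# Constructed malformed inputs that a validator should refuse.
BAD_LINKS = [
    "https://example.invalid/?id=" + PAGE_LINK,                              # wrong scheme
    "softwarecenter:SoftwareID=ScopeId_73F3BB5E-5EDC/Application_b9e438aa",  # truncated GUIDs
    PAGE_LINK + "&extra=1",                                                  # trailing data
    "softwarecenter:SoftwareID=Application_b9e438aa-f5b5-432c-9b4f-6ebeeb132a5a",  # no ScopeId
]


if __name__ == "__main__":
    parsed = parse_software_center_link(PAGE_LINK)
    print("scope:", parsed.scope_id, "application:", parsed.application_id)
    for bad in BAD_LINKS:
        print("rejected" if parse_software_center_link(bad) is None else "ACCEPTED", bad)
```

The parser anchors the pattern at both ends on purpose: a link that merely contains a valid-looking SoftwareID somewhere inside a longer string is rejected rather than partially accepted, and the two GUIDs are returned as uuid.UUID values so callers compare identifiers rather than raw strings.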

Updates

Select the Updates tab (1) to view and install software updates that your IT admin deploys to this computer.
All (2): Shows all updates that you can install
Required (3): Your IT admin enforces these updates.
Sort by (4): Rearrange the list of updates. By default this list sorts by Application name: A to Z.
Search (5): Still can't find what you're looking for? Enter keywords in the Search box to find it!
To install updates, select Install All (6).
To only install specific updates, select the icon to enter multi-select mode (7): Check the updates to install, and
then select Install Selected.

Operating Systems

Select the Operating Systems tab (1) to view and install versions of Windows that your IT admin deploys to
this computer.
All (2): Shows all Windows versions that you can install
Required (3): Your IT admin enforces these upgrades.
Sort by (4): Rearrange the list of updates. By default this list sorts by Application name: A to Z.
Search (5): Still can't find what you're looking for? Enter keywords in the Search box to find it!

Installation status
Select the Installation status tab to view the status of applications. You may see the following states:
Installed: Software Center already installed this application on this computer.
Downloading: Software Center is downloading the software to install on this computer.
Failed: Software Center wasn't able to install the software.
Scheduled to install after: Shows the date and time of the device's next maintenance window to install
upcoming software. Maintenance windows are defined by your IT admin.
The status can be seen in the All and the Upcoming tab.
You can install before the maintenance window time by selecting the Install Now button.

Device compliance
Select the Device compliance tab to view the compliance status of this computer.
Select Check compliance to evaluate this device's settings against the security policies defined by your IT
admin.

Options
Select the Options tab to view additional settings for this computer.
Work information
Indicate the hours that you typically work. Your IT admin may schedule software installations outside your
business hours. Allow at least four hours each day for system maintenance tasks. Your IT admin can still install
critical applications and software updates during business hours.
Select the earliest and latest hours that you use this computer. By default these values are from 5:00 AM
through 10:00 PM.
Select the days of the week that you typically use this computer. By default Software Center only selects
the weekdays.
Specify whether you regularly use this computer to do your work. Your administrator might automatically install
applications or make additional applications available to primary computers. If the computer you're using is a
primary computer, select I regularly use this computer to do my work.
Power management
Your IT admin may set power management policies. These policies help your organization conserve electricity
when this computer isn't in use.
To make this computer exempt from these policies, select Do not apply power settings from my IT
department to this computer. By default this setting is disabled and the computer applies power settings.
Computer maintenance
Specify how Software Center applies changes to software before the deadline.
Automatically install or uninstall required software and restart the computer only outside of
the specified business hours: This setting is disabled by default.
Suspend Software Center activities when my computer is in presentation mode: This setting is
enabled by default.
When instructed by your IT admin, select Sync Policy. This computer checks with the servers for anything new,
such as applications, software updates, or operating systems.
Remote Control
Specify remote access and remote control settings for your computer.
Use remote access settings from your IT department: By default, your IT department defines the settings
to remotely assist you. The other settings in this section show the state of the settings that your IT department
defines. To change any settings, first disable this option.
Level of remote access allowed
Do not allow remote access: IT administrators can't remotely access this computer to assist you.
View only: An IT administrator can only remotely view your screen.
Full: An IT administrator can remotely control this computer. This setting is the default option.
Allow remote control of this computer by administrators when I am away. This setting is Yes by
default.
When an administrator tries to control this computer remotely
Ask for permission each time: This setting is the default option.
Do not ask for permission
Show the following during remote control: These visual notifications are both enabled by default to
let you know that an administrator is remotely accessing the device.
Status icon in the notification area
A session connection bar on the desktop
Play sound: This audible notification lets you know that an administrator is remotely accessing the
device.
When session begins and ends: This setting is the default option.
Repeatedly during session
Never
Custom tabs
Your IT admin can remove the default tabs or add additional tabs to Software Center. Custom tabs are named by
your admin, and they open a web site that the admin specifies. For instance, you might have a tab called "Help
Desk" that opens your IT organization's help desk web site.

More information for IT administrators


More information is available for IT administrators on how to plan for and configure Software Center in the
following articles:
Plan for Software Center
Software Center client settings
Device restart notifications
Introduction to Remote Control
How to use the Configuration Manager console
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Administrators use the Configuration Manager console to manage the Configuration Manager environment.
This article covers the fundamentals of navigating the console.

Open the console


The Configuration Manager console is always installed on every site server. You can also install it on other
computers. For more information, see Install the Configuration Manager console.
The simplest method to open the console on a Windows computer is to go to Start and start typing
Configuration Manager console. You may not need to type the entire string for Windows to find the best match.

If you browse the Start menu, look for the Configuration Manager console icon in the Microsoft Endpoint
Manager group.

Connect to a site server


The console connects to your central administration site server or to your primary site servers. You can't connect
a Configuration Manager console to a secondary site. During installation, you specified the fully qualified
domain name (FQDN) of the site server to which the console connects.
To connect to a different site server, use the following steps:
1. Select the arrow at the top of the ribbon, and choose Connect to a New Site.
2. Type in the FQDN of the site server. If you've previously connected to a site server, select the server from
the drop-down list.
3. Select Connect.

TIP
You can specify the minimum authentication level for administrators to access Configuration Manager sites. This feature
enforces administrators to sign in to Windows with the required level. For more information, see Plan for the SMS
Provider.

Navigation
Some areas of the console may not be visible depending on your assigned security role. For more information
about roles, see Fundamentals of role-based administration.
Workspaces
The Configuration Manager console has four workspaces:
Assets and Compliance
Software Library
Monitoring
Administration

Reorder workspace buttons by selecting the down arrow and choosing Navigation Pane Options. Select an
item to Move Up or Move Down. Select Reset to restore the default button order.
Minimize a workspace button by selecting Show Fewer Buttons. The last workspace in the list is minimized
first. Select a minimized button and choose Show More Buttons to restore the button to its original size.

Nodes
Workspaces are a collection of nodes. One example of a node is the Software Update Groups node in the
Software Library workspace.
Once you are in the node, you can select the arrow to minimize the navigation pane.

Use the navigation bar to move around the console when you minimize the navigation pane.

In the console, nodes are sometimes organized into folders. When you select the folder, it usually displays a
navigation index or a dashboard.
NOTE
You can use PowerShell to manage console folders with the following cmdlets:
Get-CMFolder
New-CMFolder
Remove-CMFolder
Set-CMFolder

Ribbon
The ribbon is at the top of the Configuration Manager console. The ribbon can have more than one tab and can
be minimized using the arrow on the right. The buttons on the ribbon change based on the node. Most of the
buttons in the ribbon are also available on context menus.

Details pane
You can get additional information about items by reviewing the details pane. The details pane can have one or
more tabs. The tabs vary depending on the node.

Columns
You can add, remove, reorder, and resize columns. These actions allow you to display the data you prefer.
Available columns vary depending on the node. To add or remove a column from your view, right-click on an
existing column heading and select an item. Reorder columns by dragging the column heading where you
would like it to be.

At the bottom of the column context menu, you can sort or group by a column. Additionally, you can sort by a
column by selecting its header.

Reclaim lock for editing objects

If the Configuration Manager console stops responding, you can be locked out of making further changes until
the lock expires after 30 minutes. This lock is part of the Configuration Manager SEDO (Serialized Editing of
Distributed Objects) system. For more information, see Configuration Manager SEDO.
You can clear your lock on any object in the Configuration Manager console. This action only applies to your
user account that has the lock, and on the same device from which the site granted the lock. When you attempt
to access a locked object, you can now Discard Changes, and continue editing the object. These changes would
be lost anyway when the lock expired.

View recently connected consoles

You can view the most recent connections for the Configuration Manager console. The view includes active
connections and those connections that recently connected. You'll always see your current console connection in
the list and you only see connections from the Configuration Manager console. You won't see PowerShell or
other SDK-based connections to the SMS Provider. The site removes instances from the list that are older than
30 days.
Prerequisites to view connected consoles
Your account needs the Read permission on the SMS_Site object.
Configure the administration service REST API. For more information, see What is the administration
service?.
View connected consoles
1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Security and select the Console Connections node.
3. View the recent connections, with the following properties:
User name
Machine name
Connected site code
Console version
Last connected time: When the user last opened the console
An open console in the foreground sends a heartbeat every 10 minutes, which shows in the Last
Console Heartbeat column.

Start Microsoft Teams Chat from Console Connections

You can message other Configuration Manager administrators from the Console Connections node using
Microsoft Teams. When you choose to Start Microsoft Teams Chat with an administrator, Microsoft Teams is
launched and a chat is opened with the user.
Prerequisites
For starting a chat with an administrator, the account you want to chat with needs to have been discovered
with Azure AD or AD User Discovery.
Microsoft Teams installed on the device from which you run the console.
All prerequisites to view connected consoles
Start Microsoft Teams Chat
1. Go to Administration > Security > Console Connections.
2. Right-click on a user's console connection and select Start Microsoft Teams Chat.
If the User Principal Name isn't found for the selected administrator, Start Microsoft Teams Chat is
grayed out.
An error message, including a download link, appears if Microsoft Teams isn't installed on the device
from which you run the console.
If Microsoft Teams is installed on the device from which you run the console, it will open a chat with
the user.
Known issues
The error message notifying you that Microsoft Teams isn't installed won't be displayed if the following Registry
key doesn't exist:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
To work around the issue, manually create the Registry key.
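The workaround above can be scripted so that the key is created only when it is actually missing. The following is an added example, not code from the Configuration Manager documentation; it assumes you run it as the console user, because the key lives under HKEY_CURRENT_USER, and it creates an empty key with no values.

```powershell
# Added example (not from the Configuration Manager docs): check for the Uninstall key
# that the Teams-detection code expects, and create it only when it is missing.
# Assumption: run this in the profile of the user who launches the console (HKCU).
function Confirm-UninstallRegistryKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $keyPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

    if (Test-Path -Path $keyPath) {
        # Nothing to do: the key is present, so the Teams-not-installed message can display.
        return [pscustomobject]@{ Path = $keyPath; Existed = $true; Created = $false }
    }

    if ($PSCmdlet.ShouldProcess($keyPath, 'Create empty registry key')) {
        # -Force creates any missing parent keys as well; no values are written.
        $null = New-Item -Path $keyPath -Force
        return [pscustomobject]@{ Path = $keyPath; Existed = $false; Created = $true }
    }

    # Reached when -WhatIf was used: report the gap without changing the registry.
    [pscustomobject]@{ Path = $keyPath; Existed = $false; Created = $false }
}

# Usage: preview first, then apply.
# Confirm-UninstallRegistryKey -WhatIf
# Confirm-UninstallRegistryKey
```

Run it with -WhatIf first to confirm which key would be created before making the change.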

In-console documentation dashboard

The Documentation node in the Community workspace includes information about Configuration Manager
documentation and support articles. It includes the following sections:
Recommended: a manually curated list of important articles.
Troubleshooting articles: guided walkthroughs to assist with troubleshooting Configuration Manager
components and features.
New and updated support articles: articles that are recently new or updated.
Troubleshooting connection errors
The Documentation node has no explicit proxy configuration. It uses any OS-defined proxy in the Internet
Options control panel applet. To retry after a connection error, refresh the Documentation node.

Connect via Windows PowerShell


The Configuration Manager console includes a PowerShell module with over a thousand cmdlets to interact
programmatically from the command line. Select the arrow at the top of the ribbon, and choose Connect via
Windows PowerShell .
For more information, see Get started with Configuration Manager cmdlets.

Command-line options
The Configuration Manager console has the following command-line options:

Option                   Description
/sms:debugview=1         A DebugView is included in all ResultViews that specify a view. DebugView shows raw
                         properties (names and values).
/sms:NamespaceView=1     Shows namespace view in the console.
/sms:ResetSettings       The console ignores user-persisted connection and view states. The window size isn't reset.
/sms:IgnoreExtensions    Disables any Configuration Manager extensions.
/sms:NoRestore           The console ignores previous persisted node navigation.
/server=[ServerName]     Connect to a CAS or Primary site server by specifying the fully qualified domain name
                         (FQDN) or server name for that site.

Next steps
Console notifications
Console tips
Accessibility features
Task sequence editor
Configuration Manager console notifications
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


The Configuration Manager console notifies you for specific events that occur. You can configure some of the
event notifications for your Configuration Manager sites.
Non-configurable event notifications:
When an update is available for Configuration Manager itself
When lifecycle and maintenance events occur in the environment
Configurable event notifications:
Non-critical site health changes
Messages from Microsoft
This notification is a bar at the top of the console window below the ribbon. It replaces the previous experience
when Configuration Manager updates are available. These in-console notifications still display critical
information, but don't interfere with your work in the console. You can't dismiss critical notifications. The console
displays all notifications in a new notification area of the title bar.

About console notifications


Notifications follow the permissions of role-based administration. For example, if a user doesn't have
permissions to see Configuration Manager updates, they won't see those notifications.
Some notifications have a related action. For example, if the console version doesn't match the site version,
select Install the new console version . This action launches the console installer.
The following notifications reevaluate every five minutes:
Site is in maintenance mode
Site is in recovery mode
Site is in upgrade mode
The following notifications are most applicable to the technical preview branch:
Evaluation version is within 30 days of expiration (Warning): the current date is within 30 days of the
expiration date of the evaluation version
Evaluation version is expired (Critical): the current date is past the expiration date of the evaluation version
Console version mismatch (Critical): the console version doesn't match the site version
Site upgrade is available (Warning): there's a new update package available
Most console notifications are per session. The console evaluates queries when a user launches it. To see
changes in the notifications, restart the console. If a user dismisses a non-critical notification, it notifies again
when the console restarts if it's still applicable.
Dismissing or snoozing a notification is persistent for your user across consoles starting in version 2010.

Console notification improvements


Improvements starting in version 2010
Starting in Configuration Manager 2010, you have an updated look and feel for in-console notifications.
Notifications are more readable and the action link is easier to find. The age of the notification is displayed to
help you find the latest information. If you dismiss or snooze a notification, that action is now persistent for your
user across consoles.
Right-click or select ... on the notification to take one of the following actions:
Translate text : Launches Bing Translator for the text.
Copy text : Copies the notification text to the clipboard.
Snooze : Snoozes the notification for the specified duration:
One hour
One day
One week
One month
Dismiss : Dismisses the notification.
To see these improvements for notifications, update the Configuration Manager console to the latest version.
New notifications in version 2010
To help you manage security risk in your environment, you'll be notified in-console about devices with operating
systems that are past the end of support date and that are no longer eligible to receive security updates.

Environments with the following operating systems installed on client devices receive a notification:
Windows 7, Windows Server 2008 (non-Azure), and Windows Server 2008 R2 (non-Azure) without ESU.
Selecting More info takes you to the Management insights Security group to review the Update
clients running Windows 7 and Windows Server 2008 rule.
Versions of Windows 10 Semi-Annual Channel that are past the end-of-support date for Enterprise and
Education and Home and Pro editions.
Selecting More info takes you to the Management insights Simplified Management group to
review the Update clients to a supported Windows 10 version rule.
You can also view the Product Lifecycle Dashboard to see information about which operating systems are out of
support. This information (such as the support lifecycle for Windows 10 versions) is provided for your
convenience and only for use internally within your company. You should not solely rely on this information to
confirm update compliance. Be sure to verify the accuracy of the information provided to you.
Improvements starting in version 2006
You have an option to receive Messages from Microsoft
If you configure Azure services to cloud-attach your site, you'll see notifications with an action to renew the
secret key. The site evaluates the state of the following alerts once per hour:
One or more Azure AD app secret keys will expire soon
One or more Azure AD app secret keys have expired

IMPORTANT
When you use an imported Azure AD app, you aren't notified of an upcoming expiration date from console notifications.

Configure a site to show non-critical notifications


You can configure each site to show non-critical notifications in the properties of the site.
1. In the Administration workspace, expand Site Configuration , then select the Sites node.
2. Select the site you want to configure for non-critical notifications.
3. In the ribbon, select Properties.
4. On the Alerts tab, select the option to Enable console notifications for non-critical site health
changes.
If you enable this setting, all console users see critical, warning, and information notifications. This
setting is enabled by default.
If you disable this setting, console users only see critical notifications.

Configure a site to receive messages from Microsoft


Starting in version 2006, you can choose to receive notifications from Microsoft in the Configuration Manager
console. These notifications help you stay informed about new or updated features, changes to Configuration
Manager and attached services, and issues that require action to remediate.

NOTE
For push notifications from Microsoft to show in the console, the service connection point needs access to
configmgrbits.azureedge.net. It also needs access to this endpoint for updates and servicing, so you may have
already allowed it.

Configure notification settings for Microsoft messages


1. Navigate to Administration > Site Configuration > Sites.
2. Select a site, and then in the ribbon, select Properties.
3. In the Alerts tab, enable the notifications by selecting Receive messages from Microsoft. You can
deselect any of the following notifications if you prefer not to receive them:
Prevent/fix: Known issues affecting your organization that may require you to take action.
Plan for change: Changes to Configuration Manager that may require you to take action.
Stay informed: Informs you of new or updated features that are available.

Console extension installation notifications


(Introduced in version 2103)
Users are notified when console extensions are approved for installation. These notifications occur for users
when console extensions are approved and notifications are enabled from Administration > Overview >
Updates and Servicing > Console Extensions. When notifications are enabled, users within the security
scope for the extension receive the following prompts:
1. In the upper-right corner of the console, select the bell icon to display Configuration Manager console
notifications.

2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console and enable the new extension.

NOTE
When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension
again. For more information about the WebView2 installation, see the WebView2 installation section in the Community
hub article.

For more information, see Manage console extensions.

Log files
For more information and troubleshooting assistance, see the SmsAdminUI.log file on the console computer.
By default, this log file is at the following path:
C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\AdminUILog\SmsAdminUI.log

Next steps
Use the console
Console tips
Accessibility features
Manage Configuration Manager console extensions
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Starting in Configuration Manager 2103, the Console extensions node allows you to start managing the
approval and installation of console extensions used in your environment. Having extensions in the console
doesn't make them immediately available. From a high level, the steps are:
1. An administrator has to approve an extension for the site
2. The administrator has to enable notifications for the extension.
3. The console users can then install the extension to their local console.
After you approve an extension, when you open the console, you'll see a console notification. From the
notification, you can start the extension installer, or use the Install option from the Console extensions node.
After the installer completes, the console restarts automatically, and you can use the extension.
The old style of console extensions will start being phased out in favor of the new style since they're more
secure and centrally managed. The new style of console extensions has the following benefits:
Centralized management of console extensions for the site instead of manually placing binaries on individual
consoles.
A clear separation of console extensions from different extension providers.
The ability for admins to have more control over which console extensions are loaded and used in the
environment, to keep them more secure.
A hierarchy setting that allows for only using the new style of console extension.

IMPORTANT
If this setting is used, your old style extensions that aren't approved through the Console Extensions node will
no longer be able to be used. The setting, Only allow console extensions that are approved for the
hierarchy, is enabled by default if you installed from the 2103 baseline image. The setting remains disabled
by default if you upgraded from a version prior to 2103. If the setting was enabled in error, disabling the setting
allows the old style extensions to be used again.

Prerequisites
The Configuration Manager console needs to be able to connect to the administration service and the
administration service needs to be functional.

About the Console Extensions node


(Introduced in version 2103)
The Console Extensions node is located under Administration > Overview > Updates and Servicing.
Actions for console extensions are grouped in the ribbon and the right-click menu. Console extensions
downloaded from Community hub will be shown here.
Actions for Console Extensions group:
Refresh: Refreshes the node
Import Console Extension: Launches the Import Console Extension wizard (added in 2111)
Actions for All Sites group:
Approve Installation: Approves the console extension for installation across all sites. An extension must be
approved before notifications are enabled.
Revoke Approval:
Revokes the ability to install the extension from the Console Extensions node.
Notifies then uninstalls existing instances of the extension across the hierarchy at the next launch of a
locally installed console.
Allows for reapproval of the extension at a later date.
Enable Notifications: Upon next launch of the console, notifies users within the security scope that the
extension can be installed.
Disable Notifications: Disables the console notification messages for the extension. Users within the
security scope can still install approved extensions from the Console Extensions node.
Require Extension (added in 2111): Automatically installs the extension for users within the security scope
on the next launch before connecting to the site. The user launching the console needs local administrator
privileges for the extension installation.
Make Optional (added in 2111): Removes the requirement for an extension. Console users can still install
the extension locally from the Console Extensions node.
Delete:
Revokes the ability to install the extension from the Console Extensions node.
Notifies then uninstalls existing instances of the extension across the hierarchy at the next launch of a
locally installed console.
Removes the extension from the Console Extensions node so it can't be reapproved later.
Classify group:
Set Security Scopes: Set the security scopes to secure the object and limit access.
Local Extension group:
Install: Installs the selected extension for the current local console
Uninstall: Uninstalls the selected extension from the current local console
NOTE
The WebView2 console extension is approved by default to enable using Community hub. The files are automatically
downloaded from https://developer.microsoft.com/en-us/microsoft-edge/webview2/#download-section with
the other redistributable files.
When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension
again.

Enable hierarchy approved console extensions


1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration,
and select Sites.
2. Select Hierarchy Settings from the ribbon.
3. On the General tab, enable or disable the Only allow console extensions that are approved for the
hierarchy option.
4. Select Ok when done to close the Hierarchy Settings Properties.

WARNING
If this setting is enabled, your old style extensions that aren't approved through the Console Extensions node will no
longer be able to be used. The setting, Only allow console extensions that are approved for the hierarchy, is
enabled by default if you installed from the 2103 baseline image. The setting remains disabled by default if you
upgraded from a version prior to 2103. If the setting was enabled in error, disabling the setting allows the old style
extensions to be used again.

Get console extensions


There are three ways to get the new style of hierarchy approved console extensions into Configuration Manager:
An extension may come with Configuration Manager, such as WebView2
Download console extensions from Community hub
Import console extensions

Install and test an extension on a local console


1. Change the security scope for the extension. Changing the security scope is recommended for initial
testing of an extension.
a. Go to the Console Extensions node under Administration > Overview > Updates and
Servicing.
b. Select the extension, then select Set Security Scopes from the ribbon.
c. Remove the Default security scope and add a scope that only contains one or two admins for initial
testing.
d. Choose OK to save the security scope for the extension.
2. Approve the extension by selecting Approve Installation from the ribbon or right-click menu.
If the extension isn't approved, you won't be able to install it or enable in-console notifications for it.
If you restart your console at this point, a notification about the available extension won't occur since
you haven't enabled the option yet.
3. Install the extension on the local console by choosing Install.
4. Once the extension is installed, verify it displays and you can use it from the local console.
Enable user notifications for extension installation
1. If needed, modify the security scopes for the extension to allow access by more admins. These admins will be
targeted with the in-console notification for installing the extension.
2. Select Enable Notifications.
3. Launch a Configuration Manager console that doesn't have the extension installed. Ideally, use a test account
that you gave access to when you modified the security scope.
4. Verify that the notification for the extension occurs and that you can install the extension.

Allow unsigned console extensions for the hierarchy


(Applies to Configuration Manager version 2107 or later)
Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console
extensions. It's a best practice to always use signed extensions to minimize security risks and to confirm the
authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions
due to an unsigned internally developed extension, or for testing your own custom extension in a lab. To allow
import and install of unsigned hierarchy approved console extensions, you'll enable a hierarchy setting.
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration,
and select Sites.
2. Select Hierarchy Settings from the ribbon.
3. On the General tab, enable the Hierarchy approved console extensions can be unsigned option.
4. Select Ok when done to close the Hierarchy Settings Properties.

NOTE
Currently, when an unsigned extension isn't enabled for user notification, in the Console Extensions node, the
Required column remains blank instead of populating a value of No.

Require installation of a console extension


(Introduced in 2111)
Starting in Configuration Manager version 2111, you can require a console extension to be installed before it
connects to the site. After you require an extension, it automatically installs for the local console the next time an
admin launches it. To require the installation of a console extension:
1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Updates and Servicing and select the Console Extensions node.
3. Select the extension, then select Require Extension from either the right-click menu or the ribbon.
Selecting Make Optional for an extension removes the extension requirement. Console users can
still install it locally from the Console Extensions node.
4. The next time the console is launched by a user within the extension's security scope, installation starts
automatically.
The user launching the console needs local administrator privileges for the extension installation.

Console extension installation user notifications


Users are notified when console extensions are approved for installation. These notifications occur for users
when console extensions are approved and notifications are enabled from Administration > Overview >
Updates and Servicing > Console Extensions. When notifications are enabled, users within the security
scope for the extension receive the following prompts:
1. In the upper-right corner of the console, select the bell icon to display Configuration Manager console
notifications.

2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console and enable the new extension.

NOTE
When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension
again. For more information about the WebView2 installation, see the WebView2 installation section in the Community
hub article.

Status messages for console extensions


(Introduced in 2111)
Starting in version 2111, the site creates status messages for events related to console extensions. Status
messages improve the visibility and transparency of console extensions that are used with your site. Use these
status messages to make sure your site uses known and trusted console extensions. The status messages have
IDs from 54201 to 54208. They all include the following information:
The user that made the change
The ID of the extension
The version of the extension
There are four categories of message events:
Required or optional
Approve or disapprove
Enable or disable
Tombstone or untombstone
For example, the description of status message ID 54201 is User "%1" made console extension with ID
"%2" and version "%3" required.
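Because these status messages identify who changed an extension's state, they are a natural audit feed: pull the 54201 to 54208 range from the site database and compare the acting user against the list of administrators who are supposed to manage extensions. The block below is an added example, not code from the Configuration Manager documentation. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that the caller has read access to the site database, that the views v_StatusMessage and v_StatMsgInsStrings expose the columns used here with a 0-based InsStrIndex (so %1 is index 0), and that the Time column is stored in UTC; the server, database and account names are placeholders. The second function runs offline against constructed sample rows so the check itself can be seen without a site.

```powershell
# Added example (not from the Configuration Manager docs).
# Assumptions: SqlServer module present; v_StatusMessage / v_StatMsgInsStrings column
# names as used below; InsStrIndex is 0-based (%1 -> 0, %2 -> 1, %3 -> 2); Time is UTC.
function Get-ConsoleExtensionAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $SqlServerInstance,   # placeholder, e.g. 'CMSQL01.contoso.com'
        [Parameter(Mandatory)] [string] $SiteDatabase,        # placeholder, e.g. 'CM_XYZ'
        [int] $Days = 7                                       # lookback window; [int] keeps the query safe to interpolate
    )

    # Flatten the three insertion strings the page says every 54201-54208 message carries:
    # %1 = user who made the change, %2 = extension ID, %3 = extension version.
    $query = @"
SELECT  sm.RecordID, sm.MessageID, sm.Time, sm.MachineName, sm.SiteCode,
        MAX(CASE WHEN ins.InsStrIndex = 0 THEN ins.InsStrValue END) AS ActorUser,
        MAX(CASE WHEN ins.InsStrIndex = 1 THEN ins.InsStrValue END) AS ExtensionId,
        MAX(CASE WHEN ins.InsStrIndex = 2 THEN ins.InsStrValue END) AS ExtensionVersion
FROM    v_StatusMessage sm
LEFT JOIN v_StatMsgInsStrings ins ON ins.RecordID = sm.RecordID
WHERE   sm.MessageID BETWEEN 54201 AND 54208
  AND   sm.Time >= DATEADD(day, -$Days, GETUTCDATE())
GROUP BY sm.RecordID, sm.MessageID, sm.Time, sm.MachineName, sm.SiteCode
ORDER BY sm.Time DESC
"@

    Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Database $SiteDatabase -Query $query -ErrorAction Stop
}

# Flag any extension change made by an account outside the approved administrator list.
# Works on the rows returned above or on any objects with the same property names.
function Find-UnexpectedExtensionChanges {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $ApprovedAdmins
    )
    foreach ($e in $Events) {
        if ($e.ActorUser -and ($ApprovedAdmins -notcontains $e.ActorUser)) {
            [pscustomobject]@{
                Time             = $e.Time
                MessageID        = $e.MessageID
                ActorUser        = $e.ActorUser
                ExtensionId      = $e.ExtensionId
                ExtensionVersion = $e.ExtensionVersion
            }
        }
    }
}

# Constructed sample rows (not real site data) so the check can be exercised offline.
# Only 54201 ("made ... required") is described on the page; the second ID is just another
# value from the documented range and no meaning is assumed for it here.
$sampleEvents = @(
    [pscustomobject]@{ Time = [datetime]'2022-02-16T10:00:00'; MessageID = 54201
                       ActorUser = 'CONTOSO\cmadmin';  ExtensionId = 'EXT-ID-PLACEHOLDER-1'; ExtensionVersion = '1.0.0' }
    [pscustomobject]@{ Time = [datetime]'2022-02-16T11:30:00'; MessageID = 54203
                       ActorUser = 'CONTOSO\helpdesk7'; ExtensionId = 'EXT-ID-PLACEHOLDER-2'; ExtensionVersion = '0.9.1' }
)

# Offline run: reports the helpdesk7 row, since only cmadmin is on the approved list.
Find-UnexpectedExtensionChanges -Events $sampleEvents -ApprovedAdmins 'CONTOSO\cmadmin'

# Against a real site (placeholders):
# $events = Get-ConsoleExtensionAuditEvents -SqlServerInstance 'CMSQL01.contoso.com' -SiteDatabase 'CM_XYZ' -Days 30
# Find-UnexpectedExtensionChanges -Events $events -ApprovedAdmins 'CONTOSO\cmadmin','CONTOSO\cmadmin2'
```

Scheduling the query and forwarding the flagged rows to whatever alerting you already use turns the status messages into a standing control over which accounts approve, require or enable extensions in the hierarchy.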

Next steps
Console extensions from Community hub
Import console extensions
Configuration Manager console notifications
Console tips
Import Configuration Manager console extensions
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Starting in Configuration Manager 2103, you can import console extensions to be used in your environment.
These extensions show up under the Console extensions node. Importing and just having extensions in the
console doesn't make them immediately available. An administrator still has to approve the extension for the
site and enable notifications. Then console users can install the extension to their local console. For more
information about managing and installing console extensions, see Manage Configuration Manager console
extensions.
Based on the version of Configuration Manager you're running, different import options are available. Initially,
only signed extensions could be imported through the administration service. Support for importing unsigned
extensions was added later. Then a wizard that could import both signed and unsigned extensions for you
without having to run a script was introduced in version 2111.

Configuration Manager version                                    2103                          2107                          2111 or later
Import a signed extension                                        Yes                           Yes                           Yes
Import an unsigned extension                                     No                            Yes, when you allow unsigned  Yes, when you allow unsigned
Import from the administration service with a PowerShell script  Yes, signed extensions only   Yes                           Yes
Import from the Import Console Extension wizard                  No                            No                            Yes

How to import console extensions


To import console extensions, you'll follow four basic steps. Exactly how you can import will be determined by
the version of Configuration Manager you're using and if the extension is signed or not. To import and install a
hierarchy approved console extension, the high-level steps are:
1. Determine if you need to allow unsigned hierarchy approved console extensions (version 2107 and later).
2. Import the console extension using one of the following methods:
Import a signed console extension with a script (version 2103 and later)
Import an unsigned console extension with a script (version 2107 and later)
Use the Import Console Extension wizard (version 2111 and later)
3. Test the extension in a local console.
4. Enable notifications to allow console users to install the console extension.

Allow unsigned console extensions for the hierarchy


(Applies to Configuration Manager version 2107 or later)
Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console
extensions. It's a best practice to always use signed extensions to minimize security risks and to confirm the
authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions
due to an unsigned internally developed extension, or for testing your own custom extension in a lab. To allow
import and install of unsigned hierarchy approved console extensions, you'll enable a hierarchy setting.
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration,
and select Sites.
2. Select Hierarchy Settings from the ribbon.
3. On the General tab, enable the Hierarchy approved console extensions can be unsigned option.
4. Select Ok when done to close the Hierarchy Settings Properties.

NOTE
Currently, when an unsigned extension isn't enabled for user notification, in the Console Extensions node, the
Required column remains blank instead of populating a value of No.

Import a signed console extension with a script


(Applies to Configuration Manager version 2103 or later)
When you have an extension packaged in a signed .cab file, you can import it into Configuration Manager.
You'll do this by posting it through the administration service using a PowerShell script. Once the extension is
inserted into the site, you can approve and install it locally from the Console Extensions node. To import, run
the following PowerShell script after editing the $adminServiceProvider and $cabFilePath:
$adminServiceProvider - The top-level SMSProvider server where the administration service is installed
$cabFilePath - Path to the extension's signed .cab file

# Top-level SMS Provider that hosts the administration service, and the signed .cab to upload
$adminServiceProvider = "SMSProviderServer.contoso.com"
$cabFilePath = "C:\Testing\MyExtension.cab"
$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
$cabFileName = (Get-Item -Path $cabFilePath).Name
# Read the .cab as raw bytes and base64-encode it for the JSON body
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)

$Headers = @{
    "Content-Type" = "Application/json"
}

$Body = @{
    CabFile = @{
        FileName = $cabFileName
        FileContent = $base64Content
    }
} | ConvertTo-Json

# Post with the caller's Windows credentials; the administration service authorizes the import on that account
$result = Invoke-WebRequest -Method Post -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials

if ($result.StatusCode -eq 200) {Write-Host "$cabFileName was published successfully."}
else {Write-Host "$cabFileName publish failed. Review AdminService.log for more information."}

Import an unsigned console extension with a script


(Applies to Configuration Manager version 2107 or later)
Starting in Configuration Manager version 2107, you can choose to allow unsigned hierarchy approved console
extensions. It's a best practice to always use signed extensions to minimize security risks and to confirm the
authenticity of a console extension. However, in some cases you may need to allow unsigned console extensions
due to an unsigned internally developed extension, or for testing your own custom extension in a lab.
When you have the .cab file for an extension, you can test it in a Configuration Manager lab environment.
You'll do this by posting it through the administration service. Once the extension is inserted into the site, you
can approve it and install it locally from the Console Extensions node. To import, run the following PowerShell
script after editing the $adminServiceProvider and $cabFilePath:
$adminServiceProvider - The top-level SMSProvider server where the administration service is installed
$cabFilePath - Path to the extension's .cab file

# Top-level SMS Provider that hosts the administration service, and the .cab to upload
$adminServiceProvider = "SMSProviderServer.contoso.com"
$cabFilePath = "C:\Testing\MyExtension.cab"
$adminServiceURL = "https://$adminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
$cabFileName = (Get-Item -Path $cabFilePath).Name
# Read the .cab as raw bytes and base64-encode it for the JSON body
$Bytes = [System.IO.File]::ReadAllBytes($cabFilePath)
$base64Content = [Convert]::ToBase64String($Bytes)
$Headers = @{
    "Content-Type" = "Application/json"
}
$Body = @{
    CabFile = @{
        FileName = $cabFileName
        FileContent = $base64Content
    }
    # Only honored when the hierarchy setting allows unsigned extensions
    AllowUnsigned = $true
} | ConvertTo-Json
# Post with the caller's Windows credentials; the administration service authorizes the import on that account
$result = Invoke-WebRequest -Method Post -Uri $adminServiceURL -Body $Body -Headers $Headers -UseDefaultCredentials
if ($result.StatusCode -eq 200) {Write-Host "$cabFileName was published successfully."}
else {Write-Host "$cabFileName publish failed. Review AdminService.log for more information."}

NOTE
Currently, when an unsigned extension isn't enabled for user notification, in the Console Extensions node, the
Required column remains blank instead of populating a value of No.
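As an added example (not part of the Configuration Manager documentation or the product's own tooling), the following PowerShell wraps the upload used by the signed and unsigned scripts above and checks the .cab's Authenticode signature first, so an unsigned or tampered file is only sent when the caller explicitly opts in. The function names, the -ExpectedThumbprint pinning parameter and the sample values are assumptions; the endpoint URL, the CabFile and AllowUnsigned body fields and the AdminService.log reference come from the page.

```powershell
# Added example, not from the Configuration Manager docs. Function names and the
# -ExpectedThumbprint parameter are assumptions; the endpoint and JSON fields are the
# ones the page's scripts use.

function Test-ExtensionSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CabFilePath,
        # Optional pin: trust only this signing certificate, not any valid signature
        [string] $ExpectedThumbprint
    )
    # Get-AuthenticodeSignature verifies .cab files the same way it verifies .ps1 or .exe
    $sig = Get-AuthenticodeSignature -FilePath $CabFilePath
    $trusted = $false
    if ($sig.Status -eq 'Valid') {
        $trusted = [string]::IsNullOrEmpty($ExpectedThumbprint) -or
                   ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
    }
    [pscustomobject]@{
        Path       = $CabFilePath
        Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject    # $null when the file is unsigned
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Trusted    = $trusted
    }
}

function Publish-ConsoleExtension {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AdminServiceProvider,
        [Parameter(Mandatory)] [string] $CabFilePath,
        [string] $ExpectedThumbprint,
        # Explicit opt-in for lab sites; without it an untrusted .cab is never uploaded
        [switch] $AllowUnsigned
    )
    $check = Test-ExtensionSignature -CabFilePath $CabFilePath -ExpectedThumbprint $ExpectedThumbprint
    if (-not $check.Trusted) {
        if (-not $AllowUnsigned) {
            throw "Refusing to publish '$CabFilePath': signature status '$($check.Status)', signer '$($check.Signer)'. Pass -AllowUnsigned only for a lab site."
        }
        Write-Warning "Uploading '$CabFilePath' with AllowUnsigned (signature status '$($check.Status)'). The hierarchy setting 'Hierarchy approved console extensions can be unsigned' must be enabled."
    }

    $adminServiceURL = "https://$AdminServiceProvider/AdminService/v1/ConsoleExtensionMetadata/AdminService.UploadExtension"
    $cabFileName = (Get-Item -Path $CabFilePath).Name
    $payload = @{
        CabFile = @{
            FileName    = $cabFileName
            FileContent = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($CabFilePath))
        }
    }
    # The flag is only added when the caller opted in and the file really is untrusted, so a
    # signed upload sends the same body as the page's signed-extension script
    if ($AllowUnsigned -and -not $check.Trusted) { $payload.AllowUnsigned = $true }
    $Body = $payload | ConvertTo-Json

    if (-not $PSCmdlet.ShouldProcess($cabFileName, "Upload to $AdminServiceProvider")) { return $check }
    try {
        $response = Invoke-WebRequest -Method Post -Uri $adminServiceURL -Body $Body `
            -Headers @{ 'Content-Type' = 'Application/json' } -UseDefaultCredentials
        [pscustomobject]@{ File = $cabFileName; StatusCode = $response.StatusCode; Signature = $check }
    }
    catch {
        # Invoke-WebRequest throws on HTTP 4xx/5xx, so a plain StatusCode check would never see them
        throw "$cabFileName publish failed: $($_.Exception.Message). Review AdminService.log for more information."
    }
}

# Usage with constructed placeholder values; -WhatIf runs the signature check without uploading
# Publish-ConsoleExtension -AdminServiceProvider 'SMSProviderServer.contoso.com' `
#     -CabFilePath 'C:\Testing\MyExtension.cab' -WhatIf
```

Running with -WhatIf first shows the signature status and signer of the .cab so you can confirm it matches the expected publisher before anything reaches the site.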

Import console extensions wizard


(Applies to Configuration Manager version 2111 or later)
Starting in version 2111, you can use the Import Console Extension wizard to import console extensions that
are managed for the hierarchy. You no longer need to use a PowerShell script to import a signed or unsigned
console extension. To import a console extension using the wizard:
1. From the Administration workspace, expand Updates and Servicing, then select the Console
Extensions node.
2. Select Import Console Extension from either the ribbon or the right-click menu.
3. When the wizard launches, select Browse and navigate to the extension's cab file.
4. If needed, select the option for Allow extension to be unsigned.
5. Select Next to review the import summary, then complete the wizard to import the extension.
NOTE
To import unsigned extensions, the Hierarchy approved console extensions can be unsigned option needs to be
enabled in the Hierarchy Settings. For more information, see Allow unsigned hierarchy approved console extensions.

Install and test an extension on a local console


1. Change the security scope for the extension. Changing the security scope is recommended for initial
testing of an extension.
a. Go to the Console Extensions node under Administration > Overview > Updates and
Servicing.
b. Select the extension, then select Set Security Scopes from the ribbon.
c. Remove the Default security scope and add a scope that only contains one or two admins for initial
testing.
d. Choose OK to save the security scope for the extension.
2. Approve the extension by selecting Approve Installation from the ribbon or right-click menu.
If the extension isn't approved, you won't be able to install it or enable in-console notifications for it.
If you restart your console at this point, a notification about the available extension won't occur since
you haven't enabled the option yet.
3. Install the extension on the local console by choosing Install.
4. Once the extension is installed, verify it displays and you can use it from the local console.

Enable user notifications for extension installation


1. If needed, modify the security scopes for the extension to allow access by more admins. These admins will be
targeted with the in-console notification for installing the extension.
2. Select Enable Notifications.
3. Launch a Configuration Manager console that doesn't have the extension installed. Ideally, use a test account
that you gave access to when you modified the security scope.
4. Verify that the notification for the extension occurs and that you can install the extension.

Next steps
Manage console extensions
Console extensions from Community hub
Develop custom console extensions
Configuration Manager console changes and tips
2/16/2022 • 14 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


Use the information below to find out about changes to the Configuration Manager console and tips for using
the console:

General tips
Export to CSV
(Introduced in version 2111)
Starting in Configuration Manager 2111, you can export the contents of a grid view in the console along with
the column headers to a comma-separated values (CSV) file that can be used to import to Excel or other
applications. While you could previously cut and paste from a grid view, exporting to CSV makes extracting a
large number of rows faster and easier. You can export either all or selected items from the following nodes:
Device Collections
User Collections
Devices
Users
To export the information, select Export to CSV file from either the ribbon or the right-click menu. Choose
Export selected items to only export items you've already selected, or you can choose to Export all items.

Enhanced code editor


(Introduced in version 2107)
Starting in Configuration Manager 2107, you can edit scripts in an enhanced editor. The new editor supports
syntax highlighting, code folding, word wrap, line numbers, and find and replace. The new editor is available in
the console wherever scripts and queries can be viewed or edited. The enhanced editor improves the syntax
highlighting and code folding that was first introduced in version 2010.
Open the new code editor to view or edit scripts and queries from the following locations:
Configuration item
Scripts
SQL and WQL queries
Detection methods
Application detection scripts
Query statement properties
Create script wizard
Script properties
Orchestration group
pre-installation scripts
post-installation scripts
Task sequence
PowerShell scripts
Query WMI option
The new code editor supports the following features:
Editor mode with syntax highlighting and plain text toggle
Toggle word wrap and line numbers
Code folding
Language selection
Find, Find and Replace, and Go To line number
Font type and size selection
Zoom using buttons or with Ctrl + mouse wheel.
The information bar at the bottom displays:
Number of lines and characters in the script
Cursor position
If the script is read-only
Persistent settings across instances for the code window, such as code folding, word wrap, and window size.
Syntax highlighting for scripting languages
(Introduced in version 2010)
To assist you when creating scripts and queries in the Configuration Manager console, you'll now see syntax
highlighting and code folding, where available.

Supported scripting languages for syntax highlighting


Supported languages for syntax highlighting include PowerShell, JavaScript/JScript, VBScript, and SQL/WQL.
The below chart shows which languages are supported for syntax highlighting in each area of the console:

Console area                 PowerShell   VBScript   JavaScript/JScript   SQL/WQL
Application scripts          Yes          Yes        Yes                  -
Collection query             -            -          -                    Yes
Configuration item scripts   Yes          Yes        Yes                  Yes
Task sequence scripts        Yes          -          -                    -
Create scripts               Yes          -          -                    -

Fixed-width font now used in some console areas


(Introduced in version 2010)
Various areas in the Configuration Manager console now use the fixed-width font Consolas. This font provides
consistent spacing and makes it easier to read. You'll see the Consolas font in the following places:
Application scripts
Configuration item scripts
WMI-based collection membership queries
CMPivot queries
Scripts
Run PowerShell Script
Run Command Line

Shortcuts to status messages


(Introduced in version 2010)
You now have an easier way to view status messages for the following objects:
Devices
Users
Content
Deployments
Monitoring workspace
Phased deployments (select Show Deployments from the Phased Deployments node)
Deployments tab in the details pane for:
Packages
Task sequences
Select one of these objects in the Configuration Manager console, and then select Show Status Messages
from the ribbon. Set the viewing period, and then the status message viewer opens. The viewer filters the results
to the object you selected.
Your user account needs at least Read permission to these objects.
For more information, see Use the status system.
Improvements to console search
(Introduced in version 1910)
You can use the All Subfolders search option from the Driver Packages and Queries nodes. Starting
in version 2002, also use this option from the Configuration Items and Configuration Baselines
nodes.
When a search returns more than 1,000 results, select the OK button on the notice bar to view more
results.

TIP
The default limit on search results is 1,000. You can change this default value. In the Configuration Manager
console, go to the Search tab of the ribbon. In the Options group, select Search Settings. Change the Search
Results value. A larger number of search results might take longer to display.
By default, the upper maximum limit is 100,000. To change this limit, set the DWORD value
QueryResultCountMaximum in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\AdminUI

The in-console setting corresponds to the QueryResultCountLimit value in the same key. An administrator can
configure these values in the HKLM hive for all users of the device. The HKCU value overrides the HKLM setting.
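As an added example (not from the documentation), the following PowerShell reports the effective search limits on a console machine by reading QueryResultCountLimit and QueryResultCountMaximum from both hives and applying the precedence the tip describes. The function name is an assumption, as is the HKLM key path, which mirrors the HKCU key named above.

```powershell
# Added example, not from the Configuration Manager docs. The HKLM subpath is an assumption
# (it mirrors the HKCU key the article names); the value names and defaults are from the page.

function Get-ConsoleSearchLimit {
    [CmdletBinding()]
    param(
        [string] $UserKey    = 'HKCU:\Software\Microsoft\ConfigMgr10\AdminUI',
        # Assumption: the machine-wide key uses the same subpath under HKLM
        [string] $MachineKey = 'HKLM:\Software\Microsoft\ConfigMgr10\AdminUI'
    )
    # Built-in values the tip states: 1,000 results shown by default, 100,000 at most
    $defaults = [ordered]@{ QueryResultCountLimit = 1000; QueryResultCountMaximum = 100000 }

    $rows = foreach ($name in $defaults.Keys) {
        $machine = $null; $user = $null
        if (Test-Path $MachineKey) {
            $machine = (Get-ItemProperty -Path $MachineKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        if (Test-Path $UserKey) {
            $user = (Get-ItemProperty -Path $UserKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        # Precedence: HKCU overrides HKLM, which overrides the built-in default
        $effective = $defaults[$name]; $source = 'Default'
        if ($null -ne $machine) { $effective = [int]$machine; $source = 'HKLM' }
        if ($null -ne $user)    { $effective = [int]$user;    $source = 'HKCU' }
        [pscustomobject]@{ Setting = $name; HKLM = $machine; HKCU = $user; Effective = $effective; Source = $source }
    }

    # The maximum bounds the in-console value, so a limit above it is worth flagging to the admin
    $limit = ($rows | Where-Object Setting -eq 'QueryResultCountLimit').Effective
    $max   = ($rows | Where-Object Setting -eq 'QueryResultCountMaximum').Effective
    if ($limit -gt $max) {
        Write-Warning "QueryResultCountLimit ($limit) exceeds QueryResultCountMaximum ($max); the console caps results at $max."
    }
    $rows
}

# Usage: run on a machine with the console installed
# Get-ConsoleSearchLimit | Format-Table -AutoSize
```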

Role-based administration for folders


(Introduced in version 1906)
You can set security scopes on folders. If you have access to an object in the folder but don't have access to the
folder, you'll be unable to see the object. Similarly, if you have access to a folder but not an object within it, you
won't see that object. Right-click a folder, choose Set Security Scopes, then choose the security scopes you
want to apply.
Views sort by integer values
We've made improvements to how various views sort data. For example, in the Deployments node of the
Monitoring workspace, the following columns now sort as numbers instead of string values:
Number Errors
Number In Progress
Number Other
Number Success
Number Unknown
Move the warning for a large number of results
When you select a node in the console that returns more than 1,000 results, Configuration Manager displays the
following warning:

Configuration Manager returned a large number of results. You can narrow your results by using search. Or,
click here to view a maximum of 100000 results.

There's now additional blank space in between this warning and the search field. This move helps to prevent
inadvertently selecting the warning to display more results.
Send feedback
Submit product feedback from the console.
Send a smile: Send feedback on what you liked
Send a frown: Send feedback on what you didn't like
Send a suggestion: Takes you to the product feedback site to share your idea
For more information, see Product Feedback.

Assets and Compliance workspace


Co-management Eligible Devices collection
(Introduced in version 2111)
There's a new built-in device collection for Co-management Eligible Devices. The Co-management
Eligible Devices collection uses incremental updates and a daily full update to keep the collection up to date.
Collections tab
(Introduced in version 2111)
When you show the members of a device collection, and select a device in the list, switch to the Collections tab
in the details pane. This new view shows the list of collections of which the selected device is a member. It makes
it easier for you to see this information.

Navigate to collection
(Introduced in version 2107)
You can now navigate to a collection from the Collections tab in the Devices node. Select View Collection
from either the ribbon or the right-click menu in the tab.
Added maintenance window column
(Introduced in version 2107)
A Maintenance window column was added to the Collections tab in the Devices node.

Display assigned users


(Introduced in version 2107)
If a collection deletion fails due to scope assignment, the assigned users are displayed.
Copy discovery data from the console
(Introduced in version 2010)
Copy discovery data from devices and users in the console. Copy the details to the clipboard, or export them all
to a file. These actions make it easier for you to quickly get this data from the console. For example, copy the
MAC address of a device before you reimage it.
1. In the Configuration Manager console, go to the Assets and Compliance workspace. Open the
properties for a user or device.
2. On the General tab, in the Discovery data list, select one or more properties.
3. Right-click the selection, and choose one of the following actions:
Copy value: Copies just the value. You can also use the keyboard shortcut Ctrl + C.
Copy property and value: Copies both the property name and the corresponding value. You can
also use the keyboard shortcut Ctrl + Shift + C.
Select all: Selects all properties and values. You can also use the keyboard shortcut Ctrl + A.
Save results as: Saves all properties and values to a comma-separated values (CSV) file that you
specify.
Real-time actions from device lists
(Introduced in version 1906)
There are various ways to display a list of devices under the Devices node in the Assets and Compliance
workspace.
In the Assets and Compliance workspace, select the Device Collections node. Select a device
collection, and choose the action to Show members . This action opens a subnode of the Devices node
with a device list for that collection.
When you select the collection subnode, you can now start CMPivot from the Collection group of the
ribbon.
In the Monitoring workspace, select the Deployments node. Select a deployment, and choose the View
Status action in the ribbon. In the deployment status pane, double-click the total assets to drill-through
to a device list.
When you select a device in this list, you can now start CMPivot and Run Scripts from the Device
group of the ribbon.
Collections tab in devices node
(Introduced in version 1906)
In the Assets and Compliance workspace, go to the Devices node, and select a device. In the details pane,
switch to the new Collections tab. This tab lists the collections that include this device.
NOTE
This tab currently isn't available from a devices subnode under the Device Collections node. For example, when you
select the option to Show Members on a collection.
This tab may not populate as expected for some users. To see the complete list of collections a device belongs to, you
must have the Full Administrator security role. This is a known issue.

Add SMBIOS GUID column to device and device collection nodes


(Introduced in version 1906)
In both the Devices and Device Collections nodes, you can now add a new column for SMBIOS GUID. This
value is the same as the BIOS GUID property of the System Resource class. It's a unique identifier for the device
hardware.
Search device views using MAC address
You can search for a MAC address in a device view of the Configuration Manager console. This property is useful
for OS deployment administrators while troubleshooting PXE-based deployments. When you view a list of
devices, add the MAC Address column to the view. Use the search field to add the MAC Address search
criteria.
View users for a device
The following columns are available in the Devices node:
Primary user(s)
Currently logged on user

NOTE
Viewing the currently logged on user requires user discovery and user device affinity.

For more information on how to show a non-default column, see How to use the admin console.
Improvement to device search performance
When searching in a device collection, it doesn't search the keyword against all object properties. When you're
not specific about what to search, it searches across the following four properties:
Name
Primary user(s)
Currently logged on user
Last logon user name
This behavior significantly improves the time it takes to search by name, especially in a large environment.
Custom searches by specific criteria are unaffected by this change.

Software Library workspace


Improvements to console search
(Introduced in version 2107)
You can use the All Subfolders search option for the following nodes:
Boot Images node
Operating System Upgrade Packages node
Operating System Images node
Run software updates evaluation from deployment status
(Introduced in version 2107)
You can right-click and notify devices to run a software updates evaluation cycle from the software update
deployment status. You can target a single device under the Asset Details pane or select a group of devices
based on their deployment status.

1. In the Configuration Manager console, navigate to Monitoring > Overview > Deployments.
2. Select the software update group or software update for which you want to monitor the deployment status.
3. On the Home tab, in the Deployment group, select View Status .
4. Right-click on either a specific deployment status for the devices, or on a single device under Asset Details
pane.
5. Select Evaluate Software Update Deployments to send a notification to the selected devices to run an
evaluation cycle for software update deployments.
Import objects to current folder
(Introduced in version 2010)
When you import an object in the Configuration Manager console, it now imports to the current folder.
Previously, Configuration Manager always put imported objects in the root node. This new behavior applies to
applications, packages, driver packages, and task sequences.
See task sequence size in the console
(Introduced in version 2010)
When you view the list of task sequences in the Configuration Manager console, add the Size (KB) column. Use
this column to identify large task sequences that can cause problems. For more information, see Reduce the size
of task sequence policy.
Order by program name in task sequence
(Introduced in version 1906)
In the Software Library workspace, expand Operating Systems, and select the Task Sequences node. Edit a
task sequence, and select or add the Install Package step. If a package has more than one program, the drop-
down list now sorts the programs alphabetically.
Task sequences tab in applications node
(Introduced in version 1906)
In the Software Library workspace, expand Application Management, go to the Applications node, and
select an application. In the details pane, switch to the new Task sequences tab. This tab lists the task
sequences that reference this application.
Drill through required updates
(Introduced in version 1906)
1. Go to one of the following places in the Configuration Manager console:
Software Library > Software Updates > All Software Updates
Software Library > Windows Servicing > All Windows Updates
Software Library > Office 365 Client Management > Office 365 Updates
2. Select any update that is required by at least one device.
3. Look at the Summary tab and find the pie chart under Statistics.
4. Select the View Required hyperlink next to the pie chart to drill down into the device list.
5. This action takes you to a temporary node under Devices where you can see the devices requiring the
update. You can also take actions for the node such as creating a new collection from the list.

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.

Maximize the browse registry window


1. In the Software Library workspace, expand Application Management, and select the Applications
node.
2. Select an application that has a deployment type with a detection method. For example, a Windows Installer
detection method.
3. In the details pane, switch to the Deployment Types tab.
4. Open the properties of a deployment type, and switch to the Detection Method tab. Select Add Clause .
5. Change the Setting Type to Registry and select Browse to open the Browse Registry window. You can
now maximize this window.
Edit a task sequence by default
In the Software Library workspace, expand Operating Systems, and select the Task Sequences node. Edit
is now the default action when opening a task sequence. Previously the default action was Properties.
Go to the collection from an application deployment
1. In the Software Library workspace, expand Application Management, and select the Applications
node.
2. Select an application. In the details pane, switch to the Deployments tab.
3. Select a deployment, and then choose the new Collection option in the ribbon on the Deployment tab. This
action switches the view to the collection that's the target of the deployment.
This action is also available from the right-click context menu on the deployment in this view.

Monitoring workspace
Collection evaluation time
(Introduced in version 2111)
When viewing a collection, you could previously see the amount of time the site took to evaluate the collection
membership. This data is now also available in the Monitoring workspace. When you select a collection in
either subnode of the Collection Evaluation node, the details pane displays this collection evaluation time
data.

Correct names for client operations


(Introduced in version 1906)
In the Monitoring workspace, select Client Operations . The operation to Switch to next Software Update
Point is now properly named.
Show collection name for scripts
(Introduced in version 1906)
In the Monitoring workspace, select the Script Status node. It now lists the Collection Name and the ID.
Remove content from monitoring status
1. In the Monitoring workspace, expand Distribution Status , and select Content Status .
2. Select an item in the list, and choose the View Status option in the ribbon.
3. In the Asset Details pane, right-click a distribution point, and select the new option Remove . This action
removes this content from the selected distribution point.
Copy details in monitoring views
Copy information from the Asset Details pane for the following monitoring nodes:
Content Distribution Status
Deployment Status
Administration workspace
Status message shortcuts
(Introduced in version 2107)
Shortcuts to status messages were added to the Administrative Users node and the Accounts node. Select
an account, then select Show Status Messages .

Enable some security nodes to use the administration service


Starting in version 1906, you can enable some nodes under the Security node to use the administration
service. This change allows the console to communicate with the SMS Provider over HTTPS instead of via WMI.
For more information, see Set up the administration service.

Next steps
Use the console
Console notifications
Accessibility features
Fundamentals of Configuration Manager

Applies to: Configuration Manager (current branch)


If you're new to Configuration Manager current branch, start with the fundamentals. Before you run setup to
install your first site, learn about the basic concepts of Configuration Manager. If you're already familiar with
System Center 2012 Configuration Manager, then start with What's changed from System Center 2012
Configuration Manager.
For information about supported operating systems and supported environments, hardware requirements, and
capacity information, see Supported configurations for Configuration Manager.
See the following articles to learn about fundamental concepts for Configuration Manager:
Fundamentals of sites and hierarchies
About upgrade, update, and install
Fundamentals of managing devices
Fundamentals of client management tasks
Fundamentals of security
Fundamentals of role-based administration
Fundamentals of content management
Fundamentals of sites and hierarchies for Configuration Manager

Applies to: Configuration Manager (current branch)


A Configuration Manager deployment must be installed in an Active Directory domain. The foundation of this
deployment includes one or more Configuration Manager sites that form a hierarchy of sites. From a single site
to a multi-site hierarchy, the type and location of sites you install provide the ability to scale up (expand) your
deployment when necessary, and deliver key services to managed users and devices.

Hierarchies of sites
When you install Configuration Manager for the first time, the first Configuration Manager site that you install
determines the scope of your hierarchy. The first Configuration Manager site is the foundation from which you
will manage devices and users in your enterprise. This first site must be either a central administration site or a
stand-alone primary site.
A central administration site is suitable for large-scale deployments, provides a central point of administration,
and provides the flexibility to support devices that are distributed across a global network infrastructure. After
you install a central administration site, you will need to install one or more primary sites as child sites. This
configuration is necessary because a central administration site does not directly support management of
devices, which is the function of a primary site. A central administration site supports multiple child-primary
sites. The child-primary sites are used to directly manage devices, and to control network bandwidth when your
managed devices are in different geographical locations.
A stand-alone primary site is suitable for smaller deployments, and can be used to manage devices without
having to install additional sites. Although a stand-alone primary site can limit the size of your deployment, it
does support a scenario to expand your hierarchy at a later time by installing a new central administration site.
With this site expansion scenario, your stand-alone primary site becomes a child-primary site, and you can then
install additional child-primary sites below your new central administration site. You can then expand your initial
deployment for future growth of your enterprise.

TIP
A stand-alone primary site and a child-primary site are really the same type of site: a primary site. The difference in name
is based on the hierarchy relationship that is created when you also use a central administration site. This hierarchy
relationship can also limit the installation of certain site system roles that extend Configuration Manager functionality. This
limitation of roles occurs because certain site system roles can only be installed on the top-tier site of the hierarchy, a
central administration site, or a stand-alone primary site.

After you install your first site, you can install additional sites. If your first site was a central administration site,
then you can install one or more child-primary sites. After you install a primary site (stand-alone, or child-
primary), you can then install one or more secondary sites.
A secondary site can only be installed as a child site below a primary site. This site type extends the reach of a
primary site to manage devices in locations that have a slow network connection to the primary site. Even
though a secondary site extends the primary site, the primary site manages all of the clients. The secondary site
provides support for devices in the remote location. It provides support by compressing and then managing the
transfer of information across your network that you send (deploy) to clients, and that clients send back to the
site.
The following diagrams show some example site designs.

For more information, see the following topics:


Introduction to Configuration Manager
Design a hierarchy of sites for Configuration Manager
Install Configuration Manager sites

Site system servers and site system roles


Each Configuration Manager site installs site system roles that support management operations. The following
roles are installed by default when you install a site:
The site server role is assigned to the computer where you install the site.
The site database server role is assigned to the SQL Server that hosts the site database.
Other site system roles are optional, and are only used when you want to use the functionality that is active in a
site system role. Any computer that hosts a site system role is referred to as a site system server.
For a smaller deployment of Configuration Manager, you might initially run all of your site system roles directly
on the site server computer. Then, as your managed environment and needs grow, you can install additional site
system servers to host additional site system roles to improve the site's efficiency in providing services to more
devices.
For information about the different site system roles, see Site system roles in Plan for site system servers and
site system roles for Configuration Manager.

Publishing site information to Active Directory Domain Services


To simplify management of Configuration Manager, you can extend the Active Directory schema to support
details that are used by Configuration Manager, and then have sites publish their key information to Active
Directory Domain Services (AD DS). Then the computers that you want to manage can securely retrieve site-
related information from the trusted source of AD DS. The information clients can retrieve identifies available
sites, site system servers, and the services that those site system servers provide.
Extending the Active Directory schema is done only one time for each forest, and can be done before or after
you install Configuration Manager. When you extend the schema, you must create a new Active Directory
container named System Management in each domain. The container contains a Configuration Manager site
that will publish data for clients to find. For more information, see Prepare Active Directory for site publishing.
Publishing site data improves the security of your Configuration Manager hierarchy and reduces administrative
overhead, but is not required for basic Configuration Manager functionality.
About upgrade, update, and install for site and hierarchy infrastructure

Applies to: Configuration Manager (current branch)


When managing Configuration Manager sites and hierarchy infrastructure, the terms upgrade, update, and
install are used to describe three separate concepts.

Upgrade
Upgrade, or in-place upgrade, is used when converting your Configuration Manager 2012 site or hierarchy to
one that runs Configuration Manager current branch.
When you upgrade System Center 2012 Configuration Manager to Configuration Manager current branch, you
continue to use the same servers to host your sites and site servers, and you retain your existing data and
configurations for Configuration Manager. This is different from Migration which is a way to retain your
configurations and data about managed devices while using new Configuration Manager current branch sites
installed to new hardware.
For more details, see Upgrade to Configuration Manager.

Update
Update is used for installing in-console updates for Configuration Manager, and for out-of-band updates which
are updates that cannot be delivered from within the Configuration Manager console. In-console updates can
modify the version of your Current Branch site (or Technical Preview site) so that it runs a higher version. For
example, if your site runs version 1806, you can install an update for version 1810. Updates can also install fixes
for a known issue, without modifying the site version.
Typically, updates add security fixes, quality improvements, and new features to your existing deployment. If you
use the Technical Preview branch, an update can install a newer version of the Technical Preview.
You choose when to install the in-console update, starting at the top-tier site of your hierarchy.
You can install any update that is available from within the console. For example, if your site runs version
1802 and both 1806 and 1810 are offered, you should consider installing version 1810 because each version
includes the features that were first made available in previously released versions.
After a new update completes installation at your top-tier site, child primary sites automatically start the
process to update. However, you can set Service Windows to control the timing of updates.
Secondary sites do not automatically install updates. Instead, you manually start the update from within the
Configuration Manager console.
For more, see Updates for Configuration Manager, and Technical Preview for Configuration Manager.

Install
Install is used when creating a new Configuration Manager hierarchy from scratch, or adding additional sites to
an existing hierarchy.
When you install a new primary site or central administration site, the location of setup.exe and its related
source files that you use depends on your installation scenario.
For more, see Prepare to install sites.
Fundamentals of managing devices with Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager can manage two broad categories of devices:
Clients are devices like workstations, laptops, servers, and mobile devices where you install the
Configuration Manager client software. Some management functions, like hardware inventory, require
this client software.
Managed devices can include clients, but typically it's a mobile device where the Configuration Manager
client software isn't installed. On this kind of device, you manage by using the built-in on-premises
mobile device management in Configuration Manager.
You can also group and identify devices based on the user, not just the client type.

Managing devices with the Configuration Manager client


There are two ways to use the Configuration Manager client software to manage a device. The first way is to
discover the device on your network, and then deploy the client software to that device. The other way is to
manually install the client software on a new computer, and then have that computer join your site when it joins
your network. To discover devices where the client software is not installed, run one or more of the built-in
discovery methods. After a device is discovered, use one of several methods to install the client software. For
information on using discovery, see Run discovery for Configuration Manager.
After discovering the devices that are supported to run the Configuration Manager client software, you can use
one of several methods to install the software. After the software is installed and the client is assigned to a
primary site, you can begin to manage the device. Common installation methods include:
Client push installation
Software update-based installation
Group policy
Manual installation on a computer
Including the client as part of an OS image that you deploy
After the client is installed, you can simplify the tasks of managing devices by using collections. Collections are
groups of devices or users that you create so that you can manage them as a group. For example, you might
want to install a mobile device application on all mobile devices that Configuration Manager enrolls. If this is the
case, you can use the All Mobile Devices collection.
For more information, see these articles:
Choose a device management solution
Client installation methods
Introduction to collections
Client settings
When you first install Configuration Manager, all clients in the hierarchy are configured by using the default
client settings that you can change. The client settings include these configuration options:
How frequently the devices communicate with the site.
Whether the client is set up for software updates and other management operations.
Whether users can enroll their mobile devices so they're managed by Configuration Manager.
You can create custom client settings and then assign them to collections. Members of the collection are
configured to have the custom settings, and you can create multiple custom client settings that are applied in
the order that you specify (by numerical order). If there are conflicting settings, the setting that has the lowest
order number overrides the other settings.
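The precedence rule above, worked through in code. This is an added example with constructed settings names and collections, not Configuration Manager code; the only real value is the priority of 10000 that the Default Client Settings carry.

```python
"""Resolves which client settings a device ends up with when it belongs to
several collections that each have custom client settings deployed.
Added example with constructed values, not Configuration Manager code; it
models the rule in the article: custom settings override the default
client settings, and on a conflict the lowest priority number wins.
"""
from typing import Dict, Iterable, List, Tuple

# Default client settings have priority 10000, so every custom setting beats them.
DEFAULT_PRIORITY = 10000

# (name, priority, target collection, settings it defines)
CustomSetting = Tuple[str, int, str, Dict[str, object]]


def resolve_client_settings(default_settings: Dict[str, object],
                            custom_settings: Iterable[CustomSetting],
                            device_collections: Iterable[str]):
    """Return (effective settings, which settings object supplied each key)."""
    member_of = set(device_collections)
    # Only custom settings deployed to a collection the device belongs to apply.
    applicable: List[CustomSetting] = [c for c in custom_settings if c[2] in member_of]
    effective = dict(default_settings)
    source = {k: f"Default Client Settings (priority {DEFAULT_PRIORITY})"
              for k in default_settings}
    # Apply from the largest priority number to the smallest, so the lowest number
    # is written last and wins any conflict; keys a custom setting does not define
    # keep whatever a lower-precedence setting or the default supplied.
    for name, priority, _collection, values in sorted(applicable, key=lambda c: c[1],
                                                       reverse=True):
        for key, value in values.items():
            effective[key] = value
            source[key] = f"{name} (priority {priority})"
    return effective, source


# Constructed sample data: default settings plus two custom settings objects.
DEFAULTS = {"policy_polling_interval_minutes": 60,
            "software_updates_enabled": True,
            "allow_mobile_device_enrollment": False}

CUSTOM = [
    ("Servers - relaxed polling", 2, "All Servers",
     {"policy_polling_interval_minutes": 240}),
    ("Pilot - fast polling", 1, "Pilot Devices",
     {"policy_polling_interval_minutes": 15, "allow_mobile_device_enrollment": True}),
]

if __name__ == "__main__":
    for collections in (["All Servers"], ["All Servers", "Pilot Devices"]):
        effective, source = resolve_client_settings(DEFAULTS, CUSTOM, collections)
        print(collections)
        for key in effective:
            print(f"  {key} = {effective[key]!r}  <- {source[key]}")
```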
The following diagram shows an example of how you create and apply custom client settings.

To learn more about client settings, see the following articles:


How to configure client settings
About client settings

Managing devices without the Configuration Manager client


Configuration Manager supports the management of some devices that don't have the client software installed
and aren't managed by Intune. For more information, see Manage mobile devices with on-premises
infrastructure in Configuration Manager and Manage mobile devices with Configuration Manager and
Exchange.

User-based management
Configuration Manager supports collections of Azure Active Directory and Active Directory Domain Services
users. When you use a user collection, you can install software on all computers that members of the collection
use. To make sure that the software you deploy only installs on the devices that are specified as a user's primary
device, set up user device affinity. A user can have one or more primary devices.
One of the ways that users can control their software deployment experience is to use the Software Center
client interface. The Software Center is automatically installed on client computers and is run from the
Windows Start menu. The Software Center lets users manage their own software and do the following tasks:
Install software
Schedule software to automatically install outside working hours
Configure when Configuration Manager can install software on a device
Configure the access settings for remote control, if remote control is set up in Configuration Manager
Configure options for power management, if an administrator sets up this option
Browse for, install, and request software
Configure preference settings
When it's set up, specify a primary device for user device affinity
For more information, see the following articles:
Plan for Software Center
Link users and devices with user device affinity
Software Center user guide
Fundamentals of client management tasks for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


After you install the Configuration Manager clients, there are several tasks that you run to manage the clients.
Some of the tasks are run from the Configuration Manager console. Other tasks are run from the Configuration
Manager client application. The Configuration Manager client application is installed with the Configuration
Manager client software.

Configuration Manager console tasks


In the Configuration Manager console, you can perform various client management tasks:
Deploy applications, software updates, maintenance scripts, and operating systems. Configure installation
for a specific date and time, make the software available for users to install when they request it, or
configure applications to be uninstalled.
Help protect computers from malware and security threats, and notify you when problems are detected.
Define client configuration settings that you want to monitor, and remediate if they are out of compliance.
Collect hardware and software inventory information, which includes monitoring and reconciling license
information from Microsoft.
Troubleshoot computers by using remote control.
Implement power management settings to manage and monitor the power consumption of computers.
The Configuration Manager console monitors the previous tasks in near real time. Notification and status
information for each task is available in the Configuration Manager console. To capture data and historical
trending, use the integrated reporting capabilities of SQL Server Reporting Services. Clients submit details to
the site as client status. Client status information provides data about the health of the client and client activity,
and is viewed in the console or by using the built-in reports for Configuration Manager. This data helps identify
computers that are not responding and in some cases, problems are automatically remediated.
For more information about management tasks for clients, see How to manage clients. To learn about using
reports, see Introduction to reporting.

Configuration Manager client application


When you install the Configuration Manager client software, the Configuration Manager client application is
installed too. Unlike Software Center, the Configuration Manager client application is designed for the help desk
rather than for the end user. Some configuration options require local administrative permissions, and most
options require technical knowledge about how the Configuration Manager client application works. You can
use this application to perform the following tasks on a client:
View properties about the client, such as the build number, its assigned site, the management point it is
communicating with, and whether the client is using a public key infrastructure (PKI) certificate or a self-signed certificate.
Confirm that the client has successfully downloaded a client policy after the client is installed for the first
time. Also confirm that the client settings are enabled or disabled as expected, according to the client
settings that are configured in the Configuration Manager console.
Start client actions. For example, download the client policy if there was a recent configuration change in
the Configuration Manager console, and you do not want to wait until the next scheduled time.
Manually assign a client to a Configuration Manager site or try to find a site. Then specify the Domain
Name System (DNS) suffix for management points that publish to DNS.
Configure the client cache that temporarily stores files. Then delete files in the cache if you require more
disk space to install software.
Configure settings for Internet-based client management.
View configuration baselines that were deployed to the client, initiate compliance evaluation, and view
compliance reports.
Fundamentals of security for Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


This article summarizes the following fundamental security components of any Configuration Manager
environment:
Security layers
Role-based administration
Securing client endpoints
Configuration Manager accounts and groups
Privacy

Security layers
Security for Configuration Manager consists of the following layers:
Windows OS and network security
Network infrastructure: firewalls, intrusion detection, public key infrastructure (PKI)
Configuration Manager security controls
SMS Provider
Site database permissions
Windows OS and network security
The first layer is provided by Windows security features for both the OS and the network. This layer includes the
following components:
File sharing to transfer files between Configuration Manager components.
Access Control Lists (ACLs) to help secure files and registry keys.
Internet Protocol Security (IPsec) to help secure communications.
Group policy to set security policy.
Distributed Component Object Model (DCOM) permissions for distributed applications, like the
Configuration Manager console.
Active Directory Domain Services to store security principals.
Windows account security, including some groups that Configuration Manager creates during setup.
Network infrastructure
Network security components, like firewalls and intrusion detection, help provide defense for the whole
environment. Certificates issued by industry standard public key infrastructure (PKI) implementations help
provide authentication, signing, and encryption.
Configuration Manager security controls
By default, only local administrators have rights to the files and registry keys that the Configuration Manager
console requires on computers where you install it.
SMS Provider
The next layer of security is based on access to the SMS Provider. The SMS Provider is a Configuration Manager
component that grants a user access to query the site database for information. The SMS Provider primarily
exposes access through Windows Management Instrumentation (WMI), but also a REST API called the
administration service.
By default, access to the provider is restricted to members of the local SMS Admins group. This group at first
contains only the user who installed Configuration Manager. To grant other accounts permission to the Common
Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group.
You can specify the minimum authentication level for administrators to access Configuration Manager sites. This
feature requires administrators to sign in to Windows with that level of authentication. For more information, see Plan
for the SMS Provider.
Site database permissions
The final layer of security is based on permissions to objects in the site database. By default, the Local System
account and the user account that you used to install Configuration Manager can administer all objects in the
site database. Grant and restrict permissions to other administrative users in the Configuration Manager console
by using role-based administration.

Role-based administration
Configuration Manager uses role-based administration to help secure objects like collections, deployments, and
sites. This administration model centrally defines and manages hierarchy-wide security access settings for all
sites and site settings.
An administrator assigns security roles to administrative users and group permissions. The permissions are
connected to different Configuration Manager object types, for example, to create or change client settings.
Security scopes include specific instances of objects that an administrative user is responsible to manage. For
example, an application that installs the Configuration Manager console.
The combination of security roles, security scopes, and collections define the objects that an administrative user
can view and manage. Configuration Manager installs some default security roles for typical management tasks.
Create your own security roles to support your specific business requirements.
For more information, see Fundamentals of role-based administration.

Securing client endpoints


Configuration Manager secures client communication to site system roles by using either self-signed or PKI
certificates, or Azure Active Directory (Azure AD) tokens. Some scenarios require the use of PKI certificates, for
example, internet-based client management and mobile device clients.
You can configure the site system roles to which clients connect for either HTTPS or HTTP client communication.
Client computers always communicate by using the most secure method that's available. Client computers only
fall back to using the less secure communication method if you have site systems roles that allow HTTP
communication.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

For more information, see Plan for security.


Configuration Manager accounts and groups
Configuration Manager uses the Local System account for most site operations. Some site operations allow the
use of a service account, instead of using the domain computer account of the site server. Some management
tasks might require you to create and maintain other accounts. For example, to join the domain during an OS
deployment task sequence.
Configuration Manager creates several default groups and SQL Server roles during setup. You might have to
manually add computer or user accounts to the default groups and SQL Server roles.
For more information, see Accounts used in Configuration Manager.

Privacy
Before you implement Configuration Manager, consider your privacy requirements. Although enterprise
management products offer many advantages because they can effectively manage lots of clients, this software
might affect the privacy of users in your organization. Configuration Manager includes many tools to collect
data and monitor devices. Some tools might raise privacy concerns in your organization.
For example, when you install the Configuration Manager client, it enables many management settings by
default. This configuration causes the client software to send information to the Configuration Manager site. The
site stores client information in the site database. The client information isn't directly sent to Microsoft. For more
information, see Diagnostics and usage data.

Next steps
Fundamentals of role-based administration
Plan for security
Fundamentals of role-based administration for Configuration Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


With Configuration Manager, you use role-based administration to secure the access that administrative users
need to use Configuration Manager. You also secure access to the objects that you manage, like collections,
deployments, and sites.
The role-based administration model centrally defines and manages hierarchy-wide security access. This model
is for all sites and site settings by using the following items:
Security roles are assigned to administrative users to give them permission to Configuration Manager
objects. For example, permission to create or change client settings.
Security scopes are used to group specific instances of objects that an administrative user is responsible
to manage. For example, an application that installs the Configuration Manager console.
Collections are used to specify groups of users and devices that the administrative user can manage in
Configuration Manager.
With the combination of roles, scopes, and collections, you segregate the administrative assignments that meet
your organization's requirements. Used together, they define the administrative scope of a user. This
administrative scope controls the objects that an administrative user views in the Configuration Manager
console, and it controls the permissions that a user has on those objects.

Benefits
The following items are benefits of role-based administration in Configuration Manager:
Sites aren't used as administrative boundaries. In other words, don't expand a standalone primary site to
a hierarchy with a central administration site to separate administrative users.
You create administrative users for a hierarchy and only need to assign security to them one time.
All security assignments are replicated and available throughout the hierarchy. Role-based administration
configurations replicate to each site in the hierarchy as global data, and then are applied to all
administrative connections.

IMPORTANT
Intersite replication delays can prevent a site from receiving changes for role-based administration. For more
information about how to monitor intersite database replication, see Data transfers between sites.

There are built-in security roles that are used to assign the typical administration tasks. Create your own
custom security roles to support your specific business requirements.
Administrative users see only the objects that they have permissions to manage.
You can audit administrative security actions.
Security roles
Use security roles to grant security permissions to administrative users. Security roles are groups of security
permissions that you assign to administrative users so that they can do their administrative tasks. These security
permissions define the actions that an administrative user can do and the permissions that are granted for
particular object types. As a security best practice, assign the security roles that provide the least permissions
that are required for the task.
Configuration Manager has several built-in security roles to support typical groupings of administrative tasks.
You can create your own custom security roles to support your specific business requirements.
The following table summarizes all of the built-in roles:

NAME: DESCRIPTION

Application administrator: Combines the permissions of the Application deployment manager and the Application author roles. Administrative users in this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments.

Application author: Can create, modify, and retire applications. Administrative users in this role can also manage applications, packages, and App-V virtual environments.

Application deployment manager: Can deploy applications. Administrative users in this role can view a list of applications. They can manage deployments for applications, alerts, and packages. They can view collections and their members, status messages, queries, conditional delivery rules, and App-V virtual environments.

Asset manager: Grants permissions to manage the Asset Intelligence synchronization point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.

Company resource access manager: Grants permissions to create, manage, and deploy company resource access profiles. For example, Wi-Fi, VPN, Exchange ActiveSync email, and certificate profiles.

Compliance settings manager: Grants permissions to define and monitor compliance settings. Administrative users in this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, start compliance evaluation, and start remediation for non-compliant computers.

Endpoint protection manager: Grants permissions to create, modify, and delete endpoint protection policies. They can deploy these policies to collections, create and modify alerts, and monitor endpoint protection status.

Full administrator: Grants all permissions in Configuration Manager. The administrative user who installs Configuration Manager is automatically granted this security role, all scopes, and all collections.

Infrastructure administrator: Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to run migration tasks.

Operating system deployment manager: Grants permissions to create OS images and deploy them to computers, manage OS upgrade packages and images, task sequences, drivers, boot images, and state migration settings.

Operations administrator: Grants permissions for all actions in Configuration Manager except for the permissions to manage security. This role can't manage administrative users, security roles, and security scopes.

Read-only analyst: Grants permissions to view all Configuration Manager objects.

Remote tools operator: Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users in this role can run remote control, remote assistance, and remote desktop from the Configuration Manager console.

Security administrator: Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users in this role can also create, modify, and delete security roles and their assigned security scopes and collections.

Software update manager: Grants permissions to define and deploy software updates. Administrative users in this role can manage software update groups, deployments, and deployment templates.

TIP
If you have permissions, you can view the list of all security roles in the Configuration Manager console. To view the roles,
go to the Administration workspace, expand Security, and then select the Security Roles node.

You can't modify the built-in security roles, other than to add administrative users to them. You can copy a role, make
changes, and then save these changes as a new custom security role. You can also import security roles that
you've exported from another hierarchy like a lab environment. For more information, see Configure role-based
administration.
Review the security roles and their permissions to determine whether you'll use the built-in security roles, or
whether you have to create your own custom security roles.
Role permissions
Each security role has specific permissions for different object types. For example, the application author role
has the following permissions for applications:
Approve
Create
Delete
Modify
Modify folder
Move object
Read
Run report
Set security scope
This role also has permissions for other objects.

For more information on how to view the permissions for a role, or change the permissions for a custom role,
see Configure role-based administration.
Plan for security roles
Use this process to plan for Configuration Manager security roles in your environment:
1. Identify the tasks that administrative users need to do in Configuration Manager. These tasks might relate
to one or more groups of management tasks. For example, deploying operating systems and settings for
compliance.
2. Map these administrative tasks to one or more of the built-in roles.
3. If some of the administrative users do the tasks of multiple roles, assign the users to the multiple roles.
Don't create a custom role that combines the permissions.
4. If the tasks that you identified don't map to the built-in security roles, create and test custom roles.
For more information, see Create custom security roles and Configure security roles.

Collections
Collections specify the users and devices that an administrative user can view or manage. For example, to
deploy an application to a device, the administrative user needs to be in a security role that grants access to a
collection that contains the device.
For more information about collections, see Introduction to collections.
Before you configure role-based administration, decide whether you have to create new collections for any of
the following reasons:
Functional organization. For example, separate collections of servers and workstations.
Geographic alignment. For example, separate collections for North America and Europe.
Security requirements and business processes. For example, separate collections for production and test
computers.
Organization alignment. For example, separate collections for each business unit.
For more information, see Configure collections to manage security.

Security scopes
Use security scopes to provide administrative users with access to securable objects. A security scope is a named
set of securable objects that are assigned to administrator users as a group. All securable objects are assigned to
one or more security scopes. Configuration Manager has two built-in security scopes:
All: Grants access to all scopes. You can't assign objects to this security scope.
Default: This scope is used for all objects by default. When you install Configuration Manager, it assigns
all objects to this security scope.
If you want to restrict the objects that administrative users can see and manage, create your own custom
security scopes. Security scopes don't support a hierarchical structure and can't be nested. Security scopes can
contain one or more object types, which include the following items:
Alert subscriptions
Applications and application groups
App-V virtual environments
Boot images
Boundary groups
Configuration items and baselines
Custom client settings
Distribution points and distribution point groups
Driver packages
Endpoint protection policies (all)
Folders
Global conditions
Migration jobs
OneDrive for Business profiles
OS images
OS upgrade packages
Packages
Queries
Remote connection profiles
Scripts
Sites
Software metering rules
Software update groups
Software updates packages
Task sequences
User data and profiles configuration items
Windows Update for Business policies
There are also some objects that you can't include in security scopes because they're only secured by security
roles. Administrative access to these objects can't be limited to a subset of the available objects. For example,
you might have an administrative user who creates boundary groups that are used for a specific site. Because
the boundary object doesn't support security scopes, you can't assign this user a security scope that provides
access to only the boundaries that might be associated with that site. Because a boundary object can't be
associated to a security scope, when you assign a security role that includes access to boundary objects to a
user, that user can access every boundary in the hierarchy.
Objects that don't support security scopes include but aren't limited to the following items:
Active Directory forests
Administrative users
Alerts
Boundaries
Computer associations
Default client settings
Deployment templates
Device drivers
Migration site-to-site mappings
Security roles
Security scopes
Site addresses
Site system roles
Software updates
Status messages
User device affinities
Create security scopes when you have to limit access to separate instances of objects. For example:
You have a group of administrative users who need to see production applications and not test
applications. Create one security scope for production applications and another for test applications.
One group of administrative users requires Read permission to specific software update groups. Another
group of administrative users requires Modify and Delete permissions for other software update groups.
Create different security scopes for these software update groups.
For more information, see Configure security scopes for an object.
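The way roles, scopes and collections combine, including the boundary case above where an object type that doesn't support scopes is reachable hierarchy-wide, and the advice to assign several built-in roles rather than a merged custom role, as a small model in code. This is an added illustration, not Configuration Manager's own evaluation logic; the users, objects, scope names and the simplified collection rule are constructed for the example.

```python
"""Toy model of Configuration Manager role-based administration (RBA).

Added illustration, not Configuration Manager code: it shows how a security
role (permissions per object type), the security scopes and collections
assigned with that role, and the object's own scope combine to decide what an
administrative user may do. Role names follow the built-in roles; the users,
objects and scope names are constructed, and the rule that a collection-targeted
object also needs the collection is a simplification of the real evaluation.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Object types the article lists as secured by security roles only: they never
# carry a security scope, so a role that grants them applies hierarchy-wide.
SCOPE_UNAWARE_TYPES = {"Boundary", "Alert", "SecurityRole", "SecurityScope",
                       "SoftwareUpdate", "SiteSystemRole"}

ALL = "All"  # the built-in "All" scope, also used here to mean "all collections"


@dataclass(frozen=True)
class SecurableObject:
    name: str
    type: str
    scopes: FrozenSet[str] = frozenset({"Default"})  # ignored for scope-unaware types
    collection: Optional[str] = None                  # collection a deployment targets


@dataclass
class Role:
    name: str
    permissions: Dict[str, FrozenSet[str]]  # object type -> permission names


@dataclass
class Assignment:
    role: Role
    scopes: FrozenSet[str]       # security scopes granted with this role
    collections: FrozenSet[str]  # collections granted with this role


@dataclass
class AdminUser:
    name: str
    assignments: List[Assignment] = field(default_factory=list)


def assignment_reaches(a: Assignment, obj: SecurableObject) -> bool:
    """Does this role assignment's scope and collection set cover the object?"""
    if obj.type not in SCOPE_UNAWARE_TYPES:
        # "All" grants every scope; otherwise the object must sit in a granted scope.
        if ALL not in a.scopes and not (obj.scopes & a.scopes):
            return False
    if obj.collection is not None:
        if ALL not in a.collections and obj.collection not in a.collections:
            return False
    return True


def effective_permissions(user: AdminUser, obj: SecurableObject) -> Set[str]:
    """Union of the permissions every reaching assignment grants on obj's type.

    Roles add up, which is why the article advises assigning several built-in
    roles to a user instead of creating a custom role that merges them.
    """
    granted: Set[str] = set()
    for a in user.assignments:
        if assignment_reaches(a, obj):
            granted |= a.role.permissions.get(obj.type, frozenset())
    return granted


def has_permission(user: AdminUser, obj: SecurableObject, permission: str) -> bool:
    return permission in effective_permissions(user, obj)


# Constructed roles carrying a subset of their real permissions.
APP_AUTHOR = Role("Application author",
                  {"Application": frozenset({"Create", "Modify", "Delete", "Read"})})
APP_DEPLOYMENT_MANAGER = Role("Application deployment manager",
                              {"Application": frozenset({"Read"}),
                               "Deployment": frozenset({"Create", "Read", "Delete"})})
INFRA_ADMIN = Role("Infrastructure administrator",
                   {"Boundary": frozenset({"Create", "Modify", "Delete", "Read"})})

# Constructed objects: production and test applications live in separate scopes.
PROD_APP = SecurableObject("Payroll", "Application", frozenset({"Production"}))
TEST_APP = SecurableObject("Payroll (test)", "Application", frozenset({"Test"}))
HQ_BOUNDARY = SecurableObject("HQ-10.0.0.0/8", "Boundary")
PROD_DEPLOYMENT = SecurableObject("Payroll to Finance", "Deployment",
                                  frozenset({"Production"}), collection="Finance workstations")


def build_users() -> Dict[str, AdminUser]:
    """Constructed administrative users with least-privilege style assignments."""
    return {
        # Authors production applications only; the Test scope is not granted.
        "alice": AdminUser("alice", [Assignment(APP_AUTHOR, frozenset({"Production"}), frozenset({ALL}))]),
        # Two built-in roles combined instead of one custom merged role.
        "bob": AdminUser("bob", [
            Assignment(APP_AUTHOR, frozenset({"Production"}), frozenset({ALL})),
            Assignment(APP_DEPLOYMENT_MANAGER, frozenset({"Production"}), frozenset({"Finance workstations"})),
        ]),
        # Scoped to Production only, yet boundaries ignore scopes, so every boundary is reachable.
        "carol": AdminUser("carol", [Assignment(INFRA_ADMIN, frozenset({"Production"}), frozenset({ALL}))]),
        # Deployment manager limited to the HR collection: cannot see Finance deployments.
        "dave": AdminUser("dave", [Assignment(APP_DEPLOYMENT_MANAGER, frozenset({ALL}), frozenset({"HR workstations"}))]),
    }


if __name__ == "__main__":
    for name, user in build_users().items():
        for obj in (PROD_APP, TEST_APP, HQ_BOUNDARY, PROD_DEPLOYMENT):
            print(f"{name:6} {obj.name:20} {sorted(effective_permissions(user, obj))}")
```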

Next steps
Configure role-based administration for Configuration Manager
Configuration Manager and Windows as a service
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager provides comprehensive control over feature updates for Windows. To fully adopt the
Windows as a service model, you also must adopt the Configuration Manager current branch model. Staying
current with Windows requires that you stay current with Configuration Manager. New versions of Configuration
Manager are required to take full advantage of the new enterprise features for Windows. This article is a landing
page for the key articles required to adopt Configuration Manager current branch, which gets you on your way
to Windows as a service.

Configuration Manager current branch


ARTICLE: DESCRIPTION

Overview of Configuration Manager current branch: Provides a brief summary of the key points for the servicing model for Configuration Manager current branch.

Support lifecycle: Explains the current branch support and servicing model.

Removed and deprecated items: Provides early notice about future changes that might affect your use of Configuration Manager.

Updates to Configuration Manager current branch: Explains the easy in-console method of applying feature updates to Configuration Manager.

Get available updates: Explains the two modes available to get new Configuration Manager feature updates.

Update checklist: Provides update version-specific checklists, if applicable.

Install new Configuration Manager feature updates: Explains the simple installation steps for feature updates.

Support for Windows 11: Provides a support matrix for Windows 11 versions.

Support for Windows 10: Provides a support matrix for Windows 10 versions.

Support for Windows ADK: Provides a support matrix for the Windows Assessment and Deployment Kit (Windows ADK).

Technical Previews for Configuration Manager: Provides information about the Configuration Manager technical preview program.

Windows as a service
ARTICLE: DESCRIPTION

Manage Windows as a service: Explains how to use servicing plans to deploy Windows feature updates.

Upgrade Windows via task sequence: The details of creating a task sequence to upgrade Windows with additional recommendations.

Phased deployments: Phased deployments automate a coordinated, sequenced rollout of a task sequence across multiple collections.

Optimize Windows update delivery: Use Configuration Manager to manage update content to stay current with Windows.

Use Desktop Analytics: Desktop Analytics allows you to assess and analyze the readiness of devices in your environment for an upgrade to Windows.

Windows Update for Business integration (optional): Explains how to define and deploy Windows Update for Business (WUfB) policies using Configuration Manager.

Use co-management with Microsoft Intune and Windows Update for Business (optional): Provides an overview of co-management.

Product lifecycle
Another important aspect of staying current with Windows and Configuration Manager is to monitor product
lifecycles. Configuration Manager has built-in features to help:
Be proactive with dashboards for planning:
    Product lifecycle dashboard: View the Microsoft Lifecycle Policy for applicable products.
    Windows servicing dashboard: Provides you with information about computers in your environment,
    servicing plans, and compliance information.
Be reactive with notifications, management insights, and reports:
    Configuration Manager console notifications: Look for in-console notifications about devices with
    operating systems that are past the end of support date and that are no longer eligible to receive
    security updates.
    Management insights:
        Security: Identify clients with unsupported antimalware client versions or clients running earlier
        versions of Windows that don't receive security updates by default.
        Simplified management: Identify clients running an unsupported version of Windows or with
        an earlier version of the Configuration Manager client.
    Reports:
        Data warehouse historical reporting: View computers that are missing software updates.
        OS reports: View computers by OS versions and servicing details.
        Software Updates compliance reports: View software update compliance details.
        Power BI sample reports for software updates: Use Power BI to view software update compliance
        status.

Next steps
In-place upgrade to Configuration Manager current branch from System Center 2012 Configuration
Manager
Plan for migration to Configuration Manager current branch
Use cloud services with Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports several cloud-based options. These can supplement your on-premises
infrastructure, and can help solve business problems like:
How to manage clients that roam onto the internet.
How to provide content resources to isolated clients or resources on the intranet, outside your firewall.
How to scale out infrastructure when physical hardware isn't available, or isn't logically placed to support
your needs.
Provisioning cloud resources isn't something you have to do before you deploy Configuration Manager. It can
be beneficial to understand these options before progressing too far in a hierarchy design plan. The use of cloud
resources might save you money and time, while solving business problems that on-premises infrastructure
can't.

Cloud-based resources
Each option has different requirements. Investigate each in greater depth to understand the unique
prerequisites, limitations, and potential for additional costs based on use.
Azure virtual machines for cloud-based infrastructure
Configuration Manager supports using computers that run in virtual machines in Azure. You can use Azure
virtual machines in the following scenarios:
Run Configuration Manager in a virtual machine and use it to manage clients installed in other cloud-
based virtual machines.
Run Configuration Manager in a virtual machine and use it to manage clients that aren't in Azure.
Run different Configuration Manager site system roles in Azure virtual machines. Run other roles in your
on-premises network. Configure appropriate network connectivity for communications.
The same network, operating system, and hardware requirements that apply to installing Configuration Manager
on your on-premises network also apply to installing Configuration Manager in Azure.
An Azure subscription is required to use Azure virtual machines. You incur charges based on the number of
virtual machines you use, their configuration, and use of cloud-based resources.
Additionally, Configuration Manager sites and clients that run in Azure virtual machines are subject to the same
license requirements as on-premises installations.
For more information, see Configuration Manager on Azure FAQ.
Azure services
You can connect the site to Azure for several scenarios:
Azure Active Directory authentication and discovery. For more information, see Configure Azure services.
Cloud management gateway to manage internet-based clients. For more information, see Cloud
management gateway overview.
Deploy apps from the Microsoft Store for Business and Education. For more information, see Manage apps
from the Microsoft Store for Business and Education.
Use Windows data to gain insights into apps and drivers to help upgrade devices to Windows 10. For more
information, see What is Desktop Analytics?.
Microsoft Endpoint Manager tenant attach
These services differ from an Azure virtual machine on which you deploy a site system role. They:
Run as a service in Azure, not on a virtual machine.
Automatically scale to meet increased content requests from clients.
Support clients on the internet and the intranet.
An Azure subscription is required for these scenarios. You incur charges based on the amount of data that
transfers to and from the service.
Additional Configuration Manager capabilities
Some Configuration Manager capabilities can connect to cloud-based services, like:
Windows Server Update Services (WSUS)
Download updates for Configuration Manager
These additional capabilities don't require you to have an Azure subscription. You don't have to set up specific
connections, certificates, or services in the cloud. Instead, they are automatically managed by Configuration
Manager for you. All you need to do is ensure applicable site systems and devices can access the internet-based
URLs.

Security for cloud-based services


Configuration Manager uses certificates to provision and access your content in Azure, and to manage the
services that you use. Configuration Manager encrypts the data that you store in Azure, but doesn't introduce
additional security or data controls beyond those that Azure provides.
For more information, see the details for the different cloud-based resource scenarios. Also see an Introduction
to Azure security.
Which branch of Configuration Manager should I use?
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch & technical preview branch) & System Center Configuration
Manager (long-term servicing branch)
There are three branches of Configuration Manager available:
Current branch
Long-term servicing branch
Technical preview branch
Use this article to help you choose the right branch.

TIP
All sites in a hierarchy must run the same branch. It isn't supported to have a hierarchy with different branches at
different sites.

Current branch
This branch is licensed for use in a production environment. Use this branch to get the latest features and
functionalities. If you have one of the following licenses, you can use this branch:
System Center Datacenter
System Center Standard
System Center Configuration Manager
Equivalent subscription rights
For more information about Software Assurance and licensing options, see Licensing and branches for
Configuration Manager and Frequently asked questions for Configuration Manager branches and licensing.
Microsoft plans to release updates for Configuration Manager current branch a few times per year. Each update
version remains in support for 18 months from its general availability (GA) release date. Technical support is
provided for the entire period of support. However, our support structure is dynamic, evolving into two distinct
servicing phases that depend on the availability of the latest current branch version. (For more information, see
Support for Configuration Manager current branch versions.) Updates to newer versions are available as in-
console updates.
To install the current branch as a new site, use baseline media. Also use baseline media to upgrade from System
Center 2012 Configuration Manager with Service Pack 2 or System Center 2012 R2 Configuration Manager
with Service Pack 1. Access to this media depends on how your organization licenses Configuration Manager.
You can also use the baseline media to install a new site that is an evaluation edition of the current branch. The
evaluation edition doesn't require a license. You can use the evaluation edition for 180 days. It supports upgrade
to a licensed edition of the current branch. To install only an evaluation edition, get it from the Evaluation Center.
NOTE
Use baseline media to install sites for a new Configuration Manager hierarchy. If you previously installed a baseline
version, use in-console updates to update your sites to a new version.
Sites that are updated using in-console updates result in sites that are the same as the new site installed using the
baseline media.
For more information, see Updates for Configuration Manager.

Features of the current branch


Receives in-console updates that make new features available for use.
Receives in-console updates that deliver security and quality fixes to existing features.
Supports out-of-band updates when necessary. For more information, see Use the update registration tool or
Use the hotfix installer.
Integrates with cloud-based services.
Supports migration of data to and from other Configuration Manager installations.
Supports upgrade from previous versions of Configuration Manager.
Supports installation as an evaluation edition, from which you can later upgrade to a fully licensed
installation.
Microsoft recommends that you update to the newest version soon after its release. You can wait up to 18
months before updating to a newer version. You can also skip an update to install the newest version available.
Because each version is cumulative, if you skip over an update and install the newest version, you still get access
to all features and improvements from previous versions.
For more information, see Support for current branch versions.
Current branch update options
With active Software Assurance, you can install in-console updates for current branch versions.
There's no option to convert the current branch to a technical preview branch. Technical preview branches are
separate installations that don't require a license.
There's no option to convert your current branch to the long-term servicing branch (LTSB). You must
uninstall the current branch and then install the LTSB as a new installation.

Long-term servicing branch


This branch is licensed for use in production for Configuration Manager customers who are using the current
branch and have allowed their Configuration Manager Software Assurance (SA) or equivalent subscription
rights to expire after October 1, 2016. For more about Software Assurance and licensing options, see Licensing
and branches for Configuration Manager and Frequently asked questions for Configuration Manager branches
and licensing.
The LTSB is based on version 1606. This branch doesn't receive in-console updates that deliver new features or
update existing capabilities. However, critical security fixes are provided. To install the LTSB, you must use the
version 1606 baseline media that you get with System Center 2016. Later baseline versions don't support install
of the LTSB.
To install the LTSB as a new site or as an upgrade from a supported System Center 2012 Configuration Manager
site, use the version 1606 baseline media that you get with System Center 2016. You can use baseline media to
install a new site that runs version 1606 of the current branch, or a new site that runs the long-term servicing
branch.
TIP
To learn about System Center 2016, see System Center 2016 documentation. This documentation also identifies how to
get System Center 2016, which requires a Microsoft license agreement or similar rights.
To find Configuration Manager version 1606 in the Volume Licensing Service Center (VLSC), go to the Downloads and
Keys tab of the VLSC, search for System Center 2016, and then select either System Center 2016 Datacenter or
System Center 2016 Standard.
You can also get an evaluation edition of System Center 2016 from the Evaluation Center.

Features of the LTSB


Receives in-console updates that deliver critical security fixes.
Provides an installation option when your SA agreement or equivalent rights to Configuration Manager have
expired.
Supports upgrade (conversion) to the current branch when you have a current SA agreement or equivalent
rights to Configuration Manager.
LTSB limitations
The LTSB is based on the current branch version 1606 and has the following limitations:
The LTSB is supported for 10 years of critical security updates after its general availability (October 2016),
after which, support for this branch expires. For more information about the support lifecycle, see Microsoft
Lifecycle Policy.
Supports a limited list of server and client operating systems and related technologies, like SQL Server
versions. For more information, see Supported configurations for the long-term servicing branch.
Doesn't receive updates for new features
Doesn't support the following capabilities:
Cloud-attached features like co-management or Desktop Analytics
On-premises MDM
The Windows servicing dashboard, servicing plans, or Windows release channels
Future releases of Windows 10 LTSB and Windows Server
Asset intelligence
Any pre-release features
LTSB update options
You can convert your LTSB install to a current branch installation. Conversion to the current branch is
supported before or after support for the LTSB expires.
To convert, you must have an active Software Assurance agreement with Microsoft. For more
information, see the following articles:
Upgrade the long-term servicing branch to the current branch
Licensing and branches for Configuration Manager
Baseline and update versions
There's no option to convert the LTSB to a technical preview branch. Technical preview branches are
separate installations that don't require a license.
You can't upgrade an evaluation edition of the current branch to an LTSB installation.

Technical preview branch


The technical preview branch is for use in a lab environment. Learn about and try out the newest features being
developed for Configuration Manager. It isn't supported in a production environment, and doesn't require you to
have a Software Assurance license agreement.
To install a new site that runs the technical preview branch, use the latest baseline media for the technical
preview branch. After you install the technical preview branch, new versions are available as in-console updates
each month.
Features of the technical preview branch
Based on recent baseline versions of the current branch
Receives in-console updates that update your installation to the latest technical preview branch version
Includes new features that are being developed, and for which Microsoft wants your feedback
Receives updates that apply only to the technical preview branch
Technical preview limitations
Support is limited, including only a single primary site and up to 10 clients.
You can't upgrade or migrate it to a current branch or LTSB installation.
Doesn't support the following behaviors:
Use migration to import or export data to another Configuration Manager installation
Upgrade from a previous version of Configuration Manager
Install as an evaluation edition
Features that are first introduced in a technical preview branch are often added to the current branch in a later
update. Each new technical preview branch version includes the features from previous technical preview
branches, even after those features have been added to the current branch.
For more information, see the Technical preview for Configuration Manager.
Technical preview update options
You can install any in-console update for a new technical preview branch version.
There's no option to convert a technical preview branch to the current branch or LTSB.

Identify your version and branch


Version
To check the version of your site, in the console go to About Configuration Manager at the upper-left corner
of the console. This dialog displays the Site version. For a list of site versions, see Baseline and update versions.
Branch
To confirm the branch of your site, in the console go to Administration > Site Configuration > Sites, and
open Hierarchy Settings. If there's an active option to convert to the current branch, the site runs the LTSB
version. When the site runs the current branch, the console disables this option.
For more information about the different versions of Configuration Manager, see Baseline and update versions.
Licensing and branches for Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch), & System Center Configuration Manager (long-term
servicing branch)
Use this article to learn about the licensing requirements for the installation options available with
Configuration Manager. These installation options include the following branches:
Current branch
Long-term servicing branch (LTSB)
Evaluation installation of the current branch
Technical preview branch

Licensing overview
Customers with active Software Assurance (SA) on Configuration Manager licenses or with equivalent
subscription rights as of October 1, 2016 have rights to use the October 2016 version 1606 release of
Configuration Manager. Customers with rights to Configuration Manager on or after October 1, 2016 will find
two licensed options upon installation: current branch and long-term servicing branch (LTSB).
For the complete terms and conditions for the products you purchase through Microsoft Volume Licensing
programs, see Licensing Terms and Documentation.

Licensed branches
This article references the Software Assurance agreement or equivalent subscription rights. This Microsoft
licensing agreement grants rights to install and use Configuration Manager.
Current branch
The current branch requires an active Software Assurance agreement or equivalent rights to Configuration
Manager. For more information, see Software Assurance and the Current Branch.
This branch is supported for use in production environments that want to receive regular quality and feature
updates from Microsoft. It provides access to use all features and improvements.
Beginning with the 1710 release, each update version remains in support for 18 months from its general
availability release date. For more information, see Support for Configuration Manager current branch versions.
Long-term servicing branch (LTSB)
The LTSB requires a current Software Assurance agreement with Microsoft as of October 1, 2016. For more
information, see Software Assurance and the LTSB.
This branch is supported for use in production environments. It's intended for use by customers that have let
their Software Assurance (SA) or equivalent subscriptions rights to Configuration Manager expire after October
1, 2016. This branch is limited when compared to the Current Branch.
Critical security updates for Configuration Manager are made available to this branch but no new features are
made available.
Evaluation installation of the current branch
The evaluation version doesn't require a Software Assurance agreement with Microsoft. Evaluation installs are
always the current branch, and you can use them for 180 days.
You can upgrade the evaluation installation to a full installation of the current branch. You can't upgrade an
evaluation installation to the long-term servicing branch.
Technical preview branch
The technical preview branch is also available. This branch is a limited build of Configuration Manager that lets
you try out new features. You install the technical preview using different media than the licensed versions. For
more information, see Technical Preview.

Software Assurance agreements


The status of Software Assurance on your Configuration Manager licenses, or equivalent subscription rights, on
or after October 1, 2016, determines the branch you can install and use.
Software Assurance and the current branch
Rights to use Configuration Manager current branch can be provided by:
System Center: Customers with active SA on System Center Standard or Datacenter licenses can install
and use the current branch option of Configuration Manager.
System Center Configuration Manager: Customers with active SA on Configuration Manager
licenses, or with equivalent subscription rights, can install and use the current branch option of
Configuration Manager.
If you have active SA on Configuration Manager licenses or equivalent subscription rights on or after October 1,
2016:
You can install and use the current branch.
If you allow SA or subscription to lapse, you must uninstall the current branch.
Software Assurance and the LTSB
If you have an active SA on Configuration Manager licenses or equivalent subscription rights on or after October
1, 2016:
You can install and use the LTSB. Customers who have perpetual rights to Configuration Manager, or who
allow their SA or subscription to lapse, can install the version of Configuration Manager LTSB that's current at
the time of lapse.
LTSB is based on current branch version 1606, and has the following limitations:
There's no support to convert a current branch to the LTSB. If you currently have a current branch site,
you must install the LTSB as a new site.
LTSB doesn't support all the capabilities of the current branch. For more information, see Introduction to
the long-term servicing branch. These limitations include a limited feature set, limited upgrade options,
and a separate product support lifecycle.
Software Assurance expiration date
Beginning with the October 2016 release of the version 1606 baseline media for Configuration Manager, you
can specify the expiration date of your Software Assurance agreement. The Software Assurance expiration
date is an optional value as a convenient reminder. Add it when you run Configuration Manager setup or later
from within the Configuration Manager console.
NOTE
Microsoft doesn't validate the expiration date you specify, and doesn't use this date for license validation. Use it as a
reminder of your expiration date. This value is useful when Configuration Manager periodically checks for new software
updates offered online. Your Software Assurance license status should be current to be eligible to use these additional
updates.

To specify the Software Assurance expiration date


When you run Setup from the Configuration Manager media, specify the value on the Product Key page
of the Setup wizard.
In the Configuration Manager console, in Hierarchy Settings , specify the value on the Licensing tab.

Licensing resources
To learn more about product licensing details, use the following resources.
Microsoft Volume Licensing Service Center (VLSC)
Overview of VLSC
Microsoft Volume Licensing Product Terms
Volume license customers can get a summary of their licenses from the Volume License Service Center.
Go to the Licenses menu, and select Licenses Summary.
VLSC videos
For training videos on how VLSC works, go to Microsoft Volume Licensing Service Center training and
resources and select How-to videos.
Where to look up your active Software Assurance agreement (starting at 43 seconds)
How to get permissions for VLSC. You can delegate VLSC read and write permissions to other people in
your organization.

Next steps
Frequently asked questions for Configuration Manager branches and licensing
Use the Configuration Manager client software for extended interoperability with future versions of a
Current Branch site
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Business requirements might not allow you to regularly update the Configuration Manager client on some
devices. For example, you need to follow change management policies, or the device is mission-critical.
Accommodate these needs by installing a new client for long-term use, called the extended interoperability
client (EIC). Only use the EIC for specific devices that can't be frequently updated, like kiosk or point-of-sale
devices. Continue to use automatic client upgrade for most of your clients.

How it works
Typically, when you install a new in-console update for Configuration Manager, clients automatically update their
client software so they can use those new features. With this scenario, you still update to the current branch
receiving the new features and updates. Most devices update the Configuration Manager client software with
each version update you install. However, on a subset of critical systems that you don't want to receive client
software updates, you install the extended interoperability client. These clients don't install new client software
until you explicitly deploy a new version of the client software to them.

Supported versions
The following table lists the versions of the Configuration Manager client that are supported for this scenario:

Version | Availability date | Support end date

2103 (client 5.00.9049) | April 5, 2021 | No earlier than April 2023

1902 (client 5.00.8790) | March 27, 2019 | March 27, 2022

TIP
The EIC is supported for at least two years from the date of release. For more information on release dates, see Support
for Configuration Manager current branch versions.

Plan to update the extended interoperability client on devices that you manage with the current branch before
support for the client expires. To do so, download a new version of the client from Microsoft, and then deploy
that updated client software to your devices that use the current extended interoperability client.

How to use the EIC


1. Add these devices to a collection, and exclude that collection from automatic client upgrades. For more
information, see How to exclude clients from upgrade.
2. Obtain a supported version of the EIC from the \SMSSETUP\Client folder of the Configuration Manager
update installation media. Make sure that you copy the entire contents of the folder.
3. Manually install the EIC on those devices. For more information, see Manually install the client.
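
The EIC table and the "Identify your version and branch" section above describe checks you do by hand in the console. The following PowerShell script is an added example, not part of the Configuration Manager documentation or the product: it classifies an installed client version against the EIC versions and support end dates from the table above (the "no earlier than April 2023" entry is modelled as 1 April 2023, the earliest possible end, so the check stays conservative). The WMI class root\ccm:SMS_Client with its ClientVersion property, and the Get-CMSite cmdlet of the ConfigurationManager module with its Version and BuildNumber properties, are real; the function names, the status thresholds (180 days) and the sample version strings are constructed for this example.

```powershell
# Added example, not from the Configuration Manager docs: classify a client
# version against the EIC table on this page and report its support window.

# EIC versions copied from the table above. SupportEnd for 2103 is the
# earliest possible end date, because the page only says "no earlier than".
$EicVersions = @(
    [pscustomobject]@{ SiteVersion = '2103'; Build = '5.00.9049'; Available = [datetime]'2021-04-05'; SupportEnd = [datetime]'2023-04-01'; EndIsMinimum = $true  }
    [pscustomobject]@{ SiteVersion = '1902'; Build = '5.00.8790'; Available = [datetime]'2019-03-27'; SupportEnd = [datetime]'2022-03-27'; EndIsMinimum = $false }
)

function Get-EicSupportStatus {
    # Classify a client version string such as 5.00.9049.1008. The table lists
    # only major.minor.build, so the trailing revision component is ignored.
    param(
        [Parameter(Mandatory)] [string] $ClientVersion,
        [datetime] $AsOf = (Get-Date)
    )
    $parts = $ClientVersion.Split('.')
    if ($parts.Count -lt 3) { throw "Unexpected client version format: '$ClientVersion'" }
    $build = $parts[0..2] -join '.'
    $entry = $EicVersions | Where-Object { $_.Build -eq $build } | Select-Object -First 1

    if (-not $entry) {
        # Not an EIC build: this client belongs on the normal automatic client upgrade path.
        return [pscustomobject]@{
            ClientVersion = $ClientVersion; IsEic = $false; SiteVersion = $null
            SupportEnd = $null; DaysLeft = $null; Status = 'Not an EIC version; expect automatic client upgrade'
        }
    }

    $daysLeft = [int][math]::Floor(($entry.SupportEnd - $AsOf).TotalDays)
    $status = if ($daysLeft -lt 0) {
        'Expired: this client no longer receives security fixes; deploy a newer EIC'
    } elseif ($daysLeft -le 180) {
        'Expiring within 180 days: schedule the EIC update (constructed threshold)'
    } elseif ($entry.EndIsMinimum) {
        'Supported (end date is a minimum; re-check the support table)'
    } else {
        'Supported'
    }

    [pscustomobject]@{
        ClientVersion = $ClientVersion; IsEic = $true; SiteVersion = $entry.SiteVersion
        SupportEnd = $entry.SupportEnd; DaysLeft = $daysLeft; Status = $status
    }
}

function Test-EicClient {
    # Read the installed client's version from the real root\ccm SMS_Client WMI
    # class (locally, or on a remote device when -ComputerName is given) and classify it.
    param([string] $ComputerName, [datetime] $AsOf = (Get-Date))
    $query = @{ Namespace = 'root\ccm'; ClassName = 'SMS_Client'; ErrorAction = 'Stop' }
    if ($ComputerName) { $query.ComputerName = $ComputerName }
    $client = Get-CimInstance @query
    Get-EicSupportStatus -ClientVersion $client.ClientVersion -AsOf $AsOf
}

function Get-SiteVersionSummary {
    # Site-side counterpart of the "About Configuration Manager" dialog. Requires the
    # ConfigurationManager module loaded from an admin console and the current
    # location set to the site drive (for example ABC:, a placeholder site code).
    Get-CMSite | Select-Object SiteCode, SiteName, Version, BuildNumber
}

# Offline demonstration with constructed version strings (no client required).
# 5.00.9999.1000 is a made-up, non-EIC build used only to show the third branch.
$demoDate = [datetime]'2022-06-01'
Get-EicSupportStatus -ClientVersion '5.00.9049.1008' -AsOf $demoDate | Format-List
Get-EicSupportStatus -ClientVersion '5.00.8790.1007' -AsOf $demoDate | Format-List
Get-EicSupportStatus -ClientVersion '5.00.9999.1000' -AsOf $demoDate | Format-List
```

Run Test-EicClient against the members of the collection you excluded from automatic upgrade in step 1; anything reported as expired is a device that is no longer receiving client security fixes and should be moved to a newer EIC as described under Limitations below.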

Limitations
Updates for the extended interoperability client software aren't available by using in-console updates. For
more information on how to update the EIC, see How to upgrade an excluded client.
The EIC only supports the following features:
Software updates
Hardware and software inventory
Packages and programs

Next steps
How to exclude clients from upgrade
To make sure that clients are installed correctly on the devices you want, see How to monitor clients.
Introduction to the long-term servicing branch of Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)


The long-term servicing branch (LTSB) of Configuration Manager is a distinct branch that's designed as an install
option available to all customers. However, it's the only option for customers who let lapse their Software
Assurance (SA) or equivalent subscription rights for Configuration Manager.
Based on Configuration Manager version 1606, the LTSB has reduced functionality when compared to the
current branch of Configuration Manager.

TIP
The Configuration Manager LTSB isn't related to the System Center suite long-term servicing channel (LTSC). For more
information, see Overview of System Center release options.

Features that aren't available


The current branch of Configuration Manager supports the following functionality that isn't available when you
use the LTSB:
In-console updates that add new features and improvements.
Support for newly released operating systems to use as site servers and clients.
On-premises MDM
The Windows servicing dashboard and servicing plans, including support for recent Windows versions.
Support for future releases of Windows Server and Windows 10 LTSB
Asset Intelligence
Cloud-based distribution points
Exchange Online as an Exchange Connector
Although support for these features isn't available with the LTSB, some features remain visible in the
Configuration Manager console, but can't be selected or used.
Cloud integrations, as well as any features included with Configuration Manager current branch version 1610 or
later, aren't available to the LTSB. These features include, but aren't limited to the following:
Co-management
Desktop Analytics
Cloud management gateway
Azure Active Directory integration
Apps from the Microsoft Store for Business

Find LTSB documentation


The LTSB is based on current branch version 1606. Use the current branch documentation, with caveats and
limitations that are specific to the LTSB. Those caveats and limitations are identified in the following articles:
Install the LTSB
Upgrade the LTSB to the current branch
Supported configurations for the LTSB
Manage the LTSB of Configuration Manager
When you reference current branch documentation for the LTSB, details that apply to version 1606 or earlier
also apply to the LTSB. Features or details that are introduced with version 1610 or later aren't supported by the
LTSB.

Licensing overview for the LTSB


Customers with active Software Assurance (SA) on Configuration Manager licenses, or with equivalent
subscription rights as of October 1, 2016, have rights to use the October 2016 version 1606 release of
Configuration Manager. Customers with rights to Configuration Manager on or after October 1, 2016, will find
two licensed options upon installation: current branch and long-term servicing branch (LTSB).
Customers that have perpetual rights to System Center Configuration Manager, or that allow SA or subscription
to lapse after October 1, can install the version of System Center Configuration Manager LTSB that is current at
the time of lapse.
For more information about these licenses, see the Complete terms and conditions for the products you
purchase through Microsoft Volume Licensing programs.
For more information about licensing for Configuration Manager branches, see Configuration Manager
licensing and branches.

Next Steps
If you decide that the Configuration Manager LTSB is the correct branch for your environment, install a new
LTSB site as part of a new hierarchy, or upgrade a System Center 2012 Configuration Manager site and
hierarchy.
Supported Configurations for the Long-Term Servicing Branch of System Center Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)


Use the information in this topic to understand what operating systems and product dependencies are
supported by the Long-Term Servicing Branch (LTSB) of Configuration Manager. If not stated otherwise in this or
the LTSB specific topics, the same configurations and limitations that apply to the Current Branch version 1606
apply to the LTSB. When conflicts occur, use the information that applies to the edition you are using. Typically,
the LTSB is more limited than the Current Branch.

General statement of support


The following products and technologies are supported by this branch of Configuration Manager. However, their
inclusion in this content does not express an extension of support for any product or version beyond that
product's individual support lifecycle. Products that are beyond their support lifecycle are not supported for use
with Configuration Manager. For more information, visit the Microsoft Support Lifecycle website and read the
Microsoft Support Lifecycle Policy FAQ.
Additionally, products and product versions that are not listed in the following topics are not supported unless
they have been announced on the Enterprise Mobility + Security Blog.
Limitations for future support: The LTSB has limited support for future server and client operating systems
and product dependencies. The platforms list for the LTSB is fixed for the life of the release:
Windows:
Only quality and security updates for Windows are supported.
No support is added for current branches (CB), current branches for business (CBB), or LTSB of Windows 10.
No support for new major versions of Windows Server.
SQL Server:
Only quality and security updates, or minor upgrades like service packs, are supported for SQL Server.
No support for new major versions of SQL Server.

Site systems and servers


The LTSB supports the use of the following Windows computer operating systems as site systems. Each
operating system has the same requirements and limitations as the same entry in Supported operating systems
for site system servers. For example, the Server Core installation of Windows 2012 R2 must be an x64 version,
is only supported to host a distribution point, and does not support PXE or Multicast.
Supported operating systems:
Windows Server 2016
Windows Server 2012 R2 (x64): Standard, Datacenter
Windows Server 2012 (x64): Standard, Datacenter
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 8.1 (x86, x64): Professional, Enterprise
The Server Core installation of Windows Server 2012
The Server Core installation of Windows Server 2012 R2

Client management
The following sections identify the client operating systems that you can manage with the LTSB. The LTSB does
not support the addition of new operating systems as supported clients.
Windows computers
You can use the LTSB to manage the following Windows computer operating systems with the Configuration
Manager client software that is included with Configuration Manager. For more information, see How to deploy
clients to Windows computers.
Supported operating systems:
Windows Server 2016
Windows Server 2012 R2 (x64): Standard, Datacenter (Note 1)
Windows Server 2012 (x64): Standard, Datacenter (Note 1)
Windows Storage Server 2012 R2 (x64)
Windows Storage Server 2012 (x64)
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 8.1 (x86, x64): Professional, Enterprise
The Server Core installation of Windows Server 2012 R2 (x64) (Note 2)
The Server Core installation of Windows Server 2012 (x64) (Note 2)
(Note 1) Datacenter releases are supported but not certified for Configuration Manager.
(Note 2) To support client push installation, the computer that runs this operating system version must run the
File Server role service for the File and Storage Services server role. For information about installing Windows
features on a Server Core computer, see Install Server Roles and Features on a Server Core Server.
Windows Embedded
You can use the LTSB to manage the following Windows Embedded devices by installing the client software on
the device. For more information, see Planning for client deployment to Windows Embedded devices.
Requirements and limitations:
All client features are supported on supported Windows Embedded systems that do not have write filters
enabled.
Clients that use one of the following are supported for all features except power management:
Enhanced Write Filters (EWF)
RAM File-Based Write Filters (FBWF)
Unified Write Filters (UWF)
Before you can monitor detected malware on Windows Embedded devices based on Windows XP, you
must install the Microsoft Windows WMI scripting package on the embedded device. Use Windows
Embedded Target Designer to install this package. The WBEMDISP.DLL and WBEMDISP.TLB files must exist
and be registered in the %windir%\System32\WBEM folder on the embedded device to ensure that
detected malware is reported.
Supported operating systems:
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows Embedded 8.1 Industry (x86, x64)

Exchange Server connector


The LTSB supports limited management of devices that connect to your Exchange Server instance, without
installing client software. For more information, see Manage mobile devices with Configuration Manager and
Exchange.
Requirements and limitations:
Configuration Manager offers limited management for mobile devices. Limited management is available
when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that
connect to a server running Exchange Server or Exchange Online.
For more information about the management functions that Configuration Manager supports for mobile
devices that the Exchange Server connector manages, see Choose a device management solution for
Configuration Manager.
Supported versions of Exchange Server:
Exchange Server 2010 SP1
Exchange Server 2010 SP2
Exchange Server 2013

NOTE
The LTSB does not support the management of devices that connect through an online service, like Exchange Online
(Microsoft 365).

Configuration Manager console


The LTSB supports the following operating systems to run the Configuration Manager console. Each computer
that hosts the console must have a minimum .NET Framework version of 4.5.2 except for Windows 10, which
requires a minimum of .NET Framework 4.6.
Supported operating systems:
Windows Server 2016
Windows Server 2012 R2 (x64): Standard, Datacenter
Windows Server 2012 (x64): Standard, Datacenter
Windows 10 Enterprise 2016 LTSB (x86, x64)
Windows 10 Enterprise 2015 LTSB (x86, x64)
Windows 8.1 (x86, x64): Professional, Enterprise

SQL Server versions supported for the site database and reporting
point
The LTSB supports the following versions of SQL Server to host the site database and reporting point. For each
supported version, the same configuration requirements and limitations that appear in Support for SQL Server
versions for the current branch apply to the LTSB. This support includes the use of a SQL Server Always On
failover cluster instance or an availability group.
Supported versions:
SQL Server 2016: Standard, Enterprise
SQL Server 2014 SP2: Standard, Enterprise
SQL Server 2014 SP1: Standard, Enterprise
SQL Server 2012 SP3: Standard, Enterprise
SQL Server 2008 R2 SP3: Standard, Enterprise, Datacenter
SQL Server 2016 Express
SQL Server 2014 Express SP2
SQL Server 2014 Express SP1
SQL Server 2012 Express SP3

Support for Active Directory domains


All LTSB site systems must be members of a supported Windows Active Directory domain. Support for Active
Directory domains has the same requirements and limitations as those that appear in Support for Active
Directory domains, but is limited to the following domain functional levels:
Supported levels:
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2

Additional support topics that apply to the Long-Term Servicing Branch
The information in the following Current Branch topics applies to the LTSB:
Size and scale numbers
Site and site system prerequisites
High availability options
Recommended hardware
Support for Windows features and networks
Support for virtualization environments
Install and upgrade with the version 1606 baseline media
2/16/2022 • 6 minutes to read

Applies to: System Center Configuration Manager (long-term servicing branch)


When you run setup from the version 1606 baseline media for Configuration Manager, you can install a
long-term servicing branch site of System Center Configuration Manager.
The baseline media is available on DVD as part of Microsoft System Center 2016, or from the System Center
Configuration Manager long-term servicing branch version 1606. To learn about baseline media, see Baseline
and update versions.
When you use the version 1606 baseline media, the site you install or upgrade to is:
A Current Branch site that is equivalent to a site that was first installed using the 1511 baseline media, and
then updated to version 1606 plus the 1606 hotfix rollup - KB3186654.
An LTSB site that is equivalent to the Current Branch site that runs version 1606 plus the 1606 hotfix rollup -
KB3186654. The baseline media already includes the hotfix rollup. But, the LTSB does not support all of the
features or capabilities available with the Current Branch, as detailed in Introduction to the Long-Term
Servicing Branch of System Center Configuration Manager.
If you are not familiar with the different branches of Configuration Manager, see Which branch of Configuration
Manager should I use.

Changes to Setup with the 1606 baseline media


The 1606 baseline media introduces the following changes to Setup for Configuration Manager.
Branch and edition
When you run Setup, you are now presented with a Licensing page where you can select the branch of
Configuration Manager you want to install. You can choose either the Current Branch or LTSB as a licensed
installation, or you can choose an Evaluation edition of the Current Branch as a non-licensed installation.
For more information, see Licensing and branches for Configuration Manager.
Software Assurance expiration
During Setup, you have the option to enter the Software Assurance expiration date value. This is an
optional value that you can specify as a convenient reminder.

NOTE
Microsoft does not validate the expiration date you enter and will not use this date for license validation. Instead, you can
use it as a reminder of your expiration date. This is useful because Configuration Manager periodically checks for new
software updates offered online, and your software assurance license status should be current to be eligible to use these
additional updates.

You can specify the date value on the Product Key page of the Setup Wizard when you run Setup from the
Configuration Manager version 1606 baseline media.
You can also specify this date by selecting Hierarchy Settings Properties > Licensing in the
Configuration Manager console.
For more information, see "Software Assurance agreements" in Licensing and branches for Configuration
Manager.
Additional pre-upgrade configurations
Prior to starting an upgrade of System Center 2012 Configuration Manager to the LTSB, you must take the
following additional steps as part of the pre-upgrade checklist.
Uninstall the site system roles that the LTSB does not support:
Asset Intelligence synchronization point
Microsoft Intune connector
Cloud-based distribution points
For more information, see Upgrade to Configuration Manager.
New scripted installation options
The version 1606 baseline media supports a new unattended script file key for scripted installations of a new
top-level site. This applies to installing a new stand-alone primary site or adding a central administration site as
part of a site expansion scenario.
When using an unattended script to install a licensed branch, you must add the following section, key names,
and values to the Options section of your script. You don't need to use these values to script the install of an
Evaluation edition of the Current Branch:
SABranchOptions
Key Name: SAActive
Values: 0 or 1.
Details: 0 installs a non-licensed Evaluation edition of Current Branch, and 1 installs a licensed edition.
Key Name: CurrentBranch
Values: 0 or 1.
Details: 0 installs the Long-Term Servicing Branch, and 1 installs the Current Branch.
For example, to install a licensed Current Branch edition you would use:
Key Name: SABranchOptions
SAActive = 1
CurrentBranch = 1

IMPORTANT
SABranchOptions only works with Setup from the baseline media. It does not apply when you run Setup from the
CD.Latest folder of a site you previously installed using the version 1606 baseline media.
SABranchOptions does not apply to scripted upgrades from System Center 2012 Configuration Manager and always
results in the Current Branch.

For more information, see Use a command line to install Configuration Manager sites.
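As an added example (not Microsoft's code or part of the original documentation), the following Python script reads the SABranchOptions keys from an unattended setup script and reports which edition a run from the 1606 baseline media would install, with warnings for missing or invalid values. The sample script fragment and the edition labels are constructed here for illustration.

```python
"""Classify the branch an unattended Configuration Manager setup script selects.

Added example, not Microsoft's code. It applies the SABranchOptions rules stated
above: SAActive=0 gives a non-licensed Evaluation edition of Current Branch,
SAActive=1 with CurrentBranch=1 gives licensed Current Branch, and SAActive=1
with CurrentBranch=0 gives the licensed Long-Term Servicing Branch.
"""
import configparser

# Constructed sample: a licensed LTSB install script fragment (values are
# illustrative; the Identification section is only present for realism).
SAMPLE_SCRIPT = """
[Identification]
Action=InstallPrimarySite

[SABranchOptions]
SAActive=1
CurrentBranch=0
"""

# Edition labels used by this example (not Setup's own wording).
EVALUATION = "Evaluation (Current Branch)"
LICENSED_CB = "Licensed Current Branch"
LICENSED_LTSB = "Licensed Long-Term Servicing Branch"
UNSPECIFIED = "Unspecified"

VALID_VALUES = {"0", "1"}


def classify_branch(script_text):
    """Return (edition, warnings) for the given unattended script text.

    edition is one of the label constants above; warnings is a list of
    strings describing anything that would make the result unreliable.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(script_text)
    warnings = []

    if not cfg.has_section("SABranchOptions"):
        # Without the section there is no licensed-branch selection; the
        # documentation says these values are not needed for an Evaluation
        # edition install, so that is the only edition this can describe.
        warnings.append("no SABranchOptions section: only valid for an Evaluation edition install")
        return EVALUATION, warnings

    section = cfg["SABranchOptions"]
    # configparser lowercases key names, so lookups are case-insensitive.
    sa_active = section.get("SAActive")
    current_branch = section.get("CurrentBranch")

    for name, value in (("SAActive", sa_active), ("CurrentBranch", current_branch)):
        if value is None:
            warnings.append(f"{name} is missing from SABranchOptions")
        elif value.strip() not in VALID_VALUES:
            warnings.append(f"{name}={value!r} is not 0 or 1")
    if warnings:
        return UNSPECIFIED, warnings

    if sa_active.strip() == "0":
        # A non-licensed Evaluation edition is always Current Branch, so the
        # CurrentBranch key does not change the outcome here.
        return EVALUATION, warnings
    if current_branch.strip() == "1":
        return LICENSED_CB, warnings
    return LICENSED_LTSB, warnings


if __name__ == "__main__":
    edition, notes = classify_branch(SAMPLE_SCRIPT)
    print(f"Edition: {edition}")
    for note in notes:
        print(f"Warning: {note}")
```

Remember the caveat from the IMPORTANT note above: these keys only take effect when Setup runs from the baseline media, so a correct script run from CD.Latest or as a scripted upgrade still results in the Current Branch.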

Install a new site


When you use the 1606 baseline media to install a new site of either branch, use the site planning, preparation,
and installation procedures documented in the Installing Configuration Manager sites topic with the addition of
the following considerations for Setup:
During Setup you must choose the branch of Configuration Manager that you want to install, and you can
specify details for your Software Assurance agreement.
All sites in the same hierarchy must run the same branch. It is not supported to have a hierarchy with a mix
of LTSB and Current Branch at different sites.
New scripted installation. For more information, see "New scripted installation options" earlier in this article.

Expand a stand-alone primary site


You can expand a stand-alone primary site that runs the LTSB. The process is no different than that used for a
Current Branch site with one caveat:
When installing the new central administration site you must use Setup from the original source media you
used to install the LTSB site. Running Setup from the CD.Latest folder for this scenario is not supported.
For more information about expanding a site, see "Expand a stand-alone primary site" in Install a site using the
Setup Wizard.

Upgrade from System Center 2012 Configuration Manager


When you upgrade from System Center 2012 Configuration Manager, use the site planning, preparation, and
procedures as documented in the Upgrade to Configuration Manager topic, but with the following changes:
Upgrade to the Current Branch:
During Setup, you must choose the Current Branch, and you can specify details for your Software Assurance
agreement.
New scripted installation. For more information, see "New scripted installation options" earlier in this article.
Upgrade to the LTSB:
Additional steps to follow in the pre-upgrade checklist.
During Setup you must choose the LTSB, and you can specify details for your Software Assurance agreement.
You can only upgrade a site that runs System Center 2012 Configuration Manager with Service Pack 1,
System Center 2012 Configuration Manager with Service Pack 2, System Center 2012 R2 Configuration
Manager with Service Pack 1, or System Center 2012 R2 Configuration Manager with no service pack.
In-place upgrade paths for the 1606 baseline media
You can use the 1606 baseline media to upgrade the following to a licensed edition of Configuration Manager:
System Center 2012 R2 Configuration Manager with Service Pack 1
System Center 2012 R2 Configuration Manager with no service pack (this requires the use of the baseline
media for version 1606 that was rereleased on December 15th, 2016.)
System Center 2012 Configuration Manager with Service Pack 2
System Center 2012 Configuration Manager with Service Pack 1 (this requires the use of the baseline media
for version 1606 that was rereleased on December 15th, 2016.)
You can also use this media to upgrade a non-licensed Evaluation edition of Current Branch to a fully licensed
version of the Current Branch.
This media does not support the upgrade of:
Other versions of System Center 2012 Configuration Manager.
Configuration Manager 2007 or earlier.
A release candidate installation of Configuration Manager.
About the CD.Latest folder and the LTSB
The following are limitations on using the media that Configuration Manager creates in the CD.Latest folder on
the site server. These limits apply to sites that run the LTSB:
Media in the CD.Latest folder is supported for:
Site recovery.
Site maintenance.
Installing additional child primary sites.
Media in the CD.Latest folder is not supported for:
Installing a central administration site as part of a site expansion scenario.
For more information, see the CD.Latest folder.

Backup, recovery, and site maintenance for the LTSB


To back up, recover, or run site maintenance on a site that runs the LTSB, use the guidance and procedures from
Backup and recovery for Configuration Manager.
Use Configuration Manager Setup from the CD.Latest folder of the backup of your LTSB site.
Manage the Long-Term Servicing Branch of Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)


When you use the Long-Term Servicing Branch (LTSB) of System Center Configuration Manager, the following
can help you understand important changes that affect how you manage your infrastructure.
Because the LTSB is equivalent to Current Branch version 1606 (with some exceptions like Intune integration
and cloud-related features), most tasks you use for planning, deployment, configuration, and day-to-day
management are the same.
For example, the LTSB supports the same number of sites, site types, clients, and general infrastructure as the
Current Branch. Therefore, you use the guidance found in the site and hierarchy planning and design topics for
the Current Branch. Similarly, for features with the LTSB that are supported by both branches, like Software
Updates or Operating System Deployment, use the guidance found in those sections of the Current Branch
documentation with the caveats of not having access to feature changes introduced after version 1606 of the
Current Branch.
The following sections describe the management tasks that differ between the LTSB and the Current Branch.

Updates and servicing


Only critical security updates are made available as in-console updates in the LTSB.
Information about regular updates for subsequent Current Branch releases is visible in the console, but those
updates are not made available to the LTSB. They are not downloaded and cannot be installed.
To support in-console updates for critical security fixes, an LTSB site requires the use of the service connection
point. You can configure this site system role in offline or online mode, as is done for the Current Branch. The
LTSB collects and submits the same telemetry and usage data as the Current Branch.
The LTSB supports the use of the Hotfix Installer and the Update Registration tool, as documented for the
Current Branch.
For general information about updates and servicing, see Updates for Configuration Manager.

Changes for site expansion and the CD.Latest folder


When you run the LTSB and are expanding a stand-alone primary site by installing a new central administration
site, you must use Setup and the source files from the version 1606 baseline media. For the Current Branch, you
run Setup and use source files from the CD.Latest folder.
Although you do not run Setup for site expansion from the CD.Latest folder, you continue to use the CD.Latest
folder for site recovery, and to install a new child primary site when your first LTSB site was a central
administration site.
For more information about site expansion, see Expand a stand-alone primary site. For more information about
the CD.Latest folder, see The CD.Latest folder.

Recovery
When you recover a site, you must restore the site or site database to its original branch. You cannot recover a
Current Branch site database to an LTSB installation, or vice versa.
Upgrade the long-term servicing branch to the current branch
2/16/2022 • 2 minutes to read

Applies to: System Center Configuration Manager (Long-Term Servicing Branch)


Use this topic to learn how to upgrade (convert) a site and hierarchy that runs the Long-Term Servicing Branch
(LTSB) of Configuration Manager to the Current Branch.
When you have a current Software Assurance agreement (or similar licensing rights) that grants you rights to
use the Current Branch, you can convert your installation from the LTSB to the Current Branch. This is a one-way
conversion because there is no support for converting a Current Branch site to the LTSB.
If you have multiple sites, you only need to convert the top-tier site of your hierarchy. After the top-tier site is
converted:
Child primary sites automatically convert.
You must manually update secondary sites from within the Configuration Manager console.

Run setup to convert the Long-Term Servicing Branch


On the top-tier site of your hierarchy, you can run Configuration Manager setup from qualifying baseline media
and select Site maintenance . Then, when presented with the licensing page, select the option for the Current
Branch and complete the wizard.
When your site has converted to the Current Branch, previously unavailable features and capabilities will be
available for use.

NOTE
Qualifying baseline media is a media that has a version that is equal to or later than your LTSB installation.

For example, because the LTSB is based on version 1606, you cannot use the baseline 1511 media to convert to
the Current Branch. Instead, you run setup from the same version 1606 baseline media that you used to install
the LTSB site, and choose the licensing option for the Current Branch. Alternately, if a later baseline of the
Current Branch has been released, you can run setup from that baseline media.
For a list of baseline versions, see Baseline and update versions in Updates for Configuration Manager.

Use the Configuration Manager console to convert the long-term servicing branch
If your site runs the LTSB, you can use the following option in the Configuration Manager console to convert to
the Current Branch:
1. In the console, go to Administration > Site Configuration > Sites, and then open Hierarchy
Settings.
2. In Hierarchy Settings, switch to the Licensing tab. Select the option to Convert to Current Branch,
and then choose Apply.
When your site has converted to the Current Branch, previously unavailable features and capabilities will be
available for use.
Get ready for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use the information in the following topics when you're ready to start planning your Configuration Manager
deployment:
Design a hierarchy of sites for Configuration Manager
Fundamentals of role-based administration for Configuration Manager
Fundamental concepts for content management
Understand how clients find site resources and services for Configuration Manager
Prepare your network environment for Configuration Manager
Supported configurations for Configuration Manager
Features and capabilities of Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


This article summarizes the primary management features of Configuration Manager. Each feature has its own
prerequisites, and how you use each might influence the design and implementation of your Configuration
Manager hierarchy. For example, if you want to deploy software updates to devices in your hierarchy, you need a
software update point site system role.

Co-management
Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the
Microsoft 365 cloud. It enables you to concurrently manage Windows devices by using both Configuration
Manager and Microsoft Intune. Co-management lets you cloud-attach your existing investment in Configuration
Manager by adding new functionality like conditional access. For more information, see What is co-management?

Desktop Analytics
Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides
insight and intelligence for you to make more informed decisions about the update readiness of your Windows
clients. It combines data from your organization with data aggregated from millions of devices connected to
Microsoft cloud services. For more information, see What is Desktop Analytics?

Cloud-attached management
Use features like the cloud management gateway and Azure Active Directory to manage internet-based clients.
For more information, see the following articles:
Cloud management gateway overview
Plan for Azure AD
Azure services

Real-time management
Use CMPivot to immediately query online devices, then filter and group the data for deeper insights. Also use
the Configuration Manager console to manage and deploy Windows PowerShell scripts to clients. For more
information, see CMPivot and Create and run PowerShell scripts.

Application management
Helps you create, manage, deploy, and monitor applications to a range of different devices that you manage.
Deploy, update, and manage Microsoft 365 Apps from the Configuration Manager console. Additionally,
Configuration Manager integrates with the Microsoft Store for Business and Education to deliver cloud-based
apps. For more information, see Introduction to application management.

OS deployment
Deploy an in-place upgrade of Windows, or capture and deploy OS images. Image deployment can use PXE,
multicast, or bootable media. It can also help redeploy existing devices using Windows AutoPilot. For more
information, see Introduction to OS deployment.

Software updates
Manage, deploy, and monitor software updates in the organization. Integrate with Windows Delivery
Optimization and other peer caching technologies to help control network usage. For more information, see
Introduction to software updates.

Company resource access


Lets you give users in your organization access to data and applications from remote locations. This feature
includes Wi-Fi, VPN, email, and certificate profiles. For more information, see Protect data and site infrastructure.

Compliance settings
Helps you to assess, track, and remediate the configuration compliance of client devices in the organization.
Additionally, you can use compliance settings to configure a range of features and security settings on devices
you manage. For more information, see Ensure device compliance.

Endpoint Protection
Provides security, antimalware, and Windows Firewall management for computers in your organization. This
area includes management and integration with the following Windows Defender suite features:
Windows Defender Antivirus
Microsoft Defender for Endpoint
Windows Defender Exploit Guard
Windows Defender Application Guard
Windows Defender Application Control
Windows Defender Firewall
For more information, see Endpoint Protection.

Inventory
Helps you identify and monitor assets.
Hardware inventory
Collects detailed information about the hardware of devices in your organization. For more information, see
Introduction to hardware inventory.
Software inventory
Collects and reports information about the files that are stored on client computers in your organization. For
more information, see Introduction to software inventory.
Asset Intelligence
Provides tools to collect inventory data and monitor software license usage in your organization. For more
information, see Introduction to Asset Intelligence.

On-premises mobile device management


Enrolls and manages devices by using the on-premises Configuration Manager infrastructure with the
management functionality built into the device platforms. (Typical management uses a separately installed
Configuration Manager client.) This feature currently supports managing Windows 10 Enterprise and Windows
10 Mobile devices. For more information, see Manage mobile devices with on-premises infrastructure.

Power management
Manage and monitor the power consumption of client computers in the organization. Configure power plans,
and use Wake-on-LAN to do maintenance outside of business hours. For more information, see Introduction to
power management.

Remote control
Provides tools to remotely administer client computers from the Configuration Manager console. For more
information, see Introduction to remote control.

Reporting
Use the advanced reporting capabilities of SQL Server Reporting Services from the Configuration Manager
console. This feature provides hundreds of default reports. For more information, see Introduction to reporting.

Software metering
Monitor and collect software usage data from Configuration Manager clients. You can use this data to determine
whether software is used after it's installed. For more information, see Monitor app usage with software
metering.

Next steps
For more information about how to plan and install Configuration Manager to support these management
capabilities in your environment, see Get ready for Configuration Manager.
What's new in Configuration Manager incremental versions
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses an in-console updates and servicing process. This update process makes it easy to
discover and install Configuration Manager updates. There are no more service packs or cumulative update
versions to track and install. You don't have to search for the download of the most recent release or updates.
To update the product to a new version of the current branch, use the Configuration Manager console to install
the update. A few times each year, Microsoft releases new versions that include product updates. Each version also
introduces new features. When you install an update with new features, you can choose to use those features.
For more information, see Prepare to install in-console updates for Configuration Manager.
Different update versions are identified by year and month. For example, version 1511 identifies November
2015 (the month when Configuration Manager current branch was first released to manufacturing). Later
updates have version names like 2103, which indicates an update that was created in March 2021. These update
versions are key to understanding the incremental version of your Configuration Manager installation, and what
features are available to enable in your environment.

Supported versions
Use the following links to discover what's new with each supported version:
What's new in version 2111
What's new in version 2107
What's new in version 2103
What's new in version 2010
What's new in version 2006
Each update version remains in support for 18 months from its initial availability date. Stay current with the
most recent update version. For more information, see Support for Configuration Manager current branch
versions.

See also
Release notes
What's new in version 2111 of Configuration Manager current branch
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


Update 2111 for Configuration Manager current branch is available as an in-console update. Apply this update
on sites that run version 2006 or later. This article summarizes the changes and new features in Configuration
Manager, version 2111.
Always review the latest checklist for installing this update. For more information, see Checklist for installing
update 2111. After you update a site, also review the Post-update checklist.
To take full advantage of new Configuration Manager features, after you update the site, also update clients to
the latest version. While new functionality appears in the Configuration Manager console when you update the
site and console, the complete scenario isn't functional until the client version is also the latest.

Application management
Improvements to application groups

TIP
Starting with this release, app groups are no longer a pre-release feature.

This release includes the following improvements to application groups:
Now when you deploy an app group as required to a device or user collection, you can specify that it
automatically uninstalls when the resource is removed from the collection.
More app approval behaviors are now supported with app groups.
For more information, see Create application groups.
Implicit uninstall for user collections
In Configuration Manager current branch version 2107, you can enable an application deployment to support
implicit uninstall.
Starting in this release, this behavior also applies to deployments to user collections. If a user is in a collection,
the application installs. Then when you remove the user from the collection, the application uninstalls.
For more information, see implicit uninstall.

Software updates
Approvals for orchestration group scripts

TIP
Starting with this release, orchestration groups are no longer a pre-release feature.

Pre and post-scripts for orchestration groups now require approval to take effect. If you select a script from a
file, author, or modify your own script, approval for the script is required from another admin. When selecting an
approved script from the Scripts library, no other approval is needed. To assist you with script approval, the
following two tabs were added to the details pane for Orchestration Groups:
Summary: Contains information about the selected orchestration group, including the Approval State of
scripts.
Scripts: Lists information about pre and post-scripts, including the timeout, approver, and approval state for
each script.
For more information, see Approvals for orchestration group scripts.
Improvements to ADR search criteria
We've added the following options in the Date Released or Revised search criteria for automatic deployment
rules:
Older than 30 days
Older than 60 days
Older than 90 days
Older than 6 months
Older than 1 year
For more information, see Automatically deploy software updates.
Enable update notifications from Microsoft 365 Apps
You can now configure the end-user experience for Microsoft 365 Apps updates. This client setting allows you to
enable or disable notifications from Microsoft 365 Apps for these updates. The new Enable update
notifications from Microsoft 365 Apps option has been added to the Software Updates group of client
settings.
For more information, see About client settings in Configuration Manager.

Cloud-attached management
Simplified cloud attach configuration
We've simplified the process to cloud attach your Configuration Manager environment. You can now choose to
use a streamlined set of recommended defaults when cloud attaching your environment. By using the
recommended default settings, your eligible devices will be cloud attached and you'll enable capabilities like rich
analytics, cloud console, and real-time device querying.
For more information, see the Overview for cloud attach and Enable cloud attach.
Improvements to cloud management gateway
Starting in this release, cloud management gateway (CMG) deployments with a virtual machine scale set
support Azure US Government cloud environments.
For more information, see CMG - Virtual machine scale sets.

Site infrastructure
Improvements to external notifications
Starting in Configuration Manager current branch version 2107, you could enable the site to send notifications
to an external system or application. This feature used a PowerShell script to manage the status filter rules and
subscriptions.
This release adds support in the Configuration Manager console to create or edit a subscription for external
notifications. It supports events for status filter rules and application approval requests.
For more information, see External notifications.
.NET version 4.6.2 prerequisite check is an error
Configuration Manager current branch version 2107 has a warning prerequisite rule that checks for Microsoft
.NET Framework version 4.6.2. This version of .NET is required on site servers, specific site systems, clients, and
the Configuration Manager console.
Starting in this release, this prerequisite rule for .NET 4.6.2 is an error. Until you upgrade .NET, you can't continue
installing or updating the site to this version of Configuration Manager.
For more information, see List of prerequisite checks for Configuration Manager.

IMPORTANT
When the Configuration Manager client updates to version 2111 or later, client notifications are dependent upon .NET
4.6.2 or later. Until you update .NET to version 4.6.2 or later, and restart the device, users won't see notifications from
Configuration Manager. Other client-side functionality may be affected until the device is updated and restarted. For more
information, see More details about Microsoft .NET.

Improvements to VPN boundary types


If you use the VPN boundary type, you can now match the start of a connection name or description instead of
the whole string. Some third-party VPN drivers dynamically create the connection, which starts with a
consistent string but also has a unique connection identifier. For example, Virtual network adapter #19. When
you use the Connection name or Connection description options, also use the new Starts with option.
For more information, see Define network locations as boundaries.
Status messages for console extensions
To improve the visibility and transparency of console extensions, the site now creates status messages for
related events. These status messages have IDs from 54201 to 54208.
For more information, see Manage Configuration Manager console extensions.
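Because these status messages are the site's audit trail for who imported, approved or installed a console extension, it is worth pulling them on a schedule rather than only browsing them in the console. The following PowerShell function is an added example, not code from the Configuration Manager documentation: it queries the SMS Provider's SMS_StatusMessage class for the 54201 to 54208 range given above. The site code, provider server name and the default look-back window are assumptions for the example.

```powershell
# Added example; not from the Configuration Manager documentation.
# Lists the status messages the site records for console extension events.
# The ID range 54201-54208 is the one given in the release notes.
# Assumptions: $SiteCode is the site's code and $ProviderServer hosts the
# SMS Provider; SMS_StatusMessage is queried in the provider namespace.

function Get-CMConsoleExtensionStatusMessage {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        [string] $ProviderServer = $env:COMPUTERNAME,
        [int] $Days = 30
    )

    $namespace = "root\sms\site_$SiteCode"
    $query = 'SELECT RecordID, Time, MessageID, Severity, MachineName, Component ' +
             'FROM SMS_StatusMessage ' +
             'WHERE MessageID >= 54201 AND MessageID <= 54208'

    Get-CimInstance -ComputerName $ProviderServer -Namespace $namespace -Query $query |
        Where-Object { $_.Time -ge (Get-Date).AddDays(-$Days) } |
        Sort-Object Time |
        ForEach-Object {
            # Severity is carried in the top two bits of a 32-bit value:
            # 0x40000000 information, 0x80000000 warning, 0xC0000000 error.
            $severity = switch ([uint32]$_.Severity -shr 30) {
                1 { 'Information' }
                2 { 'Warning' }
                3 { 'Error' }
                default { 'Unknown' }
            }
            [pscustomobject]@{
                Time      = $_.Time
                MessageID = $_.MessageID
                Severity  = $severity
                Site      = $_.MachineName
                Component = $_.Component
            }
        }
}

# Example call (constructed names; run as a Configuration Manager administrative user):
# Get-CMConsoleExtensionStatusMessage -SiteCode 'PS1' -ProviderServer 'cm01.contoso.local' -Days 7
```

The filter on MessageID is done in WQL so the provider returns only the extension-related rows; the time window is applied client-side because Get-CimInstance already converts Time to a DateTime. Feeding the output into a SIEM or a scheduled report gives a record of extension changes that is independent of the console session that made them.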

Client management
Improvements to client health dashboard
This release includes multiple improvements to the Client health dashboard.
New actions in the ribbon:
Choose Default Collection: Set a persistent user preference
Client Status Settings: Configure the periods of time to evaluate client health
More prominent Overall client health tile
Filters condensed on a single tile
The Combined (All) and Combined (Any) scenarios are replaced by a new tile, Clients with any
failure
New tile for Health trends by scenario
For more information, see Client health dashboard.

Software Center
Software Center notifications display with logo
If you enable Software Center customizations, the logo that you specify for Windows notifications is separate
from the Software Center logo. This logo helps users to trust these notifications. When you deploy software to a
client, the user sees notifications with your logo. For example:

For more information, see About client settings: Software Center and Plan for Software Center.

OS deployment
Task sequence check for TPM 2.0
To help you better deploy Windows 11, the Check Readiness step in the task sequence now includes checks for
TPM 2.0.
For more information, see Task sequence steps: Check Readiness.
Improvements to the Windows servicing dashboard
We now display a Windows 11 Latest Feature Updates chart in the Windows Servicing dashboard. The
new chart makes it easier to determine how many of your Windows 11 clients are on the latest feature update.
To display the dashboard, go to Software Library > Overview > Windows Servicing.
For more information, see The Windows servicing dashboard.

Configuration Manager console


Custom properties for devices in the console
In Configuration Manager current branch version 2107, you can use the administration service to set custom
properties on devices. These custom properties let you add external data to a device to help with deployment
targeting, collection building, and reporting.
Starting in this release, you can create and edit these custom properties in the Configuration Manager console.
This new user interface makes it easier to view and edit these properties. You can still use the administration
service interface to automate the process from an external system.
For more information, see Custom properties for devices.
Export to CSV
You can now export the contents of a grid view in the console along with the column headers to a comma-
separated values (CSV) file that can be used to import to Excel or other applications. While you could previously
cut and paste from a grid view, exporting to CSV makes extracting a large number of rows faster and easier.
For more information, see Configuration Manager console changes and tips.
Import console extensions wizard
There's a new wizard for importing console extensions that are managed for the hierarchy. You no longer need
to use a PowerShell script to import a signed or unsigned console extension.
For more information, see Import Configuration Manager console extensions.
Require installation of a console extension
You can now require a console extension to be installed before it connects to the site. After you require an
extension, it automatically installs for the local console the next time an admin launches it.
For more information, see Manage Configuration Manager console extensions.
Send product feedback from wizard and property dialogs
Wizards and some property pages now include an icon to provide feedback. When you select the feedback icon,
the Send a smile and Send a frown options are displayed in the drop-down menu. The other feedback
locations allow you to quickly send feedback right from your current activity. The feedback icon in the admin
console's ribbon has also been updated to the new icon.
For more information, see Product feedback for Configuration Manager.
Power BI sample reports
The following reports were recently added to the Configuration Manager Sample Power BI Reports:
Client Status
Content Status
Microsoft Edge Management
For more information, see Install Power BI sample reports.
Console improvements
In this release we've made the following improvements to the Configuration Manager console:
Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. They
can use Configuration Manager to assign a certificate to an ISV proxy, which enables custom
communication with the management point. To simplify the management of these ISV proxy certificates,
you can now copy its GUID in the Configuration Manager console. For more information, see ISV proxy
solutions and PKI certificates.
When you show the members of a device collection, and select a device in the list, switch to the
Collections tab in the details pane. This new view shows the list of collections of which the selected
device is a member. It makes it easier for you to see this information. For more information about
improvements to the console, see Configuration Manager console changes and tips.
When viewing a collection, you could previously see the amount of time the site took to evaluate the
collection membership. This data is now also available in the Monitoring workspace. When you select a
collection in either subnode of the Collection Evaluation node, the details pane displays this collection
evaluation time data. For more information about improvements to the console, see Configuration
Manager console changes and tips.
There's a new built-in device collection for Co-management Eligible Devices. The Co-management
Eligible Devices collection uses incremental updates and a daily full update to keep the collection up to
date. For more information about improvements to the console, see Configuration Manager console
changes and tips.

Tools
Options for Support Center Data Collector and Client Tools
New command-line options have been added to the Support Center Data Collector and Client Tools. The
following options were added:
Launch as current user without elevation
Specify machine name
Disable integrated authentication
Display help
For more information, see Support Center.
Improvements to Support Center Log File Viewer and OneTrace
The Support Center Log File Viewer and OneTrace now display status messages in an easy-to-read format.
Entries starting with >> are status messages that are automatically converted into a readable format when a
log is opened. Search or filter on the >> string to find status messages in the log.
For more information, see Support Center log file viewer and Support Center OneTrace.
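When a log has to be triaged outside Support Center (for example on a server without the tools installed, or in bulk across many client logs), the same >> convention can be used to pull the status messages out of a CMTrace-format log. The script below is an added example, not code from Support Center or the documentation: it parses the CMTrace entry format and returns only the entries that begin with >>. The four log lines in $SampleLog are constructed for this example.

```powershell
# Added example; not from the Support Center documentation. Parses CMTrace-format
# log lines and returns only the status message entries, which begin with ">>".
# The log lines in $SampleLog are constructed for this example.

$SampleLog = @'
<![LOG[Service started]LOG]!><time="10:12:33.100+000" date="12-15-2021" component="CcmExec" context="" type="1" thread="4100" file="ccmexec.cpp:100">
<![LOG[>> Policy received for a new deployment]LOG]!><time="10:12:35.200+000" date="12-15-2021" component="PolicyAgent" context="" type="1" thread="4102" file="policyagent.cpp:200">
<![LOG[Retrying content download]LOG]!><time="10:12:36.300+000" date="12-15-2021" component="ContentTransferManager" context="" type="2" thread="4103" file="cts.cpp:300">
<![LOG[>> Program failed with exit code 1603]LOG]!><time="10:12:40.400+000" date="12-15-2021" component="execmgr" context="" type="3" thread="4104" file="execmgr.cpp:400">
'@

# One CMTrace entry:
# <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" thread="N" file="...">
$CMTracePattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
                  'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+' +
                  'thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        if (-not ($Line -match $CMTracePattern)) { return }   # skip blank or non-CMTrace lines
        # The time field carries a UTC offset suffix (+000 / -480) that ParseExact does not accept.
        $clock = $Matches.time -replace '[+-]\d+$', ''
        $stamp = [datetime]::ParseExact("$($Matches.date) $clock",
                    [string[]]@('MM-dd-yyyy HH:mm:ss.fff', 'MM-dd-yyyy HH:mm:ss'),
                    [cultureinfo]::InvariantCulture,
                    [System.Globalization.DateTimeStyles]::None)
        [pscustomobject]@{
            Timestamp       = $stamp
            Component       = $Matches.comp
            # type="1" is information, "2" warning, "3" error in CMTrace logs
            Severity        = @{ '1' = 'Information'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
            Thread          = [int]$Matches.thread
            Message         = $Matches.msg
            IsStatusMessage = $Matches.msg.StartsWith('>>')
        }
    }
}

function Get-CMStatusMessageFromLog {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $Lines | ConvertFrom-CMTraceLine | Where-Object IsStatusMessage |
        Select-Object Timestamp, Component, Severity,
            @{ n = 'Message'; e = { $_.Message.Substring(2).Trim() } }
}

# With the constructed sample this returns the two ">>" entries (PolicyAgent and execmgr).
Get-CMStatusMessageFromLog -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it over a real log, replace the sample with `Get-Content C:\Windows\CCM\Logs\execmgr.log` (path as an example of a default client log location). The severity from the `type` attribute is kept alongside the message so that failed-program status messages can be separated from informational ones without a second pass.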

Deprecated features
Learn about support changes before they're implemented in removed and deprecated items.
The following features are deprecated. You can still use them now, but Microsoft plans to end support in the
future.
Managing apps from the Microsoft Store for Business and Education with Configuration Manager
Asset intelligence
On-premises MDM
For more information, see Removed and deprecated features for Configuration Manager.
As previously announced, version 2111 drops support for the following features:
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier, and rely on Configuration
Manager libraries. Such add-ons need to use .NET 4.6.2 or later. For more information, see External
dependencies require .NET 4.6.2.

Other updates
Starting with this version, the following features are no longer pre-release:
Application groups
Orchestration groups
Similarly, the Microsoft Connected Cache in Configuration Manager is now generally available for production
use.
For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version
2111 release notes.
Aside from new features, this release also includes other changes such as bug fixes. For more information, see
Summary of changes in Configuration Manager current branch, version 2111.

Next steps
As of December 15, 2021, version 2111 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for
installing update 2111.

TIP
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
Installing new sites
Baseline and update versions

For known significant issues, see the Release notes.


After you update a site, also review the Post-update checklist.
What's new in version 2107 of Configuration Manager current branch
2/16/2022 • 16 minutes to read

Applies to: Configuration Manager (current branch)


Update 2107 for Configuration Manager current branch is available as an in-console update. Apply this update
on sites that run version 2002 or later. This article summarizes the changes and new features in Configuration
Manager, version 2107.

NOTE
To better align with other releases within Microsoft Endpoint Manager, starting this year the current branch version
names will be 2103, 2107, and 2111. They will still release every four months, and release at the same time of the year.

Always review the latest checklist for installing this update. For more information, see Checklist for installing
update 2107. After you update a site, also review the Post-update checklist.
To take full advantage of new Configuration Manager features, after you update the site, also update clients to
the latest version. While new functionality appears in the Configuration Manager console when you update the
site and console, the complete scenario isn't functional until the client version is also the latest.

Cloud-attached management
Cloud attach your environment during site update
Microsoft Endpoint Manager is an integrated solution for managing all of your devices. Cloud attach brings
together Configuration Manager and Intune into a single console called Microsoft Endpoint Manager admin
center. Starting with this release, sites that aren't already onboarded to Microsoft Endpoint Manager will be
prompted to optionally cloud attach as part of the upgrade wizard. Environments are considered cloud attached
if at least one of the following features is already enabled:
Tenant attach
Co-management
Endpoint analytics
For more information, see Install in-console updates.
Convert a CMG to virtual machine scale set
Starting in current branch version 2010, you could deploy the cloud management gateway (CMG) with a virtual
machine scale set in Azure. This support was primarily to unblock customers with a Cloud Solution Provider
(CSP) subscription.
In this release, any customer with a CMG that uses the classic cloud service deployment can convert to a virtual
machine scale set. Microsoft recommends that new CMG deployments use a virtual machine scale set.
For more information, see Plan for CMG: virtual machine scale set and Modify a CMG: Convert.
Select VM size for CMG
When you deploy a CMG with a virtual machine scale set, you can now choose the virtual machine (VM) size.
The following three options are available:
Lab (B2s)
Standard (A2_v2). This size continues to be the default setting.
Large (A4_v2)
This control gives you greater flexibility with your CMG deployment. You can adjust the size for test labs or if
you support large environments. For example, the smaller Lab size is ideal for testing with a smaller number of
clients at less cost. For production deployments, either use the default Standard size or add more capacity with
the Large size.
For more information, see Cost of CMG: Virtual machine scale set.
Tenant attach: BitLocker recovery keys
Get BitLocker recovery keys for a tenant-attached device from the Microsoft Endpoint Manager admin center.
For example, a help desk technician who doesn't have access to Configuration Manager could use the web-
based admin center to help an end user get a recovery key for their device.
For more information, see Tenant attach: BitLocker recovery keys.
Tenant attach support for US Government cloud
United States Government customers can now use the following Microsoft Endpoint Manager tenant attach
features in the US Government cloud:
Account onboarding
Tenant sync to Intune
Device sync to Intune
Device actions in the Microsoft Endpoint Manager admin center
For more information, see Microsoft Endpoint Manager tenant attach: Prerequisites.
Renamed Co-management node to Cloud Attach
To better reflect the other cloud services that Configuration Manager offers, the Co-management node has
been renamed to the Cloud Attach node. Other changes you may notice include the ribbon button being
renamed from Configure Co-management to Configure Cloud Attach and the Co-management
Configuration Wizard was renamed to Cloud Attach Configuration Wizard.
For more information, see Co-management, Tenant attach, and Endpoint analytics.

Desktop Analytics
Support for the Windows diagnostic data processor configuration
Desktop Analytics now supports the new Windows diagnostic data processor configuration. This configuration
provides you greater control of your Windows diagnostic data. Microsoft acts as a data processor, processing
Windows diagnostic data for the controller.
For more information, see What's new in Desktop Analytics.

Site infrastructure
Support for Windows Server 2022 and the ADK for Windows 11
Configuration Manager now supports Windows Server 2022 as site systems and clients. For more information,
see the following articles:
Supported operating systems for site system servers
Supported OS versions for clients
Upgrade on-premises infrastructure
It also supports the Windows ADK for Windows 11 and Server 2022. For more information, see Support for
Windows ADK.

TIP
Configuration Manager supports Windows Insider builds, which is a great way to test the latest version of Windows 11
with Configuration Manager version 2107.

Microsoft .NET requirements


Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site servers, specific site
systems, clients, and the console. Before you run setup to install or update the site, first update .NET and restart
the system. If possible in your environment, install the latest version of .NET version 4.8.
There's also a new management insight to recommend site systems that don't yet have .NET version 4.8 or later.
For more information, see the following articles:
Site and site system prerequisites
Prerequisites for deploying clients to Windows computers
Install the Configuration Manager console
Updated Visual C++ prerequisite
The Configuration Manager client and several server components require the Microsoft Visual C++
Redistributable component (vcredist_x*.exe). During Configuration Manager installation, if the VCRedist
doesn't already exist, it automatically installs. Starting in this release, Configuration Manager now uses the
Microsoft Visual C++ 2015-2019 redistributable version 14.28.29914.0. This version improves stability in
Configuration Manager operations.
For more information on client and site system prerequisites, see the following articles:
Prerequisites for deploying clients to Windows computers
Site and site system prerequisites
New prerequisite check for SQL Server 2012
When you install or update the site, it now warns for the presence of SQL Server 2012. The support lifecycle for
SQL Server 2012 ends on July 12, 2022. Plan to upgrade database servers in your environment, including SQL
Server Express at secondary sites.
For more information, see Removed and deprecated for site servers: SQL Server.
External notifications
In a complex IT environment, you may have an automation system like Azure Logic Apps. Customers use these
systems to define and control automated workflows to integrate multiple systems. You could integrate
Configuration Manager into a separate automation system through the product's SDK APIs. But this process can
be complex and challenging for IT professionals without a software development background.
You can now enable the site to send notifications to an external system or application. This feature simplifies the
process by using a web service-based method. You configure subscriptions to send these notifications. These
notifications are in response to specific, defined events as they occur. For example, status message filter rules.
For more information, see External notifications.
Internet access requirements
Before you update to version 2107, if you restrict internet access, confirm that the site system that hosts the
service connection point role can communicate with the following internet endpoint:
configmgrbits.azureedge.net. This endpoint was already required, but its use is expanded in this release. The site
system can't download version 2107 or later unless your network allows traffic to this URL.
For more information, see internet access requirements for the service connection point.

Real-time management
Simplified CMPivot permissions requirements
We've simplified the CMPivot permissions requirements. The new permissions are applicable for CMPivot
standalone and CMPivot in the on-premises console. The following changes have been made:
CMPivot no longer requires SMS Scripts read permission
The SMS Provider still requires this permission if the administration service falls back to it because of
a 503 (Service Unavailable) error, as seen in the CMPivot.log.
The default scope permission isn't required.
For more information, see permissions for CMPivot.
Improvements to CMPivot
We've made the following improvements to CMPivot:
Added a Key value to the Registry entity
Added a new RegistryKey entity that returns all registry keys matching the given expression
Added maxif and minif aggregators that can be used with the summarize operator
Improvements to query autocomplete suggestions in the query editor
For more information, see Changes to CMPivot and CMPivot overview.

Client management
Support for Windows 11
Starting with version 2107, Configuration Manager supports Windows 11. For more information, see Support
for Windows 11.
Custom properties for devices
Many customers have other data that's external to Configuration Manager but useful for deployment targeting,
collection building, and reporting. This data is typically non-technical in nature, not discoverable on the client,
and comes from a single external source. For example, a central IT Infrastructure Library (ITIL) system or asset
database, which has some of the following device attributes:
Physical location
Organizational priority
Category
Cost center
Department
You can use the administration service to set this data on devices. The site stores the property's name and its
value in the site database as the new Device Custom Properties class. You can then use the custom
properties in Configuration Manager for reporting or to create collections.
For more information, see Custom properties for devices.
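The administration service call behind this feature, and behind the version 2111 console editor for the same properties, is a POST to the device resource. The functions below are an added example and not code from the Configuration Manager documentation. They assume the SMS Provider at $ProviderFqdn hosts the administration service over HTTPS, that $ResourceId is the device's ResourceID as shown in the console, and that the AdminService.SetExtensionData action accepts an ExtensionData object of name/value pairs; the read action AdminService.GetExtensionData and the shape of its response are also assumptions. The property names and values are constructed samples.

```powershell
# Added example; not from the Configuration Manager documentation. Sets and
# reads custom device properties through the administration service.
# Assumptions: $ProviderFqdn is the SMS Provider that hosts the administration
# service (HTTPS), $ResourceId is the device's ResourceID from the console,
# AdminService.SetExtensionData / AdminService.GetExtensionData are the actions
# used, and the property names and values are constructed samples.

function Set-CMDeviceCustomProperty {
    param(
        [Parameter(Mandatory)] [string] $ProviderFqdn,
        [Parameter(Mandatory)] [int] $ResourceId,
        [Parameter(Mandatory)] [hashtable] $Properties
    )

    # These values later feed collection queries and reports, so this example
    # only accepts simple identifier-style names and plain string values.
    foreach ($key in $Properties.Keys) {
        if ($key -notmatch '^[A-Za-z][A-Za-z0-9_]{0,63}$') { throw "Invalid property name: $key" }
        if ($Properties[$key] -isnot [string]) { throw "Value for $key must be a string" }
    }

    $uri  = "https://$ProviderFqdn/AdminService/v1.0/Device($ResourceId)/AdminService.SetExtensionData"
    $body = @{ ExtensionData = $Properties } | ConvertTo-Json -Compress
    # -UseDefaultCredentials sends the caller's Windows identity; the administration
    # service applies the caller's role-based permissions on the device resource.
    Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/json' -UseDefaultCredentials
}

function Get-CMDeviceCustomProperty {
    param(
        [Parameter(Mandatory)] [string] $ProviderFqdn,
        [Parameter(Mandatory)] [int] $ResourceId
    )
    # Assumed read action and response member (ExtensionData carries the name/value pairs).
    $uri = "https://$ProviderFqdn/AdminService/v1.0/Device($ResourceId)/AdminService.GetExtensionData"
    (Invoke-RestMethod -Method Get -Uri $uri -UseDefaultCredentials).ExtensionData
}

# Example (constructed server name, ResourceID and values):
# Set-CMDeviceCustomProperty -ProviderFqdn 'cm01.contoso.local' -ResourceId 16777220 -Properties @{
#     PhysicalLocation = 'Building 4'; Department = 'Finance'; CostCenter = '1042' }
# Get-CMDeviceCustomProperty -ProviderFqdn 'cm01.contoso.local' -ResourceId 16777220
```

Because the external source (an ITIL or asset system) is what drives these values, the validation in Set-CMDeviceCustomProperty is where a sync job should reject malformed input before it lands in the site database and ends up in collection membership rules.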
Client encryption uses AES-256
Starting in this release, when you enable the site to Use encryption, the client uses the AES-256 algorithm.
This setting requires clients to encrypt inventory data and state messages before sending them to the management
point.
For more information, see Cryptographic controls technical reference.
Clients store Configuration Manager self-signed certificates in hardware TPM
Configuration Manager uses self-signed certificates for client identity and to help protect communication
between the client and site systems. When you update the site and clients to version 2107, the client stores its
certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the trusted
platform module (TPM). The certificate is also marked non-exportable.
If the client also has a PKI-based certificate, it continues to use that certificate for TLS HTTPS communication. It
uses its self-signed certificate for signing messages with the site.
For more information, see Certificates overview.
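On a client, the claim that the certificate is now held in a hardware-bound KSP and marked non-exportable can be verified from the key itself rather than from the log files. The function below is an added example, not code from the Configuration Manager documentation. It assumes the client keeps its self-signed certificates in the LocalMachine SMS certificate store and that "Microsoft Platform Crypto Provider" is the provider name a TPM-backed key reports; it relies on RSACertificateExtensions.GetRSAPrivateKey, which is available from .NET Framework 4.6, the same baseline this release requires.

```powershell
# Added example; not from the Configuration Manager documentation. Reports which
# key storage provider holds the private key of each certificate in the local
# machine SMS store, and whether that key is exportable.
# Assumptions: the client's self-signed certificates live in Cert:\LocalMachine\SMS;
# a TPM-backed key reports the provider name 'Microsoft Platform Crypto Provider'.
# Run elevated: the private keys belong to the local machine.

function Get-CMClientCertificateKeyInfo {
    param([string] $StorePath = 'Cert:\LocalMachine\SMS')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $provider = $null
        $exportPolicy = $null
        try {
            if ($cert.HasPrivateKey) {
                # Returns an RSACng for keys held by a CNG key storage provider;
                # its Key property exposes the provider and the export policy.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider     = $rsa.Key.Provider.Provider
                    $exportPolicy = $rsa.Key.ExportPolicy   # 'None' means non-exportable
                } elseif ($rsa) {
                    $provider = 'legacy CSP (CAPI)'
                }
            } else {
                $provider = 'no private key'
            }
        } catch {
            $provider = "unavailable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            FriendlyName   = $cert.FriendlyName
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            Provider       = $provider
            HardwareBacked = ($provider -eq 'Microsoft Platform Crypto Provider')
            ExportPolicy   = $exportPolicy
        }
    }
}

Get-CMClientCertificateKeyInfo | Format-Table Subject, Provider, HardwareBacked, ExportPolicy -AutoSize
```

A device without a usable TPM will still show a software KSP (Microsoft Software Key Storage Provider) for these certificates, so HardwareBacked being false is a prompt to check the TPM state rather than a client error; an ExportPolicy other than None is the result that should be investigated, since the certificate is what identifies the client to the site.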
Hardware inventory for client log settings
You can now inventory client log file settings such as log levels and size. This behavior allows you to track
settings that you change by the Client Diagnostics actions. This new inventory class isn't enabled by default.
For more information, see About log files.
Support for macOS Big Sur
Configuration Manager now supports the macOS Big Sur version 11. For more information, see Supported OS
versions for clients and devices.

Software Center
Support for enhanced HTTP
When you enable the site for enhanced HTTP, Software Center and the Company Portal now prefer secure
communication over HTTPS to get user-available applications from the management point.
For more information, see Plan for Software Center and Use the Company Portal app on co-managed devices.

Application management
Implicit uninstall of applications
Many customers have lots of collections because for every application they need at least two collections: one for
install and another for uninstall. This practice adds overhead of managing more collections, and can reduce site
performance for collection evaluation.
Starting in this release, you can enable an application deployment to support implicit uninstall. If a device is in a
collection, the application installs. Then when you remove the device from the collection, the application
uninstalls.
For more information, see Uninstall applications.

OS deployment
Support layered keyboard driver during OS deployment
This release adds support for layered keyboard drivers during OS deployment. This driver specifies other types
of keyboards that are common with Japanese and Korean languages.
For more information, see Task sequence steps - Apply OS Image.

Protection
Audit mode for potentially unwanted applications
An Audit option for potentially unwanted applications (PUA) was added in the Antimalware policy settings.
Use PUA protection in audit mode to detect potentially unwanted applications without blocking them. PUA
protection in audit mode is useful if your company is conducting an internal software security compliance check
and you'd like to avoid any false positives.
For more information, see real-time protection settings.

Software updates
Run software updates evaluation from deployment status
You can now right-click and notify devices to run a software updates evaluation cycle from the software update
deployment status. You can target a single device under the Asset Details pane or select a group of devices
based on their deployment status.
For more information, see Configuration Manager console changes and tips.
Management insights rule for TLS/SSL software update points
Management insights has a new rule to detect if your software update points are configured to use TLS/SSL. To
review the Configure software update points to use TLS/SSL rule, go to Administration >
Management Insights > All Insights > Software Updates.
For more information, see the Management insights software updates group.
List third-party update catalogs
To help you find custom catalogs that you can import for third-party software updates, there's now a
documentation page with links to catalog providers. Choose More Catalogs from the ribbon in the
Third-party software update catalogs node. Right-clicking the Third-Party Software Update Catalogs node
also displays a More Catalogs menu item. Selecting More Catalogs opens a link to a documentation page
containing a list of third-party software update catalog providers.
For more information, see Third-party software updates and list of third-party software update catalog
providers.
Improvements for managing automatic deployment rules
The following items were added to help you better manage your automatic deployment rules (ADRs):
Deployment types for automatic deployment rules
You can now specify the deployment type for the software update deployment created by an ADR. Select
Required to create a mandatory software update deployment or select Available to create an optional
software update deployment.
For more information, see Create an automatic deployment rule.
Updated Product parameter for New-CMSoftwareUpdateAutoDeploymentRule cmdlet
The -Product parameter for New-CMSoftwareUpdateAutoDeploymentRule was updated. When there are multiple
products with the same name, -Product now selects all of them.
Script to apply deployment package settings for automatic deployment rule
If you create an ADR with the No deployment package option, you're unable to go back and add one later. To
help you resolve this issue, we've uploaded a script into Community hub.
For more information, see Automatic deployment rules.

Community hub
Publish query to Community hub from CMPivot
You can now publish a CMPivot query to the Community hub directly from the CMPivot window. Submitting
your queries directly through CMPivot makes contributing to the Community hub easier.
For more information, see Contribute to Community hub and CMPivot.
Support for console extensions in Community hub
When you use Configuration Manager version 2103 or later, you can now download console extensions from
the Community hub and have them applied to all consoles connected to a hierarchy. Manage the approval and
installation of console extensions used in your environment from the Console extensions node.
For more information, see Console extensions from Community hub.

Configuration Manager console


Enhanced code editor
Building on improvements in Configuration Manager 2010 for syntax highlighting and code folding, you can
now edit scripts in an enhanced editor. The new editor supports syntax highlighting, code folding, word wrap,
line numbers, and find and replace. The new editor is available in the console wherever scripts and queries can
be viewed or edited.
For more information, see the enhanced code editor.
Send product feedback from error windows
Previously, if the Configuration Manager console reported an error in a separate window, you had to go back to
the main console window to send feedback. In some cases, this action isn't possible with other console windows
open.
Starting in this release, error messages include a link to Report error to Microsoft. This action opens the
standard "send a frown" window to provide feedback. It automatically includes details about the user interface
and the error to better help Microsoft engineers diagnose the error. Aside from making it easier to send a frown,
it also lets you include the full context of the error message when you share a screenshot.
For more information, see Product feedback.
Hierarchy approved console extensions don't require signing
Starting in this release, you can choose to allow unsigned hierarchy approved console extensions. You may need
to allow unsigned console extensions because of an unsigned internally developed extension, or for testing your
own custom extension in a lab.
For more information, see Allow unsigned console extensions in the hierarchy.
Console improvements
In this release we've made the following improvements to the Configuration Manager console:
Status message shortcuts: Shortcuts to status messages were added to the Administrative Users node
and the Accounts node. Select an account, then select Show Status Messages.
Navigate to collection: You can now navigate to a collection from the Collections tab in the Devices
node. Select View Collection from either the ribbon or the right-click menu in the tab.
Added maintenance window column: A Maintenance window column was added to the Collections
tab in the Devices node.
Display assigned users: If a collection deletion fails because of scope assignment, the assigned users are
displayed.
You can now use the All Subfolders search option from the Boot Images, Operating System
Upgrade Packages, and Operating System Images nodes.
For more information about improvements to the console, see Configuration Manager console changes and
tips.

Tools
Improvements to Support Center
Starting in this release, the Content view in the Support Center Client Tools has been renamed to
Deployments. From Deployments, you can review all of the deployments currently targeted to the device. The
new view is grouped by Category and Status. The view can be sorted and filtered to help you find the
deployments you're interested in. Select a deployment in the results pane to display more information in the
details pane.
For more information, see Support Center Client Tools user interface reference.
Improvements to CMTrace
This release includes multiple performance improvements to the CMTrace log viewer. If you have a copy of
CMTrace in a non-default location, consider removing it and using a copy in one of the default paths. If it's in a
custom location that meets your business requirements, then make sure you have a process to keep it up to
date. A script is available in the Community Hub to help you locate and update versions of CMTrace to the latest
version.
For more information, see CMTrace.
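As an added example (not the Community Hub script and not part of the original page), the following PowerShell inventories copies of CMTrace.exe under the roots you name, compares each one with a reference copy by SHA-256 hash and file version, and replaces only the copies that are older. The default reference path (the client's copy under %WinDir%\CCM) and the sample search roots are assumptions; adjust them for your environment.

```powershell
# Added example, not from the Configuration Manager docs or the Community Hub.
# Locates CMTrace.exe copies, compares them with a reference copy and optionally
# replaces the stale ones. Run as an account that can write to the target folders.
# ASSUMPTIONS: reference copy at %WinDir%\CCM\CMTrace.exe (the client's copy);
# the search roots are constructed samples.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ReferencePath = (Join-Path $env:WinDir 'CCM\CMTrace.exe'),
    [string[]]$SearchRoot  = @('C:\Tools', 'C:\Users'),
    [switch]$Update
)

if (-not (Test-Path -LiteralPath $ReferencePath)) {
    throw "Reference CMTrace.exe not found at $ReferencePath"
}
$reference  = Get-Item -LiteralPath $ReferencePath
$refVersion = [version]$reference.VersionInfo.FileVersion
$refHash    = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash

# Collect every CMTrace.exe under the search roots that exist on this machine.
$copies = foreach ($root in $SearchRoot) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter 'CMTrace.exe' -Recurse -File -ErrorAction SilentlyContinue
    }
}

foreach ($copy in $copies) {
    if ($copy.FullName -eq $reference.FullName) { continue }
    $hash  = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
    $ver   = [version]$copy.VersionInfo.FileVersion
    $state = if ($hash -eq $refHash)       { 'Current' }    # byte-identical to the reference
             elseif ($ver -lt $refVersion) { 'Outdated' }   # older build: candidate for replacement
             else                          { 'Different' }  # same or newer version but different bytes: inspect by hand

    [pscustomobject]@{ Path = $copy.FullName; Version = $ver; State = $state }

    # Only overwrite copies that are provably older; -WhatIf shows what would change.
    if ($Update -and $state -eq 'Outdated' -and
        $PSCmdlet.ShouldProcess($copy.FullName, "Replace with CMTrace $refVersion")) {
        Copy-Item -LiteralPath $ReferencePath -Destination $copy.FullName -Force
    }
}
```

Save it as a script and run it first with `-WhatIf` (for example `.\Find-CMTrace.ps1 -SearchRoot 'D:\Scripts' -Update -WhatIf`). A copy reported as Different has the same or a newer version number than the reference but different bytes; it is deliberately left alone because a hash mismatch on a tool that admins run is worth a look rather than a silent overwrite.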
RBAViewer location change
RBAViewer has moved from <installdir>\tools\servertools\rbaviewer.exe. It's now located in the Configuration
Manager console directory. After you install the console, RBAViewer.exe will be in the same directory. The default
location is C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\rbaviewer.exe.
For more information, see Configuration Manager tools.

Deprecated features
Learn about support changes before they're implemented in removed and deprecated items.
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new
CDP instances. To provide content to internet-based devices, enable the CMG to distribute content.
The support lifecycle for SQL Server 2012 ends on July 12, 2022. Plan to upgrade database servers in
your environment, including SQL Server Express at secondary sites.
As previously announced, version 2107 drops support for the following features:
Log Analytics connector for Azure Monitor. This feature was called the OMS Connector in the Azure Services
node.

Other updates
Starting with this version, the following features are no longer pre-release:
Cloud management gateway (CMG) with virtual machine scale set
For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version
2107 release notes.
Aside from new features, this release also includes other changes such as bug fixes. For more information, see
Summary of changes in Configuration Manager current branch, version 2107.
The following update rollup (11121541) is available in the console starting on October 27, 2021: Update rollup
for Configuration Manager current branch, version 2107.
Hotfixes
The following additional hotfixes are available to address specific issues:

ID          Title                                                                     Date               In-console
12636660    Client update for Microsoft Endpoint Configuration Manager version 2107   December 2, 2021   No

Next steps
As of August 23, 2021, version 2107 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for
installing update 2107.

TIP
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
Installing new sites
Baseline and update versions

For known significant issues, see the Release notes.


After you update a site, also review the Post-update checklist.
What's new in version 2103 of Configuration
Manager current branch
2/16/2022 • 16 minutes to read

Applies to: Configuration Manager (current branch)


Update 2103 for Configuration Manager current branch is available as an in-console update. Apply this update
on sites that run version 1910 or later. When installing a new site, it will also be available as a baseline version
soon after global availability. This article summarizes the changes and new features in Configuration Manager,
version 2103.

NOTE
To better align with other releases within Microsoft Endpoint Manager, starting this year the current branch version
names will be 2103, 2107, and 2111. They will still release every four months, and release at the same time of the year.

Always review the latest checklist for installing this update. For more information, see Checklist for installing
update 2103. After you update a site, also review the Post-update checklist.
To take full advantage of new Configuration Manager features, after you update the site, also update clients to
the latest version. While new functionality appears in the Configuration Manager console when you update the
site and console, the complete scenario isn't functional until the client version is also the latest.

Microsoft Endpoint Manager tenant attach


Display all applications for a device in Microsoft Endpoint Manager admin center
The Applications view for a tenant attached device in Microsoft Endpoint Manager admin center now displays
more applications from Configuration Manager. Displayed applications include applications that are:
Deployed to the device
Deployed to a user that's logged in to the device, primary user of the device, and applications previously
installed for the user
The option An administrator must approve a request for this application on the device is no longer
required to be set on the device available deployment for applications to be listed in the admin center. This
improvement allows you to review when application installations are expected to occur on a device.
For more information, see Tenant attach: Install an application from the admin center.
Antivirus policy exclusions merge
When a tenant attached device is targeted with two or more antivirus policies, the settings for antivirus
exclusions will merge before being applied to the client. This change results in the client receiving the exclusions
defined in each policy, allowing for more granular control of antivirus exclusions.
For more information, see antivirus policies.
User discovery prerequisite simplification
The discovery prerequisite for user accounts accessing tenant attach features within Microsoft Endpoint
Manager admin center was simplified. The hybrid identity needs to be discovered by one of the following
discovery methods instead of both:
Azure Active Directory user discovery
Active Directory user discovery
For more information, see Tenant attach prerequisites.
Application details
When tenant attach is enabled, the applications pane in the Microsoft Endpoint Manager admin center will show
an Error Description if the application status is Failed.
For more information on the error code and troubleshooting steps, see Application installation common error
codes reference.

Site infrastructure
New prerequisite checks
When you install or update to version 2103, there are several new warning prerequisite checks.
Enable the site for HTTPS-only or enhanced HTTP
If your site is configured to allow HTTP communication without enhanced HTTP, you'll see this warning. To
improve the security of client communications, in the future Configuration Manager will require HTTPS
communication or enhanced HTTP. Plan to configure the site for HTTPS only or to Use Configuration
Manager-generated certificates for HTTP site systems. For more information, see the description of this
prerequisite check.
Deprecated Azure Monitor connector
We continue to see broad adoption of native Azure Monitor log query groups as customers shift more of their
workloads to the cloud. Because of this reason, starting in November 2020, the Configuration Manager feature
to synchronize collections to Azure Monitor was deprecated.
When you update to this release, this check warns about the presence of the Log Analytics connector for Azure
Monitor. (This feature is called the OMS Connector in the Azure Services wizard.) This connector is deprecated,
and will be removed from the product in a future release. At that time, this check will be an error that blocks
upgrade.
SQL Server Express version
If you have a secondary site that uses SQL Server Express edition, this check warns if the version is earlier than
SQL Server 2016 with service pack 2 (13.0.5026.0).
Microsoft recommends that you keep SQL Server Express up to date. For more information, see Security for site
administration.
Allow exclusion of organizational units (OU) from Active Directory User Discovery
You can now exclude OUs from Active Directory User Discovery.

Collections
Improvements to the collection relationships viewer
Starting in version 2010, you can view dependency relationships between collections in a graphical format. The
relationships for a collection were presented as two hierarchical trees, one for dependents and the other for
dependencies. In this release, you can view both parent and child relationships together in a single graph. This
change allows you to quickly see an overview of all the relationships of a collection at once and then drill down
into specific related collections. It also includes other filtering and navigation improvements.
For more information, see Manage collections: View collection relationships.
Improvements to query preview
You now have more options when using the collection query preview. The following improvements have been
made to previewing collection queries:
Limit the number of rows returned
Your limit can be between 1 and 10,000 rows. The default is 5000 rows.
Omit duplicate rows from the result set
If the Omit duplicate rows option isn't selected, the original query statement is executed as is,
even if the query contains the word distinct.
When the Omit duplicate rows option is selected and the query already contains the word distinct,
the query runs as it is. When the query doesn't contain the word distinct, the preview adds it to the
query; this override applies only to the preview, not to the saved query.
Review statistics for the query preview such as number of rows returned and elapsed time.
For more information, see How to create collections.
Improvements to collection evaluation view
The following improvements were made to the collection evaluation view:
The central administration site (CAS) now displays a summary of collection evaluation status for all the
primary sites in the hierarchy
Drill through from collection evaluation status queue to a collection
Copy text to the clipboard from the collection evaluation page
Configure the refresh interval for the collection evaluation statistics page
For more information, see How to view collection evaluation.

Software Center
Change foreground color for Software Center branding
Software Center already provides various controls for you to customize the branding to support your
organization's brand. For some customers, their brand color doesn't work well with the default white font color
for a selected item. To better support these customers and improve accessibility, you can now configure a
custom color for the foreground font.
For more information, see About client settings - Software Center.
Improved user experience and security with Software Center custom tabs
Since current branch version 1906, you can add up to five custom tabs to Software Center. These custom tabs let
you give your users easy access to common web apps and other sites. Previously, to display websites Software
Center used the Windows built-in Internet Explorer browser control.
Starting in this release, Software Center can now use the Microsoft Edge WebView2 browser control. The
WebView2 browser control provides improved security and user experience. For example, more websites should
work with these custom tabs without displaying script errors or security warnings.
For more information, see About client settings - Software Center.

Application management
Disable application deployments
You can now disable application deployments. Other objects already have similar behaviors:
Software update deployments: Disable the deployment
Phased deployments: Suspend the phase
Package: Disable the program
Task sequence: Disable the task sequence
Configuration baseline: Disable the baseline
For device-based deployments, when you disable the deployment or object, use the client notification action to
Download Computer Policy. This action immediately tells the client to update its policy from the site. If the
deployment hasn't already started, the client receives the updated policy that the object is now disabled.
For more information, see Disable and delete application deployments.

OS deployment
Windows 10 Servicing dashboard changes
We've simplified the Windows 10 Servicing dashboard to make it more relevant. The new Quality Update
Versions chart displays the top five revisions of Windows 10 across your devices. The Latest Feature Update
chart shows the number of devices that installed the latest feature update. The Windows 10 Usage chart,
showing the distribution of Windows 10 major releases, was renamed to Feature Update Versions . Servicing
plan and Windows 10 ring information were removed from the dashboard.
For more information, see Windows 10 servicing dashboard.
Deploy a feature update with a task sequence
You can now upgrade a client's Windows OS by using a feature update deployed with a task sequence. This
integration combines the simplicity of Windows servicing with the flexibility of task sequences. Servicing uses
content that you synchronize through the software update point. This process simplifies the need to manually
get, import, and maintain the Windows image content used with a standard task sequence to upgrade Windows.
The size of the servicing ESD file is generally smaller than the OS upgrade package and WIM image file. You can
also use Windows features such as Dynamic Update and Delivery Optimization.
This type of task sequence extends support to Windows 10 on ARM64 devices.
For more information, see the following articles:
For scenario guidance and planning, see Upgrade Windows to the latest version.
For prerequisites, see Create a task sequence to upgrade an OS.
For the new setting on the task sequence step, see About task sequence steps: Upgrade OS.
Task sequence error shows more check readiness details
The task sequence progress can now display more information about readiness checks. If a task sequence fails
because the client doesn't meet the requirements configured in the Check readiness task sequence step, the
user can now see more details about the failed prerequisites.

For more information, see User experiences for OS deployment.


Encryption algorithm to capture and restore user state
The task sequence steps to Capture User State and Restore User State always encrypt the USMT state store.
Previously, Configuration Manager configured USMT to use the 3DES algorithm. Starting in this release, both
steps now use the highest supported encryption algorithm, AES 256.

IMPORTANT
If you have any active user state migrations, before you update the Configuration Manager client on those devices,
restore the user state. Otherwise, the updated client will fail to restore the user state when it tries to use a different
encryption algorithm.

For more information, see About task sequence steps.


Improvements to OS deployment
This release includes the following improvements to OS deployment:
Task sequence conditions now include a not like operator. This operator applies to task sequence
variable conditions. It's also used in the Set Dynamic Variable task sequence step.
The Check Readiness task sequence step now also checks free space on disks without partitions.
The following PowerShell cmdlets now have an Index parameter:
New-CMOperatingSystemImage: When you run this cmdlet with the new Index parameter, it creates a
new single-index image file in the same source folder.
New-CMOperatingSystemInstaller (alias New-CMOperatingSystemUpgradePackage ): When you
run this cmdlet with the new Index parameter, it replaces the original image file in the source folder
with a single-index image file.
The following new cmdlets are available to get the list of existing hardware IDs in the site database:
Get-CMDuplicateHardwareIdGuid
Get-CMDuplicateHardwareIdMacAddress
These new cmdlets supplement the existing cmdlets to add and remove duplicate IDs. For more
information, see Version 1910 PowerShell release notes.

Protection
Improvements to BitLocker management
In current branch version 2010, you can manage BitLocker policies and escrow recovery keys over a cloud
management gateway (CMG). This support included a couple of limitations.
Starting in this release, BitLocker management policies over a CMG support the following capabilities:
Recovery keys for removable drives
TPM password hash, otherwise known as TPM owner authorization
For more information on BitLocker management over CMG, see Deploy BitLocker management.
This release also provides support for the following features:
Enhanced HTTP
The recovery service on management points that use a database replica.
For more information, see Plan for BitLocker management.
Software updates
Approved scripts for orchestration groups
You can now select from scripts that have already been approved when configuring pre and post-scripts for an
orchestration group. When in the Create Orchestration Group Wizard, you'll see a new page called Script
Picker. Select your pre and post scripts from your list of scripts that are already approved. You can still add
scripts manually on the pre and post-script pages. Additionally, you can also edit scripts that you pre-populated
from the Script Picker.
For more information, see Orchestration groups.
Change default maximum run time for software updates
Configuration Manager sets the following maximum run time for these categories of software updates:
Feature updates for Windows: 120 minutes
Non-feature updates for Windows: 60 minutes
Updates for Microsoft 365 Apps (Office 365 updates): 60 minutes
All other software updates outside these categories, such as third-party updates, were given a maximum run
time of 10 minutes. Starting in Configuration Manager 2103, the default maximum run time for these updates is
60 minutes rather than 10 minutes. The new maximum run time will only apply to new updates that are
synchronized from Microsoft Update. It doesn't change the run time on existing updates.
For more information, see Plan for software updates.
TLS certificate pinning for devices scanning HTTPS -configured WSUS servers
Further increase the security of HTTPS scans against WSUS by enforcing certificate pinning. To fully enable this
behavior:
Ensure your software update points are configured to use TLS/SSL
Add the certificates for your WSUS servers to the new WindowsServerUpdateServices certificate store on your
clients
Verify that the Enforce TLS certificate pinning for Windows Update client for detecting updates
software updates client setting is set to Yes (default).
For more information, see Configure a software update point to use TLS/SSL with a PKI certificate and Client
settings for software updates.
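The three steps above, as an added example (not Microsoft's code and not part of the original page): the first function places an exported WSUS certificate into the WindowsServerUpdateServices store on a client, creating the store if it does not exist; the second reads the software update point URL the client is using, performs a TLS handshake with it, and reports whether the certificate the server presents (or any certificate in its chain) matches something in the store. The registry value used to find the WSUS URL and the placeholder .cer path are assumptions. Whether the Windows Update client requires the leaf certificate itself in the store or also accepts an issuing CA is not stated on this page, so the function reports both matches and you can rely on whichever your testing confirms.

```powershell
# Added example, not Microsoft's code. Pins the WSUS/software update point
# certificate on a client and verifies what the server actually presents.
# ASSUMPTIONS: the WSUS URL is read from the WUServer policy value the ConfigMgr
# client writes; .\wsus-server.cer is a placeholder for the exported certificate.
using namespace System.Security.Cryptography.X509Certificates

function Add-PinnedWsusCertificate {
    param([Parameter(Mandatory)][string]$CertificatePath)
    # Opening the store for write creates it when it does not exist yet.
    $store = [X509Store]::new('WindowsServerUpdateServices', [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try {
        $cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $CertificatePath).Path)
        $store.Add($cert)      # no-op if the same certificate is already present
        $cert.Thumbprint
    } finally { $store.Close() }
}

function Test-WsusCertificatePinned {
    param(
        [string]$WsusUrl = (Get-ItemPropertyValue -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -Name WUServer)
    )
    $uri = [uri]$WsusUrl
    if ($uri.Scheme -ne 'https') {
        throw "Software update point $WsusUrl is not configured for TLS; pinning is not in effect."
    }
    $pinned = @(Get-ChildItem -LiteralPath 'Cert:\LocalMachine\WindowsServerUpdateServices' -ErrorAction Stop |
                ForEach-Object Thumbprint)

    # Handshake with the server and capture the certificate it presents. The callback
    # returns $true only so this diagnostic handshake completes; the decision is made below.
    $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($uri.Host)
        $leaf = [X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Build the chain locally so an issuing CA in the store can be recognised as well.
    $chain = [X509Chain]::new()
    $null  = $chain.Build($leaf)
    $chainPrints = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })

    [pscustomobject]@{
        Server      = $uri.Host
        Leaf        = $leaf.Thumbprint
        Subject     = $leaf.Subject
        LeafPinned  = $pinned -contains $leaf.Thumbprint
        ChainPinned = [bool]($chainPrints | Where-Object { $pinned -contains $_ })
    }
}

# Usage (placeholder path):
# Add-PinnedWsusCertificate -CertificatePath .\wsus-server.cer
# Test-WsusCertificatePinned
```

Run both functions elevated, because the store lives under the local machine hive. A result with LeafPinned and ChainPinned both false after the client setting is enabled means scans will fail until the right certificate is in the store, which is the failure mode this check is meant to surface before the deployment goes wide.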

Community hub
Download Power BI report templates from Community hub
Community hub now supports contributing and downloading Power BI report template files. This integration
allows administrators to easily share and reuse Power BI reports. Contributing and downloading Power BI report
templates is also available for current branch versions of Configuration Manager.
For more information, see Power BI report templates in Community hub and Using Community hub.
Download configuration items and configuration baselines from Community hub
You can now download configuration items and configuration baselines from Community hub.
For more information, see Using Community hub.
Access the top queries shared in the Community hub from CMPivot
You can now access the top CMPivot queries shared in the Community hub from on-premises CMPivot. By
leveraging pre-created CMPivot queries shared by the broader community, CMPivot users gain access to a
wider variety of queries. On-premises CMPivot accesses the Community hub and returns a list of the top
downloaded CMPivot queries. Users can review the top queries, customize them, and then run on-demand. This
improvement gives a wider selection of queries for immediate usage without having to construct them and also
allows information sharing on how to build queries for future reference.
For more information, see Changes to CMPivot in version 2103.

Configuration Manager console


Centralized management of console extensions
Configuration Manager now supports a new style of console extensions that have the following benefits:
1. Centralized management of console extensions for the site from the console instead of manually placing
binaries on individual consoles.
2. A clear separation of console extensions from different extension providers.
3. The ability for admins to have more control over which console extensions are loaded and used in the
environment, to keep them more secure.
4. A hierarchy setting that allows for only using the new style of console extension.
The old style of console extensions may start being phased out in favor of the new style, which is more secure
and centrally managed.
For more information, see Console extensions for Configuration Manager.
Add a report as a favorite
Configuration Manager ships with several hundred reports by default, and you may have added more to that
list. Instead of continually searching for reports you commonly use, you can now make a report a favorite. This
action allows you to quickly access it from the new Favorites node.
For more information, see Operations and maintenance for reporting.
Improvements to the product lifecycle dashboard
This release includes improvements to the product lifecycle dashboard to make it more actionable for you.
Customize the timeframe on the charts for your preference.
Search, sort, and filter the data.
View a list of devices with products that are near or at end of support, and you need to update.

For more information, see product lifecycle dashboard.


Support Center
Improvements to Support Center
Support Center is now split into the following tools:
Support Center Client Data Collector: Collects data from a device to view in the Support Center
Viewer. This separate tool encompasses the existing Support Center action to Collect selected data.
Support Center Client Tools: The other Support Center troubleshooting functionality, except for
Collect selected data.
The following tools are still a part of Support Center:
Support Center Viewer
Support Center OneTrace
Support Center Log File Viewer
For more information, see Support Center.
OneTrace support for jump lists
Support Center OneTrace now supports jump lists for recently opened files. Jump lists let you quickly go to
previously opened files, so you can work faster.
There are now three methods to open recent files in OneTrace:
Windows taskbar jump list
Windows Start menu recently opened list
In OneTrace, from the File menu or the Recently opened tab.
For more information, see Support Center OneTrace.

PowerShell
Starting in version 2103, the ConfigurationManager PowerShell module requires Microsoft .NET version 4.7.2 or
later.
Known issue with updateable PowerShell help
Starting in version 2010, you can use the Update-Help cmdlet to download the latest information for the
Configuration Manager PowerShell module.
Because of a change in how the updateable content is structured and published with the release of version 2103,
don't run Update-Help from a console connected to a version 2010 site. Update the site to version 2103, and then
update the local help content.
On a version 2010 console, the cmdlet downloads the content successfully, but Get-Help then returns only default
usage information. If you already ran Update-Help against a version 2010 site before version 2103 was released,
the help content you downloaded then still works with Get-Help.
For more information, see PowerShell version 2103 release notes.
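The two points above (the .NET Framework 4.7.2 requirement and the Update-Help caveat) as an added example, not Microsoft's code and not part of the original page: the first function reads the .NET Framework release from the registry, the second loads the ConfigurationManager module from the installed console and connects to the site drive, and the third runs Update-Help only when the connected site reports a 2103 or later version. Two things are assumptions: that a registry Release value of 461808 or higher means .NET 4.7.2 (the lowest Release value that version carries), and that build 9049 in the site Version string corresponds to 2103; confirm the latter against the 2103 release notes before relying on it.

```powershell
# Added example, not Microsoft's code. Checks the .NET Framework release the 2103
# module needs, loads the module from the console install, and refreshes local help
# only when the connected site is already on 2103 or later.
# ASSUMPTIONS: Release >= 461808 means .NET 4.7.2; build 9049 in Get-CMSite's
# Version (5.00.9049.xxxx) is taken to be 2103; SMS_ADMIN_UI_PATH is set by the
# console installer and points at ...\AdminConsole\bin\i386.
function Test-DotNetFor2103 {
    $release = Get-ItemPropertyValue -LiteralPath 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                                     -Name Release -ErrorAction SilentlyContinue
    [pscustomobject]@{ Release = $release; Supported = ([int]$release -ge 461808) }
}

function Connect-CMSiteDrive {
    param([string]$SiteCode)
    # The module manifest lives one level above the i386 folder the variable points to.
    $modulePath = Join-Path (Split-Path -Parent $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1'
    if (-not (Test-Path -LiteralPath $modulePath)) {
        throw "ConfigurationManager module not found; is the console installed? SMS_ADMIN_UI_PATH='$env:SMS_ADMIN_UI_PATH'"
    }
    Import-Module $modulePath -ErrorAction Stop
    if (-not $SiteCode) {
        # The console's site drive is created on import; use it when no code is given.
        $SiteCode = (Get-PSDrive -PSProvider CMSite | Select-Object -First 1).Name
    }
    Set-Location -LiteralPath "$($SiteCode):"
    $SiteCode
}

function Update-CMHelpIfSupported {
    $siteCode = (Get-Location).Drive.Name
    $site     = Get-CMSite -SiteCode $siteCode
    $build    = ([version]$site.Version).Build
    if ($build -lt 9049) {
        Write-Warning "Site $siteCode runs $($site.Version); skip Update-Help until the site is on 2103."
        return $false
    }
    Update-Help -Module ConfigurationManager -Force -ErrorAction Stop
    return $true
}

# Usage:
# if (-not (Test-DotNetFor2103).Supported) { throw '.NET Framework 4.7.2 or later is required' }
# Connect-CMSiteDrive | Out-Null
# Update-CMHelpIfSupported
```

Keep the build-number comparison in one place so it is easy to correct if your release notes show a different mapping; the .NET check costs nothing and saves a confusing import failure on a console host that was never patched past 4.6.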

Deprecated features
Learn about support changes before they're implemented in removed and deprecated items.
The following features are now deprecated:
Microsoft Edge legacy browser profiles. For more information, see New Microsoft Edge to replace
Microsoft Edge Legacy with April’s Windows 10 Update Tuesday release
The following compliance settings for Company resource access:
Certificate profiles
VPN profiles
Wi-Fi profiles
Windows Hello for Business settings
Email profiles
This deprecation includes the co-management resource access workload. Use Microsoft Intune to deploy
resource access profiles.
Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more
information, see Enable the site for HTTPS-only or enhanced HTTP.

Other updates
Starting with this version, the following features are no longer pre-release:
Remove the central administration site
For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version
2103 release notes.
Aside from new features, this release also includes additional changes such as bug fixes. For more information,
see Summary of changes in Configuration Manager current branch, version 2103.
The following update rollup (10036164) is available in the console starting on June 11, 2021: Update rollup for
Configuration Manager current branch, version 2103.
Hotfixes
The following additional hotfixes are available to address specific issues:

ID          Title                                                                     Date           In-console
9833643     Console update for Microsoft Endpoint Configuration Manager version 2103  May 11, 2021   No


Next steps
As of April 19, 2021, version 2103 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for
installing update 2103.

TIP
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
Installing new sites
Baseline and update versions

For known significant issues, see the Release notes.


After you update a site, also review the Post-update checklist.
What's new in version 2010 of Configuration
Manager current branch
2/16/2022 • 17 minutes to read

Applies to: Configuration Manager (current branch)


Update 2010 for Configuration Manager current branch is available as an in-console update. Apply this update
on sites that run version 1906 or later. This article summarizes the changes and new features in Configuration
Manager, version 2010.
Always review the latest checklist for installing this update. For more information, see Checklist for installing
update 2010. After you update a site, also review the Post-update checklist.
To take full advantage of new Configuration Manager features, after you update the site, also update clients to
the latest version. While new functionality appears in the Configuration Manager console when you update the
site and console, the complete scenario isn't functional until the client version is also the latest.

Microsoft Endpoint Manager tenant attach


Troubleshooting portal lists a user's devices based on usage
The troubleshooting portal in Microsoft Endpoint Manager admin center allows you to search for a user and
view their associated devices. Starting in this release, tenant attached devices that are assigned user device
affinity automatically based on usage will now be returned when searching for a user.
For more information, see Tenant attach: ConfigMgr client details in the admin center.
Enhancements to applications in Microsoft Endpoint Manager admin center
We've made improvements to applications for tenant attached devices. Administrators can now do the following
actions for applications in the Microsoft Endpoint Manager admin center:
Uninstall an application
Repair installation of an application
Re-evaluate the application installation status
Reinstall an application replaces Retry installation
For more information, see Tenant attach: Install an application from the admin center.

Cloud-attached management
Cloud management gateway with virtual machine scale set for CSP
Cloud management gateway (CMG) deployments can now use a virtual machine scale set in Azure to support
Cloud Solution Provider (CSP) subscriptions. This feature is currently pre-release. At this time, it's intended only
for CSP customers that don't already have a CMG in another subscription.
For more information, see CMG topology design: virtual machine scale sets.
Disable Azure AD authentication for onboarded tenants
You can now disable Azure Active Directory (Azure AD) authentication for tenants not associated with users and
devices. When you onboard Configuration Manager to Azure AD, it allows the site and clients to use modern
authentication. Currently, Azure AD device authentication is enabled for all onboarded tenants, whether or not it
has devices. For example, you have a separate tenant with a subscription that you use for compute resources to
support a cloud management gateway. If there aren't users or devices associated with the tenant, disable Azure
AD authentication.
For more information, see Configure Azure services.
Validate internet access for the service connection point
If you use Desktop Analytics or tenant attach, the service connection point now checks important internet
endpoints. These checks help make sure that the cloud-connected services are available. It also helps you
troubleshoot issues by quickly determining if network connectivity is a problem.
For more information, see About the service connection point.

Desktop Analytics
For more information on the monthly changes to the Desktop Analytics cloud service, see What's new in
Desktop Analytics.
Support for new Windows 10 diagnostic data levels
Microsoft is increasing transparency by categorizing the diagnostic data that Windows 10 collects:
Basic diagnostic data is recategorized as Required
Full is recategorized as Optional
If you previously configured devices for Enhanced or Enhanced (Limited) , in an upcoming release of
Windows 10, they'll use the Required level. This change may impact the functionality of Desktop Analytics.
For more information, see Enable data sharing.
Support for Windows 10 Enterprise LTSC 2019
The Windows 10 long-term servicing channel (LTSC) was designed for devices where functionality and features
don't change over time. This servicing model prevents Windows 10 Enterprise LTSC devices from receiving the
usual feature updates. It provides only quality updates to make sure that device security stays up to date. Some
customers want to shift from LTSC to the semi-annual servicing channel, to have access to new features,
services, and other major changes. You can now use Configuration Manager to enroll LTSC devices to Desktop
Analytics. Once you enroll these devices, you can evaluate them in your deployment plans.
For more information, see Desktop Analytics prerequisites

Site infrastructure
Monitor scenario health
You can now use Configuration Manager to monitor the health of end-to-end scenarios. Monitoring scenario
health enhances awareness of system latency and component backlogs which are critical for cloud service-
attached features. Configuration Manager simulates activities to expose performance metrics and failure points.
These synthetic activities are similar to methods that Microsoft uses to monitor some components in its cloud
services. Use this additional data to better understand timeframes for activities. If failures occur, it can help focus
your investigation.
This release includes the following two scenarios:
SQL Server Service Broker: The service broker is a required configuration for the site database. Many
of the core subsystems in Configuration Manager use the service broker.
Client action health: Monitor the health of the fast channel used for client actions. If your environment
is tenant attached with devices uploaded, this feature helps you see potential issues with client actions
from the Microsoft Endpoint Manager admin center. You can also use this feature for on-premises client
actions. For example, CMPivot, run scripts, and device wake-up.
For more information, see Monitor scenario health.
Report setup and upgrade failures to Microsoft
If the setup or update process fails to complete successfully, you can now report the error directly to Microsoft. If
a failure occurs, the Report update error to Microsoft button is enabled. When you use the button, an
interactive wizard opens allowing you to provide more information to us. In technical previews, this button is
always enabled even when the setup completes successfully.
For more information, see Install in-console updates.
Delete Aged Collected Diagnostic Files task
You now have a new maintenance task available for cleaning up collected diagnostic files. Delete Aged
Collected Diagnostic Files uses a default value of 14 days when it looks for diagnostic files to clean up. This
task doesn't affect regular collected files. The new maintenance task is enabled by default.
For more information, see the following articles:
Client diagnostic section of the Client notification article
Reference for maintenance tasks in Configuration Manager.
Improvements to the administration service
The Configuration Manager REST API, the administration service, requires a secure HTTPS connection. With the
previous methods to enable HTTPS, enabling IIS on the SMS Provider was a prerequisite.
Starting in this release, you no longer need to enable IIS on the SMS Provider for the administration service.
When you enable the site for enhanced HTTP, it creates a self-signed certificate for the SMS Provider, and
automatically binds it without requiring IIS.
For more information, see Prerequisites for the administration service.
Improvements to the Azure migration tool
The tool to extend and migrate an on-premises site to Microsoft Azure now includes the following
improvements:
Support environments with virtual networks other than ExpressRoute
Support a hierarchy
Support a site with a collocated site database
For more information, see Extend and migrate on-premises site to Microsoft Azure.

Client management
Wake machine at deployment deadline using peer clients on the same remote subnet
Wake on LAN (WoL) has always posed a problem in complex, subnetted networks. Good networking best
practice reduces the size of broadcast domains to mitigate the risk of broadcast traffic adversely
affecting the network. The most common way of limiting network broadcast is to not route broadcast
packets between subnets. Another option is to enable subnet directed broadcasts, but most
organizations don't allow the magic packet to traverse internal routers.
In version 1810, the introduction of peer wake-up allowed an administrator to wake a device or collection of
devices on demand using the client notification channel, overcoming the need for the server to be in the same
broadcast domain as the client.
This latest improvement allows the Configuration Manager site to wake devices at the deadline of a deployment.
Instead of the site server issuing the magic packet directly, the site uses the client notification channel. It finds an
online machine in the last known subnet of the target device. It then instructs the online client to issue the WoL
packet for the target device.
For more information, see How to configure Wake on LAN.
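The magic packet and the broadcast-domain constraint described above, as an added example that is not part of the Configuration Manager documentation or product. The helper names are my own, and the MAC address in the usage block is constructed. The packet builder shows why a sender must be on the target's subnet (the packet is a broadcast), and the inspector lets you confirm, from a capture of what the peer client actually sent, that a wake that never happened at least targeted the right MAC:

```python
"""Construct and inspect Wake-on-LAN (WoL) magic packets.

Added example for the peer wake-up discussion; not code from the
Configuration Manager product or its documentation. A magic packet is a
UDP payload made of six 0xFF bytes followed by the target MAC address
repeated sixteen times. It is delivered by broadcast, which is why the
sender must sit in the target's broadcast domain: routers that do not
forward broadcasts never deliver it. Peer wake-up closes that gap by having
an online client on the target's subnet send the packet instead of the site
server.
"""
import re
import socket
from typing import Optional

SYNC_STREAM = b"\xff" * 6          # six 0xFF bytes open every magic packet
MAC_REPEATS = 16                   # the target MAC follows, repeated 16 times
MAGIC_LEN = len(SYNC_STREAM) + 6 * MAC_REPEATS   # 102 bytes in total

_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?"
    r"([0-9a-f]{2})[:-]?([0-9a-f]{2})[:-]?([0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF."""
    match = _MAC_RE.match(mac.strip())
    if not match:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in match.groups())


def format_mac(raw: bytes) -> str:
    """Render six raw bytes as lowercase colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet that wakes the device with this MAC."""
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS


def extract_magic_mac(payload: bytes) -> Optional[str]:
    """Return the MAC a UDP payload would wake, or None if it is not a magic packet.

    The sync stream may appear anywhere in the payload, so every occurrence is
    checked until one is followed by sixteen identical copies of a MAC.
    """
    start = payload.find(SYNC_STREAM)
    while start != -1:
        body = payload[start + len(SYNC_STREAM): start + MAGIC_LEN]
        if len(body) == 6 * MAC_REPEATS:
            mac = body[:6]
            if body == mac * MAC_REPEATS:
                return format_mac(mac)
        start = payload.find(SYNC_STREAM, start + 1)
    return None


def send_magic_packet(mac: str, broadcast_addr: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet to a broadcast address on UDP port 9 (port 7 is also common).

    The limited broadcast 255.255.255.255 only reaches the sender's own
    subnet, which is exactly the situation peer wake-up arranges. Returns the
    number of bytes sent.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast_addr, port))


if __name__ == "__main__":
    # Constructed sample MAC address; not a real device.
    sample = "00-11-22-33-44-55"
    pkt = build_magic_packet(sample)
    print(len(pkt), extract_magic_mac(pkt))   # 102 00:11:22:33:44:55
```

Sending is kept in its own function so the builder and inspector can be used offline, for example against the payload of a captured UDP datagram when verifying what a peer client emitted.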
Improved Windows Server restart experience for non-administrator accounts
By default, a low-rights user on a device that runs Windows Server isn't assigned the user right to
restart Windows. When you target a deployment to this device, this user can't manually restart. For example,
they can't restart Windows to install software updates.
Starting in this release, you can now control this behavior as needed. In the Computer Restart group of client
settings, enable the following setting: When a deployment requires a restart, allow low-rights users to
restart a device running Windows Server.
For more information, see Device restart notifications: Client settings.

Collections
Collection query preview
You can now preview the query results when you're creating or editing a query for collection membership.
Preview the query results from the query statement properties dialog. When you select Edit Query
Statement, select the green triangle on the query properties for the collection to show the Query Results
Preview window. Select Stop if you want to stop a long running query.
For more information, see Configure a query rule.
Collection evaluation view
We've integrated the functionality of Collection Evaluation Viewer into the Configuration Manager console. This
change provides administrators a central location to view and troubleshoot the collection evaluation process.
For more information, see Collection evaluation view.
View collection relationships
You can now view dependency relationships between collections in a graphical format. It shows limiting, include,
and exclude relationships.

If you want to change or delete collections, view the relationships to understand the impact of the proposed
change. Before you create a deployment, look at the potential target collection for any include or exclude
relationships that might affect the deployment.
For more information, see How to manage collections.

Application management
Improvements to available apps via CMG
An internet-based, domain-joined device that isn't joined to Azure Active Directory (Azure AD) and
communicates via a cloud management gateway (CMG) can now get apps deployed as available. The Active
Directory domain user of the device needs a matching Azure AD identity. When the user starts Software Center,
Windows prompts them to enter their Azure AD credentials. They can then see any available apps.
For more information, see Prerequisites to deploy user-available applications.

OS deployment
Deploy an OS over CMG using bootable media
Starting in current branch version 2006, the cloud management gateway (CMG) supported running a task
sequence with a boot image when you start it from Software Center. With this release, you can now use
bootable media to reimage internet-based devices that connect through a CMG. This scenario helps you better
support remote workers. If Windows won't start so that the user can access Software Center, you can now send
them a USB drive to reinstall Windows.
For more information on this scenario and other related scenarios, see the new article to Deploy a task sequence
over the internet.
Deploy a task sequence deployment type to a user collection
You can now deploy an application with a task sequence deployment type to a user-based collection. A user-
targeted deployment still runs in the context of the local System account.
For more information, see Task sequence deployment type.
Manage task sequence size
Large task sequences cause problems with client processing. To further help manage the size of task sequences,
this release continues to iterate on improvements.
Starting in this release, Configuration Manager restricts actions for a task sequence that's greater than 2
MB in size. For example, the task sequence editor displays an error if you try to save changes to a large
task sequence.
When you view the list of task sequences in the Configuration Manager console, add the Size (KB)
column. Use this column to identify large task sequences that can cause problems.
For more information, see Reduce the size of task sequence policy.
Analyze SetupDiag errors for feature updates
With the release of Windows 10, version 2004, the SetupDiag diagnostic tool is included with Windows Setup. If
there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure.
Configuration Manager now gathers and summarizes SetupDiag results from feature update deployments with
Windows 10 servicing.
For more information, see Manage Windows as a service.
Improvements to task sequence performance settings
Starting in Configuration Manager version 1910, to improve the overall speed of the task sequence, you could
activate the Windows power plan for High Performance. Starting in this release, you can now use this option
on devices with modern standby and other devices that don't have that default power plan.
For more information, see Performance improvements for power plans.

Protection
Improvements to BitLocker management
You can now manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG).
This change also provides support for BitLocker management via internet-based client management (IBCM).
There's no change to the setup process for BitLocker management. This improvement supports domain-joined
and hybrid domain-joined devices.
For more information, see Plan for BitLocker management.
Expanded Windows Defender Application Control management
Windows Defender Application Control enforces an explicit list of software allowed to run on devices. In this
release, we've expanded Windows Defender Application Control policies to support devices running Windows
Server 2019 or later.
For more information, see Windows Defender Application Control management with Configuration Manager.

Software updates
Enable user proxy for software update scans
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. By
default, a client that scans for updates against an HTTP-based WSUS can't use a user proxy. If you still require a
user proxy despite the security trade-offs, a new software updates client setting is available to allow these
connections. For more information about the changes for scanning WSUS, see September 2020 changes to
improve security for Windows devices scanning WSUS. To make sure that the best security protocols are in
place, use the TLS protocol. This protocol helps to secure your software update infrastructure.
For more information about enabling a proxy for software update scans, see Client settings for software
updates.
Notifications for devices no longer receiving updates
To help you manage security risk in your environment, you'll be notified in-console about devices with operating
systems that are past the end of support date. These devices may no longer receive security updates.
Additionally, a new Management Insights rule was added to detect Windows 7, Windows Server 2008, and
Windows Server 2008 R2 without Extended Security Updates (ESU).
For more information, see Management insights and Console notifications.
Immediate distribution point fallback for clients downloading software update delta content
There's a new client setting for software updates. If delta content is unavailable from distribution points in the
current boundary group, you can allow immediate fallback to a neighbor or the site default boundary group
distribution points. This setting is useful when using delta content for software updates since the timeout setting
per download job is five minutes.
For more information, see Client settings for software updates.

Configuration Manager console
Categorize Community hub content
Community hub content is grouped into a Microsoft, curated, or unreviewed category to allow admins to
choose the types of content their environment displays. Admins can choose from the different categories of
content that are provided in the Community hub to match their risk profile and their willingness to share and
use content from those outside Microsoft and outside their own company.
For more information, see Community hub.
Community hub on Windows Server operating systems
You can now display the Community hub on Windows Server operating systems. The Configuration Manager
console will notify you to install the console extension to enable Windows Server 2012 and later to load the
Community hub.
For more information, see Community hub.
Product feedback
The Configuration Manager console has a new wizard for sending feedback. The redesigned wizard improves
the workflow with better guidance about how to submit good feedback.

There's also a new status message query, Feedback sent to Microsoft. Use this query to easily find feedback
status messages.
For more information, see Product feedback.
Improvements to in-console notifications
You now have an updated look and feel for in-console notifications. Notifications are more readable and the
action link is easier to find. Additionally, the age of the notification is displayed to help you find the latest
information. If you dismiss or snooze a notification, that action is now persistent for your user across consoles.
For more information, see Improvements to Configuration Manager console notifications.
Improvements to the Configuration Manager console
You can now copy discovery data from devices and users in the console. Copy the details to the clipboard,
or export them all to a file. These new actions make it easier for you to quickly get this data from the
console. For example, copy the MAC address of a device before you reimage it.
Various areas in the Configuration Manager console now use the fixed-width font Consolas. This font
provides consistent spacing and makes it easier to read.
You now have an easier way to view status messages for objects. Select an object in the Configuration
Manager console, and then select Show Status Messages from the ribbon.
Now when you import an object in the Configuration Manager console, it imports to the current folder.
Previously, Configuration Manager always put imported objects in the root node. This new behavior
applies to applications, packages, driver packages, and task sequences.
To assist you when creating scripts and queries in the Configuration Manager console, you'll now see
syntax highlighting and code folding, where available.
For more information, see Configuration Manager console changes and tips.

Content management
Improvements to client data sources dashboard
The client data sources dashboard now offers an expanded selection of filters to view information about where
clients get content. These new filters include:
Single boundary group
All boundary groups
Internet clients
Clients not associated with a boundary group
The dashboard also includes a new tile for Content downloads using fallback source. This information
helps you understand how often clients download content from an alternate source.

For more information, see Monitor content: Client Data Sources dashboard.
Improvements to the content library cleanup tool
If you remove content from a distribution point while the site system is offline, an orphaned record can exist in
WMI. Over time, this behavior can eventually lead to a warning status on the distribution point. To mitigate the
issue in the past, you had to manually remove the orphaned entries from WMI. The content library cleanup tool
in delete mode can now remove these orphaned content records from WMI.
For more information, see the Content library cleanup tool.

PowerShell
Update PowerShell help
You can now use the Update-Help cmdlet to get the latest information for the Configuration Manager
PowerShell module. This content is the same as what's published on docs.microsoft.com for the
ConfigurationManager module.
For more information, see Configuration Manager PowerShell cmdlets: Update help.

WARNING
Because of a change in how the updateable content is structured and published with the release of version 2103, don't
use Update-Help on a version 2010 site. Update the site to version 2103, and then update the local help content.
For more information, see PowerShell version 2103 release notes.

Support for PowerShell version 7
The Configuration Manager PowerShell cmdlet library now offers support for PowerShell 7. For more
information, see Get started with Configuration Manager cmdlets.
Improvements to cloud management gateway cmdlets
With more customers managing remote devices now, this release includes several new and improved Windows
PowerShell cmdlets for the cloud management gateway (CMG). You can use these cmdlets to automate the
creation, configuration, and management of the CMG service and Azure Active Directory (Azure AD)
requirements.
For more information, see Configuration Manager version 2010 PowerShell release notes.

Deprecated features
Learn about support changes before they're implemented in removed and deprecated items.
The following features are now deprecated:
The collection evaluation viewer
Connector for Azure Monitor

Other updates
For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see version
2010 release notes.
Aside from new features, this release also includes additional changes such as bug fixes. For more information,
see Summary of changes in Configuration Manager current branch, version 2010.
Hotfixes
The following additional hotfixes are available to address specific issues:
ID | Title | Date | In-console
4594177 | Client notifications sent to all collection members in Configuration Manager current branch, version 2010 | January 12, 2021 | Yes
4600089 | Update Rollup for Microsoft Endpoint Configuration Manager current branch, version 2010 | March 8, 2021 | Yes
Next steps
As of December 11, 2020, version 2010 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for
installing update 2010.

TIP
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
Installing new sites
Baseline and update versions

For known significant issues, see the Release notes.


After you update a site, also review the Post-update checklist.
What's new in version 2006 of Configuration
Manager current branch
2/16/2022 • 16 minutes to read

Applies to: Configuration Manager (current branch)


Update 2006 for Configuration Manager current branch is available as an in-console update. Apply this update
on sites that run version 1810 or later. This article summarizes the changes and new features in Configuration
Manager, version 2006.
Always review the latest checklist for installing this update. For more information, see Checklist for installing
update 2006. After you update a site, also review the Post-update checklist.
To take full advantage of new Configuration Manager features, after you update the site, also update clients to
the latest version. While new functionality appears in the Configuration Manager console when you update the
site and console, the complete scenario isn't functional until the client version is also the latest.

Microsoft Endpoint Manager tenant attach
Scripts from the admin center
Bring the power of the Configuration Manager on-premises Run scripts feature to the Microsoft Endpoint
Manager admin center. Allow additional personas, like Helpdesk, to run PowerShell scripts from the cloud
against an individual Configuration Manager managed device in real time. This gives all the traditional benefits
of PowerShell scripts that have already been defined and approved by the Configuration Manager admin to this
new environment. For more information, see Tenant attach: Scripts from the admin center.
Device timeline in the admin center
When Configuration Manager synchronizes a device to Microsoft Endpoint Manager through tenant attach,
you'll be able to see a timeline of events. This timeline shows past activity on the device that can help you
troubleshoot problems. For more information, see Tenant attach: Device timeline in the admin center.
Resource explorer in the admin center
From the Microsoft Endpoint Management admin center, you can view hardware inventory for uploaded
Configuration Manager devices by using resource explorer. For more information, see Tenant attach: Resource
explorer in the admin center.
CMPivot from the admin center
Bring the power of CMPivot to the Microsoft Endpoint Manager admin center. Allow additional personas, like
Helpdesk, to be able to initiate real-time queries from the cloud against an individual ConfigMgr managed
device and return the results back to the admin center. This gives all the traditional benefits of CMPivot, which
allows IT Admins and other designated personas the ability to quickly assess the state of devices in their
environment and take action.
For more information about CMPivot from the admin center, see Tenant attach: Launch CMPivot from the admin
center, CMPivot overview, and CMPivot sample scripts.
Microsoft Defender Antivirus policies in the Microsoft Endpoint Manager admin center
You can now create Microsoft Defender antivirus policies in the Microsoft Endpoint Manager console and deploy
them to Configuration Manager collections. For more information including detailed instructions and available
settings, see the following articles:
Tenant attach: Onboard Configuration Manager clients to Microsoft Defender for Endpoint from the admin
center (preview)
Tenant attach: Deploy endpoint security Antivirus policy from the admin center (preview)
Settings for Microsoft Defender Antivirus policy for tenant attached devices in Microsoft Intune.
Settings for Windows Security experience Antivirus policy for tenant attached devices
Install applications from the admin center
You can initiate an application install in real time for a tenant attached device from the Microsoft Endpoint
Manager admin center. Starting with Configuration Manager version 2006, the list of applications available for
the device also includes applications deployed to the device's currently logged on user. For more information,
see Tenant attach: Install an application from the admin center.
Import previously created Azure AD application during tenant attach onboarding
During a new onboarding, an administrator can specify a previously created application during onboarding to
tenant attach. For more information, see Microsoft Endpoint Manager tenant attach: Device sync and device
actions.

Endpoint analytics
Endpoint analytics data collection enabled by default
The Enable Endpoint analytics data collection client setting is now enabled by default. This setting allows
your managed endpoints to send data, such as startup performance insights, to your Configuration Manager
site server. This change affects local data collection only. Endpoint analytics data isn't uploaded to the Microsoft
Endpoint Manager admin center until you enable data upload in Configuration Manager. The new default value
applies to the default client settings and any custom client settings created after upgrading to version 2006.
If you're upgrading from version 2002 to version 2006, existing custom client settings values are retained.
The default value for Enable Endpoint analytics data collection in Configuration Manager version 2002
is No.
If you're upgrading to version 2006 from Configuration Manager version 1910 or prior, any pre-existing
custom client settings that contain the Computer Agent group of settings inherit the new default of Yes
for Enable Endpoint analytics data collection.
For more information, see Configure Endpoint analytics data collection in Configuration Manager.

Site infrastructure
VPN boundary type
To simplify managing remote clients, you can now create a new boundary type for VPNs. Previously, you had to
create boundaries for VPN clients based on the IP address or subnet. This configuration could be challenging or
not possible because of the subnet configuration or the VPN design.
Now when a client sends a location request, it includes additional information about its network configuration.
Based on this information, the server determines whether the client is on a VPN.
For more information, see Define boundaries.
Management insights to optimize for remote workers
This release adds a new group of management insights, Optimize for remote workers. These insights help
you create better experiences for remote workers and reduce load on your infrastructure. The insights in this
release primarily focus on VPN:
Define VPN boundary groups
Configure VPN connected clients to prefer cloud based content sources
Disable peer to peer content sharing for VPN connected clients
For more information, see Management insights.
Improved support for Azure Virtual Desktop
The Windows 10 Enterprise multi-session platform is available in the list of supported OS versions on
objects with requirement rules or applicability lists.
For more information on Configuration Manager's support for Azure Virtual Desktop, see Supported OS
versions for clients and devices.
Intranet clients can use a CMG software update point
Intranet clients can now access a CMG software update point when it's assigned to a boundary group. For more
information, see Configure boundary groups.

Cloud-attached management
Use the Company Portal app on co-managed devices
The Company Portal is now the cross-platform app portal experience for Microsoft Endpoint Manager. By
configuring co-managed devices to also use the Company Portal, you can provide a consistent user experience
on all devices.
For more information, see Use the Company Portal app on co-managed devices.
Use Microsoft Azure China 21Vianet for co-management
You can now select the Azure China Cloud as your Azure environment when enabling co-management. For
more information, see How to enable co-management.
Notification for Azure AD app secret key expiration
If you configure Azure services to cloud-attach your site, the Configuration Manager console now displays
notifications for the following circumstances:
One or more Azure AD app secret keys will expire soon
One or more Azure AD app secret keys have expired
For more information, see Renew secret key.
Desktop Analytics
For more information on the monthly changes to the Desktop Analytics cloud service, see What's new in
Desktop Analytics.
Change to diagnostic data labels
To better align with the Desktop Analytics requirements for Windows diagnostic data, these settings have new
labels:

Version 2006 and later | Version 2002 and earlier
Required | Basic
Optional (limited) | Enhanced (Limited)
N/A | Enhanced
Optional | Full

If you previously configured any devices at the Enhanced level, when you upgrade to version 2006, they'll
revert to Optional (limited). They will then send less data to Microsoft. This change shouldn't impact what you
see in Desktop Analytics.
For more information, see Enable data sharing for Desktop Analytics.

Real-time management
Improvements to CMPivot
The following improvements have been made in CMPivot:
CMPivot from the console and CMPivot standalone have been converged
Run CMPivot from an individual device or multiple devices without having to select or create a collection
From CMPivot query results, you can select an individual device or multiple devices then launch a separate
CMPivot instance scoped to your selection.
For more information, see CMPivot starting in version 2006.

Client management
Install and upgrade the client on a metered connection
Previously, if the device was connected to a metered network, new clients wouldn't install. Existing clients only
upgraded if you allowed all client communication. For devices that are frequently roaming on a metered
network, they would be unmanaged or on an older client version. Starting in this release, you can install and
upgrade the client when you set the client setting Client communication on metered internet
connections to Allow or Limit. With this setting, you can allow the client to stay current, but still manage the
client communication on a metered network.
To define the behavior for a new client installation, there's a new ccmsetup parameter /AllowMetered. When
you allow client communication on a metered network for ccmsetup, it downloads the content, registers with
the site, and downloads the initial policy. Any further client communication follows the configuration of the
client setting from that policy.
For more information, see the following articles:
About client settings
About client installation parameters and properties
Improvements to managing device restarts
Configuration Manager provides many options to manage device restarts and restart notifications. You can now
configure a client setting to prevent devices from automatically restarting when a deployment requires it. This
setting gives you more control in unique situations. By default, the client setting Configuration Manager can
force a device to restart is enabled, so Configuration Manager can still force devices to restart. This setting
only applies to application, software update, and package deployments that require a restart.
For more information, see device restart notifications.

Application management
Improvements to available apps via CMG
This release fixes an issue with Software Center and Azure Active Directory (Azure AD) authentication. For a
client detected as on the intranet but communicating via the cloud management gateway (CMG), previously
Software Center would use Windows authentication. When it tried to get the list of user-available apps, it would
fail. It now uses Azure Active Directory (Azure AD) identity for devices joined to Azure AD. These devices can be
cloud-joined or hybrid-joined.
For more information, see Prerequisites to deploy user-available apps.
Microsoft 365 Apps for enterprise
Office 365 ProPlus was renamed to Microsoft 365 Apps for enterprise on April 21, 2020. Starting in version
2006, the following changes have been made:
The Configuration Manager console has been updated to use the new name.
This change also includes update channel names for Microsoft 365 Apps.
A banner notification was added to the console to notify you if one or more automatic deployment rules
reference obsolete channel names in the Title criteria for Microsoft 365 Apps updates.
For more information, see Microsoft 365 Apps channel names and Microsoft 365 Apps readiness dashboard.

OS deployment
Task sequence media support for cloud-based content
Task sequence media can now download cloud-based content. For example, you send a USB key to a user at a
remote office to reimage their device. Or an office that has a local PXE server, but you want devices to prioritize
cloud services as much as possible. Instead of further taxing the WAN to download large OS deployment
content, boot media and PXE deployments can now get content from cloud-based sources. For example, a cloud
management gateway (CMG) that you enable to share content.

NOTE
The device still needs an intranet connection to the management point.

For more information, see Bootable media support for cloud-based content.
Improvements to task sequences via CMG
This release includes the following improvements to deploy task sequences to devices that communicate via a
cloud management gateway (CMG):
Support for OS deployment: With a task sequence that uses a boot image to deploy an OS, you can
deploy it to a device that communicates via CMG. The user needs to start the task sequence from
Software Center. For more information, see Supported configurations for CMG.
This release fixes the two known issues from Configuration Manager current branch version 2002. You
can now run a task sequence on a device that communicates via CMG in the following circumstances:
A workgroup device that you register with a bulk registration token
You configure the site for Enhanced HTTP and the management point is HTTP
Improvements to BitLocker task sequence steps
You can now specify the disk encryption mode on the Enable BitLocker and Pre-provision BitLocker task
sequence steps. By default, the steps continue to use the default encryption method for the OS version.
The Enable BitLocker step also now includes a setting to Skip this step for computers that do not have a
TPM or when TPM is not enabled. When you enable this setting, the step logs an error on a device without a
TPM or a TPM that doesn't initialize, and the task sequence continues. This setting makes it easier to manage the
task sequence behavior on devices that can't fully support BitLocker.
For more information, see Task sequence steps.
Management insight rules for OS deployment
When the size of the task sequence policy exceeds 32 MB, the client fails to process the large policy. The client
then fails to run the task sequence deployment. To help you manage the policy size of task sequences, this
release includes the following management insights:
Large task sequences may contribute to exceeding maximum policy size
Total policy size for task sequences exceeds policy limit

TIP
These rules are in a new group for Operating System Deployment. The existing rule for Unused boot images is
now in this group too.

For more information, see management insight.


Improvements to OS deployment
This release includes the following additional improvements to OS deployment:
Use a task sequence variable to specify the target of the Format and Partition Disk step. This new variable
option supports more complex task sequences with dynamic behaviors. For example, a custom script can
detect the disk and set the variable based on the hardware type. Then you can use multiple instances of
this step to configure different hardware types and partitions.
The Check Readiness step now includes a check to determine if the device uses UEFI. It also includes a
new read-only task sequence variable, _TS_CRUEFI.
If you enable the task sequence progress window to show more detailed progress information, it now
doesn't count enabled steps in a disabled group. This change helps make the progress estimate more
precise.
Previously, during a task sequence to upgrade a device to Windows 10, a command prompt window
opened during one of the final Windows configuration phases. The window was on top of the Windows
out-of-box experience (OOBE), and users could interact with it to disrupt the upgrade process. Now the
SetupCompleteTemplate.cmd and SetupRollbackTemplate.cmd scripts from Configuration Manager
include a change to hide this command prompt window.
Some customers build custom task sequence interfaces using the IProgressUI::ShowMessage method,
but it doesn't return a value for the user's response. This release adds the IProgressUI::ShowMessageEx
method. This new method is similar to the existing method, but also includes a new integer result
variable, pResult.

Protection
CMG support for endpoint protection policies
While the cloud management gateway (CMG) has supported endpoint protection policies, devices required
access to on-premises domain controllers. Starting in this release, clients that communicate via a CMG can
immediately apply endpoint protection policies without an active connection to Active Directory.
For more information, see Supported configurations for CMG.
BitLocker management support for hierarchies
You can now install the BitLocker self-service portal and the administration and monitoring website at the
central administration site.
For more information, see Set up BitLocker portals.

Configuration Manager console


Community hub and GitHub
(First introduced in June 2020)
The IT admin community has developed a wealth of knowledge over the years. Rather than reinventing items
like scripts and reports from scratch, we've built a Configuration Manager Community hub where you can
share with each other. By leveraging the work of others, you can save hours of work. The Community hub
fosters creativity by building on others' work and having other people build on yours. GitHub already has
industry-wide processes and tools built for sharing. Now, the Community hub will leverage those tools directly
in the Configuration Manager console as foundational pieces for driving this new community. For the initial
release, the content made available in the Community hub will be uploaded only by Microsoft.
For more information, see Community hub and GitHub.
Direct links to Community hub items
You can easily navigate to and reference items in the Configuration Manager console Community hub node with
a direct link. For more information, see Direct links to Community hub items.
Notifications from Microsoft
You can now choose to receive notifications from Microsoft in the Configuration Manager console. These
notifications help you stay informed about new or updated features, changes to Configuration Manager and
attached services, and issues that require action to remediate.
For more information, see Configure a site to receive messages from Microsoft.
Power BI sample reports
(First introduced in June 2020)
When you integrate Power BI Report Server with Configuration Manager reporting, there are now sample
Power BI reports available. Download and install the following sample reports:
Software Update Compliance Status
Software Update Deployment Status
For more information, see Install Power BI sample reports.

Deprecated operating systems


Learn about support changes before they're implemented in removed and deprecated items.
As first announced in version 1906, version 2006 drops support for the following client OS versions:
Windows CE 7.0
Windows 10 Mobile
Windows 10 Mobile Enterprise

Other updates
For more information on changes to the Windows PowerShell cmdlets for Configuration Manager, see
PowerShell version 2006 release notes.
For more information on changes to the administration service REST API, see Administration service release
notes.
Aside from new features, this release also includes additional changes such as bug fixes. For more information,
see Summary of changes in Configuration Manager current branch, version 2006.
The following revised update rollup (4575789) is available in the console starting on November 30, 2020:
Revised update rollup for Microsoft Endpoint Configuration Manager current branch, version 2006.
Note this revision supersedes the original release of KB 4578605 Update rollup for Microsoft Endpoint
Configuration Manager version 2006.
Hotfixes
The following additional hotfixes are available to address specific issues:

ID | Title | Date | In-console
4580678 | Tenant attach rollup for Configuration Manager current branch, version 2006 | September 18, 2020 | Yes
4584759 | Clients report Desktop Analytics configuration errors in Configuration Manager, version 2006 | October 2, 2020 | Yes
4575786 | Configuration Manager console terminates unexpectedly on Configuration Manager current branch, version 2006 | November 12, 2020 | Yes
4575787 | Co-management enrollment takes longer than expected for Configuration Manager clients | November 12, 2020 | No
4575785 | November 2020 Update for Asset Intelligence authentication certificate in Configuration Manager | November 18, 2020 | No
4575790 | Client setup is unable to download contents from a cloud distribution point in Configuration Manager current branch, version 2006 | November 20, 2020 | Yes

Next steps
As of August 31, 2020, version 2006 is globally available for all customers to install.
When you're ready to install this version, see Installing updates for Configuration Manager and Checklist for
installing update 2006.
TIP
To install a new site, use a baseline version of Configuration Manager.
Learn more about:
Installing new sites
Baseline and update versions

For known significant issues, see the Release notes.


After you update a site, also review the Post-update checklist.
What's changed from System Center 2012
Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


The current branch of Configuration Manager introduces important changes from System Center 2012
Configuration Manager. This article identifies significant changes and new capabilities found in the original
baseline version 1511 of Configuration Manager current branch. To learn about changes introduced in recent
updates for Configuration Manager, see What's new in Configuration Manager incremental versions.

NOTE
Since October 2019, Configuration Manager is part of Microsoft Endpoint Manager. For more information, see Microsoft
Endpoint Configuration Manager FAQ.

The December 2015 release (version 1511) of Configuration Manager was the initial release of the current
Configuration Manager product from Microsoft. It's typically referred to as Configuration Manager current
branch. Current branch indicates this version supports incremental updates to the product. It also provides a
way to distinguish between this release and previous releases of Configuration Manager.
Configuration Manager current branch:
Doesn't use a year or product identifier in the product name, unlike past versions such as Configuration
Manager 2007 or System Center 2012 Configuration Manager.
Supports incremental, in-product updates, also called update versions. The initial release was version
1511. Later versions are released several times a year as in-console updates, like version 1910.
Is installed using a baseline version. While 1511 was the original baseline version, new baseline versions
are also released from time to time, like 2103. Baseline versions can be used to install a new
Configuration Manager site and hierarchy, or to upgrade from a supported version of System Center
2012 Configuration Manager.

In-console updates
Configuration Manager uses an in-console service method called Updates and Servicing that makes it easy
to locate and install recommended updates.
Some versions are only available as updates for existing sites from within the Configuration Manager console.
You can't use these updates to install a new Configuration Manager site. For example, the 1910 update is only
available from within the Configuration Manager console. It's used to update a site that already runs a
supported version of Configuration Manager.
Periodically, an update version is also released as a new baseline version. For example, update version 2103 is
also a baseline. Use a baseline version to install a new site or hierarchy. Don't start with an older baseline
version like 2002, and upgrade your way to the most current version. Always use the latest baseline.
For more information, see the following articles:
Updates for Configuration Manager
Baseline and update versions
Service connection point
Configuration Manager current branch includes a new site system role, the service connection point:
A point of contact for many cloud-enabled features
Downloads updates for your site
Uploads diagnostics and usage data about your site to the Microsoft cloud
This site system role supports both online and offline modes of operation. For more information, see About the
service connection point.

Diagnostics and usage data


Configuration Manager collects diagnostics and usage data about your sites and infrastructure. This information
is compiled and submitted to the Microsoft cloud service by the service connection point. Configuration
Manager requires this data to download updates that are applicable for your environment. When you set up the
service connection point, you can specify both the level of data that it collects and whether it submits the data
automatically (online) or manually (offline).
For more information, see Diagnostics and usage data.

Deprecated functionality
Some features, like native support for Intel Active Management Technology (AMT)-based computers, are
removed from the Configuration Manager console. Other features, like Network Access Protection, are removed
entirely. Additionally, some older Microsoft products like Windows Vista, Windows Server 2008, and SQL Server
2008 are no longer supported.
For a list of deprecated features, see Removed and deprecated items.
For details about supported products, operating systems, and configurations, see Supported configurations.
Support for Intel Active Management Technology (AMT)
Configuration Manager current branch removes native support for AMT-based computers from within the
Configuration Manager console. AMT-based computers remain fully managed when you use the Intel SCS Add-
on for Microsoft Configuration Manager. The add-on provides you access to the latest capabilities to manage
AMT, while removing limitations introduced until Configuration Manager could incorporate those changes.
The removal of integrated AMT for Configuration Manager includes out-of-band management. The out-of-band
management point site system role is no longer available.

NOTE
This change doesn't affect out-of-band management in System Center 2012 Configuration Manager.

Changes in functionality
The following sections summarize some of the significant changes in feature areas between System Center
2012 R2 Configuration Manager and version 1511 of Configuration Manager current branch. For
more information on more recent changes in functionality, see What's new in incremental versions.
Client deployment
Configuration Manager introduces a new feature for testing new versions of the Configuration Manager client
before upgrading the rest of the site with the new software. You can set up a pre-production collection in which to
pilot a new client. Once you're satisfied with the new client software in pre-production, you can promote the
client to automatically upgrade the rest of the site with the new version.
For more information on how to test clients, see How to test client upgrades in a pre-production collection.
OS deployment
Be aware of the following changes to OS deployment:
In the Create Task Sequence Wizard, a new task sequence type is available: Upgrade an operating
system from upgrade package. It creates the steps to upgrade computers from an earlier version of
Windows to Windows 10 or later. For more information, see Upgrade Windows to the latest version.
Windows PE peer cache is now available when you deploy operating systems. Computers that run a task
sequence to deploy an OS can use Windows PE peer cache to obtain content from a peer cache source,
instead of downloading content from a distribution point. This behavior helps minimize WAN traffic in
branch office scenarios where there's no local distribution point. For more information, see Prepare
Windows PE peer cache to reduce WAN traffic.
You can now view the state of Windows as a service in your environment. You can also create servicing
plans to form deployment rings, and make sure that Windows 10 or later computers are kept up to date
when new builds are released. Additionally, you can view alerts when Windows clients are near the end of
support for their build. For more information, see Manage Windows as a service.
Application management
Be aware of the following changes to application management:
Configuration Manager lets you deploy Universal Windows Platform (UWP) apps for devices running
Windows 10 and later. For more information, see Creating Windows applications.
Software Center has a new, modern look. User-available apps that previously only appeared in the
application catalog now appear in Software Center under the Applications tab. This behavior makes these
deployments more discoverable, and makes it unnecessary for users to refer to the separate application
catalog. Additionally, a Silverlight-enabled browser is no longer required. For more information, see Plan
for and configure application management.
The new Windows Installer through MDM application type lets you create and deploy Windows Installer-
based apps to enrolled PCs that run Windows 10 or later. For more information, see Creating Windows
applications.
In Configuration Manager 2012, to specify a link to an app in the Windows Store, you could either specify
the link directly, or browse to a remote computer that had the app installed. In Configuration Manager
current branch, you can still enter the link directly, but now, instead of browsing to a reference computer,
you can browse the store for the app directly from the Configuration Manager console.
Software updates
Be aware of the following changes to software updates:
Configuration Manager can now detect the difference between software update management methods
for computers. Specifically, it can differentiate between a Windows computer that connects to Windows
Update for Business (WUfB), and a computer connected to WSUS. The UseWUServer attribute is new,
and specifies whether the computer is managed with WUfB. You can use this setting in a collection to
remove these computers from software update management. For more information, see Integration with
Windows Update for Business.
You can now schedule and run the WSUS clean-up task from the Configuration Manager console. In
Software Update Point Component properties, when you select to run the WSUS clean-up task, it
runs at the next software updates synchronization. The expired software updates are set to a status of
declined on the WSUS server, and the Windows Update Agent on computers no longer scans these
software updates. For more information, see Schedule and run the WSUS clean up task.
Compliance settings
Be aware of the following changes to compliance settings:
Configuration Manager improves the workflow for creating configuration items. Now, when you create a
configuration item, and select supported platforms, only the settings relevant to that platform are
available. See Get started with compliance settings.
The Create Configuration Item wizard now makes it easier to choose the configuration item type you
want to create. Additionally, new and updated configuration items are available for:
Windows 10 or later devices managed with the Configuration Manager client
Mac OS X devices managed with the Configuration Manager client
Windows desktop and server computers managed with the Configuration Manager client
Windows 8.1 and Windows 10 or later devices managed without the Configuration Manager client
For more information, see How to create configuration items.
Support for managing settings on macOS X computers that are managed without the Configuration
Manager client.
On-premises mobile device management
You can now manage mobile devices by using on-premises Configuration Manager infrastructure. All device and
management data is handled on-premises and isn't part of Microsoft Intune or other cloud services. This type
of device management doesn't require client software. Configuration Manager manages devices with
functionality that's built into the device OS.
For more information, see Manage mobile devices with on-premises infrastructure.

Next steps
What's new in incremental versions
Removed and deprecated items for Configuration
Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article describes how to use the information about features, products, and operating systems that are
removed from support for Configuration Manager. Items that are deprecated will be removed in a future update.
These articles provide early notice about future changes that might affect your use of Configuration Manager.
This information is subject to change with future releases, and might not include each deprecated feature,
product, or OS.

How to use this information


When a feature, product, or OS is first listed as deprecated, support for using it with Configuration Manager is
scheduled to be removed in a future update. This information is provided to help you plan for alternatives to
using that feature, product, or OS. When the first version of Configuration Manager releases in which that
support is removed, this article is updated to indicate that specific version.

NOTE
Unless noted otherwise, a feature, product, or OS that's deprecated in Configuration Manager typically continues to be
fully supported, available, and usable.

When support is removed for a feature or OS, the feature or OS remains supported when you use a previous
version of Configuration Manager, as long as that version of Configuration Manager remains in support.
However, when you use a version of Configuration Manager released after the date or version indicated, that
version of Configuration Manager doesn't provide support.
For example, if a feature was scheduled to have its support removed with the first update released after
September 2019, support for that feature would no longer be included in update 1910, which released in
November of 2019.
With Update 1910, the feature is no longer supported.
The article is updated to indicate support was removed with version 1910.
However, if you continue to use an earlier version that supports the feature, like version 1906, you can continue
to use that feature until the version you use drops out of support.
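The rule in this section, worked through as an added example that is not Microsoft's code: it classifies the "Support removed" cells used in the tables on this page (a version number, a calendar date, "The first release after <date>", or TBD) and decides whether a given site version still has support. It assumes YYMM version numbers and treats a version as a release after any date in or before the month its number names, which matches the article's 1910 example; the sample rows are constructed from this page.

```python
# Added example (not Microsoft's code): applies this article's support-removal rule
# to "Support removed" cells as they appear in the removed-and-deprecated tables.
# Assumptions: version numbers use the YYMM scheme (1910 = October 2019), and a
# version whose number names month M counts as a release after any date in or
# before month M (the article's own example: 1910 is the first update after
# September 2019). No other release calendar is assumed.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

MONTHS = {name: num for num, name in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}


def version_month(version: str) -> date:
    """'1910' -> 2019-10-01. Rejects anything that is not a four-digit YYMM string."""
    if not re.fullmatch(r"\d{4}", version):
        raise ValueError(f"not a YYMM version number: {version!r}")
    yy, mm = int(version[:2]), int(version[2:])
    if not 1 <= mm <= 12:
        raise ValueError(f"month out of range in version {version!r}")
    return date(2000 + yy, mm, 1)


def parse_doc_date(text: str) -> date:
    """Parse the date styles the tables use: 'September 2019' or 'March 1, 2022'."""
    m = re.fullmatch(r"([A-Z][a-z]+)(?: (\d{1,2}),)? (\d{4})", text.strip())
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"unrecognised date: {text!r}")
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2) or 1))


@dataclass(frozen=True)
class Removal:
    kind: str                    # "version", "after", "date" or "tbd"
    version: str | None = None   # set for kind == "version"
    when: date | None = None     # set for kind == "after" and kind == "date"


def parse_support_removed(cell: str) -> Removal:
    """Classify a 'Support removed' cell into one of the four forms the tables use."""
    cell = " ".join(cell.split())          # collapse whitespace from wrapped cells
    if cell.upper().startswith("TBD"):     # 'TBD' or 'TBD (Note 1)'
        return Removal("tbd")
    if m := re.fullmatch(r"Version (\d{4})", cell):
        return Removal("version", version=m.group(1))
    if m := re.fullmatch(r"The first release after (.+)", cell):
        return Removal("after", when=parse_doc_date(m.group(1)))
    return Removal("date", when=parse_doc_date(cell))


def support_removed(cell: str, site_version: str, today: str | None = None) -> bool | None:
    """True if a site on site_version no longer has support for the feature, False if
    support continues, None if the removal date is still TBD. today is an ISO date
    ('YYYY-MM-DD') and only matters for calendar-date removals, which apply to every
    version from that date on."""
    removal = parse_support_removed(cell)
    version_month(site_version)            # validate the version number early
    if removal.kind == "tbd":
        return None
    if removal.kind == "version":
        # Four-digit YYMM strings sort chronologically, so plain comparison works.
        return site_version >= removal.version
    if removal.kind == "after":
        # First release after D: any version named for D's month or a later month.
        return version_month(site_version) >= removal.when.replace(day=1)
    now = date.fromisoformat(today) if today else date.today()
    return now > removal.when


# Constructed sample rows taken from this page's tables: (feature, support removed).
SAMPLE_ROWS = [
    ("Sites that allow HTTP client communication", "The first release after November 1, 2022"),
    ("Older style of console extensions", "TBD (Note 1)"),
    ("Log Analytics connector for Azure Monitor", "Version 2107"),
    ("Azure AD Graph API and ADAL", "June 30, 2022"),
]


def removed_features(rows, site_version: str, today: str | None = None) -> list[str]:
    """Names of the features in rows whose support is gone for site_version."""
    return [name for name, cell in rows
            if support_removed(cell, site_version, today) is True]


if __name__ == "__main__":
    # The article's example: a removal 'after September 2019' lands in update 1910.
    print(support_removed("The first release after September 2019", "1910"))   # True
    print(removed_features(SAMPLE_ROWS, "2107", today="2022-07-01"))
```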

See also
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager

Next steps
Items that are removed or deprecated are split into three categories:
Removed and deprecated features
Removed and deprecated items for site servers
Removed and deprecated items for clients
Removed and deprecated features for
Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


This article lists the features that are deprecated or removed from support for Configuration Manager.
Deprecated features will be removed in a future update. These future changes might affect your use of
Configuration Manager.
This information is subject to change with future releases. It might not include each deprecated Configuration
Manager feature.

Deprecated features
The following features are deprecated. You can still use them now, but Microsoft plans to end support in the
future.

Feature | Deprecation first announced | Support removed
The Configuration Manager client for macOS and Mac client management. For more information, see Supported clients: Mac computers. Migrate management of macOS devices to Microsoft Intune. For more information, see Deployment guide: Manage macOS devices in Microsoft Intune. | January 2022 | December 31, 2022
The site system roles for on-premises MDM and macOS clients: enrollment proxy point and enrollment point. | January 2022 | December 31, 2022
The Microsoft Store for Business and Education. For more information, see Manage apps from the Microsoft Store for Business and Education with Configuration Manager. | November 2021 | The first release after March 1, 2023
Asset intelligence. For more information, see Introduction to asset intelligence. | November 2021 | The first release after November 1, 2022
On-premises MDM. For more information, see On-premises MDM in Configuration Manager. | November 2021 | The first release after November 1, 2022
Desktop Analytics. For more information, see What's new in Desktop Analytics. | November 2021 | November 30, 2022
The ability to deploy a cloud management gateway (CMG) as a cloud service (classic). All CMG deployments should use a virtual machine scale set. | September 2021 | The first release after March 1, 2022
Azure Active Directory (Azure AD) Graph API and Azure AD Authentication Library (ADAL), which is used by Configuration Manager for some cloud-attached scenarios. If you use cloud-attached features such as co-management, tenant attach, or Azure AD discovery, starting June 30, 2022, these features may not work correctly in Configuration Manager version 2107 or earlier. Stay current with Configuration Manager to make sure these features continue to work. For more information, see CMG FAQ. | July 2021 | June 30, 2022
The BitLocker management implementation for the recovery service has changed. The legacy MBAM-based service is replaced by the messaging processing engine on the management point. | March 2021 | The first release after May 2022
Desktop Analytics data for Windows 7, Windows 8, and earlier versions of Windows 10 that don't support the Windows diagnostic data processor configuration. | July 2021 | January 31, 2022
Older style of console extensions that haven't been approved in the Console Extension node will no longer be supported. For more information about new console extensions, see Manage console extensions. | April 2021 | TBD (Note 1)
The following compliance settings for Company resource access: certificate profiles, VPN profiles, Wi-Fi profiles, Windows Hello for Business settings, and email profiles. This deprecation includes the co-management resource access workload. Use Microsoft Intune to deploy resource access profiles. | March 2021 | The first release after March 1, 2022
Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP. | March 2021 | The first release after November 1, 2022
The geographical view in the Site Hierarchy node of the Monitoring workspace in the Configuration Manager console. | August 2020 | TBD
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway. Starting in version 2107, you can't create a traditional cloud distribution point. | February 2019 | The first release after October 5, 2022
Cloud management gateway and cloud distribution point deployments with Azure Service Manager using a management certificate. For more information, see Plan for CMG. | November 2018 | The first release after October 5, 2022

Note 1: Support removed TBD


The specific timeframe is to be determined (TBD). Microsoft recommends that you change to the new process or
feature, but you can continue to use the deprecated process or feature for the near future.

Unsupported and removed features


The following features are no longer supported. In some cases, they're no longer in the product.

Feature | Deprecation first announced | Support removed
Third-party add-ons that use Microsoft .NET Framework version 4.6.1 or earlier, and rely on Configuration Manager libraries. Such add-ons need to use .NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2. | September 2021 | Version 2111
Log Analytics connector for Azure Monitor. This feature is called the OMS Connector in the Azure Services node. | November 2020 | Version 2107
Microsoft Edge legacy browser profiles. For more information, see New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release. | March 2021 | April 2021
The collection evaluation viewer, which was integrated in version 2010. The standalone tool is still available with the System Center 2012 R2 Configuration Manager Toolkit. | November 2020 | Version 2103
Desktop Analytics tile and page for Security Updates. | December 2020 | March 2021
Desktop Analytics option to View recent data for device enrollment and security updates. For more information, see Data latency. | May 2020 | July 2020
Windows Analytics and Upgrade Readiness integration. For more information, see KB 4521815: Windows Analytics retirement on January 31, 2020. | October 14, 2019 | January 31, 2020
Device health attestation assessment for conditional access compliance policies. For more information, see What happened to hybrid MDM. | July 3, 2019 | Version 1910
The Configuration Manager Company Portal app. | May 21, 2019 | Version 1910
The application catalog, including both site system roles: the application catalog website point and web service point. For more information, see Remove the application catalog. | May 21, 2019 | Version 1910
Certificate-based authentication with Windows Hello for Business settings in Configuration Manager. For more information, see Windows Hello for Business settings. | December 2017 | Version 1910
System Center Endpoint Protection for Mac and Linux. For more information, see End of support blog post. | October 2018 | December 31, 2018
On-premises conditional access. For more information, see What happened to hybrid MDM. | January 30, 2019 | September 1, 2019
Hybrid mobile device management (MDM). For more information, see What happened to hybrid MDM. Starting with the 1902 Intune service release, expected at the end of February 2019, new customers can't create a new hybrid connection. | August 14, 2018 | September 1, 2019
Security Content Automation Protocol (SCAP) extensions. The previous certified version is still available on the Microsoft Download Center. | September 2018 | Version 1810
The Silverlight user experience for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see Configure Software Center. | August 11, 2017 | Version 1806
The previous version of Software Center. For more information about the new Software Center, see Plan for and configure application management. | December 13, 2016 | Version 1802
Management of Virtual Hard Disks (VHDs) with Configuration Manager. This deprecation includes removal of options to create a new VHD or manage a VHD using a task sequence, and the removal of the Virtual Hard Disks node from the Configuration Manager console. Existing VHDs are not deleted, but are no longer accessible from within the Configuration Manager console. | January 6, 2017 | Version 1710
Task sequences: Convert Disk to Dynamic; Install Deployment Tools. | November 18, 2016 | Version 1710
Upgrade Assessment Tool. The Upgrade Assessment Tool depends on both Configuration Manager and the Application Compatibility Toolkit (ACT) 6.x. The final version of ACT was shipped in the Windows 10 v1511 ADK. As there are no further updates to ACT, support for the Upgrade Assessment Tool is discontinued. A deprecation notice was added to the download page for UAT on September 12, 2016. | September 12, 2016 | July 11, 2017
Software update points with a network load balancing (NLB) cluster. | February 27, 2016 | Version 1702
Task sequences: OSDPreserveDriveLetter. During an operating system deployment, by default, Windows Setup now determines the best drive letter to use (typically C:). If you want to specify a different drive to use, you can change the location in the Apply Operating System task sequence step. Go to the Select the location where you want to apply this operating system setting. Select Specific logical drive letter and choose the drive that you want to use. | June 20, 2016 | Version 1606
Network Access Protection (NAP), as found in System Center 2012 Configuration Manager. | July 10, 2015 | Version 1511
Out of Band Management, as found in System Center 2012 Configuration Manager. | October 16, 2015 | Version 1511

WINS
Windows Internet Name Service (WINS) is a legacy computer name registration and resolution service. It's a
deprecated service. You should replace WINS with Domain Name System (DNS). For more information, see
Windows Internet Name Service (WINS).
Out of Band Management
With Configuration Manager, native support for AMT-based computers from within the Configuration Manager
console has been removed.
AMT-based computers remain fully managed when you use the Intel SCS Add-on for Configuration
Manager. The add-on provides you access to the latest capabilities to manage AMT, while removing
limitations introduced until Configuration Manager could incorporate those changes.
Out of Band Management in System Center 2012 Configuration Manager is not affected by this change.
Network Access Protection
Configuration Manager has removed support for Network Access Protection. The feature has been deprecated
in Windows Server 2012 R2, and is removed from Windows 10.
For network access protection alternatives, see the Deprecated functionality section of Network Policy and
Access Services Overview.

See also
Removed and deprecated
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager
Removed and deprecated for Configuration
Manager site servers
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article describes products and operating systems that are removed from support for Configuration
Manager site servers, or will be removed in a future update (deprecated). It provides early notice about future
changes that might affect your use of Configuration Manager.
This information may change in the future. It might not include each deprecated feature, product, or OS.

Server OS

Operating systems | Deprecation first announced | Support removed
--- | --- | ---
Windows Server 2008 R2 with SP1 | July 2015 | Version 1702
Windows Server 2008 with SP2 | July 2015 | Version 1511

SQL Server

SQL Server versions | Deprecation first announced | Support removed
--- | --- | ---
SQL Server 2012 | July 2021 | The first release after July 1, 2022
SQL Server 2008 R2 | July 2015 | Version 1702
SQL Server 2008 | July 2015 | Version 1511

If you need to upgrade your version of SQL Server, we recommend the following methods, from easy to more
complex:
1. Upgrade SQL Server in-place (recommended).
2. Install a new version of SQL Server on a new computer. Then to point your site server at the new SQL
Server, use the database move option of Configuration Manager setup.
3. Use backup and recovery.

NOTE
Make sure to also upgrade versions of SQL Server Express at secondary sites.

Next steps
For more information, see the following articles:
Removed and deprecated
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager
Removed and deprecated items for Configuration Manager clients
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article describes products and operating systems that are removed from support for Configuration
Manager clients, or will be removed in a future update (deprecated). It provides early notice about future
changes that might affect your use of Configuration Manager.
This information may change in the future. It might not include each deprecated feature, product, or operating
system.

Deprecated client operating systems


Unless noted otherwise, each supported OS is supported as a Configuration Manager client until the extended
support end date of that OS version. For more information about extended support end dates, see the Microsoft
Support Lifecycle. If Configuration Manager support for an OS ends before the extended support end date, this
article lists a deprecation date and support removal date for that OS.
The following OS versions are deprecated as a Configuration Manager client. You can still use them now, but
Microsoft plans to end support in the future.

OS version | Deprecation first announced | Support removed
--- | --- | ---
macOS (all versions) | January 2022 | December 31, 2022

Unsupported client operating systems


The following OS versions are no longer supported.

OS version | Deprecation first announced | Support removed
--- | --- | ---
Windows CE 7.0 | July 19, 2019 | Version 2006
Windows 10 Mobile | July 19, 2019 | Version 2006
Windows 10 Mobile Enterprise | July 19, 2019 | Version 2006
Windows 7 | January 14, 2020 |
Windows Server 2008 | January 14, 2020 |
Windows Server 2008 R2 | January 14, 2020 |
Linux and UNIX | March 22, 2018 | Version 1902
Windows 8: Professional, Enterprise | January 12, 2016 | Version 1802
Windows Embedded 8 Pro | January 12, 2016 | Version 1802
Windows Embedded 8 Industry | January 12, 2016 | Version 1802
Windows XP Embedded (includes all XP-based embedded operating systems) | July 10, 2015 | Version 1702
Windows Vista | July 10, 2015 | Version 1511
Windows Server 2003 R2 | July 10, 2015 | Version 1511
Windows Server 2003 | July 10, 2015 | Version 1511
Windows XP | July 10, 2015 | Version 1511
macOS X 10.6 - 10.8 | July 10, 2015 | Version 1511
Windows Mobile 6.0 - 6.5 | July 10, 2015 | Version 1511
Nokia Symbian Belle | July 10, 2015 | Version 1511
Windows CE 5.0 - 6.0 | July 10, 2015 | Version 1511

See also
For more information, see the following articles:
Supported OS versions for clients and devices
Microsoft Support Lifecycle
Support for current branch versions of Configuration Manager
Supported configurations for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


As an on-premises solution, Configuration Manager makes use of your servers, clients, network configurations,
and other products like Microsoft Intune, SQL Server, and Azure.
This information can help you identify key configurations, requirements, and limitations. Use it to plan, deploy,
and maintain a functional Configuration Manager deployment. This information is specific to the infrastructure
for Configuration Manager sites, hierarchies, and managed devices.
When a Configuration Manager feature or capability requires more specific configurations, see the feature-
specific documentation. It's supplemental to the more general configuration details.
The products and technologies described in these articles are supported by Configuration Manager. However,
their inclusion in this content doesn't imply an extension of support for any product beyond that product's
individual support lifecycle. Products that are beyond their support lifecycle aren't supported for use with
Configuration Manager. This statement includes any products that are covered under the Extended Security
Updates (ESU) program. For more information about Extended Security Updates in Configuration Manager, see
Supported OS versions for clients and devices for Configuration Manager.

NOTE
For more general information, see the Microsoft Support Lifecycle.

Products and product versions that aren't listed in these articles aren't supported with Configuration Manager
unless they're announced on the Configuration Manager blog. The content on this blog may precede an update
to this documentation.
Site and site system prerequisites: Learn about required configurations on a Windows Server to support
different site types and site system roles.
Supported operating systems for site system servers: Learn about which operating systems you can use
as a site server or site system server.
Supported operating systems for clients and devices: Learn about which operating systems you can
manage with Configuration Manager. These include Windows, Windows Embedded, macOS, and mobile
devices.
Support for Windows 11 and Support for Windows 10: Learn about the Windows 11 and Windows 10
versions that are supported as clients.
Support for the Windows ADK: Learn about the Windows Assessment and Deployment Kit (Windows
ADK) version that are supported with Configuration Manager current branch for OS deployment.
Supported operating systems for the console: Learn about which operating systems can host the
Configuration Manager console.
Support for SQL Server versions: Learn about which versions of SQL Server can host the site database
and reporting database. It also includes required and optional configurations that you can use with SQL
Server.
High-availability options: Learn about the options you can implement when designing your environment
to help maintain a high level of available service for Configuration Manager.
Support for Active Directory domains: Learn about the supported Active Directory domain configurations
that Configuration Manager requires and supports.
Support for Windows features and networks: Learn about supported Windows technologies and
limitations for use with Configuration Manager. For example, Windows BranchCache and data
deduplication.
Support for virtualization environments: Learn more about how to use supported virtual machine
technologies.
FAQ for Configuration Manager on Azure: Answers to common questions about using Configuration
Manager on an Azure environment.
Use the following articles to understand Configuration Manager size, scale, and performance:
Size and scale numbers: Learn about how many sites, roles per site, and clients are supported in different
hierarchy designs.
Recommended hardware: Learn about guidelines that can help you identify the right hardware and
configurations to host your Configuration Manager sites and key services.
Site size and performance guidelines: Site size-related performance test results, methodology, and
guidance.
Site size and performance FAQ: Answers to common Configuration Manager questions about site sizing
and performance.
Site and site system prerequisites for Configuration Manager
2/16/2022 • 18 minutes to read

Applies to: Configuration Manager (current branch)


Windows-based computers require specific configurations to support their use as Configuration Manager site
system servers.
For some products, like Windows Server Update Services (WSUS) for the software update point, you need to
refer to the product documentation to identify additional prerequisites and limitations for use. Only
configurations that directly apply for use with Configuration Manager are included here.

General requirements and limitations


The following requirements apply to all site system servers:
Each site system server must use a 64-bit OS. The only exception is the distribution point site system role,
which you can install on some 32-bit operating systems.
Site systems aren't supported on Server Core installations of any OS. An exception is that Server Core
installations are supported for the distribution point. For more information, see Supported operating
systems for Configuration Manager site system servers.
After a site system server is installed, it's not supported to change:
The domain name of the domain where the site system computer is located (also called a domain rename).
The domain membership of the computer.
The name of the computer.
If you must change any of these items, first remove the site system role from the computer. Then
reinstall the role after the change is complete. For changes affecting the site server, first uninstall
the site. Then reinstall the site after the change is complete.
Site system roles aren't supported on an instance of a Windows Server cluster. The only exception is the
site database server. For more information, see Use a SQL Server Always On failover cluster instance for
the site database.
The Configuration Manager setup process doesn't block installation of the site server role on a computer
with the Windows role for Failover Clustering. SQL Server Always On availability groups require this role,
so previously you couldn't colocate the site database on the site server. With this change, you can create a
highly available site with fewer servers by using an availability group and a site server in passive mode.
For more information, see High availability options.
It's not supported to change the startup type or "Log on as" settings for any Configuration Manager
service. If you do, you might prevent key services from running correctly.

.NET version requirements


Starting in version 2107, site servers and specific site systems require Microsoft .NET Framework version 4.6.2.
Before you run setup to install or update the site, first update .NET and restart the system. If possible in your
environment, install the latest version of .NET version 4.8.

NOTE
.NET Framework version 4.6.2 is preinstalled with Windows Server 2016. Later versions of Windows are preinstalled with a
later version of the .NET Framework.
.NET Framework version 4.8 isn't supported on some OS versions.
For more information, see .NET Framework system requirements.

Site server
If the site server doesn't have any collocated roles that require .NET, it still requires .NET, but setup doesn't
automatically install it. Make sure the site server itself has at least .NET version 4.6.2. If possible, install .NET 4.8.
Site systems
During Configuration Manager setup, if site systems have a version earlier than 4.6.2, you'll see a prerequisite
check warning. This check is a warning instead of an error, because setup will install version 4.6.2. When .NET
updates, it usually requires Windows to restart. Site systems will send status message 4979 when a restart is
required. Configuration Manager suppresses the restart; the system doesn't restart automatically.
The behavior will differ for different types of site roles that require .NET:
The following site system roles support in-place upgrade of .NET. After upgrading .NET, if a restart is
required, it sends status message 4979. The role keeps running with the earlier .NET version. After
Windows restarts, the role starts using the new .NET version.
Asset Intelligence synchronization point
Management point
Service connection point
Data warehouse service point
The following site systems roles uninstall and reinstall when .NET is upgraded. During site update, site
component manager removes the role, and then updates .NET. If a restart is required, it sends status
message 4979. After restart, site component manager reinstalls the role with the new .NET version. The
role could be unavailable while it waits for you to restart the server.
SMS Provider for the administration service
Certificate registration point
Enrollment point
Enrollment proxy point
Reporting services point
Software update point

NOTE
Currently, you still need to enable the Windows feature for .NET Framework 3.5 on site systems that require it.

If site systems have at least version 4.6.2 but earlier than version 4.8, you'll also see a prerequisite check
warning. We recommend that you install the latest version of .NET version 4.8 to get the latest performance and
security improvements. Configuration Manager setup doesn't automatically install .NET version 4.8. A later
version of Configuration Manager will require .NET version 4.8.
There's also a new management insight to recommend site systems that don't yet have .NET version 4.8 or later.
Managing system restarts for .NET updates
Whether you update .NET before updating the site, or setup updates it, .NET may require a restart to complete
its installation. After .NET Framework is installed, it may require other updates. These updates may also require
the server to restart.
If you need to manage the device restarts before you update the site, use the following recommended process:
1. Install the latest baseline .NET version. For example, install .NET version 4.8.
2. Restart the server.
3. Scan for software updates and install the latest .NET cumulative update.
4. Restart the server.
5. Update the site to the latest current branch version.
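A PowerShell check that goes with the restart procedure above, added here as an example and not part of the Configuration Manager documentation or product. It reads the .NET Framework 4.x Release value and the well-known pending-restart registry markers so you can confirm steps 1 to 4 are complete before step 5; the Release thresholds are the documented minimum values per .NET Framework version, and the function names are assumptions of mine.

```powershell
# Added example; not part of the Configuration Manager docs or product.
# Checks the installed .NET Framework 4.x release against the site prerequisite
# (4.6.2 minimum from version 2107, 4.8 recommended) and whether Windows still
# has a restart pending, which is what the procedure above is designed to avoid.

# Documented minimum "Release" values, highest first; the first one reached wins.
$script:NetFrameworkReleaseThresholds = [ordered]@{
    533320 = '4.8.1'
    528040 = '4.8'
    461808 = '4.7.2'
    461308 = '4.7.1'
    460798 = '4.7'
    394802 = '4.6.2'
    394254 = '4.6.1'
    393295 = '4.6'
    379893 = '4.5.2'
    378675 = '4.5.1'
    378389 = '4.5'
}

function ConvertTo-NetFrameworkVersion {
    param([Parameter(Mandatory)][int]$Release)
    foreach ($entry in $script:NetFrameworkReleaseThresholds.GetEnumerator()) {
        if ($Release -ge $entry.Key) { return $entry.Value }
    }
    return 'earlier than 4.5'
}

function Test-PendingRestart {
    # Markers written by component servicing, Windows Update and in-use file replacement.
    $markerKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $markerKeys) {
        if (Test-Path -Path $key) { return $true }
    }
    $sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pendingRenames = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return [bool]$pendingRenames
}

function Test-SiteNetFrameworkPrerequisite {
    param(
        [int]$MinimumRelease     = 394802,  # .NET Framework 4.6.2
        [int]$RecommendedRelease = 528040   # .NET Framework 4.8
    )
    # The 4.x family registers a single Release DWORD under this key.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) { $release = 0 }   # no 4.x framework registered at all

    $restartPending = Test-PendingRestart
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Release            = $release
        Version            = ConvertTo-NetFrameworkVersion -Release $release
        MeetsMinimum       = ($release -ge $MinimumRelease)
        MeetsRecommended   = ($release -ge $RecommendedRelease)
        RestartPending     = $restartPending
        # Only update the site when the required .NET is present and no restart is outstanding.
        ReadyForSiteUpdate = ($release -ge $MinimumRelease) -and (-not $restartPending)
    }
}

Test-SiteNetFrameworkPrerequisite | Format-List
```

Run it on each site system after step 4; a `RestartPending` of True means the .NET cumulative update has not finished applying and the server needs another restart before the site update.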

Central administration site and primary site servers


For more information on all prerequisites including permissions, see Prerequisites for installing a primary site
or a CAS. The following sections detail the prerequisite components that you need to install or enable.
Windows Server roles and features for the site server
.NET Framework 3.5
Remote Differential Compression
When you use a software update point on a server other than the site server, install the WSUS
Administration Console on the site server.
.NET Framework for the site server
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
Windows ADK for the site server
Before you install or upgrade a central administration site or primary site, install the version of the
Windows Assessment and Deployment Kit (ADK) that's required by the version of Configuration Manager
you're installing or upgrading to. For more information, see Support for the Windows ADK.
For more information about this requirement, see Infrastructure requirements for OS deployment.
Visual C++ Redistributable for the site server
Starting in version 2107, Configuration Manager installs the Microsoft Visual C++ 2015-2019
redistributable package (14.28.29914.0) on each computer that installs a site server. In version 2103 and
earlier, it installs the Visual C++ 2013 version (12.0.40660.0).
The CAS and primary sites require both the x86 and x64 versions of the applicable redistributable file.
SQL Server Native Client for the site server
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Secondary site server


Windows Server roles and features for the secondary site server
.NET Framework 3.5
Remote Differential Compression
.NET Framework for the secondary site server
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
Visual C++ Redistributable for the secondary site server
Starting in version 2107, Configuration Manager installs the Microsoft Visual C++ 2015-2019
redistributable package (14.28.29914.0) on each computer that installs a secondary site server. In version
2103 and earlier, it installs the Visual C++ 2013 version (12.0.40660.0).
Secondary sites require only the x64 version.
Default site system roles for the secondary site server
By default, a secondary site installs a management point and a distribution point. Make sure that the
secondary site server meets the prerequisites for these site system roles.
SQL Server Native Client for the secondary site server
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Database server
Remote Registry service for the site database server
During installation of the Configuration Manager site, enable the Remote Registry service on the computer
that hosts the site database.
SQL Server for the site database server
Before you install a CAS or primary site, install a supported version of SQL Server to host the site
database. For more information, see Supported SQL Server versions.
Before you install a secondary site:
You can install a supported version of SQL Server.
You can choose to have Configuration Manager install SQL Server Express. Make sure that the
server meets the requirements to run SQL Server Express.
SQL Server Native Client for the site database server
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

SMS Provider server


Windows ADK for the SMS Provider
The server where you install an instance of the SMS Provider must have a supported version of the
Windows ADK. For more information, see Support for the Windows ADK.
For more information about this requirement, see Infrastructure requirements for operating system
deployment.
Windows Server roles and features for the SMS Provider
Web Server (IIS): Every provider attempts to install the administration service. This service has a dependency on
IIS to bind a certificate to HTTPS port 443. Configuration Manager uses IIS APIs to check this certificate
configuration. If you configure the site for Enhanced HTTP, Configuration Manager uses IIS APIs to bind the site-
generated certificate. Unless the server already has a PKI-based certificate, the site automatically uses the site's
self-signed certificate.
.NET Framework for the SMS Provider
If you're using the administration service, the server that hosts the SMS Provider role requires .NET 4.5 or later.
Starting in version 2107, this role requires .NET version 4.6.2, and version 4.8 is recommended. For more
information, see .NET version requirements.
SQL Server Native Client for the SMS Provider
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Asset Intelligence synchronization point


IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Introduction
to asset intelligence in Configuration Manager.

.NET Framework for the AISP


Install a supported version of the .NET Framework. For more information, see .NET version requirements.
SQL Server Native Client for the AISP
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Certificate registration point


Windows Server roles and features for the CRP
.NET Framework
HTTP Activation
IIS configuration for the CRP
Application Development:
ASP.NET 3.5 (and automatically selected options)
ASP.NET 4.5 (and automatically selected options)
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
.NET Framework for the CRP
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
SQL Server Native Client for the CRP
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Data warehouse service point


For more information on the prerequisites for this role, see The data warehouse service point.
.NET Framework for the DWSP
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
SQL Server for the DWSP
The data warehouse database requires SQL Server 2012 or later. The edition can be Standard, Enterprise, or
Datacenter. The SQL Server version for the data warehouse doesn't need to be the same as the site database
server or the reporting services point.

Distribution point
Windows Server roles and features for the DP
Remote Differential Compression

NOTE
When the distribution point transfers content, it transfers using the Background Intelligent Transfer Service (BITS)
built into Windows. The distribution point role doesn't require the optional BITS IIS Server Extension feature to be
installed, because the client doesn't upload information to it.

IIS configuration for the DP


Application Development:
ISAPI Extensions
Security:
Windows Authentication
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
By default, IIS uses request filtering to block several file name extensions and folder locations from access by
HTTP or HTTPS communication. On a distribution point, this configuration prevents clients from downloading
packages that have blocked extensions or folder locations. For more information, see IIS request filtering for
distribution points.
Distribution points require that IIS allows the following HTTP verbs:
GET
HEAD
PROPFIND
Visual C++ Redistributable for the DP
Starting in version 2107, Configuration Manager installs the Microsoft Visual C++ 2015-2019
redistributable package (14.28.29914.0) on each computer that hosts a distribution point. In version 2103
and earlier, it installs the Visual C++ 2013 version (12.0.40660.0).
The version that's installed depends on the computer's platform (x86 or x64).
Add PXE support for the DP
There are two options to support PXE on a distribution point:
Enable the Configuration Manager PXE responder without Windows Deployment Service.
Install and configure the Windows Deployment Services (WDS) Windows Server role.

NOTE
WDS installs and configures automatically when you enable a distribution point to support PXE.

For more information, see Install and configure distribution points.


Add multicast support for the DP
Install and configure the Windows Deployment Services (WDS) Windows Server role.

NOTE
WDS installs and configures automatically when you enable a distribution point to support multicast.

Make sure the SQL Server Native Client is installed and up to date. For more information, see
Prerequisite checks - SQL Server Native Client.

Endpoint Protection point


Windows Server roles and features for the endpoint protection point
.NET Framework 3.5
Windows Defender features (Windows Server 2016 or later)
SQL Server Native Client for the endpoint protection point
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Enrollment point
IMPORTANT
With the deprecation of on-premises MDM and the Configuration Manager client for macOS, this site system role is also
deprecated. For more information, see Removed and deprecated features for Configuration Manager.

Windows Server roles and features for the enrollment point


.NET Framework 3.5
HTTP Activation (and automatically selected options)
ASP.NET 4.5
Windows Communication Foundation (WCF) Services
IIS configuration for the enrollment point
Common HTTP Features:
Default Document
Application Development:
ASP.NET 3.5 (and automatically selected options)
.NET Extensibility 3.5
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 4.5
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
.NET Framework for the enrollment point
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
Computer memory for the enrollment point
The computer that hosts this site system role must have a minimum of 5% of the computer's available
memory free to enable the site system role to process requests.
When this site system role is collocated with another site system role that has this same requirement, this
memory requirement for the computer doesn't increase, but remains at a minimum of 5%.
SQL Server Native Client
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Enrollment proxy point


IMPORTANT
With the deprecation of on-premises MDM and the Configuration Manager client for macOS, this site system role is also
deprecated. For more information, see Removed and deprecated features for Configuration Manager.

Windows Server roles and features for the enrollment proxy point
.NET Framework 3.5
IIS configuration for the enrollment proxy point
Common HTTP Features:
Default Document
Static Content
Application Development:
ASP.NET 3.5 (and automatically selected options)
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 3.5
.NET Extensibility 4.5
Security:
Windows Authentication
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
.NET Framework for the enrollment proxy point
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
Computer memory for the enrollment proxy point
The computer that hosts this site system role must have a minimum of 5% of the computer's available
memory free to enable the site system role to process requests.
When this site system role is colocated with another site system role that has this same requirement, this
memory requirement for the computer doesn't increase, but remains at a minimum of 5%.

Fallback status point


Windows Server roles and features for the FSP
Depending upon the version of Windows Server, enable one of the following features:
BITS Server Extensions and the automatically selected options
Background Intelligent Transfer Services (BITS) and the automatically selected options
IIS configuration
The default IIS configuration is required with the following additions:
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility

Management point
Windows Server roles and features for the MP
Depending upon the version of Windows Server, enable one of the following features:
BITS Server Extensions and the automatically selected options
Background Intelligent Transfer Services (BITS) and the automatically selected options
IIS configuration for the MP
Application Development:
ISAPI Extensions
Security:
Windows Authentication
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
To make sure that clients can successfully communicate with a management point, make sure IIS allows the
following HTTP verbs:
GET
POST
CCM_POST
HEAD
PROPFIND
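A check for the HTTP verb requirements of both the distribution point (GET, HEAD, PROPFIND, listed earlier) and the management point (GET, POST, CCM_POST, HEAD, PROPFIND, listed just above), added here as an example and not part of the Configuration Manager documentation or product. It reads the IIS request filtering verb list with the WebAdministration module and reports whether each required verb is allowed; the site name and the function name are assumptions of mine.

```powershell
# Added example; not part of the Configuration Manager docs or product.
# Requires the IIS WebAdministration module; run elevated on the site system.
Import-Module WebAdministration -ErrorAction Stop

# Verbs each role needs IIS to allow, taken from the lists on this page.
$script:RequiredVerbsByRole = @{
    DistributionPoint = @('GET', 'HEAD', 'PROPFIND')
    ManagementPoint   = @('GET', 'POST', 'CCM_POST', 'HEAD', 'PROPFIND')
}

function Test-RequestFilteringVerbs {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DistributionPoint', 'ManagementPoint')]
        [string]$Role,
        [string]$SiteName = 'Default Web Site'   # assumption: the role is hosted on the default site
    )
    $psPath      = "IIS:\Sites\$SiteName"
    $verbsFilter = '/system.webServer/security/requestFiltering/verbs'

    # allowUnlisted (default true) decides the fate of verbs that have no <add> entry.
    # The property may come back as a plain bool or as an attribute object with .Value.
    $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter $verbsFilter -Name 'allowUnlisted'
    $allowUnlisted = if ($raw -is [bool]) { $raw } else { [bool]$raw.Value }

    # Explicit <add verb="..." allowed="..."/> entries; inherited from applicationHost.config
    # unless the site or application overrides them.
    $entries = @(Get-WebConfiguration -PSPath $psPath -Filter "$verbsFilter/add")

    foreach ($verb in $script:RequiredVerbsByRole[$Role]) {
        $entry   = $entries | Where-Object { $_.verb -ieq $verb } | Select-Object -First 1
        $allowed = if ($null -ne $entry) { [bool]$entry.allowed } else { $allowUnlisted }
        [pscustomobject]@{
            Role    = $Role
            Verb    = $verb
            Listed  = ($null -ne $entry)
            Allowed = $allowed
            # CCM_POST is a custom verb: with allowUnlisted=false it must be listed explicitly.
            Note    = if ($allowed) { '' } else { "Blocked by request filtering on '$SiteName'" }
        }
    }
}

# Report both roles; any row with Allowed = False will break client communication.
'DistributionPoint', 'ManagementPoint' |
    ForEach-Object { Test-RequestFilteringVerbs -Role $_ } |
    Format-Table -AutoSize
```

A hardened server that sets allowUnlisted to false must still list CCM_POST explicitly, which this report makes visible as a Listed = False, Allowed = False row.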
.NET Framework for the MP
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
SQL Server Native Client for the MP
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Reporting services point


.NET Framework for the RSP
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
SQL Server Reporting Services for the RSP
Install and configure at least one instance of SQL Server to support SQL Server Reporting Services.
The instance that you use for SQL Server Reporting Services can be the same instance you use for the
site database.
The instance that you use can be shared with System Center products. The System Center products can't
have restrictions for sharing the instance of SQL Server.
SQL Server Native Client for the RSP
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Service connection point


.NET Framework for the SCP
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
Visual C++ Redistributable for the SCP
Starting in version 2107, Configuration Manager installs the Microsoft Visual C++ 2015-2019 redistributable
package (14.28.29914.0) on the service connection point. In version 2103 and earlier, it installs the Visual
C++ 2013 version (12.0.40660.0).
SQL Server Native Client for the SCP
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

Software update point


Windows Server roles and features for the SUP
.NET Framework 3.5
The default IIS configuration is required.
.NET Framework for the SUP
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
Windows Server Update Services (WSUS) for the SUP
Install the WSUS server role. For more information, see Plan for software updates.

NOTE
When you use a software update point on a remote site system, install the WSUS Administration Console on the site
server.

SQL Server Native Client for the SUP


When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.

State migration point


Windows Server roles and features for the SMP
.NET Framework 3.5
HTTP Activation (and automatically selected options)
ASP.NET 4.5
IIS configuration for the SMP
Common HTTP Features:
Default Document
Application Development:
ASP.NET 3.5 (and automatically selected options)
.NET Extensibility 3.5
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 4.5
IIS 6 Management Compatibility:
IIS 6 Metabase Compatibility
.NET Framework for the SMP
Enable the Windows feature for .NET Framework 3.5.
Install a supported version of the .NET Framework. For more information, see .NET version requirements.
SQL Server Native Client for the SMP
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Make sure this component is up to date. For more information, see Prerequisite checks - SQL Server
Native Client.
Supported operating systems for Configuration Manager site system servers
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


This article details the Windows versions that you can use to host a Configuration Manager site or site system
role.

Windows Server 2022


Applies to Datacenter: Azure Edition, Standard and Datacenter editions
Starting in version 2107, this OS version is supported for the following servers.
Site servers:
Central administration site
Primary site
Secondary site
Site system servers:
Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

NOTE
If you're installing a new site, you can use the latest baseline version 2103 on a Windows Server 2022 site server, and
then immediately update the site to version 2107.

Windows Server 2019


Applies to Standard and Datacenter editions
Site servers:
Central administration site
Primary site
Secondary site
Site system servers:
Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Windows Server 2016


Applies to Standard and Datacenter editions
Site servers:
Central administration site
Primary site
Secondary site
Site system servers:
Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Windows Storage Server 2016


Site system server:
Distribution point Note 1

Windows Server 2012 R2


Applies to Standard and Datacenter editions
Site servers:
Central administration site
Primary site
Secondary site
Site system servers:
Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Windows Server 2012


Applies to Standard and Datacenter editions
Site servers:
Central administration site
Primary site
Secondary site
Site system servers:
Asset Intelligence synchronization point
Certificate registration point
Cloud management gateway connection point
Data warehouse service point
Distribution point Note 1
Endpoint Protection point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Reporting services point
Service connection point
Site database server Note 2
SMS Provider
Software update point
State migration point

Client OS versions
The following client OS versions are supported for use as a distribution point Note 1:
Windows 11 (starting in Configuration Manager version 2107)
For more information on supported build versions and editions, see Support for Windows 11.
Windows 10 (x86, x64)
For more information on supported build versions and editions, see Support for Windows 10.
Windows 8.1 (x86, x64): Professional and Enterprise
This support has the following limitation:
Distribution points on this OS don't support PXE or multicast with the default Windows Deployment Services.
You can PXE-enable a distribution point on this OS with the option to Enable a PXE responder without
Windows Deployment Service. For more information, see Install and configure distribution points.

Server core installations


The server core installation of the following server OS versions is supported for use as a distribution point:
Windows Server 2022
Windows Server 2019
Windows Server, version 1809
Windows Server, version 1803
Windows Server, version 1709
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
This support has the following limitation:
Distribution points on this OS don't support PXE or multicast with the default Windows Deployment Services.
You can PXE-enable a distribution point on this OS with the option to Enable a PXE responder without
Windows Deployment Service. For more information, see Install and configure distribution points.

General notes
Note 1: Distribution points
Distribution points support several different configurations that each have different requirements. In some
cases, these configurations support installation not only on servers, but on client operating systems. For more
information, see Manage content and content infrastructure.
Note 2: Site database servers
Site database servers aren't supported on a read-only domain controller (RODC). For more information, see
SQL Server security considerations: Installing SQL Server on a domain controller.
Additionally, secondary site servers aren't supported on any domain controller.

Next steps
Supported SQL Server versions
See also:
Recommended hardware
Site and site system prerequisites
Size and scale numbers
Supported OS versions for clients and devices for Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports installing client software on Windows and macOS computers.

General requirements and limitations


Review the following requirements and limitations for all clients:
Changing the startup type or Log on as settings for any Configuration Manager service isn't supported. This
change can prevent key services from running correctly.

Windows computers
To manage the following Windows OS versions, use the client that's included with Configuration Manager. For
more information, see How to deploy clients to Windows computers.
Supported client OS versions
Windows 11 (starting in Configuration Manager version 2107)

NOTE
You can continue to use Microsoft Endpoint Manager to manage devices running Windows 11 the same as with
Windows 10. For more information, including some known issues, see Support for Windows 11.

Windows 10
For more information, see Support for Windows 10.
Windows 8.1 (x86, x64): Professional, Enterprise
For more information on the versions of the Windows Assessment and Deployment Kit (Windows ADK) that
Configuration Manager current branch supports, see Support for the Windows ADK.
Azure Virtual Desktop
Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft Azure. You can use
Configuration Manager to manage these virtual devices running Windows in Azure.
Similar to a terminal server, some of these virtual devices allow multiple concurrent active user sessions. To help
with client performance, Configuration Manager disables user policies on any device that allows these multiple
user sessions. Even if you enable user policies, the client disables them by default on these devices, which
include Windows Enterprise multi-session and terminal servers.
The client only disables user policy when it detects this type of device during a new installation. For an existing
client of this type that you update to this version, the previous behavior persists. On an existing device, it
configures the user policy setting even if it detects that the device allows multiple user sessions.
If you require user policy in this scenario, and accept any potential performance impact, use client settings to
enable user policy. In the Client Policy group, configure the following setting: Enable user policy for
multiple user sessions.
Starting in version 2006, the Windows 10 Enterprise multi-session platform is available in the list of
supported OS versions on objects with requirement rules or applicability lists. Starting in version 2107, the
Windows 11 Enterprise multi-session platform is available.

NOTE
If you previously selected the top-level platform, this action automatically selected all child platforms. New platforms aren't
automatically selected. For example, if you want to add Windows 10 Enterprise multi-session, manually select it
under the Windows 10 platform.

For more information, see the following articles:


Support for virtualization environments
Manage Configuration Manager clients in a virtual desktop infrastructure (VDI)
Supported server OS versions
Windows Server 2022: Standard, Datacenter Note 1 (starting in Configuration Manager version 2107)
Windows Server 2019: Standard, Datacenter Note 1
Windows Server 2016: Standard, Datacenter Note 1
Windows Storage Server 2016: Workgroup, Standard
Windows Server 2012 R2 (x64): Standard, Datacenter Note 1
Windows Storage Server 2012 R2 (x64)
Windows Server 2012 (x64): Standard, Datacenter Note 1
Windows Storage Server 2012 (x64)
Server Core
The following versions specifically refer to the Server Core installation of the OS. Note 3
Windows Server semi-annual channel versions are Server Core installations, such as Windows Server, version
1809. As a Configuration Manager client, they're supported the same as the associated Windows 11 or
Windows 10 semi-annual channel version. For more information, see Support for Windows 11 or Support for
Windows 10.
Windows Server 2022 (x64) Note 2 (starting in version 2107)
Windows Server 2019 (x64) Note 2
Windows Server 2016 (x64) Note 2
Windows Server 2012 R2 (x64) Note 2
Windows Server 2012 (x64) Note 2
Note 1
Configuration Manager tests and supports Windows Server Datacenter editions, but isn't officially certified for
Windows Server. Configuration Manager hotfix support isn't offered for issues that are specific to Windows
Server Datacenter Edition. For more information on the Windows Server certification program, see Windows
Server Catalog.
Note 2
To support client push installation, add the File Server service of the File and Storage Services server role. For
more information about installing Windows features on Server Core, see Install roles, role services, and features
by using Windows PowerShell cmdlets.
Note 3
The Software Center app isn't supported on any version of Windows Server Core.

Windows Embedded computers


Manage Windows Embedded devices by installing the Configuration Manager client on the device. For more
information, see Planning for client deployment to Windows Embedded devices.
Requirements and limitations
All client features are supported on Windows Embedded systems that don't have write filters enabled.
Clients that use one of the following are supported for all features except power management:
Enhanced Write Filters (EWF)
RAM File-Based Write Filters (FBWF)
Unified Write Filters (UWF)
Supported OS versions
Windows 11 Enterprise
Windows 11 IoT Enterprise Note 4
Windows 10 Enterprise (x86, x64)
Windows 10 IoT Enterprise (x86, x64) Note 4
Windows Embedded 8.1 Industry (x86, x64)
Windows Embedded 8 Standard (x86, x64)
Note 4: Windows IoT Enterprise
This version includes the long-term servicing channel (LTSC). For more information, see Overview of Windows
10 IoT Enterprise.

Extended Security Updates and Configuration Manager


The Extended Security Updates (ESU) program is a last resort option for customers who need to run certain
legacy Microsoft products, such as Windows 7, past the end of support. It includes Critical and/or
Important security updates (as defined by the Microsoft Security Response Center (MSRC)) for a maximum of
three years after the product's End of Extended Support date.
Products that are beyond their support lifecycle aren't supported for use with Configuration Manager. This
includes any products that are covered under the ESU program. Security updates released under the ESU
program will be published to Windows Server Update Services (WSUS). These updates will appear in the
Configuration Manager console. While products that are covered under the ESU program are no longer
supported for use with Configuration Manager, the latest released version of Configuration Manager current
branch can be used to deploy and install Windows security updates released under the program. The latest
released version can also be used to deploy a supported version of Windows to devices running Windows 7.
Client management features not related to Windows software update management or OS deployment will no
longer be tested on the operating systems covered under the ESU program and we don't guarantee that they'll
continue to function. It's highly recommended to upgrade or migrate to a current version of the operating
systems as soon as possible to receive client management support.
TIP
Starting in Configuration Manager 2010, you'll be notified in-console about devices with operating systems that are past
the end of support date and that are no longer eligible to receive security updates. For more information, see Console
notifications. This information is provided for your convenience and only for use internally within your company. You
should not solely rely on this information to confirm update or license compliance. Be sure to verify the accuracy of the
information provided to you.

Mac computers
IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. The macOS client installation package isn't
available for new deployments, but existing deployments are supported until December 31, 2022.
Migrate management of macOS devices to Microsoft Intune:
1. First, uninstall the Configuration Manager client for macOS. For more information, see Uninstalling the Mac client.
2. Then enroll the device to Intune. For more information, see Deployment guide: Manage macOS devices in Microsoft
Intune.

Manage Apple Mac computers with the Configuration Manager client for macOS.
For more information, see How to deploy clients to Macs.
Requirements and limitations for macOS
Installing or running the Configuration Manager client for macOS on computers under an account other than
root isn't supported. Doing so can prevent key services from running correctly.
Supported versions
macOS Big Sur (11) (requires Configuration Manager client for macOS version 5.0.9000.1002 or later)
macOS Catalina (10.15) (requires Configuration Manager client for macOS version 5.0.8742.1000 or
later)
macOS Mojave (10.14)

On-premises MDM
IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated.

Configuration Manager has built-in capabilities for managing mobile devices that are on-premises without
installing client software. For more information, see Manage mobile devices with on-premises infrastructure.
Supported operating systems
Windows 10 Pro (x86, x64)
Windows 10 Enterprise (x86, x64)
Windows 10 IoT Enterprise (x86, x64) This version includes the long-term servicing channel (LTSC).
For more information, see Overview of Windows 10 IoT Enterprise.
Windows 10 Team for Surface Hub
Exchange Server connector
Configuration Manager supports limited management of devices that connect to your Exchange Server, without
installing the Configuration Manager client. For more information, see Manage mobile devices with
Configuration Manager and Exchange.
Supported versions of Exchange Server
Exchange Online (Microsoft 365): This version includes Business Productivity Online Standard Suite
Exchange Server 2016
Exchange Server 2013
Exchange Server 2010 SP1 or Exchange Server 2010 SP2
Support for Windows 11 in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Learn about the Windows 11 versions that Configuration Manager supports as a client.
For more information about support for the Windows Assessment and Deployment Kit (ADK) for Windows 11,
see Support for the Windows ADK.

NOTE
You can continue to use Microsoft Endpoint Manager to manage devices running Windows 11 the same as with Windows
10. If another article doesn't explicitly reference Windows 11, assume that feature support for Windows 10 also includes
Windows 11. This article lists some known issues.

Windows 11 versions
Configuration Manager attempts to provide support as a client for each new Windows 11 version soon after it
becomes available. Because the products have separate development and release schedules, the support that
Configuration Manager provides depends on when each becomes available.
A Configuration Manager version drops from the matrix after support for that version ends. Similarly,
Configuration Manager doesn't support Windows 11 versions when their support lifecycle ends.
The latest version of Configuration Manager current branch receives both security and critical updates,
which can include fixes for Windows 11-specific features. When Microsoft releases a new version of
Configuration Manager current branch, prior versions only receive security updates. For more
information, see Support for Configuration Manager current branch versions.

NOTE
The best way to stay current with Windows 11 is to stay current with Configuration Manager. For more
information, see Configuration Manager and Windows as a Service.

This information supplements Supported operating systems for clients and devices.
The following table lists the versions of Windows 11 that you can use as a client with different versions of
Configuration Manager.

Windows 11 version   ConfigMgr 2006   ConfigMgr 2010   ConfigMgr 2103   ConfigMgr 2107   ConfigMgr 2111
21H2 (10.0.22000)

For more information on Windows lifecycle, see the Windows lifecycle fact sheet and Windows release
information.
Key
= Supported
= Not supported

Support notes
Support for Windows 11 versions includes the following editions: Enterprise, Pro, Education, Pro
Education, and Pro for Workstation.
Windows 11 reports the Operating System property as Microsoft Windows NT Workstation 10.0, which
is identical to Windows 10. To distinguish devices running Windows 11, use the Operating System
Build device property for build number 10.0.22000 or later.
OS deployment images and upgrade packages for Windows 11 show the image name as Windows 10.
For more information, see Using deployment tools with Windows 11 images.
The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11 and Windows Server
2022 aren't supported. The last supported version of 32-bit WinPE is available in the WinPE add-on for
Windows 10, version 2004. For more information, see Download and install the Windows ADK.
Configuration Manager supports the use of older versions of Windows PE as boot images, but you can't
customize them in the Configuration Manager console. For more information, see Customize boot
images with Configuration Manager.

Windows 11 on ARM64
Configuration Manager version 2107 with the update rollup supports the client on Windows 11 ARM64 devices.
The All Windows 11 (ARM64) platform is available in the list of supported OS versions on objects with
requirement rules or applicability lists.
OS deployment isn't supported, except for a feature update task sequence. You can deploy a task sequence with
a feature update to a Windows 11 on ARM64 device. For more information, see Upgrade Windows to the latest
version.

Support for Windows Insider


You can update and service Windows Insider builds. This ability is provided as a convenience to our customers.
While this functionality should work, its support is best effort. Configuration Manager might not issue a hotfix
for this functionality if it doesn't work.
To provide feedback on Windows Insider, use the Windows Feedback Hub.

Known issues
Desktop Analytics
Desktop Analytics doesn't support Windows 11. For information about Windows 11 hardware readiness,
Microsoft recommends that you enable tenant attach and Endpoint analytics.
Windows servicing dashboard
The Windows Servicing dashboard currently includes Windows 11 devices with the latest version of Windows
10. It doesn't yet distinguish a version for Windows 11. For more information on this dashboard, see Manage
Windows as a service using Configuration Manager.
Software Center notifications don't display during quiet period
By default, Windows 11 enables focus assist for the first hour after a user signs on for the first time. For more
information, see Reaching the Desktop and the Quiet Period.
Software Center notifications are currently suppressed during this time. For more information, see Turn Focus
assist on or off in Windows.
Pre-provisioning BitLocker during task sequence doesn't own TPM
Applies to: Windows ADK for Windows 11
When you use a Windows 11-based boot image with an OS deployment task sequence that includes the Pre-
provision BitLocker step, the step might fail. You'll see errors similar to the following strings in the smsts.log:

'TakeOwnership' failed (2147942402)
pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured
The system cannot find the file specified. (Error: 80070002; Source: Windows)
Process completed with exit code 2147942402
Failed to run the action: Pre-provision BitLocker. Error -2147024894

To work around this issue, add a Run Command Line step to the task sequence before the Pre-provision
BitLocker step. Run the following command:
reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f

For more information on this registry key, see Change the TPM owner password.
Configuration Manager console with Windows Hello for Business authentication
Applies to: Azure Active Directory (Azure AD)-joined devices
If you configure the authentication level for the site to require Windows Hello for Business authentication,
the Configuration Manager console on a Windows 11 device can't connect to the site. The adminui.log file on the
devices shows the following errors:

Description = "Current thread is not authenticated with the minimal allowed level.";
ErrorCode = 2185761792;

Use one of the following options to work around this issue:


Update the device to Windows 11 OS build 22000.282. For more information, see October 21, 2021—
KB5006746 (OS Build 22000.282) Preview.
Install the console on a device running another version of Windows.
Add users to the authentication exclusion list. For more information, see Configure SMS Provider
authentication.
Offline servicing
When you apply software updates to an image for Windows 11, the process will fail. You'll see errors similar to
the following entries in the offline servicing log file, OfflineServicingMgr.log:

InstallUpdate returned code 0x8007007b
Failed to install update with ID 16787962 on the image. ErrorCode = 123

This issue is because DISM doesn't support the .cab files.
To work around this issue, you can manually service the image:
1. Download the update directly from the Microsoft Update Catalog. For example,
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5007215
2. Use DISM to manually inject the downloaded .msu update file into the Windows 11 image. For more
information, see Add updates to a Windows image.
3. Manually update the image file in the package source. Then update it on distribution points.
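The manual servicing steps above, carried out with the DISM PowerShell module, as an added example that is not part of the Microsoft documentation. The image path, mount directory and the .msu file name are placeholders; the function commits the image only when the package was added cleanly and discards the mount otherwise, so a failed injection leaves the original install.wim untouched.

```powershell
# Added example (not from the Microsoft docs): offline-service a Windows 11 image
# by injecting a catalog-downloaded .msu with the DISM PowerShell module.
function Update-OfflineWindowsImage {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,    # placeholder: install.wim in the package source
        [Parameter(Mandatory)] [string] $UpdatePath,   # placeholder: the .msu downloaded from the Update Catalog
        [int] $Index = 1,                              # image index inside the .wim
        [string] $MountDir = 'C:\Mount'                # placeholder: must be an empty directory
    )
    if (-not (Test-Path -Path $MountDir)) {
        New-Item -ItemType Directory -Path $MountDir | Out-Null
    }

    $saved = $false
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir -ErrorAction Stop | Out-Null
    try {
        # This is the step Configuration Manager's offline servicing cannot do
        # for Windows 11; done directly, DISM takes the .msu from the catalog.
        Add-WindowsPackage -Path $MountDir -PackagePath $UpdatePath -ErrorAction Stop | Out-Null

        # Commit the change only after the package went in without error.
        Dismount-WindowsImage -Path $MountDir -Save -ErrorAction Stop | Out-Null
        $saved = $true
    }
    finally {
        if (-not $saved) {
            # Any failure above: throw the mounted changes away so the source
            # image in the package share is never left half-updated.
            Dismount-WindowsImage -Path $MountDir -Discard -ErrorAction SilentlyContinue | Out-Null
        }
    }

    # Step 3 of the workaround remains: replace the image file in the package
    # source and redistribute it (for example with Update-CMDistributionPoint
    # from the Configuration Manager module).
    return $saved
}

# Placeholder invocation; adjust the paths and the KB file name to your download.
# Update-OfflineWindowsImage -ImagePath '\\server\share\OSImages\Win11\install.wim' `
#     -UpdatePath 'C:\Updates\<downloaded-KB>.msu'
```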

Next steps
Support for the Windows ADK
Support for Windows 10 in Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Learn about the Windows 10 versions that Configuration Manager supports as a client. For more information
about support for later versions of Windows, see Support for Windows 11.
For more information about support for the Windows Assessment and Deployment Kit (ADK) for Windows 10,
see Support for the Windows ADK.

TIP
Windows Server builds as a client are supported the same as the associated Windows 10 version. For example, Windows
Server 2016 is the same build version as Windows 10 LTSB 2016, and Windows Server version 1803 is the same build
version as Windows 10, version 1803.
For more information on Windows Server as a site system, see Supported operating systems for Configuration Manager
site system servers.

Windows 10 versions
Configuration Manager attempts to provide support as a client for each new Windows 10 version as soon as
possible after it becomes available. Because the products have separate development and release schedules, the
support that Configuration Manager provides depends on when each becomes available.
A Configuration Manager version drops from the matrix after support for that version ends. Similarly, support
for Windows 10 versions like the Enterprise 2015 LTSB or 1511 drops from the matrix when they're removed
from support.
The latest version of Configuration Manager current branch receives both security and critical updates,
which can include fixes for issues with Windows 10 versions. When Microsoft releases a new version of
Configuration Manager current branch, prior versions only receive security updates. For more
information, see Support for Configuration Manager current branch versions.

NOTE
The best way to stay current with Windows 10 is to stay current with Configuration Manager. For more
information, see Configuration Manager and Windows as a Service.

This information supplements Supported operating systems for clients and devices.
If you use the long-term servicing branch of Configuration Manager, see Supported configurations for
the long-term servicing branch.
The following table lists the versions of Windows 10 that you can use as a client with different versions of
Configuration Manager.
Windows 10 version                  ConfigMgr 2006   ConfigMgr 2010   ConfigMgr 2103   ConfigMgr 2107   ConfigMgr 2111
21H2 (10.0.19044)
Enterprise LTSC 2021 (10.0.19044)
21H1 (10.0.19043)
20H2 (10.0.19042) Note
2004 (10.0.19041)
1909 (10.0.18363)

All currently supported versions of Configuration Manager current branch support the following Windows 10
LTSB/LTSC editions:
Enterprise 2015 LTSB
Enterprise 2016 LTSB
Enterprise LTSC 2019
For more information on Windows lifecycle, see the Windows lifecycle fact sheet and Windows 10 release
information.

Key
= Supported
= Not supported

Support notes
Support for Windows 10 semi-annual channel versions includes the following editions: Enterprise, Pro,
Education, Pro Education, and Pro for Workstation.
OS deployment media shows the build number from the base version. For example, 10.0.19041. When
Windows is installed, it applies an enablement package, which updates the build number to what's in the
above table. You can use the revision ID to distinguish the media:

Media version      Windows version
10.0.19041.1288    Windows 10, version 21H2
10.0.19041.844     Windows 10, version 21H1
10.0.19041.508     Windows 10, version 20H2
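An added example, not from the Microsoft documentation, that applies the identification rules from this page: the build-based Windows 11 test from the Windows 11 support notes (both families report Microsoft Windows NT Workstation 10.0, so only build 10.0.22000 or later marks Windows 11), the rule that Windows Server builds follow the matching client build, and the media revision table directly above. The sample inventory records are constructed, and the WQL attribute names SMS_R_System.OperatingSystemNameandVersion and SMS_R_System.Build used in the collection query are this example's assumptions.

```powershell
# Added example, not from the Microsoft documentation. The lookup tables hold
# only the builds and media revisions listed on this page; extend as needed.

# OS build (third dotted field) -> release, from the Windows 11 and Windows 10
# support matrices. Build 19044 is shared by 21H2 and Enterprise LTSC 2021.
$BuildToRelease = @{
    '22000' = 'Windows 11, version 21H2'
    '19044' = 'Windows 10, version 21H2 / Enterprise LTSC 2021'
    '19043' = 'Windows 10, version 21H1'
    '19042' = 'Windows 10, version 20H2'
    '19041' = 'Windows 10, version 2004'
    '18363' = 'Windows 10, version 1909'
}

# OS deployment media for 20H2 through 21H2 carries the base build 19041; only
# the revision tells them apart (media version table above).
$MediaRevisionToRelease = @{
    '10.0.19041.1288' = 'Windows 10, version 21H2'
    '10.0.19041.844'  = 'Windows 10, version 21H1'
    '10.0.19041.508'  = 'Windows 10, version 20H2'
}

function Get-WindowsReleaseFromInventory {
    # Windows 10 and Windows 11 both report the Operating System property as
    # "Microsoft Windows NT Workstation 10.0", so the build decides the family:
    # 10.0.22000 or later is Windows 11. Server builds are supported like the
    # matching client build (for example Server 2016 and Windows 10 LTSB 2016).
    param(
        [Parameter(Mandatory)] [string] $OperatingSystem,
        [Parameter(Mandatory)] [string] $Build
    )
    $fields = $Build.Split('.')
    $buildNumber = 0
    $isNt10 = ($fields.Count -ge 3) -and ($fields[0] -eq '10') -and ($fields[1] -eq '0') -and
              [int]::TryParse($fields[2], [ref] $buildNumber)
    $result = [ordered]@{ Build = $Build; Family = 'Unknown'; Release = 'Unknown'; Workstation = $false }
    if ($isNt10) {
        $result.Workstation = ($OperatingSystem -like '*Workstation*')
        if ($OperatingSystem -like '*Server*') {
            $result.Family  = 'Windows Server'
            $result.Release = "Windows Server, build $buildNumber (supported like the matching client build)"
        }
        elseif ($buildNumber -ge 22000) {
            $result.Family  = 'Windows 11'
            $result.Release = 'Windows 11, build ' + $buildNumber + " (not in this page's matrix)"
        }
        else {
            $result.Family  = 'Windows 10'
            $result.Release = 'Windows 10, build ' + $buildNumber + " (not in this page's matrix)"
        }
        if ($result.Family -ne 'Windows Server' -and $BuildToRelease.ContainsKey($fields[2])) {
            $result.Release = $BuildToRelease[$fields[2]]
        }
    }
    [pscustomobject] $result
}

function Get-WindowsReleaseFromMedia {
    # Resolve install media by its four-part version, since the three-part
    # build (10.0.19041) is the same for 2004, 20H2, 21H1 and 21H2 media.
    param([Parameter(Mandatory)] [string] $MediaVersion)
    if ($MediaRevisionToRelease.ContainsKey($MediaVersion)) { return $MediaRevisionToRelease[$MediaVersion] }
    if ($MediaVersion -like '10.0.19041.*') { return 'Windows 10 base build 19041 (revision not in the table)' }
    return 'Unknown'
}

function New-Windows11CollectionQuery {
    # Assumed WQL for a query-based device collection that selects Windows 11
    # clients by build instead of the ambiguous OS name. The attribute names and
    # the prefix match on the 22000 builds are this example's assumptions.
    @"
select SMS_R_System.ResourceId, SMS_R_System.Name, SMS_R_System.Build
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%"
  and SMS_R_System.Build like "10.0.22%"
"@
}

# Constructed sample inventory (names and builds made up for this example).
# Build 14393 is the one Windows Server 2016 shares with Windows 10 LTSB 2016.
$sampleInventory = @(
    [pscustomobject]@{ Name = 'WS-001'; OperatingSystem = 'Microsoft Windows NT Workstation 10.0'; Build = '10.0.22000' }
    [pscustomobject]@{ Name = 'WS-002'; OperatingSystem = 'Microsoft Windows NT Workstation 10.0'; Build = '10.0.19044' }
    [pscustomobject]@{ Name = 'WS-003'; OperatingSystem = 'Microsoft Windows NT Workstation 10.0'; Build = '10.0.18363' }
    [pscustomobject]@{ Name = 'SRV-01'; OperatingSystem = 'Microsoft Windows NT Server 10.0';      Build = '10.0.14393' }
)

$sampleInventory | ForEach-Object {
    $r = Get-WindowsReleaseFromInventory -OperatingSystem $_.OperatingSystem -Build $_.Build
    [pscustomobject]@{ Name = $_.Name; Family = $r.Family; Release = $r.Release }
} | Format-Table -AutoSize

foreach ($media in '10.0.19041.1288', '10.0.19041.508', '10.0.19041.1') {
    '{0} -> {1}' -f $media, (Get-WindowsReleaseFromMedia -MediaVersion $media)
}

New-Windows11CollectionQuery
```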


Windows 10 on ARM64
Configuration Manager supports the client on Windows 10 ARM64 devices.
The All Windows 10 (ARM64) platform is available in the list of supported OS versions on objects with
requirement rules or applicability lists.

NOTE
If you previously selected the top-level Windows 10 platform, this action automatically selected both All Windows 10
(64-bit) and All Windows 10 (32-bit). If you want to add All Windows 10 (ARM64), manually select it in the list.

OS deployment isn't supported, except for a feature update task sequence. Starting in version 2103, you can
deploy a task sequence with a feature update to a Windows 10 on ARM64 device. For more information, see
Deploy a feature update with a task sequence.

Support for Windows Insider


You can update and service Windows Insider builds. This ability is provided as a convenience to our customers.
While this functionality should work, the support for it is best effort. Configuration Manager might not issue a
hotfix for this functionality if it ceases to function.
To provide feedback on Windows Insider, use the Feedback Hub.

Sysprep and Windows 10, version 20H2


If you manually customize a reference computer that runs Windows 10, version 20H2, and then use capture
media, Windows Sysprep fails with the following entry in the sysprep.log:
Failed to clean the package repository database: 0x80070005. This issue happens when you sign in to the
device and create a user profile.
To work around this issue, choose one of the following options:
Use the default image file (install.wim) from the installation media. Use the task sequence to apply
configurations at run time.
Create a task sequence to capture an OS
Remove appx packages for the signed-in user before you use capture media. For more information, see
Sysprep fails after you remove or update Microsoft Store apps that include built-in Windows images.
Manually run Sysprep, and then boot to the capture media to capture the image.

Next steps
Support for the Windows ADK
Support for Windows 11
Support for the Windows ADK in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


When you deploy operating systems with Configuration Manager, the Windows Assessment and Deployment
Kit (ADK) is a required external dependency. For more information, see the following articles:
Infrastructure requirements for OS deployment
Download the Windows ADK

IMPORTANT
Windows PE is a separate installer. Make sure to download both the Windows ADK and the Windows PE add-on for the ADK.

Windows ADK versions


The following table lists the versions of the Windows ADK that you can use with different versions of
Configuration Manager.

Windows ADK version                     ConfigMgr 2006   ConfigMgr 2010   ConfigMgr 2103   ConfigMgr 2107   ConfigMgr 2111
Windows 11 (10.1.22000)
Windows Server 2022 (10.1.20348)
Windows 10, version 2004 (10.1.19041)
Windows 10, version 1903 (10.1.18362)
Key
= Supported
= Backward compatible: this combination isn't tested but should work. We'll document any known issues or caveats.
= Not supported

NOTE
This table only shows Windows ADK supportability in relation to the version of Configuration Manager. Microsoft
recommends using the Windows ADK that matches the version of Windows you're deploying. Use the latest Windows ADK
version when deploying the latest Windows version. The latest Windows ADK version may support deployment of older OS
versions, such as Windows 8.1. For more information on Windows ADK component supportability, see DISM supported
platforms, USMT requirements, and Choose the right ADK for your scenario.

Support notes
Configuration Manager only supports x86 and amd64 components of the Windows ADK. It doesn't
currently support ARM or ARM64 components.
Windows Server builds have the same Windows ADK requirement as the associated Windows client
version. For example, Windows Server 2016 is the same build version as Windows 10 LTSB 2016.
If you're deploying both Windows 11 and Windows Server 2022, use the Windows ADK for Windows 11,
which is the latest version. If you're deploying Windows Server 2022 and not Windows 11, you can use
either Windows ADK for Windows Server 2022 or Windows 11.
The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11 and Windows Server
2022 aren't supported. The last supported version of 32-bit WinPE is available in the WinPE add-on for
Windows 10, version 2004. For more information, see Download and install the Windows ADK.
Configuration Manager supports the use of older versions of Windows PE as boot images, but you can't
customize them in the Configuration Manager console. For more information, see Customize boot
images with Configuration Manager.
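The support notes above boil down to three things an administrator wants to confirm on a site server before creating boot images: the ADK and its WinPE add-on are both installed, their versions match, and the WinPE architectures present are the ones Configuration Manager can use (x86 and amd64, with x86 absent from the Windows 11 and Server 2022 add-ons). The following PowerShell script is an added example and not part of the Configuration Manager documentation; the Uninstall display-name patterns, the Installed Roots registry key and the winpe.wim path layout are assumptions based on how the ADK installer registers itself, so adjust them if your installation differs.

```powershell
# Added example (not from the Configuration Manager docs): verify that the Windows ADK and
# its WinPE add-on are both installed, that their versions match, and which WinPE
# architectures are present. Registry paths and display-name patterns are assumptions.

function Get-AdkInstallInfo {
    # The ADK registers under the 32-bit Uninstall hive, even on x64 hosts (assumption).
    $uninstall = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Windows Assessment and Deployment Kit*' }

    $adk   = $entries | Where-Object { $_.DisplayName -notlike '*Preinstallation Environment*' } | Select-Object -First 1
    $winpe = $entries | Where-Object { $_.DisplayName -like    '*Preinstallation Environment*' } | Select-Object -First 1

    # KitsRoot10 points at the kit root, e.g. C:\Program Files (x86)\Windows Kits\10\ (assumption).
    $roots  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Kits\Installed Roots' -ErrorAction SilentlyContinue
    $archs  = @()
    if ($roots -and $roots.KitsRoot10) {
        $peRoot = Join-Path $roots.KitsRoot10 'Assessment and Deployment Kit\Windows Preinstallation Environment'
        # ConfigMgr uses only x86 and amd64 boot images; arm64 is listed for information.
        $archs = @('x86', 'amd64', 'arm64') | Where-Object { Test-Path (Join-Path $peRoot "$_\en-us\winpe.wim") }
    }

    [pscustomobject]@{
        AdkVersion    = $adk.DisplayVersion
        WinPeVersion  = $winpe.DisplayVersion
        VersionsMatch = ($adk.DisplayVersion -eq $winpe.DisplayVersion)
        WinPeArchs    = $archs
    }
}

$info = Get-AdkInstallInfo
if (-not $info.AdkVersion)   { Write-Warning 'Windows ADK is not installed.' }
if (-not $info.WinPeVersion) { Write-Warning 'WinPE add-on is not installed; the ADK alone cannot build boot images.' }
if ($info.AdkVersion -and $info.WinPeVersion -and -not $info.VersionsMatch) {
    Write-Warning "ADK $($info.AdkVersion) and WinPE add-on $($info.WinPeVersion) differ; install matching versions."
}
# The Windows 11 and Server 2022 add-ons ship no supported 32-bit WinPE, so x86 is expected to be absent there.
if ($info.WinPeArchs -notcontains 'x86') {
    Write-Host 'No x86 WinPE found (expected with the Windows 11 or Windows Server 2022 add-on).'
}
$info
```

Run it once per site server that has the ADK installed; a mismatch between the two versions is the usual cause of boot-image customization failing after an ADK upgrade in which only one of the two installers was updated.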

Known issues
Pre-provisioning BitLocker during task sequence doesn't own TPM
Applies to: Windows ADK for Windows 11
When you use a Windows 11-based boot image with an OS deployment task sequence that includes the Pre-
provision BitLocker step, the step might fail. You'll see errors similar to the following strings in the smsts.log:

'TakeOwnership' failed (2147942402)


pTpm->TakeOwnership(sOwnerAuth), HRESULT=80070002
Failed to take ownership of TPM. Ensure that Active Directory permissions are properly configured
The system cannot find the file specified. (Error: 80070002; Source: Windows)
Process completed with exit code 2147942402
Failed to run the action: Pre-provision BitLocker. Error -2147024894

To work around this issue, add a Run Command Line step to the task sequence before the Pre-provision
BitLocker step. Run the following command:
reg.exe add HKLM\SOFTWARE\Policies\Microsoft\TPM /v OSManagedAuthLevel /t REG_DWORD /d 2 /f

For more information on this registry key, see Change the TPM owner password.

Next steps
Support for Windows 11
Support for Windows 10
Supported OS versions for clients
Supported OS versions for Configuration Manager consoles
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports the installation of the console on the following Windows OS versions:
Windows Server 2022: Standard, Datacenter (starting in version 2107)
Windows Server 2019: Standard, Datacenter
Windows Server 2016: Standard, Datacenter
Windows Server 2012 R2 (x64): Standard, Datacenter
Windows Server 2012 (x64): Standard, Datacenter
Windows 11 (x64): Pro, Enterprise
Windows 10 (x86, x64): Pro, Enterprise
Windows 8.1 (x86, x64): Professional, Enterprise
For more information about the Configuration Manager console, see the following articles:
Install consoles
Using the console
Supported SQL Server versions for Configuration Manager
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


Each Configuration Manager site requires a supported SQL Server version and configuration to host the site
database.

SQL Server instances and locations


Central administration site and primary sites
The site database must use a full installation of SQL Server.
SQL Server can be located on:
The site server computer.
A computer that is remote from the site server.
The following instances are supported:
The default or named instance of SQL Server.
Multiple instance configurations.
A SQL Server Always On failover cluster instance. For more information, see Use a SQL Server Always On
failover cluster instance for the site database.
A SQL Server Always On availability group. For more information, see Prepare to use a SQL Server
Always On availability group.
Secondary sites
The site database can use the default instance of a full installation of SQL Server or SQL Server Express.
SQL Server must be located on the site server computer.
Limitations to support
The following configurations aren't supported:
A failover cluster instance in a Network Load Balancing (NLB) cluster configuration
A failover cluster instance on a Cluster Shared Volume (CSV)
SQL Server database mirroring technology, and peer-to-peer replication
SQL Server transactional replication is supported only for replicating objects to management points that are
configured to use database replicas.

Supported versions of SQL Server


In a hierarchy with multiple sites, different sites can use different versions of SQL Server to host the site
database, as long as all of the following are true:
Configuration Manager supports the versions of SQL Server that you use.
The SQL Server versions you use remain in support by Microsoft.
SQL Server supports replication between the two versions of SQL Server. For more information, see SQL
Server replication backward compatibility.
For SQL Server 2016 and prior, support for each SQL Server version and service pack follows the Microsoft
Lifecycle Policy. Support for a specific SQL Server service pack includes cumulative updates unless they break
backward compatibility to the base service pack version. Starting with SQL Server 2017, service packs won't be
released since it follows a modern servicing model. The SQL Server team recommends ongoing, proactive
installation of cumulative updates as they become available.
Unless specified otherwise, the following versions of SQL Server are supported with all active versions of
Configuration Manager. If support for a new SQL Server version is added, the Configuration Manager version
that adds that support is noted. Similarly, if support is deprecated, look for details about affected versions of
Configuration Manager.

IMPORTANT
When you use SQL Server Standard for the database at the central administration site, you limit the total number of
clients that a hierarchy can support. See Size and scale numbers.

SQL Server 2019: Standard, Enterprise


You can use this version with cumulative update 5 (CU5) or later, as long as your cumulative update version is
supported by the SQL Server lifecycle. CU5 is the minimum requirement for SQL Server 2019 as it resolves an
issue with scalar UDF inlining.
You can use this version of SQL Server for the following sites:
A central administration site
A primary site
A secondary site
SQL Server 2017: Standard, Enterprise
You can use this version with cumulative update version 2 or higher, as long as your cumulative update version
is supported by the SQL Server lifecycle. You can use this version of SQL Server for the following sites:
A central administration site
A primary site
A secondary site
SQL Server 2016: Standard, Enterprise
You can use this version with the minimum service pack and cumulative update supported by the SQL Server
lifecycle. You can use this version of SQL Server for the following sites:
A central administration site
A primary site
A secondary site
SQL Server 2014: Standard, Enterprise
You can use this version with the minimum service pack and cumulative update supported by the SQL Server
lifecycle. You can use this version of SQL Server for the following sites:
A central administration site
A primary site
A secondary site
SQL Server 2012: Standard, Enterprise
You can use this version with the minimum service pack and cumulative update supported by the SQL Server
lifecycle. You can use this version of SQL Server for the following sites:
A central administration site
A primary site
A secondary site

IMPORTANT
Starting in version 2107, support for SQL Server 2012 is deprecated. Its support lifecycle ends in July 2022. Plan to
upgrade all database servers before that time. For more information, see SQL Server.

SQL Server 2017 Express


You can use this version with cumulative update version 2 or higher, as long as your cumulative update version
is supported by the SQL Server lifecycle. You can use this version of SQL Server for the following sites:
A secondary site
SQL Server 2016 Express
You can use this version with the minimum service pack and cumulative update supported by the SQL Server
lifecycle. You can use this version of SQL Server for the following sites:
A secondary site
SQL Server 2014 Express
You can use this version with the minimum service pack and cumulative update supported by the SQL Server
lifecycle. You can use this version of SQL Server for the following sites:
A secondary site
SQL Server 2012 Express
You can use this version with the minimum service pack and cumulative update supported by the SQL Server
lifecycle. You can use this version of SQL Server for the following sites:
A secondary site

IMPORTANT
Starting in version 2107, support for SQL Server 2012 is deprecated. Its support lifecycle ends in July 2022. Plan to
upgrade all database servers before that time. For more information, see SQL Server.

Required configurations for SQL Server


The following configurations are required by all installations of SQL Server that you use for a site database,
including SQL Server Express. When Configuration Manager installs SQL Server Express as part of a secondary
site installation, it automatically creates these configurations.
SQL Server architecture version
Configuration Manager requires a 64-bit version of SQL Server to host the site database.
Database collation
At each site, both the instance of SQL Server that's used for the site and the site database must use the following
collation: SQL_Latin1_General_CP1_CI_AS.
Configuration Manager supports two exceptions to this collation for the China GB18030 standard. For more
information, see International support.
Database compatibility level
Configuration Manager requires that the compatibility level for the site database is no less than the lowest
supported SQL Server version for your Configuration Manager version.
When you upgrade a site database from an earlier version of SQL Server, the database keeps its existing
cardinality estimation level, if it's at the minimum allowed for that instance of SQL Server. When you upgrade
SQL Server with a database at a compatibility level lower than the allowed level, it automatically sets the
database to the lowest compatibility level allowed by SQL Server.
The following table identifies the recommended compatibility levels for Configuration Manager site databases:

SQL Server version | Supported compatibility levels | Recommended level
SQL Server 2019    | 150, 140, 130, 120, 110        | 150
SQL Server 2017    | 140, 130, 120, 110             | 140
SQL Server 2016    | 130, 120, 110                  | 130
SQL Server 2014    | 120, 110                       | 110

To identify the compatibility level (and with it the cardinality estimation model) in use for your site database, run the
following SQL query on the site database server:

SELECT name, compatibility_level FROM sys.databases

For more information on cardinality estimation (CE), compatibility levels and how to set them, see ALTER
DATABASE Compatibility Level (Transact-SQL).
SQL Server features
Only the Database Engine Services feature is required for each site server.
Configuration Manager database replication doesn't require the SQL Server replication feature. However, this
SQL Server configuration is required when you use database replicas for management points.
Windows authentication
Configuration Manager requires Windows authentication to validate connections to the database.
SQL Server instance
Use a dedicated instance of SQL Server for each site. The instance can be a named instance or the default
instance.
SQL Server memory
Reserve memory for SQL Server by using SQL Server Management Studio. Set the Minimum server
memory setting under Server Memory Options. For more information about how to configure this setting,
see SQL Server memory server configuration options.
For a database server that you install on the same computer as the site server: Limit the
memory for SQL Server to 50 to 80 percent of the available addressable system memory.
For a dedicated database server that's remote from the site server: Limit the memory for SQL
Server to 80 to 90 percent of the available addressable system memory.
For a memory reserve for the buffer pool of each SQL Server instance in use:
For a central administration site: Set a minimum of 8 GB.
For a primary site: Set a minimum of 8 GB.
For a secondary site: Set a minimum of 4 GB.
SQL Server nested triggers
SQL Server nested triggers must be enabled. For more information, see Configure the nested triggers server
configuration option
SQL Server CLR integration
The site database requires SQL Server common language runtime (CLR) to be enabled. This option is enabled
automatically when Configuration Manager installs. For more information about CLR, see Introduction to SQL
Server CLR Integration.
SQL Server Service Broker (SSB)
The SQL Server Service Broker is required both for intersite replication and for a single primary site.
TRUSTWORTHY setting
Configuration Manager automatically enables the SQL TRUSTWORTHY database property. This property is
required by Configuration Manager to be ON.
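The required configurations above are all visible from catalog views, so they can be checked in one pass before setup runs or after a SQL Server upgrade. The following PowerShell script is an added example, not code from the Configuration Manager product or documentation. It connects with Windows authentication through System.Data.SqlClient (no SqlServer module needed), reads the server edition, collations, compatibility level, TRUSTWORTHY, Service Broker, CLR, nested triggers and minimum server memory, and prints PASS/FAIL per item. The instance and database names are placeholders; the 8 GB memory threshold is the central administration and primary site figure, so lower it to 4 GB for a secondary site, and remember that the two China GB18030 collation exceptions mentioned above would show as FAIL here.

```powershell
# Added example (not Configuration Manager code): report the site database settings that the
# "Required configurations for SQL Server" section lists.
# Assumptions: run as a Windows account that can read the site database; names are placeholders.
param(
    [string]$ServerInstance = 'CMSQL01\CMINST',   # placeholder instance
    [string]$SiteDatabase   = 'CM_PS1',           # placeholder; CM_<site code>
    [int]$MinMemoryMB       = 8192                # 8 GB for CAS/primary, 4096 for a secondary site
)

function Invoke-CmSql {
    param([string]$Instance, [string]$Database, [string]$Query)
    # Integrated Security = Windows authentication, the only mode Configuration Manager uses.
    $conn  = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=$Database;Integrated Security=SSPI;Application Name=CmPreflight")
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table) | Out-Null
    } finally { $conn.Close() }
    return $table
}

$query = @"
SELECT
    CAST(SERVERPROPERTY('Edition')        AS nvarchar(128)) AS Edition,
    CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))  AS ProductVersion,
    CAST(SERVERPROPERTY('Collation')      AS nvarchar(128)) AS ServerCollation,
    d.collation_name      AS DbCollation,
    d.compatibility_level AS CompatLevel,
    d.is_trustworthy_on   AS TrustworthyOn,
    d.is_broker_enabled   AS BrokerEnabled,
    (SELECT value_in_use FROM sys.configurations WHERE name = 'clr enabled')            AS ClrEnabled,
    (SELECT value_in_use FROM sys.configurations WHERE name = 'nested triggers')        AS NestedTriggers,
    (SELECT value_in_use FROM sys.configurations WHERE name = 'min server memory (MB)') AS MinServerMemoryMB
FROM sys.databases AS d
WHERE d.name = N'$SiteDatabase';
"@

$rows = Invoke-CmSql -Instance $ServerInstance -Database 'master' -Query $query
if ($rows.Rows.Count -eq 0) { throw "Database $SiteDatabase not found on $ServerInstance" }
$r = $rows.Rows[0]

# One entry per requirement from the section above: name, pass/fail, observed value.
$checks = @(
    @{ Name = '64-bit edition';             Pass = ($r.Edition -like '*64-bit*');                            Got = $r.Edition }
    @{ Name = 'Server collation';           Pass = ($r.ServerCollation -eq 'SQL_Latin1_General_CP1_CI_AS');  Got = $r.ServerCollation }
    @{ Name = 'Database collation';         Pass = ($r.DbCollation -eq 'SQL_Latin1_General_CP1_CI_AS');      Got = $r.DbCollation }
    @{ Name = 'Compatibility level >= 110'; Pass = ([int]$r.CompatLevel -ge 110);                            Got = $r.CompatLevel }
    @{ Name = 'TRUSTWORTHY ON';             Pass = ([bool]$r.TrustworthyOn);                                 Got = $r.TrustworthyOn }
    @{ Name = 'Service Broker enabled';     Pass = ([bool]$r.BrokerEnabled);                                 Got = $r.BrokerEnabled }
    @{ Name = 'CLR integration enabled';    Pass = ([int]$r.ClrEnabled -eq 1);                               Got = $r.ClrEnabled }
    @{ Name = 'Nested triggers enabled';    Pass = ([int]$r.NestedTriggers -eq 1);                           Got = $r.NestedTriggers }
    @{ Name = "Min server memory >= $MinMemoryMB MB"; Pass = ([int]$r.MinServerMemoryMB -ge $MinMemoryMB);   Got = $r.MinServerMemoryMB }
)
"SQL Server $($r.ProductVersion) on $ServerInstance, database $SiteDatabase"
foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1,-32} {2}' -f $status, $c.Name, $c.Got
}
```

A FAIL on TRUSTWORTHY or CLR after a database restore is common, because those properties are reset when a database is attached by a different owner; Configuration Manager setup re-enables them, but a quick check like this tells you why a site-maintenance task or SMS Provider call started failing after the move.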

Optional configurations for SQL Server


The following configurations are optional for each database that uses a full SQL Server installation.
SQL Server service
You can configure the SQL Server service to run using:
A low rights domain user account:
This configuration is a best practice and might require you to manually register the service principal
name (SPN) for the account.
The local system account of the computer that runs SQL Server:
Use the local system account to simplify the configuration process.
When you use the local system account, Configuration Manager automatically registers the SPN for
the SQL Server service.
Using the local system account for the SQL Server service isn't a SQL Server best practice.
When the computer running SQL Server doesn't use its local system account to run the SQL Server service,
configure the SPN of the account that runs the SQL Server service in Active Directory Domain Services. (When
the system account is used, the SPN is automatically registered for you.)
For information about SPNs for the site database, see Manage the SPN for the site database server.
For information about how to change the account that is used by the SQL Server service, see SCM Services -
Change the service startup account.
SQL Server Reporting Services
SQL Server Reporting Services is required for installing a reporting services point that lets you run reports.
Configuration Manager supports the same versions of SQL Server for reporting as it does for the site database.
For more information, see Prerequisites for reporting in Configuration Manager.
IMPORTANT
After you upgrade SQL Server from a previous version, you might see the following error: Report Builder Does Not Exist.
To resolve this error, you must reinstall the reporting services point site system role.

Data warehouse service point


The data warehouse uses a separate database. You can host it on the site database server, or a separate SQL
Server. For more information, see The data warehouse service point for Configuration Manager.
SQL Server ports
For communication to the SQL Server database engine and for intersite replication, you can use the default SQL
Server port configurations or specify custom ports:
Intersite communications use the SQL Server Service Broker, which uses port TCP 4022 by default.
Intrasite communications between the SQL Server database engine and various Configuration
Manager site system roles use port TCP 1433 by default. The following site system roles communicate
directly with the SQL Server database:
Management point
SMS Provider computer
Reporting services point
Site server
When a computer running SQL Server hosts a database from more than one site, each database must use a
separate instance of SQL Server. Also, each instance must be configured to use a unique set of ports.

WARNING
Configuration Manager doesn't support dynamic ports. Because SQL Server named instances by default use dynamic
ports for connections to the database engine, when you use a named instance, you must manually configure the static
port that you want to use for intrasite communication.

If you have a firewall enabled on the computer that is running SQL Server, make sure that it's configured to
allow the ports that are being used by your deployment and at any locations on the network between
computers that communicate with the SQL Server.
For an example of how to configure SQL Server to use a specific port, see Configure a server to listen on a
specific TCP port.
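Because a named instance defaults to a dynamic port, the usual preparation for a remote site database is to pin the engine to a static port and open that port plus the Service Broker port in the host firewall. The PowerShell script below is an added example and not Configuration Manager code. It reads the instance's TCP settings from the registry (the Instance Names\SQL mapping and the SuperSocketNetLib\Tcp\IPAll key are where SQL Server Configuration Manager stores them), clears the dynamic port, sets the static one, adds domain-profile firewall rules, and restarts the service so the change takes effect. The instance name and ports are placeholders; run it elevated on the SQL Server computer.

```powershell
# Added example (not Configuration Manager code): give a named SQL Server instance a static
# TCP port and open the engine and Service Broker ports in Windows Firewall.
# Assumptions: run elevated on the SQL Server host; instance name and ports are placeholders.
param(
    [string]$InstanceName = 'CMINST',   # placeholder named instance ('MSSQLSERVER' for the default instance)
    [int]$EnginePort      = 1433,       # intrasite: site roles -> database engine
    [int]$BrokerPort      = 4022        # intersite replication: SQL Server Service Broker
)

function Set-SqlStaticPort {
    param([string]$Instance, [int]$Port)
    # Instance Names\SQL maps the instance name to its registry folder, e.g. MSSQL15.CMINST.
    $map    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $folder = $map.$Instance
    if (-not $folder) { throw "Instance '$Instance' not found in the registry" }
    $ipAll  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$folder\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    $before = Get-ItemProperty $ipAll

    # A named instance defaults to TcpDynamicPorts = '0' and TcpPort = '' (dynamic), which
    # Configuration Manager doesn't support. Clear the dynamic value and set the static one.
    Set-ItemProperty -Path $ipAll -Name TcpDynamicPorts -Value ''
    Set-ItemProperty -Path $ipAll -Name TcpPort         -Value "$Port"

    [pscustomobject]@{
        Instance        = $Instance
        OldDynamicPorts = $before.TcpDynamicPorts
        OldStaticPort   = $before.TcpPort
        NewStaticPort   = $Port
        ServiceName     = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
    }
}

function Add-SqlFirewallRule {
    param([string]$Name, [int]$Port)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        # Domain profile only: site systems must be domain members, so no need to open it wider.
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow -Profile Domain | Out-Null
    }
}

$result = Set-SqlStaticPort -Instance $InstanceName -Port $EnginePort
Add-SqlFirewallRule -Name "ConfigMgr SQL engine TCP $EnginePort"         -Port $EnginePort
Add-SqlFirewallRule -Name "ConfigMgr SQL Service Broker TCP $BrokerPort" -Port $BrokerPort

# The port change is read at service start, so restart the engine (dependent services restart too).
Restart-Service -Name $result.ServiceName -Force
$result
```

After the restart, confirm the listener with `Get-NetTCPConnection -LocalPort $EnginePort -State Listen`; if the instance hosts databases for more than one site, repeat the procedure per instance with a distinct port for each, as the section above requires.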

Upgrade options for SQL Server


If you need to upgrade your version of SQL Server, use one of the following methods, from easy to more
complex:
Upgrade SQL Server in-place (recommended)
Install a new version of SQL Server on a new computer, and then use the database move option of
Configuration Manager setup to point your site server to the new SQL Server
Use backup and recovery. Using backup and recovery for a SQL Server upgrade scenario is supported.
You can ignore the SQL Server versioning requirement when reviewing Considerations before recovering
a site.
Support for Active Directory domains in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


All Configuration Manager site systems must be members of a supported Active Directory domain.
Configuration Manager client computers can be domain members or workgroup members.

Requirements and limitations


Domain membership also applies to site systems that support internet-based client management in a
perimeter network. (Such a network is also known as a DMZ, demilitarized zone, or screened subnet.)
It's not supported to change the following configurations for a computer that hosts a site system role:
Domain membership, including if you remove a site system from the domain, and then rejoin the
same domain.
Domain name
Computer name
Before making these changes, uninstall the site system role. To make these changes to a site server,
uninstall the site first. You can also consider creating a site server in passive mode to help manage this
change on a site server.
Configuration Manager supports domain and forest functional level of Windows Server 2008 R2 or later.

Disjoint namespace
You can install Configuration Manager site systems and clients in a domain that has a disjoint namespace.
In a disjoint namespace, the primary DNS suffix of a computer doesn't match the Active Directory DNS domain
name of that computer. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain
controller doesn't match the Active Directory DNS domain name.
Disjoint scenarios
The following sections identify the supported scenarios for a disjoint namespace.
Scenario 1
The primary DNS suffix of the domain controller differs from the Active Directory DNS domain name.
Computers that are members of the domain can be either disjoint or not disjoint.
The domain controller is disjoint in this scenario. Computers that are members of the domain, such as site
servers and computers, can have a primary DNS suffix that either matches:
The primary DNS suffix of the domain controller
The Active Directory DNS domain name
Scenario 2
A member computer in an Active Directory domain is disjoint, even though the domain controller isn't disjoint.
In this scenario, the primary DNS suffix of a site system differs from the Active Directory DNS domain name.
The primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name.
Member computers that are Configuration Manager clients can have a primary DNS suffix that either matches:
The primary DNS suffix of the disjoint site system server
The Active Directory DNS domain name
Configure disjoint namespace
To allow a computer to access domain controllers that are disjoint, change the msDS-AllowedDNSSuffixes
Active Directory attribute on the domain object container. Add both DNS suffixes to the attribute.
To make sure that the DNS suffix search list contains all the DNS namespaces in the organization, configure the
search list for each computer in the disjoint domain. Include the following suffixes in the list of namespaces:
The primary DNS suffix of the domain controller
The DNS domain name
Any additional namespaces for other servers that Configuration Manager might communicate with
You can use group policy to configure the Domain Name System (DNS) suffix search list.

IMPORTANT
When you reference a computer in Configuration Manager, enter the computer by using its primary DNS suffix. This suffix
should match the fully qualified domain name that's registered as the dnsHostName attribute in the Active Directory
domain and the service principal name that's associated with the system.
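The disjoint-namespace configuration above has three moving parts that are easy to get out of step: the computer's primary DNS suffix versus its Active Directory domain name, the msDS-AllowedDNSSuffixes attribute on the domain object, and the DNS suffix search list on each member. The following PowerShell script is an added example (not from the Configuration Manager documentation) that detects whether the local site system is disjoint, reports which required suffixes are missing from msDS-AllowedDNSSuffixes, extends the suffix search list, and checks that the FQDN you would type into the console matches the computer's dnsHostName. It assumes the ActiveDirectory RSAT module is installed and that the account has read access to the domain object; the Set-ADObject line that would add the missing suffixes is left as a comment because it needs Domain Admins rights.

```powershell
# Added example (not Configuration Manager code): check a site system for a disjoint namespace
# and verify the DNS settings the section above calls for. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DisjointStatus {
    # Primary DNS suffix ('NV Domain') versus the AD DNS domain name the computer is joined to.
    $tcpip    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix   = $tcpip.'NV Domain'
    $adDomain = (Get-CimInstance Win32_ComputerSystem).Domain
    [pscustomobject]@{
        PrimaryDnsSuffix = $suffix
        AdDnsDomainName  = $adDomain
        IsDisjoint       = ($suffix -ne $adDomain)
        Fqdn             = "$env:COMPUTERNAME.$suffix"
    }
}

function Test-AllowedDnsSuffix {
    param([string[]]$RequiredSuffixes)
    # msDS-AllowedDNSSuffixes is set on the domain object itself (the domain naming context head).
    $domainDn = (Get-ADDomain).DistinguishedName
    $obj      = Get-ADObject -Identity $domainDn -Properties 'msDS-AllowedDNSSuffixes'
    $allowed  = @($obj.'msDS-AllowedDNSSuffixes')
    $missing  = @($RequiredSuffixes | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{ Allowed = $allowed; Missing = $missing }
}

$status = Get-DisjointStatus
$status

if ($status.IsDisjoint) {
    $needed = @($status.PrimaryDnsSuffix, $status.AdDnsDomainName)

    $check = Test-AllowedDnsSuffix -RequiredSuffixes $needed
    if ($check.Missing.Count -gt 0) {
        Write-Warning "msDS-AllowedDNSSuffixes lacks: $($check.Missing -join ', ')"
        # Fix (Domain Admins):
        # Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Add @{ 'msDS-AllowedDNSSuffixes' = $check.Missing }
    }

    # The suffix search list must cover both namespaces (and any others ConfigMgr talks to).
    $current = @((Get-DnsClientGlobalSetting).SuffixSearchList)
    $toAdd   = @($needed | Where-Object { $current -notcontains $_ })
    if ($toAdd.Count -gt 0) {
        Set-DnsClientGlobalSetting -SuffixSearchList ($current + $toAdd)
    }

    # The name entered in the console must match dnsHostName and the host SPN of the computer object.
    $comp = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Properties DNSHostName, ServicePrincipalNames
    if ($comp.DNSHostName -ne $status.Fqdn) {
        Write-Warning "dnsHostName is $($comp.DNSHostName) but the primary suffix gives $($status.Fqdn)"
    }
    if (-not ($comp.ServicePrincipalNames -contains "HOST/$($status.Fqdn)")) {
        Write-Warning "No HOST/$($status.Fqdn) SPN registered; Kerberos to this name will fall back or fail"
    }
}
```

In production the suffix search list is normally pushed through group policy, as the section says; the Set-DnsClientGlobalSetting call here is the per-computer equivalent, useful for a lab or for confirming the policy result on a single server.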

Single label domains


Configuration Manager supports site systems and clients in a single label domain when the following criteria
are met:
Configure the single label domain in Active Directory Domain Services with a disjoint DNS namespace
that has a valid top-level domain.
For example: The single label domain of Contoso is configured to have a disjoint namespace in DNS of
contoso.com. When you specify the DNS suffix in Configuration Manager for a computer in the Contoso
domain, you specify "Contoso.com" and not "Contoso".
The distributed component object model (DCOM) connections between site servers in the system context
must be successful by using Kerberos authentication.
Support for Windows features and networks in Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


This article identifies Configuration Manager support for common Windows and networking features.

BranchCache
Use Windows BranchCache with Configuration Manager when you enable it on distribution points, and
configure clients to use it in distributed cache mode.
Configure the BranchCache settings on a deployment type for applications, on the deployment for a package,
and for task sequences. BranchCache is enabled by default.
When the requirements for BranchCache are met, this feature enables clients in remote locations to obtain
content from local clients that have a current cache of the content.
For example, when the first BranchCache-enabled client requests content from a distribution point that's
configured as a BranchCache server, the client downloads and caches the content. This content is then made
available for clients on the same subnet that requested this content.
These clients also cache the content. Other clients on the same subnet don't have to download content from the
distribution point. The content is distributed across multiple clients for future transfers.
Requirements to support BranchCache with Configuration Manager
Configure distribution points
Add the Windows BranchCache feature to the site system server that's configured as a distribution point.
Distribution points on servers that are configured to support BranchCache require no additional
configuration.
You can't add Windows BranchCache to a content-enabled cloud management gateway. CMGs do
support the download of content by clients that are configured for Windows BranchCache.
Configure clients
The clients that can support BranchCache must be configured for BranchCache distributed cache mode.
The OS setting for BITS client settings must be enabled to support BranchCache.
For information, see configure clients for BranchCache in the Windows documentation.
All Configuration Manager supported versions of Windows support BranchCache by default.
For more information, see BranchCache for Windows in the Windows Server documentation.
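The two Windows-side requirements above (the BranchCache feature on the distribution point, distributed cache mode on clients) can be applied and verified with the built-in BranchCache and ServerManager cmdlets. The PowerShell below is an added example, not Configuration Manager code; the -Role parameter is a placeholder switch for where the script runs, and the Configuration Manager client settings (BITS and BranchCache enabled) still have to be set in the console as the section describes.

```powershell
# Added example (not Configuration Manager code): enable the BranchCache feature on a
# distribution point, or put a client into distributed cache mode, and report the result.
# -Role is a placeholder switch chosen for this example.
param([ValidateSet('DistributionPoint', 'Client')][string]$Role = 'Client')

function Enable-CmBranchCache {
    param([string]$Role)
    if ($Role -eq 'DistributionPoint') {
        # Windows Server: add the BranchCache feature. The DP needs no further ConfigMgr-side setup.
        $f = Install-WindowsFeature -Name BranchCache
        return [pscustomobject]@{
            Role          = $Role
            Installed     = $f.Success
            RestartNeeded = $f.RestartNeeded
        }
    }
    # Client: distributed cache mode. -Force skips the confirmation prompt; the cmdlet also
    # creates the firewall rules for content retrieval and peer discovery.
    Enable-BCDistributed -Force
    $cfg = Get-BCClientConfiguration
    [pscustomobject]@{
        Role          = $Role
        ClientMode    = $cfg.CurrentClientMode          # expected: DistributedCache
        ServiceStatus = (Get-Service -Name PeerDistSvc).Status
    }
}

Enable-CmBranchCache -Role $Role
```

Get-BCStatus gives the fuller picture on a client (cache sizes, service state, whether the feature is enabled at all); the client configuration check above is the minimum that tells you the peer will actually serve content to other clients on its subnet.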

Computers in workgroups
Configuration Manager provides support for clients in workgroups.
Configuration Manager supports moving a client from a workgroup to a domain or from a domain to a
workgroup. For more information, see How to install Configuration Manager clients on workgroup
computers.
NOTE
Although clients in workgroups are supported, all site systems must be members of a supported Active Directory domain.

Data deduplication
Configuration Manager supports the use of data deduplication with distribution points on Windows Server
2012 or later.

IMPORTANT
The volume that hosts package source files can't be marked for data deduplication. This limitation is because data
deduplication uses reparse points. Configuration Manager doesn't support using a content source location with files
stored on reparse points.

For more information, see the following posts:
Configuration Manager distribution points and Windows Server 2012 data deduplication on the
Configuration Manager team blog
Data deduplication overview in the Windows Server documentation
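The IMPORTANT note above is the check that matters in practice: dedup must never be enabled on the volume that holds package source folders, and those folders must contain no reparse points. The following PowerShell script is an added example (not Configuration Manager code) that, given a list of content source paths, resolves each to its volume, checks whether that volume is dedup-enabled via the Deduplication module, and counts reparse points under the path. The source paths and the commented Enable-DedupVolume line are placeholders.

```powershell
# Added example (not Configuration Manager code): confirm that package source folders are not
# on a dedup-enabled volume and contain no reparse points. Paths are placeholders.
Import-Module Deduplication

function Test-CmContentSourceVolume {
    param([string[]]$SourcePaths)
    # Volumes where Data Deduplication is enabled, e.g. 'E:'.
    $dedupVolumes = @(Get-DedupVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } | ForEach-Object { $_.Volume })

    foreach ($p in $SourcePaths) {
        $full = (Resolve-Path -Path $p).ProviderPath
        $root = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')
        # Dedup replaces optimized file data with reparse points, which Configuration Manager
        # can't use as a content source. Any reparse point (dedup, symlink, junction) is flagged.
        $reparse = @(Get-ChildItem -Path $full -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue)
        $onDedup = ($dedupVolumes -contains $root)
        [pscustomobject]@{
            SourcePath    = $full
            Volume        = $root
            DedupEnabled  = $onDedup
            ReparsePoints = $reparse.Count
            Ok            = (-not $onDedup) -and ($reparse.Count -eq 0)
        }
    }
}

# Enable dedup only on a separate volume that holds the distribution point content library,
# never on the volume with the package sources. Placeholder:
# Enable-DedupVolume -Volume 'E:' -UsageType Default

Test-CmContentSourceVolume -SourcePaths 'D:\Sources\Apps', 'D:\Sources\Packages' | Format-Table -AutoSize
```

Any row with Ok = False should be fixed before the next content update: move the sources to a non-dedup volume, or exclude that folder from optimization and run `Start-DedupJob -Type Unoptimization` on the volume to rehydrate the files.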

DirectAccess
Configuration Manager supports the DirectAccess feature for communication between clients and site server
systems.
When all the requirements for DirectAccess are met, it enables Configuration Manager clients on the
internet to communicate with their assigned site as if they were on the intranet.
For server-initiated actions, such as remote control and client push installation, the initiating computer
must be running IPv6. This protocol must be supported on all intervening networking devices.
Configuration Manager doesn't support the following functionality over DirectAccess:
OS deployment
Communication between Configuration Manager sites
Communication between Configuration Manager site system servers within a site

Dual-boot computers
Configuration Manager can't manage more than one OS on a single computer. If there's more than one OS on a
computer to manage, adjust the site's discovery and client installation methods to ensure that the Configuration
Manager client is installed only on the OS that has to be managed.

IPv6
In addition to Internet Protocol version 4 (IPv4), Configuration Manager supports Internet Protocol version 6
(IPv6), with the following exceptions:
Function | Exception to IPv6 support
Cloud management gateway | IPv4 is required to support Microsoft Azure and the cloud management gateway.
Network Discovery | IPv4 is required when you configure a DHCP server to search in Network Discovery.
OS deployment | Capturing or setting static IP addresses during the task sequence requires IPv4.
Wake-up proxy communication | IPv4 is required to support the client wake-up proxy packets.

Network Address Translation


Network Address Translation (NAT) isn't supported in Configuration Manager, unless the site supports clients
that are on the internet and the client detects that it's connected to the internet. For more information about
internet-based client management, see Plan for managing internet-based clients.

Specialized storage technology


Configuration Manager works with any hardware that's certified on the Windows Hardware Compatibility List
for the version of the OS that the Configuration Manager component is installed on.
Site server roles require NTFS, so that Configuration Manager can set directory and file permissions.
Configuration Manager assumes that it has complete ownership of a logical drive. Site systems that run on
separate computers can't share a logical partition on any storage technology. However, each computer can use a
separate logical partition on the same physical partition of a shared storage device.
Support considerations
Storage Area Network : A Storage Area Network (SAN) is supported when a supported Windows-
based server is attached directly to the volume that's hosted by the SAN.
Single Instance Storage : Configuration Manager doesn't support configuration of distribution point
package and signature folders on a Single Instance Storage (SIS)-enabled volume.
Additionally, the cache of a Configuration Manager client isn't supported on a SIS-enabled volume.
Removable disk drive : Configuration Manager doesn't support the installation of Configuration
Manager site systems or clients on a removable disk drive.

Next steps
Support for virtualization environments with Configuration Manager
Support for virtualization environments with Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports installing the client and site system roles on supported operating systems that
run as a virtual machine (VM) in certain virtualization environments. This support exists even when the virtual
host (virtualization environment) isn't supported as a client or site server.
For example, you use Microsoft Hyper-V Server 2016 to host a VM that runs Windows Server 2019. You can
install the client or site system roles on the VM running Windows Server 2019. You can't install the client on the
host running Microsoft Hyper-V Server 2016.

Virtualization environments
Windows Server 2022 (starting in version 2107)
Windows Server 2019
Windows Server 2016 (Note 1)
Microsoft Hyper-V Server 2016 (Note 1)
Windows Server 2012 R2
Microsoft Hyper-V Server 2012
Windows Server 2012

NOTE 1
Configuration Manager doesn't support nested virtualization, which is new with Windows Server 2016.

Virtualization environment support


Each virtual computer needs the same or greater hardware and software requirements that you would use for a
physical Configuration Manager computer.
To validate that Configuration Manager supports your virtualization environment, use the Server Virtualization
Validation Program. It includes an online Virtualization Program Support Policy Wizard. For more information,
see Windows Server Virtualization Validation Program.
Configuration Manager can't manage VMs if they're offline. The Configuration Manager client on the host
computer can't manage an offline VM image. For example, it can't install software updates or collect hardware
inventory.
In general, Configuration Manager gives no special consideration to VMs. For example, if you stop a VM, and
don't save its state, Configuration Manager might not determine if it has to reinstall a software update.
To help with Configuration Manager client performance in virtual environments that support multiple user
sessions, it disables user policy by default. Starting in version 1910, you can enable user policy in this scenario.
For more information, see About client settings - Enable user policy for multiple user sessions.

Microsoft Azure VMs


Configuration Manager can run on infrastructure as a service (IaaS) VMs in Azure just as it runs on-premises
within your data center. Use Configuration Manager with Azure VMs in the following scenarios:
Scenario 1 : Run Configuration Manager on an Azure VM. Use it to manage clients on other Azure VMs.
Scenario 2 : Run Configuration Manager on an Azure VM. Use it to manage clients that aren't running on
Azure.
Scenario 3 : Run different Configuration Manager site system roles on Azure VMs. Run other roles in
your on-premises data center, properly connected to Azure.

NOTE
These scenarios also apply to IaaS VMs on Azure Stack Hub.

The same Configuration Manager requirements for networks, supported configurations, and hardware
requirements also apply to Azure VMs.
For more information, see Configuration Manager on Azure FAQ.

IMPORTANT
Configuration Manager sites and clients that run on Azure VMs are subject to the same license requirements as on-
premises installations.

Azure Virtual Desktop


Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft Azure. Use
Configuration Manager to manage these virtual devices running Windows in Azure. For more information, see
Supported operating systems for clients and devices.

Next steps
Manage Configuration Manager clients in a virtual desktop infrastructure (VDI)
Size and scale numbers for Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Each Configuration Manager deployment has a maximum number of sites, site system roles, and devices that it
can support. These numbers vary depending on your hierarchy structure, what types and numbers of sites you
use, and the site system roles that you deploy. The information in this article can help you determine the
number of site system roles and sites that you need to support the devices you expect to manage.
For more information, see the following articles:
Recommended hardware
Supported operating systems for site system servers
Supported operating systems for clients and devices
Site and site system prerequisites
These support numbers are based on using the recommended hardware for Configuration Manager. They're
also based on the default settings for all available Configuration Manager features. When you don't use the
recommended hardware or use more aggressive custom settings, the performance of site systems can degrade.
The site systems might not meet the stated levels of support. (An example of more aggressive client settings is
running hardware or software inventory more frequently than the defaults of once every seven days.)

Site types
Central administration site
A central administration site supports up to 25 child primary sites.
Primary site
Each primary site supports up to 250 secondary sites.
The number of secondary sites per primary site is based on continuously connected and reliable wide
area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution
point instead of a secondary site.
For information about the number of clients and devices that a primary site can support, see Client
numbers for sites and hierarchies.
Secondary site
Secondary sites don't support child sites.

Site system roles


Cloud management gateway
Unless otherwise noted, this guidance is the same for all deployment models and VM sizes.
You can install multiple instances of the cloud management gateway (CMG) at primary sites, or the
central administration site (CAS).
TIP
In a hierarchy, create the CMG at the CAS.

One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud service.
Simultaneous client connections per each CMG VM instance depend upon the deployment model and
VM size:
Cloud service (classic): 6,000
Virtual machine scale set (version 2010 and 2103 for Cloud Service Provider (CSP) subscriptions): 2,000
Virtual machine scale set (version 2107 or later):
    Lab (B2s): 10
    Standard (A2_v2): 6,000
    Large (A4_v2): 10,000

IMPORTANT
The Lab (B2s) VM size is only intended for lab testing and small proof-of-concept environments. It isn't
intended for production use with the CMG. B2s VMs are low cost and low performing. The Configuration
Manager technical preview branch only supports 10 clients, which is why this size supports that number of
clients.

When the CMG is under high load with more than the supported number of clients, it still handles
requests, but there may be delays.
For more information, see CMG Performance and scale.
Cloud management gateway connection point
This guidance is the same for all deployment models and VM sizes.
You can install multiple instances of the CMG connection point at primary sites.
One CMG connection point can support a CMG with up to four VM instances. If the CMG has more than
four VM instances, add a second CMG connection point for load balancing. A CMG with 16 VM instances
should be linked with four CMG connection points.

NOTE
When considering hardware requirements for the CMG connection point, see Recommended hardware for remote site
system servers.

For more information, see CMG Performance and scale.


Distribution point
Distribution points per site:
Each primary and secondary site supports up to 250 distribution points.
Each primary and secondary site supports up to 2000 additional distribution points that are
configured as pull-distribution points. For example, a single primary site supports 2250
distribution points when 2000 of those distribution points are configured as pull-distribution
points.
Each distribution point supports connections from up to 4,000 clients.
A pull-distribution point acts like a client when it accesses content from a source distribution point.
Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the
distribution points at the primary site and all the distribution points that belong to the primary site's child
secondary sites.
Each distribution point supports a combined total of up to 10,000 packages and applications.

WARNING
The actual number of clients that one distribution point can support depends on the speed of the network and the
hardware configuration of the server.
The number of pull-distribution points that one source distribution point can support similarly depends on the speed of
the network and the hardware configuration of the source distribution point. But this number is also affected by the
amount of content that you've deployed. This effect is because, unlike clients that typically access content at different
times during a deployment, all pull-distribution points request content at the same time. Pull-distribution points can
request all available content, not just the content that is applicable to them. When you place a high processing load on a
source distribution point, there can be unexpected delays in distributing the content to the target distribution points.

Fallback status point


Each fallback status point can support up to 100,000 clients.
Management point
Each primary site supports up to 15 management points.

TIP
Don't install management points on servers that are across a slow link from the primary site server or the site
database server.

Each secondary site supports a single management point that must be installed on the secondary site
server.
For information about the number of clients and devices that a management point can support, see the
Management points section.

NOTE
If you enable the management point to support a cloud management gateway, it services internet-based client requests
per normal. Sizing guidance for a management point doesn't change whether it services on-premises or internet-based
clients.

Software update point


Use the following recommendations as a baseline. This baseline helps you determine the information for the
software updates capacity planning that is appropriate to your organization. The actual capacity requirements
might vary from the recommendations listed in this article depending on the following criteria:
Your specific networking environment
The hardware that you use to host the software update point site system
The number of managed clients
The other site system roles installed on the server

NOTE
If you enable the software update point to support a cloud management gateway, it services internet-based client
requests per normal. Sizing guidance for a software update point doesn't change whether it services on-premises or
internet-based clients.

Capacity planning for the software update point


The number of supported clients depends on the version of Windows Server Update Services (WSUS) that runs
on the software update point. It also depends on whether the software update point site system role coexists
with another site system role:
The software update point can support up to 25,000 clients when WSUS runs on the software update
point server, and the software update point coexists with another site system role.
The software update point can support up to 150,000 clients when a remote server meets WSUS
requirements, WSUS is used with Configuration Manager, and you configure the following settings:
IIS Application Pools:
Increase the WsusPool Queue Length to 2000
Increase the WsusPool Private Memory limit x4 times, or set to 0 (unlimited). For example, if the
default limit is 1,843,200 KB, increase it to 7,372,800. For more information, see WSUS best
practices.
For more information about hardware requirements for the software update point, see
Recommended hardware for site systems.
Capacity planning for software updates objects
Use the following capacity information to plan for software updates objects:
Limit of 1000 software updates in a deployment - Limit the number of software updates to 1000
for each software update deployment. When you create an automatic deployment rule (ADR), specify
criteria that limit the number of software updates. The ADR fails when the specified criteria return more
than 1000 software updates. Check the status of the ADR from the Automatic Deployment Rules node
in the Configuration Manager console. When you manually deploy software updates, don't select more
than 1000 updates to deploy.
Also limit the number of software updates to 1000 in a configuration baseline. For more information, see
Create configuration baselines.
Limit of 580 security scopes for automatic deployment rules - Limit the number of security
scopes on automatic deployment rules (ADRs) to less than 580. When you create an ADR, the security
scopes that have access to it are automatically added. If there are more than 580 security scopes set, the
ADR will fail to run and an error is logged in ruleengine.log.
SMS Provider
Each instance of the SMS Provider supports simultaneous connections from multiple requests. The only
limitations on these connections are the number of server connections that are available to Windows, and the
available resources on the server to service the connection requests.
For more information, see Plan for the SMS Provider.
The administration service is a REST API on every instance of the SMS Provider. It supports up to 5,000 requests
per second, and 200 requests per client IP address.
Client numbers for sites and hierarchies
Use the following information to determine how many clients and which types of clients you can support at a
site or in a hierarchy.
Hierarchy with a central administration site
A central administration site supports a total number of devices that includes up to the number of devices listed
for the following three groups:
700,000 Windows desktops. Also see support for embedded devices.
25,000 devices that run macOS
100,000 devices that you manage by using on-premises mobile device management (MDM)
For example, in a hierarchy you can support 700,000 desktops, up to 25,000 macOS devices, and up to 100,000
devices managed by on-premises MDM. This hierarchy supports a total of 825,000 devices.

IMPORTANT
In a hierarchy where the central administration site uses a Standard edition of SQL Server, the hierarchy supports a
maximum of 50,000 desktops and devices. To support more than 50,000 desktops and devices, you must use an
Enterprise edition of SQL Server. This requirement applies only to a central administration site. It doesn't apply to a stand-
alone primary site or a child primary site. The edition of SQL Server you use for a primary site doesn't limit its capacity to
support the stated number of clients.

The edition of SQL Server that is in use at a stand-alone primary site doesn't limit that site's capacity to support
up to the stated number of clients.
Child primary site
Each child primary site in a hierarchy with a central administration site supports the following number of clients:
150,000 total clients and devices that aren't limited to a specific group or type, as long as support doesn't
exceed the number that is supported for the hierarchy. Also see support for embedded devices.
For example, a primary site supports 25,000 macOS devices. That number is the limit for a hierarchy. This
primary site can then support an additional 125,000 desktop computers. The total number of supported devices
for the child primary site is the supported maximum limit of 150,000.
Stand-alone primary site
A stand-alone primary site supports the following number of devices:
175,000 total clients and devices, not to exceed:
150,000 Windows clients. Also see support for embedded devices.
25,000 devices that run macOS
50,000 devices that you manage by using on-premises MDM
For example, a stand-alone primary site that supports 150,000 desktops and 10,000 Macs can only support an
additional 15,000 mobile devices managed by on-premises MDM.
Primary sites and Windows Embedded devices
Primary sites support Windows Embedded devices that have File-Based Write Filters (FBWF) enabled. When
embedded devices don't have write filters enabled, a primary site can support a number of embedded devices
up to the allowed number of devices for that site. When embedded devices have FBWF or Unified Write Filters
(UWF) enabled, a primary site can support a maximum of 10,000 Windows embedded devices. These devices
must be configured with the exceptions listed in the important note found in the Planning for client deployment
to Windows Embedded devices. A primary site supports only 3,000 Windows Embedded devices that have EWF
enabled and that are not configured for the exceptions.
Secondary sites
Secondary sites support the following number of devices:
15,000 Windows clients
Management points
Each management point can support the following number of devices:
25,000 total clients and devices, not to exceed:
25,000 Windows clients
One of the following (not both):
10,000 devices that are managed by using on-premises MDM
10,000 devices that run macOS
Recommended hardware for Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


The following recommendations are guidelines to help you scale your Configuration Manager environment to
support more than a very basic deployment of sites, site systems, and clients. They aren't intended to cover all
possible site and hierarchy configurations.
Use the information in the following sections as a guide to help you plan for hardware. Make sure your
hardware can meet the processing loads for clients and sites that use the available Configuration Manager
features.

Site systems
This section provides recommended hardware configurations for Configuration Manager site systems. Use
these recommendations to support the maximum number of clients and use most or all Configuration Manager
features. If your environment supports less than the maximum number of clients, and doesn't use all available
features, it might require fewer resources. In general, the following key factors limit performance of the overall
system:
1. Disk I/O performance
2. Available memory
3. CPU
For best performance, use RAID 10 configurations for all data drives and a 1-Gbps Ethernet network.
Site servers
Site configuration | CPU (cores) | Memory (GB) | Memory allocation for SQL Server (%)
Stand-alone primary site server with a database site role on the same server (Note 1) | 16 | 96 | 80
Stand-alone primary site server with a remote site database | 8 | 16 | -
Remote database server for a stand-alone primary site | 16 | 72 | 90
Central administration site server with a database site role on the same server (Note 1) | 20 | 128 | 80
Central administration site server with a remote site database | 8 | 16 | -
Remote database server for a central administration site | 16 | 96 | 90
Child primary site with a database site role on the same server | 16 | 96 | 80
Child primary site server with a remote site database | 8 | 16 | -
Remote database server for a child primary site | 16 | 72 | 90
Secondary site server | 8 | 16 | -

Note 1: Collocated SQL


When you install the site server and SQL Server on the same computer, the deployment supports the maximum
sizing and scale numbers for sites and clients. This configuration can limit high availability options, like using a
SQL Server Always On failover cluster instance. If you have a larger environment, because of the higher I/O
requirements to support both roles on the same computer, consider using a remote SQL Server.
Remote site system servers
The following guidance is for computers that hold a single site system role. Plan to adjust when you install
multiple site system roles on the same computer.

Site system role | CPU (cores) | Memory (GB) | Disk space (GB)
Management point | 4 | 8 | 50
Distribution point | 2 | 8 | As required by the OS and to store content that you deploy
Software update point (Note 2) | 8 | 16 | As required by the OS and to store updates that you deploy
All other site system roles | 4 | 8 | 50

Note 2: WSUS configurations


The computer that hosts a software update point requires the following configurations for IIS application pools:
Increase the WsusPool Queue Length to 2000 .
Increase the WsusPool Private Memory limit by four times, or set it to 0 (unlimited).
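The two WsusPool settings above are the same ones named under "Capacity planning for the software update point" (queue length 2000; private memory limit four times the default of 1,843,200 KB, or 0 for unlimited). The following PowerShell is an added example, not part of the Configuration Manager documentation: it reads the current values from IIS, reports whether they meet the guidance, and optionally applies the change. It assumes the WebAdministration module on the WSUS server and an elevated session; the function name Test-WsusPoolSizing and its parameters are my own.

```powershell
# Added example (not from the Configuration Manager docs). Checks, and with -Apply sets,
# the WsusPool application-pool values the sizing guidance calls for.
# Assumes: WebAdministration module present (WSUS / IIS host), elevated session.
Import-Module WebAdministration

function Test-WsusPoolSizing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PoolName     = 'WsusPool',
        [int]   $QueueLength  = 2000,      # target queue length from the guidance
        [int64] $DefaultMemKB = 1843200,   # default private memory limit (KB) quoted in the docs
        [int]   $MemoryFactor = 4,         # "increase by four times"
        [switch]$Unlimited,                # ... or set the limit to 0 (unlimited)
        [switch]$Apply
    )

    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) { throw "Application pool '$PoolName' not found on this server" }

    $pool         = Get-Item $path
    $currentQueue = [int]$pool.queueLength
    $currentMemKB = [int64]$pool.recycling.periodicRestart.privateMemory   # 0 = no limit

    # Target private memory limit in KB: 0 keeps/sets "unlimited", otherwise four times the current value.
    $targetMemKB = if ($Unlimited -or $currentMemKB -eq 0) { 0 } else { $currentMemKB * $MemoryFactor }

    $report = [pscustomobject]@{
        Pool            = $PoolName
        QueueLength     = $currentQueue
        QueueLengthOK   = ($currentQueue -ge $QueueLength)
        PrivateMemoryKB = $currentMemKB
        PrivateMemoryOK = ($currentMemKB -eq 0 -or $currentMemKB -ge ($DefaultMemKB * $MemoryFactor))
        TargetMemoryKB  = $targetMemKB
    }

    if ($Apply -and $PSCmdlet.ShouldProcess($PoolName, "queueLength=$QueueLength, privateMemory=$targetMemKB KB")) {
        Set-ItemProperty -Path $path -Name queueLength -Value $QueueLength
        Set-ItemProperty -Path $path -Name recycling.periodicRestart.privateMemory -Value $targetMemKB
        # Recycle so the running worker process picks up the new limits.
        Restart-WebAppPool -Name $PoolName
    }

    return $report
}

# Report only:
Test-WsusPoolSizing
# Preview the change without touching IIS, then apply it:
# Test-WsusPoolSizing -Apply -WhatIf
# Test-WsusPoolSizing -Apply
```

Run the report form first; the QueueLengthOK and PrivateMemoryOK fields tell you whether the pool already meets the guidance. The -Apply path honours -WhatIf, so you can confirm exactly which values will be written before changing a production WSUS server.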
Disk space for site systems
Disk allocation and configuration contribute to the performance of Configuration Manager. Because each
Configuration Manager environment is different, the values that you implement can vary from the following
guidance.
For the best performance, place each object on a separate, dedicated RAID volume. For all data volumes for
Configuration Manager and its database files, use RAID 10 for the best performance.

Data usage | Minimum disk space | 25,000 clients | 50,000 clients | 100,000 clients | 150,000 clients | 700,000 clients (central administration site)
Configuration Manager application and log files | 25 GB | 50 GB | 100 GB | 200 GB | 300 GB | 200 GB
Site database .mdf file | 75 GB for every 25,000 clients | 75 GB | 150 GB | 300 GB | 500 GB | 2 TB
Site database .ldf file | 25 GB for every 25,000 clients | 25 GB | 50 GB | 100 GB | 150 GB | 100 GB
Temp database files (.mdf and .ldf) | As needed | As needed | As needed | As needed | As needed | As needed
For the Windows system disk, see sizing guidance for the installed OS version.
For content on distribution points, it depends upon your deployments. This guidance doesn't include the disk
space required for the content library on the site server or distribution points. For more information, see The
content library.
When you plan for disk space requirements, consider the following guidelines:
Each client requires about 5-10 MB of space in the database. This number depends upon the hierarchy
type, the configuration, and the number of clients. The size can be less for larger environments. Smaller
sites have greater database usage per client.
For the primary site's temp database, plan for a combined size that is 25% to 30% of the site database
.mdf file. The actual size can be smaller or larger. It depends on the performance of the site server and the
volume of incoming data over both short and long periods of time.

NOTE
When you have 50,000 or more clients at a site, plan to use four or more temp database .mdf files.

The temp database size for a central administration site is typically much smaller than for a primary site.
If you use SQL Server Express for the secondary site database, it limits the database size to 10 GB.

Clients
This section provides recommended hardware configurations for computers that you manage by using
Configuration Manager client software.
Client for Windows computers
The following minimum requirements are for Windows-based computers that you manage by using
Configuration Manager, including embedded editions:
Processor and memory: Refer to the processor and RAM requirements for the OS.
Disk space: 500 MB of available disk space, with 5 GB recommended for the Configuration Manager
client cache. If you use customized settings to install the Configuration Manager client, less disk space is
required.
Use the client.msi property SMSCACHESIZE to set a cache size smaller than the default of 5120
MB. The minimum size is 1 MB. The following example creates a 2-MB cache:
CCMSetup.exe SMSCACHESIZE=2

For more information, see About client installation properties.

TIP
Installing the client with minimal disk space is useful for Windows Embedded devices that typically have
smaller disk sizes than standard Windows computers.

The following minimum hardware requirements are for optional functionality in Configuration Manager:
OS deployment: At least 384 MB of RAM
Software Center: At least a 500-MHz processor
Remote Control: For an optimal experience, at least a Pentium 4 Hyper-Threaded 3 GHz (single core) or
comparable CPU, with at least 1-GB RAM.

Configuration Manager console


The following minimum hardware requirements apply to each computer that runs the Configuration Manager
console:
Intel i3 or comparable CPU
2 GB of RAM
2 GB of disk space

DPI setting | Minimum resolution
96 / 100% | 1024 x 768
120 / 125% | 1280 x 960
144 / 150% | 1600 x 1200
196 / 200% | 2500 x 1600

Lab deployments
Use the following minimum hardware recommendations for lab and test deployments of Configuration
Manager. These recommendations apply to all site types, up to 100 clients:
Role | CPU (cores) | Memory (GB) | Disk space (GB)
Site and database server | 2-4 | 8-12 | 100
Site system server | 1-4 | 2-4 | 50
Client | 1-2 | 1-3 | 30

Next steps
Site size and performance guidelines
Site size and performance FAQ
Configuration Manager site size and performance guidelines
2/16/2022 • 17 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager leads the industry in scale and performance. Other documentation covers maximum
supported scale limits and hardware guidelines for running sites at the largest environment sizes. This article
gives supplemental performance guidance for environments of all sizes. This guidance can help you more
accurately estimate the hardware you need to deploy Configuration Manager.
This article focuses on the largest contributor to Configuration Manager performance bottlenecks: the disk
input/output subsystem or IOPS.
Presents details and test results focused on IOPS
Documents how to reproduce the tests with your own environments and hardware
Suggests disk IOPS requirements for various size environments

Performance test methodology


You can deploy Configuration Manager in many unique ways, but it's important to understand a few variables in
any sizing discussions. One variable is feature interval, such as an inventory cycle. Another variable is the
number of users, software deployments, or other objects the system references or deploys. Performance testing
applies these variables as part of a load. The load generates objects at a typical rate for enterprise customers
using production deployments in different size environments.

NOTE
Customer usage data allows for testing current branch builds with the most common scenarios, configurations, and
settings for most customers. The recommendations in this article are based on these averages. Your experiences may vary
based on your environment size and configuration. In general, Configuration Manager requires common sense when it
comes to objects and intervals. Just because you can collect every file on a system, or set the interval for a cycle to one
minute, doesn't mean you should.

The following sections highlight some key settings and configurations to use when testing and modeling
processing needs for large enterprises. These guidelines help set basic system performance expectations for the
suggested hardware sizes.
Feature intervals settings
Most testing should use default intervals for the key cycles in the system. For example, hardware inventory
testing occurs once per week with a larger than default .mof file. Some recurring feature intervals, especially
hardware and software inventory cycles, can have significant effects on an environment's performance
characteristics. Environments that enable aggressive default intervals for data collection need oversized
hardware in direct proportion to the increase in activity. For example, say you have 25,000 desktop clients and
want to collect hardware inventory two times faster than the default interval. Start by sizing your site's hardware
as if you had 50,000 clients.
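The rule just stated (size as if you had clients multiplied by the inventory-frequency increase) combines naturally with the disk guidelines from "Disk space for site systems": 75 GB of .mdf and 25 GB of .ldf per 25,000 clients, a temp database of 25% to 30% of the .mdf, four or more temp database files at 50,000 clients, and a cross-check of 5-10 MB of database per client. The following PowerShell is an added example, not from the Configuration Manager documentation, that turns those rules into a first-pass estimate; the function name Get-SiteDatabaseEstimate, its parameters, and the sample inputs are mine.

```powershell
# Added example (not from the Configuration Manager docs): first-pass database sizing
# for a primary site from the documented rules of thumb. Assumes nothing about the
# environment beyond the client count you pass in.
function Get-SiteDatabaseEstimate {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 700000)][int]$Clients,
        # 2.0 = you collect hardware inventory twice as often as the default weekly cycle,
        # so the site is sized as if it had twice the clients.
        [ValidateRange(1.0, 10.0)][double]$InventoryFrequencyFactor = 1.0
    )

    $effective = [int][math]::Ceiling($Clients * $InventoryFrequencyFactor)
    $blocks    = [int][math]::Ceiling($effective / 25000)      # whole 25,000-client blocks
    $mdfGB     = 75 * $blocks                                    # 75 GB per 25,000 clients
    $ldfGB     = 25 * $blocks                                    # 25 GB per 25,000 clients

    [pscustomobject]@{
        Clients              = $Clients
        EffectiveClients     = $effective
        SiteDatabaseMdfGB    = $mdfGB
        SiteDatabaseLdfGB    = $ldfGB
        # Temp database: 25% to 30% of the .mdf size.
        TempDbMinGB          = [int][math]::Ceiling($mdfGB * 0.25)
        TempDbMaxGB          = [int][math]::Ceiling($mdfGB * 0.30)
        # The guidance only gives a file count for 50,000 or more clients.
        TempDbFilesMinimum   = if ($effective -ge 50000) { 4 } else { $null }
        # Cross-check against the 5-10 MB per client figure (in GB).
        PerClientCheckMinGB  = [math]::Round($effective * 5  / 1024, 1)
        PerClientCheckMaxGB  = [math]::Round($effective * 10 / 1024, 1)
    }
}

# Sample inputs (constructed): 25,000 desktops at the default inventory interval,
# and the same 25,000 desktops inventoried twice as often.
Get-SiteDatabaseEstimate -Clients 25000
Get-SiteDatabaseEstimate -Clients 25000 -InventoryFrequencyFactor 2
```

The second call reports EffectiveClients of 50,000 and therefore the 150 GB .mdf, 50 GB .ldf and four temp database files that the table gives for a 50,000-client site, which is the point of the rule: doubling an inventory interval costs the same as doubling the client count. Treat the result as a starting figure; the article itself notes that per-client usage is higher at smaller sites and lower at larger ones.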
Objects
Tests should use the upper average of the objects that large enterprises tend to use with the system. Typical
values are thousands of collections and applications, which are deployed to hundreds of thousands of users or
systems. Tests should run simultaneously on all objects in the system at these limits. Many customers use
several features, but don't generally use all features of the product at these upper limits. Testing with all product
features helps ensure the best possible system-wide performance, and allows a buffer for features that some
customers may use above average.
Loads
Tests should also run on greater than standard average day loads, by doing simulations that generate peak
usage demands on the system. One example is simulating Patch Tuesday rollouts, to make sure the system can
return update compliance data promptly during these days of peak activity. Another example is simulating site
activity during a widespread malware outbreak, to ensure timely notification and response are possible.
Although deployed machines of the recommended size may be underused on any given day, more extreme
situations require some processing buffer.
Configurations
Run testing on a range of physical, Hyper-V, and Azure hardware, with a mixture of supported operating systems
and SQL Server versions. Always validate the worst cases for the supported configuration. In general, Hyper-V
and Azure return comparable performance results to equivalent physical hardware when configured similarly.
Current server operating systems tend to have performance that's equal to or better than earlier OS versions.
While all supported platforms meet the minimum requirements, usually the latest versions of supporting
products like Windows and SQL Server produce even better performance.
The largest variation comes from the SQL Server versions in use. For more information about SQL Server
versions, see What version of SQL Server should I run?.

Key performance determinants


You can test and measure Configuration Manager performance with different kinds of settings, in different ways,
and at different site sizes. The following settings and objects can dramatically affect performance. Be sure to
consider them when testing and modeling performance in your environment.
Caution

While few aspects of Configuration Manager have official maximums or user interface limits that prevent
excessive usage, going beyond the guidelines can have significant adverse effects on a site's performance.
Exceeding recommended levels or ignoring sizing guidance typically requires larger hardware, and may render
your environment unmaintainable until you reduce the frequency or count of various objects.
Hardware inventory
To test baseline performance, set hardware inventory collection to once per week, with the default .mof file size
plus approximately 20% other properties. Don't enable all properties, and collect only properties you actually
need. Pay special attention when collecting properties, such as available virtual memory, that will always change
with every inventory cycle. Collecting these properties can cause excessive churn on every inventory cycle from
every client.
Software inventory
To test baseline performance, set software inventory collection to once per week, with product only details.
Collecting many files can place a significant strain on the inventory subsystem. Avoid specifying filters that
could end up collecting thousands of files across many clients, such as *.exe or *.dll.
Collections
Baseline performance testing can include several thousand collections with different kinds of scope, size,
complexity, and update settings. Site performance isn't a direct function of the sheer number of collections on a
site. Performance is also a cross-product of collections' query complexity, full and incremental updates and
change frequency, dependencies among collections, and numbers of clients in the collections.
Where possible, minimize collections that have expensive or complicated dynamic rule queries. For collections
that require these types of rules, set appropriate update intervals and update times to minimize the effect of
collection re-evaluation on the system. For example, update at midnight instead of 8:00 AM.
Enabling incremental updates on collections ensures quick and timely updates to collection membership. But
even though incremental updates are efficient, they still put load on the system. Balance the change frequency
you expect with the need for near real-time updates on membership. For example, say you expect heavy churn
in collection members, but you don't require near real-time membership updates. It's more efficient and
produces less load on the system to update the collection with a scheduled full update at some interval, than to
enable incremental updates.
When you enable incremental updates, reduce any scheduled full updates on the same collections. They're only
a backup method of evaluation, since incremental updates should keep your collection membership updated in
near real time. Best practices for collections recommends a maximum number of total collections for
incremental updates, but as the article points out, your experience can vary based on many factors.
Collections with only direct membership rules and with a limiting collection that isn't doing incremental updates
don't need scheduled full updates. Disable update schedules for these types of collections to prevent
unnecessary load on the system. If the limiting collection uses incremental updates, collections with only direct
membership rules may not reflect membership updates for up to 24 hours, or until a scheduled refresh takes
place.
While not a best practice, some organizations create hundreds or even thousands of collections as part of
various business processes. If you use automation to create collections, it's important to enable any needed
incremental updates correctly. Minimize and spread out any full update schedules to avoid hot spots of
collection evaluation during a single time period. Establish a regular grooming process to delete unused
collections, especially if you automatically create collections that you no longer need after some time.
Remember that Configuration Manager creates policies for all objects in your collections when you target tasks
like deployments to them. Membership changes, either through scheduled refresh or incremental updates, can
create much more work for the whole system. The latest current branch builds have special policy optimizations
for the All Systems and All Users collections. When targeting your entire enterprise, use the built-in collections
instead of a clone of these built-in collections.
To investigate collection performance even deeper, view collection evaluation in the console. For more
information, see How to view collection evaluation.
Discovery methods
For baseline performance testing, run server-based discovery methods once a week, enabling delta discovery as
appropriate to keep the data fresh during the week. The tests should discover an object quantity proportional to
the simulated enterprise size. The performance baseline test for heartbeat discovery should also run once a
week.
Discovery data is global data. A common performance-related problem is to misconfigure server-based
discovery methods in a hierarchy, causing duplicate discovery of the same resources from multiple primary
sites. Carefully configure discovery methods to optimize communication with the target service, such as Active
Directory domain controllers, while avoiding duplication of the same discovery scope on multiple primary sites.

General sizing guidelines


Based on the preceding performance test methodology, the following table gives general minimum hardware
requirement guidelines for specific numbers of managed clients. These values should allow most customers
with the specified number of clients to process objects fast enough to administer the specified site. Computing
power continues to decrease in price every year, and some of the requirements below are small for modern
server hardware configurations. Hardware that exceeds the following guidelines proportionally increases
performance for sites that require more processing power, or have special product usage patterns.
| Desktop clients | Site type/role | Cores (Note 1) | Memory (GB) | SQL Server memory allocation (Note 2) | IOPS: Inboxes (Note 3) | IOPS: SQL Server (Note 3) | Storage space required (GB) (Note 4) |
|---|---|---|---|---|---|---|---|
| 25k | Primary or CAS with database site role on the same server | 6 | 24 | 65% | 600 | 1700 | 350 |
| 25k | Primary or CAS | 4 | 8 | | 600 | | 100 |
| 25k | Remote SQL Server | 4 | 16 | 70% | | 1700 | 250 |
| 50k | Primary or CAS with database site role on the same server | 8 | 32 | 70% | 1200 | 2800 | 600 |
| 50k | Primary or CAS | 4 | 8 | | 1200 | | 200 |
| 50k | Remote SQL Server | 8 | 24 | 70% | | 2800 | 400 |
| 100k | Primary or CAS with database site role on the same server | 12 | 64 | 70% | 1200 | 5000 | 1100 |
| 100k | Primary or CAS | 6 | 12 | | 1200 | | 300 |
| 100k | Remote SQL Server | 12 | 48 | 80% | | 5000 | 800 |
| 150k | Primary or CAS with database site role on the same server | 16 | 96 | 70% | 1800 | 7400 | 1600 |
| 150k | Primary or CAS | 8 | 16 | | 1800 | | 400 |
| 150k | Remote SQL Server | 16 | 72 | 90% | | 7400 | 1200 |
| 700k | CAS with database site role on the same server | 20+ | 128+ | 80% | 1800+ | 9000+ | 5000+ |
| 700k | CAS | 8+ | 16+ | | 1800+ | | 500+ |
| 700k | Remote SQL Server | 16+ | 96+ | 90% | | 9000+ | 4500+ |
| 5k | Secondary site | 4 | 8 | | 500 | - | 200 |
| 15k | Secondary site | 8 | 16 | | 500 | - | 300 |
Notes on general sizing guidelines


Note 1: Cores
Configuration Manager runs many simultaneous processes, so it needs a certain minimum number of CPU cores
for a given site size. While cores get faster each year, it's important to ensure that a certain minimum number
of cores work in parallel. In general, any server-level CPU produced after 2015 meets the basic performance
needs for the cores specified in the table. Configuration Manager takes advantage of other cores beyond the
recommendations. Once you have the minimum suggested cores, prioritize CPU resource investment to
increase the speed of existing cores. Don't add more, slower cores. For example, Configuration Manager has
better performance on key processing tasks with 16 fast cores than with 24 slower cores. This performance
assumes that there are enough other system resources like disk IOPS.
The relationship between cores and memory is also important. In general, having less than 3-4 GB of RAM per
core reduces the total processing capability on your SQL Servers. You need more RAM per core when SQL
Server is colocated with the site server components.

NOTE
All testing sets machine power plans to allow maximum CPU power consumption and performance.

Note 2: SQL Server memory allocation


Use this value to configure the Maximum server memory (in MB) setting in the properties of the SQL Server
instance. It's the percentage of the total amount of memory available on the server.
Don't configure the minimum and maximum values the same. This guidance is specifically for the maximum
memory that you should allow SQL Server to allocate.
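Applying Note 2 in practice, as an added example (not code from the Configuration Manager docs or product): the script converts the percentage from the sizing table into a max server memory value in MB and applies it with sp_configure, and it refuses to apply a maximum that is at or below the instance's current minimum, because the table's percentage is guidance for the maximum only. Assumptions, all placeholders: the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, the account is sysadmin on the instance, and the instance name and percentage are the caller's.

```powershell
# Added example. Assumes the SqlServer module (Invoke-Sqlcmd) and sysadmin rights.
function Get-SqlMaxMemoryMB {
    param([Parameter(Mandatory)][ValidateRange(1, 100)][int]$PercentOfTotal)
    # Physical memory of this server; the percentage in the sizing table is of this total.
    $totalMB = [math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    return [int][math]::Floor($totalMB * $PercentOfTotal / 100)
}

function Set-SqlMaxMemory {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'CM01' or 'CM01\INST01' (placeholder)
        [Parameter(Mandatory)][int]$PercentOfTotal,      # the table's percentage for the row you sized to
        [switch]$WhatIf
    )
    $newMaxMB = Get-SqlMaxMemoryMB -PercentOfTotal $PercentOfTotal

    # Read the values SQL Server is actually using, not just the configured ones.
    $settings = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('min server memory (MB)', 'max server memory (MB)')
"@
    $minMB = ($settings | Where-Object name -eq 'min server memory (MB)').value_in_use
    $maxMB = ($settings | Where-Object name -eq 'max server memory (MB)').value_in_use

    # The guidance is for the maximum only; never let min and max collapse onto each other.
    if ($minMB -ge $newMaxMB) {
        throw "min server memory is $minMB MB; it must stay below the new max of $newMaxMB MB. Lower the minimum first."
    }

    $change = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $newMaxMB; RECONFIGURE;
"@
    if ($WhatIf) {
        Write-Output "Current max $maxMB MB, min $minMB MB. Would set max to $newMaxMB MB with:`n$change"
        return
    }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $change
    Write-Output "max server memory changed from $maxMB MB to $newMaxMB MB (min stays $minMB MB)."
}

# Site server with SQL Server on the same box, sized for 50k clients: the table says 70%.
Set-SqlMaxMemory -ServerInstance 'CM01' -PercentOfTotal 70 -WhatIf
```

Run it with -WhatIf first and compare the reported current maximum with the table; a colocated site server that was left at the SQL Server default (effectively unlimited) is the common finding, and it starves SMSExec and the inbox processing the next note describes.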
Note 3: IOPS: Inboxes and IOPS: SQL
These values refer to the IOPS needs for the Configuration Manager and SQL Server logical drives. The IOPS:
Inboxes column shows the IOPS requirements for the logical drive with the Configuration Manager inbox
directories. The IOPS: SQL column shows the total IOPS needs for the logical drive(s) that various SQL Server
files use. These columns are different because the two drives should have different formatting. For more
information and examples on suggested SQL Server disk configurations and file best practices, including details
on splitting files across multiple volumes, see the Site sizing and performance FAQ.
Both of these IOPS columns use data from the industry-standard tool Diskspd. See How to measure disk
performance for instructions on duplicating these measurements. In general, once you meet basic CPU and
memory requirements, the storage subsystem has the largest effect on site performance, and improvements
here give the most payback on investment.
Note 4: Storage space required
These real-world values may differ from other documented recommendations. We provide these numbers only
as a general guideline; individual requirements could vary widely. Carefully plan for disk space needs before site
installation. Assume that some amount of this storage remains as free disk space most of the time. You may use
this buffer space in a recovery scenario, or for upgrade scenarios that need free disk space for setup package
expansion. Your site may require more storage for large amounts of data collection, longer periods of data
retention, and large amounts of software distribution content. You can also store these items on separate, lower-
throughput volumes.

How to measure disk performance


You can use the industry-standard tool Diskspd to provide standardized suggestions for the IOPS that various-
sized Configuration Manager environments require. While not exhaustive, the following test steps and
command lines provide a simple and reproducible way to estimate your servers' disk subsystem throughput.
You can compare your results to the minimum recommended IOPS in the general sizing guidelines table.
For test results from different kinds of hardware configurations in lab environments, see Example disk
configurations. You can use the data for a rough starting point when designing the storage subsystem for a new
environment from scratch.
How to test disk IOPS
1. Download the Diskspd utility.
2. Make sure you have at least 100 GB of free disk space. Disable any apps that might interfere or cause
extra load on the disk, such as active antivirus scanning of the directory, SQL, or SMSExec.
3. Run Diskspd from an elevated command prompt.
Run the tool twice in sequence on the volume that you want to test. The first run uses 64 KB random write
operations for one minute. It validates controller cache loading and disk space allocation, in case the
volume is dynamically expanding. Discard the results of the first run. Start the second run immediately after
the first, with the same load, for five minutes.
For example, use the following specific command lines to test the G: volume.

DiskSpd.exe -r -w100 -t8 -o8 -b64K -c100G -d60 -h -L G:\test\testfile.dat

del G:\test\testfile.dat

DiskSpd.exe -r -w100 -t8 -o8 -b64K -c100G -d300 -h -L G:\test\testfile.dat

4. Review the output from the second test to find the total IOPS in the I/O per s column. In the following
example, the total IOPS are 3929.18 .
Total IO
| thread | bytes | I/Os | MB/s | I/O per s | AvgLat | LatStdDev |
|--------|-------------|---------|--------|-----------|--------|-----------|
| 1 | 9651814400 | 147275 | 30.68 | 490.92 | 16.294 | 10.210 |
| 2 | 9676652544 | 147654 | 30.76 | 492.18 | 16.252 | 9.998 |
| 3 | 9638248448 | 147068 | 30.64 | 490.23 | 16.317 | 10.295 |
| 4 | 9686089728 | 147798 | 30.79 | 492.66 | 16.236 | 10.072 |
| 5 | 9590931456 | 146346 | 30.49 | 487.82 | 16.398 | 10.384 |
| 6 | 9677242368 | 147663 | 30.76 | 492.21 | 16.251 | 10.067 |
| 7 | 9637330944 | 147054 | 30.64 | 490.18 | 16.319 | 10.249 |
| 8 | 9692577792 | 147897 | 30.81 | 492.99 | 16.225 | 10.125 |
| Total: | 77250887680 | 1178755 | 245.57 | 3929.18 | 16.286 | 10.176 |
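The two-pass procedure above, scripted, as an added example (not part of the Configuration Manager docs or of the Diskspd tool): it runs the warm-up and measurement passes, parses the total row of Diskspd's Total IO table, and checks the result against the IOPS columns of the general sizing guidelines table. Assumptions: DiskSpd.exe is on the PATH (or its path is passed in -DiskSpdPath), the test volume has the 100 GB free that the procedure requires, and the guideline numbers in the script are copied from the 25k to 150k rows above. The function and parameter names are this example's own, and the sample output is constructed from the walkthrough's table so the parser can be tried offline.

```powershell
# Added example. Assumes DiskSpd.exe is on PATH or passed in -DiskSpdPath.
function Get-DiskSpdTotalIops {
    param([Parameter(Mandatory)][string[]]$OutputLines)
    # Diskspd prints Read IO, Write IO and Total IO tables, each closed by a "total:" row.
    # Take the first "total:" row after the "Total IO" heading; fall back to the last one.
    $inTotal = $false
    $totalRow = $null
    foreach ($line in $OutputLines) {
        if ($line -match '^\s*Total IO\s*$') { $inTotal = $true; continue }
        if ($inTotal -and $line -match 'total:') { $totalRow = $line; break }
    }
    if (-not $totalRow) { $totalRow = @($OutputLines | Where-Object { $_ -match 'total:' })[-1] }
    if (-not $totalRow) { throw 'No "total:" row found in Diskspd output.' }
    # Cells after the label: bytes | I/Os | MB/s | I/O per s | AvgLat | LatStdDev
    $cells = ($totalRow -replace 'total:', '') -split '\|' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    return [double]$cells[3]
}

function Measure-VolumeIops {
    param(
        [Parameter(Mandatory)][string]$Volume,          # e.g. 'G:'
        [string]$DiskSpdPath = 'DiskSpd.exe',
        [int]$WarmupSeconds = 60,
        [int]$TestSeconds = 300
    )
    $drive = Get-PSDrive -Name $Volume.TrimEnd(':')
    if ($drive.Free -lt 100GB) {
        throw "$Volume has $([math]::Round($drive.Free / 1GB)) GB free; the test needs 100 GB."
    }
    $testFile = Join-Path $Volume 'test\testfile.dat'
    New-Item -ItemType Directory -Path (Split-Path $testFile) -Force | Out-Null
    # -r random, -w100 all writes, -t8 threads, -o8 outstanding I/Os per thread,
    # -b64K block size, -c100G file size, -h no OS or hardware caching, -L collect latency.
    $common = @('-r', '-w100', '-t8', '-o8', '-b64K', '-c100G', '-h', '-L')
    # Pass 1 warms the controller cache and allocates the file; its result is discarded.
    & $DiskSpdPath @common "-d$WarmupSeconds" $testFile | Out-Null
    Remove-Item $testFile -Force
    # Pass 2 is the measurement.
    $output = & $DiskSpdPath @common "-d$TestSeconds" $testFile
    Remove-Item $testFile -Force
    return Get-DiskSpdTotalIops -OutputLines $output
}

# Minimum IOPS from the general sizing guidelines table, primary/CAS rows with SQL Server
# on the same server (Inboxes and SQL columns).
$GuidelineIops = @{
    '25k'  = @{ Inboxes = 600;  Sql = 1700 }
    '50k'  = @{ Inboxes = 1200; Sql = 2800 }
    '100k' = @{ Inboxes = 1200; Sql = 5000 }
    '150k' = @{ Inboxes = 1800; Sql = 7400 }
}

function Test-IopsGuideline {
    param(
        [Parameter(Mandatory)][double]$MeasuredIops,
        [Parameter(Mandatory)][ValidateSet('25k', '50k', '100k', '150k')][string]$ClientTier,
        [Parameter(Mandatory)][ValidateSet('Inboxes', 'Sql')][string]$Drive
    )
    $required = $GuidelineIops[$ClientTier][$Drive]
    [pscustomobject]@{
        Tier = $ClientTier; Drive = $Drive; Required = $required
        Measured = $MeasuredIops; Meets = ($MeasuredIops -ge $required)
    }
}

# Constructed sample: the Total IO table from the walkthrough above, reduced to its total row.
$sample = @'
Total IO
| thread | bytes | I/Os | MB/s | I/O per s | AvgLat | LatStdDev |
| Total: | 77250887680 | 1178755 | 245.57 | 3929.18 | 16.286 | 10.176 |
'@ -split "`r?`n"

# Check the sample against the SQL Server drive requirement for a 100k-client site.
Test-IopsGuideline -MeasuredIops (Get-DiskSpdTotalIops -OutputLines $sample) -ClientTier '100k' -Drive 'Sql'

# Real measurement (takes about six minutes and 100 GB on the volume):
# Test-IopsGuideline -MeasuredIops (Measure-VolumeIops -Volume 'G:') -ClientTier '100k' -Drive 'Sql'
```

Running the parser over the constructed sample reproduces the walkthrough's total, and the comparison shows that the same drive would fall short of the 100k SQL Server requirement. Test the inbox volume and the SQL Server volume separately, since the table gives them different targets, and keep the pre-flight free-space check: Diskspd with -c100G on a volume that cannot hold the file produces a number that measures the wrong thing.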

Example disk configurations


The following tables show results from running the test steps in How to measure disk performance with various
test lab configurations. Use this data for a rough starting point when designing the storage subsystem for a new
environment from scratch.
Physical machines and Hyper-V
Hardware is always improving. Expect newer generations of hardware and different hardware combinations, like
SSDs and SANs, to exceed the performance stated below. These results are a basic starting point to consider
when designing a server or discussing with your hardware vendor.
The following table shows the test results across various disk subsystems, including spindle and SSD-based
hard drives, in various test lab configurations. All configurations format the disks with 64k clusters and attach
them to an enterprise class disk controller. In addition to the RAID array disk count, they each have at least one
spare disk.

| Disk type | Disk count (not including +1 spare disk) | RAID | IOPS measured |
|---|---|---|---|
| 15k SAS | 2 | 1 | 620 |
| 15k SAS | 4 | 10 | 1206 |
| 15k SAS | 6 | 10 | 1751 |
| 15k SAS | 8 | 10 | 2322 |
| 15k SAS | 10 | 10 | 2882 |
| 15k SAS | 12 | 10 | 3476 |
| 15k SAS | 16 | 10 | 4236 |
| 15k SAS | 20 | 10 | 5148 |
| 15k SAS | 30 | 10 | 7398 |
| 15k SAS | 40 | 10 | 9913 |
| SSD SATA | 2 | 1 | 3300 |
| SSD SATA | 4 | 10 | 5542 |
| SSD SATA | 6 | 10 | 7201 |
| SSD SAS | 2 | 1 | 7539 |
| SSD SAS | 4 | 10 | 14346 |
| SSD SAS | 6 | 10 | 15607 |

The following table lists the specific devices used in this example. This information isn't a recommendation for
any specific hardware model or manufacturer.

| Disk type | Model | RAID controller | Cache memory and configuration |
|---|---|---|---|
| 15k RPM SAS HD | HP EH0300JDYTH | Smart Array P822 | 2 GB, 20% read / 80% write |
| SSD SATA | ATA MK0200GCTYV | Smart Array P420i | 1 GB, 20% read / 80% write |
| SSD SAS | HP MO0800 JEFPB | Smart Array P420i | 1 GB, 20% read / 80% write |

Azure machine and disk performance


Azure disk performance depends on several factors, such as the size of the Azure VM, and the number and type
of disks it uses. Azure is also constantly adding new machine types and disk speeds that are different from the
following chart. For more information about Configuration Manager running on Azure, and additional
information on understanding disk I/O on Azure, see Configuration Manager on Azure frequently asked
questions.
All disks are formatted NTFS 64k cluster size, and rows with more than one disk are configured as striped
volumes via the Windows Disk Management utility.

| Azure VM | Azure disk | Disk count | Available space | IOPS measured | Limiting factor |
|---|---|---|---|---|---|
| DS2/DS11 | P20 | 1 | 512 GB | 965 | Azure VM size |
| DS2/DS11 | P20 | 2 | 1024 GB | 996 | Azure VM size |
| DS2/DS11 | P30 | 1 | 1024 GB | 996 | Azure VM size |
| DS2/DS11 | P30 | 2 | 2048 GB | 996 | Azure VM size |
| DS3/DS12/F4S | P20 | 1 | 512 GB | 1994 | Azure VM size |
| DS3/DS12/F4S | P20 | 2 | 1024 GB | 1992 | Azure VM size |
| DS3/DS12/F4S | P30 | 1 | 1024 GB | 1993 | Azure VM size |
| DS3/DS12/F4S | P30 | 2 | 2048 GB | 1992 | Azure VM size |
| DS4/DS13/F8S | P20 | 1 | 512 GB | 2334 | P20 disk |
| DS4/DS13/F8S | P20 | 2 | 1024 GB | 3984 | Azure VM size |
| DS4/DS13/F8S | P20 | 3 | 1536 GB | 3984 | Azure VM size |
| DS4/DS13/F8S | P30 | 1 | 1024 GB | 3112 | P30 disk |
| DS4/DS13/F8S | P30 | 2 | 2048 GB | 3984 | Azure VM size |
| DS4/DS13/F8S | P30 | 3 | 3072 GB | 3996 | Azure VM size |
| DS5/DS14/F16S | P20 | 1 | 512 GB | 2335 | P20 disk |
| DS5/DS14/F16S | P20 | 2 | 1024 GB | 4639 | P20 disk |
| DS5/DS14/F16S | P20 | 3 | 1536 GB | 6913 | P20 disk |
| DS5/DS14/F16S | P20 | 4 | 2048 GB | 7966 | Azure VM size |
| DS5/DS14/F16S | P30 | 1 | 1024 GB | 3112 | P30 disk |
| DS5/DS14/F16S | P30 | 2 | 2048 GB | 6182 | P30 disk |
| DS5/DS14/F16S | P30 | 3 | 3072 GB | 7963 | Azure VM size |
| DS5/DS14/F16S | P30 | 4 | 4096 GB | 7968 | Azure VM size |
| DS15 | P30 | 1 | 1024 GB | 3113 | P30 disk |
| DS15 | P30 | 2 | 2048 GB | 6184 | P30 disk |
| DS15 | P30 | 3 | 3072 GB | 9225 | P30 disk |
| DS15 | P30 | 4 | 4096 GB | 10200 | Azure VM size |

For more information on the currently available disks, see Select a disk type for Azure IaaS VMs.

See also
Site sizing and performance FAQ
Configuration Manager on Azure frequently asked questions
Size and scale numbers
Recommended hardware
Choose a device management solution
2/16/2022

Microsoft offers different solutions for managing PCs, servers, and devices. These solutions are available on-
premises, cloud-based, or a combination of both. Choose the solution that's right for the business requirements
of your organization. Base your decision on the device platforms you need to manage and the management
functionality you need.

Overview
There are several Microsoft solutions that might work best for you in different scenarios. You don't need to
choose just one.
For a small organization, a tool like Windows Admin Center may be a great fit.
Approximately 75% of IT organizations use Configuration Manager to manage their devices.
Microsoft Azure provides various solutions from the cloud or on-premises with Azure Stack that primarily
target server management.
Microsoft Intune provides cloud management of clients.
You can combine Configuration Manager and Intune with co-management.
Use the following table to help compare these management technologies:

| | Cloud-only | Cloud-attached | On-premises | Disconnected |
|---|---|---|---|---|
| Hyper-V host | Not applicable | Azure Stack; Windows Admin Center; Virtual Machine Manager | Azure Stack; Windows Admin Center; Virtual Machine Manager | Azure Stack; Windows Admin Center; Virtual Machine Manager |
| Windows Server | Azure management; Configuration Manager | Azure management; Configuration Manager | Azure management; Configuration Manager | Configuration Manager |
| Linux Server | Azure management | Azure management | Azure management | |
| Windows 10/11 | Intune; Configuration Manager | Intune; Configuration Manager | Intune; Configuration Manager | Configuration Manager |
| Windows 7 or 8.1 | Configuration Manager | Configuration Manager | Configuration Manager | Configuration Manager |
| Azure Virtual Desktop | Configuration Manager | Not applicable | Not applicable | Not applicable |

For more information, see the following articles:


What is Azure Stack?
What is Windows Admin Center?
What is Virtual Machine Manager?
Azure management products
What is Azure Virtual Desktop?
For more information on the Configuration Manager and Intune solutions, continue to the next section.

Client management
This section compares the following four client management solutions:
Configuration Manager client
On-premises mobile device management (MDM) with Configuration Manager
Co-management with Microsoft Intune
Microsoft Exchange
You can use these solutions by themselves or in combination with each other. For example, use the client-based
management approach to manage the computers and servers in your organization, and also use co-
management to manage internet-based laptops. By combining approaches this way, you can cover all of your
device management needs.
There are also two tables that compare the management solutions by the following factors:
Compare by supported platforms
Compare by management functionality
Configuration Manager client
This option requires installation of the Configuration Manager client on devices. It provides the most features for
managing PCs, servers, and other devices in your environment.
For more information, see Client installation methods.
On-premises MDM
This option uses the device management capabilities built into Windows 10 or later. While not as full-featured as
client-based management, on-premises MDM provides a lighter touch approach to management. It uses on-
premises Configuration Manager resources to manage devices.
For more information, see Manage mobile devices with on-premises infrastructure.
Co -management with Microsoft Intune
Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the
Microsoft 365 cloud. It enables you to concurrently manage Windows devices by using both Configuration
Manager and Microsoft Intune. Co-management lets you cloud-attach your existing investment in Configuration
Manager by adding new functionality.
For more information, see What is co-management?.
Microsoft Exchange
This option uses the Exchange Server connector to connect multiple Exchange servers to Configuration
Manager. It centralizes management of devices that can connect to Exchange ActiveSync. You can configure
Exchange mobile device management features from the Configuration Manager console. Example features
include remote device wipe and the settings control for multiple Exchange servers.
For more information, see Manage mobile devices with Configuration Manager and Exchange.
Compare solutions by supported platforms
| Platform | Configuration Manager client | On-premises MDM | Configuration Manager with Exchange | Intune |
|---|---|---|---|---|
| Android | | | Yes | Yes |
| iOS | | | Yes | Yes |
| macOS X | Yes | | Yes | Yes |
| Windows 10/11 | Yes | Yes | Yes | Yes |
| Windows 10 Mobile | | Yes | Yes | Yes |
| Windows (previous versions) | Yes | | | Yes |
| Windows Server | Yes | | | Yes |
| Windows Embedded | Yes | | | |

For a complete list of supported platforms, see the following articles:


Supported operating systems for clients and devices for Configuration Manager
Intune supported configurations
Microsoft recommends using Intune to manage Android, iOS, and Windows 10/11 mobile devices. For more
information, see What is Microsoft Intune?.
Compare solutions by management functionality
| Management functionality | Configuration Manager client | On-premises MDM | Configuration Manager with Exchange |
|---|---|---|---|
| Certificate-based mutual authentication | Yes | Yes | |
| Client installation | Yes | | |
| Support over the internet | Yes | | |
| Discovery | Yes | | Yes |
| Hardware inventory | Yes | Yes | Yes |
| Software inventory | Yes | Yes | |
| Settings | Yes | Yes | Yes |
| Software deployment | Yes | Yes | |
| Software update management | Yes | | |
| OS deployment | Yes | | |
| Block from Configuration Manager | Yes | Yes | |
| Quarantine and block from Exchange Server (and Configuration Manager) | | | Yes |
| Remote wipe | | Yes | Yes |


Design a hierarchy of sites for Configuration
Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Before installing the first site of a new Configuration Manager hierarchy, it's a good idea to understand:
The available topologies for Configuration Manager
The types of available sites and their relationships with each other
The scope of management that each type of site provides
The content management options that can reduce the number of sites you need to install
Then plan a topology that efficiently serves your current business needs and can later expand to manage future
growth.
When planning, keep in mind limitations for adding additional sites to a hierarchy or a stand-alone site:
Install a new primary site below a central administration site, up to the supported number of primary
sites for the hierarchy.
Expand a standalone primary site to install a new central administration site, to then install additional
primary sites.
Install new secondary sites below a primary site, up to the supported limit for the primary site and
overall hierarchy.
You can't add a previously installed site to an existing hierarchy to merge two standalone sites.
Configuration Manager only supports installation of new sites to an existing hierarchy of sites.

NOTE
When planning a new installation of Configuration Manager, be aware of the release notes, which detail current issues in
the active versions. The release notes apply to all branches of Configuration Manager. When you use the technical preview
branch, find issues specific to that branch in the documentation for each version of the technical preview.

Hierarchy topology
Hierarchy topologies range from:
Simplest: A single standalone primary site
Most complex: A group of connected primary and secondary sites with a central administration site at the
top-level site of the hierarchy
The key driver of the type and count of sites that you use in a hierarchy is usually the number and type of
devices you must support.
Standalone primary site
Use a standalone primary site when it can support management of all devices and users. For more information,
see Sizing and scale numbers. This topology is also successful when your company's geographic locations can
be served by a single primary site. To help manage network traffic, use multiple management points in
boundary groups, and a carefully planned content infrastructure. For more information, see Configure boundary
groups and Fundamental concepts for content management.
This topology provides the following benefits:
Simplified administrative overhead
Simplified client site assignment and discovery of available resources and services
Elimination of possible delays introduced by database replication between sites
Option to expand a standalone primary site into a larger hierarchy with a central administration site. This
option enables you to then install new primary sites to expand the scale of your deployment.
Central administration site with one or more child primary sites
Use this topology when you require more than one primary site to support management of all your devices and
users. It's required when you need to use more than a single primary site.
This topology provides the following benefits:
It supports up to 25 primary sites that enable you to extend the scale of your hierarchy.
You always use the central administration site, unless you reinstall your sites. This option is permanent.
You can't detach a child primary site to make it a standalone primary site.

Determine when to use a central administration site


Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the
hierarchy. This site type doesn't manage clients directly. It coordinates site-to-site data replication, which
includes the configuration of sites and clients throughout the hierarchy.
The following information can help you decide when to install a central administration site:
The central administration site is the top-level site in a hierarchy.
When you configure a hierarchy that has more than one primary site, install a central administration site.
If you immediately need two or more primary sites, install the central administration site first.
When you already have a primary site, and want to then install a central administration site,
expand the stand-alone primary site to install the central administration site.
The central administration site supports only primary sites as child sites.
The central administration site can't have clients assigned to it.
The central administration site doesn't support site system roles that directly support clients, such as
management points and distribution points.
Manage all clients in the hierarchy and perform all site management tasks from the Configuration
Manager console that is connected to the central administration site. These tasks include installing
management points or other site system roles at child primary or secondary sites.
When you use a central administration site, it's the only place where you see site data from all sites in
your hierarchy. This data includes information such as inventory data and status messages.
Configure discovery operations throughout the hierarchy from the central administration site. From the
central administration site, assign discovery methods to run at individual primary sites.
Manage security throughout the hierarchy by assigning different security roles, security scopes, and
collections to different administrative users. These configurations apply at each site in the hierarchy.
Configure replication to control communication between sites in the hierarchy. Schedule database
replication for site data, and manage the bandwidth for the transfer of file-based data between sites.

Determine when to use a primary site


Use primary sites to manage clients. Install a primary site as a child site below a central administration site, or as
the first site of a new hierarchy. A primary site that's the first site of a hierarchy creates a standalone primary
site. Both child primary sites and standalone primary sites support secondary sites.
Consider adding additional primary sites for the following reasons:
To increase the number of devices you can manage with a single hierarchy.
To meet organizational management requirements. For example, you might install a primary site at a
remote location to manage the transfer of deployment content across a low-bandwidth network.
Consider instead using options to throttle the network bandwidth when transferring data to a
distribution point. That content management capability can replace the need to install additional sites.
The following information can help you decide when to install a primary site:
A primary site can be a standalone primary site or a child primary site in a larger hierarchy. When a
primary site is a member of a hierarchy with a central administration site, the sites use database
replication to replicate data between the sites. Unless you need to support more clients and devices than
a single primary site supports, consider installing a standalone primary site. After you install a standalone
primary site, expand it if needed in the future to report to a new central administration site to scale up
your deployment.
A primary site supports only a central administration site as a parent site.
A primary site supports only secondary sites as child sites, and supports multiple secondary sites.
Primary sites are responsible for processing all client data from their assigned clients.
Primary sites use database replication to communicate directly to their central administration site. This
behavior is configured automatically when a new site installs.

Determine when to use a secondary site


Use secondary sites to manage the transfer of deployment content and client data across low-bandwidth
networks.
You manage a secondary site from a central administration site or the secondary site's direct parent primary
site. Secondary sites are attached to a primary site. You can't move them to a different parent site without
uninstalling them and then reinstalling them as a child site below the new primary site.
However, you can route content between two peer secondary sites to help manage the file-based replication of
deployment content. To transfer client data to a primary site, the secondary site uses file-based replication. A
secondary site also uses database replication to communicate with its parent primary site.
Consider installing a secondary site if any of the following conditions apply:
You don't require a local point of connectivity for an administrative user.
You're required to manage the transfer of deployment content to sites lower in the hierarchy.
You're required to manage client information that's sent to sites higher in the hierarchy.
If you don't want to install a secondary site, and you have clients in remote locations, consider the following
options:
Use peer-to-peer technologies such as Windows BranchCache
Enable distribution points for bandwidth control and scheduling
Use these content management options with or without secondary sites. They help reduce the size of your
Configuration Manager infrastructure. For more information about content management options in
Configuration Manager, see Determine when to use content management options.
The following information can help you decide when to install a secondary site:
If a local instance of SQL Server isn't available, secondary site servers automatically install SQL Server
Express during site installation.
Secondary site installation is initiated from the Configuration Manager console, instead of running setup
directly on a computer.
Secondary sites use a subset of the information in the site database. This behavior reduces the amount of
data that SQL Server replicates between the parent primary site and secondary site.
Secondary sites support the routing of file-based content to other secondary sites that have a common
parent primary site.
Secondary site installations automatically install the management point and distribution point site system
roles on the secondary site server.

Determine when to use content management options


If you have clients in remote network locations, consider using one or more content management options
instead of a primary or secondary site. The following options often remove the need to install a site:
Windows Delivery Optimization
Configuration Manager peer cache
Windows BranchCache
Configure distribution points for bandwidth control
Manually copy content to distribution points (prestage content)
If any of the following conditions apply, consider deploying a distribution point instead of installing another site:
Your network bandwidth is sufficient for client computers at the remote location to communicate with a
management point at the primary site. Clients communicate with a management point to download
client policy, send inventory, send reporting status, and send discovery information.
Background Intelligent Transfer Service (BITS) doesn't provide sufficient bandwidth control for your
network requirements.
For more information about content management options in Configuration Manager, see Fundamental concepts
for content management.

Beyond hierarchy topology


Along with your initial hierarchy topology, also consider the following questions:
Which site system roles provide services or capabilities from different sites in the hierarchy?
How are you managing hierarchy-wide configurations and capabilities in your infrastructure?
The following common considerations are covered in separate articles. This information is important to
influence or be influenced by your hierarchy design:
When you're preparing to Manage computers and devices, consider whether the devices are on-premises,
in the cloud, or include user-owned devices (BYOD). Additionally, consider how you'll manage devices that
support multiple management options. For example, manage Windows devices with Configuration
Manager or through integration with Microsoft Intune. For more information, see Choose a device
management solution.
Understand how your available network infrastructure might affect the flow of data between remote
locations. For more information, see Prepare your network environment. Also consider the geographic
location of your users and devices, and whether they access your infrastructure through your on-
premises network or the internet.
Plan for a content infrastructure to efficiently distribute the content you deploy to devices you manage.
This content may be applications, software updates, or operating systems. For more information, see
Manage content and content infrastructure.
Determine which features and capabilities of Configuration Manager you plan to use. Different features
require different site system roles or Windows infrastructure. In a multiple site hierarchy, decide where
you deploy them for the most efficient use of your network and server resources.
Consider security for data and devices, including the use of a public key infrastructure (PKI). For more
information, see PKI certificate requirements.

Next steps
Review the following articles for site-specific configurations:
Plan for the SMS Provider
Plan for the site database
Plan for site system servers and site system roles
Plan for security
Managing network bandwidth when deploying content within a site
Consider configurations that span sites and hierarchies
High availability options for sites and hierarchies
Extend the Active Directory schema and configure sites to publish site data
Data transfers between sites
Fundamentals of role-based administration
Manage clients on the internet
Plan for the SMS Provider
2/16/2022

Applies to: Configuration Manager (current branch)


To manage Configuration Manager, you use a Configuration Manager console that connects to an instance of the
SMS Provider. By default, an SMS Provider installs on the site server when you install a central administration
site (CAS) or primary site.

About
The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write
access to the Configuration Manager database at a site.
Each CAS and primary site requires at least one SMS Provider. You can install more providers as needed.
The SMS Admins security group provides access to the SMS Provider. Configuration Manager
automatically creates this group on the site server, and on each computer where you install an instance of
the SMS Provider. For more information, see SMS Admins.
Secondary sites don't support the SMS Provider role.
Configuration Manager administrative users use an SMS Provider to access information that's stored in the
database. To do so, admins can use the Configuration Manager console, Resource Explorer, tools, and custom
scripts. The SMS Provider doesn't interact with Configuration Manager clients. When a Configuration Manager
console connects to a site, it queries WMI on the site server to locate an instance of the SMS Provider to use.
The SMS Provider helps enforce Configuration Manager security. It returns only the information that the console
user is authorized to view.
The SMS Provider also provides API interoperability access over HTTPS, called the administration service.
This REST API can be used in place of a custom web service to access information from the site. For more
information, see What is the administration service?.

IMPORTANT
When each instance of the SMS Provider for a site is offline, Configuration Manager consoles can't connect to the site.

For more information about how to manage the SMS Provider, see Manage the SMS Provider.

Prerequisites
The SMS Provider has the following prerequisites:
In the same domain as the site server and the site database site systems
Can't have a site system role from a different site
Can't already have an SMS Provider from any site
Run a supported OS version
At least 650 MB of free disk space to support the Windows ADK components. For more information
about Windows ADK and the SMS Provider, see OS deployment requirements.
For the administration service REST API:
Starting in version 2107, the SMS Provider requires .NET version 4.6.2, and version 4.8 is
recommended. In version 2103 and earlier, this role requires .NET 4.5 or later. For more
information, see Site and site system prerequisites.
In version 2006 and earlier, enable the Windows server role Web Server (IIS). Starting in version
2010, this role is no longer required.

NOTE
Every SMS Provider attempts to install the administration service, which requires a certificate. This service
has a dependency on IIS to bind that certificate to HTTPS port 443. If you enable Enhanced HTTP, then
the site binds that certificate using IIS APIs. If your site uses PKI, you need to manually bind a PKI
certificate in IIS on the SMS Provider. Unless the server already has a PKI-based certificate, the site
automatically uses the site's self-signed certificate.

Locations
When you install a site, you automatically install the first SMS Provider for the site. You can specify any of the
following supported locations for the SMS Provider:
The site server
The site database server
Another server, which meets the installation prerequisites
To view the locations of each SMS Provider for a site:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and then select the Sites node.
2. Select a site from the list, and then choose Properties in the ribbon.
3. On the General tab of the site Properties, view the SMS Provider location field.
Each SMS Provider supports simultaneous connections from multiple requests. The only limitations on these
connections are the number of server connections that are available to Windows, and the available resources on
the server to service the connection requests.
After you install a site, you can run Configuration Manager setup on the site server again. Use setup to change
the location of an existing SMS Provider, or to install more SMS Providers at that site. Install only one SMS
Provider on a computer. A computer can't host an SMS Provider from more than one site.
Choosing a location
The following sections describe the advantages and disadvantages of installing an SMS Provider on each
supported location:
Configuration Manager site server
Advantages:
The SMS Provider doesn't use the system resources of the site database computer.
This location can provide better performance than an SMS Provider located on a computer other
than the site server or site database computer.
Disadvantages:
The SMS Provider uses system and network resources that could be dedicated to site server
operations.
SQL Server that hosts the site database
Advantages:
The SMS Provider doesn't use system resources on the site server.
This location can provide the best performance of the three locations, if sufficient server resources
are available.
Disadvantages:
The SMS Provider uses system and network resources that could be dedicated to site database
operations.
When the site database is hosted on a clustered instance of SQL Server, you can't use this location.
Computer other than the site server or site database server
Advantages:
SMS Provider doesn't use site server or site database system resources.
This type of location lets you deploy more SMS Providers to provide high availability for
connections.
Disadvantages:
The SMS Provider performance might be reduced. This behavior is because of the additional network
activity that it requires to coordinate with the site server and the site database computer.
This server must be always accessible to the site database server, and to all computers with the
Configuration Manager console installed.
This location can use system resources that would otherwise be dedicated to other services.

Authentication
You can specify the minimum authentication level for administrators to access Configuration Manager sites. This
feature requires administrators to sign in to Windows with the required level before they can access
Configuration Manager. It applies to all components that access the SMS Provider, for example the
Configuration Manager console, SDK methods, and Windows PowerShell cmdlets.
Configuration Manager supports the following authentication levels:
Windows authentication: Require authentication with Active Directory domain credentials. This setting
is the previous behavior, and the current default setting.
Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI
certificate authority. You don't configure this certificate in Configuration Manager. Configuration Manager
requires the administrator to be signed in to Windows using PKI.
Windows Hello for Business authentication: Require authentication with strong two-factor
authentication that's tied to a device and uses biometrics or a PIN. For more information, see Windows
Hello for Business.
IMPORTANT
When you select this setting, the SMS Provider and administration service require the user's authentication token
to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In other words, a user of
the console, SDK, PowerShell, or administration service has to authenticate to Windows with their Windows Hello
for Business PIN or biometric. Otherwise the site rejects the user's action.
This behavior is for Windows Hello for Business, not Windows Hello.

For more information on how to configure this setting, see Configure SMS Provider authentication.

SMS Provider languages


The SMS Provider operates independently of the display language of the server where you install it.
When an administrative user or Configuration Manager process requests data by using the SMS Provider, it
attempts to return that data in a format that matches the OS language of the requesting computer.
The way it attempts to match the language is indirect. The SMS Provider doesn't translate information from one
language to another. When it returns data for display in the Configuration Manager console, the display
language of the data depends on the source of the object and type of storage.
When Configuration Manager stores data for an object in the database, the available languages depend on the
following factors:
Configuration Manager stores objects that it creates by using support for multiple languages. It stores the
object in the site database by using the languages that you configure for the site when you run setup. The
Configuration Manager console displays these objects in the display language of the requesting
computer, when that language is available for the object. If the console can't display the object in the
display language of the requesting computer, it displays the object in the default language, which is
English.
Configuration Manager stores objects that an administrative user creates by using the language that was
used to create the object. These objects display in the Configuration Manager console in this same
language. The SMS Provider can't translate them, and they don't have multiple language options.

Use multiple SMS Providers


After a site completes installation, you can install more SMS Providers for the site. To install more SMS
Providers, run Configuration Manager setup on the site server.
Consider installing more SMS Providers when any of the following are true:
Many administrative users need to use the Configuration Manager console and connect to a site at the
same time.
You use the Configuration Manager SDK, or other products, that might introduce frequent calls to the
SMS Provider.
You have a business requirement for high availability of the SMS Provider.
When you install multiple SMS Providers at a site, and a connection request is made, the site randomly assigns
each new connection request to use an installed SMS Provider. You can't specify the SMS Provider to use with a
specific connection session.
NOTE
Consider the advantages and disadvantages of each SMS Provider location. For more information, see Locations. Balance
these considerations with the information that you can't control which SMS Provider is used for each new connection.

When you first connect a Configuration Manager console to a site, the connection queries WMI on the site
server. This query identifies an instance of the SMS Provider that the console uses. This specific instance of the
SMS Provider remains in use by the console until the session ends. If the session ends because the SMS
Provider server is unavailable on the network, when you reconnect the console to the site, it repeats the initial
query. It's possible the site assigns the same SMS Provider instance that's not available. If this behavior occurs,
attempt to reconnect the console until the site returns an available SMS Provider.

SMS Provider namespace


The Configuration Manager WMI schema defines the structure of the SMS Provider. Schema namespaces
describe the location of Configuration Manager data within the SMS Provider schema. The following table
contains some of the common namespaces that the SMS Provider uses:

NAMESPACE | DESCRIPTION

Root\SMS\site_<site code> | The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts.

Root\SMS\SMS_ProviderLocation | The location of the SMS Provider computers for a site.

Root\CIMv2 | The location inventoried for WMI namespace information during hardware and software inventory.

Root\CCM | Configuration Manager client configuration policies and client data.

Root\CIMv2\SMS | The location of inventory reporting classes that the inventory client agent collects. Clients compile these settings during computer policy evaluation. These settings are based on the client settings configuration for the computer.
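The following PowerShell script is an added example, not code from the Configuration Manager documentation or product. It does by hand what the console does when it first connects to a site: it queries Root\SMS\SMS_ProviderLocation on the site server to find the registered SMS Providers, picks one for the local site, and then queries the site namespace Root\SMS\site_<site code> on that provider's host. Because each provider host is a computer on which the SMS Admins group grants read and write reach into the site database, the first table it prints is the inventory an administrator would review when deciding where providers are allowed to live. The server name, and the requirement that the caller is a member of SMS Admins, are assumptions; the class property names (SiteCode, Machine, NamespacePath, ProviderForLocalSite on SMS_ProviderLocation; ServerName, SiteName, Version on SMS_Site) are the product's existing WMI schema.

```powershell
# Added example (not from the Configuration Manager docs or product code).
# Assumptions: the account running this is a member of SMS Admins on every
# provider host, WMI/DCOM is reachable, and the site server name below is a
# constructed placeholder.
param(
    [string]$SiteServer = 'cm01.contoso.example'   # constructed placeholder, replace with your site server
)

# Step 1: ask WMI on the site server which SMS Providers are registered for
# this site. This is the same lookup a console performs on first connection.
$providers = Get-CimInstance -ComputerName $SiteServer `
                             -Namespace 'root\SMS' `
                             -ClassName 'SMS_ProviderLocation'

if (-not $providers) {
    # With every provider offline or unregistered, no console can connect to the site.
    throw "No SMS Provider is registered on $SiteServer."
}

# Inventory of provider hosts. Any machine in this list is a host where
# SMS Admins has database-level reach, so the list is worth reviewing.
$providers |
    Select-Object SiteCode, Machine, NamespacePath, ProviderForLocalSite |
    Format-Table -AutoSize

# Step 2: choose a provider that serves the local site. The site assigns
# connections randomly, so taking the first one mirrors "any available provider".
$local = $providers | Where-Object { $_.ProviderForLocalSite } | Select-Object -First 1
if (-not $local) {
    throw "SMS_ProviderLocation lists no provider for the local site on $SiteServer."
}

$siteCode  = $local.SiteCode
$namespace = "root\SMS\site_$siteCode"   # the Root\SMS\site_<site code> namespace from the table above

# Step 3: query the site namespace on the provider host. Note that the host may
# be the site server, the site database server, or a separate computer.
$site = Get-CimInstance -ComputerName $local.Machine `
                        -Namespace $namespace `
                        -ClassName 'SMS_Site' `
                        -Filter "SiteCode='$siteCode'"

[pscustomobject]@{
    SiteCode      = $siteCode
    SiteName      = $site.SiteName
    SiteServer    = $site.ServerName
    Version       = $site.Version
    ProviderHost  = $local.Machine
    Namespace     = $namespace
}
```

If the second query fails while the first succeeded, the console behaviour described in the "Use multiple SMS Providers" section is what you are seeing: the site handed out a provider instance that is not currently reachable, and the lookup in step 1 should be repeated until an available host is returned.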

OS deployment requirements
The computer where you install an instance of the SMS Provider requires a supported version of the Windows
ADK.
For more information about this requirement, see Infrastructure requirements for OS deployment and Support
for the Windows ADK.
When you manage OS deployments, the Windows ADK allows the SMS Provider to complete various tasks, such
as:
View WIM file details
Add driver files to existing boot images
Create boot ISO files
The Windows ADK installation can require up to 650 MB of free disk space on each computer that installs the
SMS Provider. This high disk space requirement is necessary for Configuration Manager to install the Windows
PE boot images.

Administration service
The SMS Provider provides API interoperability access over an HTTPS OData connection, called the
administration ser vice . This REST API can be used in place of a custom web service to access information
from the site.
For more information, see What is the administration service?

Next steps
Manage the SMS Provider
Configure authentication for the SMS Provider
Plan for the site database
Plan for the site database for Configuration
Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The site database server is a computer that runs a supported version of Microsoft SQL Server. SQL Server is
used to store information for Configuration Manager sites. Each site in a Configuration Manager hierarchy
contains a site database and a server that is assigned the site database server role.
For central administration sites and primary sites, you can install SQL Server on the site server, or you
can install SQL Server on a computer other than the site server.
For secondary sites, you can use SQL Server Express instead of a full SQL Server installation. The
database server must, however, be run on the secondary site server.
For SQL Server Always On availability groups, set the database recovery model to FULL.
For non-availability group configurations, set the database recovery model to SIMPLE.
For more information on SQL Server recovery models, see Recovery Models (SQL Server).
The following SQL Server configurations can be used to host the site database:
The default instance of SQL Server
A named instance on a single computer running SQL Server
A named instance on a failover cluster instance of SQL Server
A SQL Server Always On availability group
To host the site database, the SQL Server must meet the requirements detailed in Support for SQL Server
versions for Configuration Manager.
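The recovery model rule above (FULL when the site database is in an Always On availability group, SIMPLE otherwise) is easy to get wrong when a database is moved between instances, and a mismatch is only noticed when a backup or failover misbehaves. The script below is an added example, not part of the Configuration Manager documentation or product: it reads the current recovery model and availability group membership from the SQL Server catalog views and reports whether they agree with the guidance. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the caller can read sys.databases on the instance; the instance and database names are constructed placeholders.

```powershell
# Added example (not from the Configuration Manager docs or product code).
# Requires the SqlServer module (Invoke-Sqlcmd) and VIEW ANY DATABASE / public
# access to sys.databases on the instance. Both names below are constructed.
param(
    [string]$ServerInstance = 'cmsql01.contoso.example',   # constructed placeholder
    [string]$Database       = 'CM_PS1'                     # constructed placeholder (CM_<site code>)
)

# Single-quoted here-string so that $(DbName) is left for Invoke-Sqlcmd's own
# variable substitution rather than being expanded by PowerShell.
$query = @'
SELECT d.name,
       d.recovery_model_desc,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.availability_databases_cluster AS adc
                         WHERE adc.database_name = d.name)
            THEN 1 ELSE 0 END AS in_availability_group
FROM sys.databases AS d
WHERE d.name = N'$(DbName)';
'@

$row = Invoke-Sqlcmd -ServerInstance $ServerInstance `
                     -Database 'master' `
                     -Query $query `
                     -Variable "DbName=$Database"

if (-not $row) {
    throw "Database '$Database' was not found on $ServerInstance."
}

# Apply the rule from the planning text: FULL inside an availability group,
# SIMPLE for any other configuration.
$expected = if ($row.in_availability_group -eq 1) { 'FULL' } else { 'SIMPLE' }
$actual   = [string]$row.recovery_model_desc

$result = [pscustomobject]@{
    Database              = $row.name
    InAvailabilityGroup   = [bool]$row.in_availability_group
    RecoveryModel         = $actual
    ExpectedRecoveryModel = $expected
    Compliant             = ($actual -eq $expected)
}

if (-not $result.Compliant) {
    Write-Warning ("Site database {0} uses recovery model {1}; the planning guidance " +
                   "expects {2} for this configuration.") -f $result.Database, $actual, $expected
}

$result
```

The check only reports; changing the recovery model is a deliberate operational step (it affects log growth and backup strategy), so the script leaves the ALTER DATABASE to the administrator after the result has been reviewed.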

Remote database server location considerations


If you use a remote database server computer, ensure that the intervening network connection is a high-
availability, high-bandwidth network connection. The site server and some site system roles must constantly
communicate with the remote server that is hosting the site database.
The amount of bandwidth required for communications to the database server depends on a
combination of many different site and client configurations. Therefore, the actual bandwidth required
cannot be adequately predicted.
Each computer that runs the SMS Provider and that connects to the site database increases network
bandwidth requirements.
The computer that runs SQL Server must be located in a domain that has two-way trust with the site
server and all computers running the SMS Provider.
You can't use a failover cluster instance of SQL Server for the site database server when the site database
is co-located with the site server.
Typically, a site system server supports site system roles from only a single Configuration Manager site. You can,
however, use different instances of SQL Server to host a database from different Configuration Manager sites. To
support databases from different sites, configure each instance of SQL Server to use unique ports for
communication.
Plan for site system servers and site system roles in
Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Each Configuration Manager site you install includes a site server that's a site system server. The site can also
include additional site system servers on computers that are remote from the site server. Site system servers
(the site server or a remote site system server) support site system roles.

Site system servers


When you install a site system role on a computer, that computer becomes a site system server. At each site, you
can install one or more additional site system servers. You don't have to install additional site system servers,
and can choose to run all site system roles directly on the site server computer. Each site system server supports
one or more site system roles. Additional servers can help expand the capabilities and capacity of a site by
sharing the processing load that site system roles place on a server.
When considering the addition of a site system server, ensure the server meets prerequisites for the intended
use. Also add it on a network location that has sufficient bandwidth to communicate with expected endpoints.
These endpoints include the site server, domain resources, a cloud-based location, site system servers, and
clients.

Site system roles


Install site system roles on a server to provide additional capabilities to the site. Examples include:
Additional management points so that the site can support more devices, up to the site's supported
capacity.
Additional distribution points to expand your content infrastructure, improving the performance of
content distributions to devices.
One or more feature-specific site system roles. For example, a software update point lets you manage
software updates for managed devices. A reporting services point lets you run reports to monitor,
understand, and share information about your environment.
Different Configuration Manager sites can support different sets of site system roles. The supported set of site
system roles depends on the type of site. (The types of sites include a central administration site, primary sites,
or secondary sites.) The topology of your hierarchy can limit the placement of some roles at certain site types.
For example, the service connection point is only supported at the top-tier site of the hierarchy. The top-tier site
might be a central administration site or a standalone primary site. This role isn't supported at a child primary
site or at secondary sites.
After a site installs, you can move the location of some site system roles from their default location on the site
server to another server. For example, the management point or distribution point roles install by default on a
primary or secondary site server. Also install additional instances of some site system roles to expand the
capabilities of your site, and to meet your business requirements. Some roles are required, while others are
optional.
Configuration Manager site server
This role identifies the server where Configuration Manager setup is run to install a site, or the server on which
you install a secondary site. You can't move or uninstall this role until the site is uninstalled.
Configuration Manager site system
This role is assigned to any computer on which you either install a site or install a site system role. You can't
move or uninstall this role until you remove the last site system role from the computer.
Configuration Manager component site system role
This role identifies a site system that runs an instance of the SMS Executive service. It's required to support
other roles, like management points. You can't move or uninstall this role until you remove the last applicable
site system role from the computer.
Configuration Manager site database server
The site assigns this role to site system servers that hold an instance of the site database. Only move this role to
a new server by running setup to modify the site to use a different instance of SQL Server to host the site
database.
SMS Provider
The site assigns this role to each computer that hosts an instance of the SMS Provider. The provider is the
interface between a Configuration Manager console and the site database. By default, this role automatically
installs on the site server of a central administration site and primary sites. Install additional instances at each
site to provide access to additional administrative users or for redundancy.
To install additional providers, run Configuration Manager setup to Manage the SMS Provider. Then install
additional providers on additional computers. Only install one instance of the SMS Provider on a computer. That
computer must be in the same domain as the site server.
Asset Intelligence synchronization point

IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Introduction
to asset intelligence in Configuration Manager.

A site system role that connects to Microsoft to download information for the Asset Intelligence catalog. This
role also uploads uncategorized titles, so that Microsoft can consider them for future inclusion in the catalog. A
hierarchy supports only a single instance of this role at the top-tier site of your hierarchy. If you expand a
standalone primary site into a larger hierarchy, uninstall this role from the primary site. Then install it at the
central administration site.
For more information, see Asset Intelligence in Configuration Manager.
Certificate registration point
A site system role that communicates with a server that runs the Network Device Enrollment Service (NDES).
This role manages device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP). This
role is supported only at primary sites and the central administration site.
Although a single certificate registration point can provide functionality to an entire hierarchy, you may want to
install multiple instances of this role at a site, and at multiple sites in the same hierarchy. This design helps with
load balancing. When multiple instances exist in a hierarchy, clients are randomly assigned to one of the
certificate registration points.
Each certificate registration point requires access to a separate NDES instance. You can't configure two or more
certificate registration points to use the same NDES instance. Additionally, don't install the certificate registration
point on the same server that runs NDES.
Cloud management gateway connection point
A site system role for communicating with the cloud management gateway.
Data warehouse service point
Use the data warehouse service point to store and report on long-term historical data in your Configuration
Manager environment. For more information, see Data warehouse.
Distribution point
A site system role that contains source files for clients to download, for example:
Application content
Software packages
Software updates
OS images
Boot images
By default, this role installs on the site server when you install a new primary or secondary site. This role isn't
supported at a central administration site. Install multiple instances of this role at a supported site, and at
multiple sites in the same hierarchy. For more information, see Fundamental concepts for content management,
and Manage content and content infrastructure.
Endpoint Protection point
A site system role that Configuration Manager uses to accept the Endpoint Protection license terms, and to
configure the default membership for Cloud Protection Service. A hierarchy only supports a single instance of
this role, and that must be at the top-tier site. If you expand a standalone primary site into a larger hierarchy,
uninstall this role from the primary site, and then install it at the central administration site. For more
information, see Endpoint Protection in Configuration Manager.
Enrollment point

IMPORTANT
With the deprecation of on-premises MDM and the Configuration Manager client for macOS, this site system role is also
deprecated. For more information, see Removed and deprecated features for Configuration Manager.

A site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and macOS
computers. Although this role is supported only at primary sites, you can install multiple instances of this role at
a site, or at multiple sites in the same hierarchy.
If a user enrolls mobile devices by using Configuration Manager, and the user's Active Directory account is in a
forest that's untrusted by the site server's forest, install an enrollment point in the user's forest. Then
Configuration Manager can authenticate the user.
Enrollment proxy point

IMPORTANT
With the deprecation of on-premises MDM and the Configuration Manager client for macOS, this site system role is also
deprecated. For more information, see Removed and deprecated features for Configuration Manager.

A site system role that manages Configuration Manager enrollment requests from mobile devices and macOS
computers. Although this role is supported only at primary sites, you can install multiple instances of this role at
a site, or at multiple sites in the same hierarchy.
When you support mobile devices on the internet, install an enrollment proxy point in a perimeter network, and
install one on the intranet.
Exchange Server connector
For information about this role, see Manage mobile devices with Configuration Manager and Exchange.
Fallback status point
A site system role that helps you monitor client installation. It identifies clients that are unmanaged because they
can't communicate with their management point. Although this role is supported only at primary sites, you can
install multiple instances of this role at a site, and at multiple sites in the same hierarchy.
Management point
A site system role that provides policy and service location information to clients. It also receives configuration
data from clients.
By default, this role installs on the site server when you install a new primary or secondary site. Primary sites
support multiple instances of this role. Secondary sites support a single management point. Also referred to as
a proxy management point, this role at a secondary site provides a local point of contact for clients to obtain
computer and user policies.
Set up management points to support either HTTP or HTTPS. They can also support mobile devices that you
manage with Configuration Manager on-premises mobile device management (MDM). To help reduce the
processing load placed on the site database server by management points as they service requests from clients,
use database replicas for management points.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Reporting services point


A site system role that integrates with SQL Server Reporting Services to create and manage reports for
Configuration Manager. This role is supported at primary sites and the central administration site, and you can
install multiple instances of this role at a supported site. For more information, see Planning for reporting.
Service connection point
A site system role that uploads usage data from your site, and is required to make updates for Configuration
Manager available in the console. A hierarchy only supports a single instance of this role, and that must be at
the top-tier site of your hierarchy. If you expand a standalone primary site into a larger hierarchy, uninstall this
role from the primary site, and then install it at the central administration site. For more information, see About
the service connection point.
Software update point
A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to
Configuration Manager clients. This role is supported at all sites:
Install this site system at the central administration site to synchronize with WSUS.
Set up each instance of this role at child primary sites to synchronize with the central administration site.
When data transfer across the network is slow, consider installing a software update point in secondary
sites.
For more information, see Plan for software updates.
State migration point
When you migrate a computer to a new operating system, this site system role stores user state data. This role is
supported at primary sites and at secondary sites. Install multiple instances of this role at a site, and at multiple
sites in the same hierarchy. For more information about storing user state when you deploy an OS, see Manage
user state.

Next steps
Some Configuration Manager site system roles require connections to the internet. If your environment requires
internet traffic to use a proxy server, configure these site system roles to use the proxy. For more information,
see Proxy server support.
Fundamental concepts for content management in
Configuration Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports a robust system of tools and options to manage software content. Software
deployments such as applications, packages, software updates, and OS deployments all need content.
Configuration Manager stores the content on both site servers and distribution points. This content requires a
large amount of network bandwidth when it's being transferred between locations. To plan and use the content
management infrastructure effectively, first understand the available options and configurations. Then consider
how to use them to best fit your networking environment and content deployment needs.

TIP
For more information about the content distribution process and to find help in diagnosing and resolving general content
distribution problems, see Understanding and Troubleshooting Content Distribution in Microsoft Configuration Manager.

The following sections are key concepts for content management. When a concept requires additional or
complex information, links are provided to direct you to those details.

Accounts used for content management


The following accounts can be used with content management:
Network access account
Used by clients to connect to a distribution point and access content. If allowed, the client first tries anonymous
authentication. Then it tries Windows-integrated authentication with the computer account or network access
account. For more information, see Client to distribution point communication.
This account is also used by pull-distribution points to download content from a source distribution point in a
remote forest.
Some scenarios no longer require a network access account. You can enable the site to use Enhanced HTTP with
Azure Active Directory authentication.
For more information, see Network access account.
Package access account
By default, Configuration Manager grants access to content on a distribution point to the generic access
accounts Users and Administrators. However, you can configure additional permissions to restrict access.
For more information, see Package access account.

Bandwidth throttling and scheduling


Both throttling and scheduling are options that help you control when content is distributed from a site server
to distribution points. These capabilities are similar to, but not directly related to bandwidth controls for site-to-
site file-based replication.
For more information, see Manage network bandwidth.
Binary differential replication
Configuration Manager uses binary differential replication (BDR) to update content that you previously
distributed to other sites or to remote distribution points. To support BDR's reduction of bandwidth usage, install
the Remote Differential Compression feature on distribution points. For more information, see Distribution
point prerequisites.
BDR minimizes the network bandwidth used to send updates for distributed content. It resends only the new or
changed content instead of sending the entire set of content source files each time you change those files.
When BDR is used, Configuration Manager identifies the changes that occur to source files for each set of
content that you previously distributed.
When files in the source content change, the site creates a new incremental version of the content. It then
replicates only the changed files to destination sites and distribution points. A file is considered changed
if you renamed or moved it, or if you changed the contents of the file. For example, if you replace a single
driver file for a driver package that you previously distributed to several sites, only the changed driver file
is replicated.
Configuration Manager supports up to five incremental versions of a content set before it resends the
entire content set. After the fifth update, the next change to the content set causes the site to create a new
version of the content set. Configuration Manager then distributes the new version of the content set to
replace the previous set and any of its incremental versions. After the new content set is distributed, later
incremental changes to the source files are again replicated by BDR.
BDR is supported between each parent and child site in a hierarchy. BDR is supported within a site between the
site server and its regular distribution points. However, pull-distribution points and content-enabled cloud
management gateways don't support BDR to transfer content. Pull-distribution points support file-level deltas,
transferring new files, but not blocks within a file.
Applications always use binary differential replication. BDR is optional for packages and isn't enabled by default.
To use BDR for packages, enable this functionality for each package. Select the option Enable binary
differential replication when you create or edit a package.
BDR or delta replication
The following lists summarize the differences between binary differential replication (BDR) and delta replication.
Summary of binary differential replication
Configuration Manager's term for Windows Remote Differential Compression
Block-level differences
Always enabled for apps
Optional on legacy packages
If a file already exists on the distribution point, and there's a change, the site uses BDR to replicate the block-
level change instead of the entire file. This behavior only applies when you enable the object to use BDR.
Summary of delta replication
File-level differences
On by default, not configurable
When a package changes, the site checks for changes to the individual files instead of the entire package.
If a file changes, use BDR to do the work
If there's a new file, copy the new file

Peer caching technologies


Configuration Manager supports several options for managing content between peer devices on the same
network:
BranchCache
Delivery Optimization
Configuration Manager peer cache
Use the following table to compare major features of these technologies:

| Feature | Peer cache | Delivery Optimization | BranchCache |
|---|---|---|---|
| Across subnets | Yes | Yes | No |
| Throttle bandwidth | Yes (BITS) | Yes (native) | Yes (BITS) |
| Partial content | Yes | Yes | Yes |
| Control cache size on disk | Yes | Yes | Yes |
| Peer source discovery | Manual (client setting) | Automatic | Automatic |
| Peer discovery | Via management point using boundary groups | DO cloud service | Broadcast |
| Reporting | Client data sources dashboard | Client data sources dashboard | Client data sources dashboard |
| WAN usage control | Boundary groups | DO GroupID | Subnet only |
| Supported content | All ConfigMgr content | Windows updates, drivers, store apps | All ConfigMgr content |
| Policy control | Client agent settings | Client agent settings (partial) | Client agent settings |

Recommendations
Modern management: If you're already using modern tools such as Intune, implement Delivery
Optimization
Configuration Manager and co-management: Use a combination of peer cache and Delivery
Optimization. Use peer cache with on-premises distribution points, and use Delivery Optimization for
cloud scenarios.
Existing BranchCache implemented: Use all three technologies in parallel. Use peer cache and Delivery
Optimization for scenarios that aren't supported by BranchCache.

BranchCache
BranchCache is a Windows technology. Clients that support BranchCache, and have downloaded a deployment
that you configure for BranchCache, then serve as a content source to other BranchCache-enabled clients.
For example, you have a distribution point that runs Windows Server 2012 or later, and is configured as a
BranchCache server. When the first BranchCache-enabled client requests content from this server, the client
downloads that content and caches it.
That client then makes the content available for additional BranchCache-enabled clients on the same subnet
that also cache the content.
Other clients on the same subnet don't have to download content from the distribution point.
The content is distributed across multiple clients for future transfers.
For more information, see Support for Windows BranchCache.

Delivery Optimization
You use Configuration Manager boundary groups to define and regulate content distribution across your
corporate network and to remote offices. Windows Delivery Optimization is a cloud-based, peer-to-peer
technology to share content between Windows 10 or later devices. Configure Delivery Optimization to use your
boundary groups when sharing content among peers. Client settings apply the boundary group identifier as the
Delivery Optimization group identifier on the client. When the client communicates with the Delivery
Optimization cloud service, it uses this identifier to locate peers with the content. For more information, see
delivery optimization client settings.
Delivery Optimization is the recommended technology to optimize Windows update delivery of express
installation files for Windows quality updates. Internet access to the Delivery Optimization cloud service is a
requirement to utilize its peer-to-peer functionality. For information about the needed internet endpoints, see
Frequently asked questions for Delivery Optimization. Delivery Optimization can be used for all Windows updates.
For more information, see optimize Windows update delivery.

Microsoft Connected Cache


You can install a Microsoft Connected Cache server on your distribution points. By caching this content
on-premises, your clients can benefit from the Delivery Optimization feature while you also help to protect WAN links.

NOTE
This feature was previously known as Delivery Optimization In-Network Cache.

This cache server acts as an on-demand transparent cache for content downloaded by Delivery Optimization.
Use client settings to make sure this server is offered only to the members of the local Configuration Manager
boundary group.
This cache is separate from Configuration Manager's distribution point content. If you choose the same drive as
the distribution point role, it stores content separately.
For more information, see Microsoft Connected Cache in Configuration Manager.

Peer cache
Client peer cache helps you manage deployment of content to clients in remote locations. Peer cache is a built-in
Configuration Manager solution that enables clients to share content with other clients directly from their local
cache.
First deploy client settings that enable peer cache to a collection. Then members of that collection can act as a
peer content source for other clients in the same boundary group.
Client peer cache sources can divide content into parts. These parts minimize the network transfer to reduce
WAN utilization. The management point provides more detailed tracking of the content parts. It tries to
eliminate more than one download of the same content per boundary group.
For more information, see Peer cache for Configuration Manager clients.

Windows PE peer cache


When you deploy a new OS with Configuration Manager, computers that run the task sequence can use
Windows PE peer cache. They download content from a peer cache source instead of from a distribution point.
This behavior helps minimize WAN traffic in branch office scenarios where there's no local distribution point.
For more information, see Windows PE peer cache.

Windows LEDBAT
Windows Low Extra Delay Background Transport (LEDBAT) is a network congestion control feature of Windows
Server to help manage background network transfers. For distribution points running on supported versions of
Windows Server, enable an option to help adjust network traffic. Then clients only use network bandwidth when
it's available.
For more information on Windows LEDBAT in general, see the New transport advancements blog post.
For more information on how to use Windows LEDBAT with Configuration Manager distribution points, see the
setting to Adjust the download speed to use the unused network bandwidth (Windows LEDBAT)
when you Configure the general settings of a distribution point.

Client locations
The following are locations that clients access content from:
Intranet (on-premises):
Distribution points can use HTTP or HTTPS.
Only use a content-enabled cloud management gateway for fallback when on-premises
distribution points aren't available.
Internet:
Requires internet-facing distribution points to accept HTTPS.
Can use a content-enabled cloud management gateway.
Workgroup:
Requires distribution points to accept HTTPS.
Can use a content-enabled cloud management gateway.

Content source priority


When a client needs content, it makes a content location request to the management point. The management
point returns a list of source locations that are valid for the requested content. This list varies depending upon
the specific scenario, technologies in use, site design, boundary groups, and deployment settings. For example,
when a task sequence runs, the full Configuration Manager client isn't always running, so the behaviors may
differ.
The following list contains all of the possible content source locations that the Configuration Manager client can
use, in the order in which it prioritizes them:
1. The distribution point on the same computer as the client
2. A peer source in the same network subnet
3. A distribution point in the same network subnet
4. A peer source in the same boundary group
5. A distribution point in the current boundary group
6. A distribution point in a neighbor boundary group configured for fallback
7. A distribution point in the default site boundary group
8. The Windows Update cloud service
9. An internet-facing distribution point
10. A content-enabled cloud management gateway in Azure
Delivery Optimization isn't applicable to this source prioritization. This list is how the Configuration Manager
client finds content. The Windows Update Agent downloads content for Delivery Optimization. If the Windows
Update Agent can't find the content, then the Configuration Manager client uses this list to search for it.
BranchCache applies to this list only when you enable a distribution point for BranchCache. For example, if a
client gets to option #3 in the prioritization list, it first asks the distribution point for BranchCache metadata. The
BranchCache-enabled distribution point is what provides the client information for BranchCache peer discovery.
The client will download content from a BranchCache peer if it can. If it can't download the content via
BranchCache, it then tries the distribution point itself, before continuing down the list of content sources. This
behavior applies at any point in the priority list where the client uses a BranchCache-enabled distribution point.
The configuration of boundary group options can modify the sort order of this priority list.

Content library
The content library is the single-instance store of content in Configuration Manager. This library reduces the
overall size of content that you distribute.
Learn more about the content library.
Use the content library cleanup tool to remove content that is no longer associated with an application.

Distribution points
Configuration Manager uses distribution points to store files that are required for software to run on client
computers. Clients must have access to at least one distribution point from which they can download the files
for content that you deploy.
The basic (non-specialized) distribution point is commonly referred to as a standard distribution point. There are
two variations on the standard distribution point that receive special attention:
Pull-distribution point: A variation of a distribution point where the distribution point obtains content
from another distribution point (a source distribution point). This process is similar to how clients
download content from distribution points. Pull-distribution points can help you avoid network
bandwidth bottlenecks that occur when the site server must directly distribute content to each
distribution point. For more information, see Use a pull-distribution point.
Content-enabled cloud management gateway: A variation of a distribution point that's installed on
Microsoft Azure. For more information, see Cloud management gateway overview.
Standard distribution points support a range of configurations and features:
Use controls such as schedules or bandwidth throttling to help control this transfer.
Use other options, including prestaged content, and pull-distribution points to minimize and
control network consumption.
BranchCache, peer cache, and Delivery Optimization are peer-to-peer technologies to reduce the
network bandwidth that's used when you deploy content.
There are different configurations for OS deployments, such as PXE and Multicast
Options for mobile devices
Cloud and pull distribution points support many of these same configurations, but have limitations that are
specific to each distribution point variation.

Distribution point groups


Distribution point groups are logical groupings of distribution points that can simplify content distribution.
For more information, see Manage distribution point groups.

Distribution point priority


The distribution point priority value is based on how long it took to transfer previous deployments to that
distribution point.
This value is self-tuning. It's set on each distribution point to help Configuration Manager more quickly
transfer content to more distribution points.
When you distribute content to multiple distribution points at the same time, or to a distribution point
group, the site first sends the content to the server with the highest priority. Then it sends that same
content to a distribution point with a lower priority.
Distribution point priority doesn't replace the distribution priority for packages. Package priority remains
the deciding factor of when the site sends different content.
For example, you have a package that has a high package priority. You distribute it to a server with a low
distribution point priority. This high priority package always transfers before a package that has a lower priority.
The package priority applies even if the site distributes lower priority packages to servers with higher
distribution point priorities.
The high priority of the package ensures that Configuration Manager distributes that content to distribution
points before it sends any packages with a lower priority.

NOTE
Pull-distribution points also use a concept of priority to order the sequence of their source distribution points.
The distribution point priority for content transfers to the server is distinct from the priority that pull-distribution
points use. Pull-distribution points use their priority when they search for content from a source distribution point.
For more information, see Use a pull-distribution point.

Fallback
Several things have changed with Configuration Manager current branch in the way that clients find a
distribution point that has content, including fallback.
Clients that can't find content from a distribution point that's associated with their current boundary group fall
back to use content source locations associated with neighbor boundary groups. To be used for fallback, a
neighbor boundary group must have a defined relationship with the client's current boundary group. This
relationship includes a configured time that must pass before a client that can't find content locally includes
content sources from the neighbor boundary group as part of its search.
The concepts of preferred distribution points are no longer used, and settings for Allow fallback source
locations for content are no longer available or enforced.
For more information, see Boundary groups.
Network bandwidth
To help manage the amount of network bandwidth that's used when you distribute content, you can use the
following options:
Prestaged content: Transferring content to a distribution point without distributing the content across
the network.
Scheduling and throttling: Configurations that help you control when and how content is distributed
to distribution points.
For more information, see Manage network bandwidth.

Network connection speed to content source


Several things have changed with Configuration Manager current branch in the way that clients find a
distribution point that has content. These changes include the network speed to a content source.
Network connection speeds that define a distribution point as Fast or Slow are no longer used. Instead, each
site system that's associated with a boundary group is treated the same.
For more information, see Boundary groups.

On-demand content distribution


On-demand content distribution is an option for individual application and package deployments. This option
enables on-demand content distribution to preferred servers.
To enable this setting for a deployment, enable Distribute the content for this package to
preferred distribution points.
When you enable this option for a deployment, and a client requests that content but the content isn't
available on any of the client's preferred distribution points, Configuration Manager automatically
distributes that content to the client's preferred distribution points.
Although this triggers Configuration Manager to automatically distribute the content to that client's
preferred distribution points, the client might obtain that content from other distribution points before
the preferred distribution points for the client receive the deployment. When this behavior occurs, the
content will then be present on that distribution point for use by the next client that seeks that
deployment.
For more information, see Boundary groups.

Package transfer manager


Package transfer manager is the site server component that transfers content to distribution points on other
computers.
For more information, see Package transfer manager.

Prestage content
Prestaging content is a process of transferring content to a distribution point without distributing the content
across the network.
For more information, see Manage network bandwidth.
Use a pull-distribution point with Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


When you distribute content to a standard distribution point in the Configuration Manager console, the site
server pushes the content to the distribution point. A pull-distribution point instead gets content by downloading
it from a source location, much like a client does.
When you distribute content to many distribution points, pull-distribution points help reduce the processing
load on the site server. They can also speed the content transfer to each server. Normally the distribution
manager component on the site server sends content to each distribution point. Instead, the site offloads the
process of transferring the content to the pull-distribution points.
You configure individual distribution points to be pull-distribution points. For each pull-distribution point,
specify one or more source distribution points from which it can get content. A pull-distribution point can only
download content from a distribution point that you specify as a source distribution point.
When you distribute content to a pull-distribution point in the console, the site server sends it a notification. The
pull-distribution point then downloads the content from a source distribution point. A pull-distribution point
manages the content transfer by downloading from a distribution point that already has a copy of the content.
Pull-distribution points support the same configurations and functionality as typical distribution points. For
example, a pull-distribution point supports:
Multicast and PXE configurations
Content validation
On-demand content distribution
HTTP or HTTPS communications from clients
The same certificate options as other distribution points
Manage individually or as a member of a distribution point group
Configure a pull-distribution point when you install the distribution point. After you create a distribution point,
configure it as a pull-distribution point by editing the role properties. For more information on how to enable a
distribution point as a pull-distribution point, see Pull-distribution point.
Remove the configuration to be a pull-distribution point by editing the properties of the distribution point.
When you remove the configuration as a pull-distribution point, it returns to normal operation. The site server
manages future content transfers to the distribution point.

Distribution process
When you distribute content to a pull-distribution point, the following sequence of events occurs:
Once you distribute content to a pull-distribution point in the console, the Package Transfer Manager
component on the site server checks the site database to confirm if the content is available on a source
distribution point. If it can't confirm that the content is on a source distribution point for the pull-
distribution point, it repeats the check every 20 minutes until the content is available.
When the Package Transfer Manager confirms that the content is available, it notifies the pull-distribution
point to download the content. If this notification fails, it retries based on the Software Distribution
component Retry settings for pull-distribution points. When the pull-distribution point receives this
notification, it tries to download the content from its source distribution points.
While the pull-distribution point downloads the content, the Package Transfer Manager polls the status
based on the Software Distribution component Status polling settings for pull-distribution points.
When the pull-distribution point completes the download of content, it submits this status to a
management point.

Configure site component settings


When you use a pull-distribution point, review and configure the following site component settings:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the site. In the ribbon, select Configure Site Components , and select Software Distribution .
3. Switch to the Pull Distribution Point tab.
4. In the Retry settings group, review the following values:
Number of retries: The number of times that the Package Transfer Manager tries to notify the
pull-distribution point to download the content. After it tries this number of times, the Package
Transfer Manager cancels the transfer. This value is 30 by default.
Delay before retrying (minutes): The number of minutes that the Package Transfer Manager
waits between attempts. This value is 20 by default.
5. In the Status polling settings group, review the following values:
Number of polls: The number of times that the Package Transfer Manager contacts the pull-
distribution point to retrieve the job status. If it tries this number of times before the job
completes, the Package Transfer Manager cancels the transfer. This value is 72 by default.
Delay before retrying (minutes): The number of minutes that the Package Transfer Manager
waits between attempts. This value is 60 by default.

NOTE
When the Package Transfer Manager cancels a job because it exceeds the number of polling retries, the pull-
distribution point continues to download the content. When it finishes, the pull-distribution point sends the
appropriate status message, and the console reflects the new status.

Limitations
You can't configure a content-enabled cloud management gateway as a pull-distribution point.
You can't configure the distribution point role on a site server as a pull-distribution point.
The prestage content configuration overrides the pull-distribution point configuration. If you turn on the
option to Enable this distribution point for prestaged content on a pull-distribution point, it waits
for the content. It doesn't pull content from the source distribution point. Like a standard distribution
point enabled for prestaged content, it doesn't receive content from the site server. For more information,
see Prestaged content.
A pull-distribution point doesn't use schedule or rate limit configurations. When you configure a
previously installed distribution point to be a pull-distribution point, configurations for schedule and rate
limits are saved, but not used. If you later remove the pull-distribution point configuration, the schedule
and rate limit configurations are implemented as previously configured.

NOTE
The Schedule and Rate Limits tabs aren't visible in the properties of the distribution point.

Pull-distribution points don't use the settings on the General tab of the Software Distribution
Component Properties for each site. These settings include Concurrent distribution and Multicast
retry.
To transfer content from a source distribution point in a remote forest, install the Configuration Manager
client on the pull-distribution point. Also configure a network access account that can access the source
distribution point. If you enable the site option to Use Configuration Manager-generated
certificates for HTTP site systems, then you don't need a network access account.
If the pull-distribution point is also a Configuration Manager client, the client version must be the same as
the Configuration Manager site that installs the pull-distribution point. The pull-distribution point uses
the CCMFramework that is common to both the pull-distribution point and the Configuration Manager
client.

About source distribution points


When you configure the pull-distribution point, specify one or more source distribution points:
The wizard only displays distribution points that qualify to be source distribution points.
A pull-distribution point can be specified as a source distribution point for another pull-distribution point.
Only distribution points that support HTTP can be specified as source distribution points when you use
the Configuration Manager console.
To use a source distribution point that's configured for HTTPS, install the Configuration Manager client on
the pull-distribution point.
If your remote offices have a better connection to the internet, or to reduce load on your WAN links, use a
content-enabled cloud management gateway (CMG) in Microsoft Azure as the source. The pull-
distribution point needs internet access to communicate with Microsoft Azure. The content must be
distributed to the source CMG.

NOTE
This feature does incur charges to your Azure subscription for data storage and network egress. For more
information, see the Cost of CMG.

TIP
When a pull-distribution point downloads content from a source distribution point, that pull-distribution point is counted
as a client in the Client Accessed (Unique) column of the Distribution point usage summary report.

Source priorities
Assign a separate priority to each source distribution point, or assign multiple source distribution points
to the same priority.
The priority determines the order in which the pull-distribution point requests content from its source
distribution points.
Pull-distribution points initially contact a source distribution point with the lowest value for priority. If
there are multiple source distribution points with the same priority, the pull-distribution point randomly
selects one of the sources with that priority.
If the content isn't available on a selected source, the pull-distribution point then tries to download the
content from another distribution point with that same priority.
If none of the distribution points with a given priority has the content, the pull-distribution point tries to
download the content from a source distribution point with the next priority level. It continues this search
until the content is located.
If none of the assigned source distribution points have the content, the pull-distribution point waits for 30
minutes, and then starts the process again.
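The source-selection walk described above, as an added example (this is illustrative code, not Configuration Manager's own implementation); the source names, priorities and the has_content callback are constructed assumptions, with the 30-minute wait taken from the text:

```python
"""Simulate how a pull-distribution point walks its source distribution
points by priority (added example; not Configuration Manager code).
Source names and priorities below are constructed for illustration."""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# From the text: when no assigned source has the content, the pull-DP waits
# 30 minutes and then starts the search again.
RETRY_WAIT_MINUTES = 30


@dataclass(frozen=True)
class SourceDP:
    """A source distribution point assigned to a pull-distribution point."""
    name: str
    priority: int  # lower value = contacted first


def find_source(
    sources: List[SourceDP],
    has_content: Callable[[str], bool],
    rng: Optional[random.Random] = None,
) -> Tuple[Optional[SourceDP], List[str]]:
    """Return (chosen source, names tried in order).

    Priority levels are visited from the lowest value upward. Within one
    level the order is random, and every source at that level is tried
    before moving to the next level. If no assigned source has the content,
    the chosen source is None and the tried list covers every source.
    """
    if rng is None:
        rng = random.Random()
    tried: List[str] = []
    for level in sorted({s.priority for s in sources}):
        candidates = [s for s in sources if s.priority == level]
        rng.shuffle(candidates)  # random pick among equal priorities
        for dp in candidates:
            tried.append(dp.name)
            if has_content(dp.name):
                return dp, tried
    return None, tried


def next_action(
    sources: List[SourceDP],
    has_content: Callable[[str], bool],
    rng: Optional[random.Random] = None,
) -> Tuple[str, object]:
    """Decide what the pull-DP does next: download from a source, or wait
    RETRY_WAIT_MINUTES and then repeat the whole search."""
    dp, _ = find_source(sources, has_content, rng)
    if dp is None:
        return ("wait", RETRY_WAIT_MINUTES)
    return ("download", dp.name)


# Constructed sample: two on-premises DPs at priority 1, one at priority 2,
# and a content-enabled CMG as the last resort at priority 3.
SAMPLE_SOURCES = [
    SourceDP("DP01.corp.example", 1),
    SourceDP("DP02.corp.example", 1),
    SourceDP("DP03.branch.example", 2),
    SourceDP("CMG-contoso.example", 3),
]

if __name__ == "__main__":
    # Only the priority-2 server has the content: both priority-1 servers
    # are tried (in random order) before DP03 is chosen.
    only_dp03 = {"DP03.branch.example"}
    dp, order = find_source(SAMPLE_SOURCES, only_dp03.__contains__,
                            random.Random(7))
    print("tried:", order, "-> chose", dp.name if dp else None)
    # Nothing has the content yet: the pull-DP waits 30 minutes.
    print(next_action(SAMPLE_SOURCES, lambda _name: False))
```

The tried-order list mirrors what you would expect to see in PullDP.log when tracing why a pull-distribution point went to a particular source.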

Inside the pull-distribution point


To manage the transfer of content, pull-distribution points use the CCMFramework component. The
Configuration Manager client includes this component.
When you enable the pull-distribution point, the site installs pulldp.msi . This installer also adds the
CCMFramework component. The framework doesn't require the Configuration Manager client.
After the pull-distribution point is installed, it primarily uses the CCMExec service to function.
When the pull-distribution point transfers content, it uses the Background Intelligent Transfer
Service (BITS) built into Windows. A pull-distribution point doesn't require that you install the BITS
Extension for IIS Server.

NOTE
If you install a pull-distribution point on a workstation OS, the client enables BITS with the default settings. This
behavior happens even if the client settings are set to disable BITS. These default settings may not be optimum for
a pull-distribution point. Review the client settings and group policies for BITS that you apply to devices that you
enable as a pull-distribution point.

For operational details, see the following log files on the pull-distribution point:
DataTransferService.log
PullDP.log

TIP
If you see HTTP 403 errors in the log files after you add a pull-distribution point, make the following change:
1. On the source distribution point, set the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, ClientAuthTrustMode = 2 (REG_DWORD)
2. Restart the source distribution point server.
Then the pull distribution point should start downloading content from the source. For more information on this registry
key, see Overview of TLS - SSL (Schannel SSP).

See also
Fundamental concepts for content management
The content library in Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


The content library is a single-instance store of content in Configuration Manager. The site uses it to reduce the
overall size of the combined body of content that you distribute. The content library stores all content files for
software deployments, for example: software updates, applications, and OS deployments.
The site automatically creates and maintains a copy of the content library on each site server and each
distribution point.
Before Configuration Manager adds content files to the site server or copies the files to distribution
points, it verifies whether each content file is already in the content library.
If the content file is available, Configuration Manager doesn't copy the file. It instead associates the
existing content file with the application or package.
On distribution point servers, configure the following options:
One or more disk drives on which you want to create the content library.
A priority for each drive that you use.
Configuration Manager copies content files to the drive with the highest priority until that drive contains less
than a minimum amount of free space that you specify.
You configure the drive settings during the distribution point installation.
You can't configure the drive settings in the distribution point properties after the installation has
finished.
For more information about how to configure the drive settings for the distribution point, see Manage content
and content infrastructure.

NOTE
To move the content library to a different location on a distribution point after the installation, use the Content Library
Transfer tool in the Configuration Manager tools. For more information, see the Content Library Transfer tool.

About the content library on the CAS


By default, Configuration Manager creates a content library on the central administration site (CAS) when the
site is installed. The content library is placed on the drive of the site server that has the most free disk space.
Because you can't install a distribution point on the CAS, you can't prioritize the drives for use by the content
library. Similar to the content library on other site servers and on distribution points, when the drive that
contains the content library runs out of available disk space, the content library automatically spans to the next
available drive.
Configuration Manager uses the content library on the CAS in the following scenarios:
You create content on the CAS.
You migrate content from another Configuration Manager site, and assign the CAS as the site that
manages that content.

NOTE
When you create content at a primary site, and then distribute it to a different primary site or a secondary site below a
different primary site, the CAS temporarily stores that content in its scheduler inbox. It doesn't add that content to its
content library.

Use the following options to manage the content library on the CAS:
To prevent the content library from being installed on a specific drive, create an empty file named
NO_SMS_ON_DRIVE.SMS. Copy it to the root of the drive before the content library is created.
After the content library has been created, use the Content Library Transfer tool from the
Configuration Manager tools to manage the location of the content library. For more information, see the
Content Library Transfer tool.

NOTE
Content-enabled cloud management gateways don't use single-instance storage. The site encrypts packages before
sending to Azure, and each package has a unique encrypted key. Even if two files were identical, the encrypted versions
wouldn't be the same.

Inside the content library


WARNING
The following section is provided for informational purposes only. Don't alter, add, or remove any files or folders in the
content library. Doing so could corrupt packages, contents, or the content library as a whole. If you suspect any missing,
corrupt, or otherwise invalid data, use the validation feature in the Configuration Manager console to detect such issues.
Then redistribute the affected content to correct the issues.

By default, the content library is stored on the root of a drive in a folder called SCCMContentLib. This folder is
shared by default as SCCMContentLib$. The folder and share have restricted permissions to prevent
accidental damage. All changes should be made from the Configuration Manager console. Within this folder are
the following objects:
The package library (PkgLib folder): Information about what packages are present on the distribution
point.
The data library (DataLib folder): Information about the original structure of the packages.
The file library (FileLib folder): The original files in the package. This folder is typically what uses the bulk
of the storage.

TIP
Use the Content Library Explorer tool from the Configuration Manager tools to browse the contents of the content
library. You can't use this tool to modify the contents. It provides insight into what's present, as well as allowing validation
and redistribution. For more information, see the Content Library Explorer.

Package library
The package library folder, PkgLib, includes one file for each package distributed to the distribution point. The
file name is the package ID, for example, ABC00001.INI. In this file under the [Packages] section is a list of
content IDs that are part of the package, as well as other information such as the version. For example,
ABC00001 is a legacy package at version 1. The content ID in this file is ABC00001.1.
Data library
The data library folder, DataLib, includes one file and one folder for each of the contents in each package. For
example, this file and folder are named ABC00001.1.INI and ABC00001.1, respectively. The file includes
information for validation. The folder recreates the folder structure from the original package.
The files in the data library are replaced by INI files with the name of the original file in the package. For
example, MyFile.exe.INI. These files include information about the original file, such as the size, time modified,
and the hash. Use the first four characters of the hash to locate the original file in the file library. For example,
the hash in MyFile.exe.INI is DEF98765, and the first four characters are DEF9.
File library
If the content library spans across multiple drives, the package files could be in the file library folder, FileLib, on
any of these drives.
Locate a specific file using the first four characters from the hash found in the data library. Inside the file library
folder are many folders, each with a four-character name. Find the folder that matches the first four characters
from the hash. Once you find this folder, it includes one or more sets of three files. These files share the same
name, but one has the extension INI, one has the extension SIG, and one has no file extension. The original file is
the one with no extension whose name is equal to the hash from the data library.
For example, folder DEF9 includes DEF98765.INI, DEF98765.SIG, and DEF98765. DEF98765 is the original
MyFile.exe. The INI file includes a list of "users" or content IDs that share the same file. The site doesn't remove
a file unless all of these contents are also removed.
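To make the PkgLib, DataLib and FileLib walk above concrete, here is an added Python example (not from the Microsoft docs or the product) that builds a constructed miniature content library in a temp directory, then resolves and validates MyFile.exe through it, including the hash mismatch case that console validation would report. The INI key names and the use of uppercase hex SHA-256 for the hash are assumptions; the article's DEF98765 is only an illustrative short value.

```python
"""Walk a miniature Configuration Manager content library (added example).

Builds the SCCMContentLib layout from the article in a temp directory, then
resolves a file through PkgLib -> DataLib -> FileLib and validates the stored
copy against the hash recorded in the data library. Assumptions: the INI key
names (ContentIDs, Version, Hash, Size, Users) are invented here, and the
hash is uppercase hex SHA-256 so the FileLib folder name derives from data.
"""
import configparser
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def read_ini(path: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg


def build_sample_library(root: str) -> dict:
    """Constructed sample: legacy package ABC00001, version 1, holding MyFile.exe."""
    package_id, version = "ABC00001", "1"
    content_id = f"{package_id}.{version}"
    payload = b"MZ constructed sample executable bytes"
    digest = sha256_hex(payload)
    pkglib = os.path.join(root, "PkgLib")
    datalib = os.path.join(root, "DataLib", content_id)
    filelib = os.path.join(root, "FileLib", digest[:4])
    for folder in (pkglib, datalib, filelib):
        os.makedirs(folder, exist_ok=True)
    # PkgLib\ABC00001.INI: the content IDs that make up the package
    with open(os.path.join(pkglib, f"{package_id}.INI"), "w") as fh:
        fh.write(f"[Packages]\nContentIDs={content_id}\nVersion={version}\n")
    # DataLib\ABC00001.1.INI: validation data for the content as a whole
    with open(os.path.join(root, "DataLib", f"{content_id}.INI"), "w") as fh:
        fh.write("[Content]\nFileCount=1\n")
    # DataLib\ABC00001.1\MyFile.exe.INI: metadata standing in for the file
    with open(os.path.join(datalib, "MyFile.exe.INI"), "w") as fh:
        fh.write(f"[File]\nHash={digest}\nSize={len(payload)}\n")
    # FileLib\<first 4 of hash>\<hash>, <hash>.INI, <hash>.SIG: single-instance copy
    with open(os.path.join(filelib, digest), "wb") as fh:
        fh.write(payload)
    with open(os.path.join(filelib, f"{digest}.INI"), "w") as fh:
        fh.write(f"[File]\nUsers={content_id}\n")
    open(os.path.join(filelib, f"{digest}.SIG"), "wb").close()
    return {"package_id": package_id, "content_id": content_id, "digest": digest}


def content_ids_for_package(root: str, package_id: str) -> list:
    cfg = read_ini(os.path.join(root, "PkgLib", f"{package_id}.INI"))
    return cfg["Packages"]["ContentIDs"].split(",")


def resolve_original(root: str, content_id: str, relative_path: str) -> str:
    """Path of the FileLib copy holding the bytes of relative_path in content_id."""
    meta = read_ini(os.path.join(root, "DataLib", content_id, relative_path + ".INI"))
    digest = meta["File"]["Hash"]
    # the first four characters of the hash name the folder, the full hash the file
    return os.path.join(root, "FileLib", digest[:4], digest)


def validate_file(root: str, content_id: str, relative_path: str) -> bool:
    """Recompute the stored copy's hash; a mismatch means redistribute the content."""
    stored = resolve_original(root, content_id, relative_path)
    if not os.path.isfile(stored):
        return False
    with open(stored, "rb") as fh:
        return sha256_hex(fh.read()) == os.path.basename(stored)


def users_of_file(root: str, digest: str) -> list:
    """Content IDs sharing one single-instance file, read from <hash>.INI."""
    cfg = read_ini(os.path.join(root, "FileLib", digest[:4], f"{digest}.INI"))
    return cfg["File"]["Users"].split(",")


def run_demo() -> dict:
    """Build the sample, resolve MyFile.exe, then corrupt the stored copy."""
    with tempfile.TemporaryDirectory() as root:
        info = build_sample_library(root)
        cid = info["content_id"]
        result = {
            "content_ids": content_ids_for_package(root, info["package_id"]),
            "folder": info["digest"][:4],
            "users": users_of_file(root, info["digest"]),
            "valid_before": validate_file(root, cid, "MyFile.exe"),
        }
        with open(resolve_original(root, cid, "MyFile.exe"), "ab") as fh:
            fh.write(b"\x00")  # simulated silent corruption of the stored file
        result["valid_after"] = validate_file(root, cid, "MyFile.exe")
        return result
```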
Drive spanning
The content library can be spanned across multiple drives. You choose these drives when creating the
distribution point. By default, Configuration Manager automatically chooses the drives when spanning the
content library.
When you choose the drives, select a primary and secondary drive. The site stores all metadata on the primary
drive. It only spans the file library across to the secondary drive. The folder's share name for secondary drives
includes the drive letter. For example, if D: and E: are secondary drives for the content library, the share names
are SCCMContentLibD$ and SCCMContentLibE$.
If you chose the Automatic option, Configuration Manager selects the drive with the most available free space
as its primary drive. It stores all of the metadata on this drive. The site only spans the file library across to
secondary drives.
You specify a reserve space amount during configuration. Configuration Manager attempts to use a secondary
disk once the best available disk has only this reserve space amount left free. Each time a new drive is selected
for use, the drive with the most available free space is selected.
You can't specify that a distribution point should use all drives except for a specific set. Prevent this behavior by
creating an empty file on the root of the drive, called NO_SMS_ON_DRIVE.SMS. Place this file before Configuration
Manager selects the drive for use. If Configuration Manager detects this file on the root of the drive, it doesn't
use the drive for the content library.

Troubleshoot
The following tips may help you troubleshoot issues with the content library:
Review the logs on the site server (distmgr.log and PkgXferMgr.log) and the distribution point
(smsdpprov.log) for any pointers to the failures.
Use the Content Library Explorer tool.
Check for file locks by other processes, such as antivirus software. Exclude the content library on all
drives from automatic antivirus scans, as well as the temporary staging directory, SMS_DP$, on each
drive.
To see if there are any hash mismatches, validate the package from the Configuration Manager console.
As a last option, redistribute the content. This action should resolve most issues.
For more in-depth information, see Understand and troubleshoot content distribution.

Next steps
Configure a remote content library for the site server
Flowchart - Manage content library
Configure a remote content library for the site
server
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


To configure site server high availability or to free up hard drive space on your central administration or primary
site servers, relocate the content library to another storage location. Move the content library to another drive
on the site server, a separate server, or fault-tolerant disks in a storage area network (SAN). A SAN is
recommended, because it's highly available, and provides elastic storage that grows or shrinks over time to
meet your changing content requirements. For more information, see High availability options.
A remote content library is a prerequisite for site server high availability.
This action only moves the content library on the site server. It doesn't impact the location of the content library
on distribution points.

TIP
Also plan for managing package source content, which is external to the content library. Every software object in
Configuration Manager has a package source on a network share. Consider centralizing all sources to a single share, but
make sure this location is redundant and highly available.
If you move the content library to the same storage volume as your package sources, you can't mark this volume for data
deduplication. While the content library supports data deduplication, the package sources volume doesn't support it. For
more information, see Data deduplication.

Prerequisites
The site server computer account needs Full control permissions to the network path to which you're
moving the content library. This permission applies to both the share and the file system. No components
are installed on the remote system.
The site server can't have the distribution point role. The distribution point also uses the content library,
and this role doesn't support a remote content library. After moving the content library, you can't add the
distribution point role to the site server.

NOTE
The Manage Content Library option isn't available if the distribution point role exists on the site server. To
enable the option, remove the distribution point role from the site server.

The remote system for the content library needs to be in a trusted domain.

IMPORTANT
Don't reuse a shared network location between multiple sites. For example, don't use the same path for both a central
administration site and a child primary site. This configuration has the potential to corrupt the content library, and require
you to rebuild it.
Manage the content library
1. Create a folder in a network share as the target for the content library. For example,
\\server\share\folder.

WARNING
Don't reuse an existing folder with content. For example, don't use the same folder as your package sources.
Before copying the content library, Configuration Manager removes any existing content from the location you
specify.

2. In the Configuration Manager console, switch to the Administration workspace. Expand Site
Configuration, select the Sites node, and select the site. On the Summary tab at the bottom of the
details pane, notice a new column for the Content Library.
3. Select Manage Content Library on the ribbon.
4. In the Manage Content Library window, the Current Location field shows the local drive and path. Enter
a valid network path for the New Location. This path is the location to which the site moves the content
library. It must include a folder name that already exists on the share, for example, \\server\share\folder.
Select OK.
5. Note the Status value in the Content Library column on the Summary tab of the details pane. It updates
to show the site's progress in moving the content library.
While In progress, the Move Progress (%) value displays the percentage complete.

NOTE
If you have a large content library, you may see 0% progress in the console for a while. For example, with
a 1 TB library, it has to copy 10 GB before it shows 1%. Review distmgr.log, which shows the number of
files and bytes copied. The log file also shows an estimated time remaining.

If there's an error state, the status displays the error. Common errors include access denied or disk full.
When complete, it displays Complete.
See the distmgr.log for details. For more information, see Site server and site system server logs.

NOTE
Starting in version 2010, you can enable verbose logging to troubleshoot the content library move process. Set
the following registry key on the site server:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP, LibraryMoveVerboseLog = 1 (REG_DWORD).

For more information on this process, see Flowchart - Manage content library.
The site actually copies the content library files to the remote location. This process doesn't delete the content
library files at the original location on the site server. To free up space, an administrator must manually delete
these original files.
If the original content library spans two drives, it's merged into a single folder at the new destination.
During the copy process, the Despooler and Distribution manager components don't process new packages.
This action makes sure that content isn't added to the library while it's moving. Regardless, schedule this change
during a system maintenance.
If you need to move the content library back to the site server, repeat this process, but enter a local drive and
path for the New Location . It must include a folder name that already exists on the drive, for example,
D:\SCCMContentLib. When the original content still exists, the process quickly moves the configuration to the
location local to the site server.

TIP
To move the content to another drive on the site server, use the Content Library Transfer tool. For more information,
see the Content Library Transfer tool.

Support untrusted domains


If your environment has distribution points in untrusted domains, you need to make other configuration
changes.
1. On the computer that will host the distribution point role in the untrusted domain:
a. Create a local user account.
b. When you add the distribution point role to this computer, use this local account as the site system
installation account. For example, COMPUTER.UNTRUSTEDDOMAIN\LocalAccount.
2. On the server that hosts the remote content library for the site, create a local user account. This account
should have the same name and password as the account in the first step.
When the distribution manager component distributes content to the server in the untrusted domain, it will use
the local user account. During content distribution, this component gets the files from the content library server
in the context of the distribution point's local account. Since this same account exists on the content library
server, distribution manager can authenticate to read the content files and copy to the remote distribution point.

Next steps
Flowchart - Manage content library
Flowchart - Manage content library
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This flowchart diagram shows the process by which the site moves the content library to a remote location. For
more information, see the following articles:
The content library
Site server high availability
Content library cleanup tool
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Use the content library cleanup command-line tool to remove content that's no longer associated with an object
on a distribution point. This type of content is called orphaned content. This tool replaces older versions of
similar tools released for past Configuration Manager products.
The tool only affects the content on the distribution point that you specify when you run the tool. The tool can't
remove content from the content library on the site server.
If you remove content from a distribution point while the site system is offline, an orphaned record can exist in
WMI. Over time, this behavior can eventually lead to a warning status on the distribution point. To mitigate the
issue in version 2006 and earlier, you had to manually remove the orphaned entries from WMI. Making a
mistake during this process could cause more severe issues with the server. Starting in version 2010, the tool
can also remove orphaned content records from the WMI provider on a distribution point.
Find ContentLibraryCleanup.exe in CD.Latest\SMSSETUP\TOOLS\ContentLibraryCleanup on the site server. For
more information on this location, see The CD.Latest folder.

Requirements
Only run the tool against a single distribution point at a time.
Run it directly on the server that hosts the distribution point to clean up, or remotely from another
computer.
The tool doesn't support removing content from the site server, which has a single content library. When
the site server also has the distribution point role, if a package isn't targeted to the server, the package is
still in the single content library.
The tool doesn't support a content-enabled cloud management gateway.
The user account that runs the tool must have permissions the same as the Full Administrator security
role in Configuration Manager.

Modes of operation
Run the tool in the following two modes: What-if and Delete.

TIP
Start with the what-if mode. When you're satisfied with the results, then run the tool in delete mode.

What-if mode
If you don't specify the /delete parameter, the tool runs in what-if mode. This mode identifies the content that
would be deleted from the distribution point.
When run in this mode, the tool doesn't delete any data.
The tool writes to the log file information about the content that it would delete. You're not prompted to
confirm each potential deletion.
Delete mode
When you run the tool with the /delete parameter, the tool runs in delete mode.
When run in this mode, orphaned content that it finds on the specified distribution point can be deleted
from the distribution point's content library.
Starting in version 2010, it can also remove orphaned content records from the WMI provider on the
distribution point.
Before deleting each file, confirm that the tool should delete it. Select Y for yes, N for no, or Yes to all to
skip further prompts and delete all orphaned content.
Log file
When the tool runs in either mode, it automatically creates a log file. It names the file with the following
information:
The mode the tool runs in
The name of the distribution point
The date and time of operation
When the tool finishes, it automatically opens the log file in Windows.
By default, the tool writes the log file to the temp folder of the user account that runs the tool. This location is on
the computer where you run the tool, which isn't always the target of the tool. Use the /log parameter to
redirect the log file to another location, including a network share.
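The orphan classification described above, as an added in-memory model in Python (not the tool's code and not from the Microsoft docs): it compares the content the site says should be on the distribution point with the PkgLib entries, the FileLib "users" lists and the WMI records the DP actually holds, and runs in either what-if or delete mode. All values are constructed, and the dictionary shapes and log file name format are assumptions of the model.

```python
"""Model of how orphaned content on a distribution point is classified.

Added example, not the cleanup tool's source. One distribution point is
modelled in memory: what the site says should be there (the answer the
tool obtains through the SMS Provider) versus what PkgLib, the FileLib
'users' lists and the DP's WMI records hold. Dictionary shapes and the
log file name format are assumptions; every sample value is constructed.
"""
from datetime import datetime


def find_orphans(expected, pkglib, filelib, wmi_records):
    """expected: {package_id: {content_id}} targeted to the DP per the site
    pkglib:   {package_id: {content_id}} present in the DP's PkgLib
    filelib:  {file_hash: {content_id}} 'users' recorded in each <hash>.INI
    wmi_records: {content_id} known to the DP's WMI provider"""
    expected_contents = set().union(*expected.values()) if expected else set()
    present_contents = set().union(*pkglib.values()) if pkglib else set()
    return {
        "packages": sorted(set(pkglib) - set(expected)),
        "contents": sorted(present_contents - expected_contents),
        # a file is orphaned only when no content that belongs on the DP still uses it
        "files": sorted(h for h, users in filelib.items()
                        if not (users & expected_contents)),
        "wmi_records": sorted(wmi_records - expected_contents),
    }


def run_cleanup(dp_fqdn, expected, pkglib, filelib, wmi_records,
                delete=False, now=None):
    """What-if mode (default) only reports; delete mode also prunes the model in place."""
    mode = "Delete" if delete else "WhatIf"
    now = now or datetime.now()
    # log named by mode, distribution point and time, as the article describes
    log_name = f"ContentLibraryCleanup_{mode}_{dp_fqdn}_{now:%Y%m%d_%H%M%S}.log"
    orphans = find_orphans(expected, pkglib, filelib, wmi_records)
    lines = [f"{mode}: package {p} is no longer targeted to {dp_fqdn}"
             for p in orphans["packages"]]
    lines += [f"{mode}: file {h} has no remaining users" for h in orphans["files"]]
    lines += [f"{mode}: WMI record {c} has no matching content"
              for c in orphans["wmi_records"]]
    if delete:
        for pkg in orphans["packages"]:
            pkglib.pop(pkg)
        for h in orphans["files"]:
            filelib.pop(h)
        wmi_records.difference_update(orphans["wmi_records"])
    return {"log_name": log_name, "orphans": orphans, "lines": lines}


def sample_dp():
    """Constructed DP state: ABC00003 is no longer targeted to the DP but its
    content remains, and old version ABC00001.1 left a file and a WMI record behind."""
    expected = {"ABC00001": {"ABC00001.2"}, "ABC00002": {"ABC00002.1"}}
    pkglib = {"ABC00001": {"ABC00001.2"}, "ABC00002": {"ABC00002.1"},
              "ABC00003": {"ABC00003.1"}}
    filelib = {"DEF98765": {"ABC00001.2", "ABC00003.1"},  # shared file: must stay
               "1234ABCD": {"ABC00003.1"},
               "0000FFFF": {"ABC00001.1"}}
    wmi_records = {"ABC00001.2", "ABC00002.1", "ABC00003.1", "ABC00001.1"}
    return expected, pkglib, filelib, wmi_records
```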

Run the tool


To run the tool:
1. Open a command prompt as an administrator. Change directory to the folder that contains
ContentLibraryCleanup.exe.
2. Enter a command line that includes the required command-line parameters, and any optional parameters
you want to use.

Command-line parameters
Use these command-line parameters in any order.
Required parameters

PARAMETER                         DETAILS
/dp <distribution point FQDN>     Specify the fully qualified domain name (FQDN) of the
                                  distribution point to clean.

/ps <primary site FQDN>           Required only when cleaning content from a distribution
                                  point at a secondary site. The tool connects to the parent
                                  primary site to run queries against the SMS Provider. These
                                  queries let the tool determine what content should be on
                                  the distribution point. It can then identify the orphaned
                                  content to remove. This connection to the parent primary
                                  site must be made for distribution points at a secondary site
                                  because the required details aren't available directly from the
                                  secondary site.

/sc <primary site code>           Required only when cleaning content from a distribution
                                  point at a secondary site. Specify the site code of the parent
                                  primary site.

Example: Scan and log what content it would delete (what-if)


ContentLibraryCleanup.exe /dp server1.contoso.com

Example: Scan and log content for a DP at a secondary site


ContentLibraryCleanup.exe /dp server1.contoso.com /ps siteserver1.contoso.com /sc ABC

Optional parameters

PARAMETER                         DETAILS
/delete                           Use this parameter when you're ready to delete content
                                  from the distribution point. It prompts you before it deletes
                                  content.

                                  When you don't use this parameter, the tool logs results
                                  about what content it would delete. Without this parameter,
                                  it doesn't actually delete any content from the distribution
                                  point.

/q                                This parameter runs the tool in a quiet mode that
                                  suppresses all prompts. These prompts include when it
                                  deletes content. It also doesn't automatically open the log
                                  file.

/ps <primary site FQDN>           Optional only when cleaning content from a distribution
                                  point at a primary site. Specify the FQDN of the primary site
                                  that the distribution point belongs to.

/sc <primary site code>           Optional only when cleaning content from a distribution
                                  point at a primary site. Specify the site code of the primary
                                  site that the distribution point belongs to.

/log <log file directory>         Specify the location where the tool writes the log file. This
                                  location can be a local drive or a network share.

                                  When you don't use this parameter, the tool places the log
                                  file in the user's temp directory on the computer where the
                                  tool runs.

Example: Delete content


ContentLibraryCleanup.exe /dp server1.contoso.com /delete

Example: Delete content without prompts


ContentLibraryCleanup.exe /q /dp server1.contoso.com /delete

Example: Log to local drive


ContentLibraryCleanup.exe /dp server1.contoso.com /log C:\Users\Administrator\Desktop

Example: Log to network share


ContentLibraryCleanup.exe /dp server1.contoso.com /log \\server\share

Known issue
In version 2103 and earlier, when any package or deployment has failed, or is in progress, the tool might return
the following error:
System.InvalidOperationException: This content library cannot be cleaned up right now because package
<packageID> is not fully installed.

To work around this issue, update the site to version 2107. The tool can't reliably identify orphaned files, but will
display a warning and continue.
Peer cache for Configuration Manager clients
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


Use peer cache to help manage deployment of content to clients in remote locations. Peer cache is a built-in
Configuration Manager solution that enables clients to share content with other clients directly from their local
cache.

Overview
Definitions:
Peer cache client: Any Configuration Manager client that downloads content from a peer.
Peer cache source: A Configuration Manager client that you enable for peer cache, and that has content
to share with other clients.
Use client settings to enable clients to be peer cache sources. You don't need to enable peer cache clients. When
you enable clients as peer cache sources, the management point includes them in the list of content location
sources. For more information on this process, see Operations.
A peer cache source must be a member of the current boundary group of the peer cache client. The
management point doesn't include peer cache sources from a neighbor boundary group in the list of content
sources it provides the client. It only includes distribution points from a neighbor boundary group. For more
information about current and neighbor boundary groups, see Boundary groups.
The Configuration Manager client uses peer cache to serve to other clients every type of content in the cache.
This content includes:
Microsoft 365 Apps for enterprise files
Express installation files
Peer cache doesn't replace the use of other solutions like Windows BranchCache or Delivery Optimization. Peer
cache works along with other solutions. These technologies give you more options for extending traditional
content deployment solutions such as distribution points. Peer cache is a custom solution with no reliance on
BranchCache. If you don't enable or use BranchCache, peer cache still works.

NOTE
Windows BranchCache is always enabled on deployments. If the distribution point supports it, and it's enabled in client
settings, clients use BranchCache. For more information, see Configure BranchCache.

Operations
To enable peer cache, deploy the client settings to a collection. Then members of that collection act as a peer
cache source for other clients in the same boundary group.
A client that operates as a peer content source submits a list of available cached content to its
management point using state messages. A peer content source client also sends a state message to the
management point when it removes content from its local cache.
NOTE
For the list of applicable peer content source state messages, see State messages in Configuration Manager.
Specifically those with state message IDs of 7200, 7201, 7202, and 7203.

Another client in the same boundary group makes a content location request to the management point.
The server returns the list of potential content sources. This list includes each peer cache source that has
the content and is online. It also includes the distribution points and other content source locations in that
boundary group. For more information, see Content source priority.
As usual, the client that's seeking the content selects one source from the provided list. The client then
attempts to get the content.
Boundary groups include settings to give you more control over content distribution in your environment. For
more information, see Boundary group options for peer downloads.

NOTE
If the client falls back to a neighbor boundary group for content, the management point doesn't add the peer cache
sources from the neighbor boundary group to the list of potential content source locations.

Choose only clients best suited as peer cache sources. Evaluate client suitability based on attributes such as
chassis type, disk space, and network connectivity. For more information that can help you select the best clients
to use for peer cache, see this blog by a Microsoft consultant.

NOTE
By default, if the first 25 peer cache sources are offline or unreachable, a peer cache client may fail to download the
content. You can configure this setting with the site definition properties SuperPeerLocationCount and
SuperPeerLocationCountMax. Their default values are 25 and 50. For more information, see How to read and write to
the site control file by using WMI.
You can also reduce these values, for example, 5 and 10. This configuration causes the client to more quickly fall back
to other content locations. For more information, see Content source priority.

Limited access to a peer cache source


A peer cache source rejects requests for content when it meets any of the following conditions at the time a peer
requests content:
Low battery mode
Processor load exceeds 80%
Disk I/O has an AvgDiskQueueLength that exceeds 10
There are no more available connections to the computer

TIP
Configure these settings using the client configuration server WMI class for the peer source feature
(SMS_WinPEPeerCacheConfig) in the Configuration Manager SDK.

When the peer cache source rejects a request for the content, the peer cache client continues to seek content
from its list of content source locations.
Requirements
Peer cache supports all Windows versions listed as supported in Supported operating systems for clients
and devices. Non-Windows operating systems aren't supported as peer cache sources or peer cache
clients.
A peer cache source must be a domain-joined Configuration Manager client. However, a client that's not
domain-joined can get content from a domain-joined peer cache source.
Clients can only download content from peer cache sources in their current boundary group.

NOTE
Configuration Manager determines if a peer cache source has roamed to another location. This behavior makes
sure the management point offers it as a content source to clients in the new location and not the old location.

A network access account isn't required with the following exception:


Configure a network access account in the site when a peer cache-enabled client runs a task
sequence from Software Center, and it reboots to a boot image. When the device is in Windows PE,
it uses the network access account to get content from the peer cache source.
When required, the peer cache source uses the network access account to authenticate download
requests from peers. This account requires only domain user permissions for this purpose.
Before attempting to download content, the management point first validates that the peer cache source
is online. This validation happens via the "fast channel" for client notification, which uses TCP port 10123.

NOTE
To take advantage of new Configuration Manager features, first update clients to the latest version. While new
functionality appears in the Configuration Manager console when you update the site and console, the complete scenario
isn't functional until the client version is also the latest.

Client settings
For more information about the peer cache client settings, see Client cache settings.
For more information on configuring these settings, see How to configure client settings.
On peer cache-enabled clients that use the Windows Firewall, Configuration Manager configures the firewall
ports that you specify in client settings.

Partial download support


Client peer cache sources can divide content into parts. These parts minimize the network transfer to reduce
WAN usage. The management point provides more detailed tracking of the content parts. It tries to eliminate
more than one download of the same content per boundary group.
Example scenario
Contoso has a single primary site with two boundary groups: Headquarters (HQ) and Branch Office. There's a
30-minute fallback relationship between the boundary groups. The management point and distribution point
for the site are only in the HQ boundary. The branch office location has no local distribution point. Two of the
four clients at the branch office are configured as peer cache sources.
1. You target a deployment with content to all four clients in the branch office. You only distributed the
content to the distribution point.
2. Client3 and Client4 don't have a local source for the deployment. The management point instructs the
clients to wait 30 minutes before falling back to the remote boundary group.
3. Client1 (PCS1) is the first peer cache source to refresh policy with the management point. Because this
client is enabled as a peer cache source, the management point instructs it to immediately start
downloading part A from the distribution point.
4. When Client2 (PCS2) contacts the management point, as part A is already in progress but not yet
complete, the management point instructs it to immediately start downloading part B from the
distribution point.
5. PCS1 finishes downloading part A, and immediately notifies the management point. As part B is already
in progress but not yet complete, the management point instructs it to start downloading part C from the
distribution point.
6. PCS2 finishes downloading part B, and immediately notifies the management point. The management
point instructs it to start downloading part D from the distribution point.
7. PCS1 finishes downloading part C, and immediately notifies the management point. The management
point informs it that there are no more parts available from the remote distribution point. The
management point instructs it to download part B from its local peer, PCS2.
8. This process continues until both client peer cache sources have all of the parts from each other. The
management point prioritizes parts from the remote distribution point before instructing the peer cache
sources to download parts from local peers.
9. Client3 is the first to refresh policy after the 30-minute fallback period expires. It now checks back with
the management point, which informs the client of new local sources. Instead of downloading the content
in full from the distribution point across the WAN, it downloads the content in full from one of the client
peer cache sources. Clients prioritize local peer sources.
NOTE
If the number of client peer cache sources is greater than the number of content parts, then the management point
instructs the additional peer cache sources to wait for fallback like a normal client.

Configure partial download


1. Set up boundary groups and peer cache sources per normal.
2. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select Sites. Select Hierarchy Settings in the ribbon.
3. On the General tab, enable the option to Configure client peer cache sources to divide content
into parts.
4. Create a required deployment with content.

NOTE
This functionality only works when the client downloads content in the background, such as with a required
deployment. On-demand downloads, such as when the user installs an available deployment in Software Center,
behave as usual.

To see the peer cache sources handling the download of content in parts, examine the ContentTransferManager.log
on the client peer cache source and the MP_Location.log on the management point.

Guidance for cache management


Peer cache relies on the Configuration Manager client cache to share content. Consider the following points for
managing the client cache in your environment:
The Configuration Manager client cache isn't like the content library on a distribution point. While you
manage the content that you distribute to a distribution point, the Configuration Manager client
automatically manages the content in its cache. There are settings and methods to help control what
content is in the cache of a peer cache source. For more information, see Configure the client cache.
Size and maintenance of the cache applies to peer cache sources. For more information, see Configure
client cache size. Consider the size of larger content such as OS upgrade packages or Windows express
update files. Compare your need for this content against the available disk space on peer cache sources.
The peer cache source client updates the last referenced time of content in the cache when a peer
downloads it. The client uses this timestamp when it automatically maintains its cache, removing older
content first. So it should wait to remove content that peer cache clients more frequently download, if at
all.
If necessary, during an OS deployment task sequence, use the SMSTSPreserveContent variable to keep
content in the client cache. For more information, see Task sequence variables.
If necessary, when creating the following software, use the option to Persist content in the client
cache:
Applications
Packages
OS images
OS upgrade packages
Boot images
Monitoring
To help you understand the use of peer cache, view the Client Data Sources dashboard. For more information,
see Client data sources dashboard.
Also use reports to view peer cache use. In the console, go to the Monitoring workspace, expand Reporting,
and select the Reports node. The following reports all have a type of Software Distribution Content:
Peer cache source content rejection: How often the peer cache sources in a boundary group reject a
content request.

NOTE
Known issue: When drilling down on results like MaxCPULoad or MaxDiskIO, you might receive an error that
suggests the report or details can't be found. To work around this issue, use the other two reports that directly
show the results.

Peer cache source content rejection by condition: Shows rejection details for a specified boundary
group or rejection type.

NOTE
Known issue: You can't select from available parameters and instead must enter them manually. Enter the values
for Boundary Group Name and Rejection Type as seen in the Peer cache source content rejection report. For
example, for Rejection Type you might enter MaxCPULoad or MaxDiskIO.

Peer cache source content rejection details: Shows the content that the client was requesting when
rejected.

NOTE
Known issue: You can't select from available parameters and instead must enter them manually. Enter the value
for Rejection Type as displayed in the Peer cache source content rejection report. Then enter the Resource ID
for the content source about which you want more information.
To find the Resource ID of the content source:
1. Find the computer name that displays as the Peer cache source in the results of the Peer cache source
content rejection by condition report.
2. Go to the Assets and Compliance workspace, select the Devices node, and search for that computer's
name. Use the value from the Resource ID column.

Next steps
Microsoft Connected Cache in Configuration Manager
Support for Windows BranchCache
Peer caching technologies
Package Transfer Manager in Configuration Manager
2/16/2022 • 5 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


In a Configuration Manager site, the Package Transfer Manager is a component of the SMS_Executive service
that manages the transfer of content from a site server computer to remote distribution points in a site. (A
remote distribution point is one that is not located on the site server computer.) The Package Transfer Manager
itself has no settings for the admin to configure, but understanding how it operates can help you plan your
content management infrastructure. It can also help you resolve problems with content distribution.
When you distribute content to one or more remote distribution points at a site, the Distribution Manager
creates a content transfer job. It then notifies the Package Transfer Manager on primary and secondary site
servers to transfer the content to the remote distribution points.
Package Transfer Manager logs its actions in the pkgxfermgr.log file on the site server. The log file is the only
location where you can view the activities of the Package Transfer Manager.
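
Because pkgxfermgr.log (and, for peer cache sources, ContentTransferManager.log) is where this activity is recorded, it helps to be able to filter those logs outside of CMTrace. The following PowerShell is an added example, not tooling that ships with Configuration Manager: it parses the CMTrace line format that these logs use into objects and filters them by severity, component or message text. The sample log lines in it are constructed for the example and are not real Package Transfer Manager output.

```powershell
# Added example; not part of Configuration Manager. Parses CMTrace-format log
# entries (the format of pkgxfermgr.log, ContentTransferManager.log and most
# other Configuration Manager logs) into objects you can filter.
#
# Each entry is one line shaped like:
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy"
#     component="Name" context="" type="1" thread="1234" file="src.cpp:10">
# where type 1 = informational, 2 = warning, 3 = error.

function ConvertFrom-CmTraceLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
                   'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
        if ($Line -match $pattern) {
            $severity = switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = ($Matches.time -split '[+-]')[0]   # strip the UTC-offset suffix
                Component = $Matches.comp
                Severity  = $severity
                Thread    = [int]$Matches.thread
                Message   = $Matches.msg
            }
        }
        # Lines that don't match the envelope (continuation text, blank lines) are skipped.
    }
}

function Get-CmTraceEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Component,
        [ValidateSet('Info', 'Warning', 'Error')][string]$MinSeverity = 'Info',
        [string]$MessagePattern
    )
    $rank = @{ Unknown = 0; Info = 1; Warning = 2; Error = 3 }
    Get-Content -Path $Path | ConvertFrom-CmTraceLine | Where-Object {
        (-not $Component -or $_.Component -eq $Component) -and
        ($rank[$_.Severity] -ge $rank[$MinSeverity]) -and
        (-not $MessagePattern -or $_.Message -match $MessagePattern)
    }
}

# Constructed sample entries (not real log output) so the example runs offline.
$sample = @'
<![LOG[Starting package transfer job for package PS100003 to DP01.contoso.local]LOG]!><time="09:15:02.114+000" date="02-16-2022" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="1" thread="4120" file="pkgxfermgr.cpp:100">
<![LOG[Cannot connect to DP02.contoso.local, will retry later]LOG]!><time="09:15:40.331+000" date="02-16-2022" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="3" thread="4120" file="pkgxfermgr.cpp:200">
<![LOG[Hash verification succeeded for package PS100003 on DP01.contoso.local]LOG]!><time="09:22:10.007+000" date="02-16-2022" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="1" thread="4120" file="pkgxfermgr.cpp:300">
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'pkgxfermgr-sample.log'
Set-Content -Path $tmp -Value $sample

# Only warnings and errors, as you would scan a real pkgxfermgr.log after a failed distribution:
Get-CmTraceEntry -Path $tmp -MinSeverity Warning | Format-Table Date, Time, Severity, Message -AutoSize

# Everything that mentions one distribution point:
Get-CmTraceEntry -Path $tmp -MessagePattern 'DP01' | Format-Table Time, Severity, Message -AutoSize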

NOTE
In previous versions of Configuration Manager, the Distribution Manager managed the transfer of content to a remote
distribution point. Distribution Manager also managed the transfer of content between sites. In the current version of
Configuration Manager, Distribution Manager continues to manage the transfer of content between two sites. However, the
Package Transfer Manager now manages the transfer of content to large numbers of distribution points. This helps to
increase the overall performance of content deployment both between sites and to distribution points within a site.

To transfer content to a standard distribution point, Package Transfer Manager operates the same as the
Distribution Manager operates in previous versions of Configuration Manager. That is, it actively manages the
transfer of files to each remote distribution point. However, to distribute content to a pull-distribution point, the
Package Transfer Manager notifies the pull-distribution point that content is available. The pull-distribution point
then takes over the transfer process.
The following information describes how Package Transfer Manager manages the transfer of content to
standard distribution points, and to distribution points configured as pull-distribution points:
1. Admin deploys content to one or more distribution points at a site.
Standard distribution point: Distribution Manager creates a content transfer job for that
content.
Pull-distribution point: Distribution Manager creates a content transfer job for that content.
2. Distribution Manager runs preliminary checks.
Standard distribution point: Distribution Manager runs a basic check to confirm that each
distribution point is ready to receive the content. After this check, Distribution Manager notifies
Package Transfer Manager to start the transfer of content to the distribution point.
Pull-distribution point: Distribution Manager starts Package Transfer Manager, which then
notifies the pull-distribution point that there is a new content transfer job. Distribution Manager
does not check on the status of remote distribution points that are pull-distribution points,
because each pull-distribution point manages its own content transfers.
3. Package Transfer Manager prepares to transfer content.
Standard distribution point: Package Transfer Manager examines the single instance content
store of each specified remote distribution point. The purpose of this is to identify any files that are
already on that distribution point. Then, Package Transfer Manager queues up for transfer only
those files that are not already present.

NOTE
To copy each file in the distribution to the distribution point, even if the files are already present in the
single instance store of the distribution point, use the Redistribute action for content.

Pull-distribution point: For each pull-distribution point in the distribution, Package Transfer
Manager checks the pull-distribution point's source distribution points to confirm whether the content is
available.
When the content is available on at least one source distribution point, Package Transfer
Manager sends a notification to that pull-distribution point. The notification directs that
distribution point to begin the process of transferring content. The notification includes file
names and sizes, attributes, and hash values.
When the content is not yet available, Package Transfer Manager does not send a
notification to the distribution point. Instead, it repeats the check every 20 minutes until the
content is available. Then, when the content is available, Package Transfer Manager sends
the notification to that pull-distribution point.

NOTE
For the pull-distribution point to copy each file in the distribution to the distribution point, even if the files
are already present in the single instance store of the pull-distribution point, use the Redistribute action
for content.

4. Content begins to transfer.


Standard distribution point: Package Transfer Manager copies files to each remote distribution
point. During the transfer to a standard distribution point:
By default, Package Transfer Manager can simultaneously process three unique packages,
and distribute them to five distribution points in parallel. Collectively, these are called
Concurrent distribution settings. To set up concurrent distribution, in the Software
Distribution Component Properties for each site, go to the General tab.
Package Transfer Manager uses the scheduling and network bandwidth configurations of
each distribution point when transferring content to that distribution point. To configure
these settings, in the Properties of each remote distribution point, go to the Schedule and
Rate Limits tabs. For more information, see Manage content and content infrastructure for
Configuration Manager.
Pull-distribution point: When a pull-distribution point receives a notification file, the
distribution point begins the process to transfer the content. The transfer process runs
independently on each pull-distribution point:
a. The pull-distribution point identifies the files in the content distribution that it does not already
have in its single instance store, and prepares to download that content from one of its
source distribution points.
b. Next, the pull-distribution point checks with each of its source distribution points, in order,
until it locates a source distribution point that has the content available. When the pull-
distribution point identifies a source distribution point with the content, it begins the
download of that content.

NOTE
The process to download content by the pull-distribution point is the same as that used by Configuration
Manager clients. For the transfer of content by the pull-distribution point, concurrent transfer settings
aren't used. Scheduling and throttling options that you configure for standard distribution points aren't
used either.

5. Content transfer completes.


Standard distribution point: After the Package Transfer Manager is done transferring files to
each designated remote distribution point, it verifies the hash of the content on the distribution
point. Then it notifies Distribution Manager that the distribution is complete.
Pull-distribution point: After the pull-distribution point completes the content download, the
distribution point verifies the hash of the content. Then it submits a status message to the site
management point to indicate success. If, after 60 minutes, this status is not received, the Package
Transfer Manager wakes up again. It checks with the pull-distribution point to confirm whether the
pull-distribution point has downloaded the content. If the content download is in progress, the
Package Transfer Manager sleeps for another 60 minutes before it checks with the pull-distribution
point again. This cycle continues until the pull-distribution point completes the content transfer.
Manage network bandwidth for content
2/16/2022 • 5 minutes to read

To help you manage network bandwidth that is used for the content management process of Configuration
Manager, you can use built-in controls for scheduling and throttling. You can also use prestaged content. The
following sections describe these options in more detail.

Scheduling and throttling


When you create a package, change the source path for the content, or update content on the distribution point,
the files are copied from the source path to the content library on the site server. Then, the content is copied
from the content library on the site server to the content library on the distribution points. When content source
files are updated, and the source files have already been distributed, Configuration Manager retrieves only the
new or updated files, and then sends them to the distribution point.
You can use scheduling and throttling controls for site-to-site communication, and for communication between
a site server and a remote distribution point. If network bandwidth is limited even after you set up the
scheduling and throttling controls, you might consider prestaging the content on the distribution point.
In Configuration Manager, you can set up a schedule and specify throttling settings on remote distribution
points that determine when and how content distribution is performed. Each remote distribution point can have
different configurations that help address network bandwidth limitations from the site server to the remote
distribution point. The controls for scheduling and throttling to the remote distribution point are similar to the
settings for a standard sender address. In this case, the settings are used by a new component, called Package
Transfer Manager.
Package Transfer Manager distributes content from a site server, as a primary site or secondary site, to a
distribution point that is installed on a site system. The throttling settings are specified on the Rate Limits tab,
and the scheduling settings are specified on the Schedule tab, for a distribution point that is not on a site
server. The time settings are based on the time zone from the sending site, not the distribution point.

IMPORTANT
The Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not installed on
a site server.

For more information, see Install and configure distribution points for Configuration Manager.

Prestaged content
You can prestage content to add the content files to the content library on a site server or distribution point,
before you distribute the content. Because the content files are already in the content library, they do not
transfer over the network when you distribute the content. You can prestage content files for applications and
packages.
In the Configuration Manager console, select the content that you want to prestage, and then use the Create
Prestaged Content File Wizard . This creates a compressed, prestaged content file that contains the files and
associated metadata for the content. Then, you can manually import the content at a site server or distribution
point. Note the following points:
When you import the prestaged content file on a site server, the content files are added to the content
library on the site server, and then registered in the site server database.
When you import the prestaged content file on a distribution point, the content files are added to the
content library on the distribution point. A status message is sent to the site server that informs the site
that the content is available on the distribution point.
You can optionally configure the distribution point as prestaged to help manage content distribution. Then,
when you distribute content, you can choose whether you want to:
Always prestage the content on the distribution point.
Prestage the initial content for the package, and then use the standard content distribution process when
there are updates to the content.
Always use the standard content distribution process for the content in the package.
Determine whether to prestage content
Consider prestaging content for applications and packages in the following scenarios:
To address the issue of limited network bandwidth from the site server to a distribution
point. If scheduling and throttling aren't enough to satisfy your concerns about bandwidth, consider
prestaging the content on the distribution point. Each distribution point has the Enable this
distribution point for prestaged content setting that you can choose in the distribution point
properties. When you enable this option, the distribution point is identified as a prestaged distribution
point, and you can choose how to manage the content on a per-package basis.
The following settings are available in the properties for an application, package, driver package, boot
image, operating system installer, and image. These settings let you choose how content distribution is
managed on remote distribution points that are identified as prestaged:
Automatically download content when packages are assigned to distribution points:
Use this option when you have smaller packages, and the scheduling and throttling settings
provide enough control for content distribution.
Download only content changes to the distribution point: Use this option when you expect
future updates to the content in the package to be generally smaller than the initial package. For
example, you might prestage an application like Microsoft 365 Apps, because the initial package
size is over 700 MB and is too large to send over the network. However, content updates to this
package might be less than 10 MB, and are acceptable to distribute over the network. Another
example might be driver packages, where the initial package size is large, but incremental driver
additions to the package might be small.
Manually copy the content in this package to the distribution point: Use this option when
you have large packages, with content such as an operating system, and you never want to use the
network to distribute the content to the distribution point. When you select this option, you must
prestage the content on the distribution point.

IMPORTANT
The preceding options are applicable on a per-package basis, and are only used when a distribution point is
identified as prestaged. Distribution points that have not been identified as prestaged ignore these settings. In
this case, content always is distributed over the network from the site server to the distribution points.

To restore the content library on a site server. When a site server fails, information about packages
and applications that is contained in the content library is restored to the site database as part of the
restore process, but the content library files are not restored as part of the process. If you do not have a
file system backup to restore the content library, you can create a prestaged content file from another site
that contains the packages and applications that you need. You can then extract the prestaged
content file on the recovered site server. For more information about site server backup and recovery, see
Backup and recovery for Configuration Manager.
Security and privacy for content management in
Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


This article contains security and privacy information for content management in Configuration Manager.

Security guidance
Advantages and disadvantages of HTTPS or HTTP for intranet distribution points
For distribution points on the intranet, consider the advantages and disadvantages of using HTTPS or HTTP. In
most scenarios, using HTTP and package access accounts for authorization provides more security than using
HTTPS with encryption but without authorization. However, if you have sensitive data in your content that you
want to encrypt during transfer, use HTTPS.
When you use HTTPS for a distribution point: Configuration Manager doesn't use package access
accounts to authorize access to the content. The content is encrypted when it's transferred over the
network.
When you use HTTP for a distribution point: You can use package access accounts for authorization. The
content isn't encrypted when it's transferred over the network.
Consider enabling Enhanced HTTP for the site. This feature allows clients to use Azure Active Directory (Azure
AD) authentication to securely communicate with an HTTP distribution point. For more information, see
Enhanced HTTP.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Protect the client authentication certificate file


If you use a PKI client authentication certificate rather than a self-signed certificate for the distribution point,
protect the certificate file (.pfx) with a strong password. If you store the file on the network, secure the network
channel when you import the file into Configuration Manager.
When you require a password to import the client authentication certificate that the distribution point uses to
communicate with management points, this configuration helps to protect the certificate from an attacker. To
prevent an attacker from tampering with the certificate file, use server message block (SMB) signing or IPsec
between the network location and the site server.
Remove the distribution point role from the site server
By default, Configuration Manager setup installs a distribution point on the site server. Clients don't have to
communicate directly with the site server. To reduce the attack surface, assign the distribution point role to other
site systems and remove it from the site server.
Secure content at the package access level
The distribution point share allows read access to all users. To restrict which users can access the content, use
package access accounts when the distribution point is configured for HTTP. This configuration doesn't apply to
content-enabled cloud management gateways, which don't support package access accounts.
For more information, see Package access accounts.
Configure IIS on the distribution point role
If Configuration Manager installs IIS when you add a distribution point site system role, remove HTTP
redirection and IIS Management Scripts and Tools when the distribution point installation is complete. The
distribution point doesn't require these components. To reduce the attack surface, remove these role services for
the web server role.
For more information about the role services for the web server role for distribution points, see Site and site
system prerequisites.
Set package access permissions when you create the package
Because changes to the access accounts on the package files become effective only when you redistribute the
package, set the package access permissions carefully when you first create the package. This configuration is
important when the package is large or distributed to many distribution points, and when the network
bandwidth capacity for content distribution is limited.
Implement access controls to protect media that contains prestaged content
Prestaged content is compressed but not encrypted. An attacker could read and modify the files that are
downloaded to devices. Configuration Manager clients reject content that's tampered with, but they still
download it.
Import prestaged content with ExtractContent
Only import prestaged content by using the ExtractContent.exe command-line tool. To avoid tampering and
elevation of privileges, use only the authorized command-line tool that comes with Configuration Manager.
For more information, see Deploy and manage content.
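
Since prestaged content is compressed but not encrypted, and a client only rejects tampered content after it has spent bandwidth downloading it, an integrity record made when the prestaged file is created lets you catch a modified file at the import step instead. The following PowerShell is an added example, not a Configuration Manager feature: it writes a SHA-256 manifest for the .pkgx files in a folder and verifies the folder against that manifest before you run ExtractContent.exe. The file names and contents in the demonstration are constructed stand-ins, not real prestaged content.

```powershell
# Added example; not a Configuration Manager feature. Records a SHA-256 hash
# for each prestaged content file (.pkgx) when it is created, and verifies the
# files against that record before ExtractContent.exe is run on the target, so
# a file altered on the media is caught before import rather than only when
# clients discard it after downloading.

function New-PrestagedContentManifest {
    param(
        [Parameter(Mandatory)][string]$Folder,        # folder holding the .pkgx files
        [Parameter(Mandatory)][string]$ManifestPath   # where to write the CSV record
    )
    Get-ChildItem -Path $Folder -Filter '*.pkgx' -File | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Length = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-PrestagedContentManifest {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $allGood = $true
    foreach ($entry in Import-Csv -Path $ManifestPath) {
        $file = Join-Path -Path $Folder -ChildPath $entry.Name
        if (-not (Test-Path -Path $file -PathType Leaf)) {
            Write-Warning "Missing: $($entry.Name)"
            $allGood = $false
            continue
        }
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $entry.SHA256) {
            Write-Warning "Hash mismatch for $($entry.Name): do not import this file"
            $allGood = $false
        }
    }
    return $allGood
}

# Demonstration with constructed files (stand-ins for real .pkgx output):
$work = Join-Path ([IO.Path]::GetTempPath()) 'prestage-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path (Join-Path $work 'PS100003.pkgx') -Value 'constructed content A'
Set-Content -Path (Join-Path $work 'PS100004.pkgx') -Value 'constructed content B'
$manifest = Join-Path $work 'manifest.csv'

New-PrestagedContentManifest -Folder $work -ManifestPath $manifest
Test-PrestagedContentManifest -Folder $work -ManifestPath $manifest

# Simulate a file being altered on the media, then re-check:
Add-Content -Path (Join-Path $work 'PS100004.pkgx') -Value 'unexpected bytes'
Test-PrestagedContentManifest -Folder $work -ManifestPath $manifest
```

The first check returns True and the second returns False with a warning naming the changed file. The manifest is only useful if it doesn't travel on the same media as the content: send it over a separate trusted channel (or keep it on the site server) so that whoever can alter the .pkgx file can't also rewrite the record it is checked against.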
Secure the communication channel between the site server and the package source location
Use IPsec or SMB signing between the site server and the package source location when you create applications,
package, and other objects with content. This configuration helps to prevent an attacker from tampering with
the source files.
Remove default virtual directories for custom website with the distribution point role
If you change the site configuration option to use a custom website rather than the default website after
installing a distribution point role, remove the default virtual directories. When you switch from the default
website to a custom website, Configuration Manager doesn't remove the old virtual directories. Remove the
following virtual directories that Configuration Manager originally created under the default website:
SMS_DP_SMSPKG$

SMS_DP_SMSSIG$

NOCERT_SMS_DP_SMSPKG$

NOCERT_SMS_DP_SMSSIG$

For more information about using a custom website, see Websites for site system servers.
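
The two IIS items above (the unneeded role services, and the virtual directories left under the default website after a move to a custom website) can be audited together. The following PowerShell is an added example, not tooling from Configuration Manager: it reports what a distribution point doesn't need and removes it only when told to. It assumes the ServerManager and WebAdministration modules that come with the Web Server role on Windows Server, and that it runs elevated on the distribution point; the feature names Web-Http-Redirect (HTTP Redirection) and Web-Scripting-Tools (IIS Management Scripts and Tools) are the Windows Server names for the role services named in the guidance.

```powershell
# Added example; not a Configuration Manager feature. Audits a distribution
# point's IIS configuration against the guidance above and, only when
# -Remediate is given, removes what the DP doesn't need. Run elevated on the
# distribution point. Assumes the ServerManager and WebAdministration modules
# that ship with the Web Server role on Windows Server.

function Invoke-DpIisHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate,                        # default is report-only
        [string]$DefaultSite = 'Default Web Site'  # the default-site vdirs are stale only after a move to a custom website
    )
    Import-Module ServerManager -ErrorAction Stop
    Import-Module WebAdministration -ErrorAction Stop

    # 1. Role services a distribution point does not require.
    #    Web-Http-Redirect   = "HTTP Redirection"
    #    Web-Scripting-Tools = "IIS Management Scripts and Tools"
    foreach ($feature in Get-WindowsFeature -Name 'Web-Http-Redirect', 'Web-Scripting-Tools') {
        if (-not $feature.Installed) { continue }
        Write-Warning "Installed but not required by a DP: $($feature.Name) ($($feature.DisplayName))"
        if ($Remediate -and $PSCmdlet.ShouldProcess($feature.Name, 'Uninstall-WindowsFeature')) {
            Uninstall-WindowsFeature -Name $feature.Name | Out-Null
        }
    }

    # 2. Virtual directories Configuration Manager created under the default
    #    website; they stay behind when the DP is switched to a custom website.
    $staleVdirs = 'SMS_DP_SMSPKG$', 'SMS_DP_SMSSIG$', 'NOCERT_SMS_DP_SMSPKG$', 'NOCERT_SMS_DP_SMSSIG$'
    $present = @(Get-WebVirtualDirectory -Site $DefaultSite -ErrorAction SilentlyContinue)
    foreach ($name in $staleVdirs) {
        # WebAdministration reports each vdir's path as '/<name>'.
        if ($present.path -notcontains "/$name") { continue }
        Write-Warning "Virtual directory '$name' still exists under '$DefaultSite'"
        if ($Remediate -and $PSCmdlet.ShouldProcess("$DefaultSite/$name", 'Remove-WebVirtualDirectory')) {
            Remove-WebVirtualDirectory -Site $DefaultSite -Name $name
        }
    }
}

# Report only:
Invoke-DpIisHardening
# Preview the changes, then apply them:
# Invoke-DpIisHardening -Remediate -WhatIf
# Invoke-DpIisHardening -Remediate
```

Run the report-only form first on every distribution point; the virtual-directory part only applies to a DP that you have moved from the default website to a custom website, because on a DP still using the default website those directories are live, not stale.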
For content-enabled cloud management gateways, protect your Azure subscription details and certificates
When you use content-enabled cloud management gateways (CMGs), protect the following high-value items:
The user name and password for your Azure subscription
The secret keys for Azure app registrations
The server authentication certificate
Store the certificates securely. If you browse to them over the network when you configure the CMG, use IPsec
or SMB signing between the site system server and the source location.
For service continuity, monitor the expiry date of the CMG certificates
Configuration Manager doesn't warn you when the imported certificates for the CMG are about to expire.
Monitor the expiry dates independently from Configuration Manager. Make sure that you renew and then
import the new certificates before the expiry date. This action is important if you acquire a server authentication
certificate from an external, public provider, because you might need more time to acquire a renewed certificate.
If a certificate expires, the Configuration Manager cloud services manager generates a status message with ID
9425 . The CloudMgr.log file contains an entry to indicate that the certificate is in expired state, with the expiry
date also logged in UTC.
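
Because Configuration Manager doesn't warn ahead of expiry, the monitoring has to come from outside it. The following PowerShell is an added example, not a Configuration Manager feature: it reports the days remaining on the certificate files you keep for the CMG and, optionally, on every certificate in the local machine's personal store, so it can run as a scheduled task well before the expired-state entry ever appears in CloudMgr.log. The file path and the 60-day threshold in the usage line are assumptions for the example.

```powershell
# Added example; not built into Configuration Manager, which doesn't warn
# about CMG certificate expiry. Reports how many days remain on the
# certificate files you keep for the CMG (server authentication .cer/.pfx)
# and, optionally, on everything in the local machine's personal store.
# The path and threshold used at the bottom are assumptions for the example.

function Get-CertificateExpiryReport {
    param(
        [string[]]$CertificateFile = @(),   # .cer or .pfx paths; a .pfx prompts for its password
        [int]$WarnDays = 30,
        [switch]$IncludeLocalMachineStore
    )
    $now = Get-Date
    $certs = New-Object System.Collections.Generic.List[object]

    foreach ($path in $CertificateFile) {
        if (-not (Test-Path -Path $path)) { Write-Warning "Not found: $path"; continue }
        if ([IO.Path]::GetExtension($path) -ieq '.pfx') {
            # Prompts for the password interactively; don't embed the .pfx password in a script.
            $certs.Add((Get-PfxCertificate -FilePath $path))
        } else {
            $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path))
        }
    }
    if ($IncludeLocalMachineStore) {
        foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) { $certs.Add($c) }
    }

    foreach ($c in $certs) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
        $state = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
        [pscustomobject]@{
            Subject     = $c.Subject
            Thumbprint  = $c.Thumbprint
            NotAfterUtc = $c.NotAfter.ToUniversalTime()   # same convention as the CloudMgr.log entry
            DaysLeft    = $daysLeft
            State       = $state
        }
    }
}

# Check the CMG server authentication certificate you will import (placeholder path) and
# flag anything in the machine store within 60 days of expiry. Schedule this so the check
# runs independently of Configuration Manager.
Get-CertificateExpiryReport -CertificateFile 'C:\Certs\cmg-server-auth.pfx' -WarnDays 60 -IncludeLocalMachineStore |
    Where-Object State -ne 'OK' | Format-Table -AutoSize
```

Set the threshold to the lead time your certificate provider needs; for a publicly issued server authentication certificate that is typically longer than for one from an internal CA, which is the point the guidance above makes.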

Security considerations
Clients don't validate content until after it's downloaded. Configuration Manager clients validate the hash
on content only after it's downloaded to their client cache. If an attacker tampers with the list of files to
download or with the content itself, the download process can take up considerable network bandwidth.
Then the client discards the content when it finds the invalid hash.
When you use content-enabled cloud management gateways:
It automatically restricts access to the content to your organization. You can't restrict it further to
selected users or groups.
The management point first authenticates the client. Then the client uses a Configuration Manager
token to access cloud storage. The token is valid for eight hours. This behavior means that if you
block a client because it's no longer trusted, it can continue to download content from cloud
storage until this token expires. The management point won't issue another token for the client
because it's blocked.
To avoid a blocked client from downloading content within this eight-hour window, stop the cloud
service. In the Configuration Manager console, go to the Administration workspace, expand
Cloud Services, and select the Cloud Management Gateway node.

Privacy information
Configuration Manager doesn't include any user data in content files, although an administrative user might
choose to do this action.

Next steps
Fundamental concepts for content management
Security and privacy for application management
Security and privacy for software updates
Security and privacy for OS deployment
Data transfers between sites
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses file-based replication and database replication to transfer different types of
information between sites. Learn about how Configuration Manager moves data between sites, and how you
can manage the transfer of data across your network.

Types of replication
File-based replication
Configuration Manager uses file-based replication to transfer file-based data between sites in your hierarchy.
This data includes applications and packages that you want to deploy to distribution points in child sites. It also
handles unprocessed discovery data records that the site transfers to its parent site and then processes.
For more information, see File-based replication.
Database replication
Configuration Manager database replication uses SQL Server to transfer data. It uses this method to merge
changes in its site database with the information from the database at other sites in the hierarchy.
For more information, see Database replication.
For help with troubleshooting SQL Server replication, see Troubleshoot SQL Server replication.

See also
Monitor replication
File-based replication
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses file-based replication to transfer file-based data between sites in your hierarchy.
This data includes applications and packages that you want to deploy to distribution points in child sites. It also
handles unprocessed discovery data records that the site transfers to its parent site and then processes.
File-based communication between sites uses the server message block (SMB) protocol on TCP/IP port 445. To
control the amount of data the site transfers across the network, specify bandwidth throttling and pulse mode.
Use schedules to control when to send data across the network.

Routes
The following information can help you set up and use file replication routes.
File replication route
Each file replication route identifies a destination site to which a site transfers file-based data. Each site supports
one file replication route to a specific destination site.
To manage a file replication route, go to the Administration workspace. Expand the Hierarchy Configuration
node, and then select File Replication.
You can change the following settings for file replication routes:
File replication account
This account connects to the destination site, and writes data to that site's SMS_Site share. The receiving site
processes the data written to this share. By default, when you add a site to the hierarchy, Configuration Manager
assigns the new site server's computer account as its file replication account. It then adds this account to the
destination site's SMS_SiteToSiteConnection_<sitecode> group. This group is local to the computer that grants
access to the SMS_Site share. You can change this account to be a Windows user account. If you change the
account, make sure you add the new account to the destination site's SMS_SiteToSiteConnection_<sitecode>
group.

NOTE
Secondary sites always use the computer account of the secondary site server as the File Replication Account.
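
The three things a file replication route depends on, as described above, can each be checked from the sending site server: TCP 445 to the destination, the destination's SMS_Site share, and membership of the file replication account in the destination's SMS_SiteToSiteConnection_<sitecode> group. The following PowerShell is an added example, not Configuration Manager tooling. The destination server name and site code are placeholders; the group query uses PowerShell remoting, so WinRM and administrative rights on the destination site server are assumed.

```powershell
# Added example; not Configuration Manager tooling. Run on the sending site
# server to check the prerequisites of a file replication route to one
# destination site: TCP 445 is reachable, the destination's SMS_Site share is
# visible, and the file replication account is in the destination's local
# SMS_SiteToSiteConnection_<sitecode> group. Server name and site code in the
# usage line are placeholders; the group query needs WinRM and admin rights on
# the destination.

function Test-FileReplicationRoute {
    param(
        [Parameter(Mandatory)][string]$DestinationServer,
        [Parameter(Mandatory)][string]$DestinationSiteCode,
        # Default: this site server's computer account, which is what setup assigns.
        [string]$ReplicationAccount = ('{0}\{1}$' -f $env:USERDOMAIN, $env:COMPUTERNAME)
    )
    $result = [ordered]@{ Destination = $DestinationServer; Account = $ReplicationAccount }

    # 1. Transport: file-based replication is SMB on TCP 445.
    $tnc = Test-NetConnection -ComputerName $DestinationServer -Port 445 -WarningAction SilentlyContinue
    $result.Tcp445Open = $tnc.TcpTestSucceeded

    # 2. The share the sender writes to. This runs as the current user, so it proves
    #    the share exists, not that the computer account itself has access.
    $result.SmsSiteShareVisible = Test-Path -Path "\\$DestinationServer\SMS_Site"

    # 3. Authorization: the replication account must be in the destination's local group.
    $group = "SMS_SiteToSiteConnection_$DestinationSiteCode"
    try {
        $members = Invoke-Command -ComputerName $DestinationServer -ErrorAction Stop -ArgumentList $group -ScriptBlock {
            param($groupName)
            (Get-LocalGroupMember -Group $groupName -ErrorAction Stop).Name
        }
        $result.AccountInGroup = [bool]($members -contains $ReplicationAccount)
        $result.GroupMembers   = @($members) -join '; '
    } catch {
        $result.AccountInGroup = $null
        $result.GroupMembers   = "query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Placeholder destination values:
Test-FileReplicationRoute -DestinationServer 'SITE2.contoso.local' -DestinationSiteCode 'PS2' | Format-List
```

If you changed the route to use a Windows user account instead of the computer account, pass it as -ReplicationAccount in DOMAIN\name form, which is how Get-LocalGroupMember reports members; a False for AccountInGroup is the case the text above warns about, where the account was changed but never added to the destination's group.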

Schedule
Set the schedule for each file replication route. This action restricts the type of data and time when data can
transfer to the destination site.
Rate limits
Specify rate limits for each file replication route. This action controls the network bandwidth the site uses when
it transfers data to the destination site:
Pulse mode : Specify the size of the data blocks that the site sends to the destination site. You can also
specify a time delay between sending each data block. Use this option when you must send data across a
low-bandwidth network connection to the destination site.
For example, the link can tolerate 1 KB of data every five seconds, but not 1 KB every three seconds. Pulse
mode enforces this constraint regardless of the speed of the link or its usage at a given time.
Limited to maximum transfer rates by hour : The site sends data to a destination site by using only
the percentage of time that you specify. Configuration Manager doesn't identify the network's available
bandwidth. It divides the time it can send data into slices of time. It then sends the data in a short block of
time, which is followed by blocks of time when it doesn't send data.
For example, you set the maximum rate to 50% . Configuration Manager transmits data for an amount of
time followed by an equal period of time when it doesn't send any data. It doesn't manage the actual size
of the data block that it sends. The site only manages the amount of time during which it sends data.
Caution

By default, a site can use up to three concurrent sendings to transfer data to a destination site. When
you enable rate limits for a file replication route, it limits the concurrent sendings to that site to one.
This behavior applies even when the Limit available bandwidth (%) is set to 100% . For example, if
you use the default settings for the sender, this reduces the transfer rate to the destination site to be one-
third of the default capacity.
Routes between secondary sites
Configure a file replication route between two secondary sites to route file-based content between those sites.
Sender
Each site has one sender. The sender manages the network connection from one site to a destination site. It can
establish connections to multiple sites at the same time. To connect to a site, the sender uses the file replication
route to the site and identifies the account it uses to establish the network connection. The sender also uses this
account to write data to the destination site's SMS_Site share.
By default, the sender writes data to a destination site by using multiple concurrent sendings, or threads.
Each thread can transfer a different file-based object to the destination site. When the sender begins to send an
object, it continues to write blocks of data for that object until it sends the entire object. After it sends all the data
for the object, a new object can begin to send on that thread.
To manage the sender for a site, go to the Administration workspace, and expand the Site Configuration
node. Select the Sites node, and then select Properties for the site you want to manage. Switch to the Sender
tab to change the sender settings.
You can change the following settings for a sender:
Maximum concurrent sendings
By default, each site uses five concurrent sendings (threads). Three threads are available for use when it sends
data to any one destination site. When you increase this number, you can increase the throughput of data
between sites. More threads mean that Configuration Manager can transfer more files at the same time.
Increasing this number also increases the demand for network bandwidth between sites.
Retry settings
By default, each site retries a problem connection two times, with a one-minute delay between connection
attempts. You can modify the number of connection attempts the site makes, and how long to wait between
attempts.

Next steps
Database replication
Database replication

Applies to: Configuration Manager (current branch)


Configuration Manager database replication uses SQL Server to transfer data. It uses this method to merge
changes in its site database with the information from the database at other sites in the hierarchy.
Note the following points about database replication:
All sites share the same global data, and site data from each primary site replicates to the CAS.
When you install a site in a hierarchy, Configuration Manager automatically establishes database
replication between the new site and its parent site.
When the site installation finishes, database replication automatically starts.
When you add a new site to a hierarchy, Configuration Manager creates a generic database at the new site. The
parent site creates a snapshot of the relevant data in its database. It then transfers the snapshot to the new site
using file-based replication. The new site then uses the SQL Server Bulk Copy Program (BCP) to load the
information into its local copy of the Configuration Manager database. After the snapshot loads, each site
conducts database replication with the other site.
To replicate data between sites, Configuration Manager uses its own database replication service. The database
replication service uses SQL Server change tracking to monitor the local site database for changes. It then
replicates the changes to other sites by using SQL Server Service Broker (SSB). By default, this process uses TCP
port 4022.

Replication groups
Configuration Manager groups data that replicates by database replication into different replication groups.
Each replication group has a separate, fixed replication schedule. The site uses this schedule to determine how
frequently it replicates changes to other sites.
For example, a change to a role-based administration configuration replicates quickly to other sites. This
behavior makes sure that the other site can quickly enforce these changes. A lower-priority configuration
change, such as a request to install a new secondary site, replicates with less urgency. It can take several minutes
for a new site request to reach the destination primary site.

Settings
You can modify the following settings for database replication:
Database replication links : Control when specific traffic traverses the network.
Distributed views : When a central administration site (CAS) requests selected site data, it can access the
data directly from the database at a child primary site.
Schedules : Specify when a replication link is used, and when different types of site data replicate.
Summarization : Change settings for data summarization about network traffic that traverses replication
links. By default, summarization occurs every 15 minutes. It's used in reports for database replication.
Database replication thresholds : Define when the site reports links as degraded or failed. You can
also configure when Configuration Manager raises alerts about replication links that have a degraded or
failed status.

Types of data
Configuration Manager primarily classifies the data that it replicates as either global data or site data. When
database replication occurs, the site transfers changes to global data and site data across the database
replication link. Global data replicates to a parent or child site. Site data replicates only to a parent site. A third
data type, local data, doesn't replicate to other sites. Local data is information that other sites don't require.
Global data
Global data is administrator-created objects that replicate to all sites throughout the hierarchy. Secondary sites
only receive a subset of global data, as global proxy data. You create global data at the CAS and primary sites.
This type includes the following data:
Software deployments
Software updates
Collection definitions
Role-based administration security scopes
Site data
Site data is operational information created by Configuration Manager primary sites and their assigned clients.
Site data replicates to the CAS, but not to other primary sites. Site data is only viewable at the CAS and at the
primary site where the data originates. You can only modify site data at the primary site where you created it.
This type includes the following data:
Hardware inventory
Status messages
Alerts
The results of query-based collections
All site data replicates to the CAS. The CAS does administration and reporting for the entire site hierarchy.

Database replication links


When you install a new site in a hierarchy, Configuration Manager automatically creates a database replication
link between the parent site and the new site. It creates a single link to connect the two sites.
To control the transfer of data across the replication link, change settings for each link. Each replication link
supports separate configurations. Each database replication link includes the following controls:
Stop the replication of selected site data from a primary site to the CAS. This action causes the CAS to
access this data directly from the database of the primary site.
Schedule selected site data to transfer from a child primary site to the CAS.
Define the settings that determine when a database replication link has a degraded or failed status.
Specify when to raise alerts for a failed replication link.
Specify how frequently Configuration Manager summarizes data about the replication traffic that uses
the replication link. It uses this data in reports.
To configure a database replication link, in the Configuration Manager console, go to the Monitoring
workspace. Select the Database Replication node, and edit the properties for the link. This node is also in the
Administration workspace, under the Hierarchy Configuration node. Edit a replication link from either the
parent site or the child site of the replication link.

TIP
You can edit database replication links from the Database Replication node in either workspace. However, when you
use the Database Replication node in the Monitoring workspace, you can also view the status of database replication.
It also provides access to the Replication Link Analyzer tool. Use this tool to help investigate problems with database
replication.

For more information about how to configure replication links, see Site database replication controls. For more
information about how to monitor replication, see Monitor database replication.

Distributed views
Through distributed views, when you make a request at the CAS for selected site data, it directly accesses the
database at the child primary site. This direct access replaces the need to replicate site data from the primary
site to the CAS. Because each replication link is independent from other replication links, you can use distributed
views on the replication links that you choose. You can't use distributed views between a primary site and a
secondary site.
Distributed views provide the following benefits:
Reduce the CPU load to process database changes at the CAS and primary sites
Reduce the amount of data that transfers across the network to the CAS
Improve the performance of the SQL Server that hosts the CAS database
Reduce the disk space used by the CAS database
Consider using distributed views when a primary site is close to the CAS on the network, and the two sites are
always on and always connected. Distributed views replace the replication of the selected data between the
sites with direct connections between the site database servers at each site. The CAS makes a direct connection
each time you request this data.
The site requests distributed view data in the following example scenarios:
When you run reports or queries
When you view information in Resource Explorer
Collection evaluation for collections that include site data-based rules
By default, distributed views are turned off for each replication link. When you turn on distributed views, you
select site data that won't replicate to the CAS across that link. The CAS accesses this data directly from the
database of the child primary site that shares the link. You can configure the following types of site data for
distributed views:
Hardware inventory data from clients
Software inventory and software metering data from clients
Status messages from clients, the primary site, and all secondary sites
When you view data in the Configuration Manager console or in reports, distributed views are operationally
invisible to you. When you request data that's enabled for distributed views, the CAS site database server
directly accesses the child primary site's database to retrieve the information.
For example, you use a Configuration Manager console connected to the CAS. You request information about
hardware inventory from two primary sites: ABC and XYZ. You only enabled hardware inventory for distributed
views at site ABC. The CAS retrieves inventory information for XYZ clients from its own database. The CAS
retrieves inventory information for ABC clients directly from the database at site ABC. This information appears
in the Configuration Manager console or in a report without identifying the source.
If a replication link has a type of data enabled for distributed views, the child primary site doesn't replicate that
data to the CAS. When you turn off distributed views for a type of data, the child primary site resumes normal
data replication to the CAS. Before this data is available at the CAS, the replication groups for this data must
reinitialize between the primary site and the CAS. After you uninstall a primary site that has distributed views
turned on, the CAS must complete reinitialization of its data before you can access data that you enabled for
distributed views on the CAS.

IMPORTANT
When you use distributed views on any replication link in the site hierarchy, before you uninstall any primary site, turn off
distributed views for all replication links. For more information, see Uninstall a primary site that uses distributed views.

Prerequisites and limitations for distributed views


Only use distributed views on replication links between the CAS and a primary site.
The CAS must use SQL Server Enterprise edition. The primary site doesn't have this requirement.
The CAS can have only one instance of the SMS Provider. Install that single instance on the site database
server. This configuration supports Kerberos authentication. The SQL Server at the CAS requires Kerberos
to access the SQL Server at the child primary site. There are no limitations on the SMS Provider at the
child primary site.
You can only install one reporting services point at the CAS. Install SQL Server Reporting Services on the
site database server. This configuration supports Kerberos authentication. The SQL Server at the CAS
requires Kerberos to access the SQL Server at the child primary site.
You can't host the site database on a SQL Server Always On failover cluster instance.
The computer account of the CAS database server requires Read permissions on the primary site
database.

IMPORTANT
Distributed views and schedules for when data can replicate are mutually exclusive settings for a database replication link.

Schedule transfers of site data


To help you control the network bandwidth that's used to replicate site data from a child primary site to the CAS,
schedule when a replication link is used. Then specify when different types of site data replicate. You can control
when the primary site replicates status messages, inventory, and metering data. Database replication links from
secondary sites don't support schedules for site data. You can't schedule the transfer of global data.
When you configure a database replication link schedule, you can restrict the transfer of selected site data from
the primary site to the CAS. You can also configure different times to replicate different types of site data.

IMPORTANT
Distributed views and schedules for when data can replicate are mutually exclusive configurations for a database
replication link.

Summarization of traffic
Each site periodically summarizes data about the network traffic that traverses database replication links for the
site. The site uses summarized data in reports for database replication. Both sites on a replication link
summarize the network traffic that traverses the replication link. The site database server summarizes the data.
After it summarizes data, the information replicates to other sites as global data.
By default, summarization occurs every 15 minutes. To modify the frequency of summarization for network
traffic, in the properties of the database replication link, edit the Summarization interval. The frequency of
summarization affects the information that you view in reports about database replication. You can choose an
interval from 5 to 60 minutes. When you increase the frequency of summarization, you increase the processing
load on the SQL Server at each site on the replication link.

Database replication thresholds


Database replication thresholds define when Configuration Manager reports the status of a database replication
link as either degraded or failed. By default, it sets a link as degraded when any one replication group fails to
complete replication for 12 consecutive attempts. It sets the link as failed when any replication group fails to
replicate in 24 consecutive attempts.
You can specify custom values for degraded or failed status. If you adjust these values, you can more accurately
monitor the health of database replication across the links.
One or more replication groups can fail to replicate while other replication groups continue to successfully
replicate. Plan to review the replication status of a link when it first reports as degraded.
Consider modifying the retry values for the degraded or failed status of the link in the following situations:
There are recurring delays for specific replication groups, and their delay isn't a problem
The network link between sites has low available bandwidth
When you increase the number of retries before the site sets the link to degraded or failed, you can eliminate
false warnings for known issues. This action lets you more accurately track the status of the link.
To understand how frequently replication of that group occurs, consider the replication sync interval for each
replication group. To view the Synchronization Interval for replication groups, go to the Monitoring
workspace in the Configuration Manager console. In the Database Replication node, select the Replication
Detail tab of a replication link.
For more information about how to monitor database replication, including how to view the replication status,
see Monitor database replication.
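The following is an added example, not code from Configuration Manager or its documentation. It models the threshold rules described above: a link is degraded when any one replication group has failed 12 consecutive attempts and failed at 24, custom thresholds can replace those defaults, and the group's synchronization interval converts a retry count into the wall-clock time before the link changes status. The group names, intervals and attempt histories are constructed sample data.

```python
"""Model of Configuration Manager database replication link thresholds.

Added example for this page; not product code. It applies the documented
defaults (Degraded at 12 consecutive failed attempts of any one replication
group, Failed at 24) to per-group attempt histories, and turns a retry
threshold into minutes using the group's synchronization interval.
Group names, intervals and results are constructed.
"""
from dataclasses import dataclass

DEGRADED_AFTER = 12  # default consecutive failures before a link is Degraded
FAILED_AFTER = 24    # default consecutive failures before a link is Failed


@dataclass
class ReplicationGroup:
    name: str
    sync_interval_min: int  # how often this group attempts to replicate
    results: list           # attempt outcomes, oldest first; True = succeeded

    def consecutive_failures(self):
        """Number of failed attempts since the last successful one."""
        count = 0
        for ok in reversed(self.results):
            if ok:
                break
            count += 1
        return count


def link_status(groups, degraded_after=DEGRADED_AFTER, failed_after=FAILED_AFTER):
    """Return (status, driving_group). One group failing is enough to
    degrade the link even while every other group replicates normally."""
    worst = max(groups, key=lambda g: g.consecutive_failures())
    failures = worst.consecutive_failures()
    if failures >= failed_after:
        return "Failed", worst.name
    if failures >= degraded_after:
        return "Degraded", worst.name
    return "Active", worst.name


def minutes_until(threshold, group):
    """Minutes of continued failure before this group alone pushes the link
    over `threshold`; 0 if it already has."""
    remaining = max(0, threshold - group.consecutive_failures())
    return remaining * group.sync_interval_min


# Constructed sample (names are illustrative, not real replication groups):
# an RBAC-style group that syncs every minute and is healthy, and an
# inventory-style group that syncs every 15 minutes and has failed 12 times.
SAMPLE_GROUPS = [
    ReplicationGroup("rbac_config", 1, [True] * 10),
    ReplicationGroup("hw_inventory", 15, [True, True] + [False] * 12),
]

if __name__ == "__main__":
    status, group = link_status(SAMPLE_GROUPS)
    print(status, "because of", group)
    print("minutes until Failed:", minutes_until(FAILED_AFTER, SAMPLE_GROUPS[1]))
```

Raising the degraded threshold for a group with known recurring delays, as the text suggests, is the `degraded_after` argument; the same 12 retries mean 12 minutes for a group that syncs every minute but three hours for one that syncs every 15 minutes, which is why the sync interval matters when you tune the values.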

Site database replication controls


To help you control the network bandwidth used for database replication, change the settings for each site
database. The settings apply only to the site database in which you configure the settings. The settings are
always used when the site replicates any data by database replication to any other site.
You can modify the following replication controls for each site database:
The SSB port
The period of time to wait before replication failures trigger the site to reinitialize its copy of the site
database
Compress the data that a site replicates. It only compresses the data for transfer between sites, and not
for storage in the site database at either site.
To change the settings for the replication controls for a site database, in the Configuration Manager console, on
the Database Replication node, edit the properties of the site database. This node appears under the
Hierarchy Configuration node in the Administration workspace, and also appears in the Monitoring
workspace. To edit the properties of the site database, select the replication link between the sites, and then open
either Parent Database Properties or Child Database Properties.

TIP
You can configure database replication controls from the Database Replication node in either workspace. However,
when you use the Database Replication node in the Monitoring workspace, you can also view the status of database
replication for a replication link, and access the Replication Link Analyzer tool to help you investigate problems with
replication.

See also
Monitor replication
Troubleshoot SQL Server replication
How clients find site resources and services

Applies to: Configuration Manager (current branch)


Configuration Manager clients use a process called service location to locate site system servers that provide
services the clients can use. To configure your sites to successfully support client tasks, you need to understand
how and when clients use service location to find site resources. These configurations can require the site to
interact with domain and network configurations like Active Directory Domain Services and DNS. They can also
require you to configure more complex alternatives.
Some examples of site system roles that provide services include:
The core site system server for clients.
The management point.
Other site system servers that the client can communicate with, like distribution points and software update
points.

Fundamentals of service location


When a client uses service location to find a management point to communicate with, it evaluates the following
aspects:
Current network location
Communication protocol preference
Assigned site
Client communication with a management point
A client communicates with a management point (MP) to:
Download information about other management points for the site. It then builds a list of known
management points for future service location cycles. This list is also known as the MP list.
Upload configuration details, like inventory and status.
Download a policy that sets configurations on the client, informs it of software to install, and other related
tasks.
Request information about other site system roles that provide services that the client can use. For
example, distribution points for software that the client can install, or a software update point for
metadata about software updates.
Client service location requests
A Configuration Manager client makes a service location request:
Every 25 hours of continuous operation.
When the client detects a change in its network configuration or location.
When the ccmexec.exe service on the computer starts. This Windows service is the core client service.
When the client needs to locate a site system role that provides a required service.
Client requests for site system roles
When a client attempts to find servers that host roles, it uses service location. It tries to find a role that supports
its communication protocol, either HTTP or HTTPS. By default, clients use the most secure method available to
them.
To use HTTPS, you need a public key infrastructure (PKI) and install PKI certificates on clients and servers.
For more information, see PKI certificate requirements for Configuration Manager.
For roles that use IIS and support client communication, you configure them for HTTP or HTTPS. If you
use HTTP, also consider signing and encryption choices. For more information, see Planning for signing
and encryption.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Determine assigned management point


Primary sites support multiple management points. Each client independently identifies a management point as
its default. When a client first assigns to a primary site, it selects its default management point. This default
management point then becomes that client's assigned management point.

TIP
You can use client installation properties to set the assigned management point for a client. For more information, see
Client installation properties.

A client selects a management point to communicate with based on the client's current network location and
boundary group configurations. Even though it has an assigned management point, this server may not be the
management point that the client uses.

NOTE
A client always uses the assigned management point for registration messages and certain policy messages. This behavior
happens even when other communications are sent to a proxy or local management point.

You can use preferred management points. Preferred management points are management points from a
client's assigned site that are associated with a boundary group that the client uses to find site system servers. A
preferred management point's association with a boundary group is similar to how distribution points or state
migration points are associated with a boundary group. If you enable preferred management points for the
hierarchy, when a client uses a management point from its assigned site, it tries to use a preferred management
point before using other management points from its assigned site.

TIP
You can configure management point affinity with a registry key configuration on the client. Management point affinity
overrides the default behavior for assigned management points and lets the client use one or more specific management
points. For more information, see this blog post from a Microsoft Premier engineer.

Each time a client needs to contact a management point, it first checks the MP list. The client creates an initial MP
list when it installs. The client then periodically updates the list with details about each management point in the
hierarchy.
When the client can't find a valid management point in its MP list, it searches the service location sources. It uses
the following sources in order, until it finds a management point that it can use:
1. Management point
2. Active Directory Domain Services (AD DS)
3. DNS
After a client successfully locates and contacts a management point, it downloads the current list of available
management points. It then updates its own local MP list.
This process is the same for all clients. For example, when a Configuration Manager client that's on the internet
connects to an internet-based management point, the management point sends that client a list of available
internet-based management points. A client that's not on the internet only gets a list of internal management
points.

The MP list
The MP list is the preferred service location source for a client. It's a prioritized list of management points that
the client previously identified. The client sorts its MP list based on its current network location. It stores the list
locally in WMI.
Build the initial MP list
During installation of the client, the client uses the following rules to build its initial MP list:
Include management points specified during client installation. For example, when you use the SMSMP
property or /mp parameter.
Query AD DS for published management points. The client identifies management points from AD DS
that are in its assigned site and the same product version.
If it doesn't get any management points from the first two rules, the client checks DNS for published
management points.
MP list categories
Clients organize their list of management points by using the following categories:
Proxy : A management point at a secondary site.
Local : Any management point that's associated with the client's current network location, as defined by
site boundaries.
When a client belongs to more than one boundary group, it determines the list of local
management points from the union of all boundaries that include the current network location of
the client.
Local management points are typically a subset of a client's assigned management points, unless
the client is in a network location that's associated with another site whose management points
service its boundary groups.
Assigned : Any management point that's in the client's assigned site.
You can use preferred management points. Management points at a site that aren't associated with a boundary
group, or that aren't in a boundary group associated with a client's current network location, aren't considered
preferred. The client uses these management points when it can't find an available preferred management point.
Select a management point to use
For typical communications, a client tries to use a management point in the following order, based on the client's
network location:
1. Proxy
2. Local
3. Assigned
The client always uses the assigned management point for registration messages and certain policy messages.
This behavior happens even when it sends other communication to a proxy or local management point.
Within each category, the client attempts to use a management point based on preferences, in the following
order:
1. When the client is configured for HTTPS communication:
a. HTTPS-capable in a trusted or local forest
b. HTTPS-capable not in a trusted or local forest
2. HTTP-capable in a trusted or local forest
3. HTTP-capable not in a trusted or local forest
From the set of management points sorted by preference, the client attempts to use the first management point
on the list. This sorted list of management points is otherwise randomized and can't be ordered any further. The
order of the list can change each time the client updates its MP list.
When a client can't contact the first management point, it tries each successive management point on its list. It
tries each preferred management point in the category before trying the non-preferred management points. If a
client can't successfully communicate with any management point in the category, it attempts to contact a
preferred management point from the next category, until it finds a management point to use.
After a client establishes communication with a management point, it continues to use that same management
point until:
25 hours have passed.
The client is unable to communicate with the management point for five attempts over a period of 10
minutes.
The client then randomly selects a new management point to use.
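The following is an added example, not the Configuration Manager client's own code. It encodes the selection rules from the last three sections in one place: category order Proxy, then Local, then Assigned; preferred management points before non-preferred ones within a category; then HTTPS in a trusted or local forest, HTTPS elsewhere, HTTP in a trusted forest, HTTP elsewhere; ties randomized; and, when the whole MP list fails, the fallback to AD DS and then DNS. Placing "preferred" above the protocol preference is this example's reading of the text, and the MP names, forests and reachability results are constructed sample data; the AD DS and DNS lookups are stand-in callables, not directory or DNS queries.

```python
"""Model of how a Configuration Manager client orders its MP list and picks a
management point. Added example for this page; not the product's client code.
Encodes the documented order: Proxy > Local > Assigned; preferred before
non-preferred within a category (this example's reading); then HTTPS in a
trusted or local forest > HTTPS elsewhere > HTTP trusted > HTTP elsewhere, with
ties randomized; and the MP list > AD DS > DNS fallback. All MP names, forests
and reachability below are constructed sample data.
"""
import random
from dataclasses import dataclass

CATEGORY_ORDER = {"Proxy": 0, "Local": 1, "Assigned": 2}


@dataclass(frozen=True)
class ManagementPoint:
    fqdn: str
    category: str            # "Proxy", "Local" or "Assigned"
    protocols: frozenset     # subset of {"HTTPS", "HTTP"} the MP accepts
    trusted_forest: bool     # MP is in the client's own forest or a trusted one
    preferred: bool = False  # in a boundary group the client's location matches


def protocol_rank(mp, client_https):
    """Lower is better. None means the client can't talk to this MP at all."""
    if client_https and "HTTPS" in mp.protocols:
        return 0 if mp.trusted_forest else 1
    if "HTTP" in mp.protocols:
        return 2 if mp.trusted_forest else 3
    return None


def order_mp_list(mps, client_https, seed=None):
    """Sort the way the client does. MPs equal on every key keep a random
    relative order, because the list is shuffled before the stable sort."""
    usable = [mp for mp in mps if protocol_rank(mp, client_https) is not None]
    random.Random(seed).shuffle(usable)
    return sorted(usable, key=lambda mp: (CATEGORY_ORDER[mp.category],
                                          0 if mp.preferred else 1,
                                          protocol_rank(mp, client_https)))


def select_mp(mps, client_https, reachable, seed=None):
    """First usable MP that answers; None when every MP in the list fails."""
    for mp in order_mp_list(mps, client_https, seed):
        if reachable(mp):
            return mp
    return None


def locate_mp(mp_list, ad_ds_lookup, dns_lookup, client_https, reachable, seed=None):
    """Service location order: stored MP list, then AD DS, then DNS.
    ad_ds_lookup and dns_lookup are callables returning candidate MPs; they
    stand in for the real directory and DNS queries."""
    for source_name, source in (("MP list", lambda: mp_list),
                                ("AD DS", ad_ds_lookup),
                                ("DNS", dns_lookup)):
        mp = select_mp(source(), client_https, reachable, seed)
        if mp is not None:
            return source_name, mp
    return None, None


# Constructed sample: a proxy MP at a secondary site, a preferred HTTP-only
# local MP, an HTTPS-capable local MP in an untrusted forest, and the assigned
# site's HTTPS-only MP.
SAMPLE_MPS = [
    ManagementPoint("mp-assigned.corp.example", "Assigned", frozenset({"HTTPS"}), True),
    ManagementPoint("mp-branch.corp.example", "Local", frozenset({"HTTP"}), True, preferred=True),
    ManagementPoint("mp-partner.partner.example", "Local", frozenset({"HTTPS", "HTTP"}), False),
    ManagementPoint("mp-proxy.branch.example", "Proxy", frozenset({"HTTP"}), True),
]

if __name__ == "__main__":
    for mp in order_mp_list(SAMPLE_MPS, client_https=True, seed=1):
        print(mp.category, mp.fqdn)
    chosen = select_mp(SAMPLE_MPS, True, lambda mp: mp.category != "Proxy", seed=1)
    print("selected:", chosen.fqdn)
```

Note what falls out of the ordering: a client that is not configured for HTTPS silently drops the HTTPS-only assigned MP from its usable list, and an HTTPS client still falls through to plain HTTP management points when no HTTPS-capable one answers, which is the reason the text recommends HTTPS-only or enhanced HTTP rather than relying on client preference.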

Active Directory
Domain-joined clients can use AD DS for service location. This behavior requires sites to publish data to Active
Directory.
A client can use AD DS for service location when all the following conditions are true:
You extended the Active Directory schema.
You configured the Active Directory forest for publishing, and you configured the Configuration Manager
site to publish.
The client computer is a member of an Active Directory domain and can access a global catalog server.
If a client can't find a management point to use for service location from AD DS, it attempts to use DNS.

DNS
Clients on the intranet can use DNS for service location. This behavior requires at least one site in a hierarchy to
publish information about management points to DNS.
Consider using DNS for service location when any of the following conditions are true:
You haven't extended the AD DS schema to support Configuration Manager.
Clients on the intranet are in a forest that you haven't enabled for Configuration Manager publishing.
You have clients on workgroup computers, and you haven't configured those clients for internet-only
client management. A workgroup client configured for the internet communicates only with internet-
facing management points and won't use DNS for service location.
You can configure clients to find management points from DNS.
When a site publishes service location records for management points to DNS:
Publishing is applicable only to management points that accept client connections from the intranet.
Publishing adds a service location resource record (SRV RR) in the DNS zone of the management point
server. That server needs a corresponding host entry in DNS.
By default, domain-joined clients search DNS for management point records from the client's local domain. You
can configure a client installation property to specify another domain suffix.
For more information, see How to configure client computers to find management points by using DNS
publishing.
Publish management points to DNS
To publish management points to DNS, the following two conditions must be true:
Your DNS servers support service location resource records, by using a version of BIND that's at least
8.1.2.
The specified intranet FQDNs for the management points in Configuration Manager have host entries (A
records) in DNS.

IMPORTANT
Configuration Manager DNS publishing doesn't support a disjointed namespace. If you have a disjointed namespace, you
can manually publish management points to DNS. You can also use one of the other service location methods.

DNS configuration scenarios

The DNS server supports automatic updates
You can configure Configuration Manager to automatically publish management points on the intranet to DNS,
or you can manually publish these records to DNS. When Configuration Manager publishes management points
to DNS, it adds their intranet FQDN and port number in the service location (SRV) record. You configure DNS
publishing in the site's Management Point Component Properties. For more information, see Site
components - Management point.
The DNS zone is set to "Secure only" for dynamic updates

With default permissions, only the first management point can successfully publish to DNS.
If only one management point can successfully publish and change its DNS record, clients can get the full MP list
from that management point. As long as that one published management point is healthy, clients can then find
their preferred management point.
The DNS server doesn't support automatic updates but supports service location records

In this scenario, manually publish management points to DNS. Manually configure the service location resource
record (SRV RR). Configuration Manager supports RFC 2782 for service location records. These records have
the following format: _Service._Protocol.Name TTL Class SRV Priority Weight Port Target
To publish a management point to DNS, specify the following values:
_Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz
._Protocol: ._tcp
.Name: Specify the DNS suffix of the management point, for example contoso.com
TTL: Use 14400 for four hours.
Class: Specify IN for RFC 1035.
Priority: Configuration Manager doesn't use this field.
Weight: Configuration Manager doesn't use this field.
Port: Specify the port number that the management point uses. For example, 443 by default for HTTPS.
Target: Specify the intranet FQDN of the site system server with the management point role.
Configure Windows Server DNS
If you use Windows Server DNS, use the following procedures to enter this DNS record for intranet
management points.
Configure automatic publishing for a site

1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select the site to configure publishing. In the ribbon, select Configure Site Components and choose
Management Point .
3. Select the management points that you want to publish. This selection applies to publishing for AD DS
and DNS.
4. Enable the option to Publish selected intranet management points in DNS .
Manually publish management points to DNS on Windows Server

1. In the DNS management console, select the DNS zone for the management point computer.
2. Verify that there's a host record (A or AAAA ) for the intranet FQDN of the site system. If this record
doesn't exist, create it.
3. Select New Other Records, choose Service Location (SRV), and then choose Create Record.
4. Specify the following information, and then select Done:
Domain: If necessary, enter the DNS suffix of the management point, for example contoso.com.
Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz
Protocol: ._tcp
Priority: Configuration Manager doesn't use this field.
Weight: Configuration Manager doesn't use this field.
Port: Specify the port number that the management point uses. For example, 443 by default for
HTTPS.
Host offering this service: Specify the intranet FQDN of the site system server with the
management point role.
Repeat these steps for each management point on the intranet that you want to publish to DNS.
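The same manual publishing step, scripted for Windows Server DNS. This is an added example, not a script from the Configuration Manager documentation or the product itself; the site code XYZ, the zone contoso.com, the management point FQDN mp01.contoso.com and port 443 are placeholders. It checks the host record first (the SRV target must resolve), creates the RFC 2782 record with the values listed above, and then resolves the record the way a client would:

```powershell
# Added example (not from the Configuration Manager docs): publish one intranet
# management point to Windows Server DNS as an SRV record, then verify it.
# Placeholders (not values from the article): site code XYZ, zone contoso.com,
# management point FQDN mp01.contoso.com, HTTPS on port 443.
# Run on a DNS server (or a host with the DnsServer RSAT module) as a DNS administrator.
Import-Module DnsServer

$SiteCode = 'XYZ'
$ZoneName = 'contoso.com'
$MpFqdn   = 'mp01.contoso.com'
$MpPort   = 443

# Owner name of the SRV record: _mssms_mp_<sitecode>._tcp, relative to the zone.
$SrvName = "_mssms_mp_$($SiteCode.ToLower())._tcp"

# 1. The SRV target must have a host entry: confirm the A/AAAA record exists first.
$hostLabel  = $MpFqdn.Split('.')[0]
$hostRecord = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $hostLabel -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordType -in 'A', 'AAAA' }
if (-not $hostRecord) {
    throw "No A/AAAA record for $MpFqdn in zone $ZoneName. Create the host record before the SRV record."
}

# 2. Create the SRV record if it is not already there. Priority and Weight are not
#    used by Configuration Manager; the TTL of 14400 seconds is the four hours the article recommends.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $SrvName -RRType Srv -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $SrvName `
        -DomainName $MpFqdn -Port $MpPort -Priority 0 -Weight 0 `
        -TimeToLive (New-TimeSpan -Seconds 14400)
}

# 3. Verify from the resolver side, which is what a client on the intranet does.
Resolve-DnsName -Name "$SrvName.$ZoneName" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight, TTL
```

Run it once per intranet management point, changing only the FQDN and, if you use a custom port, the port value. The host-record check is deliberate: an SRV record whose target has no A or AAAA record is accepted by the DNS server but leaves clients unable to reach the management point.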
Security and privacy for site administration in
Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


This article contains security and privacy information for Configuration Manager sites and the hierarchy.

Security guidance for site administration


Use the following guidance to help you secure Configuration Manager sites and the hierarchy.
Run setup from a trusted source and secure communication
To help prevent someone from tampering with the source files, run Configuration Manager setup from a trusted
source. If you store the files on the network, secure the network location.
If you do run setup from a network location, to help prevent an attacker from tampering with the files as they're
transmitted over the network, use IPsec or SMB signing between the source location of the setup files and the
site server.
If you use the Setup Downloader to download the files that are required by setup, make sure that you secure the
location where these files are stored. Also secure the communication channel for this location when you run
setup.
Extend the Active Directory schema and publish sites to the domain
Schema extensions aren't required to run Configuration Manager, but they do create a more secure
environment. Clients and site servers can retrieve information from a trusted source.
If clients are in an untrusted domain, deploy the following site system roles in the clients' domains:
Management point
Distribution point

NOTE
A trusted domain for Configuration Manager requires Kerberos authentication. If clients are in another forest that doesn't
have a two-way forest trust with the site server's forest, these clients are considered to be in an untrusted domain. An
external trust isn't sufficient for this purpose.

Use IPsec to secure communications


Although Configuration Manager does secure communication between the site server and the computer that
runs SQL Server, Configuration Manager doesn't secure communications between site system roles and SQL
Server. You can only configure some site systems with HTTPS for intrasite communication.
If you don't use additional controls to secure these server-to-server channels, attackers can use various spoofing
and man-in-the-middle attacks against site systems. Use SMB signing when you can't use IPsec.
IMPORTANT
Secure the communication channel between the site server and the package source server. This communication uses SMB.
If you can't use IPsec to secure this communication, use SMB signing to make sure that the files aren't tampered with
before clients download and run them.

Don't change the default security groups


Don't change the following security groups that Configuration Manager creates and manages for site system
communication:
SMS_SiteSystemToSiteServerConnection_MP_<SiteCode>
SMS_SiteSystemToSiteServerConnection_SMSProv_<SiteCode>
SMS_SiteSystemToSiteServerConnection_Stat_<SiteCode>
Configuration Manager automatically creates and manages these security groups. This behavior includes
removing computer accounts when a site system role is removed.
To ensure service continuity and least privilege, don't manually edit these groups.
Manage the trusted root key provisioning process
If clients can't query the global catalog for Configuration Manager information, they must rely on the trusted
root key to authenticate valid management points. The trusted root key is stored in the client registry. It can be
set by using group policy or manual configuration.
If the client doesn't have a copy of the trusted root key before it contacts a management point for the first time,
it trusts the first management point it communicates with. To reduce the risk of an attacker misdirecting clients
to an unauthorized management point, you can pre-provision the clients with the trusted root key. For more
information, see Planning for the trusted root key.
Use non-default port numbers
Using non-default port numbers can provide additional security. They make it harder for attackers to explore the
environment in preparation for an attack. If you decide to use non-default ports, plan for them before you install
Configuration Manager. Use them consistently across all sites in the hierarchy. Client request ports and Wake On
LAN are examples where you can use non-default port numbers.
Use role separation on site systems
Although you can install all the site system roles on a single computer, this practice is rarely used on production
networks. It creates a single point of failure.
Reduce the attack profile
Isolating each site system role on a different server reduces the chance that an attack against vulnerabilities on
one site system can be used against a different site system. Many roles require the installation of Internet
Information Services (IIS) on the site system, and this need increases the attack surface. If you must combine
roles to reduce hardware expenditure, combine IIS roles only with other roles that require IIS.

IMPORTANT
The fallback status point role is an exception. Because this site system role accepts unauthenticated data from clients,
don't assign the fallback status point role to any other Configuration Manager site system role.

Configure static IP addresses for site systems


Static IP addresses are easier to protect from name resolution attacks.
Static IP addresses also make the configuration of IPsec easier. Using IPsec is a security best practice for securing
communication between site systems in Configuration Manager.
Don't install other applications on site system servers
When you install other applications on site system servers, you increase the attack surface for Configuration
Manager. You also risk incompatibility issues.
Require signing and enable encryption as a site option
Enable the signing and encryption options for the site. Ensure that all clients can support the SHA-256 hash
algorithm, and then enable the option to Require SHA-256 .
Restrict and monitor administrative users
Grant administrative access to Configuration Manager only to users that you trust. Then grant them minimum
permissions by using the built-in security roles or by customizing the security roles. Administrative users who
can create, modify, and deploy software and configurations can potentially control devices in the Configuration
Manager hierarchy.
Periodically audit administrative user assignments and their authorization level to verify required changes.
For more information, see Configure role-based administration.
Secure Configuration Manager backups
When you back up Configuration Manager, this information includes certificates and other sensitive data that
could be used by an attacker for impersonation.
Use SMB signing or IPsec when you transfer this data over the network, and secure the backup location.
Secure locations for exported objects
Whenever you export or import objects from the Configuration Manager console to a network location, secure
the location and secure the network channel.
Restrict who can access the network folder.
To prevent an attacker from tampering with the exported data, use SMB signing or IPsec between the network
location and the site server. Also secure the communication between the computer that runs the Configuration
Manager console and site server. Use IPsec to encrypt the data on the network to prevent information
disclosure.
Manually remove certificates from failed servers
If a site system isn't uninstalled properly, or stops functioning and can't be restored, manually remove the
Configuration Manager certificates for this server from other Configuration Manager servers.
To remove the peer trust that was originally established with the site system and site system roles, manually
remove the Configuration Manager certificates for the failed server in the Trusted People certificate store on
other site system servers. This action is important if you reuse the server without reformatting it.
For more information, see Cryptographic controls for server communication.
Don't configure internet-based site systems to bridge the perimeter network
Don't configure site system servers to be multi-homed so that they connect to the perimeter network and the
intranet. Although this configuration allows internet-based site systems to accept client connections from the
internet and the intranet, it eliminates a security boundary between the perimeter network and the intranet.
Configure the site server to initiate connections to perimeter networks
If a site system is on an untrusted network, such as a perimeter network, configure the site server to initiate
connections to the site system.
By default, site systems initiate connections to the site server to transfer data. This configuration can be a
security risk when the connection initiation is from an untrusted network to the trusted network. When site
systems accept connections from the internet, or reside in an untrusted forest, configure the site system option
to Require the site server to initiate connections to this site system. After the installation of the site
system and any roles, all connections are initiated by the site server from the trusted network.
Use SSL bridging and termination with authentication
If you use a web proxy server for internet-based client management, use SSL bridging to SSL, by using
termination with authentication.
When you configure SSL termination at the proxy web server, packets from the internet are subject to inspection
before they're forwarded to the internal network. The proxy web server authenticates the connection from the
client, terminates it, and then opens a new authenticated connection to the internet-based site systems.
When Configuration Manager client computers use a proxy web server to connect to internet-based site
systems, the client identity (GUID) is securely contained within the packet payload. Then the management point
doesn't consider the proxy web server to be the client.
If your proxy web server can't support the requirements for SSL bridging, SSL tunneling is also supported. This
option is less secure. The SSL packets from the internet are forwarded to the site systems without termination.
Then they can't be inspected for malicious content.

WARNING
Mobile devices that are enrolled by Configuration Manager can't use SSL bridging. They must use SSL tunneling only.

Configurations to use if you configure the site to wake up computers to install software
If you use traditional wake-up packets, use unicast rather than subnet-directed broadcasts.
If you must use subnet-directed broadcasts, configure routers to allow IP-directed broadcasts only from
the site server and only on a non-default port number.
For more information about the different Wake On LAN technologies, see Planning how to wake up clients.
If you use email notification, configure authenticated access to the SMTP mail server
Whenever possible, use a mail server that supports authenticated access. Use the computer account of the site
server for authentication. If you must specify a user account for authentication, use an account that has the least
privileges.
Enforce LDAP channel binding and LDAP signing
The security of Active Directory domain controllers can be improved by configuring the server to reject Simple
Authentication and Security Layer (SASL) LDAP binds that do not request signing or to reject LDAP simple binds
that are performed on a clear text connection. Starting in version 1910, Configuration Manager supports
enforcing LDAP channel binding and LDAP signing. For more information, see 2020 LDAP channel binding and
LDAP signing requirements for Windows.

Security guidance for the site server


Use the following guidance to help you secure the Configuration Manager site server.
Install Configuration Manager on a member server instead of a domain controller
The Configuration Manager site server and site systems don't require installation on a domain controller.
Domain controllers don't have a local Security Accounts Management (SAM) database other than the domain
database. When you install Configuration Manager on a member server, you can maintain Configuration
Manager accounts in the local SAM database rather than in the domain database.
This practice also lowers the attack surface on your domain controllers.
Install secondary sites without copying the files over the network
When you run setup and create a secondary site, don't select the option to copy the files from the parent site to
the secondary site. Also don't use a network source location. When you copy files over the network, a skilled
attacker could hijack the secondary site installation package and tamper with the files before they're installed.
Timing this attack would be difficult. This attack can be mitigated by using IPsec or SMB signing when you
transfer the files.
Instead of copying the files over the network, on the secondary site server, copy the source files from media
folder to a local folder. Then, when you run setup to create a secondary site, on the Installation Source Files
page, select Use the source files at the following location on the secondary site computer (most
secure), and specify this folder.
For more information, see Install a secondary site.
Site role installation inherits permissions from drive root
Make sure to properly configure the system drive permissions before you install the first site system role to any
server. For example, C:\SMS_CCM inherits permissions from C:\. If the root of the drive isn't properly secured,
then low rights users may be able to access or modify content in the Configuration Manager folder.
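A pre-installation check for the inheritance problem described above. This is an added example, not part of the Configuration Manager documentation: it lists the access control entries on the system drive root that grant write-class rights to broad principals (Users, Authenticated Users, Everyone), since any folder a role creates there will inherit them, and, if C:\SMS_CCM already exists, shows which of its entries were inherited rather than set explicitly. The principal list and the rights mask are the example's own choices.

```powershell
# Added example (not from the Configuration Manager docs): before installing the first
# site system role, find ACEs on the system drive root that grant write access to broad
# principals, since folders such as C:\SMS_CCM inherit them. Run locally on the server.
$DriveRoot = "$env:SystemDrive\"

# Principals treated as "broad" for this check (example's own list).
$BroadPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# Rights that allow creating or changing content. Write already covers
# CreateFiles, AppendData and the write-attribute rights.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

$rootAcl = Get-Acl -Path $DriveRoot
$risky = $rootAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $BroadPrincipals -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $WriteRights) -ne 0)
}

if ($risky) {
    Write-Warning "$DriveRoot grants write-class access to broad principals; new folders will inherit these ACEs:"
    $risky | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
} else {
    "No broad write-class access found on $DriveRoot"
}

# If the client folder already exists, show which of its ACEs came from the drive root
# (inherited) rather than being set on the folder itself. Path as given in the article.
$ClientFolder = Join-Path $DriveRoot 'SMS_CCM'
if (Test-Path -Path $ClientFolder) {
    (Get-Acl -Path $ClientFolder).Access |
        Where-Object { $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

On a default Windows installation the first part usually reports that BUILTIN\Users can create files and folders at the drive root through inherit-only entries, which is exactly the permission that propagates into a freshly created role folder. Fix the root ACL (or install the role on a drive whose root you have hardened) before setup creates the folder, rather than correcting each folder afterwards.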

Security guidance for SQL Server


Configuration Manager uses SQL Server as the back-end database. If the database is compromised, attackers
could bypass Configuration Manager. If they access SQL Server directly, they can launch attacks through
Configuration Manager. Consider attacks against SQL Server to be high risk and mitigate appropriately.
Use the following security guidance to help you secure SQL Server for Configuration Manager.
Don't use the Configuration Manager site database server to run other SQL Server applications
When you increase the access to the Configuration Manager site database server, this action increases the risk to
your Configuration Manager data. If the Configuration Manager site database is compromised, other
applications on the same SQL Server computer are then also put at risk.
Configure SQL Server to use Windows authentication
Although Configuration Manager accesses the site database by using a Windows account and Windows
authentication, it's still possible to configure SQL Server to use SQL Server mixed mode. SQL Server mixed
mode allows additional SQL Server sign-ins to access the database. This configuration isn't required and
increases the attack surface.
Update SQL Server Express at secondary sites
When you install a primary site, Configuration Manager downloads SQL Server Express from the Microsoft
Download Center. It then copies the files to the primary site server. When you install a secondary site and select
the option that installs SQL Server Express, Configuration Manager installs the previously downloaded version.
It doesn't check whether new versions are available. To make sure that the secondary site has the latest versions,
do one of the following tasks:
After you install the secondary site, run Windows Update on the secondary site server.
Before you install the secondary site, manually install SQL Server Express on the secondary site server.
Make sure that you install the latest version and any software updates. Then install the secondary site,
and select the option to use an existing SQL Server instance.
Periodically run Windows Update for all installed versions of SQL Server. This practice makes sure that they have
the latest software updates.
Follow general guidance for SQL Server
Identify and follow the general guidance for your version of SQL Server. However, take into consideration the
following requirements for Configuration Manager:
The computer account of the site server must be a member of the Administrators group on the computer
that runs SQL Server. If you follow the SQL Server recommendation of "provision administrator
principals explicitly", the account that you use to run setup on the site server must be a member of the
SQL Server Users group.
If you install SQL Server by using a domain user account, make sure that the site server computer
account is configured for a Service Principal Name (SPN) that's published to Active Directory Domain
Services. Without the SPN, Kerberos authentication fails and Configuration Manager setup fails.

Security guidance for site systems that run IIS


Several site system roles in Configuration Manager require IIS. The process of securing IIS enables
Configuration Manager to operate correctly and reduces the risk of security attacks. When practical, minimize
the number of servers that require IIS. For example, run only the number of management points that you
require to support your client base, taking into consideration high availability and network isolation for internet-
based client management.
Use the following guidance to help you secure the site systems that run IIS.
Disable IIS functions that you don't require
Install only the minimum IIS features for the site system role that you install. For more information, see Site and
site system prerequisites.
Configure the site system roles to require HTTPS
When clients connect to a site system by using HTTP rather than by using HTTPS, they use Windows
authentication. This behavior might fall back to using NTLM authentication rather than Kerberos authentication.
When NTLM authentication is used, clients might connect to a rogue server.
The exception to this guidance might be distribution points. Package access accounts don't work when the
distribution point is configured for HTTPS. Package access accounts provide authorization to the content, so that
you can restrict which users can access the content. For more information, see Security guidance for content
management.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Configure a certificate trust list (CTL) in IIS for site system roles
This guidance applies to the following site system roles:
A distribution point that you configure for HTTPS
A management point that you configure for HTTPS and enable to support mobile devices
A CTL is a defined list of trusted root certification authorities (CAs). When you use a CTL with group policy and a
public key infrastructure (PKI) deployment, a CTL enables you to supplement the existing trusted root CAs that
are configured on your network. For example, CAs that are automatically installed with Microsoft Windows or
added through Windows enterprise root CAs. When a CTL is configured in IIS, it defines a subset of those
trusted root CAs.
This subset provides you with more control over security. The CTL restricts the client certificates that are
accepted to only those certificates that are issued from the list of CAs in the CTL. For example, Windows comes
with a number of well-known, third-party CA certificates.
By default, the computer that runs IIS trusts certificates that chain to these well-known CAs. When you don't
configure IIS with a CTL for the listed site system roles, the site accepts as a valid client any device that has a
certificate issued from these CAs. If you configure IIS with a CTL that doesn't include these CAs, the site refuses
client connections whose certificates chain to these CAs. For Configuration Manager clients to be accepted for the
listed site system roles, you must configure IIS with a CTL that specifies the CAs that are used by Configuration
Manager clients.

NOTE
Only the listed site system roles require you to configure a CTL in IIS. The certificate issuers list that Configuration
Manager uses for management points provides the same functionality for client computers when they connect to HTTPS
management points.

For more information about how to configure a list of trusted CAs in IIS, see the IIS documentation.
Don't put the site server on a computer with IIS
Role separation helps to reduce the attack profile and improve recoverability. The computer account of the site
server typically has administrative privileges on all site system roles. It may also have these privileges on
Configuration Manager clients, if you use client push installation.
Use dedicated IIS servers for Configuration Manager
Although you can host multiple web-based applications on the IIS servers that are also used by Configuration
Manager, this practice can significantly increase your attack surface. A poorly configured application could allow
an attacker to gain control of a Configuration Manager site system. This breach could allow an attacker to gain
control of the hierarchy.
If you must run other web-based applications on Configuration Manager site systems, create a custom web site
for Configuration Manager site systems.
Use a custom website
For site systems that run IIS, configure Configuration Manager to use a custom website instead of the default
website. If you have to run other web applications on the site system, you must use a custom website. This
setting is a site-wide setting rather than a setting for a specific site system.
When you use custom websites, remove the default virtual directories
When you change from using the default website to using a custom website, Configuration Manager doesn't
remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created
under the default website.
For example, remove the following virtual directories for a distribution point:
SMS_DP_SMSPKG$
SMS_DP_SMSSIG$
NOCERT_SMS_DP_SMSPKG$
NOCERT_SMS_DP_SMSSIG$
Follow IIS Server security guidance
Identify and follow the general guidance for your version of IIS Server. Take into consideration any requirements
that Configuration Manager has for specific site system roles. For more information, see Site and site system
prerequisites.
Configure IIS custom headers
Configure the following custom header to disable MIME sniffing:
x-content-type-options: nosniff
For more information, see Custom Headers.
If other services use the same IIS instance, make sure this custom header is compatible with them.
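The two IIS clean-up steps above (removing the distribution point's default-website virtual directories, and adding the nosniff header on the custom website), scripted with the WebAdministration module. This is an added example, not a script from the Configuration Manager documentation or the product; the custom website name SMSWEB is a placeholder for whatever name you configured, and 'Default Web Site' is assumed to be the default website's name. Both steps are written to be safe to re-run:

```powershell
# Added example (not from the Configuration Manager docs): on a distribution point moved
# to a custom website, remove the virtual directories left under the default website, then
# add the X-Content-Type-Options header to the custom site. Placeholders: custom site name
# 'SMSWEB'; default site 'Default Web Site'. Run as an administrator on the site system.
Import-Module WebAdministration

$DefaultSite = 'Default Web Site'
$CustomSite  = 'SMSWEB'   # placeholder: the custom website name you configured

# Virtual directories the article lists for a distribution point.
$StaleVdirs = 'SMS_DP_SMSPKG$', 'SMS_DP_SMSSIG$', 'NOCERT_SMS_DP_SMSPKG$', 'NOCERT_SMS_DP_SMSSIG$'

foreach ($vdir in $StaleVdirs) {
    $present = Get-WebVirtualDirectory -Site $DefaultSite -Name $vdir -ErrorAction SilentlyContinue
    if ($present) {
        Remove-WebVirtualDirectory -Site $DefaultSite -Name $vdir
        "Removed /$vdir from '$DefaultSite'"
    }
}

# Add the header only if it is not already present, so re-running does not create duplicates.
$filter   = 'system.webServer/httpProtocol/customHeaders'
$sitePath = "IIS:\Sites\$CustomSite"
$existing = Get-WebConfigurationProperty -PSPath $sitePath `
    -Filter "$filter/add[@name='X-Content-Type-Options']" -Name 'value' -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
        -Value @{ name = 'X-Content-Type-Options'; value = 'nosniff' }
}

# Read back the custom headers configured on the custom site for review.
Get-WebConfiguration -PSPath $sitePath -Filter "$filter/add" |
    Select-Object name, value
```

The header is added at the site scope rather than in applicationHost.config for the whole server, so other websites on the same IIS instance are not affected; if the site system only runs Configuration Manager roles, applying it at server scope is equally valid.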

Security guidance for the management point


Management points are the primary interface between devices and Configuration Manager. Consider attacks
against the management point and the server that it runs on to be high risk, and mitigate appropriately. Apply
all appropriate security guidance and monitor for unusual activity.
Use the following guidance to help secure a management point in Configuration Manager.
Assign the client on a management point to the same site
Avoid the scenario where you assign the Configuration Manager client that's on a management point to a site
other than the management point's site.
If you migrate from an earlier version to Configuration Manager current branch, migrate the client on the
management point to the new site as soon as possible.

Security guidance for the fallback status point


If you install a fallback status point in Configuration Manager, use the following security guidance:
For more information about the security considerations when you install a fallback status point, see Determine
whether you require a fallback status point.
Don't run any other roles on the same site system
The fallback status point is designed to accept unauthenticated communication from any computer. If you run
this site system role with other roles or a domain controller, the risk to that server greatly increases.
Install the fallback status point before you install clients with PKI certificates
If Configuration Manager site systems don't accept HTTP client communication, you might not know that clients
are unmanaged because of PKI-related certificate issues. If you assign clients to a fallback status point, they
report these certificate issues through the fallback status point.
For security reasons, you can't assign a fallback status point to clients after they're installed. You can only assign
this role during client installation.
Avoid using the fallback status point in the perimeter network
By design, the fallback status point accepts data from any client. Although a fallback status point in the perimeter
network could help you to troubleshoot internet-based clients, balance the troubleshooting benefits with the risk
of a site system that accepts unauthenticated data in a publicly accessible network.
If you do install the fallback status point in the perimeter network or any untrusted network, configure the site
server to initiate data transfers. Don't use the default setting that allows the fallback status point to initiate a
connection to the site server.

Security issues for site administration


Review the following security issues for Configuration Manager:
Configuration Manager has no defense against an authorized administrative user who uses
Configuration Manager to attack the network. Unauthorized administrative users are a high security risk.
They could launch many attacks, which include the following strategies:
Use software deployment to automatically install and run malicious software on every
Configuration Manager client computer in the organization.
Remotely control a Configuration Manager client without client permission.
Configure rapid polling intervals and extreme amounts of inventory. This action creates denial of
service attacks against the clients and servers.
Use one site in the hierarchy to write data to another site's Active Directory data.
The site hierarchy is the security boundary. Consider sites to be management boundaries only.
Audit all administrative user activity and routinely review the audit logs. Require all Configuration
Manager administrative users to undergo a background check before they're hired. Require periodic
rechecks as a condition of employment.
If the enrollment point is compromised, an attacker could obtain certificates for authentication. They
could steal the credentials of users who enroll their mobile devices.
The enrollment point communicates with a CA. It can create, modify, and delete Active Directory objects.
Never install the enrollment point in the perimeter network. Always monitor for unusual activity.
If you allow user policies for internet-based client management, you increase your attack profile.
In addition to using PKI certificates for client-to-server connections, these configurations require
Windows authentication. They might fall back to using NTLM authentication rather than Kerberos. NTLM
authentication is vulnerable to impersonation and replay attacks. To successfully authenticate a user on
the internet, you need to allow a connection from the internet-based site system to a domain controller.
The Admin$ share is required on site system servers.
The Configuration Manager site server uses the Admin$ share to connect to and do service operations on
site systems. Don't disable or remove this share.
Configuration Manager uses name resolution services to connect to other computers. These services are
hard to secure against the following security attacks:
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Identify and follow any security guidance for the version of DNS that you use for name resolution.

Privacy information for discovery


Discovery creates records for network resources and stores them in the Configuration Manager database.
Discovery data records contain computer information such as IP addresses, OS versions, and computer names.
You can also configure Active Directory discovery methods to return any information that your organization
stores in Active Directory Domain Services.
The only discovery method that Configuration Manager enables by default is Heartbeat Discovery. This method
only discovers computers that already have the Configuration Manager client software installed.
Discovery information isn't directly sent to Microsoft. It's stored in the Configuration Manager database.
Configuration Manager retains information in the database until it deletes the data. This process happens every
90 days by the site maintenance task Delete Aged Discovery Data.
Network infrastructure considerations for
Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


To prepare your network to support Configuration Manager, you may need to configure some infrastructure
components. For example, open firewall ports to pass the communications used by Configuration Manager.

Ports and protocols


Different Configuration Manager features use different network ports. Some ports are required, and some you
can customize.
Most Configuration Manager communications use common ports like port 80 for HTTP or 443 for HTTPS. Some
site system roles support the use of custom websites and custom ports. For more information, see Websites for
site system servers.
Before you deploy Configuration Manager, identify the ports that you plan to use, and set up firewalls as needed.
After you install Configuration Manager, if you need to change a port, don't forget to update firewalls on devices
and the network. Also change the configuration of the port in Configuration Manager.
For more information, see the following articles:
How to configure client communication ports
Ports used in Configuration Manager

Internet access requirements


Some Configuration Manager features rely on internet connectivity for full functionality. If your organization
restricts network communication with the internet using a firewall or proxy device, make sure to allow the
necessary endpoints.
For more information, see Internet access requirements.

Proxy servers
You can specify separate proxy servers for different site system servers and clients. You make these
configurations when you install a site system role or client, or change them later as needed.
For more information, see Proxy server support.
Ports used in Configuration Manager
2/16/2022 • 20 minutes to read

Applies to: Configuration Manager (current branch)


This article lists the network ports that Configuration Manager uses. Some connections use ports that aren't
configurable, and some support custom ports that you specify. If you use any port filtering technology, verify
that the required ports are available. These port filtering technologies include firewalls, routers, proxy servers, or
IPsec.

NOTE
If you support internet-based clients by using SSL bridging, in addition to port requirements, you might also have to
allow some HTTP verbs and headers to traverse your firewall.

Ports you can configure


Configuration Manager enables you to configure the ports for the following types of communication:
Enrollment proxy point to enrollment point
Client-to-site systems that run IIS
Client to internet (as proxy server settings)
Software update point to internet (as proxy server settings)
Software update point to WSUS server
Site server to site database server
Site server to WSUS database server
Reporting services points

NOTE
You configure the ports for the reporting services point in SQL Server Reporting Services. Configuration Manager
then uses these ports during communications to the reporting services point. Be sure to review these ports that
define the IP filter information for IPsec policies or for configuring firewalls.

By default, the HTTP port that's used for client-to-site system communication is port 80, and 443 for HTTPS. You
can change these ports during setup or in the site properties.

Non-configurable ports
Configuration Manager doesn't allow you to configure ports for the following types of communication:
Site to site
Site server to site system
Configuration Manager console to SMS Provider
Configuration Manager console to the internet
Connections to cloud services, such as Microsoft Azure

Ports used by clients and site systems


The following sections detail the ports that are used for communication in Configuration Manager. The arrows in
the section title show the direction of the communication:
--> Indicates that one computer starts communication and the other computer always responds
<--> Indicates that either computer can start communication
Asset Intelligence synchronization point --> Microsoft

Description      UDP    TCP
HTTPS            --     443

Asset Intelligence synchronization point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Client --> Client


Wake-up proxy also uses ICMP echo request messages from one client to another client. Clients use this
communication to confirm whether the other client is awake on the network. ICMP is sometimes referred to as
ping commands. ICMP doesn't have a UDP or TCP protocol number, and so it isn't listed in the below table.
However, any host-based firewalls on these client computers or intervening network devices within the subnet
must permit ICMP traffic for wake-up proxy communication to succeed.

Description                        UDP                                         TCP
Wake On LAN                        9 (Note 2: alternate port available)        --
Wake-up proxy                      25536 (Note 2: alternate port available)    --
Windows PE Peer cache broadcast    8004                                        --
Windows PE Peer cache download     --                                          8003

For more information, see Windows PE Peer Cache.


Client --> Configuration Manager Network Device Enrollment Service (NDES) policy module

Description      UDP    TCP
HTTP             --     80
HTTPS            --     443

Client --> Cloud distribution point

Description      UDP    TCP
HTTPS            --     443

For more information, see Ports and data flow.


Client --> Cloud management gateway (CMG)

Description      UDP    TCP
HTTPS            --     443

For more information, see CMG data flow.


Client --> Distribution point, both standard and pull

Description        UDP    TCP
HTTP               --     80 (Note 2: alternate port available)
HTTPS              --     443 (Note 2: alternate port available)
Express updates    --     8005 (Note 2: alternate port available)

NOTE
Use client settings to configure the alternate port for express updates. For more information, see Port that clients use to
receive requests for delta content.

Client --> Distribution point configured for multicast, both standard and pull

Description                   UDP            TCP
Server Message Block (SMB)    --             445
Multicast protocol            63000-64000    --

Client --> Distribution point configured for PXE, both standard and pull

Description                                  UDP            TCP
DHCP                                         67 and 68      --
TFTP                                         69 (Note 4)    --
Boot Information Negotiation Layer (BINL)    4011           --

IMPORTANT
If you enable a host-based firewall, make sure that the rules allow the server to send and receive on these ports. When
you enable a distribution point for PXE, Configuration Manager can enable the inbound (receive) rules on the Windows
Firewall. It doesn't configure the outbound (send) rules.
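Added example, not from the Configuration Manager documentation: since enabling PXE only creates the inbound Windows Firewall rules, this script creates the matching outbound rules for the UDP ports in the table above (plus the dynamically allocated high ports the distribution point replies from for TFTP, per Note 4) and reports which expected rules are still missing. The rule names are assumptions; run it in an elevated session on the PXE-enabled distribution point.

```powershell
# Ports from the "Client --> Distribution point configured for PXE" table, all UDP.
# The outbound TFTP rule also covers 49152-65535, the high ports the DP replies from (Note 4).
$pxeRules = @(
    @{ Name = 'ConfigMgr PXE DHCP (Inbound)';        Direction = 'Inbound';  Port = @('67', '68') }
    @{ Name = 'ConfigMgr PXE TFTP (Inbound)';        Direction = 'Inbound';  Port = @('69') }
    @{ Name = 'ConfigMgr PXE BINL (Inbound)';        Direction = 'Inbound';  Port = @('4011') }
    @{ Name = 'ConfigMgr PXE DHCP (Outbound)';       Direction = 'Outbound'; Port = @('67', '68') }
    @{ Name = 'ConfigMgr PXE BINL (Outbound)';       Direction = 'Outbound'; Port = @('4011') }
    @{ Name = 'ConfigMgr PXE TFTP reply (Outbound)'; Direction = 'Outbound'; Port = @('69', '49152-65535') }
)

function Get-MissingPxeFirewallRules {
    # Returns the display names of expected rules that don't exist yet (empty when complete).
    param([hashtable[]]$Rules = $pxeRules)
    foreach ($r in $Rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) { $r.Name }
    }
}

function New-PxeFirewallRules {
    # Creates only the missing rules, so the function is safe to rerun after a PXE change.
    param([hashtable[]]$Rules = $pxeRules)
    $missing = @(Get-MissingPxeFirewallRules -Rules $Rules)
    foreach ($r in $Rules | Where-Object { $missing -contains $_.Name }) {
        # Add -RemoteAddress (for example, the PXE client subnets) to narrow the rules
        # when the DP serves only known networks.
        New-NetFirewallRule -DisplayName $r.Name -Direction $r.Direction -Protocol UDP `
            -LocalPort $r.Port -Action Allow -Profile Domain | Out-Null
    }
}

New-PxeFirewallRules
if (-not (Get-MissingPxeFirewallRules)) { 'All PXE firewall rules are present.' }
```

Outbound rules only matter when the profile's default outbound action is Block; check it with Get-NetFirewallProfile before relying on them.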
Client --> Fallback status point

Description      UDP    TCP
HTTP             --     80 (Note 2: alternate port available)

Client --> Global catalog domain controller


A Configuration Manager client doesn't contact a global catalog server when it's a workgroup computer or
when it's configured for internet-only communication.

Description            UDP    TCP
Global catalog LDAP    --     3268

Client --> Management point

Description                                                                UDP    TCP
Client notification (default communication before falling back to HTTP     --     10123 (Note 2: alternate port available)
or HTTPS)
HTTP                                                                       --     80 (Note 2: alternate port available)
HTTPS                                                                      --     443 (Note 2: alternate port available)

Client --> Software update point

Description      UDP    TCP
HTTP             --     80 or 8530 (Note 3)
HTTPS            --     443 or 8531 (Note 3)

Client --> State migration point

Description                   UDP    TCP
HTTP                          --     80 (Note 2: alternate port available)
HTTPS                         --     443 (Note 2: alternate port available)
Server Message Block (SMB)    --     445

CMG connection point --> CMG virtual machine scale set

Configuration Manager uses these connections to build the CMG channel. For more information, see CMG data
flow.

Description                UDP    TCP
HTTPS (one VM)             --     443
HTTPS (two or more VMs)    --     10124-10139

CMG connection point --> CMG classic cloud service

Configuration Manager uses these connections to build the CMG channel. For more information, see CMG data
flow.

Description                              UDP    TCP
TCP-TLS (preferred)                      --     10140-10155
HTTPS (fallback with one VM)             --     443
HTTPS (fallback with two or more VMs)    --     10124-10139

CMG connection point --> Management point

Description      UDP    TCP
HTTPS            --     443
HTTP             --     80

The specific port required depends upon the management point configuration. For more information, see CMG
data flow.

CMG connection point --> Software update point

The specific port depends upon the software update point configuration.

Description      UDP    TCP
HTTPS            --     443/8531
HTTP             --     80/8530

For more information, see CMG data flow.


Configuration Manager console --> Client

Description                        UDP    TCP
Remote Control (control)           --     2701
Remote Assistance (RDP and RTC)    --     3389

Configuration Manager console --> internet

Description      UDP    TCP
HTTP             --     80
HTTPS            --     443

The Configuration Manager console uses internet access for the following actions:
Downloading software updates from Microsoft Update for deployment packages.
The Feedback item in the ribbon.
Links to documentation within the console.
Downloading items from Community hub
Configuration Manager console --> Reporting services point

Description      UDP    TCP
HTTP             --     80 (Note 2: alternate port available)
HTTPS            --     443 (Note 2: alternate port available)

Configuration Manager console --> Site server

Description                                                  UDP    TCP
RPC (initial connection to WMI to locate provider system)    --     135

Configuration Manager console --> SMS Provider

Description            UDP    TCP
RPC Endpoint Mapper    135    135
RPC                    --     DYNAMIC (Note 6)
HTTPS                  --     443 (see the note for the administration service)

Note for administration service


Any device that makes a call to the administration service on the SMS Provider uses HTTPS port 443. For more
information, see What is the administration service?
Configuration Manager Network Device Enrollment Service (NDES) policy module --> Certificate
registration point

Description      UDP    TCP
HTTPS            --     443 (Note 2: alternate port available)

Data warehouse service point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Distribution point, both standard and pull --> Management point


A distribution point communicates to the management point in the following scenarios:
To report the status of prestaged content
To report usage summary data
To report content validation
To report the status of package downloads, only for pull-distribution points

Description      UDP    TCP
HTTP             --     80 (Note 2: alternate port available)
HTTPS            --     443 (Note 2: alternate port available)

Endpoint Protection point --> internet

Description      UDP    TCP
HTTP             --     80

Endpoint Protection point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Enrollment proxy point --> Enrollment point

Description      UDP    TCP
HTTPS            --     443 (Note 2: alternate port available)

Enrollment point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Exchange Server Connector --> Exchange Online

Description                             UDP    TCP
Windows Remote Management over HTTPS    --     5986

Exchange Server Connector --> On-premises Exchange Server

Description                             UDP    TCP
Windows Remote Management over HTTP     --     5985

Mac computer --> Enrollment proxy point

Description      UDP    TCP
HTTPS            --     443

Management point --> Domain controller

Description                                     UDP    TCP
Lightweight Directory Access Protocol (LDAP)    389    389
Secure LDAP (LDAPS, for signing and binding)    636    636
Global catalog LDAP                             --     3268
RPC Endpoint Mapper                             --     135
RPC                                             --     DYNAMIC (Note 6)

Management point <--> Site server


See Note 5.

Description                   UDP    TCP
RPC Endpoint Mapper           --     135
RPC                           --     DYNAMIC (Note 6)
Server Message Block (SMB)    --     445

Management point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Mobile device --> Enrollment proxy point

Description      UDP    TCP
HTTPS            --     443

Reporting Services point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Service connection point --> Azure (CMG)

Description                         UDP    TCP
HTTPS for CMG service deployment    --     443

For more information, see CMG data flow.


Service connection point --> Azure Logic App

Description                        UDP    TCP
HTTPS for external notification    --     443

For more information, see External notifications.


Site server <--> Asset Intelligence synchronization point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server --> Client

Description      UDP                                      TCP
Wake On LAN      9 (Note 2: alternate port available)     --

Site server --> Cloud distribution point

Description      UDP    TCP
HTTPS            --     443

For more information, see Ports and data flow.


Site server --> Distribution point, both standard and pull

See Note 5.

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server --> Domain controller

Description                                     UDP    TCP
Lightweight Directory Access Protocol (LDAP)    389    389
Secure LDAP (LDAPS, for signing and binding)    636    636
Global catalog LDAP                             --     3268
RPC Endpoint Mapper                             --     135
RPC                                             --     DYNAMIC (Note 6)

Site server <--> Certificate registration point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> CMG connection point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Endpoint Protection point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Enrollment point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Enrollment proxy point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Fallback status point


See Note 5.

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server --> internet

Description      UDP    TCP
HTTP             --     80 (Note 1)
HTTPS            --     443

Site server <--> Issuing certification authority (CA)

This communication is used when you deploy certificate profiles by using the certificate registration point. The
communication isn't used for every site server in the hierarchy. Instead, it's used only for the site server at the
top of the hierarchy.

Description            UDP    TCP
RPC Endpoint Mapper    135    135
RPC (DCOM)             --     DYNAMIC (Note 6)

Site server --> Server hosting remote content library share


You can move the content library to another storage location to free up hard drive space on your central
administration or primary site servers. For more information, see Configure a remote content library for the site
server.

Description                   UDP    TCP
Server Message Block (SMB)    --     445

Site server <--> Service connection point

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Reporting services point

See Note 5.

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Site server

Description                   UDP    TCP
Server Message Block (SMB)    --     445

Site server --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

During the installation of a site that uses a remote SQL Server to host the site database, open the following
ports between the site server and the SQL Server:

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server --> SQL Server for WSUS

Description      UDP    TCP
SQL over TCP     --     1433 (Note 3: alternate port available)

Site server --> SMS Provider

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135
RPC                           --     DYNAMIC (Note 6)

Site server <--> Software update point


See Note 5.

Description                   UDP    TCP
Server Message Block (SMB)    --     445
HTTP                          --     80 or 8530 (Note 3)
HTTPS                         --     443 or 8531 (Note 3)

Site server <--> State migration point


See Note 5.

Description                   UDP    TCP
Server Message Block (SMB)    --     445
RPC Endpoint Mapper           135    135

SMS Provider --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Software update point --> internet

Description      UDP    TCP
HTTP             --     80 (Note 1)

Software update point --> Upstream WSUS server

Description      UDP    TCP
HTTP             --     80 or 8530 (Note 3)
HTTPS            --     443 or 8531 (Note 3)

SQL Server --> SQL Server


Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server at
its parent or child site.

Description                   UDP    TCP
SQL Server service            --     1433 (Note 2: alternate port available)
SQL Server Service Broker     --     4022 (Note 2: alternate port available)

TIP
Configuration Manager doesn't require the SQL Server Browser, which uses port UDP 1434.

State migration point --> SQL Server

Description      UDP    TCP
SQL over TCP     --     1433 (Note 2: alternate port available)

Notes for ports used by clients and site systems


Note 1: Proxy server port
This port can't be configured but can be routed through a configured proxy server.
Note 2: Alternate port available
You can define an alternate port in Configuration Manager for this value. If you define a custom port, use that
custom port in the IP filter information for IPsec policies or to configure firewalls.
Note 3: Windows Server Update Services (WSUS)
Since Windows Server 2012, by default WSUS uses port 8530 for HTTP and port 8531 for HTTPS.
After installation, you can change the port. You don't have to use the same port number throughout the site
hierarchy.
If the HTTP port is 80, the HTTPS port must be 443.
If the HTTP port is anything else, the HTTPS port must be one port number higher than the HTTP port, for example, 8530 and 8531.

NOTE
When you configure the software update point to use HTTPS, the HTTP port must also be open. Unencrypted
data, such as the EULA for specific updates, uses the HTTP port.

The site server makes a connection to the SQL Server hosting the SUSDB when you enable the following
options for WSUS cleanup:
Add non-clustered indexes to the WSUS database to improve WSUS cleanup performance
Remove obsolete updates from the WSUS database
If you change the default SQL Server port to an alternate port with SQL Server Configuration Manager, make
sure the site server can connect using the defined port. Configuration Manager doesn't support dynamic ports.
By default, SQL Server named instances use dynamic ports for connections to the database engine. When you
use a named instance, manually configure the static port.
Note 4: Trivial FTP (TFTP) Daemon
The Trivial FTP (TFTP) Daemon system service doesn't require a user name or password and is an integral part of
Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP
protocol that's defined by the following RFCs:
RFC 1350: TFTP
RFC 2347: Option extension
RFC 2348: Block size option
RFC 2349: Time-out interval and transfer size options
TFTP is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond
from a dynamically allocated high port. If you enable this port, the TFTP service can receive incoming TFTP
requests, but the selected server can't respond to those requests. You can't enable the selected server to respond
to inbound TFTP requests unless you configure the TFTP server to respond from port 69.
The PXE-enabled distribution point and the client in Windows PE select dynamically allocated high ports for
TFTP transfers. These ports are defined by Microsoft between 49152 and 65535. For more information, see
Service overview and network port requirements for Windows.
However, during the actual PXE boot, the network card on the device selects the dynamically allocated high port
it uses during the TFTP transfer. The network card on the device isn't bound to the dynamically allocated high
ports defined by Microsoft. It's only bound to the ports defined in RFC 1350. This port can be any from 0 to
65535. For more information about what dynamically allocated high ports the network card uses, contact the
device hardware manufacturer.
Note 5: Communication between the site server and site systems
By default, communication between the site server and site systems is bi-directional. The site server starts
communication to configure the site system, and then most site systems connect back to the site server to send
status information. Reporting service points and distribution points don't send status information. If you select
Require the site server to initiate connections to this site system on the site system properties after the
site system has been installed, the site system won't start communication with the site server. Instead, the site
server starts the communication. It uses the site system installation account for authentication to the site system
server.
Note 6: Dynamic ports
Dynamic ports use a range of port numbers that's defined by the OS version. These ports are also known as
ephemeral ports. For more information about the default port ranges, see Service overview and network port
requirements for Windows.
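Added example, not from the Configuration Manager documentation: run from a managed client, it probes the TCP ports that the "Client --> ..." tables above list for a management point, distribution point, software update point and fallback status point, after validating the WSUS port pairing rule from Note 3. The host names are placeholders and the default ports are the documented ones; change them where you configured alternate ports (Note 2).

```powershell
function Test-WsusPortPair {
    # Note 3: HTTP 80 pairs with HTTPS 443; any other HTTP port pairs with the next port number.
    param([int]$HttpPort, [int]$HttpsPort)
    if ($HttpPort -eq 80) { return ($HttpsPort -eq 443) }
    return ($HttpsPort -eq ($HttpPort + 1))
}

function Get-ClientPortChecks {
    # Builds one probe per relevant table row: role, host, port and what the port carries.
    param(
        [string]$ManagementPoint, [string]$DistributionPoint,
        [string]$SoftwareUpdatePoint, [string]$FallbackStatusPoint,
        [switch]$ClientHttps,                      # site systems configured for HTTPS
        [int]$WsusHttpPort = 8530, [int]$WsusHttpsPort = 8531
    )
    if (-not (Test-WsusPortPair $WsusHttpPort $WsusHttpsPort)) {
        throw "WSUS ports $WsusHttpPort/$WsusHttpsPort break the pairing rule in Note 3"
    }
    $webPort = if ($ClientHttps) { 443 } else { 80 }
    $supPort = if ($ClientHttps) { $WsusHttpsPort } else { $WsusHttpPort }
    @(
        [pscustomobject]@{ Role = 'Management point';      Host = $ManagementPoint;     Port = 10123;    Purpose = 'Client notification' }
        [pscustomobject]@{ Role = 'Management point';      Host = $ManagementPoint;     Port = $webPort; Purpose = 'HTTP or HTTPS' }
        [pscustomobject]@{ Role = 'Distribution point';    Host = $DistributionPoint;   Port = $webPort; Purpose = 'HTTP or HTTPS' }
        [pscustomobject]@{ Role = 'Software update point'; Host = $SoftwareUpdatePoint; Port = $supPort; Purpose = 'WSUS' }
        [pscustomobject]@{ Role = 'Fallback status point'; Host = $FallbackStatusPoint; Port = 80;       Purpose = 'HTTP' }
    )
}

function Test-ClientPorts {
    # Probes each TCP port; Open = False rows are the ones to chase in firewall or proxy logs.
    param([Parameter(ValueFromPipeline)][pscustomobject]$Check)
    process {
        $result = Test-NetConnection -ComputerName $Check.Host -Port $Check.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role = $Check.Role; Host = $Check.Host; Port = $Check.Port
            Purpose = $Check.Purpose; Open = $result.TcpTestSucceeded
        }
    }
}

# Placeholder host names (constructed for this example)
Get-ClientPortChecks -ManagementPoint 'mp01.corp.example' -DistributionPoint 'dp01.corp.example' `
    -SoftwareUpdatePoint 'sup01.corp.example' -FallbackStatusPoint 'fsp01.corp.example' |
    Test-ClientPorts | Format-Table -AutoSize
```

A software update point configured for HTTPS still needs its HTTP port reachable (see the note under Note 3), so probe both pairs when you troubleshoot update scans.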

Other ports
The following sections provide more information about ports that Configuration Manager uses.
Client to server shares
Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example:
Manual client installation that specifies the CCMSetup.exe /source: command-line property
Endpoint Protection clients that download definition files from a UNC path

Description                   UDP    TCP
Server Message Block (SMB)    --     445

Connections to SQL Server


For communication to the SQL Server database engine and for intersite replication, you can use the default SQL
Server port or specify custom ports:
Intersite communications use:
SQL Server Service Broker, which defaults to port TCP 4022.
SQL Server service, which defaults to port TCP 1433.
Intrasite communication between the SQL Server database engine and various Configuration Manager
site system roles defaults to port TCP 1433.
Configuration Manager uses the same ports and protocols to communicate with each SQL Server Always
On availability group replica that hosts the site database as if the replica was a standalone SQL Server
instance.
When you use Azure and the site database is behind an internal or external load balancer, configure the
following components:
Firewall exceptions on each replica
Load-balancing rules
Configure the following ports:
SQL over TCP: TCP 1433
SQL Server Service Broker: TCP 4022
Server Message Block (SMB): TCP 445
RPC Endpoint Mapper: TCP 135

WARNING
Configuration Manager doesn't support dynamic ports. By default, SQL Server named instances use dynamic ports for
connections to the database engine. When you use a named instance, manually configure the static port for intrasite
communication.

The following site system roles communicate directly with the SQL Server database:
Certificate registration point role
Enrollment point role
Management point
Site server
Reporting Services point
SMS Provider
SQL Server --> SQL Server
When a SQL Server hosts a database from more than one site, each database must use a separate instance of
SQL Server. Configure each instance with a unique set of ports.
If you enable a host-based firewall on the SQL Server, configure it to allow the correct ports. Also configure
network firewalls in between computers that communicate with the SQL Server.
For an example of how to configure SQL Server to use a specific port, see Configure a server to listen on a
specific TCP port.
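Added example, not from the Configuration Manager documentation: on a SQL Server that hosts site databases, it reads the TCP/IP network configuration of every instance from the standard SQL Server registry keys to confirm each one listens on a static port (Configuration Manager doesn't support the dynamic ports a named instance uses by default), and only then creates the inbound Windows Firewall rules for the ports listed above. Rule names are assumptions; run it elevated on the SQL Server.

```powershell
$sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Get-SqlInstanceTcpPorts {
    # A non-empty TcpDynamicPorts value (including "0") means the instance takes a dynamic
    # port at startup; only an empty value together with a TcpPort counts as a static port.
    $names = Get-ItemProperty "$sqlRoot\Instance Names\SQL"
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $names.PSObject.Properties | Where-Object { $meta -notcontains $_.Name }) {
        $ipAll = Get-ItemProperty "$sqlRoot\$($p.Value)\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        [pscustomobject]@{
            Instance    = $p.Name
            StaticPort  = $ipAll.TcpPort
            DynamicPort = $ipAll.TcpDynamicPorts
            IsStatic    = ([string]::IsNullOrEmpty($ipAll.TcpDynamicPorts) -and
                           -not [string]::IsNullOrEmpty($ipAll.TcpPort))
        }
    }
}

function New-SiteDatabaseFirewallRules {
    # Inbound rules for the "Connections to SQL Server" ports: SQL over TCP (one port per
    # instance when several sites share the server), Service Broker 4022, SMB 445 and RPC
    # Endpoint Mapper 135. RPC dynamic ports (Note 6) and the network firewalls between
    # the servers still have to be handled separately.
    param([string[]]$SqlPorts = @('1433'), [string]$BrokerPort = '4022')
    $rules = @(
        @{ Name = 'ConfigMgr SQL over TCP';        Port = $SqlPorts }
        @{ Name = 'ConfigMgr SQL Service Broker';  Port = $BrokerPort }
        @{ Name = 'ConfigMgr SMB';                 Port = '445' }
        @{ Name = 'ConfigMgr RPC Endpoint Mapper'; Port = '135' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
                -LocalPort $r.Port -Action Allow -Profile Domain | Out-Null
        }
    }
}

$instances = @(Get-SqlInstanceTcpPorts)
$instances | Format-Table -AutoSize
$dynamic = @($instances | Where-Object { -not $_.IsStatic })
if ($dynamic.Count -gt 0) {
    Write-Warning "Set a static TCP port first; dynamic ports are unsupported: $($dynamic.Instance -join ', ')"
} else {
    New-SiteDatabaseFirewallRules -SqlPorts $instances.StaticPort
}
```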
Discovery and publishing
Configuration Manager uses the following ports for the discovery and publishing of site information:
Lightweight Directory Access Protocol (LDAP): 389
Secure LDAP (LDAPS, for signing and binding): 636
Global catalog LDAP: 3268
RPC Endpoint Mapper: 135
RPC: Dynamically allocated high TCP ports
TCP: 1024 to 5000
TCP: 49152 to 65535
External connections made by Configuration Manager
On-premises Configuration Manager clients or site systems can make the following external connections:
Asset Intelligence synchronization point --> Microsoft
Endpoint Protection point --> internet
Client --> Global catalog domain controller
Configuration Manager console --> internet
Management point --> Domain controller
Site server --> Domain controller
Site server <--> Issuing Certification Authority (CA)
Software update point --> internet
Software update point --> Upstream WSUS Server
Service connection point --> Azure
Service connection point --> Azure Logic App
CMG connection point --> CMG cloud service
Installation requirements for site systems that support internet-based clients

NOTE
This section only applies to internet-based client management (IBCM). It doesn't apply to the cloud management gateway.
For more information, see Manage clients on the internet.

Internet-based management points, distribution points that support internet-based clients, the software update
point, and the fallback status point use the following ports for installation and repair:
Site server --> Site system: RPC endpoint mapper using UDP and TCP port 135
Site server --> Site system: RPC dynamic TCP ports
Site server <--> Site system: Server message blocks (SMB) using TCP port 445

Application and package installations on distribution points require the following RPC ports:
Site server --> Distribution point: RPC endpoint mapper using UDP and TCP port 135
Site server --> Distribution point: RPC dynamic TCP ports

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic
ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe). Use the tool to
configure a limited range of ports for these RPC packets. For more information, see How to configure RPC to
use certain ports and how to help secure those ports by using IPsec.
IMPORTANT
Before you install these site systems, make sure that the remote registry service is running on the site system server and
that you have specified a site system installation account if the site system is in a different Active Directory forest without
a trust relationship. For example, the remote registry service is used on servers running site systems such as distribution
points (both pull and standard) and remote SQL Servers.

Ports used by Configuration Manager client installation


The ports that Configuration Manager uses during client installation depends on the deployment method:
For a list of ports for each client deployment method, see Ports used during Configuration Manager client
deployment
For more information about how to configure Windows Firewall on the client for client installation and
post-installation communication, see Windows Firewall and port settings for clients
Ports used by migration
The site server that runs migration uses several ports to connect to applicable sites in the source hierarchy. For
more information, see Required configurations for migration.
Ports used by Windows Server
The following table lists some of the key ports used by Windows Server.

Description                 UDP          TCP
DNS                         53           53
DHCP                        67 and 68    --
NetBIOS Name Resolution     137          --
NetBIOS Datagram Service    138          --
NetBIOS Session Service     --           139
Kerberos authentication     --           88

For more information, see the following articles:


Service overview and network port requirements for Windows
How to configure a firewall for domains and trusts

Diagram
The following diagram shows the connections between the main components that are in a typical Configuration
Manager site. It currently doesn't include all connections.

Next steps
Proxy server support
Internet access requirements
Proxy server support in Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Some Configuration Manager site system servers require connections to the internet. If your environment
requires internet traffic to use a proxy server, configure these site system roles to use the proxy.
A computer that hosts a site system server supports a single proxy server configuration. All site system
roles on that computer share this same proxy configuration. If you need separate proxy servers for
different roles or instances of a role, place those roles on separate site system servers.
When you configure new proxy server settings for a site system server that already has a proxy server
configuration, the original configuration is overwritten.
By default, connections to the proxy use the System account of the computer that hosts the site system
role.
If the computer account can't authenticate, the site system server can store user credentials to connect to
the proxy server. These credentials are the site system proxy server account.

Site system roles that use a proxy


The following site system roles connect to the internet, and if necessary, can use a proxy server:
Asset Intelligence synchronization point

IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Introduction
to asset intelligence in Configuration Manager.

This site system role connects to Microsoft and uses a proxy server configuration on the computer that hosts the
Asset Intelligence synchronization point.
Cloud distribution point

NOTE
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To
provide content to internet-based devices, enable a cloud management gateway (CMG) to distribute content. For more
information, see Deprecated features.

The cloud distribution point role runs in Microsoft Azure. You don't configure this site system role to use a proxy.
Set the proxy configuration on the primary site server that manages the cloud distribution point.
For this configuration, the primary site server:
Must be able to connect to Microsoft Azure to set up, monitor, and distribute content to the cloud
distribution point.
By default, uses the computer's System account to make the connection. It can also use the site system
proxy server account, if necessary.
Uses Windows web browser APIs.
Cloud management gateway connection point
The cloud management gateway (CMG) connection point is an on-premises role that communicates with the
CMG service in Azure. For more information, see Overview of CMG.
Distribution point
If you enable a Configuration Manager distribution point for Microsoft Connected Cache, it can communicate
through an unauthenticated proxy server for internet access. For more information, see Microsoft Connected
Cache.
Exchange Server connector
This site system role connects to an Exchange Server. It uses a proxy server configuration on the computer that
hosts the Exchange Server connector.
Service connection point
This site system role connects to the Configuration Manager cloud service to download version updates for
Configuration Manager. It uses a proxy server that's configured on the computer that hosts the service
connection point.
Software update point
This site system role uses the proxy when it connects to Microsoft Update to download patches and synchronize
information about updates. Like every other site system role, first configure the site system proxy settings. Then
configure the following options specific to the software update point:
Use a proxy server when synchronizing software updates
Use a proxy server when downloading content by using automatic deployment rules

NOTE
While available for use, this setting isn't used by software update points at secondary sites.

These settings are on the Proxy and Account Settings tab of the software update point properties.

NOTE
By default, when the automatic deployment rules run, the System account on the site server of the site on which an
automatic deployment rule was created is used to connect to the internet and download software updates. Alternatively,
configure and use the site system proxy server account.
When this account can't access the internet, software updates fail to download. The following entry is logged to
ruleengine.log : Failed to download the update from internet. Error = 12007. (12007 is the WinINet error
ERROR_INTERNET_NAME_NOT_RESOLVED, so check DNS resolution of the proxy and the update endpoints from the site server first.)

Other features that use the proxy for a site system server
The following features use the proxy of the site system that hosts the service connection point role:
Azure Active Directory (Azure AD) user discovery
Azure AD user group discovery
Synchronizing collection membership results to Azure Active Directory groups

Configure the proxy for a site system server


1. In the Configuration Manager console, go to the Administration workspace. Expand Site
Configuration, and then select the Servers and Site System Roles node.
2. Select the site system server that you want to edit. In the details pane, right-click the Site system role,
and select Properties.
3. In Site system Properties, switch to the Proxy tab. Configure the following proxy settings:
Use a proxy server when synchronizing information from the internet: Select this option
to enable the site system server to use a proxy server.
Proxy server name: Specify the hostname or FQDN of the proxy server in your environment.
Port: Specify the network port on which to communicate with the proxy server. By default, it uses
port 80.
Use credentials to connect to the proxy server: Many proxy servers require a user to
authenticate. By default, the site system server uses its computer account to connect to the proxy
server. If necessary, enable this option, click Set, and then choose an Existing Account or specify
a New Account. These credentials are the site system proxy server account. For more
information, see Accounts used in Configuration Manager.
4. Choose OK to save the new proxy server configuration.
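The same configuration from the ConfigMgr PowerShell module, followed by a check that the site system can actually get out through that proxy. This is an added example, not a script from the Configuration Manager documentation. The site code, server, proxy host, port and account name are placeholders, and the cmdlet parameter names are the ones in the ConfigurationManager module as far as I know them; confirm with Get-Help Set-CMSiteSystemServer -Full on your console version.

```powershell
# Added example (not part of the Configuration Manager docs): set the Proxy tab
# settings with the ConfigMgr cmdlets, then verify from the site system itself.
# Assumptions (placeholders): site code PS1, site system CM01.contoso.com,
# proxy proxy.contoso.com:8080, proxy account CONTOSO\svc-cmproxy.
param(
    [string]$SiteCode   = 'PS1',
    [string]$SiteServer = 'CM01.contoso.com',
    [string]$ProxyHost  = 'proxy.contoso.com',
    [int]   $ProxyPort  = 8080,
    [string]$ProxyUser  = 'CONTOSO\svc-cmproxy'
)

# Load the module that ships with the console and switch to the site drive.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Reuse an existing ConfigMgr account for the proxy, or create it once.
$acct = Get-CMAccount -UserName $ProxyUser -ErrorAction SilentlyContinue
if (-not $acct) {
    $pwd  = Read-Host -AsSecureString "Password for $ProxyUser"
    $null = New-CMAccount -UserName $ProxyUser -Password $pwd -SiteCode $SiteCode
    $acct = Get-CMAccount -UserName $ProxyUser
}

# Same settings as the Proxy tab: enable, proxy host/port, and the account
# that becomes the site system proxy server account.
Set-CMSiteSystemServer -SiteSystemServerName $SiteServer -SiteCode $SiteCode `
    -EnableProxy $true -ProxyServerName $ProxyHost -ProxyServerPort $ProxyPort `
    -ProxyAccessAccount $acct

# Verify on the site system: a HEAD request through the proxy to one of the
# endpoints this article lists as required for updates and servicing.
Invoke-Command -ComputerName $SiteServer -ScriptBlock {
    param($ProxyHost, $ProxyPort)
    $proxyUri = "http://$($ProxyHost):$ProxyPort"
    try {
        $r = Invoke-WebRequest -Uri 'https://go.microsoft.com' -Method Head `
             -Proxy $proxyUri -ProxyUseDefaultCredentials -UseBasicParsing -TimeoutSec 30
        "OK   $SiteServer via $proxyUri -> HTTP $($r.StatusCode)"
    } catch {
        "FAIL $SiteServer via $proxyUri -> $($_.Exception.Message)"
    }
} -ArgumentList $ProxyHost, $ProxyPort
```

The verification uses the credentials of the remoting session, not the proxy account you just stored. If the proxy requires Windows authentication and the test fails only when run remotely, run the Invoke-WebRequest part locally on the site system (the remote session can't forward your Kerberos ticket to the proxy), or pass -ProxyCredential with the proxy account instead of -ProxyUseDefaultCredentials.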

Next steps
If your organization restricts network communication with the internet using a firewall or proxy device, you
need to allow access to internet endpoints. For more information, see internet access requirements.
Internet access requirements
2/16/2022

Some Configuration Manager features rely on internet connectivity for full functionality. If your organization
restricts network communication with the internet using a firewall or proxy device, make sure to allow these
endpoints.
Configuration Manager uses the following Microsoft URL forwarding services throughout the product:
https://aka.ms
https://go.microsoft.com

Even if they're not explicitly listed in the sections below, you should always allow these endpoints.

Service connection point


For more information, see About the service connection point.
These configurations apply to the server that hosts the service connection point and any firewalls between that
server and the internet. Allow communication through outgoing HTTPS port TCP 443 to the internet locations.
The service connection point supports using a web proxy with or without authentication to use these locations.
For more information, see Proxy server support.
If the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical
status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component
status changes to critical. View detailed status in the Component Status node of the Configuration Manager
console.
Starting in version 2010, the service connection point validates important internet endpoints for Desktop
Analytics and tenant attach. These checks help make sure that the cloud-connected services are available. It also
helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more
information, see Validate internet access.
The specific URLs required by the service connection point vary by Configuration Manager feature:
Updates and servicing
Windows servicing
Azure services
Microsoft Store for Business
Cloud services
Configuration Manager console
Desktop Analytics
Tenant attach
External notifications
TIP
The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or
manage.microsoft.com . There's a known issue in which the Intune connector experiences connectivity issues if the
Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more
information, see Service connection point doesn't download updates.

Updates and servicing


For more information, see Updates and servicing.

TIP
Enable these endpoints for the management insight rule, Connect the site to the Microsoft cloud for
Configuration Manager updates .

*.akamaiedge.net

*.akamaitechnologies.com

*.manage.microsoft.com

go.microsoft.com

download.microsoft.com

download.windowsupdate.com

download.visualstudio.microsoft.com

sccmconnected-a01.cloudapp.net

configmgrbits.azureedge.net

IMPORTANT
This Azure endpoint only supports TLS 1.2 with specific cipher suites. Make sure your environment supports these
Azure configurations. For more information, see Azure Front Door: TLS configuration FAQ.

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com
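An added example, not from the Configuration Manager documentation, that checks the list above from the service connection point before you rely on the in-console connectivity validation. It tests name resolution first, then an HTTPS request, optionally through a proxy; the proxy URL is a placeholder. Wildcard entries are reported but not tested, because a wildcard isn't a host you can connect to. Swap the array for the Desktop Analytics or tenant attach lists later in this article to check those the same way.

```powershell
# Added example (not part of the docs): reachability check for the
# "Updates and servicing" endpoints from the service connection point.
# Assumption: the proxy URL below is a placeholder; pass '' for a direct test.
param(
    [string]$Proxy   = 'http://proxy.contoso.com:8080',
    [string]$LogFile = "$env:TEMP\scp-endpoints.csv"
)

# The endpoints listed above for updates and servicing.
$endpoints = @(
    '*.akamaiedge.net', '*.akamaitechnologies.com', '*.manage.microsoft.com',
    'go.microsoft.com', 'download.microsoft.com', 'download.windowsupdate.com',
    'download.visualstudio.microsoft.com', 'sccmconnected-a01.cloudapp.net',
    'configmgrbits.azureedge.net',
    'ceuswatcab01.blob.core.windows.net', 'ceuswatcab02.blob.core.windows.net',
    'eaus2watcab01.blob.core.windows.net', 'eaus2watcab02.blob.core.windows.net',
    'weus2watcab01.blob.core.windows.net', 'weus2watcab02.blob.core.windows.net',
    'umwatsonc.events.data.microsoft.com'
)

# configmgrbits.azureedge.net only accepts TLS 1.2; force it for Windows PowerShell 5.1.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$results = foreach ($ep in $endpoints) {
    if ($ep.StartsWith('*')) {
        # Not testable as a host, but it still has to be allowed on the proxy/firewall.
        [pscustomobject]@{ Endpoint = $ep; Dns = 'n/a'; Https = 'SKIP'; Detail = 'wildcard: allow on proxy/firewall' }
        continue
    }

    # Step 1: name resolution. A FAIL here is what shows up as error 12007 elsewhere.
    try {
        $dns = (Resolve-DnsName -Name $ep -Type A -ErrorAction Stop |
                Where-Object IPAddress | Select-Object -First 1).IPAddress
    } catch { $dns = 'FAIL' }

    # Step 2: an HTTPS request, through the proxy if one is set. Any HTTP status,
    # even 403 or 404, proves the TLS handshake and the proxy path work; only an
    # exception without a response is a real failure.
    $req = @{ Uri = "https://$ep/"; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 20 }
    if ($Proxy) { $req.Proxy = $Proxy; $req.ProxyUseDefaultCredentials = $true }
    try {
        $resp  = Invoke-WebRequest @req
        $https = "OK $($resp.StatusCode)"; $detail = ''
    } catch {
        if ($_.Exception.Response) {
            $https = "OK $([int]$_.Exception.Response.StatusCode)"; $detail = ''
        } else {
            $https = 'FAIL'; $detail = $_.Exception.Message
        }
    }
    [pscustomobject]@{ Endpoint = $ep; Dns = $dns; Https = $https; Detail = $detail }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $LogFile -NoTypeInformation
$failed = @($results | Where-Object Https -eq 'FAIL').Count
"$failed endpoint(s) unreachable; full results in $LogFile"
```

Read the two columns together: Dns FAIL with Https OK means the proxy does the resolving for you, which is fine for the roles that use the proxy but not for anything that connects directly. Https FAIL on configmgrbits.azureedge.net alone usually points at the TLS 1.2 or cipher suite requirement noted above rather than at the firewall.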

Windows servicing
For more information, see Manage Windows as a service.
download.microsoft.com

https://go.microsoft.com/fwlink/?LinkID=619849

dl.delivery.mp.microsoft.com

Azure services
For more information, see Configure Azure services for use with Configuration Manager.
management.azure.com (Azure public cloud)
management.usgovcloudapi.net (Azure US Government cloud)

Co-management
If you enroll Windows devices to Microsoft Intune for co-management, make sure those devices can access the
endpoints required by Intune. For more information, see Network endpoints for Microsoft Intune.

Microsoft Store for Business


If you integrate Configuration Manager with the Microsoft Store for Business, make sure the service connection
point and targeted devices can access the cloud service. For more information, see Microsoft Store for Business
proxy configuration.

Delivery optimization
If you use delivery optimization, clients need to communicate with its cloud service: *.do.dsp.mp.microsoft.com

Distribution points that support Microsoft Connected Cache also require these endpoints.
For more information, see the following articles:
Delivery optimization FAQ
Fundamental concepts for content management in Configuration Manager
Microsoft Connected Cache in Configuration Manager

Cloud services
For more information on the cloud management gateway (CMG), see Plan for CMG.
This section covers the following features:
Cloud management gateway (CMG)
Azure Active Directory (Azure AD) integration
Azure AD-based discovery
Cloud distribution point (CDP)

NOTE
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP
instances. To provide content to internet-based devices, enable the CMG to distribute content.
The following sections list the endpoints by role. Some endpoints refer to a service by <prefix> , which is the
prefix name of the CMG. For example, if your CMG is GraniteFalls.WestUS.CloudApp.Azure.Com , then the actual
storage endpoint is GraniteFalls.blob.core.windows.net .

TIP
To clarify some terminology:
CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG
connection point site system role communicate with this service name. For example, GraniteFalls.contoso.com
or GraniteFalls.WestUS.CloudApp.Azure.Com .
CMG deployment name: The first part of the service name plus the Azure location for the cloud service
deployment. The cloud service manager component of the service connection point uses this name when it
deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location depends upon
the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net
This article uses examples with a virtual machine scale set as the recommended deployment method in version 2107 and
later. If you use a classic deployment, note the difference as you read this article and configure internet access.

Service connection point for cloud services


For Configuration Manager to deploy the CMG service in Azure, the service connection point needs access to:
Specific Azure endpoints, which are different per environment depending upon the configuration.
Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments
table in SQL Server for the list of Azure endpoints.
Azure services:
management.azure.com (Azure public cloud)
management.usgovcloudapi.net (Azure US Government cloud)
For Azure AD user discovery: Microsoft Graph endpoint https://graph.microsoft.com/
CMG connection point for cloud services
The CMG connection point needs access to the following endpoints:

Type | Azure public cloud | Azure US Government cloud
Service name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net
Storage endpoint 1 | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net
Storage endpoint 2 | <prefix>.table.core.windows.net | <prefix>.table.core.usgovcloudapi.net

The CMG connection point site system supports using a web proxy. For more information on configuring this
role for a proxy, see Proxy server support.
The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other
Azure endpoints.
Configuration Manager client for cloud services
Any Configuration Manager client that needs to communicate with a CMG needs access to the following
endpoints:

Type | Azure public cloud | Azure US Government cloud
Deployment name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net
Storage endpoint | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net
Azure AD endpoint | login.microsoftonline.com | login.microsoftonline.us

Configuration Manager console for cloud services


Any device with the Configuration Manager console needs access to the following endpoints:

Type | Azure public cloud | Azure US Government cloud
Azure AD endpoints | login.microsoftonline.com, aadcdn.msauth.net, aadcdn.msftauth.net | login.microsoftonline.us

Software updates
Allow the active software update point to access the following endpoints so that WSUS and Automatic Updates
can communicate with the Microsoft Update cloud service:
http://windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://download.windowsupdate.com

http://download.microsoft.com

http://*.download.windowsupdate.com

http://ntservicepack.microsoft.com

For more information on software updates, see Plan for software updates.
Intranet firewall
You might need to add endpoints to a firewall that's between two site systems in the following cases:
If child sites have a software update point
If there's a remote active internet-based software update point at a site
Software update point on the child site
http://<FQDN for software update point on child site>

https://<FQDN for software update point on child site>


http://<FQDN for software update point on parent site>

https://<FQDN for software update point on parent site>

Manage Microsoft 365 Apps


NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration
Manager console and supporting documentation while the console is being updated.

If you use Configuration Manager to deploy and update Microsoft 365 Apps for enterprise, allow the following
endpoints:
officecdn.microsoft.com to synchronize the software update point for Microsoft 365 Apps for enterprise
client updates
config.office.com to create custom configurations for Microsoft 365 Apps for enterprise deployments
contentstorage.osi.office.net to support the evaluation of Office add-in readiness

Your top-level site server needs access to the following endpoint to download the Microsoft 365 Apps readiness
file:
Starting March 2, 2021: https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB
Location prior to March 2, 2021:
https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab

NOTE
The location of this file is changing March 2, 2021 . For more information, see Download location change for Microsoft
365 Apps readiness file.

Configuration Manager console


Computers with the Configuration Manager console require access to the following internet endpoints for
specific features:

NOTE
For push notifications from Microsoft to show in the console, the service connection point needs access to
configmgrbits.azureedge.net . It also needs access to this endpoint for updates and servicing, so you may have
already allowed it.

In-console feedback
On the computer where you run the console, allow it to access the following internet endpoints to send
diagnostic data to Microsoft:
petrol.office.microsoft.com

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com

For more information on this feature, see Product feedback.


Community workspace
Documentation node
For more information on this console node, see Using the Configuration Manager console.
https://aka.ms

https://raw.githubusercontent.com

Community hub
For more information on this feature, see Community hub.
https://github.com

https://communityhub.microsoft.com

Desktop Analytics
For more information, see Enable data sharing.
Server connectivity endpoints
The service connection point needs to communicate with the following endpoints:

Endpoint | Function
https://aka.ms | Used to locate the service.
https://graph.windows.net | Used to automatically retrieve settings like CommercialId when attaching your hierarchy to Desktop Analytics (on the Configuration Manager server role). For more information, see Configure the proxy for a site system server.
https://*.manage.microsoft.com | Used to sync device collection memberships, deployment plans, and device readiness status with Desktop Analytics (on the Configuration Manager server role only). For more information, see Configure the proxy for a site system server.
https://dc.services.visualstudio.com | Diagnostic data from the on-premises service connector, used to gain insights about the health of cloud-connected services.

User experience and diagnostic component endpoints


Client devices need to communicate with the following endpoints:
Endpoint | Function
https://v10c.events.data.microsoft.com | Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1809 or later, or version 1803 with the 2018-09 cumulative update or later installed.
https://v10.events.data.microsoft.com | Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1803 without the 2018-09 cumulative update installed.
https://v10.vortex-win.data.microsoft.com | Connected user experience and diagnostic component endpoint. Used by devices running Windows 10, version 1709 or earlier.
https://vortex-win.data.microsoft.com | Connected user experience and diagnostic component endpoint. Used by devices running Windows 7 and Windows 8.1.

Client connectivity endpoints


Client devices need to communicate with the following endpoints:

Index | Endpoint | Function
1 | https://settings-win.data.microsoft.com | Enables the compatibility update to send data to Microsoft.
2 | http://adl.windows.com | Allows the compatibility update to receive the latest compatibility data from Microsoft.
3 | https://watson.telemetry.microsoft.com | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1803 or earlier.
4 | https://umwatsonc.events.data.microsoft.com | Windows Error Reporting (WER). Required for device health reports in Windows 10, version 1809 or later.
5 | https://ceuswatcab01.blob.core.windows.net | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
6 | https://ceuswatcab02.blob.core.windows.net | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
7 | https://eaus2watcab01.blob.core.windows.net | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
8 | https://eaus2watcab02.blob.core.windows.net | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
9 | https://weus2watcab01.blob.core.windows.net | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
10 | https://weus2watcab02.blob.core.windows.net | Windows Error Reporting (WER). Required to monitor deployment health in Windows 10, version 1809 or later.
11 | https://kmwatsonc.events.data.microsoft.com | Online Crash Analysis (OCA). Required for device health reports in Windows 10, version 1809 or later.
12 | https://oca.telemetry.microsoft.com | Online Crash Analysis (OCA). Required to monitor deployment health in Windows 10, version 1803 or earlier.
13 | https://login.live.com | Required to provide a more reliable device identity for Desktop Analytics. To disable end-user Microsoft account access, use policy settings instead of blocking this endpoint. For more information, see The Microsoft account in the enterprise.
14 | https://v20.events.data.microsoft.com | Connected user experience and diagnostic component endpoint.

Tenant attach
For more information, see Enable tenant attach.
https://aka.ms/configmgrgateway

https://*.manage.microsoft.com for Azure public cloud customers


https://*.manage.microsoft.us for US Government cloud customers on version 2107 or later
https://dc.services.visualstudio.com

The service connection point makes a long-standing outgoing connection to the notification service hosted on
https://*.manage.microsoft.com . Verify that the proxy used for the service connection point doesn't time out
outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.
If your environment has proxy rules to allow only specific certificate revocation lists (CRLs) or online certificate
status protocol (OCSP) verification locations, also allow the following CRL and OCSP URLs:
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com
http://www.d-trust.net
http://root-c3-ca2-2009.ocsp.d-trust.net
http://crl.microsoft.com
http://oneocsp.microsoft.com
http://ocsp.msocsp.com
http://www.microsoft.com/pkiops

Endpoint analytics
For more information, see Endpoint analytics proxy configuration.
Endpoints required for Configuration Manager-managed devices
Configuration Manager-managed devices send data to Intune through the connector on the Configuration Manager
server role, so they don't need direct access to the Microsoft public cloud.

Endpoint | Function
https://graph.windows.net | Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics (on the Configuration Manager server role). For more information, see Configure the proxy for a site system server.
https://*.manage.microsoft.com | Used to sync device collections and devices with Endpoint analytics (on the Configuration Manager server role only). For more information, see Configure the proxy for a site system server.

Endpoints required for Intune -managed devices


To enroll devices to Endpoint analytics, they need to send required functional data to the Microsoft public cloud.
Endpoint analytics uses the Windows client and Windows Server Connected User Experiences and
Telemetry component (DiagTrack) to collect the data from Intune-managed devices. Make sure that the
Connected User Experiences and Telemetry service on the device is running.

Endpoint | Function
https://*.events.data.microsoft.com | Used by Intune-managed devices to send required functional data to the Intune data collection endpoint.

Asset intelligence
If you use asset intelligence, allow the following endpoints for the service to synchronize:
https://sc.microsoft.com
https://ssu2.manage.microsoft.com

Deploy Microsoft Edge


The device running the Configuration Manager console needs access to the following endpoints for deploying
Microsoft Edge:
Location | Use
https://aka.ms/cmedgeapi | Information about releases of Microsoft Edge
https://edgeupdates.microsoft.com/api/products?view=enterprise | Information about releases of Microsoft Edge
http://dl.delivery.mp.microsoft.com | Content for Microsoft Edge releases

External notifications
For more information, see External notifications.
The service connection point needs to communicate with the notification service, for example Azure Logic Apps.
The access endpoint for the logic app typically has the following format:
https://*.<RegionName>.logic.azure.com:443 . For example: https://prod1.westus2.logic.azure.com:443

To get the access endpoint for the logic app, as well as the associated IP addresses, use the following process:
1. In the Azure portal, under Logic Apps , select the logic app for your notification. For more information, see
Manage logic apps in the Azure portal.
2. In the app's menu, in the Settings section, select Properties.
3. View or copy the values for the Access endpoint and the Access endpoint IP addresses .

Microsoft public IP addresses


For more information on the Microsoft IP address ranges, see Microsoft Public IP Space. These addresses update
regularly. There's no granularity by service, any IP address in these ranges could be used.

Next steps
Ports used in Configuration Manager
Proxy server support in Configuration Manager
About schema extensions for Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


You can extend the Active Directory schema to support Configuration Manager. This action edits a forest's Active
Directory schema to add a new container and several attributes. Configuration Manager sites use these
extensions to publish key information in Active Directory where clients can securely access it. This information
can simplify the deployment and configuration of clients. It also helps clients locate site resources like servers
with deployed content or that provide different services to clients.
Microsoft recommends that you extend your Active Directory schema for Configuration Manager, but it's not
required.
Before you extend the Active Directory schema, you should be familiar with Active Directory Domain Services
and comfortable with modifying the Active Directory schema.

Considerations
There are no new Active Directory schema extensions for Configuration Manager current branch. They
haven't changed since Configuration Manager 2007. If you previously extended the schema for an earlier
version, you don't have to extend the schema again.
Extending the schema is a forest-wide, one-time, irreversible action.
Only a member of the Schema Admins group can extend the schema. It can also be a user with
delegated permissions to change the schema.
You can extend the schema before or after you install a Configuration Manager site. However, it's best to
extend the schema before you start to configure your sites and hierarchy settings. This action can simplify
many of the later configuration steps.
After you extend the schema, the Active Directory global catalog replicates throughout the forest. Plan to
extend the schema when the replication traffic won't adversely affect other network-dependent processes.
Active Directory only replicates the newly added attributes.
Devices and clients that don't use the Active Directory schema
Mobile devices that are managed by the Exchange Server connector
The client for macOS computers
Mobile devices that are enrolled by Configuration Manager on-premises MDM
Windows clients that you configure for internet-only client management
Windows clients that Configuration Manager detects to be on the internet

Features that benefit


The following Configuration Manager features benefit from extending the Active Directory schema.
Client computer installation and site assignment
When you install a new client on a Windows computer, it searches Active Directory Domain Services for
installation properties.
If you don't extend the schema, use one of the following options to provide configuration details:
Use client push installation. This method uses the client installation properties that you configure in the
Configuration Manager console.
Use manual installation. Provide at least the following client installation properties on the command line:
Specify a management point or source path from which the computer can download the
installation files. Use the CCMSetup property /mp or /source .
Specify a list of initial management points for the client to use. It uses this initial management
point to assign to the site and download client policy and site settings. Use the CCMSetup
Client.msi property SMSMP .
For more information, see About client installation parameters and properties.
Publish the management point in DNS. Configure clients to use this service location method.
Port configuration for client-to -server communication
When a client installs, it uses the port information from Active Directory. If you later change the client-to-server
communication port for a site, clients get this new port setting from Active Directory.
If you don't extend the schema, use one of the following options to provide new port configurations to existing
clients:
Reinstall clients. Use options that configure the new port.
Deploy a custom script to clients that updates the communication port. If clients can't communicate with
a site because of a port change, you can't use Configuration Manager to deploy this script. For example,
you could use group policy.
Content deployment scenarios
When you create content at one site, and then deploy that content to another site in the hierarchy, the receiving
site tries to verify the signature of the signed content data. This behavior requires access to the public key of the
source site where you create this content. When you extend the Active Directory schema for Configuration
Manager, a site's public key is available to all sites in the hierarchy.
If you don't extend the schema, use the hierarchy maintenance tool, preinst.exe , to exchange the secure key
information between sites.
For example, you plan to create content at a primary site and then deploy that content to a secondary site below
a different primary site. If you extend the Active Directory schema, the secondary site automatically gets the
source primary site's public key. Otherwise, use preinst.exe to share keys between the two sites directly.

Active Directory attributes and classes


When you extend the schema for Configuration Manager, the following classes and attributes are added to the
schema and available to all Configuration Manager sites in that Active Directory forest.
Attributes:
cn=mS-SMS-Assignment-Site-Code
cn=mS-SMS-Capabilities
cn=MS-SMS-Default-MP
cn=mS-SMS-Device-Management-Point
cn=mS-SMS-Health-State
cn=MS-SMS-MP-Address
cn=MS-SMS-MP-Name
cn=MS-SMS-Ranged-IP-High
cn=MS-SMS-Ranged-IP-Low
cn=MS-SMS-Roaming-Boundaries
cn=MS-SMS-Site-Boundaries
cn=MS-SMS-Site-Code
cn=mS-SMS-Source-Forest
cn=mS-SMS-Version

Classes:
cn=MS-SMS-Management-Point
cn=MS-SMS-Roaming-Boundary-Range
cn=MS-SMS-Server-Locator-Point
cn=MS-SMS-Site

NOTE
The schema extensions might include attributes and classes from previous versions of the product but not used by the
latest version. For example:
Attribute: cn=MS-SMS-Site-Boundaries
Class: cn=MS-SMS-Server-Locator-Point

You can view these settings in the ConfigMgr_ad_schema.LDF file from the \SMSSETUP\BIN\x64 folder of
the Configuration Manager installation media.

Next steps
Prepare Active Directory for site publishing
Prepare Active Directory for site publishing
2/16/2022

Applies to: Configuration Manager (current branch)


When you extend the Active Directory schema for Configuration Manager, you introduce new structures to
Active Directory. Configuration Manager sites use these new structures to publish key information in a secure
location where clients can easily access it.
When you manage on-premises clients, you should extend the Active Directory schema for Configuration
Manager. An extended schema can simplify the process of deploying and setting up clients. An extended schema
also lets clients efficiently locate resources like content servers. Extending the schema is a one-time action for
any forest.
If you're not familiar with the benefits of an extended schema for Configuration Manager, see Schema extensions
for Configuration Manager.
When you don't use an extended schema, you can set up other methods like DNS to locate services and site
system servers. These methods of service location require other configurations and aren't the preferred method
for service location by clients. For more information, see Understand how clients find site resources and services
for Configuration Manager.
If your Active Directory schema was extended for Configuration Manager 2007 or System Center 2012
Configuration Manager, then you don't need to do more. The schema extensions are unchanged and are already
in place.

Step 1: Extend the schema


To extend the schema for Configuration Manager:
Use an account that's a member of the Schema Admins security group.
Sign in with that account to the schema master domain controller.
Then use one of the following options to add the new classes and attributes to the Active Directory schema.
Option A: Use the extadsch.exe tool
This tool is in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media.
1. Open a command line, and run extadsch.exe .

TIP
Run this tool from a command line to view feedback while it runs.

2. To verify that the schema extension was successful, review extadsch.log in the root of the system drive.
Option B: Use the LDIF file
This file is in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media.
1. Make a copy of the ConfigMgr_ad_schema.ldf file. Edit it in Notepad, and define the Active Directory
root domain that you want to extend. Replace all instances of the text DC=x in the file with the full name
of the domain to extend. For example, if the full name of the domain to extend is named
widgets.contoso.com, change all instances of DC=x in the file to DC=widgets, DC=contoso, DC=com.
2. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file to
Active Directory Domain Services. For example, the following command line imports the schema
extensions, turns on verbose logging, and creates a log file in the temp directory:
ldifde -i -f ConfigMgr_ad_schema.ldf -v -j "%temp%"

For more information, see Command-line reference: Ldifde.


3. To verify that the schema extension was successful, review the ldifde log file.

Step 2: The System Management container


After you extend the schema, create a container named System Management in Active Directory Domain
Services. Create this container once in each domain that has a Configuration Manager site that will publish data to Active
Directory. For each container, you need to grant permissions to the computer account of each site server that
will publish data to that domain.
1. Use an account that has the Create All Child Objects permission on the System container in Active
Directory Domain Services.
2. Run ADSI Edit (adsiedit.msc), and connect to the site server's domain.
3. Create the container:
a. Expand the fully qualified domain name, and expand the distinguished name. Right-click
CN=System, choose New, and then select Object.
b. In the Create Object window, select Container, and then select Next.
c. In the Value box, enter System Management, and then select Next.
4. Assign permissions:

NOTE
If you prefer, you can use other tools like the Active Directory Users and Computers administrative tool (dsa.msc)
to add permissions to the container.

a. Right-click CN=System Management, and select Properties.


b. Switch to the Security tab. Select Add, and then add the site server's computer account with the
Full Control permission.
Add the computer account for each Configuration Manager site server in this domain. If you use
site server high availability, make sure to include the computer account of the site server in
passive mode.
c. Select Advanced, select the site server's computer account, and then select Edit.
d. In the Apply onto list, select This object and all descendant objects.
e. Select OK to save the configuration.
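Step 1 (Option B) and Step 2 above, done from PowerShell instead of Notepad and ADSI Edit. This is an added example, not a script from the Configuration Manager documentation; the media path, domain name and site server names are placeholders, and it assumes the ActiveDirectory module and that it runs on the schema master under an account that is in Schema Admins and has Create All Child Objects on CN=System.

```powershell
# Added example (not from the Configuration Manager docs): extend the schema with LDIFDE,
# then create the System Management container and grant the site servers Full Control.
# Assumptions (placeholders): media path, domain name, site server computer names.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

$MediaRoot   = 'D:\SMSSETUP\BIN\X64'     # placeholder: Configuration Manager installation media
$DomainFqdn  = 'widgets.contoso.com'     # placeholder: domain to extend (the forest root's schema)
$SiteServers = @('CMPRI01', 'CMPRI02')   # placeholder: every site server, including the passive node
$WorkDir     = Join-Path $env:TEMP 'cm-ad-prep'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# widgets.contoso.com -> DC=widgets,DC=contoso,DC=com
$DomainDn = ($DomainFqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','

# ---- Step 1, Option B: import the schema extensions with LDIFDE ----
# Edit a copy of the LDF, never the file on the media: replace every DC=x with the real DN.
$Ldf = Join-Path $WorkDir 'ConfigMgr_ad_schema.ldf'
(Get-Content -Path (Join-Path $MediaRoot 'ConfigMgr_ad_schema.ldf')) -replace 'DC=x', $DomainDn |
    Set-Content -Path $Ldf

# -i import, -f input file, -v verbose, -j log folder (ldifde writes ldif.log, and ldif.err on failure)
& ldifde.exe -i -f $Ldf -v -j $WorkDir
if ($LASTEXITCODE -ne 0) {
    throw "ldifde exited with code $LASTEXITCODE; review $WorkDir\ldif.err"
}
# Verify as the docs say: read the log instead of trusting the exit code alone.
$LdifLog = Join-Path $WorkDir 'ldif.log'
if (-not (Select-String -Path $LdifLog -Pattern 'completed successfully' -Quiet)) {
    throw "The schema import did not report success; review $LdifLog"
}

# ---- Step 2: the System Management container and site server permissions ----
$SystemDn    = "CN=System,$DomainDn"
$ContainerDn = "CN=System Management,$SystemDn"

if (-not (Get-ADObject -SearchBase $SystemDn -SearchScope OneLevel -LDAPFilter '(cn=System Management)')) {
    New-ADObject -Name 'System Management' -Type container -Path $SystemDn
}

# Grant only the site servers' computer accounts Full Control (GenericAll) on this object and
# all descendants. This is the same result as the ADSI Edit steps above, and nothing broader.
$acl = Get-Acl -Path "AD:\$ContainerDn"
foreach ($name in $SiteServers) {
    $sid  = (Get-ADComputer -Identity $name).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ContainerDn" -AclObject $acl

# Check the result: only the site servers should hold explicit Full Control on this container.
(Get-Acl -Path "AD:\$ContainerDn").Access |
    Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -eq 'GenericAll' } |
    Select-Object IdentityReference, AccessControlType, InheritanceType
```

The final listing is worth keeping as a periodic check: any principal other than a site server computer account with Full Control on System Management can rewrite the site information clients trust.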

Next steps
After you create the container and grant permissions, configure the Configuration Manager site to publish data
to Active Directory.
Publish site data for Configuration Manager
Prepare Windows Servers to support Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Before you can use a Windows computer as a site system server for Configuration Manager, it must meet the
prerequisites for its intended use. These prerequisites often include one or more Windows features or roles.
Because the method to enable Windows features and roles differs among OS versions, refer to the
documentation for your OS version for detailed information.
The information in this article provides an overview of the types of Windows configurations that are required to
support Configuration Manager site systems. For configuration details for specific site system roles, see Site and
site system prerequisites.

Windows features and roles


When you set up Windows features and roles on a computer, you might be required to reboot the computer to
complete that configuration. So before you install a Configuration Manager site or site system server, identify
computers that will host specific site system roles.
Features
The following Windows features are required on certain site system servers. Set them up before you install a
site system role on that computer.
.NET Framework: Different site system roles require different versions of .NET Framework.
Background Intelligent Transfer Services (BITS): Management points require BITS to support
communication with managed devices. This feature includes all automatically selected options.
BranchCache: Distribution points can be set up with BranchCache to support clients.
Data Deduplication: Distribution points can be set up with and benefit from data deduplication.
Remote Differential Compression (RDC): Each computer that hosts a site server or a distribution
point requires RDC. RDC is used to generate package signatures and compare digital signatures.
Roles
The following Windows roles are required to support specific functionality, like software updates and OS
deployments. IIS is required by the most common site system roles.
Network Device Enrollment Service (under Active Directory Certificate Services): This Windows role
is a prerequisite to use certificate profiles in Configuration Manager.
Web server (IIS): The following site system roles use IIS:
Distribution point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Software update point
State migration point
The minimum version of IIS that's required is the version that's supplied with the OS of the site server.
Windows Deployment Services: This role is used with OS deployment.
Windows Server Update Services: This role is required for software updates.

IIS request filtering for distribution points


By default, IIS uses request filtering to block several file name extensions and folder locations from access by
HTTP or HTTPS communication. On a distribution point, this configuration prevents clients from downloading
packages that have blocked extensions or folder locations.
When your package source files have extensions that are blocked in IIS by your request filtering configuration,
set up request filtering to allow them. Use the IIS Manager to edit the request filtering feature on your
distribution point computers.
Additionally, the following file name extensions are used by Configuration Manager for packages and
applications. Make sure that your request filtering configurations don't block these file extensions:
.PCK
.PKG
.STA
.TAR
For example, source files for a software deployment might include a folder named bin or have a file that has the
.mdb file name extension.
By default, IIS request filtering blocks access to these elements. Bin is blocked as a Hidden Segment and
.mdb is blocked as a file name extension.
When you use the default IIS configuration on a distribution point, clients that use BITS fail to download
this software deployment from the distribution point and indicate that they're waiting for content.
To let the clients download this content, on each applicable distribution point, edit Request Filtering in
IIS Manager. Allow access to the file extensions and folders that are in the packages and applications that
you deploy.

IMPORTANT
Edits to the request filter can increase the attack surface of the computer.
Edits that you make at the server level apply to all websites on the server.
Edits that you make to individual websites apply to only that website.
For best security, run Configuration Manager on a dedicated web server. If you need to run other applications on the web
server, use a custom website for Configuration Manager. For information, see Websites for site system servers.

For more information, see Configure request filtering in IIS.
HTTP verbs
Management points
To make sure that clients can successfully communicate with a management point, on the management point
server make sure IIS allows the following HTTP verbs:
GET
POST
CCM_POST
HEAD
PROPFIND
Distribution points
Distribution points require that IIS allows the following HTTP verbs:
GET
HEAD
PROPFIND
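The request filtering checks described above (the Configuration Manager extensions, your own package extensions and folder names, and the HTTP verbs per role), as an added PowerShell example that is not from the Configuration Manager documentation. It reports what IIS currently blocks on one website and only changes anything when $Apply is set; the website name, role and the .mdb/bin entries are placeholders, and it assumes the WebAdministration module.

```powershell
# Added example (not from the Configuration Manager docs): audit IIS request filtering on a
# distribution point or management point against the requirements above, and optionally unblock
# only what is missing, scoped to one website rather than the server level (see IMPORTANT above).
#Requires -Modules WebAdministration
$ErrorActionPreference = 'Stop'

$SitePath = 'IIS:\Sites\Default Web Site'   # placeholder: the SMSWEB site if you use a custom website
$Role     = 'DistributionPoint'             # placeholder: 'DistributionPoint' or 'ManagementPoint'
$Apply    = $false                          # $false = report only; $true = change the website's filters
$Rf       = 'system.webServer/security/requestFiltering'

# Requirements taken from the docs above.
$RequiredVerbs = @{
    ManagementPoint   = @('GET', 'POST', 'CCM_POST', 'HEAD', 'PROPFIND')
    DistributionPoint = @('GET', 'HEAD', 'PROPFIND')
}
$NeededExtensions = @('.PCK', '.PKG', '.STA', '.TAR') + @('.mdb')  # .mdb: placeholder from your package sources
$NeededSegments   = @('bin')                                       # placeholder: folder names in your packages

function ConvertTo-Bool($value) { [System.Convert]::ToBoolean("$value") }

# fileExtensions and verbs: an explicit entry carries its own allowed flag; anything unlisted
# follows the section's allowUnlisted attribute.
function Test-RequestFilterBlocked {
    param([string]$Section, [string]$Attribute, [string]$Value)
    $cfg   = Get-WebConfiguration -PSPath $SitePath -Filter "$Rf/$Section"
    $entry = $cfg.Collection | Where-Object { $_.$Attribute -eq $Value }
    if ($entry) { return -not (ConvertTo-Bool $entry.allowed) }
    return -not (ConvertTo-Bool $cfg.allowUnlisted)
}

function Unblock-RequestFilterEntry {
    param([string]$Section, [string]$Attribute, [string]$Value)
    $xpath = "$Rf/$Section/add[@$Attribute='$Value']"
    if (Get-WebConfiguration -PSPath $SitePath -Filter $xpath) {
        # Entry exists with allowed="false" (the default for .mdb, for example): flip it.
        Set-WebConfigurationProperty -PSPath $SitePath -Filter $xpath -Name allowed -Value $true
    } else {
        $new = @{ allowed = $true }; $new[$Attribute] = $Value
        Add-WebConfigurationProperty -PSPath $SitePath -Filter "$Rf/$Section" -Name '.' -Value $new
    }
}

# hiddenSegments block by presence alone, so the fix is to remove the entry for that website.
function Test-HiddenSegment([string]$Segment) {
    $cfg = Get-WebConfiguration -PSPath $SitePath -Filter "$Rf/hiddenSegments"
    [bool]($cfg.Collection | Where-Object { $_.segment -eq $Segment })
}
function Remove-HiddenSegment([string]$Segment) {
    Remove-WebConfigurationProperty -PSPath $SitePath -Filter "$Rf/hiddenSegments" -Name '.' -AtElement @{ segment = $Segment }
}

# ---- Audit ----
$findings = @()
foreach ($ext in $NeededExtensions) {
    if (Test-RequestFilterBlocked -Section fileExtensions -Attribute fileExtension -Value $ext) {
        $findings += [pscustomobject]@{ Kind = 'fileExtension'; Value = $ext }
    }
}
foreach ($verb in $RequiredVerbs[$Role]) {
    if (Test-RequestFilterBlocked -Section verbs -Attribute verb -Value $verb) {
        $findings += [pscustomobject]@{ Kind = 'verb'; Value = $verb }
    }
}
foreach ($seg in $NeededSegments) {
    if (Test-HiddenSegment $seg) { $findings += [pscustomobject]@{ Kind = 'hiddenSegment'; Value = $seg } }
}

if (-not $findings) {
    Write-Host "Request filtering on $SitePath already allows everything the $Role needs."
    return
}
$findings | Format-Table -AutoSize

# ---- Remediate (only when asked, and only the entries this role and these packages need) ----
if ($Apply) {
    foreach ($f in $findings) {
        switch ($f.Kind) {
            'fileExtension' { Unblock-RequestFilterEntry -Section fileExtensions -Attribute fileExtension -Value $f.Value }
            'verb'          { Unblock-RequestFilterEntry -Section verbs -Attribute verb -Value $f.Value }
            'hiddenSegment' { Remove-HiddenSegment $f.Value }
        }
    }
}
```

Run it with $Apply left at $false first: the report tells you which of the blocked items are actually responsible for clients "waiting for content" before any filter on the distribution point is widened.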
Websites for site system servers in Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Several Configuration Manager site system roles require the use of Internet Information Services (IIS). By
default, they use the default IIS website to host site system services. When you run other web applications on
the same server, and settings aren't compatible with Configuration Manager, consider using a custom website
for Configuration Manager.

TIP
For improved security, dedicate a server for the Configuration Manager site systems that require IIS. When you run other
applications on a Configuration Manager site system, you increase the attack surface of that computer.

Choosing to use custom websites


By default, site system roles use the Default Web Site in IIS. This configuration is set up automatically when
the site system role installs. However, at primary sites, you can choose to use custom websites instead.
When you use custom websites:
They're enabled for the entire site instead of for individual site system servers or roles.
At primary sites, for each computer that will host an applicable site system role, configure it with a
custom website named SMSWEB. Until you create this website, and set up site system roles on that
computer to use the custom website, clients can't communicate with site system roles on that computer.
Secondary sites are automatically set up to use a custom website when their primary parent site uses it.
Create custom websites in IIS on each secondary site system server that requires IIS.
Prerequisites for using custom websites
Before you enable the option to use custom websites at a site:
Create a custom website named SMSWEB in IIS on each site system server that requires IIS. Set this
configuration at the primary site and at any child secondary sites.
Set up the custom website to respond to the same port that you set up for Configuration Manager client
communication. This port is known as the client request port.
For each custom or default website that uses a custom folder, place a copy of the default document type
that you use in the root folder that hosts the website. For example, with the typical default configuration,
iisstart.htm is one of several default document types that are available. You can find this file in the root
of the default website. Place a copy of this file or other default document in the root folder that hosts the
SMSWEB custom website. For more information about default document types, see Default Document for
IIS.
About IIS requirements
The following site system roles require IIS and a website to host the site system services:
Distribution point
Enrollment point
Enrollment proxy point
Fallback status point
Management point
Software update point
State migration point
Other considerations:
When a primary site has custom websites enabled, clients that are assigned to that site are directed to
communicate with the custom websites instead of the default websites.
If you use custom websites for one primary site, consider custom websites for all primary sites in your
hierarchy. This configuration makes sure that clients can successfully roam within the hierarchy. Roaming
is when a client computer moves to a new network segment that is managed by a different site. Roaming
can affect resources that a client can access locally instead of across a WAN link.
Site system roles that use IIS but don't accept client connections also use the SMSWEB website instead of
the default website. For example, the reporting services point.
Custom websites require you to assign port numbers that differ from the computer's default website. A
default website and custom website can't run at the same time if both websites try to use the same
TCP/IP ports.
The TCP/IP ports that you set up in IIS for the custom website must match the client request ports for the
site.

Switch between default and custom websites


Although you can check or uncheck the box for using custom websites at a primary site at any time, plan
carefully before you make this change. When this configuration changes, all applicable site system roles at the
primary site and child secondary sites uninstall and then reinstall.
The following roles reinstall automatically:
Management point
Distribution point
Software update point
Fallback status point
State migration point
You need to manually reinstall the following roles:
Enrollment point
Enrollment proxy point
When you change from the default website to use a custom website, Configuration Manager doesn't remove the
old virtual directories. If you want to remove the files that Configuration Manager used, manually delete the
virtual directories that were created under the default website.
If you change the site to use custom websites, clients that are already assigned to the site need to be
reconfigured to use the new client request ports for the custom websites. For more information, see How to
configure client communication ports.

Set up custom websites


The steps to create a custom website vary for different OS versions. For exact steps, refer to the documentation
for your OS version.
Use the following general information when applicable:
The website name is SMSWEB.
When you set up HTTPS, specify a PKI certificate before you can save the configuration.
After you create the custom website, remove the custom website ports that you use from other websites
in IIS:
1. Edit the Bindings of the other websites to remove ports that match the ports that are assigned to
the SMSWEB website.
2. Start the SMSWEB website.
3. Restart the SMS_SITE_COMPONENT_MANAGER service on the site server of the site.
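The general steps above (create SMSWEB with a default document and an HTTPS binding backed by a PKI certificate, take its ports away from other websites, start it, restart the component manager), as an added PowerShell example that is not from the Configuration Manager documentation. The site root, ports and certificate thumbprint are placeholders; it assumes the WebAdministration module and that the ports equal the site's client request ports.

```powershell
# Added example (not from the Configuration Manager docs): create the SMSWEB custom website.
# Assumptions (placeholders): site root folder, client request ports, PKI certificate thumbprint.
#Requires -Modules WebAdministration
$ErrorActionPreference = 'Stop'

$SiteName     = 'SMSWEB'                             # the name Configuration Manager expects
$SiteRoot     = 'C:\inetpub\SMSWEB'                  # placeholder
$HttpPort     = 8080                                 # placeholder: the site's HTTP client request port
$HttpsPort    = 8443                                 # placeholder: the site's HTTPS client request port
$CertThumb    = '<PKI web server certificate thumbprint>'  # placeholder: certificate in Cert:\LocalMachine\My
$IsSiteServer = $false                               # $true only when run on the site server itself

# 1. Remove SMSWEB's ports from the bindings of every other website; two websites can't share a port.
foreach ($site in (Get-Website | Where-Object { $_.Name -ne $SiteName })) {
    foreach ($b in @($site.bindings.Collection)) {
        $port = [int](($b.bindingInformation -split ':')[1])
        if ($port -in @($HttpPort, $HttpsPort)) {
            Write-Host "Removing $($b.protocol) binding $($b.bindingInformation) from '$($site.Name)'"
            Remove-WebBinding -Name $site.Name -Protocol $b.protocol -BindingInformation $b.bindingInformation
        }
    }
}

# 2. Site root with a copy of the default document from the default website, then the site itself.
New-Item -ItemType Directory -Path $SiteRoot -Force | Out-Null
Copy-Item -Path 'C:\inetpub\wwwroot\iisstart.htm' -Destination $SiteRoot -Force

if (-not (Get-Website -Name $SiteName)) {
    New-Website -Name $SiteName -PhysicalPath $SiteRoot -Port $HttpPort | Out-Null
}

# 3. HTTPS binding: the PKI certificate must be attached before the configuration is usable.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort
}
$cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumb"
(Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort).AddSslCertificate($cert.Thumbprint, 'My')

# 4. Start SMSWEB, then confirm no port is still claimed by more than one website.
Start-Website -Name $SiteName
$conflicts = Get-WebBinding |
    Group-Object { ($_.bindingInformation -split ':')[1] } |
    Where-Object { $_.Count -gt 1 }
if ($conflicts) {
    throw "Ports bound by more than one website: $($conflicts.Name -join ', ')"
}

# 5. On the site server, restart the component manager so the roles switch to the custom website.
if ($IsSiteServer) { Restart-Service -Name SMS_SITE_COMPONENT_MANAGER }
```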

Next steps
To configure the site to use a custom web site, enable the setting Use custom web site on the Ports tab of the
site properties. For more information, see Configure client communication ports.
Diagnostics and usage data for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager collects diagnostics and usage data about itself, which is used by Microsoft to improve
the installation experience, quality, and security of future releases.
Each Configuration Manager hierarchy enables diagnostics and usage data. It consists of SQL Server queries
that run on a weekly basis on each primary site and at the central administration site (CAS). When the hierarchy
uses a CAS, child primary sites replicate their data to that CAS. At the top-level site of your hierarchy, the service
connection point submits this information when it checks for updates. If the service connection point is in offline
mode, you transfer the information by using the service connection tool.

NOTE
Configuration Manager collects data only from the site's SQL Server database, and it doesn't collect data directly from
clients or site servers.

For more information, see the Microsoft privacy statement.


Next, learn about how Microsoft uses the diagnostics and usage data that Configuration Manager collects:
How Microsoft uses diagnostics and usage data

TIP
The ConfigurationManager PowerShell module also collects usage data. For more information, see Configuration
Manager cmdlet library privacy statement.
Some of the tools that are included with Configuration Manager collect usage data. For more information, see Diagnostic
usage data for tools.
How Microsoft uses Configuration Manager diagnostics and usage data
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Diagnostic and usage data that Configuration Manager collects provides Microsoft nearly immediate feedback
about how the product is working and is used to adjust future updates. Microsoft can also see configuration
data that helps them engineer and test the configurations that you use in production. For example:
The Windows server versions used on site servers
Installed language packs
The delta of the SQL Server schema against the product default
This data helps the engineering team plan future tests to make sure you have the best experience with the most
common configurations. This data is crucial to quickly adjust and adapt with a frequent release cycle.
Equally important is how the diagnostics and usage data isn't used. Microsoft doesn't use this data for:
Licensing audits, such as comparing customer usage against license agreements
Auditing of products that are out of support
Advertising based on available data such as feature usage or geolocation (time zone)
Microsoft uses available data to improve the product. For example:
The initial support offered by the current branch of Configuration Manager limited the support timeline
for Windows Server 2008 R2. Microsoft examined the usage data from customers who had upgraded to
the Configuration Manager current branch. They then identified the need to revise and extend this
timeline to support customers who still use this OS.
Microsoft improved the prerequisite checks for installing an update. They removed obsolete rules,
accounted for additional cases, and automatically remediated some issues.
Next, learn about how Configuration Manager collects diagnostics and usage data about itself:
How Configuration Manager collects data
How Configuration Manager collects diagnostics and usage data
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


To collect diagnostics and usage data for Configuration Manager, each primary site runs SQL Server queries on
a weekly basis. In a multi-site hierarchy, the data is replicated to the central administration site.
At the top-level site of a hierarchy, the service connection point submits this information when it checks for
updates. The mode of the service connection point determines how the data is transferred:
Online: Once a week, the service connection point automatically sends diagnostics and usage data to the
cloud service.
Offline: You manually transfer diagnostics and usage data with the service connection tool.
For more information, see About the service connection point.
Next, you can view diagnostic and usage data to confirm that your Configuration Manager hierarchy contains no
sensitive information:
How to view diagnostics and usage data

TIP
The ConfigurationManager PowerShell module also collects usage data. For more information, see Configuration
Manager cmdlet library privacy statement.
Some of the tools that are included with Configuration Manager collect usage data. For more information, see Diagnostic
usage data for tools.
How to view diagnostics and usage data for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can view diagnostic and usage data from your Configuration Manager hierarchy to confirm that it includes
no sensitive or identifiable information. The site summarizes and stores its diagnostic data in the
TEL_TelemetryResults table of the site database. It formats the data to be programmatically usable and
efficient.
The information in this article gives you a view of the exact data sent to Microsoft. It's not intended to be used
for other purposes, like data analysis.

View data in database


Use the following SQL command to view the contents of this table and show the exact data that's sent:

SELECT * FROM TEL_TelemetryResults

Export the data


When the service connection point is in offline mode, use the service connection tool to export the current data
to a comma-separated values (CSV) file. Run the service connection tool on the service connection point with
the -Export parameter.
For more information, see Use the service connection tool.

One-way hashes
Some data consists of strings of random alphanumeric characters. Configuration Manager uses the SHA-256
algorithm to create one-way hashes. This process makes sure that Microsoft doesn't collect potentially sensitive
data. The hashed data can still be used for correlation and comparison purposes.
For example, instead of collecting the names of tables in the site database, it captures the one-way hash for each
table name. This behavior makes sure that any custom table names aren't visible. Microsoft then does the same
one-way hash process of the default SQL Server table names. Comparing the results of the two queries
determines the deviation of your database schema from the product default. This information is then used to
improve updates that require changes to the SQL Server schema.
When you view the raw data, a common hashed value appears in each row of data. This hash is the support ID,
also known as the hierarchy ID. It's used to correlate data with the same hierarchy without identifying the
customer or source.
How the one-way hash works
1. Get your support ID from the Configuration Manager console. Select the arrow in the upper left corner of
the ribbon, and then choose About Configuration Manager. You can select and copy the support ID
from the window that opens.
2. Use the following Windows PowerShell script to do the one-way hash of your support ID.
    Param( [Parameter(Mandatory=$True)] [string]$value )
    $guid = [System.Guid]::NewGuid()
    if( [System.Guid]::TryParse($value,[ref] $guid) -eq $true ) {
        # many of the values we hash are Guids
        $bytesToHash = $guid.ToByteArray()
    } else {
        # otherwise hash as string (unicode)
        $ue = New-Object System.Text.UnicodeEncoding
        $bytesToHash = $ue.GetBytes($value)
    }
    # Load Hash Provider (https://en.wikipedia.org/wiki/SHA-2)
    $hashAlgorithm = [System.Security.Cryptography.SHA256Cng]::Create()
    # Hash the input
    $hashedBytes = $hashAlgorithm.ComputeHash($bytesToHash)
    # Base64 encode the result for transport
    $result = [Convert]::ToBase64String($hashedBytes)
    return $result

3. Compare the script output against the GUID in the raw data. This process shows how the data is
obscured.

Next steps
Next, learn about the levels of diagnostics and usage data that Configuration Manager collects:
Levels of diagnostic usage data
Levels of diagnostic usage data
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager collects three levels of diagnostics and usage data: Basic, Enhanced, and Full. By
default, this feature is set at the Enhanced level.

IMPORTANT
Configuration Manager doesn't collect site codes, site names, IP addresses, user names, computer names, physical
addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level isn't
purposeful. It's potentially included in advanced diagnostic information like log files or memory snapshots. Microsoft
doesn't use this information to identify you, contact you, or develop advertising.

Levels
Basic
The Basic level includes data about your hierarchy. It's required to help improve your installation or upgrade
experience. This data also helps determine the Configuration Manager updates that are applicable for your
hierarchy.
Enhanced
The Enhanced level is the default after setup finishes. This level includes data that's collected in the Basic level
and feature-specific data. It shows frequency and duration of use of different features. It also includes
Configuration Manager client settings data: component name, state, and certain settings like polling intervals.
Information about software updates is based on feature usage; it doesn't include data about update compliance
at this level.
Microsoft recommends this level because it provides the minimum data to make product and service
improvements.
Some examples of data that this level doesn't collect include:
Names of sites, users, computers, or other objects
Details of security-related objects
Vulnerabilities like counts of systems that require software updates
Full
The Full level includes all data in the Basic and Enhanced levels. It also includes additional information about
Endpoint Protection, update compliance percentages, and software update information. This level can also
include advanced diagnostic information like system files and memory snapshots. This advanced data might
include personal information that exists in memory or log files at the time of capture.

How to change the level


To change the data collection level, you need Modify permissions on the Site object class.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select Hierarchy Settings in the ribbon.
3. Switch to the Diagnostic and Usage Data tab, then choose the data level.

Version-specific details
The following articles detail the specific data that Configuration Manager collects at each level with each
supported version:
Diagnostic and usage data for 2111
Diagnostic and usage data for 2107
Diagnostic and usage data for 2103
Diagnostic and usage data for 2010
Diagnostic and usage data for 2006

Next steps
Next, learn about the diagnostics and usage data that Configuration Manager collects for its tools:
Diagnostic usage data for tools
Diagnostic and usage data for version 2111
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


The following sections provide additional detail about data collected at each level. For more information on the
levels and how to change them, see Levels of diagnostic usage data.
Changes from previous versions are noted with [New], [Updated], [Removed], or [Moved].

IMPORTANT
Configuration Manager doesn't collect site codes, site names, IP addresses, user names, computer names, physical
addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level is not
purposeful. It is potentially included in advanced diagnostic information like log files or memory snapshots. Microsoft
doesn't use this information to identify you, contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2111, this level includes the following data:
Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple deployment types, total
apps with dependencies, total superseded apps, and count of deployment technologies in use
Count of Microsoft Edge installations
Count of clients by default and preferred browser
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active Directory forest
Count of clients joined to Azure Active Directory (Azure AD)
Count of extended interoperability clients
Count of clients by Windows OS age, to the nearest three-month interval
Top 10 processor names used on clients and servers
Use of the bulk registration token
Count of clients by identity source and registration method. For example, Active Directory, Azure AD, or
PKI client authentication certificate.
[New] Count of clients by OS type and version that are joined to Azure AD or hybrid-joined
Cloud services (Level 1)
Count of clients by co-management enrollment method
Error statistics for co-management enrollment
Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled
clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion
collection sizes, and enrollment errors
Count of Azure AD applications and services connected to Configuration Manager
Cloud attach and detach actions
Status of last sync with Intune cloud service
Configuration and usage statistics of cloud management gateway: counts of regions and environments,
and authentication/authorization statistics
Summarized count of Endpoint Analytics events
Aggregated statistics on Desktop Analytics enrollment errors and usage
[New] Count of clients by OS type and version that are co-managed, cloud-attached, or both
Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language, SKU and architecture,
system memory, logical processor count, connect site ID, installed .NET versions, console language packs,
and capable authentication level
Hashed list of extensions to Configuration Manager console property pages and wizards
Configuration Manager console crash locations
Configuration Manager console usage statistics
Configuration Manager console notification configuration and status
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions
BitLocker management client counts summarized by enrollment and TPM state
Setup (Level 1)
Build, install type, language packs, features that you enabled
Pre-release use, setup media type, branch type
Software Assurance expiration date
Update pack deployment status and errors, download progress, and prerequisite errors
Use of early update ring
Version of post-upgrade script
Central administration site removal status
Site database (Level 1)
Basic database configuration: processors, memory size, memory settings, Configuration Manager
database configuration, Configuration Manager database size, cluster configuration, configuration of
distributed views, and change tracking version
Database performance metrics: replication processing information, top SQL Server stored procedures by
processor, and disk usage
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health status
Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status, client count, time zone, and
health status
Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is
running entirely with Azure Active Directory Services
Basic site system server information: site system roles used, internet and SSL status, OS, processors,
physical or virtual machine, and usage of site server high availability
Configured level for diagnostics and usage data, online or offline mode, and fast update configuration
Distribution point and management point types and basic configuration information: protected,
prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled
Diagnostics and usage data statistics: when run, runtime, errors
Hashed list of hardware inventory properties longer than 255 characters
Count and processing rates of key Configuration Manager objects: data discovery records (DDR), state
messages, status messages, hardware inventory, software inventory, and overall count of files in inboxes
Site server disk and processor performance information
Uptime and memory usage information for Configuration Manager site server processes
Count of crashes for Configuration Manager site server processes, and Watson signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Status and health of the administration service
Counts of errors from administration service
Site health information
Site health check configuration and status
Version of Visual Studio redistributable and .NET Framework installed on clients and site system servers
Summarized hierarchy health and activity status
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of Windows clients that use Windows Update for Business
Count of operating systems for managed devices and policies set by the Exchange Connector
Count of phased deployments created by type
Count of categorized and uncategorized applications for asset intelligence
Aggregated count of upgrade readiness assessments
Number of software updates referenced by task sequence
Level 2 - Enhanced
For Configuration Manager version 2111, this level includes the following data:
Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment technology
App supersedence, maximum depth of chain
Application approval statistics and usage frequency
Application content size statistics
Application deployment information: use of install versus uninstall, requires approval, user interaction
enabled/disabled, dependency, supersedence, and usage count of install behavior feature
Application policy size and complexity statistics
Available application request statistics
Basic configuration information for packages and programs: deployment options and program flags
Basic usage/targeting information for deployment types: user versus device targeted, required versus
available, and universal apps
Count of application applicability by OS
Count of applications referenced in a task sequence
Count of distinct branding for application catalog
Count of Microsoft 365 Apps applications created using dashboard
Count of packages by type
Count of package/program deployments
Count of Windows 10 and later licensed application licenses
Count of Windows Installer deployment types by uninstall content settings
Count of Microsoft Store for Business apps and sync statistics: summarized types of apps, licensed app
status, and number of online and offline licensed apps
Maintenance window type and duration
Minimum/maximum/average number of application deployments per user/device per time period
Most common application installation error codes by deployment technology
MSI configuration options and counts
Statistics on end-user interaction with notification for required software deployments
Universal Data Access usage, how created
Aggregated user device affinity statistics
Max and average primary users per device
Application global condition usage by type
[Updated] Software Center customization configuration, including use of settings to configure Software
Center and notification branding
Package Conversion Manager readiness and counts
Count of application detection methods by type
Count of application enforcement errors
MSI installer properties
Statistics of user install requests
Aggregated statistics on the use of the email approval feature
File count, content size, services count, and custom action count of MSIs in application catalog
Count of devices by Office ProPlus readiness state
Aggregated statistics on the use of application groups
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and counts of clients with
Microsoft 365 Apps
Aggregated statistics on Office add-in health
Count and size of Office ProPlus pilot collections
Number of Office ProPlus devices sending Office health data
[New] Count of the type of actions used on apps over time
Client (Level 2)
Active Management Technology (AMT) client version
BIOS age in years
Count of devices with Secure Boot enabled
Count of devices by TPM state
Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended
interoperability client)
Client deployment download errors
Client health statistics and top issue summary by client version, component, OS, and workload
Client notification operation action status: how many times each is run, max number of targeted clients,
and average success rate
Count of client installations from each source location type
Count of client installation failures
Count of devices virtualized by Hyper-V or Azure
Count of Software Center actions
Count of UEFI-enabled devices
Deployment methods used for client and count of clients per deployment method
List/count of enabled client agents
OS age in months
Number of hardware inventory classes, software inventory rules, file collection rules, and overall health
status
Statistics for device health attestation: most common error codes, number of on-premises servers, and
counts of devices in various states
Count of devices by default browser
Count of Configuration Manager-generated server authentication certificates
Count of Microsoft Surface devices by model
Count of client health check failures by issue type
Count of status (total/approved/blocked) for client certificate types
Client counts for different user/device relationship types
Count of clients in VPN boundaries
Cloud services (Level 2)
Azure AD discovery statistics
Count of collections synced to Azure Log Analytics
Count of Upgrade Analytics Connectors
Whether the Azure Log Analytics cloud connector is enabled
Count of pull-distribution points with a cloud distribution point as a source location
Usage of the cloud services onboarding wizard
Cloud services configuration onboarding properties
Cloud services endpoint connectivity and component health
[New] Usage of the cloud-attach wizard
CMPivot (Level 2)
CMPivot usage statistics
Count of saved CMPivot queries
Count of queries by entity type
Co-management (Level 2)
Enrollment schedule and historical statistics
Count of clients eligible for co-management
Associated Microsoft Intune tenant
Collections (Level 2)
Collection ID usage (not running out of IDs)
Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID
rollover, and rule usage
Collections without a deployment
Count of collections synchronized to Azure AD
Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, number of references, and
frequency of changes
Compliance policy error statistics
Count of configuration items by type
Count of deployments that reference built-in settings, including remediate setting
Count of rules and deployments created for custom settings, including remediate setting
Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and
compliance policy templates
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy deployments by platform
Windows Hello for Business policy (created, deployed)
Count of deployed Microsoft Edge Legacy browser policies
Count of OneDrive policies (created, deployed)
Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)
Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type
Count of folders
Console performance information
25 most common actions, wizards, property sheets, and tree nodes accessed in the console
[Updated] List of installed console extensions, and whether they're enabled, required, or approved
Summary of size and count of admin persisted settings
Selected console usage information
Unsigned extension policy
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and fallback relationships
Boundary group information: count of boundaries and site systems that are assigned to each boundary
group
Boundary group relationships and fallback configuration
Client content download statistics
Count of boundaries by type
Count of peer cache clients, usage statistic, and partial download statistics
Distribution Manager configuration information: threads, retry delay, number of retries, and pull
distribution point settings
Distribution point configuration information: use of branch cache and distribution point monitoring
Distribution point group information: count of packages and distribution points that are assigned to each
distribution point group
Content library type, whether local or remote
Count of boundary groups by configuration
Count of subnets excluded from peer cache
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender for Endpoint): count of
policies, and whether policies are deployed.
Count of alerts that are configured for Endpoint Protection feature
Count of collections that are selected to appear in Endpoint Protection dashboard
Count of Windows Defender Exploit Guard policies, deployments, and targeted clients
Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes
Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies
assigned to group). This data doesn't include any information about the settings included in the policy.
Aggregated statistics for Microsoft Defender for Endpoint policies
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands
Count of mobile device policies
Count of mobile devices Configuration Manager manages, and how you enrolled them (bulk, user-based)
Count of users who have multiple enrolled mobile devices
Mobile device polling schedule and statistics for mobile device check-in duration
On-premises mobile device management (MDM) (Level 2)
Count of Windows bulk enrollment packages and profiles
Deployment success/failure statistics for on-premises MDM application deployments
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution points, PXE-enabled
distribution points, and task sequences
Count of boot images by Configuration Manager client version
Count of boot images by Windows PE version
Count of edition upgrade policies
Count of hardware identifiers excluded from PXE
Count of OS deployment by OS version
Count of OS upgrades over time
Count of task sequence deployments using option to pre-download content
Counts of task sequence step usage
Version of Windows ADK installed
Count of image servicing tasks
Count of imported machines
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded from PXE and client
registration
Count of task sequences by type (OS deployment or generic task sequence)
Count of packages with pre-cache content settings
Grouped sizes of task sequence policies
Count of error codes from feature upgrades for Windows clients
Count of supported and unsupported OS versions
Site updates (Level 2)
Versions of installed Configuration Manager hotfixes
Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules
Average and maximum number of assignments per update
Client update evaluation and scan schedules
Classifications synced by the software update point
Cluster patching statistics
Configuration of Windows express updates
Configurations that are used for active Windows servicing plans
Count of deployed Microsoft 365 Apps updates
Count of Microsoft Surface drivers synced
Count of update groups and assignments
Count of update packages and the maximum/minimum/average number of distribution points that are
targeted with packages
Count of updates that are created and deployed with System Center Update Publisher
Count of Windows Update for Business policies created and deployed
Aggregated statistics of Windows Update for Business configurations
Number of automatic deployment rules that are tied to synchronization
Number of automatic deployment rules that create new or add updates to an existing group
Number of automatic deployment rules that have multiple deployments
Number of update groups and minimum/maximum/average number of updates per group
Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and
contain EULAs
Software update point load-balancing statistics
Software update point synchronization schedule
Total/average number of collections that have software update deployments and the maximum/average
number of deployed updates
Update scan error codes and machine count
Windows servicing dashboard content versions
Count of third-party software update catalog subscriptions and usage
Count of software updates deployed with and without content
Aggregated statistics on the number of UUP updates that are required, deployed, expired, superseded,
and downloaded
Use of UUP product categories
Count of clients that have deployed at least one UUP quality update or UUP feature update
Top UUP error codes and count of affected devices
List of subscriptions to third-party software update catalogs
Use of WSUS maintenance settings
Orchestration group usage
Windows Update fallback configuration settings
[New] Type, size, and timeout settings of orchestration group scripts
SQL/performance data (Level 2)
Configuration and duration of site summarization
Count of largest database tables
Discovery operational statistics (count of objects found)
Discovery types, enabled, and schedule (full, incremental)
SQL Server change tracking performance issues, retention period, and autocleanup state
SQL Server change tracking retention period
State and status message performance statistics including most common and most expensive message
types
Management point traffic statistics (total bytes sent and received by endpoint)
Management point performance counter measurements
Aggregated performance statistics of calls made to Software Center endpoints on the management point
SQL Server maintenance task configuration and status
Status of recent re-initialization requests
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule, average time, and use
of customized tables feature
Count of scripts and run/edit statistics
Count of sites with Wake On LAN (WOL)
Reporting usage and performance statistics
Phased deployment usage statistics
Management insights item counts and progress
Count of crashes for unique non-Configuration Manager processes on the site server, and Watson
signature ID, if available
Aggregated system boot time statistics by OS, form-factor, and drive type
Usage of the Azure migration tool
Count of clients with browser usage
[Updated] Summary of how many site systems have the proxy enabled and how many are
authenticated proxy, including configuration, usage patterns, and traffic patterns
Usage information for the last seven days of in-console product feedback
Count of site-to-site accounts by type
Usage statistics for user and device custom properties

Level 3 - Full
For Configuration Manager version 2111, this level includes the following data:
Automatic deployment rule evaluation schedule information
ATP health summary
Collection evaluation and refresh statistics
Compliance policy statistics on compliance and errors
Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details
DCM config pack for Configuration Manager usage
Detailed client deployment installation errors
Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported
clients
Endpoint Protection policy configuration
List of processes configured with installation behavior for applications
Minimum/maximum/average number of hours since last software update scan
Minimum/maximum/average number of inactive clients in software update deployment collections
Minimum/maximum/average number of software updates per package
MSI product code deployment statistics
Overall compliance of software update deployments
Count of groups that have expired software updates
Software update deployment error codes and counts
Software update deployment information: percentage of deployments that are targeted with client versus
UTC time, required versus optional versus silent, and reboot suppression
Software update products synced by software update point
Software update scan success percentages
Top 50 CPUs in the environment
Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that
Microsoft Intune manages
Microsoft Store for Business application details: non-aggregate list of synced applications including
AppID, online state or offline state, and total purchased license counts
Count of clients pushed with option to not allow fallback to NTLM
List of Configuration Manager console extensions
Diagnostic and usage data for version 2107
2/16/2022

Applies to: Configuration Manager (current branch)


The following sections provide additional detail about data collected at each level. For more information on the
levels and how to change them, see Levels of diagnostic usage data.
Changes from previous versions are noted with [New], [Updated], [Removed], or [Moved].

IMPORTANT
Configuration Manager doesn't collect site codes, site names, IP addresses, user names, computer names, physical
addresses, or email addresses at the Basic or Enhanced levels. Any collection of this information at the Full level is
not intentional: it may be included incidentally in advanced diagnostic information such as log files or memory snapshots.
Microsoft doesn't use this information to identify you, contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2107, this level includes the following data:
Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple deployment types, total
apps with dependencies, total superseded apps, and count of deployment technologies in use
Count of Microsoft Edge installations
Count of clients by default and preferred browser
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 and later devices by branch, build, and unique Active Directory forest
Count of clients joined to Azure Active Directory
Count of extended interoperability clients
Count of clients by Windows OS age, to the nearest three-month interval
Top 10 processor names used on clients and servers
Use of the bulk registration token
Count of clients by identity source and registration method. For example, Active Directory, Azure Active
Directory, or PKI client authentication certificate.
Cloud services (Level 1)
Count of clients by co-management enrollment method
Error statistics for co-management enrollment
Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled
clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion
collection sizes, and enrollment errors
Count of Azure Active Directory applications and services connected to Configuration Manager
Cloud attach and detach actions
Status of last sync with Intune cloud service
Configuration and usage statistics of cloud management gateway: counts of regions and environments,
and authentication/authorization statistics
Summarized count of Endpoint Analytics events
Aggregated statistics on Desktop Analytics enrollment errors and usage
Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language, SKU and architecture,
system memory, logical processor count, connect site ID, installed .NET versions, console language packs,
and capable authentication level
Hashed list of extensions to Configuration Manager console property pages and wizards
Configuration Manager console crash locations
Configuration Manager console usage statistics
Configuration Manager console notification configuration and status
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions
BitLocker management client counts summarized by enrollment and TPM state
Setup (Level 1)
Build, install type, language packs, features that you enabled
Pre-release use, setup media type, branch type
Software Assurance expiration date
Update pack deployment status and errors, download progress, and prerequisite errors
Use of early update ring
Version of post-upgrade script
Central administration site removal status
Site database (Level 1)
Basic database configuration: processors, memory size, memory settings, Configuration Manager
database configuration, Configuration Manager database size, cluster configuration, configuration of
distributed views, and change tracking version
Database performance metrics: replication processing information, top SQL Server stored procedures by
processor, and disk usage
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health status
Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status, client count, time zone, and
health status
Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is
running entirely with Azure Active Directory Services
Basic site system server information: site system roles used, internet and SSL status, OS, processors,
physical or virtual machine, and usage of site server high availability
Configured level for diagnostics and usage data, online or offline mode, and fast update configuration
Distribution point and management point types and basic configuration information: protected,
prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled
Diagnostics and usage data statistics: when run, runtime, errors
Hashed list of hardware inventory properties longer than 255 characters
Count and processing rates of key Configuration Manager objects: data discovery records (DDR), state
messages, status messages, hardware inventory, software inventory, and overall count of files in inboxes
Site server disk and processor performance information
Uptime and memory usage information for Configuration Manager site server processes
Count of crashes for Configuration Manager site server processes, and Watson signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Status and health of the administration service
Counts of errors from administration service
Site health information
Site health check configuration and status
Version of Visual Studio redistributable and .NET Framework installed on clients and site system servers
Summarized hierarchy health and activity status
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of Windows clients that use Windows Update for Business
Count of operating systems for managed devices and policies set by the Exchange Connector
Count of phased deployments created by type
Count of categorized and uncategorized applications for asset intelligence
Aggregated count of upgrade readiness assessments
Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2107, this level includes the following data:
Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment technology
App supersedence, maximum depth of chain
Application approval statistics and usage frequency
Application content size statistics
Application deployment information: use of install versus uninstall, requires approval, user interaction
enabled/disabled, dependency, supersedence, and usage count of install behavior feature
Application policy size and complexity statistics
Available application request statistics
Basic configuration information for packages and programs: deployment options and program flags
Basic usage/targeting information for deployment types: user versus device targeted, required versus
available, and universal apps
Count of application applicability by OS
Count of applications referenced in a task sequence
Count of distinct branding for application catalog
Count of Microsoft 365 Apps applications created using dashboard
Count of packages by type
Count of package/program deployments
Count of Windows 10 and later licensed application licenses
Count of Windows Installer deployment types by uninstall content settings
Count of Microsoft Store for Business apps and sync statistics: summarized types of apps, licensed app
status, and number of online and offline licensed apps
Maintenance window type and duration
Minimum/maximum/average number of application deployments per user/device per time period
Most common application installation error codes by deployment technology
MSI configuration options and counts
Statistics on end-user interaction with notification for required software deployments
Universal Data Access usage, how created
Aggregated user device affinity statistics
Max and average primary users per device
Application global condition usage by type
Software Center customization configuration
Package Conversion Manager readiness and counts
Count of application detection methods by type
Count of application enforcement errors
MSI installer properties
Statistics of user install requests
Aggregated statistics on the use of the email approval feature
File count, content size, services count, and custom action count of MSIs in application catalog
Count of devices by Office ProPlus readiness state
Aggregated statistics on the use of application groups
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and counts of clients with
Microsoft 365 Apps
Aggregated statistics on Office add-in health
Count and size of Office ProPlus pilot collections
Number of Office ProPlus devices sending Office health data
Client (Level 2)
Active Management Technology (AMT) client version
BIOS age in years
Count of devices with Secure Boot enabled
Count of devices by TPM state
Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended
interoperability client)
Client deployment download errors
Client health statistics and top issue summary by client version, component, OS, and workload
Client notification operation action status: how many times each is run, max number of targeted clients,
and average success rate
Count of client installations from each source location type
Count of client installation failures
Count of devices virtualized by Hyper-V or Azure
Count of Software Center actions
Count of UEFI-enabled devices
Deployment methods used for client and count of clients per deployment method
List/count of enabled client agents
OS age in months
Number of hardware inventory classes, software inventory rules, file collection rules, and overall health
status
Statistics for device health attestation: most common error codes, number of on-premises servers, and
counts of devices in various states
Count of devices by default browser
Count of Configuration Manager-generated server authentication certificates
Count of Microsoft Surface devices by model
Count of client health check failures by issue type
Count of status (total/approved/blocked) for client certificate types
Client counts for different user/device relationship types
Count of clients in VPN boundaries
Cloud services (Level 2)
Azure Active Directory discovery statistics
Count of collections synced to Azure Log Analytics
Count of Upgrade Analytics Connectors
Whether the Azure Log Analytics cloud connector is enabled
Count of pull-distribution points with a cloud distribution point as a source location
Usage of the cloud services onboarding wizard
Cloud services configuration onboarding properties
Cloud services endpoint connectivity and component health
CMPivot (Level 2)
CMPivot usage statistics
Count of saved CMPivot queries
Count of queries by entity type
Co-management (Level 2)
Enrollment schedule and historical statistics
Count of clients eligible for co-management
Associated Microsoft Intune tenant
Collections (Level 2)
Collection ID usage (not running out of IDs)
Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID
rollover, and rule usage
Collections without a deployment
Count of collections synchronized to Azure Active Directory
Compliance settings (Level 2)
[Updated] Basic configuration baseline information: count, number of deployments, number of
references, and frequency of changes
Compliance policy error statistics
Count of configuration items by type
Count of deployments that reference built-in settings, including remediate setting
Count of rules and deployments created for custom settings, including remediate setting
Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and
compliance policy templates
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy deployments by platform
Windows Hello for Business policy (created, deployed)
Count of deployed Microsoft Edge Legacy browser policies
Count of OneDrive policies (created, deployed)
Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)
Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type
Count of folders
Console performance information
25 most common actions, wizards, property sheets, and tree nodes accessed in the console
List of installed console extensions
Summary of size and count of admin persisted settings
Selected console usage information
[New] Unsigned extension policy
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and fallback relationships
Boundary group information: count of boundaries and site systems that are assigned to each boundary
group
Boundary group relationships and fallback configuration
Client content download statistics
Count of boundaries by type
Count of peer cache clients, usage statistic, and partial download statistics
Distribution Manager configuration information: threads, retry delay, number of retries, and pull
distribution point settings
Distribution point configuration information: use of branch cache and distribution point monitoring
Distribution point group information: count of packages and distribution points that are assigned to each
distribution point group
Content library type, whether local or remote
Count of boundary groups by configuration
Count of subnets excluded from peer cache
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender for Endpoint): count of
policies, and whether policies are deployed.
Count of alerts that are configured for Endpoint Protection feature
Count of collections that are selected to appear in Endpoint Protection dashboard
Count of Windows Defender Exploit Guard policies, deployments, and targeted clients
Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes
Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies
assigned to group). This data doesn't include any information about the settings included in the policy.
Aggregated statistics for Microsoft Defender for Endpoint policies
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands
Count of mobile device policies
Count of mobile devices Configuration Manager manages, and how you enrolled them (bulk, user-based)
Count of users who have multiple enrolled mobile devices
Mobile device polling schedule and statistics for mobile device check-in duration
On-premises mobile device management (MDM) (Level 2)
Count of Windows bulk enrollment packages and profiles
Deployment success/failure statistics for on-premises MDM application deployments
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution points, PXE-enabled
distribution points, and task sequences
Count of boot images by Configuration Manager client version
Count of boot images by Windows PE version
Count of edition upgrade policies
Count of hardware identifiers excluded from PXE
Count of OS deployment by OS version
Count of OS upgrades over time
Count of task sequence deployments using option to pre-download content
Counts of task sequence step usage
Version of Windows ADK installed
Count of image servicing tasks
Count of imported machines
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded from PXE and client
registration
Count of task sequences by type (OS deployment or generic task sequence)
Count of packages with pre-cache content settings
Grouped sizes of task sequence policies
Count of error codes from feature upgrades for Windows clients
[NEW] Count of supported and unsupported OS versions
Site updates (Level 2)
Versions of installed Configuration Manager hotfixes
Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules
Average and maximum number of assignments per update
Client update evaluation and scan schedules
Classifications synced by the software update point
Cluster patching statistics
Configuration of Windows express updates
Configurations that are used for active Windows servicing plans
Count of deployed Microsoft 365 Apps updates
Count of Microsoft Surface drivers synced
Count of update groups and assignments
Count of update packages and the maximum/minimum/average number of distribution points that are targeted with packages
Count of updates that are created and deployed with System Center Update Publisher
Count of Windows Update for Business policies created and deployed
Aggregated statistics of Windows Update for Business configurations
Number of automatic deployment rules that are tied to synchronization
Number of automatic deployment rules that create new or add updates to an existing group
Number of automatic deployment rules that have multiple deployments
Number of update groups and minimum/maximum/average number of updates per group
Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and contain EULAs
Software update point load-balancing statistics
Software update point synchronization schedule
Total/average number of collections that have software update deployments and the maximum/average number of deployed updates
Update scan error codes and machine count
Windows servicing dashboard content versions
Count of third-party software update catalog subscriptions and usage
Count of software updates deployed with and without content
Aggregated statistics on the number of UUP updates that are required, deployed, expired, superseded, and downloaded
Use of UUP product categories
Count of clients that have deployed at least one UUP quality update or UUP feature update
Top UUP error codes and count of affected devices
List of subscriptions to third-party software update catalogs
Use of WSUS maintenance settings
Orchestration group usage
Windows Update fallback configuration settings
SQL/performance data (Level 2)
Configuration and duration of site summarization
Count of largest database tables
Discovery operational statistics (count of objects found)
Discovery types, enabled, and schedule (full, incremental)
SQL Server change tracking performance issues, retention period, and autocleanup state
SQL Server change tracking retention period
State and status message performance statistics including most common and most expensive message types
Management point traffic statistics (total bytes sent and received by endpoint)
Management point performance counter measurements
Aggregated performance statistics of calls made to Software Center endpoints on the management point
SQL Server maintenance task configuration and status
Status of recent re-initialization requests
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule, average time, and use of customized tables feature
Count of scripts and run/edit statistics
Count of sites with Wake On LAN (WOL)
Reporting usage and performance statistics
Phased deployment usage statistics
Management insights item counts and progress
Count of crashes for unique non-Configuration Manager processes on the site server, and Watson signature ID, if available
Aggregated system boot time statistics by OS, form-factor, and drive type
Usage of the Azure migration tool
Count of clients with browser usage
Summary of how many site systems have the proxy enabled and how many are authenticated proxy
Usage information for the last seven days of in-console product feedback
[NEW] Count of site-to-site accounts by type
[NEW] Usage statistics for user and device custom properties

Level 3 - Full
For Configuration Manager version 2107, this level includes the following data:
Automatic deployment rule evaluation schedule information
ATP health summary
Collection evaluation and refresh statistics
Compliance policy statistics on compliance and errors
Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details
DCM config pack for Configuration Manager usage
Detailed client deployment installation errors
Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported clients
Endpoint Protection policy configuration
List of processes configured with installation behavior for applications
Minimum/maximum/average number of hours since last software update scan
Minimum/maximum/average number of inactive clients in software update deployment collections
Minimum/maximum/average number of software updates per package
MSI product code deployment statistics
Overall compliance of software update deployments
Count of groups that have expired software updates
Software update deployment error codes and counts
Software update deployment information: percentage of deployments that are targeted with client versus UTC time, required versus optional versus silent, and reboot suppression
Software update products synced by software update point
Software update scan success percentages
Top 50 CPUs in the environment
Type of Exchange ActiveSync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages
Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts
Count of clients pushed with option to not allow fallback to NTLM
List of Configuration Manager console extensions
Diagnostic and usage data for version 2103
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


The following sections provide additional detail about data collected at each level. For more information on the levels and how to change them, see Levels of diagnostic usage data.
Changes from previous versions are noted with [New] , [Updated] , [Removed] , or [Moved] .

IMPORTANT
Configuration Manager doesn't collect site codes, site names, IP addresses, user names, computer names, physical addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level is not purposeful. It is potentially included in advanced diagnostic information like log files or memory snapshots. Microsoft doesn't use this information to identify you, contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2103, this level includes the following data:
Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple deployment types, total apps with dependencies, total superseded apps, and count of deployment technologies in use
Count of Microsoft Edge installations
Count of clients by default and preferred browser
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 devices by branch, build, and unique Active Directory forest
Count of clients joined to Azure Active Directory
Count of extended interoperability clients
Count of clients by Windows OS age, to the nearest three-month interval
Top 10 processor names used on clients and servers
Use of the bulk registration token
Count of clients by identity source and registration method. For example, Active Directory, Azure Active Directory, or PKI client authentication certificate.
Cloud services (Level 1)
Count of clients by co-management enrollment method
Error statistics for co-management enrollment
Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion collection sizes, and enrollment errors
Count of Azure Active Directory applications and services connected to Configuration Manager
Cloud attach and detach actions
Status of last sync with Intune cloud service
Configuration and usage statistics of cloud management gateway: counts of regions and environments, and authentication/authorization statistics
Summarized count of Endpoint Analytics events
Aggregated statistics on Desktop Analytics enrollment errors and usage
Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language, SKU and architecture, system memory, logical processor count, connect site ID, installed .NET versions, console language packs, and capable authentication level
Hashed list of extensions to Configuration Manager console property pages and wizards
Configuration Manager console crash locations
Configuration Manager console usage statistics
Configuration Manager console notification configuration and status
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions
[Updated] BitLocker management client counts summarized by enrollment and TPM state
Setup (Level 1)
Build, install type, language packs, features that you enabled
Pre-release use, setup media type, branch type
Software Assurance expiration date
Update pack deployment status and errors, download progress, and prerequisite errors
Use of early update ring
Version of post-upgrade script
[New] Central administration site removal status
Site database (Level 1)
Basic database configuration: processors, memory size, memory settings, Configuration Manager database configuration, Configuration Manager database size, cluster configuration, configuration of distributed views, and change tracking version
Database performance metrics: replication processing information, top SQL Server stored procedures by processor, and disk usage
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health status
Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status, client count, time zone, and health status
Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is running entirely with Azure Active Directory Services
Basic site system server information: site system roles used, internet and SSL status, OS, processors, physical or virtual machine, and usage of site server high availability
Configured level for diagnostics and usage data, online or offline mode, and fast update configuration
Distribution point and management point types and basic configuration information: protected, prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled
Diagnostics and usage data statistics: when run, runtime, errors
Hashed list of hardware inventory properties longer than 255 characters
Count and processing rates of key Configuration Manager objects: data discovery records (DDR), state messages, status messages, hardware inventory, software inventory, and overall count of files in inboxes
Site server disk and processor performance information
Uptime and memory usage information for Configuration Manager site server processes
Count of crashes for Configuration Manager site server processes, and Watson signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Status and health of the administration service
Counts of errors from administration service
Site health information
Site health check configuration and status
Version of Visual Studio redistributable and .NET Framework installed on clients and site system servers
Summarized hierarchy health and activity status
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of Windows 10 clients that use Windows Update for Business
Count of operating systems for managed devices and policies set by the Exchange Connector
Count of phased deployments created by type
Count of categorized and uncategorized applications for asset intelligence
[New] Aggregated count of upgrade readiness assessments
[New] Number of software updates referenced by task sequence

Level 2 - Enhanced
For Configuration Manager version 2103, this level includes the following data:
Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment technology
App supersedence, maximum depth of chain
Application approval statistics and usage frequency
Application content size statistics
Application deployment information: use of install versus uninstall, requires approval, user interaction enabled/disabled, dependency, supersedence, and usage count of install behavior feature
Application policy size and complexity statistics
Available application request statistics
Basic configuration information for packages and programs: deployment options and program flags
Basic usage/targeting information for deployment types: user versus device targeted, required versus available, and universal apps
Count of application applicability by OS
Count of applications referenced in a task sequence
Count of distinct branding for application catalog
Count of Microsoft 365 Apps applications created using dashboard
Count of packages by type
Count of package/program deployments
Count of Windows 10 licensed application licenses
Count of Windows Installer deployment types by uninstall content settings
Count of Microsoft Store for Business apps and sync statistics: summarized types of apps, licensed app status, and number of online and offline licensed apps
Maintenance window type and duration
Minimum/maximum/average number of application deployments per user/device per time period
Most common application installation error codes by deployment technology
MSI configuration options and counts
Statistics on end-user interaction with notification for required software deployments
Universal Data Access usage, how created
Aggregated user device affinity statistics
Max and average primary users per device
Application global condition usage by type
Software Center customization configuration
Package Conversion Manager readiness and counts
Count of application detection methods by type
Count of application enforcement errors
MSI installer properties
Statistics of user install requests
Aggregated statistics on the use of the email approval feature
File count, content size, services count, and custom action count of MSIs in application catalog
Count of devices by Office ProPlus readiness state
Aggregated statistics on the use of application groups
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and counts of clients with Microsoft 365 Apps
Aggregated statistics on Office add-in health
Count and size of Office Pro Plus pilot collections
Number of Office Pro Plus devices sending Office health data
Client (Level 2)
Active Management Technology (AMT) client version
BIOS age in years
Count of devices with Secure Boot enabled
Count of devices by TPM state
Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended interoperability client)
Client deployment download errors
Client health statistics and top issue summary by client version, component, OS, and workload
Client notification operation action status: how many times each is run, max number of targeted clients, and average success rate
Count of client installations from each source location type
Count of client installation failures
Count of devices virtualized by Hyper-V or Azure
Count of Software Center actions
Count of UEFI-enabled devices
Deployment methods used for client and count of clients per deployment method
List/count of enabled client agents
OS age in months
Number of hardware inventory classes, software inventory rules, file collection rules, and overall health status
Statistics for device health attestation: most common error codes, number of on-premises servers, and counts of devices in various states
Count of devices by default browser
Count of Configuration Manager-generated server authentication certificates
Count of Microsoft Surface devices by model
Count of client health check failures by issue type
Count of status (total/approved/blocked) for client certificate types
Client counts for different user/device relationship types
Count of clients in VPN boundaries
Cloud services (Level 2)
Azure Active Directory discovery statistics
Count of collections synced to Azure Log Analytics
Count of Upgrade Analytics Connectors
Whether the Azure Log Analytics cloud connector is enabled
Count of pull-distribution points with a cloud distribution point as a source location
Usage of the cloud services onboarding wizard
[New] Cloud services configuration onboarding properties
[New] Cloud services endpoint connectivity and component health
CMPivot (Level 2)
CMPivot usage statistics
Count of saved CMPivot queries
Count of queries by entity type
Co-management (Level 2)
Enrollment schedule and historical statistics
Count of clients eligible for co-management
Associated Microsoft Intune tenant
Collections (Level 2)
Collection ID usage (not running out of IDs)
Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID rollover, and rule usage
Collections without a deployment
Count of collections synchronized to Azure Active Directory
Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, and number of references
Compliance policy error statistics
Count of configuration items by type
Count of deployments that reference built-in settings, including remediate setting
Count of rules and deployments created for custom settings, including remediate setting
Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and compliance policy templates
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy deployments by platform
Windows Hello for Business policy (created, deployed)
Count of deployed Microsoft Edge Legacy browser policies
Count of OneDrive policies (created, deployed)
Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)
Configuration Manager console (Level 2)
Counts of active and viewed console notification messages by type
Count of folders
Console performance information
25 most common actions, wizards, property sheets, and tree nodes accessed in the console
List of installed console extensions
Summary of size and count of admin persisted settings
Selected console usage information
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and fallback relationships
Boundary group information: count of boundaries and site systems that are assigned to each boundary group
Boundary group relationships and fallback configuration
Client content download statistics
Count of boundaries by type
Count of peer cache clients, usage statistic, and partial download statistics
Distribution Manager configuration information: threads, retry delay, number of retries, and pull distribution point settings
Distribution point configuration information: use of branch cache and distribution point monitoring
Distribution point group information: count of packages and distribution points that are assigned to each distribution point group
Content library type, whether local or remote
Count of boundary groups by configuration
Count of subnets excluded from peer cache
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender for Endpoint): count of policies, and whether policies are deployed.
Count of alerts that are configured for Endpoint Protection feature
Count of collections that are selected to appear in Endpoint Protection dashboard
Count of Windows Defender Exploit Guard policies, deployments, and targeted clients
Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes
Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies assigned to group). This data doesn't include any information about the settings included in the policy.
Aggregated statistics for Microsoft Defender for Endpoint policies
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands
Count of mobile device policies
Count of mobile devices Configuration Manager manages, and how you enrolled them (bulk, user-based)
Count of users who have multiple enrolled mobile devices
Mobile device polling schedule and statistics for mobile device check-in duration
On-premises mobile device management (MDM) (Level 2)
Count of Windows 10 bulk enrollment packages and profiles
Deployment success/failure statistics for on-premises MDM application deployments
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution points, PXE-enabled distribution points, and task sequences
Count of boot images by Configuration Manager client version
Count of boot images by Windows PE version
Count of edition upgrade policies
Count of hardware identifiers excluded from PXE
Count of OS deployment by OS version
Count of OS upgrades over time
Count of task sequence deployments using option to pre-download content
Counts of task sequence step usage
Version of Windows ADK installed
Count of image servicing tasks
Count of imported machines
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded from PXE and client registration
Count of task sequences by type (OS deployment or generic task sequence)
Count of packages with pre-cache content settings
Grouped sizes of task sequence policies
[New] Count of error codes from feature upgrades for Windows 10 clients
Site updates (Level 2)
Versions of installed Configuration Manager hotfixes
Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules
Average and maximum number of assignments per update
Client update evaluation and scan schedules
Classifications synced by the software update point
Cluster patching statistics
Configuration of Windows 10 express updates
Configurations that are used for active Windows 10 servicing plans
Count of deployed Microsoft 365 Apps updates
Count of Microsoft Surface drivers synced
Count of update groups and assignments
Count of update packages and the maximum/minimum/average number of distribution points that are targeted with packages
Count of updates that are created and deployed with System Center Update Publisher
Count of Windows Update for Business policies created and deployed
Aggregated statistics of Windows Update for Business configurations
Number of automatic deployment rules that are tied to synchronization
Number of automatic deployment rules that create new or add updates to an existing group
Number of automatic deployment rules that have multiple deployments
Number of update groups and minimum/maximum/average number of updates per group
Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and contain EULAs
Software update point load-balancing statistics
Software update point synchronization schedule
Total/average number of collections that have software update deployments and the maximum/average number of deployed updates
Update scan error codes and machine count
Windows 10 dashboard content versions
Count of third-party software update catalog subscriptions and usage
Count of software updates deployed with and without content
Aggregated statistics on the number of UUP updates that are required, deployed, expired, superseded, and downloaded
Use of UUP product categories
Count of clients that have deployed at least one UUP quality update or UUP feature update
Top UUP error codes and count of affected devices
List of subscriptions to third-party software update catalogs
Use of WSUS maintenance settings
Orchestration group usage
Windows Update fallback configuration settings
SQL/performance data (Level 2)
Configuration and duration of site summarization
Count of largest database tables
Discovery operational statistics (count of objects found)
Discovery types, enabled, and schedule (full, incremental)
SQL Server change tracking performance issues, retention period, and autocleanup state
SQL Server change tracking retention period
State and status message performance statistics including most common and most expensive message types
Management point traffic statistics (total bytes sent and received by endpoint)
Management point performance counter measurements
Aggregated performance statistics of calls made to Software Center endpoints on the management point
SQL Server maintenance task configuration and status
Status of recent re-initialization requests
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule, average time, and use of customized tables feature
Count of scripts and run/edit statistics
Count of sites with Wake On LAN (WOL)
Reporting usage and performance statistics
Phased deployment usage statistics
Management insights item counts and progress
Count of crashes for unique non-Configuration Manager processes on the site server, and Watson signature ID, if available
Aggregated system boot time statistics by OS, form-factor, and drive type
Usage of the Azure migration tool
Count of clients with browser usage
Summary of how many site systems have the proxy enabled and how many are authenticated proxy
[New] Usage information for the last seven days of in-console product feedback

Level 3 - Full
For Configuration Manager version 2103, this level includes the following data:
Automatic deployment rule evaluation schedule information
ATP health summary
Collection evaluation and refresh statistics
Compliance policy statistics on compliance and errors
Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details
DCM config pack for Configuration Manager usage
Detailed client deployment installation errors
Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported clients
Endpoint Protection policy configuration
List of processes configured with installation behavior for applications
Minimum/maximum/average number of hours since last software update scan
Minimum/maximum/average number of inactive clients in software update deployment collections
Minimum/maximum/average number of software updates per package
MSI product code deployment statistics
Overall compliance of software update deployments
Count of groups that have expired software updates
Software update deployment error codes and counts
Software update deployment information: percentage of deployments that are targeted with client versus UTC time, required versus optional versus silent, and reboot suppression
Software update products synced by software update point
Software update scan success percentages
Top 50 CPUs in the environment
Type of Exchange ActiveSync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages
Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts
Count of clients pushed with option to not allow fallback to NTLM
List of Configuration Manager console extensions
Diagnostic and usage data for version 2010
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


The following sections provide additional detail about data collected at each level. For more information on the levels and how to change them, see Levels of diagnostic usage data.
Changes from previous versions are noted with [New] , [Updated] , [Removed] , or [Moved] .

IMPORTANT
Configuration Manager doesn't collect site codes, site names, IP addresses, user names, computer names, physical addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level is not purposeful. It is potentially included in advanced diagnostic information like log files or memory snapshots. Microsoft doesn't use this information to identify you, contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2010, this level includes the following data:
Application management (Level 1)
Basic application and deployment type counts: total apps, total apps with multiple deployment types, total apps with dependencies, total superseded apps, and count of deployment technologies in use
Count of Microsoft Edge installations
Count of clients by default and preferred browser
Client (Level 1)
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of Windows 10 devices by branch, build, and unique Active Directory forest
Count of clients joined to Azure Active Directory
Count of extended interoperability clients
Count of clients by Windows OS age, to the nearest three-month interval
Top 10 processor names used on clients and servers
Use of the bulk registration token
[New] Count of clients by identity source and registration method. For example, Active Directory, Azure Active Directory, or PKI client authentication certificate.
Cloud services (Level 1)
Count of clients by co-management enrollment method
Error statistics for co-management enrollment
Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion collection sizes, and enrollment errors
Count of Azure Active Directory applications and services connected to Configuration Manager
Cloud attach and detach actions
Status of last sync with Intune cloud service
Configuration and usage statistics of cloud management gateway: counts of regions and environments, and authentication/authorization statistics
Summarized count of Endpoint Analytics events
Aggregated statistics on Desktop Analytics enrollment errors and usage
Configuration Manager console (Level 1)
Statistics about Configuration Manager console connections: OS version, language, SKU and architecture, system memory, logical processor count, connect site ID, installed .NET versions, console language packs, and capable authentication level
Hashed list of extensions to Configuration Manager console property pages and wizards
Configuration Manager console crash locations
Configuration Manager console usage statistics
Configuration Manager console notification configuration and status
Protection (Level 1)
Basic Endpoint Protection information about antimalware client versions
Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions
[New] BitLocker management client counts summarized by state
Setup (Level 1)
Build, install type, language packs, features that you enabled
Pre-release use, setup media type, branch type
Software Assurance expiration date
Update pack deployment status and errors, download progress, and prerequisite errors
Use of early update ring
Version of post-upgrade script
Site database (Level 1)
Basic database configuration: processors, memory size, memory settings, Configuration Manager database configuration, Configuration Manager database size, cluster configuration, configuration of distributed views, and change tracking version
[Removed] Configuration Manager database schema (hash of all object definitions)
Database performance metrics: replication processing information, top SQL Server stored procedures by
processor, and disk usage
SQL Server version, service pack level, edition, collation ID, and character set
Hashed list of top SQL queries by memory usage and lock count
SQL Server Always On availability group replica information, usage, and health status
Site infrastructure (Level 1)
Basic Configuration Manager site hierarchy data: site list, type, version, status, client count, time zone, and
health status
Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is
running entirely with Azure Active Directory Services
Basic site system server information: site system roles used, internet and SSL status, OS, processors,
physical or virtual machine, and usage of site server high availability
Configured level for diagnostics and usage data, online or offline mode, and fast update configuration
Distribution point and management point types and basic configuration information: protected,
prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled
Diagnostics and usage data statistics: when run, runtime, errors
[Removed] Whether network discovery is enabled or disabled
Hashed list of hardware inventory properties longer than 255 characters
Count and processing rates of key Configuration Manager objects: data discovery records (DDR), state
messages, status messages, hardware inventory, software inventory, and overall count of files in inboxes
Site server disk and processor performance information
Uptime and memory usage information for Configuration Manager site server processes
Count of crashes for Configuration Manager site server processes, and Watson signature ID, if available
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Status and health of the administration service
Counts of errors from administration service
Site health information
Site health check configuration and status
[New] Version of Visual Studio redistributable and .NET Framework installed on clients and site system
servers
[New] Summarized hierarchy health and activity status
Miscellaneous (Level 1)
Basic OS deployment counts of images
Count of Windows 10 clients that use Windows Update for Business
Count of operating systems for managed devices and policies set by the Exchange Connector
Count of phased deployments created by type
Count of categorized and uncategorized applications for asset intelligence

Level 2 - Enhanced
For Configuration Manager version 2010, this level includes the following data:
Application management (Level 2)
App requirements: count of built-in conditions referenced by deployment technology
App supersedence, maximum depth of chain
Application approval statistics and usage frequency
Application content size statistics
Application deployment information: use of install versus uninstall, requires approval, user interaction
enabled/disabled, dependency, supersedence, and usage count of install behavior feature
Application policy size and complexity statistics
Available application request statistics
Basic configuration information for packages and programs: deployment options and program flags
Basic usage/targeting information for deployment types: user versus device targeted, required versus
available, and universal apps
[Removed] Count of App-V environments and deployment properties
Count of application applicability by OS
Count of applications referenced in a task sequence
Count of distinct branding for application catalog
Count of Microsoft 365 Apps applications created using dashboard
Count of packages by type
Count of package/program deployments
Count of Windows 10 licensed application licenses
Count of Windows Installer deployment types by uninstall content settings
Count of Microsoft Store for Business apps and sync statistics: summarized types of apps, licensed app
status, and number of online and offline licensed apps
Maintenance window type and duration
Minimum/maximum/average number of application deployments per user/device per time period
Most common application installation error codes by deployment technology
MSI configuration options and counts
Statistics on end-user interaction with notification for required software deployments
Universal Data Access usage, how created
Aggregated user device affinity statistics
Max and average primary users per device
Application global condition usage by type
Software Center customization configuration
Package Conversion Manager readiness and counts
Count of application detection methods by type
Count of application enforcement errors
MSI installer properties
Statistics of user install requests
Aggregated statistics on the use of the email approval feature
File count, content size, services count, and custom action count of MSIs in application catalog
Count of devices by Office ProPlus readiness state
Aggregated statistics on the use of application groups
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and counts of clients with
Microsoft 365 Apps
Aggregated statistics on Office add-in health
Count and size of Office Pro Plus pilot collections
Number of Office Pro Plus devices sending Office health data
Client (Level 2)
Active Management Technology (AMT) client version
BIOS age in years
Count of devices with Secure Boot enabled
Count of devices by TPM state
Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended
interoperability client)
[Removed] Client cache size configuration
Client deployment download errors
Client health statistics and top issue summary by client version, component, OS, and workload
Client notification operation action status: how many times each is run, max number of targeted clients,
and average success rate
Count of client installations from each source location type
Count of client installation failures
Count of devices virtualized by Hyper-V or Azure
Count of Software Center actions
Count of UEFI-enabled devices
Deployment methods used for client and count of clients per deployment method
List/count of enabled client agents
OS age in months
Number of hardware inventory classes, software inventory rules, file collection rules, and overall health
status
Statistics for device health attestation: most common error codes, number of on-premises servers, and
counts of devices in various states
Count of devices by default browser
Count of Configuration Manager-generated server authentication certificates
Count of Microsoft Surface devices by model
Count of client health check failures by issue type
[New] Count of status (total/approved/blocked) for client certificate types
[New] Client counts for different user/device relationship types
[New] Count of clients in VPN boundaries
Cloud services (Level 2)
Azure Active Directory discovery statistics
Count of collections synced to Azure Log Analytics
Count of Upgrade Analytics Connectors
Whether the Azure Log Analytics cloud connector is enabled
Count of pull-distribution points with a cloud distribution point as a source location
Usage of the cloud services onboarding wizard
CMPivot (Level 2)
CMPivot usage statistics
Count of saved CMPivot queries
Count of queries by entity type
Co-management (Level 2)
Enrollment schedule and historical statistics
Count of clients eligible for co-management
Associated Microsoft Intune tenant
Collections (Level 2)
Collection ID usage (not running out of IDs)
Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID
rollover, and rule usage
Collections without a deployment
Count of collections synchronized to Azure Active Directory
Compliance settings (Level 2)
Basic configuration baseline information: count, number of deployments, and number of references
Compliance policy error statistics
Count of configuration items by type
Count of deployments that reference built-in settings, including remediate setting
Count of rules and deployments created for custom settings, including remediate setting
Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and
compliance policy templates
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy deployments by platform
Windows Hello for Business policy (created, deployed)
Count of deployed Microsoft Edge Legacy browser policies
Count of OneDrive policies (created, deployed)
Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)
Configuration Manager console (Level 2)
[Updated] Counts of active and viewed console notification messages by type
Count of folders
Console performance information
25 most common actions, wizards, property sheets, and tree nodes accessed in the console
[New] List of installed console extensions
[New] Summary of size and count of admin persisted settings
[New] Selected console usage information
Content (Level 2)
Boundary group statistics: how many fast, how many slow, count per group, and fallback relationships
Boundary group information: count of boundaries and site systems that are assigned to each boundary
group
Boundary group relationships and fallback configuration
Client content download statistics
Count of boundaries by type
Count of peer cache clients, usage statistic, and partial download statistics
Distribution Manager configuration information: threads, retry delay, number of retries, and pull
distribution point settings
Distribution point configuration information: use of branch cache and distribution point monitoring
Distribution point group information: count of packages and distribution points that are assigned to each
distribution point group
Content library type, whether local or remote
Count of boundary groups by configuration
Count of subnets excluded from peer cache
Protection (Level 2)
Microsoft Defender for Endpoint policies (formerly known as Windows Defender for Endpoint): count of
policies, and whether policies are deployed.
Count of alerts that are configured for Endpoint Protection feature
Count of collections that are selected to appear in Endpoint Protection dashboard
Count of Windows Defender Exploit Guard policies, deployments, and targeted clients
Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes
Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies
assigned to group). This data doesn't include any information about the settings included in the policy.
Aggregated statistics for Microsoft Defender for Endpoint policies
Migration (Level 2)
Count of migrated objects (use of migration wizard)
Mobile device management (MDM) (Level 2)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands
Count of mobile device policies
Count of mobile devices Configuration Manager manages, and how you enrolled them (bulk, user-based)
Count of users who have multiple enrolled mobile devices
Mobile device polling schedule and statistics for mobile device check-in duration
Microsoft Intune troubleshooting (Level 2)
[Removed] Count and size of device actions (wipe, retire, lock), usage data, and data messages that are
replicated to Microsoft Intune
[Removed] Count and size of state, status, inventory, RDR, DDR, UDX, Tenant state, POL, LOG, Cert, CRP,
Resync, CFD, RDO, BEX, ISM, and compliance messages that are downloaded from Microsoft Intune
[Removed] Full and delta user synchronization statistics for Microsoft Intune
On-premises mobile device management (MDM) (Level 2)
Count of Windows 10 bulk enrollment packages and profiles
Deployment success/failure statistics for on-premises MDM application deployments
OS deployment (Level 2)
Count of boot images, drivers, driver packages, multicast-enabled distribution points, PXE-enabled
distribution points, and task sequences
Count of boot images by Configuration Manager client version
Count of boot images by Windows PE version
Count of edition upgrade policies
Count of hardware identifiers excluded from PXE
Count of OS deployment by OS version
Count of OS upgrades over time
Count of task sequence deployments using option to pre-download content
Counts of task sequence step usage
Version of Windows ADK installed
Count of image servicing tasks
Count of imported machines
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded from PXE and client
registration
Count of task sequences by type (OS deployment or generic task sequence)
Count of packages with pre-cache content settings
[New] Grouped sizes of task sequence policies
Site updates (Level 2)
Versions of installed Configuration Manager hotfixes
Software updates (Level 2)
Available and deadline deltas that are used in automatic deployment rules
Average and maximum number of assignments per update
Client update evaluation and scan schedules
Classifications synced by the software update point
Cluster patching statistics
Configuration of Windows 10 express updates
Configurations that are used for active Windows 10 servicing plans
Count of deployed Microsoft 365 Apps updates
Count of Microsoft Surface drivers synced
Count of update groups and assignments
Count of update packages and the maximum/minimum/average number of distribution points that are
targeted with packages
Count of updates that are created and deployed with System Center Update Publisher
Count of Windows Update for Business policies created and deployed
Aggregated statistics of Windows Update for Business configurations
Number of automatic deployment rules that are tied to synchronization
Number of automatic deployment rules that create new or add updates to an existing group
Number of automatic deployment rules that have multiple deployments
Number of update groups and minimum/maximum/average number of updates per group
Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and
contain EULAs
Software update point load-balancing statistics
Software update point synchronization schedule
Total/average number of collections that have software update deployments and the maximum/average
number of deployed updates
Update scan error codes and machine count
Windows 10 dashboard content versions
Count of third-party software update catalog subscriptions and usage
Count of software updates deployed with and without content
Aggregated statistics on the number of UUP updates that are required, deployed, expired, superseded,
and downloaded
Use of UUP product categories
Count of clients that have deployed at least one UUP quality update or UUP feature update
Top UUP error codes and count of affected devices
List of subscriptions to third-party software update catalogs
Use of WSUS maintenance settings
Orchestration group usage
Windows Update fallback configuration settings
SQL/performance data (Level 2)
Configuration and duration of site summarization
Count of largest database tables
Discovery operational statistics (count of objects found)
Discovery types, enabled, and schedule (full, incremental)
SQL Server change tracking performance issues, retention period, and autocleanup state
SQL Server change tracking retention period
State and status message performance statistics including most common and most expensive message
types
Management point traffic statistics (total bytes sent and received by endpoint)
Management point performance counter measurements
Aggregated performance statistics of calls made to Software Center endpoints on the management point
SQL Server maintenance task configuration and status
Status of recent re-initialization requests
Miscellaneous (Level 2)
Configuration of data warehouse service point including synchronization schedule, average time, and use
of customized tables feature
Count of scripts and run/edit statistics
Count of sites with Wake On LAN (WOL)
Reporting usage and performance statistics
Phased deployment usage statistics
Management insights item counts and progress
Count of crashes for unique non-Configuration Manager processes on the site server, and Watson
signature ID, if available
Aggregated system boot time statistics by OS, form-factor, and drive type
Usage of the Azure migration tool
Count of clients with browser usage
[New] Summary of how many site systems have the proxy enabled and how many are authenticated
proxy

Level 3 - Full
For Configuration Manager version 2010, this level includes the following data:
Automatic deployment rule evaluation schedule information
ATP health summary
Collection evaluation and refresh statistics
Compliance policy statistics on compliance and errors
Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details
DCM config pack for Configuration Manager usage
Detailed client deployment installation errors
Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported
clients
Endpoint Protection policy configuration
List of processes configured with installation behavior for applications
Minimum/maximum/average number of hours since last software update scan
Minimum/maximum/average number of inactive clients in software update deployment collections
Minimum/maximum/average number of software updates per package
MSI product code deployment statistics
Overall compliance of software update deployments
Count of groups that have expired software updates
Software update deployment error codes and counts
Software update deployment information: percentage of deployments that are targeted with client versus
UTC time, required versus optional versus silent, and reboot suppression
Software update products synced by software update point
Software update scan success percentages
Top 50 CPUs in the environment
Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that
Microsoft Intune manages
Microsoft Store for Business application details: non-aggregate list of synced applications including
AppID, online state or offline state, and total purchased license counts
Count of clients pushed with option to not allow fallback to NTLM
List of Configuration Manager console extensions
Diagnostic and usage data for version 2006
2/16/2022 • 14 minutes to read

Applies to: Configuration Manager (current branch)


The following sections provide additional detail about data collected at each level. For more information on the
levels and how to change them, see Levels of diagnostic usage data.
Changes from previous versions are noted with [New] , [Updated] , [Removed] , or [Moved] .

IMPORTANT
Configuration Manager doesn't collect site codes, site names, IP addresses, user names, computer names, physical addresses, or email addresses on the Basic or Enhanced levels. Any collection of this information on the Full level is not purposeful. It is potentially included in advanced diagnostic information like log files or memory snapshots. Microsoft doesn't use this information to identify you, contact you, or develop advertising.

Level 1 - Basic
For Configuration Manager version 2006, this level includes the following data:
Statistics about Configuration Manager console connections: OS version, language, SKU and architecture,
system memory, logical processor count, connect site ID, installed .NET versions, console language packs,
and capable authentication level
Basic application and deployment type counts: total apps, total apps with multiple deployment types, total
apps with dependencies, total superseded apps, and count of deployment technologies in use
Basic Configuration Manager site hierarchy data: site list, type, version, status, client count, time zone, and
health status
Basic database configuration: processors, memory size, memory settings, Configuration Manager
database configuration, Configuration Manager database size, cluster configuration, configuration of
distributed views, and change tracking version
Basic discovery statistics: discovery count, minimum/maximum/average group sizes, and when the site is
running entirely with Azure Active Directory Services
Basic Endpoint Protection information about antimalware client versions
Basic OS deployment counts of images
Basic site system server information: site system roles used, internet and SSL status, OS, processors,
physical or virtual machine, and usage of site server high availability
Configuration Manager database schema (hash of all object definitions)
Configured level for diagnostics and usage data, online or offline mode, and fast update configuration
Count of client languages and locales
Count of Configuration Manager client versions, OS versions, and Office versions
Count of operating systems for managed devices and policies set by the Exchange Connector
Count of Windows 10 devices by branch, build, and unique Active Directory forest
Count of Windows 10 clients that use Windows Update for Business
Database performance metrics: replication processing information, top SQL Server stored procedures by
processor, and disk usage
Distribution point and management point types and basic configuration information: protected,
prestaged, PXE, multicast, SSL state, pull/peer distribution points, MDM-enabled, and SSL-enabled
Hashed list of extensions to admin console property pages and wizards
Setup Information:
Build, install type, language packs, features that you enabled
Pre-release use, setup media type, branch type
Software Assurance expiration date
Update pack deployment status and errors, download progress, and prerequisite errors
Use of update fast ring
Version of post-upgrade script
SQL Server version, service pack level, edition, collation ID, and character set
Diagnostics and usage data statistics: when run, runtime, errors
Whether network discovery is enabled or disabled
Count of clients joined to Azure Active Directory
Count of phased deployments created by type
Count of extended interoperability clients
Hashed list of hardware inventory properties longer than 255 characters
Count of clients by co-management enrollment method
Error statistics for co-management enrollment
Count of clients by Windows OS age, to the nearest three-month interval
Top 10 processor names used on clients and servers
Count and processing rates of key Configuration Manager objects: data discovery records (DDR), state
messages, status messages, hardware inventory, software inventory, and overall count of files in inboxes
Site server disk and processor performance information
Uptime and memory usage information for Configuration Manager site server processes
Count of crashes for Configuration Manager site server processes, and Watson signature ID, if available
Hashed list of top SQL queries by memory usage and lock count
Aggregated usage statistics of co-management: number of clients ever enrolled, number of enrolled
clients, number of clients pending enrollment, clients receiving policy, workload states, pilot/exclusion
collection sizes, and enrollment errors
Existence of Microsoft BitLocker Administration and Monitoring (MBAM) server-side extensions
Count of categorized and uncategorized applications for asset intelligence
Status and health of the administration service
Hash of key site attributes (site ID, SQL Server broker ID, and site exchange key)
Count of Microsoft Edge installations
Count of Azure Active Directory applications and services connected to Configuration Manager
Site health information
Configuration Manager console crash locations
Configuration Manager console usage statistics
Cloud attach and detach actions
Status of last sync with Intune cloud service
Counts of errors from administration service
Use of the bulk registration token
Count of clients by default and preferred browser
[Moved] Configuration and usage statistics of Cloud Management Gateway: counts of regions and
environments, and authentication/authorization statistics
[Moved] SQL Server Always On availability group replica information, usage, and health status
[New] Admin console notification configuration and status
[New] Site health check configuration and status
[New] Summarized count of Endpoint Analytics events
[Moved] Aggregated statistics on Desktop Analytics enrollment errors and usage

Level 2 - Enhanced
For Configuration Manager version 2006, this level includes the following data:
Application management
App requirements: count of built-in conditions referenced by deployment technology
App supersedence, maximum depth of chain
Application approval statistics and usage frequency
Application content size statistics
Application deployment information: use of install versus uninstall, requires approval, user interaction
enabled/disabled, dependency, supersedence, and usage count of install behavior feature
Application policy size and complexity statistics
Available application request statistics
Basic configuration information for packages and programs: deployment options and program flags
Basic usage/targeting information for deployment types: user versus device targeted, required versus
available, and universal apps
Count of App-V environments and deployment properties
Count of application applicability by OS
Count of applications referenced in a task sequence
Count of distinct branding for application catalog
Count of Microsoft 365 Apps applications created using dashboard
Count of packages by type
Count of package/program deployments
Count of Windows 10 licensed application licenses
Count of Windows Installer deployment types by uninstall content settings
Count of Microsoft Store for Business apps and sync statistics: summarized types of apps, licensed app
status, and number of online and offline licensed apps
Maintenance window type and duration
Minimum/maximum/average number of application deployments per user/device per time period
Most common application installation error codes by deployment technology
MSI configuration options and counts
Statistics on end-user interaction with notification for required software deployments
Universal Data Access usage, how created
Aggregated user device affinity statistics
Max and average primary users per device
Application global condition usage by type
Software Center customization configuration
Package Conversion Manager readiness and counts
Count of application detection methods by type
Count of application enforcement errors
MSI installer properties
Statistics of user install requests
Aggregated statistics on the use of the email approval feature
File count, content size, services count, and custom action count of MSIs in application catalog
Count of devices by Office ProPlus readiness state
Aggregated statistics on the use of application groups
Aggregated statistics on Office add-ins, usage of the Office Readiness Toolkit, and counts of clients with
Microsoft 365 Apps
Aggregated statistics on Office add-in health
Count and size of Office Pro Plus pilot collections
Number of Office Pro Plus devices sending Office health data
Client
Active Management Technology (AMT) client version
BIOS age in years
Count of devices with Secure Boot enabled
Count of devices by TPM state
Client auto-upgrade: deployment configuration including client piloting and exclusion usage (extended
interoperability client)
Client cache size configuration
Client deployment download errors
Client health statistics and top issue summary by client version, component, OS, and workload
Client notification operation action status: how many times each is run, max number of targeted clients,
and average success rate
Count of client installations from each source location type
Count of client installation failures
Count of devices virtualized by Hyper-V or Azure
Count of Software Center actions
Count of UEFI-enabled devices
Deployment methods used for client and count of clients per deployment method
List/count of enabled client agents
OS age in months
[Updated] Number of hardware inventory classes, software inventory rules, file collection rules, and
overall health status
Statistics for device health attestation: most common error codes, number of on-premises servers, and
counts of devices in various states
Count of devices by default browser
Count of Configuration Manager-generated server authentication certificates
Count of Microsoft Surface devices by model
Count of client health check failures by issue type
Cloud services
Azure Active Directory discovery statistics
Count of collections synced to Azure Log Analytics
Count of Upgrade Analytics Connectors
Whether the Azure Log Analytics cloud connector is enabled
Count of pull-distribution points with a cloud distribution point as a source location
Usage of the cloud services onboarding wizard
CMPivot
CMPivot usage statistics
Count of saved CMPivot queries
Count of queries by entity type
Co-management
Enrollment schedule and historical statistics
Count of clients eligible for co-management
Associated Microsoft Intune tenant
Collections
Collection ID usage (not running out of IDs)
Collection evaluation statistics: query time, assigned versus unassigned counts, counts by type, ID
rollover, and rule usage
Collections without a deployment
Count of collections synchronized to Azure Active Directory
Compliance settings
Basic configuration baseline information: count, number of deployments, and number of references
Compliance policy error statistics
Count of configuration items by type
Count of deployments that reference built-in settings, including remediate setting
Count of rules and deployments created for custom settings, including remediate setting
Count of deployed Simple Certificate Enrollment Protocol (SCEP), VPN, Wi-Fi, certificate (.pfx), and
compliance policy templates
Count of SCEP certificate, VPN, Wi-Fi, certificate (.pfx), and compliance policy deployments by platform
Windows Hello for Business policy (created, deployed)
Count of deployed Microsoft Edge Legacy browser policies
Count of OneDrive policies (created, deployed)
[New] Count of compliance settings deployed by category, OS, and source (cloud vs on-premises)
Configuration Manager console
Count of non-critical console notifications
Count of folders
Console performance information
25 most common actions, wizards, property sheets, and tree nodes accessed in the console
Content
Boundary group statistics: how many fast, how many slow, count per group, and fallback relationships
Boundary group information: count of boundaries and site systems that are assigned to each boundary
group
Boundary group relationships and fallback configuration
Client content download statistics
Count of boundaries by type
Count of peer cache clients, usage statistic, and partial download statistics
Distribution Manager configuration information: threads, retry delay, number of retries, and pull
distribution point settings
Distribution point configuration information: use of branch cache and distribution point monitoring
Distribution point group information: count of packages and distribution points that are assigned to each
distribution point group
Content library type, whether local or remote
Count of boundary groups by configuration
Count of subnets excluded from peer cache
Endpoint Protection
Microsoft Defender for Endpoint policies (formerly known as Windows Defender for Endpoint): count of
policies, and whether policies are deployed.
Count of alerts that are configured for Endpoint Protection feature
Count of collections that are selected to appear in Endpoint Protection dashboard
Count of Windows Defender Exploit Guard policies, deployments, and targeted clients
Endpoint Protection deployment errors, count of Endpoint Protection policy deployment error codes
Endpoint Protection antimalware and Windows Firewall policy usage (number of unique policies
assigned to group). This data doesn't include any information about the settings included in the policy.
Aggregated statistics for Microsoft Defender for Endpoint policies
Migration
Count of migrated objects (use of migration wizard)
Mobile device management (MDM)
Count of issued mobile device actions: lock, PIN reset, wipe, retire, and sync now commands
Count of mobile device policies
Count of mobile devices Configuration Manager manages, and how you enrolled them (bulk, user-based)
Count of users who have multiple enrolled mobile devices
Mobile device polling schedule and statistics for mobile device check-in duration
Microsoft Intune troubleshooting
Count and size of device actions (wipe, retire, lock), usage data, and data messages that are replicated to
Microsoft Intune
Count and size of state, status, inventory, RDR, DDR, UDX, Tenant state, POL, LOG, Cert, CRP, Resync, CFD,
RDO, BEX, ISM, and compliance messages that are downloaded from Microsoft Intune
Full and delta user synchronization statistics for Microsoft Intune
On-premises mobile device management (MDM)
Count of Windows 10 bulk enrollment packages and profiles
Deployment success/failure statistics for on-premises MDM application deployments
OS deployment
Count of boot images, drivers, driver packages, multicast-enabled distribution points, PXE-enabled
distribution points, and task sequences
Count of boot images by Configuration Manager client version
Count of boot images by Windows PE version
Count of edition upgrade policies
Count of hardware identifiers excluded from PXE
Count of OS deployment by OS version
Count of OS upgrades over time
Count of task sequence deployments using option to pre-download content
Counts of task sequence step usage
Version of Windows ADK installed
Count of image servicing tasks
Count of imported machines
Count of duplicate hardware identifiers (MAC address and SMBIOS GUID) excluded from PXE and client
registration
Count of task sequences by type (OS deployment or generic task sequence)
Count of packages with pre-cache content settings
Site updates
Versions of installed Configuration Manager hotfixes
Software updates
Available and deadline deltas that are used in automatic deployment rules
Average and maximum number of assignments per update
Client update evaluation and scan schedules
Classifications synced by the software update point
Cluster patching statistics
Configuration of Windows 10 express updates
Configurations that are used for active Windows 10 servicing plans
Count of deployed Microsoft 365 Apps updates
Count of Microsoft Surface drivers synced
Count of update groups and assignments
Count of update packages and the maximum/minimum/average number of distribution points that are
targeted with packages
Count of updates that are created and deployed with System Center Update Publisher
Count of Windows Update for Business policies created and deployed
Aggregated statistics of Windows Update for Business configurations
Number of automatic deployment rules that are tied to synchronization
Number of automatic deployment rules that create new or add updates to an existing group
Number of automatic deployment rules that have multiple deployments
Number of update groups and minimum/maximum/average number of updates per group
Number of updates and percentage of updates that are deployed, expired, superseded, downloaded, and
contain EULAs
Software update point load-balancing statistics
Software update point synchronization schedule
Total/average number of collections that have software update deployments and the maximum/average
number of deployed updates
Update scan error codes and machine count
Windows 10 dashboard content versions
Count of third-party software update catalog subscriptions and usage
Count of software updates deployed with and without content
Aggregated statistics on the number of UUP updates that are required, deployed, expired, superseded,
and downloaded
Use of UUP product categories
Count of clients that have deployed at least one UUP quality update or UUP feature update
Top UUP error codes and count of affected devices
List of subscriptions to third-party software update catalogs
Use of WSUS maintenance settings
Orchestration group usage
Windows Update fallback configuration settings
SQL/performance data
Configuration and duration of site summarization
Count of largest database tables
Discovery operational statistics (count of objects found)
Discovery types, enabled, and schedule (full, incremental)
SQL Server change tracking performance issues, retention period, and autocleanup state
SQL Server change tracking retention period
State and status message performance statistics including most common and most expensive message
types
Management point traffic statistics (total bytes sent and received by endpoint)
Management point performance counter measurements
Aggregated performance statistics of calls made to Software Center endpoints on the management point
SQL Server maintenance task configuration and status
Status of recent re-initialization requests
Miscellaneous
Configuration of data warehouse service point including synchronization schedule, average time, and use
of customized tables feature
Count of scripts and run/edit statistics
Count of sites with Wake On LAN (WOL)
Reporting usage and performance statistics
Phased deployment usage statistics
Management insights item counts and progress
Count of crashes for unique non-Configuration Manager processes on the site server, and Watson
signature ID, if available
Aggregated system boot time statistics by OS, form-factor, and drive type
Usage of the Azure migration tool
Count of clients with browser usage

Level 3 - Full
For Configuration Manager version 2006, this level includes the following data:
Automatic deployment rule evaluation schedule information
ATP health summary
Collection evaluation and refresh statistics
Compliance policy statistics on compliance and errors
Compliance settings: SCEP, VPN, Wi-Fi, and compliance policy template configuration details
DCM config pack for Configuration Manager usage
Detailed client deployment installation errors
Endpoint Protection health summary: including count of protected, at risk, unknown, and unsupported
clients
Endpoint Protection policy configuration
List of processes configured with installation behavior for applications
Minimum/maximum/average number of hours since last software update scan
Minimum/maximum/average number of inactive clients in software update deployment collections
Minimum/maximum/average number of software updates per package
MSI product code deployment statistics
Overall compliance of software update deployments
Count of groups that have expired software updates
Software update deployment error codes and counts
Software update deployment information: percentage of deployments that are targeted with client versus
UTC time, required versus optional versus silent, and reboot suppression
Software update products synced by software update point
Software update scan success percentages
Top 50 CPUs in the environment
Type of Exchange ActiveSync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages
Microsoft Store for Business application details: non-aggregate list of synced applications including
AppID, online state or offline state, and total purchased license counts
Count of clients pushed with option to not allow fallback to NTLM
List of Configuration Manager console extensions
Diagnostic usage data for tools
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Some of the tools that are included with Configuration Manager collect usage data. Microsoft uses this data to
improve the quality of these tools, and better understand customer usage. Microsoft collects data for the
following Configuration Manager tools:
Client tools
Server tools
Support Center
CMTrace
For more general information about these tools, see Configuration Manager Tools.

NOTE
The ConfigurationManager PowerShell module also collects usage data. For more information, see Configuration
Manager cmdlet library privacy statement.

The following data is collected for these tools:
Version
Start and stop times to calculate duration of use
Because these tools can run on any Windows device, they all use the Windows diagnostic data channel. They
don't rely on Configuration Manager diagnostic data collection. The device on which the tool runs needs to be
configured for at least Optional diagnostic data. If you configure the device for any other setting, Windows
won't collect data for these Configuration Manager tools. For more information on these Windows diagnostic
data levels, see the following articles:
Windows 10, version 1709 and newer optional diagnostic data
Configure Windows diagnostic data in your organization
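The check below is an added example; it is not part of the Configuration Manager documentation or of the tools themselves. It reads the AllowTelemetry value from the Group Policy key and from the local settings key documented for Windows diagnostic data, applies the precedence Windows uses (a policy value wins over the local setting), and reports whether the device is at the Optional (Full) level that these tools need before Windows will forward their usage data. The function name and the output layout are this example's own.

```powershell
# Added example: report whether this device's Windows diagnostic data level lets the
# Configuration Manager tools (Support Center, CMTrace, client and server tools) send usage data.
# Windows applies the policy value first; if no policy is set, the local setting applies.
# AllowTelemetry values: 0 = Security, 1 = Required (Basic), 2 = Enhanced, 3 = Optional (Full).

function Get-DiagnosticDataLevel {
    [CmdletBinding()]
    param()

    $levelNames = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }

    # Group Policy / MDM-managed value; takes precedence when present.
    $policyPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    # Value written by Settings > Privacy > Diagnostics & feedback.
    $settingPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

    $policy  = (Get-ItemProperty -Path $policyPath  -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $setting = (Get-ItemProperty -Path $settingPath -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry

    if ($null -ne $policy) {
        $effective = [int]$policy
        $source    = 'Group Policy / MDM'
    } elseif ($null -ne $setting) {
        $effective = [int]$setting
        $source    = 'local setting'
    } else {
        # Neither value present: Windows falls back to its edition default. Report it as unknown
        # instead of guessing, because the default differs between editions.
        $effective = $null
        $source    = 'not explicitly configured'
    }

    $levelName = if ($null -ne $effective -and $levelNames.ContainsKey($effective)) { $levelNames[$effective] } else { 'Unknown' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PolicyValue        = $policy
        LocalSettingValue  = $setting
        EffectiveLevel     = $levelName
        Source             = $source
        # The tools need at least Optional (3); at any lower level Windows sends nothing for them.
        ToolsUsageDataSent = ($effective -eq 3)
    }
}

Get-DiagnosticDataLevel | Format-List
```

Run it in an elevated session on the device where the tool runs. A ToolsUsageDataSent value of False with Source set to Group Policy / MDM means a local change in Settings will not help; the policy has to change.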
Next, see the frequently asked questions about diagnostic and usage data for Configuration Manager:
Frequently asked questions
Plan for security in Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


This article describes the following concepts for you to consider when planning for security with your
Configuration Manager implementation:
Certificates (self-signed and PKI)
The trusted root key
Signing and encryption
Role-based administration
Azure Active Directory
SMS Provider authentication
Before you start, make sure you're familiar with the fundamentals of security in Configuration Manager.

Certificates
Configuration Manager uses a combination of self-signed and public key infrastructure (PKI) digital certificates.
Use PKI certificates whenever possible. Some scenarios require PKI certificates. When PKI certificates aren't
available, the site automatically generates self-signed certificates. Some scenarios always use self-signed
certificates.
For more information, see Plan for certificates.

The trusted root key


The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify
that site systems belong to their hierarchy. Every site server generates a site exchange key to communicate with
other sites. The site exchange key from the top-level site in the hierarchy is called the trusted root key.
The function of the trusted root key in Configuration Manager resembles a root certificate in a public key
infrastructure. Anything signed by the private key of the trusted root key is trusted further down the hierarchy.
Clients store a copy of the site's trusted root key in the root\ccm\locationservices WMI namespace.
For example, the site issues a certificate to the management point, which it signs with the private key of the
trusted root key. The site shares with clients the public key of its trusted root key. Then clients can differentiate
between management points that are in their hierarchy and management points that aren't in their hierarchy.
Clients automatically get the public copy of the trusted root key by using two mechanisms:
You extend the Active Directory schema for Configuration Manager, and publish the site to Active
Directory Domain Services. Then clients retrieve this site information from a global catalog server. For
more information, see Prepare Active Directory for site publishing.
When you install clients using the client push installation method. For more information, see Client push
installation.
If clients can't get the trusted root key by using one of these mechanisms, they trust the trusted root key that's
provided by the first management point that they communicate with. In this scenario, a client might be
misdirected to an attacker's management point where it would receive policy from the rogue management
point. This action requires a sophisticated attacker. This attack is limited to the short time before the client
retrieves the trusted root key from a valid management point. To reduce this risk of an attacker misdirecting
clients to a rogue management point, pre-provision the clients with the trusted root key.
For more information and procedures to manage the trusted root key, see Configure security.

Signing and encryption


When you use PKI certificates for all client communications, you don't have to plan for signing and encryption to
help secure client data communication. If you set up any site systems that run IIS to allow HTTP client
connections, decide how to help secure the client communication for the site.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

To help protect the data that clients send to management points, you can require clients to sign the data. You can
also require the SHA-256 algorithm for signing. This configuration is more secure, but don't require SHA-256
unless all clients support it. Many operating systems natively support this algorithm, but older operating
systems might require an update or hotfix.
While signing helps protect the data from tampering, encryption helps protect the data from information
disclosure. You can enable encryption for the inventory data and state messages that clients send to
management points in the site. You don't have to install any updates on clients to support this option. Clients
and management points require more CPU usage for encryption and decryption.

NOTE
To encrypt the data, the client uses the public key of the management point's encryption certificate. Only the
management point has the corresponding private key, so only it can decrypt the data.
The client bootstraps this certificate with the management point's signing certificate, which it bootstraps with the site's
trusted root key. Make sure to securely provision the trusted root key on clients. For more information, see The trusted
root key.

For more information about how to configure the settings for signing and encryption, see Configure signing
and encryption.
For more information on the cryptographic algorithms used for signing and encryption, see Cryptographic
controls technical reference.

Role-based administration
With Configuration Manager, you use role-based administration to secure the access that administrative users
need to use Configuration Manager. You also secure access to the objects that you manage, like collections,
deployments, and sites.
With the combination of security roles, security scopes, and collections, you segregate the administrative
assignments that meet your organization's requirements. Used together, they define the administrative scope of
a user. This administrative scope controls the objects that an administrative user views in the Configuration
Manager console, and it controls the permissions that a user has on those objects.
For more information, see Fundamentals of role-based administration.

Azure Active Directory


Configuration Manager integrates with Azure Active Directory (Azure AD) to enable the site and clients to use
modern authentication.
For more information about Azure AD, see Azure Active Directory documentation.
Onboarding your site with Azure AD supports the following Configuration Manager scenarios:
Client scenarios
Manage clients on the internet via cloud management gateway
Manage cloud domain-joined devices
Co-management
Deploy user-available apps
Microsoft Store for Business online apps
Manage Microsoft 365 Apps for enterprise
Server scenarios
Desktop Analytics
Tenant attach
Endpoint analytics
Azure Log Analytics
Community Hub
User discovery

SMS Provider authentication


You can specify the minimum authentication level for administrators to access Configuration Manager sites. This
feature requires administrators to sign in to Windows at the required level before they can access
Configuration Manager. It applies to all components that access the SMS Provider. For example, the
Configuration Manager console, SDK methods, and Windows PowerShell cmdlets.
Configuration Manager supports the following authentication levels:
Windows authentication: Require authentication with Active Directory domain credentials. This setting
is the previous behavior, and the current default setting.
Certificate authentication: Require authentication with a valid certificate that's issued by a trusted PKI
certificate authority. You don't configure this certificate in Configuration Manager. Configuration Manager
requires the administrator to be signed in to Windows with a PKI certificate.
Windows Hello for Business authentication: Require authentication with strong two-factor
authentication that's tied to a device and uses biometrics or a PIN. For more information, see Windows
Hello for Business.
IMPORTANT
When you select this setting, the SMS Provider and administration service require the user's authentication token
to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In other words, a user of
the console, SDK, PowerShell, or administration service has to authenticate to Windows with their Windows Hello
for Business PIN or biometric. Otherwise the site rejects the user's action.
This behavior is for Windows Hello for Business, not Windows Hello.

For more information on how to configure this setting, see Configure SMS Provider authentication.

Next steps
Certificates in Configuration Manager
Plan for PKI certificates
Configure security
Cryptographic controls technical reference
Configure security in Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Use the information in this article to help you set up security-related options for Configuration Manager. Before
you start, make sure you have a Plan for security.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Client PKI certificates


If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use
Internet Information Services (IIS), use the following procedure to configure settings for these certificates.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node. Select the primary site to configure.
2. In the ribbon, choose Properties. Then switch to the Communication Security tab.
3. Select the settings for site systems that use IIS.
HTTPS only: Clients that are assigned to the site always use a client PKI certificate when they
connect to site systems that use IIS. For example, a management point and distribution point.
HTTPS or HTTP: You don't require clients to use PKI certificates.
Use Configuration Manager-generated certificates for HTTP site systems: For more
information on this setting, see Enhanced HTTP.
4. Select the settings for client computers.
Use client PKI certificate (client authentication capability) when available: If you chose
the HTTPS or HTTP site server setting, choose this option to use a client PKI certificate for HTTP
connections. The client uses this certificate instead of a self-signed certificate to authenticate itself
to site systems. If you chose HTTPS only, this option is automatically chosen.
When more than one valid PKI client certificate is available on a client, select Modify to configure
the client certificate selection methods. For more information about the client certificate selection
method, see Planning for PKI client certificate selection.
Clients check the certificate revocation list (CRL) for site systems: Enable this setting for
clients to check your organization's CRL for revoked certificates. For more information about CRL
checking for clients, see Planning for PKI certificate revocation.
5. To import, view, and delete the certificates for trusted root certification authorities, select Set. For more
information, see Planning for the PKI trusted root certificates and the certificate issuers List.
Repeat this procedure for all primary sites in the hierarchy.
Manage the trusted root key
Use these procedures to pre-provision and verify the trusted root key for a Configuration Manager client.

NOTE
If clients can get the trusted root key from Active Directory Domain Services or client push, you don't have to pre-
provision it.
When clients use HTTPS communication to management points, you don't have to pre-provision the trusted root key.
They establish trust by the PKI certificates.

For more information on the trusted root key, see Plan for security.
Pre -provision a client with the trusted root key by using a file
1. On the site server, browse to the Configuration Manager installation directory. In the \bin\<platform>
subfolder, open the following file in a text editor: mobileclient.tcf
2. Locate the entry, SMSPublicRootKey . Copy the value from that line, and close the file without saving any
changes.
3. Create a new text file, and paste the key value that you copied from the mobileclient.tcf file.
4. Save the file in a location where all computers can access it, but where the file is safe from tampering.
5. Install the client by using any installation method that accepts client.msi properties. Specify the following
property: SMSROOTKEYPATH=<full path and file name>

IMPORTANT
When you specify the trusted root key during client installation, also specify the site code. Use the following
client.msi property: SMSSITECODE=<site code>

Pre -provision a client with the trusted root key without using a file
1. On the site server, browse to the Configuration Manager installation directory. In the \bin\<platform>
subfolder, open the following file in a text editor: mobileclient.tcf
2. Locate the entry, SMSPublicRootKey . Copy the value from that line, and close the file without saving any
changes.
3. Install the client by using any installation method that accepts client.msi properties. Specify the following
client.msi property: SMSPublicRootKey=<key> where <key> is the string that you copied from
mobileclient.tcf.

IMPORTANT
When you specify the trusted root key during client installation, also specify the site code. Use the following
client.msi property: SMSSITECODE=<site code>

Verify the trusted root key on a client


1. Open a Windows PowerShell console as an administrator.
2. Run the following command:
(Get-WmiObject -Namespace root\ccm\locationservices -Class TrustedRootKey).TrustedRootKey

The returned string is the trusted root key. Verify that it matches the SMSPublicRootKey value in the
mobileclient.tcf file on the site server.
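The script below is an added example, not part of the documentation. It automates the verification above for the key described in Plan for security, and prints the ccmsetup command lines that correspond to the two pre-provisioning procedures. It assumes the site server's installation directory is reachable at the UNC path held in $SiteBinPath and that the site code is PS1; both are placeholders, as is the file share shown with SMSROOTKEYPATH. The function names are this example's own; the WMI class, the mobileclient.tcf entry, and the client.msi properties are the ones the article names.

```powershell
# Added example: compare the trusted root key a client holds with the key the site publishes,
# and show the ccmsetup command lines used to pre-provision (or replace) the key.
# Assumptions (placeholders, adjust for your environment):
#   - the site server's <install dir>\bin\X64 folder is readable at $SiteBinPath
#   - the site code is PS1
#   - the script runs in an elevated PowerShell session on the client being checked
param(
    [string]$SiteBinPath = '\\CM01\C$\Program Files\Microsoft Configuration Manager\bin\X64',
    [string]$SiteCode    = 'PS1'
)

function Get-SitePublicRootKey {
    param([string]$TcfPath)
    # mobileclient.tcf is plain text; the key is on the line that starts with SMSPublicRootKey=
    $match = Select-String -Path $TcfPath -Pattern '^SMSPublicRootKey=(.+)$' | Select-Object -First 1
    if (-not $match) { throw "SMSPublicRootKey not found in $TcfPath" }
    return $match.Matches[0].Groups[1].Value.Trim()
}

function Get-ClientTrustedRootKey {
    # Same WMI class the article queries; Get-CimInstance works in Windows PowerShell and PowerShell 7.
    (Get-CimInstance -Namespace 'root\ccm\locationservices' -ClassName TrustedRootKey -ErrorAction Stop).TrustedRootKey
}

$siteKey   = Get-SitePublicRootKey -TcfPath (Join-Path $SiteBinPath 'mobileclient.tcf')
$clientKey = Get-ClientTrustedRootKey

if ($clientKey -eq $siteKey) {
    Write-Output "OK: $env:COMPUTERNAME trusts the root key published by site $SiteCode."
} else {
    # A mismatch after a site recovery, or on a client that was never pre-provisioned and may have
    # taken its key from an untrusted management point, is fixed by reinstalling with the right key.
    Write-Warning "MISMATCH on $env:COMPUTERNAME`n  client: $clientKey`n  site:   $siteKey"
    Write-Warning 'Reinstall the client with the published key, for example:'
    # Without a file: the key goes directly on the command line (long, but nothing on disk to protect).
    Write-Output "  ccmsetup.exe SMSSITECODE=$SiteCode SMSPublicRootKey=$siteKey"
    # With a file: write the key once to a share protected against tampering and point clients at it.
    Write-Output "  ccmsetup.exe SMSSITECODE=$SiteCode SMSROOTKEYPATH=\\fileserver\cmclient\rootkey.txt"
}
```

Reading mobileclient.tcf over the administrative share needs rights on the site server; in practice you would capture the key once and distribute the comparison value with the script rather than let every client read the site server.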
Remove or replace the trusted root key
Remove the trusted root key from a client by using the client.msi property, RESETKEYINFORMATION=TRUE.
To replace the trusted root key, reinstall the client together with the new trusted root key. For example, use client
push, or specify the client.msi property SMSPublicRootKey .
For more information on these installation properties, see About client installation parameters and properties.

Signing and encryption


Configure the most secure signing and encryption settings for site systems that all clients in the site can
support. These settings are especially important when you let clients communicate with site systems by using
self-signed certificates over HTTP.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node. Select the primary site to configure.
2. In the ribbon, select Properties, and then switch to the Signing and Encryption tab.
This tab is available on a primary site only. If you don't see the Signing and Encryption tab, make sure
that you're not connected to a central administration site or a secondary site.
3. Configure the signing and encryption options for clients to communicate with the site.
Require signing: Clients sign data before sending to the management point.
Require SHA-256: Clients use the SHA-256 algorithm when signing data.

WARNING
Don't Require SHA-256 without first confirming that all clients support this hash algorithm. These clients
include ones that might be assigned to the site in the future.
If you choose this option, and clients with self-signed certificates can't support SHA-256, Configuration
Manager rejects them. The SMS_MP_CONTROL_MANAGER component logs the message ID 5443.

Use encryption: Clients encrypt client inventory data and status messages before sending to the
management point.
Repeat this procedure for all primary sites in the hierarchy.
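As an added example that is not part of the documentation, the PowerShell below queries the site's status messages for the message ID named in the warning above, so that after you select Require SHA-256 you can see which management points are rejecting clients whose self-signed certificates can't use SHA-256. It assumes the SMS Provider runs on a server named CM01, the site code is PS1, and WinRM is reachable on that server; the names are placeholders and the function is this example's own. SMS_StatusMessage is the provider's status-message WMI class.

```powershell
# Added example: after selecting Require SHA-256, find management points that rejected clients
# (SMS_MP_CONTROL_MANAGER message ID 5443) within the last N days.
# Assumptions (placeholders): SMS Provider on CM01, site code PS1, WinRM enabled on CM01.
# Run as an account with Read permission on status messages (for example, Read-only Analyst).
param(
    [string]$ProviderServer = 'CM01',
    [string]$SiteCode       = 'PS1',
    [int]$Days              = 7
)

function Get-Sha256RejectionMessages {
    param([string]$Server, [string]$Site, [int]$LookbackDays)

    # Filter server-side on component and message ID; the time window is applied client-side
    # because Get-CimInstance already converts the CIM datetime to a .NET DateTime.
    $wql = "SELECT * FROM SMS_StatusMessage " +
           "WHERE Component = 'SMS_MP_CONTROL_MANAGER' AND MessageID = 5443"

    Get-CimInstance -ComputerName $Server -Namespace "root\sms\site_$Site" -Query $wql |
        Where-Object { $_.Time -ge (Get-Date).AddDays(-$LookbackDays) }
}

$messages = Get-Sha256RejectionMessages -Server $ProviderServer -Site $SiteCode -LookbackDays $Days

if (-not $messages) {
    "No SHA-256 rejections (message 5443) in the last $Days days; Require SHA-256 looks safe to keep."
} else {
    # Group by the reporting management point so you can see where unsupported clients connect.
    $messages | Group-Object MachineName | ForEach-Object {
        [pscustomobject]@{
            ManagementPoint = $_.Name
            Rejections      = $_.Count
            MostRecent      = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Sort-Object Rejections -Descending | Format-Table -AutoSize
    Write-Warning 'Clients were rejected. Consider clearing Require SHA-256 until those clients are updated or retired.'
}
```

Run it a few days after changing the setting, and again after each wave of client upgrades; a rejected client cannot report anything to the site, so the management point's status messages are the only place the failure shows up.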

Role-based administration
Role-based administration combines security roles, security scopes, and assigned collections to define the
administrative scope for each administrative user. A scope includes the objects that a user can view in the
console, and the tasks related to those objects that they have permission to do. Role-based administration
configurations are applied at each site in a hierarchy.
For more information, see Configure role-based administration. This article details the following actions:
Create custom security roles
Configure security roles
Configure security scopes for an object
Configure collections to manage security
Create a new administrative user
Modify the administrative scope of an administrative user

IMPORTANT
Your own administrative scope defines the objects and settings that you can assign when you configure role-based
administration for another administrative user. For information about planning for role-based administration, see
Fundamentals of role-based administration.

Manage accounts
Configuration Manager supports Windows accounts for many different tasks and uses. To view accounts that
are configured for different tasks, and to manage the password that Configuration Manager uses for each
account, use the following procedure:
1. In the Configuration Manager console, go to the Administration workspace, expand Security , and then
choose the Accounts node.
2. To change the password for an account, select the account in the list. Then choose Properties in the
ribbon.
3. Choose Set to open the Windows User Account dialog box. Specify the new password for
Configuration Manager to use for this account.

NOTE
The password that you specify must match this account's password in Active Directory.

For more information, see Accounts used in Configuration Manager.

Azure Active Directory


Integrate Configuration Manager with Azure Active Directory (Azure AD) to simplify and cloud-enable your
environment. Enable the site and clients to authenticate by using Azure AD.
For more information, see the Cloud Management service in Configure Azure services.

SMS Provider authentication


You can specify the minimum authentication level for administrators to access Configuration Manager sites. This
feature requires administrators to sign in to Windows at the required level before they can access
Configuration Manager. For more information, see Plan for SMS Provider authentication.

IMPORTANT
This configuration is a hierarchy-wide setting. Before you change this setting, make sure that all Configuration Manager
administrators can sign in to Windows with the required authentication level.
To configure this setting, use the following steps:
1. First sign in to Windows with the intended authentication level.
2. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
3. Select Hierarchy Settings in the ribbon.
4. Switch to the Authentication tab. Select the desired authentication level, and then select OK .
Only when necessary, select Add to exclude specific users or groups. For more information, see
Exclusions.
Exclusions
From the Authentication tab of Hierarchy Settings, you can also exclude certain users or groups. Use this
option sparingly. For example, when specific users require access to the Configuration Manager console, but
can't authenticate to Windows at the required level. It may also be necessary for automation or services that run
under the context of a system account.

Next steps
How to enable TLS 1.2
Cryptographic controls technical reference
Communication between endpoints
Cryptographic controls technical reference
2/16/2022 • 18 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses signing and encryption to help protect the management of the devices in the
Configuration Manager hierarchy. With signing, if data has been altered in transit, it's discarded. Encryption
helps prevent an attacker from reading the data by using a network protocol analyzer.
The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two
Configuration Manager sites communicate with each other, they sign their communications with SHA-256.
Starting in version 2107, the primary encryption algorithm that Configuration Manager uses is AES-256.
Encryption mainly happens in the following two areas:
If you enable the site to Use encryption, the client encrypts its inventory data and state messages that it
sends to the management point.
When the client downloads secret policies, the management point always encrypts these policies. For
example, an OS deployment task sequence that includes passwords.
For clients on version 2103 and earlier, the primary encryption algorithm is 3DES.

NOTE
If you configure HTTPS communication, these messages are encrypted twice. The message is encrypted with AES, then the
HTTPS transport is encrypted with AES.

When you use client communication over HTTPS, configure your public key infrastructure (PKI) to use
certificates with the maximum hashing algorithms and key lengths. When using CNG v3 certificates,
Configuration Manager clients only support certificates that use the RSA cryptographic algorithm. For more
information, see PKI certificate requirements and CNG v3 certificates overview.
For transport security, anything that uses TLS supports AES. This support includes when you configure the site
for enhanced HTTP or HTTPS. For on-premises site systems, you can control the TLS cipher suites. For cloud-
based roles like the cloud management gateway (CMG), if you enable TLS 1.2, Configuration Manager
configures the cipher suites.
For most cryptographic operations with Windows-based operating systems, Configuration Manager uses these
algorithms from the Windows CryptoAPI library rsaenh.dll.
For more information about specific functionality, see Site operations.

Site operations
Information in Configuration Manager can be signed and encrypted. It supports these operations with or
without PKI certificates.
Policy signing and encryption
The site signs client policy assignments with its self-signed certificate. This behavior helps prevent the security
risk of a compromised management point from sending tampered policies. If you use internet-based client
management, this behavior is important because it requires an internet-facing management point.
When policy contains sensitive data, starting in version 2107, the management point encrypts it with AES-256.
In version 2103 and earlier, it uses 3DES. Policy that contains sensitive data is only sent to authorized clients. The
site doesn't encrypt policy that doesn't have sensitive data.
When a client stores policy, it encrypts the policy using the Windows data protection application programming
interface (DPAPI).
Policy hashing
When a client requests policy, it first gets a policy assignment. Then it knows which policies apply to it, and it can
request only those policy bodies. Each policy assignment contains the calculated hash for the corresponding
policy body. The client downloads the applicable policy bodies and then calculates the hash for each policy body.
If the hash on the policy body doesn't match the hash in the policy assignment, the client discards the policy
body.
The hashing algorithm for policy is SHA-256.
Content hashing
The distribution manager service on the site server hashes the content files for all packages. The policy provider
includes the hash in the software distribution policy. When the Configuration Manager client downloads the
content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes
match, the content isn't altered, and the client installs it. If a single byte of the content is altered, the hashes won't
match, and the client doesn't install the software. This check helps to make sure that the correct software is
installed because the actual content is compared with the policy.
The default hashing algorithm for content is SHA-256.
Not all devices can support content hashing. The exceptions include:
Windows clients when they stream App-V content.
Windows Mobile clients, though these clients verify the signature of an application that's signed by a
trusted source.
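The policy and content hash checks described above, reproduced as an added PowerShell example. This is not Configuration Manager code: the policy assignment, the policy body and the byte that gets tampered with are constructed for illustration, and the DPAPI LocalMachine scope is an assumption that matches a client service running as LOCAL SYSTEM, not a statement about the real client's storage format.

```powershell
# Added example, not Configuration Manager code. Constructed assignment and policy body;
# DPAPI scope is an assumption (LocalMachine, because the client runs as LOCAL SYSTEM).
# System.Security holds ProtectedData on Windows PowerShell 5.1; PowerShell 7 has it loaded already.
Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { return (($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '') }
    finally { $sha.Dispose() }
}

# Stand-in for a policy assignment: the management point supplies the hash of the policy body.
function New-PolicyAssignment {
    param([Parameter(Mandatory)][string]$PolicyId, [Parameter(Mandatory)][byte[]]$Body)
    [pscustomobject]@{ PolicyId = $PolicyId; BodyHash = (Get-Sha256Hex $Body) }
}

# The client-side check: recompute the hash of the downloaded body and compare it with the
# assignment. On mismatch the body is discarded, whatever else it contains.
function Test-PolicyBody {
    param([Parameter(Mandatory)]$Assignment, [Parameter(Mandatory)][byte[]]$Body)
    $actual = Get-Sha256Hex $Body
    if ($actual -ne $Assignment.BodyHash) {
        Write-Warning "$($Assignment.PolicyId): body hash $actual does not match assignment hash $($Assignment.BodyHash); discarding"
        return $false
    }
    return $true
}

# What the client does with an accepted policy: encrypt it at rest with DPAPI.
function Protect-PolicyAtRest {
    param([Parameter(Mandatory)][byte[]]$Body)
    [System.Security.Cryptography.ProtectedData]::Protect(
        $Body, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
}

# --- Walk-through on constructed data ---
$body = [System.Text.Encoding]::UTF8.GetBytes(
    '<Policy Id="HYPOTHETICAL-001"><Setting Name="RebootWindow">22:00</Setting></Policy>')
$assignment = New-PolicyAssignment -PolicyId 'HYPOTHETICAL-001' -Body $body

# Untampered body: accepted, then encrypted for storage.
if (Test-PolicyBody -Assignment $assignment -Body $body) {
    $blob = Protect-PolicyAtRest -Body $body
    "Accepted; stored {0} encrypted bytes for {1} plaintext bytes" -f $blob.Length, $body.Length
}

# One byte changed (the first '2' of the reboot window becomes '0'): the hashes no longer
# match and the body is discarded, exactly as for a policy altered in transit.
$tampered = [byte[]]$body.Clone()
$tampered[[array]::IndexOf($tampered, [byte][char]'2')] = [byte][char]'0'
Test-PolicyBody -Assignment $assignment -Body $tampered    # False, with a warning
```

The same shape applies to content: the distribution manager's hash travels in the software distribution policy, the client hashes the downloaded files, and a single altered byte is enough to make the comparison fail.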
Inventory signing and encryption
When a client sends hardware or software inventory to a management point, it always signs the inventory. It
doesn't matter if the client communicates with the management point over HTTP or HTTPS. If they use HTTP, you
can also choose to encrypt this data, which is recommended.
State migration encryption
When a task sequence captures data from a client for OS deployment, it always encrypts the data. In version
2103 and later, the task sequence runs the User State Migration Tool (USMT) with the AES-256 encryption
algorithm. In version 2010 and earlier, it uses 3DES.
Encryption for multicast packages
For every OS deployment package, you can enable encryption when you use multicast. This encryption uses the
AES algorithm. If you enable encryption, no other certificate configuration is required. The multicast-enabled
distribution point automatically generates symmetric keys to encrypt the package. Each package has a different
encryption key. The key is stored on the multicast-enabled distribution point by using standard Windows APIs.
When the client connects to the multicast session, the key exchange occurs over an encrypted channel. If the
client uses HTTPS, it uses the PKI-issued client authentication certificate. If the client uses HTTP, it uses the self-
signed certificate. The client only stores the encryption key in memory during the multicast session.
Encryption for OS deployment media
When you use media to deploy operating systems, you should always specify a password to protect the media.
With a password, the task sequence environment variables are encrypted with AES-128. Other data on the
media, including packages and content for applications, isn't encrypted.
Encryption for cloud-based content
When you enable a cloud management gateway (CMG) to store content, the content is encrypted with AES-256.
The content is encrypted whenever you update it. When clients download the content, it's encrypted and
protected by the HTTPS connection.
Signing in software updates
All software updates must be signed by a trusted publisher to protect against tampering. On client computers,
the Windows Update Agent (WUA) scans for the updates from the catalog. It won't install the update if it can't
locate the digital certificate in the Trusted Publishers store on the local computer.
When you publish software updates with System Center Updates Publisher, a digital certificate signs the
software updates. You can either specify a PKI certificate or configure Updates Publisher to generate a self-
signed certificate to sign the software update. If you use a self-signed certificate to publish the updates catalog,
such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities
certificate store on the local computer. WUA also checks whether the Allow signed content from intranet
Microsoft update service location group policy setting is enabled on the local computer. This policy setting
must be enabled for WUA to scan for the updates that were created and published with System Center Updates
Publisher.
Signed configuration data for compliance settings
When you import configuration data, Configuration Manager verifies the file's digital signature. If the files aren't
signed, or if the signature check fails, the console warns you to continue with the import. Only import the
configuration data if you explicitly trust the publisher and the integrity of the files.
Encryption and hashing for client notification
If you use client notification, all communication uses TLS and the highest algorithms that the server and client
can negotiate. For example, all supported Windows OS versions can use at least AES-128 encryption. The same
negotiation occurs for hashing the packets that are transferred during client notification, which uses SHA-2.

Certificates
For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special
requirements or limitations, and how the certificates are used, see PKI certificate requirements. This list includes
the supported hash algorithms and key lengths. Most certificates support SHA-256 and a 2048-bit key length.
Most Configuration Manager operations that use certificates also support v3 certificates. For more information,
see CNG v3 certificates overview.

NOTE
All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject
alternative name.

Configuration Manager requires PKI certificates for the following scenarios:


When you manage Configuration Manager clients on the internet
When you manage Configuration Manager clients on mobile devices
When you manage macOS computers
When you use a cloud management gateway (CMG)
For most other communication that requires certificates for authentication, signing, or encryption, Configuration
Manager automatically uses PKI certificates if available. If they aren't available, Configuration Manager
generates self-signed certificates.
Configuration Manager doesn't use PKI certificates when it manages mobile devices by using the Exchange
Server connector.
Mobile device management and PKI certificates
If the mobile device isn't locked by the mobile operator, you can use Configuration Manager to request and
install a client certificate. This certificate provides mutual authentication between the client on the mobile device
and Configuration Manager site systems. If the mobile device is locked, you can't use Configuration Manager to
deploy certificates.
If you enable hardware inventory for mobile devices, Configuration Manager also inventories the certificates
that are installed on the mobile device.
OS deployment and PKI certificates
When you use Configuration Manager to deploy operating systems, and a management point requires HTTPS
client connections, the client needs a certificate to communicate with the management point. This requirement
applies even when the client is in a transitional phase such as booting from task sequence media or a PXE-enabled
distribution point. To support this scenario, create a PKI client authentication certificate, and export it with the
private key. Then import it to the site server properties and also add the management point's trusted root CA
certificate.
If you create bootable media, you import the client authentication certificate when you create the bootable
media. To help protect the private key and other sensitive data configured in the task sequence, configure a
password on the bootable media. Every computer that boots from the bootable media uses the same certificate
with the management point as required for client functions such as requesting client policy.
If you use PXE, import the client authentication certificate to the PXE-enabled distribution point. It uses the same
certificate for every client that boots from that PXE-enabled distribution point. To help protect the private key
and other sensitive data in the task sequences, require a password for PXE.
If either of these client authentication certificates is compromised, block the certificates in the Certificates node
in the Administration workspace, Security node. To manage these certificates, you need the permission to
Manage operating system deployment certificate.
After Configuration Manager deploys the OS and installs the client, the client requires its own PKI client
authentication certificate for HTTPS client communication.
ISV proxy solutions and PKI certificates
Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example,
an ISV could create extensions to support non-Windows client platforms such as macOS. However, if the site
systems require HTTPS client connections, these clients must also use PKI certificates for communication with
the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables
communications between the ISV proxy clients and the management point. If you use extensions that require
ISV proxy certificates, consult the documentation for that product.
If the ISV certificate is compromised, block the certificate in the Certificates node in the Administration
workspace, Security node.
Copy GUID for ISV proxy certificate
Starting in version 2111, to simplify the management of ISV proxy certificates, you can copy a certificate's GUID
in the Configuration Manager console.
1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Security, and select the Certificates node.
3. Sort the list of the certificates by the Type column.
4. Select a certificate of type ISV Proxy.
5. In the ribbon, select Copy Certificate GUID.
This action copies this certificate's GUID, for example: aa05bf38-5cd6-43ea-ac61-ab101f943987

Asset Intelligence and certificates


Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to
connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate
from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence
synchronization point and it's used to authenticate the server to Microsoft. Configuration Manager uses the
client authentication certificate to download the Asset Intelligence catalog and to upload software titles.
This certificate has a key length of 1024 bits.
Azure services and certificates
The cloud management gateway (CMG) requires server authentication certificates. These certificates allow the
service to provide HTTPS communication to clients over the internet. For more information, see CMG server
authentication certificate.
Clients require another type of authentication to communicate with a CMG and the on-premises management
point. They can use Azure Active Directory, a PKI certificate, or a site token. For more information, see Configure
client authentication for cloud management gateway.
Clients don't require a client PKI certificate to use cloud-based storage. After they authenticate to the
management point, the management point issues a Configuration Manager access token to the client. The client
presents this token to the CMG to access the content. The token is valid for eight hours.
CRL checking for PKI certificates
A PKI certificate revocation list (CRL) increases overall security, but does require some administrative and
processing overhead. If you enable CRL checking, but clients can't access the CRL, the PKI connection fails.
IIS enables CRL checking by default. If you use a CRL with your PKI deployment, you don't need to configure
most site systems that run IIS. The exception is for software updates, which requires a manual step to enable
CRL checking to verify the signatures on software update files.
When a client uses HTTPS, it enables CRL checking by default. For macOS clients, you can't disable CRL checking.
The following connections don't support CRL checking in Configuration Manager:
Server-to-server connections
Mobile devices that are enrolled by Configuration Manager.

Server communication
Configuration Manager uses the following cryptographic controls for server communication.
Server communication within a site
Each site system server uses a certificate to transfer data to other site systems in the same Configuration
Manager site. Some site system roles also use certificates for authentication. For example, if you install the
enrollment proxy point on one server, and the enrollment point on another server, they can authenticate one
another by using this identity certificate.
When Configuration Manager uses a certificate for this communication, if there's a PKI certificate available with
server authentication capability, Configuration Manager automatically uses it. If not, Configuration Manager
generates a self-signed certificate. This self-signed certificate has server authentication capability, uses SHA-256,
and has a key length of 2048 bits. Configuration Manager copies the certificate to the Trusted People store on
other site system servers that might need to trust the site system. Site systems can then trust one another by
using these certificates and PeerTrust.
In addition to this certificate for each site system server, Configuration Manager generates a self-signed
certificate for most site system roles. When there is more than one instance of the site system role in the same
site, they share the same certificate. For example, you might have multiple management points in the same site.
This self-signed certificate uses SHA-256 and has a key length of 2048 bits. It's copied to the Trusted People
Store on site system servers that might need to trust it. The following site system roles generate this certificate:
Asset Intelligence synchronization point
Certificate registration point
Endpoint Protection point
Enrollment point
Fallback status point
Management point
Multicast-enabled distribution point
Reporting services point
Software update point
State migration point
Configuration Manager automatically generates and manages these certificates.
To send status messages from the distribution point to the management point, Configuration Manager uses a
client authentication certificate. When you configure the management point for HTTPS, it requires a PKI
certificate. If the management point accepts HTTP connections, you can use a PKI certificate. It can also use a
self-signed certificate that has client authentication capability, uses SHA-256, and has a key length of 2048 bits.
Server communication between sites
Configuration Manager transfers data between sites by using database replication and file-based replication. For
more information, see Data transfers between sites and Communications between endpoints.
Configuration Manager automatically configures the database replication between sites. If available, it uses PKI
certificates with server authentication capability. If not available, Configuration Manager creates self-signed
certificates for server authentication. In both cases, it authenticates between sites by using certificates in the
Trusted People store that uses PeerTrust. It uses this certificate store to make sure that only the Configuration
Manager hierarchy SQL Servers participate in site-to-site replication.
Site servers establish site-to-site communication by using a secure key exchange that happens automatically.
The sending site server generates a hash and signs it with its private key. The receiving site server checks the
signature by using the public key and compares the hash with a locally generated value. If they match, the
receiving site accepts the replicated data. If the values don't match, Configuration Manager rejects the replication
data.
Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between
sites. It uses the following mechanisms:
SQL Server to SQL Server: This connection uses Windows credentials for server authentication and self-
signed certificates with 1024 bits to sign and encrypt the data with the AES algorithm. If available, it uses
PKI certificates with server authentication capability. It only uses certificates in the computer's Personal
certificate store.
SQL Service Broker: This service uses self-signed certificates with 2048 bits for authentication and to sign
and encrypt the data with the AES algorithm. It only uses certificates in the SQL Server master database.
File-based replication uses the server message block (SMB) protocol. It uses SHA-256 to sign data that isn't
encrypted and doesn't contain any sensitive data. To encrypt this data, use IPsec, which you implement
independently from Configuration Manager.

Clients that use HTTPS


When site system roles accept client connections, you can configure them to accept HTTPS and HTTP
connections, or only HTTPS connections. Site system roles that accept connections from the internet only accept
client connections over HTTPS.
Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure
(PKI) to help protect client-to-server communication. However, configuring HTTPS client connections without a
thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. For
example, if you don't secure your root certificate authority (CA), attackers could compromise the trust of your
entire PKI infrastructure. Failing to deploy and manage the PKI certificates by using controlled and secured
processes might result in unmanaged clients that can't receive critical software updates or packages.

IMPORTANT
The PKI certificates that Configuration Manager uses for client communication protect the communication only between
the client and some site systems. They don't protect the communication channel between the site server and site systems
or between site servers.

Unencrypted communication when clients use HTTPS


When clients communicate with site systems over HTTPS, most traffic is encrypted. In the following situations,
clients communicate with site systems without using encryption:
Client fails to make an HTTPS connection on the intranet and falls back to using HTTP when site systems
allow this configuration.
Communication to the following site system roles:
Client sends state messages to the fallback status point.
Client sends PXE requests to a PXE-enabled distribution point.
Client sends notification data to a management point.
You configure reporting services points to use HTTP or HTTPS independently from the client communication
mode.

Clients that use HTTP


When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication,
or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-
signed certificates, they have a custom object identifier for signing and encryption. These certificates are used to
uniquely identify the client. These self-signed certificates use SHA-256, and have a key length of 2048 bits.
OS deployment and self-signed certificates
When you use Configuration Manager to deploy operating systems with self-signed certificates, the client must
also have a certificate to communicate with the management point. This requirement applies even if the computer is
in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To
support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that
have a custom object identifier for signing and encryption. These certificates are used to uniquely identify the
client. These self-signed certificates use SHA-256, and have a key length of 2048 bits. If these self-signed
certificates are compromised, prevent attackers from using them to impersonate trusted clients. Block the
certificates in the Certificates node in the Administration workspace, Security node.
Client and server authentication
When clients connect over HTTP, they authenticate the management points by using either Active Directory
Domain Services or by using the Configuration Manager trusted root key. Clients don't authenticate other site
system roles, such as state migration points or software update points.
When a management point first authenticates a client by using the self-signed client certificate, this mechanism
provides minimal security because any computer can generate a self-signed certificate. Use client approval to
enhance this process. Only approve trusted computers, either automatically by Configuration Manager, or
manually by an administrative user. For more information, see Manage clients.

About SSL vulnerabilities


To improve the security of your Configuration Manager clients and servers, do the following actions:
Enable TLS 1.2 across all devices and services. To enable TLS 1.2 for Configuration Manager, see How to
enable TLS 1.2 for Configuration Manager.
Disable SSL 3.0, TLS 1.0, and TLS 1.1.
Reorder the TLS-related cipher suites.
For more information, see the following articles:
Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
Prioritizing Schannel cipher suites
These procedures don't affect Configuration Manager functionality.

NOTE
Updates to Configuration Manager download from the Azure content delivery network (CDN), which has cipher suite
requirements. For more information, see Azure Front Door: TLS configuration FAQ.
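The three hardening actions listed above (enable TLS 1.2, disable SSL 3.0 and TLS 1.0/1.1, reorder cipher suites), as an added PowerShell example. This is not from the Configuration Manager documentation. The registry paths and value names are the documented Schannel and .NET Framework locations; the cipher suite named in the usage comment is only an illustration, not a recommended list.

```powershell
# Added example, not from the Configuration Manager docs. Audit Schannel protocol state, enable or
# disable a protocol for both client and server roles, set .NET strong crypto, and move a cipher
# suite to the front of the order. Every write supports -WhatIf; a restart applies Schannel changes.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and side. A missing key or value means the OS default applies, which is
    # reported as 'default' rather than guessed, because the default differs between Windows versions.
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelProtocols "$proto\$side"
            $row = [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = 'default'; DisabledByDefault = 'default' }
            if (Test-Path $key) {
                $values = Get-ItemProperty -Path $key
                if ($null -ne $values.Enabled)           { $row.Enabled = $values.Enabled }
                if ($null -ne $values.DisabledByDefault) { $row.DisabledByDefault = $values.DisabledByDefault }
            }
            $row
        }
    }
}

function Set-SchannelProtocol {
    # Enabled=0 with DisabledByDefault=1 turns a protocol off; Enabled=1 with DisabledByDefault=0 turns it on.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($key, "Enabled=$([int]$Enable) DisabledByDefault=$([int](-not $Enable))")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name Enabled           -Value ([int]$Enable)        -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enable)) -Type DWord
        }
    }
}

function Enable-DotNetStrongCrypto {
    # .NET Framework 4.x applications negotiate TLS 1.2 only when SchUseStrongCrypto is set;
    # both the 64-bit and the 32-bit (Wow6432Node) hives need the value.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'SchUseStrongCrypto=1')) {
            Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord
        }
    }
}

function Move-TlsCipherSuiteToTop {
    # Reordering with the TLS module (Windows 8.1 / Server 2012 R2 and later): the suite is removed
    # and re-added at position 0, so Schannel offers it first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Get-TlsCipherSuite -Name $Name)) { throw "Cipher suite '$Name' is not available on this system" }
    if ($PSCmdlet.ShouldProcess($Name, 'move to position 0 of the cipher suite order')) {
        Disable-TlsCipherSuite -Name $Name
        Enable-TlsCipherSuite  -Name $Name -Position 0
    }
}

# Usage (elevated prompt):
#   Get-SchannelProtocolState | Format-Table
#   'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enable $false -WhatIf }
#   Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true -WhatIf
#   Enable-DotNetStrongCrypto -WhatIf
#   Move-TlsCipherSuiteToTop -Name 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' -WhatIf   # example suite name only
```

Run the audit first and again after the restart: the 'default' rows are the ones where the operating system, not your configuration, decides what is negotiated.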
Certificates in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses a combination of self-signed and public key infrastructure (PKI) digital certificates.
Use PKI certificates whenever possible. For more information, see PKI certificate requirements. When
Configuration Manager requests PKI certificates during enrollment for mobile devices, use Active Directory
Domain Services and an enterprise certification authority. For all other PKI certificates, deploy and manage them
independently from Configuration Manager.
PKI certificates are required when client computers connect to internet-based site systems. The cloud
management gateway also requires certificates. For more information, see Manage clients on the internet.
When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site
systems in a site, between sites, and for other data transfer between computers. Implementation of IPsec is
independent from Configuration Manager.
When PKI certificates aren't available, Configuration Manager automatically generates self-signed certificates.
Some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager
automatically manages the self-signed certificates, and you don't have to take another action. One example is
the site server signing certificate. This certificate is always self-signed. It makes sure that the policies that clients
download from the management point were sent from the site server and weren't tampered with. As another
example, when you enable the site for Enhanced HTTP, the site issues self-signed certificates to site server roles.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

CNG v3 certificates
Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates. Configuration Manager
clients can use a PKI client authentication certificate with private key in a CNG Key Storage Provider (KSP). With
KSP support, Configuration Manager clients support hardware-based private keys, such as a TPM KSP for PKI
client authentication certificates.
For more information, see CNG v3 certificates overview.

Enhanced HTTP
Using HTTPS communication is recommended for all Configuration Manager communication paths, but is
challenging for some customers because of the overhead of managing PKI certificates. The introduction of Azure
Active Directory (Azure AD) integration reduces some but not all of the certificate requirements. You can instead
enable the site to use enhanced HTTP. This configuration supports HTTPS on site systems by using self-signed
certificates, along with Azure AD for some scenarios. It doesn't require PKI.
For more information, see Enhanced HTTP.

Certificates for CMG


Managing clients on the internet via the cloud management gateway (CMG) requires the use of certificates. The
number and type of certificates varies depending upon your specific scenarios.
For more information, see CMG set up checklist.

NOTE
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To
provide content to internet-based devices, enable the CMG to distribute content. For more information, see Deprecated
features.
For more information about certificates for a CDP, see Certificates for the cloud distribution point.

The site server signing certificate


The site server always creates a self-signed certificate. It uses this certificate for several purposes.
Clients can securely get a copy of the site server signing certificate from Active Directory Domain Services and
from client push installation. If clients can't get a copy of this certificate by one of these mechanisms, install it
when you install the client. This process is especially important if the client's first communication with the site is
with an internet-based management point. Because this server is connected to an untrusted network, it's more
vulnerable to attack. If you don't take this other step, clients automatically download a copy of the site server
signing certificate from the management point.
Clients can't securely get a copy of the site server certificate in the following scenarios:
You don't install the client by using client push, and:
You haven't extended the Active Directory schema for Configuration Manager.
You haven't published the client's site to Active Directory Domain Services.
The client is from an untrusted forest or a workgroup.
You're using internet-based client management and you install the client when it's on the internet.
For more information on how to install clients with a copy of the site server signing certificate, use the
SMSSIGNCERT command-line property. For more information, see About client installation parameters and
properties.

Hardware-bound key storage provider


Configuration Manager uses self-signed certificates for client identity and to help protect communication
between the client and site systems. When you update the site and clients to version 2107 or later, the client
stores its certificate from the site in a hardware-bound key storage provider (KSP). This KSP is typically the
trusted platform module (TPM). The certificate is also marked non-exportable.
If the client also has a PKI-based certificate, it continues to use that certificate for TLS HTTPS communication. It
uses its self-signed certificate for signing messages with the site. For more information, see PKI certificate
requirements.

NOTE
For clients that also have a PKI certificate, the Configuration Manager console displays the Client certificate property as
Self-signed. The client control panel Client certificate property shows PKI.

When you update to version 2107 or later, clients with PKI certificates will recreate self-signed certificates, but
don't reregister with the site. Clients without a PKI certificate will reregister with the site, which can cause extra
processing at the site. Make sure that your process to update clients allows for randomization. If you
simultaneously update lots of clients, it may cause a backlog on the site server.
Configuration Manager doesn't use TPMs that are known vulnerable. If a device has a vulnerable TPM, the client
falls back to using a software-based KSP. The certificate is still not exportable.
OS deployment media doesn't use hardware-bound certificates; it continues to use self-signed certificates from
the site. You create the media on a device that has the console, but then it can run on any client.
To troubleshoot certificate behaviors, use the CertificateMaintenance.log on the client.
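An added PowerShell example (not Configuration Manager code) for checking the key storage provider behaviour this section describes: for each certificate with a private key in the machine store, it reports which KSP holds the key, whether the key is exportable, and whether the provider is the TPM-backed one. It does not work out which certificate the site issued to the client; CertificateMaintenance.log is the source for that.

```powershell
# Added example, not Configuration Manager code. Provider names are the real Windows KSP names.
function Get-PrivateKeyStorageInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        # Usually access denied on a key the current account may not open (run elevated for SYSTEM-owned keys).
        Write-Verbose "$($Certificate.Thumbprint): $($_.Exception.Message)"
        return $null
    }
    if ($null -eq $rsa) { return $null }   # not an RSA key
    try {
        $info = [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint; Subject = $Certificate.Subject
            Provider = 'legacy CryptoAPI CSP'; Exportable = $null; HardwareBound = $false
        }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the CngKey object exposes the KSP name and the export policy.
            $info.Provider   = $rsa.Key.Provider.Provider
            # ExportPolicy is a flags value; None means the private key cannot leave the provider.
            $info.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            # 'Microsoft Platform Crypto Provider' is the Windows TPM key storage provider;
            # 'Microsoft Software Key Storage Provider' is the software KSP the client falls back to.
            $info.HardwareBound = ($info.Provider -eq 'Microsoft Platform Crypto Provider')
        }
        return $info
    } finally { $rsa.Dispose() }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-PrivateKeyStorageInfo -Certificate $_ } |
    Where-Object { $_ } |
    Format-Table Thumbprint, Provider, Exportable, HardwareBound, Subject -AutoSize
```

A device whose TPM is on the vulnerable list shows the software KSP with Exportable False, which matches the fallback behaviour described above.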

Next steps
Plan for PKI certificates in Configuration Manager
Configure security
Cryptographic controls technical reference
Plan for PKI certificates in Configuration Manager
2/16/2022 • 12 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses public key infrastructure (PKI)-based digital certificates when available. Use of
these certificates is recommended for greater security, but not required for most scenarios. You need to deploy
and manage these certificates independently from Configuration Manager.
This article provides information about PKI certificates in Configuration Manager to help you plan your
implementation. For more general information about the use of certificates in Configuration Manager, see
Certificates in Configuration Manager.

PKI certificate revocation


When you use PKI certificates with Configuration Manager, plan for use of a certificate revocation list (CRL).
Devices use the CRL to verify the certificate on the connecting computer. The CRL is a file that a certificate
authority (CA) creates and signs. It has a list of certificates that the CA has issued but revoked. When a certificate
administrator revokes a certificate, for example because it's known or suspected to be compromised, its thumbprint
is added to the CRL.

IMPORTANT
Because the location of the CRL is added to a certificate when a CA issues it, make sure that you plan for the CRL before
you deploy any PKI certificates that Configuration Manager uses.

IIS always checks the CRL for client certificates, and you can't change this configuration in Configuration
Manager. By default, Configuration Manager clients always check the CRL for site systems. Disable this setting
by specifying a site property and by specifying a CCMSetup property.
Computers that use certificate revocation checking but can't locate the CRL behave as if all certificates in the
certification chain are revoked. This behavior is because they can't verify if the certificates are in the certificate
revocation list. In this scenario, all connections fail that require certificates and include CRL checking. When
validating that your CRL is accessible by browsing to its HTTP location, it's important to note that the
Configuration Manager client runs as LOCAL SYSTEM. Testing CRL accessibility with a web browser under a user
context may succeed, but the computer account may be blocked when attempting to make an HTTP connection
to the same CRL URL. For example, it can be blocked because of an internal web filtering solution like a proxy.
Add the CRL URL to the approved list for any web filtering solutions.
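The accessibility check described in the paragraph above, as an added PowerShell example rather than Configuration Manager code: it reads the HTTP CRL distribution points out of the client authentication certificates in the machine store, fetches each one, and records which security context did the fetch. Run it once as the logged-on user and once as LOCAL SYSTEM (for example through a scheduled task, or the Sysinternals PsExec -s switch) and compare the two reports.

```powershell
# Added example, not Configuration Manager code.
function Get-CrlUrlsFromCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as text
    # containing "URL=<value>" entries, which is parsed here instead of decoding the ASN.1 by hand.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([Parameter(Mandatory)][string]$Url)
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        # A genuine CRL is a binary body (application/pkix-crl or octet-stream). A 200 with an HTML
        # body is the typical signature of a proxy or web-filter block page.
        $contentType = [string]$response.Headers['Content-Type']
        [pscustomobject]@{
            Url = $Url; Context = $who; Status = $response.StatusCode
            Bytes = $response.RawContentLength; ContentType = $contentType
            LooksLikeCrl = ($contentType -notmatch 'text/html') -and ($response.RawContentLength -gt 0)
        }
    } catch {
        [pscustomobject]@{
            Url = $Url; Context = $who; Status = 'FAILED'; Bytes = 0
            ContentType = $_.Exception.Message; LooksLikeCrl = $false
        }
    }
}

function Test-ClientCertificateCrls {
    # Client Authentication EKU is 1.3.6.1.5.5.7.3.2; those are the certificates the site systems see.
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
    $urls = $certs | ForEach-Object { Get-CrlUrlsFromCertificate -Certificate $_ } | Sort-Object -Unique
    if (-not $urls) {
        Write-Warning 'No HTTP CRL distribution points found in client authentication certificates'
        return
    }
    $urls | ForEach-Object { Test-CrlUrl -Url $_ }
}

Test-ClientCertificateCrls | Format-Table -AutoSize
```

A URL that reports LooksLikeCrl True under the user account and FAILED (or an HTML body) under NT AUTHORITY\SYSTEM is the filtering case the paragraph warns about, and the one to add to the web filter's approved list.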
Checking the CRL every time that a certificate is used offers more security against using a certificate that's
revoked. It does introduce a connection delay and more processing on the client. Your organization may require
this security check for clients on the internet or an untrusted network.
Consult your PKI administrators before you decide whether Configuration Manager clients need to check the
CRL. When both of the following conditions are true, consider keeping this option enabled in Configuration
Manager:
Your PKI infrastructure supports a CRL, and it's published where all Configuration Manager clients can
locate it. These clients might include devices on the internet, and ones in untrusted forests.
The requirement to check the CRL for each connection to a site system that's configured to use a PKI
certificate is greater than the following requirements:
Faster connections
Efficient processing on the client
The risk of clients failing to connect to servers if they can't locate the CRL

PKI trusted root certificates


If your IIS site systems use PKI client certificates for client authentication over HTTP, or for client authentication
and encryption over HTTPS, you might have to import root CA certificates as a site property. Here are the two
scenarios:
You deploy operating systems by using Configuration Manager, and the management points only accept
HTTPS client connections.
You use PKI client certificates that don't chain to a root certificate that the management points trust.

NOTE
When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use
for management points, you don't have to specify this root CA certificate. However, if you use multiple CA
hierarchies and you aren't sure whether they trust each other, import the root CA for the clients' CA hierarchy.

If you need to import root CA certificates for Configuration Manager, export them from the issuing CA or from
the client computer. If you export the certificate from the issuing CA that's also the root CA, don't export the
private key. Store the exported certificate file in a secure location to prevent tampering. You need access to the
file when you set up the site. If you access the file over the network, make sure the communication is protected
from tampering by using IPsec.
If any root CA certificate that you import is renewed, import the renewed certificate.
These imported root CA certificates and the root CA certificate of each management point create the certificate
issuers list. Configuration Manager computers use this list in the following ways:
When clients connect to management points, the management point verifies that the client certificate is
chained to a trusted root certificate in the site's certificate issuers list. If it doesn't, the certificate is
rejected, and the PKI connection fails.
When clients select a PKI certificate and have a certificate issuers list, they select a certificate that chains
to a trusted root certificate in the certificate issuers list. If there's no match, the client doesn't select a PKI
certificate. For more information, see PKI client certificate selection.

PKI client certificate selection


If your IIS site systems use PKI client certificates for client authentication over HTTP or for client authentication
and encryption over HTTPS, plan for how Windows clients select the certificate to use for Configuration
Manager.

NOTE
Some devices don't support a certificate selection method. Instead, they automatically select the first certificate that fulfills
the certificate requirements. For example, clients on macOS computers and mobile devices don't support a certificate
selection method.

In many cases, the default configuration and behavior are sufficient. The Configuration Manager client on
Windows computers filters multiple certificates by using these criteria in this order:
1. The certificate issuers list: The certificate chains to a root CA that's trusted by the management point.
2. The certificate is in the default certificate store of Personal.
3. The certificate is valid, not revoked, and not expired. The validity check also verifies that the private key is
accessible.
4. The certificate has client authentication capability.
5. The certificate Subject Name contains the local computer name as a substring.
6. The certificate has the longest validity period.
Configure clients to use the certificate issuers list by using the following mechanisms:
Publish it with Configuration Manager site information to Active Directory Domain Services.
Install clients by using client push.
Clients download it from the management point after they're successfully assigned to their site.
Specify it during client installation as a CCMSetup client.msi property of CCMCERTISSUERS.
If clients don't have the certificate issuers list when they're first installed, and aren't yet assigned to the site, they
skip this check. When clients do have the certificate issuers list, and don't have a PKI certificate that chains to a
trusted root certificate in the certificate issuers list, certificate selection fails. Clients don't continue with the other
certificate selection criteria.
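To see which certificate the client would pick on a given computer, and why each other candidate is dropped, the following added example (not Configuration Manager code) walks the same selection order against Cert:\LocalMachine\My. Two simplifications are assumptions of this script, not of the product: the `-IssuerThumbprint` parameter stands in for the site's certificate issuers list (the real list carries issuer names; root thumbprints are used here for an unambiguous match), and `-SubjectMatch` stands in for the partial-string-match selection criterion described in the next section.

```powershell
# Added example, not Configuration Manager code: walk the Windows client's certificate
# selection order against Cert:\LocalMachine\My and report which certificate the client
# would use and why each other candidate was dropped.
# Assumptions: -IssuerThumbprint stands in for the site's certificate issuers list (the
# real list carries issuer names; root thumbprints are used here for an unambiguous match)
# and -SubjectMatch stands in for the site's partial-string-match selection criterion.

function Select-CmClientCertificate {
    param(
        [string[]]$IssuerThumbprint = @(),           # empty: client has no issuers list yet, check is skipped
        [string]$SubjectMatch = $env:COMPUTERNAME,  # default rule: computer name as a substring of Subject
        [switch]$SelectFirstCert                    # tie-break like CCMFIRSTCERT instead of longest validity
    )
    $rejected = New-Object System.Collections.Generic.List[object]
    $candidates = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {   # 2. Personal store only
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'    # revocation is part of the validity check
        $built = $chain.Build($cert)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $why = $null
        if ($IssuerThumbprint.Count -gt 0 -and $IssuerThumbprint -notcontains $root.Thumbprint) {
            # 1. issuers list present and this certificate does not chain to it
            $why = "1. chains to '$($root.Subject)', which is not in the certificate issuers list"
        } elseif (-not $built) {
            # 3. expired, revoked, or chain otherwise invalid
            $why = '3. chain invalid: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ').Trim()
        } elseif (-not $cert.HasPrivateKey) {
            $why = '3. no accessible private key'
        } elseif ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.2') {
            $why = '4. no Client Authentication EKU'
        } elseif ($SubjectMatch -and $cert.Subject -notlike "*$SubjectMatch*") {
            # 5. -like is case-insensitive, matching the product's partial string match
            $why = "5. Subject does not contain '$SubjectMatch'"
        }
        if ($why) { $rejected.Add([pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Reason = $why }) }
        else      { $cert }
    }
    $candidates = @($candidates)
    # 6. tie-break: longest validity period, unless the CCMFIRSTCERT behaviour is requested
    $selected = if ($SelectFirstCert) { $candidates | Select-Object -First 1 }
                else { $candidates | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1 }
    [pscustomobject]@{
        Selected       = $selected
        CandidateCount = $candidates.Count   # more than 1 means the tie-break decided; tighten the criteria
        Rejected       = $rejected
    }
}

Select-CmClientCertificate | Format-List
# With an issuers list: Select-CmClientCertificate -IssuerThumbprint 'ROOT-CA-THUMBPRINT' | Format-List
```

If every certificate is rejected at step 1 when an issuers list is supplied, that reproduces the behaviour described above: the client has the list, nothing chains to it, and selection fails without the remaining criteria being evaluated. A CandidateCount above 1 is the cue to refine the selection criteria rather than rely on the longest-validity tie-break.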
In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate.
When this behavior isn't the case, instead of selecting the certificate based on the client authentication capability,
you can set up two alternative selection methods:
A partial string match on the client certificate subject name. This method is a case-insensitive match. It's
appropriate if you're using the fully qualified domain name (FQDN) of a computer in the subject field and
want the certificate selection to be based on the domain suffix, for example contoso.com . You can use
this selection method to identify any string of sequential characters in the certificate subject name that
differentiates the certificate from others in the client certificate store.

NOTE
You can't use the partial string match with the subject alternative name (SAN) as a site setting. Although you can
specify a partial string match for the SAN by using CCMSetup, it'll be overwritten by the site properties in the
following scenarios:
Clients retrieve site information that's published to Active Directory Domain Services.
Clients are installed by using client push installation.
Use a partial string match in the SAN only when you install clients manually and when they don't retrieve site
information from Active Directory Domain Services. For example, these conditions apply to internet-only clients.

A match on the client certificate subject name attribute values or the subject alternative name (SAN)
attribute values. This method is a case-sensitive match. It's appropriate if you're using an X500
distinguished name or equivalent object identifiers (OIDs) in compliance with RFC 3280, and you want
the certificate selection to be based on the attribute values. You can specify only the attributes and their
values that you require to uniquely identify or validate the certificate and differentiate the certificate from
others in the certificate store.
The following table shows the attribute values that Configuration Manager supports for the client certificate
selection criteria:
OID attribute               Distinguished name attribute   Attribute definition
0.9.2342.19200300.100.1.25  DC                             Domain component
1.2.840.113549.1.9.1        E or E-mail                    Email address
2.5.4.3                     CN                             Common name
2.5.4.4                     SN                             Surname
2.5.4.5                     SERIALNUMBER                   Serial number
2.5.4.6                     C                              Country code
2.5.4.7                     L                              Locality
2.5.4.8                     S or ST                        State or province name
2.5.4.9                     STREET                         Street address
2.5.4.10                    O                              Organization name
2.5.4.11                    OU                             Organizational unit
2.5.4.12                    T or Title                     Title
2.5.4.42                    G or GN or GivenName           Given name
2.5.4.43                    I or Initials                  Initials
2.5.29.17                   (no value)                     Subject Alternative Name


NOTE
If you configure either of the above alternate certificate selection methods, the certificate Subject Name doesn't need to
contain the local computer name.

If more than one appropriate certificate is located after the selection criteria are applied, you can override the
default configuration to select the certificate that has the longest validity period. Instead, you can specify that no
certificate is selected. In this scenario, the client can't communicate with IIS site systems with a PKI certificate.
The client sends an error message to its assigned fallback status point to alert you to the certificate selection
failure. Then you can change or refine your certificate selection criteria.
The client behavior then depends on whether the failed connection was over HTTPS or HTTP:
If the failed connection was over HTTPS: The client tries to connect over HTTP and uses the client self-
signed certificate.
If the failed connection was over HTTP: The client tries to connect again over HTTP by using the self-
signed client certificate.
To help identify a unique PKI client certificate, you can also specify a custom store other than the default of
Personal in the Computer store. Create a custom certificate store outside of Configuration Manager. You need
to be able to deploy certificates to this custom store and renew them before the validity period expires.
For more information, see Configure settings for client PKI certificates.

Transition strategy for PKI certificates


The flexible configuration options in Configuration Manager let you gradually transition clients and the site to
use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable you to
manage internet clients.
This plan first introduces PKI certificates for authentication only over HTTP, and then for authentication and
encryption over HTTPS. When you follow this plan to gradually introduce these certificates, you reduce the risk
that clients become unmanaged. You'll also benefit from the highest security that Configuration Manager
supports.
Because of the number of configuration options and choices in Configuration Manager, there's no single way to
transition a site so that all clients use HTTPS connections. The following steps provide general guidance:
1. Install the Configuration Manager site and configure it so that site systems accept client connections over
HTTPS and HTTP.
2. Configure the Communication Security tab in the site properties. Set Site System Settings to HTTP
or HTTPS and select Use PKI client certificate (client authentication capability) when available.
For more information, see Configure settings for client PKI certificates.
3. Pilot a PKI rollout for client certificates. For an example deployment, see Deploy the client certificate for
Windows computers.
4. Install clients by using the client push installation method. For more information, see the How to install
Configuration Manager clients by using client push.
5. Monitor client deployment and status by using the reports and information in the Configuration Manager
console.
6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the
Assets and Compliance workspace, Devices node.
You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool
(CMHttpsReadiness.exe) to computers. Then use the reports to view how many computers can use a
client PKI certificate with Configuration Manager.

NOTE
When you install the Configuration Manager client, it installs the CMHttpsReadiness.exe tool in the
%windir%\CCM folder. The following command-line options are available when you run this tool:

/Store:<Certificate store name> : This option is the same as the CCMCERTSTORE client.msi property
/Issuers:<Case-sensitive issuer common name> : This option is the same as the CCMCERTISSUERS
client.msi property
/Criteria:<Selection criteria> : This option is the same as the CCMCERTSEL client.msi property
/SelectFirstCert : This option is the same as the CCMFIRSTCERT client.msi property

The tool outputs information to the CMHttpsReadiness.log in the CCM\Logs directory.


For more information, see About client installation properties.

7. When you're confident that enough clients are successfully using their client PKI certificate for
authentication over HTTP, follow these steps:
a. Deploy a PKI web server certificate to a member server that runs another management point for
the site, and configure that certificate in IIS. For more information, see Deploy the web server
certificate for site systems that run IIS.
b. Install the management point role on this server. Configure the Client connections option in the
management point properties for HTTPS .
8. Monitor and verify that clients that have a PKI certificate use the new management point by using HTTPS.
You can use IIS logging or performance counters to verify.
9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the
internet, make sure that site systems have an internet FQDN. Configure individual management points
and distribution points to accept client connections from the internet.

IMPORTANT
Before you set up site system roles to accept connections from the internet, review the planning information and
prerequisites for internet-based client management. For more information, see Communications between
endpoints.

10. Extend the PKI certificate rollout for clients and for site systems that run IIS. Set up the site system roles
for HTTPS client connections and internet connections, as required.
11. For the highest security: When you're confident that all clients are using a client PKI certificate for
authentication and encryption, change the site properties to use HTTPS only.
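Step 8 above points at IIS logging as a way to verify that PKI clients are actually using the HTTPS management point. The following added example (not from the Configuration Manager documentation) parses W3C-format IIS logs from a management point and summarises, per client address, how many requests arrived on port 443 versus port 80. It assumes W3C logging with the default field set and that the management point's client endpoints live under /ccm_system* and /SMS_MP; the sample log lines embedded in the script are constructed for illustration, not captured from a real server.

```powershell
# Added example, not from the Configuration Manager documentation: parse W3C-format IIS
# logs from a management point and count, per client address, the requests that arrived
# over HTTPS (s-port 443) and over HTTP (s-port 80), so you can see which clients have
# moved to the HTTPS management point and which still fall back. Assumptions: W3C logging
# with the default field set; management point client endpoints live under /ccm_system*
# and /SMS_MP; the sample lines below are constructed, not taken from a real server.

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {                 # field list can change mid-file after an IIS restart
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-CmClientTransportSummary {
    param([string[]]$LogLines)
    ConvertFrom-IisW3cLog -Lines $LogLines |
        Where-Object { $_.'cs-uri-stem' -match '^/(ccm_system|SMS_MP)' } |   # management point client endpoints only
        Group-Object 'c-ip' | ForEach-Object {
            $https = @($_.Group | Where-Object { $_.'s-port' -eq '443' }).Count
            $http  = @($_.Group | Where-Object { $_.'s-port' -eq '80' }).Count
            $state = if ($http -eq 0) { 'HTTPS only' } elseif ($https -eq 0) { 'HTTP only' } else { 'mixed' }
            [pscustomobject]@{ ClientIP = $_.Name; HttpsRequests = $https; HttpRequests = $http; State = $state }
        } | Sort-Object State, ClientIP
}

# Constructed sample in the default W3C layout (addresses and times are made up)
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-02-16 08:00:01 10.0.0.10 CCM_POST /ccm_system/request - 443 - 10.0.1.21 ccmhttp - 200 0 0 31
2022-02-16 08:00:03 10.0.0.10 CCM_POST /ccm_system_windowsauth/request - 80 - 10.0.1.22 ccmhttp - 200 0 0 15
2022-02-16 08:00:04 10.0.0.10 GET /SMS_MP/.sms_aut MPLIST 443 - 10.0.1.21 ccmhttp - 200 0 0 4
2022-02-16 08:00:05 10.0.0.10 CCM_POST /ccm_system/request - 80 - 10.0.1.23 ccmhttp - 200 0 0 20
2022-02-16 08:00:06 10.0.0.10 CCM_POST /ccm_system/request - 443 - 10.0.1.23 ccmhttp - 200 0 0 18
2022-02-16 08:00:07 10.0.0.10 GET /favicon.ico - 80 - 10.0.1.99 Mozilla/5.0 - 404 0 2 1
'@ -split "`r?`n"

Get-CmClientTransportSummary -LogLines $sample | Format-Table -AutoSize
# Real data: Get-CmClientTransportSummary -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex220216.log')
```

Clients reported as "mixed" are the ones to investigate during the transition: they hold a PKI certificate but still fall back to HTTP for some requests, which is the behaviour described in the certificate selection section when a certificate cannot be used for a connection.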

Next steps
Configure security
Cryptographic controls technical reference
PKI certificate requirements
CNG v3 certificates overview
2/16/2022

Configuration Manager supports Cryptography: Next Generation (CNG) certificates. Configuration Manager
clients can use a PKI client authentication certificate with the private key generated and stored in a CNG Key
Storage Provider (KSP). With KSP support, Configuration Manager clients support hardware-based private keys,
such as a TPM KSP for PKI client authentication certificates.

NOTE
When using CNG certificates, Configuration Manager clients only support certificates that use the RSA cryptographic
algorithm.

Supported scenarios
You can use Cryptography API: Next Generation (CNG) v3 certificate templates for the following scenarios:
Client registration and communication with an HTTPS management point
Software distribution and application deployment with an HTTPS distribution point
OS deployment
Client messaging SDK (with latest update) and ISV Proxy
Cloud management gateway (CMG) configuration
User-targeted available applications in Software Center
Also use CNG v3 certificates for the following HTTPS-enabled server roles:
Management point
Distribution point
Software update point
State migration point
Certificate registration point, including the NDES server with the Configuration Manager policy module

NOTE
CNG is backward compatible with Crypto API (CAPI). CAPI certificates continue to be supported even when CNG support
is enabled on the client.

Unsupported scenarios
The following scenarios currently aren't supported:
The following server roles aren't operational when installed in HTTPS mode with a CNG v3 certificate
bound to the web site in Internet Information Services (IIS):
Enrollment point
Enrollment proxy point

To use CNG certificates


To use CNG v3 certificates, your certification authority (CA) needs to provide CNG certificate templates for
target machines. Template details vary according to the scenario; however, the following properties are required:
Compatibility tab
Certificate Authority must be Windows Server 2008 or later. (Windows Server 2012 is
recommended.)
Certificate recipient must be Windows Vista/Server 2008 or later. (Windows 8/Windows Server
2012 is recommended.)
Cryptography tab
Provider Category must be Key Storage Provider. (required)
Algorithm name must be RSA. (required)
Requests must use one of the following providers: select Microsoft Software Key
Storage Provider.

NOTE
The requirements for your environment or organization may be different. Contact your PKI expert. The important point to
consider is a certificate template must use a Key Storage Provider to take advantage of CNG.

For best results, we recommend building the Subject Name from Active Directory information. Use the DNS
Name for Subject name format and include the DNS name in the alternate subject name. Otherwise, you
must provide this information when the device enrolls into the certificate profile.
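Whether a deployed client certificate actually has its private key in a Key Storage Provider, and which provider, is not visible in the certificate itself. The following added example (not Configuration Manager code) inspects each client authentication certificate in the local Personal store and reports whether the key is held by a CNG KSP (including the TPM-backed Microsoft Platform Crypto Provider) or by a legacy CAPI CSP, and whether the key is RSA, the only algorithm the client supports for CNG certificates. It assumes Windows PowerShell 5.1 on .NET Framework 4.6.1 or later, where GetRSAPrivateKey returns RSACng for KSP keys and RSACryptoServiceProvider for CAPI keys.

```powershell
# Added example, not Configuration Manager code: for each client authentication
# certificate in the local Personal store, report whether the private key is held by a
# CNG Key Storage Provider (and which one; the TPM-backed provider is
# "Microsoft Platform Crypto Provider") or by a legacy CAPI CSP, and whether the key is
# RSA, the only algorithm the Configuration Manager client supports for CNG certificates.
# Assumption: Windows PowerShell 5.1 on .NET Framework 4.6.1 or later, where
# GetRSAPrivateKey returns RSACng for KSP keys and RSACryptoServiceProvider for CAPI keys.

function Get-ClientCertKeyProvider {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem $StorePath) {
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.2') { continue }
        $algorithm  = $cert.PublicKey.Oid.FriendlyName   # 'RSA' or 'ECC'
        $keyStorage = 'no private key'; $provider = $null; $hardware = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = if ($algorithm -eq 'RSA') {
                    [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                } else {
                    [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                    $keyStorage = 'CNG (KSP)'
                    $provider   = $key.Key.Provider.Provider
                    $hardware   = ($provider -eq 'Microsoft Platform Crypto Provider')   # key never leaves the TPM
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyStorage = 'CAPI (CSP)'
                    $provider   = $key.CspKeyContainerInfo.ProviderName
                    $hardware   = $key.CspKeyContainerInfo.HardwareDevice
                }
            } catch {
                # The client's validity check also requires the private key to be usable; an
                # access-denied or missing-key error here means the certificate would be skipped.
                $keyStorage = "private key not accessible: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Algorithm = $algorithm
            KeyStorage = $keyStorage; Provider = $provider; HardwareBacked = $hardware
            CmClientSupported = ($algorithm -eq 'RSA')   # CNG support in the client is RSA-only
        }
    }
}

Get-ClientCertKeyProvider | Format-Table -AutoSize
```

Run it elevated, since reading private key metadata from the LocalMachine store requires access to the key container. A certificate showing Algorithm ECC will be ignored by the client even if it is otherwise valid; one showing CAPI (CSP) continues to work, as the compatibility note above states, but does not benefit from a hardware-protected key.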
PKI certificate requirements for Configuration
Manager
2/16/2022

Applies to: Configuration Manager (current branch)


The public key infrastructure (PKI) certificates that you might require for Configuration Manager are listed in the
following tables. This information assumes basic knowledge of PKI certificates.
You can use any PKI to create, deploy, and manage most certificates in Configuration Manager. For client
certificates that Configuration Manager enrolls on mobile devices and Mac computers, they require use of
Active Directory Certificate Services.
When you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can
ease the management of certificates. Use the Microsoft certificate template reference in the sections below
to identify the certificate template that most closely matches the certificate requirements. Only an enterprise
certification authority (CA) that runs on the Enterprise or Datacenter editions of Windows server can use
template-based certificates.
For more information, see the following articles:
Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server
2008 Certification Authority
Active Directory Certificate Services Overview
How to enable Transport Layer Security (TLS) 1.2

Supported certificate types


Secure Hash Algorithm 2 (SHA-2) certificates
Issue new server and client authentication certificates that are signed with SHA-2, which includes SHA-256 and
SHA-512. All internet-facing services should use a SHA-2 certificate. For example, if you purchase a public
certificate for use with a cloud management gateway, make sure that you purchase a SHA-2 certificate.
Windows doesn't trust certificates signed with SHA-1. For more information, see Windows Enforcement of
SHA1 certificates.
CNG v3 certificates
Configuration Manager supports Cryptography: Next Generation (CNG) v3 certificates. Configuration Manager
clients can use a PKI client authentication certificate with private key in a CNG Key Storage Provider (KSP). With
KSP support, Configuration Manager clients support hardware-based private keys, such as a TPM KSP for PKI
client authentication certificates.
For more information, see CNG v3 certificates overview.

PKI certificates for servers


Site systems that run IIS and support HTTPS client connections
This web server certificate is used to:
Authenticate the servers to the client
Encrypt all data that's transferred between the client and these servers with TLS.
Applies to:
Management point
Distribution point
Software update point
State migration point
Enrollment point
Enrollment proxy point
Certificate registration point
Certificate requirements:
Certificate purpose: Server authentication
Microsoft certificate template: Web Server
The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1)

Subject Name:
If the site system accepts connections from the internet, the Subject Name or Subject
Alternative Name must contain the internet fully qualified domain name (FQDN).
If the site system accepts connections from the intranet, the Subject Name or Subject
Alternative Name must contain either the intranet FQDN (recommended) or the computer's
name, depending on how the site system is set up.
If the site system accepts connections from both the internet and the intranet, both the internet
FQDN and the intranet FQDN (or computer name) must be specified. Use the ampersand ( & )
symbol delimiter between the two names.

NOTE
When the software update point accepts client connections from the internet only, the certificate must contain
both the internet FQDN and the intranet FQDN.

Key length: Configuration Manager doesn't specify a maximum supported key length for this certificate.
Consult your PKI and IIS documentation for any key-size related issues for this certificate.
Most site system roles support key storage providers for certificate private keys (v3). For more information, see
CNG v3 certificates overview.
This certificate must be in the Personal store in the Computer certificate store.
Cloud management gateway (CMG)
This service certificate is used to:
Authenticate the CMG service in Azure to Configuration Manager clients
Encrypt all data transferred between them by using TLS.
Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to know the password, so
that you can import the certificate when you create the CMG.
Certificate requirements:
Certificate purpose: Server authentication
Microsoft certificate template: Web Server
The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1)

The Subject Name must contain a customer-defined service name as the Common Name for the
specific instance of the cloud management gateway.
The private key must be exportable.
Supported key lengths: 2048-bit or 4096-bit
This certificate supports key storage providers for certificate private keys (v3).
For more information, see CMG server authentication certificate.
Site system servers that run Microsoft SQL Server
This certificate is used for server-to-server authentication.
Certificate requirements:
Certificate purpose: Server authentication
Microsoft certificate template: Web Server
The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1)

The Subject Name must contain the intranet fully qualified domain name (FQDN)
Maximum supported key length is 2,048 bits.
This certificate must be in the Personal store in the Computer certificate store. Configuration Manager
automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might
have to establish trust with the server.
SQL Server Always On failover cluster instance
This certificate is used for server-to-server authentication.
Certificate requirements:
Certificate purpose: Server authentication
Microsoft certificate template: Web Server
The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1)

The Subject Name must contain the intranet fully qualified domain name (FQDN) of the cluster
The private key must be exportable
The certificate must have a validity period of at least two years when you configure Configuration
Manager to use the failover cluster instance
Maximum supported key length is 2,048 bits.
Request and install this certificate on one node in the cluster. Then export the certificate and import it to the
other nodes.
This certificate must be in the Personal store in the Computer certificate store. Configuration Manager
automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might
have to establish trust with the server.
Site system monitoring
Applies to:
Management point
State migration point
Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template: Workstation Authentication
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)

Computers must have a unique value in the Subject Name field or in the Subject Alternative Name
field.

NOTE
If you use multiple values for the Subject Alternative Name , it only uses the first value.

Maximum supported key length is 2,048 bits.


This certificate is required on the listed site system servers, even if the Configuration Manager client isn't
installed. This configuration allows the site to monitor and report on the health of these site system roles.
The certificate for these site systems must be in the Personal store of the Computer certificate store.
Servers running the Configuration Manager Policy Module with the Network Device Enrollment Service
(NDES) role service
Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template: Workstation Authentication
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)

There are no specific requirements for the certificate Subject Name or Subject Alternative Name
(SAN). You can use the same certificate for multiple servers running the Network Device Enrollment
Service.
Supported key lengths: 1,024 bits and 2,048 bits.
Site systems that have a distribution point installed
This certificate has two purposes:
It authenticates the distribution point to an HTTPS-enabled management point before the distribution point
sends status messages.
A PXE-enabled distribution point sends this certificate to computers. If the task sequence includes client
actions like client policy retrieval or sending inventory information, the computer can connect to an HTTPS-
enabled management point during the OS deployment process.
This certificate is only used during the OS deployment process. It isn't installed on the client. Because of this
temporary use, you can use the same certificate for every OS deployment if you don't want to use multiple
client certificates.
NOTE
The requirements for this certificate are the same as the client certificate for boot images. Because the requirements are
the same, you can use the same certificate file.

Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template: Workstation Authentication
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)

There are no specific requirements for the certificate Subject Name or Subject Alternative Name
(SAN). It's recommended to use a different certificate for each distribution point, but you can use the
same certificate.
The private key must be exportable.
Maximum supported key length is 2,048 bits.
Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to know the password, so
that you can import the certificate to the distribution point properties.
Proxy web servers for internet-based client management
If the site supports internet-based client management, and you use a proxy web server by using SSL termination
(bridging) for incoming internet connections, the proxy web server has the following certificate requirements:

NOTE
If you use a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy
web server.

Certificate requirements:
Certificate purpose: Server authentication and Client authentication
Microsoft certificate template: Web Server and Workstation Authentication
Internet FQDN in the Subject Name or Subject Alternative Name field. If you use Microsoft
certificate templates, the Subject Alternative Name is only available with the workstation template.
This certificate is used to authenticate the following servers to internet clients and to encrypt all data transferred
between the client and this server with TLS:
Internet-based management point
Internet-based distribution point
Internet-based software update point
The client authentication is used to bridge client connections between the Configuration Manager clients and the
internet-based site systems.

PKI certificates for clients


Windows client computers
Except for the software update point, this certificate authenticates the client to site systems that run IIS and
support HTTPS client connections.
Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template: Workstation Authentication
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)

The Key Usage value must contain Digital Signature, Key Encipherment (a0)

Client computers must have a unique value in the Subject Name or Subject Alternative Name field. If
used, the Subject Name field must contain the local computer name unless an alternative certificate
selection criteria is specified. For more information, see Plan for PKI client certificate selection.

NOTE
If you use multiple values for the Subject Alternative Name , it only uses the first value.

There's no maximum supported key length.


By default, Configuration Manager looks for computer certificates in the Personal store in the Computer
certificate store.
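The requirements for the IIS site system web server certificate (earlier in this article) and for the Windows client certificate (this section) are mechanical enough to check before a certificate is bound or deployed. The following added example, which is not from the Configuration Manager documentation, tests a certificate from the local Personal store against those requirements: Server Authentication or Client Authentication EKU, the a0 Key Usage for clients, the computer name in the client Subject, the expected FQDN in the server Subject or SAN, an SHA-2 signature, validity, and the RSA key length for reference. The FQDN in the usage lines is a placeholder for your own intranet or internet FQDN, not a value from the documentation.

```powershell
# Added example, not from the Configuration Manager documentation: check a certificate
# in the local Personal store against the requirements listed above for the IIS site
# system web server certificate (-Role Server) and for the Windows client certificate
# (-Role Client). The FQDN passed as -ExpectedName in the usage lines is a placeholder
# for your own intranet or internet FQDN, not a value from the documentation.

function Test-CmCertificateRequirements {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [string[]]$ExpectedName = @()   # Server role: FQDNs that must appear in the Subject CN or the SAN
    )
    $c   = $Certificate
    $eku = @($c.EnhancedKeyUsageList.ObjectId)
    $ku  = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $san = @($c.DnsNameList | ForEach-Object Unicode)    # SAN dNSName entries (PowerShell adds the CN here too)
    $cn  = $c.GetNameInfo('SimpleName', $false)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    $keyLength = if ($rsa) { $rsa.KeySize } else { $null }
    $checks = [ordered]@{}
    # Common to both roles
    $checks['SHA-2 signature (Windows does not trust SHA-1)'] = $c.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)'
    $checks['RSA public key']                                 = $null -ne $rsa
    $checks['Within validity period']                         = ($c.NotBefore -le (Get-Date)) -and ($c.NotAfter -gt (Get-Date))
    switch ($Role) {
        'Server' {
            $checks['EKU Server Authentication 1.3.6.1.5.5.7.3.1'] = $eku -contains '1.3.6.1.5.5.7.3.1'
            foreach ($name in $ExpectedName) {
                $checks["'$name' in Subject CN or SAN"] = ($cn -eq $name) -or ($san -contains $name)
            }
        }
        'Client' {
            $checks['EKU Client Authentication 1.3.6.1.5.5.7.3.2'] = $eku -contains '1.3.6.1.5.5.7.3.2'
            $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
            $checks['Key Usage Digital Signature + Key Encipherment (a0)'] = ($null -ne $ku) -and (($ku.KeyUsages -band $need) -eq $need)
            # Not required when alternative selection criteria are configured at the site
            $checks["Subject contains computer name '$env:COMPUTERNAME'"] = $c.Subject -like "*$env:COMPUTERNAME*"
            $checks['Private key present']                              = $c.HasPrivateKey
        }
    }
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint; Subject = $c.Subject; Role = $Role; KeyLength = $keyLength
        Passed     = -not (@($checks.Values) -contains $false)
        Failed     = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
    }
}

# Usage on a site system (placeholder FQDN): evaluate every server authentication certificate
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    ForEach-Object { Test-CmCertificateRequirements -Certificate $_ -Role Server -ExpectedName 'mp01.corp.contoso.com' } |
    Format-List
# Usage on a Windows client: list the certificates that meet the client requirements
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CmCertificateRequirements -Certificate $_ -Role Client } |
    Where-Object Passed | Format-Table Thumbprint, KeyLength, Subject -AutoSize
```

The Failed list names the requirement that was not met, which is usually quicker than reading the certificate in the MMC snap-in. Uniqueness of the Subject or SAN across the whole estate cannot be checked from one computer; that remains a property of the template and the enrollment process.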
Boot images for deploying operating systems
The certificate is used if the task sequence includes client actions like client policy retrieval or sending inventory
information. It allows the computer to connect to an HTTPS-enabled management point during the OS
deployment process.
This certificate is only used during the OS deployment process. It isn't used to install the client or installed on the
device. Because of this temporary use, you can use the same certificate for every OS deployment if you don't
want to use multiple client certificates.
When you have an environment that's HTTPS-only, the boot image must have a valid certificate. This certificate
allows the device to communicate with the site and for the deployment to continue. The client can automatically
generate a certificate when the device is joined to Active Directory, or you can install a client certificate by using
another method.

NOTE
The requirements for this certificate are the same as the client authentication certificate for site systems with the distribution point role.
Because the requirements are the same, you can use the same certificate file.

Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template: Workstation Authentication
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)

There are no specific requirements for the certificate Subject Name or Subject Alternative Name
(SAN) fields. You can use the same certificate for all boot images.
The private key must be exportable.
Maximum supported key length is 2,048 bits.
Export this certificate in a Public Key Certificate Standard (PKCS #12) format. You need to know the password, so
that you can import the certificate to the boot image properties.
macOS client computers
This certificate authenticates the macOS client computer to the site system servers that it communicates with.
For example, management points and distribution points.
Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template:
For Configuration Manager enrollment: Authenticated Session
For certificate installation independent from Configuration Manager: Workstation Authentication
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)
Subject Name:
For Configuration Manager that creates a User certificate, the certificate Subject value is
automatically populated with the user name of the person who enrolls the macOS computer.
For certificate installation that doesn't use Configuration Manager enrollment, but deploys a
Computer certificate independently from Configuration Manager, the certificate Subject value must
be unique. For example, specify the FQDN of the computer.
The Subject Alternative Name field isn't supported.
Maximum supported key length is 2,048 bits.
Mobile device clients
This certificate authenticates the mobile device client to the site system servers that it communicates with. For
example, management points and distribution points.
Certificate requirements:
Certificate purpose: Client authentication
Microsoft certificate template: Authenticated Session
The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)

Maximum supported key length is 2,048 bits.


These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded
X.509 format isn't supported.
Root certification authority (CA) certificates
This certificate is a standard root CA certificate.
Applies to:
OS deployment
Client certificate authentication
Mobile device enrollment
Certificate purpose: Certificate chain to a trusted source
The root CA certificate must be provided when clients have to chain the certificates of the communicating server
to a trusted source. The root CA certificate for clients must be provided if the client certificates are issued by a
different CA hierarchy than the CA hierarchy that issued the management point certificate.
Step-by-step example deployment of the PKI
certificates for Configuration Manager: Windows
Server 2008 certification authority
2/16/2022

Applies to: Configuration Manager (current branch)


This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), has
procedures that show you how to create and deploy the public key infrastructure (PKI) certificates that
Configuration Manager uses. These procedures use an enterprise certification authority (CA) and certificate
templates. The steps are appropriate for a test network only, as a proof of concept.
Because there's no single method of deployment for the required certificates, consult your particular PKI
deployment documentation for the required procedures and best practices to deploy the required certificates
for a production environment. For more about the certificate requirements, see PKI certificate requirements for
Configuration Manager.

TIP
You can adapt the instructions in this topic for operating systems that aren't documented in the Test Network
Requirements section. However, if you are running the issuing CA on Windows Server 2012, you're not prompted for the
certificate template version. Instead, specify this on the Compatibility tab of the template properties:
Certification Authority: Windows Server 2003
Certificate recipient: Windows XP / Server 2003

Test network requirements

The step-by-step instructions have the following requirements:
The test network is running Active Directory Domain Services with Windows Server 2008, and it is
installed as a single domain, single forest.
You have a member server running Windows Server 2008 Enterprise Edition, which has the Active
Directory Certificate Services role installed on it, and it is set up as an enterprise root certification
authority (CA).
You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition, R2 or
later) installed on it, that computer is designated as a member server, and Internet Information Services
(IIS) is installed on it. This computer will be the Configuration Manager site system server that you will
configure with an intranet fully qualified domain name (FQDN) to support client connections on the
intranet and an internet FQDN if you must support mobile devices that are enrolled by Configuration
Manager and clients on the internet.
You have one Windows Vista client that has the latest service pack installed, and this computer is set up
with a computer name that comprises ASCII characters and is joined to the domain. This computer will be
a Configuration Manager client computer.
You can sign in with a root domain administrator account or an enterprise domain administrator account
and use this account for all procedures in this example deployment.
Overview of the certificates
The following table lists the types of PKI certificates that might be required for Configuration Manager and
describes how they are used.

Certificate requirement: Web server certificate for site systems that run IIS
Certificate description: This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site systems servers that run Internet Information Services (IIS) and that are set up in Configuration Manager to use HTTPS.
For the steps to set up and install this certificate, see Deploy the web server certificate for site systems that run IIS in this topic.

Certificate requirement: Service certificate for clients to connect to cloud-based distribution points
Certificate description: For the steps to configure and install this certificate, see Deploy the service certificate for cloud-based distribution points in this topic.
Important: This certificate is used in conjunction with the Windows Azure management certificate. For more about the management certificate, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription.

Certificate requirement: Client certificate for Windows computers
Certificate description: This certificate is used to authenticate Configuration Manager client computers to site systems that are set up to use HTTPS. It can also be used for management points and state migration points to monitor their operational status when they are set up to use HTTPS. It must be installed externally from Configuration Manager on computers.
For the steps to set up and install this certificate, see Deploy the client certificate for Windows computers in this topic.

Certificate requirement: Client certificate for distribution points
Certificate description: This certificate has two purposes:
The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to a HTTPS-enabled management point during the deployment of the operating system.
For the steps to set up and install this certificate, see Deploy the client certificate for distribution points in this topic.

Certificate requirement: Enrollment certificate for mobile devices
Certificate description: This certificate is used to authenticate Configuration Manager mobile device clients to site systems that are set up to use HTTPS. It must be installed as part of mobile device enrollment in Configuration Manager, and you choose the configured certificate template as a mobile device client setting.
For the steps to set up this certificate, see Deploy the enrollment certificate for mobile devices in this topic.

Certificate requirement: Client certificate for Mac computers
Certificate description: You can request and install this certificate from a Mac computer when you use Configuration Manager enrollment and choose the configured certificate template as a mobile device client setting.
For the steps to set up this certificate, see Deploy the client certificate for Mac computers in this topic.

Deploy the web server certificate for site systems that run IIS
This certificate deployment has the following procedures:
Create and issue the web server certificate template on the certification authority
Request the web server certificate
Configure IIS to use the web server certificate
Create and issue the web server certificate template on the certification authority
This procedure creates a certificate template for Configuration Manager site systems and adds it to the
certification authority.
To create and issue the web server certificate template on the certification authority

1. Create a security group named ConfigMgr IIS Servers that has the member servers to install Configuration Manager site systems that will run IIS.
2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and then choose Manage to load the Certificate Templates console.
3. In the results pane, right-click the entry that has Web Server in the Template Display Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then choose OK.

IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a template name, like ConfigMgr Web Server Certificate, to generate the web certificates that will be used on Configuration Manager site systems.
6. Choose the Subject Name tab, and make sure that Supply in the request is selected.
7. Choose the Security tab, and then remove the Enroll permission from the Domain Admins and Enterprise Admins security groups.
8. Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.
9. Choose the Enroll permission for this group, and do not clear the Read permission.
10. Choose OK, and then close the Certificate Templates Console.
11. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Web Server Certificate, and then choose OK.
13. If you do not need to create and issue more certificates, close Certification Authority.
Request the web server certificate
This procedure lets you specify the intranet and internet FQDN values that will be set up in the site system
server properties and then installs the web server certificate on to the member server that runs IIS.
To request the web server certificate

1. Restart the member server that runs IIS to ensure that the computer can access the certificate template that you created by using the Read and Enroll permissions that you configured.
2. Choose Start, choose Run, and then type mmc.exe. In the empty console, choose File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New Certificate.
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of available certificates, and then choose More information is required to enroll for this certificate. Click here to configure settings.
12. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, choose the Type drop-down list, and then choose DNS.
13. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then choose OK to close the Certificate Properties dialog box.
Examples:
If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is server1.internal.contoso.com, enter server1.internal.contoso.com, and then choose Add.
If the site system will accept client connections from the intranet and the internet, and the intranet FQDN of the site system server is server1.internal.contoso.com and the internet FQDN of the site system server is server.contoso.com:
a. Enter server1.internal.contoso.com, and then choose Add.
b. Enter server.contoso.com, and then choose Add.

NOTE
You can specify the FQDNs for Configuration Manager in any order. However, check that all devices that will use the certificate, such as mobile devices and proxy web servers, can use a certificate subject alternative name (SAN) and multiple values in the SAN. If devices have limited support for SAN values in certificates, you might have to change the order of the FQDNs or use the Subject value instead.

14. On the Request Certificates page, choose ConfigMgr Web Server Certificate from the list of available certificates, and then choose Enroll.
15. On the Certificates Installation Results page, wait until the certificate is installed, and then choose Finish.
16. Close Certificates (Local Computer).
Configure IIS to use the web server certificate
This procedure binds the installed certificate to the IIS Default Web Site .
To set up IIS to use the web server certificate

1. On the member server that has IIS installed, choose Start, choose Programs, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.
2. Expand Sites, right-click Default Web Site, and then choose Edit Bindings.
3. Choose the https entry, and then choose Edit.
4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then choose OK.

NOTE
If you are not sure which is the correct certificate, choose one, and then choose View. This lets you compare the selected certificate details to the certificates in the Certificates snap-in. For example, the Certificates snap-in shows the certificate template that was used to request the certificate. You can then compare the certificate thumbprint of the certificate that was requested by using the ConfigMgr Web Server Certificates template to the certificate thumbprint of the certificate currently selected in the Edit Site Binding dialog box.

5. Choose OK in the Edit Site Binding dialog box, and then choose Close.
6. Close Internet Information Services (IIS) Manager.
The member server is now set up with a Configuration Manager web server certificate.

IMPORTANT
When you install the Configuration Manager site system server on this computer, make sure that you specify the same
FQDNs in the site system properties as you specified when you requested the certificate.

Deploy the service certificate for cloud-based distribution points

This certificate deployment has the following procedures:
Create and issue a custom web server certificate template on the certification authority
Request the custom web server certificate
Export the custom web server certificate for cloud-based distribution points
Create and issue a custom web server certificate template on the certification authority
This procedure creates a custom certificate template that is based on the web server certificate template. The
certificate is for Configuration Manager cloud-based distribution points and the private key must be exportable.
After the certificate template is created, it is added to the certification authority.

NOTE
This procedure uses a different certificate template from the web server certificate template that you created for site
systems that run IIS. Although both certificates require server authentication capability, the certificate for cloud-based
distribution points requires you to enter a custom-defined value for the Subject Name and the private key must be
exported. As a security best practice, do not set up certificate templates so that the private key can be exported unless
this configuration is required. The cloud-based distribution point requires this configuration because you must import the
certificate as a file, rather than choose it from the certificate store.
When you create a new certificate template for this certificate, you can restrict the computers that can request a
certificate whose private key can be exported. On a production network, you might also consider adding the following
changes for this certificate:
Require approval to install the certificate for additional security.
Increase the certificate validity period. Because you must export and import the certificate each time before it
expires, an increase of the validity period reduces how often you must repeat this procedure. However, an
increase of the validity period also decreases the security of the certificate because it provides more time for an
attacker to decrypt the private key and steal the certificate.
Use a custom value in the certificate Subject Alternative Name (SAN) to help identify this certificate from
standard web server certificates that you use with IIS.

To create and issue the custom web server certificate template on the certification authority

1. Create a security group named ConfigMgr Site Servers that has the member servers to install Configuration Manager primary site servers that will manage cloud-based distribution points.
2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then choose Manage to load the Certificate Templates management console.
3. In the results pane, right-click the entry that has Web Server in the Template Display Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then choose OK.

IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a template name, like ConfigMgr Cloud-Based Distribution Point Certificate, to generate the web server certificate for cloud-based distribution points.
6. Choose the Request Handling tab, and then choose Allow private key to be exported.
7. Choose the Security tab, and then remove the Enroll permission from the Enterprise Admins security group.
8. Choose Add, enter ConfigMgr Site Servers in the text box, and then choose OK.
9. Select the Enroll permission for this group, and do not clear the Read permission.
10. Choose the Cryptography tab and ensure that Minimum key size has been set to 2048.
11. Choose OK, and then close Certificate Templates Console.
12. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
13. In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Cloud-Based Distribution Point Certificate, and then choose OK.
14. If you do not have to create and issue more certificates, close Certification Authority.
Request the custom web server certificate
This procedure requests and then installs the custom web server certificate on the member server that will run
the site server.
To request the custom web server certificate

1. Restart the member server after you create and configure the ConfigMgr Site Servers security group to ensure that the computer can access the certificate template that you created by using the Read and Enroll permissions that you configured.
2. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New Certificate.
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Cloud-Based Distribution Point Certificate from the list of available certificates, and then choose More information is required to enroll for this certificate. Click here to configure settings.
12. In the Certificate Properties dialog box, in the Subject tab, for the Subject name, choose Common name as the Type.
13. In the Value box, specify your choice of service name and your domain name by using an FQDN format. For example: clouddp1.contoso.com.

NOTE
Make the service name unique in your namespace. You will use DNS to create an alias (CNAME record) to map this service name to an automatically generated identifier (GUID) and an IP address from Windows Azure.

14. Choose Add, and then choose OK to close the Certificate Properties dialog box.
15. On the Request Certificates page, choose ConfigMgr Cloud-Based Distribution Point Certificate from the list of available certificates, and then choose Enroll.
16. On the Certificates Installation Results page, wait until the certificate is installed, and then choose Finish.
17. Close Certificates (Local Computer).
Export the custom web server certificate for cloud-based distribution points
This procedure exports the custom web server certificate to a file, so that it can be imported when you create
the cloud-based distribution point.
To export the custom web server certificate for cloud-based distribution points

1. In the Certificates (Local Computer) console, right-click the certificate that you just installed, choose All Tasks, and then choose Export.
2. In the Certificates Export Wizard, choose Next.
3. On the Export Private Key page, choose Yes, export the private key, and then choose Next.

NOTE
If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must set up the certificate template so that the private key can be exported, and then request the certificate again.

4. On the Export File Format page, ensure that the Personal Information Exchange - PKCS #12 (.PFX) option is selected.
5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then choose Next.
6. On the File to Export page, specify the name of the file that you want to export, and then choose Next.
7. To close the wizard, choose Finish in the Certificate Export Wizard page, and then choose OK in the confirmation dialog box.
8. Close Certificates (Local Computer).
9. Store the file securely and ensure that you can access it from the Configuration Manager console.
The certificate is now ready to be imported when you create a cloud-based distribution point.

Deploy the client certificate for Windows computers

This certificate deployment has the following procedures:
Create and issue the Workstation Authentication certificate template on the certification authority
Configure autoenrollment of the Workstation Authentication template by using Group Policy
Automatically enroll the Workstation Authentication certificate and verify its installation on computers
Create and issue the Workstation Authentication certificate template on the certification authority
This procedure creates a certificate template for Configuration Manager client computers and adds it to the
certification authority.
To create and issue the Workstation Authentication certificate template on the certification authority

1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then choose Manage to load the Certificate Templates management console.
2. In the results pane, right-click the entry that has Workstation Authentication in the Template Display Name column, and then choose Duplicate Template.
3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then choose OK.

IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition.

4. In the Properties of New Template dialog box, on the General tab, enter a template name, like ConfigMgr Client Certificate, to generate the client certificates that will be used on Configuration Manager client computers.
5. Choose the Security tab, select the Domain Computers group, and then select the additional permissions of Read and Autoenroll. Do not clear Enroll.
6. Choose OK, and then close Certificate Templates Console.
7. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
8. In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Client Certificate, and then choose OK.
9. If you do not need to create and issue more certificates, close Certification Authority.
Configure autoenrollment of the Workstation Authentication template by using Group Policy
This procedure sets up Group Policy to autoenroll the client certificate on computers.
To set up autoenrollment of the Workstation Authentication template by using Group Policy

1. On the domain controller, choose Start, choose Administrative Tools, and then choose Group Policy Management.
2. Go to your domain, right-click the domain, and then choose Create a GPO in this domain, and Link it here.

NOTE
This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. When you assign this Group Policy at the domain level, you will apply it to all computers in the domain. In a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers. You can assign the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is set up as the management point.

3. In the New GPO dialog box, enter a name, like Autoenroll Certificates, for the new Group Policy, and then choose OK.
4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then choose Edit.
5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then go to Windows Settings / Security Settings / Public Key Policies.
6. Right-click the object type named Certificate Services Client - Auto-enrollment, and then choose Properties.
7. From the Configuration Model drop-down list, choose Enabled, choose Renew expired certificates, update pending certificates, remove revoked certificates, choose Update certificates that use certificate templates, and then choose OK.
8. Close Group Policy Management.
Automatically enroll the Workstation Authentication certificate and verify its installation on computers
This procedure installs the client certificate on computers and verifies the installation.
To automatically enroll the Workstation Authentication certificate and verify its installation on the client computer

1. Restart the workstation computer, and wait a few minutes before you sign in.

NOTE
Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.

2. Sign in with an account that has administrative privileges.
3. In the search box, enter mmc.exe, and then press Enter.
4. In the empty management console, choose File, and then choose Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins, and then choose Add.
6. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then choose Finish.
8. In the Add or Remove Snap-ins dialog box, choose OK.
9. In the console, expand Certificates (Local Computer), expand Personal, and then choose Certificates.
10. In the results pane, confirm that a certificate has Client Authentication in the Intended Purpose column, and that ConfigMgr Client Certificate is in the Certificate Template column.
11. Close Certificates (Local Computer).
12. Repeat steps 1 through 11 for the member server to verify that the server that will be set up as the management point also has a client certificate.
The computer is now set up with a Configuration Manager client certificate.
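The following PowerShell is an added example, not code from the Microsoft documentation on this page. It automates the checks the snap-in procedures above perform by hand, for both the web server certificate (the SAN DNS names you entered when requesting it) and the client certificate (Client Authentication intended purpose and the ConfigMgr Client Certificate template), against the requirements this topic lists, and exports a certificate as DER (.cer) and optionally PKCS #12 (.pfx) as the later export procedures describe. It assumes Windows PowerShell 5.1 with the PKI module (Windows Server 2012 or later); the function names are the author's own and the template names and FQDNs are the placeholders used in this topic.

```powershell
# Added example; this is not code from the Microsoft documentation reproduced on this page.
# It checks certificates in the local computer's Personal store against the requirements
# this topic describes (expected template, Enhanced Key Usage, key length of at most
# 2048 bits, SAN DNS names for the web server certificate, private key present) and
# exports a certificate in the DER (.cer) and, optionally, PKCS #12 (.pfx) formats.
# Assumes Windows PowerShell 5.1 with the PKI module (Windows Server 2012 or later);
# function names are the author's own and the template/FQDN values are placeholders.

$script:EkuByPurpose = @{
    Client = '1.3.6.1.5.5.7.3.2'   # Client Authentication, as listed in the requirements
    Server = '1.3.6.1.5.5.7.3.1'   # Server Authentication (web server certificate)
}

function Get-CertificateTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # An enterprise CA records the template in one of two extensions:
    # 1.3.6.1.4.1.311.21.7 (Certificate Template Information, v2 and later templates)
    # or 1.3.6.1.4.1.311.20.2 (Certificate Template Name, v1 templates).
    # Assumption: on a domain-joined machine Format() resolves the display name,
    # for example "Template=ConfigMgr Client Certificate(1.3.6.1.4.1.311.21.8...)".
    $ext = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
    if (-not $ext) { return $null }
    return (@($ext) | ForEach-Object { $_.Format($false) }) -join '; '
}

function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject Alternative Name extension (2.5.29.17). Format() renders entries as
    # "DNS Name=server1.internal.contoso.com, DNS Name=server.contoso.com".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    return @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
}

function Test-ConfigMgrCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Purpose,
        [string[]]$ExpectedDnsName = @(),   # SAN values the web server certificate must carry
        [int]$MaxKeyLength = 2048           # maximum supported key length from this topic
    )
    $requiredEku = $script:EkuByPurpose[$Purpose]
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $templateText = Get-CertificateTemplateText -Certificate $cert
        if (-not $templateText -or $templateText -notlike "*$TemplateName*") { continue }

        # Enhanced Key Usage: the certificate must list the purpose it is used for.
        $ekus = @()
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Key length: the requirements cap the supported key length at 2048 bits.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keySize = if ($rsa) { $rsa.KeySize } else { 0 }

        # SAN DNS names: every FQDN entered in the site system properties must be present.
        $dns = Get-SanDnsName -Certificate $cert
        $missingDns = @($ExpectedDnsName | Where-Object { $_ -notin $dns })

        $result = [ordered]@{
            Thumbprint     = $cert.Thumbprint
            Template       = $templateText
            HasRequiredEku = $ekus -contains $requiredEku
            KeySize        = $keySize
            KeyLengthOk    = ($keySize -gt 0) -and ($keySize -le $MaxKeyLength)
            MissingDnsName = $missingDns
            HasPrivateKey  = $cert.HasPrivateKey
            NotExpired     = $cert.NotAfter -gt (Get-Date)
        }
        $result.Passed = $result.HasRequiredEku -and $result.KeyLengthOk -and
                         ($missingDns.Count -eq 0) -and $result.HasPrivateKey -and $result.NotExpired
        [pscustomobject]$result
    }
}

function Export-ConfigMgrCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutputFolder,
        [securestring]$PfxPassword   # supply only when the private key must be exported
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    # DER-encoded binary X.509 is the format the requirements call for; Base64 is not supported.
    Export-Certificate -Cert $cert -FilePath (Join-Path $OutputFolder "$Thumbprint.cer") -Type CERT | Out-Null
    if ($PfxPassword) {
        # PKCS #12 export with the private key, as in the cloud-based distribution point and
        # distribution point procedures; this fails unless the template allowed key export.
        Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutputFolder "$Thumbprint.pfx") `
            -Password $PfxPassword | Out-Null
    }
}

# Web server certificate requested in this topic: both FQDNs must be present as SAN DNS names.
Test-ConfigMgrCertificate -TemplateName 'ConfigMgr Web Server Certificate' -Purpose Server `
    -ExpectedDnsName 'server1.internal.contoso.com', 'server.contoso.com'
# Client certificate autoenrolled through the Autoenroll Certificates Group Policy.
Test-ConfigMgrCertificate -TemplateName 'ConfigMgr Client Certificate' -Purpose Client
```

Run it in an elevated session on the server or workstation being checked; a Passed value of False with a non-empty MissingDnsName or HasRequiredEku of False points at the request or template step to revisit.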

Deploy the client certificate for distribution points

NOTE
This certificate can also be used for media images that do not use PXE boot, because the certificate requirements are the same.

This certificate deployment has the following procedures:
Create and issue a custom Workstation Authentication certificate template on the certification authority
Request the custom Workstation Authentication certificate
Export the client certificate for distribution points
Create and issue a custom Workstation Authentication certificate template on the certification authority
This procedure creates a custom certificate template for Configuration Manager distribution points so that the
private key can be exported and adds the certificate template to the certification authority.

NOTE
This procedure uses a different certificate template from the certificate template that you created for client computers.
Although both certificates require client authentication capability, the certificate for distribution points requires that the
private key is exported. As a security best practice, do not set up certificate templates so the private key can be exported
unless this configuration is required. The distribution point requires this configuration because you must import the
certificate as a file rather than choose it from the certificate store.
When you create a new certificate template for this certificate, you can restrict the computers that can request a
certificate whose private key can be exported. In our example deployment, this will be the security group that you
previously created for Configuration Manager site system servers that run IIS. On a production network that distributes
the IIS site system roles, consider creating a new security group for the servers that run distribution points so that you
can restrict the certificate to just these site system servers. You might also consider adding the following modifications for
this certificate:
Require approval to install the certificate for additional security.
Increase the certificate validity period. Because you must export and import the certificate each time before it
expires, an increase of the validity period reduces how often you must repeat this procedure. However, an
increase of the validity period also decreases the security of the certificate because it provides more time for an
attacker to decrypt the private key and steal the certificate.
Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to help identify this
certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for
multiple distribution points.

To create and issue the custom Workstation Authentication certificate template on the certification authority

1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then choose Manage to load the Certificate Templates management console.
2. In the results pane, right-click the entry that has Workstation Authentication in the Template Display Name column, and then choose Duplicate Template.
3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then choose OK.

IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition.

4. In the Properties of New Template dialog box, on the General tab, enter a template name, like ConfigMgr Client Distribution Point Certificate, to generate the client authentication certificate for distribution points.
5. Choose the Request Handling tab, and then choose Allow private key to be exported.
6. Choose the Security tab, and then remove the Enroll permission from the Enterprise Admins security group.
7. Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.
8. Select the Enroll permission for this group, and do not clear the Read permission.
9. Choose OK, and then close Certificate Templates Console.
10. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
11. In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Client Distribution Point Certificate, and then choose OK.
12. If you do not have to create and issue more certificates, close Certification Authority.
Request the custom Workstation Authentication certificate
This procedure requests and then installs the custom client certificate on to the member server that runs IIS and
that will be set up as a distribution point.
To request the custom Workstation Authentication certificate

1. Choose Start, choose Run, and then enter mmc.exe. In the empty console, choose File, and then choose
Add/Remove Snap-in.
2. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins,
and then choose Add.
3. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
4. In the Select Computer dialog box, ensure that Local computer: (the computer this console is
running on) is selected, and then choose Finish.
5. In the Add or Remove Snap-ins dialog box, choose OK.
6. In the console, expand Certificates (Local Computer), and then choose Personal.
7. Right-click Certificates, choose All Tasks, and then choose Request New Certificate.
8. On the Before You Begin page, choose Next.
9. If you see the Select Certificate Enrollment Policy page, choose Next.
10. On the Request Certificates page, choose ConfigMgr Client Distribution Point Certificate from
the list of available certificates, and then choose Enroll.
11. On the Certificates Installation Results page, wait until the certificate is installed, and then choose
Finish.
12. In the results pane, confirm that a certificate has Client Authentication in the Intended Purpose
column and that ConfigMgr Client Distribution Point Certificate is in the Certificate Template
column.
13. Do not close Certificates (Local Computer).
Export the client certificate for distribution points
This procedure exports the custom Workstation Authentication certificate to a file so that it can be imported in
the distribution point properties.
To export the client certificate for distribution points

1. In the Certificates (Local Computer) console, right-click the certificate that you just installed, choose
All Tasks, and then choose Export.
2. In the Certificates Export Wizard, choose Next.
3. On the Export Private Key page, choose Yes, export the private key, and then choose Next.

NOTE
If this option is not available, the certificate has been created without the option to export the private key. In this
scenario, you cannot export the certificate in the required format. You must set up the certificate template so that
the private key can be exported and then request the certificate again.

4. On the Export File Format page, ensure that the Personal Information Exchange - PKCS #12
(.PFX) option is selected.
5. On the Password page, specify a strong password to protect the exported certificate with its private key,
and then choose Next.
6. On the File to Export page, specify the name of the file that you want to export, and then choose Next.
7. To close the wizard, choose Finish on the Certificate Export Wizard page, and choose OK in the
confirmation dialog box.
8. Close Certificates (Local Computer).
9. Store the file securely and ensure that you can access it from the Configuration Manager console.
The certificate is now ready to be imported when you set up the distribution point.

TIP
You can use the same certificate file when you set up media images for an operating system deployment that does not
use PXE boot, and the task sequence to install the image must contact a management point that requires HTTPS client
connections.
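The request and export procedures above can also be done from PowerShell on the IIS server. The script below is an added example, not code from the Configuration Manager documentation: it enrolls against the template, verifies that the issued certificate carries the Client Authentication purpose and has a private key, exports it to a password-protected PFX, and restricts the file's ACL until it is imported. It assumes the template's internal name is ConfigMgrClientDistributionPointCertificate (the display name with spaces removed, which the Certificate Templates console generates by default) and uses C:\Certs\DP-ClientAuth.pfx as a placeholder path. Creating the template on the CA itself remains the console task described above.

```powershell
# Added example: enroll the custom Workstation Authentication certificate and
# export it as PFX for the distribution point. Run in an elevated session on the
# IIS server that will become the distribution point (it must be a member of the
# group granted Enroll on the template, ConfigMgr IIS Servers in the procedure).
$templateName = 'ConfigMgrClientDistributionPointCertificate'   # assumed internal template name
$pfxPath      = 'C:\Certs\DP-ClientAuth.pfx'                      # placeholder path

# 1. Request and install the certificate from the enterprise CA (AD enrollment policy).
$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete; status is '$($result.Status)'. Check Enroll/Read on the template."
}
$cert = $result.Certificate

# 2. Mirror the checks the console procedure asks for before anything is exported.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
    throw 'Issued certificate lacks the Client Authentication purpose; the wrong template was duplicated.'
}
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with the certificate in the local machine store.'
}
# The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the template.
$templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
if ($templateExt) { Write-Host "Template: $($templateExt.Format($false))" }
Write-Host "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"

# 3. Export with the private key. This fails if the template did not allow export,
#    which is the same condition the NOTE in the export procedure describes.
New-Item -ItemType Directory -Path (Split-Path -Parent $pfxPath) -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null

# 4. Store it securely: drop inherited ACEs and leave only Administrators and SYSTEM.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl
Write-Host "Exported to $pfxPath; import it in the distribution point properties, then delete the file."
```

The EKU check is the programmatic form of step 12 of the request procedure (Client Authentication in the Intended Purpose column); if the Authenticated Session template was duplicated by mistake instead of Workstation Authentication, the script stops before a PFX with a private key is written.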

Deploy the enrollment certificate for mobile devices


This certificate deployment has a single procedure to create and issue the enrollment certificate template on the
certification authority.
Create and issue the enrollment certificate template on the certification authority
This procedure creates an enrollment certificate template for Configuration Manager mobile devices and adds it
to the certification authority.
To create and issue the enrollment certificate template on the certification authority

1. Create a security group that has users who will enroll mobile devices in Configuration Manager.
2. On the member server that has Certificate Services installed, in the Certification Authority console,
right-click Certificate Templates, and then choose Manage to load the Certificate Templates management
console.
3. In the results pane, right-click the entry that has Authenticated Session in the Template Display
Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is
selected, and then choose OK.

IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a template name, like
ConfigMgr Mobile Device Enrollment Certificate, to generate the enrollment certificates for the
mobile devices to be managed by Configuration Manager.
6. Choose the Subject Name tab, make sure that Build from this Active Directory information is
selected, select Common name for the Subject name format, and then clear User principal name
(UPN) from Include this information in alternate subject name.
7. Choose the Security tab, choose the security group that has users who have mobile devices to enroll,
and then choose the additional permission of Enroll. Do not clear Read.
8. Choose OK, and then close Certificate Templates Console.
9. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose
Certificate Template to Issue.
10. In the Enable Certificate Templates dialog box, choose the new template that you just created,
ConfigMgr Mobile Device Enrollment Certificate, and then choose OK.
11. If you do not need to create and issue more certificates, close the Certification Authority console.
The mobile device enrollment certificate template is now ready to be selected when you set up a mobile
device enrollment profile in the client settings.

Deploy the client certificate for Mac computers


This certificate deployment has a single procedure to create and issue the enrollment certificate template on the
certification authority.
Create and issue a Mac client certificate template on the certification authority
This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the
certificate template to the certification authority.

NOTE
This procedure uses a different certificate template from the certificate template that you might have created for Windows
client computers or for distribution points.
When you create a new certificate template for this certificate, you can restrict the certificate request to authorized users.

To create and issue the Mac client certificate template on the certification authority

1. Create a security group that has user accounts for administrative users who will enroll the certificate on
the Mac computer by using Configuration Manager.
2. On the member server that is running the Certification Authority console, right-click Certificate
Templates, and then choose Manage to load the Certificate Templates management console.
3. In the results pane, right-click the entry that displays Authenticated Session in the Template Display
Name column, and then choose Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is
selected, and then choose OK.

IMPORTANT
Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a template name, like
ConfigMgr Mac Client Certificate, to generate the Mac client certificate.
6. Choose the Subject Name tab, make sure that Build from this Active Directory information is
selected, choose Common name for the Subject name format, and then clear User principal name
(UPN) from Include this information in alternate subject name.
7. Choose the Security tab, and then remove the Enroll permission from the Domain Admins and
Enterprise Admins security groups.
8. Choose Add, specify the security group that you created in step 1, and then choose OK.
9. Choose the Enroll permission for this group, and do not clear the Read permission.
10. Choose OK, and then close Certificate Templates Console.
11. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose
Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, choose the new template that you just created,
ConfigMgr Mac Client Certificate, and then choose OK.
13. If you do not have to create and issue more certificates, close Certification Authority.
The Mac client certificate template is now ready to be selected when you set up client settings for
enrollment.
Additional information about privacy for Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)

Updates and servicing


Configuration Manager uses an update model that helps keep your environment current with the latest updates
and features. This feature uses a site system role called the service connection point. You choose the server
where to install this role.
For more information about collected information and how it's used, see Usage data.

Usage data
Configuration Manager collects diagnostics and usage data about itself, which Microsoft uses to improve the
installation experience, quality, and security of future releases. Diagnostics and usage data is enabled for each
Configuration Manager hierarchy. It consists of SQL Server queries that run on a weekly basis on each primary
site and at the central administration site. When the hierarchy uses a central administration site, the data from
primary sites is then replicated to that site. At the top-level site of your hierarchy, the service connection point
submits this information when it checks for updates. If the service connection point is in offline mode, the
information is transferred by using the service connection tool.
Configuration Manager collects data only from the site's SQL Server database, and it doesn't collect data directly
from clients or site servers.
Administrators can change the level of data that's collected by going to the Usage Data section of the
Configuration Manager console.
For more information about usage data levels and settings, see Diagnostics and usage data.

Log Analytics Connector


The Log Analytics Connector syncs data, such as collections, from Configuration Manager to the Azure cloud
service. The Azure subscription ID and secret key are stored in the Configuration Manager database when an
admin configures the feature. Both the Azure Active Directory client secret and the Azure workspace shared key
are stored in the on-premises Configuration Manager database. All communications between Configuration
Manager and Azure use HTTPS. No additional information about the collections is provided to Microsoft outside
of randomized diagnostics and usage data.
For more information about the information that Log Analytics collects, see Log analytics data security.

Asset Intelligence
Asset Intelligence lets administrators define, track, and proactively manage conformity with configuration
standards. Metering and reporting on the deployment and use of both physical and virtual applications helps
organizations make better business decisions about software licensing and maintain compliance with licensing
agreements. After collecting usage data from Configuration Manager clients, you can use different features to
view the data, including collections, queries, and reporting.
During each synchronization, a catalog of known software is downloaded from Microsoft. You can choose to
send Microsoft information about uncategorized software titles that are discovered within your organization to
be researched and added to the catalog. Prior to uploading this information, a dialog box shows data that's
going to be uploaded. Uploaded data can't be recalled. Asset Intelligence doesn't send information about users
and computers or license usage to Microsoft.
After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge
available to all other customers who use this feature and other consumers of the catalog. Any uploaded
software title becomes public. The application and its categorization become part of the catalog and then can be
downloaded to other consumers of the catalog. Before you configure Asset Intelligence data collection and
decide whether to submit information to Microsoft, consider the privacy requirements of your organization.
Asset Intelligence isn't enabled by default in Configuration Manager. Uploading uncategorized titles never occurs
automatically, and the system isn't designed to automate this task. You must manually select and approve the
upload of each software title.

Endpoint Protection
Microsoft Cloud Protection Service was formerly known as Microsoft Active Protection Service or MAPS.
The applicable products are System Center Endpoint Protection and the Endpoint Protection feature of
Configuration Manager (to manage System Center Endpoint Protection and Windows Defender for Windows 10
or later).
The Microsoft Cloud Protection Service antimalware community is a voluntary worldwide online community
that includes System Center Endpoint Protection users. When you join Microsoft Cloud Protection Service,
System Center Endpoint Protection automatically sends information to Microsoft. Microsoft uses the
information to determine software to investigate for potential threats and to help improve the effectiveness of
System Center Endpoint Protection. This community helps stop the spread of new malicious software infections.
If a Microsoft Cloud Protection Service report includes details about malware or potentially unwanted software
that the Endpoint Protection client may be able to remove, Microsoft Cloud Protection Service downloads the
latest signature to address it. Microsoft Cloud Protection Service can also find "false positives" and fix them.
(False positives are where something originally identified as malware turns out not to be.)
Microsoft Cloud Protection Service reports include information about potential malware files, like file names,
cryptographic hash, vendor, size, and date stamps. In addition, Microsoft Cloud Protection Service might collect
full URLs to indicate the origin of the file. These URLs might occasionally have personal information like search
terms or data that was entered in forms. Reports might also include actions that you took when Endpoint
Protection notified you about unwanted software. Microsoft Cloud Protection Service reports include this
information to help Microsoft gauge how effectively Endpoint Protection can detect and remove malware and
potentially unwanted software and to attempt to identify new malware.
You can join Microsoft Cloud Protection Service if you have a basic or advanced membership. Basic member
reports have the information described previously. Advanced member reports are more comprehensive and
may include additional details about the software that Endpoint Protection detects, like the location of such
software, file names, how the software operates, and how it has affected your computer. These reports and
reports from other Endpoint Protection users who participate in Microsoft Cloud Protection Service help
Microsoft researchers discover new threats more rapidly. Malware definitions are then created for programs
that meet the analysis criteria, and the updated definitions are made available to all users through Microsoft
Update.
To help detect and fix certain kinds of malware infections, the product regularly sends Microsoft Cloud
Protection Service information about the security state of your PC. This information includes information about
your PC's security settings and log files that describe the drivers and other software that load while your PC
boots.
A number that uniquely identifies your PC is also sent. Also, Microsoft Cloud Protection Service may collect the
IP addresses that the potential malware files connect to.
Microsoft Cloud Protection Service reports are used to improve Microsoft software and services. The reports
might also be used for statistical or other testing or analytical purposes and to generate definitions. Only
Microsoft employees, contractors, partners, and vendors who have a business need to use the reports can
access them.
Microsoft Cloud Protection Service does not intentionally collect personal information. To the extent that
Microsoft Cloud Protection Service collects any personal information, Microsoft does not use the information to
identify you or contact you.
For more information, see Endpoint Protection.

Site Hierarchy – Geographical View with Bing Maps


IMPORTANT
Starting in August 2020, this feature is deprecated. Use the Hierarchy Diagram option.

In the Configuration Manager console, go to the Monitoring workspace, select the Site Hierarchy node, and
switch to the Geographical View . This view lets you use maps that Microsoft Bing Maps provides to view your
Configuration Manager physical server topology. To enable this feature, location information that you provide is
sent from your server to the Bing Maps Web service.
Microsoft uses the information to operate and improve Microsoft Bing Maps and other Microsoft sites and
services. For more information, see the Microsoft Privacy Statement.
You can choose not to use the Geographical View for the Site Hierarchy. The default Hierarchy Diagram view lets
you see the hierarchy and doesn't use the Bing Maps service.
How to enable TLS 1.2
2/16/2022

Applies to: Configuration Manager (Current Branch)


Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data
secure when being transferred over a network. These articles describe steps required to ensure that
Configuration Manager secure communication uses the TLS 1.2 protocol. These articles also describe update
requirements for commonly used components and troubleshooting common problems.

Enabling TLS 1.2


Configuration Manager relies on many different components for secure communication. The protocol that's
used for a given connection depends on the capabilities of the relevant components on both the client and
server side. If any component is out-of-date or not properly configured, the communication might use an older,
less secure protocol. To correctly enable Configuration Manager to support TLS 1.2 for all secure
communications, you must enable TLS 1.2 for all required components. The required components depend on
your environment and the Configuration Manager features that you use.

IMPORTANT
Start this process with the clients, especially previous versions of Windows. Before enabling TLS 1.2 and disabling the older
protocols on the Configuration Manager servers, make sure that all clients support TLS 1.2. Otherwise, the clients can't
communicate with the servers and can be orphaned.

Tasks for Configuration Manager clients, site servers, and remote site systems
To enable TLS 1.2 for components that Configuration Manager depends on for secure communication, you'll
need to do multiple tasks on both the clients and the site servers.
Enable TLS 1.2 for Configuration Manager clients
  - Update Windows and WinHTTP on Windows 8.0, Windows Server 2012 (non-R2) and earlier
  - Ensure that TLS 1.2 is enabled as a protocol for SChannel at the OS level
  - Update and configure the .NET Framework to support TLS 1.2
Enable TLS 1.2 for Configuration Manager site servers and remote site systems
  - Ensure that TLS 1.2 is enabled as a protocol for SChannel at the OS level
  - Update and configure the .NET Framework to support TLS 1.2
  - Update SQL Server and the SQL Server Native Client
  - Update Windows Server Update Services (WSUS)

Features and scenario dependencies


This section describes the dependencies for specific Configuration Manager features and scenarios. To
determine the next steps, locate the items that apply to your environment.
FEATURE OR SCENARIO                                UPDATE TASKS

Site servers (central, primary, or secondary)      - Update .NET Framework
                                                   - Verify strong cryptography settings

Site database server                               Update SQL Server and its client components

Secondary site servers                             Update SQL Server and its client components to a compliant
                                                   version of SQL Server Express

Site system roles                                  - Update .NET Framework and verify strong cryptography
                                                     settings
                                                   - Update SQL Server and its client components on roles that
                                                     require it, including the SQL Server Native Client

Reporting services point                           - Update .NET Framework on the site server, the SQL Server
                                                     Reporting Services servers, and any computer with the
                                                     console
                                                   - Restart the SMS_Executive service as necessary

Software update point                              Update WSUS

Cloud management gateway                           Enforce TLS 1.2

Configuration Manager console                      - Update .NET Framework
                                                   - Verify strong cryptography settings

Configuration Manager client with HTTPS            Update Windows to support TLS 1.2 for client-server
site system roles                                  communications by using WinHTTP

Software Center                                    - Update .NET Framework
                                                   - Verify strong cryptography settings

Windows 7 clients                                  Before you enable TLS 1.2 on any server components,
                                                   update Windows to support TLS 1.2 for client-server
                                                   communications by using WinHTTP. If you enable TLS 1.2 on
                                                   server components first, you can orphan earlier versions of
                                                   clients.

Frequently asked questions


Why use TLS 1.2 with Configuration Manager?
TLS 1.2 is more secure than the previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1.
Essentially, TLS 1.2 keeps data being transferred across the network more secure.
Where does Configuration Manager use encryption protocols like TLS 1.2?
There are five main areas in which Configuration Manager uses encryption protocols like TLS 1.2:
- Client communications to IIS-based site system roles when the role is configured to use HTTPS. Examples of
  these roles include distribution points, software update points, and management points.
- Management point, SMS Executive, and SMS Provider communications with SQL Server. Configuration Manager
  always encrypts SQL Server communications.
- Site server to WSUS communications if WSUS is configured to use HTTPS.
- The Configuration Manager console to SQL Server Reporting Services (SSRS) if SSRS is configured to use
  HTTPS.
- Any connections to internet-based services. Examples include the cloud management gateway (CMG), the
  service connection point sync, and sync of update metadata from Microsoft Update.
What determines which encryption protocol is used?
HTTPS always negotiates the highest protocol version that both the client and the server support. When
establishing a connection, the client sends the server a message that states its highest available protocol
version. If the server supports that version, it replies using that version, and the negotiated version is used for
the connection. If the server doesn't support the version the client presented, the server's reply specifies the
highest version it can use. For more information about the TLS handshake protocol, see Establishing a Secure
Session by using TLS.
What determines which protocol version the client and server can use?
Generally, the following items determine which protocol version is used:
- The application can dictate which specific protocol versions to negotiate.
  - Best practice is to avoid hard-coding specific protocol versions at the application level and to follow the
    configuration defined at the component and OS protocol level.
  - Configuration Manager follows this best practice.
- For applications written using the .NET Framework, the default protocol versions depend on the version of
  the framework they were compiled against.
  - .NET versions before 4.6.3 did not include TLS 1.1 and 1.2 in the list of protocols for negotiation by
    default.
- Applications that use WinHTTP for HTTPS communications, like the Configuration Manager client, depend on
  the OS version, patch level, and configuration for protocol version support.
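The negotiation described above can be verified against your own site systems rather than inferred from configuration. The PowerShell script below is an added example, not code from the Configuration Manager documentation: it offers a management point or distribution point one protocol version at a time through .NET's SslStream and reports which offers the server accepts, so you can confirm that TLS 1.2 is negotiated before you disable the older protocols, and afterwards that TLS 1.0 and 1.1 are refused. The host name mp01.contoso.example and the Test-TlsVersion function are assumptions; what the client side can offer is also limited by the OS and .NET patch level of the machine you run it from, which is the dependency the FAQ describes.

```powershell
# Added example: probe which TLS versions one of your own site systems accepts.
# $siteSystem is an assumed name; replace it with your management point or DP.
$siteSystem = 'mp01.contoso.example'
$port       = 443

function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The validation callback returns $true so that a lab certificate this machine
        # does not trust cannot mask the protocol result. This function only answers
        # "was this version negotiated?"; certificate trust is a separate check.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $ssl.RemoteCertificate.Subject
            Result     = 'accepted'
        }
    } catch {
        # A refusal may come from the server (protocol disabled) or from this client
        # (OS/.NET does not support the offered version); the message tells which.
        [pscustomobject]@{
            Offered    = $Protocol
            Negotiated = $null
            Cipher     = $null
            Subject    = $null
            Result     = 'refused: ' + $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

# Offer each legacy version and TLS 1.2 in turn. SSL 3.0 is left out on purpose:
# the article's guidance is to remove it with the SChannel disabled-protocols setting.
$report = foreach ($version in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName $siteSystem -Port $port -Protocol $version
}
$report | Format-Table -AutoSize

if (($report | Where-Object { $_.Offered -eq 'Tls12' }).Result -ne 'accepted') {
    Write-Warning "$siteSystem did not negotiate TLS 1.2; fix the server side before disabling older protocols."
}
if ($report | Where-Object { $_.Offered -ne 'Tls12' -and $_.Result -eq 'accepted' }) {
    Write-Warning "$siteSystem still accepts TLS 1.0/1.1; keep them only until every client is confirmed TLS 1.2 capable."
}
```

Run it once from a client of the oldest Windows version in the environment as well as from a current one: the first tells you whether that client population can reach the site system over TLS 1.2 at all, which is the ordering constraint the IMPORTANT note in this article insists on.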

Additional resources
Cryptographic controls technical reference
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server

Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers
How to enable TLS 1.2 on clients
2/16/2022

Applies to: Configuration Manager (Current Branch)


When enabling TLS 1.2 for your Configuration Manager environment, start by ensuring the clients are capable
and properly configured to use TLS 1.2 before enabling TLS 1.2 and disabling the older protocols on the site
servers and remote site systems. There are three tasks for enabling TLS 1.2 on clients:
Update Windows and WinHTTP
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
Update and configure the .NET Framework to support TLS 1.2
For more information about dependencies for specific Configuration Manager features and scenarios, see About
enabling TLS 1.2.

Update Windows and WinHTTP


Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016, and later versions of Windows
natively support TLS 1.2 for client-server communications over WinHTTP.
Earlier versions of Windows, such as Windows 7 or Windows Server 2012, don't enable TLS 1.1 or TLS 1.2 by
default for secure communications using WinHTTP. For these earlier versions of Windows, install Update
3140245, which adds support for the DefaultSecureProtocols registry value described below. That value adds
TLS 1.1 and TLS 1.2 to the default secure protocols list for WinHTTP. With the update installed, create the
following registry values:

IMPORTANT
Enable these settings on all clients running earlier versions of Windows before enabling TLS 1.2 and disabling the older
protocols on the Configuration Manager servers. Otherwise, you can inadvertently orphan them.

Verify the value of the DefaultSecureProtocols registry setting, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0

If you change this value, restart the computer.


The example above shows the value of 0xAA0 for the WinHTTP DefaultSecureProtocols setting. Update to
enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows lists the hexadecimal value for
each protocol. By default in Windows, this value is 0x0A0 to enable SSL 3.0 and TLS 1.0 for WinHTTP. The above
example keeps these defaults, and also enables TLS 1.1 and TLS 1.2 for WinHTTP. This configuration ensures that
the change doesn't break any other application that might still rely on SSL 3.0 or TLS 1.0. You can use the value
of 0xA00 to only enable TLS 1.1 and TLS 1.2. Configuration Manager supports the most secure protocol that
Windows negotiates between both devices.
If you want to completely disable SSL 3.0 and TLS 1.0, use the SChannel disabled protocols setting in Windows.
For more information, see Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
TLS 1.2 is enabled by default, so no change to these keys is needed to enable it. You can make changes
under Protocols to disable TLS 1.0 and TLS 1.1 after you've followed the rest of the guidance in these articles
and you've verified that the environment works when only TLS 1.2 is enabled.
Verify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry
subkey setting, as shown in Transport layer security (TLS) best practices with the .NET Framework.

Update and configure the .NET Framework to support TLS 1.2


Determine .NET version
First, determine the installed .NET versions. For more information, see Determine which versions and service
pack levels of .NET Framework are installed.
Install .NET updates
Install the .NET updates so you can enable strong cryptography. Some versions of .NET Framework might
require updates to enable strong cryptography. Use these guidelines:
.NET Framework 4.6.2 and later support TLS 1.1 and TLS 1.2. Confirm the registry settings, but no
additional changes are required.

NOTE
Starting in version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers,
specific site systems, clients, and the console. If possible in your environment, install the latest version of .NET
version 4.8.

Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For more information,
see .NET Framework versions and dependencies.
If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server 2012 R2, or Windows
Server 2012, it's highly recommended that you install the latest security updates for the .NET Framework
4.5.1 and 4.5.2 to ensure TLS 1.2 can be enabled properly.
For your reference, TLS 1.2 was first introduced into .NET Framework 4.5.1 and 4.5.2 with the following
hotfix rollups:
For Windows 8.1 and Server 2012 R2: Hotfix rollup 3099842
For Windows Server 2012: Hotfix rollup 3099844
Configure for strong cryptography
Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to
DWORD:00000001. This value disables the RC4 stream cipher and requires a restart. For more information about
this setting, see Microsoft Security Advisory 296038.
Make sure to set the following registry keys on any computer that communicates across the network with a TLS
1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the
site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit
OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

NOTE
The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting
allows .NET to use the OS configuration. For more information, see TLS best practices with the .NET Framework.
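The registry guidance in this article is spread over three sections (DefaultSecureProtocols for WinHTTP, the SchUseStrongCrypto and SystemDefaultTlsVersions values for .NET, and the SChannel Protocols subkey). The script below is an added PowerShell example, not part of the Configuration Manager documentation, that audits all of them on a client in one pass, decodes the WinHTTP bitmask into protocol names, and, only when run with an assumed -Apply switch, sets the values the article recommends (0xAA0, or 0xA00 with the assumed -OnlyTls11And12 switch). The same .NET keys apply on site servers and remote site systems. The bit values come from the update the article references (SSL 2.0 = 0x008, SSL 3.0 = 0x020, TLS 1.0 = 0x080, TLS 1.1 = 0x200, TLS 1.2 = 0x800).

```powershell
# Added example: audit (and optionally set) the client-side TLS 1.2 registry values
# described in this article. Without -Apply the script only reports. Run elevated;
# as the article says, restart the computer after any change.
param(
    [switch]$Apply,            # assumed switch: write the recommended values
    [switch]$OnlyTls11And12    # assumed switch: use 0xA00 instead of 0xAA0 for WinHTTP
)

# WinHTTP DefaultSecureProtocols bits. Windows default 0x0A0 = SSL 3.0 + TLS 1.0;
# 0xAA0 keeps those and adds TLS 1.1 + TLS 1.2; 0xA00 = TLS 1.1 + TLS 1.2 only.
$bits = [ordered]@{ 'SSL 2.0' = 0x008; 'SSL 3.0' = 0x020; 'TLS 1.0' = 0x080; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
$desiredWinHttp = if ($OnlyTls11And12) { 0xA00 } else { 0xAA0 }

function Get-ProtocolNames([int]$Mask) {
    ($bits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object Key) -join ', '
}

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$is64 = [Environment]::Is64BitOperatingSystem
$changes = 0

foreach ($key in $winHttpKeys) {
    if ($key -match 'Wow6432Node' -and -not $is64) { continue }   # no 32-bit view on a 32-bit OS
    $current = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
    $label = if ($null -eq $current) { 'not set (OS default 0x0A0 = SSL 3.0, TLS 1.0)' }
             else { '0x{0:X3} = {1}' -f $current, (Get-ProtocolNames $current) }
    Write-Host "$key\DefaultSecureProtocols : $label"
    if ($Apply -and $current -ne $desiredWinHttp) { Set-Dword $key 'DefaultSecureProtocols' $desiredWinHttp; $changes++ }
}

foreach ($key in $netKeys) {
    if ($key -match 'Wow6432Node' -and -not $is64) { continue }
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        Write-Host "$key\$name : $(if ($null -eq $current) { 'not set' } else { $current })"
        if ($Apply -and $current -ne 1) { Set-Dword $key $name 1; $changes++ }
    }
}

# SChannel: TLS 1.2 is on by default, so only an explicit Enabled=0 is a problem here.
$sch = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$schEnabled = (Get-ItemProperty -Path $sch -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host "SChannel TLS 1.2 client: $(if ($null -eq $schEnabled) { 'default (enabled)' } elseif ($schEnabled -eq 0) { 'DISABLED' } else { 'enabled' })"

if ($changes -gt 0) {
    Write-Warning "$changes value(s) changed; restart the computer so WinHTTP and .NET pick them up."
}
```

Running the audit without -Apply across the client estate (for example through a compliance setting or a scheduled script) gives you the inventory the IMPORTANT note above asks for: which earlier-Windows clients still lack TLS 1.1 and 1.2 in WinHTTP, and therefore which ones would be orphaned if the site servers stopped accepting TLS 1.0.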

Next steps
Enable TLS 1.2 on the site servers and remote site systems
Common issues when enabling TLS 1.2
How to enable TLS 1.2 on the site servers and remote site systems
2/16/2022

Applies to: Configuration Manager (Current Branch)


When enabling TLS 1.2 for your Configuration Manager environment, start with enabling TLS 1.2 for the clients
first. Then, enable TLS 1.2 on the site servers and remote site systems second. Finally, test client to site system
communications before potentially disabling the older protocols on the server side. The following tasks are
needed for enabling TLS 1.2 on the site servers and remote site systems:
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
Update and configure the .NET Framework to support TLS 1.2
Update SQL Server and client components
Update Windows Server Update Services (WSUS)
For more information about dependencies for specific Configuration Manager features and scenarios, see About
enabling TLS 1.2.

Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
TLS 1.2 is enabled by default. Therefore, no change to these keys is needed to enable it. You can make changes
under Protocols to disable TLS 1.0 and TLS 1.1 after you've followed the rest of the guidance in these articles
and you've verified that the environment works when only TLS 1.2 is enabled.
Verify the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry
subkey setting, as shown in Transport layer security (TLS) best practices with the .NET Framework.

Update and configure the .NET Framework to support TLS 1.2


Determine .NET version
First, determine the installed .NET versions. For more information, see Determine which versions and service
pack levels of .NET Framework are installed.
Install .NET updates
Install the .NET updates so you can enable strong cryptography. Some versions of .NET Framework might
require updates to enable strong cryptography. Use these guidelines:
.NET Framework 4.6.2 and later supports TLS 1.1 and TLS 1.2. Confirm the registry settings, but no
additional changes are required.

NOTE
Starting in version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers,
specific site systems, clients, and the console. If possible in your environment, install the latest version of .NET
version 4.8.

Update .NET Framework 4.6 and earlier versions to support TLS 1.1 and TLS 1.2. For more information,
see .NET Framework versions and dependencies.
If you're using .NET Framework 4.5.1 or 4.5.2 on Windows 8.1, Windows Server 2012 R2, or Windows
Server 2012, it's highly recommended that you install the latest security updates for .NET Framework
4.5.1 and 4.5.2 to ensure TLS 1.2 can be enabled properly.
For your reference, TLS 1.2 was first introduced into .NET Framework 4.5.1 and 4.5.2 with the following
hotfix rollups:
For Windows 8.1 and Server 2012 R2: Hotfix rollup 3099842
For Windows Server 2012: Hotfix rollup 3099844
Configure for strong cryptography
Configure .NET Framework to support strong cryptography. Set the SchUseStrongCrypto registry setting to
DWORD:00000001 . This value disables the RC4 stream cipher and requires a restart. For more information about
this setting, see Microsoft Security Advisory 2960358.
Make sure to set the following registry keys on any computer that communicates across the network with a TLS
1.2-enabled system. For example, Configuration Manager clients, remote site system roles not installed on the
site server, and the site server itself.
For 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit
OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

NOTE
The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting
allows .NET to use the OS configuration. For more information, see TLS best practices with the .NET Framework.
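The following PowerShell is an added example, not code from this documentation or from Microsoft. It audits the .NET Framework values listed above across all four subkeys (and writes them with -Fix), reports the installed .NET 4.x Release value so you can confirm the 4.6.2 floor, reads the SCHANNEL protocol state covered earlier in this article, and includes a guarded function for the last step of disabling TLS 1.0 and TLS 1.1. It assumes Windows PowerShell 5.1 run elevated on a computer with .NET Framework 4.x installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Configuration Manager docs. Audits (and optionally sets)
# the .NET Framework TLS values and reports the SCHANNEL protocol state.
# Assumes Windows PowerShell 5.1 on a host with .NET Framework 4.x installed.

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$netValues = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

function Get-NetFrameworkRelease {
    # The Release DWORD identifies the installed 4.x build. 394802 or higher means 4.6.2 or later,
    # which is what Configuration Manager 2107+ requires (528040 or higher is 4.8).
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue).Release
}

function Test-NetStrongCrypto {
    # Emits one record per key/value. With -Fix, missing keys are created and wrong values rewritten.
    param([switch]$Fix)
    foreach ($key in $netKeys) {
        if (-not (Test-Path $key)) {
            if ($Fix) { New-Item -Path $key -Force | Out-Null }
            else {
                [pscustomobject]@{ Key = $key; Value = '(key missing)'; Current = $null; Compliant = $false }
                continue
            }
        }
        foreach ($name in $netValues.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $ok = ($current -eq $netValues[$name])
            if (-not $ok -and $Fix) {
                New-ItemProperty -Path $key -Name $name -Value $netValues[$name] -PropertyType DWord -Force | Out-Null
                $current = $netValues[$name]
                $ok = $true
            }
            [pscustomobject]@{ Key = $key; Value = $name; Current = $current; Compliant = $ok }
        }
    }
}

function Get-SchannelProtocolState {
    # Reads Enabled / DisabledByDefault for the Client and Server side of each protocol.
    # A missing subkey or value means the OS default applies (TLS 1.2 is on by default on supported Windows).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $v = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            $enabled  = if ($null -ne $v -and $null -ne $v.Enabled) { $v.Enabled } else { '(default)' }
            $disabled = if ($null -ne $v -and $null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(default)' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}

function Disable-SchannelProtocol {
    # Turns off TLS 1.0 or TLS 1.1 for both roles. Run this last, only after clients, site systems
    # and SQL Server have all been verified working over TLS 1.2; a restart is needed afterwards.
    param([Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1')][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$side"
        New-Item -Path $p -Force | Out-Null
        New-ItemProperty -Path $p -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $p -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

"Installed .NET 4.x Release value: $(Get-NetFrameworkRelease)"
Test-NetStrongCrypto | Format-Table -AutoSize            # audit only; add -Fix to write the values
Get-SchannelProtocolState | Format-Table -AutoSize
# Disable-SchannelProtocol -Protocol 'TLS 1.0'             # only after the environment is verified on TLS 1.2
```

Run the audit on a client first, then on each site system, in the order this article recommends. Apply -Fix only after the Release value confirms .NET 4.6.2 or later (or the 4.5.x rollups above are installed), because on older builds the two values have nothing to enable, and keep Disable-SchannelProtocol for the very end: once TLS 1.0 and 1.1 are off on the server side, any client that was not updated stops communicating.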

Update SQL Server and client components


Microsoft SQL Server 2016 and later support TLS 1.1 and TLS 1.2. Earlier versions and dependent libraries
might require updates. For more information, see KB 3135244: TLS 1.2 support for Microsoft SQL Server.
Secondary site servers need to use at least SQL Server 2016 Express with Service Pack 2 (13.0.5026) or later.
SQL Server Native Client
NOTE
KB 3135244 also describes requirements for SQL Server client components.

Make sure to also update the SQL Server Native Client to at least version SQL Server 2012 SP4 (11.*.7001.0).
This requirement is a prerequisite check (warning).
Configuration Manager uses SQL Server Native Client on the following site system roles:
Site database server
Site server: central administration site, primary site, or secondary site
Management point
Device management point
State migration point
SMS Provider
Software update point
Multicast-enabled distribution point
Asset Intelligence update service point
Reporting services point
Enrollment point
Endpoint Protection point
Service connection point
Certificate registration point
Data warehouse service point

Update Windows Server Update Services (WSUS)


To support TLS 1.2 in earlier versions of WSUS, install the following update on the WSUS server:
For WSUS server that's running Windows Server 2012, install update 4022721 or a later rollup update.
For WSUS server that's running Windows Server 2012 R2, install update 4022720 or a later rollup
update.
Starting in Windows Server 2016, TLS 1.2 is supported by default for WSUS. TLS 1.2 updates are only needed
on Windows Server 2012 and Windows Server 2012 R2 WSUS servers.

Next steps
Common issues when enabling TLS 1.2
Common issues when enabling TLS 1.2
2/16/2022

This article provides advice for common issues that occur when you enable TLS 1.2 support in Configuration
Manager.

Unsupported platforms
The following client platforms are supported by Configuration Manager but aren't supported in a TLS 1.2
environment:
Apple OS X
Windows devices managed with on-premises MDM

Reports don't show in the console


If reports don't show in the Configuration Manager console, make sure to update the computer on which you're
running the console. Update the .NET Framework, and enable strong cryptography.

FIPS security policy enabled


If you enable the FIPS security policy setting for either the client or a server, Secure Channel (Schannel)
negotiation can cause them to use TLS 1.0. This behavior happens even if you disable the protocol in the
registry.
To investigate, enable Secure Channel event logging, and then review Schannel events in the system log. For
more information, see Restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.

SQL Server communication failure


If SQL Server communication fails and returns an SslSecurityError error, verify the following settings:
Update .NET Framework, and enable strong cryptography on each machine
Update SQL Server on the host server
Update SQL Server client components on all systems that communicate with SQL. For example, the site
servers, SMS provider, and site role servers.
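The following PowerShell is an added example, not code from this documentation. It checks the SQL Server Native Client build against the 11.x.7001.0 (SQL Server 2012 SP4) floor given earlier, then opens a .NET SqlClient connection with Encrypt=True, which exercises the same client stack the site server and SMS Provider use, so an SslSecurityError surfaces here before Configuration Manager components hit it. The server name and database are placeholders; it assumes Native Client 11 is installed and that the caller can read sys.dm_exec_connections (VIEW SERVER STATE, which the site server's computer account normally has).

```powershell
# Added example, not code from the docs. Checks the SQL Server Native Client build and then
# opens an encrypted .NET SqlClient connection, the same stack the site server uses.
# Assumptions: Native Client 11 is installed (sqlncli11.dll); 'sql01.contoso.local' and 'CM_LAB'
# are placeholders for your site database server and database; the caller can query
# sys.dm_exec_connections (VIEW SERVER STATE).

function Get-SqlNativeClientVersion {
    # Returns the product version of sqlncli11.dll and whether it meets the 11.x.7001.0 floor.
    $dll = Join-Path $env:SystemRoot 'System32\sqlncli11.dll'
    if (-not (Test-Path $dll)) {
        return [pscustomobject]@{ Path = $dll; Version = $null; MeetsMinimum = $false }
    }
    $raw = (Get-Item $dll).VersionInfo.ProductVersion -replace '[^\d.]', ''
    $ver = [version]$raw
    [pscustomobject]@{
        Path         = $dll
        Version      = $ver
        MeetsMinimum = ($ver.Major -eq 11 -and $ver.Build -ge 7001) -or ($ver.Major -gt 11)
    }
}

function Test-SqlEncryptedConnection {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Database = 'master'
    )
    # Encrypt=True makes the driver negotiate TLS; TrustServerCertificate=False keeps certificate
    # validation on, so a self-signed SQL certificate fails here instead of silently succeeding.
    $cs = "Server=$Server;Database=$Database;Integrated Security=True;Encrypt=True;TrustServerCertificate=False;Connection Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            Server = $Server; Connected = $true
            Encrypted = $reader['encrypt_option']; Transport = $reader['net_transport']; Error = $null
        }
    }
    catch {
        # A failure wrapping SslSecurityError (or "existing connection was forcibly closed") at this
        # point is the symptom above: the client stack or SQL Server is not yet TLS 1.2 capable.
        [pscustomobject]@{
            Server = $Server; Connected = $false
            Encrypted = $null; Transport = $null; Error = $_.Exception.GetBaseException().Message
        }
    }
    finally {
        $conn.Dispose()
    }
}

Get-SqlNativeClientVersion | Format-List
Test-SqlEncryptedConnection -Server 'sql01.contoso.local' -Database 'CM_LAB' | Format-List
```

Run the connection test from a remote site system (management point, SMS Provider host) rather than on the SQL Server itself: a local connection may use shared memory and never exercise the TLS path, while a remote one reports Transport = TCP and Encrypted = TRUE when the negotiation succeeded.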

Configuration Manager client communication failures


If the Configuration Manager client doesn't communicate with site roles, verify that you updated Windows to
support TLS 1.2 for client-server communication by using WinHTTP. Common site roles include distribution
points, management points, and state migration points.

Reporting services point fails and returns an unexpected error


If the reporting services point doesn't configure reports, check the SRSRP.log for the following error entry:
The underlying connection was closed: An unexpected error occurred on a receive.

To resolve this issue, follow these steps:


1. Update .NET Framework, and enable strong cryptography on all relevant computers.
2. After you install any updates, restart the SMS_Executive service.

Service connection point upload failures


If the service connection point doesn't upload data to SCCMConnectedService, update the .NET Framework, and
enable strong cryptography on each computer. After you make the changes, remember to restart the computers.

Configuration Manager console displays Intune onboarding dialog box
If the Intune onboarding dialog box appears when the console tries to connect to the Microsoft Endpoint
Manager admin center, update the .NET Framework, and enable strong cryptography on each computer. After
you make the changes, remember to restart the computers.

Configuration Manager console displays failure to sign in to Azure


When you try to create applications in Azure Active Directory (Azure AD), if the Azure Services onboarding
dialog box immediately fails after you select Sign in , update the .NET Framework, and enable strong
cryptography. After you make the changes, remember to restart the computers.

Configuration Manager cloud services and TLS 1.2


The Azure virtual machines used by the cloud management gateway support TLS 1.2. Supported client versions
automatically use TLS 1.2.
The SMSAdminui.log may contain an error similar to the following example:

Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationException
Service returned error. Check InnerException for more details
at Microsoft.ConfigurationManager.CloudBase.AAD.AADAuthenticationContext.GetAADAuthResultObject
...
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException
Service returned error. Check InnerException for more details
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask
...
System.Net.WebException
The underlying connection was closed: An unexpected error occurred on a receive.
at System.Net.HttpWebRequest.GetResponse

In the System EventLog, SChannel EventID 36874 may be logged with the following description:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites
supported by the client application are supported by the server. The TLS connection request has failed.
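As an added example (not from this documentation), the following PowerShell gathers the evidence the sections above ask for: whether the FIPS policy that can pin Schannel to TLS 1.0 is enforced, the Schannel EventLogging value needed before the System log shows handshake detail, the Schannel failure events including 36874, and the WinHTTP DefaultSecureProtocols value from KB 3140245 that governs the client-to-site-system calls discussed under client communication failures. It assumes Windows PowerShell 5.1 run elevated on the computer showing the failure.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the docs. Triage helpers for the TLS 1.2 symptoms above.

function Get-FipsPolicyState {
    # Enabled = 1 means "Use FIPS compliant algorithms for encryption, hashing, and signing" is enforced.
    $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ FipsEnabled = ($v -eq 1) }
}

function Enable-SchannelEventLogging {
    # EventLogging = 7 logs Schannel errors, warnings and informational events to the System log.
    # The new level takes effect after a restart.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    New-ItemProperty -Path $p -Name EventLogging -Value 7 -PropertyType DWord -Force | Out-Null
}

function Get-SchannelHandshakeFailures {
    param([int]$Hours = 24)
    # 36874: no cipher suite in common (the event quoted above); 36871: fatal error creating TLS credentials;
    # 36887 / 36888: fatal alert received / generated.
    $filter = @{
        LogName = 'System'; ProviderName = 'Schannel'
        Id = 36871, 36874, 36887, 36888
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Get-WinHttpSecureProtocols {
    # DefaultSecureProtocols bit mask: 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2 (0xA00 = 1.1 and 1.2).
    # Windows 8.1 / Server 2012 R2 and later use TLS 1.2 for WinHTTP by default; on Windows 7 / Server 2008 R2
    # and Server 2012 the value is honored only after update 3140245 is installed.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    foreach ($key in $keys) {
        $v = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        $display = if ($null -ne $v) { '0x{0:X}' -f $v } else { '(not set)' }
        [pscustomobject]@{ Key = $key; DefaultSecureProtocols = $display; Tls12Bit = [bool]($v -band 0x800) }
    }
}

Get-FipsPolicyState
Get-WinHttpSecureProtocols | Format-Table -AutoSize
Get-SchannelHandshakeFailures -Hours 48 | Format-Table -AutoSize -Wrap
# Enable-SchannelEventLogging   # then restart and run Get-SchannelHandshakeFailures again
```

A 36874 on the server side paired with a client whose DefaultSecureProtocols is unset on an old OS, or whose FIPS flag is on, points at the client; the same event on a server after TLS 1.0/1.1 were disabled usually means the cipher suite list was also trimmed below what the client offers, which the registry audit in the previous article does not cover.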

Additional resources
Transport layer security (TLS) best practices with the .NET Framework
KB 3135244: TLS 1.2 support for Microsoft SQL Server
Cryptographic controls technical reference

Next steps
Enable TLS 1.2 on clients
Enable TLS 1.2 on the site servers and remote site systems
Evaluate Configuration Manager by building your own lab environment
2/16/2022

Applies to: Configuration Manager (current branch)


Learn how to create a lab environment to evaluate Configuration Manager for use in your organization.
Configuration Manager is a complex and powerful tool to manage your users, devices, and software. It's a good
idea to thoroughly evaluate Configuration Manager before full deployment, so that you can marry conceptual
understanding with hands-on exercises.
This guide is primarily meant for admins who are evaluating the use of Configuration Manager in corporate
environments:
Admins who want a solution to fully manage PCs, servers, and mobile devices
Admins in high-security industries that require the security of on-premises device management with the
flexibility of cloud-based device management
Admins who want to manage the scaling-up of their on-premises server architecture

What this lab does


The main goal of creating this lab environment is to give you the general knowledge to start working with
Configuration Manager, and to enhance your understanding of Configuration Manager. You'll walk through an
expedited assembly of the current version of Configuration Manager, by using two servers:
One that hosts Active Directory, the domain controller, and the DNS server
One that hosts Configuration Manager and all associated SQL Server components
Client machines are installed within Hyper-V. The lab itself can also be run as a fully virtualized system on a
single server.

What this lab does not do


This lab will not take you through all Configuration Manager scenarios. It is not designed to be immediately
migrated into an active environment.
When you build this lab, you will have a functional environment to work in. But this environment will not be
optimized for factors like system performance, hard disk space management, and SQL Server storage.

Recommended reading before you build the lab


There is a wealth of content available in Documentation for Configuration Manager. We recommend that you
read the following topics from this library before you start to build the lab:
Learn core concepts about the Configuration Manager console, end-user portals, and example scenarios
in Introduction to Configuration Manager.
Learn about the primary management capabilities of Configuration Manager in Features and capabilities
of Configuration Manager.
Bolster your knowledge with Fundamentals of Configuration Manager.
Learn the importance of security roles in Fundamentals of role-based administration for Configuration
Manager.
Learn about content management in Concepts for content management.
Learn how to successfully support daily tasks throughout your deployment in Understand how clients
find site resources and services for Configuration Manager.
Set up a Configuration Manager lab
2/16/2022

Applies to: Configuration Manager (current branch)


Following the guidance in this topic will enable you to set up a lab for evaluating Configuration Manager with
simulated real-life activities.

NOTE
Microsoft offers a pre-configured version of this lab using an evaluation version of Configuration Manager. For more
information, see Windows and Office deployment and management lab kit.

Core components
Setting up your environment for Configuration Manager requires some core components to support the
installation of Configuration Manager.
The lab environment uses Windows Server 2012 R2, into which we will install Configuration
Manager.
You can download an evaluation version of Windows Server 2012 R2 from the Evaluation Center.
Consider modifying or disabling Internet Explorer Enhanced Security Configuration in order to more
easily access some of the downloads referenced throughout the course of these exercises. For more
information, see Internet Explorer: Enhanced Security Configuration.
The lab environment uses SQL Server 2012 SP2 for the site database.
You can download an evaluation version of SQL Server 2012 from the Microsoft Download Center.
SQL Server must meet the requirements listed in Supported versions of SQL Server for use with Configuration Manager:
Configuration Manager requires a 64-bit version of SQL Server to host the site database.
Use SQL_Latin1_General_CP1_CI_AS as the SQL Server collation.
Windows authentication, rather than SQL Server authentication, is required.
A dedicated SQL Server instance is required.
Do not limit the system addressable memory for SQL Server.
Configure the SQL Server service account to run using a low-rights domain user account.
You must install SQL Server Reporting Services.
Intersite communications use the SQL Server Service Broker on default port TCP 4022.
Intrasite communications between the SQL Server database engine and select Configuration
Manager site system roles use default port TCP 1433.
The domain controller uses Windows Server 2008 R2 with Active Directory Domain Services
installed. The domain controller also functions as the host for the DHCP and the DNS servers for use with
a fully qualified domain name.
For more information, see overview of Active Directory Domain Services.
Hyper-V is used with a few virtual machines to verify that the management steps taken in these
exercises are functioning as expected. A minimum of three virtual machines is recommended, with
Windows 10 installed.
For more information, see overview of Hyper-V.
Administrator permissions will be required for all of these components.
Configuration Manager requires an administrator with local permissions within the Windows
Server environment
Active Directory requires an administrator with permissions to modify the schema
Virtual machines require local permissions on the machines themselves
Though not required for this lab, you can review Supported configurations for Configuration Manager for
additional information on requirements for implementing Configuration Manager. Refer to documentation for
software versions other than those referenced here.
Once you have installed all of these components, there are additional steps you must take to configure your
Windows environment for Configuration Manager:

Prepare Active Directory content for the lab


For this lab, you will create a security group, then add a domain user to it.
Security group: Evaluation
Group scope: Universal
Group type: Security
Domain user: ConfigUser
Under normal circumstances, you would not grant universal access to all users within your environment.
You are doing so with this user in order to streamline bringing your lab online.
The next steps required to enable Configuration Manager clients to query Active Directory Domain Services to
locate site resources are listed over the next procedures.

Create the System Management container


Configuration Manager will not automatically create the required System Management container in Active
Directory Domain Services when the schema is extended. Therefore, you will create this for your lab. This step
will require you to install ADSI Edit.
Ensure that you are logged on as an account that has Create All Child Objects permission on the System
Container in Active Directory Domain Services.
To create the System Management container:
1. Run ADSI Edit , and connect to the domain in which the site server resides.
2. Expand Domain<computer fully qualified domain name> , expand <distinguished name> , right-
click CN=System , click New , and then click Object .
3. In the Create Object dialog box, select Container , and then click Next .
4. In the Value box, type System Management , and then click Next .
5. Click Finish to complete the procedure.

Set security permissions for the System Management container


Grant the site server's computer account the permissions that are required to publish site information to the
container. You will use ADSI Edit for this task as well.

IMPORTANT
Confirm that you are connected to the site server's domain prior to beginning the following procedure.

To set security permissions for the System Management container:


1. In the console pane, expand the site server's domain, expand DC=<server distinguished name>,
and then expand CN=System. Right-click CN=System Management, and then click Properties.
2. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to
add the site server computer account. Grant the account Full Control permissions.
3. Click Advanced , select the site server's computer account, and then click Edit .
4. In the Apply onto list, select This object and all descendant objects .
5. Click OK to close the ADSI Edit console and complete the procedure.
For more information, see Extend the Active Directory schema for Configuration Manager

Extend the Active Directory schema using extadsch.exe


You will extend the Active Directory schema for this lab, as this allows you to use all Configuration Manager
features and functionality with the least amount of administrative overhead. Extending the Active Directory
schema is a forest-wide configuration that is done one time per forest. Extending the schema permanently
modifies the set of classes and attributes in your base Active Directory configuration. This action is irreversible.
Extending the schema allows Configuration Manager to access components that will allow it to function most
effectively within your lab environment.

IMPORTANT
Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema
Admins security group. Attempting to use alternate credentials will fail.

To extend the Active Directory schema using extadsch.exe:


1. Create a backup of the schema master domain controller's system state. For more information about
backing up master domain controller, see Windows Server Backup
2. Navigate to \SMSSETUP\BIN\X64 in the installation media.
3. Run extadsch.exe .
4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root folder
of the system drive.
For more information, see Extend the Active Directory schema for Configuration Manager.
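The following PowerShell is an added example, not part of this lab guide: it performs the Active Directory preparation from the preceding sections (the Evaluation group and ConfigUser account, the System Management container, the site server's Full Control ACL on that object and all descendants, and the extadsch.exe schema extension with its log check) using the RSAT ActiveDirectory module instead of ADSI Edit. It assumes a single-domain lab, a site server computer account named CM01, the installation media at D:\, and an account that has Create Child on CN=System and is a member of Schema Admins; the schema step refuses to run anywhere but the schema master.

```powershell
# Added example, not part of the lab guide: the AD preparation above done from PowerShell.
# Assumptions: single-domain lab, site server computer account 'CM01', media mounted at D:\,
# the caller has Create Child on CN=System and is in Schema Admins.
Import-Module ActiveDirectory

$siteServer  = 'CM01'          # assumption: your site server's computer name
$mediaRoot   = 'D:\'           # assumption: mounted Configuration Manager media
$domainDN    = (Get-ADDomain).DistinguishedName
$systemDN    = "CN=System,$domainDN"
$containerDN = "CN=System Management,$systemDN"

# 1. Lab principals: universal security group 'Evaluation' containing domain user 'ConfigUser'.
if (-not (Get-ADGroup -Filter "Name -eq 'Evaluation'")) {
    New-ADGroup -Name 'Evaluation' -GroupScope Universal -GroupCategory Security -Path "CN=Users,$domainDN"
}
if (-not (Get-ADUser -Filter "SamAccountName -eq 'ConfigUser'")) {
    New-ADUser -Name 'ConfigUser' -SamAccountName 'ConfigUser' -Enabled $true `
        -AccountPassword (Read-Host -Prompt 'Password for ConfigUser' -AsSecureString)
}
Add-ADGroupMember -Identity 'Evaluation' -Members 'ConfigUser'

# 2. System Management container, created only if it is missing (Setup does not create it).
$exists = $true
try { $null = Get-ADObject -Identity $containerDN } catch { $exists = $false }
if (-not $exists) { New-ADObject -Name 'System Management' -Type 'container' -Path $systemDN }

# 3. Full Control for the site server's computer account on this object and all descendants.
$sid  = (Get-ADComputer -Identity $siteServer).SID
$acl  = Get-Acl -Path "AD:\$containerDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 4. Schema extension: refuse to run unless this is the schema master and we are a Schema Admin.
$schemaMaster = (Get-ADForest).SchemaMaster
if ($schemaMaster -notlike "$env:COMPUTERNAME.*") { throw "Run this on the schema master ($schemaMaster)." }
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$schemaAdmins = Get-ADGroupMember -Identity 'Schema Admins' -Recursive | ForEach-Object { $_.SID.Value }
if ($schemaAdmins -notcontains $me) { throw 'Log on with a member of Schema Admins before extending the schema.' }

Start-Process -FilePath (Join-Path $mediaRoot 'SMSSETUP\BIN\X64\extadsch.exe') -Wait
$log = Join-Path $env:SystemDrive 'extadsch.log'   # extadsch.exe writes its log to the root of the system drive
if (Select-String -Path $log -Pattern 'Successfully extended the Active Directory schema' -Quiet) {
    'Schema extension succeeded.'
} else {
    Write-Warning "Schema extension did not report success; last lines of $log follow."
    Get-Content -Path $log -Tail 20
}
```

Take the system state backup the guide calls for before step 4; the first three steps are reversible, the schema change is not. Granting GenericAll to the computer account is what the GUI procedure does as well, but it is scoped to the System Management container only, not to CN=System.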

Other required tasks


You will also need to complete the following tasks prior to installation.
Create a folder for storing all downloads
There will be multiple downloads required for components of the installation media throughout this exercise.
Before beginning any installation procedures, determine a location that will not require you to move these files
until you wish to decommission your lab. A single folder with separate subfolders to store these downloads is
recommended.
Install .NET and activate Windows Communication Foundation
You will need to install two .NET Frameworks: first, .NET 3.5.1 and then .NET 4.5.2+. You will also need to activate
Windows Communication Foundation (WCF). WCF is designed to offer a manageable approach to distributed
computing, broad interoperability, and direct support for service orientation, and simplifies development of
connected applications through a service-oriented programming model. For more information, see What Is
Windows Communication Foundation?.
To install .NET and activate Windows Communication Foundation:
1. Open Server Manager, then navigate to Manage. Click Add Roles and Features to open the Add
Roles and Features Wizard.
2. Review the information provided in the Before You Begin panel, then click Next.
3. Select Role-based or feature-based installation, then click Next.
4. Select your server from the Server Pool, then click Next.
5. Review the Server Roles panel, then click Next.
6. Add the following Features by selecting them from the list:
.NET Framework 3.5 Features
.NET Framework 3.5 (includes .NET 2.0 and 3.0)
.NET Framework 4.5 Features
.NET Framework 4.5
ASP.NET 4.5
WCF Services
HTTP Activation
TCP Port Sharing
7. Review the Web Server Role (IIS) and Role Services screen, then click Next.
8. Review the Confirmation screen, then click Next.
9. Click Install and verify that the installation completed properly in the Notifications pane of Server
Manager.
10. After the base installation of .NET completes, navigate to the Microsoft Download Center to obtain the
web installer for the .NET Framework 4.5.2. Click the Download button, then Run the installer. It will
automatically detect and install the required components in your selected language.
Enable BITS, IIS, and RDC
The Background Intelligent Transfer Service (BITS) is used for applications that need to transfer files
asynchronously between a client and a server. By metering the flow of the transfers in the foreground and
background, BITS preserves the responsiveness of other network applications. It will also automatically resume
file transfers if a transfer session is interrupted.
You will install BITS for this lab, as this site server will also be used as a management point.
Internet Information Services (IIS) is a flexible, scalable web server that can be used to host anything on the web.
It is used by Configuration Manager for a number of site system roles. For additional information on IIS, review
Websites for site system servers.
Remote Differential Compression (RDC) is a set of APIs that applications can use to determine if any changes
have been made to a set of files. RDC enables the application to replicate only the changed portions of a file,
keeping network traffic to a minimum.
To enable BITS, IIS, and RDC site server roles:
1. On your site server, open Server Manager. Navigate to Manage. Click Add Roles and Features to
open the Add Roles and Features Wizard.
2. Review the information provided in the Before You Begin panel, then click Next.
3. Select Role-based or feature-based installation, then click Next.
4. Select your server from the Server Pool, then click Next.
5. Add the following Server Roles by selecting them from the list:
Web Server (IIS)
Common HTTP Features
Default Document
Directory Browsing
HTTP Errors
Static Content
HTTP Redirection
Health and Diagnostics
HTTP Logging
Logging Tools
Request Monitor
Tracing
Performance
Static Content Compression
Dynamic Content Compression
Security
Request Filtering
Basic Authentication
Client Certificate Mapping Authentication
IP and Domain Restrictions
URL Authorization
Windows Authentication
Application Development
.NET Extensibility 3.5
.NET Extensibility 4.5
ASP
ASP.NET 3.5
ASP.NET 4.5
ISAPI Extensions
ISAPI Filters
Server Side Includes
FTP Server
FTP Service
Management Tools
IIS Management Console
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 Management Console
IIS 6 Scripting Tools
IIS 6 WMI Compatibility
IIS 6 Management Scripts and Tools
Management Service
6. Add the following Features by selecting them from the list:
Background Intelligent Transfer Service (BITS)
IIS Server Extension
Remote Server Administration Tools
Feature Administration Tools
BITS Server Extensions Tools
7. Click Install and verify that the installation completed properly in the Notifications pane of Server
Manager.
By default, IIS blocks several types of file extensions and locations from access by HTTP or HTTPS
communication. To enable these files to be distributed to client systems, you will need to configure request
filtering for IIS on your distribution point. For more information, see IIS Request Filtering for distribution points.
To configure IIS filtering on distribution points:
1. Open IIS Manager and select the name of your server in the sidebar. This will take you to the Home
screen.
2. Verify that Features View is selected at the bottom of the Home screen. Navigate to IIS and open
Request Filtering .
3. In the Actions pane, click Allow File Name Extension...
4. Type .msi into the dialog box and click OK .
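The following PowerShell is an added example, not part of this lab guide: it installs the same roles and features selected in the two Server Manager walkthroughs above (.NET 3.5 and 4.5 with WCF activation, the IIS role services, BITS with its IIS extension, and RDC) with Install-WindowsFeature, reports anything left uninstalled, and makes the .msi request-filtering change with the WebAdministration module. It assumes Windows Server 2012 R2, the OS media mounted at D:\ for the .NET 3.5 payload, and an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the lab guide: the wizard selections above as one Install-WindowsFeature call.
# Assumptions: Windows Server 2012 R2; OS media at D:\ (source for .NET 3.5); run elevated.

$features = @(
    # .NET and WCF
    'NET-Framework-Core',                                   # .NET Framework 3.5 (includes 2.0 and 3.0)
    'NET-Framework-45-Core', 'NET-Framework-45-ASPNET',
    'NET-WCF-HTTP-Activation45', 'NET-WCF-TCP-PortSharing45',
    # IIS: common HTTP, health and diagnostics, performance
    'Web-Server',
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content', 'Web-Http-Redirect',
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    'Web-Stat-Compression', 'Web-Dyn-Compression',
    # IIS: security
    'Web-Filtering', 'Web-Basic-Auth', 'Web-Client-Auth', 'Web-IP-Security', 'Web-Url-Auth', 'Web-Windows-Auth',
    # IIS: application development
    'Web-Net-Ext', 'Web-Net-Ext45', 'Web-ASP', 'Web-Asp-Net', 'Web-Asp-Net45',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Includes',
    # FTP and management tools (IIS 6 compatibility is what the wizard calls Management Compatibility)
    'Web-Ftp-Service',
    'Web-Mgmt-Console', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console', 'Web-Lgcy-Scripting', 'Web-WMI',
    'Web-Scripting-Tools', 'Web-Mgmt-Service',
    # BITS, its IIS extension, the RSAT tools for it, and Remote Differential Compression
    'BITS', 'BITS-IIS-Ext', 'RSAT-Bits-Server', 'RDC'
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools -Source 'D:\sources\sxs'
if (-not $result.Success) { throw "Feature installation failed with exit code $($result.ExitCode)." }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing.' }

# Anything that did not end up installed.
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } | Select-Object Name, InstallState

# Request filtering: allow .msi at the server level so the distribution point can serve installers.
Import-Module WebAdministration
$filter = 'system.webServer/security/requestFiltering/fileExtensions'
$msiEntry = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "$filter/add[@fileExtension='.msi']"
if ($msiEntry) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "$filter/add[@fileExtension='.msi']" -Name allowed -Value $true
} else {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' -Value @{ fileExtension = '.msi'; allowed = 'true' }
}
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "$filter/add" |
    Where-Object { $_.fileExtension -eq '.msi' } | Select-Object fileExtension, allowed
```

The explicit allow entry is safer than clearing the request-filtering deny list wholesale, which is a common shortcut on lab distribution points: only the extensions Configuration Manager actually needs to serve get opened, and the change is recorded in applicationHost.config where it can be reviewed.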

Installing Configuration Manager


You will create a primary site to manage clients directly (see Determine when to use a primary site). This will allow your lab
environment to support management for the number of devices described in Site system scale.
During this process, you will also install the Configuration Manager console, which will be used to manage your
evaluation devices going forward.
Before you begin the installation, launch the Prerequisite Checker on the server using Windows Server 2012 to
confirm that all settings have been correctly enabled.
To download and install Configuration Manager:
1. Navigate to the System Center Evaluations page to download the newest evaluation version of
Configuration Manager.
2. Decompress the download media into your predefined location.
3. Follow the installation procedure listed at Install a site using the Configuration Manager Setup Wizard.
Within that procedure, you will input the following:

Step in site installation procedure: Selection

Step 4 (the Product Key page): Select Evaluation.

Step 7 (Prerequisite Downloads): Select Download required files and specify your
predefined location.

Step 10 (Site and Installation Settings):
- Site code: LAB
- Site name: Evaluation
- Installation folder: specify your predefined location.

Step 11 (Primary Site Installation): Select Install the primary site as a stand-alone
site, then click Next.

Step 12 (Database Installation):
- SQL Server name (FQDN): input your FQDN here.
- Instance name: leave this blank, as you will use the default instance of SQL Server that you previously
installed.
- Service Broker Port: leave as default port of 4022.

Step 13 (Database Installation): Leave these settings as default.

Step 14 (SMS Provider): Leave these settings as default.

Step 15 (Client Communication Settings): Confirm that All site system roles accept only
HTTPS communication from clients is not selected.

Step 16 (Site System Roles): Input your FQDN and confirm that your selection of All
site system roles accept only HTTPS communication from clients is still deselected.

Enable publishing for the Configuration Manager site


Each Configuration Manager site publishes its own site-specific information to the System Management
container within its domain partition in the Active Directory schema. Bidirectional channels for communication
between Active Directory and Configuration Manager must be opened to handle this traffic. You will also
additionally enable Forest Discovery to determine certain components of your Active Directory and network
infrastructure.
To configure Active Directory forests for publishing:
1. In the bottom-left corner of the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Hierarchy Configuration, then click Discovery Methods.
3. Select Active Directory Forest Discovery and click Properties.
4. In the Properties dialog box, select Enable Active Directory Forest Discovery. Once this is active,
select Automatically create Active Directory site boundaries when they are discovered. A
dialog box will appear that states Do you want to run full discovery as soon as possible? Click
Yes.
5. In the Discovery Method group at the top of the screen, click Run Forest Discovery Now, then
navigate to Active Directory Forests in the sidebar. Your Active Directory forest should be shown in the
list of discovered forests.
6. Navigate to the top of the screen, to the General tab.
7. In the Administration workspace, expand Hierarchy Configuration, then click Active Directory
Forests.
To enable a Configuration Manager site to publish site information to your Active Directory forest:
1. In the Configuration Manager console, click Administration.
2. You will configure a new forest that has not yet been discovered.
3. In the Administration workspace, click Active Directory Forests.
4. On the Publishing tab of the site properties, select your connected forest, then click OK to save the
configuration.
Create a Configuration Manager lab in Azure
2/16/2022

Applies to: Configuration Manager (current branch, technical preview branch)


This guide describes how to build a Configuration Manager lab environment in Microsoft Azure. It uses Azure
templates to simplify and automate the creation of a lab using Azure resources. Two Azure templates are
provided:
Configuration Manager technical preview Azure template installs the latest version of the Configuration
Manager technical preview branch.
Configuration Manager current branch Azure template installs the evaluation of the latest version of
Configuration Manager current branch.
For more information, see Configuration Manager on Azure.

Prerequisites
This process requires an Azure subscription in which you can create the following objects:
Two Standard_B2s virtual machines for domain controller, management point, and distribution point.
One Standard_B2ms virtual machine for the primary site server and the SQL Server database server.
Standard_LRS storage account

TIP
To help determine potential costs, see the Azure pricing calculator.

Process
1. Go to the Configuration Manager technical preview template or Configuration Manager current branch
template.
2. Select Deploy to Azure, which opens the Azure portal.
3. Complete the Azure quickstart template with the following information:
Basics
Subscription: The name of the subscription in which to create the VMs
Resource group: Select a resource group to use for these VMs
Location: Select an Azure data center to host this lab environment
Settings
Prefix: The prefix name of the machines. For more information, see Azure VM info.
Admin Username: The name of a user on the VMs with administrative rights. You use this
user to sign in to the VMs.
Admin Password: The password must meet the Azure complexity requirements. For more
information, see adminPassword.
IMPORTANT
The following settings are required by Azure. Use the default values. Don't change these values.
_artifactsLocation: The location of the scripts for this template
_artifactsLocationSasToken: The sasToken is required to access the artifacts location
Location: The location for all resources

4. Read the terms and conditions. If you agree, select I agree to the terms and conditions stated
above. Then select Purchase to continue.
Azure validates the settings, and then begins the deployment. Check the status of the deployment in the Azure
portal.

NOTE
The process can take 2-4 hours. Even when the Azure portal shows successful deployment, configuration scripts continue
to run. Don't restart the VMs during the process.

To see the status of the configuration scripts, connect to the <prefix>PS1 server, and view the following file:
%windir%\TEMP\ProvisionScript\PS1.json. If it shows all steps as complete, the process is done.

To connect to the VMs, first get from the Azure portal the public IP addresses for each VM. When you connect to
the VM, the domain name is contoso.com. Use the credentials that you specified in the deployment template.
For more information, see How to connect and log on to an Azure virtual machine running Windows.

Azure VM info
All three VMs have the following specifications:
150 GB of disk space
Both a public and private IP address. The public IPs are in a network security group that only allows remote
desktop connections on TCP port 3389.
The prefix that you specified in the deployment template is the VM name prefix. For example, if you set
"contoso" as the prefix, then the domain controller machine name is contosoDC.

<prefix>DC01
  Active Directory domain controller
  Standard_B2s, which has two processors and 4 GB of memory
  Windows Server 2019 Datacenter edition
  Windows features and roles:
    Active Directory Domain Services (ADDS)
    .NET
    Remote Differential Compression (RDC)

<prefix>PS01
  Configuration Manager primary site
  Standard_B2ms, which has two processors and 8 GB of memory
  Windows Server 2016 Datacenter edition
  SQL Server
  Windows 10 ADK with Windows PE
  Windows features and roles:
    .NET
    Remote Differential Compression (RDC)
    Internet Information Service (IIS)

<prefix>DPMP01
  Distribution point
  Management point
  Standard_B2s, which has two processors and 4 GB of memory
  Windows Server 2019 Datacenter edition
  Windows features and roles:
    .NET
    Remote Differential Compression (RDC)
    Internet Information Service (IIS)
    Background Intelligent Transfer Service (BITS)

<prefix>CL01
  Only for the Configuration Manager current branch evaluation template
  Windows 10
  Configuration Manager client
Technical preview for Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (technical preview branch)


This article provides details about the monthly technical preview branch of Configuration Manager. The technical
preview introduces new functionality that Microsoft is working on. It introduces new features that aren't yet
included in the current branch of Configuration Manager. These features might eventually be included in an
update to the current branch. Before we finalize the features, we want you to try them out and give us feedback.
Because this release is a technical preview, details and functionality are subject to change.
This information applies to all versions of the Configuration Manager technical preview branch. This article lists
each new feature along with the technical preview version in which it first appears. For example, version 2201
for January ( 01 ) of 2022 ( 22 ). Separate articles dedicated to each preview version detail the individual
features.
For information about what's new in the current branch of Configuration Manager, see What's new in
Configuration Manager incremental versions.

TIP
You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Requirements and limitations


IMPORTANT
The technical preview is licensed for use only in a lab environment. Microsoft may not provide support services and
certain features may not be available in technical previews. Additionally, technical preview software may have reduced or
different security, privacy, accessibility, availability, and reliability standards relative to commercially provided software.

For most product prerequisites, use the information in the Supported configurations. The following exceptions
apply to the technical preview branch:
Each install is active for 90 days before it becomes inactive.
English is the only language supported.
It only supports the following setup command-line parameters:
/silent
/testdbupgrade
The service connection point installs to online mode. It doesn't support offline mode.

NOTE
You may need to allow specific internet URLs, some of which are specific to the technical preview branch. For more
information, see Internet access requirements.

The separate articles for each specific version of the technical preview include additional limitations or
requirements, as applicable.
The following features aren't supported with the technical preview branch:
Migration to or from this preview branch.
Upgrade to this preview branch.
Site recovery from the cd.latest folder.
There's no support for updating to current branch from this preview branch.

NOTE
When updates are available for a preview version, you still find and install them from the Updates and
Servicing node of the Configuration Manager console. For a video of the in-console upgrade process, see
Installing Configuration Manager update packages on youtube.com.

It only supports a standalone primary site. There's no support for a central administration site, multiple
primary sites, or secondary sites.
The technical preview branch of Configuration Manager supports the following products and technologies:
Unless otherwise noted, the technical preview branch supports the same versions of SQL Server as the
current branch. For more information, see Supported SQL Server versions.
The site supports up to 10 clients, which can run any supported client OS version.

NOTE
The inclusion of these products in this content doesn't imply an extension of support for a version that's beyond its
support lifecycle. Configuration Manager doesn't support products that are beyond their support lifecycle. For more
information, see Microsoft Lifecycle Policy.

Install and update


The Configuration Manager technical preview branch for lab use is distinct from the Configuration Manager
current branch for production use.
First install a baseline version of the technical preview branch. After installing a baseline version, use in-console
updates to bring your installation up to date with the most recent preview version. Typically, new versions of the
technical preview are available each month.
Microsoft supports each technical preview version up until three successive versions are available. For example,
when version 1908 released, version 1904 was no longer in support. Versions 1905, 1906, and 1907 remained
in support. When a baseline falls out of support, it's still supported for installing a new technical preview site,
assuming you immediately update to a supported version. The older baseline is supported until a new baseline
version is available. Update to the latest available version from the baseline, and then repeat the update process
until you install the latest technical preview version.
TIP
When you install an update to the technical preview, you update your preview installation to that new technical preview
version. A technical preview installation never has the option to upgrade to a current branch installation. It also never
receives updates from the current branch release.
Several times throughout the year, there are technical preview branch and current branch versions with the same version
number. For example, there is a technical preview version 2006 and a current branch version 2006.

Active baseline versions


Install a baseline version for up to one year after its release. When you install a new technical preview site, use
the latest baseline version:
Technical preview version 2110
Download a baseline version from the Evaluation Center.

Providing feedback
We love to hear your feedback about the new features in the technical preview. For more information, see
Product feedback.
If you have ideas about new features you would like to see, let us know! Submit new ideas and vote on the ideas
by others: Feedback for Configuration Manager.

Features in the most recent version


The following features are available with the most recent Configuration Manager technical preview version:
Technical preview version 2201
Visualize content distribution status
Custom icon support for task sequences and packages
Prefer cloud-based software update points on switching
LEDBAT support for software update points
Improvements to Power BI Report Server Integration
Tenant attach features are generally available
Deployment Status client notification actions
Sort by icon in the console
PowerShell release notes preview
Improved notice for content on task sequence media

NOTE
Features that were available in a previous version of the technical preview remain available in later versions. Similarly,
features that are added to the Configuration Manager current branch remain available in the technical preview branch.

Features in recent technical previews


The following features were released with previous versions of the Configuration Manager technical preview
branch since the latest current branch version:
TIP
When a new current branch version is available, features that are available in that version are listed in the latest What's
new article. For more information, see What's new in incremental versions.

Technical preview version 2112


Customize maximum run time for other software update types
Console and user experience improvements
Exclude data warehouse reporting tables from synchronization
A new remote assistance tool

Features in previous technical previews


The following features were released with previous versions of the Configuration Manager technical preview
branch. These features remain available in later versions, but aren't yet available in the current branch.

Feature                                                       Technical preview version
Customize maximum run time for other software update types    Tech preview 2112
Console and user experience improvements                      Tech preview 2112
Exclude data warehouse reporting tables from synchronization  Tech preview 2112
Branding in the Windows Update native reboot experience       Tech preview 2110
Tenant attach: Software updates information                   Tech preview 2107
Intune role-based access control for tenant attach            Tech preview 2106
Windows Update native experience for software updates         Tech preview 2105.2
Support Center dark and light themes                          Tech preview 2105
Community hub support for application content                 Tech preview 2012
Improvements to multicast-enabled distribution points         Tech preview 1908.2
Phased deployment templates                                   Tech preview 1908
Client-based PXE responder service                            Tech preview 1712
PXE network boot support for IPv6                             Tech preview 1706
Use Azure Active Directory                                    Tech preview 1702
Improvements to Asset Intelligence                            Tech preview 1608

Next steps
For more information, see the following articles:
Evaluate Configuration Manager in a lab
What's new in Configuration Manager incremental versions
Introduction to Configuration Manager

TIP
For more information on current branch features that require consent to enable, see pre-release features.
For more information on current branch features that you must enable first, see Enable optional features from updates.
Features in Configuration Manager technical
preview version 2201
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (technical preview branch)


This article introduces the features that are available in the technical preview for Configuration Manager, version
2201. Install this version to update and add new features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes you with the general
requirements and limitations for using a technical preview, how to update between versions, and how to provide
feedback.
The following sections describe the new features to try out in this version:

Visualize content distribution status


You can now monitor content distribution path and status in a graphical format. The graph shows distribution
point type, distribution state, and associated status messages. This visualization allows you to more easily
understand the status of your content package distribution. It helps you answer questions like:
Has the site successfully distributed the content?
Is the content distribution in progress?
Which distribution points have already processed the content?
This example shows a graph for the content distribution status of the Configuration Manager client package in
an example hierarchy. It lets you easily see the following information:
The solid blue line from the site server to each distribution point indicates that the rate limit is Unlimited .
For more information, see Rate limits.
The green check mark on DP01 and DP02 indicates that the content was successfully distributed to these site
systems.
The red X on DP03 and both cloud distribution points indicates that there's an error in distributing the
content to these site systems.

TIP
Navigating this graph is similar to the collection relationships graphical view. That article includes tips to navigate the
viewer, many of which also apply to this graph for content distribution.

Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
1. In the Configuration Manager console, go to the Monitoring workspace, expand Distribution Status
and select the Content Status node.
2. If this node doesn't show anything, first distribute content.
3. Select a distributed content item. For example, the Configuration Manager client package .
4. In the ribbon, select View Content Distribution . This action displays the distribution graph for the
selected content.
Hover over the status icon to quickly view more information. Select the path or the status icon to
view status messages for the content.
Hover over the title of the site system to quickly view more information. Select it to drill through to
the Distribution Points node.

Custom icon support for task sequences and packages


Previously, task sequences and legacy packages would always display a default icon in Software Center. Based
on your feedback, you can now add custom icons for task sequences and legacy packages. These icons appear in
Software Center when you deploy these objects. Instead of a default icon, a custom icon can improve the user
experience to better identify the software.
Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
1. If needed, create a task sequence or create a package and program.
2. Open the properties of a task sequence or package.
3. For a task sequence, switch to the More Options tab. For a package, the icon option is on the General
tab.

NOTE
The existing task sequence property page for Performance is now renamed to More Options .

4. In the section for the icon, select Browse . Select an icon from the default shell library, or browse to
another file in a local or network path.
It supports the following file types:
Programs ( .exe )
Libraries ( .dll )
Icons ( .ico )
Images ( .png , .jpeg , .jpg )
The file doesn't need to be on clients that you target with the deployment. Configuration Manager
includes the image with the deployment policy.
The maximum file size for an image is 256 KB.
Icons can have pixel dimensions of up to 512 x 512.
After you save the properties, deploy the task sequence or package, if it's not already deployed. For more
information, see one of the following articles:
Deploy a task sequence
Deploy packages and programs
When clients receive the deployment policy, they'll display the icon in Software Center.

NOTE
To take full advantage of new Configuration Manager features, after you update the site, also update clients to the latest
version. While new functionality appears in the Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.

Known issues with icons for legacy packages


To change the icon on an existing package that's already deployed, change another setting of the package
or create a new deployment.
Custom icons only appear for legacy packages that you deploy to device collections. They don't yet
support user-based deployments.

Prefer cloud-based software update points on switching


Clients now prefer to scan against a cloud management gateway (CMG) software update point (SUP) over an
on-premises SUP when the boundary group uses the Prefer cloud based source over on-premises source
option. To reduce the performance impact of this change, clients don't automatically switch to a cloud-based
SUP. A client stays assigned to its current SUP unless that SUP fails or the client is manually switched to a new
SUP.
Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
1. Ensure your cloud management gateway is configured and functional.
2. Verify that your software update points are functional and synchronized.
3. Enable the Allow Configuration Manager cloud management gateway traffic option for any SUP you
want to use with CMG.
a. Go to Administration > Site Configuration > Servers and Site System Roles. Select
Properties on the software update point site system role from the site server you want to use.
b. On the General tab, enable the Allow Configuration Manager cloud management gateway
traffic option.
4. Configure the boundary group for this behavior by enabling the Prefer cloud based sources over on-
premises sources option and adding the CMG SUP server to the Site system servers list.
a. Go to Administration > Hierarchy Configuration > Boundary Groups. Edit the boundary
groups where you want clients to prefer a CMG SUP for updates scanning.
b. Select Properties for the boundary group.
c. In the References tab, select Add... and add the CMG SUP to the Site system servers list.
d. In the Options tab, select the Prefer cloud based sources over on-premises sources option.
e. Select OK to save the settings and to close the boundary group properties window.
5. To manually switch clients to a new SUP, use the Switch to next Software Update Point client notification
action for a device or for a collection.
Clients in the boundary group don't automatically switch to a new SUP unless scanning against their
current SUP fails four times over the course of two hours.
6. To verify that clients prefer the CMG SUP, start a software update scan cycle on some of the clients that you
switched.
To limit potential performance issues caused by a large number of clients scanning against a new SUP
simultaneously, if you're immediately calling a scan cycle on a large number of clients, we recommend
that you start with no more than 100 clients every 10-15 minutes. Increase or decrease the number of
clients and the frequency once you gauge the performance impact in your environment.
7. The client's LocationServices.log shows the CMG SUP listed as the first LocationRecord WSUSURL in the
WSUSLocationReply. The CMG SUP is also listed as the server for the update scan in the
WUAHandler.log.
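The throttled scan cycle from step 6 and the log check from step 7, as an added PowerShell example that is not part of the Microsoft documentation: it triggers the Software Updates Scan Cycle on clients in batches of at most 100 with a pause between batches, then reads the first LocationRecord WSUSURL from a client's LocationServices.log. It assumes WinRM access to the clients, that schedule ID ...113 is the scan cycle (SMS_Client.TriggerSchedule), that the WSUSLocationReply is logged on a single line containing a <LocationRecord><WSUSURL> element, and that the client names are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: WinRM is enabled on the clients; schedule ID ...113 is the
# Software Updates Scan Cycle (SMS_Client.TriggerSchedule); the WSUSLocationReply
# is logged on one line that contains <LocationRecord><WSUSURL>...</WSUSURL>.

$ScanCycleScheduleId = '{00000000-0000-0000-0000-000000000113}'

function Start-SupScanCycleBatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $BatchSize = 100,        # page guidance: no more than 100 clients at a time
        [int] $BatchDelayMinutes = 10  # page guidance: wait 10-15 minutes between batches
    )
    for ($i = 0; $i -lt $ComputerName.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $ComputerName.Count) - 1
        $batch = $ComputerName[$i..$last]
        Write-Verbose "Triggering the scan cycle on $($batch.Count) clients"
        Invoke-Command -ComputerName $batch -ErrorAction Continue -ScriptBlock {
            Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
                -MethodName 'TriggerSchedule' `
                -Arguments @{ sScheduleID = $using:ScanCycleScheduleId } | Out-Null
        }
        # Pause before the next batch so a newly switched SUP isn't hit by every client at once.
        if ($last -lt $ComputerName.Count - 1) {
            Start-Sleep -Seconds ($BatchDelayMinutes * 60)
        }
    }
}

function Get-FirstWsusUrl {
    # Returns the WSUSURL of the first LocationRecord in the most recent
    # WSUSLocationReply; per step 7 this should be the CMG SUP.
    param([string] $LogPath = 'C:\Windows\CCM\Logs\LocationServices.log')
    $reply = Get-Content -LiteralPath $LogPath |
        Where-Object { $_ -match 'WSUSLocationReply' } |
        Select-Object -Last 1
    if (-not $reply) { return $null }
    $m = [regex]::Match($reply, '<LocationRecord>.*?<WSUSURL>(?<url>[^<]+)</WSUSURL>')
    if ($m.Success) { $m.Groups['url'].Value } else { $null }
}

# Placeholder client names; replace with the clients you switched in step 5.
$clients = 'CLIENT01', 'CLIENT02', 'CLIENT03'
Start-SupScanCycleBatch -ComputerName $clients -Verbose
Invoke-Command -ComputerName $clients -ScriptBlock ${function:Get-FirstWsusUrl}
```

Compare the returned URL with the CMG SUP's address and, as a second check, confirm the same server appears as the scan source in WUAHandler.log.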

LEDBAT support for software update points


You can now enable Windows Low Extra Delay Background Transport (LEDBAT) for your software update points.
LEDBAT adjusts download speeds during client scans against WSUS to help control network congestion.
If a site system has both the distribution point and software update point roles, you can configure LEDBAT
independently on the roles. For example, if you only enable LEDBAT on the distribution point role, the software
update point role doesn't inherit the same configuration.
For more general information on Windows LEDBAT, see Fundamental concepts for content management.
Prerequisites for LEDBAT on software update points
To use LEDBAT in this scenario, install the software update point role on a site system running Windows Server
2016 or later.
Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Servers and Site System Roles node.
2. Select a site system that has the software update point role.
3. In the details pane of site system roles, select the Software update point role.
4. In the ribbon, on the Site Role group, select Properties.
5. On the General tab of the software update point properties, enable the following setting: Adjust the
download speed to use the unused network bandwidth (Windows LEDBAT).

Improvements to Power BI Report Server Integration


We've made the following improvements for Power BI Report Server integration:
You can now use Microsoft Power BI Desktop (Optimized for Power BI Report Server) versions that were
released after January 2021.
Configuration Manager now correctly handles Power BI reports saved by Power BI Desktop (optimized for
Power BI Report Server) May 2021 or later.
Reports saved by Power BI Desktop (optimized for Power BI Report Server) May 2021 or later function
in earlier versions of Configuration Manager. However, you might experience delays updating the data
source on newly updated reports, or receive The remote server returned an error; (400) Bad Request.
errors in the SRSRP.log . For more information about the relevant change to Power BI Desktop
(optimized for Power BI Report Server) May 2021, see Change data source connection strings in
Power BI reports.

Tenant attach features are generally available


The following tenant attach features are now generally available:
Client details
Applications
Device timeline
Resource explorer
CMPivot
Scripts
Bitlocker Recovery Keys
Collections

Deployment Status client notification actions


You can now perform client notification actions, including Run Scripts, from the Deployment Status view. To
run client notification actions from the Deployment Status view:
1. Go to the Deployments node in the Monitoring workspace.
2. Select a deployment, then select View Status, or double-click on the deployment.
3. Right-click on either a group of clients in a Category or a single client in the Asset details pane to display
the client notification actions.
Currently, any user can perform these actions, but they'll receive a permissions error if they don't have
the correct permissions.
Currently, when there are no devices associated with the deployment status, the client notification
actions display but won't trigger any notifications.

Sort by icon in the console


Based on your feedback, in the Configuration Manager console you can now sort by icon. Any node that uses
different icons now sorts properly. This improvement helps you easily group objects of a similar type.
The following example shows the Devices node sorted by icon, which is the device status:
PowerShell release notes preview
These release notes summarize changes to the Configuration Manager PowerShell cmdlets in this technical
preview release.
For more information about PowerShell for Configuration Manager, see Get started with Configuration Manager
cmdlets.
New cmdlets
Get-CMAADTenant
Use this cmdlet to get an Azure Active Directory (Azure AD) tenant from the site.

Get-CMAADTenant
Get-CMAADTenant -Id $id
Get-CMAADTenant -Name $name

Set-CMCollectionCloudSync
Use this cmdlet to configure the following cloud sync features for a collection:
Make a collection available to assign endpoint security policies from the Microsoft Endpoint Manager
admin center. For more information, see Tenant attach: Onboard Configuration Manager clients to
Microsoft Defender for Endpoint from the admin center.
Synchronize collection member results to Azure AD groups. For more information, see Synchronize
members to Azure AD groups.

Set-CMCollectionCloudSync -Name $name -EnableAssignEndpointSecurityPolicy $true -TenantId $tenantId -AddGroupName $array -Verbose
Set-CMCollectionCloudSync -Id $collectionId -TenantName $tenantName -RemoveGroupName $array1 -AddGroupName $array2
$collectionObj | Set-CMCollectionCloudSync -TenantObject $tenantObj -RemoveGroupName $array1 -AddGroupName $array2
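The two new cmdlets used together, as an added PowerShell example that is not part of the Microsoft documentation or the ConfigurationManager module: it resolves the tenant with Get-CMAADTenant, stops if the site has no tenant by that name, and then enables cloud sync on each named collection. It assumes the ConfigurationManager module is loaded with the site drive as the current location, and that the tenant, collection and group names are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumes the ConfigurationManager module is imported and the site drive is
# current (for example, Set-Location 'PS1:').

function Enable-CollectionCloudSync {
    # Hypothetical wrapper around Get-CMAADTenant and Set-CMCollectionCloudSync.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $CollectionName,
        [Parameter(Mandatory)] [string]   $TenantName,
        [string[]] $AddGroupName = @(),          # Azure AD groups to sync members into
        [switch]   $AssignEndpointSecurityPolicy # expose the collection to the admin center
    )
    # Resolve the tenant once; refuse to continue if it's not registered in the site.
    $tenant = Get-CMAADTenant -Name $TenantName
    if (-not $tenant) {
        throw "No Azure AD tenant named '$TenantName' is registered in this site."
    }

    foreach ($name in $CollectionName) {
        $collection = Get-CMCollection -Name $name
        if (-not $collection) {
            Write-Warning "Collection '$name' not found; skipping."
            continue
        }
        # Only pass the optional parameters that were actually requested.
        $syncParams = @{ TenantObject = $tenant }
        if ($AddGroupName.Count -gt 0)      { $syncParams.AddGroupName = $AddGroupName }
        if ($AssignEndpointSecurityPolicy)  { $syncParams.EnableAssignEndpointSecurityPolicy = $true }

        if ($PSCmdlet.ShouldProcess($name, 'Enable collection cloud sync')) {
            $collection | Set-CMCollectionCloudSync @syncParams
        }
    }
}

# Placeholder names; replace with your own tenant, collections and Azure AD groups.
Enable-CollectionCloudSync -TenantName 'contoso.onmicrosoft.com' `
    -CollectionName 'Pilot Workstations', 'Finance Laptops' `
    -AddGroupName 'CM-Pilot-Workstations' -AssignEndpointSecurityPolicy -WhatIf
```

Drop -WhatIf once the preview output shows the collections you expect.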

Modified cmdlets
Get-CMDeploymentTypeDetectionClause
For more information, see Get-CMDeploymentTypeDetectionClause.
Non-breaking changes
The cmdlet can now get a detection clause from a script deployment type.
Get-CMDeploymentStatusDetails
For more information, see Get-CMDeploymentStatusDetails.
Bugs that were fixed
Updated the cmdlet to avoid a potential null reference error.
Import-CMApplication
For more information, see Import-CMApplication.
Non-breaking changes
Updated the import logic to align with console. Added new warning messages.
New-CMCoManagementPolicy
For more information, see New-CMCoManagementPolicy.
Non-breaking changes
The cmdlet now supports applicability for Windows 11 on ARM64 devices.
New-CMApplication
For more information, see New-CMApplication.
Non-breaking changes
It can now get an application icon from the specified file.
New-CMTaskSequence
For more information, see New-CMTaskSequence.
Non-breaking changes
Added the IconLocationFile parameter to support specifying an icon for the task sequence. For more
information, see Support for task sequence and package icons.
New-CMTaskSequenceDeployment
For more information, see New-CMTaskSequenceDeployment.
Bugs that were fixed
Fixed an issue with the AllowSharedContent parameter.
Publish-CMThirdPartySoftwareUpdateContent
For more information, see Publish-CMThirdPartySoftwareUpdateContent.
Non-breaking changes
Added the Force parameter to run the command without asking for confirmation.
Set-CMSoftwareUpdatePointComponent
For more information, see Set-CMSoftwareUpdatePointComponent.
Non-breaking changes
Added the NonWindowsUpdateMaxRuntimeMins parameter to change the default maximum run time for
non-Windows software updates.
Set-CMTaskSequence
For more information, see Set-CMTaskSequence.
Non-breaking changes
Added the IconLocationFile parameter to support specifying an icon for the task sequence. For more
information, see Support for task sequence and package icons.
Set-CMTaskSequenceDeployment
For more information, see Set-CMTaskSequenceDeployment.
Bugs that were fixed
Fixed an issue with the AllowSharedContent parameter.
Start-CMTaskSequenceDeployment
For more information, see Start-CMTaskSequenceDeployment.
Bugs that were fixed
Fixed an issue with the AllowSharedContent parameter.
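The icon limits from the custom icon section (supported file types, 256 KB maximum, up to 512 x 512 pixels) checked before the file is assigned with the new IconLocationFile parameter, as an added PowerShell example that is not part of the Microsoft documentation or the ConfigurationManager module. It assumes the module is loaded with the site drive current, that System.Drawing is available for reading image dimensions (skipped for .exe and .dll resources), and that the task sequence name and icon path are placeholders.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumes the ConfigurationManager module is imported and the site drive is current.

$AllowedIconExtensions = '.exe', '.dll', '.ico', '.png', '.jpeg', '.jpg'  # types listed on the page
$MaxIconBytes  = 256KB   # page limit: maximum image file size
$MaxIconPixels = 512     # page limit: up to 512 x 512 pixels

function Test-CMIconFile {
    # Hypothetical helper: returns a list of problems, empty when the file is acceptable.
    param([Parameter(Mandatory)] [string] $Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $problems = @()

    if ($AllowedIconExtensions -notcontains $file.Extension.ToLowerInvariant()) {
        $problems += "unsupported file type '$($file.Extension)'"
    }
    if ($file.Length -gt $MaxIconBytes) {
        $problems += "file is $([math]::Round($file.Length / 1KB)) KB; maximum is 256 KB"
    }
    # Pixel dimensions only apply to image files; .exe/.dll carry icon resources instead.
    if ($file.Extension -notin '.exe', '.dll') {
        Add-Type -AssemblyName System.Drawing
        $image = [System.Drawing.Image]::FromFile($file.FullName)
        try {
            if ($image.Width -gt $MaxIconPixels -or $image.Height -gt $MaxIconPixels) {
                $problems += "image is $($image.Width)x$($image.Height); maximum is 512x512"
            }
        }
        finally { $image.Dispose() }
    }
    return $problems
}

function Set-CMTaskSequenceIcon {
    # Hypothetical wrapper: validates the icon, then applies it with Set-CMTaskSequence.
    param(
        [Parameter(Mandatory)] [string] $TaskSequenceName,
        [Parameter(Mandatory)] [string] $IconPath
    )
    $problems = Test-CMIconFile -Path $IconPath
    if ($problems.Count -gt 0) {
        throw "Icon '$IconPath' rejected: $($problems -join '; ')"
    }
    $ts = Get-CMTaskSequence -Name $TaskSequenceName
    if (-not $ts) { throw "Task sequence '$TaskSequenceName' not found." }
    $ts | Set-CMTaskSequence -IconLocationFile $IconPath
}

# Placeholder values; replace with your task sequence name and icon file.
Set-CMTaskSequenceIcon -TaskSequenceName 'Deploy Windows 11' -IconPath 'C:\Icons\win11.png'
```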

Improved notice for content on task sequence media


When you create task sequence media in the Configuration Manager console, you have to select distribution
points that contain the content required by the task sequence. If some content isn't available on the selected
distribution points, the wizard would display an error that simply said some packages aren't available.
Based on your feedback, this message now includes the list of package IDs for the content that's not available.
This change makes the notice more actionable, so you can more easily see what content is missing. This
information is also listed in the CreateTsMedia.log file.

Next steps
For more information about installing or updating the technical preview branch, see Technical preview.
For more information about the different branches of Configuration Manager, see Which branch of
Configuration Manager should I use?.
Features in Configuration Manager technical
preview version 2112
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (technical preview branch)


This article introduces the features that are available in the technical preview for Configuration Manager, version
2112. Install this version to update and add new features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes you with the general
requirements and limitations for using a technical preview, how to update between versions, and how to provide
feedback.
The following sections describe the new features to try out in this version:

Customize maximum run time for other software update types


Previously, software updates that didn't belong to the following update categories defaulted to a maximum run
time of 60 minutes (or 10 minutes prior to version 2103):
Windows feature updates
Windows non-feature updates
Office 365 updates
Starting in this technical preview, you can customize the maximum run time for all other software updates,
which includes third-party updates.
Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
Change the maximum run time for all other software updates:
1. Go to Administration > Overview > Site Configuration > Sites, then select the top-level site.
2. From the ribbon, select Settings > Configure Site Components > Software Update Point to open
the Software Update Point Component Properties.
3. In the Maximum Run Time tab, change the following property to a value between 5 and 9999:
Maximum run time for all other software updates outside these categories, such as third-
party updates (minutes)

NOTE
The new run time for these updates only applies to updates that are newly synchronized after the change. Existing
updates that have already been synchronized will not use this value.

Console and user experience improvements


Based on your feedback, we’ve made a few improvements to the console and user experience.
When using temporary device nodes, right-click device actions like Run Scripts are now available to make
the experience in the console consistent.
For example, if you're in the Client Health Dashboard then select a specific version from the Client
Versions chart, you're taken to a temporary node. The temporary node now has additional actions
available from the right-click menu.
Copy/paste is available for more objects from details panes.
Added the Name property in the details pane for configuration items, configuration item related
policies, and applications.
Company portal no longer displays an available package as a featured application.
Software update search results and the search criteria are now cached when you navigate to another node.
When you navigate back to the All Software Updates node, your search criteria and results are preserved
from your last query.

Exclude data warehouse reporting tables from synchronization


When you install the data warehouse, it synchronizes a set of default tables from the site database. These tables
are required for data warehouse reports. While troubleshooting issues, you may want to stop synchronizing
these default tables. Starting in this release, you can exclude one or more of these required tables from
synchronization.
Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
1. When you install or configure the properties of the data warehouse, on the Synchronization settings
page, choose Select tables .
2. In the Database tables window, deselect one or more tables of type Required .
3. The console will prompt you to confirm the change, since some reports may no longer work correctly.

A new remote assistance tool


As announced at Microsoft Ignite 2021, a public preview of the new remote assistance solution is now available
in the Microsoft Endpoint Manager admin center. This cloud-based tool can help you more securely support
users of Windows devices.
This new tool will be the solution for remote control of remote devices. While you can't currently start this tool
from the Configuration Manager console, tenant attach provides the mechanism to eventually provide these
remote help capabilities.
With the release of this new tool, the Configuration Manager feature for remote control anywhere using cloud
management gateway (CMG) won't be available in the next technical preview release.
For more information, see the following resources:
Remote help: a new remote assistance tool from Microsoft (blog post)
Enable remote help scenarios with Microsoft Endpoint Manager (demo video)
Use remote help with Intune and Microsoft Endpoint Manager

General known issues


Unable to install an existing console extension after site upgrade
After a site upgrade, console extensions that aren't built into Configuration Manager won't install for new
consoles. If the extension was already installed on a console, that console may continue to use the extension.
Workaround
To work around this issue, delete the extension from the Console Extensions node. Redownload the extension
from Community hub or reimport the extension and enable notifications for it as needed.

Next steps
For more information about installing or updating the technical preview branch, see Technical preview.
For more information about the different branches of Configuration Manager, see Which branch of
Configuration Manager should I use?.
Features in Configuration Manager technical
preview version 2111
2/16/2022 • 4 minutes to read • Edit Online

Applies to: Configuration Manager (technical preview branch)


This article introduces the features that are available in the technical preview for Configuration Manager, version
2111. Install this version to update and add new features to your technical preview site.
Review the technical preview article before installing this update. That article familiarizes you with the general
requirements and limitations for using a technical preview, how to update between versions, and how to provide
feedback.
The following sections describe the new features to try out in this version:

Improvements to the Windows servicing dashboard


We now display a Windows 11 Latest Feature Updates chart in the Windows Servicing dashboard. The
new chart makes it easier to determine how many of your Windows 11 clients are on the latest feature update.
To display the dashboard, go to Software Library > Overview > Windows Servicing .

Co-management Eligible Devices collection


There's a new built-in device collection for Co-management Eligible Devices . The Co-management
Eligible Devices collection uses incremental updates and a daily full update to keep the collection up to date.

Improvement to app groups


This release resolves one of the known issues for app groups from version 2110. Viewing and managing app
groups in the Microsoft Endpoint Manager admin center no longer requires an elevated role. It honors permissions
and scopes as defined in Configuration Manager. For example, your user account requires the Approve
permission on an app group to approve it for installation from the admin center. This behavior is consistent with
applications.

Improvement to task sequence deployment type


Consider the following scenario:
An application has a task sequence deployment type.
It's deployed as available.
A device has maintenance windows defined.
A user on the device runs the deployment in Software Center outside of a maintenance window.
Configuration Manager honors the user's intent to install the application, even though there's no available
maintenance window. Previously, when the task sequence ran, the Restart Computer step would fail because
of the maintenance window.
Based on your feedback, this step now ignores maintenance windows only when the task sequence is run as an
app deployment type.

PowerShell release notes preview


These release notes summarize changes to the Configuration Manager PowerShell cmdlets in this technical
preview release.
For more information about PowerShell for Configuration Manager, see Get started with Configuration Manager
cmdlets.
New cmdlets for orchestration groups
For more general information about this feature, see Orchestration groups in Configuration Manager.
Get-CMOrchestrationGroup
Use this cmdlet to get an orchestration group object by name or ID. You can use this object with Invoke-
CMOrchestrationGroup, Remove-CMOrchestrationGroup, or Set-CMOrchestrationGroup.
Invoke-CMOrchestrationGroup
Use this cmdlet to start orchestration.

Get-CMOrchestrationGroup -Name $OGName | Invoke-CMOrchestrationGroup -IgnoreServiceWindow $true

New-CMOrchestrationGroup
Use this cmdlet to create a new orchestration group.

New-CMOrchestrationGroup -Name $Script:OGName -SiteCode $SiteCode -Description "Desc" `
    -OrchestrationType Percentage -OrchestrationValue 10 -OrchestrationTimeOutMin 300 -MaxLockTimeOutMin 55 `
    -PreScript "PreScript" -PreScriptTimeoutSec 30 -PostScript "PostScript" -PostScriptTimeoutSec 55 `
    -MemberResourceIds $Script:device.ResourceID

Remove-CMOrchestrationGroup
Use this cmdlet to remove the specified orchestration group.
Set-CMOrchestrationGroup
Use this cmdlet to configure an orchestration group.
Deprecated cmdlets
The Remove-CMDeploymentTypeSupersedence cmdlet for deployment type supersedence is deprecated
and may be removed in a future release. Instead, use the new Set-CMApplicationSupersedence cmdlet.
Modified cmdlets
Add-CMDeviceCollectionDirectMembershipRule
For more information, see Add-CMDeviceCollectionDirectMembershipRule.
Bugs that were fixed
Fixed an issue when adding a rule by resource object.
Get-CMClientSetting
For more information, see Get-CMClientSetting.
Non-breaking changes
Added support to return the value for the Disable Deadline Randomization setting in the Computer Agent
group.
New-CMBoundary
For more information, see New-CMBoundary.
Non-breaking changes
Added new parameter ValueStartsWith to support Improvements to VPN boundary types.
New-CMTSStepApplyWindowsSetting
For more information, see New-CMTSStepApplyWindowsSetting.
Breaking changes
Removed the following unsupported parameters:
MaximumConnection
ServerLicensing
New-CMTSPartitionSetting
For more information, see New-CMTSPartitionSetting.
Non-breaking changes
Set default value for AssignVolumeLetter.
New-CMTSStepPrestartCheck
For more information, see New-CMTSStepPrestartCheck.
Non-breaking changes
Added new parameters for TPM existence check:
CheckTpmEnabled
CheckTpmActivated
New-CMWdacSetting
For more information, see New-CMWdacSetting.
Non-breaking changes
Added support for new platform rules for Windows 10 ARM64 and Windows 10 multi-session.
Remove-CMPersistentUserSettingsGroup
For more information, see Remove-CMPersistentUserSettingsGroup.
Bugs that were fixed
Fixed a query issue when removing a settings group by name.
Set-CMTSStepPrestartCheck
For more information, see Set-CMTSStepPrestartCheck.
Non-breaking changes
Added new parameters for TPM existence check:
CheckTpmEnabled
CheckTpmActivated
Set-CMBoundary
For more information, see Set-CMBoundary.
Non-breaking changes
Added new parameter ValueStartsWith to support Improvements to VPN boundary types.
Set-CMDistributionPoint
For more information, see Set-CMDistributionPoint.
Non-breaking changes
Added new parameter EnableMaintenanceMode to support managing maintenance mode.
Set-CMSoftwareUpdatePoint
For more information, see Set-CMSoftwareUpdatePoint.
Bugs that were fixed
Fixed an issue with regular expression processing when trying to clear the WSUS access account from a
software update point.
Set-CMTSStepApplyWindowsSetting
For more information, see Set-CMTSStepApplyWindowsSetting.
Breaking changes
Removed the following unsupported parameters:
MaximumConnection
ServerLicensing

Next steps
For more information about installing or updating the technical preview branch, see Technical preview.
For more information about the different branches of Configuration Manager, see Which branch of
Configuration Manager should I use?.
Features in Configuration Manager technical
preview version 2110
2/16/2022 • 11 minutes to read • Edit Online

Applies to: Configuration Manager (technical preview branch)


This article introduces the features that are available in the technical preview for Configuration Manager, version
2110. Install this version to update and add new features to your technical preview site. When you install a new
technical preview site, this release is also available as a baseline version.
Review the technical preview article before installing this update. That article familiarizes you with the general
requirements and limitations for using a technical preview, how to update between versions, and how to provide
feedback.
The following sections describe the new features to try out in this version:

Simplified cloud attach configuration


We've simplified the process to cloud attach your Configuration Manager environment. You can now choose to
use a streamlined set of recommended defaults when cloud attaching your environment. By using the
recommended default settings, your eligible devices will be cloud attached and you'll enable capabilities like rich
analytics, cloud console, and real-time device querying. The default settings include the following features:
Enables automatic enrollment of all eligible devices into Intune
Enrolls your clients into co-management, with all workloads pointed to Configuration Manager
Enables Endpoint analytics
Enables automatic upload of all your devices to Microsoft Endpoint Manager admin center (tenant attach)
Cloud attach using the default settings
Use the following steps to cloud attach your environment with the default settings:
1. From the Configuration Manager console, go to Administration > Cloud services > Cloud Attach .
2. Select Configure Cloud Attach from the ribbon to open the wizard.
3. Select your Azure environment , then select Sign In . Sign into your account when prompted.
4. Ensure that Use default settings (recommended) is selected, then choose Next and Yes when the app
registration notice appears.
5. Review the summary and select Next to cloud attach your environment and complete the wizard.

Improvements to client health dashboard


This release includes improvements to the Client health dashboard.
While you can configure the dashboard to limit the view by collection, previously it would reset to the All
Systems collection when you refreshed the node. You can now select the ribbon action to Choose
Default Collection , which sets a persistent user preference.
You still use the Client Status Settings action to configure the periods of time to evaluate client health.
This action is now available in the ribbon of the Client health dashboard node. This change makes it
easier to access this action, without needing to switch to the parent node for Client Status .
The existing options to filter the dashboard are now condensed to a single Filter tile.
The Overall client health tile is on the top row, which makes it easier to see when you select this node.
This percentage should be as close to 100% as possible.
The Combined (All) and Combined (Any) scenarios are removed. A new tile, Clients with any
failure , shows the percentage of clients that report any health issue. This percentage should be as close
to 0% as possible.
The dashboard includes a new tile for Health trends by scenario . It shows the percentage of healthy
clients for the selected scenario. Use the slider control at the top of the tile to adjust the number of days
to display in the chart.

NOTE
The maximum value for the slider control is the same as the Retain client status history for the following
number of days setting in Client Status Settings . It's 31 days by default.
It's also limited by the amount of client health data in the site database. In the following example, while it's configured
to display 31 days of history, there are only three days of available data.

The following example shows the trend for client health evaluation:
Enable update notifications from Microsoft 365 Apps
You can now configure the end-user experience for Microsoft 365 Apps updates. This client setting allows you to
enable or disable notifications from Microsoft 365 Apps for these updates. The new Enable update
notifications from Microsoft 365 Apps option has been added to the Software Updates group of client
settings. The following options are available for the setting:
No : Doesn't display Microsoft 365 Apps updates notifications from Microsoft 365 Apps (default)
Yes : Displays Microsoft 365 Apps updates notifications from Microsoft 365 Apps
End-user experience for update notifications from Microsoft 365 Apps
Which notifications are displayed to the user about updates for Microsoft 365 Apps is also determined by the
settings for per deployment notifications from Software Center. If deployment notifications from Software
Center are disabled, then the end user won't receive any notifications from either Software Center or Microsoft
365 Apps, regardless of how notifications from Microsoft 365 Apps are set. If notifications from both Software
Center and Microsoft 365 Apps are enabled, then the end user will receive notifications from Software Center
and Microsoft 365 Apps. Below is a chart of which notifications for Microsoft 365 Apps updates are displayed to
the end user for these settings:

SETTING | DISPLAY PER DEPLOYMENT SOFTWARE CENTER NOTIFICATIONS | HIDE PER DEPLOYMENT SOFTWARE CENTER NOTIFICATIONS
Enable update notifications from Microsoft 365 Apps: Yes | User receives notifications from Software Center. User receives notifications from Microsoft 365 Apps. | No notifications from Software Center. No notifications from Microsoft 365 Apps.
Enable update notifications from Microsoft 365 Apps: No | User receives notifications from Software Center. No notifications from Microsoft 365 Apps. | No notifications from Software Center. No notifications from Microsoft 365 Apps.

Branding in the Windows Update native reboot experience


You can now add branding information when using the native Windows restart experience for software updates.
To use this feature, client devices must be running Windows Insider build 21277 or later. From the Computer
Restart client device settings, ensure that Windows is selected as the restart experience. For the Specify
organization name option, enter the organization name to display in the restart notifications. Branding
information will be included in the Windows restart notification for updates that require restart.

Improvements to application groups


This release includes the following improvements to application groups:
Now when you deploy an app group as required to a device or user collection, you can specify that it
automatically uninstalls when the resource is removed from the collection. For more general information
on this feature, see Implicit uninstall.
The following app approval behaviors are now supported with app groups:
Deploy an app group to a user collection and require approval.
A user can then request the app group in Software Center.
You can approve or deny the user's request for the app group.
Deploy an app group to a device collection and require approval. The deployment is suspended on
the device until you trigger installation via automation. For example, use the Approve-
CMApprovalRequest PowerShell cmdlet.
From the Configuration Manager console, when you select a device, there's a new action in the
Device group of the ribbon to Install Application Group . For more information, see Install
applications for a device.
When you enable tenant attach, you can view status and take actions on app groups from the
Microsoft Endpoint Manager admin center. For more information, see Install an application from
the admin center.
Known issues for app groups in this technical preview release
If an app group was previously approved and installed on a device, the Deny action doesn't automatically
uninstall it.
To view and manage app groups in the Microsoft Endpoint Manager admin center, your account needs
the Full Administrator role in Configuration Manager.

Improvements to external notifications


Starting in Configuration Manager current branch version 2107, you could enable the site to send notifications
to an external system or application. This feature used a PowerShell script to manage the status filter rules and
subscriptions. For more information, see External notifications.
This release adds support in the Configuration Manager console to create or edit a subscription for external
notifications. It supports events for status filter rules and application approval requests.
Try it out!
Try to complete the tasks. Then send Feedback with your thoughts on the feature.
1. Create an Azure Logic App and copy the URL. For more information, see Create an Azure logic app and
workflow.
2. In the Configuration Manager console, go to the Monitoring workspace. Expand Alerts , and select the
new External service notifications node.
3. In the ribbon, select Create subscription .
4. Specify a Name for the subscription to identify it in the Configuration Manager console. Optionally add a
Description .
5. For the External service URL value, paste the URL of the Azure Logic App that you copied in the first
step.

6. Select the gold asterisk to add a new event to the subscription.


How to trigger an event depends upon the type of subscription:
For a status filter rule, trigger an event for the site component. For example, stop or restart the service or
thread.
For an app approval request, use Software Center to request an app that requires approval.
For more information on next steps, see Monitor the workflow.

Approvals for orchestration group scripts


Pre and post-scripts for Orchestration groups now require approval to take effect. If you open, author, or modify
a script, approval for the script is required from another admin. When selecting an approved script from the
Scripts library, no additional approval is needed. By default, users can't approve a script they've authored.
This approval requirement gives an additional level of security against running a script without oversight. For ease of testing,
you can disable script approval for the environment by changing the hierarchy setting.
To assist you with script approval, the following two tabs were added to the details pane for Orchestration
Groups :
Summary : Contains information about the selected orchestration group, including the Approval State of
scripts.
Scripts : Lists information about pre and post-scripts, including the timeout, approver, and approval state for
each script.
Approval states for pre and post-scripts
The approval state for each of the scripts is displayed in the Scripts tab. Editing a script after it's approved will
reset the approval state. The Approval State for each script is defined below:
Approved : The script is approved. Approval is granted from either of the following ways:
Selecting a script from the list of approved PowerShell scripts
Manual approval of the script by selecting Approve from the ribbon or the right-click menu.
Waiting for approval : The script is pending approval. Scripts that are written or edited directly in the code
editor, or imported from a .ps1 file will start in this approval state.
Declined : The script was denied during the approval process.

IMPORTANT
Editing a script after it's approved will reset the approval state to Waiting for approval. This also means that the
previously approved version of the script will not run if you start orchestration on the group while that script is in the
Waiting for approval state.

Permissions
Approving scripts for orchestration groups requires one of the following security roles:
Full Administrator
Operations Administrator
Approve or deny a script for an orchestration group
1. From the Configuration Manager console, go to the Assets and Compliance workspace > Overview >
Orchestration Groups .
2. Select an orchestration group and then select the Scripts tab for the group.
3. Select one of the scripts and choose Approve/Deny from either the ribbon or the right-click menu.
4. Review the script from the Script Details page in the Approve or Deny Script wizard. Select Next when
you're finished reviewing the script.
5. On the Script Approval page in the wizard, select Approve or Deny . If needed, enter in a comment to be
displayed in the Scripts detail pane.
6. Complete the wizard to finish the approval process.

Task sequence check for TPM 2.0


To help you better deploy Windows 11, the Check Readiness step in the task sequence now includes checks for
TPM 2.0.
TPM 2.0 or above is enabled : Checks whether the device that's running the task sequence has a TPM 2.0
that's enabled.
TPM 2.0 or above is activated : If the device has an enabled TPM 2.0, check that it's activated.
The task sequence smsts.log file also shows the TPM version.

Console improvements
Based on your feedback, this release includes the following improvements to the Configuration Manager
console:
When you show the members of a device collection, and select a device in the list, switch to the
Collections tab in the details pane. This new view shows the list of collections of which the selected
device is a member. It makes it easier for you to see this information.

When viewing a collection, you could previously see the amount of time the site took to evaluate the
collection membership. This data is now also available in the Monitoring workspace. When you select a
collection in either subnode of the Collection Evaluation node, the details pane displays this collection
evaluation time data.
Status messages for console extensions
To improve the visibility and transparency of console extensions, the site now creates status messages for
related events. These status messages have IDs from 54201 to 54208 . They all include the following
information:
The user that made the change
The ID of the extension
The version of the extension
There are four categories of message events:
Required or optional
Approve or disapprove
Enable or disable
Tombstone or untombstone
For example, the description of status message ID 54201 is User "%1" made console extension with ID
"%2" and version "%3" required .

Use these status messages to make sure your site uses known and trusted console extensions.
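The following script is an added example (not from the Configuration Manager docs) of how an administrator might review these status messages against a list of reviewed extensions and authorized approvers. The message objects, the property names (MessageID, Time, InsertionStrings), the insertion-string order, and all extension names and accounts are constructed assumptions; only the ID range 54201 to 54208 and the 54201 description template come from the page.

```powershell
# Added example, not Configuration Manager product code: audit console extension
# status messages (IDs 54201 to 54208) against a list of reviewed extensions.
# Assumption: each message carries its insertion strings in the order used by the
# documented 54201 template, that is %1 = user, %2 = extension ID, %3 = version.

# Extensions your organization has reviewed: extension ID -> trusted version(s). (constructed values)
$TrustedExtensions = @{
    'Contoso.HelpDesk' = @('1.0.0', '1.1.0')
    'Fabrikam.Reports' = @('2.3.1')
}

# Accounts allowed to change console extension state. (constructed values)
$AuthorizedApprovers = @('CONTOSO\cmadmin1', 'CONTOSO\cmadmin2')

# Description templates. Only 54201 is documented on the page; add the others
# from your own site's status message list if you want full descriptions.
$Templates = @{
    54201 = 'User "%1" made console extension with ID "%2" and version "%3" required'
}

# Constructed sample messages; replace with the messages you pull from a status message query.
$SampleMessages = @(
    [pscustomobject]@{ MessageID = 54201; Time = [datetime]'2022-02-16T10:00:00'; InsertionStrings = @('CONTOSO\cmadmin1', 'Contoso.HelpDesk', '1.1.0') }
    [pscustomobject]@{ MessageID = 54203; Time = [datetime]'2022-02-16T10:05:00'; InsertionStrings = @('CONTOSO\jdoe', 'Unknown.Tool', '0.9.0') }
    [pscustomobject]@{ MessageID = 54205; Time = [datetime]'2022-02-16T10:06:00'; InsertionStrings = @('CONTOSO\cmadmin2', 'Fabrikam.Reports', '2.4.0') }
    [pscustomobject]@{ MessageID = 54207; Time = [datetime]'2022-02-16T10:07:00'; InsertionStrings = @('CONTOSO\cmadmin1', 'Fabrikam.Reports', '2.3.1') }
    [pscustomobject]@{ MessageID = 30000; Time = [datetime]'2022-02-16T10:08:00'; InsertionStrings = @() }   # unrelated message, ignored
)

# Render a description the way the console does: substitute %1, %2, %3 with the insertion strings.
function Expand-StatusMessageDescription {
    param([int] $MessageID, [string[]] $InsertionStrings)
    $text = $Templates[$MessageID]
    if (-not $text) { return "Message $MessageID (no template on file)" }
    for ($i = 0; $i -lt $InsertionStrings.Count; $i++) {
        $text = $text.Replace("%$($i + 1)", $InsertionStrings[$i])
    }
    return $text
}

# Return one finding per console extension event that does not match the trusted list or approver group.
function Test-ConsoleExtensionStatusMessages {
    param(
        [Parameter(Mandatory)] [object[]]  $Messages,
        [Parameter(Mandatory)] [hashtable] $Trusted,
        [Parameter(Mandatory)] [string[]]  $Approvers
    )
    $findings = foreach ($m in $Messages) {
        # Only the console extension event range documented on the page.
        if ($m.MessageID -lt 54201 -or $m.MessageID -gt 54208) { continue }

        $user    = $m.InsertionStrings[0]
        $extId   = $m.InsertionStrings[1]
        $version = $m.InsertionStrings[2]
        $reasons = @()

        if (-not $extId -or -not $Trusted.ContainsKey($extId)) {
            $reasons += 'extension ID is not on the reviewed list'
        } elseif ($Trusted[$extId] -notcontains $version) {
            $reasons += "version $version of a reviewed extension has not been reviewed"
        }
        if ($Approvers -notcontains $user) {
            $reasons += 'change made by an account outside the approver group'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $m.Time
                MessageID   = $m.MessageID
                User        = $user
                ExtensionId = $extId
                Version     = $version
                Description = Expand-StatusMessageDescription -MessageID $m.MessageID -InsertionStrings $m.InsertionStrings
                Reason      = ($reasons -join '; ')
            }
        }
    }
    return @($findings)
}

$findings = Test-ConsoleExtensionStatusMessages -Messages $SampleMessages -Trusted $TrustedExtensions -Approvers $AuthorizedApprovers
if ($findings.Count -gt 0) {
    # In the sample data, 54203 (unknown extension, non-approver) and 54205 (unreviewed version) are reported.
    $findings | Sort-Object Time | Format-Table Time, MessageID, User, ExtensionId, Version, Reason -AutoSize
} else {
    Write-Output 'All console extension changes match the reviewed list and approver group.'
}
```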

General known issues


Community hub download button is always enabled
The Download button for items in Community hub doesn't disable once an object has been downloaded. The
download will fail if you attempt to download the item again.

Next steps
For more information about installing or updating the technical preview branch, see Technical preview.
For more information about the different branches of Configuration Manager, see Which branch of
Configuration Manager should I use?.
Migrate data between hierarchies in Configuration
Manager
2/16/2022 • 6 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


Use migration to transfer data from a supported source hierarchy to your Configuration Manager (current
branch) destination hierarchy. When you migrate data from a source hierarchy:
You access data from the site databases in the source infrastructure, and then transfer that data to your
current environment.
Migration doesn't change the data in the source hierarchy. Instead it discovers the data and stores a copy
in the database of the destination hierarchy.
Consider the following points when you plan your migration strategy:
You can migrate an existing Configuration Manager 2007 SP2 infrastructure to Configuration Manager
(current branch).
You can migrate some or all of the supported data from a source site.
You can migrate the data from a single source site to several different sites in the destination hierarchy.
You can move data from multiple source sites to a single site in the destination hierarchy.
The following video discusses and demonstrates two common migration scenarios. It also includes options for
including Microsoft Azure in migration plans.

Concepts
Configuration Manager uses the following concepts and terms during migration.
Source hierarchy
A hierarchy that runs a supported version of Configuration Manager and has data that you want to migrate.
When you set up migration, you identify the source hierarchy when you specify the top-level site of a source
hierarchy. After you specify a source hierarchy, the top-level site of the destination hierarchy gathers data from
the database of the designated source site to identify the data that you can migrate.
For more information, see Source hierarchies.
Source sites
The sites in the source hierarchy that have data that you can migrate to your destination hierarchy.
For more information, see Source sites.
Destination hierarchy
A Configuration Manager (current branch) hierarchy where migration runs to import data from a source
hierarchy.
Data gathering
The ongoing process of identifying the information in a source hierarchy that you can migrate to your
destination hierarchy. Configuration Manager checks the source hierarchy on a schedule. This process identifies
any changes to information in the source hierarchy that you previously migrated and that you might want to
update in the destination hierarchy.
For more information, see Data gathering.
Migration jobs
The process of configuring the specific objects to migrate, and then managing the migration of those objects to
the destination hierarchy.
For more information, see Planning a migration job strategy.
Client migration
The process of transferring information that clients use from the database of the source site to the database of
the destination hierarchy. This migration of data is then followed by an upgrade of client software on devices to
the client software version from the destination hierarchy.
For more information, see Planning a client migration strategy.
Shared distribution points
The distribution points from the source hierarchy that Configuration Manager shares with the destination
hierarchy during the migration period.
During the migration period, clients assigned to sites in the destination hierarchy can get content from shared
distribution points.
For more information, see Share distribution points between source and destination hierarchies.
Monitoring migration
The process of monitoring migration activities. You monitor migration progress and success from the
Migration node in the Administration workspace.
For more information, see Planning to monitor migration activity.
Stop gathering data
The process of stopping data gathering from source sites. When you no longer have data to migrate from a
source hierarchy, or if you want to pause migration-related activities, you can configure the destination
hierarchy to stop gathering data from the source hierarchy.
For more information, see Data gathering.
Clean up migration data
The process of finishing migration from a source hierarchy by removing information about the migration from
the destination hierarchy's database.
For more information, see Planning to complete migration.

Typical workflow
To set up a workflow for migration:
1. Specify a supported source hierarchy.
2. Set up data gathering. Data gathering enables Configuration Manager to collect information about data
that can migrate from the source hierarchy.
Configuration Manager automatically repeats the process to collect data on a simple schedule until you
stop the data gathering process. By default, the data gathering process repeats every four hours so that
Configuration Manager can identify changes to data in the source hierarchy. Data gathering is also
necessary to share distribution points.
3. Create migration jobs to migrate data between the source and destination hierarchy.
4. You can stop the data gathering process at any time by using the Stop Gathering Data action. When
you stop data gathering, Configuration Manager no longer identifies changes to data in the source
hierarchy and can no longer share distribution points. Typically, you use this action when you no longer
plan to migrate data or share distribution points from the source hierarchy.
5. Optionally, after data gathering has stopped at all sites for the source hierarchy, you can clean up the
migration data by using the Clean Up Migration Data action. This action deletes the historical data
about migration from a source hierarchy from the database of the destination hierarchy.
After you migrate data, and you no longer need the source hierarchy to manage devices in your environment,
you can decommission that source hierarchy and infrastructure.

Scenarios
Configuration Manager supports the following migration scenarios:
Migration from Configuration Manager 2007 hierarchies
Migration from Configuration Manager 2012 or another Configuration Manager hierarchy

NOTE
The expansion of a hierarchy that has a standalone site into a hierarchy that has a central administration site isn't
categorized as a migration. For information about hierarchy expansion, see Expand a stand-alone primary site.

Migration from Configuration Manager 2007 hierarchies


When you use migration to migrate data from Configuration Manager 2007, you can maintain your investment
in your existing site infrastructure and gain the following benefits:
Site database improvements
The Configuration Manager (current branch) database supports full Unicode.
Database replication between sites
Replication in Configuration Manager (current branch) is based on Microsoft SQL Server. This behavior
improves the performance of site-to-site data transfer.
User-centric management
Users are the focus of management tasks in Configuration Manager (current branch). For example, you can
distribute software to a user even if you don't know the device name for that user. Additionally, Configuration
Manager gives users much more control over what software is installed on their devices and when that software
is installed.
Hierarchy simplification
Configuration Manager (current branch) lets you build a simpler site hierarchy. This improvement is due to the
introduction of the central administration site type and changes to the behavior of primary and secondary sites.
Configuration Manager (current branch) uses less network bandwidth and requires fewer servers than previous
versions.
Role-based administration
This central security model in Configuration Manager (current branch) offers hierarchy-wide security and
management that corresponds to your administrative and business requirements.
NOTE
Because of design changes that were first introduced in System Center 2012 Configuration Manager, you can't upgrade
Configuration Manager 2007 to Configuration Manager (current branch). In-place upgrade is supported from System
Center 2012 Configuration Manager to Configuration Manager (current branch).

Migration from Configuration Manager 2012 or another Configuration Manager hierarchy


The process of migrating data from a System Center 2012 Configuration Manager or Configuration Manager
hierarchy is the same. This process includes migrating data from multiple source hierarchies into a single
destination hierarchy. You might use this process when your company gets additional resources that are already
managed by Configuration Manager. Additionally, you can migrate data from a test environment to your
Configuration Manager production environment. This process lets you maintain your investment in the
Configuration Manager test environment.

See also
Planning for migration to Configuration Manager
Configuring source hierarchies and source sites for migration
Operations for migration
Security and privacy for migration
Start using Configuration Manager
Plan for migration to Configuration Manager
current branch
2/16/2022 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


Before you migrate data to a Configuration Manager current branch destination hierarchy, make sure that you
are familiar with sites and hierarchies in Configuration Manager. For more about sites and hierarchies, see
Fundamentals of Configuration Manager.
Install a Configuration Manager current branch hierarchy to be the destination hierarchy before you migrate
data from a supported source hierarchy.
After you install the destination hierarchy, set up the management features and functions that you want to use in
your destination hierarchy before you start to migrate data.
Additionally, you might have to plan for overlap between the source hierarchy and your destination hierarchy.
For example, you might set up the source hierarchy to use the same network locations or boundaries as your
destination hierarchy, and you then install new clients to your destination hierarchy and use automatic site
assignment. In this scenario, because a newly installed Configuration Manager client can select a site to join
from either hierarchy, the client might incorrectly assign to your source hierarchy. Therefore, plan to assign each
new client in the destination hierarchy to a specific site in that hierarchy instead of using automatic site
assignment.
For more about site assignments, see Client site assignment considerations in Interoperability between different
versions of Configuration Manager.
Use the following articles to help you plan how to migrate a supported source hierarchy to a Configuration
Manager destination hierarchy:
Prerequisites for migration
Administrator checklists for migration planning
Determine whether to migrate data to Configuration Manager current branch
Plan a source hierarchy strategy
Plan a client migration strategy
Plan a content deployment migration strategy
Plan for the migration of Configuration Manager objects to Configuration Manager current branch
Plan to monitor migration activity
Plan to complete migration
Prerequisites for migration in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


To migrate from a supported source hierarchy, you must have access to each applicable Configuration Manager
source site, and permissions within the Configuration Manager destination site to configure and run migration
operations.
Use the information in the following sections to help you understand the versions of Configuration Manager
that are supported for migration, and the required configurations.
Versions of Configuration Manager that are supported for migration
Source site languages that are supported for migration
Required configurations for migration

Versions of Configuration Manager that are supported for migration


You can migrate data from a source hierarchy that runs any of the following versions of Configuration Manager:
Configuration Manager 2007 SP2. (For the purpose of migration, whether the source site also has the
Configuration Manager 2007 R2 or R3 add-on installed is not a consideration. As long as the source site runs SP2,
sites with either the R2 or R3 add-on installed are supported for migration to Configuration Manager current branch.)
System Center 2012 Configuration Manager SP2 or System Center 2012 R2 Configuration Manager SP1.

TIP
In addition to migration, you can use an in-place upgrade of sites that run System Center 2012 Configuration
Manager to Configuration Manager current branch.

A Configuration Manager hierarchy of the same or lesser version of Configuration Manager.


For example, if you have a destination hierarchy that runs Configuration Manager current branch 1606,
you could use migration to copy data from a source hierarchy that runs version 1606 or 1602. However
you could not migrate data from a source hierarchy that runs 1610.

Source site languages that are supported for migration


When you migrate data between Configuration Manager hierarchies, the data is stored in the destination
hierarchy in the language neutral format for Configuration Manager. Because Configuration Manager 2007 does
not store data in a language neutral format, the migration process must convert objects to this format during
migration from Configuration Manager 2007. Therefore, only Configuration Manager 2007 source sites that are
installed with the following languages are supported for migration:
English
French
German
Japanese
Korean
Russian
Simplified Chinese
Traditional Chinese
When you migrate data from a System Center 2012 Configuration Manager or Configuration Manager current
branch hierarchy, there are no source site language limitations. Objects in the source site database are already in
a language neutral format.

Required configurations for migration


The following are required configurations for using migration and migration operations:
To configure, run, and monitor migration in the Configuration Manager console:
In the destination site, your account must be assigned the role-based administration security role of
Infrastructure Administrator. This security role grants permissions to manage all migration
operations, which includes the creation of migration jobs, clean up, monitoring, and the action to share
and upgrade distribution points.
Data Gathering:
To enable the destination site to gather data, you must configure the following two source site access
accounts for use with each source site:
Source Site Account: This account is used to access the SMS Provider of the source site.
For a Configuration Manager 2007 SP2 source site, this account requires Read permission
to all source site objects.
For a System Center 2012 Configuration Manager or Configuration Manager current
branch source site, this account requires Read permission to all source site objects. You
grant this permission to the account by using role-based administration. For information
about how to use role-based administration, see Fundamentals of role-based
administration for Configuration Manager.
Source Site Database Account: This account is used to access the SQL Server database of the
source site and requires Connect, Execute, and Select permissions to the source site database.
You can configure these accounts when you configure a new source hierarchy, data gathering for an
additional source site, or when you reconfigure the credentials for a source site. These accounts can use a
domain user account, or you can specify the computer account of the top-level site of the destination
hierarchy.

IMPORTANT
If you use the Configuration Manager computer account for either access account, ensure that this account is a
member of the security group Distributed COM Users in the domain where the source site resides.

When gathering data, the following network protocols and ports are used:
NetBIOS/SMB - 445 (TCP)
RPC (WMI) - 135 (TCP & UDP)
Dynamic RPC. Dynamic ports use a range of port numbers that are defined by the OS version.
These ports are also known as ephemeral ports. For more information about the default port
ranges, see Service overview and network port requirements for Windows.
SQL Server - The TCP ports in use by both the source and destination site databases.
Migrate Software Updates:
Before you migrate software updates, you must configure the destination hierarchy with a software
update point. For more information, see Planning to migrate software updates.
Share distribution points:
To successfully share any distribution points from a source site, at least one primary site or the central
administration site in the destination hierarchy must use the same port numbers for client requests as
the source site. For information about client request ports, see How to configure client communication
ports.
For each source site, only the distribution points that are installed on site system servers that are
configured with a FQDN are shared.
In addition, to share a distribution point from a System Center 2012 Configuration Manager or
Configuration Manager current branch source site, the Source Site Account (which accesses the SMS
Provider for the source site server), must have Modify permissions to the Site object on the source site.
You grant this permission to the account by using role-based administration. For information about how
to use role-based administration, see Fundamentals of role-based administration for Configuration
Manager.
Upgrade or reassign distribution points:
The Source Site Access Account configured to gather data from the SMS Provider of the source site
must have the following permissions:
To upgrade a Configuration Manager 2007 distribution point, the account requires Read, Execute,
and Delete permissions to the Site class on the Configuration Manager 2007 site server to
successfully remove the distribution point from the Configuration Manager 2007 source site.
To reassign a System Center 2012 Configuration Manager or Configuration Manager current
branch distribution point, the account must have Modify permission to the Site object on the
source site. You grant this permission to the account by using role-based administration. For
information about how to use role-based administration, see Fundamentals of role-based
administration for Configuration Manager.
To successfully upgrade or reassign a distribution point to a new hierarchy, the ports that are
configured for client requests at the site that manages the distribution point in the source
hierarchy must match the ports that are configured for client requests at the destination site that
will manage the distribution point. For information about client request ports, see How to
configure client communication ports.
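The following PowerShell script is an added example, not part of the Configuration Manager documentation or product, that checks these data-gathering prerequisites from the top-level site server of the destination hierarchy: it tests the fixed ports (445 and 135) and the site database port, exercises a DCOM-based WMI call to confirm that dynamic RPC reaches the source SMS Provider computer, reads the Distributed COM Users group on the source site server through the ADSI WinNT provider, and confirms that the account running the script holds Connect, Execute, and Select on the source site database. The server names, SQL port, and database name are placeholders.

```powershell
# Added example (not part of the product or its documentation): pre-flight check for
# migration data gathering. Run as the account you intend to use as the Source Site
# Database Account, on the top-level site server of the destination hierarchy.
param(
    [string]$SourceSiteServer = 'SRC-SITE01.corp.example',  # placeholder: source SMS Provider computer (FQDN)
    [string]$SourceSqlServer  = 'SRC-SQL01.corp.example',   # placeholder: source site database server (FQDN)
    [int]   $SourceSqlPort    = 1433,                       # placeholder: TCP port of the source site SQL instance
    [string]$SourceSiteDb     = 'CM_XYZ'                    # placeholder: source site database (CM_<site code>)
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Passed) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed })
}

# 1. Fixed TCP ports from the prerequisites: SMB 445 and the RPC endpoint mapper 135,
#    plus the TCP port of the source site database.
foreach ($c in @(
    @{ Name = 'NetBIOS/SMB'; Target = $SourceSiteServer; Port = 445 },
    @{ Name = 'RPC (WMI)';   Target = $SourceSiteServer; Port = 135 },
    @{ Name = 'SQL Server';  Target = $SourceSqlServer;  Port = $SourceSqlPort }
)) {
    $tcp = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    Add-Result "$($c.Name) $($c.Target):$($c.Port)" $tcp.TcpTestSucceeded
}

# 2. Dynamic RPC: a WMI call over DCOM (not WinRM) needs port 135 plus an ephemeral port,
#    which is the same path the SMS Provider connection uses.
try {
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $SourceSiteServer -SessionOption $opt -ErrorAction Stop
    $null    = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
    Remove-CimSession $session
    Add-Result "Dynamic RPC (DCOM WMI call to $SourceSiteServer)" $true
} catch {
    Add-Result "Dynamic RPC (DCOM WMI call to $SourceSiteServer): $($_.Exception.Message)" $false
}

# 3. If the destination site's computer account is used as an access account, it must be a
#    member of Distributed COM Users on the source site server. The ADSI WinNT provider
#    reads the local group over SMB, so no additional protocol is required.
$computerAccount = "$env:COMPUTERNAME`$"
try {
    $group   = [ADSI]"WinNT://$SourceSiteServer/Distributed COM Users,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    Add-Result "$computerAccount in 'Distributed COM Users' on $SourceSiteServer" ($members -contains $computerAccount)
} catch {
    Add-Result "Distributed COM Users lookup on $SourceSiteServer failed: $($_.Exception.Message)" $false
}

# 4. Source Site Database Account: Connect (a successful open), plus Execute and Select on the
#    site database, evaluated for the account running this script. Encrypt=True requires a
#    server certificate this computer trusts; a failure here is worth investigating, not bypassing.
$connStr = "Server=$SourceSqlServer,$SourceSqlPort;Database=$SourceSiteDb;Integrated Security=True;Encrypt=True"
$conn    = New-Object System.Data.SqlClient.SqlConnection($connStr)
try {
    $conn.Open()
    Add-Result "Connect to $SourceSiteDb on $SourceSqlServer" $true
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'EXECUTE') AS CanExecute, " +
                       "HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS CanSelect"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        Add-Result "Execute permission on $SourceSiteDb" ($reader['CanExecute'] -eq 1)
        Add-Result "Select permission on $SourceSiteDb"  ($reader['CanSelect']  -eq 1)
    }
    $reader.Close()
} catch {
    Add-Result "Connect to $SourceSiteDb on $SourceSqlServer failed: $($_.Exception.Message)" $false
} finally {
    $conn.Dispose()
}

# Any failed row points at the prerequisite to fix before you configure the source site.
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

The SQL check reports the permissions of whichever account runs the script, so run it under the Source Site Database Account (or the destination site server's computer account) rather than your own administrator account.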
Administrator checklists for migration planning in Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Use the following administrator checklists to help you plan your migration strategy to Configuration Manager
current branch.

Administrator checklist for migration planning


Use the following checklist for pre-migration planning steps.
Assess the current environment:
Identify existing business requirements that are met by the source hierarchy and develop plans to
continue to meet those requirements in the destination hierarchy.
Review the functionality and changes that are available with the version of Configuration
Manager that you use, and use this information to help you design your destination
hierarchy:
For more information, see Fundamentals of Configuration Manager and What's new.
Determine the administrative security model to use for role-based administration:
For more information, see Fundamentals of role-based administration for Configuration Manager.
Assess your network and Active Directory topology: Review your existing domain structure and
network topology and consider how this influences your hierarchy design and migration tasks.
Finalize your destination hierarchy design:
Decide upon the placement of a central administration site, primary sites, secondary sites, and content
distribution options.
Map your hierarchy to the computers that you will use for sites and site servers in the
destination hierarchy:
Identify the computers that sites and site system servers will use in the destination hierarchy, and then
ensure that they have sufficient capacity to meet existing and future operational requirements.
Plan your object migration strategy:
Plan to use the available migration jobs to migrate different objects, including site boundaries, collections,
advertisements, and deployments. For more information, see Types of migration jobs in Planning a
migration job strategy.
Configuration Manager migrates only the objects that you select. Any objects that are not migrated and
that are required in the destination hierarchy must be re-created in the destination hierarchy.
Objects that can migrate are displayed when you configure migration jobs.
Plan your client migration strategy:
Plan to migrate clients by using a controlled approach that limits the network bandwidth and server
processing requirements when you migrate clients to the destination hierarchy. For more about planning
a client migration strategy, see Planning a client migration strategy.
Plan for inventory and compliance data:
Configuration Manager does not support migrating hardware inventory, software inventory, or desired
configuration management compliance data for software updates or clients.
Instead, after the client migrates to its new site in the destination hierarchy and receives policy for these
configurations, the client submits this information to its assigned site. This action populates the
destination site database with current inventory and compliance data.
Plan for the completion of migration from the source hierarchy:
Decide when objects and clients will be migrated. After migration completes, you can plan to
decommission the site servers in the source hierarchy.

Administrator checklist for hierarchy migration


Use the following checklist to help you plan a destination hierarchy before you start migration.
Identify the computers to use in the destination hierarchy:
Configuration Manager does not support an in-place upgrade from Configuration Manager 2007
infrastructure. Instead you use migration to move data from Configuration Manager 2007 to
Configuration Manager current branch. This requires you to use a side-by-side deployment and install
Configuration Manager on new computers.
Similarly, when you migrate from another Configuration Manager hierarchy, you must install a new
destination hierarchy that is a side-by-side deployment to your source hierarchy.
Create your destination hierarchy:
To prepare for migration, install and configure a Configuration Manager destination hierarchy that
includes a primary site. For example:
Install a central administration site and then install at least one child primary.
Install a stand-alone primary if you do not plan to use a central administration site.
If you want to migrate information that is related to software updates, configure a software
update point in the destination hierarchy and synchronize software updates:
You must configure and synchronize software updates in the destination hierarchy before you can
migrate software updates information from the source hierarchy.
Install and configure additional site system roles in the destination hierarchy:
Configure additional site system roles and site systems that you require.
Check operational functionality in the destination hierarchy:
Check the following:
If the destination hierarchy includes multiple sites, confirm that database replication is working
between sites. Database replication is not applicable to stand-alone primary sites.
Check that all installed site system roles are operational.
Check that the Configuration Manager clients you install to the destination hierarchy can
communicate successfully with their assigned site.
Administrator checklist for migration
Use the following checklist to migrate data from the source hierarchy to the destination hierarchy.
Enable migration in the destination hierarchy:
Configure a source hierarchy by specifying the top-level site of the source hierarchy. For more about
specifying the source site, see Planning a source hierarchy strategy.
When the source hierarchy runs Configuration Manager 2007 SP2, select and configure
additional sites in the source hierarchy:
For each additional site in the Configuration Manager 2007 SP2 source hierarchy that you want to collect
data from, you must configure credentials for data gathering. When you configure each source site, the
data-gathering process begins immediately and continues throughout the migration period until you
stop data gathering for that site. Data gathering ensures that you can migrate objects from the source
hierarchy that are updated or added after a previous data-gathering process.

NOTE
When the source hierarchy runs System Center 2012 Configuration Manager or later, you do not need to
configure additional source sites.

Configure distribution point sharing:


You can share distribution points between the two hierarchies to make content for objects that you
migrate available to clients in the destination hierarchy. This ensures that the same content remains
available for clients in both hierarchies and that you can maintain this content until you stop gathering
data and finish the migration.
For information about shared distribution points, see Share distribution points between source and
destination hierarchies in Planning a content deployment migration strategy.
Create and run migration jobs to migrate objects associated with the clients in the source
hierarchy:
Create migration jobs to migrate objects between hierarchies. The required configurations for each
migration job can vary depending on what data the job migrates.
For example, when you migrate content, regardless of the migration job you use, you must assign a site
in the destination hierarchy to own management of that content. The assigned site will access the original
source file location for the content and is responsible for distributing that content to distribution points in
the destination hierarchy.
For more information, see Create and edit migration jobs for Configuration Manager in Operations for
migrating to Configuration Manager current branch.
Migrate clients to the destination hierarchy:
The process of migrating clients depends on your migration scenario:
When you migrate clients that have a client version that is not the same as the destination
hierarchy, you must upgrade the client software. Upgrade requires the removal of the current
Configuration Manager client, followed by the installation of the new client version that matches
the destination site.
When you migrate clients that have a client version that matches the version of the destination
hierarchy, the client does not upgrade or reinstall. Instead, the client reassigns to a primary site in
the destination hierarchy.
When you migrate a client to the destination hierarchy, the client is associated with its data that you
previously migrated to that destination hierarchy.
For more information, see Planning a client migration strategy.
Upgrade or reassign shared distribution points:
When you no longer have to support clients in your source hierarchy, you can upgrade shared
distribution points from a Configuration Manager 2007 source site, or reassign shared distribution points
from a System Center 2012 Configuration Manager or Configuration Manager current branch source
site. When you upgrade or reassign a distribution point, the site system role transfers to a primary site in
the destination hierarchy and the distribution point is removed from the source site in the source
hierarchy. When you upgrade or reassign a shared distribution point, the content remains on the
distribution point computer and you do not have to redeploy the content to new distribution points in the
destination hierarchy.
You can also upgrade a distribution point that is co-located on a Configuration Manager 2007 secondary
site server. This removes the secondary site and results in only a distribution point in the destination
hierarchy.
For information about shared distribution points, see Share distribution points between source and
destination hierarchies in Planning a content deployment migration strategy.
Finish migration:
After you have migrated data and clients from all sites in the source hierarchy and you have upgraded
applicable distribution points, you can finish migration. To finish migration you stop gathering data for
each source site in the source hierarchy. You can then remove migration information that you do not
need and decommission your source hierarchy infrastructure. For more information, see Planning to
complete migration.
Determine whether to migrate data to Configuration Manager current branch
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


In Configuration Manager current branch, migration provides a process for transferring data and configurations
that you've created from supported versions of Configuration Manager to your new hierarchy. You can use this
to:
Combine multiple hierarchies into one.
Move data and configurations from a lab deployment into your production deployment.
Move data and configuration from a prior version of Configuration Manager, like Configuration Manager
2007, which has no upgrade path to Configuration Manager current branch, or from System Center 2012
Configuration Manager (which does support an upgrade path to Configuration Manager current branch).
With the exception of the distribution point site system role and the computers that host distribution points, no
infrastructure (which includes sites, site system roles, or computers that host a site system role), migrates,
transfers, or can be shared between hierarchies.
Although you cannot migrate server infrastructure, you can migrate Configuration Manager clients between
hierarchies. Client migration involves migrating the data that clients use from the source hierarchy to the
destination hierarchy, and then installing or reassigning the client software so that the client then reports to the
new hierarchy.
After you install a client to the new hierarchy and the client submits its data, its unique Configuration Manager
ID helps Configuration Manager associate the data that you previously migrated with each client computer.
The functionality that's provided by migration helps you maintain investments that you have made in
configurations and deployments while letting you take full advantage of core changes in the product (changes
that were first introduced in System Center 2012 Configuration Manager and then continued in Configuration
Manager current branch). These changes include a simplified Configuration Manager hierarchy that uses fewer
sites and resources, and the improved processing that comes from using native 64-bit code that runs on 64-bit hardware.
For information about the versions of Configuration Manager that migration supports, see Prerequisites for
migration.

Data that you can migrate to Configuration Manager current branch


Migration can migrate most objects between supported Configuration Manager hierarchies. The migrated
instances of some objects from a supported version of Configuration Manager 2007 must be modified to
conform to the System Center 2012 Configuration Manager schema and object format.
These modifications don't affect the data in the source site database. Objects that are migrated from a supported
version of System Center 2012 Configuration Manager or Configuration Manager current branch don't require
modification.
The following are objects that can migrate based on the version of Configuration Manager in the source
hierarchy. Some objects, like queries, do not migrate. If you want to continue to use these objects that do not
migrate you must recreate them in the new hierarchy. Other objects, including some client data, are
automatically recreated in the new hierarchy when you manage clients in that hierarchy.
Objects that you can migrate from System Center 2012 Configuration Manager or Configuration Manager
current branch
Applications for System Center 2012 Configuration Manager and later versions
App-V Virtual Environment from System Center 2012 Configuration Manager and later versions
Asset Intelligence customizations
Boundaries
Collections: To migrate collections from a supported version of System Center 2012 Configuration
Manager or Configuration Manager current branch, you use an object migration job.
Compliance settings:
Configuration baselines
Configuration items
Deployments
Operating system deployment:
Boot images
Driver packages
Drivers
Images
Packages
Task sequences
Search results: Saved search criteria
Software updates:
Deployments
Deployment packages
Templates
Software update lists
Software distribution packages
Software metering rules
Virtual application packages
Objects that you can migrate from Configuration Manager 2007 SP2
Advertisements
Applications for System Center 2012 Configuration Manager and later versions
App-V Virtual Environment from System Center 2012 Configuration Manager and later versions
Asset Intelligence customizations
Boundaries
Collections: You migrate collections from a supported version of Configuration Manager 2007 by using a
collection migration job.
Compliance settings (referred to as desired configuration management in Configuration Manager 2007):
Configuration baselines
Configuration items
Operating system deployment:
Boot images
Driver packages
Drivers
Images
Packages
Task sequences
Search results: Search folders
Software updates:
Deployments
Deployment packages
Templates
Software update lists
Software distribution packages
Software metering rules
Virtual application packages

Data that you can't migrate to Configuration Manager current branch


You cannot migrate the following types of objects:
AMT client provisioning information
Files on clients, including:
Client inventory and history data
Files in the client cache
Queries
Configuration Manager 2007 security rights and instances for the site and objects
Configuration Manager 2007 reports from SQL Server Reporting Services
Configuration Manager 2007 web reports
System Center 2012 Configuration Manager and Configuration Manager current branch reports
System Center 2012 Configuration Manager and Configuration Manager current branch role-based
administration:
Security roles
Security scopes
Plan a source hierarchy strategy in Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Before you set up a migration job in your Configuration Manager environment, you must configure a source
hierarchy and gather data from at least one source site in that hierarchy. Use the following sections to help you
plan for configuring source hierarchies, configuring source sites, and determining how Configuration Manager
gathers information from the source sites in the source hierarchy.

Source hierarchies
A source hierarchy is a Configuration Manager hierarchy that has data that you want to migrate. When you set
up migration and specify a source hierarchy, you specify the top-level site of the source hierarchy. This site is
also called a source site. Additional sites that you can migrate data from in the source hierarchy are also called
source sites.
When you set up a migration job to migrate data from a Configuration Manager 2007 source hierarchy,
you configure it to migrate data from one or more specific source sites in the source hierarchy.
When you set up a migration job to migrate data from a source hierarchy that runs System Center 2012
Configuration Manager or later, you only need to specify the top-level site.
You can set up only one source hierarchy at a time.
If you set up a new source hierarchy, that hierarchy automatically becomes the current source hierarchy
replacing the previous source hierarchy.
When you set up a source hierarchy, you must specify the top-level site of the source hierarchy and
specify credentials for Configuration Manager to use to connect to the SMS Provider and site database of
that source site.
Configuration Manager uses these credentials to run data gathering to retrieve information about the
objects and distribution points from the source site.
As part of the data gathering process, child sites in the source hierarchy are identified.
If the source hierarchy is a Configuration Manager 2007 hierarchy, you can set up those additional sites
as source sites with separate credentials for each source site.
Although you can set up multiple source hierarchies in succession, migration is active for only one source
hierarchy at a time.
If you set up an additional source hierarchy before you complete migration from the current source
hierarchy, Configuration Manager cancels any active migration jobs and postpones any scheduled
migration jobs for the current source hierarchy.
The newly configured source hierarchy then becomes the current source hierarchy, and the original
source hierarchy is now inactive.
You can then set up connection credentials, additional source sites, and migration jobs for the new source
hierarchy.
If you restore an inactive source hierarchy and have not previously used Cleanup Migration Data, you can
view the previously configured migration jobs for that source hierarchy. However, before you can continue
migration from that hierarchy, you must reconfigure the credentials to connect to applicable source sites in the
hierarchy, and then reschedule any migration jobs that did not finish.
Caution

If you migrate data from more than a single source hierarchy, each additional source hierarchy must contain a
unique set of site codes.
The source and destination hierarchies also require different sets of site codes.
For more about configuring a source hierarchy, see Configuring source hierarchies and source sites for
migration to Configuration Manager current branch.

Source sites
Source sites are the sites in the source hierarchy that have the data that you want to migrate. The top-level site
of the source hierarchy is always the first source site. When migration collects data from the first source site of a
new source hierarchy, it discovers information about additional sites in that hierarchy.
After data gathering completes for the initial source site, the actions you take next depend on the product
version of the source hierarchy.
Source sites that run Configuration Manager 2007 SP2
After data is gathered from the initial source site of the Configuration Manager 2007 SP2 hierarchy, you do not
have to set up additional source sites before you create migration jobs. However, before you can migrate data
from additional sites, you must set up additional sites as source sites, and Configuration Manager must
successfully gather data from those sites.
To gather data from additional sites, you individually set up each site as a source site. This requires you to
specify the credentials for Configuration Manager to connect to the SMS Provider and site database of each
source site. After you set up the credentials for a source site, the data gathering process for that site begins.
When you set up additional source sites in a Configuration Manager 2007 SP2 source hierarchy, you must set
up source sites from the top down, which means you set up the bottom-tier sites last. You can configure source
sites in a branch of the hierarchy at any time, but you must set up a site as a source site before you set up any of
its child sites as source sites.

NOTE
Only primary sites in a Configuration Manager 2007 SP2 hierarchy are supported for migration.

Source sites that run System Center 2012 Configuration Manager or later
After data is gathered from the initial source site of the System Center 2012 Configuration Manager or later
hierarchy, you do not have to set up additional source sites in that source hierarchy. This is because unlike
Configuration Manager 2007, these versions of Configuration Manager use a shared database, and the shared
database lets you identify and then migrate all available objects from the initial source site.
When you set up the access accounts to gather data, you might need to grant the Source Site SMS Provider
Account access to multiple computers in the source hierarchy. This might be needed when the source site
supports multiple instances of the SMS Provider, each on a different computer. When data gathering begins, the
top-level site of the destination hierarchy contacts the top-level site in the source hierarchy to identify the
locations of the SMS Provider for that site. Only the first instance of the SMS provider is identified. If the data
gathering process cannot access the SMS Provider at the location it identifies, the process fails and does not try
to connect to additional computers that run an instance of SMS Provider for that site.
Data gathering
Immediately after you specify a source hierarchy, set up credentials for each additional source site in a source
hierarchy, or share the distribution points for a source site, Configuration Manager starts to gather data from
the source site.
The data gathering process then repeats itself on a simple schedule to maintain synchronization with any
changes to data in the source site. By default, the process repeats every four hours. You can change the schedule
for this cycle by editing the Properties of the source site. The initial data gathering process must review all
objects in the Configuration Manager database and can take a long time to finish. Subsequent data gathering
processes identify only changes to the data and require less time to finish.
To gather data, the top-level site in the destination hierarchy connects to the SMS Provider and the site database
of the source site to retrieve a list of objects and distribution points. These connections use the source site access
accounts. For information about required configurations for gathering data, see Prerequisites for migration.
You can start and stop the data gathering process by using Gather Data Now and Stop Gathering Data in
the Configuration Manager console.
After you use Stop Gathering Data for a source site for any reason, you must reconfigure credentials for the
site before you can gather data from that site again. Until you reconfigure the source site, Configuration
Manager cannot identify new objects or changes to previously migrated objects at that site.

NOTE
Before you expand a standalone primary site into a hierarchy with a central administration site, you must stop all data
gathering. You can reconfigure data gathering after the site expansion completes.

Gather Data Now


After the initial data gathering process runs for a site, this process repeats itself to identify objects that have
updated since the last data gathering cycle. You can also use the Gather Data Now action in the Configuration
Manager console to immediately start the process and to reset the start time of the next cycle.
After a data gathering process successfully finishes for a source site, you can share the distribution points from
the source site and configure migration jobs to migrate data from the site. Data gathering is a repeating process
for migration, and it continues until you change the source hierarchy or use Stop Gathering Data to end the
data gathering process for that site.
Stop Gathering Data
You can use Stop Gathering Data to end the data gathering process for a source site when you no longer want
Configuration Manager to identify new or changed objects from that site. This action also prevents
Configuration Manager from offering clients in the destination hierarchy any shared distribution points from the
source as content locations for the content that you have migrated.
To stop gathering data from each source site, you must run Stop Gathering Data on the bottom-tier source
sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last
site on which you stop gathering data. You must stop data gathering at each child site before performing this
action at a parent site. Typically, you only stop gathering data when you are ready to complete the migration
process.
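The two ordering rules above (set up source sites top down; run Stop Gathering Data bottom up, top-level site last) as an added example that is not Microsoft's code: it derives both orders from a constructed site tree and checks a proposed order against either rule. Site codes are placeholders.

```python
"""Order source-site operations for a Configuration Manager 2007 SP2 hierarchy.

Constructed example: the hierarchy below is a made-up tree keyed as
child site -> parent site (None marks the top-level site).
"""
from collections import defaultdict

SOURCE_HIERARCHY = {
    "CEN": None,   # top-level site of the source hierarchy
    "PR1": "CEN",
    "PR2": "CEN",
    "PR3": "PR1",  # bottom-tier site under PR1
}


def children_of(hierarchy):
    """Map each site to its sorted list of child sites."""
    kids = defaultdict(list)
    for site, parent in hierarchy.items():
        if parent is not None:
            kids[parent].append(site)
    for siblings in kids.values():
        siblings.sort()
    return kids


def top_level_site(hierarchy):
    roots = [site for site, parent in hierarchy.items() if parent is None]
    if len(roots) != 1:
        raise ValueError("a source hierarchy has exactly one top-level site")
    return roots[0]


def setup_order(hierarchy):
    """Order in which to configure source sites: every site before its children."""
    kids = children_of(hierarchy)
    order, stack = [], [top_level_site(hierarchy)]
    while stack:
        site = stack.pop()
        order.append(site)
        stack.extend(reversed(kids[site]))  # keep sorted sibling order
    return order


def stop_gathering_order(hierarchy):
    """Order in which to run Stop Gathering Data: children before parents."""
    kids = children_of(hierarchy)
    order = []

    def visit(site):
        for child in kids[site]:
            visit(child)
        order.append(site)  # post-order: a parent follows all its children

    visit(top_level_site(hierarchy))
    return order


def check_order(hierarchy, proposed, rule):
    """Return None if `proposed` satisfies the rule, otherwise the offending site.

    rule="setup": a parent must be configured before each child; the child that
    came too early is returned.  rule="stop": every child must stop before its
    parent; the parent that was stopped too early is returned.
    """
    if sorted(proposed) != sorted(hierarchy):
        return "incomplete"
    pos = {site: i for i, site in enumerate(proposed)}
    for site, parent in hierarchy.items():
        if parent is None:
            continue
        if rule == "setup" and pos[parent] > pos[site]:
            return site
        if rule == "stop" and pos[site] > pos[parent]:
            return parent
    return None


if __name__ == "__main__":
    print("set up source sites in this order:", setup_order(SOURCE_HIERARCHY))
    print("stop gathering data in this order:", stop_gathering_order(SOURCE_HIERARCHY))
```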
After you stop gathering data for a source site, information previously gathered about objects and collections
from that site remains available to use when you set up new migration jobs. However, you do not see any new
objects or collections, nor do you see changes that were made to existing objects. If you reconfigure the source
site and begin gathering data again, you will see information and status about previously migrated objects.
Plan a migration job strategy in Configuration
Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Use migration jobs to configure the specific data that you want to migrate to your Configuration Manager
current branch environment. Migration jobs identify the objects that you plan to migrate, and they run at the
top-level site in your destination hierarchy. You can set up one or more migration jobs per source site. This lets
you migrate all objects at one time or limited subsets of data with each job.
You can create migration jobs after Configuration Manager has successfully gathered data from one or more
sites from the source hierarchy. You can migrate data in any sequence from the source sites that have gathered
data. With a Configuration Manager 2007 source site, you can migrate data only from the site where an object
was created. With source sites that run System Center 2012 Configuration Manager or later, all data that you can
migrate is available at the top-level site of the source hierarchy.
Before you migrate clients between hierarchies, ensure that the objects that clients use have migrated and that
these objects are available in the destination hierarchy. For example, when you migrate from a Configuration
Manager 2007 SP2 source hierarchy, you might have an advertisement for content that is deployed to a custom
collection that has a client. In this scenario, we recommend that you migrate the collection, the advertisement,
and the associated content before you migrate the client. This data cannot be associated with the client in the
destination hierarchy if the content, collection, and advertisement are not migrated before the client migrates. If
a client is not associated with the data related to a previously run advertisement and content, the client can be
offered the content for installation in the destination hierarchy, which might be unnecessary. When the client
migrates after the data has migrated, the client is associated with this content and advertisement, and unless the
advertisement is recurring, is not offered this content for the migrated advertisement again.
Some objects require more than the migration of data from the source hierarchy to the destination hierarchy.
For example, to successfully migrate software updates for your clients to your destination hierarchy, you must
deploy an active software update point, configure the catalog of products, and synchronize the software update
point with Windows Server Update Services (WSUS) in the destination hierarchy.

Types of migration jobs


Configuration Manager supports the following types of migration jobs. Each job type is designed to help define
the objects that you can include in that job.
Collection migration (only supported when migrating from Configuration Manager 2007 SP2): Migrate
objects that are related to collections you select. By default, collection migration includes all objects that are
associated with members of the collection. You can exclude specific object instances when you use a collection
migration job.
Object migration: Migrate individual objects that you select. You select only the specific data that you want to
migrate.
Previously migrated object migration: Migrate objects that you previously migrated when they have
updated in the source hierarchy after they were last migrated.
Objects that you can migrate
Not every object can be migrated by every type of migration job. The following list identifies the types of objects
that you can migrate with each type of migration job.

NOTE
Collection migration jobs are available only when you migrate objects from a Configuration Manager 2007 SP2 source
hierarchy.

Job types you can use to migrate each object

Advertisements (available to migrate from supported Configuration Manager 2007 source sites): Collection migration
Asset Intelligence catalog: Object migration; Previously migrated object migration
Asset Intelligence hardware requirements: Object migration; Previously migrated object migration
Asset Intelligence software list: Object migration; Previously migrated object migration
Boundaries: Object migration; Previously migrated object migration
Configuration baselines: Collection migration; Object migration; Previously migrated object migration
Configuration items: Collection migration; Object migration; Previously migrated object migration
Maintenance windows: Collection migration
Operating system deployment boot images: Collection migration; Object migration; Previously migrated object migration
Operating system deployment driver packages: Collection migration; Object migration; Previously migrated object migration
Operating system deployment drivers: Collection migration; Object migration; Previously migrated object migration
Operating system deployment images: Collection migration; Object migration; Previously migrated object migration
Operating system deployment packages: Collection migration; Object migration; Previously migrated object migration
Software distribution packages: Collection migration; Object migration; Previously migrated object migration
Software metering rules: Object migration; Previously migrated object migration
Software update deployment packages: Collection migration; Object migration; Previously migrated object migration
Software update deployment templates: Collection migration; Object migration; Previously migrated object migration
Software update deployments: Collection migration
Software update lists: Object migration; Previously migrated object migration
Task sequences: Collection migration; Object migration; Previously migrated object migration
Virtual application packages: Collection migration; Object migration

IMPORTANT
Although you can migrate a virtual application package by using object migration, the packages cannot be
migrated by using the migration job type of Previously Migrated Object Migration. Instead, you must delete
the migrated virtual application package from the destination site and then create a new migration job to migrate
the virtual application.

General planning for all migration jobs


Use the Create Migration Job wizard to create a migration job to migrate objects to your destination hierarchy.
The type of the migration job that you create determines which objects are available to migrate. You can create
and use multiple migration jobs to migrate data from the same source site or from multiple source sites. The
use of one type of migration job does not block the use of a different type of migration job.
After a migration job runs successfully, its status is listed as Completed and it cannot be run again. However,
you can create a new migration job to migrate any of the objects that were migrated by the original job, and the
new migration job can include additional objects as well. When you create additional migration jobs, the objects
that have been previously migrated show the state of Migrated. You can select these objects to migrate them
again, but unless the object has been updated in the source hierarchy, migrating these objects again is not
necessary. If the object has been updated in the source hierarchy after it was originally migrated, you can
identify that object when you use the migration job type of Objects modified after migration.
You can delete a migration job before it runs. However, after a migration job finishes, it remains visible in the
Configuration Manager console and cannot be deleted. Each migration job that has finished or has not yet run
remains visible in the Configuration Manager console until you finish the migration process and clean up
migration data.

NOTE
After you have finished migration by using the Clean Up Migration Data action, you can reconfigure the same
hierarchy as the current source hierarchy to restore visibility to the objects you previously migrated.

You can view the objects contained in any migration job in the Configuration Manager console by selecting the
migration job and then choosing the Objects in Job tab.
Use the information in the following sections to help you plan for all migration jobs.
Data selection
When you create a collection migration job, you must select one or more collections. After you select the
collections, the Create Migration Job wizard shows the objects that are associated with the collections. By
default, all objects associated with the selected collections are migrated, but you can uncheck the objects that
you do not want to migrate with that job. When you uncheck an object that has dependent objects, those
dependent objects are also unchecked. All unchecked objects are added to an exclusion list. Objects on an
exclusion list are removed from automatic selection for future migration jobs. You must manually edit the
exclusion list to remove objects that you want to have automatically selected for migration in migration jobs you
create in the future.
Site ownership for migrated content
When you migrate content for deployments, you must assign the content object to a site in the destination
hierarchy. This site then becomes the owner for that content in the destination hierarchy. Although the top-level
site of your destination hierarchy is the site that actually migrates the metadata for content, it is the assigned site
that accesses the original source files for the content across the network.
To minimize the network bandwidth that is used during migration, consider transferring ownership of content to
the closest available site. Because information about the content is shared globally in Configuration Manager, it
will be available at every site.
Information about content is shared to all sites in the destination hierarchy by using database replication.
However, any content that you assign to a primary site and then deploy to distribution points at other primary
sites transfers by using file-based replication. This transfer is routed through the central administration site and
then to each additional primary site. By centralizing packages that you plan to distribute to multiple primary
sites before or during migration when you assign a site as the content owner, you can reduce data transfers
across low-bandwidth networks.
Role-based administration security scopes for migrated data
When you migrate data to a destination hierarchy, you must assign one or more role-based administration
security scopes to the objects whose data is migrated. This ensures that only the appropriate administrative
users have access to this data after it is migrated. The security scopes that you specify are defined by the
migration job and are applied to each object that is migrated by that job. If you require different security scopes
to be applied to different sets of objects and you want to assign those scopes during migration, you must
migrate the different sets of objects by using different migration jobs.
Before you set up a migration job, review how role-based administration works in Configuration Manager. If
necessary, set up one or more security scopes for the data that you migrate to control who will have access to
the migrated objects in the destination hierarchy.
For more about security scopes and role-based administration, see Fundamentals of role-based administration
for Configuration Manager.
Review migration actions
When you set up a migration job, the Create Migration Job wizard shows a list of actions that you must take to
ensure a successful migration and a list of actions that Configuration Manager takes during the migration of the
selected data. Review this information carefully to check the expected outcome.
Schedule migration jobs
By default, a migration job runs immediately after it is created. However, you can specify when the migration job
runs when you create the job or by editing the properties of the job. You can schedule the migration job to run
as follows:
Run the job now
Run the job at a specific start time
Not run the job
Specify conflict resolution for migrated data
By default, migration jobs do not overwrite data in the destination database unless you configure the migration
job to skip or overwrite data that has previously been migrated to the destination database.

Plan for collection migration jobs


Collection migration jobs are available only when you migrate data from a source hierarchy that runs a
supported version of Configuration Manager 2007. You must specify one or more collections to migrate when
you migrate by collection. For each collection that you specify, the migration job automatically selects all related
objects for migration. For example, if you select a specific collection of users, the collection members are then
identified, and you can migrate the deployments associated with that collection. Optionally, you can select other
deployment objects to migrate that are associated with those members. All these selected items are added to
the list of objects that can be migrated.
When you migrate a collection, Configuration Manager also migrates collection settings, including maintenance
windows and collection variables, but it cannot migrate collection settings for AMT client provisioning.
Use the information in the following sections to learn about additional configurations that can apply to
collection-based migration jobs.
Exclude objects from collection migration jobs
You can exclude specific objects from a collection migration job. When you exclude a specific object from a
collection migration job, that object is added to a global exclusion list that has all the objects that you have
excluded from migration jobs created for any source site in the current source hierarchy. Objects on the
exclusion list are still available for migration in future jobs but are not automatically included when you create a
new collection-based migration job.
You can edit the exclusion list to remove objects that you have previously excluded. After you remove an object
from the exclusion list, it is then automatically selected when an associated collection is specified during the
creation of a new migration job.
Unsupported collections
Configuration Manager can migrate any of the default user collections, device collections, and most custom
collections from a Configuration Manager 2007 source hierarchy. However, Configuration Manager cannot
migrate collections that contain users and devices in the same collection.
The following collections cannot be migrated:
A collection that has users and devices.
A collection that has a reference to a collection of a different resource type. For example, a device-based
collection that has either a subcollection or a link to a user-based collection. In this example, only the top-
level collection migrates.
A collection that has a rule to include unknown computers. The collection migrates, but the rule to include
unknown computers does not migrate.
Empty collections
An empty collection is a collection that has no resources associated with it. When Configuration Manager
migrates an empty collection, it converts the collection to an organizational folder that has no users or devices.
This folder is created with the name of the empty collection under the User Collections or Device
Collections node in the Assets and Compliance workspace in the Configuration Manager console.
Linked collections and subcollections
When you migrate collections that are linked to other collections or that have subcollections, Configuration
Manager creates a folder under the User Collections or Device Collections node in addition to the linked
collections and subcollections.
Collection dependencies and include objects
When you specify a collection to migrate in the Create Migration Job wizard, any dependent collections are
automatically selected to be included with the job. This behavior ensures that all necessary resources are
available after migration.
For example: You select a collection for devices that run Windows 10 that is named Win_10. This collection is
limited to a collection that has all your client operating systems and is named All_Clients. The collection
All_Clients will be automatically selected for migration.
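The selection rules from Data selection, Exclude objects from collection migration jobs, Unsupported collections and Collection dependencies above, as an added example that is not Microsoft's code: a constructed catalog of source-site objects, automatic selection for a collection migration job (dependent collections such as All_Clients and the deployments that target the chosen collection), unchecking with dependents and the global exclusion list. Object names and the `depends_on` shape are assumptions for the illustration.

```python
"""Model how a collection migration job selects objects (constructed example).

CATALOG is made up.  Each entry lists the objects it depends on: a limited
collection depends on its limiting collection, an advertisement on its target
collection and its package.
"""
CATALOG = {
    "All_Clients":      {"kind": "collection", "resource": "device", "depends_on": []},
    "Win_10":           {"kind": "collection", "resource": "device", "depends_on": ["All_Clients"]},
    "Mixed_Users_Devs": {"kind": "collection", "resource": "mixed",  "depends_on": []},
    "PKG_Office":       {"kind": "package", "depends_on": []},
    "PKG_Drivers":      {"kind": "driver package", "depends_on": []},
    "ADV_Office_Win10": {"kind": "advertisement", "depends_on": ["Win_10", "PKG_Office"]},
    "ADV_Drivers_Win10": {"kind": "advertisement", "depends_on": ["Win_10", "PKG_Drivers"]},
}


def dependents_of(name, catalog):
    """Objects that list `name` as a dependency (advertisements targeting a collection, ...)."""
    return [obj for obj, meta in catalog.items() if name in meta["depends_on"]]


def check_collection_supported(name, catalog):
    """A collection that has users and devices cannot be migrated."""
    meta = catalog[name]
    if meta["kind"] != "collection":
        raise ValueError(f"{name} is not a collection")
    if meta["resource"] == "mixed":
        raise ValueError(f"{name} contains both users and devices and cannot be migrated")


def auto_select(collections, catalog, exclusion):
    """Objects the wizard checks by default for the chosen collections.

    Pulls in each selected object's dependencies (collection limiting) and, for
    collections, everything deployed to them.  Objects on the exclusion list
    are skipped, so nothing reachable only through them is selected either.
    """
    selected, frontier = set(), list(collections)
    for name in collections:
        check_collection_supported(name, catalog)
    while frontier:
        name = frontier.pop()
        if name in selected or name in exclusion:
            continue
        selected.add(name)
        frontier.extend(catalog[name]["depends_on"])
        if catalog[name]["kind"] == "collection":
            frontier.extend(dependents_of(name, catalog))
    return selected


def uncheck(selected, name, catalog, exclusion):
    """Uncheck `name` and, transitively, every selected object that depends on it.

    All unchecked objects go onto the global exclusion list, which the caller
    keeps across jobs.  Returns the set of objects removed from the job.
    """
    removed, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        if current not in selected or current in removed:
            continue
        removed.add(current)
        frontier.extend(dependents_of(current, catalog))
    selected.difference_update(removed)
    exclusion.update(removed)
    return removed


if __name__ == "__main__":
    exclusion = set()
    job1 = auto_select(["Win_10"], CATALOG, exclusion)
    print("job 1 default selection:", sorted(job1))
    print("unchecked:", sorted(uncheck(job1, "PKG_Office", CATALOG, exclusion)))
    print("job 2 default selection:", sorted(auto_select(["Win_10"], CATALOG, exclusion)))
```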
Collection limiting
With Configuration Manager current branch, collections are global data and are evaluated at each site in the
hierarchy. Therefore, plan how to limit the scope of a collection after it is migrated. During migration, you can
identify a collection from the destination hierarchy to use to limit the scope of the collection that you are
migrating so that the migrated collection does not include unanticipated members.
For example, in Configuration Manager 2007, collections are evaluated at the site that creates them and at child
sites. An advertisement might be deployed to only a child site, and this would limit the scope for that
advertisement to that child site. In comparison, with Configuration Manager current branch, collections are
evaluated at each site and associated advertisements are then evaluated for each site. Collection limiting lets
you refine the collection members based on another collection to avoid the addition of unexpected collection
members.
Site code replacement
When you migrate a collection that has criteria that identifies a Configuration Manager 2007 site, you must
specify a specific site in the destination hierarchy. This ensures that the migrated collection remains functional in
your destination hierarchy and does not increase in scope.
Specify behavior for migrated advertisements
By default, collection-based migration jobs disable advertisements that migrate to the destination hierarchy. This
includes any programs that are associated with the advertisement. When you create a collection-based
migration job that has advertisements, you see the Enable programs for deployment in Configuration
Manager after an advertisement is migrated option on the Settings page of the Create Migration Job
wizard. If you select this option, programs that are associated with the advertisements are enabled after they
have migrated. As a best practice, do not select this option. Instead, enable the programs after they have
migrated when you can verify the clients that will receive them.

NOTE
You see the Enable programs for deployment in Configuration Manager after an advertisement is migrated
option only when you are creating a collection-based migration job and the migration job contains advertisements.

To enable a program after migration, clear Disable this program on computers where it is advertised on
the Advanced tab of the program properties.

Plan for object migration jobs


Unlike collection migration, you must select each object and object instance that you want to migrate. You can
select the individual objects (like advertisements from a Configuration Manager 2007 hierarchy or a publication
from a System Center 2012 Configuration Manager or Configuration Manager current branch hierarchy) to add
to the list of objects to migrate for a specific migration job. Any objects that you do not add to the migration list
are not migrated to the destination site by the object migration job.
Object-based migration jobs do not have any additional configurations to plan for beyond those applicable to all
migration jobs.

Plan for previously migrated object migration jobs


When an object that you have already migrated to the destination hierarchy is updated in the source hierarchy,
you can migrate that object again by using the Objects modified after migration job type. For example,
when you rename or update the source files for a package in the source hierarchy, the package version
increments in the source hierarchy. After the package version increments, the package can be identified for
migration by this job type.
This job type is similar to the object migration type except that when you select objects to migrate, you can only
select from objects that have been updated after they were migrated by a previous migration job.
When you select this job type, the conflict resolution behavior on the Settings page of the Create Migration Job
wizard is configured to overwrite previously migrated objects. This setting cannot be changed.

NOTE
This migration job can identify objects that are automatically updated by the source hierarchy and objects that an
administrative user updates.
Plan a client migration strategy in Configuration
Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


To migrate clients from the source hierarchy to a Configuration Manager current branch destination hierarchy,
you must do two tasks. You must migrate the objects that are associated with the client and you must then
reinstall or reassign the clients from the source hierarchy to the destination hierarchy. You migrate the objects
first so that they are available when the clients are migrated. The objects associated with the client are migrated
by using migration jobs. For information about how to migrate the objects that are associated with the client,
see Planning a migration job strategy.
Use the following sections to help you plan to migrate clients to the destination hierarchy.
Plan to migrate clients to the destination hierarchy
Plan to handle data maintained on clients during migration
Plan for inventory and compliance data during migration

Plan to migrate clients to the destination hierarchy


When you migrate clients from a source hierarchy, the client software on the client computer upgrades to match
the product version of the destination hierarchy.
A Configuration Manager 2007 source hierarchy: When you migrate clients from a source
hierarchy that runs a supported version of Configuration Manager, the client software upgrades to the
client version for the destination hierarchy.
A System Center 2012 Configuration Manager or later source hierarchy: When you migrate
clients between hierarchies that are of the same product version, the client software does not change or
upgrade. Instead, the client reassigns from the source hierarchy to a site in the destination hierarchy.

NOTE
When the product version of a hierarchy is not supported for migration to your destination hierarchy, upgrade all
sites and clients in the source hierarchy to a compatible product version. After the source hierarchy upgrades to a
supported product version, you can migrate between the hierarchies. For more information, see Versions of
Configuration Manager that are supported for migration in Prerequisites for migration.

Use the following information to help you plan the client migration:
To upgrade or reassign clients from a source site to a destination site, you can use any client deployment
method that is supported for deploying clients in the destination hierarchy. Typical client deployment
methods include client push installation, software distribution, Group Policy, and software update-based
client installation. For more information, see Client installation methods.
Ensure that the device that runs the client software in the source hierarchy meets the minimum hardware
requirements and runs an operating system that is supported by the version of Configuration Manager in
the destination hierarchy.
Before you migrate a client, run a migration job to migrate the information that the client will use in the
destination hierarchy.
Clients that upgrade retain their run history for deployments. This prevents deployments from rerunning
unnecessarily in the destination hierarchy.
For Configuration Manager 2007 clients, advertisement run history is retained.
For clients from System Center 2012 Configuration Manager or Configuration Manager current
branch, deployment run history is retained.
You can migrate clients from sites in the source hierarchy in any order that you choose. However,
consider migrating limited numbers of clients in phases rather than migrating large numbers of clients at
a single time. A phased migration reduces the network bandwidth requirements and server processing
when each newly upgraded client submits its initial full inventory and compliance data to its assigned
site.
When you migrate Configuration Manager 2007 clients, the existing client software is uninstalled from
the client computer and the new client software is installed.
Configuration Manager cannot migrate a Configuration Manager 2007 client that has the App-V client
installed unless the App-V client version is 4.6 SP1 or later.
You can monitor the client migration process in the Migration node of the Administration workspace in the
Configuration Manager console.
After you migrate the client to the destination hierarchy, you can no longer manage that device by using your
source hierarchy, and you should consider removing the client from the source hierarchy. Although this is not a
requirement when you migrate hierarchies, it can help prevent identification of a migrated client in a source
hierarchy report, or an incorrect count of resources between the two hierarchies during the migration. For
example, when a migrated client remains in the source site database, you might run a software updates report
that incorrectly identifies the computer as an unmanaged resource when it is now managed by the destination
hierarchy.

Plan to handle data maintained on clients during migration


When you migrate a client from its source hierarchy to the destination hierarchy, some information is retained
on the device, while other information is not available on the device after migration.
The following information is retained on the client device:
The unique identifier (GUID), which associates a client with its information in the Configuration Manager
database.
The advertisement or deployment history, which prevents clients from unnecessarily rerunning
advertisements or deployments in the destination hierarchy.
The following information is not retained on the client device:
The files in the client cache. If the client requires these files to install software, the client downloads them
again from the destination hierarchy.
Information from the source hierarchy about any advertisements or deployments that have not yet run. If
you want the client to run the advertisements or deployments after it migrates, you must redeploy them
to the client in the destination hierarchy.
Information about inventory. The client resends this information to its assigned site in the destination
hierarchy after the client migrates and the new client data has been generated.
Compliance data. The client resends this information to its assigned site in the destination hierarchy after
the client migrates and the new client data has been generated.
When a client migrates, information that is stored in the Configuration Manager client registry and file path is
not retained. After migration, reapply these settings. Typical settings include the following:
Power schemes
Logging settings
Local policy settings
Additionally, you might have to reinstall some applications.

Plan for inventory and compliance data during migration


Client inventory and compliance data is not saved when you migrate a client to the destination hierarchy.
Instead, this information is recreated in the destination hierarchy when a client first sends its information to its
assigned site. To help reduce the resulting network bandwidth requirements and server processing, consider
migrating a small number of clients in phases rather than migrating a large number of clients at a single time.
Additionally, you cannot migrate customizations for hardware inventory from a source hierarchy. You must
introduce these to the destination hierarchy independently from migration. For information about how to
extend hardware inventory, see How to configure hardware inventory.
Plan a content deployment migration strategy in
Configuration Manager
2/16/2022 • 21 minutes to read

Applies to: Configuration Manager (current branch)


While you actively migrate data to a Configuration Manager current branch destination hierarchy, Configuration
Manager clients in both the source and destination hierarchies can maintain access to content that you deployed
in the source hierarchy. You can also use migration to upgrade or reassign distribution points from the source
hierarchy to become distribution points in the destination hierarchy. When you share and upgrade or reassign
distribution points, this strategy can help you avoid having to redeploy content to new servers in the destination
hierarchy for the clients that you migrate.
Although you can recreate and distribute content in the destination hierarchy, you can also use the following
options to manage this content:
Share distribution points in the source hierarchy with clients in the destination hierarchy.
Upgrade standalone Configuration Manager 2007 distribution points or Configuration Manager 2007
secondary sites in the source hierarchy to become distribution points in the destination hierarchy.
Reassign distribution points from a Configuration Manager source hierarchy to a site in the destination
hierarchy.

Share distribution points between source and destination hierarchies


During migration, you can share distribution points from a source hierarchy with the destination hierarchy. You
can use shared distribution points to make content that you have migrated from a source hierarchy immediately
available to clients in the destination hierarchy without having to recreate that content, and then distribute it to
new distribution points in the destination hierarchy. When clients in the destination hierarchy request content
that is deployed to distribution points that you have shared, the shared distribution points can be offered to the
clients as valid content locations.
In addition to being a valid content location for clients in the destination hierarchy while migration from the
source hierarchy remains active, it is possible to upgrade or reassign a distribution point to the destination
hierarchy. You can upgrade Configuration Manager 2007 shared distribution points and reassign System Center
2012 Configuration Manager shared distribution points. When you upgrade or reassign a shared distribution
point, the distribution point is removed from the source hierarchy and becomes a distribution point in the
destination hierarchy. After you upgrade or reassign a shared distribution point, you can continue to use the
distribution point in the destination hierarchy after migration from the source hierarchy is finished. For more
about how to upgrade a shared distribution point, see Plan to upgrade Configuration Manager 2007 shared
distribution points. For more about how to reassign a shared distribution point, see Plan to reassign
Configuration Manager distribution points.
You can choose to share distribution points from any source site in your source hierarchy. When you share
distribution points for a source site, each qualifying distribution point at that primary site and at each of its
child secondary sites is shared. To qualify to be a shared distribution point, the site system server
that hosts the distribution point must be set up with a fully qualified domain name (FQDN). Any distribution
points that are set up with a NetBIOS name are disregarded.
TIP
Configuration Manager 2007 does not require you to set up an FQDN for site system servers.

Use the following information to help you plan for shared distribution points:
Distribution points that you share must meet the prerequisites for shared distribution points. For more
about these prerequisites, see Required configurations for migration in Prerequisites for migration.
The share distribution point action is a site-wide setting that shares all qualifying distribution points at a
source site and at any direct child secondary sites. You cannot select individual distribution points to
share when you enable distribution point sharing.
Clients in the destination hierarchy can receive content location information for packages that are
distributed to distribution points that are shared from the source hierarchy. For distribution points from a
Configuration Manager 2007 source hierarchy, this includes branch distribution points, distribution
points on server shares, and standard distribution points.

WARNING
If you change the source hierarchy, shared distribution points from the original source hierarchy are no longer
available and cannot be offered as content locations to clients in the destination hierarchy. If you reconfigure
migration to use the original source hierarchy, the previously shared distribution points are restored as valid
content location servers.

When you migrate a package that is hosted on a shared distribution point, the package version must
remain the same in the source and destination hierarchies. When a package version is not the same in the
source and destination hierarchy, clients in the destination hierarchy cannot retrieve that content from the
shared distribution point. Therefore, if you update a package in the source hierarchy, you must re-migrate
the package data before clients in the destination hierarchy can retrieve that content from a shared
distribution point.

NOTE
When you view details for a package that is hosted on a shared distribution point, the number of packages that
display as Hosted Migrated Packages on the source site's Shared Distribution Points tab is not updated
until the next data gathering cycle is finished.

You can view shared distribution points and their properties in the Source Hierarchy node of the
Administration workspace in the Configuration Manager console that connects to the destination
hierarchy.
You cannot use a shared distribution point from a Configuration Manager 2007 source hierarchy to host
packages for Microsoft Application Virtualization (App-V). App-V packages must migrate and be
converted for use by clients in the destination hierarchy. However, you can use a shared distribution point
from a System Center 2012 Configuration Manager or Configuration Manager current branch source
hierarchy to host App-V packages for clients in a destination hierarchy.
When you share a protected distribution point from a Configuration Manager 2007 source hierarchy, the
destination hierarchy creates a boundary group that includes the protected network locations of that
distribution point. You cannot change this boundary group in the destination hierarchy. However, if you
change the protected boundary information for the distribution point in the Configuration Manager 2007
source hierarchy, that change is reflected in the destination hierarchy after the next data gathering cycle
finishes.
NOTE
System Center 2012 Configuration Manager and Configuration Manager current branch sites use the concept of
preferred distribution points instead of protected distribution points. This condition only applies to distribution
points that are shared from Configuration Manager 2007 source sites.

The eligible distribution points are not visible in the Configuration Manager console before you share
distribution points from a source site. After you share distribution points, only the distribution points that are
successfully shared are listed.
After you have shared distribution points, you can change the configuration of any shared distribution point in
the source hierarchy. Changes that you make to the configuration of a distribution point are reflected in the
destination hierarchy after the next data gathering cycle. Distribution points that you update so that they qualify
for sharing are shared automatically, and those that no longer qualify are no longer shared. For
example, you might have a distribution point that is not set up with an intranet FQDN and was not initially
shared with the destination hierarchy. After you set up the FQDN for that distribution point, the next data
gathering cycle identifies this configuration, and the distribution point is then shared with the destination
hierarchy.

Plan to upgrade Configuration Manager 2007 shared distribution points
When you migrate from a Configuration Manager 2007 source hierarchy, you can upgrade a shared distribution
point to make it a Configuration Manager current branch distribution point. You can upgrade distribution points
at primary sites and secondary sites. The upgrade process removes the distribution point from the
Configuration Manager 2007 hierarchy and makes it a site system server in the destination hierarchy. This
process also copies the existing content that is on the distribution point to a new location on the distribution
point computer. The upgrade process then modifies the copy of the content to create the single instance store
for use with content deployment in the destination hierarchy. Therefore, when you upgrade a distribution point,
you do not have to redistribute migrated content that was hosted on the Configuration Manager 2007
distribution point.
After Configuration Manager converts the content to the single instance store, Configuration Manager deletes
the original source content on the distribution point computer to free up disk space. Configuration Manager
does not use the original source content location.
Not all Configuration Manager 2007 distribution points that you can share are eligible for upgrade to
Configuration Manager current branch. To be eligible for upgrade, a Configuration Manager 2007 distribution
point must meet the conditions for upgrade. These conditions include the site system server on which the
distribution point is installed and the type of Configuration Manager 2007 distribution point that is installed. For
example, you cannot upgrade any type of distribution point that is installed on the site server computer at a
primary site, but you can upgrade a standard distribution point that is installed on the site server computer at a
secondary site.

NOTE
You can upgrade only those Configuration Manager 2007 shared distribution points that are on a computer that runs an
operating system version that is supported for distribution points in the destination hierarchy. For example, although you
can share a Configuration Manager 2007 distribution point that is on a computer that runs Windows Vista, you cannot
upgrade this shared distribution point because the operating system is not supported by Configuration Manager current
branch for use as a distribution point.

The following table lists the supported locations for each type of Configuration Manager 2007 distribution point
that you can upgrade.

Type of distribution point | On a site system computer other than the site server | On a site system computer other than the site server that also hosts other site system roles | On a secondary site server
Standard distribution point | Yes | No | Yes
Distribution point on server shares (1) | Yes | No | No
Branch distribution point | Yes | No | No

(1) Configuration Manager current branch does not support server shares for site systems, but it does support the
upgrade of a Configuration Manager 2007 distribution point that is on a server share. When you upgrade a
Configuration Manager 2007 distribution point that is on a server share, the distribution point type is
automatically converted to a server, and you must select the drive on the distribution point computer that will
store the single instance content store.

WARNING
Before you upgrade a branch distribution point, uninstall the Configuration Manager 2007 client software. When you
upgrade a branch distribution point that has the Configuration Manager 2007 client software installed, the content that
was previously deployed to the computer is removed from the computer, and the upgrade of the distribution point fails.

To identify distribution points that are eligible for upgrade in the Configuration Manager console in the Source
Hierarchy node, select a source site, and then select the Shared Distribution Points tab. Eligible distribution
points display Yes in the Eligible for Reassignment column (named Eligible for Upgrade in consoles earlier than
System Center 2012 R2 Configuration Manager).
When you upgrade a distribution point that is installed on a Configuration Manager 2007 secondary site server,
the secondary site is uninstalled from the source hierarchy. Although this scenario is called a secondary site
upgrade, this applies only to the distribution point site system role. The result is that the secondary site is not
upgraded and instead is uninstalled. This leaves a distribution point from the destination hierarchy on the
computer that was the secondary site server. If you plan to upgrade the distribution point on a secondary site,
see Plan to upgrade Configuration Manager 2007 secondary sites in this topic.
Distribution point upgrade process
You can use the Configuration Manager console to upgrade Configuration Manager 2007 distribution points
that you have shared with the destination hierarchy. When you upgrade a shared distribution point, the
distribution point is uninstalled from the Configuration Manager 2007 site. It is then installed as a distribution
point that is attached to a primary or secondary site that you specify in the destination hierarchy. The upgrade
process creates a copy of the migrated content that is stored on the distribution point, and then converts this
copy to the single instance content store. When Configuration Manager converts a package to the single
instance content store, it deletes that package from the SMSPKG share on the distribution point computer unless
the package has one or more advertisements that are set to Run program from distribution point.
To upgrade the distribution point, Configuration Manager uses the Source Site Access Account that is set up
to gather data from the SMS Provider of the source site. Although this account requires only Read permission
for site objects to gather data from the source site, it must also have Delete and Modify permission to the Site
class to successfully remove the distribution point from the Configuration Manager 2007 site during the
upgrade.
NOTE
Configuration Manager can convert content to the single instance store on only one distribution point at a time. When
you set up multiple distribution point upgrades, the distribution points are queued for upgrade and processed one at a
time.

Before you upgrade a shared distribution point, ensure that all content that is deployed to the distribution point
is migrated. Content that you do not migrate before you upgrade the distribution point is not available in the
destination hierarchy after the upgrade. When you upgrade a distribution point, the content in the migrated
packages is converted into a format that is compatible with the single instance store of the destination hierarchy.
To upgrade a distribution point from within the Configuration Manager console, the Configuration Manager
2007 site system server must meet the following conditions:
The distribution point configuration and location must be eligible for upgrade.
The distribution point computer must have sufficient disk space for the content to be converted from the
Configuration Manager 2007 content storage format to the single instance store format. This conversion
requires available free disk space equal to the size of the largest package that is stored on the distribution
point.
The distribution point computer must run an operating system version that is supported as a distribution
point in the destination hierarchy.

NOTE
When Configuration Manager checks for the eligibility of a distribution point for upgrade, it does not validate the
operating system version of the distribution point computer.
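The three conditions above can be verified on the distribution point computer itself before you queue the upgrade. The following PowerShell is an added example, not part of the Configuration Manager documentation, and it also performs the operating system check that the console's eligibility test skips, plus the branch distribution point client check from the earlier warning. It assumes you run it locally on the distribution point, that the 2007 content is under D:\SMSPKGD$, that D: will hold the single instance store, and that the minimum operating system version is 6.3; all four values are assumptions you must set for your environment (take the real version floor from the supported operating systems list for distribution points).

```powershell
# Added example (not from the Configuration Manager documentation): pre-upgrade checks for a
# Configuration Manager 2007 shared distribution point. Run it locally on the distribution point
# computer. The package root, target drive and minimum OS version are assumptions to adjust.
param(
    [string]  $PackageRoot      = 'D:\SMSPKGD$',  # assumed 2007 content folder (SMSPKG<drive>$ share)
    [string]  $TargetDrive      = 'D:',           # assumed drive that will hold the single instance store
    [version] $MinimumOSVersion = [version]'6.3'  # assumption: take the real floor from the supported-OS list
)

$result = [ordered]@{}

# 1. Only site systems set up with an intranet FQDN are shared; NetBIOS-only names are disregarded.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$result.FQDN    = $fqdn
$result.HasFQDN = ($fqdn -match '\.')

# 2. Converting to the single instance store needs free space at least equal to the largest package.
$largest = 0L
if (Test-Path -LiteralPath $PackageRoot) {
    foreach ($pkgDir in Get-ChildItem -LiteralPath $PackageRoot -Directory) {
        $size = (Get-ChildItem -LiteralPath $pkgDir.FullName -Recurse -File -ErrorAction SilentlyContinue |
                 Measure-Object -Property Length -Sum).Sum
        if ($size -gt $largest) { $largest = [long]$size }
    }
}
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$TargetDrive'"
$result.LargestPackageBytes = $largest
$result.FreeBytes           = [long]$disk.FreeSpace
$result.HasDiskSpace        = ([long]$disk.FreeSpace -ge $largest)

# 3. The console's eligibility check does not validate the OS version, so check it explicitly.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$result.OSVersion   = [version]$os.Version
$result.OSSupported = ([version]$os.Version -ge $MinimumOSVersion)

# 4. Informational: a branch distribution point must have the 2007 client removed before the
#    upgrade, or the content is deleted and the upgrade fails. The SMS Agent Host service
#    (ccmexec) indicates an installed client. Standard distribution points can keep the client.
$result.ClientStillInstalled = [bool](Get-Service -Name ccmexec -ErrorAction SilentlyContinue)

$result.ReadyForUpgrade = ($result.HasFQDN -and $result.HasDiskSpace -and $result.OSSupported)
[pscustomobject]$result | Format-List
```

ReadyForUpgrade covers the three documented conditions; ClientStillInstalled is reported separately because it only blocks the upgrade of a branch distribution point.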

To upgrade a distribution point, in the Administration workspace, expand Migration , expand the Source
Hierarchy node, and then select the site that has the distribution point that you want to upgrade. Next, in the
details pane, on the Shared Distribution Points tab, select the distribution point that you want to upgrade.
You can confirm that the distribution point is ready for upgrade by viewing the status in the Eligible for
Reassignment column. Next, on the Configuration Manager console ribbon, on the Distribution Points tab,
in the Distribution Point group, select Reassign. This opens a wizard that you use to finish the upgrade of the
distribution point.
When you upgrade a shared distribution point, you must assign the distribution point to a primary or secondary
site of your choice in the destination hierarchy. After the distribution point is upgraded, manage the distribution
point as a distribution point in the destination hierarchy like any other distribution point.
You can monitor the progress of a distribution point upgrade in the Configuration Manager console by selecting
the Distribution Point Migration node under the Migration node of the Administration workspace. You
can also view information in the Migmctrl.log on the central administration site server of the destination
hierarchy, or in the distmgr.log on the site server in the destination hierarchy that manages the upgraded
distribution point.
NOTE
When you upgrade a distribution point to the destination hierarchy, the distribution point site system role is removed
from the Configuration Manager 2007 source site. However, packages that were sent to the distribution point are not
updated in the Configuration Manager 2007 hierarchy. In the Configuration Manager 2007 console, packages that had
been sent to the distribution point continue to list the site system computer as a distribution point with a Type of
Unknown. Subsequent updates to the package in Configuration Manager 2007 result in Distribution Manager reporting
errors in the distmgr.log for that site when the site attempts to update the package on the unknown site system.
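Both Migmctrl.log and distmgr.log use the standard Configuration Manager log entry format, so the warnings and errors mentioned above can be filtered out of a long log without opening it in a viewer. The following PowerShell is an added example, not code from the Configuration Manager documentation: it parses that format and reports only warning and error entries. The sample entries are constructed for the example, and the server name, component name and log path are assumptions.

```powershell
# Added example (not from the Configuration Manager documentation): surface warnings and errors from
# Migmctrl.log or distmgr.log while a shared distribution point upgrade runs.
# Configuration Manager log entries have the form
#   <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="mm-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# where type 1 is information, 2 is warning and 3 is error.
function ConvertFrom-CMLog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
        if ($Line -match $pattern) {
            $severity = switch ([int]$Matches.type) { 1 { 'Info' } 2 { 'Warning' } 3 { 'Error' } default { 'Unknown' } }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $severity
                Message   = $Matches.msg
            }
        }
    }
}

# Constructed sample entries (not real log output); server and component names are assumptions.
$sample = @'
<![LOG[Processing shared DP upgrade for DP01.contoso.com]LOG]!><time="10:01:02.000+000" date="02-16-2022" component="SMS_MIGRATION_MANAGER" context="" type="1" thread="4100" file="migmctrl.cpp:1">
<![LOG[Not enough free space on D: to convert package ABC00012 to the content library]LOG]!><time="10:01:03.000+000" date="02-16-2022" component="SMS_MIGRATION_MANAGER" context="" type="3" thread="4100" file="migmctrl.cpp:2">
<![LOG[Waiting for the next data gathering cycle before installing the new distribution point]LOG]!><time="10:01:04.000+000" date="02-16-2022" component="SMS_MIGRATION_MANAGER" context="" type="2" thread="4100" file="migmctrl.cpp:3">
'@ -split "`r?`n" | Where-Object { $_ }

# Against a live log (path is an assumption):
#   Get-Content '\\CAS01\SMS_CAS\Logs\Migmctrl.log' -Wait | ConvertFrom-CMLog | Where-Object Severity -ne 'Info'
$sample | ConvertFrom-CMLog |
    Where-Object { $_.Severity -in 'Warning', 'Error' } |
    Format-Table Date, Time, Severity, Message -AutoSize
```

Piping Get-Content with -Wait into ConvertFrom-CMLog follows the log as the upgrade progresses, which is useful because the upgrade of a secondary site distribution point can sit idle for up to a data gathering cycle before the new distribution point installs.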

If you decide not to upgrade a shared distribution point, you can still install a distribution point from the
destination hierarchy on a former Configuration Manager 2007 distribution point. Before you can install the
new distribution point, you must first uninstall all Configuration Manager 2007 site system roles from the
distribution point computer. This includes the Configuration Manager 2007 site if it is the site server computer.
When you uninstall a Configuration Manager 2007 distribution point, content that was deployed to the
distribution point is not deleted from the computer.
Plan to upgrade Configuration Manager 2007 secondary sites
When you use migration to upgrade a shared distribution point that is hosted on a Configuration Manager 2007
secondary site server, Configuration Manager upgrades the distribution point site system role to be a
distribution point in the destination hierarchy. It also uninstalls the secondary site from the source hierarchy. The
result is a Configuration Manager current branch distribution point, but no secondary site.
For a distribution point on the site server computer to be eligible for upgrade, Configuration Manager must be
able to uninstall the secondary site and each of the site system roles on that computer. Typically, a shared
distribution point on a Configuration Manager 2007 server share is eligible for upgrade. However, when a
server share exists on the secondary site server, the secondary site and any shared distribution points on that
computer are not eligible for upgrade. This is because the server share is treated as an additional site system
object when the process attempts to uninstall the secondary site, and this process cannot uninstall this object. In
this scenario, you can enable a standard distribution point on the secondary site server and then redistribute the
content to that standard distribution point. This process does not use network bandwidth, and when finished,
you can uninstall the distribution point on the server share, remove the server share, and then upgrade the
distribution point and secondary site.
Before you upgrade a shared distribution point, review the distribution point configuration in Configuration
Manager 2007 to avoid upgrading a distribution point on a secondary site that you still want to use with
Configuration Manager 2007. This is a good practice, because after you upgrade a shared distribution point that
is on a secondary site server, the site system server is removed from the Configuration Manager 2007 hierarchy
and is no longer available for use with that hierarchy. When the secondary site is removed, any remaining
distribution points at that secondary site are orphaned. This means they become unmanaged from
Configuration Manager 2007 and are no longer shared or eligible for upgrade.

WARNING
When you view shared distribution points in the Configuration Manager console, there is no visible indication that a
shared distribution point is on a remote site system server or on the secondary site server.

When you have a secondary site in a remote network location that is used primarily to control the deployment
of content to that remote location, consider upgrading secondary sites that have a shared distribution point.
Because you can set up bandwidth control for when you distribute content to a Configuration Manager current
branch distribution point, you can often upgrade a secondary site to a distribution point, set up the distribution
point for bandwidth controls, and avoid installing a secondary site in that network location in the destination
hierarchy.
The process to upgrade a shared distribution point on a secondary site server is the same as any other shared
distribution point upgrade. Content is copied and converted to the single instance store in use by the destination
hierarchy. However, when you upgrade a shared distribution point that is on a secondary site server, the
upgrade process also uninstalls the management point (if present) and then uninstalls the secondary site from
the server. The result is that the secondary site is removed from the Configuration Manager 2007 hierarchy. To
uninstall the secondary site, Configuration Manager uses the account that is set up to gather data from the
source site.
During the upgrade, there is a delay between when the Configuration Manager 2007 secondary site is
uninstalled and when the installation of the distribution point in the destination hierarchy begins. The
data-gathering cycle determines this delay, which can be up to four hours. The delay is intended to give the
secondary site time to uninstall before the new distribution point installation begins.
For more about how to upgrade a shared distribution point, see Plan to upgrade Configuration Manager 2007
shared distribution points.

Plan to reassign Configuration Manager distribution points


When you migrate from a supported version of System Center 2012 Configuration Manager to a hierarchy of
the same version, you can reassign a shared distribution point from the source hierarchy to a site in the
destination hierarchy. This is like the concept of upgrading a Configuration Manager 2007 distribution point to
become a distribution point in the destination hierarchy. You can reassign distribution points from primary sites
and secondary sites. The action to reassign a distribution point removes the distribution point from the source
hierarchy and makes the computer and its distribution point a site system server of the site that you select in the
destination hierarchy.
When you reassign a distribution point, you do not have to redistribute migrated content that was hosted on the
source site distribution point. Additionally, unlike the upgrade of a Configuration Manager 2007 distribution
point, reassignment of a distribution point does not require additional disk space on the distribution point
computer. This is because beginning with System Center 2012 Configuration Manager, distribution points use
the single instance store format for content. The content on the distribution point computer does not need to be
converted when the distribution point is reassigned between hierarchies.
For a System Center 2012 Configuration Manager distribution point to be eligible for reassignment, it must
meet the following criteria:
A shared distribution point must be installed on a computer other than the site server.
A shared distribution point cannot be co-located with any additional site system roles.
To identify distribution points that are eligible for reassignment in the Configuration Manager console in the
Source Hierarchy node, select a source site, and then select the Shared Distribution Points tab. Eligible
distribution points display Yes in the Eligible for Reassignment column (this column is named Eligible for
Upgrade prior to System Center 2012 R2 Configuration Manager).
Distribution point reassignment process
You can use the Configuration Manager console to reassign distribution points that you have shared from an
active source hierarchy. When you reassign a shared distribution point, the distribution point is uninstalled from
its source site and then installed as a distribution point that is attached to a primary or secondary site that you
specify in the destination hierarchy.
To reassign the distribution point, the destination hierarchy uses the Source Site Access Account that is set up to
gather data from the SMS Provider of the source site. For information about required permissions and
additional prerequisites, see Prerequisites for migration.
Migrate multiple shared distribution points at the same time
Beginning with version 1610, you can use Reassign Distribution point to have Configuration Manager
process in parallel the reassignment of up to 50 shared distribution points at the same time. This includes
shared distribution points from supported source sites that run:
Configuration Manager 2007
System Center 2012 Configuration Manager
System Center 2012 R2 Configuration Manager
Configuration Manager (current branch)
When you reassign distribution points, each distribution point must qualify to be either upgraded or reassigned.
The name of the action and process involved (upgrade or reassign) depends on which version of Configuration
Manager the source site runs. The end results for both actions are the same: the distribution point is assigned to
one of your Current Branch sites with its content in place.
Prior to version 1610, Configuration Manager could process only one distribution point at a time. Now you can
reassign as many distribution points as you want with the following caveats:
Although you cannot multiselect distribution points to be reassigned, when you have queued up more than
one, Configuration Manager will process them in parallel instead of waiting to finish one before starting the
next.
By default, up to 50 distribution points are processed in parallel at a time. After the reassignment of the first
distribution point is finished, Configuration Manager will begin to process the 51st, and so on.
When you use the Configuration Manager SDK, you can change SharedDPImportThreadLimit to adjust
the number of reassigned distribution points that Configuration Manager can process in parallel.

Assign content ownership when migrating content


When you migrate content for deployments, you must assign the content object to a site in the destination
hierarchy. This site then becomes the owner for that content in the destination hierarchy. Although the top-level
site of your destination hierarchy is the site that migrates the metadata for content, it is the assigned site that
accesses the original source files for the content across the network.
To minimize the network bandwidth that is used when you migrate content, consider transferring ownership of
content to a site in the destination hierarchy that is close on the network to the content location in the source
hierarchy. Because information about the content in the destination hierarchy is shared globally, it will be
available at every site.
Although information about content is shared to all sites by using database replication, any content that you
assign to a primary site and then deploy to distribution points at other primary sites transfers by file-based
replication. This transfer is routed through the central administration site and then to the additional primary site.
You can reduce data transfers across low-bandwidth networks by centralizing packages that you plan to
distribute to multiple primary sites before or during migration when you assign a site as the content owner.
Plan for the migration of Configuration Manager objects to Configuration Manager current branch
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


With Configuration Manager current branch, you can migrate many of the different objects that are associated
with different features found at a source site.

Plan to migrate software updates


You can migrate software update objects, like software update packages and software update deployments.
To successfully migrate software update objects, you must first set up your destination hierarchy with
configurations that match your source hierarchy environment. This requires the following actions:
Deploy an active software update point in the destination hierarchy
Set up the catalog of products and languages to match the configuration of your source hierarchy
Sync the software update point in the destination hierarchy with Windows Server Update Services
(WSUS)
When you migrate software updates, consider the following:
Migration of software update objects can fail when you have not synced information in your destination
hierarchy to match the configuration of your source hierarchy.

WARNING
Configuration Manager does not support use of the WSUSutil tool to sync data between a source and destination
hierarchy.

You cannot migrate custom updates that are published by using System Center Updates Publisher.
Instead, custom updates must be republished to the destination hierarchy.
When you migrate from a Configuration Manager 2007 source hierarchy, the migration process modifies some
software update objects to the format in use by the destination hierarchy. Use the following table to help you
plan the migration of software update objects from Configuration Manager 2007.

Configuration Manager 2007 object | Object name after migration
Software update lists | Software update lists are converted to software update groups.
Software update deployments | Software update deployments are converted to deployments and update groups. After you migrate a software update deployment from Configuration Manager 2007, you must enable it in the destination hierarchy before you can deploy it.
Software update packages | Software update packages remain software update packages.
Software update templates | Software update templates remain software update templates. The Duration value in Configuration Manager 2007 deployment templates does not migrate.

When you migrate objects from a System Center 2012 Configuration Manager or Configuration Manager
current branch source hierarchy, the software updates objects are not modified.

Plan to migrate content


You can migrate content from a supported source hierarchy to your destination hierarchy. For a Configuration
Manager 2007 source hierarchy, this content includes software distribution packages and programs and virtual
applications, like Microsoft Application Virtualization (App-V). For System Center 2012 Configuration Manager
and Configuration Manager current branch source hierarchies, this content includes applications and App-V
virtual applications. When you migrate content between hierarchies, the compressed source files migrate to the
destination hierarchy.
Packages and programs
When you migrate packages and programs, they are not modified by migration. However, before you migrate
them, you must set up each package to use a Universal Naming Convention (UNC) path for its source file
location. As part of the configuration to migrate packages and programs, you must assign a site in the
destination hierarchy to manage this content. The content is not migrated from the assigned site, but after
migration, the assigned site accesses the original source file location by using the UNC mapping.
After you migrate a package and program to the destination hierarchy, and while migration from the source
hierarchy remains active, you can make the content available to clients in that hierarchy by using a shared
distribution point. To use a shared distribution point, the content must remain accessible on the distribution
point at the source site. For more about shared distribution points, see Share distribution points between source
and destination hierarchies in Plan a content deployment migration strategy.
For content that has migrated, if the content version changes in the source hierarchy or the destination
hierarchy, clients can no longer access the content from the shared distribution point in the destination
hierarchy. In this scenario, you must re-migrate the content to restore a consistent version of the package
between the source hierarchy and the destination hierarchy. This information syncs during the data gathering
cycle.

TIP
For each package that you migrate, update the package in the destination hierarchy. This action can prevent issues with
deploying the package to distribution points in the destination hierarchy. However, when you update a package on the
distribution point in the destination hierarchy, clients in that hierarchy will no longer be able to get that package from a
shared distribution point. To update a package in the destination hierarchy, in the Configuration Manager console, go to
the Software Library, right-click on the package, and then select Update Distribution Points. Do this action for each
package that you migrate.
TIP
Use Package Conversion Manager to convert packages and programs into Configuration Manager applications. For more
information, see Package Conversion Manager.

Virtual applications
When you migrate App-V packages from a supported Configuration Manager 2007 site, the migration process
converts them to applications in the destination hierarchy. Additionally, based on existing advertisements for the
App-V package, the following deployment types are created in the destination hierarchy:
If there are no advertisements, one deployment type is created that uses the default deployment type
settings.
If one advertisement exists, one deployment type is created that uses the same settings as the
Configuration Manager 2007 advertisement.
If multiple advertisements exist, a deployment type is created for each Configuration Manager 2007
advertisement by using the settings for that advertisement.

IMPORTANT
If you migrate a previously migrated Configuration Manager 2007 App-V package, the migration fails because virtual
application packages do not support the overwrite migration behavior. In this scenario, you must delete the migrated
virtual application package from the destination hierarchy, and then create a new migration job to migrate the virtual
application.

NOTE
After you migrate an App-V package, you can use the Update Content wizard to change the source path for App-V
deployment types. For more about how to update content for a deployment type, see How to manage deployment types
in Management tasks for Configuration Manager applications.

When you migrate from a System Center 2012 Configuration Manager or Configuration Manager current
branch source hierarchy, you can migrate objects for the App-V virtual environment in addition to App-V
deployment types and applications. For more about App-V environments, see Deploying App-V virtual
applications.
Advertisements
You can migrate advertisements from a supported Configuration Manager 2007 source site to the destination
hierarchy by using collection-based migration. If you upgrade a client, it retains the history of previously run
advertisements to prevent the client from rerunning migrated advertisements.

NOTE
You cannot migrate advertisements for virtual packages. This is an exception to the migration of advertisements.

Applications
You can migrate applications from a supported System Center 2012 Configuration Manager or Configuration
Manager current branch source hierarchy to a destination hierarchy. If you reassign a client from the source
hierarchy to the destination hierarchy, the client retains the history of previously installed applications to
prevent the client from rerunning a migrated application.
Plan to migrate collections
You can migrate the criteria for collections from a supported System Center 2012 Configuration Manager or
Configuration Manager current branch source hierarchy. For this, you use an object-based migration job. When
you migrate a collection, you migrate the rules for the collection, not information about the members of the
collection or information and objects related to those members.
Migration of the collection object is not supported when you migrate from a Configuration Manager 2007
source hierarchy.

Plan to migrate operating system deployments


You can migrate the following operating system deployment objects from a supported source hierarchy:
Operating system images and packages. The source path of boot images is updated to the default image
location for the Windows Administrative Installation Kit (Windows AIK) on the destination site. The
following are requirements and limitations to migrating operating system images and packages:
To successfully migrate image files, the computer account of the SMS Provider server for the
destination hierarchy's top-level site must have Read and Write permission to the image source
files of the source site's Windows AIK location.
When you migrate an operating system installation package, ensure that the configuration of the
package on the source site points to the folder that has the WIM file and not to the WIM file itself. If
the installation package points to the WIM file, the migration of the installation package will fail.
When you migrate a boot image package from a Configuration Manager 2007 source site, the
package ID of the package is not maintained in the destination site. The result of this is that clients
in the destination hierarchy cannot use boot image packages that are available on shared
distribution points.
Task sequences. When you migrate a task sequence that has a reference to a client installation package,
that reference is replaced with a reference to the client installation package of the destination hierarchy.

NOTE
When you migrate a task sequence, Configuration Manager might migrate objects that are not required in the
destination hierarchy. These objects include boot images and Configuration Manager 2007 client installation
packages.

Drivers and driver packages. When you migrate driver packages, the computer account of the SMS
Provider in the destination hierarchy must have full control to the package source.

Plan to migrate desired configuration management


You can migrate configuration items and configuration baselines.

NOTE
Uninterpreted configuration items from Configuration Manager 2007 source hierarchies aren't supported for migration.
You can't migrate or import these configuration items to the destination hierarchy.

You can import Configuration Manager 2007 Configuration Packs. The import process automatically converts
the configuration packs to be compatible with Configuration Manager current branch.
Plan to migrate boundaries
You can migrate boundaries between hierarchies. When you migrate boundaries from Configuration Manager
2007, each boundary from the source site migrates at the same time and is added to a new boundary group
that is created in the destination hierarchy. When you migrate boundaries from a System Center 2012
Configuration Manager or Configuration Manager current branch hierarchy, each boundary you select is added
to a new boundary group in the destination hierarchy.
Each automatically created boundary group is enabled for content location but not for site assignment. This
prevents overlapping boundaries for site assignment between the source and destination hierarchies. When you
migrate from a Configuration Manager 2007 source site, this helps prevent newly installed Configuration
Manager 2007 clients from incorrectly assigning to the destination hierarchy. By default, Configuration Manager
current branch clients do not automatically assign to Configuration Manager 2007 sites.
During migration, if you share a distribution point with the destination hierarchy, any boundaries that are
associated with that distribution point automatically migrate to the destination hierarchy. In the destination hierarchy,
migration creates a new read-only boundary group for each shared distribution point. If you change the
boundaries for the distribution point in the source hierarchy, the boundary group in the destination hierarchy
updates with these changes during the next data gathering cycle.

Plan to migrate reports


Configuration Manager does not support the migration of reports. Instead, use SQL Server Reporting Services
Report Builder to export reports from the source hierarchy, and then import them to the destination hierarchy.

NOTE
Because there are schema changes for reports between Configuration Manager 2007 and Configuration Manager current
branch, test each report that you import from a Configuration Manager 2007 hierarchy to ensure that it functions as
expected.

For more about reporting, see Introduction to reporting.

Plan to migrate organizational and search folders


You can migrate organizational folders and search folders from a supported source hierarchy to a destination
hierarchy. In addition, from a System Center 2012 Configuration Manager or Configuration Manager current
branch source hierarchy, you can migrate the criteria for a saved search to a destination hierarchy.
By default, the migration process maintains your search folder and administrative folder structures for objects
and collections when you migrate. However, in the Create Migration Job wizard, on the Settings page, you can
set up a migration job to not migrate the organizational structure for objects by unchecking the box for this
option. The organizational structures of collections are always maintained.
One exception to this is a search folder that contains virtual applications. When an App-V package is migrated,
it is converted into an application in Configuration Manager. After the search folder migrates, it finds only the
remaining packages; it cannot locate the migrated App-V package, because that package is now an application.
When you migrate a saved search from a System Center 2012 Configuration Manager or Configuration
Manager current branch source hierarchy, you migrate the criteria for the search, and not the information about
the search results. Migration of a saved search is not applicable from a Configuration Manager 2007 source site.

Plan to migrate Asset Intelligence customizations


You can migrate customizations for Asset Intelligence from a supported source hierarchy to a destination
hierarchy. There are no significant changes to the structure of Asset Intelligence customizations between
Configuration Manager 2007 and Configuration Manager current branch.

NOTE
Configuration Manager current branch doesn't support the migration of Asset Intelligence objects from a Configuration
Manager 2007 site that is using Asset Intelligence Service 2.0 (AIS 2.0).

Plan to migrate software metering rules customizations


There are no significant changes to software metering between Configuration Manager 2007 and Configuration
Manager current branch. You can migrate your software metering rules from a supported source hierarchy to a
destination hierarchy.
By default, software metering rules that you migrate to a destination hierarchy are not associated with a specific
site in the destination hierarchy and instead apply to all clients in the hierarchy. To apply a software metering
rule to clients at a specific site, you must edit the metering rule after it migrates.
Planning to monitor migration activity in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


With Configuration Manager, you can monitor migration in the Configuration Manager console that connects to
the destination hierarchy. In the Configuration Manager console in the Administration workspace, you can use
the Migration node to monitor the progress and success of migration jobs. You can view summary information
for each migration job that identifies objects that have migrated, those objects that have not yet migrated, and
the number of objects that are excluded from a migration job. You will also see details about any migration
problems.

View Migration Progress


To view the progress of a migration job, use any of the following actions:
In the Administration workspace of the Configuration Manager console, expand the Migration Jobs
node, select a migration job, and then select the Objects in Job tab.
Use the Configuration Manager log files to review the migration progress or to identify any problems.
Migration Manager is the Configuration Manager process that tracks migration actions and records these
in the migmctrl.log file in the <InstallationPath>\LOGS folder on the site server.

NOTE
If a migration job fails, review the details in the migmctrl.log file as soon as possible. The migration log entries are
continually added to the file and overwrite old details. If the entries are overwritten, you might not be able to
identify whether any problems that you might encounter with the migrated objects relate to migration issues.
Migration activity is logged at the top-level site of the hierarchy regardless of the site your Configuration
Manager console connects to when you configure migration.

Use Configuration Manager reporting. Configuration Manager provides several built-in reports for
migration, or you can edit those reports to fit your requirements. For more information about
Configuration Manager reports, see Introduction to reporting.
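As an added example that is not part of the original documentation, the following PowerShell reads migmctrl.log entries in the CMTrace log format, surfaces the warning and error entries, and archives a timestamped copy so the details survive the overwriting the note above describes. The log path and archive folder are placeholders, and the sample entries (component names, thread ids, file names and messages) are constructed.

```powershell
# Added example, not from the Configuration Manager documentation.
# Parses migmctrl.log entries (CMTrace format) for warnings and errors and archives a copy
# of the log. Run it on the top-level site server of the destination hierarchy, where
# migration activity is logged. Sample lines below are constructed, not from a real log.

$SeverityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    # One CMTrace entry per line:
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    if ($Line -match $pattern) {
        $severity = $SeverityNames[$Matches.type]
        if (-not $severity) { $severity = 'Unknown' }
        return [pscustomobject]@{
            Date      = $Matches.date
            Time      = $Matches.time
            Component = $Matches.comp
            Severity  = $severity
            Message   = $Matches.msg
        }
    }
    return $null   # not a CMTrace entry (for example, an empty or continuation line)
}

function Get-MigrationLogProblem {
    # Returns only the Warning (type 2) and Error (type 3) entries.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-CMTraceLine -Line $line
        if ($entry -and ($entry.Severity -eq 'Warning' -or $entry.Severity -eq 'Error')) { $entry }
    }
}

function Save-MigrationLogCopy {
    # Copies the log aside with a timestamp so that details are kept after the log rolls over.
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$ArchiveFolder
    )
    if (-not (Test-Path -Path $ArchiveFolder)) {
        New-Item -ItemType Directory -Path $ArchiveFolder | Out-Null
    }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path -Path $ArchiveFolder -ChildPath ('migmctrl-{0}.log' -f $stamp)
    Copy-Item -Path $LogPath -Destination $target
    return $target
}

# Constructed sample entries in CMTrace format (not copied from a real migmctrl.log).
$sampleText = @'
<![LOG[Migration job 'Packages-Wave1' started]LOG]!><time="09:15:02.120+000" date="02-16-2022" component="SMS_MIGRATION_MANAGER" context="" type="1" thread="4120" file="migrationjob.cpp:210">
<![LOG[Package AAA00002 source path D:\Sources\Legacy is not a UNC path]LOG]!><time="09:15:03.455+000" date="02-16-2022" component="SMS_MIGRATION_MANAGER" context="" type="2" thread="4120" file="migrationjob.cpp:388">
<![LOG[Failed to migrate object AAA00002: access denied to source site]LOG]!><time="09:15:04.011+000" date="02-16-2022" component="SMS_MIGRATION_MANAGER" context="" type="3" thread="4120" file="migrationjob.cpp:402">
'@
$sampleLines = $sampleText -split "`r?`n"

Get-MigrationLogProblem -Lines $sampleLines | Format-Table -AutoSize

# Against the real log (placeholder paths; the log lives in <InstallationPath>\LOGS):
# $log = 'D:\ConfigMgr\Logs\migmctrl.log'
# Save-MigrationLogCopy -LogPath $log -ArchiveFolder 'D:\MigrationLogArchive'
# Get-MigrationLogProblem -Lines (Get-Content -Path $log) | Format-Table -AutoSize
```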
Plan to complete migration in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


With Configuration Manager, you can complete the process of migration when a source hierarchy no longer has
data that you want to migrate to your destination hierarchy. Completing migration includes the following
general steps:
Ensure that data you require has migrated. Before you complete migration from a source hierarchy, make
sure that you have successfully migrated all of the resources from the source hierarchy that you require
in the destination hierarchy. This can include data and clients.
Stop gathering data from source sites. To complete migration from a source hierarchy, you must first stop
gathering data from source sites.
Clean up migration data. After you stop gathering data from all source sites in a source hierarchy, you can
remove data about the migration process and source hierarchy from the database of the destination
hierarchy.
Decommission the source hierarchy. After you complete migration from a source hierarchy and that
hierarchy no longer has resources that you manage, you can decommission the sites in the source
hierarchy and remove the related infrastructure from your environment. For information about how to
decommission sites and source hierarchies, consult the documentation for that version of Configuration
Manager.
Use the following sections to help you plan to complete migration from a source hierarchy by stopping data
gathering and cleaning up migration data:
Plan to stop gathering data
Plan to clean up migration data

Plan to stop gathering data


Before you complete migration and clean up migration data, you must stop gathering data from each source
site in the source hierarchy. To stop gathering data from each source site, you must perform the Stop
Gathering Data command on the bottom tier source sites, and then repeat the process at each parent site. The
top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop data
gathering at each child site before performing this command on a parent site. Typically, you only stop gathering
data when you are ready to finish the migration process.
After you stop gathering data from a source site, shared distribution points from that site are no longer available
as content locations for clients in the destination hierarchy. Therefore, ensure that any migrated content that the
clients in the destination hierarchy require access to remains available by using one of the following options:
In the destination hierarchy, distribute the content to at least one distribution point.
Before you stop gathering data from a source site, upgrade or reassign shared distribution points that
have the required content. For more about upgrading or reassigning shared distribution points, see the
applicable sections in Planning a content deployment migration strategy.
After you stop gathering data from each source site in the source hierarchy, you can clean up migration data.
Until you clean up migration data, each migration job that has run or that is scheduled to run remains accessible
in the Configuration Manager console.
For more about source sites and data gathering, see Planning a source hierarchy strategy.

Plan to clean up migration data


The last step required to finish migration is to clean up migration data. You can use the Clean Up Migration
Data command after you have stopped gathering data for each source site in the source hierarchy. This optional
action removes data about the current source hierarchy from the database of the destination hierarchy.
When you clean up migration data, most data about the migration is removed from the database of the
destination hierarchy. However, details about migrated objects are retained. With these details, you can use the
Migration workspace to reconfigure the source hierarchy that has the data that was migrated to resume
migration from that source hierarchy, or to review the objects and site ownership of the objects that previously
migrated.
Configure source hierarchies and source sites for migration to Configuration Manager current branch
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


To enable migration of data to your Configuration Manager current branch environment, you must configure a
supported Configuration Manager source hierarchy and one or more source sites in that hierarchy that contain
data that you want to migrate.

NOTE
Operations for migration are run at the top-level site in the destination hierarchy. If you configure migration when you
use a Configuration Manager console that is connected to a primary child site, you must allow time for the configuration
to replicate to the central administration site, start, and then replicate status back to the primary site to which you are
connected.

Use the information and procedures in the following sections to specify the source hierarchy and add additional
source sites. After you finish these procedures, you can create migration jobs and start to migrate data from the
source hierarchy to the destination hierarchy.
Specify a source hierarchy for migration
Identify additional source sites of the source hierarchy

Specify a source hierarchy for migration


To migrate data to your destination hierarchy, you must specify a supported source hierarchy that has the data
that you want to migrate. By default, the top-level site of that hierarchy becomes a source site of the source
hierarchy. If you migrate from a Configuration Manager 2007 hierarchy, you can then set up additional source
sites for migration after data is gathered from the initial source site. If you migrate from a System Center 2012
Configuration Manager or Configuration Manager current branch hierarchy, you do not have to set up
additional source sites to migrate data from the source hierarchy. This is because these versions of
Configuration Manager use a shared database that is available at the top-level site of the source hierarchy. The
shared database has all the information that you can migrate.
Use the following procedures to specify a source hierarchy for migration and to identify additional source sites
in a Configuration Manager 2007 hierarchy.
Run this procedure with a Configuration Manager console that is connected to the destination hierarchy:
To configure a source hierarchy
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Migration, and then click Source Hierarchy.
3. On the Home tab, in the Migration group, click Specify Source Hierarchy.
4. In the Specify Source Hierarchy dialog box, for Source Hierarchy, select New source hierarchy.
5. For Top-level Configuration Manager site server, enter the name or IP address of the top-level site
of a supported source hierarchy.
6. Specify source site access accounts that have the following permissions:
Source Site Account: Read permission to the SMS Provider for the specified top-level site in the
source hierarchy. Distribution point sharing and upgrades require Modify and Delete
permissions to the site in the source hierarchy.
Source Site Database Account: Read and Execute permission to the SQL Server database for the
specified top-level site in the source hierarchy.
If you specify the use of the computer account, Configuration Manager uses the computer account
of the top-level site of the destination hierarchy. For this option, ensure that this account is a
member of the security group Distributed COM Users in the domain where the top-level site of
the source hierarchy resides.
7. To share distribution points between the source and destination hierarchies, select the Enable
distribution point sharing for the source site server check box. If you do not enable distribution
point sharing at this time, you can do so by editing the credentials of the source site after data gathering
has finished.
8. Click OK to save the configuration. This opens the Data Gathering Status dialog box, and data
gathering starts automatically.
9. When data gathering finishes, click Close to close the Data Gathering Status dialog box and complete
the configuration.

Identify additional source sites of the source hierarchy


When you configure a supported source hierarchy, the top-level site of that hierarchy is automatically
configured as a source site, and data is automatically gathered from that site. The next action that you take
depends on the version of Configuration Manager that is run by the source hierarchy:
For a Configuration Manager 2007 source hierarchy, you can begin migration from that initial source site
or set up additional source sites from the source hierarchy after the data gathering finishes for the initial
source site. To migrate data that is only available from a child site, set up additional source sites for a
Configuration Manager 2007 hierarchy. For example, you might configure additional source sites to
gather data about content that you want to migrate when it's created at a child site in the source
hierarchy and is not available at the top site of the source hierarchy.
For a System Center 2012 Configuration Manager or Configuration Manager current branch source
hierarchy, you do not need to configure additional source sites. This is because these versions of
Configuration Manager use a shared database that is available at the top-level site of the source
hierarchy. The shared database has all the information that you can migrate from all of the sites in that
source hierarchy. This makes the data that you can migrate available from the top-level site of the source
hierarchy.
When you configure additional source sites for a Configuration Manager 2007 source hierarchy, you must
configure the additional source sites from the top of the source hierarchy to the bottom. You must configure a
parent site as a source site before you configure any of its child sites as source sites.
Use the following procedure to configure additional source sites for Configuration Manager 2007 source
hierarchies:
To identify additional source sites in the source hierarchy
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Migration, and then click Source Hierarchy.
3. Choose the site that you want to configure as a source site.
4. On the Home tab, in the Source Site group, click Configure.
5. In the Source Site Credentials dialog box, for the source site access accounts, specify accounts that
have the following permissions:
Source Site Account: Read permission to the SMS Provider for the specified top-level site in the
source hierarchy. Distribution point sharing and upgrades require Modify and Delete
permissions to the site in the source hierarchy.
Source Site Database Account: Read and Execute permission to the SQL Server database for the
specified top-level site in the source hierarchy.
If you specify the use of the computer account, Configuration Manager uses the computer account of the
top-level site of the destination hierarchy. For this option, ensure that this account is a member of the
security group Distributed COM Users in the domain where the top-level site of the source hierarchy
resides.
6. To share distribution points between the source and destination hierarchies, select the Enable
distribution point sharing for the source site server check box. If you do not enable distribution
point sharing at this time, you can do so by editing the credentials for the source site after data gathering
has finished.
7. Click OK to save the configuration. This opens the Data Gathering Status dialog box, and data
gathering starts automatically.
8. When data gathering finishes, click Close to complete the configuration.
Operations for migrating to Configuration Manager current branch
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


For migration in Configuration Manager, you can migrate data and clients after you successfully gather data
from a source site in a supported source hierarchy. Use the information in the following sections to create and
run migration jobs to migrate data and clients, and then finish the migration process.
Create and edit migration jobs
Run migration jobs
Upgrade or reassign a shared distribution point
Monitor migration activity in the Migration workspace
Migrate clients
Finish migration

Create and edit migration jobs


Use the following procedures to create data migration jobs, edit the exclusion list for collection-based migration
jobs, set up shared distribution points, and edit migration job schedules.

NOTE
The following procedure for creating a migration job that migrates by collections applies only to source hierarchies that
run a supported version of Configuration Manager 2007. The collection-based migration job type is not available when
you migrate from a System Center 2012 Configuration Manager or Configuration Manager current branch source
hierarchy.

Create a migration job to migrate by collections


1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Migration, and then choose Migration Jobs.
3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following and then choose OK:
Specify a name for the migration job.
In the Job type drop-down list, select Collection migration.
5. On the Select Collections page, set up the following and then choose Next:
Select the collections that you want to migrate.
If you want to migrate only collections and not the objects that are associated with those
collections, uncheck Migrate objects that are associated with the specified collections. If
you uncheck this option, no associated objects are migrated in this job, and you can skip steps 6
and 7.
6. On the Select Objects page, uncheck any object types or specific available objects that you do not want
to migrate. By default, all associated object types and available objects are selected. Choose Next.
7. On the Content Ownership page, assign the ownership of content from each listed source site to a site
in the destination hierarchy, and then choose Next.
8. On the Security Scope page, select one or more role-based administration security scopes to assign to
the objects to migrate in this migration job, and then choose Next.
9. On the Collection Limiting page, set up a collection from the destination hierarchy to limit the scope of
each listed collection, and then choose Next. If no collections are listed, choose Next.
10. On the Site Code Replacement page, assign a site code from the destination hierarchy to replace the
Configuration Manager 2007 site code for each listed collection, and then choose Next. If no collections
are listed, choose Next.
11. On the Review Information page, choose Save To File to save the displayed information for later
viewing. When you are ready to continue, choose Next.
12. On the Settings page, set up when the migration job will run, choose any additional settings that you
need for this migration job, and then choose Next.
13. Confirm the settings and finish the wizard.
Create a migration job to migrate by objects
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Migration, and then choose Migration Jobs.
3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following, and then choose Next:
Specify a name for the migration job.
In the Job type drop-down list, select Object migration.
5. On the Select Objects page, select the object types that you want to migrate. By default, all available
objects are selected for each object type that you select.
6. On the Content Ownership page, assign the ownership of content from each listed source site to a site
in the destination hierarchy, and then choose Next. If no source sites are listed, choose Next.
7. On the Security Scope page, select one or more role-based administration security scopes to assign to
the objects in this migration job, and then choose Next.
8. On the Review Information page, choose Save To File to save the displayed information for later
viewing. When you are ready to continue, choose Next.
9. On the Settings page, set up when the migration job will run and choose any additional settings that you
need for this migration job. Then choose Next.
10. Confirm the settings and finish the wizard.
Create a migration job to migrate changed objects
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Migration, and then choose Migration Jobs.
3. On the Home tab, in the Create group, choose Create Migration Job.
4. On the General page of the Create Migration Job wizard, set up the following and then choose Next:
Specify a name for the migration job.
In the Job type drop-down list, select Objects modified after migration.
5. On the Select Objects page, select the object types that you want to migrate. By default, all available
objects are selected for each object type that you select.
6. On the Content Ownership page, assign the ownership of content from each listed source site to a site
in the destination hierarchy, and then choose Next. If no source sites are listed, choose Next.
7. On the Security Scope page, select one or more role-based administration security scopes to assign to
the objects in this migration job, and then choose Next.
8. On the Review Information page, choose Save To File to save the displayed information for later
viewing. When you are ready to continue, choose Next.
9. On the Settings page, set up when the migration job will run and choose any additional settings that you
require for this migration job. Unlike the other migration job types, this migration job must overwrite the
previously migrated objects in the Configuration Manager database. Choose Next.
10. Confirm the settings and then finish the wizard.
Modify the exclusion list for migration
1. In the Configuration Manager console, choose Administration .
2. In the Administration workspace, choose Migration to gain access to the exclusion list. You can also
access the exclusion list from the Source Hierarchy or Migration Jobs node.
3. On the Home tab, in the Migration group, choose Edit Exclusion List .
4. In the Edit Exclusion List dialog box, select the excluded object that you want to remove from the
exclusion list, and then choose Remove .
5. Choose OK to save the changes and finish the edit. To cancel current changes and restore all the objects
that you have removed, choose Cancel , and then choose No . This will cancel the removal of the objects,
and close the Edit Exclusion List dialog box.
Share distribution points from the source hierarchy
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Migration, choose Source Hierarchy, and then select the
source site that you want to set up.
3. On the Home tab, in the Source Site group, choose Configure.
4. On the Source Site Credentials dialog box, select Enable distribution point sharing for the
source site server, and then choose OK.
5. When data gathering finishes, choose Close.
Change the schedule of a migration job
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Migration, and then choose Migration Jobs.
3. Choose the migration job that you want to change. On the Home tab, in the Properties group, choose
Properties.
4. In the properties of the migration job, select the Settings tab, change the run time for the migration job,
and then choose OK.
Run migration jobs
Use the following procedure to run a migration job that has not yet started.
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Migration, and then choose Migration Jobs.
3. Choose the migration job that you want to run. On the Home tab, in the Migration Job group, choose
Start.
4. Choose Yes to start the migration job.

Upgrade or reassign a shared distribution point


You can upgrade a supported distribution point that is shared from a Configuration Manager 2007 source site
(or reassign a supported distribution point that is shared from a Configuration Manager source site) to be a
distribution point in the destination hierarchy.

IMPORTANT
Before you upgrade a Configuration Manager 2007 branch distribution point, you must uninstall the Configuration
Manager 2007 client software from the branch distribution point computer. If the Configuration Manager 2007 client
software is installed when you attempt to upgrade the distribution point, the upgrade fails and content that was
previously deployed to the branch distribution point is removed from the computer.

Caution

When you upgrade or reassign a shared distribution point, the distribution point site system role and site
system computer are removed from the source site and added as a distribution point to the site in the
destination hierarchy that you select.
Upgrade or reassign a shared distribution point
1. In the Configuration Manager console, choose Administration .
2. In the Administration workspace, expand Migration , and then choose Source Hierarchy .
3. Select the site that owns the distribution point you want to upgrade, choose the Shared Distribution
Points tab, and select the eligible distribution point that you want to upgrade or reassign.
4. On the Distribution Point tab, in the Distribution Point group, choose Reassign .
5. Specify settings in the Reassign Shared Distribution Point wizard as if you were installing a new distribution
point for the destination hierarchy, with the following addition:
On the Content Conversion page, review the guidance about the space required to convert the
existing content. Then, on the Drive Settings page of the wizard, ensure that the drive of the
distribution point computer that is selected has the required amount of free disk space.
6. Confirm the settings and then finish the wizard.

Monitor migration activity in the Migration workspace


Use the Configuration Manager console to monitor migration.
1. In the Configuration Manager console, choose Administration .
2. In the Administration workspace, expand Migration , and then choose Migration Jobs .
3. Choose the migration job that you want to monitor.
4. View details and status about the selected migration job on the tabs for Summary and Objects in Job.

Migrate clients
After you migrate data for clients between hierarchies but before you finish migration, plan to migrate clients to
the destination hierarchy. The migration of clients between hierarchies involves uninstalling the Configuration
Manager client software from computers that are assigned to the source hierarchy, and then installing the
Configuration Manager client software from the destination hierarchy. When you install the client from the
destination hierarchy you also assign the client to a primary site in that hierarchy. For more about migrating
clients, see Planning a client migration strategy.

Finish migration
Use this procedure to finish migration from the source hierarchy.
1. In the Configuration Manager console, choose Administration .
2. In the Administration workspace, expand Migration , and then choose Source Hierarchy .
3. For a Configuration Manager 2007 source hierarchy, select a source site that is at the bottom level of the
source hierarchy. For a System Center 2012 Configuration Manager or Configuration Manager current
branch source hierarchy, select the available source site.
4. On the Home tab, in the Clean Up group, choose Stop Gathering Data .
5. Choose Yes to confirm the action.
6. For a Configuration Manager 2007 source hierarchy, before you continue to the next step, repeat steps 3,
4, and 5. Go through these steps at each site in the hierarchy, from the bottom of the hierarchy to the top.
For a System Center 2012 Configuration Manager or Configuration Manager current branch source
hierarchy, continue to the next step.
7. On the Home tab, in the Clean Up group, choose Clean Up Migration Data .
8. On the Clean Up Migration Data dialog box, from the Source hierarchy drop-down list, select the
site code and site server of the top-level site of the source hierarchy, and then choose OK .
9. Choose Yes to finish the migration process for the source hierarchy.
Security and privacy for migration to Configuration Manager current branch
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains security best practices and privacy information for migration to your Configuration Manager
current branch environment.

Security Best Practices for Migration


Use the following security best practice for migration.

Security best practice: Use the computer account for the Source Site SMS Provider Account and the Source Site
SQL Server Account rather than a user account.
More information: If you must use a user account for migration, remove the account details when migration is
completed.

Security best practice: Use IPsec when you migrate content from a distribution point in a source site to a
distribution point in your destination site.
More information: Although the migrated content is hashed to detect tampering, if the data is modified while it
is transferred, the migration will fail.

Security best practice: Restrict and monitor the administrative users who can create migration jobs.
More information: The integrity of the database of the destination hierarchy depends upon the integrity of data
that the administrative user chooses to import from the source hierarchy. In addition, this administrative user
can read all data from the source hierarchy.

Security Issues for Migration


Migration has the following security issues:
Clients that are blocked from a source site might successfully assign to the destination hierarchy before
their client record is migrated.
Although Configuration Manager retains the blocked status of clients that you migrate, the client can
successfully assign to the destination hierarchy if assignment occurs before the migration of the client
record is completed.
Audit messages are not migrated.
When you migrate data from a source site to a destination site, you lose any auditing information from the
source hierarchy.

Privacy Information for Migration


Migration discovers information from the site databases that you identify in a source infrastructure and stores
this data to the database in the destination hierarchy. The information that Configuration Manager can discover
from a source site or hierarchy depends upon the features that were enabled in the source environment, as well
as the management operations that were performed in that source environment.
For more information about security and privacy information, see Security and privacy for Configuration
Manager.
You can migrate some or all of the supported data from a source site to a destination hierarchy.
Migration is not enabled by default and requires several configuration steps. Migration information is not sent
to Microsoft.
Before you migrate data from a source hierarchy, consider your privacy requirements.
Deploy servers and roles
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


After you plan out your Configuration Manager site and hierarchy topology and are ready to get sites installed
or upgraded, use the information in the following articles:
Install Configuration Manager sites
Upgrade to Configuration Manager
Scenarios to streamline your installation of Configuration Manager
Configure sites and hierarchies
Migrate data between hierarchies
Where to get installation media for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


If you have Configuration Manager volume licenses with Software Assurance, or if you have purchased licenses
for Configuration Manager volume licenses, you can download baseline source media to install Configuration
Manager from the Volume Licensing Service Center.
If you have a Configuration Manager license from EMS, Microsoft 365, or a Cloud Solution Provider (CSP),
please see the Product and Licensing FAQ.
If you would like to purchase volume licenses for Configuration Manager, contact your preferred Microsoft
Reseller or see How to purchase through Volume Licensing. You can also download media to install an
evaluation edition of Configuration Manager from the Evaluation Center website.
To learn about baseline media for Configuration Manager, see Baseline and update versions.
Reference for Configuration Manager Setup
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager Setup provides links to several topics that are detailed in the following sections. The
information presented here can help you prepare to install a Configuration Manager site or hierarchy, and help
prepare you for some of the decisions you must make during the installation.

Before you begin


Before you install new Configuration Manager sites, make sure you have reviewed the following information,
which can help set the stage for a successful deployment design:
Fundamentals of Configuration Manager
Plan for Configuration Manager infrastructure
Prepare to install Configuration Manager sites

Assess server readiness


Before you begin the installation of a new site, make sure that the site server and the remote site system servers
you plan to use for the site (for example, the server that hosts the site database) meet all prerequisite
configurations. These topics in the documentation library can help:
Supported configurations for Configuration Manager
Prerequisite Checker

Usage data levels and settings


When you install your first Configuration Manager site, Configuration Manager automatically installs and
configures a new site system role, the service connection point, on the site server. The service connection
point has these default settings:
Online mode (an offline mode also is available)
Enhanced data collection level (two other data collection levels, Basic and Full, also are available)
When the service connection point site system role is online, Microsoft can automatically collect diagnostics and
usage information over the Internet. Information that is collected helps us:
Identify and troubleshoot problems
Improve our products and service
Identify updates for Configuration Manager that apply to the version of Configuration Manager you use
Levels of data collection
Data collection includes these three levels:
Basic includes data about setup and upgrade, like the number of sites and which Configuration Manager
features are enabled. No personally identifiable information is transmitted.
Enhanced includes the data in the Basic level setting, plus it transmits data about the hierarchy, how each
feature is used (frequency and duration), and enhanced diagnostic information like the memory state of
your server when a system or app crash occurs. No personally identifiable data is transmitted.
Full includes the data in the Basic and Enhanced level settings, and it also sends advanced diagnostic
information like system files and memory snapshots. This option might include personally identifiable
information, but we won't use that information to identify or contact you, or to target advertising to you.
For more information, including disclosure of the details collected by each level, see Diagnostics and usage data
for Configuration Manager.
For more information, see the Microsoft Privacy Statement.
Setup Downloader for Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Before you run Configuration Manager setup to install or upgrade a site, you can use the setup downloader
standalone tool to download updated setup files. Run the tool from the version of Configuration Manager that
you want to install. Use updated setup files to make sure your site installation uses current versions of key
installation files.
When you use setup downloader, you specify a folder to contain the files. The account you use to run the tool
must have Full Control permissions to the download folder. When you run setup to install or upgrade a site,
you can specify this local copy of files you previously downloaded. This behavior prevents setup from
connecting to Microsoft when you start the site install or upgrade. You can use the same local copy of setup files
for other site installations or upgrades of the same version.
The setup downloader tool downloads the following types of files:
Required prerequisite redistributable files
Language packs
The latest product updates for setup
You have two options to run setup downloader:
Run the application with the user interface
Run the application at a command prompt for additional command-line options
If your organization restricts network communication with the internet using a firewall or proxy device, you
need to allow the tool to access internet endpoints. The device where you'll run the tool requires internet access
the same as the service connection point. For more information, see Internet access requirements.

Run setup downloader with the user interface


1. On a computer that has internet access, browse to the installation media for the version of Configuration
Manager that you want to install.
2. In the SMSSETUP\BIN\X64 subfolder, run Setupdl.exe .
3. Specify the path for the folder to store the updated installation files, and then select Download . Setup
downloader verifies the files that are currently in the download folder. It downloads only files that are
missing or that are newer than existing files. It creates subfolders for downloaded languages, and other
required components.
4. To review the download results, see C:\ConfigMgrSetup.log .

Run setup downloader from a command prompt


1. Open a command prompt, and change directory to the installation media for the version of Configuration
Manager that you want to install.
2. Change directory to the SMSSETUP\BIN\X64 subfolder, and run Setupdl.exe with the necessary
options.
3. To review the download results, see C:\ConfigMgrSetup.log .
Command-line options
You can use the following command-line options with Setupdl.exe:
/VERIFY: Verify the files in the download folder, which include language files. For the list of outdated files,
review C:\ConfigMgrSetup.log. When you use this option, it doesn't download any files.
/VERIFYLANG: Only verify the language files in the download folder. For the list of outdated language
files, review C:\ConfigMgrSetup.log.
/LANG: Download only the language files to the download folder.
/NOUI: Start setup downloader without the user interface. When you use this option, the download
path is required.
Download path: To automatically start the verification or download process, specify the path to the
download folder. When you use the /NOUI option, the download path is required. If you don't specify a
download path, setup downloader prompts you to specify the path. If the folder doesn't exist, setup
downloader creates it.
Example commands
Example 1
Setup downloader verifies the files in the specified download folder, and then downloads files.
setupdl.exe C:\Download

Example 2
Setup downloader only verifies the files in the specified download folder.
setupdl.exe /VERIFY C:\Download

Example 3
Setup downloader verifies the files in the specified download folder, and then downloads files. The tool doesn't
show any user interface.
setupdl.exe /NOUI C:\Download

Example 4
Setup downloader verifies the language files in the specified download folder, and then downloads only the
language files.
setupdl.exe /LANG C:\Download

Copy setup downloader files to another computer


1. In Windows Explorer, go to either one of the following locations:
<Configuration Manager installation media>\SMSSETUP\BIN\X64
<Configuration Manager installation path>\BIN\X64
2. Copy the following files to the same destination folder on the other computer:
setupdl.exe
.\<language>\setupdlres.dll

NOTE
This file is in the subfolder for the install language. For instance, English is in the 00000409 subfolder.
The destination folders on your device should look like the following example:
C:\ConfigManInstall\setupdl.exe

C:\ConfigManInstall\00000409\setupdlres.dll

3. Run the setup downloader from the destination computer. Use either the user interface or the command
prompt.
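An added example, not from the Configuration Manager documentation or product: a PowerShell wrapper that checks the Full Control requirement on the download folder, runs the staged Setup Downloader unattended with the documented options, and shows the result from C:\ConfigMgrSetup.log. It assumes setupdl.exe was staged at C:\ConfigManInstall as in the copy procedure above and that C:\Download is the download folder; both are placeholders.

```powershell
# Added example (not from the Configuration Manager docs or product): run a staged
# Setup Downloader unattended and confirm its prerequisites first.
# Paths below are placeholders for this example.

param(
    [string]$SetupDlPath  = 'C:\ConfigManInstall\setupdl.exe',  # staged copy, as in the copy procedure
    [string]$DownloadPath = 'C:\Download',                       # download folder used in the page's examples
    [switch]$VerifyOnly,                                          # /VERIFY: report outdated files, download nothing
    [switch]$LanguagesOnly                                        # /LANG: download only language files
)

$ErrorActionPreference = 'Stop'

# The staged copy also needs <language>\setupdlres.dll beside setupdl.exe; 00000409 is English.
$resDll = Join-Path (Split-Path -Parent $SetupDlPath) '00000409\setupdlres.dll'
foreach ($f in @($SetupDlPath, $resDll)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing staged file: $f" }
}

# Returns $true when the current user (directly or through a group) holds a Full Control allow ACE
# on the folder and no deny ACE touches Full Control. ACEs that use generic-rights bits instead of
# FileSystemRights values are not decoded, so a $false here may just mean "check by hand".
function Test-FullControl {
    param([string]$Folder)
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow = $false
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity (orphaned SID); ignore
        if ($sids -notcontains $sid) { continue }
        $hasFull = (($ace.FileSystemRights -band $full) -eq $full)
        if ($ace.AccessControlType -eq 'Deny' -and ($ace.FileSystemRights -band $full)) { return $false }
        if ($ace.AccessControlType -eq 'Allow' -and $hasFull) { $allow = $true }
    }
    return $allow
}

if (-not (Test-Path -LiteralPath $DownloadPath)) {
    New-Item -ItemType Directory -Path $DownloadPath | Out-Null   # the tool would create it as well
}
if (-not (Test-FullControl -Folder $DownloadPath)) {
    throw "Account $env:USERNAME lacks Full Control on $DownloadPath; Setup Downloader requires it"
}

# Assemble the command line from the documented options. The page shows /VERIFY and /LANG each
# used on their own, so this example does not combine them with /NOUI.
$cmdArgs = @()
if     ($VerifyOnly)    { $cmdArgs += '/VERIFY' }
elseif ($LanguagesOnly) { $cmdArgs += '/LANG' }
else                    { $cmdArgs += '/NOUI' }   # /NOUI makes the download path mandatory
$cmdArgs += ('"' + $DownloadPath + '"')           # quote in case the path contains spaces

Write-Host "Running: $SetupDlPath $($cmdArgs -join ' ')"
$proc = Start-Process -FilePath $SetupDlPath -ArgumentList $cmdArgs -Wait -PassThru
Write-Host "setupdl.exe exited with code $($proc.ExitCode) (exit codes aren't documented; use the log)"

# The tool records its results in C:\ConfigMgrSetup.log; show the end of it and what landed in the folder.
$log = 'C:\ConfigMgrSetup.log'
if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 20 }
Get-ChildItem -LiteralPath $DownloadPath | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
```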
Prerequisite Checker for Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Before you run Setup to install or upgrade a Configuration Manager site, or before you install a site system role
on a new server, you can use this stand-alone application (Prereqchk.exe) from the version of Configuration
Manager that you want to use to verify server readiness. Use Prerequisite Checker to identify and fix problems
that would block a site or site system role installation.

NOTE
Prerequisite Checker always runs as part of Setup.

By default, when Prerequisite Checker runs:


It validates the server where it runs.
The local computer is scanned for an existing site server, and only the checks that are applicable to the site
are run.
If no existing sites are detected, all prerequisite rules are run.
It checks rules to verify that software and settings required for setup are installed. It's possible that some
prerequisites require other configurations or software updates that the tool doesn't check.
It logs its results in the ConfigMgrPrereq.log file on the system drive of the computer. The log file might
contain more information that doesn't appear in the tool.
When you run Prerequisite Checker at a command prompt and specify specific command-line options:
Prerequisite Checker only runs the checks that are associated with the site server or site systems that you
specify in the command line.
To check a remote computer, your user account must have Administrator rights to the remote computer.
For more information, see List of prerequisite checks.

Source folders
By default, the prerequisite checker tool is in one of the following locations:
<Configuration Manager installation media>\SMSSETUP\BIN\X64
<Configuration Manager installation path>\BIN\X64

Copy to another computer


1. In Windows Explorer, go to one of the X64 source folders.
2. Copy the following files to the destination folder on the other computer:
prereqchk.exe
prereqcore.dll
prereqchkres.dll (this file is in the subfolder for the install language; for example, English is in the
00000409 subfolder)
basesql.dll
basesvr.dll
baseutil.dll

Run with default checks


1. In Windows Explorer, go to one of the X64 source folders.
2. Run prereqchk.exe to start Prerequisite Checker.

NOTE
The tool requires administrative permissions on the local computer.

Prerequisite Checker detects existing sites, and if found, runs the checks for upgrade readiness. If no sites are
found, it runs all checks. The Site Type column provides information about the site server or site system with
which the rule is associated.
In the Prerequisite Checker user interface, Prerequisite Checker creates a list of discovered problems in the
Prerequisite result section.
Select an item in the list for details about how to resolve the problem.
Before you install the component, resolve all items in the list that have an Error status.
To review results after you close the tool, open the ConfigMgrPrereq.log file in the root of the system
drive. The log file might contain more information that's not displayed in the tool.

Run from a command prompt


1. Open a Windows command prompt as an administrator and change directory to one of the X64 source
folders.
2. To start Prerequisite Checker and run all prerequisite checks on the server, run the following command:
prereqchk.exe /LOCAL
You can also run it with other command-line options. For example, to check a primary site:
prereqchk.exe /PRI /SQL sql01.contoso.com /SDK cmprov01.contoso.com /JOIN cas.contoso.com /MP mp01.contoso.com /DP dp01.contoso.com

Command-line options
There are four installation scenarios. The following list summarizes all of the command-line options for each
scenario:
Central administration site (CAS)
Required
/CAS
/SDK
/SQL
Optional
/EXPAND
/INSTALLDIR
/NOUI
/SCP
/SSBPORT
Primary site
Required
/PRI
/SDK
/SQL
Optional
/DP
/INSTALLDIR
/JOIN
/MP
/NOUI
/SCP
/SSBPORT
Secondary site
Required
/SEC
Optional
/INSTALLDIR
/INSTALLSQLEXPRESS
/NOUI
/SECUPGRADE
/SOURCEDIR
/SQLPORT
/SSBPORT
Configuration Manager console
/ADMINUI
For more information on these options, see the following sections.
/AdminUI
Applies to: Console
Required. This option verifies that the local computer meets the requirements for installing the Configuration
Manager console. It doesn't check any server requirements. You can't combine this option with any other option.
/CAS
Applies to: CAS
Required. This option verifies that the local server meets the requirements for the CAS. You can't combine it with
the /PRI or /SEC options.
/DP
Applies to: Primary
Optional. Specify the FQDN of the server to host the distribution point role, for example:
/PRI /DP dp01.contoso.com

This option verifies that the specified server meets the requirements for the distribution point site system role.
This option can be used alone or with the /PRI option.
/Expand
Applies to: CAS
Optional. Specify the FQDN of a primary site, for example: /CAS /EXPAND cmprimary.contoso.com

This option verifies that the referenced primary site meets the requirements to expand a hierarchy with a CAS.
/InstallDir
Applies to: CAS, Primary, Secondary
Optional. Specify the local installation path, for example /InstallDir C:\ConfigMgr

This option verifies the minimum disk space for site installation.
/InstallSQLExpress
Applies to: Secondary
Optional. This option verifies that SQL Server Express can be installed on the specified secondary site server.
/Join
Applies to: Primary
Optional. Specify the FQDN of the CAS server, for example, /PRI /JOIN cas.contoso.com

This option verifies that the local server meets the requirements for connecting to the CAS server.
/MP
Applies to: Primary
Optional. Specify the FQDN of the server to host the management point role, for example:
/PRI /MP mp01.contoso.com

This option verifies that the specified server meets the requirements for the management point site system role.
This option can be used alone or with the /PRI option.
/NoUI
Applies to: CAS, Primary, Secondary
Optional. This option starts the prerequisite checker without displaying the user interface. Specify this option
before any other option in the command line.
/Pri
Applies to: Primary
Required. This option verifies that the local server meets the requirements for a primary site. You can't combine
it with the /CAS or /SEC options.
/SCP
Applies to: CAS, Primary
Optional. Specify the FQDN of the server to host the service connection point. This server may be the same as
the site server.
Starting in version 2111, this option verifies that the specified computer meets the requirements for the service
connection point site system role. You can use this option alone or with the /PRI or /CAS options.
/SDK
Applies to: CAS, Primary
Required. Specify the FQDN of the server to host the SMS Provider role. This server may be the same as the site
server.
This option verifies that the specified server meets the requirements for the SMS Provider.
/Sec
Applies to: Secondary
Required. Specify the FQDN of the secondary site server, for example: /SEC sec01.contoso.com

This option verifies that the specified server meets the requirements for the secondary site. You can't combine it
with the /CAS or /PRI options.
/SecUpgrade
Applies to: Secondary
Optional. Specify the FQDN of the secondary site server, for example: /SECUPGRADE sec01.contoso.com

This option verifies that the specified server meets the requirements for the secondary site upgrade. You can't
combine it with the /CAS , /PRI , or /SEC options.
/SourceDir
Applies to: Secondary
Optional. This option verifies that the computer account of the secondary site can access the folder that hosts
the source files for Configuration Manager setup.
/SQL
Applies to: CAS, Primary
Required. Specify the fully qualified domain name (FQDN) of the SQL Server, for example
/SQL sql01.contoso.com

This option verifies that the specified server meets the requirements for SQL Server to host the Configuration
Manager site database.
/SQLPort
Applies to: Secondary
Optional. This option verifies that a firewall exception exists to allow communication for the SQL Server service
port. It also checks that the port isn't in use by another named instance of SQL Server. The default port is 1433.
/SSBPort
Applies to: CAS, Primary, Secondary
Optional. This option verifies that a firewall exception exists to allow communication on the SQL Server Service
Broker (SSB) port. The default SSB port is 4022.
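An added example, not from the Configuration Manager documentation or product: a PowerShell helper that builds a prereqchk.exe command line for one of the scenarios above, enforcing the rules the page states (required options per scenario, /NOUI before anything else, /ADMINUI never combined, /SEC and /SECUPGRADE mutually exclusive), then runs it unattended and pulls error lines from ConfigMgrPrereq.log. The server names come from the page's own example; the prereqchk.exe path and the assumption that error entries in the log contain the word "Error" are this example's.

```powershell
# Added example (not from the Configuration Manager docs or product): assemble and run a
# prereqchk.exe command line according to the option rules documented above.

function New-PrereqChkArgumentList {
    param(
        [Parameter(Mandatory)][ValidateSet('CAS', 'PRI', 'SEC', 'ADMINUI')][string]$Scenario,
        [hashtable]$Options = @{},       # e.g. @{ SQL = 'sql01.contoso.com'; SDK = 'cmprov01.contoso.com' }
        [string]$SecondarySiteServer,    # FQDN passed to /SEC or /SECUPGRADE (SEC scenario only)
        [switch]$SecondaryUpgrade,       # emit /SECUPGRADE instead of /SEC (the two can't be combined)
        [switch]$NoUI
    )
    # Option table transcribed from the "Command-line options" list above.
    $rules = @{
        CAS     = @{ Required = @('SDK', 'SQL'); Optional = @('EXPAND', 'INSTALLDIR', 'SCP', 'SSBPORT') }
        PRI     = @{ Required = @('SDK', 'SQL'); Optional = @('DP', 'INSTALLDIR', 'JOIN', 'MP', 'SCP', 'SSBPORT') }
        SEC     = @{ Required = @();             Optional = @('INSTALLDIR', 'INSTALLSQLEXPRESS', 'SOURCEDIR', 'SQLPORT', 'SSBPORT') }
        ADMINUI = @{ Required = @();             Optional = @() }
    }
    $rule = $rules[$Scenario]
    $opts = @{}
    foreach ($e in $Options.GetEnumerator()) { $opts[$e.Key.ToString().ToUpperInvariant()] = $e.Value }

    foreach ($k in $rule.Required) {
        if (-not $opts.ContainsKey($k)) { throw "/$k is required for the $Scenario scenario" }
    }
    foreach ($k in $opts.Keys) {
        if (($rule.Required + $rule.Optional) -notcontains $k) { throw "/$k is not valid with /$Scenario" }
    }
    if ($Scenario -ne 'SEC' -and ($SecondarySiteServer -or $SecondaryUpgrade)) {
        throw '/SEC and /SECUPGRADE apply only to the secondary site scenario'
    }

    $list = [System.Collections.Generic.List[string]]::new()
    if ($NoUI) {
        if ($Scenario -eq 'ADMINUI') { throw '/ADMINUI cannot be combined with any other option' }
        $list.Add('/NOUI')     # the page requires /NOUI before any other option
    }
    switch ($Scenario) {
        'ADMINUI' { $list.Add('/ADMINUI') }
        'SEC' {
            if (-not $SecondarySiteServer) { throw 'The SEC scenario needs the secondary site server FQDN' }
            $list.Add($(if ($SecondaryUpgrade) { '/SECUPGRADE' } else { '/SEC' }))
            $list.Add($SecondarySiteServer)
        }
        default { $list.Add("/$Scenario") }
    }
    # Emit options in the page's order (required first) so the same input always yields the same command line.
    foreach ($k in ($rule.Required + $rule.Optional)) {
        if (-not $opts.ContainsKey($k)) { continue }
        $list.Add("/$k")
        if ($opts[$k] -isnot [bool]) { $list.Add([string]$opts[$k]) }   # a value of $true means a bare switch
    }
    return , $list.ToArray()
}

function Invoke-PrereqChk {
    param([Parameter(Mandatory)][string]$PrereqChkPath, [Parameter(Mandatory)][string[]]$ArgumentList)
    # Run from an elevated prompt: the tool needs administrative rights locally and on any remote server it checks.
    $p = Start-Process -FilePath $PrereqChkPath -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    # Results go to ConfigMgrPrereq.log in the root of the system drive and may hold more detail than the UI.
    $log = Join-Path $env:SystemDrive 'ConfigMgrPrereq.log'
    if (Test-Path -LiteralPath $log) {
        # Assumption for this example: entries with an Error status contain the word "Error".
        Get-Content -LiteralPath $log | Select-String -Pattern 'Error' -SimpleMatch | ForEach-Object { $_.Line }
    }
    return $p.ExitCode   # exit-code meaning isn't documented on the page; treat the log as the result
}

# Usage: the primary-site check shown earlier on the page, run without the user interface.
$cmdArgs = New-PrereqChkArgumentList -Scenario PRI -NoUI -Options @{
    SQL = 'sql01.contoso.com'; SDK = 'cmprov01.contoso.com'; JOIN = 'cas.contoso.com'
    MP  = 'mp01.contoso.com';  DP  = 'dp01.contoso.com'
}
"prereqchk.exe $($cmdArgs -join ' ')"
# Invoke-PrereqChk -PrereqChkPath 'D:\SMSSETUP\BIN\X64\prereqchk.exe' -ArgumentList $cmdArgs   # placeholder path
```

Resolve every item that the run reports with an Error status before installing the site or role, as the procedure above requires.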
List of prerequisite checks for Configuration Manager
2/16/2022 • 26 minutes to read

Applies to: Configuration Manager (current branch)


This article details the prerequisite checks that run when you install or update Configuration Manager. For more
information, see Prerequisite checker.

Errors
Active migration mappings on the target primary site
Applies to: Central administration site
There are no active migration mappings to primary sites.
Active replica MP
Applies to: Primary site
There's an active management point replica.
Administrative rights on expand primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the user account that runs setup has Administrator rights on
the standalone primary site server.
Administrative rights on site system
Applies to: Central administration site, primary site, secondary site
The user account that runs Configuration Manager setup has Administrator rights on the site server.
Administrator rights on central administration site
Applies to: Primary site
The user account that runs Configuration Manager setup has Administrator rights on the central
administration site server.
Application catalog rules are unsupported
Applies to: Primary site
Starting in version 2107, this error happens if the site has either of the following site system roles:
Application catalog website point
Application catalog web service point
Support for the application catalog was removed in version 1910. For more information, see Remove the
application catalog.
Asset Intelligence synchronization point on the expanded primary site
IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Introduction
to asset intelligence in Configuration Manager.

Applies to: Central administration site


When you expand a primary site to a hierarchy, the Asset Intelligence synchronization point role isn't installed
on the standalone primary site.
BITS enabled
Applies to: Management point
Background Intelligent Transfer Service (BITS) is installed on the management point. This check can fail for one
of the following reasons:
BITS isn't installed
The IIS 6.0 WMI compatibility component for IIS 7.0 isn't installed on the server or remote IIS host
Setup was unable to verify remote IIS settings. IIS common components aren't installed on the site server.
Case-insensitive collation on SQL Server
Applies to: Site database server
The SQL Server installation uses a case-insensitive collation, such as SQL_Latin1_General_CP1_CI_AS.
Central administration site server administrative rights on expand primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the computer account of the central administration site server
has Administrator rights on the standalone primary site server.
Client version on management point computer
Applies to: Management point
You're installing the management point on a server that doesn't have a different version of the Configuration
Manager client installed.
Cloud management gateway on the expanded primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the cloud management gateway role isn't installed on the
standalone primary site.
Connection to SQL Server on central administration site
Applies to: Primary site
The user account that runs Configuration Manager setup on the primary site to join an existing hierarchy has
the sysadmin role on the SQL Server instance for the central administration site.
Custom client agent settings have NAP enabled
Applies to: Central administration site, primary site
There are no custom client settings that enable network access protection (NAP).
Data warehouse service point on the expanded primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the data warehouse service point role isn't installed on the
standalone primary site.
Dedicated SQL Server instance
Applies to: Central administration site, primary site, secondary site
You configured a dedicated instance of SQL Server to host the Configuration Manager site database.
If another site uses the instance, you must select a different instance for the new site. You can also uninstall the
other site, or move its database to a different instance for the SQL Server.
Default client agent settings have NAP enabled
Applies to: Central administration site, primary site
The default client settings don't enable network access protection (NAP).
Domain membership (error)
Applies to: Central administration site, primary site, secondary site, SMS Provider, SQL Server
The Configuration Manager computer is a member of a Windows domain.
Endpoint Protection point on the expanded primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the Endpoint Protection point role isn't installed on the
standalone primary site.
Existing Configuration Manager server components on server
Applies to: Central administration site, primary site, secondary site
A site server or site system role isn't already installed on the server selected for site installation.
Existing stand-alone primary site for version and site code
Applies to: Central administration site, primary site
The primary site you plan to expand is a standalone primary site. It has the same version of Configuration
Manager, but a different site code than the central administration site to be installed.
Firewall exception for SQL Server
Applies to: Central administration site, primary site, secondary site, management point
The Windows Firewall is disabled or a relevant Windows Firewall exception exists for SQL Server.
Allow Sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL Server listens on TCP port
1433, and the SQL Server Service Broker (SSB) uses TCP port 4022.
Free disk space on site server
Applies to: Central administration site, primary site, secondary site
To install the site server, it must have at least 15 GB of free disk space. If you install the SMS Provider on the
same server, it needs an additional 1 GB of free space.
IIS service running
Applies to: Management point, distribution point
IIS is installed and running on the server for the management point or distribution point.
Incompatible collection references
Applies to: Central administration site
During an upgrade, collections reference only other collections of the same type.
Match collation of expand primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the site database for the standalone primary site has the same
collation as the site database at the central administration site.
Maximum text replication size for SQL Server Always On availability groups
Applies to: Site database server
When using an availability group, the max text repl size setting must be properly configured. For more
information, see Prepare to use an availability group.
Microsoft Intune Connector on the expanded primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the Microsoft Intune Connector role isn't installed on the
standalone primary site.
Microsoft Remote Differential Compression (RDC) library registered
Applies to: Central administration site, primary site, secondary site
The RDC library is registered on the Configuration Manager site server.
Microsoft Windows Installer
Applies to: Central administration site, primary site, secondary site
Verifies the Windows Installer version.
When this check fails, setup wasn't able to verify the version, or the installed version doesn't meet the minimum
requirement of Windows Installer 4.5.
Minimum .NET Framework version for Configuration Manager console
Applies to: Configuration Manager console
Microsoft .NET Framework 4.0 is installed on the Configuration Manager console computer.
Minimum .NET Framework version for Configuration Manager site server
Applies to: Central administration site, primary site, secondary site
.NET Framework 3.5 is installed or enabled on the Configuration Manager site server.
Minimum .NET Framework version for SQL Server Express edition installation for Configuration Manager
secondary site
Applies to: Secondary site
.NET Framework 4.0 is installed or enabled on the Configuration Manager secondary site server. This version is
required by SQL Server Express.
Parent database collation
Applies to: Primary site, secondary site
The collation of the site database matches the collation of the parent site's database. All sites in a hierarchy must
use the same database collation.
Parent site replication status
Applies to: Central administration site, primary site
The replication status of the parent site is Replication active (state 125).
Pending system restart
Applies to: Central administration site, primary site, secondary site
Another program requires the server to be restarted before you run setup.
To determine whether the computer is in a pending restart state, setup checks the following registry locations:
HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending

HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

HKLM:SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations

HKLM:Software\Microsoft\ServerManager, CurrentRebootAttempts

Primary FQDN
Applies to: Central administration site, primary site, secondary site, site database server
The NetBIOS name of the computer matches the local hostname in the fully qualified domain name (FQDN).
Read-only domain controller
Applies to: Central administration site, primary site, secondary site
Site database servers and secondary site servers aren't supported on a read-only domain controller (RODC).
For more information, see Installing SQL Server on a domain controller.
Required SQL Server collation
Applies to: Central administration site, primary site, secondary site
The instance for SQL Server is configured to use the SQL_Latin1_General_CP1_CI_AS collation.
If the Configuration Manager site database is already installed, this check also applies to the database. For
information about changing your SQL Server instance and database collations, see SQL Server collation and
unicode support.
If you're using a Chinese OS and require GB18030 support, this check doesn't apply. For more information
about enabling GB18030 support, see International support.
Required version of Microsoft .NET Framework (error)
Applies to: CAS, primary site, secondary site
This rule checks if the .NET Framework is at least version 4.6.2. You'll see this error if the system has less than
version 4.6.2.
Starting in version 2111, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. If possible in your environment, .NET version 4.8 is
recommended. A later version of Configuration Manager will require .NET version 4.8. Before you run setup to
install or update the site, first update .NET and restart the system. For more information, see Site and site
system prerequisites.

NOTE
Third-party add-ons that use Microsoft .NET Framework and rely on Configuration Manager libraries also need to use
.NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2.

Server service is running
Applies to: Central administration site, primary site, secondary site
The Server service is started and running.
Setup source folder
Applies to: Secondary site
The computer account for the secondary site has the following permissions to the setup source folder and share:
Read NTFS file system permissions
Read share permissions

NOTE
If you use administrative shares, for example, C$ and D$, the secondary site computer account must be an
Administrator on the server.

Setup source version
Applies to: Secondary site
The Configuration Manager version in the specified source folder for the secondary site installation matches the
Configuration Manager version of the primary site.
Site code in use
Applies to: Primary site
The specified site code isn't already in use in the Configuration Manager hierarchy. Specify a unique site code for
this site.
Site server computer account administrative rights
Applies to: Primary site, site database server
The site server computer account has Administrator rights on the SQL Server and management point.
Site server FQDN length
Applies to: Central administration site, primary site, secondary site
The length of the FQDN of the site server.
Site server in passive mode on the expanded primary site
Applies to: Central administration site
When you expand a primary site to a hierarchy, the site server in passive mode role isn't installed on the
standalone primary site.
SMS Provider in same domain as site server
Applies to: SMS Provider
Any instance of the SMS Provider is in the same domain as the site server.
Software update point in NLB configuration
Applies to: Software update point
The site isn't using network load balancing (NLB) with any virtual locations for active software update points.
Software update point using a load balancer
Applies to: Software update point
Configuration Manager doesn't support software update points behind network load balancers (NLB) or hardware
load balancers (HLB).
SQL Server Always On availability groups
Applies to: Site database server
When using an availability group, the server must meet the minimum requirements. For more information, see
Prepare to use an availability group.
SQL Server Always On availability group configured for readable secondaries
Applies to: Site database server
When using an availability group, check the secondary read state of the replicas.
SQL Server Always On availability group configured for manual failover
Applies to: Site database server
When using an availability group, configure the replicas for manual failover.
SQL Server Always On availability group replicas on default instance
Applies to: Site database server
When using an availability group, replicas are on the default instance.
SQL Server Always On availability group replicas must all have the same seeding mode
Applies to: Site database server
When using an availability group, you need to configure replicas with the same seeding mode.
SQL Server Always On availability group replicas must be healthy
Applies to: Site database server
When using an availability group, replicas are in a healthy state.
SQL Server configuration for site upgrade
Applies to: Site database server
The SQL Server meets the minimum requirements for site upgrade. For more information, see Supported SQL
Server versions.
SQL Server edition
Applies to: Site database server
SQL Server at the site isn't SQL Server Express.
SQL Server Express database size on secondary site
Applies to: Secondary site
Starting in version 2107, this check will fail if the amount of replicated data from the primary site will exceed the
10-GB size limit of SQL Server Express. For more information, see Configuration Manager site sizing and
performance FAQ.
SQL Server Express on secondary site
Applies to: Secondary site
SQL Server Express can successfully install on the secondary site server.
SQL Server on the secondary site server
Applies to: Secondary site
SQL Server is installed on the secondary site server. You can't install SQL Server on a remote site system for a
secondary site.

WARNING
This check only applies when you select to have setup use an existing instance of SQL Server.

SQL Server service running account
Applies to: Central administration site, primary site, secondary site
The sign-in account for the SQL Server service isn't a local user account or LOCAL SERVICE.
Configure the SQL Server service to use a valid domain account, NETWORK SERVICE, or LOCAL SYSTEM.
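The following PowerShell function is an added example, not the product's own prerequisite code: it applies the rule above to every SQL Server Database Engine service found through Win32_Service, reporting LOCAL SERVICE and local user accounts as failures. Remote queries assume WinRM/CIM access to the target; per-service virtual accounts (NT Service\...) are reported for review because this rule doesn't list them.

```powershell
# Added example (not Configuration Manager's own check): evaluate the
# "SQL Server service running account" rule for each Database Engine service.
function Test-SqlServiceAccount {
    [CmdletBinding()]
    param(
        # Site database server to inspect; local machine when omitted (remote use assumes WinRM/CIM)
        [string]$ComputerName
    )

    $machine = if ($ComputerName) { $ComputerName.Split('.')[0] } else { $env:COMPUTERNAME }

    $cimArgs = @{
        ClassName = 'Win32_Service'
        # The default instance runs as MSSQLSERVER, named instances as MSSQL$<instance>
        Filter    = "Name='MSSQLSERVER' OR Name LIKE 'MSSQL`$%'"
    }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    foreach ($svc in Get-CimInstance @cimArgs) {
        # Drop spaces and case so "NT AUTHORITY\LOCAL SERVICE" and "NT AUTHORITY\LocalService" compare equal
        $norm = ($svc.StartName -replace '\s', '').ToLowerInvariant()
        $localPrefix = [regex]::Escape($machine.ToLowerInvariant())

        $verdict = switch -Regex ($norm) {
            '^ntauthority\\localservice$'   { 'Fail: LOCAL SERVICE is not supported'; break }
            '^localsystem$'                 { 'Pass: LOCAL SYSTEM'; break }
            '^ntauthority\\networkservice$' { 'Pass: NETWORK SERVICE'; break }
            '^ntservice\\'                  { 'Review: per-service virtual account, not named by this rule'; break }
            '^\.\\'                         { 'Fail: local user account (.\user)'; break }
            "^$localPrefix\\"               { 'Fail: local user account (COMPUTER\user)'; break }
            '\\|@'                          { 'Pass: domain account'; break }
            default                         { 'Review: unrecognised account format' }
        }

        [pscustomobject]@{
            ComputerName = $machine
            Service      = $svc.Name
            StartName    = $svc.StartName
            Verdict      = $verdict
        }
    }
}

# Check the local site database server before running setup
Test-SqlServiceAccount | Format-Table -AutoSize
```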
SQL Server site database consistency
Applies to: Site database server
Verify database consistency.
SQL Server sysadmin rights
Applies to: Site database server
The user account that runs Configuration Manager setup has the sysadmin role on the SQL Server instance
that you selected for site database installation. This check also fails when setup is unable to access the instance
for the SQL Server to verify permissions.
SQL Server sysadmin rights for reference site
Applies to: Site database server
The user account that runs Configuration Manager setup has the sysadmin role on the SQL Server instance
that you selected as the reference site database. SQL Server sysadmin role permissions are required to modify
the site database.
SQL Server TCP port
Applies to: Site database server
TCP is enabled for the SQL Server instance, and is set to use a static port.
SQL Server version
Applies to: Site database server
A supported version of SQL Server is installed on the specified site database server.
For more information, see Support for SQL Server versions.
Unsupported OS for Configuration Manager console
Applies to: Configuration Manager console
Install the Configuration Manager console on computers that run a supported OS version.
For more information, see the Supported OS versions for the Configuration Manager console.
Unsupported OS for site server
Applies to: Central administration site, primary site, secondary site, Configuration Manager console,
management point, distribution point
The server runs a supported OS version.
For more information, see Supported OS versions for Configuration Manager site system servers.
Unsupported site system role: out of band service point
Applies to: Primary site
The out of band service point site system role isn't installed.
Unsupported site system role: system health validation point
Applies to: Primary site
The system health validation point site system role isn't installed.
Unsupported upgrade path
Applies to: Central administration site, primary site
All site servers in the hierarchy meet the Configuration Manager minimum version that's required for upgrade.
USMT installed
Applies to: Central administration site, primary site (standalone only)
The User State Migration Tool (USMT) component of the Windows Assessment and Deployment Kit (ADK) for
Windows is installed.
Validate FQDN of SQL Server
Applies to: Site database server
You specified a valid FQDN for the SQL Server computer.
Verify central administration site version
Applies to: Primary site
The central administration site has the same version of Configuration Manager.
Verify database consistency
Applies to: Central administration site, primary site
Verifies consistency of the site database in SQL Server.
Windows Deployment Tools installed
Applies to: SMS Provider
The Windows Deployment Tools component of the Windows ADK is installed.
Windows Failover Cluster
Applies to: Site server, management point, distribution point
Servers with the site server, management point, or distribution point roles aren't part of a Windows cluster.
The Configuration Manager setup process doesn't block installation of the site server role on a computer with
the Windows role for Failover Clustering. SQL Server Always On availability groups require this role, so
previously you couldn't colocate the site database on the site server. With this change, you can create a highly
available site with fewer servers by using an availability group and a site server in passive mode. For more
information, see High availability options.
Windows PE installed
Applies to: SMS Provider
The Windows Preinstallation Environment (PE) component of the Windows ADK is installed.

Warnings
Active Directory domain functional level
Applies to: Central administration site, primary site
The Active Directory domain and forest functional level is a minimum of Windows Server 2008 R2. For more
information, see Support for Active Directory domains.
Administrative rights on distribution point
Applies to: Distribution point
The user account running setup has Administrator rights on the distribution point.
Administrative rights on management point
Applies to: Management point, distribution point
The computer account of the site server has Administrator rights on the management point and distribution
point.
Administrative share (site system)
Applies to: Management point
The required administrative shares are present on the site system computer.
Application compatibility
Applies to: Central administration site, primary site
Current applications are compliant with the application schema.
Backlogged inboxes
Applies to: Central administration site, primary site
The site server is processing critical inboxes in a timely fashion. Inboxes don't contain files older than one day.
Setup checks the following inbox folders:
despoolr.box\receive\*.i??

despoolr.box\receive\*.s??

despoolr.box\receive\*.nil

schedule.box\requests\*.sr?

To resolve this warning, check whether the despooler and scheduler site system components are running.
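As an added example (not the product's own check), the following PowerShell function applies the one-day rule to the four inbox patterns above and reports the SMS_EXECUTIVE service state, since the despooler and scheduler run as threads of that service. It assumes the site server's installation path is stored in the "Installation Directory" value under HKLM:\SOFTWARE\Microsoft\SMS\Identification; pass -InboxRoot to override that assumption.

```powershell
# Added example (not from the Configuration Manager docs): find backlogged inbox files
# using the same folder/filter pairs as the "Backlogged inboxes" prerequisite check.
function Get-InboxBacklog {
    [CmdletBinding()]
    param(
        # Path to <install dir>\inboxes; resolved from the registry when omitted (assumption)
        [string]$InboxRoot,
        # The prerequisite rule flags files older than one day
        [int]$MaxAgeDays = 1
    )

    if (-not $InboxRoot) {
        $id = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' -ErrorAction Stop
        $InboxRoot = Join-Path $id.'Installation Directory' 'inboxes'
    }

    # Folder and filename patterns listed by the prerequisite check
    $patterns = @(
        @{ Folder = 'despoolr.box\receive';  Filter = '*.i??' },
        @{ Folder = 'despoolr.box\receive';  Filter = '*.s??' },
        @{ Folder = 'despoolr.box\receive';  Filter = '*.nil' },
        @{ Folder = 'schedule.box\requests'; Filter = '*.sr?' }
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($p in $patterns) {
        $dir = Join-Path $InboxRoot $p.Folder
        $old = @()
        if (Test-Path $dir) {
            $old = @(Get-ChildItem -Path $dir -Filter $p.Filter -File -ErrorAction SilentlyContinue |
                     Where-Object { $_.LastWriteTime -lt $cutoff })
        }
        $oldest = $old | Sort-Object LastWriteTime | Select-Object -First 1

        [pscustomobject]@{
            Inbox      = "$($p.Folder)\$($p.Filter)"
            OldFiles   = $old.Count
            OldestFile = if ($oldest) { $oldest.LastWriteTime } else { $null }
            Backlogged = ($old.Count -gt 0)
        }
    }

    # Despooler and scheduler are components of SMS_EXECUTIVE: if that service is stopped,
    # a backlog is expected and the remedy is to start the service, not to delete files
    $exec   = Get-Service -Name 'SMS_EXECUTIVE' -ErrorAction SilentlyContinue
    $status = if ($exec) { $exec.Status } else { 'not installed' }
    Write-Verbose "SMS_EXECUTIVE status: $status"
}

# Run on the site server; -Verbose also prints the SMS_EXECUTIVE state
Get-InboxBacklog -Verbose | Format-Table -AutoSize
```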
BITS installed
Applies to: Management point
The Background Intelligent Transfer Service (BITS) is installed and enabled in IIS.
Check if the site uses Microsoft Operations Management Suite (OMS) Connector
Applies to: Central administration site, primary site
Starting in version 2103, this check warns about the presence of the Log Analytics connector for Azure Monitor.
(This feature is called the OMS Connector in the Azure Services wizard.)
Starting in version 2107, this connector is removed from the product, and this check becomes an error that
blocks the upgrade.
Check if the site uses Upgrade Readiness cloud service connector
Applies to: Central administration site, primary site
The Upgrade Readiness service is retired as of January 31, 2020. For more information, see Windows Analytics
retirement on January 31, 2020.
Desktop Analytics is the evolution of Windows Analytics. For more information, see What is Desktop Analytics.
If your Configuration Manager site had a connection to Upgrade Readiness, you need to remove it and
reconfigure clients. For more information, see Remove Upgrade Readiness connection.
If you ignore this prerequisite warning, Configuration Manager setup automatically removes the Upgrade
Readiness connector.
Cloud management gateway requires either token-based authentication or an HTTPS management point
Applies to: Cloud management gateway
With some versions of Configuration Manager, you can't use an HTTP management point with the cloud
management gateway (CMG). Either configure the CMG for HTTPS, or configure the site for enhanced HTTP. For
more information, see Overview of cloud management gateway.
Configuration for SQL Server memory usage
Applies to: Site database server
SQL Server is configured for unlimited memory use. Configure SQL Server memory to have a maximum limit.
Distribution point package version
Applies to: Distribution points
All distribution points in the site have the latest version of software distribution packages.
Domain membership (warning)
Applies to: Management point, distribution point
The Configuration Manager computer is a member of a Windows domain.
Enable site system roles for HTTPS or Enhanced HTTP
Applies to: Central administration site, primary site
Starting in version 2103, if your site is configured to allow HTTP communication without enhanced HTTP, you'll
see this warning. To improve the security of client communications, in the future Configuration Manager will
require HTTPS communication or enhanced HTTP.
This check looks at the following settings:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select a site, and then in the ribbon select Properties.
3. Switch to the Communication Security tab.
Configure one of the following options:
HTTPS only: This site setting requires that all site systems that use IIS use HTTPS. These site
systems need a server authentication certificate, and clients need a client authentication certificate.
For more information, see Plan a transition strategy for PKI certificates.
HTTPS or HTTP and Use Configuration Manager-generated certificates for HTTP site
systems: This combination of settings enables Enhanced HTTP.
NOTE
If you see this warning when updating the central administration site, it may be because of a child primary site.

Firewall exception for SQL Server (standalone primary site)
Applies to: Primary site (standalone only)
The Windows Firewall is disabled, or a relevant Windows Firewall exception exists for SQL Server.
Allow Sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL Server listens on TCP port
1433, and the SQL Server Service Broker (SSB) uses TCP port 4022.
Firewall exception for SQL Server for management point
Applies to: Management point
The Windows Firewall is disabled, or a relevant Windows Firewall exception exists for SQL Server.
IIS HTTPS configuration
Applies to: Management point, distribution point
IIS website has bindings for the HTTPS communication protocol.
When you install site roles that require HTTPS, configure IIS site bindings on the specified server with a valid
public key infrastructure (PKI) certificate.
Invalid discovery records
Applies to: Central administration site
There are discovery records that are no longer valid. These records will be marked for deletion.
Network access protection (NAP) is no longer supported
Applies to: Primary site
There are no software updates that are enabled for NAP.
NTFS drive on site server
Applies to: Primary site
The disk drive is formatted with the NTFS file system. For better security, install site server components on disk
drives formatted with the NTFS file system.
Pending configuration item policy updates
Applies to: Primary site
You may see this warning if you have many application deployments and at least one of them requires approval.
You have two options:
Ignore the warning and continue with the update. This action causes higher processing on the site server
during the update as it processes the policies. You may also see more processor load on the management
point after the update.
Revise one of the applications that has no requirements or a specific OS requirement, so that the site
server pre-processes some of the load at that time. Review objreplmgr.log, and then monitor the processor
on the management point. After the processing is complete, update the site. There will still be some
additional processing after the update, but less than if you ignore the warning with the first option.
Pending system restart on the remote SQL Server
Applies to: remote SQL Server
Another program requires the server to be restarted before you run setup.
To determine whether the computer is in a pending restart state, setup checks the following registry locations:
HKLM:Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending

HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

HKLM:SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations

HKLM:Software\Microsoft\ServerManager, CurrentRebootAttempts

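The following PowerShell script is an added example, not Configuration Manager's own prerequisite code: it inspects the same four registry locations as the "Pending system restart" and "Pending system restart on the remote SQL Server" checks, locally or on a remote server. Remote use assumes PowerShell remoting (WinRM) is enabled on the target, and the server name in the final call is a hypothetical placeholder.

```powershell
# Added example (not from the Configuration Manager docs): reproduce the four registry
# locations the "Pending system restart" prerequisite checks look at.
$pendingRebootProbe = {
    $reasons = @()

    # 1. Component Based Servicing: this key exists only while servicing needs a restart
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbs) { $reasons += 'Component Based Servicing: RebootPending key present' }

    # 2. Windows Update: this key exists after updates that require a restart
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $wu) { $reasons += 'Windows Update: RebootRequired key present' }

    # 3. Session Manager: PendingFileRenameOperations is a value, not a key, so read it explicitly
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'Session Manager: PendingFileRenameOperations value present'
    }

    # 4. Server Manager: CurrentRebootAttempts is also a value
    $srv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager' `
                            -Name 'CurrentRebootAttempts' -ErrorAction SilentlyContinue
    if ($srv -and $null -ne $srv.CurrentRebootAttempts) {
        $reasons += "Server Manager: CurrentRebootAttempts = $($srv.CurrentRebootAttempts)"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons
    }
}

function Test-PendingReboot {
    [CmdletBinding()]
    param(
        # Local site server by default; add the remote site database server for the second check
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        if ($name -in @($env:COMPUTERNAME, 'localhost', '.')) {
            & $pendingRebootProbe
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $pendingRebootProbe
        }
    }
}

# Run before setup on the site server and on the remote SQL Server ('SQL01' is a hypothetical name)
Test-PendingReboot -ComputerName $env:COMPUTERNAME, 'SQL01' | Format-List
```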
PowerShell 2.0 on site server
Applies to: Primary site with Exchange connector
Windows PowerShell 2.0 or a later version is installed on the site server for the Configuration Manager
Exchange Connector.
Recommended version of Microsoft .NET Framework
Applies to: CAS, primary site, secondary site
This rule checks if the .NET Framework is at least version 4.8. You'll see this warning if the system has at least
version 4.6.2, but less than version 4.8.
Starting in version 2107, Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site
servers, specific site systems, clients, and the console. If possible in your environment, .NET version 4.8 is
recommended. A later version of Configuration Manager will require .NET version 4.8. Before you run setup to
install or update the site, first update .NET and restart the system. For more information, see Site and site
system prerequisites.
Remote connection to WMI on secondary site
Applies to: Secondary site
Setup can establish a remote connection to WMI on the secondary site server.
Required version of Microsoft .NET Framework (warning)
Applies to: CAS, primary site, secondary site
In version 2107, this rule checks if the .NET Framework is at least version 4.6.2. You'll see this warning if the
system has less than version 4.6.2.

IMPORTANT
Starting in version 2111, if this check fails, it returns an error instead of a warning.

Configuration Manager requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems,
clients, and the console. If possible in your environment, .NET version 4.8 is recommended. A later version of
Configuration Manager will require .NET version 4.8. Before you run setup to install or update the site, first
update .NET and restart the system. For more information, see Site and site system prerequisites.
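As an added example (not the product's own check), the PowerShell function below classifies a server's .NET Framework against the three rules above: an error below 4.6.2 (a warning in version 2107, an error from 2111), a warning between 4.6.2 and 4.8, and a pass at 4.8 or later. It assumes Microsoft's published Release DWORD minimums (394802 for 4.6.2, 528040 for 4.8) and, for remote servers, WinRM.

```powershell
# Added example (not from the Configuration Manager docs): evaluate the installed
# .NET Framework against the required (4.6.2) and recommended (4.8) thresholds.
function Get-DotNetPrereqStatus {
    [CmdletBinding()]
    param(
        # Server to inspect; local machine when omitted (remote use assumes WinRM)
        [string]$ComputerName,
        # Configuration Manager version being installed or updated to, for example 2107 or 2111
        [int]$TargetVersion = 2111
    )

    # Release values from Microsoft's .NET Framework version table (assumption stated in the lead-in)
    $minRequired    = 394802   # .NET Framework 4.6.2
    $minRecommended = 528040   # .NET Framework 4.8

    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{ Release = $p.Release; Version = $p.Version }
    }
    $ndp = if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    } else {
        & $probe
    }
    $release = [int]$ndp.Release   # 0 when the v4\Full key is absent

    if ($release -lt $minRequired) {
        # Version 2107 reports this as a warning; 2111 and later block setup with an error
        $severity = if ($TargetVersion -ge 2111) { 'Error' } else { 'Warning' }
        $rule     = 'Required version of Microsoft .NET Framework'
        $message  = 'Below 4.6.2: update .NET Framework and restart before running setup'
    } elseif ($release -lt $minRecommended) {
        $severity = 'Warning'
        $rule     = 'Recommended version of Microsoft .NET Framework'
        $message  = '4.6.2 or later is present, but 4.8 is recommended and will be required later'
    } else {
        $severity = 'Pass'
        $rule     = $null
        $message  = '.NET Framework 4.8 or later is installed'
    }

    [pscustomobject]@{
        ComputerName = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Release      = $release
        Version      = $ndp.Version
        Severity     = $severity
        Rule         = $rule
        Message      = $message
    }
}

# Evaluate the local server for a version 2111 update
Get-DotNetPrereqStatus -TargetVersion 2111 | Format-List
```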
Schema extensions
Applies to: Central administration site, primary site
This check reports whether the Active Directory schema has been extended and, if it has, which version of the
schema extensions was used.
Configuration Manager doesn't require Active Directory schema extensions for site server installation. Microsoft
recommends them for the full use of all Configuration Manager features. For more information about the
advantages of extending the schema, see Prepare Active Directory for site publishing.
Share name in package
Applies to: Central administration site, primary site
Packages don't have invalid characters in the share name, such as #.
Site system to SQL Server communication
Applies to: Secondary site, management point
The account that you configured to run the SQL Server service for the site database instance has a valid service
principal name (SPN) in Active Directory Domain Services. Register a valid SPN in Active Directory to support
Kerberos authentication.
SQL Server 2012 lifecycle
Applies to: CAS, primary site, secondary site
This rule warns for the presence of SQL Server 2012. The support lifecycle for SQL Server 2012 ends on July 12,
2022. Plan to upgrade database servers in your environment, including SQL Server Express at secondary sites.
For more information, see Removed and deprecated for site servers: SQL Server.
SQL Server change tracking cleanup
Applies to: Site database server
Check if the site database has a backlog of SQL Server change tracking data.
Manually verify this check by running a diagnostic stored procedure in the site database. First, create a
diagnostic connection to your site database. The easiest method is to use SQL Server Management Studio's
Database Engine Query Editor, and connect to admin:<instance name>.
In a dedicated administrator connection query window, run the following commands:

USE <ConfigMgr database name>
EXEC spDiagChangeTracking

Depending upon the size of your database and the backlog size, this stored procedure could run in a few
minutes or several hours. When the query completes, you see two sections of data related to the backlog. First
look at CT_Days_Old. This value tells you the age (days) of the oldest entry in your syscommittab table. It
should be five days, which is the Configuration Manager default value. Don't change this default value. At times
of heavy data processing or replication, the oldest entry in syscommittab could be over five days. If this value is
above seven days, run a manual cleanup of change tracking data.
To clean up the change tracking data, run the following command in the dedicated administration connection:

USE <ConfigMgr database name>
EXEC spDiagChangeTracking @CleanupChangeTracking = 1

This command starts a cleanup of syscommittab and all of the associated side tables. It can run in several
minutes or several hours. To monitor its progress, query the vLogs view. To see the current progress, run the
following query:

SELECT * FROM vLogs WHERE ProcedureName = 'spDiagChangeTracking'


SQL Server Express version on secondary site
Applies to: Secondary site
Starting in version 2103, if you have a secondary site that uses SQL Server Express edition, this check warns if
the version is earlier than SQL Server 2016 with service pack 2 (13.0.5026.0). If Configuration Manager didn't
install SQL Server Express, then setup skips this check. Setup looks for the presence of the CONFIGMGRSEC
instance.
Microsoft recommends that you keep SQL Server Express up to date. For more information, see Security for site
administration.
SQL Server Native Client
When you install a new site, Configuration Manager automatically installs SQL Server Native Client as a
redistributable component. After the site is installed, Configuration Manager doesn't upgrade SQL Server Native
Client. Updating the SQL Server Native Client may require a restart, which can impact the site install process.
This check makes sure the site server has a supported version of the SQL Server Native Client. The prerequisite
check doesn't verify the version of the SQL Server Native Client on remote site systems.
The minimum version is SQL Server 2012 SP4 (11.*.7001.0). This SQL Server Native Client version supports
TLS 1.2. For more information, see the following articles:
TLS 1.2 support for Microsoft SQL Server
How to enable TLS 1.2 for Configuration Manager
Configuration Manager uses SQL Server Native Client on the following site system roles:
Site database server
Site server: central administration site, primary site, or secondary site
Management point
Device management point
State migration point
SMS Provider
Software update point
Multicast-enabled distribution point
Asset Intelligence update service point
Reporting services point
Enrollment point
Endpoint Protection point
Service connection point
Certificate registration point
Data warehouse service point
SQL Server process memory allocation
Applies to: Site database server
SQL Server reserves a minimum of 8 GB of memory for the central administration site and primary site, and a
minimum of 4 GB of memory for the secondary site.
For more information, see SQL Server memory configuration options.
NOTE
This check isn't applicable to SQL Server Express on a secondary site. This edition is limited to 1 GB of reserved memory.

SQL Server security mode
Applies to: Site database server
SQL Server is configured for Windows authentication security.
Unsupported site system OS version for upgrade
Applies to: Primary site, secondary site
Site system roles other than distribution points are installed on servers running Windows Server 2012 or later.
For more information, see Supported operating systems for Configuration Manager site system servers.

NOTE
This check can't resolve the status of site system roles installed in Azure or for the cloud storage used by Microsoft Intune.
Ignore warnings for these roles as false positives.

Upgrade Assessment Toolkit is unsupported
Applies to: Central administration site, primary site
The Upgrade Assessment Toolkit isn't installed. For more information, see Removed and deprecated features.
Verify site server permissions to publish to Active Directory
Applies to: Central administration site, primary site, secondary site
The computer account for the site server has Full Control permissions to the System Management container
in the Active Directory domain.
For more information, see Prepare Active Directory for site publishing.

NOTE
If you manually verify the permissions, you can ignore this warning.

Windows Remote Management (WinRM) v1.1
Applies to: Primary site, Configuration Manager console
WinRM 1.1 is installed on the primary site server or the Configuration Manager console computer to run the
out-of-band management console.
WinRM is automatically installed with all currently-supported versions of Windows. For more information, see
Installation and configuration for Windows Remote Management.
WSUS on site server
Applies to: Central administration site, primary site
A supported version of Windows Server Update Services (WSUS) is installed on the site server.
When you use a software update point on a server other than the site server, you must install the WSUS
Administration Console on the site server. For more information about WSUS, see Windows Server Update
Services.
Resources for installing Configuration Manager sites
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The following articles can help you install Configuration Manager or add sites to your existing Configuration
Manager hierarchy.
Prepare to install sites
This article offers essential information that can help you install a site to a new or existing hierarchy.
Information includes when to choose non-default source files, limitations that apply to all sites, and
optional actions you can take to help simplify your tasks when you install more than one site.
Prerequisites for installing sites
Learn about the user rights and permissions your account must have to install a site and related
prerequisites for each type of site you can install.
Install sites using the Setup Wizard
This article walks you through the site installation wizard. It provides details about options that might not
be clear in the wizard user interface.
Install sites using a command line and script
Learn how to create a site installation script, and how to use it for unattended site installs.
Install the Configuration Manager console
This article has guidance on how to install the Configuration Manager console on a computer on which
you're not installing a site.
Upgrade an evaluation installation to a full installation
Read this article when you're ready to upgrade your evaluation site to a fully licensed Configuration
Manager site.
Prepare to install Configuration Manager sites
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


To prepare for a successful deployment of one or more Configuration Manager sites, become familiar with the
details in this article. These steps can save you time during installation of multiple sites and help prevent
missteps that might result in the need to reinstall one or more sites.

TIP
When managing Configuration Manager site and hierarchy infrastructure, the terms upgrade, update, and install are used
to describe three separate concepts. To learn how each term is used, see About upgrade, update, and install.

Options for installing different types of sites


When you install a new Configuration Manager site, the version of the source files that you can use depends on
the version of sites that are already in the hierarchy (if any). The installation methods that you can use depend
on the type of site you want to install.
Before installing a site, make sure you have planned your hierarchy, and that you understand the type of site you
want to install. For more information, see Design a hierarchy of sites.
First site
The first site that you install in a hierarchy will be either a stand-alone primary site or a central administration
site.
Installation media: To install a central administration site or a stand-alone primary site as the first site in a new
hierarchy, you must use a baseline version of Configuration Manager. Do not install the first site of a new
hierarchy by using updated source files from the CD.Latest folder of any site.
Installation method: You can install either type of site by using the Configuration Manager Setup Wizard, or
you can configure a script to use with a scripted command-line installation.
Additional sites
After the initial site is installed, you can add more sites at any time. You have the following options for adding
sites (up to supported limits):

Site that you have            Additional site type you can install

Central administration site   Child primary site

Child primary site            Secondary site

Stand-alone primary site      Secondary site (you can expand the primary site, which
                              converts the stand-alone primary site to a child primary site)

Installation media: When you install a central administration site to expand a stand-alone primary site, or if
you install a new child primary site in an existing hierarchy, you must use installation media (that contains
source files) that matches the version of the existing site or sites.
IMPORTANT
If you have installed in-console updates that have changed the version of the previously installed sites, do not use the
original installation media. Instead, in that scenario, use source files from the CD.Latest folder of an updated site.
Configuration Manager requires you to use source files that match the version of the existing site that your new site will
connect to.

A secondary site must be installed from the Configuration Manager console. This way, secondary sites are
always installed by using source files from the parent primary site.
Installation method: The method you use to install additional sites depends on the type of site you want to
install.
Add a central administration site: You can use the Configuration Manager Setup Wizard or a scripted
command line to install the new central administration site as a parent site to your existing stand-alone
primary site. For more information, see Expanding a stand-alone primary site.
Add a child primary site: You can use the Configuration Manager Setup Wizard or a command-line
installation to add a child primary site below a central administration site.
Add a secondary site: Use the Configuration Manager console to install a secondary site as a child site
below a primary site. Other methods are not supported for adding secondary sites.

Common tasks to complete before starting an installation


Understand the hierarchy topology you will use for your deployment
For more information, see Design a hierarchy of sites for Configuration Manager.
Prepare and configure individual servers to meet prerequisites and supported
configurations for use with Configuration Manager
For more information, see Site and site system prerequisites.
Install and configure SQL Server to host the site database
For more information, see Support for SQL Server versions for Configuration Manager.
Prepare your network environment to support Configuration Manager
For more information, see Configure firewalls, ports, and domains to prepare for Configuration Manager.
If you will use a public key infrastructure (PKI), prepare your infrastructure and certificates
For more information, see PKI certificate requirements for Configuration Manager.
Install the latest security updates on computers you will use as site servers or site system
servers, and when necessary, restart them

About site names and site codes


Site codes and site names are used to identify and manage the sites in a Configuration Manager hierarchy. In the
Configuration Manager console, the site code and site name are displayed in the <site code> - <site name>
format. Every site code that you use in your hierarchy must be unique. If the Active Directory schema is
extended for Configuration Manager and your sites are publishing data, the site codes used within an Active
Directory forest must be unique even if they are used in a different Configuration Manager hierarchy or if they
have been used in earlier Configuration Manager installations. Be sure to carefully plan your site codes and site
names before you deploy your hierarchy.
Specify a site code and site name
When you run Configuration Manager Setup, you are prompted for a site code and site name for the central
administration site, and for each primary site and secondary site installation. A site code must uniquely identify
each site in the hierarchy. Because the site code is used in folder names, never use the following names for the
site code, which include names reserved for Configuration Manager and Windows:
AUX
CON
NUL
PRN
SMS
ENV

NOTE
Configuration Manager Setup does not verify that a site code is not already in use.

To enter the site code for a site when you're running Configuration Manager Setup, you must enter three
alphanumeric characters. Only the letters A through Z and the numbers 0 through 9, in any combination, are
allowed in site codes. The sequence of letters or numbers has no effect on the communication between sites. For
example, it is not necessary to name a primary site ABC and a secondary site DEF.
The site name is a friendly name identifier for the site. You can only use the characters A through Z, a through z,
0 through 9, and the hyphen (-) in site names.

IMPORTANT
A change of the site code or site name after you install the site is not supported.
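Because Setup does not check for reserved names or for codes already in use, the rules above (and the same rules repeated in the Setup Wizard's Site and Installation Settings step) can be checked before you run it. The following is an added example, not part of the Microsoft documentation; the reserved-name list is the one given in this article, and the list of codes already in use is something you supply from your own hierarchy and forest.

```powershell
# Added example (not from the Microsoft docs): validate a planned site code and site name
# against the rules stated in this article before running Configuration Manager Setup.
$ReservedSiteCodes = @('AUX', 'CON', 'NUL', 'PRN', 'SMS', 'ENV')

function Test-CMSiteCode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        # Site codes already used in this hierarchy or published in the forest, including
        # codes of CAS or primary sites that have since been uninstalled (these must not be reused)
        [string[]]$CodesInUse = @()
    )
    $code     = $SiteCode.ToUpperInvariant()
    $problems = @()

    # Exactly three characters, each a letter A-Z or a digit 0-9
    if ($code -notmatch '^[A-Z0-9]{3}$') {
        $problems += "Site code '$SiteCode' must be exactly three characters from A-Z or 0-9."
    }
    # Names reserved by Windows or Configuration Manager; Setup does not reject these itself
    if ($ReservedSiteCodes -contains $code) {
        $problems += "Site code '$SiteCode' is a reserved name."
    }
    # Reusing a CAS or primary site code risks object ID conflicts in the hierarchy
    if ($CodesInUse -contains $code) {
        $problems += "Site code '$SiteCode' is already in use."
    }

    [pscustomobject]@{ SiteCode = $code; IsValid = ($problems.Count -eq 0); Problems = $problems }
}

function Test-CMSiteName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SiteName)
    $problems = @()
    # Only A-Z, a-z, 0-9 and the hyphen are allowed in a site name
    if ($SiteName -notmatch '^[A-Za-z0-9-]+$') {
        $problems += "Site name '$SiteName' may only contain A-Z, a-z, 0-9 and '-'."
    }
    [pscustomobject]@{ SiteName = $SiteName; IsValid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed inputs: a reserved code, a code that reuses one already in the hierarchy,
# a valid code, and a site name containing a space
Test-CMSiteCode -SiteCode 'SMS'
Test-CMSiteCode -SiteCode 'P01' -CodesInUse 'CAS', 'P01'
Test-CMSiteCode -SiteCode 'P02' -CodesInUse 'CAS', 'P01'
Test-CMSiteName -SiteName 'Contoso HQ'
```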

Reuse a site code


Site codes cannot be used more than one time in a Configuration Manager hierarchy for a central
administration site or for a primary site, even if the original site and site code have been uninstalled. If you reuse
a site code, you risk having object ID conflicts in your hierarchy. You can reuse the site code for a secondary site
if that secondary site and the site code are no longer in use in your Configuration Manager hierarchy or in the
Active Directory forest.

Limits and restrictions for installed sites


Before you install a site, it's important to understand the following limitations that apply to sites and site
hierarchies:
After running Setup, you cannot change the following site properties without uninstalling the site and then
reinstalling it by using the new values:
Program Files installation directory
Site code
Site description
When your hierarchy includes a central administration site:
Configuration Manager does not support moving a child primary site out of a hierarchy to create a
stand-alone primary site or to attach it to a different hierarchy. Instead, uninstall the child primary site,
and then reinstall it as a new stand-alone primary site or as a child site of the central administration
site of a different hierarchy.

Optional steps before running Setup


Manually run Setup Downloader
To download the updated Setup files for Configuration Manager, you can run Setup Downloader. If the computer
where you will run Setup is not connected to the Internet, or if you expect to install multiple site servers,
consider using Setup Downloader to download the required updates to Setup. Here's additional information:
By default, Setup connects to the Internet to download updated Setup files.
By default, the files are stored in the Redist folder.
You can direct Setup to a location on your network where you have previously stored a copy of these files.
Manually run Prerequisite Checker
To identify and fix problems before you run Setup to install a site and before you install a site system role on a
server, you can run Prerequisite Checker. Prerequisite Checker helps ensure that the computer meets the
requirements to host the site or site system role. Here's additional information:
By default, Setup runs Prerequisite Checker.
If there are any errors, Setup stops until the issue is fixed.
Identify optional ports
You can identify optional ports for site systems and clients to use. Here's additional information:
By default, site systems and clients use predefined ports to communicate.
During Setup, you can configure alternate ports.
For more information, see Ports used.
Prerequisites for installing Configuration Manager
sites
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Before you begin a site installation, learn about the prerequisites for installing the different types of
Configuration Manager sites.

Primary sites and the central administration site


The following prerequisites apply to installing one of the following types:
A central administration site (CAS) as the first site of a hierarchy
A stand-alone primary site
A child primary site
If you're installing a CAS as part of a hierarchy expansion, see the section for Expanding a stand-alone primary
site.
Prerequisites for installing a primary site or a CAS
The necessary Windows Server roles, features, and Windows components must be installed. For more
information, see Site system prerequisites.
The user account that installs the site must have the following permissions:
Administrator on the following servers:
The site server
Each SQL Server that hosts the site database
Each instance of the SMS Provider for the site
Sysadmin on the instance of SQL Server that hosts the site database

IMPORTANT
When Configuration Manager setup finishes, the site server computer account still needs sysadmin
permissions to SQL Server. Don't remove the SQL Server sysadmin permissions from this account.
For more information on the need for these permissions after setup is complete, see Accounts: Elevated
permissions.

If you're installing a primary site, you may also need Administrator permissions on additional servers.
For example, where you install the initial management point and distribution point, if not on the site
server.
If you're installing a new child primary site below a CAS, you need the following additional permissions:
Administrator on the site server that hosts the CAS
Administrator on the SQL Server that hosts the CAS site database
Role-based administration permissions within Configuration Manager that are equivalent to the
security role of Infrastructure Administrator or Full Administrator
Use the correct installation source files, and run setup from that location. For information about the
correct source files to use to install different types of sites, see Prepare to install sites: Options for installing
different types of sites.
The site server needs access to the latest setup files from Microsoft. Use one of the following methods:
Before you start the install, download and store a copy of these files on your local network. For
more information, see Setup Downloader.
If a local copy of these files isn't available, the site server needs access to the internet. It downloads
these files from Microsoft during the installation. For more information, see Internet access
requirements.
The site server and site database server must meet all prerequisite configurations. Before starting
Configuration Manager setup, manually run Prerequisite Checker to identify and fix problems.
Prerequisites to expand a stand-alone primary site
A stand-alone primary site must meet the following prerequisites before you can expand it into a hierarchy with
a CAS:
Source file version matches site version
Install the new CAS using media from a CD.Latest folder that matches the version of the stand-alone primary
site. To make sure the versions match, use the source files found in the CD.Latest folder on the stand-alone
primary site.
For more information about the correct source files to use to install different sites, see Prepare to install sites:
Options for installing different types of sites.
Stop active migration from another hierarchy
You can't configure the stand-alone primary site to migrate data from another Configuration Manager hierarchy.
Stop active migration to the stand-alone primary site from other Configuration Manager hierarchies and
remove all configurations for migration. These configurations include:
Migration jobs that haven't completed
Data gathering
The configuration of the active source hierarchy
This configuration is necessary because Configuration Manager migrates data from the top-level site of the
hierarchy. When you expand a stand-alone primary site, the configurations for migration don't transfer to the
CAS.
After you expand the stand-alone primary site, if you reconfigure migration at the primary site, the CAS runs the
migration jobs.
For more information about how to configure migration, see Configure source hierarchies and source sites for
migration.
Computer account as Administrator
Add the computer account of the server that hosts the new CAS to the Administrators group on the stand-
alone primary site server.
To successfully expand the stand-alone primary site, the computer account of the new CAS needs
Administrator permissions on the stand-alone primary site. This account requires these permissions only
during site expansion. When site expansion finishes, you can remove the account from the user group on the
primary site.
Installation account permissions
The user account that runs Configuration Manager setup to install the new CAS needs role-based administration
permissions at the stand-alone primary site.
For the user account that installs a CAS as part of a site expansion, add them to the proper role at the stand-
alone primary site. Use the built-in Full Administrator or Infrastructure Administrator roles.
For more information including the complete list of required permissions, see Site installation account.
Top-level site roles
Before you expand the site, uninstall the following site system roles from the stand-alone primary site:
Asset Intelligence sync point
Endpoint protection point
Service connection point
Configuration Manager only supports these roles at the top-level site of the hierarchy. Uninstall these site
system roles before you expand the stand-alone primary site. After you expand the site, reinstall these site
system roles at the CAS.
All other site system roles can remain installed at the primary site.
Open the SQL Server Service Broker port
The network port must be open for the SQL Server Service Broker (SSB) between the stand-alone primary site
and the server for the CAS.
To successfully replicate data between a CAS and a primary site, Configuration Manager requires an open port
between the two sites for SSB to use. When you install a CAS and expand a stand-alone primary site, the
prerequisite check doesn't verify that the port you specify for the SSB is open on the primary site.
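Two of the expansion prerequisites above are not confirmed by the prerequisite check: that the SSB port is open toward the primary site, and that the new CAS computer account is in the primary site server's local Administrators group. The following added example (not part of the Microsoft documentation) tests both from the server that will host the CAS; it assumes the ActiveDirectory module and WinRM access to the primary site server, and the host names are placeholders.

```powershell
# Added example (not from the Microsoft docs): pre-flight checks before expanding a stand-alone
# primary site into a hierarchy. Run from the prospective CAS server.
Import-Module ActiveDirectory

function Test-CMSiteExpansionReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PrimarySiteServer,  # FQDN of the stand-alone primary site server
        [Parameter(Mandatory)][string]$CasServer,          # FQDN of the server that will host the new CAS
        [int]$ServiceBrokerPort = 4022                     # SSB port configured for the site database
    )
    $results = @()

    # 1. SSB port: Setup does not verify that it is open on the primary site, so test TCP reachability
    #    from here. Run the same test from the primary site toward the CAS for the reverse direction.
    $ssb = Test-NetConnection -ComputerName $PrimarySiteServer -Port $ServiceBrokerPort -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP $ServiceBrokerPort (SSB) reachable on $PrimarySiteServer"
        Passed = [bool]$ssb.TcpTestSucceeded
        Detail = "Remote address $($ssb.RemoteAddress)"
    }

    # 2. The CAS computer account (DOMAIN\HOST$) must be in the local Administrators group on the
    #    primary site server while the expansion runs; it can be removed again afterwards.
    $casAccount = "$((Get-ADDomain).NetBIOSName)\$($CasServer.Split('.')[0])$"
    $members = Invoke-Command -ComputerName $PrimarySiteServer -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
    $results += [pscustomobject]@{
        Check  = "$casAccount is a member of Administrators on $PrimarySiteServer"
        Passed = [bool]($members -contains $casAccount)
        Detail = "Members: $($members -join ', ')"
    }

    $results
}

# Example call (placeholder host names)
Test-CMSiteExpansionReadiness -PrimarySiteServer 'PRI01.contoso.local' -CasServer 'CAS01.contoso.local' |
    Format-Table Check, Passed, Detail -AutoSize
```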
Known issues with Azure services
After you expand the site, you need to reconfigure the following Azure services with Configuration Manager:
Log Analytics
Microsoft Store for Business
Cloud management gateway
Tenant attach
The easiest method is to renew the Azure Active Directory tenant secret key. For more information, see Renew
secret key.
Instead of renewing the secret key, remove and then recreate the connection to that service.

Secondary sites
The following prerequisites are for installing secondary sites:
The necessary Windows Server roles, features, and Windows components must be installed. For more
information, see Site system prerequisites.
The administrator who configures the installation of the secondary site in the Configuration Manager
console needs role-based administration permissions that are equivalent to the security role of
Infrastructure Administrator or Full Administrator.
Add the computer account of the parent primary site to the Administrators group on the secondary site
server.
When the secondary site uses a previously installed instance of SQL Server to host the secondary site
database:
The computer account of the parent primary site needs sysadmin permissions on the instance of
SQL Server on the secondary site server.
The Local System account of the secondary site server computer needs sysadmin permissions
on the instance of SQL Server on the secondary site server.

IMPORTANT
When Configuration Manager setup finishes, both accounts still need sysadmin permissions to SQL
Server. Don't remove the sysadmin permissions from these accounts.

The secondary site server must meet all prerequisite configurations. These configurations include SQL
Server and the default site system roles of the management point and distribution point.

Next steps
After you've confirmed the prerequisites, you're ready to run setup. For more information, see Use the Setup
Wizard to install Configuration Manager sites.
Use the Setup Wizard to install Configuration
Manager sites
2/16/2022 • 20 minutes to read

Applies to: Configuration Manager (current branch)


To install a new Configuration Manager site by using a guided user interface, use the Configuration Manager
Setup Wizard (setup.exe). The wizard supports installing a primary site or central administration site (CAS). You
also use the wizard to upgrade an evaluation installation of Configuration Manager to a fully licensed
installation. When you don't want to use the wizard, you can instead use an installation script and run an
unattended command-line installation.
Install a secondary site from within the Configuration Manager console. Secondary sites don't support a
scripted command-line installation.
Before you install a site, be familiar with the details in the following articles:
Design a hierarchy of sites
Site and site system prerequisites
Prepare to install sites
Prerequisites for installing sites
Assess server readiness with the Prerequisite Checker

TIP
If you need assistance with site installation, see the Support options and community resources. For example, the
Microsoft Q&A forum for Configuration Manager site and client deployment.

Install a central administration or primary site


Use the following procedure to install a CAS or a primary site. Also use it to upgrade an evaluation site to a fully
licensed Configuration Manager site.
If you're installing a CAS as part of a site expansion scenario, review Expanding a stand-alone primary site
before using the following procedure.
Process to install a primary or CAS
1. On the computer where you want to install the site, run <InstallationMedia>\SMSSETUP\BIN\X64\Setup.exe
to start the Configuration Manager Setup Wizard.

NOTE
When you install a CAS to expand on a stand-alone primary site, or install a new child primary site in an existing
hierarchy, use installation media (source files) that match the version of the existing site or sites. If you've installed
in-console updates that have changed the version of the previously installed sites, don't use the original
installation media. Instead, use source files from the CD.Latest folder of an updated site. Configuration Manager
requires you to use source files that match the version of the existing site that your new site will connect to.

2. On the Before You Begin page, choose Next.


3. On the Getting Started page, select the type of site that you want to install:
Central administration site, as the first site of a new hierarchy, or when expanding a stand-alone
primary site:
Select Install a Configuration Manager central administration site.
Later in this process, you'll choose to install a CAS for a new hierarchy, or to expand a stand-alone
primary site.
Primary site, as a stand-alone primary site that is the first site of a new hierarchy, or as a child
primary:
Select Install a Configuration Manager primary site.

TIP
Typically, you only select the option Use typical installation options for a stand-alone primary
site when you want to install a stand-alone primary site in a test environment. When you select this
option, setup does the following actions:
Automatically configures the site as a stand-alone primary site.
Uses a default installation path.
Uses a local installation of the default instance of SQL Server for the site database.
Installs a management point and a distribution point on the site server computer.
Configures the site with English and the display language of the OS on the primary site server if it
matches one of the languages that Configuration Manager supports.

4. On the Product Key page:


Choose whether to install Configuration Manager as an evaluation edition or a licensed edition.
If you select a licensed edition, enter your product key, and choose Next.
If you select an evaluation edition, choose Next. You can upgrade an evaluation installation
to a full installation later.
You can also specify the Software Assurance expiration date of your licensing agreement. It's a
convenient reminder of that date. If you don't enter this date during Setup, you can specify it later
from within the Configuration Manager console.

NOTE
Microsoft doesn't validate the expiration date that you entered and doesn't use this date for license
validation. You can use it as a reminder of your expiration date. This date is useful because Configuration
Manager periodically checks for new software updates offered online. Your software assurance license
status should be current so that you're eligible to use these additional updates.

For more information, see Licensing and branches.


5. On the Microsoft Software License Terms page, read and accept the license terms.
6. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software.
Setup downloads and automatically installs the software on site systems or clients when it's required.
Accept all of the terms before you continue to the next page.
7. On the Prerequisite Downloads page, specify whether Setup must download the latest prerequisite
redistributable files from the internet or use previously downloaded files:
If you want Setup to download the files at this time, select Download required files. Then
specify a location to store the files.
If you previously downloaded the files by using Setup Downloader, select Use previously
downloaded files. Then specify the download folder.

TIP
If you use previously downloaded files, verify that the path to the download folder contains the most
recent version of the files.

8. On the Server Language Selection page, select the languages that are available for the Configuration
Manager console and for reports. The wizard selects English by default and you can't remove it. For more
information, see Language packs.
9. On the Client Language Selection page, select the languages that are available to client computers.
Also specify whether to enable all client languages for mobile device clients. The wizard selects English by
default and you can't remove it.

IMPORTANT
When you use a CAS, make sure that client languages you configure at the CAS include all client languages that
you configure at each child primary site. Clients that install from a distribution point have access to the client
languages from the top-tier site, while clients that install from a management point have access to the client
languages from their assigned primary site.

10. On the Site and Installation Settings page, specify the following settings for the new site that you're
installing:
Site code: Each site code in a hierarchy must be unique. Use three alpha-numeric characters: A
through Z and 0 through 9. Because the site code is used in folder names, don't use the
following Windows-reserved names:
AUX
CON
NUL
PRN
SMS

NOTE
Setup doesn't verify whether the site code that you specify is already in use, or if it's a reserved name.

Site name: Each site requires this friendly name, which can help you identify the site.
Installation folder: This folder is the path to the Configuration Manager installation. You can't
change the location after the site installs. The path can't contain Unicode characters or trailing
spaces.
NOTE
Consider whether you want to use the default installation folder. If you use the default OS partition in a
production environment, you may experience the following issues in the future:
If Configuration Manager uses the additional free disk space on the OS partition, neither Windows nor
Configuration Manager will operate properly. If you install Configuration Manager on a separate
partition, its disk consumption won't impact the OS.
Configuration Manager performance is better with a fast disk. Some server designs don't optimize the
OS disk for speed.
You can service, restore, or reinstall the OS without impacting your Configuration Manager installation.

11. On the Site Installation page, use the following option that matches your scenario:
I'm installing a CAS:
On the Central Administration Site Installation page, select Install as the first site in a
new hierarchy, and then choose Next to continue.
I'm expanding a stand-alone primary into a hierarchy with a CAS:
On the Central Administration Site Installation page, select Expand an existing stand-
alone primary into a hierarchy. Then specify the FQDN of the stand-alone primary site server,
and choose Next to continue.
The media that you use to install the new CAS must match the version of the primary site.
I'm installing a stand-alone primary site:
On the Primary Site Installation page, select Install the primary site as a stand-alone site,
and then choose Next.
I'm installing a child primary site:
On the Primary Site Installation page, select Join the primary site to an existing
hierarchy. Then specify the FQDN for the CAS, and choose Next.
12. On the Database Information page, specify the following information:
SQL Server name (FQDN): By default, this value is set to the site server computer.
If you use a custom port, add that port to the FQDN of the SQL Server. Follow the FQDN of the
SQL Server with a comma and then the port number. For example, for server
SQLServer1.fabrikam.com, use the following string to specify custom port 1551:
SQLServer1.fabrikam.com,1551

Instance name: By default, this value is blank. It uses the default instance of SQL Server on the
site server computer.
Database name: By default, this value is set to CM_<Sitecode>. You can customize this value.
Service Broker Port: By default, this value is set to use the default SQL Server Service Broker
(SSB) port of 4022. SQL Server uses it to communicate directly to the site database at other sites.
13. On the second Database Information page, you can specify custom locations for the SQL Server data
file and the SQL Server log file for the site database:
By default, it uses the default file locations for SQL Server.
When you use a SQL Server Always On failover cluster instance, the option to specify custom file
locations isn't available.
The prerequisite checker doesn't run a check for free disk space for custom file locations.
14. On the SMS Provider Settings page, specify the FQDN for the server where you want to install the
SMS Provider.
By default, it specifies the site server.
After the site installs, you can configure more SMS Providers. For more information, see Plan for
the SMS Provider.
15. On the Client Communication Settings page, choose how clients will communicate with site systems.
The more secure option is to require all site systems to use HTTPS. Otherwise, you individually configure
the communication method for each site system role.
When you select All site system roles accept only HTTPS communication from clients, the client
computer must have a valid PKI certificate for client authentication. For more information, see PKI
certificate requirements.

NOTE
This step only applies when you install a primary site. If you're installing a CAS, skip this step.

16. On the Site System Roles page, choose whether to install a management point or distribution point.
For each role that you choose to have installed by Setup:

NOTE
This step only applies when you install a primary site. If you're installing a CAS, skip this step.

Enter the FQDN for the server that will host the role. Then choose the client connection method
that the server will support: HTTP or HTTPS.
If you selected All site system roles accept only HTTPS communication from clients on
the previous page, the wizard automatically configures the client connection settings for HTTPS.
You can't change this setting unless you go back to the previous page.

NOTE
To install site system roles, Setup uses the site system installation account. By default, it uses the primary
site's computer account. This account must be a local administrator on the remote computer to install the role. If
this account lacks the required permissions, don't install the roles during Setup. After you configure additional
accounts to use as site system installation accounts, install the roles from the Configuration Manager console. For
more information, see Accounts.

17. On the Usage Data page, review the information about data that Microsoft collects, and then choose
Next. For more information, see Diagnostics and usage data.
18. The Service Connection Point Setup page is only available when you're installing a stand-alone
primary site or a CAS.

NOTE
If you're installing a child primary site, skip this step.
If you're installing a CAS as part of a site expansion scenario, and the stand-alone primary site already
has this role, first uninstall it from the stand-alone primary site. Configuration Manager can only have
one instance of the service connection point in a hierarchy. It's only supported at the top-tier site of the
hierarchy.
After you select a configuration for the Service Connection Point, choose Next. After Setup completes,
you can change this configuration from the Configuration Manager console. For more information, see
About the service connection point.
19. On the Settings Summary page, review the settings that you've selected. When you're ready, choose
Next to start the Prerequisite Checker.
20. On the Prerequisite Installation Check page, the wizard lists any problems that the checker identifies.
When the Prerequisite Checker finds a problem, choose an item in the list for details about how to
resolve the problem.
Before you can continue to install the site, resolve any Failed items. Try to resolve all Warning
items, but they don't block installation.
After you resolve any issues, choose Run Check to rerun the Prerequisite Checker.
When the Prerequisite Checker runs, and no checks receive a Failed status, you can choose Begin
Install to start the site installation.

TIP
In addition to the feedback that the wizard provides, you can find additional information about prerequisite issues
in the ConfigMgrPrereq.log file. It's in the root of the system drive on the server. For more information, see List
of prerequisite checks.

21. On the Installation page, Setup displays the installation status. When the core site server installation is
complete, you can Close the installation wizard. When you close the wizard, the installation and initial
site configurations continue in the background.
You can connect a Configuration Manager console to the site before Setup is complete. This
console connects as read-only, and lets you view objects and settings, but you can't modify
anything.
After Setup completes, you can connect a console to edit objects and settings.
Starting in Configuration Manager version 2010, if setup fails, you can Report update error to
Microsoft. For more information, see Report setup and upgrade failures to Microsoft.

Expand a stand-alone primary site


When you've installed a stand-alone primary site as your first site, you can later install a CAS to expand that site
into a larger hierarchy. This process is also called site expansion. The main reason to expand to a hierarchy is for
scale. A hierarchy allows you to support more clients than a stand-alone primary site can support. For more
information, see Size and scale numbers.
When you expand a stand-alone primary site, you install a new CAS that uses the existing stand-alone primary
site database as a reference. After the new CAS installs, the stand-alone primary site functions as a child primary
site.
You can only expand a stand-alone primary site into a new hierarchy.
You can only expand one stand-alone primary site into a specific hierarchy. You can't use this option to
join other stand-alone primary sites into the same hierarchy. Instead, use the Migration Wizard to
migrate data from one hierarchy into another. For more information, see Migrate data between
hierarchies.
After you expand a stand-alone site into a hierarchy with a CAS, you can install other child primary
sites.
To remove a primary site from a hierarchy with a CAS, first uninstall the primary site.
Before you start, first see the prerequisites to expand a site.
To expand the site, use the procedure to install a primary or central administration site with the following
caveats:
Install the CAS by using the same version of Configuration Manager as the stand-alone primary site.
On the Getting Started page of the Setup Wizard, select the option to install a CAS. At a later stage of
Setup, you'll choose an option to expand an existing stand-alone primary site.
On the Client Language Selection page for the new CAS, select the same client languages that you
configured on the original primary site.
On the Site Installation page, select the option to expand the stand-alone primary site.

Install a secondary site


Use the Configuration Manager console to install a secondary site.
In a hierarchy, you don't have to connect the console to the parent primary site. If the console isn't
connected to the parent primary site for the new secondary site, Configuration Manager replicates the
command to install the secondary site to the correct primary site.
Before you start the secondary site installation, make sure that your user account has the prerequisite
permissions. Also make sure that the server that will host the new secondary site meets all the
prerequisites for use as a secondary site server. For more information, see Prerequisites for installing
sites and Site and site system prerequisites.
When you install the secondary site, Configuration Manager configures the new site to use the same
client communication ports as the parent primary site.
Process to install a secondary site
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node. Select the site that will be the parent primary site of the new
secondary site.
2. In the ribbon, select Create Secondary Site. This action starts the Create Secondary Site Wizard.
3. On the Before You Begin page, confirm that the listed server is the primary site that you want to be the
parent of the new secondary site. Then choose Next .
4. On the General page, specify the following settings:
Site code: Each site code in a hierarchy must be unique. Use three alpha-numeric characters: A
through Z and 0 through 9. Because the site code is used in folder names, don't use the
following Windows-reserved names:
AUX
CON
NUL
PRN
SMS

NOTE
Setup doesn't verify whether the site code that you specify is already in use, or if it's a reserved name.

Site server name: This value is the FQDN of the server for the new secondary site.
Site name: Each site requires this friendly name, which can help you identify the site in the
console.
Installation folder: This folder is the path to the Configuration Manager installation. You can't
change the location after the site installs. The path can't contain Unicode characters or trailing
spaces.

IMPORTANT
After you specify details on this page, you can choose Summary to skip to the end of the wizard. This action uses
the default settings for the remainder of the secondary site options.
Only use this option when you're familiar with the default settings in this wizard, and they're the settings
you want to use.
When you use the default settings, boundary groups aren't associated with the distribution point. Until
you configure boundary groups that include the secondary site server, clients won't use the distribution
point that's installed on this secondary site as a content source location.

5. On the Installation Source Files page, choose how the secondary site server gets the source files to
install the site.
When you use CD.Latest source files that are shared on the network or copied locally to the target
secondary site server:
The CD.Latest source file location includes a folder named Redist. Move this Redist folder as a
subfolder under the SMSSETUP folder.
Copy the following files from the Redist folder to the SMSSETUP\BIN\X64 folder:
SharedManagementObjects.msi
SQLSysClrTypes.msi
sqlncli.msi
If any of the files from Redist aren't available, Setup fails to install the secondary site.
The computer account of the secondary site server needs Read permissions to the source file
folder and share.
6. On the SQL Server Settings page, specify the version of SQL Server to use:

NOTE
Setup doesn't validate the information that you enter on this page until it starts the installation. Before you
continue, verify these settings.

Install and configure a local copy of SQL Express on the secondary site computer
SQL Server Service port: Specify the SQL Server service port for SQL Server Express to
use. The service port is typically configured to use TCP port 1433, but you can configure
another port.
SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL
Server Express to use. The Service Broker is typically configured to use TCP port 4022, but
you can configure a different port. Specify a valid port that no other site or service is using,
and that the firewall doesn't block.
Use an existing SQL Server instance
SQL Server FQDN: Review the FQDN for the computer running SQL Server. The secondary
site database must be hosted on a local server running SQL Server, so you can't modify this
setting.
SQL Server instance: Specify the instance of SQL Server to use as the secondary site
database. Leave this option blank to use the default instance.
ConfigMgr site database name: Specify the name to use for the secondary site
database.
SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL
Server to use. Specify a valid port that no other site or service is using, and that the firewall
doesn't block.

TIP
For a list of the SQL Server versions that Configuration Manager supports, see Supported SQL Server versions.

7. On the Distribution Point page, configure settings for the distribution point that Setup will install on
the secondary site server.
Required settings:
Specify how client devices communicate with the distribution point: Choose
between HTTP and HTTPS.
Create a self-signed certificate or import a PKI client certificate: Choose between
using a self-signed certificate or importing a certificate from your PKI. A self-signed
certificate lets you also allow anonymous connections from Configuration Manager clients
to the content library. The certificate is used to authenticate the distribution point to a
management point before the distribution point sends status messages. For more
information, see PKI certificate requirements.
Optional settings:
Install and configure IIS if required by Configuration Manager : Select this setting to
let Configuration Manager install and configure Internet Information Services (IIS) on the
server. Configuration Manager only installs IIS if it's not already installed on the server. IIS is
required on all distribution points.

NOTE
Although this setting is optional, IIS is required to add the distribution point role.

Enable and configure BranchCache for this distribution point


Description: This value is a friendly description for the distribution point to help you
recognize it in the console.
Enable this distribution point for prestaged content
8. On the Drive Settings page, specify the drive settings for the secondary site distribution point.
You can configure up to two disk drives for the content library and two disk drives for the package share.
However, Configuration Manager can use other drives when the first two reach the configured drive
space reserve. Use this Drive Settings page to configure the priority for the disk drives and the amount
of free disk space to remain on each disk drive.
Drive space reserve (MB): The value that you configure for this setting determines the amount
of free space on a drive before Configuration Manager chooses a different drive and continues the
copy process to that drive. Content files can span multiple drives.
Content Locations: Specify the content locations for the content library and package share.
Configuration Manager copies content to the primary content location until the amount of free
space reaches the value that's specified for Drive space reserve (MB).
By default, the content locations are set to Automatic. The primary content location is set to the disk
drive that has the most space at installation time. The secondary location is set to the disk drive that has
the most free disk space after the primary drive. When the primary and secondary drives reach the drive
space reserve, Configuration Manager selects another available drive with the most free disk space and
continues the copy process.
9. On the Content Validation page, specify whether to validate the integrity of content files on the
distribution point.
When you enable content validation on a schedule, Configuration Manager starts the process at
the scheduled time. It verifies all content on the distribution point.
You can also configure the Content validation priority.
10. On the Boundary Groups page, manage the boundary groups for this distribution point:
Allow fallback source location for content: This option allows clients outside these boundary
groups to fall back and use the distribution point as a source location for content when no preferred
distribution points are available.
For more information, see the Fundamental concepts for content management.
11. On the Summary page, verify the settings, and then choose Next to install the secondary site. When the
wizard shows the Completion page, you can close the wizard. The secondary site installation continues
in the background.
How to verify the secondary site installation status
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the new secondary site, and then choose Show Install Status in the ribbon.

TIP
When you install more than one secondary site at a time, the Prerequisite Checker runs against a single site at a
time. It finishes a site before it starts to check the next site.

Next steps
Configure sites and hierarchies
IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Install consoles
Release notes
Use a command line to install Configuration Manager sites
2/16/2022 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


You can run Configuration Manager setup at a command prompt to automate the installation of different kinds
of site types. This article provides an overview of the command-line methods.

Supported tasks for command-line installations


Install a central administration site (CAS) or primary site
Modify the languages in use at a CAS or primary site
Recover a site

TIP
You can also install the Configuration Manager client and console from the command prompt. For more information, see
the following articles:
Install consoles
Deploy clients to Windows computers

About the command-line script file


For unattended installations of Configuration Manager, you can specify a script file that contains installation
options.

NOTE
You can't use the unattended script file to upgrade an evaluation site to a licensed installation of Configuration Manager.

To use an answer file with setup, first configure the script file with required keys and values. For an unattended
installation of a CAS or primary site, the script file requires the following sections:
Identification
Options
SQLConfigOptions
HierarchyExpansionOption
CloudConnectorOptions
SABranchOptions
Then run setup with the /SCRIPT command-line option and specify the script file.
To recover a site, the script file also uses the RecoveryOptions section.
For a list of keys and values to use in an unattended installation script file, see Unattended setup script file keys.
NOTE
When you run setup from the CD.Latest folder for a scripted install or recovery, include the CDLatest key with a value
of 1. This value isn't supported with installation media from the Microsoft Volume License site. For more information on
how to use this key name in the script file, see Command-line options.

Create the script


When you run setup to install a site using the user interface, setup automatically creates the installation script.
When you confirm the settings on the Summary page of the wizard, the following actions happen:
Setup creates the script %TEMP%\ConfigMgrAutoSave.ini. You can rename this file before you use it, but it needs
the .ini file extension.
The unattended installation script contains the settings that you selected in the wizard.
You can modify the script to install other sites in your hierarchy.
You can use this script to do an unattended setup of Configuration Manager.
This script file provides the same information as the Setup Wizard, except that there are no default settings.
Specify a value for every setup key that is required for the installation you want.
When setup creates the unattended installation script, it includes the product key that you entered in the Setup
Wizard. This key can be a valid product key, or EVAL to install an evaluation version of Configuration Manager.
The product key value in the script is required by the prerequisite checker. When setup starts the actual site
installation, it clears the product key value in the script. Before using the script for an unattended installation of a
new site, edit the script to provide a valid product key or to specify an evaluation installation of Configuration
Manager.

TIP
You can also manually create the script file from a plain-text editor like Notepad.

Section names, key names, and values


The script contains section names, key names, and values.
Required section key names vary depending on the installation type.
The order of the sections and the order of the keys within sections aren't important.
The keys aren't case-sensitive.
When you provide values for keys, the name of the key must be followed by an equal sign ( = ) and the value
for the key. For example, CDLatest=1
To view the full set of options, see Command-line options for setup and scripts.

Use a setup script file


To use a setup script file, specify the file name after the /SCRIPT command-line option.
The script file name requires the .ini extension.
Provide the full path to the file. For example, if you name the file setup.ini, and store it in the C:\Setup
folder, then use the following command line: setup.exe /script C:\Setup\setup.ini
The account that runs setup must have Administrator rights on the computer. When you run setup with
the unattended script, open the command prompt window with the Run as administrator option.
Modify languages
To modify the languages that are installed at a site from a command prompt:
Run setup from <ConfigMgrInstallationPath>\Bin\X64 on the site server
Use the /MANAGELANGS command-line option
Specify a language script file with the languages to add or remove
For example, use the following command syntax: setupwpf.exe /MANAGELANGS <language script file>

For more information about the values to use in the language script file, see Manage languages.
For more information on languages in Configuration Manager, see Language packs.

Next steps
Command-line options for setup
Unattended setup script file keys
Install the Configuration Manager console
Command-line options for Configuration Manager setup
2/16/2022 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


Use this information to configure scripts or to install Configuration Manager from a command line. For more
information on how to use these command-line options, see Command-line overview.
Run setup.exe from the \BIN\X64 directory of the Configuration Manager installation path on the site server.

TIP
You can also use setupwpf.exe from the same folder, but it doesn't include basic prerequisite checks.

/DEINSTALL
Uninstall the site. Run setup from the site server computer.

/DONTSTARTSITECOMP
Install a site, but prevent the Site Component Manager service from starting. Until the Site Component Manager
service starts, the site isn't active. The Site Component Manager is responsible for installing and starting the
SMS_Executive service, and for other processes at the site. After the site install is finished, when you start the
Site Component Manager service, it installs the SMS_Executive service and other processes that are necessary
for the site to operate.

/HIDDEN
Hide the user interface during setup. Only use this option with the /SCRIPT option. The unattended script file
must provide all required options or setup fails.

/NOUSERINPUT
Disable user input during setup, but display the setup wizard. Only use this option with the /SCRIPT option. The
unattended script file must provide all required options or setup fails.

/RESETSITE
Run a site reset. This action resets the database and service accounts for the site. For more information, see Run
a site reset.

/TESTDBUPGRADE
Run a test on a backup of the site database to make sure that the database can upgrade.
IMPORTANT
The test upgrade is no longer a required or recommended step for most sites.
If your database is suspect, or is modified by customizations not explicitly supported by Configuration Manager, continue
to use this process.
Don't run this command-line option on your production site database. Running this command-line option on your
production site database upgrades the site database and could render your site inoperable.

Provide the instance name and database name for the site database. If you specify only the database name,
setup uses the default instance name.
/TESTDBUPGRADE <Instance name>\<Database name>

/TESTDBUPGRADE CM_ABC

/TESTDBUPGRADE Named\CM_ABC

For more information, see Test the database upgrade when installing an update.

/UPGRADE
Run an unattended upgrade of a site. Specify the product key including the dash ( - ) delimiters. Also specify the
path to the previously downloaded setup prerequisite files.
For example: /UPGRADE xxxxx-xxxxx-xxxxx-xxxxx-xxxxx C:\Setup\prereqs

For more information about setup prerequisite files, see Setup Downloader.

/SCRIPT
Run an unattended installation. Use a setup initialization file with this option. For more information about how
to run setup unattended, see Install sites using a command line. For more information on the script file keys and
values, see Unattended setup script file keys.
For example: /SCRIPT C:\Setup\setup.ini

/SDKINST
Install the SMS Provider on the specified server. Provide the fully qualified domain name (FQDN) for the SMS
Provider computer. For more information about the SMS Provider, see Plan for the SMS Provider.
For example: /SDKINST cm02.contoso.com

/SDKDEINST
Uninstall the SMS Provider on the specified computer. Provide the FQDN for the SMS Provider computer.
For example: /SDKDEINST cm01.contoso.com

/MANAGELANGS
Manage the languages that are installed at a previously installed site. Provide the location for the language
script file that contains the language settings. For more information, see the Keys to manage languages.
For example: /MANAGELANGS C:\Setup\langsetup.ini
Next steps
Unattended setup script file keys
Unattended setup script file keys
2/16/2022 • 12 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


This article defines all of the keys and values to specify in the .ini installation script file. Use this file with the
/SCRIPT command-line option to do an unattended installation or recovery of a Configuration Manager site.
The tables in this article show:
The available setup script keys and their corresponding values
If they're required
Which type of installation they're used for
A short description of the key
For more information, see the following articles:
Command-line overview
Setup command-line options
Specify the section names in square brackets ( [] ): [<Section name>] . For example, [Identification] .
When you provide values for keys, the name of the key must be followed by an equal sign ( = ) and the value for
the key: <Key name>=<Value> . For example, CDLatest=1 . Make sure the keys are under the appropriate section.
Each section and each value needs to be unique in a single script. For example, there can only be one
[Identification] section and only one Action key.

Supported actions
A script is primarily defined by the Action key in the Identification section. The following list includes all of the
currently supported actions for running setup unattended:
InstallCAS: Install a central administration site (CAS)
InstallPrimarySite: Install a primary site
ManageLanguages: Add or remove client and server languages
RecoverPrimarySite: Recover a primary site
RecoverCCAR: Recover a CAS

Install a site
Identification section for site install
Depending upon the type of site you're installing, include the following keys with the appropriate values in the
Identification section:

Key name | Required | Values | Details
Action | Yes | InstallPrimarySite; InstallCAS | InstallPrimarySite: Install a primary site. InstallCAS: Install a central administration site (CAS).
CDLatest | Yes (see note 2) | 1: Setup runs from CD.Latest | When you run setup from the CD.Latest folder, include this key and value. This value tells setup that you're using media from CD.Latest.

Note 2: CDLatest required


The CDLatest key is only required when you run setup from the CD.Latest folder to install a primary site or a
central administration site. For more information, see About the command-line script file.
Options section for site install
Include the following keys in the Options section to install a site:

Key name | Required | Values | Details
ProductID | Yes | xxxxx-xxxxx-xxxxx-xxxxx-xxxxx: A valid product key with dashes; Eval: Install the evaluation version | The type of license to install.
SiteCode | Yes | Three-character code, for example XYZ | The three-character site code that uniquely identifies the site in the hierarchy.
SiteName | Yes | A site name | The friendly name for this site to help identify it.
SMSInstallDir | Yes | Local directory path | The installation folder for the Configuration Manager program files.
SDKServer | Yes | SMS Provider FQDN | The FQDN of the first server to host the SMS Provider.
PrerequisiteComp | Yes | 0: Download; 1: Already downloaded | Specify whether prerequisite files have already been downloaded. If you use a value of 0, setup downloads the files.
PrerequisitePath | Yes | Local directory path | The path to the prerequisite files. Depending on the PrerequisiteComp value, setup uses this path to store downloaded files or to locate previously downloaded files.
AdminConsole | Yes | 0: Don't install; 1: Install | Specify whether to install the Configuration Manager console on the site server.
JoinCEIP | Yes | 0 | While support for the Customer Experience Improvement Program (CEIP) was removed from the product, this key is still required.
MobileDeviceLanguage | Yes | 0: Don't install; 1: Install | Specify whether the mobile device client languages are installed.

When you install a site, you can also specify the keys to manage languages, such as AddServerLanguages or
AddClientLanguages. For more information, see Options section for languages.
The following keys in the Options section are specific to a primary site:

Key name | Required | Values | Details
ManagementPoint | No | MP FQDN | The FQDN of the server that will host the first management point (MP) site system role.
ManagementPointProtocol | No | HTTPS or HTTP | The protocol to use for the MP.
DistributionPoint | No | DP FQDN | The FQDN of the server that will host the first distribution point (DP) site system role.
DistributionPointProtocol | No | HTTPS or HTTP | The protocol to use for the DP.
DistributionPointInstallIIS | No | 0: Don't install; 1: Install | Specify whether to install IIS on the DP.
RoleCommunicationProtocol | Yes | EnforceHTTPS or HTTPorHTTPS | Specify whether to configure all site systems to accept only HTTPS communication from clients, or to configure the communication method for each site system role. When you select EnforceHTTPS, clients need a valid public key infrastructure (PKI) certificate for client authentication.
ClientsUsePKICertificate | Yes | 0: Don't use; 1: Use | Specify whether clients will use a client PKI certificate to communicate with site system roles.
UseFQDN | No | 0: Don't use; 1: Use | Specify whether the site systems' FQDN is for use on the internet.
ParentSiteCode | No | Site code | When you're adding a child primary site to an existing hierarchy, specify the site code of the CAS.
ParentSiteServer | No | FQDN | When you're adding a child primary site to an existing hierarchy, specify the FQDN of the CAS server.

SQLConfigOptions section for site install


Include the following keys in the SQLConfigOptions section to install a site:

Key name | Required | Values | Details
SQLServerName | Yes | FQDN of SQL Server | The name of the server or clustered instance that's running SQL Server to host the site database.
DatabaseName | Yes | Name or Instance\Name | The name of the SQL Server database to create or use. If it's on the default instance, just specify the database name. Otherwise specify the instance and name.
SQLServerPort | No | Port number | The port that SQL Server uses. By default, it uses 1433.
SQLSSBPort | No | Port number | The SQL Server Service Broker (SSB) port. By default, SSB uses TCP port 4022.
SQLDataFilePath | No | Local directory path | An alternate location to create the database .mdb file.
SQLLogFilePath | No | Local directory path | An alternate location to create the database .ldf log file.

CloudConnectorOptions section for site install


Include the following keys in the CloudConnectorOptions section to install a site:

Key name | Required | Values | Details
CloudConnector | Yes | 0: Don't install; 1: Install | Specify whether to install a service connection point (SCP) at this site. Because you can only install the SCP at the top-tier site of a hierarchy, set this value to 0 for a child primary site.
CloudConnectorServer | Yes* | SCP FQDN | The FQDN of the server that will host the SCP role. *Only required when CloudConnector equals 1.
UseProxy | Yes* | 0: No proxy; 1: Use proxy | Specify whether the SCP uses a proxy server. *Only required when CloudConnector equals 1.
ProxyName | Yes* | Proxy FQDN | The FQDN of the proxy server that the SCP uses. *Only required when UseProxy equals 1.
ProxyPort | Yes* | Port number | The port number of the proxy server that the SCP uses. *Only required when UseProxy equals 1.

SABranchOptions section for site install


Include the following keys in the SABranchOptions section to install a site:

Key name | Required | Values | Details
SAActive | No | 0: You don't have SA; 1: SA is active | Specify if you have active Software Assurance (SA). For more information, see Product and licensing FAQ.
CurrentBranch | No | 0: Install the LTSB; 1: Install current branch | Specify whether to use Configuration Manager current branch or long-term servicing branch (LTSB). For more information, see Which branch of Configuration Manager should I use?.
SAExpiration | No | Date | The date when SA expires, used as a convenient reminder of that date. For more information, see Licensing and branches.

HierarchyExpansionOption section for site expansion


When you're installing a CAS to expand a standalone primary site into a hierarchy, use the following keys in the
HierarchyExpansionOption section:

Key name | Required | Values | Details
CCARSiteServer | No | CAS FQDN | The FQDN of the CAS that a primary site attaches to when it joins the Configuration Manager hierarchy. Specify the CAS during setup.
CASRetryInterval | No | Minutes | If the connection to the CAS fails, the primary site waits this number of minutes, and then reattempts the connection.
WaitForCASTimeout | No | 0 to 100 | The maximum timeout value in minutes for a primary site to connect to the CAS.
UseDistributionView | No | 0: Don't enable; 1: Enable | Specify whether to use distributed views to optimize database replication.
JoinPrimarySiteName | No | Site server FQDN | The FQDN of the primary site server to expand.
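The sections above describe the script only key by key. As an added example that is not part of Microsoft's documentation, the following Python script parses an unattended setup .ini and checks it against the keys marked required for Action=InstallPrimarySite before the file is handed to setup.exe /SCRIPT; it also catches a cleared ProductID, a malformed or Windows-reserved SiteCode, a deprecated HTTP-only management point, and a service connection point on a child primary site. The embedded sample script, its hostname cm01.example.internal and its paths are constructed placeholders.

```python
"""Check a Configuration Manager unattended setup script (.ini) before running
setup.exe /SCRIPT. Added example, not Microsoft's code: required keys follow the
tables in this article for Action=InstallPrimarySite; the sample script below and
its hostnames and paths are constructed placeholders."""
import configparser
import re

RESERVED_SITE_CODES = {"AUX", "CON", "NUL", "PRN", "SMS"}  # Windows-reserved names
# Keys the article marks Required=Yes for a primary site install, by section.
REQUIRED_KEYS = {
    "Identification": ["Action"],
    "Options": ["ProductID", "SiteCode", "SiteName", "SMSInstallDir", "SDKServer",
                "PrerequisiteComp", "PrerequisitePath", "AdminConsole", "JoinCEIP",
                "MobileDeviceLanguage", "RoleCommunicationProtocol",
                "ClientsUsePKICertificate"],
    "SQLConfigOptions": ["SQLServerName", "DatabaseName"],
    "CloudConnectorOptions": ["CloudConnector"],
}
PRODUCT_KEY_RE = re.compile(r"^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$", re.IGNORECASE)


def validate(text):
    """Return (errors, warnings) for a primary-site install script."""
    errors, warnings = [], []
    # Keys are case-insensitive (configparser lower-cases them); strict mode
    # rejects the duplicate sections or keys that the script format forbids.
    cfg = configparser.ConfigParser(strict=True, interpolation=None)
    try:
        cfg.read_string(text)
    except configparser.Error as exc:
        return [f"parse error: {exc}"], warnings

    for section, keys in REQUIRED_KEYS.items():
        if not cfg.has_section(section):
            errors.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.has_option(section, key):
                errors.append(f"[{section}] missing required key {key}")
    if errors:
        return errors, warnings
    opts = cfg["Options"]

    # Setup clears ProductID once the wizard starts installing, so a reused
    # ConfigMgrAutoSave.ini commonly arrives here with an empty value.
    pid = opts["ProductID"].strip()
    if not (pid.upper() == "EVAL" or PRODUCT_KEY_RE.match(pid)):
        errors.append("ProductID must be a dashed product key or Eval")

    # Setup itself does not check the site code for length or reserved names.
    code = opts["SiteCode"].strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{3}", code):
        errors.append(f"SiteCode {code!r} must be three characters, A-Z or 0-9")
    elif code in RESERVED_SITE_CODES:
        errors.append(f"SiteCode {code!r} is a Windows-reserved name")

    # HTTP-only client communication is deprecated since version 2103.
    for key in ("ManagementPointProtocol", "DistributionPointProtocol"):
        if opts.get(key, "").strip().upper() == "HTTP":
            warnings.append(f"{key}=HTTP is deprecated; use HTTPS or enhanced HTTP")

    # The SCP may only exist at the top-tier site; a child primary must use 0.
    cc = cfg["CloudConnectorOptions"]
    if cc["CloudConnector"].strip() == "1":
        if opts.get("ParentSiteCode", "").strip():
            errors.append("CloudConnector must be 0 on a child primary site")
        if not cc.get("CloudConnectorServer", "").strip():
            errors.append("CloudConnectorServer is required when CloudConnector=1")
    return errors, warnings


# Constructed sample script; the hostnames and paths are placeholders.
SAMPLE_SCRIPT = """[Identification]
Action=InstallPrimarySite
CDLatest=1
[Options]
ProductID=Eval
SiteCode=SMS
SiteName=Example primary site
SMSInstallDir=C:\\Program Files\\Microsoft Configuration Manager
SDKServer=cm01.example.internal
PrerequisiteComp=1
PrerequisitePath=C:\\Setup\\prereqs
AdminConsole=1
JoinCEIP=0
MobileDeviceLanguage=0
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
ManagementPoint=cm01.example.internal
ManagementPointProtocol=HTTP
[SQLConfigOptions]
SQLServerName=cm01.example.internal
DatabaseName=CM_SMS
[HierarchyExpansionOption]
[CloudConnectorOptions]
CloudConnector=1
CloudConnectorServer=cm01.example.internal
UseProxy=0
[SABranchOptions]
SAActive=1
CurrentBranch=1
"""
```

Running validate(SAMPLE_SCRIPT) reports the reserved site code SMS as an error and the HTTP management point as a warning; fix both in the file and it returns empty lists.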

Manage languages
Identification section for languages
Include the following key in the Identification section to manage languages:

Key name | Required | Values | Details
Action | Yes | ManageLanguages | Manages the server, client, and mobile client language support at a site.

Options section for languages


Include the following keys in the Options section to manage languages:

Key name | Required | Values | Details
AddServerLanguages | No | See note 1 | The server languages that will be available for the Configuration Manager console, reports, and other objects.
AddClientLanguages | No | See note 1 | The languages that will be available to client computers.
DeleteServerLanguages | No | See note 1 | The languages to remove. They'll no longer be available for the Configuration Manager console, reports, and other objects.
DeleteClientLanguages | No | See note 1 | The languages to remove, which will no longer be available to client computers. English is available by default; you can't remove it.
MobileDeviceLanguage | Yes | 0: Don't install; 1: Install | Specify whether the mobile device client languages are installed.
PrerequisiteComp | Yes | 0: Download; 1: Already downloaded | Specify whether prerequisite files have already been downloaded. For example, if you use a value of 0, setup downloads the files.
PrerequisitePath | Yes | Local directory path | The path to the prerequisite files. Depending on the PrerequisiteComp value, setup uses this path to store downloaded files or to locate previously downloaded files.
ResetSecSiteLangs | No | 0: Don't reset; 1: Reset | Reset the language packs installed at a secondary site.

Note 1: Supported language values


Use the three-letter code for the server languages or client languages that Configuration Manager supports. For
example, to add support for German on the client, specify the following key and value pair:
AddClientLanguages=DEU

English ( ENG ) is available by default. You don't have to add it, and you can't remove it.

Recover a site

Identification section for site recovery

Depending upon the type of site you're recovering, include the following keys with the appropriate values in the
Identification section:

Key name | Required | Values | Details
Action | Yes | RecoverPrimarySite; RecoverCCAR | RecoverPrimarySite: Recover a primary site. RecoverCCAR: Recover a CAS.
CDLatest | Yes (see note 3) | 1: Setup runs from CD.Latest | When you run setup from the CD.Latest folder, include this key and value. This value tells setup that you're using media from CD.Latest.

Note 3: CDLatest required

The CDLatest key is only required when you run setup from the CD.Latest folder to recover a site. For more
information, see About the command-line script file.

RecoveryOptions section for site recovery

Include the following keys in the RecoveryOptions section to recover a site:

Key name | Required | Values | Details
ServerRecoveryOptions | Yes | 1: Site server and SQL Server; 2: Site server only; 4: SQL Server only | What components to recover. See note 4.
DatabaseRecoveryOptions | Yes* | 10: Restore from backup; 20: Manually recovered; 40: Create new database; 80: Skip | Specify how setup recovers the site database in SQL Server. * Only required when ServerRecoveryOptions is 1 or 4.
ReferenceSite | Yes* | FQDN | The reference primary site that the CAS uses to recover global data. * Only required when DatabaseRecoveryOptions is 40. See note 5.
SiteServerBackupLocation | No | Directory path | The path to the site server backup set. If you don't specify a value, setup reinstalls the site without restoring it from a backup set.
BackupLocation | Yes* | Directory path | The path to the site database backup set. * Required when ServerRecoveryOptions is 1 or 4, and DatabaseRecoveryOptions is 10.

Note 4: ServerRecoveryOptions value notes

1 or 2: To recover the site by using a site backup, specify a value for SiteServerBackupLocation. If you don't
specify a value, setup reinstalls the site without restoring it from a backup set.
4: The BackupLocation key is required when you configure a value of 10 for the DatabaseRecoveryOptions
key, which is to restore the site database from backup.

Note 5: ReferenceSite value notes

If the database backup is older than the change-tracking retention period, or when you recover the site
without a backup, specify the reference primary site that the CAS uses to recover global data.
When you don't specify a reference site, and the backup is older than the change-tracking retention
period, all primary sites are reinitialized with the restored data from the CAS.
When you don't specify a reference site, and the backup is within the change-tracking retention period,
only changes that are made after the backup are replicated from primary sites. When there are conflicting
changes from different primary sites, the CAS uses the first one that it receives.
Options section for site recovery

Many of the keys in the Options section are also required for site recovery. For more information, see Options
section for site install. The following table summarizes the keys in the Options section for site recovery:

Key name | Required | Comment
ProductID | Yes |
SiteCode | Yes | Use the same site code that it used before the failure.
SiteName | No |
SMSInstallDir | Yes |
SDKServer | Yes | Use the same server that hosted this role before the failure.
PrerequisiteComp | Yes |
PrerequisitePath | Yes |
AdminConsole | Yes* | * Only required when ServerRecoveryOptions is 1 or 2.
JoinCEIP | Yes |

SQLConfigOptions section for site recovery

Many of the keys in the SQLConfigOptions section are also required for site recovery. For more information,
see SQLConfigOptions section for site install. The following table summarizes the keys in the
SQLConfigOptions section for site recovery:

Key name | Required | Comment
SQLServerName | Yes | Use the same server that hosted the site database before the failure.
DatabaseName | Yes | Use the same database name that was used before the failure.
SQLSSBPort | Yes | Use the same port that was used before the failure.
SQLDataFilePath | No |
SQLLogFilePath | No |

CloudConnectorOptions section for site recovery

Many of the keys in the CloudConnectorOptions section are also required for site recovery. For more
information, see CloudConnectorOptions section for site install. The following table summarizes the keys in the
CloudConnectorOptions section for site recovery:

Key name | Required | Comment
CloudConnector | Yes |
CloudConnectorServer | Yes* | * Only required when CloudConnector equals 1.
UseProxy | Yes* | * Only required when CloudConnector equals 1.
ProxyName | Yes* | * Only required when UseProxy equals 1.
ProxyPort | Yes* | * Only required when UseProxy equals 1.

HierarchyExpansionOption section for site recovery

Many of the keys in the HierarchyExpansionOption section are also required for site recovery. For more
information, see HierarchyExpansionOption section for site install. The following table summarizes the keys in
the HierarchyExpansionOption section for site recovery:

Key name | Required | Comment
CCARSiteServer | Yes* | * Only required if the primary site was attached to a CAS before the failure.
CASRetryInterval | No |
WaitForCASTimeout | No |
Examples
Example script to install a primary site
[Identification]
Action=InstallPrimarySite
CDLatest=1

[Options]
ProductID=Eval
SiteCode=XYZ
SiteName=Contoso eval site
SMSInstallDir=D:\Program Files\Microsoft Configuration Manager
SDKServer=cmsite.contoso.com
PrerequisiteComp=0
PrerequisitePath=C:\Sources\Redist
AdminConsole=1
JoinCEIP=0
ManagementPoint=cmsite.contoso.com
ManagementPointProtocol=HTTP
DistributionPoint=cmsite.contoso.com
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
MobileDeviceLanguage=0

[SQLConfigOptions]
SQLServerName=cmsql.contoso.com
SQLServerPort=1433
DatabaseName=CM_XYZ
SQLSSBPort=4022
SQLDataFilePath=E:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\
SQLLogFilePath=E:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\

[CloudConnectorOptions]
CloudConnector=1
CloudConnectorServer=cmsite.contoso.com
UseProxy=0

[SABranchOptions]
SAActive=1
CurrentBranch=1
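
Several keys in the site-recovery tables are only required depending on other keys (DatabaseRecoveryOptions and BackupLocation depend on ServerRecoveryOptions, ReferenceSite depends on DatabaseRecoveryOptions, AdminConsole on ServerRecoveryOptions), and Setup only reports such problems once it runs. The following PowerShell is an added example, not Microsoft's documentation or part of the Configuration Manager setup tooling: it parses an unattended-setup script and checks those dependency rules before the file is handed to Setup. The sample script contents (site code, server names, backup paths) are constructed for the example.

```powershell
# Added example (not Microsoft's documentation or setup tooling): parse a ConfigMgr
# unattended-setup script ([Section] / Key=Value lines) and check the site-recovery
# dependency rules from the tables above before handing the file to Setup.exe /script.

function Read-SetupScript {
    param([Parameter(Mandatory)][string[]]$Lines)
    $config = @{}
    $section = ''
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }   # blank or comment line
        if ($trimmed -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $config.ContainsKey($section)) { $config[$section] = @{} }
            continue
        }
        # Split on the first '=' only; values such as paths may contain further '=' characters.
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1 -or $section -eq '') { throw "Unparseable line: $line" }
        $config[$section][$trimmed.Substring(0, $idx).Trim()] = $trimmed.Substring($idx + 1).Trim()
    }
    return $config
}

function Test-RecoveryScript {
    param([Parameter(Mandatory)][hashtable]$Config)
    $problems = New-Object 'System.Collections.Generic.List[string]'

    $ident = $Config['Identification']
    $action = if ($ident) { $ident['Action'] } else { $null }
    if ($action -notin @('RecoverPrimarySite', 'RecoverCCAR')) {
        $problems.Add("Identification.Action must be RecoverPrimarySite or RecoverCCAR (found '$action').")
    }

    $rec = $Config['RecoveryOptions']
    if (-not $rec) { $problems.Add('Missing [RecoveryOptions] section.'); return $problems }

    $server = $rec['ServerRecoveryOptions']
    if ($server -notin @('1', '2', '4')) {
        $problems.Add("ServerRecoveryOptions must be 1, 2 or 4 (found '$server').")
    }

    # DatabaseRecoveryOptions is required whenever SQL Server is part of the recovery (1 or 4).
    $db = $rec['DatabaseRecoveryOptions']
    if ($server -in @('1', '4')) {
        if ($db -notin @('10', '20', '40', '80')) {
            $problems.Add("DatabaseRecoveryOptions (10, 20, 40 or 80) is required when ServerRecoveryOptions is $server.")
        }
        # Restoring the database from backup (10) needs the backup set path.
        if ($db -eq '10' -and [string]::IsNullOrWhiteSpace($rec['BackupLocation'])) {
            $problems.Add('BackupLocation is required when DatabaseRecoveryOptions is 10.')
        }
        # Creating a new database (40) needs a reference primary site for global data.
        if ($db -eq '40' -and [string]::IsNullOrWhiteSpace($rec['ReferenceSite'])) {
            $problems.Add('ReferenceSite is required when DatabaseRecoveryOptions is 40.')
        }
    }

    # Without a site server backup set, setup reinstalls the site instead of restoring it.
    if ($server -in @('1', '2') -and [string]::IsNullOrWhiteSpace($rec['SiteServerBackupLocation'])) {
        $problems.Add('Warning: SiteServerBackupLocation is not set; the site server will be reinstalled, not restored.')
    }

    # Keys that the Options and SQLConfigOptions tables mark as required for recovery.
    $opt = $Config['Options']
    foreach ($key in 'ProductID', 'SiteCode', 'SMSInstallDir', 'SDKServer', 'PrerequisiteComp', 'PrerequisitePath', 'JoinCEIP') {
        if (-not $opt -or -not $opt.ContainsKey($key)) { $problems.Add("Options.$key is required for recovery.") }
    }
    if ($server -in @('1', '2') -and (-not $opt -or -not $opt.ContainsKey('AdminConsole'))) {
        $problems.Add('Options.AdminConsole is required when ServerRecoveryOptions is 1 or 2.')
    }
    $sql = $Config['SQLConfigOptions']
    foreach ($key in 'SQLServerName', 'DatabaseName', 'SQLSSBPort') {
        if (-not $sql -or -not $sql.ContainsKey($key)) { $problems.Add("SQLConfigOptions.$key is required for recovery.") }
    }
    return $problems
}

# Constructed sample: recover a primary site's server and database from backup sets.
$sample = @'
[Identification]
Action=RecoverPrimarySite

[RecoveryOptions]
ServerRecoveryOptions=1
DatabaseRecoveryOptions=10
SiteServerBackupLocation=\\backup.contoso.com\cmbackup\XYZBackup
BackupLocation=\\backup.contoso.com\cmbackup\XYZBackup

[Options]
ProductID=Eval
SiteCode=XYZ
SMSInstallDir=D:\Program Files\Microsoft Configuration Manager
SDKServer=cmsite.contoso.com
PrerequisiteComp=1
PrerequisitePath=C:\Sources\Redist
AdminConsole=1
JoinCEIP=0

[SQLConfigOptions]
SQLServerName=cmsql.contoso.com
DatabaseName=CM_XYZ
SQLSSBPort=4022
'@ -split "`r?`n"

$result = @(Test-RecoveryScript -Config (Read-SetupScript -Lines $sample))
if ($result.Count -eq 0) { 'Script passes the recovery dependency checks.' } else { $result }
```

Run the checker against the real script file with `Read-SetupScript -Lines (Get-Content .\recover.ini)`; an empty result means the dependency rules above are satisfied, while a non-empty one lists each violated rule so it can be fixed before Setup runs and leaves a half-recovered site.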
Install the Configuration Manager console
2/16/2022 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


Administrators use the Configuration Manager console to manage the Configuration Manager environment.
Each Configuration Manager console can connect to a central administration site (CAS) or to a primary site. You
can't connect a Configuration Manager console to a secondary site.
The Configuration Manager console is always installed on the site server for the CAS or a primary site. To install
the console separate from site server installation, run the standalone installer.

Prerequisites
Supported OS versions for Configuration Manager consoles
You have local Administrator rights on the target computer for the console.
You have Read permissions to the location of the console installation files.
.NET version requirements
Starting in version 2107, the console requires Microsoft .NET Framework version 4.6.2, but version 4.8 is
recommended. If you install the console on other devices, make sure to update .NET. If the device doesn't already
have it, the console setup doesn't install this prerequisite.
Starting in version 2103, the ConfigurationManager PowerShell module requires Microsoft .NET version 4.7.2 or
later.

NOTE
.NET Framework version 4.6.2 is preinstalled with Windows Server 2016 and Windows 10 version 1607. Later versions of
Windows are preinstalled with a later version of the .NET Framework.
.NET Framework version 4.8 isn't supported on some OS versions, such as Windows 10 2015 LTSB.
For more information, see .NET Framework system requirements.

Source paths
Decide which source path to use:
ConsoleSetup folder in the installation path on the site server: \Tools\ConsoleSetup

When you install a site server, it copies the console installation files and supported language packs for the
site to the Tools\ConsoleSetup subfolder. Optionally, you can copy the ConsoleSetup folder to an
alternate location to start the installation. When you update the site, it always keeps its local version up to
date.
Configuration Manager installation media: \SMSSETUP\BIN\I386

Installing the Configuration Manager console from the installation media always installs the English
version. This behavior happens even if the site server supports different languages, or the target
computer's OS is set to a different language.
When possible, start the console installer from the ConsoleSetup folder rather than from the source media.

IMPORTANT
Don't install the console using the CD.Latest source files. It's an unsupported scenario, and may cause problems with
the console installation. For more information, see The CD.Latest folder.

If you create a package for installing the console on other computers, make sure the package includes the
following files:
ConsoleSetup.exe
AdminConsole.msi
ConfigMgr.AC_Extension.i386.cab
ConfigMgr.AC_Extension.amd64.cab

Use the Setup Wizard


1. Browse to the source path, and open ConsoleSetup.exe .

IMPORTANT
Always install the console by using ConsoleSetup.exe . Although you can install the Configuration Manager
console by running AdminConsole.msi, this method doesn't run prerequisites or dependency checks. The
installation might not install correctly.

2. In the wizard, select Next .


3. On the Site Server page, enter the fully qualified domain name (FQDN) of the site server to which the
Configuration Manager console connects.
4. On the Installation Folder page, enter the installation folder for the Configuration Manager console.
The folder path can't include trailing spaces or Unicode characters.
5. On the Ready to Install page, select Install .

Install from a command prompt


TIP
Installing the Configuration Manager console from a command prompt always installs the English version. This behavior
happens even if the target computer's OS is set to a different language. To install the Configuration Manager console in a
language other than English, use the Setup Wizard.

ConsoleSetup.exe command-line options

/q
Installs the Configuration Manager console unattended. The TargetDir and DefaultSiteServerName options
are required when you use this option.
/uninstall
Uninstalls the Configuration Manager console. Specify this option first when you use it with the /q option.
LangPackDir
Specifies the path to the folder that contains the language files. You can use Setup Downloader to download
the language files. If you don't use this option, Setup looks for the language folder in the current folder. If the
language folder isn't found, Setup continues to install English only. For more information, see Setup
Downloader.
TargetDir
Specifies the installation folder to install the Configuration Manager console. This option is required when you
use the /q option.
DefaultSiteServerName
Specifies the FQDN of the site server to which the console connects when it opens. This option is required when
you use the /q option.
Examples
Silent install
ConsoleSetup.exe /q "TargetDir=%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=MyServer.Contoso.com

Silent install with language packs
ConsoleSetup.exe /q "TargetDir=C:\Program Files\ConfigMgr Console" DefaultSiteServerName=MyServer.Contoso.com LangPackDir=C:\Downloads\ConfigMgr

Silent uninstall
ConsoleSetup.exe /uninstall /q
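
The silent-install command above is usually wrapped in a script when the console is deployed to administrators' workstations. The following PowerShell is an added example, not Microsoft's installer or documentation: it installs the console from the site server's ConsoleSetup folder after checking that the package contains the files listed earlier, that ConsoleSetup.exe carries a valid Authenticode signature, and that the .NET Framework version the console requires is present. The site server name and the SMS_XYZ share path are assumptions for the example; the .NET Framework Release values (394802 for 4.6.2, 528040 for 4.8) are the lowest values Windows writes for those versions.

```powershell
# Added example (not Microsoft's installer or documentation): install the Configuration
# Manager console silently from the site server's ConsoleSetup folder, after checking the
# package contents, the installer's signature and the .NET Framework version the console needs.
# Assumed values: the site server name, its SMS_<sitecode> share and the target folder.

function Get-NetFrameworkRelease {
    # The Release value under this key identifies the installed .NET Framework 4.x build.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.Release
}

function Test-ConsolePackage {
    param([Parameter(Mandatory)][string]$SourcePath)
    # The files the page lists as required for a console installation package.
    $required = 'ConsoleSetup.exe', 'AdminConsole.msi',
                'ConfigMgr.AC_Extension.i386.cab', 'ConfigMgr.AC_Extension.amd64.cab'
    $missing = $required | Where-Object { -not (Test-Path (Join-Path $SourcePath $_)) }
    if ($missing) { throw "Console package at $SourcePath is missing: $($missing -join ', ')" }

    # Refuse to run an installer whose Authenticode signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $SourcePath 'ConsoleSetup.exe')
    if ($sig.Status -ne 'Valid') { throw "ConsoleSetup.exe signature status is $($sig.Status); not installing." }
    return $true
}

function Install-CMConsoleSilent {
    param(
        [Parameter(Mandatory)][string]$SourcePath,      # for example \\<site server>\SMS_<sitecode>\Tools\ConsoleSetup
        [Parameter(Mandatory)][string]$SiteServerFqdn,
        [string]$TargetDir = "$env:ProgramFiles\ConfigMgr Console",
        [string]$LangPackDir
    )
    # Release 394802 is the lowest value that identifies .NET Framework 4.6.2; 528040 identifies 4.8.
    $release = Get-NetFrameworkRelease
    if ($release -lt 394802) { throw ".NET Framework 4.6.2 or later is required (Release=$release); console setup does not install it." }
    if ($release -lt 528040) { Write-Warning ".NET Framework 4.8 is recommended (Release=$release)." }

    Test-ConsolePackage -SourcePath $SourcePath | Out-Null

    # Always start ConsoleSetup.exe, not AdminConsole.msi, so the prerequisite and dependency checks run.
    $setupArgs = @('/q', ('"TargetDir={0}"' -f $TargetDir), "DefaultSiteServerName=$SiteServerFqdn")
    if ($LangPackDir) { $setupArgs += ('"LangPackDir={0}"' -f $LangPackDir) }

    $proc = Start-Process -FilePath (Join-Path $SourcePath 'ConsoleSetup.exe') -ArgumentList $setupArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "ConsoleSetup.exe exited with code $($proc.ExitCode)" }
    return $proc.ExitCode
}

# Usage (assumed site server and share name; run elevated on the target computer):
# Install-CMConsoleSilent -SourcePath '\\cmsite.contoso.com\SMS_XYZ\Tools\ConsoleSetup' -SiteServerFqdn 'cmsite.contoso.com'
```

The source path deliberately points at the site server's Tools\ConsoleSetup folder rather than the installation media or CD.Latest, so the installed console matches the site's version and language packs and the unsupported CD.Latest scenario is avoided.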

Next steps
An administrator sees objects in the console based on the permissions assigned to their user account. For more
information, see Fundamentals of role-based administration.
For more information on the fundamentals of navigating the Configuration Manager console, see How to use
the console.
Upgrade an evaluation installation of Configuration
Manager to a full installation
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


If you installed Configuration Manager as an evaluation version, after 180 days the Configuration Manager
console becomes read-only. You then need to activate the product from the Site Maintenance page in Setup.
At any time before or after the 180-day period, you can upgrade to a full installation.

NOTE
When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the window
title bar displays the number of days that remain until it expires. The number of days in the window title doesn't
automatically refresh. It only updates when you make a new connection to a site.

You can upgrade the following sites that run an evaluation installation:
Central administration site (CAS)
Primary site
Configuration Manager doesn't consider secondary sites as evaluation installations. So after you upgrade a
primary parent site to a full installation, you don't need to modify a secondary site.

Prerequisites
To upgrade an evaluation version to a licensed version, you need the following requirements:
A valid product license key to use during the upgrade.
Administrator rights on the site server.

Process
1. On the site server, run .\BIN\X64\Setup.exe from the Configuration Manager installation folder. Use
this copy of Setup because site maintenance options aren't available when you run Setup from source
media.
2. On the Before You Begin page, select Next .
3. On the Getting Started page, select Perform site maintenance or reset the Site , and then select
Next .
4. On the Site Maintenance page, select Upgrade the evaluation edition to a licensed edition . Then
enter a valid product key, and select Next .
5. On the Microsoft Software License Terms page, read and accept the license terms, and then select
Next .
6. On the Configuration page, select Close to complete the wizard.
NOTE
Until you reconnect the console to the site, the title bar might indicate that the site is still an evaluation version.

Next steps
Configure sites and hierarchies
Upgrade to Configuration Manager current branch
2/16/2022 • 18 minutes to read

Applies to: Configuration Manager (current branch)


Do an in-place upgrade to Configuration Manager current branch from a site and hierarchy that runs System
Center 2012 Configuration Manager. Before upgrading from System Center 2012 Configuration Manager, you
must prepare the sites. This preparation requires you to remove specific configurations that can prevent a
successful upgrade. Then follow the upgrade sequence when more than a single site is involved.

TIP
When managing Configuration Manager site and hierarchy infrastructure, the terms upgrade, update, and install are used
to describe three separate concepts. To learn how each term is used, see About upgrade, update, and install.

In-place upgrade paths


The following options are the currently supported in-place upgrade paths:
Upgrade to the latest current branch version
You can upgrade the following products to a fully licensed, baseline version of Configuration Manager:
System Center 2012 Configuration Manager with Service Pack 2
System Center 2012 R2 Configuration Manager with Service Pack 1
For more information, see Frequently asked questions for Configuration Manager branches and licensing.

TIP
When you upgrade from a System Center 2012 Configuration Manager version to current branch, you might be able to
streamline your upgrade process. For more information, see the following:
Baseline and update versions
The CD.Latest folder

If you previously installed Configuration Manager Evaluation version, you can use the upgrade process to
convert the site to the full version. For more information, see Upgrade an evaluation installation of
Configuration Manager to a full installation.
Unsupported paths
The following paths aren't supported:
It's not supported to upgrade a technical preview branch to a fully licensed installation. A technical
preview version can only upgrade to a later version of the technical preview.
Migration from a technical preview to a fully licensed version isn't supported.

Upgrade checklists
The following checklists can help you plan a successful upgrade to Configuration Manager.
Before you upgrade
Review these steps before you upgrade to Configuration Manager.
Review your System Center 2012 Configuration Manager environment
Resolve issues as detailed in the following Microsoft Support article: Configuration Manager clients reinstall
every five hours because of a recurring retry task and may cause an inadvertent client upgrade.
Make sure your environment meets the supported configurations
Review the server OS version in use to host site system roles:
Some older operating systems supported by System Center 2012 Configuration Manager aren't
supported by Configuration Manager current branch. Before the upgrade, remove site system
roles on those OS versions. For more information, see Supported operating systems for site
system servers.
The prerequisite checker for Configuration Manager doesn't verify the prerequisites for site system
roles on the site server or on remote site systems.
Review required prerequisites for each computer that hosts a site system role. For example, to deploy an
OS, Configuration Manager uses the Windows Assessment and Deployment Kit (ADK). Before you run
Setup, download and install the Windows ADK on the site server and on each computer that runs an
instance of the SMS Provider.
For more information about supported platforms and prerequisite configurations, see Supported
configurations.
For more information about using the Windows ADK with Configuration Manager, see Infrastructure
requirements for OS deployment.
Review the site and hierarchy status and verify that there are no unresolved issues
Before you upgrade a site, resolve all operational issues for the following components:
Site server
Site database server
Site system roles on remote computers
A site upgrade can fail because of existing operational problems.
Install all applicable critical updates for operating systems on computers that host the site, the site database server, and remote site system roles
Before you upgrade a site, install any critical software updates for each applicable site system. If an update that
you install requires a restart, restart the applicable computers before you start the upgrade.
Uninstall the site system roles not supported by Configuration Manager
The following site system roles are no longer used in Configuration Manager. Uninstall them before you
upgrade from System Center 2012 Configuration Manager:
Out of Band Management point
System Health Validator point
Application catalog website point and web service point
Disable database replicas for management points at primary sites
Configuration Manager can't upgrade a primary site that has a database replica for management points. Disable
database replication before you:
Create a backup of the site database to test the database upgrade
Upgrade the production site to Configuration Manager current branch
For more information, see the following articles:
System Center 2012 Configuration Manager: Configure database replicas for management points
Configuration Manager, current branch: Database replicas for management points
Reconfigure software update points that use NLB
Configuration Manager can't upgrade a site that uses a Network Load Balancing (NLB) cluster to host software
update points.
If you use NLB clusters for software update points, use PowerShell to remove the NLB cluster. (Beginning with
System Center 2012 Configuration Manager SP1, there was no option in the Configuration Manager console to
configure an NLB cluster.)
Disable all site maintenance tasks at each site during its upgrade
Before you upgrade to Configuration Manager, disable any site maintenance tasks that might run during the
time the upgrade process is active. This list includes but isn't limited to the following tasks:
Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data
If a site database maintenance task runs during the upgrade process, the site upgrade can fail.
Before you disable a task, record the schedule of the task so you can restore its configuration after the site
upgrade completes.
For more information about site maintenance tasks, see the following articles:
System Center 2012 Configuration Manager: Planning for site operations
Configuration Manager, current branch: Reference for maintenance tasks
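
The steps above ask you to record each task's schedule before disabling it so the configuration can be restored after the upgrade. The following PowerShell is an added example, not Microsoft's documentation or tooling: it saves the state of the site's maintenance tasks to a file, disables every enabled task for the upgrade window, and later re-enables the recorded ones while reporting any schedule that no longer matches the recording. It uses the ConfigurationManager module that ships with the console; the Get-CMSiteMaintenanceTask and Set-CMSiteMaintenanceTask cmdlets exist in that module, but the parameter name MaintenanceTaskName and the task properties (ItemName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek) are assumptions that should be confirmed against Get-Help in your module version. The site code and file path are assumed.

```powershell
# Added example (not Microsoft's documentation or tooling): record, disable and restore a
# site's maintenance tasks around an upgrade, using the ConfigurationManager PowerShell
# module. Cmdlet parameter names and task property names are assumptions from that module;
# run from the site's PS drive (for example, after Set-Location 'XYZ:').

function Save-CMMaintenanceTaskState {
    param([Parameter(Mandatory)][string]$SiteCode, [Parameter(Mandatory)][string]$Path)
    $state = Get-CMSiteMaintenanceTask -SiteCode $SiteCode |
        Select-Object ItemName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek
    # Export-Clixml keeps the values typed, so they can be compared exactly on restore.
    $state | Export-Clixml -Path $Path
    return $state
}

function Disable-CMMaintenanceTasks {
    param([Parameter(Mandatory)][string]$SiteCode)
    $disabled = @()
    foreach ($task in (Get-CMSiteMaintenanceTask -SiteCode $SiteCode | Where-Object Enabled)) {
        # Only the enabled flag changes; the schedule stays on the task for the restore step.
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $task.ItemName -Enabled $false
        $disabled += $task.ItemName
    }
    return $disabled
}

function Restore-CMMaintenanceTaskState {
    param([Parameter(Mandatory)][string]$SiteCode, [Parameter(Mandatory)][string]$Path)
    $saved = Import-Clixml -Path $Path
    $current = Get-CMSiteMaintenanceTask -SiteCode $SiteCode
    $restored = @()
    foreach ($entry in $saved) {
        $task = $current | Where-Object ItemName -eq $entry.ItemName
        if ($null -eq $task) { Write-Warning "Task '$($entry.ItemName)' no longer exists after the upgrade."; continue }
        if ($task.Enabled -ne $entry.Enabled) {
            Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $entry.ItemName -Enabled $entry.Enabled
            $restored += $entry.ItemName
        }
        # A site upgrade can reset settings, so report schedules that differ from the recording.
        if ($task.BeginTime -ne $entry.BeginTime -or $task.DaysOfWeek -ne $entry.DaysOfWeek) {
            Write-Warning "Schedule of '$($entry.ItemName)' differs from the recorded value; review it."
        }
    }
    return $restored
}

# Usage (assumed site code and file path):
# Save-CMMaintenanceTaskState -SiteCode 'XYZ' -Path 'C:\Upgrade\XYZ-tasks.xml'
# Disable-CMMaintenanceTasks -SiteCode 'XYZ'
# ... upgrade the site ...
# Restore-CMMaintenanceTaskState -SiteCode 'XYZ' -Path 'C:\Upgrade\XYZ-tasks.xml'
```

Keep the exported file with the pre-upgrade site backup: it is the only record of which tasks were enabled if the upgrade resets task settings, and the restore step deliberately re-enables only tasks that were enabled before.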
Run setup prerequisite checker
Before you upgrade a site, run the Prerequisite Checker independently from setup to validate that your site
meets the prerequisites. Later, when you upgrade the site, prerequisite checker runs again.
The independent prerequisite check evaluates the site for upgrade to both the current branch and the long-term
servicing branch (LTSB) of Configuration Manager. Because some features aren't supported by the LTSB, you
might see entries in the ConfigMgrPrereq.log that are like the following examples:
INFO: The site is a LTSB edition.
Unsupported site system role 'Asset Intelligence synchronization point' for the LTSB edition; Error;
Configuration Manager has detected that the 'Asset Intelligence synchronization point' is installed.
Asset Intelligence is not supported on the LTSB edition. You must uninstall the Asset Intelligence
synchronization point site system role before you can continue.

If you plan to upgrade to the current branch, errors for the LTSB edition can be safely ignored. They only apply if
you plan to upgrade to the LTSB.
Later, when you run Configuration Manager setup to do the upgrade, the prerequisite check runs again. It
evaluates your site based on the branch of Configuration Manager you choose to install (current branch, or
LTSB). If you choose to upgrade to the current branch, it doesn't run the check for features that aren't supported
by the LTSB.
For more information, see the Prerequisite checker and List of prerequisite checks.
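
Because the independent prerequisite check evaluates both branches, ConfigMgrPrereq.log mixes findings that block a current-branch upgrade with LTSB-only ones. The following PowerShell is an added example, not part of the documentation or the prerequisite checker: it reads the log and separates the two, keying only on the "; Error;" / "; Warning;" markers and the "LTSB edition" wording visible in the lines quoted above. The sample lines are constructed for the example, modelled on those quoted lines; real log lines carry further fields, which the parser ignores.

```powershell
# Added example (not part of the documentation or the prerequisite checker): read
# ConfigMgrPrereq.log and separate failures that matter for a current-branch upgrade
# from LTSB-only findings. The sample lines below are constructed for this example.

function Get-PrereqFindings {
    param([Parameter(Mandatory)][string[]]$LogLines, [switch]$TargetLtsb)
    $findings = foreach ($line in $LogLines) {
        # Only lines carrying a severity marker are findings; INFO lines are skipped.
        if ($line -notmatch ';\s*(Error|Warning)\s*;') { continue }
        $severity = $Matches[1]
        $ltsbOnly = $line -match 'LTSB edition'
        [pscustomobject]@{
            Severity = $severity
            LtsbOnly = $ltsbOnly
            # LTSB-only errors don't block a current-branch upgrade, but do block an LTSB one.
            Blocking = ($severity -eq 'Error') -and ($TargetLtsb -or (-not $ltsbOnly))
            Message  = $line.Trim()
        }
    }
    return @($findings)
}

# Constructed sample: the two lines quoted above plus two further constructed findings.
$sampleLog = @(
    'INFO: The site is a LTSB edition.',
    "Unsupported site system role 'Asset Intelligence synchronization point' for the LTSB edition; Error; Configuration Manager has detected that the 'Asset Intelligence synchronization point' is installed. Asset Intelligence is not supported on the LTSB edition.",
    'Pending system restart; Error; The computer has pending restart operations. Restart the computer and rerun Setup.',
    'SQL Server memory; Warning; Configuration Manager requires SQL Server to reserve a minimum amount of memory.'
)

$findings = Get-PrereqFindings -LogLines $sampleLog
$findings | Format-Table Severity, LtsbOnly, Blocking
$blocking = @($findings | Where-Object Blocking)
"Findings that block a current-branch upgrade: $($blocking.Count)"
```

Run it against the real log with `Get-PrereqFindings -LogLines (Get-Content "$env:SystemDrive\ConfigMgrPrereq.log")`, adding `-TargetLtsb` when the LTSB is the intended target so that the LTSB-only errors count as blocking.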
Download prerequisite files and redistributable files for Configuration Manager
Use Setup Downloader to download prerequisite redistributable files, language packs, and the latest product
updates for Configuration Manager.
For information, see Setup Downloader.
Plan to manage server and client languages
When you upgrade a site, the site upgrade installs only the language pack versions you select during the
upgrade.
Setup reviews the current language configuration of your site. It then identifies the language packs that
are available in the folder where you store previously downloaded prerequisite files.
You can affirm the selection of the current server and client language packs, or change the selections to
add or remove support for languages.
Only language packs that are available when you run Setup can be selected.

NOTE
You can't use the language packs from System Center 2012 Configuration Manager to enable languages for a
Configuration Manager current branch site.

For more information about language packs, see Language packs.


Review considerations for site upgrades
When you upgrade a site, some features and configurations reset to a default configuration. To help you prepare
for these and related changes, see Considerations for upgrading.
Create a backup of the site database at the central administration site (CAS) and primary sites
Before you upgrade a site, back up the site database to make sure that you have a successful backup to use for
disaster recovery.
For more information, see Backup and recovery.
Back up a customized configuration.mof file
If you use a customized configuration.mof file to define data classes you use with hardware inventory, create a
backup of this file. After the upgrade, restore this file to your site. For more information, see How to extend
hardware inventory.
Test the database upgrade process on a copy of the most recent site database backup
Before you upgrade a Configuration Manager CAS or primary site, test the site database upgrade process on a
copy of the site database.
Test the site database upgrade process. When you upgrade a site, the site database might be modified.
Although testing the database upgrade isn't required, it can identify problems for the upgrade before
your production database is affected.
A failed site database upgrade can render your site database inoperable and might require a site recovery
to restore functionality.
Although the site database is shared between sites in a hierarchy, plan to test the database at each
applicable site before you upgrade that site.
If you use database replicas for management points at a primary site, disable replication before you
create the backup of the site database.
Configuration Manager doesn't support the backup of secondary sites, or the test upgrade of a secondary site
database.
It's not supported to run a test database upgrade on the production site database. Doing so upgrades the site
database and could render your site inoperable.
For more information, see Test the site database upgrade.
Restart the site server and each computer that hosts a site system role
Do this action to make sure there are no pending actions from a recent installation of updates or from
prerequisites.
Start the upgrade
Starting at the top-level site in the hierarchy, run Setup.exe from the Configuration Manager source media.
After the top-level site upgrades, you can begin the upgrade of each child site. Complete the upgrade of each
site before you begin to upgrade the next site.
Until all sites in your hierarchy upgrade to Configuration Manager, your hierarchy operates in a mixed version
mode.
For information about how to run upgrade, see Upgrade sites.
After you upgrade
Review these steps after you upgrade to Configuration Manager.
Upgrade stand-alone Configuration Manager consoles
By default, when you upgrade a CAS or primary site, the installation also upgrades the Configuration Manager
console that's installed on the site server. Manually upgrade each console that's installed on a computer other
than the site server.

TIP
Close each open console before you start the upgrade.

For more information, see Install Configuration Manager consoles.


Reconfigure database replicas for management points at primary sites
If you use database replicas for management points at primary sites, uninstall the database replicas before you
upgrade the site. After you upgrade a primary site, reconfigure the database replica for management points.
For more information, see Database replicas for management points.
Reconfigure any database maintenance tasks you disabled before the upgrade
If you disabled database maintenance tasks at a site before the upgrade, reconfigure those tasks at the site using
the same settings that were in place before the upgrade.
Upgrade clients
After all your sites upgrade to Configuration Manager, plan to upgrade clients.
When you upgrade a client, the current client software is uninstalled and the new client software version is
installed. To upgrade clients, you can use any method that Configuration Manager supports.

TIP
When you upgrade the top-level site of a hierarchy, the client installation package on each distribution point in the
hierarchy is also updated. When you upgrade a primary site, the client upgrade package that's available from that primary
site is updated.

For more information, see How to upgrade clients for Windows computers.

Considerations for upgrading


Automatic actions
When you upgrade to Configuration Manager, the following actions occur automatically:
A site reset. This action includes a reinstallation of all site system roles.
If the site is the top-level site of a hierarchy, it updates the client installation package on each distribution
point in the hierarchy. The site also updates the default boot images to use the new Windows PE version
for the same version of the Windows ADK. However, the upgrade doesn't upgrade existing media for use
with image deployment.
If the site is a primary site, it updates the client upgrade package for that site.
Manual actions after an upgrade
After you upgrade a site, make sure that you do the following actions:
Make sure that clients assigned to each primary site upgrade and install the new client version.
Upgrade each Configuration Manager console that connects to the site and that runs on a computer
that's remote from the site server.
At primary sites where you use database replicas for management points, reconfigure the database
replicas.
After the site upgrades, manually upgrade physical media like ISO files for CDs, DVDs, or USB flash
drives. This also includes prestaged media provided to hardware vendors. The site upgrade updates the
default boot images, but it can't upgrade media files or devices that are used outside Configuration Manager.
Plan to update custom boot images when you don't require the older version of Windows PE.
Actions that affect configurations and settings
When a site upgrades to Configuration Manager, some configurations and settings don't persist after the
upgrade. Some configurations are set to a new default. The following list includes some settings that don't
persist or that change:
Software Center : The following Software Center items are reset to their default values:
Work information is reset to business hours from 5:00am to 10:00pm Monday to Friday.
The value for Computer maintenance is set to Suspend Software Center activities when
my computer is in presentation mode .
The value for Remote control is set to the value in the client settings that are assigned to the
computer.
Software update summarization schedules : Custom summarization schedules for software updates
or software update groups are reset to the default value of one hour. After the upgrade finishes, reset
custom summarization values to the required frequency.

Test the site database upgrade


This process only applies when you're upgrading a prior version like System Center 2012 Configuration
Manager to Configuration Manager current branch.
Before you upgrade a site, test a copy of that site's database for the upgrade.
To test the database for an upgrade, you first restore a copy of the site database to an instance of SQL Server
that doesn't host a Configuration Manager site. The version of SQL Server that you use to host the database
copy must be a version of SQL Server that Configuration Manager supports.
After you restore the site database, on the SQL Server computer, run Configuration Manager Setup from the
source media folder for Configuration Manager.
For more information including specific steps, see Test the database upgrade.
Upgrade sites
If you've completed the following tasks, you're ready to upgrade your Configuration Manager site:
Pre-upgrade configurations for your site
Test the upgrade of the site database on a database copy
Download prerequisite files and language packs for the version that you plan to install
When you upgrade a site in a hierarchy, you upgrade the top-level site of the hierarchy first. This top-level site is
either a CAS or a stand-alone primary site. After you complete the upgrade of a CAS, you can upgrade child
primary sites in any order you want. After you upgrade a primary site, you can upgrade that site's secondary
sites, or upgrade other primary sites before you upgrade any secondary sites.
Before you upgrade a site, close the Configuration Manager console on the site server until the upgrade
successfully completes. Also close all remote consoles that run on other computers. After the site upgrade
completes successfully, you can reconnect the console. Until you upgrade a console to the new version, that
console can't display some objects and information that are available in new version.
Upgrade a CAS or primary site
1. Verify that the user who runs Setup has the following security rights:
Local Administrator rights on the site server
If the site database server is remote from the site server, local Administrator rights on it
2. On the site server, run the following program from the Configuration Manager source media:
.\SMSSETUP\BIN\X64\Setup.exe. This action starts the Configuration Manager Setup wizard.

3. Read the information on the Before You Begin page, and then select Next.
4. On the Getting Started page, select Upgrade this Configuration Manager site, and then select
Next.
5. On the Product Key page:
If you previously installed Configuration Manager Evaluation version, you can select Install the
licensed edition of this product. Then enter your product key for the full installation of Configuration
Manager. This action converts the site to the full version. For more information, see Upgrade an
evaluation installation of Configuration Manager to a full installation.
You can specify the Software Assurance expiration date of your licensing agreement. This date is a
convenient reminder for you of that date. If you don't enter this value during setup, you can specify it
later in the console.

NOTE
Microsoft doesn't validate this expiration date, and doesn't use this date for license validation. It's a reminder to
you of your expiration date. Configuration Manager periodically checks for new software updates offered online.
To be eligible to install these updates, your license status should be current.

For more information, see Licensing and branches.


6. On the Microsoft Software License Terms page, read and accept the license terms, and then select
Next.
7. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and
then select Next. Setup downloads and automatically installs the software on site systems or clients
when it's required. Before you can continue to the next page, agree to all terms.
8. On the Prerequisite Downloads page, specify whether Setup downloads the latest content from the
internet or uses previously downloaded files. This content includes prerequisite redistributable files,
language packs, and the latest product updates. If you already used Setup Downloader, select Use
previously downloaded files and specify the download folder. For more information, see Setup
Downloader.

NOTE
When you use previously downloaded files, verify that the path to the download folder contains the most recent
version of the files.

9. On the Server Language Selection page, view the list of languages that are currently installed for the
site. Select other languages that are available at this site for the Configuration Manager console and for
reports. You can also clear languages that you no longer want to support at this site. By default, English is
selected and can't be removed.

IMPORTANT
Each version of Configuration Manager can't use language packs from a prior version. To enable support for a
language at a site that you upgrade, use the version of the language pack for the new version. For example,
during upgrade from System Center 2012 Configuration Manager to Configuration Manager current branch, if
the current branch version of a language pack isn't available with the prerequisite files you download, you can't
install support for that language.

10. On the Client Language Selection page, view the list of languages that are currently installed for the
site. Select other languages that are available at this site for client computers, or clear languages that you
no longer want to support at this site. Specify whether to enable all client languages for mobile device
clients, and then select Next. By default, English is selected and can't be removed.
11. On the Settings Summary page, review the configuration. When you're ready, select Next to start the
Prerequisite Checker. This tool verifies server readiness for the upgrade of the site. For more information,
see Prerequisite Checker.
12. On the Prerequisite Installation Check page, if there are no problems listed, select Next to upgrade
the site and site system roles.
If the Prerequisite Checker finds a problem, select the item on the list for details about how to resolve it.
Resolve all items in the list that have an Error status before you continue Setup. For items with a
Warning status, resolve as many as possible in your environment. After you resolve the issues, select
Run Check to restart prerequisite checking. For more detailed information, open the
ConfigMgrPrereq.log file in the root of the system drive. The log file can contain additional information
that's not displayed in the user interface. For a list of installation prerequisite rules and descriptions, see
Prerequisite checks.
On the Upgrade page, Setup displays the overall progress status. When Setup completes the core site server
and site system installation, you can close the wizard. Site configuration continues in the background.
Upgrade a secondary site
1. Verify that the administrative user that runs Setup has the following security rights:
Local Administrator rights on the secondary site server
Infrastructure Administrator or Full Administrator security role on the parent primary site
System administrator (SA) rights on the site database of the secondary site
2. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and then select the Sites node.
3. Select the secondary site that you want to upgrade. On the Home tab of the ribbon, in the Site group,
select Upgrade.
4. Select Yes to confirm the decision, and to start the upgrade of the secondary site.
The secondary site upgrade runs in the background. After the upgrade is complete, confirm the status in the
Configuration Manager console. Select the secondary site server, then on the Home tab of the ribbon, in the
Site group, select Show Install Status.

Post-upgrade tasks
After you upgrade a site, you might have to complete other tasks to finish the upgrade or reconfigure the site.
These tasks can include the following items:
Upgrade Configuration Manager clients
Upgrade Configuration Manager consoles
Re-enable database replicas for management points
Restore settings for Configuration Manager functionality that you use and that doesn't persist after the
upgrade

Next steps
Scenarios to streamline your installation of Configuration Manager current branch
Scenarios to streamline your installation of Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


With the release of update versions for Configuration Manager current branch, there are new scenarios to
streamline the install of a new hierarchy to an update version. You can also use these techniques to upgrade
from Microsoft System Center 2012 Configuration Manager.
The following list is a summary of the two main scenarios:
Install a new Configuration Manager current branch hierarchy that runs an update version.
Install only the top-tier site with a baseline version. Then immediately install an update to bring that
site current with the update version that you'll use. Then install others sites directly to that update
version.
This process skips the installation of other sites to a baseline level, and then updating them to the
update version that you want to use.
The process also skips the installation of clients to a baseline version, and then reinstalling them when
you update to a later version.
Upgrade a Microsoft System Center 2012 Configuration Manager infrastructure to an update version of
Configuration Manager.
Manually upgrade your central administration site (CAS) and each primary site to a baseline version
before you install an update version.
Don't upgrade secondary sites from Microsoft System Center 2012 Configuration Manager until your
primary sites run the update version that you'll use.
Don't upgrade clients from Microsoft System Center 2012 Configuration Manager until your primary
sites run the update version that you'll use.

Install a new hierarchy to an update version


1. Install a top-level site for your new hierarchy by using the baseline media. You can use baseline media
only to install the first site of a new hierarchy. For more information, see Use the Setup Wizard to install
sites.
After this step, your top-level site runs the baseline version.
2. Use in-console updates to update your top-level site to a later version. Before you install any child sites or
clients, update your top-level site to the update version that you plan to use. For more information, see
Updates for Configuration Manager.
After this step, your top-level site runs the updated version.
3. If you intend for the first site to be a CAS, next install new child primary sites. Use the installation media
from the CD.Latest folder on the CAS server to install child primary sites. Use this source media to make
sure that new child primary sites match the version of the CAS. For more information, see The CD.Latest
folder for Configuration Manager.
4. Add other site system roles on remote servers at the CAS and primary sites. This action makes sure that
the site systems run the updated version. For more information, see Install site system roles.
5. If you plan to have secondary sites, at each primary site, use the in-console option to install new
secondary sites. Because you didn't install secondary sites while primary sites were at the baseline
version, you don't need to update the secondary sites. Instead, you install new secondary sites that run
the updated version. For more information, see Install a secondary site.
6. Install new clients at the primary site. Because you didn't install clients while primary sites were at the
baseline version, you don't need to update clients. Instead, install new clients that run the updated
version. For more information, see Deploy clients.
7. Install new consoles on remote computers. Because you didn't install consoles while primary sites were at
the baseline version, you don't need to update consoles. Install them with the updated version. For more
information, see Install consoles.

Upgrade to current branch


1. Upgrade your top-level System Center 2012 Configuration Manager site to a baseline version of the
current branch. Use source media for Configuration Manager current branch. You always upgrade the
top-level site of a hierarchy first, and then upgrade child sites. For more information, see Upgrade to
Configuration Manager.
After this step, your top-level site runs the baseline version.
2. Upgrade each child primary site in your hierarchy to the same baseline version. When you upgrade from
Microsoft System Center 2012 Configuration Manager, manually upgrade each primary site to a baseline
version of the current branch. Don't upgrade secondary sites yet.
After this step, each primary site runs the baseline version.
3. Set service windows on child-primary sites. After you upgrade all of your primary sites to the baseline
version, configure maintenance windows to control when those sites install infrastructure updates. For
more information, see Service windows for site servers.
Child primary sites automatically install the same updates that you install at a CAS.
Secondary sites don't automatically install new versions. Update them manually from the console.
After this step, child primary sites are ready to install updates during their service window.
4. Install the update version at your top-level site. This action updates your top-level site to the updated
version. After a CAS installs the update version, each child primary site automatically installs the same
update during its service window. For more information, see Updates for Configuration Manager.
After this step, your CAS and each primary site run the updated version.
5. Upgrade secondary sites. After a primary site installs the update, use the in-console option to update
secondary sites. This action upgrades secondary sites directly from System Center 2012 Configuration
Manager to the same update version as the primary site. For more information about upgrading a
secondary site, see Upgrade sites.
6. Upgrade clients. This process upgrades clients directly from System Center 2012 Configuration Manager
to the update version that you installed at the primary site. For more information, see How to upgrade
clients for Windows computers.
After this step, clients run the updated version.
7. Upgrade consoles on remote computers. This process upgrades clients directly from System Center 2012
Configuration Manager to the update version that you installed at the primary site. For more information,
see Install consoles.
Next steps
Configure sites and hierarchies
Configure sites and hierarchies for Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


After you install your first Configuration Manager site or add additional sites to your hierarchy, use this checklist
to ensure that you consider the most common configurations that affect both sites and hierarchies.
The following configuration notes apply to most deployments:
Some options build upon each other, such as Active Directory Forest Discovery, boundaries, and
boundary groups.
Several configurations have default values to use without configuration changes, at least to start.
Other configurations, like boundary groups and distribution point groups, require you to configure them
before using.

ACTION: Configure role-based administration
DETAILS: Segregate administrative assignments to control which administrative users can view and manage different objects and data in your Configuration Manager environment. Configurations for role-based administration are shared with all sites in a hierarchy. For more information, see Configure role-based administration.

ACTION: Publish site data to Active Directory Domain Services
DETAILS: Make it easy for clients to find services and efficiently use site resources. First extend the Active Directory schema. Then individually configure each site to publish site data.

ACTION: Configure a service connection point
DETAILS: Plan to install and configure the service connection point at the top-level site of your hierarchy. For more information, see About the service connection point.

ACTION: Add site system roles
DETAILS: Install one or more additional site system roles for individual sites. For more information, see Add site system roles.

ACTION: Configure site boundaries and boundary groups
DETAILS: Specify boundaries that define network locations on your intranet that can contain devices that you want to manage. Then configure boundary groups so that clients at those network locations can find Configuration Manager resources. For more information, see Define site boundaries and boundary groups.

ACTION: Configure distribution point groups
DETAILS: Configure logical groups of distribution points to make managing deployments easier. For more information, see Manage distribution point groups.

ACTION: Run discovery
DETAILS: Run discovery to find resources on your network, including network infrastructure, devices, and users. For more information, see Run discovery.

ACTION: Add redundancy and capacity for administrators
DETAILS: Install additional SMS Providers and Configuration Manager consoles to expand capacity for administrators to manage your infrastructure:
Install additional SMS providers to provide redundancy for console and API connections to the site. For more information, see Manage the SMS Provider.
Install additional Configuration Manager consoles to provide access to additional administrative users. For more information, see Install Configuration Manager consoles.

ACTION: Configure site components
DETAILS: Configure site components at each site to modify the behavior of site system roles and site status reporting. For more information, see Site components.

ACTION: Create custom collections
DETAILS: Using information that the site discovers about devices and users, create custom collections of objects to simplify future management tasks. For more information, see How to create collections.

ACTION: Configure settings to manage high-risk deployments
DETAILS: Configure settings at a site to warn administrators when they create a high-risk deployment. For more information, see Settings to manage high-risk deployments.

ACTION: Configure database replicas for management points
DETAILS: Configure a database replica to reduce the processor load that's placed on the site database server by management points as they service requests from clients. For more information, see Database replicas for management points.

ACTION: Configure a SQL Server Always On availability group
DETAILS: Configure availability groups as high-availability and disaster-recovery solutions for hosting the site database at primary sites and the central administration site. For more information, see Prepare to use a SQL Server Always On availability group with Configuration Manager.

ACTION: Modify replication between sites
DETAILS: See Data transfers between sites to learn about the following subjects:
Configure file-based replication between secondary sites
Configure database replication links
Configure distributed views

ACTION: Configure site servers in passive mode
DETAILS: Starting in version 1806, configure a site server in passive mode for each primary site and the central administration site. This feature provides a highly available site server. For more information, see Site server high availability.
Add site system roles for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Each Configuration Manager site supports multiple site system roles. Each role extends the functionality and
capacity of your site to provide services to the site and to manage devices and users. Each site system role on a
site system server must be from the same site.
Configuration Manager doesn't support site system roles for multiple sites on a single site system server.

TIP
If you're not familiar with the basics for site system roles or the difference between the site server, site system servers, and
site system roles, see Fundamentals of Configuration Manager.

The following articles detail procedures and related details for installing site system roles:
Install site system roles: Basic guidance about how to use the two in-console wizards to install new site
system roles.
Set up checklist for CMG: Set up a cloud management gateway (CMG) to manage clients on the internet.
Install site system roles for on-premises mobile device management (MDM): Set up your site system
roles to support managing modern devices by using Configuration Manager on-premises MDM.
Configuration options for site system roles: Some site system roles support configurations that require
more details than the user interface can explain.
Remove a site system role: Guidance and procedures to remove roles from site system servers.
Install site system roles for Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


There are two methods in the Configuration Manager console to install site system roles:
Add Site System Roles: Add site system roles to an existing site system server in the site.
Create Site System Server: Specify a new server as a site system server, and then install one or more
roles. This method is the same as the Add Site System Roles, except for the first page. You first specify
the name of the server and the site in which you want to install it.

TIP
When you install a role on a remote computer, Configuration Manager adds the computer account of the remote
computer to a local group on the site server.
When you install the site on a domain controller, the group on the site server is a domain group instead of a local group.
In this case, the remote site system role doesn't immediately work. The site system server needs to restart, or you refresh
the Kerberos ticket for the remote server's computer account. For more information, see Accounts used.

Before it installs the site system role, Configuration Manager checks the destination computer to make sure it
meets the prerequisites for the selected roles.
By default, when Configuration Manager installs a site system role, it installs files on the first available NTFS-
formatted disk drive that has the most available free disk space. To prevent Configuration Manager from
installing on specific drives, before you install the site system server, create an empty file named
NO_SMS_ON_DRIVE.SMS in the root of the drive.
Configuration Manager uses the site system installation account to install roles. You specify this account
when you install the role. By default, this account is the local system account of the site server computer. You can
specify a domain user account as the site system installation account. For more information, see Accounts - Site
system installation account.

Install roles on an existing site system server


1. In the Configuration Manager console, go to the Administration workspace. Expand Site
Configuration, and select the Servers and Site System Roles node. Select the existing site system
server on which you want to install new site system roles.
2. In the ribbon, on the Home tab, in the Server group, select Add Site System Roles.
3. On the General page, review the settings.

TIP
To access the site system role from the internet, make sure that you specify an internet fully qualified domain
name (FQDN).

4. On the Proxy page, if roles on this server require an internet proxy, then specify settings for a proxy
server. For more information, see Proxy server support.
5. On the System Role Selection page, select the site system roles that you want to add.
6. Complete the wizard. Additional pages may appear for specific roles. For more information, see
Configuration options for site system roles.

TIP
The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more
information, see New-CMSiteSystemServer.

Install roles on a new site system server


1. In the Configuration Manager console, go to the Administration workspace. Expand Site
Configuration, and select the Servers and Site System Roles node.
2. In the ribbon, on the Home tab, in the Create group, select Create Site System Server.
3. On the General page, specify the general settings for the site system.

TIP
To access the new site system role from the internet, make sure that you specify an internet FQDN.

4. On the Proxy page, if roles on this server require an internet proxy, then specify settings for a proxy
server. For more information, see Proxy server support.
5. On the System Role Selection page, select the site system roles that you want to add.
6. Complete the wizard. Additional pages may appear for specific roles. For more information, see
Configuration options for site system roles.

TIP
The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more
information, see New-CMSiteSystemServer.

Next steps
Configuration options for site system roles
Remove role
About the service connection point in Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


The service connection point is a site system role that provides several important functions for the hierarchy.
Before you set up the service connection point, understand and plan for its range of uses. Planning for usage
might affect how you set up this site system role:
Download updates that apply to your Configuration Manager infrastructure. Only relevant updates for
your infrastructure are made available based on usage data you upload.
Upload usage data from your Configuration Manager infrastructure. You can control the level or amount
of detail that you upload. For more information, see Usage data levels and settings.
Deploy a cloud management gateway in Azure
Synchronize apps from the Microsoft Store for Business and Education
Discover users and groups in Azure Active Directory (Azure AD)
Use Desktop Analytics to gain insights on Windows 10 update and app readiness
Each hierarchy supports a single instance of this role. It can only be installed at the top-tier site of your
hierarchy, which is a central administration site (CAS) or stand-alone primary site. If you expand a stand-alone
primary site to a larger hierarchy, uninstall this role from the primary site, and then install it at the CAS.

Modes of operation
The service connection point supports two modes of operation:
Online: The service connection point automatically checks every 24 hours for updates. It downloads new
updates that are available for your current infrastructure and product version to make them available in
the Configuration Manager console.
Offline: The service connection point doesn't connect to the Microsoft cloud service. To manually import
available updates, use the service connection tool.
Change mode
If you change between online or offline modes after you install the service connection point, restart the
SMS_DMP_DOWNLOADER thread of the SMS_Executive service. Restarting this thread makes the change
become effective. To restart this thread, use the Configuration Manager Service Manager.

TIP
You can also restart the SMS_Executive service for Configuration Manager, which restarts most site components.
Alternatively, wait for a scheduled task like a site backup, which stops and restarts the SMS_Executive service for you.

To use the Configuration Manager Service Manager to restart the SMS_DMP_DOWNLOADER thread:
1. In the Configuration Manager console go to the Monitoring workspace, expand System Status, and
select the Component Status node. In the ribbon, choose Start, and then select Configuration
Manager Service Manager.
2. In the service manager navigation pane, expand the site, expand Components, and then choose the
component that you want to restart: SMS_DMP_DOWNLOADER.
3. Go to the Component menu, and choose Query.
4. Confirm the current status of the component. Then go to the Component menu, and choose Stop.
5. Query the component again to confirm that it stopped. Then choose the Start component action to
restart it.

Remote site system requirements


When you install the service connection point on a site system server that's remote from the site server,
configure one of the following requirements:
The computer account of the site server must be a local admin on the computer that hosts a remote
service connection point.
or
Set up the site system server that hosts this role with a site system installation account. The distribution
manager on the site server uses the site system installation account to transfer updates from the service
connection point.

Internet access requirements


If your organization restricts network communication with the internet using a firewall or proxy device, you
need to allow the service connection point to access internet endpoints.
For more information, see Internet access requirements. Other Configuration Manager features may require
additional endpoints from the service connection point.
These configurations apply to the server that hosts the service connection point and any firewalls between that
server and the internet. Allow communication through outgoing HTTPS port TCP 443 to the internet locations.
The service connection point supports using a web proxy with or without authentication to use these locations.
For more information, see Proxy server support.
If the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical
status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component
status changes to critical. View detailed status in the Component Status node of the Configuration Manager
console.
Starting in version 2010, the service connection point validates important internet endpoints for Desktop
Analytics and tenant attach. These checks help make sure that the cloud-connected services are available. It also
helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more
information, see Validate internet access.
The specific URLs required by the service connection point vary by Configuration Manager feature:
Updates and servicing
Windows servicing
Azure services
Microsoft Store for Business
Cloud services
Configuration Manager console
Desktop Analytics
Tenant attach
External notifications

TIP
The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or
manage.microsoft.com . There's a known issue in which the Intune connector experiences connectivity issues if the
Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more
information, see Service connection point doesn't download updates.

Validate internet access


If you use Desktop Analytics or tenant attach, starting in version 2010, the service connection point now checks
important internet endpoints. These checks help make sure that the cloud-connected services are available. It
also helps you troubleshoot issues by quickly determining if network connectivity is a problem.
For the list of internet endpoints, see the following sections of the Internet access requirements article:
Desktop Analytics
Tenant attach
For more details, review the EndpointConnectivityCheckWorker.log file on the service connection point.
A failure isn't always determined by the HTTP status code, but if there's network connectivity to an endpoint. The
following scenarios can cause a check to fail:
Network connection timeout
SSL/TLS failure
Unexpected status code:

STATUS CODE   DESCRIPTION                          POSSIBLE REASON
407           Proxy authentication required        May indicate a proxy issue
408           Request timeout                      May indicate a proxy issue
426           Upgrade required                     May indicate a TLS misconfiguration
451           Unavailable for legal reasons        May indicate a proxy issue
502           Bad gateway                          May indicate a proxy issue
511           Network authentication required      May indicate a proxy issue
598           Network read timeout error           Not RFC compliant, but used by some proxy servers to indicate a network timeout
599           Network connection timeout error     Not RFC compliant, but used by some proxy servers to indicate a network timeout

There are also the following status messages for the SMS_SERVICE_CONNECTOR component:
MESSAGE ID    SEVERITY        NOTES
11410         Informational   All checks are successful
11411         Warning         One or more non-critical failures occurred
11412         Error           One or more critical failures occurred
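A connectivity check of the kind described in this section, as an added PowerShell example that is not part of the Configuration Manager documentation: it probes the endpoints over HTTPS (TCP 443), follows the page's three failure classes (connection timeout, SSL/TLS failure, unexpected status code) and labels status codes with the reasons from the table above. Written for Windows PowerShell 5.1 on the site system; go.microsoft.com and manage.microsoft.com are named in this article, the rest of the list comes from the Internet access requirements article, and the proxy value is a placeholder.

```powershell
# Added example, not from the Configuration Manager documentation.
# Force TLS 1.2 for the probe; older .NET defaults can otherwise produce spurious TLS failures.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Endpoints = @('https://go.microsoft.com', 'https://manage.microsoft.com')  # extend per feature
$Proxy     = ''   # placeholder, e.g. 'http://proxy.corp.example:8080'; empty = system default

# Status codes from the table, with the reason the article attributes to each.
$SuspectCodes = @{
    407 = 'Proxy authentication required: may indicate a proxy issue'
    408 = 'Request timeout: may indicate a proxy issue'
    426 = 'Upgrade required: may indicate a TLS misconfiguration'
    451 = 'Unavailable for legal reasons: may indicate a proxy issue'
    502 = 'Bad gateway: may indicate a proxy issue'
    511 = 'Network authentication required: may indicate a proxy issue'
    598 = 'Network read timeout: non-RFC code some proxies use for a network timeout'
    599 = 'Network connection timeout: non-RFC code some proxies use for a network timeout'
}

function Test-ScpEndpoint {
    param([string]$Uri)
    $req = @{ Uri = $Uri; UseBasicParsing = $true; TimeoutSec = 20 }
    if ($Proxy) { $req.Proxy = $Proxy; $req.ProxyUseDefaultCredentials = $true }
    try {
        # Redirects are followed, so a 3xx from the front door is not counted as a failure.
        $resp = Invoke-WebRequest @req
        return [pscustomobject]@{ Uri = $Uri; Result = 'OK'; Status = [int]$resp.StatusCode; Reason = '' }
    }
    catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response) {
            # The server, or a proxy in the path, answered with a non-success HTTP status.
            $code = [int]$ex.Response.StatusCode
            $why  = if ($SuspectCodes.ContainsKey($code)) { $SuspectCodes[$code] } else { 'Unexpected status code' }
            return [pscustomobject]@{ Uri = $Uri; Result = 'Fail'; Status = $code; Reason = $why }
        }
        # No HTTP response at all: separate TLS failures from connection timeouts.
        $why = switch ($ex.Status) {
            'TrustFailure'         { 'SSL/TLS failure: server certificate not trusted' }
            'SecureChannelFailure' { 'SSL/TLS failure: handshake failed' }
            'Timeout'              { 'Network connection timeout' }
            'ConnectFailure'       { 'Network connection failed (TCP 443 blocked?)' }
            default                { "No response: $($ex.Status)" }
        }
        return [pscustomobject]@{ Uri = $Uri; Result = 'Fail'; Status = $null; Reason = $why }
    }
}

$results = $Endpoints | ForEach-Object { Test-ScpEndpoint -Uri $_ }
$results | Format-Table -AutoSize
# Compare with what the site recorded: EndpointConnectivityCheckWorker.log on the service
# connection point and the SMS_SERVICE_CONNECTOR status messages (11410, 11411, 11412).
if ($results.Result -contains 'Fail') { exit 1 }
```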

Install
When you run Setup to install the top-tier site of a hierarchy, you can install the service connection point.
After setup runs, or if you're reinstalling the role, use the Add Site System Roles wizard or the Create Site
System Server wizard. (Only install the service connection point on the top-tier site of your hierarchy.) For
more information, see Install site system roles.
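The procedures for a new site system server and for installing this role, as one added PowerShell example that is not part of the Configuration Manager documentation: it prepares the remote server (NO_SMS_ON_DRIVE.SMS markers and the local administrator check from Remote site system requirements), registers the server with New-CMSiteSystemServer, and adds the service connection point in online mode. It assumes the console and its PowerShell module are installed where the script runs; the site code, server, account and drive letters are placeholders, and the property names in the final Select-Object are assumed from the SMS_SCI_SysResUse class.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Configuration Manager documentation.
$SiteCode       = 'PS1'                   # placeholder: top-tier site code
$ServerFqdn     = 'scp01.corp.example'    # placeholder: new site system server
$SiteServerAcct = 'CORP\CMSITE01$'        # placeholder: site server computer account
$ExcludedDrives = @('E', 'F')             # placeholder: drives reserved for other data

# 1. Remote-side preparation. An empty NO_SMS_ON_DRIVE.SMS in a drive root keeps site system
#    files off that drive, and a remote service connection point needs the site server's computer
#    account in its local Administrators group (or a site system installation account instead).
$prep = Invoke-Command -ComputerName $ServerFqdn -ArgumentList $ExcludedDrives, $SiteServerAcct -ScriptBlock {
    param([string[]]$Drives, [string]$Acct)
    foreach ($d in $Drives) {
        $marker = Join-Path "${d}:\" 'NO_SMS_ON_DRIVE.SMS'
        if (-not (Test-Path $marker)) { New-Item -Path $marker -ItemType File -Force | Out-Null }
    }
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    [pscustomobject]@{ SiteServerIsLocalAdmin = ($admins -contains $Acct) }
}
if (-not $prep.SiteServerIsLocalAdmin) {
    throw "$SiteServerAcct is not a local administrator on $ServerFqdn; add it or set a site system installation account."
}

# 2. Load the console's module and switch to the site drive, which the CM cmdlets require.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "${SiteCode}:"

# 3. Create the site system server record if it does not exist. -UseSiteServerAccount keeps the
#    wizard's default: the site server's computer account installs the roles.
$siteSystem = Get-CMSiteSystemServer -SiteSystemServerName $ServerFqdn -SiteCode $SiteCode
if (-not $siteSystem) {
    $siteSystem = New-CMSiteSystemServer -SiteSystemServerName $ServerFqdn -SiteCode $SiteCode -UseSiteServerAccount
}

# 4. Add the service connection point. A hierarchy supports exactly one, so refuse a second.
$existing = Get-CMServiceConnectionPoint -SiteCode $SiteCode
if ($existing) {
    throw "Site $SiteCode already has a service connection point on $($existing.NetworkOSPath)"
}
Add-CMServiceConnectionPoint -SiteSystemServerName $ServerFqdn -SiteCode $SiteCode -Mode Online | Out-Null

# 5. Verify the role is recorded on the intended server (property names assumed, see lead-in).
Get-CMServiceConnectionPoint -SiteSystemServerName $ServerFqdn -SiteCode $SiteCode |
    Select-Object NetworkOSPath, SiteCode, RoleName
```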

Move the role


There are several scenarios in which you may need to move the service connection point to another server:
Recovery
Site server high availability
Site expansion
After you move the service connection point, check all site functions. For example, you may need to renew the
secret key for any connections to Azure Active Directory (Azure AD) tenants. For more information, see Renew
secret key.

Console notifications for the service connection point


Occasionally, the Configuration Manager console may give you a notification about your service connection
point. The notification asks you to restart the SMS_EXECUTIVE service on the server that hosts the service
connection point. This notification occurs because a configuration change was made by Microsoft on the
services that your service connection point connects to. Features of Configuration Manager that rely on these
services may not function for your site properly until the SMS_EXECUTIVE service is restarted.

Log files
To view information about uploads to Microsoft, view the Dmpuploader.log on the server that runs the service
connection point. For download progress of updates, view the Dmpdownloader.log . For the complete list of
logs related to the service connection point, see Log files - Service connection point.

Next steps
Use the following flowcharts to understand the process flow and key log entries. This process includes update
downloads and replication of updates to other sites.
Flowchart - Download updates
Flowchart - Update replication
Configuration options for site system roles in
Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Most configuration options for Configuration Manager site system roles are self-explanatory or are explained in
the wizard or dialog boxes when you configure them. The following sections explain site system roles whose
settings might require additional information.

Certificate registration point


For more information about how to set up the certificate registration point, see Introduction to certificate
profiles.

Distribution point
For more information about how to set up the distribution point for content deployment, see Manage content
and content infrastructure.
For more information about how to set up the distribution point for PXE deployments, see Use PXE to deploy
Windows over the network.
For more information about how to set up the distribution point for multicast deployments, see Use multicast to
deploy Windows over the network.
Install and configure IIS if required by Configuration Manager
Select this option to let Configuration Manager install and set up IIS on the site system if it's not already
installed. IIS must be installed on all distribution points, and you must select this setting to continue in the
wizard.
Site system installation account
For distribution points that are installed on a site server, only the computer account of the site server is
supported for use as the site system installation account. For more information, see Accounts.

Enrollment point
Enrollment points are used to install macOS computers and enroll devices that you manage with on-premises
mobile device management. For more information, see the following articles:
How to deploy clients to Macs
How users enroll devices with on-premises MDM
Allowed connections
The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication
to the enrollment proxy point, and encryption of data over SSL. For more information, see PKI certificate
requirements.
For an example deployment of the server certificate and information about how to configure it in IIS, see
Deploying the web server certificate for site systems that run IIS.
Enrollment proxy point
For more information about how to set up an enrollment proxy point for mobile devices, see How users enroll
devices with on-premises MDM.
Client connections
The HTTPS setting is automatically selected. It requires the following PKI certificates on the server:
For server authentication to mobile devices and Mac computers that you enroll with Configuration Manager
For encryption of data over Secure Sockets Layer (SSL)
For more information about the certificate requirements, see PKI certificate requirements.
For an example deployment of the server certificate and information about how to configure it in IIS, see
Deploying the web server certificate for site systems that run IIS.

Fallback status point


Number of state messages and Throttle interval (in seconds)
The default settings for these options are 10,000 state messages and 3,600 seconds for the throttle interval.
While these settings are sufficient for most circumstances, you might have to change them when both of the
following conditions are true:
The fallback status point accepts connections only from the intranet.
You use the fallback status point during a client deployment rollout for many computers.
In this scenario, a continuous stream of state messages might create a backlog of state messages that causes
high processor usage on the site server for a sustained period. In addition, you might not see up-to-date
information about the client deployment in the Configuration Manager console and in the client deployment
reports.
These fallback status point settings are designed to be set up for state messages that are generated during client
deployment. The settings aren't designed to be set up for client communication issues, like when clients on the
internet can't connect to their internet-based management point. Because the fallback status point can't apply
these settings just to the state messages that are generated during client deployment, don't configure these
settings when the fallback status point accepts connections from the internet.
Each computer that successfully installs the Configuration Manager client sends the following four state
messages to the fallback status point:
Client deployment started
Client deployment succeeded
Client assignment started
Client assignment succeeded
Computers on which the Configuration Manager client can't be installed or assigned send additional state
messages.
For example, if you deploy the Configuration Manager client to 20,000 computers, the deployment might send
80,000 state messages to the fallback status point. Because the default throttling configuration lets 10,000 state
messages to be sent to the fallback status point each 3,600 seconds (1 hour), state messages might become
backlogged on the fallback status point. Also consider the available network bandwidth between the fallback
status point and the site server and the processing power of the site server to process many state messages.
To help prevent these issues, consider an increase in the number of state messages and a decrease in the throttle
interval.
Reset the throttle values for the fallback status point if either of the following conditions is true:
You calculate that the current throttle values are higher than required to process state messages from the
fallback status point.
You find that the current throttle settings create high processor usage on the site server.
Don't change the fallback status point throttle settings unless you understand the consequences. For example,
if you set the throttle settings too high, processor usage on the site server can rise too high, which slows
down all site operations.
Database replicas for management points for
Configuration Manager
2/16/2022 • 21 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager primary sites can use a database replica to reduce the CPU load placed on the site
database server by management points as they service requests from clients. When a management point uses a
database replica, it requests data from the SQL Server computer that hosts the database replica instead of from
the site database server.
This configuration can help reduce the CPU processing requirements on the site database server by offloading
frequent processing tasks related to clients. An example of frequent processing tasks for clients includes sites
where there are a large number of clients that make frequent requests for client policy.

About
Replicas are a partial copy of the site database that replicates to a separate instance of SQL Server.
Primary sites support a dedicated database replica for each management point at the site.
Secondary sites don't support database replicas.
A single database replica can be used by more than one management point from the same site.
A SQL Server can host multiple database replicas for use by different management points so long
as each runs in a separate instance of SQL Server.
Replicas synchronize a copy of the site database on a fixed schedule from data that the site's database
server publishes for this purpose.
You can configure management points to use a replica when you install it, or at a later time. For an
existing management point, reconfigure it to use the database replica.
Regularly monitor the site database server and each database replica server to make sure that replication
occurs between them. Make sure that the performance of the database replica server is sufficient for the
site and client performance that you require.

Prerequisites
SQL Server requirements
The SQL Server that hosts the database replica has the same requirements as the site database server.
The replica server doesn't need to run the same version or edition of SQL Server as the site database
server, as long as it runs a supported version and edition of SQL Server. For more information, see
Support for SQL Server versions.
The SQL Server service on the computer that hosts the replica database must run as the System account.
Both the SQL Server that hosts the site database and the one that hosts a database replica must have SQL
Server replication installed.
The site database must publish the database replica, and each remote database replica server must
subscribe to the published data.
Configure both SQL Servers to support a max text repl size of 2 GB. For more information and how to
configure this setting for SQL Server, see Configure the max text repl size Server Configuration Option.
Self-signed certificate
To configure a database replica, create a self-signed certificate on the database replica server. Make this
certificate available to each management point that will use that database replica server.
The certificate is automatically available to a management point that's installed on the database replica
server.
To make this certificate available to remote management points, first export the certificate. Then add it to
the Trusted People certificate store on the remote management point.
Client notification
To support client notification with a database replica for a management point, configure communication
between the site database server and the database replica server for the SQL Server Service Broker:
Configure each database with information about the other database.
Exchange certificates between the two databases for secure communication.

Limitations
When you configure the site to publish database replicas, use the following procedures instead of the
normal guidance:
Uninstall a site server that publishes a database replica
Move a site server database that publishes a database replica
User deployments in Software Center won't work against a management point using a SQL Server
replica.
Upgrades to Configuration Manager current branch: Before you upgrade a site, either from System
Center 2012 Configuration Manager to Configuration Manager current branch or updating Configuration
Manager current branch to the latest release, disable database replicas for management points. After
your site upgrades, you can reconfigure the database replicas for management points.
Multiple replicas on a single SQL Server: If you configure separate instances of a database replica server
to host multiple database replicas for management points, use a modified configuration script. As noted
in step 4 of the process to Configure database replicas, this action prevents overwriting the self-signed
certificate in use by previously configured database replicas on that server.

Configure
To configure a database replica, the following steps are required:
Step 1 - Configure the site database server to publish the database replica
Step 2 - Configure the database replica server
Step 3 - Configure management points to use the database replica
Step 4 - Configure a self-signed certificate for the database replica server
Step 5 - Configure the SQL Server Service Broker for the database replica server
Step 1 - Configure the site database server to publish the database replica
Use the following procedure as an example of how to configure the site database server to publish the database
replica. The specific steps might vary depending upon the version of Windows Server.
Do the following steps on the site database server:
1. Set the SQL Server Agent to automatically start.
2. Create a local user group with the name ConfigMgr_MPReplicaAccess . For each database replica
server that you use at this site, add its computer account to this group. This action enables those database
replica servers to synchronize with the published database replica.

NOTE
You can also create a domain group for this purpose.

3. Configure a file share with the name ConfigMgr_MPReplica .


4. Add the following permissions to the ConfigMgr_MPReplica share:

NOTE
If the SQL Server Agent uses an account other than the local system account, replace SYSTEM with that account
name in the following list.

Share permissions:
SYSTEM: Change
ConfigMgr_MPReplicaAccess: Read
NTFS permissions:
SYSTEM: Full Control
ConfigMgr_MPReplicaAccess: Read , Read & execute , and List folder contents
5. Use SQL Server Management Studio to connect to the site database and run the following stored
procedure as a query: spCreateMPReplicaPublication

NOTE
If you're using a domain group instead of a local group, change this SQL statement to:
EXEC spCreateMPReplicaPublication N'<DomainName>\ConfigMgr_MPReplicaAccess'

When the stored procedure completes, the site database server is configured to publish the database replica.
Step 2 - Configure the database replica server
Use the following procedure as an example of how to configure a database replica server. The specific steps
might vary depending upon the version of Windows Server.
Do the following steps on the database replica server:
1. Set the SQL Server Agent to automatic startup.
2. Use SQL Server Management Studio to connect to the local server. Browse to the Replication folder,
select Local Subscriptions , and then select New Subscriptions . This action starts the New
Subscription Wizard .
a. On the Publication page, select Find SQL Server Publisher . Enter the name of the site
database server, and then select Connect .
b. Select ConfigMgr_MPReplica , and then select Next .
c. On the Distribution Agent Location page, select Run each agent at its Subscriber (pull
subscriptions) , and then select Next .
d. On the Subscribers page, do one of the following actions:
Select an existing database from the database replica server to use for the database replica,
and then select OK .
Select New database to create a new database for the database replica. On the New
Database page, specify a database name, and then select OK .
e. Select Next to continue.
f. On the Distribution Agent Security page, select the properties button (...) in the Subscriber
Connection row of the dialog box. Then configure the security settings for the connection.

TIP
The properties button, (...) , is in the fourth column of the display box.

Configure the account that runs the Distribution Agent process (process account):
If the SQL Server Agent runs as local system, select Run under the SQL Server Agent
service account (This is not a recommended security best practice.)
If the SQL Server Agent runs by using a different account, select Run under the
following Windows account , and then configure that account. You can specify a
Windows account or a SQL Server account.

IMPORTANT
Grant the account that runs the Distribution Agent permissions to the publisher as a pull subscription. For
more information about configuring these permissions, see Distribution agent security.

For Connect to the Distributor , select By impersonating the process account .
For Connect to the Subscriber , select By impersonating the process account .
After you configure the connection security settings, select OK to save them, and then select Next .
g. On the Synchronization Schedule page, select Define schedule , and then configure the New
Job Schedule . Set the frequency to occur Daily , recur every 5 minute(s) , and the duration to
have No end date . Select Next to save the schedule, and then select Next again.
h. On the Wizard Actions page, enable the option to Create the subscription(s) , and then select
Next .
i. Complete the wizard.
3. Immediately after completing the New Subscription Wizard, use SQL Server Management Studio to
connect to the database replica server database. Run the following query to enable the TRUSTWORTHY
database property: ALTER DATABASE <MP Replica Database Name> SET TRUSTWORTHY ON;
4. Review the synchronization status to validate that the subscription is successful:
On the subscriber computer:
In SQL Server Management Studio , connect to the database replica server, and expand
Replication .
Expand Local Subscriptions , right-click the subscription to the site database publication,
and then select View Synchronization Status .
On the publisher computer:
In SQL Server Management Studio , connect to the site database computer, right-click the
Replication folder, and then select Launch Replication Monitor .
5. To enable common language runtime (CLR) integration for the database replica, use SQL Server
Management Studio to connect to the database replica on the database replica server. Run the
following stored procedure as a query: exec sp_configure 'clr enabled', 1; RECONFIGURE WITH OVERRIDE
6. For each management point that uses a database replica server, add that management point's computer
account to the local Administrators group on that database replica server.

TIP
This step isn't necessary for a management point that runs on the database replica server.

The database replica is now ready for a management point to use.


Step 3 - Configure management points to use the database replica
You can configure a management point at a primary site to use a database replica when you install the
management point role, or you can reconfigure an existing management point to use a database replica.
Use the following information to configure a management point to use a database replica:
To configure a new management point:
1. On the Management Point Database page of the wizard to install the management point, select
Use a database replica .
2. Specify the FQDN of the computer that hosts the database replica.
3. For the ConfigMgr site database name , specify the database name of the database replica on that
computer.
To configure a previously installed management point:
1. Open the properties page of the management point, and switch to the Management Point
Database tab.
2. Select Use a database replica , and then specify the FQDN of the computer that hosts the database
replica.
3. Next, for ConfigMgr site database name , specify the database name of the database replica on that
computer.
For each management point that uses a database replica, manually add the computer account of the
management point server to the db_datareader role for the database replica.
In addition to configuring the management point to use the database replica server, enable Windows
Authentication in IIS on the management point:
1. Open Internet Information Services (IIS) Manager .
2. Select the website used by the management point, and open Authentication .
3. Set Windows Authentication to Enabled , and then close Internet Information Services (IIS)
Manager .
Step 4 - Configure a self-signed certificate for the database replica server
Use the following procedures as an example of how to configure the self-signed certificate on the database
replica server. The specific steps might vary depending upon the version of Windows Server.
Configure a self-signed certificate for the database replica server
1. On the database replica server, open a PowerShell command prompt with administrative privileges, and
then run the following command: Set-ExecutionPolicy Unrestricted
2. Copy the following PowerShell script and save it as a file with the name CreateMPReplicaCert.ps1 .
Place a copy of this file in the root folder of the system partition of the database replica server.

IMPORTANT
If you're configuring more than one database replica on a single SQL Server, for each subsequent replica you
configure, use a modified version of this script for this procedure. For more information, see Supplemental script
for additional database replicas on a single SQL Server.

# Script for creating a self-signed certificate for the local machine and configuring SQL Server to use it.

Param($SQLInstance)

$ConfigMgrCertFriendlyName = "ConfigMgr SQL Server Identification Certificate"

# Get local computer name
$computerName = "$env:computername"

# Get the SQL Server name
#$key="HKLM:\SOFTWARE\Microsoft\SMS\MP"
#$value="SQL Server Name"
#$sqlServerName= (Get-ItemProperty $key).$value
#$dbValue="Database Name"
#$sqlInstance_DB_Name= (Get-ItemProperty $key).$dbValue

$sqlServerName = [System.Net.Dns]::GetHostByName("localhost").HostName
$sqlInstanceName = "MSSQLSERVER"
$SQLServiceName = "MSSQLSERVER"

# A named instance is passed as the script argument; the default instance needs no argument
if ($SQLInstance -ne $Null)
{
    $sqlInstanceName = $SQLInstance
    $SQLServiceName = "MSSQL$" + $SQLInstance
}

# Delete existing cert if one exists
function Get-Certificate($storename, $storelocation)
{
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store($storename, $storelocation)
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Certificates
}

$cert = Get-Certificate "My" "LocalMachine" | ?{$_.FriendlyName -eq $ConfigMgrCertFriendlyName}

if($cert -is [Object])
{
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Remove($cert)
    $store.Close()
    # Remove this cert from Trusted People too...
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("TrustedPeople","LocalMachine")
    $store.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Remove($cert)
    $store.Close()
}

# Create the new cert
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=" + $sqlServerName, 0)

# Machine key readable by SYSTEM, Administrators and Network Service (the SQL Server service account)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
# 1024-bit RSA is what the original script uses; current guidance is 2048 bits or more
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

# Restrict the certificate to the Server Authentication enhanced key usage
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Self-signed (issuer equals subject), valid for ten years
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(3650)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$enrollment.CertificateFriendlyName = "ConfigMgr SQL Server Identification Certificate"
$certdata = $enrollment.CreateRequest(0x1)
$enrollment.InstallResponse(0x2, $certdata, 0x1, "")

# Add this cert to the trusted peoples store
[Byte[]]$bytes = [System.Convert]::FromBase64String($certdata)

$trustedPeople = new-object System.Security.Cryptography.X509certificates.X509Store "TrustedPeople", "LocalMachine"
$trustedPeople.Open([Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$trustedPeople.Add([Security.Cryptography.X509Certificates.X509Certificate2]$bytes)
$trustedPeople.Close()

# Get thumbprint from cert (the SHA-1 hash of the DER-encoded certificate)
$sha = new-object System.Security.Cryptography.SHA1CryptoServiceProvider
$certHash = $sha.ComputeHash($bytes)

# Format the bytes into a hexadecimal string; SQL Server needs the thumbprint in lower case
$certThumbprint = (($certHash | % {"{0:x2}" -f $_}) -join "").ToLower()

# Configure SQL Server to use this cert
$path = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
$subKey = (Get-ItemProperty $path).$sqlInstanceName
$realPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\" + $subKey + "\MSSQLServer\SuperSocketNetLib"
$certKeyName = "Certificate"
Set-ItemProperty -path $realPath -name $certKeyName -Type string -Value $certThumbprint

# restart SQL Server service
Restart-Service $SQLServiceName -Force

3. On the database replica server, run the following command that applies to the configuration of your SQL
Server:
For a default instance of SQL Server: Enter the following command in the PowerShell session:
.\CreateMPReplicaCert.ps1 . When the script runs, it creates the self-signed certificate and
configures SQL Server to use the certificate.
For a named instance of SQL Server: Use PowerShell to run the following command:
.\CreateMPReplicaCert.ps1 <SQL Server instance name>

After the script completes, verify that the SQL Server Agent is running. If not, restart the SQL Server
Agent.
Configure remote management points to use the self-signed certificate of the database replica server
Do the following steps on the database replica server to export the server's self-signed certificate:
1. Go to the Start menu, select Run , and type mmc.exe . In the empty console, select File , and then select
Add/Remove Snap-in .
2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins ,
and then select Add .
3. In the Certificate snap-in dialog box, select Computer account , and then select Next .
4. In the Select Computer dialog box, make sure that Local computer : (the computer this console is
running on) is selected, and then select Finish .
5. In the Add or Remove Snap-ins dialog box, select OK .
6. In the console, expand Certificates (Local Computer) , expand Personal , and select Certificates .
7. Right-click the certificate with the friendly name of ConfigMgr SQL Server Identification
Certificate , select All Tasks , and then select Export .
8. Complete the Certificate Export Wizard with the default options. Save the certificate with the .cer file
name extension.
Do the following steps on the management point server to add the self-signed certificate for the database
replica server to the Trusted People certificate store:
1. Repeat the preceding steps to open the Certificate snap-in MMC on the management point computer.
2. In the Certificates console, expand Certificates (Local Computer) , expand Trusted People , right-click
Certificates , select All Tasks , and then select Import . This action starts the Certificate Import
Wizard .
3. On the File to Import page, select the saved certificate, and then select Next .
4. On the Certificate Store page, select Place all certificates in the following store , with the
Certificate store set to Trusted People , and then select Next .
5. Select Finish to close the wizard and complete the certificate configuration on the management point.
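The following block is an added example, not part of the Configuration Manager documentation or product: it performs the export and import steps above from PowerShell and, in between, confirms that the SQL Server instance is bound to the certificate that was exported. It assumes Windows PowerShell 5.1 with the PKI module (Export-Certificate, Import-Certificate), that CreateMPReplicaCert.ps1 has already run on the replica server, and that PowerShell remoting and the C$ admin share are reachable on the management point; the function names, temp path and the MP01 server name are placeholders.

```powershell
# Added example: PowerShell equivalent of the MMC export/import procedure for the replica certificate.
$FriendlyName = "ConfigMgr SQL Server Identification Certificate"   # friendly name set by CreateMPReplicaCert.ps1

function Export-MPReplicaCert {
    param([Parameter(Mandatory)][string]$OutFile, [string]$Name = $FriendlyName)
    # Locate the certificate the script installed in the local machine Personal store
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $Name })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate named '$Name' in LocalMachine\My, found $($certs.Count)"
    }
    # Export the public certificate only (DER .cer); the private key never leaves the SQL Server
    Export-Certificate -Cert $certs[0] -FilePath $OutFile -Type CERT | Out-Null
    return $certs[0].Thumbprint
}

function Test-SqlServerCertBinding {
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$InstanceName = "MSSQLSERVER")
    # Read back the SuperSocketNetLib\Certificate value that CreateMPReplicaCert.ps1 wrote
    $instanceKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
    $subKey = (Get-ItemProperty $instanceKey).$InstanceName
    if (-not $subKey) { throw "SQL Server instance '$InstanceName' not found in the registry" }
    $netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$subKey\MSSQLServer\SuperSocketNetLib"
    $bound = (Get-ItemProperty $netLib).Certificate
    # The script stores the thumbprint in lower case, so compare case-insensitively
    return ($bound -ieq $Thumbprint)
}

function Import-MPReplicaCertOnManagementPoint {
    param([Parameter(Mandatory)][string]$CerFile, [Parameter(Mandatory)][string]$ManagementPoint)
    # Copy the .cer over the admin share, then import it into Trusted People on the management point
    $remotePath = "C:\Windows\Temp\MPReplica.cer"   # assumed writable location on the MP
    Copy-Item -Path $CerFile -Destination "\\$ManagementPoint\C$\Windows\Temp\MPReplica.cer"
    Invoke-Command -ComputerName $ManagementPoint -ArgumentList $remotePath -ScriptBlock {
        param($Path)
        $imported = Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\TrustedPeople
        Remove-Item $Path
        $imported.Thumbprint   # returned so the caller can compare it with the exported thumbprint
    }
}

# Run on the database replica server (MP01 and the paths are placeholders):
# $thumb = Export-MPReplicaCert -OutFile C:\Temp\MPReplica.cer
# Test-SqlServerCertBinding -Thumbprint $thumb                                   # expect True
# Import-MPReplicaCertOnManagementPoint -CerFile C:\Temp\MPReplica.cer -ManagementPoint MP01
```

If Test-SqlServerCertBinding returns False, SQL Server is presenting a different certificate than the one you distributed, and the management point's connection will fail its trust check.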
Step 5 - Configure the SQL Server Service Broker for the database replica server
To support client notification with a database replica for a management point, configure communication
between the site database server and the database replica server for the SQL Server Service Broker. Configure
each database with information about the other database, and to exchange certificates between the two
databases for secure communication.

NOTE
Before you can use the following procedure, the database replica server must successfully complete the initial
synchronization with the site database server.

The following procedure doesn't modify the Service Broker port that's configured in SQL Server for the site
database server or the database replica server. This procedure configures each database to communicate with
the other database by using the correct Service Broker port.
Use the following procedure to configure the Service Broker for the site database server and the database
replica server:
1. Use SQL Server Management Studio to connect to the replica server database. Then run the
following query to enable the Service Broker on the database replica server:
ALTER DATABASE <Replica Database Name> SET ENABLE_BROKER, HONOR_BROKER_PRIORITY ON WITH ROLLBACK IMMEDIATE

2. On the database replica server, configure the Service Broker for client notification and export the Service
Broker certificate. Run a SQL Server stored procedure that configures the Service Broker and exports the
certificate as a single action. When you run the stored procedure, specify the FQDN of the database
replica server, the name of the database replica's database, and a location for the export of the
certificate file.
Run the following query to configure the required details on the database replica server, and to export
the certificate for the database replica server:
EXEC sp_BgbConfigSSBForReplicaDB '<Replica SQL Server FQDN>', '<Replica Database Name>', '<Certificate Backup File Path>'

NOTE
When the database replica server isn't on the default instance of SQL Server, also specify the instance name with
the replica database name. In the example command, replace <Replica Database Name> with
<Instance name>\<Replica Database Name> .

After you export the certificate from the database replica server, place a copy of the certificate on the
primary site database server.
3. Use SQL Server Management Studio to connect to the primary site database. After you connect to the
primary site's database, run a query to import the certificate and specify the Service Broker port that's in
use on the database replica server, the FQDN of the database replica server, and the name of the database
replica's database. This action configures the primary site's database to use the Service Broker to
communicate with the database of the database replica server.
Run the following query to import the certificate from the database replica server and specify the
required details:
EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '<SQL Service Broker Port>', '<Certificate File Path>', '<Replica SQL Server FQDN>', '<Replica Database Name>'

NOTE
When the database replica server isn't on the default instance of SQL Server, also specify the instance name with
the replica database name. In the example command, replace <Replica Database Name> with
<Instance name>\<Replica Database Name> .

4. On the site database server, run the following command to export the certificate for the site database
server: EXEC sp_BgbCreateAndBackupSQLCert '<Certificate Backup File Path>'
After you export the certificate from the site database server, place a copy of the certificate on the
database replica server.
5. Use SQL Server Management Studio to connect to the replica server database. After you connect to
the replica server database, run a query to import the certificate and specify the site code of the primary
site and the Service Broker port that's in use on the site database server. This action configures the
database replica server to use the Service Broker to communicate with the database of the primary site.
Run the following query to import the certificate from the site database server:
EXEC sp_BgbConfigSSBForRemoteService '<Site Code>', '<SQL Service Broker Port>', '<Certificate File Path>'

A few minutes after you complete the configuration of the site database and the database replica database, the
notification manager at the primary site sets up the Service Broker conversation for client notification from the
primary site database to the database replica.
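The following script is an added example, not part of the Configuration Manager documentation, that runs steps 2 through 5 above from one PowerShell session with Invoke-Sqlcmd (SqlServer module) and then checks the result. The server names, database names, site code, Service Broker port and the certificate share are assumptions for illustration; the SQL Server service account on each server must be able to write to and read from that share, which replaces the manual "place a copy of the certificate" steps. The verification queries at the end use the standard sys.remote_service_bindings and sys.tcp_endpoints catalog views, which is my own check rather than one the documentation prescribes.

```powershell
# Added example (not from the Configuration Manager docs): Service Broker certificate exchange
# between the site database and a database replica. All names, port and paths are assumptions.
Import-Module SqlServer

$SiteCode        = 'PS1'                     # assumption: primary site code
$SiteDbServer    = 'sql01.contoso.com'       # assumption: site database server, default instance
$SiteDb          = 'CM_PS1'                  # assumption: site database name
$ReplicaServer   = 'sql02.contoso.com'       # assumption: database replica server
$ReplicaInstance = 'CMREPL'                  # assumption: named instance; use '' for the default instance
$ReplicaDb       = 'CM_PS1_REPL'             # assumption: replica database name
$SsbPort         = 4022                      # assumption: Service Broker port in use on both servers
$CertShare       = '\\fileserver\certs'      # assumption: share readable/writable by both SQL Server service accounts

# Per the NOTE in the article: when the replica isn't on the default instance, the stored procedures
# take '<Instance name>\<Replica Database Name>' for the replica database argument.
$ReplicaDbArg = if ($ReplicaInstance) { "$ReplicaInstance\$ReplicaDb" } else { $ReplicaDb }
$ReplicaConn  = if ($ReplicaInstance) { "$ReplicaServer\$ReplicaInstance" } else { $ReplicaServer }

function Invoke-CMSql {
    # Thin wrapper so each step names the server and database it runs against.
    param([string]$Server, [string]$Database, [string]$Query)
    Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $Query -QueryTimeout 120 -ErrorAction Stop
}

# The stored procedures take literal strings, so admin-supplied values are interpolated below.
# These are configuration constants, not untrusted input; never build these queries from user data.

# Step 2: on the replica database, configure Service Broker and export the replica's certificate.
$ReplicaCert = Join-Path $CertShare "$ReplicaServer.cer"
Invoke-CMSql -Server $ReplicaConn -Database $ReplicaDb -Query @"
EXEC sp_BgbConfigSSBForReplicaDB N'$ReplicaServer', N'$ReplicaDbArg', N'$ReplicaCert'
"@

# Step 3: on the site database, import the replica certificate and register the remote service.
Invoke-CMSql -Server $SiteDbServer -Database $SiteDb -Query @"
EXEC sp_BgbConfigSSBForRemoteService N'REPLICA', N'$SsbPort', N'$ReplicaCert', N'$ReplicaServer', N'$ReplicaDbArg'
"@

# Step 4: on the site database, create (if needed) and export the site database certificate.
$SiteCert = Join-Path $CertShare "$SiteDbServer.cer"
Invoke-CMSql -Server $SiteDbServer -Database $SiteDb -Query @"
EXEC sp_BgbCreateAndBackupSQLCert N'$SiteCert'
"@

# Step 5: on the replica database, import the site database certificate, keyed by the site code.
Invoke-CMSql -Server $ReplicaConn -Database $ReplicaDb -Query @"
EXEC sp_BgbConfigSSBForRemoteService N'$SiteCode', N'$SsbPort', N'$SiteCert'
"@

# Verification (my own check, assumption: standard catalog views): each side should now list a remote
# service binding, and its Service Broker TCP endpoint should be STARTED on the expected port.
foreach ($side in @(@{ S = $SiteDbServer; D = $SiteDb }, @{ S = $ReplicaConn; D = $ReplicaDb })) {
    Invoke-CMSql -Server $side.S -Database $side.D -Query @"
SELECT @@SERVERNAME AS ServerName, name AS RemoteServiceBinding FROM sys.remote_service_bindings;
SELECT name AS Endpoint, port, state_desc FROM sys.tcp_endpoints WHERE type_desc = 'SERVICE_BROKER';
"@ | Format-Table -AutoSize
}
```

If the endpoint on either server reports a port other than the one you passed to sp_BgbConfigSSBForRemoteService, or state_desc is not STARTED, the notification manager can't open the conversation to the replica even though the stored procedures succeeded. The exported .cer files contain public keys only, but treat the share as administrative: anyone who can replace a file on it before the import step can substitute their own certificate.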
Supplemental script for other database replicas on a single SQL Server
When you use the script from step 4 to configure a self-signed certificate for the database replica server on a
SQL Server that already has a database replica you plan to continue using, use a modified version of the original
script. The following modifications prevent the script from deleting an existing certificate on the server, and
create subsequent certificates with unique friendly names. Edit the original script as follows:
Comment out each line between the script entries # Delete existing cert if one exists and
# Create the new cert . Add a pound sign ( # ) as the first character of each applicable line.

For each subsequent database replica you use this script to configure, update the friendly name for the
certificate. Edit the line
$enrollment.CertificateFriendlyName = "ConfigMgr SQL Server Identification Certificate" and replace
ConfigMgr SQL Server Identification Certificate with a new name. For example,
ConfigMgr SQL Server Identification Certificate1 .

Manage database replica configurations


When you use a database replica at a site, use the information in the following sections to supplement the
process of uninstalling a database replica, uninstalling a site that uses a database replica, or moving the site
database to a new installation of SQL Server. When you delete publications, use the guidance for deleting
transactional replication for the version of SQL Server that you use for the database replica. For more
information, see Delete a Publication.
NOTE
After you restore a site database that was configured for database replicas, before you can use the database replicas,
reconfigure each database replica and recreate both the publications and subscriptions.

Uninstall a database replica


When you use a database replica for a management point, you might need to uninstall it and then reconfigure it
for use. For example, remove database replicas before you update Configuration Manager to the latest version.
After the site update completes, restore the database replica for use.
Use the following steps to uninstall a database replica.
1. In the Administration workspace of the Configuration Manager console, expand Site Configuration ,
then select Servers and Site System Roles . In the details pane, select the site system server that hosts
the management point that uses the database replica you will uninstall.
2. In the Site System Roles pane, select the Management point role. In the ribbon, on the Site Role tab,
select Properties .
3. Switch to the Management Point Database tab. Select Use the site database to configure the
management point to use the site database instead of the database replica. Select OK to save the
configuration.
4. Use SQL Server Management Studio to do the following tasks:
Delete the publication for the database replica from the site server database.
Delete the subscription for the database replica from the database replica server.
Delete the replica database from the database replica server.
Disable publishing and distribution on the site database server. To disable publishing and
distribution, right-click the Replication folder and select Disable Publishing and Distribution .
After you delete the publication, subscription, the replica database, and disable publishing on the site database
server, the database replica is uninstalled.
Uninstall a site server that publishes a database replica
Before you uninstall a site that publishes a database replica, use the following steps to clean up the publication
and any subscriptions.
1. Use SQL Server Management Studio to delete the database replica publication from the site server
database.
2. Use SQL Server Management Studio to delete the database replica subscription from each remote
SQL Server that hosts a database replica for this site.
3. Uninstall the site.
Move a site server database that publishes a database replica
When you move the site database to a new computer, use the following steps:
1. Use SQL Server Management Studio to delete the publication for the database replica from the site
server database.
2. Use SQL Server Management Studio to delete the subscription for the database replica from each
database replica server for this site.
3. Move the database to the new SQL Server computer. For more information, see Modify the site database
configuration.
4. Recreate the publication for the database replica on the site database server. For more information, see
Step 1 - Configure the site database server to Publish the database replica.
5. Recreate the subscriptions for the database replica on each database replica server. For more information,
see Step 2 - Configuring the database replica server.
Site components for Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


For each Configuration Manager site, you can configure site components to modify the behavior of site system
roles and site status reporting. Site component configurations apply to a site, and to each instance of an
applicable site system role at the site.
In the Configuration Manager console, go to the Administration workspace, expand Site Configuration , and
select the Sites node. Select a site. In the Settings group of the ribbon, choose Configure Site Components .
Select one of the following options:
Software distribution
Software update point
OS deployment
Management point
Status reporting
Email notification
Collection membership evaluation

About site components


Most options for the various site components are self-explanatory when viewed in the Configuration Manager
console. However, the following details can help explain some of the more complex configurations, or direct you
to other content.

NOTE
The available options for some components vary whether you select the central administration site, a primary site, or a
secondary site. Some components are not available at all for certain types of sites.

Software distribution
Content distribution settings
On the General tab, specify settings that modify how the site server transfers content to its distribution points.
When you increase the values you use for concurrent distribution settings, content distribution can use more
network bandwidth.
Pull distribution point
For more information, see Use a pull-distribution point.
Network access account
For more information, see Network access account.
Automate software distribution site component with PowerShell
To programmatically view and configure the Software distribution site component, use the following
PowerShell cmdlets:
Get-CMSoftwareDistributionComponent
Set-CMSoftwareDistributionComponent
Software update point
For more information, see Install a software update point.
Automate software update point site component with PowerShell
To programmatically view and configure the Software update point site component, use the following
PowerShell cmdlets:
Get-CMSoftwareUpdatePointComponent
Set-CMSoftwareUpdatePointComponent
OS deployment
For more information, see Specify the drive for offline OS image servicing.
Management point
On the General tab, set up the site to publish information about its management points to Active Directory
Domain Services.
Configuration Manager clients use management points to locate services, and to find site information such as
boundary group membership and PKI certificate selection options. Clients also use management points to find
other management points in the site, and distribution points from which to download software. Management
points also help clients to complete site assignment, and to download client policy and upload client
information.
The most secure method for clients to find management points is to publish them in Active Directory Domain
Services. This service location method requires the following to be true:
The schema is extended for Configuration Manager.
There's a System Management container, with appropriate security permissions for the site server to
publish to this container.
The Configuration Manager site is set up to publish to Active Directory Domain Services.
Clients belong to the same Active Directory forest as the site server's forest.
When clients on the intranet can't use Active Directory Domain Services to find management points, use DNS
publishing. This article also describes the option to Publish selected intranet management points in DNS .
For general information about service location, see Understand how clients find site resources and services.
Automate management point site component with PowerShell
To programmatically view and configure the Management point site component, use the following PowerShell
cmdlets:
Get-CMManagementPointComponent
Set-CMManagementPointComponent
Status reporting
These settings directly set up the level of detail that's included in status reports from sites and clients.
Automate status reporting site component with PowerShell
To programmatically view and configure the Status reporting site component, use the following PowerShell
cmdlets:
Get-CMStatusReportingComponent
Set-CMStatusReportingComponent
Email notification
Specify account and email server details to enable Configuration Manager to send email notifications for alerts.
For more information, see Configure alerts.
Automate email notification site component with PowerShell
To programmatically view and configure the Email notification site component, use the following PowerShell
cmdlets:
Get-CMEmailNotificationComponent
Set-CMEmailNotificationComponent
Collection membership evaluation
Use this component to set how often collection membership is incrementally evaluated. Incremental evaluation
updates a collection membership with only new or changed resources.
For more information, see Best practices for collections.
Automate collection membership evaluation site component with PowerShell
To programmatically view and configure the Collection membership evaluation site component, use the
following PowerShell cmdlets:
Get-CMCollectionMembershipEvaluationComponent
Set-CMCollectionMembershipEvaluationComponent

Configuration Manager Service Manager


You can use the Service Manager to control Configuration Manager services, and to view the status of any
Configuration Manager service or working thread. These services and threads are referred to collectively as
Configuration Manager components.
Components can run on any site system.
Manage components the same way that you manage services in Windows. The following actions apply to
Configuration Manager components:
Start
Stop
Pause
Resume
Query
A Configuration Manager service runs when there's something for it to do. For example, when a configuration
file is written to a component's inbox.
Use Service Manager
1. In the Configuration Manager console, go to the Monitoring workspace, expand System Status , and
select the Component Status node.
2. In the Component group of the ribbon, select Start , and then choose Configuration Manager
Service Manager .
3. When the Configuration Manager Service Manager opens, connect to the site that you want to manage.
If you don't see the site that you want to manage, go to the Site menu, and select Connect . Then enter
the name of the site server of the correct site.
4. Expand the site and navigate to Components or Servers , depending on the location of the components
that you want to manage.
5. In the right pane, select one or more components. Then on the Component menu, select Query to
update the status of your selection.
6. After it updates the status of the component, use one of the four action-based options on the
Component menu. Use these actions to modify the component's operation. After you request an action,
query the component again to display the new status of the component.
7. Close the Configuration Manager Service Manager when you're finished modifying the operational status
of components.
Publish site data for Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


After you extend the Active Directory schema for Configuration Manager, you can publish Configuration
Manager sites to Active Directory Domain Services (AD DS). This lets Active Directory computers securely
retrieve site information from a trusted source. Although publishing site information to AD DS is not required
for basic Configuration Manager functionality, it can reduce administrative overhead to do so.
When a site is configured to publish to AD DS , Configuration Manager clients can automatically
find management points through Active Directory publishing. They use an LDAP query to a global
catalog server.
When a site does not publish to AD DS , clients must have an alternative mechanism to locate their
default management point.
For information about how clients find a management point, see Understand how clients find site resources and
services for Configuration Manager.

Configure sites to publish to AD DS


The following are the high-level steps:
You must extend the Active Directory schema for Configuration Manager in each forest where you will
publish site data. Also ensure the System Management container is present.
You must grant the computer account of each primary site that will publish data full control to the
System Management container, and all of its child objects.
To enable a Configuration Manager site to publish site information to Active Directory forest
1. In the Configuration Manager console, click Administration .
2. In the Administration workspace, expand Site Configuration , and click Sites . Select the site that you
want to have publish its site data. Then on the Home tab, in the Properties group, click Properties .
3. On the Publishing tab of the site's properties, select the forests to which this site will publish site data.
4. Click OK to save the configuration.
To set up Active Directory forests for publishing
1. In the Configuration Manager console, click Administration .
2. In the Administration workspace, expand Hierarchy Configuration , and click Active Directory
Forests . If Active Directory Forest Discovery has previously run, you see each discovered forest in the
results pane. The local forest and any trusted forests are discovered when Active Directory Forest
Discovery runs. Only untrusted forests must be manually added.
To set up a previously discovered forest, select the forest in the results pane. Then on the Home
tab, in the Properties group, click Properties to open the forest properties. Continue with step 3.
To set up a new forest that is not listed, on the Home tab, in the Create group, click Add Forest
to open the Add Forests dialog box. Continue with step 3.
3. On the General tab, complete configurations for the forest that you want to discover, and specify the
Active Directory Forest Account .

NOTE
Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do
not use the computer account of the site server, you can only select a global account.

4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete
configurations for publishing to this forest.

NOTE
If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for
Configuration Manager. The Active Directory Forest Account must have Full Control permissions to the System
container in that forest.

5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click
OK to save the configuration.
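The management point section above and this article both state the conditions for trusted service location through Active Directory: an extended schema, a System Management container, Full Control for the site server on that container and its child objects, and clients in the same forest. The following PowerShell script is an added example, not part of the Configuration Manager documentation, that verifies those conditions for one domain and then runs the same kind of LDAP lookup a client performs. It needs the ActiveDirectory module (RSAT). The site code, the site server account and the mSSMS* attribute and class names (mSSMSManagementPoint, mSSMSMPName, mSSMSSiteCode, mSSMSDefaultMP) are assumptions; confirm them against your extended schema.

```powershell
# Added example (not from the Configuration Manager docs): check AD publishing prerequisites and
# list the management points a client would find by LDAP. Site code, account and attribute names
# are assumptions.
Import-Module ActiveDirectory

$SiteCode       = 'PS1'                      # assumption
$SiteServerAcct = 'CONTOSO\CMSITE01$'        # assumption: site server computer account
$Domain         = Get-ADDomain
$SystemMgmtDN   = "CN=System Management,CN=System,$($Domain.DistinguishedName)"
$SchemaNC       = (Get-ADRootDSE).schemaNamingContext

# 1. Schema extended? Look the Configuration Manager class up by its LDAP display name.
$schemaOk = [bool](Get-ADObject -SearchBase $SchemaNC `
    -LDAPFilter '(lDAPDisplayName=mSSMSManagementPoint)' -ErrorAction SilentlyContinue)
"Schema extended for Configuration Manager : $schemaOk"

# 2. System Management container present?
$container = Get-ADObject -Identity $SystemMgmtDN -ErrorAction SilentlyContinue
"System Management container present       : $([bool]$container)"

if ($container) {
    # 3. Site server has Full Control (GenericAll) on the container and all descendant objects.
    #    InheritanceType 'All' is "this object and all descendant objects" in the ACL editor.
    $acl = Get-Acl -Path "AD:\$SystemMgmtDN"
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SiteServerAcct -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and
        $_.InheritanceType -eq 'All'
    }
    "Site server Full Control incl. children   : $([bool]$fullControl)"

    # Security review: every principal with Full Control here can publish management point records
    # that clients treat as a trusted source. Expect only site servers and the usual admin groups.
    "Principals with Full Control on $SystemMgmtDN :"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } }, InheritanceType, IsInherited |
        Format-Table -AutoSize
}

# 4. What a client would find: management points this site has published. Clients query a global
#    catalog; this runs against a domain controller for the current domain, which holds the same objects.
Get-ADObject -SearchBase $SystemMgmtDN `
    -LDAPFilter "(&(objectClass=mSSMSManagementPoint)(mSSMSSiteCode=$SiteCode))" `
    -Properties mSSMSMPName, mSSMSSiteCode, mSSMSDefaultMP |
    Select-Object Name, mSSMSMPName, mSSMSSiteCode, mSSMSDefaultMP |
    Format-Table -AutoSize
```

The permission check is deliberately strict: a rule that grants Full Control only on the container itself (InheritanceType None) lets the site server create objects but not maintain the ones it already published, which shows up as stale or missing management point records rather than an obvious error. Run the same script in every forest you selected on the Publishing tab, using that forest's domain.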
Manage content and content infrastructure for
Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


When you are ready to set up and then manage your content management infrastructure for Configuration
Manager, use the information in the following topics:
Install and configure distribution points for Configuration Manager. Before you can deploy content, you
must install and set up distribution points. Then you can set up distribution point groups to help simplify
management of content across your infrastructure. The information in this topic can help you complete
these tasks, and details the deep and varied settings supported by individual distribution points.
Deploy and manage content for Configuration Manager. Content deployment transfers files and software
to distribution point servers throughout your network. In addition to a simple transfer, you can prestage
content, which is a method that can help you avoid excessive use of network bandwidth. The information
in this topic can help you with the basic tasks of sending that content or using pre-staged content
effectively.
Monitor content you have distributed with Configuration Manager. As you deploy content, you can
monitor its status across your infrastructure. You can also redistribute content that fails to reach
distribution points, or cancel distributions that remain in progress. The information in this topic helps you
understand how to monitor your content, including how to fix some problems when the transfer of
content fails.
Install and configure distribution points in
Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Install Configuration Manager distribution points to host the content files that you deploy to devices and users.
Create distribution point groups to simplify how you manage distribution points, and how you distribute
content to distribution points.
You install a new distribution point by using the installation wizard. For more information, see Install a
distribution point. To manage the properties of an existing distribution point, edit the properties of the
distribution point. For more information, see Configure a distribution point.
Configure most of the distribution point settings with either method. A few settings are available only when
you're either installing or editing, but not both:
Settings that are available only when you're installing a distribution point:
Allow Configuration Manager to install IIS on the distribution point computer
Configure drive space settings for the distribution point
Settings that are available only when you're editing the properties of a distribution point:
Manage distribution point group relationships
View Content deployed to the distribution point
Configure Rate limits for data transfers to distribution points
Configure Schedules for data transfers to distribution points

Install a distribution point


Before you can make content available to clients, choose a site system server as a distribution point. Assign each
distribution point to at least one boundary group. Add the distribution point role to a new server, or add it to an
existing server.
Prerequisites
When you install a new distribution point, you use an installation wizard that walks you through the available
settings. Before you start, consider the following prerequisites:
You must have the following security permissions to create and configure a distribution point:
Read for the Distribution Point object
Copy to Distribution Point for the Distribution Point object
Modify for the Site object
Manage Certificates for Operating System Deployment for the Site object
Install Internet Information Services (IIS) on the Windows server that hosts the distribution point. Or,
when you install the site system role, Configuration Manager can install and configure IIS for you.
TIP
To prevent Configuration Manager from installing on a specific drive, create an empty file named
NO_SMS_ON_DRIVE.SMS and copy it to the root folder of the drive before you install the distribution point.

Procedure to install a distribution point


Use this procedure to add a new distribution point. To change the configuration of an existing distribution point,
see the Configure a distribution point section.
Start with the general procedure to Install site system roles. Select the Distribution point role on the System
Role Selection page of the Create Site System Server wizard. This action adds the following pages to the
wizard:
Distribution point
Communication
Drive Settings
Pull Distribution Point
PXE Settings
Multicast
Content Validation
Boundary Groups

IMPORTANT
The following settings are available only when you're installing a distribution point:
Allow Configuration Manager to install IIS on the distribution point computer
Configure drive space settings for the distribution point

For more information on the pages of the wizard specific to the distribution point role, see the Configure a
distribution point section. For example, if you want to install the distribution point as a pull-distribution point,
choose the option to Enable this distribution point to pull content from other distribution points .
Then make the other configurations that pull-distribution points require.
After you finish the Create Site System Server wizard, the site adds the distribution point role to the site system
server.

NOTE
You can use PowerShell to automate the installation of a distribution point. For more information, see Add-
CMDistributionPoint.

To help you troubleshoot, review the following log files on the site server:
distmgr.log
SMSdpmon.log
For more information, see Log file reference.

Manage distribution point groups


Distribution point groups provide a logical grouping of distribution points for content distribution. Use these
groups to manage and monitor content from a central location for distribution points that span multiple sites.
Keep the following points in mind:
Add one or more distribution points from any site in the hierarchy to a distribution point group.
Add a distribution point to more than one distribution point group.
When you distribute content to a distribution point group, Configuration Manager distributes the content
to all distribution points that are members of the group.
If you add a distribution point to the group after an initial content distribution, Configuration Manager
automatically distributes the content to the new distribution point member.
Associate a collection with a distribution point group. When you distribute content to that collection,
Configuration Manager determines which groups are associated with the collection. It then distributes the
content to all distribution points that are members of those groups.

NOTE
After you distribute content to a collection, if you then associate the collection with a new distribution point
group, you must redistribute the content to the collection before the content is distributed to the new distribution
point group.

The next sections list the procedures for the following actions to manage distribution point groups:
Create and configure a new distribution point group
Modify an existing distribution point group
Add selected distribution points to existing distribution point groups
Procedure to create and configure a new distribution point group
1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Point Groups node.
2. In the ribbon, select Create Group .
3. In the Create New Distribution Point Group window, enter the Name , and optionally a Description for
the group.
4. On the Members tab, select Add .
5. In the Add Distribution Points window, select one or more distribution points to add as members of the
group. Then choose OK .
6. If necessary, switch to the Collections tab of the Create New Distribution Point Group window, and
select Add .
7. In the Select Collections window, select the collections to associate with the distribution point group, and
then choose OK .
8. In the Create New Distribution Point Group window, choose OK to create the group.

NOTE
You can use PowerShell to automate this process. For more information, see New-CMDistributionPointGroup.

Create a new group from an existing distribution point


1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Points node. Select one or more distribution points to add to a new distribution point
group.
2. In the ribbon, select Add Selected Items , and then select Add Selected Items to New Distribution
Point Group .
This process automatically populates the Members tab of the Create New Distribution Point Group window
with the selected servers.
Procedure to modify an existing distribution point group
1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Point Groups node.
2. Select an existing distribution point group to modify. In the ribbon, select Proper ties .
3. To associate new collections with this group, switch to the Collections tab, and choose Add . Select the
collections, and then choose OK .
4. To add new distribution points to this group, switch to the Members tab, and choose Add . Select the
distribution points, and then choose OK .
5. Choose OK to save changes to the distribution point group.

NOTE
You can use PowerShell to automate this process. For more information, see Set-CMDistributionPointGroup.

Procedure to add selected distribution points to existing distribution point groups


1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Points node. Select one or more distribution points to add to an existing group.
2. In the ribbon, select Add Selected Items , and then select Add Selected Items to Existing
Distribution Point Groups .
3. In the Available distribution point groups , select the groups to which the selected distribution points
are added as members. Then choose OK .

NOTE
You can use PowerShell to automate this process. For more information, see Add-CMDistributionPointToGroup.
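The install procedure and the group procedures above map onto the cmdlets the notes name. The following script is an added example, not part of the Configuration Manager documentation, that prepares a server, installs the distribution point role with the two install-only settings (IIS installation and drive space), and adds the server to a distribution point group. The site code, server names, group name and excluded drive are assumptions; the Add-CMDistributionPoint parameters shown are the ones I rely on for these settings and should be checked against Get-Help in your console version.

```powershell
# Added example (not from the Configuration Manager docs): install a distribution point and
# place it in a distribution point group. Names, drive letters and sizes are assumptions.
$SiteCode      = 'PS1'                       # assumption
$DpServer      = 'dp01.contoso.com'          # assumption: new site system server
$GroupName     = 'Deploy-Branch-East'        # assumption
$ExcludeDrives = @('C')                      # assumption: keep the content library off the OS drive

# 1. Drive exclusion must be in place before the role installs: an empty NO_SMS_ON_DRIVE.SMS at
#    the root of each drive you want Configuration Manager to skip.
Invoke-Command -ComputerName $DpServer -ArgumentList (,$ExcludeDrives) -ScriptBlock {
    param($Drives)
    foreach ($d in $Drives) {
        New-Item -Path "${d}:\NO_SMS_ON_DRIVE.SMS" -ItemType File -Force | Out-Null
    }
    # IIS may already be present; if not, the role install below is allowed to add it.
    "IIS installed on $env:COMPUTERNAME : $((Get-WindowsFeature Web-Server).Installed)"
}

# 2. Load the console module and switch to the site drive (named after the site code).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

# 3. The server must be a site system server before a role can be added to it.
if (-not (Get-CMSiteSystemServer -SiteSystemServerName $DpServer -SiteCode $SiteCode)) {
    New-CMSiteSystemServer -SiteSystemServerName $DpServer -SiteCode $SiteCode | Out-Null
}

# 4. Add the role. -InstallInternetServer and -MinimumFreeSpaceMB are the install-only settings the
#    article lists; the certificate expiry is for the self-signed DP certificate (assumed 2 years).
Add-CMDistributionPoint -SiteSystemServerName $DpServer -SiteCode $SiteCode `
    -InstallInternetServer `
    -MinimumFreeSpaceMB 51200 `
    -CertificateExpirationTimeUtc (Get-Date).AddYears(2) `
    -EnableContentValidation | Out-Null

# 5. Group membership: create the group if it doesn't exist, then add the new DP. Content already
#    distributed to the group is sent to the new member automatically.
if (-not (Get-CMDistributionPointGroup -Name $GroupName)) {
    New-CMDistributionPointGroup -Name $GroupName -Description 'Branch DPs, east region' | Out-Null
}
Add-CMDistributionPointToGroup -DistributionPointName $DpServer -DistributionPointGroupName $GroupName

# 6. Report the result; distmgr.log and SMSdpmon.log on the site server carry the install detail.
Get-CMDistributionPoint -SiteSystemServerName $DpServer -SiteCode $SiteCode |
    Select-Object NetworkOSPath, SiteCode
```

Creating NO_SMS_ON_DRIVE.SMS after the role is installed has no effect on where the content library already landed, which is why the file is written first. Leave the certificate at the site's self-signed default only where clients connect over HTTP; for HTTPS distribution points import a PKI certificate on the General tab instead.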

Reassign a distribution point


Many customers have large Configuration Manager infrastructures, and are reducing primary or secondary
sites to simplify their environment. They still need to keep distribution points at branch office locations to serve
content to managed clients. These distribution points often contain multiple terabytes or more of content. This
content is costly for time and network bandwidth to distribute to these remote servers.
This feature lets you reassign a distribution point to another primary site without redistributing the content. The
distribution point's current site can be either a primary or secondary site. This action updates the site system
assignment while persisting all of the content on the server. If you need to reassign multiple distribution points,
first do this action on a single distribution point. Then continue with other servers one at a time.
IMPORTANT
The target server can only host the distribution point role. If the site system server hosts another Configuration Manager
server role, such as the state migration point, you can't reassign the distribution point. You can't reassign a cloud
management gateway.

Before reassigning a distribution point, add the computer account of the destination site server to the local
Administrator group on the target distribution point server.
Follow these steps to reassign a distribution point:
1. In the Configuration Manager console, connect to the central administration site.
2. Go to the Administration workspace, and select the Distribution Points node.
3. Right-click the target distribution point, and select Reassign Distribution Point .
4. Select the target site server and site code to which you want to reassign this distribution point.
Monitor the reassignment similarly as when you add a new role. The simplest method is to refresh the console
view after several minutes. Add the site code column to the view. This value changes when Configuration
Manager reassigns the server. If you try to do another action on the target server before you refresh the console
view, an "object not found" error occurs. Ensure the process is complete and refresh the console view before
starting any other actions on the server.
After reassigning a distribution point, refresh the server's certificate. The new site server needs to re-encrypt
this certificate using its public key and store it in the site database. For more information, see the Create a self-
signed certificate or import a public key infrastructure (PKI) client certificate for the distribution
point setting on the General tab of the distribution point properties.
For PKI certificates, you don't need to create a new certificate. Import the same .PFX and enter the
password.
For self-signed certificates, adjust the expiration date or time to update it.
If you don't refresh the certificate, the distribution point still serves content, but the following functions
fail:
Content validation messages (the distmgr.log shows that it can't decrypt the certificate)
PXE support for clients
Tips
Do this action from the central administration site. This practice helps with replication to the primary
sites.
Don't distribute content to the target server and then attempt to reassign it. Distribute content tasks that
are in progress may fail during the reassignment process, but it retries per normal.
If the server is also a Configuration Manager client, make sure to also reassign the client to the new
primary site. This step is especially critical for pull-distribution points, which use client components to
download content.
This process removes the distribution point from the old site's default boundary group. You need to
manually add it to the new site's default boundary group, if necessary. All other boundary group
assignments remain the same.
NOTE
You can use PowerShell to automate this process. For more information, see the ReassignSiteCode parameter of the
Set-CMDistributionPoint cmdlet.

Maintenance mode
You can set a distribution point in maintenance mode. Enable maintenance mode when you're installing
software updates, or making hardware changes to the server.
While the distribution point is in maintenance mode, it has the following behaviors:
The site doesn't distribute any content to it.
Management points don't return the location of this distribution point to clients.
When you update the site, a distribution point in maintenance mode still updates.
The distribution point properties are read-only. For example, you can't change the certificate or add
boundary groups.
Any scheduled task, like content validation, still runs on the same schedule.
Be careful about enabling maintenance mode on more than one distribution point. This action may cause a
performance impact to your other distribution points. Depending upon your boundary group configurations,
clients may have increased download times or be unable to download content.
Maintenance mode shouldn't be a long-term state for any distribution point. For any actions with a long
duration, consider first removing the distribution point role.

NOTE
While a distribution point is in maintenance mode, don't do the following actions:
Remove role
Reassign distribution point

Enable maintenance mode


To put a distribution point in maintenance mode, your user account requires the Modify permission on the Site
class. For example, the Infrastructure Administrator and Full Administrator built-in roles have this
permission.
1. In the Configuration Manager console, go to the Administration workspace.
2. Select the Distribution Points node.
3. Select the target distribution point, and choose Enable maintenance mode from the ribbon.
To view the current state of the distribution points, add the "Maintenance mode" column to the Distribution
Points node in the console.
For more information on automating this process with the Configuration Manager SDK, see
SetDPMaintenanceMode method in class SMS_DistributionPointInfo.
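The following PowerShell is an added example, not code from the Configuration Manager documentation: it enables maintenance mode on one distribution point from a console PowerShell session, but first counts distribution points already in that state, because the text above warns about having several in maintenance mode at once. The site code and server name are placeholders, and it assumes the MaintenanceMode property of the SMS_DistributionPointInfo objects returned by Get-CMDistributionPointInfo is 1 while maintenance mode is enabled.

```powershell
# Added example (not from the Configuration Manager documentation): put one distribution
# point into maintenance mode, but refuse if other distribution points are already in that
# state, because maintenance mode on several servers at once can slow client downloads.
# Run from a Configuration Manager console PowerShell session.
param(
    [string]$SiteCode = 'PS1',                   # placeholder site code
    [string]$DpFqdn   = 'dp01.contoso.example',  # placeholder distribution point FQDN
    [int]$MaxInMaintenance = 1                   # how many DPs may be in maintenance mode at once
)

Import-Module ConfigurationManager
Set-Location "$($SiteCode):"

# SMS_DistributionPointInfo is the class that exposes SetDPMaintenanceMode. Assumption:
# its MaintenanceMode property is 1 while maintenance mode is enabled.
$inMaintenance = @(Get-CMDistributionPointInfo |
    Where-Object { $_.MaintenanceMode -eq 1 -and $_.ServerName -ne $DpFqdn })

if ($inMaintenance.Count -ge $MaxInMaintenance) {
    $names = ($inMaintenance | ForEach-Object ServerName) -join ', '
    Write-Warning "Not enabling maintenance mode on $DpFqdn; already in maintenance mode: $names"
    return
}

# Same action as Enable maintenance mode in the console ribbon.
Set-CMDistributionPoint -SiteSystemServerName $DpFqdn -SiteCode $SiteCode -EnableMaintenanceMode $true

# Confirm the new state, as the console's "Maintenance mode" column would show it.
Get-CMDistributionPointInfo | Where-Object ServerName -eq $DpFqdn |
    Select-Object ServerName, SiteCode, MaintenanceMode
```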

Configure a distribution point


Individual distribution points support different kinds of configurations. However, not all distribution point types
support all configurations. For example, cloud management gateways don't support PXE- or multicast-enabled
deployments. For more information about specific limitations, see the following articles:
Supported configurations for cloud management gateway
Use a pull-distribution point
The following sections describe the distribution point configurations when you're installing a new one or editing
an existing one:
General settings
Communication
Drive Settings
Firewall Settings
Pull Distribution Point
PXE Settings
Multicast
Content Validation
Boundary Groups
Procedure to change a distribution point
1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Points node.
2. Select the distribution point to configure. In the ribbon, choose Properties.
3. Use the information in the following sections when you're editing the properties of the distribution point.
4. After you make the changes that you want, select OK to save your settings and close the distribution
point properties.

NOTE
You can use PowerShell to automate this process. For more information, see Set-CMDistributionPoint.

General
The following settings are on the Distribution point page of the Create Site System Server wizard, and the
General tab of the distribution point properties window:
Description: An optional description for this distribution point role.
Install and configure IIS if required by Configuration Manager: If IIS isn't already installed on the
server, Configuration Manager installs and configures it. Configuration Manager requires IIS on all
distribution points. If you don't choose this setting, and IIS isn't installed on the server, first install IIS
before Configuration Manager can successfully install the distribution point.

NOTE
This option is only on the Distribution point page of the Create Site System Server wizard. It's available only
when you're installing a new distribution point.

Enable and configure BranchCache for this distribution point: Choose this setting to let
Configuration Manager configure Windows BranchCache on the distribution point server. For more
information, see BranchCache.
Adjust the download speed to use the unused network bandwidth (Windows LEDBAT): Enable
distribution points to use network congestion control. For more information, see Windows LEDBAT.
Minimum requirements for LEDBAT support:
Windows Server, version 1709 or later
Windows Server 2016 with the following updates:
Cumulative update KB4132216, released June 21, 2018, or a later cumulative update.
Servicing stack update KB4284833, released May 18, 2018, or a later servicing stack update.
Windows Server 2019
Enable this distribution point for prestaged content: This setting enables you to add content to the
server before you distribute software. Because the content files are already in the content library, they
don't transfer over the network when you distribute the software. For more information, see Prestaged
content.
Enable this distribution point to be used as Microsoft Connected Cache server: Use this option
to install a Microsoft Connected Cache server on your distribution point. By caching this content on-
premises, your clients benefit from the Delivery Optimization feature while you help protect your
WAN links. For more information, including descriptions of the other settings, see Microsoft Connected
Cache in Configuration Manager.
Communication
The following settings are on the Communication page of the Create Site System Server wizard and the
distribution point properties window:
Configure how client devices communicate with the distribution point: There are advantages
and disadvantages to using HTTP or HTTPS. For more information, see Security guidance for content
management.
Allow clients to connect anonymously: This setting specifies whether the distribution point allows
anonymous connections from Configuration Manager clients to the content library.
Create a self-signed certificate or import a PKI client certificate: Configuration Manager uses
this certificate for the following purposes:
It authenticates the distribution point to a management point before the distribution point sends
status messages.
When you Enable PXE support for clients on the PXE Settings page, the distribution point
sends it to computers that PXE boot. These computers then use it to connect to a management
point during the OS deployment process.
When you configure all your management points in the site for HTTP, select the option to Create
self-signed certificate. When you configure the management points for HTTPS, use the option
to Import certificate from PKI.
To import the certificate, browse to a valid Public Key Cryptography Standard (PKCS #12) file. This
PFX or CER file has the PKI certificate with the following requirements for Configuration Manager:
The intended use includes client authentication
Enable the private key to be exported

TIP
There are no specific requirements for the certificate subject or subject alternative name (SAN). If
necessary, use the same certificate for multiple distribution points.
For more information about the certificate requirements, see PKI certificate requirements.
For an example deployment of this certificate, see Deploying the client certificate for distribution
points.
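As an added example (not from the Configuration Manager documentation), this PowerShell function inspects a PFX before you import it as the distribution point certificate and reports whether it meets the two requirements listed above: the Client Authentication enhanced key usage and the presence of a private key. The file path is a placeholder; subject and SAN are deliberately not checked, because the text sets no requirement for them.

```powershell
# Added example (not from the Configuration Manager documentation): inspect a PFX before
# importing it as the distribution point certificate, checking the two requirements above:
# Client Authentication in the enhanced key usage and a private key in the file.
function Test-DpClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,        # e.g. C:\certs\dp-client.pfx (placeholder)
        [Parameter(Mandatory)] [securestring] $Password  # PFX password
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    # Load the key as exportable, which is how the distribution point will need it;
    # whether the PFX carries a key at all is what HasPrivateKey answers below.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)
    try {
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        $now = Get-Date
        $validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            HasPrivateKey     = $cert.HasPrivateKey
            HasClientAuthEku  = $hasClientAuth
            ValidNow          = $validNow
            NotAfter          = $cert.NotAfter
            MeetsRequirements = $cert.HasPrivateKey -and $hasClientAuth -and $validNow
        }
    }
    finally {
        $cert.Dispose()
    }
}

# Usage (placeholder path; the password is prompted for rather than typed on the command line):
# Test-DpClientCertificate -PfxPath 'C:\certs\dp-client.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```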
Drive settings

NOTE
These options are available only when you're installing a new distribution point.

Specify the drive settings for the distribution point. Configure up to two disk drives for the content library and
two disk drives for the package share. Configuration Manager can use other drives when the first two reach the
configured drive space reserve. The Drive Settings page configures the priority for the disk drives and the
amount of free disk space that remains on each disk drive.
Drive space reserve (MB): This value determines the amount of free space on a drive before
Configuration Manager chooses a different drive and continues the copy process to that drive. Content
files can span multiple drives.
Content locations: Specify the locations for the content library and package share on this distribution
point. By default, all content locations are set to Automatic. Configuration Manager copies content to the
primary content location until the amount of free space reaches the value specified for Drive space
reserve (MB). When you select Automatic, Configuration Manager sets the primary content locations
to the disk drive with the most disk space at installation. It sets the secondary locations to the disk drive
with the second-most free disk space. When the primary and secondary locations reach the drive space
reserve, Configuration Manager selects another available drive with the most free disk space to continue
the copy process.

TIP
To prevent Configuration Manager from installing on a specific drive, create an empty file named
NO_SMS_ON_DRIVE.SMS and copy it to the root folder of the drive before you install the distribution point.

For more information, see The content library.


Firewall Settings
The distribution point must have the following inbound rules configured in the Windows firewall:
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (WMI-In)
Without these rules, clients will receive error 0x801901F4 in DataTransferService.log when attempting to
download content.
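The following PowerShell function is an added example, not part of the Configuration Manager documentation: run locally on the distribution point in an elevated session, it confirms that the two inbound firewall rules named above exist and are enabled, and with -Repair enables any that are present but turned off. It relies only on the built-in NetSecurity cmdlets Get-NetFirewallRule and Enable-NetFirewallRule.

```powershell
# Added example (not from the Configuration Manager documentation): confirm that the two
# inbound Windows Firewall rules listed above exist and are enabled on the distribution
# point, and optionally enable them. Run locally on the server in an elevated session.
function Test-DpWmiFirewallRules {
    param([switch]$Repair)   # -Repair enables any required rule that is present but disabled

    $required = @(
        'Windows Management Instrumentation (DCOM-In)',
        'Windows Management Instrumentation (WMI-In)'
    )

    $results = foreach ($displayName in $required) {
        # The built-in WMI rules exist once per profile (Domain, Private, Public), so several
        # rule objects share one display name; all of them are checked.
        $rules = @(Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            [pscustomobject]@{ Rule = $displayName; Present = $false; Enabled = $false; Profiles = '' }
            continue
        }
        if ($Repair) {
            $rules | Where-Object { $_.Enabled -ne 'True' } | Enable-NetFirewallRule
            $rules = @(Get-NetFirewallRule -DisplayName $displayName)
        }
        [pscustomobject]@{
            Rule     = $displayName
            Present  = $true
            Enabled  = -not ($rules | Where-Object { $_.Enabled -ne 'True' })
            Profiles = ($rules | ForEach-Object { "$($_.Profile):$($_.Enabled)" }) -join ' '
        }
    }

    $results
    if ($results | Where-Object { -not $_.Enabled }) {
        Write-Warning ('Missing or disabled WMI inbound rules: clients downloading content from this ' +
                       'distribution point will log error 0x801901F4 in DataTransferService.log.')
    }
}

# Usage: Test-DpWmiFirewallRules            (report only)
#        Test-DpWmiFirewallRules -Repair    (report and enable disabled rules)
```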
Pull distribution point
When you Enable this distribution point to pull content from other distribution points, it becomes a
pull-distribution point. You change the behavior of how the distribution point gets the content that you
distribute to it. For more information, see Use a pull-distribution point.
For each pull-distribution point that you configure, specify one or more source distribution points from which it
gets the content:
Choose Add, and then select one or more of the available distribution points to be sources.
Use the arrow buttons to adjust the priority. When the pull-distribution point attempts to transfer content,
the priority is the order in which it contacts the source distribution points. It first contacts distribution
points with the lowest value.
PXE
Specify whether to enable PXE on the distribution point. Use PXE to start OS deployments on clients. For more
information on how to use PXE in Configuration Manager, see Use PXE to deploy Windows over the network.
When you enable PXE, Configuration Manager installs Windows Deployment Services (WDS) on the server, if
necessary. WDS is the service that supports PXE boot to install operating systems. After you finish the wizard to
create the distribution point, Configuration Manager installs a provider in WDS that uses the PXE boot functions.
You can enable PXE on a distribution point without WDS.
Select the option to Enable PXE support for clients, and then configure the following settings:

NOTE
Select Yes in the Review Required Ports for PXE dialog box to confirm that you want to enable PXE. Configuration
Manager automatically configures the default ports on Windows firewall. If you use a different firewall, manually configure
the ports.
If you install WDS and DHCP on the same server, configure WDS to listen on a different port. By default, DHCP listens on
the same port. For more information, see Considerations when you have WDS and DHCP on the same server.

Allow this distribution point to respond to incoming PXE requests: Specify whether to enable
WDS to respond to PXE service requests. Use this setting to enable and disable the service without
removing the PXE functionality from the distribution point.
Enable unknown computer support: Specify whether to enable support for computers that
Configuration Manager doesn't manage. For more information, see Prepare for unknown computer
deployments.
Enable a PXE responder without Windows Deployment Service: This option enables a PXE
responder on the distribution point, which doesn't require WDS. This PXE responder supports IPv6
networks. If you enable this option on a distribution point that's already PXE-enabled, Configuration
Manager suspends the WDS service. If you disable this option, but still Enable PXE support for clients,
then the distribution point enables WDS again.

NOTE
When you enable a PXE responder on a distribution point without Windows Deployment Service, it can be on the
same server as the DHCP service.

Require a password when computers use PXE: To provide more security for your PXE deployments,
specify a strong password.
User device affinity: Specify how you want the distribution point to associate users with the destination
computer for PXE deployments. Choose one of the following options:
Allow user device affinity with auto-approval: Choose this setting to automatically associate
users with the destination computer without waiting for approval.
Allow user device affinity pending administrator approval: Choose this setting to wait for
approval from an administrative user before users are associated with the destination computer.
Do not allow user device affinity: Choose this setting to specify that users aren't associated
with the destination computer. This setting is the default.
For more information about user device affinity, see Link users and devices with user device
affinity.
Network interfaces: Specify that the distribution point responds to PXE requests from all network
interfaces or from specific network interfaces. If the distribution point responds to specific network
interfaces, then provide the MAC address for each network interface.

NOTE
When changing the network interface, restart the WDS service to make sure it properly saves the configuration.
When using the PXE responder service, restart the ConfigMgr PXE Responder Service (SccmPxe).

Specify the PXE server response delay (seconds): When you use multiple PXE servers, specify how
long this PXE-enabled distribution point should wait before it responds to computer requests. By default,
the Configuration Manager PXE-enabled distribution point responds immediately.
Multicast
Specify whether to enable multicast on the distribution point. Multicast deployments conserve network
bandwidth by simultaneously sending data to multiple Configuration Manager clients. Without multicast, the
server sends a copy of the data to each client over a separate connection. For more information about using
multicast for OS deployment, see Use multicast to deploy Windows over the network.
When you enable multicast, Configuration Manager installs Windows Deployment Services (WDS) on the server,
if necessary.
Select the option to Enable multicast to simultaneously send data to multiple clients, and then
configure the following settings:
Multicast Connection Account: Specify the account to use when you configure Configuration
Manager database connections for multicast. For more information, see the Multicast connection account.
Multicast address settings: Specify the IP addresses for sending data to the destination computers. By
default, it obtains the IP address from a DHCP server that's enabled to distribute multicast addresses.
Depending on the network environment, you can specify a range of IP addresses from 239.0.0.0 through
239.255.255.255.

IMPORTANT
The IP addresses that you configure must be accessible by the destination computers that request the OS image.
Verify that routers and firewalls allow for multicast traffic between the destination computer and the distribution
point.

UDP port range for multicast: Specify the range of UDP ports that are used to send data to the
destination computers.

IMPORTANT
The UDP ports must be accessible by the destination computers that request the OS image. Verify that routers
and firewalls allow for multicast traffic between the destination computer and the site server.

Maximum clients: Specify the maximum number of destination computers that can download the OS
image from this distribution point.
Enable scheduled multicast: Specify how Configuration Manager controls when to start deploying
operating systems to destination computers. Configure the following options:
Session start delay (minutes): Specify the number of minutes that Configuration Manager
waits before it responds to the first deployment request.
Minimum session size (clients): Specify how many requests must be received before
Configuration Manager starts to deploy the operating system.

IMPORTANT
To enable and configure multicast on the Multicast tab of the distribution point properties, the distribution point must
use Windows Deployment Service.
If you Enable PXE support for clients and Enable multicast to simultaneously send data to multiple
clients, then you can't Enable a PXE responder without Windows Deployment Service.
If you Enable PXE support for clients and Enable a PXE responder without Windows Deployment
Service, then you can't Enable multicast to simultaneously send data to multiple clients.

Group relationships

NOTE
These options are available only when you're editing the properties of a previously installed distribution point.

Manage the distribution point groups in which this distribution point is a member.
To add this distribution point as a member of an existing distribution point group, choose Add. In the Add to
Distribution Point Groups window, select an existing group, and then choose OK.
To remove this distribution point from a distribution point group, select the group in the list, and then choose
Remove. Removing the distribution point from a distribution point group doesn't remove any content from the
distribution point.
Content

NOTE
These options are available only when you're editing the properties of a previously installed distribution point.

Manage the content that you distributed to the distribution point. Select from the list of deployment packages,
and then select one of the following actions:
Validate: Start the process to validate the integrity of the content files for the software. To view the
results of the content validation process, in the Monitoring workspace, expand Distribution Status,
and then choose the Content Status node. For more information, see Validate content.
Redistribute: Copies all of the content files for the selected software to the distribution point, and
overwrites the existing files. You typically use this action to repair content files. For more information, see
Redistribute content.
Remove: Removes the content files for the software from the distribution point. For more information,
see Remove content.
Content validation
Set a schedule to validate the integrity of content files on the distribution point. When you enable content
validation on a schedule, Configuration Manager starts the process at the scheduled time. It verifies all content
on the distribution point based on the local SMS_PackagesInContLib class in the SCCMDP WMI namespace. You can
also configure the content validation priority. By default, the priority is set to Lowest. Increasing the priority
might increase the processor and disk utilization on the server during the validation process, but it should
complete faster.
To view the results of the content validation process, in the Monitoring workspace, expand Distribution
Status, and then choose the Content Status node. It shows the content for each software type, for example,
application, software update package, and boot image.

WARNING
Although you specify the content validation schedule by using the local time for the computer, the Configuration
Manager console shows the schedule in UTC.

For more information, see Validate content.


Boundary groups
Manage the boundary groups to which you assign this distribution point. Add the distribution point to at least
one boundary group. During content deployment, clients must be in a boundary group associated with a
distribution point to use that distribution point as a source location for content.
Configure boundary group relationships that define when and to which boundary groups a client can fall back
to find content. For more information, see Boundary groups.
Choose Add and select an existing boundary group from the list.
To create a new boundary group for this distribution point, choose Create. For more information on how to
create and configure a boundary group, see Procedures for boundary groups.
When you're editing the properties of a previously installed distribution point, manage the option to Enable for
on-demand distribution. This option allows Configuration Manager to automatically distribute content to this
server when a client requests it. For more information, see On-demand content distribution.
Schedule

NOTE
These options are available only when you're editing the properties of a previously installed distribution point.
This tab is available only when you edit the properties for a distribution point that's remote from the site server.

Configure a schedule that restricts when Configuration Manager can transfer data to the distribution point.
Restrict data by priority or close the connection for selected time periods.
To restrict data, select the time period in the grid, and then choose one of the following settings for Availability:
Open for all priorities: Configuration Manager sends data to the distribution point with no restrictions.
This setting is the default for all time periods.
Allow medium and high priority: Configuration Manager sends only medium-priority and high-
priority data to the distribution point.
Allow high priority only: Configuration Manager sends only high-priority data to the distribution
point.
Closed: Configuration Manager doesn't send any data to the distribution point.
Configure the Distribution priority of software on the Distribution Settings tab of the software's
properties.
IMPORTANT
The schedule is based on the time zone from the sending site, not the distribution point.

Rate limits

NOTE
These options are available only when you're editing the properties of a previously installed distribution point.
This tab is available only when you edit the properties for a distribution point that's remote from the site server.

Configure rate limits to control the network bandwidth that Configuration Manager uses to transfer content to
the distribution point. Choose from the following options:
Unlimited when sending to this destination: Configuration Manager sends content to the
distribution point with no rate limit restrictions. This setting is the default.
Pulse mode: This option specifies the size of the data blocks that the site server sends to the distribution
point. You can also specify a time delay between sending each data block. Use this option when you must
send data across a very low-bandwidth network connection to the distribution point. For example, you
have constraints to send 1 KB of data every five seconds, whatever the speed of the link or its usage at a
given time.
Limited to specified maximum transfer rates by hour: Specify this setting to have a site send data
to a distribution point by using only the percentage of time that you configure. When you use this option,
Configuration Manager doesn't identify the network's available bandwidth. Instead it divides the time that
it can send data. The server sends data for a short period of time, which is followed by periods of time
when data isn't sent. For example, if you set Limit available bandwidth to 50%, Configuration
Manager transmits data for a time period followed by an equal period of time when no data is sent. The
actual amount of data, or size of the data block, isn't managed. It only manages the amount of time
during which it sends data.
Deploy and manage content for Configuration Manager
2/16/2022 • 19 minutes to read

Applies to: Configuration Manager (current branch)


After you install distribution points for Configuration Manager, you can begin to deploy content to them.
Typically, content transfers to distribution points across the network, but other options to get content to the
distribution points exist. After content transfers to a distribution point, you can update, redistribute, remove,
and validate that content on distribution points.

There are many types of content. All of the actions in this article apply to the following objects in the Software
Library workspace in the Configuration Manager console:
Applications: Expand the Application Management node, select Applications, and then select the
specific applications.
Packages: Expand the Application Management node, select Packages, and then select the specific
packages.
Software update deployment packages: Expand the Software Updates node, select Deployment
Packages, and then select the specific deployment packages.
Driver packages: Expand the Operating Systems node, select Driver Packages, and then select the
specific driver packages.
OS images: Expand the Operating Systems node, select Operating System Images, and then select
the specific OS images.
OS upgrade packages: Expand the Operating Systems node, select Operating System Upgrade
Packages, and then select the specific OS upgrade packages.
Boot Images: Expand the Operating Systems node, select Boot Images, and then select the specific
boot images.
Task Sequences: Expand the Operating Systems node, select Task Sequences, and then select the
specific task sequence. Although task sequences don't contain content, they have associated content
references.

Distribute content
Typically, you distribute content to distribution points so that it's available to clients. The exception to this
behavior is when you use on-demand content distribution for a specific deployment. When you distribute
content, Configuration Manager stores content files in a package, and then distributes the package to the
distribution point. The content for the package is pulled from the site server's content library.
When you create a package that contains source files, the site on which you create it becomes the site owner for
the content source. Configuration Manager copies the source files from the source file path that you specify for
the object to the content library on the site server that owns it. Then Configuration Manager replicates the
information to additional sites. For more information, see The content library.
Use the following procedure to distribute content to distribution points.
1. In the Configuration Manager console, go to the Software Library workspace.
2. Select one of the content types that you want to distribute.
3. On the Home tab of the ribbon, in the Deployment group, select Distribute Content.
4. On the General page of the Distribute Content Wizard, verify that the content listed is the content that
you want to distribute. Then choose whether you want Configuration Manager to detect content
dependencies that are associated with the selected content and add the dependencies to the distribution.

NOTE
For applications, you can also configure the Detect associated content dependencies and add them to
this distribution setting. Configuration Manager automatically configures this setting for task sequences.

5. On the Content tab, if displayed, verify that the content listed is the content that you want to distribute.

NOTE
The Content page displays only when you select the Detect associated content dependencies and add
them to this distribution setting on the General page of the wizard.

6. On the Content Destination page, select Add, and choose one of the following options:
Collections: Choose User Collections or Device Collections, and then select the collection
associated with one or more distribution point groups.

NOTE
It only displays the collections that are associated with a distribution point group. For more information,
see Manage distribution point groups.

Distribution Point: Choose an existing distribution point, and then select OK. It doesn't display
distribution points that have previously received the content.
Distribution Point Group: Choose an existing distribution point group, and then select OK. It
doesn't display distribution point groups that have previously received the content.
When you finish adding content destinations, select Next.
7. On the Summary page, review the settings for the distribution before you continue. To distribute the
content to the selected destinations, select Next.
8. The Progress page displays the progress of the distribution.
9. The Confirmation page displays whether the content was successfully assigned to the servers. To
further monitor the content distribution, see Monitor content you've distributed with Configuration
Manager.
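The following function is an added example (not from the Configuration Manager documentation) that performs the Distribute Content Wizard steps above from a console PowerShell session with Start-CMContentDistribution. It assumes that cmdlet's content-type parameters are named after the object type (ApplicationName, PackageName, DeploymentPackageName, DriverPackageName, OperatingSystemImageName, OperatingSystemInstallerName, BootImageName, TaskSequenceName); the object and group names in the usage line are placeholders.

```powershell
# Added example (not from the Configuration Manager documentation): the Distribute Content
# Wizard steps above, driven from a console PowerShell session. Each content type listed
# earlier in the article maps to a *Name parameter of Start-CMContentDistribution
# (assumed names: ApplicationName, PackageName, BootImageName, and so on).
function Send-ContentToDistributionPointGroup {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Application', 'Package', 'DeploymentPackage', 'DriverPackage',
                     'OperatingSystemImage', 'OperatingSystemInstaller', 'BootImage', 'TaskSequence')]
        [string]$ContentType,

        [Parameter(Mandatory)] [string[]]$Name,                     # one or more object names
        [Parameter(Mandatory)] [string]$DistributionPointGroupName  # Content Destination page: DP group
    )

    # The wizard only lists existing groups; fail early with a clear message instead of a
    # parameter-binding error from the cmdlet.
    if (-not (Get-CMDistributionPointGroup -Name $DistributionPointGroupName)) {
        throw "Distribution point group '$DistributionPointGroupName' was not found in this site."
    }

    # Build the parameter set dynamically, e.g. -ApplicationName or -BootImageName.
    $params = @{
        "${ContentType}Name"       = $Name
        DistributionPointGroupName = $DistributionPointGroupName
    }
    Start-CMContentDistribution @params
}

# Usage (placeholder names), after Import-Module ConfigurationManager and Set-Location "PS1:":
# Send-ContentToDistributionPointGroup -ContentType Application -Name 'App A', 'App B' -DistributionPointGroupName 'All DPs'
# Send-ContentToDistributionPointGroup -ContentType BootImage -Name 'Boot image (x64)' -DistributionPointGroupName 'All DPs'
```

Afterwards, monitor the distribution in the Monitoring workspace under Distribution Status, as the Confirmation page of the wizard directs.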

Use prestaged content


Prestaged content is a compressed file that contains the content files and associated metadata for a content
type. You can then manually import this content to another site server, a secondary site, or a distribution point.
When you import the prestaged content file on a site server, it adds the content files to its content library.
It then registers the content in the site server database.
When you import the prestaged content file on a distribution point, the content files are added to the
content library on the distribution point. It then sends a status message to the site server, which informs
the site that the content is available on the distribution point.
Limitations and considerations for prestaged content
When the distribution point is located on the site server, don't enable the distribution point for prestaged
content. Instead use the procedure in How to prestage content on a distribution point on a site server.
When the distribution point is configured as a pull-distribution point, don't enable the distribution point
for prestaged content. The prestage content configuration for a distribution point overrides the pull-
distribution point configuration. A pull-distribution point that you configure for prestaged content doesn't
pull content from its source distribution point and doesn't receive content from the site server.
Before you can prestage content to the distribution point, create the content library on the server.
Distribute content over the network at least once to prepare the content library. Then you can prestage
content.
When you prestage content for an object with a long package source path, the Extract Content command-
line tool might fail. A long package source path is more than 140 characters.
For more information about when to prestage content files, see Manage network bandwidth for content
management.
Step 1: Create a prestaged content file
1. In the Configuration Manager console, go to the Software Library workspace.
2. Select one of the content types that you want to prestage.
3. On the Home tab of the ribbon, select Create Prestage Content File.
4. On the General page of the Create Prestaged Content File Wizard, select Browse. Choose the location
for the prestaged content file, specify a name for the file, and then select Save. You use this prestaged
content file on primary site servers, secondary site servers, or distribution points to import the content
and metadata.
5. For applications, select Export all dependencies to have Configuration Manager detect and add the
dependencies associated with the application to the prestaged content file. By default, this setting is
selected.
6. In Administrator comments, enter optional comments about the prestaged content file.
7. On the Content page, verify that the content listed is the content that you want to add to the prestaged
content file.
8. On the Content Locations page, specify the distribution points from which to retrieve the content for
the prestaged content file. You can select more than one distribution point to retrieve the content. The
distribution points are listed in the Content locations section. The Content column displays how many of
the selected packages or applications are available on each distribution point.
Configuration Manager starts with the first distribution point in the list to retrieve the selected content. It
then moves down the list to retrieve the remaining content required for the prestaged content file. To
change the priority order of the distribution points, select Move Up or Move Down.
When the distribution points in the list don't contain all of the selected content, add distribution points to
the list that contain the content. Otherwise, exit the wizard, distribute the content to at least one
distribution point, and then restart the wizard.
9. On the Summary page, confirm the details. You can go back to previous pages and make changes. Select
Next to create the prestaged content file.
10. The Progress page displays the content that it's adding to the prestaged content file.
11. On the Completion page, verify that it successfully created the prestaged content file, and then select
Close.
Step 2: Assign the content to distribution points
After you prestage the content file, assign the content to distribution points.

NOTE
When you use a prestaged content file to recover the content library on a site server, and don't have to prestage the
content files on a distribution point, you can skip this procedure.

Use the following procedure to assign the content in the prestaged content file to distribution points.

IMPORTANT
Verify that the distribution points that you want to prestage are configured as prestaged distribution points, or that the
content is distributed to the distribution points over the network.

1. In the Configuration Manager console, go to the Software Library workspace.


2. Select the same content type that you selected when you created the prestaged content file.
3. On the Home tab, in the Deployment group, select Distribute Content.
4. On the General page of the Distribute Content Wizard, verify that the content listed is the content that
you prestaged. Choose whether you want Configuration Manager to detect content dependencies that
are associated with the selected content and add the dependencies to the distribution.

NOTE
For applications, you can also configure the Detect associated content dependencies and add them to
this distribution setting. Configuration Manager automatically configures this setting for task sequences.

5. On the Content page, if displayed, verify that the content listed is the content that you want to distribute.

NOTE
The Content page displays only when the Detect associated content dependencies and add them to
this distribution setting is selected on the General page of the wizard.

6. On the Content Destination page, select Add, and choose one of the following options that includes
the distribution points to be prestaged:
Collections: Choose User Collections or Device Collections, then select the collection
associated with one or more distribution point groups.

NOTE
It only displays the collections that are associated with a distribution point group. For more information,
see Manage distribution point groups.
Distribution Point: Select an existing distribution point, and then select OK. It doesn't display
distribution points that already have the content.
Distribution Point Group: Select an existing distribution point group, and then select OK. It
doesn't display distribution point groups that already have the content.
When you finish adding content destinations, select Next.
7. On the Summar y page, review the settings for the distribution before you continue. To distribute the
content to the selected destinations, select Next .
8. The Progress page displays the progress of the distribution.
9. The Confirmation page displays whether the content was successfully assigned to the distribution
points. To monitor the content distribution, see Monitor content you've distributed.
Step 3: Extract the content from the prestaged content file
After you create the prestaged content file and assign the content to distribution points, extract the content files
to the content library on the target server.
First, manually copy the prestaged content file to the target server. Use a portable drive like a USB drive, or
media like a DVD. Have it available at the location of the server that requires the content.
Next, you use the Extract Content command-line tool to export the content files from the prestaged content file.
When you run the tool, it creates a temporary file as it creates the content files. Then it copies the file to
the destination folder, and deletes the temporary file. The server needs sufficient disk space for this
temporary file.
The tool creates the temporary file in the specified destination folder for the content files.
The user that runs the tool must have Administrator rights on the server where you extract the content.
To extract the content files from the prestaged content file
1. Copy the prestaged content file to the server where you want to extract the content.
2. Copy ExtractContent.exe from the \bin\x64 subfolder of the Configuration Manager site installation.
Copy it to the same folder on the target server as the prestaged content file.
3. On the target server, open the command prompt. Navigate to the folder location of the prestaged content
file and Extract Content tool.

NOTE
You can extract one or more prestaged content files on a site server, secondary site server, or distribution point.

4. Use the following commands to import the content:


Single file: extractcontent.exe /P:<PrestagedFileLocation>\<PrestagedFileName> /S

All prestaged files in the specified folder: extractcontent.exe /P:<PrestagedFileLocation> /S

For example, if D:\PrestagedFiles\ is the prestaged file location, and MyPrestagedFile.pkgx is the
prestaged file name:
extractcontent /P:D:\PrestagedFiles\MyPrestagedFile.pkgx /S

The /S parameter extracts only content files that are newer than what's currently in the content library.
When you extract the prestaged content file on a site server, the content files are added to its content
library. The site then registers the content in the site server database. When you extract the prestaged
content file on a distribution point, it adds the content files to the content library on the distribution point.
The distribution point sends a status message to the parent primary site server, which then registers the
content in the site database.

IMPORTANT
When you update content on the site to a new version, make sure to also update content for prestaged content files. For
example:
1. You create a prestaged content file for version 1 of a package.
2. You update the source files for the package with version 2.
3. You extract the version 1 prestaged content file on a distribution point.
In this example, Configuration Manager doesn't automatically distribute package version 2 to the distribution point.
Create a new prestaged content file that contains the new file version. Then extract the content, update the distribution
point to distribute the files that have changed, or redistribute all files in the package.
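As an added example (not part of the Configuration Manager documentation), the following PowerShell wrapper runs extractcontent.exe with the same /P and /S arguments shown above, after checking the three things the procedure depends on: Administrator rights, the tool and the .pkgx file being in the folder you point it at, and free disk space for the temporary file the tool writes. The function and parameter names and the free-space rule (free space on the drive holding the prestaged folder must be at least the size of the largest .pkgx; adjust the drive if your content library lives elsewhere) are this example's own assumptions. The page does not document the tool's exit codes, so the wrapper only reports the code it sees.

```powershell
# Added example: pre-checked wrapper for extractcontent.exe. Names and the
# free-space rule are this example's assumptions, not documented behaviour.
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-PrestagedContentExtraction {
    [CmdletBinding()]
    param(
        # Folder holding extractcontent.exe and the .pkgx file(s), e.g. D:\PrestagedFiles
        [Parameter(Mandatory)] [string] $PrestagedFolder,
        # One .pkgx file name; omit it to extract every .pkgx in the folder
        [string] $PrestagedFileName
    )

    # The tool needs Administrator rights on the server where the content is extracted
    if (-not (Test-IsAdministrator)) {
        throw 'extractcontent.exe must run with Administrator rights on the target server.'
    }

    $tool = Join-Path $PrestagedFolder 'extractcontent.exe'
    if (-not (Test-Path -LiteralPath $tool)) {
        throw "extractcontent.exe is not in $PrestagedFolder; copy it from the site's \bin\x64 folder."
    }

    # Build the /P: argument in one of the two documented forms: a single file, or a folder
    if ($PrestagedFileName) {
        $pArg  = Join-Path $PrestagedFolder $PrestagedFileName
        if (-not (Test-Path -LiteralPath $pArg)) { throw "Prestaged file not found: $pArg" }
        $files = @(Get-Item -LiteralPath $pArg)
    } else {
        $pArg  = $PrestagedFolder
        $files = @(Get-ChildItem -LiteralPath $PrestagedFolder -Filter '*.pkgx' -File)
        if ($files.Count -eq 0) { throw "No .pkgx files found in $PrestagedFolder" }
    }

    # The tool writes a temporary file before moving content into the library, so the
    # drive needs headroom. Assumed rule: free space >= size of the largest .pkgx.
    $largest   = ($files | Measure-Object -Property Length -Maximum).Maximum
    $driveName = (Get-Item -LiteralPath $PrestagedFolder).PSDrive.Name
    $free      = (Get-PSDrive -Name $driveName).Free
    if ($free -lt $largest) {
        throw ('Insufficient free space on {0}: {1:N0} bytes free, largest .pkgx is {2:N0} bytes.' -f $driveName, $free, $largest)
    }

    # /S extracts only content newer than what is already in the content library
    & $tool "/P:$pArg" /S
    $exit = $LASTEXITCODE

    [pscustomobject]@{
        Target   = $pArg
        Files    = $files.Count
        ExitCode = $exit
    }
}

# Usage on the target server, with the folder layout the procedure describes:
# Invoke-PrestagedContentExtraction -PrestagedFolder 'D:\PrestagedFiles' -PrestagedFileName 'MyPrestagedFile.pkgx'
# Invoke-PrestagedContentExtraction -PrestagedFolder 'D:\PrestagedFiles'    # every .pkgx in the folder
```

Run it from the same folder layout the procedure describes; the returned object carries the /P target, the number of .pkgx files it covered and the tool's exit code, which you can log alongside the status messages the site records once the content is registered.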

How to prestage content on a distribution point on a site server


When a distribution point is installed on a site server, use the following procedure to successfully prestage
content. This process is different because the content files are already in the content library.
When the distribution point isn't enabled for prestaged content or when the distribution point isn't located on a
site server, see the Use Prestaged content section.
1. Verify that the distribution point isn't enabled for prestaged content.
a. In the Configuration Manager console, go to the Administration workspace.
b. In the Administration workspace, select the Distribution Points node. Then select the
distribution point that's on the site server.
c. On the Home tab of the ribbon, in the Properties group, select Properties.
d. On the General tab, verify that the option to Enable this distribution point for prestaged
content isn't selected.
2. Create a prestaged content file.
3. Assign the content to the distribution point.
4. On the site server, extract the content from the prestaged content file.

NOTE
When the distribution point is on a secondary site, wait for at least 10 minutes. Then in the Configuration
Manager console, assign the content to the distribution point on the secondary site.

Manage distributed content


You have the following options for managing content:
Update content
Update content on schedule
Redistribute content
Remove content
Validate content
Update content
When you update the source file location for a deployment by adding new files or replacing existing files with a
newer version, update the content files on distribution points. Use the Update Distribution Points or Update
Content actions.
The site copies the content files from the original package source location to the content library on the site
that owns the package content source.
It increments the package version.
Each instance of the content library on site servers and on distribution points updates with only the changed
files.

WARNING
The package version for applications is always 1. When you update the content for an application deployment type,
Configuration Manager creates a new content ID for the deployment type, and the package references the new content
ID.

Process to update content on distribution points


1. In the Configuration Manager console, go to the Software Library workspace.
2. Select the content type that you want to update.
3. For most object types: On the Home tab of the ribbon, in the Deployment group, select Update
Distribution Points. Then select OK to confirm that you want to update the content.
To update content for applications: Select the Deployment Types tab in the details pane. Choose the
deployment type. On the Deployment Type tab of the ribbon, select Update Content. Then select OK
to confirm that you want to refresh the content.
When you update content for boot images: The Update Distribution Points action opens the Manage
Distribution Point Wizard. For more information, see Update distribution points with the boot image.
Update content on schedule
You can create a schedule for when the site updates the content for the object. Use this option for an object
whose content changes frequently.
1. In the Configuration Manager console, go to the Software Library workspace.
2. Select the content type that you want to update.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Data source tab. Select the option to Update distribution points on a schedule.
5. Select Schedule and specify a custom schedule. You can also set a recurrence pattern.
If the source content hasn't changed, then this action doesn't do anything. To redistribute all content, use the
distribute or redistribute actions.
Redistribute content
You can redistribute a package to copy all of the content files in the package to distribution points or distribution
point groups. This action overwrites the existing files.
Use this operation to repair content files in the package or resend the content when the initial distribution fails.
You can redistribute a package from:
Package properties
Distribution point properties
Distribution point group properties
Process to redistribute content from package properties
1. In the Configuration Manager console, go to the Software Library workspace.
2. Select the content types that you want to redistribute.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content Locations tab. Select the distribution point or distribution point group to which
you want to redistribute the content, and select Redistribute.
Process to redistribute content from distribution point properties
1. In the Configuration Manager console, go to the Administration workspace.
2. In the Administration workspace, select the Distribution Points node. Then select the distribution
point to which you want to redistribute content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Select the content to redistribute, and select Redistribute.
Process to redistribute content from distribution point group properties
1. In the Configuration Manager console, go to the Administration workspace.
2. In the Administration workspace, select the Distribution Point Groups node. Then select the
distribution point group to which you want to redistribute content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Select the content to redistribute, and select Redistribute.

IMPORTANT
The site redistributes the content in the package to all of the distribution points in the group.

Use the SDK to force replication of content


You can use the RetryContentReplication WMI method from the Configuration Manager SDK to force
distribution manager to copy content from the source location to the content library.
Only use this method to force replication when you need to redistribute content after there were issues with
normal replication of content. You can typically confirm this state in the Monitoring node of the console.
For more information about this SDK option, see RetryContentReplication method in class
SMS_CM_UpdatePackages.
Remove content
When you no longer require content on your distribution points, you can remove it.
When the content is associated with another package that was distributed to the same distribution point, you
can't remove the content.
Process to remove content from distribution points using object properties
1. In the Configuration Manager console, select the Software Library workspace.
2. Select the content type whose content you want to remove.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content Locations tab. Select the distribution point or distribution point group from
which you want to remove the content, select Remove, and then select OK.
Process to remove content using distribution point properties
1. In the Configuration Manager console, select the Administration workspace.
2. In the Administration workspace, select the Distribution Points node, and then select the distribution
point from which you want to delete the content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Choose the content to remove, select Remove, and then select OK.
Process to remove content using distribution point group properties
1. In the Configuration Manager console, select the Administration workspace.
2. In the Administration workspace, select the Distribution Point Groups node. Then select the
distribution point group from which you want to remove content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Choose the content to remove, select Remove, and then select OK.
Validate content
The content validation process verifies the integrity of content files on distribution points. You enable content
validation on a schedule, or you can manually start content validation from the properties of distribution points
and packages.
When the content validation process starts, Configuration Manager verifies the content files on distribution
points. If the file hash is unexpected for the files on the distribution point, Configuration Manager creates a
status message that you can review in the Monitoring workspace.
For more information about configuring the content validation schedule, see Distribution point configurations.
Process to validate all content on a distribution point
1. In the Configuration Manager console, select the Administration workspace.
2. Select the Distribution Points node, and then select the distribution point from which you want to
validate content.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content tab. Select the package that you want to validate. Select Validate, and then select
OK. The content validation process starts for the package on the distribution point.
5. To view the results of the content validation process, go to the Monitoring workspace. Expand
Distribution Status, and select the Content Status node. This node displays the content for each type.
For more information about monitoring content status, see Monitor content you've distributed.
Process to validate content for a specific object
1. In the Configuration Manager console, select the Software Library workspace.
2. Select the content type that you want to validate.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Content Locations tab. Select the distribution point or distribution point group on which
to validate the content. Select Validate, and then select OK. The content validation process starts for the
content on the selected distribution point or distribution point group.
5. To view the results of the content validation process, go to the Monitoring workspace. Expand
Distribution Status, and select the Content Status node. It displays the content for each type. For
more information about monitoring the content status, see Monitor content you've distributed.
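The validation section above describes the mechanism in one sentence: a file whose hash no longer matches the expected value raises a status message. As an added example, and not Configuration Manager's own content validation (which compares against the hashes the site recorded when it distributed the content), the following PowerShell snapshots SHA-256 hashes of everything under a folder and later reports files that changed, disappeared or appeared. The function names, the manifest layout and the sample files it builds in a temporary folder are this example's constructions; the same two functions work unchanged against a real folder you are allowed to read.

```powershell
# Added example: out-of-band file integrity check by hash manifest. Not the
# built-in content validation; names and the sample content are constructed.
function New-ContentManifest {
    param([Parameter(Mandatory)] [string] $Path)
    $root = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')
    $manifest = @{}
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        # Key by path relative to the root so the manifest is portable between servers
        $relative = $file.FullName.Substring($root.Length).TrimStart('\')
        $manifest[$relative] = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Compare-ContentManifest {
    param(
        [Parameter(Mandatory)] [hashtable] $Manifest,   # baseline from New-ContentManifest
        [Parameter(Mandatory)] [string]    $Path        # folder to verify now
    )
    $current  = New-ContentManifest -Path $Path
    $findings = [System.Collections.Generic.List[object]]::new()

    # Files the baseline knows about: gone, or present with a different hash
    foreach ($relative in $Manifest.Keys) {
        if (-not $current.ContainsKey($relative)) {
            $findings.Add([pscustomobject]@{ File = $relative; State = 'Missing' })
        } elseif ($current[$relative] -ne $Manifest[$relative]) {
            $findings.Add([pscustomobject]@{ File = $relative; State = 'HashMismatch' })
        }
    }
    # Files that were not in the baseline at all
    foreach ($relative in $current.Keys) {
        if (-not $Manifest.ContainsKey($relative)) {
            $findings.Add([pscustomobject]@{ File = $relative; State = 'Unexpected' })
        }
    }
    return $findings
}

# Demo on constructed sample content in a temporary folder (not real package content)
$sample = Join-Path ([IO.Path]::GetTempPath()) ('cm-validate-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $sample 'PKG00001') | Out-Null
Set-Content -LiteralPath (Join-Path $sample 'PKG00001\setup.exe')  -Value 'original payload'
Set-Content -LiteralPath (Join-Path $sample 'PKG00001\config.xml') -Value '<config/>'

$baseline = New-ContentManifest -Path $sample        # snapshot taken right after distribution

Set-Content -LiteralPath (Join-Path $sample 'PKG00001\setup.exe') -Value 'modified payload'  # changed file
Remove-Item -LiteralPath (Join-Path $sample 'PKG00001\config.xml')                          # lost file
Set-Content -LiteralPath (Join-Path $sample 'PKG00001\extra.dll') -Value 'stray file'         # new file

Compare-ContentManifest -Manifest $baseline -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample -Recurse -Force
```

The demo deliberately produces one finding of each kind: the rewritten setup.exe is reported as a hash mismatch, the deleted config.xml as missing and the stray extra.dll as unexpected. Keep the baseline manifest somewhere the distribution point cannot write to; a check that reads its expected hashes from the same disk it is verifying tells you nothing about tampering on that disk.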
Monitor content you distribute with Configuration
Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Use the Configuration Manager console to monitor distributed content, including:
The status for all package types for the associated distribution points.
The content validation status for the content in a package.
The status of content assigned to a specific distribution point group.
The state of content assigned to a distribution point.
The status of optional features for each distribution point (content validation, PXE, and multicast).
Configuration Manager only monitors the content on a distribution point that's in the content library. It doesn't
monitor content stored on the distribution point in package or custom shares.

TIP
The Power BI sample reports for Configuration Manager include a report called Content Status. This report can also
help with monitoring content.

Content status monitoring


The Content Status node in the Monitoring workspace provides information about content packages. In the
Configuration Manager console, review information like:
Package name, type, and ID
How many distribution points a package has been sent to
Compliance rate
When the package was created
Source version
You also find detailed status information for any package, including:
Distribution status
The number of failures
Pending distributions
The number of installations
You can also manage distributions that remain in progress to a distribution point, or that failed to successfully
distribute content to a distribution point:
The option to either cancel or redistribute content is available when you view the deployment status
message of a distribution job to a distribution point in the Asset Details pane. This pane can be found in
either the In Progress tab or the Error tab of the Content Status node.
Additionally, the job details display the percentage of the job that has completed when you view the
details of a job on the In Progress tab. The job details also display the number of retries that remain for
a job. When you view the details of a job on the Error tab, it shows how long before the next retry occurs.
When you cancel a deployment that's not yet complete, the distribution job to transfer that content stops:
The status of the deployment then updates to indicate that the distribution failed, and that it was canceled by
a user action.
This new status appears in the Error tab.

NOTE
When a deployment is near completion, it's possible the action to cancel that distribution won't process before the
distribution to the distribution point completes. When this occurs, the action to cancel the deployment is ignored, and the
status for the deployment displays as successful.
Although you can select the option to cancel a distribution to a distribution point that is located on a site server, this has
no effect. This behavior is because the site server and the distribution point on a site server share the same single
instance content store. There's no actual distribution job to cancel.

When you redistribute content that previously failed to transfer to a distribution point, Configuration Manager
immediately begins redeploying that content to the distribution point. Configuration Manager updates the
status of the deployment to reflect the ongoing state of that redeployment.
Tasks to monitor content
1. In the Configuration Manager console, go to the Monitoring workspace, expand Distribution Status,
and then select the Content Status node. This node displays the packages.
2. Select the package you want to manage.
3. On the Home tab of the ribbon, in the Content group, select View Status. The console displays detailed
status information for the package.
Continue to one of the following sections for additional actions:
Cancel a distribution that remains in progress
1. Switch to the In Progress tab.
2. In the Asset Details pane, right-click the entry for the distribution that you want to cancel, and select
Cancel.
3. Select Yes to confirm the action and cancel the distribution job to that distribution point.
Redistribute content that failed to distribute
1. Switch to the Error tab.
2. In the Asset Details pane, right-click the entry for the distribution that you want to redistribute, and
select Redistribute.
3. Select Yes to confirm the action and start the redistribution process to that distribution point.

Distribution point group status


The Distribution Point Group Status node in the Monitoring workspace provides information about
distribution point groups. You can review information like:
The distribution point group name, description, and status
How many distribution points are members of the distribution point group
How many packages have been assigned to the group
The compliance rate
You also view the following detailed status information:
Errors for the distribution point group
How many distributions are in progress
How many have been successfully distributed
Monitor distribution point group status
1. In the Configuration Manager console, go to the Monitoring workspace, expand Distribution Status,
and then select the Distribution Point Group Status node. It displays the distribution point groups.
2. Select the distribution point group for which you want detailed status information.
3. On the Home tab of the ribbon, select View Status. It displays detailed status information for the
distribution point group.

Distribution point configuration status


The Distribution Point Configuration Status node in the Monitoring workspace provides information
about the distribution point. You can review which attributes are enabled for the distribution point, such as
PXE, multicast, and content validation. Also review the distribution status for the distribution point.

WARNING
Distribution point configuration status is relative to the last 24 hours. If the distribution point has an error and recovers,
the error status might be displayed for up to 24 hours after the distribution point recovers.

Monitor distribution point configuration status


1. In the Configuration Manager console, go to the Monitoring workspace, expand Distribution Status,
and then select the Distribution Point Configuration Status node.
2. Select a distribution point.
3. In the results pane, switch to the Details tab. It displays status information for the distribution point.

Client data sources dashboard


Use the Client data sources dashboard to better understand from where clients get content in your
environment. The dashboard starts displaying data after clients download content and report that information
back to the site. This process can take up to 24 hours.
Starting in version 2010, the client data sources dashboard now offers an expanded selection of filters to view
information about where clients get content. The following screenshot shows the dashboard in the version 2010
console:
NOTE
Configuration Manager doesn't enable this optional feature by default. Before you can use it, enable the Client Peer
Cache feature. For more information, see Enable optional features from updates.

1. In the Configuration Manager console, go to the Monitoring workspace, expand Distribution Status,
and select the Client Data Sources node.
2. Report Period: Select a time period to apply to the dashboard.
3. Then select the single boundary group for which you want to view information.
Starting in version 2010, you can also select additional filters for the dashboard:
All boundary groups
Internet clients
Clients not associated with a boundary group

NOTE
If there's no data available for the selected client group, the chart displays: "This data is not yet available."

You can hover your mouse over tiles to see more details about the different content or policy sources.
Also use the report, Client Data Sources - Summarization , to view a summary of the client data sources for
each boundary group.
Dashboard tiles
The dashboard includes the following tiles:
Data source usage
Starting in version 2010, this tile summarizes the types of sources in your environment and how many clients
use them.
This summary tile replaces the following four tiles in prior versions:
Distribution points
Clients that used a distribution point
Peer cache sources
Clients that used a peer
Client content sources
Displays the sources from which clients got content:
Distribution point
Cloud distribution point, which includes content-enabled cloud management gateways
BranchCache
Peer Cache
Delivery Optimization Note 1
Microsoft Update: Devices report this source when the Configuration Manager client downloads software
updates from Microsoft cloud services. These services include Microsoft Update and Microsoft 365 Apps for
enterprise.

NOTE
To include Delivery Optimization on this dashboard, do the following actions:
Configure the client setting, Enable installation of Express Updates on clients in the Software Updates
group
Deploy Windows express updates
For more information, see Manage Express installation files for Windows updates.
Content downloads using fallback source
Starting in version 2010, this information helps you understand how often clients download content from an
alternate source.
Top distributed content
The most distributed packages by source type
Distribution points
In version 2006 and earlier, this tile displays the number of distribution points that are part of the selected
boundary group. In version 2010, this tile is replaced by the Data source usage tile.
Clients that used a distribution point
In version 2006 and earlier, of the number of clients that are in the selected boundary group, this tile shows how
many used a distribution point to get content. In version 2010, this tile is replaced by the Data source usage tile.
Peer cache sources
In version 2006 and earlier, for the selected boundary group, this tile shows how many peer cache sources have
reported download history. In version 2010, this tile is replaced by the Data source usage tile.
Clients that used a peer
In version 2006 and earlier, of the number of clients that are in the selected boundary group, this tile shows how
many used a peer cache source to get content. In version 2010, this tile is replaced by the Data source usage tile.
Microsoft Connected Cache in Configuration
Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


You can install a Microsoft Connected Cache server on your distribution points. By caching this content on-
premises, your clients can benefit from the Delivery Optimization feature that can help to protect WAN links.
This cache server acts as an on-demand transparent cache for content downloaded by Delivery Optimization.
Use client settings to make sure this server is offered only to the members of the local Configuration Manager
boundary group.
This cache is separate from Configuration Manager's distribution point content. If you choose the same drive as
the distribution point role, it stores content separately.

NOTE
The Connected Cache server is an application installed on Windows Server. Starting in Configuration Manager version
2111, the Connected Cache is generally available for production use.
The version of Connected Cache that's available with Configuration Manager version 2107 and earlier is still considered in
development.

Supported scenarios
Connected Cache supports the following three primary scenarios:
Traditional Configuration Manager clients that communicate with on-premises distribution points.
Co-managed clients that get Win32 apps from Microsoft Intune. For more information, see Support for
Intune Win32 apps.
Cloud-only devices, such as Intune-enrolled devices without the Configuration Manager client. For more
information, see Support for cloud-managed devices.

Supported content types


When clients download cloud-managed content, they use Delivery Optimization from the cache server installed
on your distribution point. Cloud-managed content includes the following types:
Microsoft Store apps
If you enable Windows Update for Business policies: Windows feature and quality updates
For co-management workloads:
Windows Update for Business: Windows feature and quality updates
Office Click-to-Run apps: Microsoft 365 Apps and updates
Client apps: Microsoft Store apps and updates
Endpoint Protection: Windows Defender definition updates
NOTE
Connected Cache doesn't support content that Configuration Manager manages, like software updates with an
integrated software update point.

How it works
When you configure clients to use the Connected Cache server, they no longer request Microsoft cloud-
managed content from the internet. Clients request this content from the cache server installed on the
distribution point. The on-premises server caches this content using the IIS feature for Application Request
Routing (ARR). Then the cache server can quickly respond to any future requests for the same content. If the
Connected Cache server is unavailable, clients download the content from the internet. Clients also use Delivery
Optimization to download portions of the content from peers in their network.

1. Client checks for updates and gets the address for the content delivery network (CDN).
2. Configuration Manager configures Delivery Optimization (DO) settings on the client, including the cache
server name.
3. Client A requests content from the Connected Cache server.
4. If the cache doesn't include the content, then the Connected Cache server gets it from the CDN.
5. If the cache server fails to respond, the client downloads the content from the CDN.
6. Clients will also use DO to get pieces of the content from peers, such as client B and client C.
Prerequisites and limitations
NOTE
Additional prerequisites apply to the scenario for co-managed clients and Intune Win32 apps. For more information, see
Support for Intune Win32 apps.

Supported clients
Connected Cache and Delivery Optimization only support clients running a supported version of Windows 10
or later.
Licensing
You need one of the following license subscriptions for each device that gets content from a Connected Cache-
enabled distribution point:
Windows Enterprise E3 or E5, included in Microsoft 365 F3, E3, or E5
Windows Education A3 or A5, included in Microsoft 365 A3 or A5
Windows Virtual Desktop Access (VDA) E3 or E5
Distribution point
Connected Cache in Configuration Manager requires an on-premises distribution point, with the following
configurations:
Running Windows Server 2012 or later
Microsoft .NET Framework version 4.7.2 or later. For more information, see .NET Framework system
requirements.
The default web site enabled on port 80
Don't preinstall the IIS Application Request Routing (ARR) feature. Connected Cache installs ARR and
configures its settings. Microsoft can't guarantee that the Connected Cache's ARR configuration won't
conflict with other applications on the server that also use this feature.
The Connected Cache application can use an unauthenticated proxy server for internet access. For more
information, see Configure the proxy for a site system server.
Don't use a distribution point that has other site roles, for example, a management point. Enable
Connected Cache on a site system server that only has the distribution point role.
Network access requirements
The distribution point requires internet access to the Microsoft cloud. The specific URLs can vary
depending upon the specific cloud-enabled content. Make sure to also allow the endpoints for delivery
optimization. For more information, see Internet access requirements.
For co-managed clients and Intune Win32 apps, allow the distribution point to access the endpoints for
that scenario. For more information, see Network requirements for PowerShell scripts and Win32 apps.
Clients technically only need access to the distribution point that hosts Connected Cache. It's still best to
also give clients access to the internet endpoints for the content, in case they need to fall back to the
original source.
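The distribution point requirements above are all things you can verify before you tick the box in the console. As an added example (not a tool from the Configuration Manager product or its documentation), the following read-only PowerShell preflight checks the ones that can be read from the server itself: the operating system, the .NET Framework level, the Default Web Site binding on port 80 and the absence of a preinstalled ARR module. The function name is this example's own; the .NET Release value for 4.7.2 (461808), the Windows Server 2012 build number (9200) and the IIS global module name ARR registers ('ApplicationRequestRouting') are values I know from those products, not from this page. Whether the server hosts other site roles is not checked here; confirm that in the console before enabling Connected Cache.

```powershell
# Added example: read-only preflight for the Connected Cache distribution point
# prerequisites. Threshold values are from the respective products, not this page.
function Test-ConnectedCachePrerequisites {
    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check {
        param([string] $Name, $Passed, [string] $Detail)
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail })
    }

    # Operating system: a server SKU (Win32_OperatingSystem.ProductType 1 = workstation)
    # at build 9200 (Windows Server 2012) or later
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Add-Check 'Windows Server 2012 or later' `
        (($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 9200)) `
        "$($os.Caption) build $($os.BuildNumber)"

    # .NET Framework 4.7.2 or later: Release DWORD under NDP\v4\Full is >= 461808
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    Add-Check '.NET Framework 4.7.2 or later' ($ndp -and $ndp.Release -ge 461808) "Release=$($ndp.Release)"

    # IIS: Default Web Site present, started and bound to port 80; ARR must NOT be preinstalled
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $site    = Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue
        $bound80 = $false
        if ($site) {
            $bound80 = [bool](Get-WebBinding -Name 'Default Web Site' -Protocol http |
                              Where-Object { $_.bindingInformation -like '*:80:*' })
        }
        $state = if ($site) { $site.State } else { 'absent' }
        Add-Check 'Default Web Site enabled on port 80' ($site -and $site.State -eq 'Started' -and $bound80) "State=$state; port80=$bound80"

        # Connected Cache installs and configures ARR itself; a preexisting copy may conflict
        $arr = Get-WebGlobalModule | Where-Object { $_.Name -eq 'ApplicationRequestRouting' }
        $arrDetail = if ($arr) { 'ARR module already registered in IIS' } else { 'not present' }
        Add-Check 'IIS ARR not preinstalled' (-not $arr) $arrDetail
    } else {
        Add-Check 'IIS WebAdministration module available' $false 'IIS is not installed or the module is missing'
    }

    return $checks
}

# Usage (run elevated on the distribution point):
# Test-ConnectedCachePrerequisites | Format-Table -AutoSize
```

Every row that comes back with Passed = False maps to one bullet in the list above; the proxy and the network access requirements are deliberately left out because they depend on your environment's egress rules rather than on the server's local state.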

Enable Connected Cache


1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Points node.
2. Select an on-premises distribution point, and then in the ribbon select Properties.
3. In the properties of the distribution point role, on the General tab, configure the following settings:
a. Enable the option to Enable this distribution point to be used as Microsoft Connected Cache server.
Review the list of required license subscriptions, and then confirm your licenses.
b. Local drive to be used: Select the disk to use for the cache. Automatic is the default value, which uses the disk with the most free space. (See Note 1: About drive selection.)

NOTE
You can change this drive later. Any cached content is lost, unless you copy it to the new drive.

c. Disk space: Select the amount of disk space to reserve in GB or a percentage of the total disk space. By default, this value is 100 GB.

NOTE
The default cache size should be sufficient for most customers. You can adjust the cache size later. If the cache size on disk exceeds the allocated space, ARR clears space by removing content based on its built-in heuristics.

d. Retain cache when disabling the Connected Cache server: If you remove the cache server, and you enable this option, the server keeps the cache's content on the disk.
4. In client settings, in the Delivery Optimization group, configure the setting to Enable devices managed by Configuration Manager to use Microsoft Connected Cache servers for content download.
Note 1: About drive selection
If you select Automatic , when Configuration Manager installs the Connected Cache component, it honors the
NO_SMS_ON_DRIVE.SMS file. For example, the distribution point has the file C:\NO_SMS_ON_DRIVE.SMS . Even if
the C: drive has the most free space, Configuration Manager configures Connected Cache to use another drive
for its cache.
If you select a specific drive that already has the NO_SMS_ON_DRIVE.SMS file, Configuration Manager
ignores the file. Configuring Connected Cache to use that drive is an explicit intent. For example, the distribution
point has the file F:\NO_SMS_ON_DRIVE.SMS . When you explicitly configure the distribution point properties to use
the F: drive, Configuration Manager configures Connected Cache to use the F: drive for its cache.
To change the drive after you install Connected Cache:
Manually configure the distribution point properties to use a specific drive letter.
If set to automatic, first create the NO_SMS_ON_DRIVE.SMS file. Then make some change to the
distribution point properties to trigger a configuration change.
Automation
Automation via Windows PowerShell
Starting in version 2010, use the following parameters of the Set-CMDistributionPoint cmdlet to configure
the Connected Cache:
EnableDoinc
DiskSpaceUnit
DiskSpaceDoinc
LocalDriveDoinc
RetainDoincCache
AgreeDoincLicense
For more information, see the 2010 release notes.
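The script below is an added example, not code from the page or from Microsoft. It enables Connected Cache on one distribution point with the Set-CMDistributionPoint parameters listed above and then reads the role back to confirm the enable bit in Flags is set. The site code PS1, site server cm01.contoso.com and distribution point dp01.contoso.com are placeholders. The parameter types are assumed, since the page lists only the names: -EnableDoinc, -RetainDoincCache and -AgreeDoincLicense take booleans, -DiskSpaceUnit takes GB or Percentage, -DiskSpaceDoinc an integer, and -LocalDriveDoinc the string Automatic or a drive letter.

```powershell
# Added example: enable Connected Cache on one DP with Set-CMDistributionPoint (version 2010 or later).
# Placeholders: PS1, cm01.contoso.com, dp01.contoso.com. Parameter types are assumed (see lead-in).
param(
    [string]$SiteCode    = 'PS1',              # placeholder
    [string]$SiteServer  = 'cm01.contoso.com', # placeholder
    [string]$DpFqdn      = 'dp01.contoso.com', # placeholder
    [string]$CacheDrive  = 'Automatic',        # or a specific drive letter such as 'D:'
    [int]   $CacheSizeGB = 100                 # the console default
)

# Load the console's PowerShell module and connect to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Push-Location "$($SiteCode):\"
try {
    # -AgreeDoincLicense is the scripted equivalent of confirming the license list in the wizard.
    Set-CMDistributionPoint -SiteSystemServerName $DpFqdn -SiteCode $SiteCode `
        -EnableDoinc $true -AgreeDoincLicense $true `
        -DiskSpaceUnit GB -DiskSpaceDoinc $CacheSizeGB `
        -LocalDriveDoinc $CacheDrive -RetainDoincCache $true

    # Read the role back. The 0x4 bit of the Flags embedded property is the Connected Cache
    # enable bit (the same bit the SDK section of this article describes).
    $dp = Get-CMDistributionPoint -SiteSystemServerName $DpFqdn -SiteCode $SiteCode
    $flags = [int](($dp.Props | Where-Object { $_.PropertyName -eq 'Flags' }).Value)
    $dp.Props | Where-Object { $_.PropertyName -match 'DOINC|^Flags$' } |
        Select-Object PropertyName, Value, Value1 | Format-Table -AutoSize

    if (($flags -band 4) -eq 0) {
        Write-Warning "Flags=$flags on $DpFqdn`: the Connected Cache bit (0x4) is not set"
    }
}
finally {
    Pop-Location
}
```

After the role property is written, the site server installs the Connected Cache component on the distribution point; progress is in DistMgr.log on the site server and in the DoincSetup.log described in the troubleshooting article.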
Automation via the Configuration Manager SDK
You can use the Configuration Manager SDK to automate the configuration of Microsoft Connected Cache
settings on a distribution point. As is the case for all site roles, use the SMS_SCI_SysResUse WMI class. For more
information, see Programming the site roles.
When you update the SMS_SCI_SysResUse instance for the distribution point, set the following properties:
AgreeDOINCLicense : Set to 1 to accept the license terms.
Flags : To enable Connected Cache, set the 0x4 bit (Flags |= 4). To disable it, clear that bit (Flags &= ~4). Leave the other bits unchanged.
DiskSpaceDOINC : Set to Percentage or GB
RetainDOINCCache : Set to 0 or 1
LocalDriveDOINC : Set to Automatic , or a specific drive letter, such as C: or D:
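The following is an added example, not code from the page or the SDK. It updates the properties above on the SMS_SCI_SysResUse instance for one distribution point through the SMS Provider's WMI namespace, using the same embedded-property pattern that applies to any site role: find the SMS_EmbeddedProperty with the right PropertyName, set it, assign the whole Props array back, and call Put(). The site server, site code and distribution point name are placeholders. One assumption the page does not settle: numeric values go in Value and string values (such as LocalDriveDOINC) in Value1. The page lists no property for the numeric cache size, so the example leaves DiskSpaceDOINC untouched; set the size with Set-CMDistributionPoint -DiskSpaceDoinc if you need to change it.

```powershell
# Added example: enable Connected Cache on a DP by editing SMS_SCI_SysResUse embedded properties.
# Windows PowerShell 5.1 (Get-WmiObject). Placeholders: cm01.contoso.com, PS1, dp01.contoso.com.
# Assumption: numeric values use Value, strings use Value1 (not stated on the page).
param(
    [string]$SiteServer = 'cm01.contoso.com', # placeholder: server hosting the SMS Provider
    [string]$SiteCode   = 'PS1',              # placeholder
    [string]$DpFqdn     = 'dp01.contoso.com'  # placeholder
)

$ns = "root\SMS\site_$SiteCode"

# NetworkOSPath is stored as \\FQDN; backslashes are doubled inside the WQL string literal.
$filter = "RoleName='SMS Distribution Point' AND NetworkOSPath='\\\\$DpFqdn'"
$dp = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_SCI_SysResUse -Filter $filter
if (-not $dp) { throw "Distribution point role for $DpFqdn not found in $ns on $SiteServer" }

# Props is an array of SMS_EmbeddedProperty: PropertyName, Value (uint32), Value1/Value2 (strings).
$props = @($dp.Props)

# Set an existing embedded property, or append a new one when the role has never had it.
function Set-EmbeddedProperty {
    param([object[]]$Props, [string]$Name, [uint32]$Value = 0, [string]$Value1 = '')
    $existing = $Props | Where-Object { $_.PropertyName -eq $Name }
    if ($existing) {
        $existing.Value  = $Value
        $existing.Value1 = $Value1
        return $Props
    }
    $new = ([wmiclass]"\\$SiteServer\$ns`:SMS_EmbeddedProperty").CreateInstance()
    $new.PropertyName = $Name
    $new.Value  = $Value
    $new.Value1 = $Value1
    return ($Props + $new)
}

# Flags: set the 0x4 bit to enable. To disable instead: $flags.Value -band (-bnot 4).
$flags = $props | Where-Object { $_.PropertyName -eq 'Flags' }
if (-not $flags) { throw 'Flags property missing on the distribution point role' }
$flags.Value = [uint32]($flags.Value -bor 4)

$props = @(Set-EmbeddedProperty -Props $props -Name 'AgreeDOINCLicense' -Value 1)
$props = @(Set-EmbeddedProperty -Props $props -Name 'RetainDOINCCache'  -Value 1)
$props = @(Set-EmbeddedProperty -Props $props -Name 'LocalDriveDOINC'   -Value1 'Automatic')

# Assign the array back and commit; the site then reconfigures the DP.
$dp.Props = $props
[void]$dp.Put()

# Read back the properties we care about to confirm the write.
$check = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_SCI_SysResUse -Filter $filter
$check.Props |
    Where-Object { $_.PropertyName -in 'Flags','AgreeDOINCLicense','RetainDOINCCache','LocalDriveDOINC','DiskSpaceDOINC' } |
    Select-Object PropertyName, Value, Value1 | Format-Table -AutoSize
```

The account that runs this needs the same rights as an administrator changing the role in the console; the SMS Provider enforces role-based administration on WMI writes as it does for the console.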

Verify
On supported versions of Windows 10 or later, verify this behavior with the Get-DeliveryOptimizationStatus Windows PowerShell cmdlet. In the cmdlet output, review the BytesFromCacheServer value. For more information, see Monitor Delivery Optimization.
If the cache server returns any HTTP failure, the Delivery Optimization client falls back to the original cloud
source.
For more detailed information, see Troubleshoot Microsoft Connected Cache in Configuration Manager.

Support for Intune Win32 apps


When you enable Connected Cache on your Configuration Manager distribution points, they can serve
Microsoft Intune Win32 apps to co-managed clients.

TIP
All other content that Intune-managed devices download from Microsoft with Delivery Optimization can also be cached
on Microsoft Connected Cache. This content includes software updates for Windows, Microsoft 365 apps, and Microsoft
Edge.

Prerequisites
Client
Update the client to the latest version.
The client device needs to have at least 4 GB of memory.
TIP
Use the following group policy setting: Computer Configuration > Administrative Templates > Windows
Components > Delivery Optimization > Minimum RAM capacity (inclusive) required to enable use of
Peer Caching (in GB) .

Site
Enable Connected Cache on a distribution point.
The client and the Connected Cache-enabled distribution point need to be in the same boundary group. If
a client isn't in a boundary group with a Connected Cache-enabled distribution point, it won't download
content from a Connected Cache-enabled distribution point in a neighbor or site default boundary group.
Enable the Allow peer downloads in this boundary group option for the boundary group that contains the client and the distribution point. For more information, see Boundary Group options.
Enable the following client settings in the Delivery Optimization group:
Use Configuration Manager Boundary Groups for Delivery Optimization Group ID
Enable devices managed by Configuration Manager to use Microsoft Connected Cache servers for content download
Enable co-management, and switch the Client apps workload to Pilot Intune or Intune . For more
information, see the following articles:
Workloads - Client apps
How to enable co-management
Switch workloads to Intune
If in pilot, add the client to the pilot collection for Client Apps.
Intune
This feature only supports the Intune Win32 app type.
Create and assign (deploy) a new app in Intune for this purpose. (Apps created before Intune version
1811 don't work.) For more information, see Win32 app management in Microsoft Intune.

Support for cloud-managed devices


When you install a Microsoft Connected Cache on a Configuration Manager distribution point, cloud-managed
devices can use the on-premises cache. For example, a device that's managed by Intune, but connects to the on-
premises network. As long as the device can communicate with the server, the cache is available to deliver
content to these devices.
To configure the device to use the Microsoft Connected Cache, configure the DOCacheHost policy. Set it to the
FQDN or IP address of the Configuration Manager distribution point. For more information on this policy, see
Policy CSP - DeliveryOptimization. To use Intune to configure this policy, use the Cache server host names
setting. For more information, see Delivery Optimization settings for Windows devices in Intune.
When you enable this policy for cloud-managed devices, either type of device can request the server to cache
content, and either can download the content. If multiple devices request the same content, no matter their
management authority, they download supported and available content from the Microsoft Connected Cache.

Next steps
Optimize Windows updates with Delivery Optimization
Troubleshoot Microsoft Connected Cache in Configuration Manager
Troubleshoot Microsoft Connected Cache in Configuration Manager
2/16/2022 • 6 minutes to read

This article provides technical details about Microsoft Connected Cache in Configuration Manager. Use it to help
troubleshoot issues that you may have in your environment. For more information on how it works and how to
use it, see Microsoft Connected Cache in Configuration Manager.

Verify
When you correctly install the Delivery Optimization cache server, and correctly configure clients, they
download from the cache server installed on your distribution point rather than the internet.
Verify this behavior on a client or on the server.
Verify on a client
1. On a client running a supported version of Windows 10 or later, download cloud-managed content. For more information on the types of content that Connected Cache supports, see Supported content types.
2. Open PowerShell and run the following command: Get-DeliveryOptimizationStatus

For example:

PS C:\> Get-DeliveryOptimizationStatus

FileId : ec523d49c4f7c3c4444f0d9b952286ce40fdcee4
FileSize : 549064
TotalBytesDownloaded : 549064
PercentPeerCaching : 0
BytesFromPeers : 0
BytesFromHttp : 0
Status : Caching
Priority : Background
BytesFromCacheServer : 549064
BytesFromLanPeers : 0
BytesFromGroupPeers : 0
BytesFromInternetPeers : 0
BytesToLanPeers : 0
BytesToGroupPeers : 0
BytesToInternetPeers : 0
DownloadDuration : 00:00:00.0780000
HttpConnectionCount : 2
LanConnectionCount : 0
GroupConnectionCount : 0
InternetConnectionCount : 0
DownloadMode : 99
SourceURL : http://au.download.windowsupdate.com/c/msdownload/update/software/defu/2019/09/am_delta_patch_1.301.664.0_ec523d49c4f7c3c4444f0d9b952286ce40fdcee4.exe
NumPeers : 0
PredefinedCallerApplication : WU Client Download
ExpireOn : 9/6/2019 8:36:19 AM
IsPinned : False

Notice that the BytesFromCacheServer attribute isn't zero.


If the client isn't configured correctly, or the cache server isn't installed correctly, the Delivery Optimization client
falls back to the original cloud source. Then the BytesFromCacheServer attribute will be zero.
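The function below is an added example, not code from the page. Rather than reading one job's BytesFromCacheServer by hand, it summarizes every job the Delivery Optimization client is tracking, works out what fraction of each came from the cache server, from peers or straight from HTTP, and labels jobs that fell back to the cloud source. The same attributes the sample output above shows (TotalBytesDownloaded, BytesFromCacheServer, BytesFromPeers, BytesFromHttp, SourceURL) drive the summary. The registry location read at the end is the group policy location for DOCacheHost and is an assumption; Configuration Manager clients receive the cache server through client settings and boundary groups, so it is normally empty on them.

```powershell
# Added example: summarize Delivery Optimization jobs by download source on a client.
# Run in PowerShell on a Windows 10 or later client after it has downloaded cloud-managed content.
function Get-DoSourceSummary {
    [CmdletBinding()]
    param(
        # Jobs to summarize; defaults to the live cmdlet output so you can also feed captured objects.
        [object[]]$Jobs = (Get-DeliveryOptimizationStatus)
    )
    foreach ($job in $Jobs) {
        $total = [double]$job.TotalBytesDownloaded
        $pct = { param($bytes) if ($total -gt 0) { [math]::Round(100 * $bytes / $total, 1) } else { 0 } }

        # "Fallback" means bytes arrived over HTTP but none from the cache server, which is what
        # you see when the cache host is wrong or the server answered with an HTTP failure.
        $verdict = if ($job.BytesFromCacheServer -gt 0) { 'CacheServer' }
                   elseif ($job.BytesFromPeers -gt 0)  { 'Peers' }
                   elseif ($job.BytesFromHttp -gt 0)   { 'Fallback (HTTP)' }
                   else                                { 'NoBytesYet' }

        [pscustomobject]@{
            FileId       = $job.FileId
            Caller       = $job.PredefinedCallerApplication
            Status       = $job.Status
            DownloadMode = $job.DownloadMode
            TotalMB      = [math]::Round($total / 1MB, 2)
            PctCache     = & $pct $job.BytesFromCacheServer
            PctPeers     = & $pct $job.BytesFromPeers
            PctHttp      = & $pct $job.BytesFromHttp
            Verdict      = $verdict
            SourceHost   = $(if ($job.SourceURL) { ([uri]$job.SourceURL).Host } else { '' })
        }
    }
}

# Per-job view, then a one-line verdict on whether the cache server is being used at all.
$rows = @(Get-DoSourceSummary)
$rows | Format-Table FileId, Caller, Status, TotalMB, PctCache, PctPeers, PctHttp, Verdict, SourceHost -AutoSize

$fromCache = ($rows | Where-Object { $_.Verdict -eq 'CacheServer' }).Count
$fallback  = ($rows | Where-Object { $_.Verdict -eq 'Fallback (HTTP)' }).Count
"Jobs served by the cache server: $fromCache; jobs that fell back to HTTP: $fallback; total tracked: $($rows.Count)"

# DOCacheHost as set by group policy (assumed registry location). Empty is normal for
# Configuration Manager clients, which get the cache server from client policy instead.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -ErrorAction SilentlyContinue
"DOCacheHost (group policy): $($policy.DOCacheHost)"
```

A fleet-wide version of this check is the fastest way to find boundary-group or client-setting mistakes: clients in a group without a Connected Cache-enabled distribution point show nothing but Fallback (HTTP) verdicts.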
Verify on the server
First, verify the registry properties are configured correctly:
HKLM\SOFTWARE\Microsoft\Delivery Optimization In-Network Cache . For example, the drive cache location is
PrimaryDrivesInput\DOINC-E77D08D0-5FEA-4315-8C95-10D359D59294 , where PrimaryDrivesInput can be multiple
drives such as C,D,E .
Next, use the following method to simulate a client download request to the server with the mandatory headers.
1. Open a 64-bit PowerShell window as an administrator.
2. Run the following command, and replace the name or IP address of your server for <DoincServer>:

Invoke-WebRequest -URI "http://<DoincServer>/mscomtest/wuidt.gif" -Headers @{"Host"="b1.download.windowsupdate.com"}

The output looks similar to the following example:

PS C:\WINDOWS\system32> Invoke-WebRequest -URI "http://SERVER01.CONTOSO.COM/mscomtest/wuidt.gif" -Headers @{"Host"="b1.download.windowsupdate.com"}

StatusCode : 200
StatusDescription : OK
Content : {71, 73, 70, 56...}
RawContent : HTTP/1.1 200 OK
X-HW: 1567797125.dop019.se2.t,1567797125.cds058.se2.s,1567797125.dop114.at2.r,1567797125.cds079.at2.p,1567797125.cds058.se2.p
X-CCC: cdP+dRBgUCoZO1mezA9zhg2VwQ7P1JWTh9k+GhfQmu8=_SLwv...
Headers : {[X-HW, 1567797125.dop019.se2.t,1567797125.cds058.se2.s,1567797125.dop114.at2.r,1567797125.cds079.at2.p,1567797125.cds058.se2.p], [X-CCC, cdP+dRBgUCoZO1mezA9zhg2VwQ7P1JWTh9k+GhfQmu8=_SLwvtSBQdT3uPQ5ikBe1ABMbdYIIncem+h5dtcLI6GY=], [X-CID, 100], [Accept-Ranges, bytes]...}
RawContentLength : 969710

The following attributes indicate success:


StatusCode : 200
StatusDescription : OK
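The script below is an added example, not code from the page. It wraps the manual Invoke-WebRequest check above in a function that reports the status code, whether the X-CCC and X-CID headers the outbound rewrite rules add were present, and whether the request was forwarded at all (an HTTP error from the origin still proves ARR forwarded it; a connection failure does not). It also dumps the registry key mentioned above. Because the Default Web Site selects the ARR farm purely by Host header over plain HTTP on port 80, the example ends with a negative check: a Host value that matches none of the inbound rewrite rules must be answered by IIS itself, with no X-CCC header, otherwise the distribution point is relaying for hosts it should not. SERVER01.CONTOSO.COM is a placeholder.

```powershell
# Added example: exercise the ARR forward path on a Connected Cache distribution point.
# Run in a 64-bit elevated PowerShell session; $DoincServer is a placeholder.
function Test-DoincForward {
    param(
        [Parameter(Mandatory)][string]$DoincServer,
        [string]$UpstreamHost = 'b1.download.windowsupdate.com',   # the host the page's check uses
        [string]$Path = '/mscomtest/wuidt.gif'
    )
    $uri = "http://$DoincServer$Path"
    try {
        # The Host header, not the URL, picks the ARR web farm. -UseBasicParsing avoids the IE
        # dependency on Windows PowerShell 5.1 and is ignored on PowerShell 7.
        $r = Invoke-WebRequest -Uri $uri -Headers @{ Host = $UpstreamHost } -UseBasicParsing -TimeoutSec 30
        [pscustomobject]@{
            UpstreamHost = $UpstreamHost
            StatusCode   = [int]$r.StatusCode
            Forwarded    = $true
            HasXCCC      = [bool]$r.Headers['X-CCC']   # added by Doinc_Outbound_SetHeader_X_CCC_*
            XCID         = "$($r.Headers['X-CID'])"
            Bytes        = $r.RawContentLength
            Error        = $null
        }
    } catch {
        $resp = $_.Exception.Response
        [pscustomobject]@{
            UpstreamHost = $UpstreamHost
            StatusCode   = $(if ($resp) { [int]$resp.StatusCode } else { $null })
            Forwarded    = [bool]$resp                  # any HTTP response means an origin answered
            HasXCCC      = $false
            XCID         = $null
            Bytes        = 0
            Error        = $_.Exception.Message
        }
    }
}

# Drive configuration written by Connected Cache setup (key named on the page).
function Get-DoincServerConfig {
    $key = 'HKLM:\SOFTWARE\Microsoft\Delivery Optimization In-Network Cache'
    if (-not (Test-Path $key)) { throw "Registry key not found: $key (is Connected Cache installed on this server?)" }
    Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*
}

$server = 'SERVER01.CONTOSO.COM'   # placeholder

Get-DoincServerConfig

# Positive check: must come back 200 with X-CCC present, as in the sample output above.
$ok = Test-DoincForward -DoincServer $server
$ok | Format-List
if ($ok.StatusCode -ne 200 -or -not $ok.HasXCCC) { Write-Warning 'Forward path to b1.download.windowsupdate.com is not healthy' }

# Negative check: a Host header with no matching Doinc_ForwardToFarm_* rule must NOT be forwarded.
$neg = Test-DoincForward -DoincServer $server -UpstreamHost 'not-a-cache-farm.invalid'
if ($neg.HasXCCC) { Write-Warning 'DP forwarded a request for an unlisted host; review the inbound rewrite rules' }
else { "Unlisted host was not proxied (status $($neg.StatusCode)), as expected" }
```

Pass any other host from the inbound rewrite rule list as -UpstreamHost to check the remaining farms; those farms may answer 404 for the test path, which still counts as forwarded.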

Log files
ARR setup log: %temp%\arr_setup.log
Connected Cache server setup log: SMS_DP$\Ms.Dsp.Do.Inc.Setup\DoincSetup.log on the distribution point, and DistMgr.log on the site server
IIS operational logs: By default, %SystemDrive%\inetpub\logs\LogFiles
Connected Cache server operational log: C:\Doinc\Product\Install\Logs

TIP
Among other uses, this log can help you identify connectivity issues with the Microsoft cloud.

Setup error codes


When Configuration Manager installs the Connected Cache component on the distribution point, the following table lists the possible error codes that might occur:

Error code    Error description
0x00000000    Success
0x00000BC2    Success, reboot required
0x00000643    Generic install failure
0x00D00001    Connected Cache setup can only be run if Internet Information Services (IIS) has been installed
0x00D00002    Connected Cache setup can only be run if a 'Default Web Site' exists on the server
0x00D00003    You can't install Connected Cache if Application Request Routing (ARR) is already installed
0x00D00004    Connected Cache setup can only be run if Application Request Routing (ARR) was installed by the Install.ps1 script
0x00D00005    Connected Cache setup requires a PowerShell session running as Administrator
0x00D00006    Connected Cache setup can only be run from a 64-bit PowerShell environment
0x00D00007    Connected Cache setup can only be run on a Windows Server
0x00D00008    Failure: The number of cache drives specified must match the number of cache drive size percentages specified
0x00D00009    Failure: A valid cache node ID must be supplied
0x00D0000A    Failure: A valid cache drive set must be supplied
0x00D0000B    Failure: A valid cache drive size percent set must be supplied
0x00D0000C    Failure: A valid cache drive size percent set or cache drive size in GB must be supplied
0x00D0000D    Failure: A valid cache drive size percent set and cache drive size in GB cannot both be supplied
0x00D0000E    Failure: The number of cache drives specified must match the number of cache drives size in GB specified
0x00D0000F    Failure: Couldn't back up the applicationhost.config file from $AppHostConfig to $AppHostConfigDestinationName
0x00D00010    Failure: Couldn't back up the Default Web Site web.config file from $WebsiteConfigFilePath to $WebConfigDestinationName
0x00D00011    Failure: An exception occurred in SetupARRWebFarm.ps1
0x00D00012    Failure: An exception occurred in SetupARRWebFarmRewriteRules.ps1
0x00D00013    Failure: An exception occurred in SetupARRWebFarmProperties.ps1
0x00D00014    Failure: An exception occurred in SetupAllowableServerVariables.ps1
0x00D00015    Failure: An exception occurred in SetupFirewallRules.ps1
0x00D00016    Failure: An exception occurred in SetupAppPoolProperties.ps1
0x00D00017    Failure: An exception occurred in SetupARROutboundRules.ps1
0x00D00018    Failure: An exception occurred in SetupARRDiskCache.ps1
0x00D00019    Failure: An exception occurred in SetupARRProperties.ps1
0x00D0001A    Failure: An exception occurred in SetupARRHealthProbes.ps1
0x00D0001B    Failure: An exception occurred in VerifyIISSItesStarted.ps1
0x00D0001C    Failure: An exception occurred in SetDrivesToHealthy.ps1
0x00D0001D    Failure: An exception occurred in VerifyCacheNodeSetup.ps1
0x00D0001E    You can't install Connected Cache if the Default Web Site isn't on port 80
0x00D0001F    Failure: The cache drive allocation in percentage can't exceed 100
0x00D00020    Failure: The cache drive allocation in GB can't exceed the drive's free space
0x00D00021    Failure: The cache drive allocation in percentage must be greater than 0
0x00D00022    Failure: The cache drive allocation in GB must be greater than 0
0x00D00023    Failure: An exception occurred in RegisterScheduledTask_CacheNodeKeepAlive
0x00D00024    Failure: An exception occurred in RegisterScheduledTask_Maintenance
0x00D00025    Failure: An exception occurred setting up the rewrite rules for HTTPS farm: $FarmName
0x00D00026    Failure: An exception occurred setting up the rewrite rules for HTTP farm: $FarmName
0x00D00027    You can't install Connected Cache because dependent software "Application Request Routing (ARR)" failed to install. See the log file located at %temp%\arr_setup.log

IIS configurations
The Connected Cache server install makes several modifications to the IIS configuration on the distribution
point.
Application request routing
The Connected Cache server installs and configures IIS Application Request Routing (ARR). To avoid potential
conflicts, the distribution point can't already have this component installed.
Allowed server variables
After you install the Connected Cache server, the default web site has the following local server variables:
HTTP_HOST
QUERY_STRING
X-CCC
X-CID
X-DOINC-OUTBOUND
Rewrite rules
The Connected Cache server adds the following rewrite rules:
Inbound rewrite rules
Doinc_ForwardToFarm_shswda01.download.manage-selfhost.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_swdc01.manage.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_swdc02.manage.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_dl.delivery.mp.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_officecdn.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_b1.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_officecdn.microsoft.com.edgesuite.net_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_au.b1.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_assets1.xboxlive.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_au.download.windowsupdate.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_emdl.ws.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_tlu.dl.delivery.mp.microsoft.com_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_ForwardToFarm_assets2.xboxlive.com_E77D08D0-5FEA-4315-8C95-10D359D59294

Outbound rewrite rules


Doinc_Outbound_SetHeader_X_CID_E77D08D0-5FEA-4315-8C95-10D359D59294
Doinc_Outbound_SetHeader_X_CCC_E77D08D0-5FEA-4315-8C95-10D359D59294
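The script below is an added example, not code from the page. It reads the pieces Connected Cache setup adds to IIS on the distribution point (allowed server variables, the Doinc_* inbound and outbound rewrite rules, and the ARR server farms they forward to) so you can diff them against the lists above. The security point is that each forward rule makes the distribution point a relay for one upstream host; a rule or farm pointing anywhere else, or a rule that has been disabled, is worth investigating. It uses the standard IIS configuration paths for URL Rewrite and ARR through the WebAdministration module, and treats the host list above as the expected set, which may differ between Configuration Manager versions.

```powershell
# Added example: audit the IIS rewrite rules and ARR farms that Connected Cache setup creates.
# Run on the distribution point in an elevated session with the WebAdministration module.
Import-Module WebAdministration -ErrorAction Stop
$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'IIS:\Sites\Default Web Site'

function Get-DoincIisConfig {
    # Allowed server variables are a machine-level setting in applicationHost.config.
    $serverVars = Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/rewrite/allowedServerVariables/add' |
        Select-Object -ExpandProperty name

    # Inbound rules are written to the Default Web Site's web.config.
    $inbound = Get-WebConfiguration -PSPath $site -Filter 'system.webServer/rewrite/rules/rule' |
        Where-Object { $_.name -like 'Doinc_*' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule       = $_.name
                Enabled    = $_.enabled
                Pattern    = $_.match.url
                ActionType = $_.action.type
                ActionUrl  = $_.action.url
            }
        }

    # Outbound rules add the X-CID and X-CCC response headers.
    $outbound = Get-WebConfiguration -PSPath $site -Filter 'system.webServer/rewrite/outboundRules/rule' |
        Where-Object { $_.name -like 'Doinc_*' } |
        Select-Object name, enabled

    # ARR web farms live at the applicationHost level; each server entry is the upstream origin.
    $farms = Get-WebConfiguration -PSPath $appHost -Filter 'webFarms/webFarm' | ForEach-Object {
        $farm = $_
        $servers = Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$($farm.name)']/server" |
            Select-Object -ExpandProperty address
        [pscustomobject]@{ Farm = $farm.name; Enabled = $farm.enabled; Servers = ($servers -join ', ') }
    }

    [pscustomobject]@{
        AllowedServerVariables = @($serverVars)
        InboundRules           = @($inbound)
        OutboundRules          = @($outbound)
        Farms                  = @($farms)
    }
}

# Upstream hosts named in the inbound rewrite rule list on this page.
$expectedHosts = @(
    'shswda01.download.manage-selfhost.microsoft.com', 'swdc01.manage.microsoft.com', 'swdc02.manage.microsoft.com',
    'dl.delivery.mp.microsoft.com', 'officecdn.microsoft.com', 'b1.download.windowsupdate.com',
    'download.windowsupdate.com', 'officecdn.microsoft.com.edgesuite.net', 'au.b1.download.windowsupdate.com',
    'assets1.xboxlive.com', 'au.download.windowsupdate.com', 'emdl.ws.microsoft.com',
    'tlu.dl.delivery.mp.microsoft.com', 'assets2.xboxlive.com'
)

$cfg = Get-DoincIisConfig
"Allowed server variables: $($cfg.AllowedServerVariables -join ', ')"
$cfg.InboundRules  | Format-Table -AutoSize
$cfg.OutboundRules | Format-Table -AutoSize
$cfg.Farms         | Format-Table -AutoSize

# Flag forward rules whose host is not in the documented list, and rules that were switched off.
foreach ($rule in $cfg.InboundRules) {
    if ($rule.Rule -match '^Doinc_ForwardToFarm_(.+)_[0-9A-Fa-f-]{36}$' -and $expectedHosts -notcontains $Matches[1]) {
        Write-Warning "Forward rule for an undocumented host: $($rule.Rule) -> $($rule.ActionUrl)"
    }
    if (-not $rule.Enabled) { Write-Warning "Disabled Doinc rule: $($rule.Rule)" }
}
```

Save the output from a freshly installed distribution point as a baseline; comparing later runs against it catches both drift from an ARR or IIS change and tampering with the farm targets.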

IIS custom headers


If requests with X-Forwarded-For headers are blocked on a proxy server, either allow the header on the proxy
server or change the custom header name in IIS for each server farm.
To change the custom header name for each server farm:
1. Open IIS Manager.
2. Select Server Farms.
3. Select a server farm and the proxy icon.
4. Under Custom Headers , change the value X-Forwarded-For to X-Forwarded-For-<custom-name> .

Manage server resources


Disk space required for each Connected Cache server may vary, based on your organization's update
requirements. 100 GB should be enough space to cache the following content:
A feature update
Two to three months of quality and Microsoft 365 Apps updates
Microsoft Intune apps and Windows inbox apps
The Connected Cache server shouldn't consume much system memory or processor time. After you install the Connected Cache server, if you notice significant processor or memory consumption, analyze the IIS and ARR log files.
If the IIS and ARR log files take up too much space on the server, there are several methods you can use to
manage the log files. For more information, see Managing IIS Log File Storage.

See also
Microsoft Connected Cache in Configuration Manager
Run discovery for Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You use one or more discovery methods in Configuration Manager to find device and user resources that you
can manage. You can also use discovery to identify network infrastructure in your environment. There are
several different methods you can use to discover different things, and each method has its own configurations
and limitations.

Overview of discovery
Discovery is the process by which Configuration Manager learns about the things you can manage. The
following are the available discovery methods:
Active Directory Forest Discovery
Active Directory Group Discovery
Active Directory System Discovery
Active Directory User Discovery
Azure Active Directory User Discovery
Azure Active Directory User Group Discovery
Heartbeat Discovery
Network Discovery
Server Discovery

TIP
You can learn about the individual discovery methods in About discovery methods for Configuration Manager.
For assistance in selecting which methods to use, and at which sites in your hierarchy, see Select discovery methods to
use for Configuration Manager.

To use most discovery methods, you must enable the method at a site, and set it up to search specific network or
Active Directory locations. When it runs, it queries the specified location for information about devices or users
that Configuration Manager can manage. When a discovery method successfully finds information about a
resource, it puts that information into a file called a discovery data record (DDR). That file is then processed by a
primary or central administration site. Processing of a DDR creates a new record in the site database for newly
discovered resources, or updates existing records with new information.
Some discovery methods can generate a large volume of network traffic, and the DDRs they produce can result
in a significant use of CPU resources during processing. Therefore, plan to use only those discovery methods
that you require to meet your goals. You might start by using only one or two discovery methods, and then later
enable additional methods in a controlled manner to extend the level of discovery in your environment.
After discovery information is added to the site database, the information then replicates to each site in the
hierarchy, regardless of where it was discovered or processed. Therefore, while you can set up different
schedules and settings for discovery methods at different sites, you might run a specific discovery method at
only a single site. This reduces the use of network bandwidth through duplicate discovery actions, and reduces
the processing of redundant discovery data at multiple sites.
You can use discovery data to create custom collections and queries that logically group resources for
management tasks. For example:
Pushing client installations, or upgrading.
Deploying content to users or devices.
Deploying client settings and related configurations.

About discovery data records


DDRs are files created by a discovery method. They contain information about a resource you can manage in
Configuration Manager, such as computers, users, and in some cases, network infrastructure. They are processed
at primary sites or at central administration sites. After the resource information in the DDR is entered into the
database, the DDR is deleted, and the information replicates as global data to all sites in the hierarchy.
The site at which a DDR is processed depends on the information it contains:
DDRs for newly discovered resources that are not in the database are processed at the top-level site of
the hierarchy. The top-level site creates a new resource record in the database, and assigns it a unique
identifier. DDRs transfer by file-based replication until they reach the top-level site.
DDRs for previously discovered objects are processed at primary sites. Child primary sites do not transfer
DDRs to the central administration site when the DDR contains information about a resource that is
already in the database.
Secondary sites do not process DDRs, and always transfer them by file-based replication to their parent
primary site.
DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.

Get started with discovery


Before using the Configuration Manager console to set up discovery, you should understand the differences
among the methods, what they can do, and for some, their limitations.
The following topics can build a foundation that will help you use discovery methods successfully:
About discovery methods for Configuration Manager
Select discovery methods to use for Configuration Manager
Then, when you understand the methods you want to use, find guidance to set up each method in Configure
discovery methods for Configuration Manager.
About discovery methods for Configuration Manager
2/16/2022 • 25 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager discovery methods find different devices on your network, devices and users from
Active Directory, or users from Azure Active Directory (Azure AD). To efficiently use a discovery method, you
should understand its available configurations and limitations.

Active Directory Forest Discovery


Configurable: Yes
Enabled by default: No
Accounts you can use to run this method:
Active Directory Forest Discovery Account (user defined)
Computer account of the site server
Unlike other Active Directory discovery methods, Active Directory Forest Discovery does not discover resources
that you can manage. Instead, this method discovers network locations that are configured in Active Directory. It
can convert those locations into boundaries for use throughout your hierarchy.
When this method runs, it searches the local Active Directory forest, each trusted forest, and each additional
forest that you configure in the Active Directory Forests node of the Configuration Manager console.
Use Active Directory Forest Discovery to:
Discover Active Directory sites and subnets, and then create Configuration Manager boundaries based on
those network locations.
Identify supernets that are assigned to an Active Directory site. Convert each supernet into an IP address
range boundary.
Publish to Active Directory Domain Services (AD DS) in a forest when publishing to that forest is enabled.
The specified Active Directory Forest Account must have permissions to that forest.
You can manage Active Directory Forest Discovery in the Configuration Manager console. Go to the Administration workspace and expand Hierarchy Configuration.
Discovery Methods: Enable Active Directory Forest Discovery to run at the top-level site of your hierarchy. You can also specify a simple schedule to run discovery. Configure it to automatically create boundaries from the IP subnets and Active Directory sites that it discovers. Active Directory Forest Discovery cannot be run at a child primary site or at a secondary site.
Active Directory Forests: Configure the additional forests to discover, specify each Active Directory Forest Account, and configure publishing to each forest. Monitor the discovery process. Add IP subnets and Active Directory sites as Configuration Manager boundaries and members of boundary groups.
To configure publishing for Active Directory forests for each site in your hierarchy, connect your Configuration Manager console to the top-level site of your hierarchy. The Publishing tab in an Active Directory site's Properties dialog box can show only the current site and its child sites. When publishing is enabled for a forest, and that forest's schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest:
SMS-Site-<site code>
SMS-MP-<site code>-<site system server name>
SMS-SLP-<site code>-<site system server name>
SMS-<site code>-<Active Directory site name or subnet>

NOTE
Secondary sites always use the secondary site server computer account to publish to Active Directory. If you want
secondary sites to publish to Active Directory, ensure that the secondary site server computer account has permissions to
publish to Active Directory. A secondary site cannot publish data to an untrusted forest.
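The function below is an added example, not code from the page or the product. It reads back what sites have published to the System Management container, so you can confirm that publishing (or the removal described in the caution that follows) actually happened, and see what any account with read access to that container can learn about your site systems. It queries the object classes that the Configuration Manager schema extension adds; the attribute names it loads (mSSMSSiteCode, mSSMSMPName, dNSHostName) come from that schema extension and are an assumption, not something this page states. It runs from any domain-joined machine with the .NET DirectoryServices classes, without the ActiveDirectory module.

```powershell
# Added example: list the objects Configuration Manager sites have published to AD DS.
# Schema class and attribute names are from the ExtADSch schema extension (assumed, see lead-in).
function Get-CMPublishedObjects {
    [CmdletBinding()]
    param(
        # Defaults to the current domain's System Management container.
        [string]$SearchBase = "CN=System Management,CN=System,$(([adsi]'LDAP://RootDSE').defaultNamingContext)",
        [string]$SiteCode   # optional: restrict to one site, for example 'PS1'
    )

    $classes = 'mSSMSSite', 'mSSMSManagementPoint', 'mSSMSServerLocatorPoint', 'mSSMSRoamingBoundaryRange'
    $ldap = '(|' + (($classes | ForEach-Object { "(objectClass=$_)" }) -join '') + ')'
    if ($SiteCode) { $ldap = "(&$ldap(mSSMSSiteCode=$SiteCode))" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.Filter     = $ldap
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'objectClass', 'mSSMSSiteCode', 'dNSHostName', 'mSSMSMPName', 'whenChanged'))

    # Property keys in a SearchResult are lower-case; missing attributes come back as empty collections.
    function Get-FirstValue($props, [string]$name) {
        $v = $props[$name]
        if ($v -and $v.Count -gt 0) { return $v[0] }
        return $null
    }

    foreach ($r in $searcher.FindAll()) {
        $p  = $r.Properties
        $oc = @($p['objectclass'])
        [pscustomobject]@{
            Name        = [string](Get-FirstValue $p 'cn')
            Class       = [string]$oc[$oc.Count - 1]        # most-derived class is listed last
            SiteCode    = [string](Get-FirstValue $p 'mssmssitecode')
            DnsHostName = [string](Get-FirstValue $p 'dnshostname')
            MPName      = [string](Get-FirstValue $p 'mssmsmpname')
            WhenChanged = Get-FirstValue $p 'whenchanged'
            DN          = $r.Path -replace '^LDAP://', ''
        }
    }
}

# Everything published in this domain, grouped by class; the SMS-Site-/SMS-MP-/SMS-SLP- names above
# appear in the Name column.
Get-CMPublishedObjects | Sort-Object Class, Name | Format-Table Name, Class, SiteCode, DnsHostName, WhenChanged -AutoSize

# Sites that still have objects published, so you can spot a decommissioned site that was never unpublished.
Get-CMPublishedObjects | Where-Object { $_.Class -eq 'mSSMSSite' } | Select-Object Name, SiteCode, WhenChanged
```

Run it after disabling publishing for a site to confirm the removal the caution below describes; a site object that lingers with an old WhenChanged value usually means the site's computer account no longer has rights to the container.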

CAUTION
When you uncheck the option to publish a site to an Active Directory forest, all previously published information
for that site, including available site system roles, is removed from Active Directory.
Actions for Active Directory Forest Discovery are recorded in the following logs:
All actions, except actions related to publishing, are recorded in the ADForestDisc.Log file in the
<InstallationPath>\Logs folder on the site server.
Active Directory Forest Discovery publishing actions are recorded in the hman.log and sitecomp.log
files in the <InstallationPath>\Logs folder on the site server.
For more information about how to configure this discovery method, see Configure discovery methods.

Active Directory Group Discovery


Configurable: Yes
Enabled by default: No
Accounts you can use to run this method:
Active Directory Group Discovery Account (user defined)
Computer account of the site server

TIP
In addition to the information in this section, see Common features of Active Directory Group, System, and User
Discovery.

Use this method to search Active Directory Domain Services to identify:


Local, global, and universal security groups.
The membership of groups.
Limited information about a group's member computers and users, even when another discovery
method has not previously discovered those computers and users.
This discovery method is intended to identify groups and the group relationships of members of groups. By
default, only security groups are discovered. If you want to also find the membership of distribution groups, you must check the box for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box.
Active Directory Group Discovery doesn't support the extended Active Directory attributes that can be identified
by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method
isn't optimized to discover computer and user resources, consider running this discovery method after you have
run Active Directory System Discovery and Active Directory User Discovery. This suggestion is because this
method creates a full discovery data record (DDR) for groups, but only a limited DDR for computers and users
that are members of groups.
You can configure the following discovery scopes that control how this method searches for information:
Location : Use a location if you want to search one or more Active Directory containers. This scope option
supports a recursive search of the specified Active Directory containers. This process searches each child
container under the container that you specify. It continues until no more child containers are found.
Groups : Use groups if you want to search one or more specific Active Directory groups. You can configure Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched.
CAUTION
When you configure a discovery scope, choose only the groups that you must discover. This recommendation is
because Active Directory Group Discovery tries to discover each member of each group in the discovery scope.
Discovery of large groups can require extensive use of bandwidth and Active Directory resources.

NOTE
Before you can create collections that are based on extended Active Directory attributes, and to ensure accurate discovery
results for computers and users, run Active Directory System Discovery or Active Directory User Discovery, depending on
what you want to discover.

Actions for Active Directory Group Discovery are recorded in the file adsgdis.log in the
<InstallationPath>\LOGS folder on the site server.
For more information about how to configure this discovery method, see Configure discovery methods.

Active Directory System Discovery


Configurable: Yes
Enabled by default: No
Accounts you can use to run this method:
Active Directory System Discovery Account (user defined)
Computer account of the site server

TIP
In addition to the information in this section, see Common features of Active Directory Group, System, and User
Discovery.

Use this discovery method to search the specified Active Directory Domain Services locations for computer
resources that can be used to create collections and queries. You can also install the Configuration Manager
client on a discovered device by using client push installation.
By default, this method discovers basic information about the computer, including the following attributes:
Computer name
Operating system and version
Active Directory container name
IP address
Active Directory site
Time stamp of last logon
To successfully create a DDR for a computer, Active Directory System Discovery must be able to identify the
computer account and then successfully resolve the computer name to an IP address.
In the Active Directory System Discovery Properties dialog box, on the Active Directory Attributes tab, you can view the full list of default object attributes that it discovers. You can also configure the method to discover additional (extended) attributes.
Actions for Active Directory System Discovery are recorded in the file adsysdis.log in the
<InstallationPath>\LOGS folder on the site server.
For more information about how to configure this discovery method, see Configure discovery methods.

Active Directory User Discovery


Configurable: Yes
Enabled by default: No
Accounts you can use to run this method:
Active Directory User Discovery Account (user defined)
Computer account of the site server

TIP
In addition to the information in this section, see Common features of Active Directory Group, System, and User
Discovery.

Use this discovery method to search Active Directory Domain Services to identify user accounts and associated
attributes. By default, this method discovers basic information about the user account, including the following
attributes:
User name
Unique user name (includes domain name)
Domain
Active Directory container names
In the Active Directory User Discovery Properties dialog box, on the Active Directory Attributes tab,
you can view the full default list of object attributes that it discovers. You can also configure the method to
discover additional (extended) attributes.
Actions for Active Directory User Discovery are recorded in the file adusrdis.log in the
<InstallationPath>\LOGS folder on the site server.
For more information about how to configure this discovery method, see Configure discovery methods.

Azure Active Directory User Discovery


Use Azure Active Directory (Azure AD) User Discovery to search your Azure AD subscription for users with a
modern cloud identity. Azure AD user discovery can find the following attributes:
objectId
displayName
mail
mailNickname
onPremisesSecurityIdentifier
userPrincipalName
AAD tenantID
onPremisesDomainName
onPremisesSamAccountName
onPremisesDistinguishedName
This method supports full and delta synchronization of user attributes from Azure AD. This information can then
be used alongside discovery data you collect from the other discovery methods.
Actions for Azure AD user discovery are recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file on the
top-tier site server of the hierarchy.
To configure Azure AD user discovery, see Configure Azure Services for Cloud Management. For information
about how to configure this discovery method, see Configure Azure AD User Discovery.

Azure Active Directory user group discovery


You can discover user groups and members of those groups from Azure Active Directory (Azure AD). Azure AD
user group discovery can find the following attributes:
objectId
displayName
mailNickname
onPremisesSecurityIdentifier
AAD tenantID
Actions for Azure AD user group discovery are recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file
on the top-tier site server of the hierarchy. For information about how to configure this discovery method, see
Configure Azure AD user group discovery.

Heartbeat Discovery
Configurable: Yes
Enabled by default: Yes
Accounts you can use to run this method:
Computer account of the site server
Heartbeat Discovery differs from other Configuration Manager discovery methods. It is enabled by default and
runs on each computer client (instead of on a site server) to create a DDR. For mobile device clients, this DDR is
created by the management point that the mobile device client is using. To help maintain the database record of
Configuration Manager clients, do not disable Heartbeat Discovery. In addition to maintaining the database
record, this method can force discovery of a computer as a new resource record. It can also repopulate the
database record of a computer that was deleted from the database.
Heartbeat Discovery runs on a schedule configured for all clients in the hierarchy. The default schedule for
Heartbeat Discovery is set to every seven days. If you change the heartbeat discovery interval, ensure that it
runs more frequently than the site maintenance task Delete Aged Discovery Data. This task deletes inactive
client records from the site database. You can configure the Delete Aged Discovery Data task only for
primary sites.
You can also manually invoke Heartbeat Discovery on a specific client. Run the Discovery Data Collection
Cycle on the Action tab of a client's Configuration Manager control panel.
When Heartbeat Discovery runs, it creates a DDR that has the client's current information. The client then copies
this small file (about 1 KB in size) to a management point so that a primary site can process it. The file has the
following information:
Network location
NetBIOS name
Version of the client agent
Operational status details
Heartbeat Discovery is the only discovery method that provides details about the client installation status. It
does so by updating the system resource client attribute to set a value equal to Yes.

NOTE
Even when Heartbeat Discovery is disabled, DDRs are still created and submitted for active mobile device clients. This
behavior ensures that the task to Delete Aged Discovery Data doesn't affect active mobile devices. When the Delete
Aged Discovery Data task deletes a database record for a mobile device, it also revokes the device certificate. This
action blocks the mobile device from connecting to management points.

Actions for Heartbeat Discovery are logged in the following locations:


For computer clients, Heartbeat Discovery actions are recorded on the client in the InventoryAgent.log
file in the %Windir%\CCM\Logs folder.
For mobile device clients, Heartbeat Discovery actions are recorded in the DMPRP.log file in the
%Program Files%\CCM\Logs folder of the management point that the mobile device client uses.
For more information about how to configure this discovery method, see Configure discovery methods.

Network Discovery
Configurable: Yes
Enabled by default: No
Accounts you can use to run this method:
Computer account of the site server
Use this method to discover the topology of your network and to discover devices on your network that have an
IP address. Network Discovery searches your network for IP-enabled resources by querying the following
entities:
Servers that run a Microsoft implementation of DHCP
Address Resolution Protocol (ARP) caches in network routers
SNMP-enabled devices
Active Directory domains
Before you can use Network Discovery, you must specify the level of discovery to run. You also configure one or
more discovery mechanisms that enable Network Discovery to query for network segments or devices. You can
also configure settings that help control discovery actions on the network. Finally, you define one or more
schedules for when Network Discovery runs.
For this method to successfully discover a resource, Network Discovery must identify the IP address and the
subnet mask of the resource. The following methods are used to identify the subnet mask of an object:
Router ARP cache: Network Discovery queries the ARP cache of a router to find subnet information.
Typically, data in a router ARP cache has a short time-to-live. Therefore, when Network Discovery queries
the ARP cache, the ARP cache might no longer have information about the requested object.
DHCP: Network Discovery queries each DHCP server that you specify to discover the devices for which
the DHCP server has provided a lease. Network Discovery supports only DHCP servers that run the
Microsoft implementation of DHCP.
SNMP device: Network Discovery can directly query an SNMP device. For Network Discovery to query
a device, the device must have a local SNMP agent installed. Also configure Network Discovery to use the
community name that the SNMP agent is using.
When discovery identifies an IP-addressable object and can determine the object's subnet mask, it creates a
DDR for that object. Because different types of devices connect to the network, Network Discovery discovers
resources that don't support the Configuration Manager client. For example, devices that can be discovered but
not managed include printers and routers.
Network Discovery can return several attributes as part of the discovery record that it creates. These attributes
include:
NetBIOS name
IP addresses
Resource domain
System roles
SNMP community name
MAC addresses
Network Discovery activity is recorded in the Netdisc.log file in <InstallationPath>\Logs on the site server that
runs discovery.
For more information about how to configure this discovery method, see Configure discovery methods.

NOTE
Complex networks and low-bandwidth connections can cause Network Discovery to run slowly and generate significant
network traffic. As a best practice, run Network Discovery only when the other discovery methods cannot find the
resources that you have to discover. For example, use Network Discovery if you must discover workgroup computers.
Other discovery methods do not discover workgroup computers.
Levels of Network Discovery
When you configure Network Discovery, you specify one of three levels of discovery:

LEVEL OF DISCOVERY / DETAILS

Topology: This level discovers routers and subnets but does not identify a subnet mask for objects.

Topology and client: In addition to topology, this level discovers potential clients like computers, and resources
like printers and routers. This level of discovery tries to identify the subnet mask of objects that it finds.

Topology, client, and client operating system: In addition to topology and potential clients, this level tries to
discover the computer operating system name and version. This level uses Windows Browser and Windows
Networking calls.

With each incremental level, Network Discovery increases its activity and network bandwidth usage. Consider
the network traffic that can be generated before you enable all aspects of Network Discovery.
For example, when you first use Network Discovery, you might start with only the topology level to identify your
network infrastructure. Then, reconfigure Network Discovery to discover objects and their device operating
systems. You can also configure settings that limit Network Discovery to a specific range of network segments.
That way, you discover objects in network locations that you require and avoid unnecessary network traffic. This
process also allows you to discover objects from edge routers or from outside your network.
Network Discovery options
To enable Network Discovery to search for IP-addressable devices, configure one or more of these options.

NOTE
Network Discovery runs in the context of the computer account of the site server that runs discovery. If the computer
account does not have permissions to an untrusted domain, the domain and DHCP server configurations can fail to
discover resources.

DHCP
Specify each DHCP server that you want Network Discovery to query. (Network Discovery supports only DHCP
servers that run the Microsoft implementation of DHCP.)
Network Discovery retrieves information by using remote procedure calls to the database on the DHCP
server.
Network Discovery can query both 32-bit and 64-bit DHCP servers for a list of devices that are registered
with each server.
For Network Discovery to successfully query a DHCP server, the computer account of the server that runs
discovery must be a member of the DHCP Users group on the DHCP server. For example, this level of
access exists when one of the following statements is true:
The specified DHCP server is the DHCP server of the server that runs discovery.
The computer that runs discovery and the DHCP server are in the same domain.
A two-way trust exists between the computer that runs discovery and the DHCP server.
The site server is a member of the DHCP Users group.
When Network Discovery enumerates a DHCP server, it does not always discover static IP addresses.
Network Discovery does not find IP addresses that are part of an excluded range of IP addresses on the
DHCP server. It also does not discover IP addresses that are reserved for manual assignment.
Domains
Specify each domain that you want Network Discovery to query.
The computer account of the site server that runs discovery must have permissions to read the domain
controllers in each specified domain.
To discover computers from the local domain, you must enable the Computer Browser service on at least
one computer. This computer must be on the same subnet as the site server that runs Network Discovery.
Network Discovery can discover any computer that you can view from your site server when you browse
the network.
Network Discovery retrieves the IP address. It then uses an Internet Control Message Protocol (ICMP)
echo request to ping each device that it finds. The ping command helps determine which computers are
currently active.
SNMP Devices
Specify each SNMP device that you want Network Discovery to query.
Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that responds to the
query. This value returns arrays of IP addresses that are client computers or other resources like printers,
routers, or other IP-addressable devices.
To query a device, you must specify the IP address or NetBIOS name of the device.
Configure Network Discovery to use the community name of the device, or the device rejects the SNMP-
based query.
Limiting Network Discovery
When Network Discovery queries an SNMP device on the edge of your network, it can identify information
about subnets and SNMP devices that are outside your immediate network. Use the following information to
limit Network Discovery by configuring the SNMP devices that discovery can communicate with, and by
specifying the network segments to query.
Subnets
Configure the subnets that Network Discovery queries when it uses the SNMP and DHCP options. These two
options search only the enabled subnets.
For example, a DHCP request can return devices from locations across your whole network. If you want to
discover only devices on a specific subnet, specify and enable that specific subnet on the Subnets tab in the
Network Discovery Properties dialog box. When you specify and enable subnets, you limit future DHCP and
SNMP discovery tasks to those subnets.

NOTE
Subnet configurations do not limit the objects that the Domains discovery option discovers.

SNMP community names


To enable Network Discovery to successfully query an SNMP device, configure Network Discovery with the
community name of the device. If Network Discovery is not configured by using the community name of the
SNMP device, the device rejects the query.
Maximum hops
When you configure the maximum number of router hops, you limit the number of network segments and
routers that Network Discovery can query by using SNMP.
The number of hops that you configure limits the number of additional devices and network segments that
Network Discovery can query.
For example, a topology-only discovery with 0 (zero) router hops discovers the subnet on which the originating
server resides. It includes any routers on that subnet.
The following diagram shows what a topology-only Network Discovery query finds when it runs on Server 1
with 0 router hops specified: subnet D and Router 1.

The following diagram shows what a topology and client Network Discovery query finds when it runs on Server
1 with 0 router hops specified: subnet D and Router 1, and all potential clients on subnet D.

To get a better idea of how additional router hops can increase the amount of network resources that are
discovered, consider the following network:

Running a topology-only Network Discovery from Server 1 with one router hop discovers the following entities:
Router 1 and subnet 10.1.10.0 (found with zero hops)
Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop)

WARNING
Each increase to the number of router hops can significantly increase the number of discoverable resources and increase
the network bandwidth that Network Discovery uses.

Server Discovery
Configurable: No
In addition to the user-configurable discovery methods, Configuration Manager uses a process named Server
Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery method creates resource records for
computers that are site systems, like a computer that is configured as a management point.

Common features of Active Directory Group Discovery, System Discovery, and User Discovery
This section provides information about features that are common to the following discovery methods:
Active Directory Group Discovery
Active Directory System Discovery
Active Directory User Discovery

NOTE
The information in this section does not apply to Active Directory Forest Discovery.

These three discovery methods are similar in configuration and operation. They can discover computers, users,
and information about group memberships of resources that are stored in Active Directory Domain Services.
The discovery process is managed by a discovery agent. The agent runs on the site server at each site where
discovery is configured to run. You can configure each of these discovery methods to search one or more Active
Directory locations as location instances in the local forest or remote forests.
When discovery searches an untrusted forest for resources, the discovery agent must be able to resolve the
following to be successful:
To discover a computer resource by using Active Directory System Discovery, the discovery agent must
be able to resolve the FQDN of the resource. If it cannot resolve the FQDN, it then tries to resolve the
resource by its NetBIOS name.
To discover a user or group resource by using Active Directory User Discovery or Active Directory Group
Discovery, the discovery agent must be able to resolve the FQDN of the domain controller name that you
specify for the Active Directory location.
For each location that you specify, you can configure individual search options, like enabling a recursive search
of the location's Active Directory child containers. You can also configure a unique account to use when it
searches that location. This account provides flexibility in configuring a discovery method at one site to search
multiple Active Directory locations across multiple forests. You don't have to configure a single account that has
permissions to all locations.
When each of these three discovery methods runs at a specific site, the Configuration Manager site server at
that site contacts the nearest domain controller in the specified Active Directory forest to locate Active Directory
resources. The domain and forest can be in any supported Active Directory mode. The account that you assign
to each location instance must have Read access permission to the specified Active Directory locations.
Discovery searches the specified locations for objects and then tries to collect information about those objects. A
DDR is created when sufficient information about a resource can be identified. The required information varies
depending on the discovery method that is being used.
If you configure the same discovery method to run at different Configuration Manager sites to take advantage
of querying local Active Directory servers, you can configure each site with a unique set of discovery options.
Because discovery data is shared with each site in the hierarchy, avoid overlap between these configurations to
efficiently discover each resource a single time.
For smaller environments, consider running each discovery method at only one site in your hierarchy. This
configuration reduces administrative overhead and the potential for multiple discovery actions to rediscover the
same resources. When you minimize the number of sites that run discovery, you reduce the overall network
bandwidth that discovery uses. You can also reduce the overall number of DDRs that are created and must be
processed by your site servers.
Many of the discovery method configurations are self-explanatory. Use the following sections for more
information about the discovery options that might require additional information before you configure them.
The following options are available for use with multiple Active Directory discovery methods:
Delta Discovery
Filter stale computer records by domain logon
Filter stale records by computer password
Search customized Active Directory attributes
Delta Discovery
Available for:
Active Directory Group Discovery
Active Directory System Discovery
Active Directory User Discovery
Delta Discovery is not an independent discovery method but an option available for the applicable discovery
methods. Delta Discovery searches specific Active Directory attributes for changes that were made since the last
full discovery cycle of the applicable discovery method. The attribute changes are submitted to the
Configuration Manager database to update the discovery record of the resource.
By default, Delta Discovery runs on a five-minute cycle. This schedule is much more frequent than the typical
schedule for a full discovery cycle. This frequent cycle is possible because Delta Discovery uses fewer site server
and network resources than a full discovery cycle does. When you use Delta Discovery, you can reduce the
frequency of the full discovery cycle for that discovery method.
The following are the most common changes that Delta Discovery detects:
New computers or users added to Active Directory
Changes to basic computer and user information
New computers or users that are added to a group
Computers or users that are removed from a group
Changes to system group objects
Although Delta Discovery can detect new resources and changes to group membership, it cannot detect when a
resource has been deleted from Active Directory. DDRs created by Delta Discovery are processed similarly to the
DDRs that are created by a full discovery cycle.
You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.
Filter stale computer records by domain logon
Available for:
Active Directory Group Discovery
Active Directory System Discovery
You can configure discovery to exclude computers with a stale computer record. This exclusion is based on the
last domain logon of the computer. When this option is enabled, Active Directory System Discovery evaluates
each computer that it identifies. Active Directory Group Discovery evaluates each computer that is a member of
a group that is discovered.
To use this option:
Computers must be configured to update the lastLogonTimeStamp attribute in Active Directory
Domain Services.
The Active Directory domain functional level must be set to Windows Server 2003 or later.
When you're configuring the time after the last logon that you want to use for this setting, consider the interval
for replication between domain controllers.
You configure filtering on the Option tab in the Active Directory System Discovery Properties and Active
Directory Group Discovery Properties dialog boxes. Choose to Only discover computers that have
logged on to a domain in a given period of time.

WARNING
When you configure this filter and Filter stale records by computer password, discovery excludes computers that
meet the criteria of either filter.

Filter stale records by computer password


Available for:
Active Directory Group Discovery
Active Directory System Discovery
You can configure discovery to exclude computers with a stale computer record. This exclusion is based on the
last computer account password update by the computer. When this option is enabled, Active Directory System
Discovery evaluates each computer that it identifies. Active Directory Group Discovery evaluates each computer
that is a member of a group that is discovered.
To use this option:
Computers must be configured to update the pwdLastSet attribute in Active Directory Domain Services.
When you're configuring this option, consider the interval for updates to this attribute. Also consider the
replication interval between domain controllers.
You configure filtering on the Option tab in the Active Directory System Discovery Properties and Active
Directory Group Discovery Properties dialog boxes. Choose to Only discover computers that have
updated their computer account password in a given period of time.

WARNING
When you configure this filter and Filter stale records by domain logon, discovery excludes computers that meet the
criteria of either filter.
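The two stale-record filters above (by domain logon and by computer password), modelled as an added example that is not Configuration Manager code: it evaluates constructed Active Directory computer objects against both filters and shows that meeting either one excludes the computer. The FILETIME decoding is how Active Directory stores lastLogonTimeStamp and pwdLastSet; the replication allowance (replication_slack_days) is an assumption of this example, standing in for the replication interval the text says to consider.

```python
"""Model of the "Filter stale computer records" discovery options.

Added example, not Configuration Manager code. A computer is excluded when
it meets the criteria of EITHER enabled filter, exactly as the warning in
the text states. Attribute values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, the encoding
# Active Directory uses for lastLogonTimeStamp and pwdLastSet.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime; 0 means 'never set'."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (integer arithmetic, so it is exact)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


@dataclass
class ComputerRecord:
    name: str
    last_logon_timestamp: int  # AD attribute lastLogonTimeStamp (FILETIME)
    pwd_last_set: int          # AD attribute pwdLastSet (FILETIME)


@dataclass
class StaleFilters:
    # "Only discover computers that have logged on to a domain in a given
    # period of time" (days); None leaves that filter off.
    logon_days: Optional[int] = None
    # "Only discover computers that have updated their computer account
    # password in a given period of time" (days); None leaves it off.
    password_days: Optional[int] = None
    # Assumed extra allowance for replication latency between domain
    # controllers: the value a site server reads may lag the real one.
    replication_slack_days: int = 0


def stale_reasons(rec: ComputerRecord, filters: StaleFilters, now: datetime) -> List[str]:
    """Return the enabled filters the record fails; an empty list means discover it."""
    reasons: List[str] = []
    slack = timedelta(days=filters.replication_slack_days)
    if filters.logon_days is not None:
        last_logon = filetime_to_datetime(rec.last_logon_timestamp)
        cutoff = now - timedelta(days=filters.logon_days) - slack
        if last_logon is None or last_logon < cutoff:
            reasons.append("domain logon")
    if filters.password_days is not None:
        last_pwd = filetime_to_datetime(rec.pwd_last_set)
        cutoff = now - timedelta(days=filters.password_days) - slack
        if last_pwd is None or last_pwd < cutoff:
            reasons.append("computer password")
    return reasons


def apply_stale_filters(records: List[ComputerRecord], filters: StaleFilters,
                        now: datetime) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split records into (names to discover, {excluded name: failed filters})."""
    discovered: List[str] = []
    excluded: Dict[str, List[str]] = {}
    for rec in records:
        reasons = stale_reasons(rec, filters, now)
        if reasons:
            excluded[rec.name] = reasons
        else:
            discovered.append(rec.name)
    return discovered, excluded


# Constructed sample data, evaluated at a fixed "now" so results are reproducible.
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)


def _days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_RECORDS = [
    ComputerRecord("WKS-ACTIVE", _days_ago(3), _days_ago(10)),
    ComputerRecord("WKS-NOLOGON", _days_ago(120), _days_ago(5)),
    ComputerRecord("WKS-OLDPWD", _days_ago(2), _days_ago(200)),
    ComputerRecord("WKS-NEVER", 0, 0),                 # attributes never set
    ComputerRecord("WKS-LAGGED", _days_ago(95), _days_ago(20)),  # inside the slack window
]

# Both filters at 90 days, with a 14-day replication allowance (assumed value).
SAMPLE_FILTERS = StaleFilters(logon_days=90, password_days=90, replication_slack_days=14)


def demo() -> Tuple[List[str], Dict[str, List[str]]]:
    return apply_stale_filters(SAMPLE_RECORDS, SAMPLE_FILTERS, NOW)


if __name__ == "__main__":
    kept, dropped = demo()
    print("discovered:", kept)
    for name, why in dropped.items():
        print(f"excluded {name}: fails {', '.join(why)} filter(s)")
```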

Search customized Active Directory attributes


Available for:
Active Directory System Discovery
Active Directory User Discovery
Each discovery method supports a unique list of Active Directory attributes that can be discovered.
You can view and configure the list of customized attributes on the Active Directory Attributes tab in the
Active Directory System Discovery Properties and Active Directory User Discovery Properties
dialog boxes.
Select discovery methods to use for Configuration Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


To successfully and efficiently use discovery for Configuration Manager, you must consider which methods to
use and at which sites to run them.
Because discovery can generate a large volume of network traffic, and the resultant discovery data records
(DDRs) can use significant CPU resources during processing, use only those discovery methods that you require
to meet your goals. You might start by using only one or two discovery methods, and then later enable
additional methods in a controlled manner to extend the level of discovery in your environment. The
information in this topic can help you make informed decisions.
For information about the different discovery methods, see About discovery methods for Configuration
Manager.

Select methods to discover different things


To discover potential Configuration Manager client computers or user resources, you must enable the
appropriate discovery methods. You can use different combinations of discovery methods to locate different
resources, and to discover additional information about those resources. The discovery methods that you use
determine the type of resources that are discovered, and which Configuration Manager services and agents are
used in the discovery process. They also determine the type of information about resources that you can
discover.
Discover computers
When you want to discover computers, you can use Active Directory System Discovery or Network
Discovery.
For example, if you want to discover resources that can install the Configuration Manager client before you use
client push installation, you might run Active Directory System Discovery. Using this method, you not only
discover the resource, but also discover basic information and even extended information about it from Active
Directory Domain Services. This information might be useful in building complex queries and collections to use
for the assignment of client settings or content deployment.
Alternatively, you could run Network Discovery, and use its options to discover the operating system of
resources (required to later use client push installation). Network Discovery provides you with information
about your network topology that you are not able to acquire with other discovery methods. This method does
not, however, provide you any information about your Active Directory environment.
There is also a method called Heartbeat Discovery. It is possible to use only Heartbeat Discovery to force the
discovery of clients that you installed by methods other than client push installation. However, unlike other
discovery methods, Heartbeat Discovery cannot discover computers that do not have an active Configuration
Manager client. It returns a limited set of information, intended to maintain an existing database record rather
than be the basis of that record. Information submitted by Heartbeat Discovery might not be sufficient to build
complex queries or collections.
If you use Active Directory Group Discovery to discover the membership of a specified group, you can
discover limited system or computer information. This does not replace a full discovery of computers, but can
provide basic information. This information is insufficient for client push installation.
Discover users
When you want to discover information about users, use Active Directory User Discovery. Similar to Active
Directory System Discovery, this method discovers users from Active Directory. It includes basic information, in
addition to extended Active Directory information. You can use this information to build complex queries and
collections similar to those for computers.
Discover group information
When you want to discover information about groups and group memberships, use Active Directory Group
Discovery. This discovery method creates resource records for security groups.
You can use this method to search a specific Active Directory group to identify the members of that group, in
addition to any nested groups within that group. You can also use this method to search an Active Directory
location for groups, and recursively search each child container of that location in Active Directory Domain
Services.
This discovery method can also search the membership of distribution groups. This can identify the group
relationships of both users and computers.
When you discover a group, you can also discover limited information about its members. This does not replace
the Active Directory system or user discovery methods, though. It is usually insufficient to build complex queries
and collections, or serve as the basis of a client push installation.
Discover infrastructure
There are two methods you can use to discover network infrastructure, Active Directory Forest Discovery
and Network Discovery.
Use Active Directory Forest Discovery to search an Active Directory forest for information about subnets and
Active Directory site configurations. These configurations can then be automatically entered into Configuration
Manager as boundary locations.
When you want to discover your network topology, use Network Discovery. While other discovery methods
return information related to Active Directory Domain Services, and can identify the current network location of
a client, they do not provide infrastructure information based on the subnets and router topology of your
network.

Discovery data is shared among sites


After Configuration Manager adds discovery data to a database, it is quickly shared among all sites in the
hierarchy. Because there is typically no benefit to discovering the same information at multiple sites in your
hierarchy, consider setting up a single instance of each discovery method that you use to run at a single site. It's
a good idea to do this instead of running multiple instances of a single method at different sites.
However, for some environments it might be useful to assign the same discovery method to run at multiple
sites, each with a separate configuration and schedule. For example, when using Network Discovery, you might
want to direct each site to discover its local network, instead of attempting to discover all network locations
across a WAN.
If you do configure multiple instances of the same discovery methods to run at different sites, plan the
configuration of each site carefully. You want to avoid having two or more sites discover the same resources
from your network or Active Directory. This can consume additional network bandwidth and create duplicate
DDRs.
The following table identifies at which sites you can set up the different discovery methods.
DISCOVERY METHOD / SUPPORTED LOCATIONS

Active Directory Forest Discovery: Central administration site, Primary site

Active Directory Group Discovery: Primary site

Active Directory System Discovery: Primary site

Active Directory User Discovery: Primary site

Heartbeat Discovery (1): Primary site

Network Discovery: Primary site, Secondary site

(1) Secondary sites cannot configure Heartbeat Discovery, but can receive the Heartbeat DDR from a client.
When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they transfer the DDR by
file-based replication to their parent primary site. This is because only primary sites and central administration
sites can process DDRs. For more information about how DDRs are processed, see About discovery data
records.

Considerations for different discovery methods


Because each site server and network environment is different, it's a good idea to limit your initial
configurations for discovery. Then closely monitor each site server for its ability to process the discovery data
that is generated.
When you use an Active Directory discovery method for systems, users, or groups:
Run discovery at a site that has a fast network connection to your domain controllers.
Consider the Active Directory replication topology to ensure discovery can access the latest information.
Consider the scope of the discovery configuration, and limit discovery to only those Active Directory
locations and groups that you have to discover.
If you use Network Discovery:
Use a limited initial configuration to identify your network topography.
After you identify your network topography, set up Network Discovery to run at specific sites that are
central to the network areas that you want to more fully discover.
Because Heartbeat Discovery does not run at a specific site, you do not have to consider it in general
planning for where to run discovery.

Best practices for discovery


For best results with discovery, we recommend the following:
Run Active Directory System Discovery and Active Directory User Discovery before you run
Active Directory Group Discovery.
When Active Directory Group Discovery identifies a previously undiscovered user or computer as a
member of a group, it attempts to discover basic details for the user or computer. Because Active
Directory Group Discovery is not optimized for this type of discovery, this process can cause it to run
slowly. Additionally, Active Directory Group Discovery identifies only the basic details about the users and
computers it discovers, and does not create a complete user or computer discovery record. When you
run Active Directory System Discovery and Active Directory User Discovery, the additional Active
Directory attributes for each object type are available. As a result, Active Directory Group Discovery runs
more efficiently.
When you set up Active Directory Group Discovery, only specify groups that you use with
Configuration Manager.
To help control the use of resources by Active Directory Group Discovery, specify only those groups that
you use with Configuration Manager. This is because Active Directory Group Discovery recursively
searches each group it discovers for users, computers, and nested groups. The search of each nested
group can expand the scope of Active Directory Group Discovery, and reduce performance. Additionally,
when you set up delta discovery for Active Directory Group Discovery, the discovery method monitors
each group for changes. This further reduces performance when the method must search unnecessary
groups.
Set up discovery methods with a longer interval between full discovery, and a more
frequent period of delta discovery.
Because delta discovery uses fewer resources than a full discovery cycle, and can identify new or
modified resources in Active Directory, you can reduce the frequency of full discovery cycles to run
weekly (or less). Delta discovery for Active Directory System Discovery, Active Directory User Discovery
and Active Directory Group Discovery identifies almost all the changes of Active Directory objects, and
can maintain accurate discovery data for resources.
Run Active Directory discovery methods at a primary site that has a network location that is
closest to your Active Directory domain controller.
To improve the performance of Active Directory discovery, it's a good idea to run discovery at a primary
site that has a fast network connection to your domain controllers. If you run the same Active Directory
discovery method at multiple sites, set up each discovery method to avoid overlap. Unlike past versions
of Configuration Manager, discovery data is shared among sites. Therefore, it is not necessary to discover
the same information at multiple sites. For more information, see Discovery data is shared among sites.
Run Active Directory Forest Discovery at only one site when you plan to automatically
create boundaries from the discovery data.
If you run Active Directory Forest Discovery at more than one site in a hierarchy, it's a good idea to only
enable options to automatically create boundaries at a single site. This is because when Active Directory
Forest Discovery runs at each site and creates boundaries, Configuration Manager cannot merge those
boundaries into a single boundary object. When you configure Active Directory Forest Discovery to
automatically create boundaries at multiple sites, the result can be duplicated boundary objects in the
Configuration Manager console.
Configure discovery methods for Configuration Manager
2/16/2022 • 23 minutes to read

Applies to: Configuration Manager (current branch)


Configure discovery methods to find resources to manage from your network, Active Directory, and Azure
Active Directory (Azure AD). First enable and then configure each method that you want to use to search your
environment. You can also disable a method by using the same procedure that you use to enable it. The only
exceptions to this process are Heartbeat Discovery and Server Discovery:
By default, Heartbeat Discovery is already enabled when you install a Configuration Manager primary
site. It's configured to run on a basic schedule. Keep Heartbeat Discovery enabled. It makes sure that the
discovery data records (DDRs) for devices are up to date. For more information about Heartbeat
Discovery, see About Heartbeat Discovery.
Server Discovery is an automatic discovery method. It finds computers that you use as site systems.
You can't configure or disable it.

Active Directory Forest Discovery


To finish the configuration of Active Directory Forest Discovery, configure settings in the following locations of
the Configuration Manager console:
In the Discovery Methods node:
Enable this discovery method.
Set a polling schedule.
Select whether discovery automatically creates boundaries for the Active Directory sites and
subnets that it discovers.
In the Active Directory Forests node:
Add forests that you want to discover.
Enable discovery of Active Directory sites and subnets in that forest.
Configure settings that enable Configuration Manager sites to publish their site information to the
forest.
Assign an account to use as the Active Directory Forest Account for each forest.
Use the following procedures to enable Active Directory Forest Discovery, and to configure individual forests for
use with Active Directory Forest Discovery.
Configure Active Directory Forest Discovery
1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Discovery Methods node.
2. Select the Active Directory Forest Discovery method for the site where you want to configure discovery.
3. On the Home tab of the ribbon, select Properties.
4. On the General tab of the properties, configure the following settings:
Enable the discovery method.
Specify options to create site boundaries for discovered locations.
Specify a schedule for when discovery runs.
5. Select OK to save the configuration.
Configure a forest for Active Directory Forest Discovery
1. In the Administration workspace, expand Hierarchy Configuration, and select the Active Directory
Forests node. If Active Directory Forest Discovery has previously run, you see each discovered forest in
the results pane. When this discovery method runs, it discovers the local forest and any trusted forests.
Manually add untrusted forests.
To configure a previously discovered forest, select the forest in the results pane. In the ribbon,
select Properties to open the forest properties.
To configure a new forest that isn't listed, on the Home tab of the ribbon, in the Create group,
select Add Forest. This action opens the Add Forests dialog box.
2. On the General tab, finish configurations for the forest that you want to discover, and specify the Active
Directory Forest Account. For more information on this account, see Accounts.

NOTE
Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you
don't use the computer account of the site server, you can only select a global account.

3. If you plan to let sites publish site data to this forest, on the Publishing tab, finish configurations for
publishing to this forest.

NOTE
If you let sites publish to a forest, extend the Active Directory schema of that forest for Configuration Manager.
The Active Directory Forest Account must have Full Control permissions to the System container in that forest.

4. Select OK to save the configuration.

Active Directory discovery for computers, users, or groups


To configure discovery of computers, users, or groups, start with these common steps:
1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Discovery Methods node.
2. Select the method for the site where you want to configure discovery.
3. On the Home tab of the ribbon, select Properties.
4. On the General tab of the properties, select the checkbox to enable discovery. Or you can configure
discovery now, and then return to enable discovery later.
Then use the information in the following sections to configure the specific discovery methods:
Active Directory Group Discovery
Active Directory System Discovery
Active Directory User Discovery

NOTE
The information in this section doesn't apply to Active Directory Forest Discovery.

Although each of these discovery methods is independent of the others, they share similar options. For more
information about these configuration options, see Shared options for group, system, and user discovery.

WARNING
The Active Directory polling by each of these discovery methods can generate significant network traffic. Consider
scheduling each discovery method to run at a time when this network traffic doesn't adversely affect business uses of
your network.

Configure Active Directory Group Discovery


1. On the General tab of the Active Directory Group Discovery Properties window, select Add to configure
a discovery scope. Select either Groups or Location. Then finish the following configurations in the Add
Groups or Add Active Directory Location dialog box:
a. Specify a Name for this discovery scope.
b. Specify an Active Directory Domain or Location to search:
If you chose Groups, specify one or more Active Directory groups to discover.
If you chose Location, specify an Active Directory container as a location to discover. You
can also enable a recursive search of Active Directory child containers for this location.
c. Specify the Active Directory Group Discovery Account that the site uses to search this
discovery scope. For more information, see Accounts.
d. Select OK to save the discovery scope configuration.
2. Repeat the previous steps for each other discovery scope that you want to define.
3. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery.
4. On the Options tab, configure settings to filter out or exclude stale computer records from discovery.
Also configure the discovery of the membership of distribution groups.

NOTE
By default, Active Directory Group Discovery discovers only the membership of security groups.

5. Select OK to save the configuration.


Configure Active Directory System Discovery
1. On the General tab of the Active Directory System Discovery Properties window, select the New icon
to specify a new Active Directory container. In the Active Directory Container dialog box, finish the
following configurations:
a. Type or browse to a location for the Path. This value is a valid LDAP path to a container or
organizational unit (OU). The site queries this path for resources. For example,
LDAP://CN=Computers,DC=contoso,DC=com

b. Specify options that change the search behavior:


Discover objects within Active Directory groups: The site also looks at the
membership of groups in this path.
Recursively search Active Directory child containers: If you enable this option, the
site searches any other containers or OUs within the above path. If you disable this option,
the site only searches for resources in the specific path.
Select subcontainers to exclude from this recursive search. This option helps to reduce the
number of discovered objects. Select Add to choose the containers under the above path. In
the Select New Container dialog box, select a child container to exclude. Select OK to close
the Select New Container dialog box.

TIP
The list of Active Directory containers in the Active Directory System Discovery Properties window
includes a column Has Exclusions. When you select containers to exclude, this value is Yes.

c. For each location, specify the account to use as the Active Directory Discovery Account. For
more information, see Accounts.

TIP
For each specified location, you can configure a set of discovery options and a unique Active Directory
Discovery Account.

d. Select OK to save the Active Directory container configuration.


2. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery.
3. On the Active Directory Attributes tab, configure other Active Directory attributes for computers that
you want to discover. This tab lists the default object attributes.

TIP
For example, your organization uses the Description attribute on the computer account in Active Directory.
Select Custom, and add Description as a custom attribute. After this discovery method runs, this attribute
shows on the device Properties tab in the Configuration Manager console.

4. On the Options tab, configure settings to filter out or exclude stale computer records from discovery.
5. Select OK to save the configuration.
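The best practices above (limit the scope of each container, run a weekly full cycle with frequent delta discovery, filter stale records) and the Active Directory System Discovery procedure can also be driven from PowerShell. The following is an added example, not code from the Configuration Manager documentation: it first previews which computer objects a container setting would return (a dry run of the Recursive and subcontainer-exclusion options), then applies the recommended settings with the ConfigurationManager module. Assumptions not stated on the page: the ConfigurationManager and ActiveDirectory modules are loaded, the current location is the site drive, the site code, container and excluded OU are placeholders, and the Set-CMDiscoveryMethod parameter names are as I know them from the module (check Get-Help Set-CMDiscoveryMethod before running).

```powershell
# Added example; not part of the Configuration Manager documentation.
# Placeholder values: site code PS1, OU=Workstations and OU=Lab under contoso.com.

# Normalise a DN so comparisons ignore case, the LDAP:// prefix and spacing after commas.
function ConvertTo-NormalizedDn {
    param([Parameter(Mandatory)][string]$Dn)
    return (($Dn -replace '^LDAP://', '') -replace ',\s+', ',').ToLowerInvariant()
}

# True when $ObjectDn is $ContainerDn itself or sits anywhere underneath it.
function Test-DnUnderContainer {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$ContainerDn
    )
    $obj = ConvertTo-NormalizedDn $ObjectDn
    $con = ConvertTo-NormalizedDn $ContainerDn
    return ($obj -eq $con) -or $obj.EndsWith(",$con")
}

# Dry run of a container setting: which computer objects would discovery return?
#   -Recursive           = "Recursively search Active Directory child containers"
#   -ExcludedContainers  = "Select subcontainers to exclude from this recursive search"
# Assumption: an excluded subcontainer excludes its whole subtree, matched by DN suffix.
function Get-DiscoveryScopePreview {
    param(
        [Parameter(Mandatory)][string]$ContainerPath,
        [switch]$Recursive,
        [string[]]$ExcludedContainers = @()
    )
    $base  = ConvertTo-NormalizedDn $ContainerPath
    # Non-recursive discovery only looks in the container itself (OneLevel).
    $scope = if ($Recursive) { 'Subtree' } else { 'OneLevel' }
    $computers = Get-ADComputer -SearchBase $base -SearchScope $scope -Filter * -Properties Description

    foreach ($c in $computers) {
        $excluded = $false
        foreach ($ex in $ExcludedContainers) {
            # Exclusions only matter for a recursive search; OneLevel never descends.
            if ($Recursive -and (Test-DnUnderContainer -ObjectDn $c.DistinguishedName -ContainerDn $ex)) {
                $excluded = $true
                break
            }
        }
        if (-not $excluded) { $c }
    }
}

# Apply the recommended schedule to Active Directory System Discovery:
# weekly full cycle, delta discovery every 5 minutes, stale-record filtering,
# and the Description attribute as a custom attribute (as in the tip above).
# Subcontainer exclusions are not set here; this example leaves them to the console dialog.
function Set-RecommendedSystemDiscovery {
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$ContainerPath,
        [string[]]$CustomAttributes = @('Description'),
        [int]$StaleDays = 90
    )
    # Full discovery once every 7 days; delta discovery catches changes in between.
    $weekly = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 7

    Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery -SiteCode $SiteCode `
        -Enabled $true `
        -AddActiveDirectoryContainer $ContainerPath -Recursive `
        -PollingSchedule $weekly `
        -EnableDeltaDiscovery $true -DeltaDiscoveryMins 5 `
        -EnableFilteringExpiredLogon $true -TimeSinceLastLogonDays $StaleDays `
        -EnableFilteringExpiredPassword $true -TimeSinceLastPasswordUpdateDays $StaleDays `
        -AddAdditionalAttribute $CustomAttributes
}

# Usage with the placeholder values: preview the scope first, then apply it.
Set-Location 'PS1:'
$container = 'LDAP://OU=Workstations,DC=contoso,DC=com'
Get-DiscoveryScopePreview -ContainerPath $container -Recursive `
    -ExcludedContainers 'OU=Lab,OU=Workstations,DC=contoso,DC=com' |
    Select-Object Name, DistinguishedName, Description
Set-RecommendedSystemDiscovery -SiteCode 'PS1' -ContainerPath $container
```

Compare the preview against what you expect to manage before enabling the method; a container that returns far more objects than intended is the case the "limit discovery to only those Active Directory locations" guidance is about.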
Configure Active Directory User Discovery
1. On the General tab of the Active Directory User Discovery Properties window, select the New icon to
specify a new Active Directory container. In the Active Directory Container dialog box, finish the
following configurations:
a. Specify one or more locations to search.
b. For each location, specify options that change the search behavior.
c. For each location, specify the account to use as the Active Directory Discovery Account. For
more information, see Accounts.

NOTE
For each specified location, you can configure a unique set of discovery options and a unique Active
Directory Discovery Account.

d. Select OK to save the Active Directory container configuration.


2. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery.
3. On the Active Directory Attributes tab, configure other Active Directory attributes for users that
you want to discover. This tab lists the default object attributes.
4. Select OK to save the configuration.
Exclude organizational units (OU) from Active Directory User Discovery
Starting in version 2103, you can exclude OUs from Active Directory User Discovery. To exclude an OU:
1. From the Configuration Manager console, go to Administration > Hierarchy Configuration >
Discovery Methods.
2. Select Active Directory User Discovery, then select Properties from the ribbon.
3. On the General tab of the Active Directory User Discovery Properties window, select the New icon to
specify a new Active Directory container or Edit to change an existing one.
4. In the Active Directory Container dialog box, locate the search option named Select sub containers
to be excluded from discovery.
5. Select Add to add an exclusion or Remove to remove an existing exclusion.
6. Select OK to save the Active Directory container configuration.

Azure AD User Discovery


Azure AD User Discovery isn't enabled or configured the same as other discovery methods. Configure it when
you onboard the Configuration Manager site to Azure AD.
For more information, see Azure AD User Discovery.
Prerequisites for Azure AD User Discovery
To enable and configure this discovery method, Configure Azure Services for Cloud Management.
If you use Configuration Manager to create the Azure app, it configures the app with the necessary permissions.
If you create the app in Azure first, and then import it into Configuration Manager, you need to manually
configure the app. This configuration includes granting the server app permission to read directory data.
1. Open the Azure portal as a user with Global Admin permissions. Go to Azure Active Directory, and
select App registrations. Switch to All applications if necessary.
2. Select the target application.
3. In the Manage menu, select API permissions.
a. On the API permissions panel, select Add a permission.
b. In the Request API permissions panel, switch to APIs my organization uses.
c. Search for and select the Microsoft Graph API.
d. Select the Application permissions group. Expand Directory, and select Directory.Read.All.
e. Select Add permissions.
4. On the API permissions panel, in the Grant consent section, select Grant admin consent.... Select
Yes.
Configure Azure AD User Discovery
When configuring the Cloud Management Azure service:
On the Discovery page of the wizard, select the option to Enable Azure Active Directory User
Discovery.
Select Settings.
In the Azure AD User Discovery Settings dialog box, configure a schedule for when discovery occurs. You can
also enable delta discovery, which only checks for new or changed accounts in Azure AD.

NOTE
If the user is a federated or synchronized identity, you must use Configuration Manager Active Directory user discovery
as well as Azure AD user discovery. For more information about hybrid identities, see Define a hybrid identity adoption
strategy.

Azure AD User Group Discovery


You can discover user groups and members of those groups from Azure AD. When the site finds users in Azure
AD groups that it hasn't previously discovered, it adds them as new user resources in Configuration Manager. A
user group resource record is created when the group is a security group.
Prerequisites for Azure AD User Group Discovery
Cloud Management Azure service
Permission to read and search Azure AD groups
Log files
Use the SMS_AZUREAD_DISCOVERY_AGENT.log for troubleshooting. This log is also shared with Azure AD user
discovery. For more information, see Log files.
Enable Azure AD user group discovery
To enable discovery on an existing Cloud Management Azure service:
1. Go to the Administration workspace, expand Cloud Services, then select the Azure Services node.
2. Select one of your Azure services, then select Properties in the ribbon.
3. In the Discovery tab, check the box to Enable Azure Active Directory Group Discovery, then select
Settings.
4. Select Add under the Discovery Scopes tab.
You can modify the Polling Schedule in the other tab.
5. Select one or more user groups. You can Search by name and choose if you want to see Security groups
only.
You'll be prompted to sign in to Azure when you select Search the first time.
6. Select OK when you finish selecting groups.
7. Once discovery finishes running, you can browse your Azure AD user groups in the Users node.
To enable discovery when configuring a new Cloud Management Azure service:
On the Discovery page of the wizard, select the option to Enable Azure Active Directory Group
Discovery.
Select Settings.
In the Azure AD Group Discovery Settings dialog box, configure your discovery scope and a schedule for
when discovery occurs.

Heartbeat Discovery
Configuration Manager enables the Heartbeat Discovery method when you install a primary site. If you want to
use the default schedule of every seven days, there's nothing else to configure. Otherwise, you only have to
configure the schedule for how often clients send the Heartbeat Discovery data record to a management point.

NOTE
If you enable both client push installation and the site maintenance task for Clear Install Flag at the same site, set the
schedule of Heartbeat Discovery to be less than the Client Rediscovery period of the Clear Install Flag site
maintenance task. By default, this task runs every 21 days. Heartbeat discovery should run more frequently than the
task, or clients will unnecessarily reinstall. For more information about site maintenance tasks, see Maintenance tasks.

Configure the Heartbeat Discovery schedule


1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Discovery Methods node.
2. Select the Heartbeat Discovery method for the site where you want to configure Heartbeat Discovery.
3. On the Home tab of the ribbon, select Properties.
4. Configure the frequency with which clients submit a Heartbeat discovery data record. Then select OK to
save the configuration.

Network Discovery
Before you configure Network Discovery, understand the following topics:
Available levels of Network Discovery
Available Network Discovery options
Limiting Network Discovery on the network
For more information, see About Network Discovery.
The following sections provide information about common configurations for Network Discovery. You can
configure one or more of these configurations for use during the same discovery run. If you use multiple
configurations, plan for the interactions that can affect the discovery results.
For example, you discover all Simple Network Management Protocol (SNMP) devices that use a specific SNMP
community name. For the same discovery run, you disable discovery on a specific subnet. When discovery runs,
Network Discovery doesn't discover the SNMP devices with the specified community name on the subnet that
you've disabled.
Determine your network topology
You can use a topology-only discovery to map your network. This kind of discovery doesn't discover potential
clients. The topology-only Network Discovery relies on SNMP.
When you're mapping your network topology, configure the Maximum hops on the SNMP tab in the
Network Discovery Properties dialog box. Just a few hops can help control the network bandwidth that's
used when discovery runs. As you discover more of your network, increase the number of hops to gain a better
understanding of your network topology.
After you understand your network topology, configure the properties for Network Discovery. These properties
help to discover potential clients and their operating systems. Also configure Network Discovery to limit the
network segments that it can search.
For more information, see How to determine your network topology.
Network Discovery search options
Configuration Manager supports the following methods to search the network:
Limit searches by using subnets
Search a specific domain
Limit searches by using SNMP community names
Search a specific DHCP server
Limit searches by using subnets
You can configure Network Discovery to search specific subnets during a discovery run. By default, Network
Discovery searches the subnet of the server that runs discovery. Any other subnets that you configure and
enable apply only to SNMP and DHCP search options. When Network Discovery searches domains, it isn't
limited by configurations for subnets.
If you specify one or more subnets on the Subnets tab in the Network Discovery Properties dialog box, it
only searches the subnets that you mark as Enabled.
When you disable a subnet, the site excludes it from discovery, and the following conditions apply:
SNMP-based queries don't run on the subnet.
DHCP servers don't reply with a list of resources located on the subnet.
Domain-based queries can discover resources that are located on the subnet.
Search a specific domain
You can configure Network Discovery to search a specific domain or set of domains during a discovery run. By
default, Network Discovery searches the local domain of the server that runs discovery.
If you specify one or more domains on the Domains tab in the Network Discovery Properties dialog box, it
only searches the domains that you mark as Enabled.
When you disable a domain, the site excludes it from discovery, and the following conditions apply:
Network Discovery doesn't query domain controllers in that domain.
SNMP-based queries can still run on subnets in the domain.
DHCP servers can still reply with a list of resources located in the domain.
Limit searches by using SNMP community names
You can configure Network Discovery to search a specific SNMP community or set of communities during a
discovery run. By default, the method configures the public community name.
Network Discovery uses community names to gain access to routers that are SNMP devices. A router can supply
Network Discovery with information about other routers and subnets that are linked to the first router.
NOTE
SNMP community names resemble passwords. Network Discovery can get information only from an SNMP device for
which you've specified a community name. Each SNMP device can have its own community name, but often the same
community name is shared among several devices. Additionally, most SNMP devices have a default community name of
public. But some organizations delete the public community name from their devices as a security precaution.

If you include more than one SNMP community on the SNMP tab in the Network Discovery Properties
dialog box, it searches them in the order in which they're shown. Make sure that the most frequently used
names are at the top of the list. This configuration helps to minimize network traffic that the site generates when
it tries to contact a device by using different names.

NOTE
Along with using the SNMP community name, you can specify the IP address or resolvable name of a specific SNMP
device. You do this action on the SNMP Devices tab in the Network Discovery Properties dialog box.

Search a specific DHCP server


You can configure Network Discovery to use a specific DHCP server or multiple servers to discover DHCP clients
during a discovery run.
Network Discovery searches each DHCP server that you specify on the DHCP tab in the Network Discovery
Properties dialog box. If the server that's running discovery leases its IP address from a DHCP server, you can
configure discovery to search that DHCP server. Enable this behavior with the option to Include the DHCP
server that the site server is configured to use.

NOTE
To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You can't configure
Network Discovery to use a DHCP server in a native IPv6 environment.

How to configure Network Discovery


Use the following procedures to first discover only your network topology, and then to configure Network
Discovery to discover potential clients by using one or more of the available Network Discovery options.
How to determine your network topology
1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Discovery Methods node.
2. Select the Network Discovery method for the site where you want to discover network resources.
3. On the Home tab of the ribbon, select Properties.
On the General tab, select the option to Enable network discovery. Then select Topology from
the Type of discovery options.
On the Subnets tab, select the Search local subnets option.

TIP
If you know the specific subnets that constitute your network, deselect the Search local subnets
checkbox. Then select the New icon, and add the specific subnets that you want to search. For large
networks, search only one or two subnets at a time to minimize the use of network bandwidth.
On the Domains tab, select the option to Search local domain.
On the SNMP tab, select an option from the Maximum hops drop-down list. This option
specifies how many router hops Network Discovery can take in mapping your topology.

TIP
When you first map your network topology, configure just a few router hops to minimize the use of
network bandwidth.

4. On the Schedule tab, select the New icon, and set a schedule for running discovery. The Duration is
the period of time that Network Discovery has to complete the search for resources. On smaller subnets,
an hour may be enough, but searching across an enterprise network with multiple router hops will take
longer. If Network Discovery runs out of time, a message is logged in Netdisc.log.

NOTE
You can't assign a different discovery configuration to separate Network Discovery schedules. Each time Network
Discovery runs, it uses the current discovery configuration.

5. Select OK to accept the configurations. Network Discovery runs at the scheduled time.
How to configure Network Discovery
1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Discovery Methods node.
2. Select the Network Discovery method for the site where you want to discover network resources.
3. On the Home tab of the ribbon, select Properties.
4. On the General tab, select the option to Enable network discovery.
Select from the Type of discovery options the type of discovery that you want to run.
Enable the Slow network option for Configuration Manager to make automatic adjustments for
low-bandwidth networks.
5. To configure discovery to search subnets, switch to the Subnets tab. Then configure one or more of the
following options:
To run discovery on subnets that are local to the computer that runs discovery, enable the option
to Search local subnets.
To search a specific subnet, make sure that the subnet is listed in Subnets to search and has a
Search value of Enabled:
a. If the subnet isn't listed, select the New icon. In the New Subnet Assignment dialog
box, enter the Subnet and Mask information, and then select OK. By default, a new subnet
is enabled for search.
b. To change the Search value for a listed subnet, select it in the list. Then select the Toggle
icon to switch the value between Disabled and Enabled.
6. To configure discovery to search domains, switch to the Domains tab. Then configure one or more of the
following options:
To run discovery on the domain of the computer that runs discovery, enable the option to Search
local domain.
To search a specific domain, make sure that the domain is listed in Domains and has a Search
value of Enabled:
a. If the domain isn't listed, select the New icon. In the Domain Properties dialog box,
enter the Domain information, and then select OK. By default, a new domain is enabled for
search.
b. To change the Search value for a listed domain, select it in the list. Then select the Toggle
icon to switch the value between Disabled and Enabled.
7. To configure discovery to search specific SNMP community names for SNMP devices, switch to the
SNMP tab. Then configure one or more of the following options:
To add an SNMP community name to the list of SNMP Community names, select the New icon.
In the New SNMP Community Name dialog box, specify the Name of the SNMP
community, and then select OK.
To remove an SNMP community name, select the community name, and then select the Delete
icon.
To adjust the search order of SNMP community names, select a community name from the list.
Then select the Move Item Up icon or the Move Item Down icon. When discovery runs,
community names are searched in a top-to-bottom order.
To configure the maximum number of router hops for use by SNMP searches, select the number of
hops from the Maximum hops drop-down list.
8. To configure an SNMP device, switch to the SNMP Devices tab. If the device isn't listed, select the New
icon. In the New SNMP Device dialog box, specify the IP address or device name of the SNMP
device, and then select OK.

NOTE
If you specify a device name, Configuration Manager must be able to resolve the NetBIOS name to an IP address.

9. To configure discovery to query specific DHCP servers, switch to the DHCP tab. Then configure one or
more of the following options:
To query the DHCP server on the computer that is running discovery, enable the option to Always
use the site server's DHCP server.

NOTE
To use this option, the server must lease its IP address from a DHCP server and can't use a static IP
address.

To query a specific DHCP server, select the New icon. In the New DHCP Server dialog box,
specify the IP address or server name of the DHCP server, and then select OK .

NOTE
If you specify a server name, Configuration Manager must be able to resolve the NetBIOS name to an IP
address.

10. To configure when discovery runs, switch to the Schedule tab. Then select the New icon to set a
schedule for running Network Discovery. You can configure multiple recurring schedules, and multiple
schedules that have no recurrence.

NOTE
If the Schedule tab shows more than one schedule at the same time, Network Discovery runs for all schedules as
it's configured at the time indicated in the schedule. This behavior is also true for recurring schedules.

11. Select OK to save your configurations.


How to verify that Network Discovery has finished
The time that Network Discovery requires to finish can vary depending on one or more of the following factors:
The size of your network
The topology of your network
The maximum number of hops that are configured to find routers in the network
The type of discovery that is being run
Network Discovery doesn't create messages to alert you when it's finished. Use the following procedure to
verify when discovery has finished:
1. In the Configuration Manager console, go to the Monitoring workspace. Expand System Status , and
then select the Status Message Queries node.
2. Select the All Status Messages query.
3. On the Home tab of the ribbon, in the Status Message Queries group, select Show Messages .
4. In the All Status Messages window, select a value from the Select date and time drop-down list that
includes how long ago the discovery started. Then select OK to open the Configuration Manager
Status Message Viewer .

TIP
You can also use the Specify date and time option to select a given date and time that you ran discovery. This
option is useful when you ran Network Discovery on a given date and want to retrieve messages from only that
date.

5. To validate that Network Discovery has finished, search for a status message that has the following
details:
Message ID: 502
Component: SMS_NETWORK_DISCOVERY
Description: This component stopped
If this status message isn't present, Network Discovery hasn't finished.
6. To validate when Network Discovery started, search for a status message that has the following details:
Message ID: 500
Component: SMS_NETWORK_DISCOVERY
Description: This component started
This information verifies that Network Discovery started. If this information isn't present, reschedule
Network Discovery.
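The check described in steps 5 and 6 can be automated once the status messages are in hand. The following is an added example, not code from the Configuration Manager documentation: it decides whether a Network Discovery run started and finished using the message IDs named above (500 = component started, 502 = component stopped) for the SMS_NETWORK_DISCOVERY component. The status message records are constructed sample data shaped like the fields shown in the Status Message Viewer (Time, MessageID, Component); nothing here queries the site itself.

```powershell
# Added example: evaluate Network Discovery start/stop status messages.
# Input records are constructed; in practice they would come from the
# Status Message Viewer or a status message query for the chosen time window.

function Get-NetworkDiscoveryRunState {
    param(
        # Objects with Time, MessageID and Component properties
        [Parameter(Mandatory)] [object[]] $StatusMessages,
        # Only consider messages at or after this time (the "Select date and time" filter)
        [Parameter(Mandatory)] [datetime] $Since
    )

    $relevant = $StatusMessages |
        Where-Object { $_.Component -eq 'SMS_NETWORK_DISCOVERY' -and $_.Time -ge $Since } |
        Sort-Object Time

    # Message ID 500: the most recent "component started" marks the run we care about
    $started = $relevant | Where-Object { $_.MessageID -eq 500 } | Select-Object -Last 1
    if (-not $started) {
        # No 500 in the window: discovery never started, reschedule it
        return [pscustomobject]@{ State = 'NotStarted'; Started = $null; Finished = $null }
    }

    # Message ID 502: only a "component stopped" logged after that 500 ends this run
    $stopped = $relevant |
        Where-Object { $_.MessageID -eq 502 -and $_.Time -ge $started.Time } |
        Select-Object -First 1
    if (-not $stopped) {
        return [pscustomobject]@{ State = 'Running'; Started = $started.Time; Finished = $null }
    }

    [pscustomobject]@{
        State    = 'Finished'
        Started  = $started.Time
        Finished = $stopped.Time
        Duration = $stopped.Time - $started.Time
    }
}

# Constructed sample: an earlier run that finished, an unrelated component's message,
# then a second Network Discovery run that has started but not yet stopped.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2022-02-16 01:00'; MessageID = 500; Component = 'SMS_NETWORK_DISCOVERY' }
    [pscustomobject]@{ Time = [datetime]'2022-02-16 01:25'; MessageID = 502; Component = 'SMS_NETWORK_DISCOVERY' }
    [pscustomobject]@{ Time = [datetime]'2022-02-16 01:30'; MessageID = 500; Component = 'SMS_SOME_OTHER_COMPONENT' }
    [pscustomobject]@{ Time = [datetime]'2022-02-16 08:00'; MessageID = 500; Component = 'SMS_NETWORK_DISCOVERY' }
)

# Latest 500 at 08:00 has no matching 502, so the run is reported as Running
Get-NetworkDiscoveryRunState -StatusMessages $sample -Since ([datetime]'2022-02-16 00:00') | Format-List
```

Pairing each 502 with the most recent preceding 500 matters when the window spans several runs: an old stop message from a previous schedule would otherwise be mistaken for the end of the current one.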
Overview of boundaries and boundary groups
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Boundaries in Configuration Manager define network locations on your intranet. These locations include devices
that you want to manage. Boundary groups are logical groups of boundaries that you configure. A hierarchy can
include any number of boundary groups. Each boundary group can contain any combination of the following
boundary types:
IP subnet
Active Directory site name
IPv6 prefix
IP address range
VPN (starting in version 2006)
Clients on the intranet evaluate their current network location and then use that information to identify
boundary groups to which they belong.
Clients use boundary groups to:
Find an assigned site: Boundary groups enable clients to find a primary site for client assignment. This
behavior is also known as automatic site assignment.
Find certain site system roles they can use: Associate a boundary group with certain site system roles.
Then the site provides clients with that list of site systems in the boundary group. Clients use these site
systems for actions such as finding content or a nearby management point.
Clients that are on the internet or configured as internet-only clients don't use boundary information. These
clients can't use automatic site assignment. They can download content from an internet-based distribution
point from their assigned site or a content-enabled cloud management gateway.
During OS deployment, while a device is running Windows PE, the site can convert Active Directory site
boundary information to IP subnet information. This behavior is only during this process, and specifically for
these devices. In other words, if your site only has Active Directory site boundaries, Windows PE clients during
an OS deployment will still be in a boundary.

Overlapping boundaries
Configuration Manager supports overlapping boundary and boundary group configurations for content and
service location requests. Overlapping occurs when a client's location maps to multiple boundary groups. This
behavior happens for one of two reasons:
You add the same boundary to multiple boundary groups.
You add separate boundaries that include the client's location to different boundary groups.
When overlapping occurs, Configuration Manager creates a list of all site systems referenced by all boundary
groups that include a client's location. Configuration Manager sends this list to a client in response to a content
or service location request. Configuration Manager doesn't apply any precedence or deterministic ordering to
this list based on overlapping boundaries and boundary groups. Instead, the client chooses at random from this
list.
For client content requests, Configuration Manager includes only distribution points that have the requested
content in the list of site systems returned. For other service location requests, Configuration Manager includes
only site systems that host the type of role requested, which may be one of the following roles:
State migration point
Software update point
Management point
This behavior enables the client to select the nearest server to communicate with for each request type.

Recommendations
Use a mix of the fewest boundaries that meet your needs
Use whichever boundary types work for your environment. To simplify your management tasks, use
boundary types that let you define the fewest boundaries you can.
Avoid overlapping boundaries for automatic site assignment
Although each boundary group supports both site assignment and site system reference, create a separate set
of boundary groups to use only for site assignment. Make sure that each boundary in a boundary group isn't a
member of another boundary group with a different site assignment.
A single boundary can be included in multiple boundary groups.
Each boundary group can be associated with a different primary site for site assignment.
For a boundary that's a member of two different boundary groups with different site assignments, clients
randomly select a site to join. This behavior might not be for the site you want the client to join. This
configuration is called overlapping boundaries.
Overlapping boundaries aren't a problem for content location. It can be a useful configuration that
provides clients more resources or content locations they can use.
For more information on boundary groups and site assignment, see Site assignment.

Next steps
Define network locations as boundaries
About boundary groups
Define network locations as boundaries for
Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager boundaries are locations on your network that contain devices that you want to
manage. You can create different types of boundaries, for example, an Active Directory site or network IP
address. When the Configuration Manager client identifies a similar network location, that device is a part of the
boundary.
Configuration Manager supports the following boundary types:
IP subnet
Active Directory site
IPv6 prefix
IP address range
VPN (starting in version 2006)
You can manually create individual boundaries or use Active Directory forest discovery. This discovery method
automatically finds and creates boundaries for IP subnets and Active Directory sites. When Active Directory
forest discovery identifies a supernet for an Active Directory site, Configuration Manager converts the supernet
into an IP address range boundary.
If a device isn't in the boundary you expect, it may be because you haven't defined its network location as a
boundary. When the network location of a device is in doubt, use the following Windows commands on the
device to confirm:
IP address: ipconfig
Active Directory site: nltest /dsgetsite
VPN: ipconfig /all

Boundary types
IP subnet
The IP subnet boundary type requires a Subnet ID . For example, 169.254.0.0 . If you provide the Network
(default gateway) and Subnet mask values, Configuration Manager automatically calculates the Subnet ID .
When you save the boundary, Configuration Manager only saves the Subnet ID value.

NOTE
Configuration Manager doesn't support the direct entry of a supernet as a boundary. Instead, use the IP address range
boundary type.

Active Directory site


For the Active Directory site boundary type, you specify the site name. You can type the name or browse the
local forest of the site server.
When you specify an Active Directory site for a boundary, the boundary includes each IP subnet that's a
member of that Active Directory site. If the configuration of the Active Directory site changes in Active Directory,
the network locations included in this boundary also change.
Active Directory site boundaries don't work for pure Azure Active Directory (Azure AD) devices, also called cloud
domain-joined devices. If they roam on-premises, and you only create Active Directory site type boundaries,
these devices won't be in a boundary.

TIP
Use the following Windows command to see a device's current Active Directory site: nltest /dsgetsite .
To determine if a client is cloud domain-joined, use the following Windows command: dsregcmd /status . For more
information, see dsregcmd command - device state.

IPv6 prefix
For the IPv6 prefix boundary type, you specify a Prefix . For example, 2001:1111:2222:3333 .
IP address range
For the IP address range boundary type, specify the Starting IP address and Ending IP address for the
range. The range can include part of an IP subnet or multiple IP subnets. Use an IP address range boundary type
to support a supernet.
You can also use this type to define a boundary for a single IP address. Set both the starting and ending IP
addresses as the same value. This configuration may be useful for unique devices or test environments.
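The IP subnet and IP address range boundary types above, together with the overlapping-boundaries behavior described in the overview (a client in several boundary groups with different assigned sites joins one of them at random), can be checked offline before a client ever reports in. The following is an added example and not code from the Configuration Manager documentation: it tests a client's IPv4 address against subnet and range boundaries, lists the boundary groups the address falls into, and warns when those groups carry different site assignments. The boundary names, groups, site codes and addresses are constructed sample data, and the subnet mask is an assumption of the example, since the console stores only the Subnet ID.

```powershell
# Added example: match a client IPv4 address against IP subnet and IP range boundaries
# and detect overlapping boundary groups with conflicting site assignments.

function ConvertTo-UInt32 {
    param([string] $IPv4)
    $bytes = ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

# Returns $true when $ClientIP lies inside the boundary definition
function Test-BoundaryMatch {
    param([string] $ClientIP, [hashtable] $Boundary)
    $ip = ConvertTo-UInt32 $ClientIP
    switch ($Boundary.Type) {
        'IPSubnet' {
            # Subnet ID plus a mask (mask assumed here; the console keeps only the Subnet ID)
            $mask = ConvertTo-UInt32 $Boundary.Mask
            return (($ip -band $mask) -eq (ConvertTo-UInt32 $Boundary.SubnetId))
        }
        'IPRange' {
            # Start equal to End defines a single-address boundary, as the text describes
            $start = ConvertTo-UInt32 $Boundary.Start
            $end   = ConvertTo-UInt32 $Boundary.End
            return ($ip -ge $start -and $ip -le $end)
        }
        default { return $false }
    }
}

# Lists every boundary group whose boundaries include the client's address
function Get-ClientBoundaryGroups {
    param([string] $ClientIP, [object[]] $BoundaryGroups)
    foreach ($group in $BoundaryGroups) {
        $hit = $group.Boundaries | Where-Object { Test-BoundaryMatch $ClientIP $_ } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Group = $group.Name; AssignedSite = $group.AssignedSite; MatchedBoundary = $hit.Name }
        }
    }
}

# Constructed boundary groups: a /16 subnet boundary and a range inside it, assigned to different sites
$groups = @(
    @{ Name = 'BG-HQ-Content'; AssignedSite = 'ABC'
       Boundaries = @( @{ Name = '10.1.0.0/16'; Type = 'IPSubnet'; SubnetId = '10.1.0.0'; Mask = '255.255.0.0' } ) }
    @{ Name = 'BG-Lab-Assignment'; AssignedSite = 'XYZ'
       Boundaries = @( @{ Name = '10.1.50.1-10.1.50.254'; Type = 'IPRange'; Start = '10.1.50.1'; End = '10.1.50.254' } ) }
)

$hits = Get-ClientBoundaryGroups -ClientIP '10.1.50.20' -BoundaryGroups $groups
$hits | Format-Table

# Overlap is fine for content location, but with different assigned sites automatic
# site assignment picks one of them at random; surface that before a client does.
$sites = @($hits.AssignedSite | Sort-Object -Unique)
if ($sites.Count -gt 1) {
    Write-Warning "Overlapping boundaries with different site assignments: $($sites -join ', ')"
}
```

The address used for the check is the one `ipconfig` reports on the device, which is the same value the text suggests confirming when a device is not in the boundary you expect.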
VPN
Starting in version 2006, to simplify managing remote clients, create a boundary type for VPNs. When a client
sends a location request, it includes additional information about its network configuration. Based upon this
information, the server determines whether the client is on a VPN. For Configuration Manager to associate the
client in the boundary, connect the device to the VPN.
You can configure a VPN boundary in several ways:
Auto detect VPN : Configuration Manager detects any VPN solution that uses the point-to-point
tunneling protocol (PPTP). If it doesn't detect your VPN, use one of the other options. The boundary value
in the console list will be Auto:On .
Connection name : Specify the name of the VPN connection on the device. It's the name of the network
adapter in Windows for the VPN connection. Configuration Manager matches the first 250 characters of
the string, but doesn't support wildcard characters or partial strings. The boundary value in the console
list will be Name:<name> , where <name> is the connection name that you specify.
For example, you run the ipconfig command on the device, and one of the sections starts with:
PPP adapter ContosoVPN: . Use the string ContosoVPN as the Connection name . It displays in the list as
Name:CONTOSOVPN .

Connection description : Specify the description of the VPN connection. Configuration Manager
matches the first 243 characters of the string, but doesn't support wildcard characters or partial strings.
The boundary value in the console list will be Description:<description> , where <description> is the
connection description that you specify.
For example, you run the ipconfig /all command on the device, and one of the connections includes
the following line: Description . . . . . . . . . . . : ContosoMainVPN . Use the string ContosoMainVPN as
the Connection description . It displays in the list as Description:CONTOSOMAINVPN .
IMPORTANT
To take full advantage of this feature, after you update the site, also update clients to the latest version. New functionality
appears in the Configuration Manager console when you update the site and console. The complete scenario isn't
functional until the client version is also the latest.
To use this VPN boundary during an OS deployment, make sure to also update the boot image to include the latest client
binaries.

Starting in version 2111, you can now match the start of a connection name or description instead of the whole
string. Some third-party VPN drivers dynamically create the connection, which starts with a consistent string but
also has a unique connection identifier. For example, Virtual network adapter #19 . When you use the
Connection name or Connection description options, also use the new Starts with option.

Create a boundary
1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration , and select the Boundaries node.
2. On the Home tab of the ribbon, in the Create group, select Create Boundary.
3. On the General tab of the Create Boundary window, specify the following information:
Description : Identify the boundary by a friendly name or reference.

NOTE
Configuration Manager automatically names the boundary based on its type and scope. You can't modify
the name.

Type : Select the type of boundary to create. Then specify the additional information that the type
requires. For more information, see Boundary types.
4. Switch to the Boundary Groups tab. If you already have boundary groups in the site, you can
immediately add this new boundary to one or more groups.
5. Select OK to save the new boundary.

Configure a boundary
TIP
When you create a boundary, Configuration Manager automatically names it based on the type and scope of the
boundary. You can't modify this name. To help identify the boundary in the Configuration Manager console, specify a
description.

1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Boundaries node.
2. Select the boundary you want to modify. On the Home tab of the ribbon, in the Properties group, select
Properties.
3. In the Properties window for the boundary, on the General tab, you can configure the following
settings:
Edit the Description
Change the Type for the boundary
Change the scope of a boundary by editing its network locations. For example, for an Active Directory
site boundary you can specify a new Active Directory site name.
4. To view the site systems that are associated with this boundary, switch to the Site Systems tab. You can't
change this configuration from the properties of a boundary.

TIP
For a server to be listed as a site system for a boundary, associate it as a site system server for at least one
boundary group that includes this boundary. Make this configuration on the References tab of a boundary
group. For more information, see Configure site assignment and select site system servers.

5. To modify the boundary group membership for this boundary, select the Boundary Groups tab:
To add this boundary to one or more boundary groups, select Add . Select one or more boundary
groups, and then select OK .
To remove this boundary from a boundary group, choose the boundary group, and then select
Remove .
6. Select OK to close the boundary properties and save the configuration.

Next steps
Each boundary is available for use by every site in your hierarchy. After you create a boundary, add the
boundary to one or more boundary groups.
About boundary groups in Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Use boundary groups in Configuration Manager to logically organize related network locations called
boundaries. Use boundaries and boundary groups to make it easier to manage your infrastructure. Assign
boundaries to boundary groups before using the boundary group.
By default, Configuration Manager creates a default site boundary group at each site.
To configure boundary groups, associate boundaries and site system roles to the boundary group. This
configuration helps associate clients to site system servers that are located near the clients on the network.
To increase the availability of servers to a wider range of network locations, assign the same boundary and the
same server to more than one boundary group.
Clients use a boundary group for:
Automatic site assignment
To find a site system server that can provide a service, including:
Distribution points for content location.
Software update points
State migration points

NOTE
The state migration point doesn't use fallback relationships. For more information, see Fallback.

Management points
Preferred management points

NOTE
If you use preferred management points, enable this option for the hierarchy, not from within the
boundary group configuration. For more information, see Enable use of preferred management points.

Cloud management gateway (CMG) for policy and content

Boundary groups and relationships


For each boundary group in your hierarchy, you can assign:
One or more boundaries. A client's current boundary group is a network location that's defined as a
boundary assigned to a specific boundary group. A client can have more than one current boundary
group.
One or more site system roles. Clients can always use roles associated with their current boundary group.
Depending on other configurations, they can use roles in other boundary groups.
For each boundary group you create, you can configure a one-way link to another boundary group. The link is
called a relationship. The boundary groups you link to are called neighbor boundary groups. A boundary group
can have more than one relationship, each with a specific neighbor boundary group.
When a client fails to find an available site system in its current boundary group, the configuration of each
relationship determines when it begins to search a neighbor boundary group. This search of other groups is
called fallback.
For more information, see the following articles:
Example of using boundary groups
Create a boundary group
Configure a boundary group
Show boundary groups for devices

Fallback
To prevent problems when clients can't find an available site system in their current boundary group, define the
relationship between boundary groups for fallback behavior. Fallback lets a client expand its search to other
boundary groups to find an available site system.
Relationships are configured on the Relationships tab of a boundary group's properties. When you configure a
relationship, you define a link to a neighbor boundary group. For each type of supported site system role,
configure independent settings for fallback to the neighbor boundary group. For more information, see
Configure fallback behavior.
For example, when you configure a relationship to a specific boundary group, set fallback for distribution points
to occur after 20 minutes. The default is 120 minutes. For a more detailed example, see Example of using
boundary groups.
If a client fails to find an available site system role in its current boundary group, the client uses the fallback time
in minutes. This fallback time determines when the client begins to search for an available site system associated
with the neighbor boundary group.
When a client can't find an available site system, it begins to search locations from neighbor boundary groups.
This behavior increases the pool of available site systems. The configuration of boundary groups and their
relationships defines the client's use of this pool of available site systems.
A boundary group can have more than one relationship. With this configuration, you can configure
fallback for each type of site system to different neighbors to occur after different periods of time.
Clients only fall back to a boundary group that's a direct neighbor of their current boundary group.
When a client is a member of more than one boundary group, it defines its current boundary group as a
union of all its boundary groups. The client falls back to neighbors of any of those original boundary
groups.

NOTE
The state migration point role doesn't use fallback relationships. If you add both the state migration point and distribution
point roles to the same site system server, don't configure fallback on its boundary group. If you need to use boundary
group fallback for the distribution point, add the state migration point role on a different site system server.

The default site boundary group


You can create your own boundary groups, and each site has a default site boundary group that Configuration
Manager creates. This group is named Default-Site-Boundary-Group<sitecode>. For example, the group
for site ABC would be named Default-Site-Boundary-Group<ABC>.
For each boundary group you create, Configuration Manager automatically creates an implied link to each
default site boundary group in the hierarchy.
The implied link is a default fallback option from a current boundary group to the site's default boundary
group. The default fallback time is 120 minutes.
For clients not in a boundary associated with any boundary group: to identify valid site system roles, use
the default site boundary group from their assigned site.
To manage fallback to the default site boundary group:
Open the properties of the site default boundary group, and change the values on the Default Behavior
tab. Changes you make here apply to all implied links to this boundary group. When you configure an
explicit link to this default site boundary group from another boundary group, you override these default
settings.
Open the properties of a custom boundary group. Change the values for the explicit link to a default site
boundary group. When you set a new time in minutes for fallback or block fallback, that change affects
only the link you're configuring. Configuration of the explicit link overrides the settings on the Default
Behavior tab of a default site boundary group.
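The fallback rules in the two sections above (the client's current group is the union of all groups it is in, only direct neighbors of any of those are candidates, each explicit relationship has its own fallback time, and the implied link to the default site boundary group uses 120 minutes unless an explicit link overrides or blocks it) are easier to reason about as a small model. The following is an added example, not code from the Configuration Manager documentation: given the groups a client is in and the configured relationships, it lists which boundary groups' site systems the client may use a given number of minutes after failing to find one in its current group. Group names, site code and fallback times are constructed sample data.

```powershell
# Added example: model boundary group fallback eligibility over time.

$DefaultImpliedFallbackMinutes = 120   # the default for the implied link to a default site boundary group

function Get-EligibleBoundaryGroups {
    param(
        [string[]]  $CurrentGroups,          # groups containing the client's network location
        [hashtable] $Relationships,          # 'Source' -> @{ 'Neighbor' = minutes or 'Blocked' }
        [string]    $DefaultSiteGroup,       # e.g. Default-Site-Boundary-Group<ABC>
        [int]       $MinutesSinceFailure
    )
    $eligible = [ordered]@{}
    # Roles in any current boundary group are always usable
    foreach ($g in $CurrentGroups) { $eligible[$g] = 'current' }

    foreach ($g in $CurrentGroups) {
        $links = $Relationships[$g]
        if (-not $links) { $links = @{} }

        # The implied link applies only when no explicit link to the default group exists
        if (-not $links.ContainsKey($DefaultSiteGroup)) {
            $links = $links.Clone()
            $links[$DefaultSiteGroup] = $DefaultImpliedFallbackMinutes
        }

        # Only direct neighbors of a current group are candidates; no chaining through neighbors
        foreach ($neighbor in $links.Keys) {
            $setting = $links[$neighbor]
            if ($setting -eq 'Blocked') { continue }        # fallback never allowed on this link
            if ($MinutesSinceFailure -ge [int]$setting -and -not $eligible.Contains($neighbor)) {
                $eligible[$neighbor] = "fallback from $g after $setting min"
            }
        }
    }
    $eligible
}

# Constructed topology: BG-Branch reaches BG-Regional after 20 minutes and blocks the default
# site group; BG-Lab reaches BG-Regional after 60 minutes and keeps the implied 120-minute link.
$relationships = @{
    'BG-Branch' = @{ 'BG-Regional' = 20; 'Default-Site-Boundary-Group<ABC>' = 'Blocked' }
    'BG-Lab'    = @{ 'BG-Regional' = 60 }
}
$params = @{
    CurrentGroups    = @('BG-Branch', 'BG-Lab')
    Relationships    = $relationships
    DefaultSiteGroup = 'Default-Site-Boundary-Group<ABC>'
}

Get-EligibleBoundaryGroups @params -MinutesSinceFailure 0     # only the two current groups
Get-EligibleBoundaryGroups @params -MinutesSinceFailure 20    # adds BG-Regional, via BG-Branch
Get-EligibleBoundaryGroups @params -MinutesSinceFailure 120   # adds the default group, via BG-Lab's implied link
```

The third call shows the point the text makes about unions: blocking the default site group on one of the client's groups does not remove it from the pool when another of its groups still carries the implied link.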

Site assignment
You can configure each boundary group with an assigned site for clients.
A newly installed client that uses automatic site assignment joins the assigned site of a boundary group
that contains the client's current network location.
After assigning to a site, a client doesn't change its site assignment when it changes its network location.
For example, a client roams to a new network location. This location is a boundary in a boundary group
with a different site assignment. The client's assigned site doesn't change.
When Active Directory System Discovery discovers a new resource, the site evaluates network
information for the resource against the boundaries in boundary groups. This process associates the new
resource with an assigned site for use by the client push installation method.
When a boundary is a member of more than one boundary group with different assigned sites,
clients randomly select one of the sites.
Changes to a boundary group's assigned site only apply to new site assignment actions. Clients that
were previously assigned to a site don't reevaluate their site assignment based on changes to the
configuration of a boundary group (or to their own network location).
For more information about client site assignment, see Using automatic site assignment for computers.
For more information on how to configure site assignment, see the following procedures:
Configure site assignment and select site system servers
Configure a fallback site for automatic site assignment

Next steps
Boundary group options
Procedures for boundary groups
NOTE
Some sections that were previously in this article have moved:
Show boundary groups for devices
Distribution points
Boundary group options
Software update points
Management points
Preferred management points
Overlapping boundaries
Example of using boundary groups
Boundary group options
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


To give you more control over policy and content distribution in your environment, boundary groups include
several options to configure behaviors. These settings primarily apply to downloading content from peer
sources. There's also a setting for clients to prefer policy and content from cloud-based sources.
For more information on how to configure these settings, see Configure a boundary group.
If a device is in more than one boundary group, the following behaviors apply for these settings:
Allow peer downloads in this boundary group: If it's disabled in any one boundary group, the client
won't use delivery optimization.
During peer downloads, only use peers within the same subnet : If it's enabled in any one
boundary group, this setting takes effect.
Prefer distribution points over peers within the same subnet : If it's enabled in any one
boundary group, this setting takes effect.
Prefer cloud based sources over on-premises sources : If it's enabled in any one boundary group, this
setting takes effect.

Allow peer downloads in this boundary group


This setting is enabled by default. The management point provides clients a list of content locations that includes
peer sources. This setting also affects applying Group IDs for Delivery Optimization.
There are two common scenarios in which you should consider disabling this option:
If you have a boundary group that includes boundaries from geographically dispersed locations such as a
VPN. Two clients may be in the same boundary group because they're connected through VPN, but in
vastly different locations that are inappropriate for peer sharing of content.
If you use a single, large boundary group for site assignment that doesn't reference any distribution
points.

IMPORTANT
If a device is in more than one boundary group, make sure to enable this setting on all boundary groups for the device.
Otherwise the client won't use delivery optimization. For example, it doesn't set the DOGroupID registry key.

During peer downloads, only use peers within the same subnet
This setting is dependent upon the preceding option. If you enable this option, the management point only
includes in the content location list peer sources that are in the same subnet as the client.
Common scenarios for enabling this option:
Your boundary group design for content distribution includes one large boundary group that overlaps
other smaller boundary groups. With this new setting, the list of content sources that the management
point provides to clients only includes peer sources from the same subnet.
You have a single large boundary group for all remote office locations. Enable this option and clients only
share content within the subnet at the remote office location, instead of risking sharing content between
locations.
Depending on the configuration of your network, you can exclude certain subnets for matching. For example,
you want to include a boundary but exclude a specific VPN subnet. By default, Configuration Manager excludes
the default Teredo subnet ( 2001:0000:% ).

NOTE
When you expand a stand-alone primary site to add a central administration site (CAS), the subnet exclusion list reverts
to the default. To work around this issue, after site expansion, run the PowerShell script to customize the subnet exclusion
list on the CAS.

Import your subnet exclusion list as a comma-separated subnet string. Use the percent sign ( % ) as a wildcard
character. On the top-level site server, set or read the SubnetExclusionList embedded property for the
SMS_HIERARCHY_MANAGER component in the SMS_SCI_Component class. For more information, see
SMS_SCI_Component server WMI class.
Sample PowerShell script to update the subnet exclusion list
The following script is a sample way of changing this value. Append your subnets to the PropertyValue
variable after 2001:0000:%,172.16.16.0. It's a comma-separated string. Run this script on the top-level site server
in your hierarchy.

# New value for the exclusion list: a comma-separated string, % is the wildcard
$PropertyValue = "2001:0000:%,172.16.16.0"
$PropertyName = "SubnetExclusionList"

# Locate the SMS Provider; the site code it returns identifies the provider namespace
$providerMachine = Get-WmiObject -Class "SMS_ProviderLocation" -Namespace "root\sms"

if ($providerMachine -is [system.array])
{
    $providerMachine = $providerMachine[0]
}

$SiteCode = $providerMachine.SiteCode

# Get the SMS_HIERARCHY_MANAGER component of the top-level site (the site with no parent)
$component = Get-WmiObject -Query 'select comp.* from sms_sci_component comp join SMS_SCI_SiteDefinition sdef on sdef.SiteCode=comp.SiteCode where sdef.ParentSiteCode="" and comp.componentname="SMS_HIERARCHY_MANAGER"' -ComputerName $providerMachine.Machine -Namespace root\sms\site_$SiteCode
$properties = $component.props

Write-Host "Updating property for site " $SiteCode

# Find the embedded property by name and replace its value1
foreach ($property in $properties)
{
    if ($property.propertyname -like $PropertyName)
    {
        Write-Host "Current value for SubnetExclusionList is " $property.value1
        $property.value1 = $PropertyValue
        Write-Host "Updating value for SubnetExclusionList to " $property.value1
        break
    }
}

# Write the modified embedded property list back to the component
$component.props = $properties
$component.put()

NOTE
By default, Configuration Manager includes the Teredo subnet in this list. When you change the list, always read the
existing value first. Append additional subnets to the list, and then set the new value.
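The note above says to read the existing value first and append to it rather than overwrite it. The following is an added example, not part of the documentation's sample script: it computes a new SubnetExclusionList value from the value read back from the site plus the subnets to add, keeping the default Teredo entry (2001:0000:%), dropping duplicates and rejecting entries that are neither an IP address nor a %-wildcard prefix. Reading and writing the embedded property are left to the sample script above; this function only produces the string to assign to value1. The subnets in the usage call are constructed.

```powershell
# Added example: build a SubnetExclusionList value by appending to the existing one.

function Merge-SubnetExclusionList {
    param(
        [AllowEmptyString()] [string] $CurrentValue,   # value1 read from the component; may be empty
        [string[]] $SubnetsToAdd
    )
    $teredoDefault = '2001:0000:%'
    $entries = [System.Collections.Generic.List[string]]::new()

    # Carry the existing list forward first; the Teredo default stays in it
    $existing = @($CurrentValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($existing -notcontains $teredoDefault) { $entries.Add($teredoDefault) }
    foreach ($e in $existing) { if (-not $entries.Contains($e)) { $entries.Add($e) } }

    foreach ($s in $SubnetsToAdd) {
        $s = $s.Trim()
        # Accept a literal address, or a prefix ending in the % wildcard the property supports
        $literal    = $s -replace '%$', ''
        $parsed     = $null
        $isAddress  = [System.Net.IPAddress]::TryParse($s, [ref]$parsed)
        $isWildcard = $s.EndsWith('%') -and ($literal -match '^[0-9.]+$' -or $literal -match '^[0-9a-fA-F:]+$')
        if (-not ($isAddress -or $isWildcard)) {
            Write-Warning "Skipping '$s': not an IP address or %-wildcard prefix"
            continue
        }
        if (-not $entries.Contains($s)) { $entries.Add($s) }
    }
    $entries -join ','
}

# Constructed input: the value read back from the site, plus a new wildcard subnet,
# a duplicate of an existing entry, and an invalid string that is skipped with a warning.
Merge-SubnetExclusionList -CurrentValue '2001:0000:%,172.16.16.0' `
                          -SubnetsToAdd '10.200.0.%', '172.16.16.0', 'not-a-subnet'
```

Validating each entry before it reaches the site matters because a malformed pattern in the exclusion list silently fails to match anything, so a VPN subnet you meant to exclude from peer matching would stay eligible.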

Prefer distribution points over peers within the same subnet


By default, the management point prioritizes peer cache sources at the top of the list of content locations. This
setting reverses that priority for clients that are in the same subnet as the peer cache source.

TIP
This behavior applies to the Configuration Manager client. It doesn't apply when the task sequence downloads content.
When the task sequence runs, it prefers peer cache sources over distribution points.

Prefer cloud based sources over on-premises sources


If you have a branch office with a faster internet link, you can prioritize cloud-based sources, which include the
following locations:
Cloud management gateway (CMG). Clients will prefer the CMG for both policy and content.
Microsoft Update

NOTE
You can only use Microsoft Update as a source when you enable the following option in the software update
deployment download settings: If software updates are not available on distribution point in current,
neighbor or site boundary groups, download content from Microsoft Updates.

Next steps
Boundary groups and distribution points
Procedures for boundary groups
Boundary groups and distribution points
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


When a client requests the location of a distribution point, Configuration Manager sends the client a list of site
systems. These site systems are of the appropriate type associated with each boundary group that includes the
client's current network location.
During software distribution, clients request a location for deployment content on a valid content source.
This location may be a distribution point, or a peer cache source.
During OS deployment, clients request a location to send or receive their state migration information.
Clients get content based on boundary group behaviors. For more information, see Task sequence
support for boundary groups.
During content deployment, if a client requests content that isn't available from a source in its current boundary
group, the client continues to request that content. The client tries different content sources in its current
boundary group until it reaches the fallback period for a neighbor or the default site boundary group. If the
client still hasn't found content, it then expands its search for content sources to include the neighbor boundary
groups.
If you configure the content to distribute on-demand, and it isn't available on a distribution point when a client
requests it, the site begins to transfer the content to that distribution point. It's possible the client finds that
server as a content source before falling back to use a neighbor boundary group.

Client installation
The Configuration Manager client installer, ccmsetup, can get installation content from a local source or via a
management point. Its initial behavior depends upon the command-line parameters you use to install the client:
If you don't use either /mp or /source parameters, ccmsetup tries to get a list of management points
from Active Directory or DNS.
If you only specify /source, it forces the installation from the specified path. It doesn't discover
management points. If it can't find ccmsetup.cab at the specified path, ccmsetup fails.
If you specify both /mp and /source, it checks the specified management points, and any it discovers. If
it can't locate a valid management point, it falls back to the specified source path.
For more information on these ccmsetup parameters, see Client installation parameters and properties.
When ccmsetup contacts the management point to locate the necessary content, the management point returns
distribution points based on boundary group configuration. If you define relationships on the boundary group,
the management point returns distribution points in the following order:
1. Current boundary group
2. Neighbor boundary groups
3. The site default boundary group
NOTE
The client setup process doesn't use the fallback time. To locate content as quickly as possible, it immediately falls back to
the next boundary group.
In previous versions of Configuration Manager, during this process the management point only returned distribution
points in the client's current boundary group. If no content was available, the setup process fell back to download content
from the management point. There was no option to fall back to distribution points in other boundary groups that might
have the necessary content.

Task sequence support


When a device runs a task sequence and needs to acquire content, it uses boundary group behaviors similar to
the Configuration Manager client.
Configure this behavior using the following settings on the Distribution Points page of the task sequence
deployment:
When no local distribution point is available, use a remote distribution point: For this
deployment, the task sequence can fall back to distribution points in a neighbor boundary group.
Allow clients to use distribution points from the default site boundary group: For this
deployment, the task sequence can fall back to distribution points in the default site boundary group.
To use this new behavior, make sure to update clients to the latest version.
Location priority
The task sequence tries to acquire content in the following order:
1. Peer cache sources
2. Distribution points in the current boundary group
3. Distribution points in a neighbor boundary group

IMPORTANT
Due to the real-time nature of task sequence processing, it doesn't wait for the failover time on a neighbor
boundary group. It uses the failover times for prioritizing the neighbor boundary groups. For example, if the task
sequence fails to acquire content from a distribution point in its current boundary group, it immediately tries a
distribution point in a neighbor boundary group with the shortest failover time. If that process fails, it then fails
over to a distribution point in a neighbor boundary group with a larger failover time.
For content like applications and software updates, which are downloaded by the client and not the task sequence
engine, the client behaves as normal. In other words, if you install applications or software updates from a task
sequence, when the client tries to download the content it will wait for boundary group failover.

4. Distribution points in the site default boundary group


The task sequence log file smsts.log shows the priority of the location sources that it uses based on the
deployment properties.

Next steps
Boundary groups and software update points
Procedures for boundary groups
Boundary groups and software update points
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Clients use boundary groups to find a new software update point. To control which servers a client can find, add
individual software update points to different boundary groups.
If you add all existing software update points to the default site boundary group, the client selects a software
update point from the pool of available servers. This behavior is similar to earlier versions of Configuration
Manager current branch. For controlled selection and fallback behavior, add individual software update points to
different boundary groups.
If you install a new site, software update points aren't added to the default site boundary group. Assign software
update points to a boundary group so that clients can find and use them.

Fallback
Configure software update point fallback like other site system roles, but with the following caveats.
New clients use boundary groups to select software update points
When you install new clients, they select a software update point from those servers associated with the
boundary groups you configure. This behavior replaces the previous behavior where clients select a software
update point randomly from a list of the servers that share the client's forest.
Clients continue to use a last known-good software update point until they fall back to find a new one
Clients that already have a software update point continue to use it until it can't be reached. This behavior
includes continued use of a software update point that isn't associated with the client's current boundary group.
This behavior is intentional. The client continues to use an existing software update point, even when it isn't in
the client's current boundary group. When the software update point changes, the client synchronizes data with
the new server, which causes significant network usage. If all clients switch to a new server at the same time, the
delay in transition helps to avoid saturating your network.
A client always tries to reach its last known-good software update point for 120 minutes before starting fallback
After 120 minutes, if the client hasn't established contact, it then begins fallback. When fallback starts, the client
receives a list of all software update points in its current boundary group. Other software update points in
neighbor and site default boundary groups are available based on fallback configurations.

Fallback configurations
You can configure Fallback times (in minutes) for software update points to be less than 120 minutes.
However, the client still tries to reach its original software update point for 120 minutes. Then it expands its
search to other servers. Boundary group fallback times start when the client first fails to reach its original server.
When the client expands its search, the site provides any boundary groups configured for less than 120 minutes.
To block fallback for a software update point to a neighbor boundary group, configure the setting to Never fallback.
After failing to reach its original server for two hours, the client then uses a shorter cycle to establish a
connection to a new software update point. This behavior enables the client to rapidly search through the
expanding list of potential software update points.
Example
You configure software update points in boundary group A to fall back after 10 minutes. You configure the same
setting for boundary group B to 130 minutes. A client in boundary group Z fails to reach its last known-good
software update point.
For the next 120 minutes, the client tries to reach only its original server in boundary group Z. After 10
minutes, Configuration Manager adds the software update points from boundary group A to the pool of
available servers. However, the client doesn't try to contact them or any other server until the initial 120-
minute period elapses.
After trying to contact the original software update point for 120 minutes, the client expands its search. It
adds servers to the available pool of software update points that are in its current and any neighbor
boundary groups configured for 120 minutes or less. This pool includes the servers in boundary group
A, which were previously added to the pool of available servers.
After 10 more minutes, the client expands the search to include software update points from boundary
group B. This period is 130 minutes of total time after the client first failed to reach its last known-good
software update point.

Manually switch to a new software update point


Along with fallback, use client notification to manually force a device to switch to a new software update point.
When you switch to a new server, the devices use fallback to find that new server. Clients switch to the new
software update point during their next software updates scan cycle.
Review your boundary group configurations. Before you start this change, make sure that your software update
points are in the correct boundary groups.
For more information, see Manually switch clients to a new software update point.

Intranet clients can use a CMG software update point


Starting in version 2006, intranet clients can access a software update point via a cloud management gateway
(CMG). Assign the CMG to a boundary group, and enable the software update point to Allow Configuration
Manager cloud management gateway traffic.
This behavior is useful in the following scenarios:
When an internet machine connects to the VPN, it will continue to scan against the CMG software update
point over the internet.
If the only software update point for the boundary group is the CMG software update point, then all
intranet and internet devices will scan against it.

Next steps
Boundary groups and management points
Procedures for boundary groups
Boundary groups and management points
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Configure fallback relationships for management points between boundary groups. This behavior provides
greater control for the management points that clients use. On the Relationships tab of the boundary group
properties, there's a column for management point. When you add a new fallback boundary group, the fallback
time for the management point is currently always zero (0). This behavior is the same for the Default Behavior
on the site default boundary group.
Previously, a common problem occurred when you had a protected management point in a secure network.
Clients on the main network received policy that included this protected management point, even though they
couldn't communicate with it across a firewall. To address this problem now, use the Never fallback option to
make sure that clients only fall back to management points with which they can communicate.

NOTE
If you enable distribution points in the site default boundary group to fall back, and a management point is collocated on
a distribution point, the site also adds that management point to the site default boundary group.

If a client is in a boundary group with no assigned management point, the site gives the client the entire list
of management points. This behavior makes sure that a client always receives a list of management points.

TIP
If you enable the option to Prefer cloud-based sources over on-premises sources, then clients will prefer a cloud
management gateway (CMG) for both policy and content.

Management point boundary group fallback doesn't change the behavior during client installation
(ccmsetup.exe). If the command line doesn't specify the initial management point using the /MP parameter, the
new client receives the full list of available management points. For its initial bootstrap process, the client uses
the first management point it can access. Once the client registers with the site, it receives the management
point list properly sorted with this new behavior.
For more information on the client's behavior to acquire content during installation, see Client installation.
During client upgrade, if you don't specify the /MP command-line parameter, the client queries sources such as
Active Directory and WMI for any available management point. Client upgrade doesn't honor the boundary
group configuration.
For clients to use this capability, enable the following setting: Clients prefer to use management points
specified in boundary groups in Hierarchy Settings.

NOTE
OS deployment processes aren't aware of boundary groups for management points.

Troubleshoot
New entries appear in the LocationServices.log. The Locality attribute identifies one of the following states:
0 : Unknown
1 : The specified management point is only in the site default boundary group for fallback.
2 : The specified management point is in a remote or neighbor boundary group. When the management
point is in both a neighbor and the site default boundary groups, the locality is 2.
3 : The specified management point is in the local or current boundary group. When the management
point is in the current boundary group and either a neighbor or the site default boundary group, the
locality is 3. If you don't enable the preferred management points setting in Hierarchy Settings, the
locality is always 3 no matter which boundary group the management point is in.
Clients use local management points first (locality 3), remote second (locality 2), then fallback (locality 1).
When a client receives five errors in 10 minutes and fails to communicate with a management point in its
current boundary group, it tries to contact a management point in a neighbor or the site default boundary
group. If the management point in the current boundary group later comes back online, the client returns to the
local management point on the next refresh cycle. The refresh cycle is 24 hours, or when the Configuration
Manager agent service restarts.

Preferred management points


NOTE
When you enable Clients prefer to use management points specified in boundary groups, Configuration
Manager uses the boundary group functionality for the assigned management point.

Preferred management points enable a client to identify a management point that's associated with its current
network location (boundary).
A client tries to use a preferred management point from its assigned site before using one not configured
as preferred from its assigned site.
To use this option, enable Clients prefer to use management points specified in boundary
groups in Hierarchy Settings. Then configure boundary groups at individual primary sites. Include the
management points that should be associated with that boundary group's associated boundaries. For
more information, see Enable use of preferred management points.
When you configure preferred management points, and a client organizes its list of management points,
the client places the preferred management points at the top of its list. This list includes all management
points from the client's assigned site.

NOTE
Client roaming means it changes its network locations. For example, when a laptop travels to a remote office location.
When a client roams, it might use a management point from the local site before attempting to use a server from its
assigned site. This list of servers from its assigned site includes the preferred management points. For more information,
see Understand how clients find site resources and services.

Next steps
Example of using boundary groups
Procedures for boundary groups
Example of using boundary groups
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The following example uses a client searching for content from a distribution point. This example can be applied
to other site system roles that use boundary groups.
Create three boundary groups that don't share boundaries or site system servers:
Group BG_A with distribution points DP_A1 and DP_A2
Group BG_B with distribution points DP_B1 and DP_B2
Group BG_C with distribution points DP_C1 and DP_C2
Add the network locations of your clients as boundaries to only the BG_A boundary group. Then configure
relationships from that boundary group to the other two boundary groups:
Configure distribution points for the first neighbor group (BG_B) to be used after 10 minutes. This group
contains distribution points DP_B1 and DP_B2. Both are well connected to the first group's boundary
locations.
Configure the second neighbor group (BG_C) to be used after 20 minutes. This group contains
distribution points DP_C1 and DP_C2. Both are across a WAN from the other two boundary groups.
Also add to the default site boundary group another distribution point that's on the site server. This
server is your least preferred content source location, but it's centrally located to all your boundary
groups.
Example of boundary groups and fallback times:
With this configuration:
The client begins searching for content from distribution points in its current boundary group (BG_A). It
searches each distribution point for two minutes, and then switches to the next distribution point in the
boundary group. The client's pool of valid content source locations includes DP_A1 and DP_A2.
If the client fails to find content from its current boundary group after searching for 10 minutes, it then
adds the distribution points from the BG_B boundary group to its search. It then continues to search for
content from a distribution point in its combined pool of servers. This pool now includes servers from
both the BG_A and BG_B boundary groups. The client continues to contact each distribution point for two
minutes, and then switches to the next server in its pool. The client's pool of valid content source
locations includes DP_A1, DP_A2, DP_B1, and DP_B2.
After another 10 minutes (20 minutes total), if the client still hasn't found a distribution point with
content, it expands its pool to include available servers from the second neighbor group, boundary group
BG_C. The client now has six distribution points to search: DP_A1, DP_A2, DP_B1, DP_B2, DP_C1, and
DP_C2. It continues changing to a new distribution point every two minutes until it finds content.
If the client hasn't found content after a total of 120 minutes, it falls back to include the default site
boundary group as part of its continued search. Now the pool includes all distribution points from the
three configured boundary groups, and the final distribution point located on the site server. The client
then continues its search for content, changing distribution points every two minutes until content is
found.
By configuring the different neighbor groups to be available at different times, you control when specific
distribution points are added as a content source location. The client uses fallback to the default site boundary
group as a safety net for content that isn't available from any other location.
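To check a design like this one, together with the software update point example (groups A and B, client in group Z) and the task sequence location priority from the earlier articles, here is an added model that is not Microsoft's code: it computes the client's pool of content sources at any minute after its first failure. Group and server names such as DP_SiteServer and SUP_Z1 are constructed for the example.

```python
"""Boundary group fallback timeline, modelled from the documentation.

Added example (not Microsoft's code). It reproduces the distribution point
and software update point timelines the text describes, plus the task
sequence location priority, so a boundary group design can be sanity-checked
before rollout. Group and server names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

NEVER: Optional[int] = None  # models the "Never fallback" relationship setting


@dataclass
class BoundaryGroup:
    name: str
    servers: list[str] = field(default_factory=list)
    # Minutes after the client's first failure before this group's servers
    # join the pool; None models "Never fallback". The current group is 0.
    fallback: Optional[int] = 0


def available_pool(current: BoundaryGroup, neighbors: list[BoundaryGroup],
                   default_site: BoundaryGroup, minutes: int,
                   original: Optional[str] = None, hold: int = 0) -> list[str]:
    """Servers the client may contact `minutes` after its first failure.

    Distribution points: the pool starts with the current group and grows as
    each neighbor's fallback time elapses (site default group at 120 here).
    Software update points: pass original=<last known-good SUP> and hold=120;
    the client keeps trying only that server for 120 minutes before any
    group, including its own, is consulted.
    """
    if original is not None and minutes < hold:
        return [original]
    pool = list(current.servers)
    for group in neighbors:
        if group.fallback is not NEVER and minutes >= group.fallback:
            pool.extend(group.servers)
    if default_site.fallback is not NEVER and minutes >= default_site.fallback:
        pool.extend(default_site.servers)
    return pool


def pool_timeline(current, neighbors, default_site, **kw) -> dict[int, list[str]]:
    """Minute at which the pool changes -> pool at that minute."""
    # The pool can only change at 0, at the hold time, or at a fallback time.
    times = {0, kw.get("hold", 0)}
    times.update(g.fallback for g in neighbors + [default_site]
                 if g.fallback is not NEVER)
    timeline, last = {}, None
    for t in sorted(times):
        pool = available_pool(current, neighbors, default_site, t, **kw)
        if pool != last:
            timeline[t] = pool
            last = pool
    return timeline


def task_sequence_order(peers, current, neighbors, default_site,
                        use_remote_dp: bool, use_default_site: bool) -> list[str]:
    """Task sequence location priority: peers, current group, then neighbors
    ranked by ascending failover time (no waiting), then the site default
    group. The booleans are the deployment's Distribution Points page settings."""
    order = list(peers) + list(current.servers)
    if use_remote_dp:
        ranked = sorted((g for g in neighbors if g.fallback is not NEVER),
                        key=lambda g: g.fallback)
        for g in ranked:
            order.extend(g.servers)
    if use_default_site and default_site.fallback is not NEVER:
        order.extend(default_site.servers)
    return order


# Scenario from the "Example of using boundary groups" article.
BG_A = BoundaryGroup("BG_A", ["DP_A1", "DP_A2"])
BG_B = BoundaryGroup("BG_B", ["DP_B1", "DP_B2"], fallback=10)
BG_C = BoundaryGroup("BG_C", ["DP_C1", "DP_C2"], fallback=20)
SITE_DEFAULT = BoundaryGroup("Default-Site", ["DP_SiteServer"], fallback=120)

# Scenario from the software update point "Example": A at 10, B at 130,
# client in Z. Server names are constructed; no SUP in the default group.
SUP_Z = BoundaryGroup("Z", ["SUP_Z1"])
SUP_A = BoundaryGroup("A", ["SUP_A1"], fallback=10)
SUP_B = BoundaryGroup("B", ["SUP_B1"], fallback=130)
SUP_DEFAULT = BoundaryGroup("Default-Site", [], fallback=120)


if __name__ == "__main__":
    for t, pool in pool_timeline(BG_A, [BG_B, BG_C], SITE_DEFAULT).items():
        print(f"DP  t={t:>3} min: {pool}")
    for t, pool in pool_timeline(SUP_Z, [SUP_A, SUP_B], SUP_DEFAULT,
                                 original="SUP_Z1", hold=120).items():
        print(f"SUP t={t:>3} min: {pool}")
    print(task_sequence_order(["PEER_1"], BG_A, [BG_C, BG_B], SITE_DEFAULT, True, True))
```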
Next steps
Procedures for boundary groups
How to configure boundary groups for Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


This article includes procedures on how to view and configure boundary groups. Before you begin, make sure
you understand boundary group concepts. For more information, see Boundary groups.

Show boundary groups for devices


To help you better identify and troubleshoot device behaviors with boundary groups, you can view the
boundary groups for specific devices. In the Devices node or when you show the members of a Device
Collection, add the Boundary Group(s) column to the list view.
If a device is in more than one boundary group, the value is a comma-separated list of boundary group
names.
The data updates when the client makes a location request to the site, or at most every 24 hours.
If a client is roaming and not a member of a boundary group, the value is blank.

NOTE
This information is site data and only available on primary sites. You won't see a value for this column when you connect
the Configuration Manager console to a central administration site (CAS). For more information, see Types of data.

Create a boundary group


1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Boundary Groups node.
2. On the Home tab, in the Create group, select Create Boundary Group.
3. In the Create Boundary Group dialog box, on the General tab, specify a Name for this boundary
group. Optionally include a Description.
4. Select OK to save the new boundary group, or continue to the next section to configure the boundary
group.

Configure a boundary group


1. In the Configuration Manager console, go to the Administration workspace, expand Hierarchy
Configuration, and select the Boundary Groups node.
2. Select the boundary group you want to modify, and select Properties in the ribbon. This action opens
the boundary group Properties window.
Configure the following settings:
Add or remove boundaries
Configure site assignment and select site system servers
Configure fallback behavior
Configure boundary group options
Add or remove boundaries
In the boundary group Properties window, use the General tab to modify the boundaries that are members of
this boundary group:
To add boundaries, select Add. In the Add Boundaries window, select the check box for one or more
boundaries, and select OK.
To remove boundaries, select the boundary in the list, and select Remove.
Configure site assignment and select site system servers
To modify the site assignment and associated site system server configuration, switch to the References tab in
the boundary group Properties window.
To enable this boundary group for use by clients for site assignment, select Use this boundary group
for site assignment. Then select a site from the Assigned site dropdown list. For more information,
see Site assignment.
To associate available site system servers with this boundary group, select Add. The Add Site Systems
window only lists servers that have supported site system roles. Select the check box for one or more
servers, and select OK. It adds them as associated site system servers for this boundary group.

NOTE
You can select any combination of available site systems from any site in the hierarchy. Selected site systems are
listed on the Site Systems tab in the properties of each boundary that's a member of this boundary group.

To remove a server from this boundary group, select the server and then select Remove.

NOTE
To stop use of this boundary group for associating site systems, remove all servers listed as associated site system
servers.

Configure fallback behavior


To configure fallback behavior, switch to the Relationships tab in the boundary group Properties window.
To create a relationship with another boundary group:
Select Add. In the Fallback Boundary Groups window, select the boundary group to configure.
Set a fallback time for the following site system roles:
Distribution point
Software update point
Management point
NOTE
For example, you open the Properties window for the Branch Office boundary group. In the
Fallback Boundary Groups window, you select the Main Office boundary group. You set the
distribution point fallback time to 20. When you save this configuration, clients in the Branch
Office boundary group will start searching for content from the distribution points in the Main
Office boundary group after 20 minutes.

To prevent fallback to a specific boundary group, select the boundary group, and then select
Never fallback for the type of site system role. This action can include the default site boundary
group.
To modify the configuration of an existing relationship, select the boundary group in the list, and select
Change. This action opens the Fallback Boundary Groups window for just this boundary group.
To remove a relationship, select the boundary group in the list, and select Remove.
For more information, see Fallback.
Configure boundary group options
To configure options for clients in this boundary group, switch to the Options tab. For more information, see
Boundary group options.
Allow peer downloads in this boundary group: This option is enabled by default. The management
point provides clients a list of content locations that includes peer sources.
During peer downloads, only use peers within the same subnet: This setting is dependent
upon the one above. If you enable this option, the management point only includes in the content
location list peer sources that are in the same subnet as the client.
Prefer distribution points over peers within the same subnet: By default, the management
point prioritizes peer cache sources at the top of the list of content locations. This setting reverses
that priority for clients in the same subnet as a peer cache source.
Prefer cloud based sources over on-premises sources: A common scenario is if you have a branch
office with a faster internet link, you can prioritize cloud content and policy. This behavior includes cloud
management gateways (CMG) or Microsoft Update.

Configure a fallback site for automatic site assignment


If clients aren't in a boundary group with an assigned site, assign them to this site when they're installed.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings .
3. On the General tab, select the checkbox to Use a fallback site. Then select a site from the Fallback
site drop-down list.
4. Select OK to save the configuration.
For more information, see Site assignment.

Enable use of preferred management points


For more information, see Preferred management points.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings .
3. On the General tab, select Clients prefer to use management points specified in boundary
groups.
4. Select OK to save the configuration.
High availability options for Configuration Manager
2/16/2022 • 12 minutes to read

Applies to: Configuration Manager (current branch)


This article describes how to deploy Configuration Manager using options that maintain a high level of available
service.
The following Configuration Manager options support high availability:
Configure any central administration or primary site with an additional site server in passive mode.
Configure a SQL Server Always On availability group for the site database at primary sites and the
central administration site.
Sites support multiple instances of site system roles that provide important services to clients. For
example, management points and distribution points.
Central administration sites and primary sites support the backup of the site database. The site database
stores all the configurations for sites and clients. The sites in a hierarchy share this configuration data.
Built-in site recovery options can reduce server downtime. These advanced options simplify recovery
when you have a hierarchy with a central administration site.
Clients can automatically remediate typical issues without administrative intervention.
Sites generate alerts about clients that fail to submit recent data, which alerts administrators to potential
problems.
Configuration Manager provides several built-in reports and dashboards. Use these to identify problems
and trends before they become problems for server or client operations.
Configuration Manager includes several features that provide near real-time service. If these features are critical
to meet your business requirements, plan and configure your sites and hierarchies for high availability. For
example:
Client notification actions, such as restart, start Windows Defender scans, or remote desktop.
State-based messages for monitoring features such as software updates and endpoint protection.
Scripts
CMPivot
Other features of Configuration Manager don't provide real-time service. These features include, but aren't
limited to, client settings, hardware and software inventory, software deployments, and compliance settings.
Expect them to operate with some data latency. It's unusual for most scenarios that involve a temporary
interruption of service to become a critical problem. To minimize downtime, maintain autonomy of operations,
and provide a high level of service, configure your sites and hierarchies with high availability in mind.
For example, Configuration Manager clients typically operate autonomously by using known schedules and
configurations for operations, and schedules to submit data to the site for processing.
When clients can't contact the site, they cache data to be submitted until they can contact the site.
Clients that can't contact the site continue to operate. They use the last known schedules and cached
information, until they can contact the site and receive new policies. For example, a client may keep a
previously downloaded application that they must run or install.
The site monitors its site systems and clients for periodic status updates. It can generate alerts when
these components fail to register.
Built-in reports provide insight to ongoing operations, historical operations, and current trends.
Configuration Manager also supports state-based messages that provide near real-time information for
ongoing operations.

High availability for sites and hierarchies


Use a site server in passive mode
Install an additional site server in passive mode for a central administration or primary site. The site server in
passive mode is in addition to your existing site server in active mode. A site server in passive mode is available
for immediate use, when needed. For more information, see Site server high availability.
Use a remote content library
Move the site's content library to a remote location that provides highly available storage. This feature is a
requirement for site server high availability. For more information, see Configure a remote content library for
the site server.
Centralize content sources
All software content in Configuration Manager requires a package source location on the network. Use
centralized, highly available storage to host a common package source location for all content.
Use a SQL Server Always On solution for the site database
Configuration Manager supports the following SQL Server Always On solutions for the site database:
Host the site database at primary sites and the central administration site in an availability group. For
more information, see Prepare to use a SQL Server Always On availability group.
Use a failover cluster instance for the database at a central administration site or primary site. For more
information, see Use a SQL Server Always On failover cluster instance.
Secondary sites can't use SQL Server Always On, and don't support backup or restoration of their site database.
Recover a secondary site by reinstalling the secondary site from its parent primary site.
Deploy a hierarchy of sites with a central administration site, and one or more child primary sites
This configuration can provide fault tolerance when your sites manage overlapping segments of your network.
It also offers an additional recovery option to use the information in the shared database available at another
site, to rebuild the site database at the recovered site. Use this option to replace a failed or unavailable backup of
the failed site's database.
Create regular backups at central administration sites and primary sites
When you create and test a regular site backup, this makes sure that you have the data necessary to recover a
site. You also practice recovering a site in the minimal amount of time.
Install multiple instances of site system roles
When you install multiple instances of critical site system roles, you provide redundant points of contact for
clients. For example, multiple management points and distribution points provide redundant service in the event
that a specific server is offline.
Install multiple instances of the SMS Provider at a site
The SMS Provider provides the point of administrative contact for one or more Configuration Manager
consoles. To provide redundancy for contact points to administer your site and hierarchy, install multiple SMS
Providers.
High availability for site system roles
At each site, you deploy site system roles to provide the services that you want clients to use at that site. The site
database contains the configuration information for the site and for all clients. Use one or more of the available
options to provide for high availability of the site database, and the recovery of the site and site database if
needed.
Redundancy for important site system roles
Distribution point
Management point
Software update point
State migration point
To provide redundancy for reporting on sites and clients, install multiple instances of the reporting services
point.
Failover support for a software update point in a network load balancing (NLB) cluster was deprecated in
version 1702. For more information, see Removed and deprecated features. To provide redundancy for software
update points, use software update point switching. This allows clients to connect to a new software update
point server if one fails or becomes unavailable. For more information, see Software update point switching.
Built-in site backup
Configuration Manager includes a built-in backup task to help you back up your site and critical information on
a regular schedule. Additionally, the Configuration Manager setup wizard supports site restoration actions to
help you restore a site to operations.
Publishing to Active Directory Domain Services and DNS
Configure each site to publish data about the site to Active Directory Domain Services and DNS. This publishing
enables clients to identify the most accessible server on the network. Clients also use it to identify when new site
system servers are available to provide important services, such as management points.
SMS Provider and Configuration Manager console
Configuration Manager supports installing multiple SMS Providers on separate servers as multiple access
points for the console. If one SMS Provider server is offline, you can still view and manage sites and clients.
When a Configuration Manager console connects to a site, it connects to an instance of the SMS Provider at that
site. The instance of the SMS Provider is randomly selected. If the selected SMS Provider isn't available, you have
the following options:
Reconnect the console to the site. Each new connection request is randomly assigned an instance of the
SMS Provider. It's possible that the new connection is assigned an available instance.
Connect the console to a different Configuration Manager site and manage the configuration from that
connection. This option introduces a slight delay of configuration changes of no more than a few minutes.
After the SMS Provider for the site is online, reconnect your Configuration Manager console directly to
the site that you want to manage.
Install the Configuration Manager console on multiple computers for use by administrators. Each SMS Provider
supports connections from more than one console.
Management point
Install multiple management points at each primary site, and enable the sites to publish site data to your Active
Directory infrastructure, and to DNS.
Multiple management points help to load-balance the use of any single management point by multiple clients.
Also consider installing one or more database replicas for management points. This configuration decreases the
processor-intensive operations of the management point. It also increases the availability of this critical site
system role.
Secondary sites only support installation of one management point, which must be located on the secondary
site server. Management points at secondary sites aren't considered to have a highly available configuration.

NOTE
Devices managed by on-premises mobile device management connect to only one management point at a primary site.
The management point is assigned by Configuration Manager to the mobile device during enrollment and then doesn't
change. When you install multiple management points and enable more than one for mobile devices, the management
point that's assigned to a mobile device client is non-deterministic.
If the management point that a mobile device client uses becomes unavailable, you must resolve the problem with that
management point or wipe the mobile device and re-enroll the mobile device so that it can be assigned to an operational
management point that is enabled for mobile devices.

Distribution point
Install multiple distribution points, and deploy content to multiple distribution points. Add more than one
distribution point per boundary group to make sure clients get several options in their content request.
Configure boundary group relationships so that they have a predictable fallback behavior to another boundary
group or content-enabled cloud management gateway. For more information, see Configure boundary groups.

High availability for clients


Client operations are autonomous
Configuration Manager client autonomy includes the following behaviors:
Clients don't require continuous contact with any specific site system servers. They use known
configurations to perform preconfigured actions on a schedule.
Clients can use any available instance of a site system role that provides services to clients. They attempt
to contact known servers until they locate an available server.
Clients can run inventory, software deployments, and similar scheduled actions independent of direct
contact with site system servers.
Clients that are configured to use a fallback status point can submit details to the fallback status point
when they can't communicate with a management point.
Clients can repair themselves
Clients automatically remediate most typical issues without direct administrative intervention.
Periodically, clients self-evaluate their status. They take action to remediate typical problems by using a
local cache of remediation steps and source files for repairs.
When a client fails to submit status information to its site, the site can generate an alert. Administrative
users that receive these alerts can take immediate action to restore the normal operation of the client.
Clients cache information to use in the future
When a client communicates with a management point, the client can obtain and cache the following
information:
Client settings
Client schedules
Information about software deployments and a download of the software the client is scheduled to
install, when the deployment is configured for this action.
When a client can't contact a management point, the clients locally cache the status, state, and client information
they report to the site. The client transfers this data after it establishes contact with a management point.
Client can submit status to a fallback status point
When you configure a client to use a fallback status point, you provide an additional point of contact for the
client to submit important details about its operation. Clients that are configured to use a fallback status point
continue to send status about their operations to that site system role even when the client can't communicate
with a management point.
Central management of client data and client identity
The site database, rather than the individual client, retains important information about each client's identity, and
associates that data to a specific computer, or user.
The client source files on a computer can be uninstalled and reinstalled without affecting the historical
records for the computer where the client is installed.
Failure of a client computer doesn't affect the integrity of the information that's stored in the database.
This information can remain available for reporting.

Options for sites and site system roles that aren't highly available
Several site systems don't support multiple instances at a site or in the hierarchy. This information can help you
prepare for these site systems going offline.
Asset intelligence synchronization point (hierarchy)

IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Introduction
to asset intelligence in Configuration Manager.

This site system role isn't considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be offline.
Uninstall the role from the current server, and install the role on a new server.
Endpoint protection point (hierarchy)
This site system role isn't considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be offline.
Uninstall the role from the current server, and install the role on a new server.
Enrollment point (site)
This site system role isn't considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be offline.
Uninstall the role from the current server, and install the role on a new server.
Enrollment proxy point (site)
This site system role isn't considered mission critical and provides optional functionality in Configuration
Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in the
hierarchy. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be offline.
Uninstall the role from the current server, and install the role on a new server.
When you have more than one enrollment proxy server in a site, use a DNS alias for the server name. When you
use this configuration, DNS round robin provides some fault tolerance and load balancing for when users enroll
their mobile devices.
Fallback status point (site or hierarchy)
This site system role isn't considered mission critical and provides optional functionality in Configuration
Manager. If this site system goes offline, use one of the following options:
Resolve the reason for the site system to be offline.
Uninstall the role from the current server, and install the role on a new server. Because clients are
assigned the fallback status point during client installation, you need to modify existing clients to use the
new site system server.
Service connection point (hierarchy)
While this site system role is critical for keeping Configuration Manager current branch up to date, it's generally
not used frequently. If this system goes offline, use one of the following options:
Resolve the reason for the site system to be offline.
Uninstall the role from the current server, and install the role on a new server.

See also
Supported configurations
Recommended hardware
Supported operating systems for site system servers
Site and site system prerequisites
Site failure impacts
Site server high availability in Configuration
Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Historically, you could add redundancy to most of the roles in Configuration Manager by having multiple
instances of these roles in your environment. Except for the site server itself. High availability for the site server
role is a Configuration Manager-based solution to install another site server in passive mode. The central
administration site (CAS) and child primary sites can have another site server in passive mode. The site server in
passive mode can be on-premises or cloud-based in Azure.
This feature brings the following benefits:
Redundancy and high availability to the site server role
More easily change the hardware or OS of the site server
More easily move your site server to Azure IaaS
The site server in passive mode is in addition to your existing site server that is in active mode. A site server in
passive mode is available for immediate use, when needed. Include this other site server as part of your overall
design for making the Configuration Manager service highly available.
A site server in passive mode:
Uses the same site database as your site server in active mode.
Doesn't write data to the site database when it's in passive mode.
Uses the same content library as your site server in active mode.
To make the site server in passive mode become active, you manually promote it. This action switches the site
server in active mode to be the site server in passive mode. The site system roles that are available on the
original active mode server remain available so long as that computer is accessible. Only the site server role is
switched between active and passive modes.
Microsoft Core Services Engineering and Operations used this feature to migrate their CAS to Microsoft Azure.
For more information, see the Microsoft IT Showcase article.

Supported configurations
Configuration Manager supports site servers in passive mode in a hierarchy. The CAS and child primary
sites can have another site server in passive mode.
The site server in passive mode can be on-premises or cloud-based in Azure.

NOTE
A cloud-based site server in passive mode uses Azure infrastructure as a service (IaaS). For more information, see
the following articles:
Azure virtual machines (for cloud-based infrastructure)
FAQ for Configuration Manager on Azure
Prerequisites
Active Directory
Both site servers must be joined to the same Active Directory domain.
If you've extended the Active Directory schema for Configuration Manager, both site servers need Full
Control permissions to Active Directory's System - System Management container and all
descendant objects.
General configurations for both site servers
Both site servers can run different OS or service pack versions, as long as both are supported by
Configuration Manager.
Don't host the service connection point role on either site server configured for high availability. If it's
currently on the original site server, remove it, and install it on another site system server. For more
information, see About the service connection point.
Configurations for the site server in passive mode
Must meet the prerequisites for installing a primary site.
This requirement includes components like .NET Framework, Remote Differential Compression, and
the Windows ADK. For the complete list, see Site and site system prerequisites.

NOTE
Make sure to install the SQL Server Native Client. If you don't install it, the prerequisite checker during
Configuration Manager setup will report an error about missing SQL Server permissions.

Must have its computer account in the local Administrators group on the site server in active mode.
Must install using source files that match the version of the site server in active mode.
Can't have a site system role from any site installed on it before you install the site server in passive
mode role.
Make sure the computer account for the site server in passive mode has the same permissions as the site
server in active mode. For example, it may need permission to content source files, such as boot image
source directories.
Permissions for the site system installation account
By default, many customers use the site server's computer account to install new site systems. The requirement
is then to add the site server's computer account to the local Administrators group on the remote site system.
If your environment uses this configuration, make sure to add the computer account of the new site server to
this local group on all remote site systems. For example, all remote distribution points.
The more secure and recommended configuration is to use a service account for installing the site system. The
most secure configuration is to use a local service account. If your environment uses this configuration, no
change is needed.
For more information, see Site system installation account and Elevated permissions.
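The Active Directory and local Administrators requirements listed above are easy to miss on one of the many remote site systems, so the following script audits them before you add the passive site server. It is an added example, not part of the Configuration Manager documentation. It assumes the ActiveDirectory module (RSAT), the built-in LocalAccounts module on the target servers, PowerShell remoting to those servers, and read access to the System Management container; the server names CM01, CM02, DP01 and DP02 are constructed placeholders.

```powershell
# Added example, not from the Configuration Manager documentation: audit the
# permissions a site server in passive mode needs before you add it.
# Assumes the ActiveDirectory module (RSAT) where the script runs, the built-in
# Microsoft.PowerShell.LocalAccounts module on the target servers, PowerShell
# remoting to those servers, and read rights on the System Management container.
# All server names below are constructed placeholders.
param(
    [string]$ActiveSiteServer    = 'CM01',            # placeholder: site server in active mode
    [string]$PassiveSiteServer   = 'CM02',            # placeholder: server that becomes the passive site server
    [string[]]$RemoteSiteSystems = @('DP01', 'DP02')  # placeholders: remote site systems, e.g. distribution points
)

Import-Module ActiveDirectory

$adDomain    = Get-ADDomain
$netbios     = $adDomain.NetBIOSName
$containerDN = "CN=System Management,CN=System,$($adDomain.DistinguishedName)"
$results     = New-Object System.Collections.Generic.List[object]

# Check 1: with the schema extended, both site server computer accounts need
# Full Control on the System Management container and all descendant objects.
# GenericAll is Full Control; InheritanceType 'All' covers the object and all descendants.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$containerDN"
foreach ($server in @($ActiveSiteServer, $PassiveSiteServer)) {
    $principal = "$netbios\$server$"
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl) -and
        $_.InheritanceType -eq 'All'
    }
    $results.Add([pscustomobject]@{
        Check     = 'Full Control on System Management container (inherited)'
        Target    = $containerDN
        Principal = $principal
        Passed    = [bool]$match
        Note      = ''
    })
}

# Check 2: the passive server's computer account must be in local Administrators
# on the active site server. If site systems were installed with the site
# server's computer account, the same membership is needed on every remote site
# system; if a site system installation account is used instead, only the
# active site server entry in $targets applies.
$targets        = @($ActiveSiteServer) + $RemoteSiteSystems
$passiveAccount = "$netbios\$PassiveSiteServer$"
foreach ($target in $targets) {
    try {
        $members = Invoke-Command -ComputerName $target -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        } -ErrorAction Stop
        $passed = $members -contains $passiveAccount
        $note   = ''
    } catch {
        $passed = $false
        $note   = $_.Exception.Message
    }
    $results.Add([pscustomobject]@{
        Check     = 'Member of local Administrators'
        Target    = $target
        Principal = $passiveAccount
        Passed    = $passed
        Note      = $note
    })
}

$results | Format-Table -AutoSize
# Non-zero exit so the audit can gate a change window in automation.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it from a workstation with RSAT as an account that can read the container ACL and enumerate local groups on the targets. A failed row for a remote site system is only a gap when your environment installs site systems with the site server's computer account; with a dedicated installation account, as the text recommends, that row can be ignored.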
Content library
The site content library must be on a remote network share. Both site servers need Full Control permissions to
the share and its contents. For more information, see Configure a remote content library for the site server.
The site server computer account needs Full control permissions to the network path to which you're
moving the content library. This permission applies to both the share and the file system. No components
are installed on the remote system.
The site server can't have the distribution point role. The distribution point also uses the content library,
and this role doesn't support a remote content library. After moving the content library, you can't add the
distribution point role to the site server.
Site database
Both site servers must use the same site database.
The database can be remote from each site server. The Configuration Manager setup process doesn't
block installation of the site server role on a computer with the Windows role for Failover Clustering. SQL
Server Always On availability groups require this role, so previously you couldn't colocate the site
database on the site server. With this change, you can create a highly available site with fewer servers by
using an availability group and a site server in passive mode.
The SQL Server that hosts the site database can use a default instance, named instance, failover cluster
instance, or an availability group.
Both site servers need the sysadmin security role on the instance of SQL Server that hosts the site
database. The original site server should already have these roles, so add them for the new site server.
For example, the following SQL script adds these roles for the new site server VM2 in the Contoso
domain:

USE [master]
GO
CREATE LOGIN [contoso\vm2$] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [contoso\vm2$]
GO

Both site servers need access to the site database on the instance of SQL Server. The original site server
should already have this access, so add it for the new site server. For example, the following SQL script
adds a login to the CM_ABC database for the new site server VM2 in the Contoso domain:

USE [CM_ABC]
GO
CREATE USER [contoso\vm2$] FOR LOGIN [contoso\vm2$] WITH DEFAULT_SCHEMA=[dbo]
GO

The site server in passive mode is configured to use the same site database as the site server in active
mode. The site server in passive mode only reads from the database. It doesn't write to the database until
after it's promoted to active mode.
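The two T-SQL scripts above fail if run twice (the login or user already exists) and give no way to confirm that both site servers end up with the same access. The following script is an added example, not part of the Configuration Manager documentation: it wraps guarded versions of those statements in Invoke-Sqlcmd and then verifies login, sysadmin membership and site database user for every site server. It assumes the SqlServer PowerShell module and a caller who is sysadmin on the instance; SQL01 is a constructed placeholder, CM_ABC and contoso\vm2$ reuse the docs' example, and contoso\vm1$ is an assumed name for the existing site server in active mode.

```powershell
# Added example, not from the Configuration Manager documentation: idempotent
# grants for the new site server plus a verification query for both site servers.
# Assumes the SqlServer module (Invoke-Sqlcmd) and sysadmin rights for the caller.
# SQL01 is a placeholder; CM_ABC and contoso\vm2$ come from the docs' example;
# contoso\vm1$ is an assumed name for the site server in active mode.
param(
    [string]$SqlInstance      = 'SQL01',                              # placeholder instance
    [string]$SiteDatabase     = 'CM_ABC',
    [string]$NewSiteServer    = 'contoso\vm2$',                       # computer account of the passive site server
    [string[]]$AllSiteServers = @('contoso\vm1$', 'contoso\vm2$')     # both site servers to verify
)

Import-Module SqlServer

# Guarded CREATE/ALTER statements: safe to run again if the login or user exists.
$grant = @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$NewSiteServer')
    CREATE LOGIN [$NewSiteServer] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english];
IF ISNULL(IS_SRVROLEMEMBER('sysadmin', N'$NewSiteServer'), 0) <> 1
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [$NewSiteServer];
USE [$SiteDatabase];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$NewSiteServer')
    CREATE USER [$NewSiteServer] FOR LOGIN [$NewSiteServer] WITH DEFAULT_SCHEMA=[dbo];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grant -ErrorAction Stop

# Verification: each site server needs a Windows login (type 'U'), sysadmin
# membership, and a user in the site database. A 0 in any column, or a missing
# row, is a gap the passive site server would hit at promotion time.
$loginList = ($AllSiteServers | ForEach-Object { "N'$_'" }) -join ', '
$verify = @"
SELECT sp.name AS LoginName,
       ISNULL(IS_SRVROLEMEMBER('sysadmin', sp.name), 0) AS IsSysadmin,
       CASE WHEN dp.name IS NULL THEN 0 ELSE 1 END      AS HasSiteDbUser
FROM sys.server_principals AS sp
LEFT JOIN [$SiteDatabase].sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.type = 'U' AND sp.name IN ($loginList);
"@
$rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $verify -ErrorAction Stop
$rows | Format-Table -AutoSize

$missing = $AllSiteServers | Where-Object { $_ -notin $rows.LoginName }
if ($missing -or ($rows | Where-Object { $_.IsSysadmin -ne 1 -or $_.HasSiteDbUser -ne 1 })) {
    Write-Warning 'One or more site servers lack the required SQL Server access.'
    exit 1
}
```

Because the text requires sysadmin, both site server computer accounts end up with full control of the SQL Server instance; that is one reason to keep the instance dedicated to the site database rather than sharing it with unrelated databases.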

Limitations
Only a single site server in passive mode is supported at each site.
A site server in passive mode isn't supported at a secondary site.

NOTE
Secondary sites are still supported under a primary site with highly available site servers.

Promotion of the site server in passive mode to active mode is manual. There's no automatic failover.
Site system roles can't be installed on the new server before you add the site server in passive mode.

NOTE
After the site server in passive mode is installed, you can add more roles as necessary. For example, a
management point at a primary site.

For roles like the reporting point that use a database, host the database on a server that's remote from
both site servers.
The Configuration Manager console doesn't automatically install on the site server in passive mode.

Add a site server in passive mode


For more information on the general process of adding roles, see Install site system roles.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, select the Sites node, and select Create Site System Server in the ribbon.
2. On the General page of the Create Site System Server Wizard, specify the server to host the site server
in passive mode. The server you specify can't host any site system roles before installing a site server in
passive mode.
3. On the System Role Selection page, select only Site server in passive mode.

NOTE
The wizard performs the following initial prerequisite checks on this page:
The selected server isn't a secondary site server
The selected server isn't already a site server in passive mode
The site's content library is in a remote location
If these initial prerequisite checks fail, you can't continue past this page of the wizard.

4. On the Site Server In Passive Mode page, provide the following information that's used to run setup
and install the site server role on the specified server:
Choose one of the following options:
Copy installation source files over the network from the site server in active
mode: This option creates a compressed package and sends it to the new site server.
Use the source files at the following location on the site server in passive mode:
For example, a local path to which you already copied the source files. Make sure this
content is the same version as the site server in active mode.
(Recommended) Use the source files at the following network location: Specify the
path directly to the contents of the CD.Latest folder from the site server in active mode.
For example, \\Server\SMS_ABC\CD.Latest where "Server" is the name of the site server in
active mode, and "ABC" is the site code.
Specify the local path at which to install Configuration Manager on the new site server. For
example: C:\Program Files\Configuration Manager
5. Complete the wizard. Configuration Manager then installs the site server in passive mode on the
specified server.
For detailed installation status, in the console go to the Monitoring workspace, and select the Site Server
Status node. The state for the site server in passive mode displays as Installing. For more detailed information,
select the server and select Show Status. This action opens the Site Server Installation Status window. When
the process is complete, the state shows OK for both servers.
For more information on the setup process, see Flowchart - Set up a site server in passive mode.
After you add a site server in passive mode, see both site servers on the Nodes tab in the Sites node of the
console.
All Configuration Manager site server components are in standby on the site server in passive mode. The
Windows services are still running.

Site server promotion


Similarly as with backup and recovery, plan and practice your process to change site servers. Consider the
following points in your promotion plan:
Practice a planned promotion, where both site servers are online. Also practice an unplanned failover, by
forcibly disconnecting or shutting down the site server in active mode.
Determine your operational processes during failover, and what to communicate with other
Configuration Manager administrators.
Before a planned promotion:
Check the overall status of the site and site components. Make sure everything is healthy as
normal for your environment.
Check content status for any packages actively replicating between sites.
Check secondary site status and site replication.
Don't start any new content distribution jobs or maintenance on child or secondary site servers.

NOTE
If file or database replication between sites is in progress during failover, the new site server may not
receive the replicated content. If this happens, redistribute the software content after the new site server is
active. For database replication, you may need to reinitialize a secondary site after failover.

Reduce or remove other scheduled activities at the same time. For example, don't plan to promote
a site server immediately after updating the site to a new version. Site update includes other tasks
that can potentially conflict with the site server promotion.

TIP
Here's an example of how other activities can conflict with site server promotion:
Monday: Update the site to the latest version. Enable automatic client upgrade with client piloting.
Tuesday: Promote the site server in passive mode to be the active site server.
By Wednesday or Thursday, this action may cause all clients to upgrade, not just the pilot collection. This
behavior can cause significant network usage and unexpected load on the distribution points.

Process to promote the site server in passive mode to active mode


This section describes how to change the site server in passive mode to active mode. To access the site and
make this change, you need to be able to access an instance of the SMS Provider. For more information, see Use
multiple SMS Providers.

IMPORTANT
If all instances of the SMS Provider are offline, you can't connect to the site as no provider is available. When you add the
site server in passive mode, setup installs an instance of the SMS Provider on this server.
The Configuration Manager console requests the list of available SMS Providers from WMI on the site server. When you
install multiple SMS Providers at a site, the site randomly assigns each new connection request to use an installed SMS
Provider. You can't specify the SMS Provider location to use with a specific connection session. If your console is unable to
connect to the site because the current site server is offline, specify the other site server in the Site Connection window.

1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node. Select the site, and then switch to the Nodes tab. Select the
site server in passive mode, and then select Promote to active in the ribbon. Select Yes to confirm and
continue.
2. Refresh the console node. The Status column for the server you're promoting displays in the Nodes tab
as Promoting.
3. After the promotion is complete, the Status column shows OK for both the new site server in active
mode, and for the new site server in passive mode. The Server Name column for the site now displays
the name of the new site server in active mode.
For detailed status, go to the Monitoring workspace, and select the Site Server Status node. The Mode
column identifies which server is Active or Passive. When you promote a server from passive mode to active
mode, select the site server that you're promoting to active, and then choose Show Status from the ribbon. This
action opens the Site Server Promotion Status window that displays more details about the process.
When a site server in active mode switches over to passive mode, only the site server role is made passive. All
other site system roles that are installed on that computer remain active and accessible to clients.
For more information on the planned promotion process, see Flowchart - Promote site server (planned).
Unplanned failover
If the current site server in active mode is offline, the site server for promotion tries to contact the current site
server in active mode for 30 minutes. If the offline server comes back before this time, it's successfully notified,
and the change proceeds gracefully. Otherwise the site server for promotion forcibly updates the site
configuration for it to be active. If the offline server comes back after this time, it first checks the current state in
the site database. It then proceeds with demoting itself to the site server in passive mode.
During this 30-minute waiting period, the site has no site server in active mode. Clients still communicate with
client-facing roles such as management points, software update points, and distribution points. Users can install
software that's already deployed. No site administration is possible in this time period. For more information,
see Site failure impacts.
If the offline server is damaged such that it can't return, delete this site server from the console. Then create a
new site server in passive mode to restore a highly available service.
For more information on the unplanned failover process, see Flowchart - Promote site server (unplanned).
Other tasks after site server promotion
After switching site servers, most of the extra tasks that are required when recovering a site aren't necessary.
For example, you don't need to reset passwords or reconnect your Microsoft Intune subscription.
The following steps may still be required in your environment:
If you import PKI certificates for distribution points, reimport the certificate for affected servers. For more
information, see Regenerate the certificates for distribution points.
If you integrate Configuration Manager with the Microsoft Store for Business, reconfigure that
connection. For more information, see Manage apps from the Microsoft Store for Business.
Recreate OSD bootable media and prestaged media in non-PKI environments.
In non-PKI environments, you may need to update the self-signed certificate on PXE-enabled distribution
points. Do this action in the properties of the distribution point on the Communication tab. Make changes
to the self-signed certificate date or time.

Daily monitoring
When you have a site server in passive mode, monitor it daily. Make sure its Status remains OK and is ready for
use. In the Configuration Manager console, go to the Monitoring workspace, and select the Site Server
Status node. View both site servers and their current status. Also view status in the Administration workspace.
Expand Site Configuration, and select the Sites node. Select the site, and then switch to the Nodes tab.

NOTE
When you update the site to a new version of Configuration Manager, it also updates the site server in passive mode.

Remove a site server in passive mode


The process to remove a site server in passive mode is the same as any site system role. Remove the Site
server role from the server in passive mode. For more information, see Procedure to remove a site system role.
When you remove any other site system role, the site component manager (sitecomp) processes the request.
When you remove a site server in passive mode, the failover manager processes the request. For status, monitor
the SMS_FAILOVER_MANAGER component.

Next steps
Flowchart - Set up a site server in passive mode
Flowchart - Promote site server (planned)
Flowchart - Promote site server (unplanned)
Flowchart - Set up a site server in passive mode
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This flowchart diagram shows the process by which the site sets up a site server in passive mode. For more
information, see the following articles:
Site server high availability
Flowchart - Promote site server (planned)
The content library
Flowchart - Manage content library
Flowchart - Promote site server (planned)
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This flowchart diagram shows the process by which a site server in passive mode is promoted to the site server
in active mode. In this example, the administrator plans for the promotion process. Both servers are online and
fully functional. For more information, see the following articles:
Site server high availability
Flowchart - Set up a site server in passive mode
Flowchart - Promote site server (unplanned)
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This flowchart diagram shows the process by which a site server in passive mode is promoted to the site server
in active mode when the current site server in active mode is offline. In this example, the current site server in
active mode isn't fully operational, for example, it's disconnected from the network or powered off. For more
information, see the following articles:
Site server high availability
Flowchart - Promote site server (planned)
Flowchart - Set up a site server in passive mode
Prepare to use a SQL Server Always On availability
group with Configuration Manager
2/16/2022 • 13 minutes to read

Applies to: Configuration Manager (current branch)


Use this article to prepare Configuration Manager to use a SQL Server Always On availability group for the site
database. This feature provides a high availability and disaster recovery solution.
Configuration Manager supports using availability groups:
At primary sites and the central administration site.
On-premises, or in Microsoft Azure.
When you use availability groups in Microsoft Azure, you can further increase availability of your site database
by using Azure availability sets. For more information on Azure availability sets, see Manage the availability of
virtual machines.

IMPORTANT
Before you continue, be comfortable with configuring SQL Server and availability groups. This article references the SQL
Server documentation library with more information and procedures.

Supported scenarios
The following scenarios are supported for using availability groups with Configuration Manager. For more
information and procedures for each scenario, see Configure availability groups for Configuration Manager.
Create an availability group for use with Configuration Manager
Configure a site to use the availability group
Add or remove synchronous replica members from an availability group that hosts a site database
Configure or recover a site from an asynchronous commit replica
Move a site database out of an availability group to a default or named instance of a standalone SQL Server

Prerequisites
The following prerequisites apply to all scenarios. If additional prerequisites apply to a specific scenario, they're
detailed with that scenario.
Configuration Manager accounts and permissions
Installation account
The account you use to run Configuration Manager setup must be:
A member of the local Administrators group on each computer that's a member of the availability group.
A sysadmin on each instance of SQL Server that hosts the site database.
Site server to replica member access
The computer account of the site server must be a member of the local Administrators group on each
computer that's a member of the availability group.
SQL Server
Version
Each replica in the availability group must run a version of SQL Server that's supported by your version of
Configuration Manager. When supported by SQL Server, different nodes of an availability group can run
different versions of SQL Server. For more information, see Supported SQL Server versions for Configuration
Manager.
Edition
Use an Enterprise edition of SQL Server.
Account
Each instance of SQL Server can run under a domain user account (service account) or a non-domain account.
Each replica in a group can have a different configuration.
Use an account with the lowest possible permissions. For more information, see Security considerations
for a SQL Server installation.
For more information on configuring service accounts and permissions for SQL Server, see Configure
Windows service accounts and permissions.
To use a non-domain account, you must use certificates. For more information, see Use certificates for a
database mirroring endpoint (Transact-SQL).
For more general information, see Create a database mirroring endpoint for availability groups.
Database
Configure the database on a new replica
Only make these configurations on a primary replica. To configure a secondary replica, first fail over the primary
to the secondary. This action makes the secondary the new primary replica.
Configure the database of each replica with the following settings:
Enable CLR Integration:

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'clr enabled', 1;
GO
RECONFIGURE;
GO

For more information, see CLR integration.


Set Max text repl size to 2147483647:

EXECUTE sp_configure 'max text repl size (B)', 2147483647

Set the database owner to the SA account. You don't need to enable this account.
Turn ON the TRUSTWORTHY setting:

ALTER DATABASE [CM_xxx] SET TRUSTWORTHY ON;

For more information, see the TRUSTWORTHY database property.


Enable the Service Broker:

ALTER DATABASE [CM_xxx] SET ENABLE_BROKER

NOTE
You can't enable the Service Broker option on a database that's already part of an availability group. You have to
enable that option before adding it to the availability group.

Configure the Service Broker priority:

ALTER DATABASE [CM_xxx] SET HONOR_BROKER_PRIORITY ON;


ALTER DATABASE [CM_xxx] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE

Database verification script


Run the following SQL script to verify database configurations for both primary and secondary replicas. Before
you can fix an issue on a secondary replica, change that secondary replica to be the primary replica.
SET NOCOUNT ON

DECLARE @dbname NVARCHAR(128)

SELECT @dbname = sd.name FROM sys.sysdatabases sd WHERE sd.dbid = DB_ID()

IF (@dbname = N'master' OR @dbname = N'model' OR @dbname = N'msdb' OR @dbname = N'tempdb' OR @dbname = N'distribution' ) BEGIN
    RAISERROR(N'ERROR: Script is targeting a system database. It should be targeting the DB you created instead.', 0, 1)
    GOTO Branch_Exit;
END ELSE
    PRINT N'INFO: Targeted database is ' + @dbname + N'.'

PRINT N'INFO: Running verifications....'

IF NOT EXISTS (SELECT * FROM sys.configurations c WHERE c.name = 'clr enabled' AND c.value_in_use = 1)
    PRINT N'ERROR: CLR is not enabled!'
ELSE
    PRINT N'PASS: CLR is enabled.'

DECLARE @repltable TABLE (
    name nvarchar(max),
    minimum int,
    maximum int,
    config_value int,
    run_value int )

INSERT INTO @repltable
EXEC sp_configure 'max text repl size (B)'

IF NOT EXISTS(SELECT * from @repltable where config_value = 2147483647 and run_value = 2147483647 )
    PRINT N'ERROR: Max text repl size is not correct!'
ELSE
    PRINT N'PASS: Max text repl size is correct.'

IF NOT EXISTS (SELECT db.owner_sid FROM sys.databases db WHERE db.database_id = DB_ID() AND db.owner_sid = 0x01)
    PRINT N'ERROR: Database owner is not sa account!'
ELSE
    PRINT N'PASS: Database owner is sa account.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_trustworthy_on = 1 )
    PRINT N'ERROR: Trustworthy bit is not on!'
ELSE
    PRINT N'PASS: Trustworthy bit is on.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_broker_enabled = 1 )
    PRINT N'ERROR: Service broker is not enabled!'
ELSE
    PRINT N'PASS: Service broker is enabled.'

IF NOT EXISTS( SELECT * FROM sys.databases db WHERE db.database_id = DB_ID() AND db.is_honor_broker_priority_on = 1 )
    PRINT N'ERROR: Service broker priority is not set!'
ELSE
    PRINT N'PASS: Service broker priority is set.'

PRINT N'Done!'

Branch_Exit:

Availability group configurations


Replica members
The availability group must have one primary replica.
Use the same number and type of replicas in an availability group that your version of SQL Server
supports.
You can use an asynchronous commit replica to recover your synchronous replica. For more information,
see site database recovery options.

WARNING
Configuration Manager doesn't support failover to use the asynchronous commit replica as your site database.
For more information, see Failover and failover modes (Always On availability groups).

Configuration Manager doesn't validate the state of the asynchronous commit replica to confirm it's current. Use
of an asynchronous commit replica as the site database can put the integrity of your site and data at risk. This
replica can be out of sync by design. For more information, see Overview of SQL Server Always On availability
groups.
Each replica member must have the following configuration:
Use the default instance or a named instance.

NOTE
Don't have a file share on the server that's the same name as the SQL Server instance name.

The Connections in Primary Role setting is Allow all connections.
The Readable Secondary setting is Yes.
Enabled for Manual Failover

NOTE
Configuration Manager supports using the availability group synchronous replicas when set to Automatic
Failover. Set Manual Failover when:
You run Configuration Manager setup to specify use of the site database in the availability group.
You install any update to Configuration Manager. (Not just updates that apply to the site database).

All members need the same seeding mode. Configuration Manager setup includes a prerequisite check to
verify this configuration when creating a database through install or recovery.

NOTE
When setup creates the database, and you configure automatic seeding, the availability group must have
permissions to create the database. This requirement applies to both a new database or recovery. For more
information, see Automatic seeding for secondary replica.

Replica member location


Either host all replicas in an availability group on-premises, or host them all on Microsoft Azure. A group that
includes an on-premises member and a member in Azure isn't supported.
NOTE
If you're using an Azure virtual machine for the SQL Server, enable floating IP. For more information, see Configure a
load balancer for a SQL Server Always On availability group in Azure virtual machines.

Configuration Manager setup needs to connect to each replica. When you set up an availability group in Azure,
and the group is behind an internal or external load balancer, open the following default ports:
RPC Endpoint Mapper: TCP 135
SQL Server Service Broker: TCP 4022
SQL over TCP: TCP 1433
After setup completes, these ports must stay open for Configuration Manager and replication link analyzer.
You can use custom ports for these configurations. Use the same custom port for each endpoint on all replicas
in the availability group.
For SQL Server to replicate data between sites, create a load-balancing rule for each port in the Azure load
balancer. For more information, see Configure High Availability Ports for an internal load balancer.
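As an added example (not from the Configuration Manager documentation), this PowerShell function probes the three ports listed above from the site server to each replica and to the listener, with parameters for custom ports. The function name and the contoso.com host names are placeholders to replace with your own.

```powershell
# Added example (not from the Configuration Manager docs): probe the three ports the
# article lists from the site server to every replica and to the listener.
function Test-AgReplicaPorts {
    [CmdletBinding()]
    param(
        # Replica host names and/or the listener name to probe (placeholders below)
        [Parameter(Mandatory)]
        [string[]] $ComputerName,

        # Defaults are the ports named in the article; pass custom ports if the
        # endpoint and instance were configured with them on every replica
        [int] $RpcPort    = 135,
        [int] $BrokerPort = 4022,
        [int] $SqlPort    = 1433
    )

    $ports = [ordered]@{
        'RPC Endpoint Mapper'       = $RpcPort
        'SQL Server Service Broker' = $BrokerPort
        'SQL over TCP'              = $SqlPort
    }

    foreach ($server in $ComputerName) {
        foreach ($service in $ports.Keys) {
            $port = $ports[$service]
            # -InformationLevel Quiet makes Test-NetConnection return a single boolean
            $open = Test-NetConnection -ComputerName $server -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                ComputerName = $server
                Service      = $service
                Port         = $port
                Open         = $open
            }
        }
    }
}

# Every row must show Open = True both before setup and afterwards (replication
# link analyzer uses the same ports). Replace the placeholder names with yours.
$results = Test-AgReplicaPorts -ComputerName 'SQLAG01.contoso.com', 'SQLAG02.contoso.com', 'listener.contoso.com'
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $blocked | ForEach-Object {
        Write-Warning "$($_.ComputerName) port $($_.Port) ($($_.Service)) is not reachable"
    }
}
```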
Listener
The availability group must have at least one availability group listener. When you configure Configuration
Manager to use the site database in the availability group, it uses the virtual name of this listener. Although an
availability group can contain multiple listeners, Configuration Manager can only make use of one. For more
information, see Create or configure a SQL Server availability group listener.
File paths
When you run Configuration Manager setup to configure a site to use the database in an availability group, each
secondary replica server must have a SQL Server file path that's identical to the file path for the site database
files on the current primary replica. If an identical path doesn't exist, setup fails to add the instance for the
availability group as the new location of the site database.
The local SQL Server service account must have Full Control permission to this folder.
The secondary replica servers only require this file path while you're using Configuration Manager setup to
specify the database instance in the availability group. After setup completes configuration of the site database in
the availability group, you can delete the unused path from the secondary replica servers.
For example, consider the following scenario:
You create an availability group that uses three SQL Servers.
Your primary replica server is a new installation of SQL Server 2014. By default, it stores the database
MDF and LDF files in C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA.
You upgraded both of your secondary replica servers to SQL Server 2014 from previous versions. With
the upgrade, these servers keep the original file path to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA.

Before moving the site database to this availability group, on each secondary replica server, create the
following file path: C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA. This path is a
duplicate of the path in use on the primary replica, even if the secondary replicas won't use this file
location.
You then grant the SQL Server service account on each secondary replica full control access to the newly
created file location on that server.
You can now successfully run Configuration Manager setup to configure the site to use the site database
in the availability group.
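The scenario above as an added PowerShell example that is not part of the documentation: run on a secondary replica, it creates the primary replica's MSSQL12 data path and grants the SQL Server service account Full Control. The function name is this example's own, and NT Service\MSSQLSERVER is assumed as the default-instance service account.

```powershell
# Added example (not from the Configuration Manager docs): on a secondary replica,
# create the primary replica's data path from the scenario above and grant the SQL
# Server service account Full Control. Run in an elevated session on each secondary.
# 'NT Service\MSSQLSERVER' is the default instance's virtual account; substitute the
# service account of your instance if it differs.
function Initialize-SqlDataPath {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Path = 'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA',
        [string] $ServiceAccount = 'NT Service\MSSQLSERVER'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create directory')) {
            New-Item -ItemType Directory -Path $Path -Force | Out-Null
        } else {
            return   # -WhatIf: the folder was not created, nothing to inspect yet
        }
    }

    # Full Control on the folder, inherited by the subfolders and files SQL Server creates
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $ServiceAccount,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Grant Full Control to $ServiceAccount")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the resulting entry so the grant can be checked before running setup
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Initialize-SqlDataPath -WhatIf               # preview the changes
Initialize-SqlDataPath | Format-Table -AutoSize
```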
Multi-subnet failover
You can enable the MultiSubnetFailover connection string keyword in SQL Server. You also need to manually
add the following values to the Windows Registry on the site server:

HKLM:\SOFTWARE\Microsoft\SMS\Identification
HKLM:\SOFTWARE\Microsoft\SMS\SQL Server

MSF Enabled: 1 (DWORD)

WARNING
Use of site server high availability and SQL Server Always On availability groups with multi-subnet failover doesn't provide
the full capabilities of automatic failover for disaster recovery scenarios.

If you need to create an availability group with a member in a remote location, prioritize based on the lowest
network latency. High network latency can cause replication failures.
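An added PowerShell example (not from the documentation) that sets and then verifies the MSF Enabled DWORD under both registry keys listed above. The function names are this example's own, and it assumes an elevated session on the site server.

```powershell
# Added example (not from the Configuration Manager docs): set and verify the
# 'MSF Enabled' DWORD the article requires under both SMS registry keys.
# Run in an elevated PowerShell session on the site server itself.
$MsfKeys = @(
    'HKLM:\SOFTWARE\Microsoft\SMS\Identification',
    'HKLM:\SOFTWARE\Microsoft\SMS\SQL Server'
)

function Set-CMMultiSubnetFailover {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $MsfKeys) {
        if (-not (Test-Path -LiteralPath $key)) {
            # Both keys exist on a site server; stop rather than create them elsewhere
            throw "Registry key '$key' not found. Run this on the Configuration Manager site server."
        }
        if ($PSCmdlet.ShouldProcess($key, "Set 'MSF Enabled' (DWORD) = 1")) {
            # -Force overwrites an existing value of any type with the DWORD
            New-ItemProperty -LiteralPath $key -Name 'MSF Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-CMMultiSubnetFailover {
    foreach ($key in $MsfKeys) {
        $value = (Get-ItemProperty -LiteralPath $key -Name 'MSF Enabled' -ErrorAction SilentlyContinue).'MSF Enabled'
        [pscustomobject]@{
            Key        = $key
            MsfEnabled = $value
            Compliant  = ($value -eq 1)
        }
    }
}

# Preview the change, apply it, then confirm both keys report Compliant = True
Set-CMMultiSubnetFailover -WhatIf
Set-CMMultiSubnetFailover
Get-CMMultiSubnetFailover | Format-Table -AutoSize
```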

Limitations and known issues


The following limitations apply to all scenarios.
Unsupported SQL Server options and configurations
Basic availability groups: Introduced with SQL Server 2016 Standard edition, basic availability groups
don't support read access to secondary replicas. Configuration Manager requires this access. For more
information, see Basic SQL Server availability groups.
Failover cluster instance: Failover cluster instances aren't supported for a replica you use with
Configuration Manager. For more information, see SQL Server Always On failover cluster instances.
SQL Servers that host additional availability groups
When the SQL Server hosts one or more availability groups in addition to the group you use for Configuration
Manager, it needs specific settings at the time you run Configuration Manager setup. These settings are also
needed to install an update for Configuration Manager. Each replica in each availability group must have the
following configurations:
Manual failover
Allow any read-only connection

NOTE
Configuration Manager supports using the availability group synchronous replicas when set to Automatic Failover. Set
Manual Failover when:
You run Configuration Manager setup to specify use of the site database in the availability group.
You install any update to Configuration Manager. (Not just updates that apply to the site database).

Unsupported database use


Configuration Manager supports only the site database in an availability group
The following databases aren't supported by Configuration Manager in an availability group:
Reporting database
WSUS database
Pre-existing database
You can't use a new database created on the replica. When you configure an availability group, restore a copy of
an existing Configuration Manager database to the primary replica.
Setup errors in ConfigMgrSetup.log
When you run Configuration Manager setup to move a site database to an availability group, it tries to process
database roles on the secondary replicas of the availability group. The ConfigMgrSetup.log file shows the
following error:
ERROR: SQL Server error: [25000][3906][Microsoft][SQL Server Native Client 11.0][SQL Server]Failed to update
database "CM_AAA" because the database is read-only. Configuration Manager Setup 1/21/2016 4:54:59 PM 7344
(0x1CB0)

These errors are safe to ignore.


Site expansion
If you configure the site database for a standalone primary site to use an availability group, you can't expand the
site to include a central administration site. If you try this process, it fails. To expand the site, temporarily remove
the primary site database from the availability group.
You don't need to make any changes to the configuration when adding a secondary site.

Changes for site backup


Backup database files
When a site database uses an availability group, run the built-in Backup Site server maintenance task to back
up common Configuration Manager settings and files. Don't use the MDF or LDF files created by that backup.
Instead, make direct backups of these database files by using SQL Server.
Transaction log
Set the recovery model of the site database to Full. This configuration is a requirement for Configuration
Manager use in an availability group. Plan to monitor and maintain the size of the site database transaction log.
In the full recovery model, the transactions aren't hardened until a full backup of the database or transaction
log is made. For more information, see Back up and restore of SQL Server databases.

Changes for site recovery


If at least one node of the availability group is still functional, use the site recovery option to Skip database
recovery (Use this option if the site database was unaffected).
Site recovery can recreate the database in an availability group. This process works with both manual and
automatic seeding.

TIP
When you run the setup/recovery wizard, the New Availability Group Database page only applies to manual seeding
configurations. With automatic seeding, there's no shared database backup, so that page of the wizard isn't shown.

For more information, see Backup and recovery.

Changes for reporting


Install the reporting services point
The reporting services point doesn't support using the listener virtual name of the availability group. It also
doesn't support hosting its database in an availability group.
By default, the reporting services point installation sets the Site database server name to the virtual
name that's specified as the listener. Change this setting to specify a computer name and instance of a
replica in the availability group.
To offload reporting and to increase availability when a replica node is offline, consider installing
additional reporting services points on each replica node. Then configure each reporting services point to
use its own computer name. When you install a reporting services point on each replica of the availability
group, reporting can always connect to an active reporting point server.
Switch the reporting services point used by the console
1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select
the Reports node.
2. In the ribbon, select Report Options.
3. In the Report Options dialog box, select the reporting services point you want to use.

Next steps
This article describes the prerequisites, limitations, and changes to common tasks that Configuration Manager
requires when you use availability groups. For procedures to set up and configure your site to use availability
groups, see Configure availability groups.
Configure a SQL Server Always On availability
group for Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Use the information in this article to configure and manage a SQL Server Always On availability group for the
Configuration Manager site database. Before you start, be familiar with the information to Prepare to use an
availability group. Also be familiar with SQL Server documentation that covers the use of availability groups and
related procedures.

Create and configure an availability group


Use this procedure to create an availability group for Configuration Manager. Then move a copy of the site
database to that availability group.
1. Use the following command to stop the Configuration Manager site:
preinst.exe /stopsite

For more information, see Hierarchy maintenance tool.


2. Change the backup model for the site database from SIMPLE to FULL:

ALTER DATABASE [CM_xxx] SET RECOVERY FULL;

Availability groups only support the FULL backup model. For more information, see View or change the
recovery model of a database.
3. Use SQL Server to create a full backup of your site database. Choose one of the following options:
Will be a member of your availability group: If you use this server as the initial primary replica
member of the availability group, you don't need to restore a copy of the site database to this
server or another in the group. The database is already in place on the primary replica. SQL Server
replicates the database to the secondary replicas during a later step.
Will not be a member of the availability group: Restore a copy of the site database to the
server that will host the primary replica of the group.
For more information, see the following articles in the SQL Server documentation:
Create a full database backup
Restore a database backup using SSMS

NOTE
If you plan to move from an availability group to standalone on an existing replica, first remove the database from
the availability group.

4. On the server that will host the initial primary replica of the group, use the New availability group wizard
to create the availability group. In the wizard:
On the Select Database page, select the database for your Configuration Manager site.
On the Specify Replicas page, configure:
Replicas: Specify the servers that will host secondary replicas.
Listener: Specify the Listener DNS Name as a full DNS name, for example
<listener_server>.fabrikam.com. When you configure Configuration Manager to use the
database in the availability group, it uses this name.
On the Select Initial Data Synchronization page, select Full. After the wizard creates the
availability group, the wizard backs up the primary database and transaction log. Then the wizard
restores them on each server that hosts a secondary replica.

NOTE
If you don't use this step, restore a copy of the site database to each server that hosts a secondary replica.
Then manually join that database to the group.

5. Check the configuration on each replica:


a. Make sure the computer account of the site server is a member of the local Administrators
group on each computer that's a member of the availability group.
b. Run the verification script to confirm that the site database on each replica is correctly configured.
c. If it's necessary to set configurations on secondary replicas, before you continue, manually fail
over the primary replica to the secondary replica. You can only configure the database of a
primary replica. For more information, see Perform a planned manual failover of an availability
group in the SQL Server documentation.
6. After all replicas meet the requirements, the availability group is ready to be used with Configuration
Manager.

Configure a site to use the availability group


When installing a new site, after you have created and configured the availability group, direct setup to use the
FQDN of the availability group listener. If you used a custom port and named instance, leave the instance name
empty in the setup wizard and use the format FQDN of listener, port number. For example, use
listener.contoso.com, 1445 for a named instance that doesn't use the default port of 1433.

If you moved an existing site database to an availability group you created and configured, use Configuration
Manager site maintenance to change the configuration with the below instructions:
1. Run Configuration Manager Setup: \BIN\X64\setup.exe from the Configuration Manager site
installation folder.
2. On the Getting Started page, select Perform site maintenance or reset this site, and then select
Next.
3. Select Modify SQL Server configuration, and then select Next.
4. Reconfigure the following settings for the site database:
SQL Server name: Enter the virtual name for the availability group listener. You configured the
listener when you created the availability group. The virtual name should be a full DNS name, like
<Listener_Server>.fabrikam.com.
Instance: To specify the default instance for the listener of the availability group, this value must
be blank. If the current site database runs on a named instance, clear the current named instance.
Database: Leave the name as it appears. This name is the current site database.
5. After you provide the information for the new database location, complete setup with your normal
process and configurations.

Synchronous replica members


When your site database is hosted in an availability group, use the following procedures to add or remove
synchronous replica members. For more information about the supported type and number of replicas, see
Availability group configurations.
Add or remove a synchronous replica member
Run Configuration Manager setup to add or remove a synchronous replica member. The following steps show
how to add:
1. Add a secondary replica using the SQL Server procedures.
a. Add a secondary replica to an Always On availability group.
b. Watch the status in SQL Server Management Studio. Wait for the availability group to return to full
health.
2. Run Configuration Manager setup, and select the option to modify the site.
3. Specify the availability group listener name as the database name. If the listener uses a non-standard
network port, specify that as well. This action causes setup to make sure each node is appropriately
configured. It also starts a database recovery process.
Configuration Manager setup uses the SQL Server database move operation, and makes sure the nodes are
correctly configured.

Asynchronous replicas
You can use an asynchronous replica in the availability group that you use with Configuration Manager. You
don't need to run the configuration scripts required to configure a synchronous replica, because an
asynchronous replica isn't supported for the site database.
Configure an asynchronous commit replica
For more information, see Add a secondary replica to an availability group.
Use the asynchronous replica to recover your site
Use the asynchronous replica to recover your site database.
1. Stop the active primary site to prevent additional writes to the site database. To stop the site, use the
Hierarchy maintenance tool: preinst.exe /stopsite
2. After you stop the site, use the asynchronous replica instead of a manually recovered database.

Stop using an availability group


Use the following procedure when you no longer want to host your site database in an availability group. With
this process, you'll move the site database back to a single instance of SQL Server.
1. Stop the Configuration Manager site by using the following command: preinst.exe /stopsite. For more
information, see Hierarchy maintenance tool.
2. Use SQL Server to create a full backup of your site database from the primary replica. For more
information, see Create a full database backup.
3. Use SQL Server to restore the site database backup to the server that will host the site database. For
more information, see Restore a database backup using SSMS.

NOTE
If the primary replica server for the availability group will host the single instance of the site database, skip this
step.

4. On the server that will host the site database, change the backup model for the site database from FULL
to SIMPLE. For more information, see View or change the recovery model of a database.
5. Run Configuration Manager Setup: \BIN\X64\setup.exe from the Configuration Manager site
installation folder.
6. On the Getting Started page, select Perform site maintenance or reset this site, and then select
Next.
7. Select Modify SQL Server configuration, and then select Next.
8. Reconfigure the following settings for the site database:
SQL Server name: Enter the name of the server that now hosts the site database.
Instance: Specify the named instance that hosts the site database. If the database is on the default
instance, leave this field blank.
Database: Leave the name as it appears. This name is the current site database.
9. After you provide the information for the new database location, complete setup with your normal
process and configurations. When setup completes, the site restarts, and begins to use the new database
location.
10. To clean up the servers that were members of the availability group, follow the guidance in Remove an
availability group.
Use a SQL Server Always On failover cluster
instance for the site database
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


You can use a SQL Server Always On failover cluster instance to host the Configuration Manager site database.
Failover cluster instances provide failover support for the entire instance of SQL Server and improve the
reliability of the site database. However, they don't provide additional processing or load-balancing benefits.
Failover cluster instances require the use of shared storage, which can be a single point of failure. Degradation in
performance can occur, because the site server must find the active node of the failover cluster instance before it
connects to the site database.

IMPORTANT
To successfully set up a failover cluster instance, use the documentation and procedures for SQL Server. For more
information, see Always On Failover Cluster Instances (SQL Server).

Before you install Configuration Manager, prepare the failover cluster instance to support Configuration
Manager. For more information, see Prepare a clustered SQL Server instance.
During Configuration Manager setup, the Windows Volume Shadow Copy Service writer installs on each
physical computer node of the Windows Server failover cluster. This service supports the Backup Site Server
maintenance task.
After the site installs, Configuration Manager checks for changes to the cluster node each hour. Configuration
Manager automatically manages any changes it finds that affect its component installs, for example, a node
failover or the addition of a new node to the failover cluster instance.

Supported options
Configuration Manager supports the following options for failover cluster instances used for the site database:
A single instance cluster
Multiple instance configurations
Multiple active nodes
Either a named or a default instance

Prerequisites
The site database server must be remote from the site server. The cluster can't include the site server.
NOTE
The Configuration Manager setup process doesn't block installation of the site server role on a computer with the
Windows role for Failover Clustering. SQL Server Always On availability groups require this role, so previously you
couldn't colocate the site database on the site server. With this change, you can create a highly available site with
fewer servers by using an availability group and a site server in passive mode. For more information, see High
availability options.

Add the computer account of the site server to the local Administrators group of each server in the
cluster.
To support Kerberos authentication, enable the TCP/IP network communication protocol for the network
connection of each cluster node. The Named pipes protocol isn't required, but can be used to
troubleshoot Kerberos authentication issues. The network protocol settings are configured in SQL
Server Configuration Manager, under SQL Server Network Configuration.
There are specific certificate requirements when you use a failover cluster instance for the site database.
For more information, see the following articles:
Install a certificate in an Always On failover cluster instance configuration
PKI certificate requirements for Configuration Manager

NOTE
If you don't pre-provision a certificate in SQL Server, Configuration Manager creates and provisions a self-signed
certificate for SQL Server.

Limitations
Installation and configuration
Secondary sites can't use a failover cluster instance.
When you specify a failover cluster instance, you can't set a custom file location for the site database.
SMS Provider
You can't install the SMS Provider on a failover cluster instance. It's also not supported on a computer that runs
as a node participating in the failover cluster instance.
Data replication options
If you use Distributed Views , you can't use a failover cluster instance to host the site database.
Backup and recovery
Configuration Manager doesn't support System Center Data Protection Manager (DPM) backup for failover
cluster instances that use a named instance. It does support DPM backup on failover cluster instances that use
the SQL Server default instance.

Prepare a failover cluster instance


Here are the main tasks to complete to prepare your site database:
Create the failover cluster instance to host the site database on an existing Windows Server failover
cluster environment. For specific steps to install and set up a failover cluster instance, see the
documentation specific to your version of SQL Server. For more information, see Create a new SQL
Server Always On failover cluster instance.
On each computer in the failover cluster instance, place a file in the root folder of each drive where you
don't want Configuration Manager to install site components. Name the file NO_SMS_ON_DRIVE.SMS . By
default, Configuration Manager installs some components on each physical node, to support operations
such as backup.
Add the computer account of the site server to the local Administrators group of each Windows Server
failover cluster node.
In the failover cluster instance, assign the sysadmin SQL Server role to the user account that runs
Configuration Manager setup.

Install a new site


To install a site that uses a clustered site database, run Configuration Manager setup following your normal
process for installing a site. On the Database Information page, specify the name of the failover cluster
instance. The failover cluster instance name replaces the name of a single computer that runs SQL Server.

IMPORTANT
Make sure to use the name of the SQL Server Always On failover cluster instance, not the Windows Server failover cluster.
If you use the Windows Server failover cluster name, the site database installs on the local hard drive of the active
Windows Server failover cluster node. This configuration prevents successful failover if that node fails.
Custom locations for Configuration Manager site
database files
2/16/2022

Applies to: Configuration Manager (current branch)


Configuration Manager supports custom locations for SQL Server database files.

NOTE
The option to specify non-default file locations isn't available when you use a SQL Server Always On failover cluster
instance.

During setup of a new primary site or central administration site, you can:
Specify non-default file locations for the site database: Configuration Manager setup then creates
the site database using these locations.
Specify the use of a pre-created SQL Server database that uses custom file locations:
Configuration Manager setup then uses that pre-created database and its pre-configured file locations.
After setup, you can change the location of the site database files. This requires you to stop the site and edit the
file location in SQL Server:
1. On the Configuration Manager site server, stop the SMS_Executive service.
2. Move the database in SQL Server. For more information, see Move User Databases.
3. After you complete the database file move, restart the SMS_Executive service on the Configuration
Manager site server.
Configure role-based administration for
Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


In Configuration Manager, role-based administration combines security roles, security scopes, and assigned
collections to define the administrative scope for each administrative user. An administrative scope includes the
objects that an administrative user can view in the Configuration Manager console and the tasks related to those
objects that they have permission to do.
If you're not yet familiar with these concepts, see Fundamentals of role-based administration.
Use the information in this article to create and configure role-based administration and related security
settings.

NOTE
The procedures in this article assume that your administrative user is in a security role with the required permissions. For
example, the Full Administrator or Security administrator roles.

TIP
Use the Role-based administration and auditing tool to help with the following actions:
Model permissions for a new role that you want to create.
Audit all existing administrative users, collections, and security scopes.
Audit a specific user.

Create custom security roles


Configuration Manager provides several built-in security roles. You can't change the permissions of the built-in
roles. If you require other roles, create a custom one. You might create a custom role to grant administrative
users other permissions that they require and aren't included in a built-in role. By using a custom security role,
you can assign them the least required permissions. A custom role can help you avoid assigning a security role
that grants more permissions than they require.
How to create custom security roles
In the Configuration Manager console, go to the Administration workspace. Expand Security, and then select
the Security Roles node. Then use one of the following processes to create a new security role:
Create a new custom security role by copying a built-in role
1. Select an existing security role to use as the source for the new role.
2. On the Home tab of the ribbon, in the Security Role group, select Copy. This action creates a copy of
the source security role.
3. In the Copy Security Role wizard, specify a Name for the new custom security role. The maximum length
is 256 characters.
4. Optional but recommended, specify a Description to summarize the purpose of this custom security
role. The maximum length is 512 characters.
5. Under Permissions, expand each object type to display the available permissions.
6. To change a permission, select the drop-down list, and choose either Yes or No.
Caution

When you configure a custom security role, only grant permissions that are required by the users
assigned to this role. For example, the Modify permission for the Security Roles object allows assigned
users to edit any accessible security role, even if they aren't assigned to that security role.
7. After you configure the permissions, select OK to save the new security role.
Import a security role that was exported from another Configuration Manager hierarchy

IMPORTANT
Only import custom security role configuration files from a trusted source. When you export a custom security role, save
it in a secure location. The XML files aren't digitally signed.

1. On the Home tab of the ribbon, in the Create group, choose Import Security Role.
2. Specify the XML file that contains the exported security role configuration. Select Open to complete the
procedure and create the security role.
3. After you import a custom security role, open its Properties. View the permissions to confirm they
include the least required permissions for this role. Change any permissions that aren't required in this
environment.

NOTE
You can't export built-in security roles.

Configure security roles


You can modify the permissions for a custom security role, but you can't modify the built-in security roles.
1. In the Configuration Manager console, go to the Administration workspace, expand Security, and then
select the Security Roles node.
2. Select the custom security role that you want to modify or view.
3. On the Home tab of the ribbon, in the Properties group, select Properties.
4. On the General tab of the properties window, change the Name or Description if necessary.
5. On the Administrative Users tab, view the users that are associated with this role. To change the
assignment, go to the properties of the administrative user.
6. On the Permissions tab, expand each object type to display the available permissions.
7. To change a permission, select the drop-down list, and then choose either Yes or No.
Caution

When you configure a custom security role, only grant permissions that are required by the users
assigned to this role. For example, the Modify permission for the Security Roles object allows assigned
users to edit any accessible security role, even if they aren't assigned to that security role.
8. When you're done, select OK to save the custom security role.
Configure security scopes for an object
Manage security scopes from the securable object, not from the security scope. The only properties you can
change on a custom security scope are the name and description. You can't modify the two built-in scopes. To
change the name and description of a custom scope, you need the Modify permission for the Security Scopes
object.
When you create a new object in Configuration Manager, it's associated with each security scope that's
associated with the security roles of the account used to create the object. This behavior occurs when those
security roles provide the Create permission or Set Security Scope permission. After you create an object,
you can change the security scopes and assign it to multiple scopes.
For example, you're assigned a security role that grants you permission to create a new boundary group. That
role is associated with the Admins security scope. When you create a new boundary group, you've no option to
assign specific security scopes. The Admins security scope is automatically assigned to the new boundary
group. After you save the new boundary group, you can edit the security scopes for the boundary group.
For more information on how to add a scope for a user, see Modify the administrative scope of an
administrative user.
How to create a custom security scope
1. In the Configuration Manager console, go to the Administration workspace, expand Security, and then
select the Security Scopes node.
2. On the Home tab of the ribbon, in the Create group, select Create Security Scope.
3. In the Create Security Scope window, specify a Security scope name. The maximum length is 256
characters.
4. Optional but recommended, specify a Description to summarize the purpose of this custom security
scope. The maximum length is 512 characters.
5. Select or remove administrative user assignments. You can change these after you create the security
scope.
6. To save the custom security scope, select OK.
How to configure security scopes for an object
1. In the Configuration Manager console, select an object that supports being assigned to a security scope.
For the list of supported objects, see Fundamentals of role-based administration - Security scopes.
2. On the Home tab of the ribbon, in the Classify group, select Set Security Scopes.
For a folder, go to the Folder tab of the ribbon. In the Actions group, select Set Security Scopes.

NOTE
An item is searchable in folders outside of a user's security scope if that user shares a security scope with the
person who created the object.

3. In the Set Security Scopes window, select or clear the security scopes for this object. Select at least one
security scope.
4. Select OK to save the assigned security scopes.

Configure collections to manage security


There are no procedures to configure collections for role-based administration. Collections don't have a role-
based administration configuration. Instead, you assign collections to an administrative user. To determine the
actions that an administrative user can do to a collection and its members, view the permissions for the
Collection object type on the security role.
When an administrative user has permissions to a collection, they also have permissions to collections that are
limited to that collection. For example, your organization uses a collection named All Desktops. There's also a
collection named All North America Desktops that's limited to the All Desktops collection. If an
administrative user has permissions to All Desktops, they have the same permissions to the All North
America Desktops collection.
An administrative user can't use the Delete or Modify permissions on a collection that's directly assigned to
them. They can use these permissions on the collections that are limited to that collection. In the previous
example, the administrative user can delete or modify the All North America Desktops collection, but they
can't delete or modify the All Desktops collection.

Create a new administrative user


To grant individuals or members of a security group access to manage Configuration Manager, create an
administrative user. Specify a Windows account of the user or user group. Assign each administrative user to at
least one security role and one security scope. You can also assign collections to limit the administrative scope of
the user or group.
How to create a new administrative user
1. In the Configuration Manager console, go to the Administration workspace, expand Security, and then
select the Administrative Users node.
2. On the Home tab of the ribbon, in the Create group, select Add User or Group.
3. Select Browse, and then select the user account or group to use for this new administrative user in
Configuration Manager.

NOTE
For console-based administration, you can only specify domain users or domain security groups as an
administrative user.

4. For the Associated security roles, select Add to open a list of the available security roles. Select one or
more security roles, and then select OK.
5. Choose one of the following options to define the securable object behavior for the new user:
All instances of the objects that are related to the assigned security roles: This option
has the following behaviors:
Security scope: All
Collections: All Systems and All Users and User Groups
The security roles that you assign to the user define their access to objects.
New objects that this user creates are assigned to the Default security scope.
Only the instances of objects that are assigned to the specified security scopes and
collections: This option has the following behaviors:
Security scope: Default
Collections: All Systems and All Users and User Groups
These defaults may be different, because the actual security scopes and collections are limited to
those that are associated with the account that you use to create the administrative user.
Add or Remove security scopes and collections to customize the administrative scope of this
user.

IMPORTANT
After you create the user, view its properties to select a third option, Associate assigned security roles with
specific security scopes and collections. For more information, see Modify the administrative scope of an
administrative user.

6. Select OK to close the window and create the administrative user.

Modify the administrative scope of an administrative user


You can modify the administrative scope of an administrative user by adding or removing security roles, security
scopes, and collections that are associated with the user. Each administrative user must be associated with at
least one security role and one security scope. You might have to assign one or more collections to the
administrative scope of the user. Most security roles interact with collections and don't function correctly without
an assigned collection.
When you modify an administrative user, you can change the behavior for how securable objects are associated
with the assigned security roles. The three behaviors that you can select are as follows:
All instances of the objects that are related to the assigned security roles: This option
associates the administrative user with the All scope, and the All Systems and All Users and User
Groups collections. The security roles that are assigned to the user define access to objects.
Only the instances of objects that are assigned to the specified security scopes and
collections: This option associates the administrative user to the same security scopes and collections
that are associated to the account you use to configure the administrative user. This option supports the
addition or removal of security roles and collections to customize the administrative scope of the
administrative user.
Associate assigned security roles with specific security scopes and collections: This option lets
you create specific associations between individual security roles and specific security scopes and
collections for the user.

NOTE
This option is available only when you modify the properties of an administrative user.

The current configuration for the securable object behavior changes the process that you use to assign
additional security roles. Use the following procedures that are based on the different options for securable
objects to help you manage an administrative user.
Use the following procedure to view and manage the configuration for securable objects for an administrative
user.
To view and manage the securable object behavior for an administrative user
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Security, and then choose Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, choose Properties.
5. Choose the Security Scopes tab to view the current configuration for securable objects for this
administrative user.
6. To modify the securable object behavior, select a new option for securable object behavior. After you change
this configuration, see the appropriate procedure for further guidance to configure security scopes and
collections, and security roles for this administrative user.
7. Choose OK to complete the procedure.
Use the following procedure to modify an administrative user that has the securable object behavior set to All
instances of the objects that are related to the assigned security roles.
For option: All instances of the objects that are related to the assigned security roles
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Security, and then choose Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, choose Properties.
5. Choose the Security Scopes tab to confirm that the administrative user is configured for All instances
of the objects that are related to the assigned security roles.
6. To modify the assigned security roles, choose the Security Roles tab.
To assign additional security roles to this administrative user, choose Add, check the box for each
additional security role that you want to assign, and then choose OK.
To remove security roles, select one or more security roles from the list, and then choose Remove.
7. To modify the securable object behavior, choose the Security Scopes tab and choose a new option for
the securable object behavior. After you change this configuration, see the appropriate procedure for
further guidance to configure security scopes and collections, and security roles for this administrative
user.

NOTE
When the securable object behavior is set to All instances of the objects that are related to the assigned
security roles, you can't add or remove specific security scopes and collections.

8. Choose OK to complete this procedure.


Use the following procedure to modify an administrative user that has the securable object behavior set to Only
the instances of objects that are assigned to the specified security scopes and collections.
For option: Only the instances of objects that are assigned to the specified security scopes and collections
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Security, and then choose Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, choose Properties.
5. Choose the Security Scopes tab to confirm that the user is configured for Only the instances of
objects that are assigned to the specified security scopes and collections.
6. To modify the assigned security roles, choose the Security Roles tab.
To assign additional security roles to this user, choose Add, check the box for each additional security
role that you want to assign, and then choose OK.
To remove security roles, select one or more security roles from the list, and then choose Remove.
7. To modify the security scopes and collections that are associated with security roles, choose the Security
Scopes tab.
To associate new security scopes or collections with all security roles that are assigned to this
administrative user, choose Add and select one of the four options. If you select Security Scope or
Collection, check the box for one or more objects to complete that selection, and then choose OK.
To remove a security scope or collection, choose the object, and then choose Remove.
8. Choose OK to complete this procedure.
Use the following procedure to modify an administrative user that has the securable object behavior set to
Associate assigned security roles with specific security scopes and collections.
For option: Associate assigned security roles with specific security scopes and collections
1. In the Configuration Manager console, choose Administration.
2. In the Administration workspace, expand Security, and then choose Administrative Users.
3. Select the administrative user that you want to modify.
4. On the Home tab, in the Properties group, choose Properties.
5. Choose the Security Scopes tab to confirm that the administrative user is configured for Associate
assigned security roles with specific security scopes and collections.
6. To modify the assigned security roles, choose the Security Roles tab.
To assign additional security roles to this administrative user, choose Add. On the Add Security
Role dialog box, select one or more available security roles, choose Add, and select an object type
to associate with the selected security roles. If you select Security Scope or Collection, check the
box for one or more objects to complete that selection, and then choose OK.

NOTE
You must configure at least one security scope before the selected security roles can be assigned to the
administrative user. When you select multiple security roles, each security scope and collection that you
configure is associated with each of the selected security roles.

To remove security roles, select one or more security roles from the list, and then choose Remove.
7. To modify the security scopes and collections that are associated with a specific security role, choose the
Security Scopes tab, select the security role, and then choose Edit.
To associate new objects with this security role, choose Add, and select an object type to associate
with the selected security roles. If you select Security Scope or Collection, check the box for one
or more objects to complete that selection, and then choose OK.

NOTE
You must configure at least one security scope.

To remove a security scope or collection that is associated with this security role, select the object,
and then choose Remove.
When you have finished modifying the associated objects, choose OK.
8. Choose OK to complete this procedure.
Caution

When a security role grants administrative users the collection deployment permission, those
administrative users can distribute objects from any security scope for which they have object read
permissions, even if that security scope is associated with a different security role.

Automate with Windows PowerShell


You can use the following PowerShell cmdlets to automate some of these tasks:
Manage administrative users:
Get-CMAdministrativeUser: Get an administrative user object.
New-CMAdministrativeUser: Create a new administrative user.
New-CMAdministrativeUserPermission: Create a permission object for an administrative user.
Remove-CMAdministrativeUser: Remove an administrative user.
Manage roles and scopes on users:
Add-CMSecurityRoleToAdministrativeUser: Add a security role to a user or group.
Remove-CMSecurityRoleFromAdministrativeUser: Remove the association between a security role and an
administrative user.
Add-CMSecurityScopeToAdministrativeUser: Add a security scope to a user or group.
Remove-CMSecurityScopeFromAdministrativeUser: Remove the association between a security scope and an
administrative user.
Manage security roles:
Copy-CMSecurityRole: Create a custom security role.
Export-CMSecurityRole: Export a security role to an XML file.
Get-CMSecurityRole: Get a security role.
Import-CMSecurityRole: Import a security role from an XML file.
Remove-CMSecurityRole: Remove custom security roles.
Set-CMSecurityRole: Change configuration settings of a security role.
Manage permissions on security roles:
Get-CMSecurityRolePermission: Get the permissions for a security role.
Set-CMSecurityRolePermission: Configure a security role with specific permissions.
Manage security scopes:
Get-CMSecurityScope: Get a security scope.
New-CMSecurityScope: Create a security scope.
Remove-CMSecurityScope: Remove a security scope.
Set-CMSecurityScope: Configure a security scope.
Manage object security scope:
Add-CMObjectSecurityScope: Add a security scope to an object.
Get-CMObjectSecurityScope: Get the security scope for a Configuration Manager object.
Remove-CMObjectSecurityScope: Remove a security scope from a Configuration Manager object.
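The following script is an added example, not part of the Configuration Manager documentation, that strings the cmdlets above together to apply the least-privilege pattern the article describes: copy a narrow built-in role, create a dedicated security scope, and create an administrative user limited to that role, scope and one collection. The site code, domain group, collection name, role and scope names, and export path are placeholders you would replace; the script assumes the console (and therefore the ConfigurationManager module) is installed on the machine where it runs.

```powershell
# Added example (not from the Configuration Manager docs): least-privilege administrative user.
# Placeholders: site code PS1, domain group CONTOSO\Helpdesk-West, collection "All West Desktops"
# and folder C:\Temp are assumed to exist in your environment; role and scope names are constructed.
$SiteCode       = 'PS1'
$RoleName       = 'Helpdesk West (custom)'
$ScopeName      = 'West Region'
$UserName       = 'CONTOSO\Helpdesk-West'
$CollectionName = 'All West Desktops'
$ExportPath     = 'C:\Temp\HelpdeskWest-role.xml'

# Load the ConfigurationManager module from the console install path and map the site drive.
# SMS_ADMIN_UI_PATH points at ...\AdminConsole\bin\i386; the module lives one level up.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Start from the built-in Read-only Analyst role instead of a broad role such as Full Administrator.
#    Built-in roles can't be edited or exported, so Copy-CMSecurityRole creates the editable copy.
if (-not (Get-CMSecurityRole -Name $RoleName)) {
    Copy-CMSecurityRole -SourceRoleName 'Read-only Analyst' -Name $RoleName `
        -Description 'Constructed example: read-only access for the West helpdesk'
}

# 2. Create a dedicated security scope so this team's objects aren't lumped into the Default scope.
if (-not (Get-CMSecurityScope -Name $ScopeName)) {
    New-CMSecurityScope -Name $ScopeName -Description 'Constructed example scope for the West region'
}

# 3. Create the administrative user from a domain security group, limited to the custom role,
#    the custom scope and a single collection. This is the cmdlet equivalent of the console option
#    "Only the instances of objects that are assigned to the specified security scopes and collections".
if (-not (Get-CMAdministrativeUser -Name $UserName)) {
    New-CMAdministrativeUser -Name $UserName -RoleName $RoleName `
        -SecurityScopeName $ScopeName -CollectionName $CollectionName
}

# 4. Review what the custom role actually grants before anyone is added to the group.
#    The article's caution applies here: look for Modify on Security Roles and any Delete/Modify rights.
Get-CMSecurityRolePermission -Name $RoleName | Format-List

# 5. Export the role for change review. The XML isn't digitally signed, so store it in a secured location
#    and only ever import role files from a trusted source.
Export-CMSecurityRole -Name $RoleName -Path $ExportPath
```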

Next steps
Role-based administration and auditing tool
Accounts used in Configuration Manager
Configure Azure services for use with Configuration
Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use the Azure Services Wizard to simplify the process of configuring the Azure cloud services you use with
Configuration Manager. This wizard provides a common configuration experience by using Azure Active
Directory (Azure AD) web app registrations. These apps provide subscription and configuration details, and
authenticate communications with Azure AD. The app replaces entering this same information each time you set
up a new Configuration Manager component or service with Azure.

Available services
Configure the following Azure services using this wizard:
Cloud Management: This service enables the site and clients to authenticate by using Azure AD. This
authentication enables other scenarios, such as:
Install and assign Configuration Manager clients using Azure AD for authentication
Configure Azure AD User Discovery
Configure Azure AD User Group Discovery
Support certain cloud management gateway scenarios

TIP
For more information specific to cloud management, see Configure Azure Active Directory for cloud
management gateway.

App approval email notifications


Log Analytics Connector: Connect to Azure Log Analytics. Sync collection data to Log Analytics.

IMPORTANT
This article refers to the Log Analytics Connector, which was formerly called the OMS Connector. This feature was
deprecated in November 2020. It's removed from Configuration Manager in version 2107. For more information,
see Removed and deprecated features.

Microsoft Store for Business: Connect to the Microsoft Store for Business. Get store apps for your
organization that you can deploy with Configuration Manager.
Service details
The following table lists details about each of the services.
Tenants: The number of service instances you can configure. Each instance must be a distinct Azure AD
tenant.
Clouds: All services support the global Azure cloud, but not all services support private clouds, such as
the Azure US Government cloud.
Web app: Whether the service uses an Azure AD app of type Web app / API, also referred to as a server
app in Configuration Manager.
Native app: Whether the service uses an Azure AD app of type Native, also referred to as a client app in
Configuration Manager.
Actions: Whether you can import or create these apps in the Configuration Manager Azure Services
Wizard.

SERVICE                                    TENANTS    CLOUDS            WEB APP   NATIVE APP   ACTIONS
Cloud management with Azure AD discovery   Multiple   Public, Private                          Import, Create
Log Analytics Connector                    One        Public, Private                          Import
Microsoft Store for Business               One        Public                                   Import, Create

About Azure AD apps


Different Azure services require distinct configurations, which you make in the Azure portal. Additionally, the
apps for each service can require separate permissions to Azure resources.
You can use a single app for more than one service. There's only one object to manage in Configuration
Manager and Azure AD. When the security key on the app expires, you only have to refresh one key.
When you create additional Azure services in the wizard, Configuration Manager is designed to reuse
information that's common between services. This behavior helps you from needing to input the same
information more than once.
For more information about the required app permissions and configurations for each service, see the relevant
Configuration Manager article in Available services.
For more information about Azure apps, start with the following articles:
Authentication and authorization in Azure App Service
Web Apps overview
Basics of Registering an Application in Azure AD
Register your application with your Azure Active Directory tenant

Before you begin


After you decide the service to which you want to connect, refer to the table in Service details. This table
provides information you need to complete the Azure Service Wizard. Have a discussion in advance with your
Azure AD administrator. Decide which of the following actions to take:
Manually create the apps in advance in the Azure portal. Then import the app details into Configuration
Manager.
TIP
For more information specific to cloud management, see Manually register Azure Active Directory apps for the
cloud management gateway.

Use Configuration Manager to directly create the apps in Azure AD. To collect the necessary data from
Azure AD, review the information in the other sections of this article.
Some services require the Azure AD apps to have specific permissions. Review the information for each service
to determine any required permissions. For example, before you can import a web app, an Azure administrator
must first create it in the Azure portal.
When configuring the Log Analytics Connector, give your newly registered web app contributor permission on
the resource group that contains the relevant workspace. This permission allows Configuration Manager to
access that workspace. When assigning the permission, search for the name of the app registration in the Add
users area of the Azure portal. This process is the same as when providing Configuration Manager with
permissions to Log Analytics. An Azure administrator must assign these permissions before you import the app
into Configuration Manager.

Start the Azure Services wizard


1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select the Azure Services node.
2. On the Home tab of the ribbon, in the Azure Services group, select Configure Azure Services.
3. On the Azure Services page of the Azure Services Wizard:
a. Specify a Name for the object in Configuration Manager.
b. Specify an optional Description to help you identify the service.
c. Select the Azure service that you want to connect with Configuration Manager.
4. Select Next to continue to the Azure app properties page of the Azure Services Wizard.

Azure app properties


On the App page of the Azure Services Wizard, first select the Azure environment from the list. Refer to the
table in Service details for which environment is currently available to the service.
The rest of the App page varies depending upon the specific service. Refer to the table in Service details for
which type of app the service uses, and which action you can use.
If the app supports both the import and create actions, select Browse. This action opens the Server app
dialog or the Client App dialog.
If the app only supports the import action, select Import. This action opens the Import apps dialog
(server) or the Import apps dialog (client).
After you specify the apps on this page, select Next to continue to the Configuration or Discovery page of the
Azure Services Wizard.
Web app
This app is the Azure AD type Web app / API, also referred to as a server app in Configuration Manager.
Server app dialog
When you select Browse for the Web app on the App page of the Azure Services Wizard, it opens the Server
app dialog. It displays a list that shows the following properties of any existing web apps:
Tenant friendly name
App friendly name
Service Type
There are three actions you can take from the Server app dialog:
To reuse an existing web app, select it from the list.
Select Import to open the Import apps dialog.
Select Create to open the Create Server Application dialog.
After you select, import or create a web app, select OK to close the Server app dialog. This action returns to the
App page of the Azure Services Wizard.
Import apps dialog (server)
When you select Import from the Server app dialog or the App page of the Azure Services Wizard, it opens the
Import apps dialog. This page lets you enter information about an Azure AD web app that is already created in
the Azure portal. It imports metadata about that web app into Configuration Manager. Specify the following
information:
Azure AD Tenant Name : The name of your Azure AD tenant.
Azure AD Tenant ID : The GUID of your Azure AD tenant.
Application Name : A friendly name for the app, the display name in the app registration.
Client ID : The Application (client) ID value of the app registration. The format is a standard GUID.
Secret Key : You have to copy the secret key when you register the app in Azure AD.
Secret Key Expiry : Select a future date from the calendar.
App ID URI : This value needs to be unique in your Azure AD tenant. It's in the access token used by the
Configuration Manager client to request access to the service. The value is the Application ID URI of the
app registration entry in the Azure AD portal.
After entering the information, select Verify . Then select OK to close the Import apps dialog. This action returns
to either the App page of the Azure Services Wizard, or the Server app dialog.

IMPORTANT
When you use an imported Azure AD app, you aren't notified of an upcoming expiration date from console notifications.

Create Server Application dialog


When you select Create from the Server app dialog, it opens the Create Server Application dialog. This page
automates the creation of a web app in Azure AD. Specify the following information:
Application Name : A friendly name for the app.
HomePage URL : This value isn't used by Configuration Manager, but required by Azure AD. By default
this value is https://ConfigMgrService .
App ID URI : This value needs to be unique in your Azure AD tenant. It's in the access token used by the
Configuration Manager client to request access to the service. By default this value is
https://ConfigMgrService . Change the default to one of the following recommended formats:

api://{tenantId}/{string} , for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
https://{verifiedCustomerDomain}/{string} , for example, https://contoso.onmicrosoft.com/ConfigMgrService
Secret Key validity period : choose either 1 year or 2 years from the drop-down list. One year is the
default value.

NOTE
You may see an option for Never , but Azure AD no longer supports it. If you previously selected this option, the
expiration date is now set for 99 years from the date you created it.

Select Sign in to authenticate to Azure as an administrative user. These credentials aren't saved by
Configuration Manager. This persona doesn't require permissions in Configuration Manager, and doesn't need to
be the same account that runs the Azure Services Wizard. After successfully authenticating to Azure, the page
shows the Azure AD Tenant Name for reference.
Select OK to create the web app in Azure AD and close the Create Server Application dialog. This action returns
to the Server app dialog.

NOTE
If you have an Azure AD Conditional Access policy that applies to All cloud apps, you must exclude the created
server application from that policy. For more information on how to exclude specific apps, see the Azure AD
Conditional Access documentation.

Native Client app


This app is the Azure AD type Native, also referred to as a client app in Configuration Manager.
Client App dialog
When you select Browse for the Native Client app on the App page of the Azure Services Wizard, it opens the
Client App dialog. It displays a list that shows the following properties of any existing native apps:
Tenant friendly name
App friendly name
Service Type
There are three actions you can take from the Client App dialog:
To reuse an existing native app, select it from the list.
Select Import to open the Import apps dialog.
Select Create to open the Create Client Application dialog.
After you select, import or create a native app, choose OK to close the Client App dialog. This action returns to
the App page of the Azure Services Wizard.
Import apps dialog (client)
When you select Import from the Client App dialog, it opens the Import apps dialog. This page lets you enter
information about an Azure AD native app that is already created in the Azure portal. It imports metadata about
that native app into Configuration Manager. Specify the following information:
Application Name : A friendly name for the app.
Client ID : The Application (client) ID value of the app registration. The format is a standard GUID.
After entering the information, select Verify . Then select OK to close the Import apps dialog. This action returns
to the Client App dialog.
TIP
When you register the app in Azure AD, you may need to manually specify the following Redirect URI :
ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID> . Specify the app's client ID GUID, for example:
ms-appx-web://Microsoft.AAD.BrokerPlugin/a26a653e-17aa-43eb-ab36-0e36c7d29f49 .

Create Client Application dialog


When you select Create from the Client App dialog, it opens the Create Client Application dialog. This page
automates the creation of a native app in Azure AD. Specify the following information:
Application Name : A friendly name for the app.
Reply URL : This value isn't used by Configuration Manager, but required by Azure AD. By default this value is
https://ConfigMgrService .

Select Sign in to authenticate to Azure as an administrative user. These credentials aren't saved by
Configuration Manager. This persona doesn't require permissions in Configuration Manager, and doesn't need to
be the same account that runs the Azure Services Wizard. After successfully authenticating to Azure, the page
shows the Azure AD Tenant Name for reference.
Select OK to create the native app in Azure AD and close the Create Client Application dialog. This action returns
to the Client App dialog.

Configuration or Discovery
After specifying the web and native apps on the Apps page, the Azure Services Wizard proceeds to either a
Configuration or Discovery page, depending upon the service to which you're connecting. The details of this
page vary from service to service. For more information, see one of the following articles:
Cloud Management service, Discovery page: Configure Azure AD User Discovery
Log Analytics Connector service, Configuration page: Configure the connection to Log Analytics
Microsoft Store for Business service, Configurations page: Configure Microsoft Store for Business
synchronization
Finally, complete the Azure Services Wizard through the Summary, Progress, and Completion pages. You've
completed the configuration of an Azure service in Configuration Manager. Repeat this process to configure
other Azure services.

Update application settings


To allow your Configuration Manager clients to request an Azure AD device token and to enable the Reading
directory data permissions, you need to update the web server application settings.
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and
select the Azure Active Directory Tenants node.
2. Select the Azure AD tenant for the application you want to update.
3. In the Applications section, select your Azure AD web server application, then select Update Application
Settings from the ribbon.
4. When prompted for confirmation, select Yes to confirm you want to update the application with the latest
settings.

Renew secret key


You need to renew the Azure AD app's secret key before the end of its validity period. If you let the key expire,
Configuration Manager can't authenticate with Azure AD, which will cause your connected Azure services to stop
working.
Starting in version 2006, the Configuration Manager console displays notifications for the following
circumstances:
One or more Azure AD app secret keys will expire soon
One or more Azure AD app secret keys have expired
To mitigate both cases, renew the secret key.
For more information on how to interact with these notifications, see Configuration Manager console
notifications.

NOTE
You need to have at least the "Cloud Application Administrator" Azure AD role assigned to be able to renew the key.

Renew key for created app


1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select the Azure Active Directory Tenants node.
2. On the Details pane, select the Azure AD tenant for the app.
3. In the ribbon, select Renew Secret Key . Enter the credentials of either the app owner or an Azure AD
administrator.
Renew key for imported app
If you imported the Azure app into Configuration Manager, renew the secret in the Azure portal. Note the new
secret key and its expiry date, then enter both in the Renew Secret Key wizard.

NOTE
Save the secret key before closing the Azure application properties Key page. This information is removed when you close
the page.

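The following Python script is an added example for this article, not Configuration Manager or Microsoft code. It applies the same expired / expiring-soon check the console performs for created apps to a constructed list of app registrations in the shape of Microsoft Graph application objects, so that imported apps, which get no console notification, are covered as well. The app names, GUIDs, dates, the `imported` marker and the 30-day warning threshold are all assumptions; replace the sample list with the result of your own Graph query.

```python
"""Flag Azure AD app secrets that are expired or about to expire.

Constructed example for this article (not Configuration Manager code). The records
below imitate the shape of Microsoft Graph application objects (displayName, appId,
passwordCredentials[].endDateTime). Names, GUIDs and dates are invented, and the
'imported' flag is our own marker for apps imported rather than created by the
Azure Services Wizard. Nothing is fetched from Azure.
"""
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # assumption: warn a month ahead, like the console's "expire soon"
AS_OF = datetime(2022, 2, 16, tzinfo=timezone.utc)  # fixed reference date for the sample

SAMPLE_APPS = [
    {"displayName": "ConfigMgrService-Server", "imported": False,
     "appId": "5e97358c-d99c-4558-af0c-de7774091dda",
     "passwordCredentials": [
         {"keyId": "old", "endDateTime": "2021-12-01T00:00:00Z"},  # left over from a renewal
         {"keyId": "new", "endDateTime": "2023-02-10T00:00:00Z"}]},
    {"displayName": "LogAnalytics-Imported", "imported": True,
     "appId": "a26a653e-17aa-43eb-ab36-0e36c7d29f49",
     "passwordCredentials": [{"keyId": "k1", "endDateTime": "2022-03-05T00:00:00Z"}]},
    {"displayName": "OldSyncApp", "imported": True,
     "appId": "0f2b4c6d-8e90-4a1b-9c3d-5e6f70819a2b",
     "passwordCredentials": [{"keyId": "k2", "endDateTime": "2022-01-31T00:00:00Z"}]},
]


def parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; fromisoformat wants +00:00 before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secret_status(app, now=AS_OF, warn_days=WARN_DAYS):
    """Return (status, days_left) for the secret that expires last.

    status is 'no-secret', 'expired', 'expiring' or 'ok'. The latest-expiring secret
    is assumed to be the one Configuration Manager holds, which is the normal state
    right after a renewal; older secrets still listed are clutter to remove.
    """
    creds = app.get("passwordCredentials", [])
    if not creds:
        return "no-secret", None
    latest = max(parse_graph_time(c["endDateTime"]) for c in creds)
    days_left = (latest - now).days
    if latest <= now:
        return "expired", days_left
    if latest - now <= timedelta(days=warn_days):
        return "expiring", days_left
    return "ok", days_left


def apps_needing_renewal(apps, now=AS_OF, warn_days=WARN_DAYS):
    """Apps to act on, imported ones first because the console never warns about them."""
    rows = []
    for app in apps:
        status, days_left = secret_status(app, now, warn_days)
        if status != "ok":
            rows.append({"displayName": app["displayName"], "appId": app["appId"],
                         "imported": app.get("imported", False),
                         "status": status, "daysLeft": days_left})
    rows.sort(key=lambda r: (not r["imported"],
                             r["daysLeft"] if r["daysLeft"] is not None else -1))
    return rows


if __name__ == "__main__":
    for row in apps_needing_renewal(SAMPLE_APPS):
        print(f"{row['status']:<9} {str(row['daysLeft']):>5} days  "
              f"imported={row['imported']}  {row['displayName']} ({row['appId']})")
```

Run it on a schedule and route the output to the people who can renew the secret; for a created app the Renew Secret Key action in the console does the work, for an imported app someone has to go to the Azure portal first.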
Disable authentication
Starting in version 2010, you can disable Azure AD authentication for tenants that have no users or devices
associated with them. When you onboard Configuration Manager to Azure AD, it allows the site and clients to use
modern authentication. Azure AD device authentication is enabled for every onboarded tenant, whether or not
that tenant has devices. For example, you might have a separate tenant with a subscription that you use only
for the compute resources behind a cloud management gateway. If no users or devices are associated with that
tenant, disable Azure AD authentication for it.
1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Cloud Services and select the Azure Services node.
3. Select the target connection of type Cloud Management. In the ribbon, select Properties.
4. Switch to the Applications tab.
5. Select the option to Disable Azure Active Directory authentication for this tenant.
6. Select OK to save and close the connection properties.
TIP
It can take up to 25 hours for this change to take effect on clients. To make the change take effect sooner
when you're testing, use the following steps:
1. Restart the sms_executive service on the site server.
2. Restart the ccmexec service on the client.
3. Trigger the client schedule to refresh the default management point. For example, use the send schedule tool:
SendSchedule {00000000-0000-0000-0000-000000000023}

View the configuration of an Azure service


View the properties of an Azure service you've configured for use. In the Configuration Manager console, go to
the Administration workspace, expand Cloud Services, and select Azure Services. Select the service you
want to view or edit, and then select Properties.
If you select a service and then choose Delete in the ribbon, this action deletes the connection in Configuration
Manager. It doesn't remove the app registration in Azure AD. Ask your Azure administrator to delete the app when
it's no longer needed. If you need the connection again later, run the Azure Services Wizard and import the
existing app.

Cloud management data flow


The following diagram is a conceptual data flow for the interaction between Configuration Manager, Azure AD,
and connected cloud services. This specific example uses the Cloud Management service, which includes a
Windows 10 client, and both server and client apps. The flows for other services are similar.
1. The Configuration Manager administrator imports or creates the client and server apps in Azure AD.
2. The Configuration Manager Azure AD user discovery method runs. The site uses the Azure AD server app
token to query Microsoft Graph for user objects.
3. The site stores data about the user objects. For more information, see Azure AD User Discovery.
4. The Configuration Manager client requests the Azure AD user token. The client makes the claim using the
application ID of the Azure AD client app, and the server app as the audience. For more information, see
Claims in Azure AD Security Tokens.
5. The client authenticates with the site by presenting the Azure AD token to the cloud management
gateway and on-premises HTTPS-enabled management point.
For more detailed information, see Azure AD authentication workflow.
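To make step 4 concrete, here is an added Python example (not Configuration Manager code) that decodes a constructed access token and checks the claims the data flow depends on: the audience must be the server app's App ID URI and appid must be the client app's ID. The token is built locally and left unsigned purely so it can be decoded offline; a real token is RS256-signed by Azure AD and its signature must be verified against the tenant's published signing keys before any claim is trusted, a step this example does not perform. The tenant and app GUIDs are the illustrative values used earlier in this article, and the issuer format (https://sts.windows.net/{tenant}/) and the appid claim assume a v1 token.

```python
"""Check the claims of an Azure AD access token against what the site expects:
issued to the client app (appid) with the server app as the audience (aud).

Added example, not Configuration Manager code. The sample token is built locally with
alg=none so it decodes offline; signature verification is deliberately out of scope
and must be done separately. GUIDs are the article's illustrative values; the v1
issuer format and the appid claim are assumptions about the token version in use.
"""
import base64
import json
from datetime import datetime, timezone

TENANT_ID = "5e97358c-d99c-4558-af0c-de7774091dda"
CLIENT_APP_ID = "a26a653e-17aa-43eb-ab36-0e36c7d29f49"
SERVER_APP_ID_URI = "api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService"
AS_OF = int(datetime(2022, 2, 16, 12, 0, tzinfo=timezone.utc).timestamp())  # fixed clock


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims):
    """Construct an unsigned compact JWT for this example only (never do this for real)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""))


def decode_claims(token):
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, now=AS_OF, tenant_id=TENANT_ID,
                    client_app_id=CLIENT_APP_ID, server_app_id_uri=SERVER_APP_ID_URI):
    """Return a list of problems; an empty list means the claims match this site."""
    problems = []
    if claims.get("aud") != server_app_id_uri:
        problems.append("aud: token was issued for a different resource")
    if claims.get("appid") != client_app_id:
        problems.append("appid: token was not requested by the Configuration Manager client app")
    if claims.get("tid") != tenant_id:
        problems.append("tid: token is from another tenant")
    if claims.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        problems.append("iss: unexpected issuer")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp: token expired or missing")
    if nbf > now:
        problems.append("nbf: token not yet valid")
    return problems


# Constructed claims for a token the client obtained for the server app (audience).
GOOD_CLAIMS = {"aud": SERVER_APP_ID_URI, "appid": CLIENT_APP_ID, "tid": TENANT_ID,
               "iss": f"https://sts.windows.net/{TENANT_ID}/",
               "nbf": AS_OF - 300, "exp": AS_OF + 3600, "upn": "user@contoso.com"}
SAMPLE_TOKEN = build_sample_token(GOOD_CLAIMS)

# Same client, same user, but a token issued for a different resource: every other
# claim matches, so the audience check is the only thing that stops it being accepted.
GRAPH_AUDIENCE_CLAIMS = dict(GOOD_CLAIMS, aud="https://graph.microsoft.com")

if __name__ == "__main__":
    print("site token:", validate_claims(decode_claims(SAMPLE_TOKEN)) or "ok")
    print("graph token:", validate_claims(GRAPH_AUDIENCE_CLAIMS))
```

The App ID URI you choose in the Create Server Application dialog is exactly the value that ends up in aud, which is why the article insists it be unique in the tenant: two resources sharing an identifier would accept each other's tokens.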
Uninstall roles, sites, and hierarchies in
Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Use this article as a guide to uninstall a Configuration Manager site system role, site, or hierarchy.
Starting in version 2002, you can also remove the central administration site (CAS) from a hierarchy, but keep
the primary site.

Site system role


You might want to remove a role from a site system server for the following reasons:
Broader infrastructure change, such as network or physical locations
Decommission the underlying server
Consolidate roles to reduce costs and complexity
Reconfigure or redesign the site roles
Discontinue use of the feature that role supports
When you decide you need to remove a role, first consider your answers to the following questions:
Do you still need the role in the site? If so, does another site system already have the role?
Are other site systems with this role properly sized to support your business requirements for
performance and availability?
Are all clients already reconfigured to use another role? Will you rely upon default client behaviors to fall
back or discover another server?
Procedure to remove a site system role
Use the following procedure to remove a role:
1. In the Configuration Manager console, go to the Administration workspace. Expand Site
Configuration , and then select the Servers and Site System Roles node.
2. Select the site system server with the role to remove. In the Site System Roles details pane, select the
target role.
3. In the ribbon, on the Site Role tab, in the Site Role group, select Remove Role . Confirm that you want
to remove the role.
Additional information for specific roles
Some roles may have additional steps and considerations.
Software update point
After you remove the software update point, Configuration Manager updates the client policy to remove the
software update point from the list. When you remove the last software update point at the site, the software
update point list contains no software update points. With no roles available, software updates management is
essentially disabled at the site.
When you have more than one software update point at a primary site, and you remove the software update
point that's the synchronization source, choose another software update point at the site to be the new
synchronization source.

Secondary site
Other than when you're decommissioning a hierarchy, the main reason to remove a secondary site is because of
a broader infrastructure change, such as network or physical locations. Also review the reasons to choose a
secondary site.
When you decide you need to remove a secondary site, first consider your answers to the following questions:
Did you remove all site system roles from the site server?
Are any boundaries or boundary groups associated with the secondary site? Reconfigure boundaries
before removing the site.
Are any clients still at the location?
Have you configured other content management options like peer caching?
Options to delete secondary sites
You can't move or reassign a secondary site to another primary site. When you remove a secondary site from its
direct parent site, choose whether to uninstall or delete it.
Uninstall the secondary site
Use this option to remove a functional secondary site that's accessible from the network. This option uninstalls
Configuration Manager from the secondary site server. It then deletes all information about the site and its
resources from the Configuration Manager site.
If Configuration Manager installed SQL Server Express for the secondary site, Configuration Manager uninstalls
SQL Server Express as well. If you installed SQL Server Express before you installed the secondary site,
Configuration Manager doesn't uninstall SQL Server Express.
Delete the secondary site
Use this option in the following situations:
It failed to install
After you uninstall it, the Configuration Manager console still shows the secondary site
This option deletes all information about the site and its resources from the Configuration Manager
hierarchy, but doesn't make any changes on the site server.

TIP
You also can use the Hierarchy Maintenance Tool with the /DELSITE option to delete a secondary site. For more
information, see Hierarchy Maintenance Tool (Preinst.exe).

Prerequisites to delete a secondary site


The administrative user that runs Configuration Manager setup needs the following security rights:
Local Administrator rights on the secondary site server
If the primary site database server is remote from the primary site server, local Administrator rights on
the remote site database server for the primary site.
Infrastructure Administrator or Full Administrator security role on the parent primary site
Sysadmin rights on the secondary site database
Procedure to delete a secondary site
Use the following procedure to uninstall or delete a secondary site:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and then select the Sites node.
2. Select the secondary site server that you want to remove. In the ribbon, on the Home tab, in the Site
group, select Delete .
3. On the General page, select whether to uninstall or delete the secondary site.
4. Complete the wizard.

Primary site
You might want to uninstall a primary site from your hierarchy for the following reasons:
Consolidate sites to reduce costs and complexity
Reconfigure or redesign the sites of the hierarchy
Before you uninstall a child primary site that uses distributed views for its replication link to the CAS, first turn
off distributed views in your hierarchy. For more information, see Uninstall a primary site that is configured with
distributed views.
Plan to uninstall a primary site
Before you uninstall a primary site, review the following tasks:
Review boundaries, boundary groups, and fallback relationships. If you assign clients to a new site, but
don't change the boundaries, they may be considered roaming. For more information, see Define site
boundaries and boundary groups.
Make sure all active clients are reassigned to another primary site in the hierarchy. Otherwise clients will
be unmanaged after you uninstall the site. For more information, see How to assign clients to a site.
Review the list of site roles to make sure the new site provides the same level of service.
Make sure that the site systems in the other site that hold these roles are properly sized. They
will need to support your business requirements for performance and availability with the
additional clients.
If this site has lots of clients, reassign them in stages. Monitor database replication as clients
refresh full inventory and other site-specific data. If you manage software updates, clients will
assign to a new software update point. This behavior causes a full scan for update compliance.
Client reassignment may impact reports and queries that rely on inventory data, and state-based
compliance. Consider temporarily adjusting any client cycles during the transition.
Review all client assignment methods to make sure that none refer to this primary site.
Check if any actively used objects in the hierarchy have static references to the site code. For example,
collection queries, task sequences, or administrative scripts.
If the hierarchy uses a fallback site for automatic site assignment, make sure it doesn't reference this
primary site.
Reconfigure any client installation methods that may reference a static site code.
If this primary site has any site-specific cloud-attached services, make sure to remove them. If you still
need the cloud resources, move them to another primary site in the hierarchy. Remove them from the
primary site that you're going to uninstall, and add them to another primary site.
If this primary site has any discovery methods for the hierarchy, move them to another site.
Retire any site-based OS deployment media.
Uninstall all site system roles from the site and the site server. For more information, see Uninstall site
system roles. While this preparation step isn't required, it helps identify any additional dependencies
before uninstalling the site.
Uninstall any secondary sites under this primary site. For more information, see the Secondary site
section.
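For the site code review in the list above, the following Python script is an added example (not Configuration Manager code) that searches exported object text for hard-coded references to a site code. The objects, their contents and the site code PS1 are constructed; feed it the collection queries, task sequence command lines, client push installation properties and scripts exported from your own hierarchy.

```python
"""Find static references to a site code in objects that will outlive the site.

Added example, not Configuration Manager code. The objects below are constructed
stand-ins for things you would export from your own hierarchy (collection WQL,
task sequence command lines, client push installation properties, admin scripts);
their names, contents and the site code PS1 are invented.
"""
import re

SITE_CODE = "PS1"

OBJECTS = [
    {"kind": "collection query", "name": "Clients assigned to PS1",
     "text": 'select ResourceId from SMS_R_System where SMS_R_System.SMSAssignedSites = "PS1"'},
    {"kind": "task sequence step", "name": "Setup Windows and ConfigMgr",
     "text": "SMSSITECODE=PS1 SMSMP=mp01.contoso.com"},
    {"kind": "client push properties", "name": "Site push settings",
     "text": "SMSSITECODE=AUTO FSP=fsp01.contoso.com"},
    {"kind": "admin script", "name": "New-LabCollections.ps1",
     "text": "Set-Location 'PS1:'\nNew-CMDeviceCollection -Name Lab -LimitingCollectionName 'All Systems'"},
    {"kind": "admin script", "name": "Run-Report.ps1",
     "text": "Write-Output 'Run-Report.ps1: done'"},  # '.ps1:' must not count as a hit
    {"kind": "collection query", "name": "All Windows servers",
     "text": "select ResourceId from SMS_R_System where OperatingSystemNameandVersion "
             "like 'Microsoft Windows NT Server%'"},
]


def site_code_patterns(site_code):
    """Patterns for the places a site code is usually hard-coded.

    Matching is case-sensitive on purpose: site codes are upper-case, and a loose
    match would drag in script file names such as 'deploy.ps1:'. The lookbehind on
    the drive pattern rejects '.PS1:' and 'xPS1:' for the same reason.
    """
    code = re.escape(site_code)
    return {
        "WQL assigned site": re.compile(rf"SMSAssignedSites\s*=\s*[\"']{code}[\"']"),
        "SiteCode property": re.compile(rf"\bSiteCode\s*=\s*[\"']{code}[\"']"),
        "ccmsetup property": re.compile(rf"\bSMSSITECODE={code}\b"),
        "PowerShell site drive": re.compile(rf"(?<![\w.]){code}:"),
    }


def find_site_code_references(objects, site_code):
    """Return (kind, name, pattern label, matched text) for every hit, object by object."""
    patterns = site_code_patterns(site_code)
    hits = []
    for obj in objects:
        for label, pattern in patterns.items():
            for match in pattern.finditer(obj["text"]):
                hits.append((obj["kind"], obj["name"], label, match.group(0)))
    return hits


if __name__ == "__main__":
    for kind, name, label, snippet in find_site_code_references(OBJECTS, SITE_CODE):
        print(f"{kind:<22} {name:<30} {label:<22} {snippet}")
```

Treat the result as a starting list, not a guarantee: a site code can also be embedded in ways these patterns don't cover (for example in report parameters), so extend the pattern table with whatever your own environment uses.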
Prerequisites to uninstall a primary site
The administrative user that runs Configuration Manager setup needs the following security rights:
Local Administrator rights on the CAS server
If the CAS database server is remote from the site server, local Administrator rights on the remote site
database server for the CAS.
Sysadmin rights on the CAS site database
Local Administrator rights on the primary site server
If the primary site database server is remote from the primary site server, local Administrator rights on
the remote site database server for the primary site.
Infrastructure Administrator or Full Administrator security role on the CAS
Procedure to uninstall a primary site
You run Configuration Manager setup to uninstall a primary site that doesn't have an associated secondary site.
Use the following procedure to uninstall a primary site:

TIP
If the primary site server is no longer available, use the Hierarchy Maintenance Tool at the CAS to delete the primary site
from the site database. For more information, see Hierarchy Maintenance Tool (Preinst.exe).

1. Start Configuration Manager setup on the primary site server by using one of the following methods:
On the Start menu, select Configuration Manager Setup .
In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe . Make sure this version is the same as the site version.

In the directory where Configuration Manager is installed, open \BIN\X64\setup.exe .


2. Review the information on the Before You Begin page.
3. On the Getting Started page, select Uninstall a Configuration Manager site .

IMPORTANT
When a secondary site is attached to the primary site, you must remove the secondary site before you can
uninstall the primary site.

4. On the Uninstall the Configuration Manager Site page, both of the following options are enabled by
default:
Remove the site database from the primary site server
Remove the Configuration Manager console
5. Select Yes to confirm the uninstallation of the Configuration Manager primary site.
Uninstall a primary site that uses distributed views
1. Before you uninstall a child primary site, turn off distributed views on each link in the hierarchy between
the CAS and a primary site.
2. After you turn off distributed views on each link, confirm that the data from the primary site finishes
reinitializing at the CAS. To monitor the initialization of data, see Monitor replication.
3. After the data successfully reinitializes with the CAS, you can uninstall the primary site.
4. When the primary site is uninstalled, you can reconfigure distributed views on links from the CAS to
other primary sites.

IMPORTANT
If you uninstall the primary site before you turn off distributed views at each site, or before the data from the
primary site successfully reinitializes at the CAS, data replication might fail.

Decommission a hierarchy
Some organizations have multiple hierarchies because of mergers, acquisitions, test environments, or other
business requirements. If you consolidate management to a single hierarchy, this action can help reduce costs
and complexity. Another reason to decommission the hierarchy is that you're migrating to a cloud-only
management service such as Microsoft Intune, and are ready to remove your on-premises infrastructure.
To decommission a hierarchy with multiple sites, the sequence of removal is important. Start by uninstalling the
sites at the bottom of the hierarchy and then move upward:
1. Remove secondary sites attached to primary sites.
2. Uninstall primary sites.
3. After you uninstall all primary sites, you can uninstall the CAS.
For more information, see the following sections:
Remove a secondary site
Uninstall a primary site
Uninstall the CAS
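The removal order, and the single-primary condition for the Remove the CAS option described next, can be checked mechanically before anyone touches a site server. The Python below is an added example (not Configuration Manager code); the hierarchy is a constructed parent-to-children map that reuses the SHY, HAW and VWT site codes from the Remove the central administration site article below and adds the invented sites P02 and S02.

```python
"""Work out the bottom-up removal order for a hierarchy, and whether the
'Remove central administration site' option (exactly one child primary) applies.

Added example, not Configuration Manager code. The hierarchy is a constructed dict
of parent site code -> child site codes. SHY, HAW and VWT are the site codes used in
this documentation's before/after graphic; P02 and S02 are invented.
"""

SITE_TYPES = {"SHY": "cas", "HAW": "primary", "P02": "primary",
              "VWT": "secondary", "S02": "secondary"}
HIERARCHY = {"SHY": ["HAW", "P02"], "HAW": ["VWT", "S02"], "P02": []}

ACTION_FOR_TYPE = {"secondary": "uninstall or delete secondary site",
                   "primary": "run setup: Uninstall a Configuration Manager site",
                   "cas": "run setup: Uninstall a Configuration Manager site"}


def hierarchy_problems(hierarchy, site_types):
    """Report shapes Configuration Manager never produces; an empty list means sane."""
    problems = []
    for parent, children in hierarchy.items():
        if site_types[parent] == "secondary" and children:
            problems.append(f"{parent}: a secondary site cannot have child sites")
        for child in children:
            ctype, ptype = site_types[child], site_types[parent]
            if ctype == "cas":
                problems.append(f"{child}: the CAS must be the top of the hierarchy")
            elif ctype == "primary" and ptype != "cas":
                problems.append(f"{child}: primary sites attach only to the CAS")
            elif ctype == "secondary" and ptype != "primary":
                problems.append(f"{child}: secondary sites attach only to a primary site")
    return problems


def removal_order(hierarchy, root):
    """Post-order walk: every child site is removed before its parent."""
    order = []
    for child in hierarchy.get(root, []):
        order.extend(removal_order(hierarchy, child))
    order.append(root)
    return order


def can_remove_cas(hierarchy, site_types, cas):
    """'Remove the CAS' keeps the primary; it needs exactly one child primary under the CAS.

    Secondary sites under that primary are allowed and are not checked here.
    """
    children = hierarchy.get(cas, [])
    return (site_types.get(cas) == "cas" and len(children) == 1
            and site_types[children[0]] == "primary")


def decommission_plan(hierarchy, site_types, root):
    """Ordered (site, action) steps to take the whole hierarchy down."""
    problems = hierarchy_problems(hierarchy, site_types)
    if problems:
        raise ValueError("; ".join(problems))
    return [(site, ACTION_FOR_TYPE[site_types[site]])
            for site in removal_order(hierarchy, root)]


if __name__ == "__main__":
    for step, (site, action) in enumerate(decommission_plan(HIERARCHY, SITE_TYPES, "SHY"), 1):
        print(f"{step}. {site} ({SITE_TYPES[site]}): {action}")
    print("Remove-the-CAS eligible:", can_remove_cas(HIERARCHY, SITE_TYPES, "SHY"))
```

For the sample hierarchy the plan removes VWT and S02, then HAW, then P02, then SHY; with two child primaries the Remove the CAS shortcut is not available until P02 has been uninstalled.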
Uninstall the CAS
The final step to decommission a hierarchy is to uninstall the CAS. Run Configuration Manager setup on the CAS
after all of its child primary sites have been removed.
Prerequisites to uninstall the CAS
The administrative user who runs Configuration Manager setup needs the following security rights:
Local Administrator rights on the CAS server
If the CAS database server is remote from the site server, local Administrator rights on the remote site
database server for the CAS.
Procedure to uninstall the CAS
1. Start Configuration Manager setup on the CAS server by using one of the following methods:
On the Start menu, select Configuration Manager Setup .
In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe . Make sure this version is the same as the site version.

In the directory where Configuration Manager is installed, open \BIN\X64\setup.exe .


2. Review the information on the Before You Begin page.
3. On the Getting Started page, select Uninstall a Configuration Manager site .

IMPORTANT
Remove all child primary sites before you can uninstall the CAS.

4. On the Uninstall the Configuration Manager Site page, both of the following options are enabled by
default:
Remove the site database from the CAS server
Remove the Configuration Manager console
5. Select Yes to confirm the uninstallation of the Configuration Manager central administration site (CAS).

Remove the CAS


Starting in version 2002, if the hierarchy consists of the CAS and a single child primary site, you can remove the
CAS. This action simplifies your Configuration Manager infrastructure to a single, standalone primary site. It
removes the complexities of site-to-site replication, and focuses your management tasks to the single site.
For more information, see Remove the CAS.
Remove the central administration site
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


If the hierarchy consists of the central administration site (CAS) and a single child primary site, you can remove
the CAS. This action simplifies your Configuration Manager infrastructure to a single, standalone primary site. It
removes the complexities of site-to-site replication, and focuses your management tasks to the single site.

NOTE
This feature was first introduced in version 2002 as a pre-release feature. Starting in version 2103, it's no longer
a pre-release feature.
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For
more information, see Enable optional features from updates.

Plan
The hierarchy needs to consist of the CAS and a single child primary site. The primary site can have
secondary sites. To remove other child primary sites from the hierarchy, review the planning steps and
prerequisites to Uninstall a primary site.
Make sure your child primary site meets the size and scale requirements for a stand-alone primary site.
Make sure to upgrade all sites to the latest released version of Configuration Manager current branch.
Move or retire any site roles at the CAS, except the service connection point and the software update
point. Configuration Manager setup handles these two roles when you remove the CAS.
The following roles are most common at the CAS, which you need to retire or move to the primary site:
Asset Intelligence sync point
Endpoint Protection point
Reporting services point
Data warehouse service point
Cloud management gateway (CMG)
Turn off distributed views
Configuration Manager automatically handles package source locations for built-in packages, like the
Configuration Manager client. Review all other content source locations to make sure they aren't using a
share on the CAS.
Stop any active migration jobs and remove all configurations for migration. For more information, see
Stop active migration from another hierarchy.
If you have any custom status filter rules or alerts and subscriptions, recreate them on the child primary
site. Starting in version 2107, also recreate any subscriptions for external notifications.
If you use automatic deployment rules for software updates, recreate them on the child primary site.
If you use Configuration Manager or System Center Updates Publisher to manage third-party software
updates, export the WSUS signing certificate from the software update point on the CAS.
Before you remove the CAS, wait for the deadlines of any required deployments of third-party
software updates. Clients pre-download content for required deployments, and when you change the
software update point, the content hash changes with local publishing of software updates. (This
behavior doesn't impact other content types, only local publishing of third-party software updates.) If
you remove the CAS with these required deployments still in-progress, they'll fail on clients with a
hash mismatch error.
Review any third-party software that might have a dependency on the CAS.

Prerequisites
Configuration Manager version 2103 or later.
The administrative user that runs Configuration Manager setup needs the following security rights:
Local Administrator rights on the CAS server
If the CAS database server is remote from the site server, local Administrator rights on the
remote site database server for the CAS.
Sysadmin rights on the CAS site database
Local Administrator rights on the primary site server
If the primary site database server is remote from the primary site server, local Administrator
rights on the remote site database server for the primary site.
Sysadmin rights on the primary site database
Infrastructure Administrator or Full Administrator security role on the CAS and primary site
Only one child primary site in the hierarchy. For more information, see Uninstall a primary site.

Process
1. Start Configuration Manager setup on the CAS server by using one of the following methods:
On the Start menu, select Configuration Manager Setup .
In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe . Make sure this version is the same as the site version.

In the directory where Configuration Manager is installed, open \BIN\X64\setup.exe .


2. Review the information on the Before You Begin page.
3. On the Getting Star ted page, select Perform site maintenance or reset this site .
4. On the Site Maintenance page, select Remove central administration site .
5. On the Reconfiguring Existing Site System Roles page:
Ser vice Connection Point : Enter the fully qualified domain name of the site system in the
primary site to host this required role. For more information, see About the service connection
point.
Software Update Point : Select an existing software update point in the primary site. Setup
configures this software update point to synchronize the same as the CAS configuration.
Setup checks that the specified servers meet the prerequisites. Select Begin Install when you're ready to
continue.
If setup comes across an issue, use the wizard to retry the process.
When setup is complete, it resets the primary site. For more information, see Run a site reset.

Monitor and verify
Review the following logs during the setup process:
C:\ConfigMgrSetup.log on the CAS server
hman.log in the Configuration Manager logs directory on the primary site server
Use the Site Hierarchy node in the Monitoring workspace to visualize the changes to the hierarchy. For
example, the following graphic shows the before and after comparison of the SHY CAS, HAW primary site, and
VWT secondary site:
[Figure: Site Hierarchy node, before and after removing the CAS]

Post-setup tasks
After you remove the CAS, review the following steps as they apply to your environment.
Manually remove the CAS server computer account from the primary site local groups.
The trusted root key changed, which can require additional actions:
Update OS deployment boot images to include the latest Configuration Manager binaries.
Recreate OS deployment media.
In version 2107, if you enable Endpoint Analytics for devices uploaded to Microsoft Endpoint Manager,
re-enable this option.
If you connect Configuration Manager with Azure Monitor, you need to reset the connection. The first
step to resolve any issues is to renew the secret key. If that doesn't resolve the issue, recreate the
connection.
IMPORTANT
The Log Analytics Connector was deprecated in November 2020. It's removed from Configuration Manager in
version 2107. For more information, see Removed and deprecated features.

If you enable synchronization of Surface drivers, reconfigure this feature after you remove the CAS. For
more information, see Microsoft Surface drivers and firmware updates.
If you manage third-party software updates:
1. Export the WSUS signing certificate from the software update point on the CAS, if you haven't
already.
2. Before you create any new deployments, remove the update from any existing deployments and
software update packages.
3. To recover software update metadata into a usable state, resynchronize subscribed catalogs. You
can also wait for Configuration Manager to automatically resynchronize.
4. Start or wait for a normal software update sync process to update Configuration Manager with the
current status from WSUS. Optionally, use SCUP or WSUS PowerShell cmdlets to delete and re-add
updates.
5. Republish content for updates that you need to deploy.
Accounts used in Configuration Manager
2/16/2022 • 31 minutes to read

Applies to: Configuration Manager (current branch)


Use the following information to identify the Windows groups, accounts, and SQL Server objects that are used
in Configuration Manager, how they're used, and any requirements.
Windows groups that Configuration Manager creates and uses
Configuration Manager_CollectedFilesAccess
Configuration Manager_DViewAccess
Configuration Manager Remote Control Users
SMS Admins
SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
SMS_SiteToSiteConnection_<sitecode>
Accounts that Configuration Manager uses
Active Directory group discovery account
Active Directory system discovery account
Active Directory user discovery account
Active Directory forest account
Certificate registration point account
Capture OS image account
Client push installation account
Enrollment point connection account
Exchange Server connection account
Management point connection account
Multicast connection account
Network access account
Package access account
Reporting services point account
Remote tools permitted viewer accounts
Site installation account
Site system installation account
Site system proxy server account
SMTP server connection account
Software update point connection account
Source site account
Source site database account
Task sequence domain join account
Task sequence network folder connection account
Task sequence run as account
User objects that Configuration Manager uses in SQL
smsdbuser_ReadOnly
smsdbuser_ReadWrite
smsdbuser_ReportSchema
Database roles that Configuration Manager uses in SQL
smsdbrole_AITool
smsdbrole_AIUS
smsdbrole_CRP
smsdbrole_CRPPfx
smsdbrole_DMP
smsdbrole_DmpConnector
smsdbrole_DViewAccess
smsdbrole_DWSS
smsdbrole_EnrollSvr
smsdbrole_extract
smsdbrole_HMSUser
smsdbrole_MCS
smsdbrole_MP
smsdbrole_MPMBAM
smsdbrole_MPUserSvc
smsdbrole_siteprovider
smsdbrole_siteserver
smsdbrole_SUP
smsschm_users

Windows groups that Configuration Manager creates and uses


Configuration Manager automatically creates, and in many cases automatically maintains, the following
Windows groups:

NOTE
When Configuration Manager creates a group on a computer that's a domain member, the group is a local security
group. If the computer is a domain controller, the group is a domain local group. This type of group is shared among all
domain controllers in the domain.

Configuration Manager_CollectedFilesAccess
Configuration Manager uses this group to grant access to view files collected by software inventory.
For more information, see Introduction to software inventory.
Type and location for CollectedFilesAccess
This group is a local security group created on the primary site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.
Membership for CollectedFilesAccess
Configuration Manager automatically manages the group membership. Membership includes administrative
users that are granted the View Collected Files permission to the Collection securable object from an
assigned security role.
Permissions for CollectedFilesAccess
By default, this group has Read permission to the following folder on the site server:
C:\Program Files\Microsoft Configuration Manager\sinv.box\FileCol

Configuration Manager_DViewAccess
This group is a local security group that Configuration Manager creates on the site database server or database
replica server for a child primary site. The site creates it when you use distributed views for database replication
between sites in a hierarchy. It contains the site server and SQL Server computer accounts of the central
administration site.
For more information, see Data transfers between sites.
Configuration Manager Remote Control Users
Configuration Manager remote tools use this group to store the accounts and groups that you set up in the
Permitted Viewers list. The site assigns this list to each client.
For more information, see Introduction to remote control.
Type and location for remote control users
This group is a local security group created on the Configuration Manager client when the client receives a
policy that enables remote tools.
After you disable remote tools for a client, this group isn't automatically removed. Manually delete it after
disabling remote tools.
Membership for remote control users
By default, there are no members in this group. When you add users to the Permitted Viewers list, they're
automatically added to this group.
Use the Permitted Viewers list to manage the membership of this group instead of adding users or groups
directly to this group.
In addition to being a permitted viewer, an administrative user must have the Remote Control permission to
the Collection object. Assign this permission by using the Remote Tools Operator security role.
Permissions for remote control users
By default, this group doesn't have permissions to any locations on the computer. It's used only to hold the
Permitted Viewers list.
SMS Admins
Configuration Manager uses this group to grant access to the SMS Provider through WMI. Access to the SMS
Provider is required to view and change objects in the Configuration Manager console.

NOTE
The role-based administration configuration of an administrative user determines which objects they can view and
manage when using the Configuration Manager console.

For more information, see Plan for the SMS Provider.


Type and location for SMS Admins
This group is a local security group created on each computer that has an SMS Provider.
When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.
Membership for SMS Admins
Configuration Manager automatically manages the group membership. By default, each administrative user in a
hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider
computer in a site.
Permissions for SMS Admins
You can view the rights and permissions for the SMS Admins group in the WMI Control MMC snap-in. By
default, this group is granted Enable Account and Remote Enable on the Root\SMS WMI namespace.
Authenticated users have Execute Methods, Provider Write, and Enable Account.
When you use a remote Configuration Manager console, configure Remote Activation DCOM permissions on
both the site server computer and the SMS Provider. Grant these rights to the SMS Admins group. This action
simplifies administration instead of granting these rights directly to users or groups. For more information, see
Configure DCOM permissions for remote Configuration Manager consoles.
SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
Management points that are remote from the site server use this group to connect to the site database. This
group provides a management point access to the inbox folders on the site server and the site database.
Type and location for SMS_SiteSystemToSiteServerConnection_MP
This group is a local security group created on each computer that has an SMS Provider.
When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.
Membership for SMS_SiteSystemToSiteServerConnection_MP
Configuration Manager automatically manages the group membership. By default, membership includes the
computer accounts of remote computers that have a management point for the site.
Permissions for SMS_SiteSystemToSiteServerConnection_MP
By default, this group has Read, Read & execute, and List folder contents permission to the following folder
on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes. This group also has Write
permission to subfolders below inboxes, to which the management point writes client data.
SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
Remote SMS Provider computers use this group to connect to the site server.
Type and location for SMS_SiteSystemToSiteServerConnection_SMSProv
This group is a local security group created on the site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.
Membership for SMS_SiteSystemToSiteServerConnection_SMSProv
Configuration Manager automatically manages the group membership. By default, membership includes the
computer account or a domain user account. It uses this account to connect to the site server from each remote
SMS Provider.
Permissions for SMS_SiteSystemToSiteServerConnection_SMSProv
By default, this group has Read, Read & execute, and List folder contents permission to the following folder
on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes. This group also has the Write
and Modify permissions to subfolders below the inboxes. The SMS Provider requires access to these folders.
This group also has Read permission to the subfolders on the site server below
C:\Program Files\Microsoft Configuration Manager\OSD\Bin.
It also has the following permissions to the subfolders below
C:\Program Files\Microsoft Configuration Manager\OSD\boot:
Read
Read & execute
List folder contents
Write
Modify
SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
The file dispatch manager component on Configuration Manager remote site system computers uses this group
to connect to the site server.
Type and location for SMS_SiteSystemToSiteServerConnection_Stat
This group is a local security group created on the site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.
Membership for SMS_SiteSystemToSiteServerConnection_Stat
Configuration Manager automatically manages the group membership. By default, membership includes the
computer account or the domain user account. It uses this account to connect to the site server from each
remote site system that runs the file dispatch manager.
Permissions for SMS_SiteSystemToSiteServerConnection_Stat
By default, this group has Read, Read & execute, and List folder contents permission to the following folder
and its subfolders on the site server: C:\Program Files\Microsoft Configuration Manager\inboxes.
This group also has the Write and Modify permissions to the following folder on the site server:
C:\Program Files\Microsoft Configuration Manager\inboxes\statmgr.box.

SMS_SiteToSiteConnection_<sitecode>
Configuration Manager uses this group to enable file-based replication between sites in a hierarchy. For each
remote site that directly transfers files to this site, this group has accounts set up as a File Replication
Account.
Type and location for SMS_SiteToSiteConnection
This group is a local security group created on the site server.
Membership for SMS_SiteToSiteConnection
When you install a new site as a child of another site, Configuration Manager automatically adds the computer
account of the new site server to this group on the parent site server. Configuration Manager also adds the
parent site's computer account to the group on the new site server. If you specify another account for file-based
transfers, add that account to this group on the destination site server.
When you uninstall a site, this group isn't automatically removed. Manually delete it after uninstalling a site.
Permissions for SMS_SiteToSiteConnection
By default, this group has Full control to the following folder:
C:\Program Files\Microsoft Configuration Manager\inboxes\despoolr.box\receive.
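The groups and folder rights described in this section are worth auditing periodically, because Configuration Manager maintains the membership but an extra member or a widened ACL is easy to miss. The following script is an added example written for this page, not code from the Configuration Manager product or documentation. It enumerates the site-server groups named above, lists their members, and compares the NTFS rights on the documented inbox and OSD folders with the documented defaults. It assumes it runs elevated on a primary site server, that the site uses the default installation path, and that the site code in $SiteCode (a constructed sample value) is replaced with your own.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Run elevated on a primary site server. Assumptions (constructed for this example):
# $SiteCode is your three-character site code; the site is installed under $InstallDir.
$SiteCode   = 'PS1'
$InstallDir = 'C:\Program Files\Microsoft Configuration Manager'
$FSR        = [System.Security.AccessControl.FileSystemRights]

# One entry per (group, folder) pair the page describes. Rights are the documented
# defaults; ReadAndExecute covers Read, Read & execute and List folder contents.
$expected = @(
    @{ Group = "SMS_SiteSystemToSiteServerConnection_MP_$SiteCode";      Path = "$InstallDir\inboxes";                      Rights = $FSR::ReadAndExecute }
    @{ Group = "SMS_SiteSystemToSiteServerConnection_SMSProv_$SiteCode"; Path = "$InstallDir\inboxes";                      Rights = $FSR::ReadAndExecute }
    @{ Group = "SMS_SiteSystemToSiteServerConnection_SMSProv_$SiteCode"; Path = "$InstallDir\OSD\Bin";                      Rights = $FSR::Read }
    @{ Group = "SMS_SiteSystemToSiteServerConnection_SMSProv_$SiteCode"; Path = "$InstallDir\OSD\boot";                     Rights = $FSR::Modify }
    @{ Group = "SMS_SiteSystemToSiteServerConnection_Stat_$SiteCode";    Path = "$InstallDir\inboxes";                      Rights = $FSR::ReadAndExecute }
    @{ Group = "SMS_SiteSystemToSiteServerConnection_Stat_$SiteCode";    Path = "$InstallDir\inboxes\statmgr.box";          Rights = $FSR::Modify }
    @{ Group = "SMS_SiteToSiteConnection_$SiteCode";                     Path = "$InstallDir\inboxes\despoolr.box\receive"; Rights = $FSR::FullControl }
)

function Get-GroupReport {
    # Returns whether the local group exists and who is in it.
    param([string]$Group)
    $g = Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue
    if (-not $g) { return [pscustomobject]@{ Group = $Group; Exists = $false; Members = @() } }
    $members = @()
    try   { $members = @((Get-LocalGroupMember -Group $g -ErrorAction Stop).Name) }
    catch { Write-Warning "Could not enumerate members of '$Group': $_" }
    [pscustomobject]@{ Group = $Group; Exists = $true; Members = $members }
}

function Test-FolderRights {
    # Compares the Allow ACEs for $Group on $Path against the documented default rights.
    param([string]$Group, [string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    if (-not (Test-Path -LiteralPath $Path)) { return 'folder missing' }
    $acl  = Get-Acl -LiteralPath $Path
    # Local group ACEs resolve as COMPUTERNAME\GroupName, so match on the name part only.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Group" -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    })
    if ($aces.Count -eq 0) { return 'no Allow ACE for group' }
    $has = $aces | Where-Object { $_.FileSystemRights.HasFlag($Rights) }
    if ($has) { 'ok' } else { 'rights differ from documented default: ' + (($aces | ForEach-Object { $_.FileSystemRights }) -join ', ') }
}

# 1. Group existence and membership. Members that Configuration Manager did not add
#    (the page says it manages these memberships itself) deserve a second look.
$groups = @($expected | ForEach-Object { $_.Group } | Select-Object -Unique) + 'SMS Admins'
foreach ($name in $groups) { Get-GroupReport -Group $name | Format-List }

# 2. NTFS rights versus the documented defaults.
$expected | ForEach-Object {
    [pscustomobject]@{
        Group  = $_.Group
        Path   = $_.Path
        Result = Test-FolderRights -Group $_.Group -Path $_.Path -Rights $_.Rights
    }
} | Format-Table -AutoSize -Wrap
```

The check only confirms that the group holds at least the documented rights; a result other than `ok` means the ACL was changed from the default and should be reconciled with the descriptions above, and an unexpected member in any of these groups should be traced back to whoever added it, since the page states that Configuration Manager maintains the membership itself.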

Accounts that Configuration Manager uses


You can set up the following accounts for Configuration Manager.

TIP
Don't use the percentage character (%) in the password for accounts that you specify in the Configuration Manager
console. The account will fail to authenticate.

Active Directory group discovery account


The site uses the Active Directory group discovery account to discover the following objects from the
locations in Active Directory Domain Services that you specify:
Local, global, and universal security groups
The membership within these groups
The membership within distribution groups
Distribution groups aren't discovered as group resources
This account can be a computer account of the site server that runs discovery, or a Windows user account. It
must have Read access permission to the Active Directory locations that you specify for discovery.
For more information, see Active Directory group discovery.
Active Directory system discovery account
The site uses the Active Directory system discovery account to discover computers from the locations in
Active Directory Domain Services that you specify.
This account can be a computer account of the site server that runs discovery, or a Windows user account. It
must have Read access permission to the Active Directory locations that you specify for discovery.
For more information, see Active Directory system discovery.
Active Directory user discovery account
The site uses the Active Directory user discovery account to discover user accounts from the locations in
Active Directory Domain Services that you specify.
This account can be a computer account of the site server that runs discovery, or a Windows user account. It
must have Read access permission to the Active Directory locations that you specify for discovery.
For more information, see Active Directory user discovery.
Active Directory forest account
The site uses the Active Directory forest account to discover network infrastructure from Active Directory
forests. Central administration sites and primary sites also use it to publish site data to Active Directory Domain
Services for a forest.

NOTE
Secondary sites always use the secondary site server computer account to publish to Active Directory.

To discover and publish to untrusted forests, the Active Directory forest account must be a global account. If you
don't use the computer account of the site server, you can select only a global account.
This account must have Read permissions to each Active Directory forest where you want to discover network
infrastructure.
This account must have Full Control permissions to the System Management container and all its child
objects in each Active Directory forest where you want to publish site data. For more information, see Prepare
Active Directory for site publishing.
For more information, see Active Directory forest discovery.
Certificate registration point account
The certificate registration point uses the Certificate registration point account to connect to the
Configuration Manager database. It uses its computer account by default, but you can configure a user account
instead. When the certificate registration point is in an untrusted domain from the site server, you must specify a
user account. This account requires only Read access to the site database, because the state message system
handles write tasks.
For more information, see Introduction to certificate profiles.
Capture OS image account
When you capture an OS image, Configuration Manager uses the Capture OS image account to access the
folder where you store captured images. If you add the Capture OS Image step to a task sequence, this
account is required.
The account must have Read and Write permissions on the network share where you store captured images.
If you change the password for the account in Windows, update the task sequence with the new password. The
Configuration Manager client receives the new password when it next downloads the client policy.
If you need to use this account, create one domain user account. Grant it minimal permissions to access the
required network resources, and use it for all capture task sequences.

IMPORTANT
Don't assign interactive sign-in permissions to this account.
Don't use the network access account for this account.

For more information, see Create a task sequence to capture an OS.


Client push installation account
When you deploy clients by using the client push installation method, the site uses the Client push
installation account to connect to computers and install the Configuration Manager client software. If you
don't specify this account, the site server tries to use its computer account.
This account must be a member of the local Administrators group on the target client computers. This account
doesn't require Domain Admin rights.
You can specify more than one client push installation account. Configuration Manager tries each one in turn
until one succeeds.

TIP
If you have a large Active Directory environment and need to change this account, use the following process to more
effectively coordinate this account update:
1. Create a new account with a different name
2. Add the new account to the list of client push installation accounts in Configuration Manager
3. Allow sufficient time for Active Directory Domain Services to replicate the new account
4. Then remove the old account from Configuration Manager and Active Directory Domain Services

IMPORTANT
Use domain or local group policy to assign the Windows user right to Deny log on locally. As a member of the
Administrators group, this account will have the right to sign in locally, which isn't needed. For better security, explicitly
deny the right for this account. The deny right supersedes the allow right.

For more information, see Client push installation.
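Because the client push installation account is a local administrator on every target, the page recommends denying it the right to log on locally. The script below is an added example written for this page, not code from the Configuration Manager product or documentation; it exports the effective user rights assignment with secedit and reports whether a given account is explicitly denied interactive logon, directly granted it, or inherits it through membership in the local Administrators group. The same check serves the accounts later on this page that should not have interactive sign-in rights (management point connection, multicast connection and network access accounts). It assumes it runs elevated on the machine whose effective policy you want to inspect, and that the account name in $Account (a constructed sample) is replaced with your own.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Run elevated on a domain-joined client or server; the exported policy reflects
# the rights applied there by local and domain group policy.
$Account = 'CONTOSO\svc-clientpush'   # constructed sample account name

function Get-UserRightsAssignment {
    # Returns a hashtable: privilege name -> array of principals (SIDs prefixed with '*',
    # or names) holding it, parsed from the [Privilege Rights] section of a secedit export.
    $tmp = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path -LiteralPath $tmp)) { throw 'secedit export failed; run this elevated.' }
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $tmp) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    Remove-Item -LiteralPath $tmp -Force
    return $rights
}

function Test-InteractiveLogon {
    # Reports how $Account stands with respect to interactive logon on this machine.
    param([string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $ura = Get-UserRightsAssignment
    $holds = {
        param($priv)
        $entries = @($ura[$priv])
        [bool]($entries | Where-Object { $_ -eq "*$sid" -or $_ -eq $Account })
    }
    # Membership in local Administrators (S-1-5-32-544) grants the right when that group
    # appears under SeInteractiveLogonRight, which is the default.
    $isLocalAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                           Where-Object { $_.SID.Value -eq $sid })
    $adminsMayLogon = [bool](@($ura['SeInteractiveLogonRight']) -contains '*S-1-5-32-544')
    [pscustomobject]@{
        Account                = $Account
        DeniedInteractiveLogon = & $holds 'SeDenyInteractiveLogonRight'
        DirectlyGrantedLogon   = & $holds 'SeInteractiveLogonRight'
        LogonViaAdministrators = ($isLocalAdmin -and $adminsMayLogon)
    }
}

$r = Test-InteractiveLogon -Account $Account
$r | Format-List
if (-not $r.DeniedInteractiveLogon -and ($r.DirectlyGrantedLogon -or $r.LogonViaAdministrators)) {
    Write-Warning "$Account can sign in interactively here; assign 'Deny log on locally' as recommended above."
}
```

As the page notes, the deny right supersedes the allow right, so `DeniedInteractiveLogon = True` is the desired outcome regardless of the other two columns. The check does not expand nested group membership beyond the local Administrators group, so an account that reaches Administrators through a domain group still shows `LogonViaAdministrators = False` and has to be reviewed through the group's membership.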


Enrollment point connection account
The enrollment point uses the Enrollment point connection account to connect to the Configuration
Manager site database. It uses its computer account by default, but you can configure a user account instead.
When the enrollment point is in an untrusted domain from the site server, you must specify a user account. This
account requires Read and Write access to the site database.
For more information, see Install site system roles for on-premises MDM.
Exchange Server connection account
The site server uses the Exchange Server connection account to connect to the specified Exchange Server. It
uses this connection to find and manage mobile devices that connect to Exchange Server. This account requires
Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer. For more
information about the cmdlets, see Install and configure the Exchange connector.
Management point connection account
The management point uses the Management point connection account to connect to the Configuration
Manager site database. It uses this connection to send and retrieve information for clients. The management
point uses its computer account by default, but you can configure a user account instead. When the
management point is in an untrusted domain from the site server, you must specify a user account.
Create the account as a low-right local account on the computer that runs Microsoft SQL Server.

IMPORTANT
Don't grant interactive sign-in rights to this account.

Multicast connection account


Multicast-enabled distribution points use the Multicast connection account to read information from the site
database. The server uses its computer account by default, but you can configure a user account instead. When
the site database is in an untrusted forest, you must specify a user account. For example, if your data center has
a perimeter network in a forest other than the site server and site database, use this account to read the
multicast information from the site database.
If you need this account, create it as a low-right local account on the computer that runs Microsoft SQL Server.

IMPORTANT
Don't grant interactive sign-in rights to this account.

For more information, see Use multicast to deploy Windows over the network.
Network access account
Client computers use the network access account when they can't use their local computer account to access
content on distribution points. It mostly applies to workgroup clients and computers from untrusted domains.
This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a
computer account on the domain.

IMPORTANT
The network access account is never used as the security context to run programs, install software updates, or run task
sequences. It's used only for accessing resources on the network.

A Configuration Manager client first tries to use its computer account to download the content. If it fails, it then
automatically tries the network access account.
If you configure the site for HTTPS or Enhanced HTTP, a workgroup or Azure AD-joined client can securely
access content from distribution points without the need for a network access account. This behavior includes
OS deployment scenarios with a task sequence running from boot media, PXE, or Software Center. For more
information, see Client to management point communication.
NOTE
If you enable Enhanced HTTP to not require the network access account, the distribution point needs to be running
Windows Server 2012 or later.

Permissions for the network access account


Grant this account the minimum appropriate permissions on the content that the client requires to access the
software. The account must have the Access this computer from the network right on the distribution
point. You can configure up to 10 network access accounts per site.
Create the account in any domain that provides the necessary access to resources. The network access account
must always include a domain name. Pass-through security isn't supported for this account. If you have
distribution points in multiple domains, create the account in a trusted domain.

TIP
To avoid account lockouts, don't change the password on an existing network access account. Instead, create a new
account and set up the new account in Configuration Manager. When sufficient time has passed for all clients to have
received the new account details, remove the old account from the network shared folders and delete the account.

IMPORTANT
Don't grant interactive sign-in rights to this account.
Don't grant this account the right to join computers to the domain. If you must join computers to the domain during a
task sequence, use the Task sequence domain join account.

Configure the network access account


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node. Then select the site.
2. On the Settings group of the ribbon, select Configure Site Components, and choose Software
Distribution.
3. Choose the Network access account tab. Set up one or more accounts, and then choose OK.
Actions that require the network access account
The network access account is still required for the following actions:
Multicast. For more information, see Use multicast to deploy Windows over the network.
Task sequence deployment option to Access content directly from a distribution point when
needed by the running task sequence. For more information, see Task sequence deployment options.
Request State Store task sequence step. If the task sequence can't communicate with the state
migration point using the device's computer account, it falls back to use the network access account. For
more information, see Request State Store.
Apply OS Image task sequence step option to Access content directly from the distribution
point. This option is primarily for Windows Embedded scenarios with low disk space where caching
content to the local disk is costly. For more information, see Access content directly from the distribution
point.
Task Sequence properties setting to Run another program first. This setting runs a package and
program from a network share before the task sequence starts. For more information, see Manage task
sequences to automate tasks: Advanced settings.
Managing clients in untrusted domains and in cross-forest scenarios, which allows multiple network access
accounts.
Package access account
A Package access account lets you set NTFS permissions to specify the users and user groups that can access
package content on distribution points. By default, Configuration Manager grants access only to the generic
access accounts User and Administrator. You can control access for client computers by using other Windows
accounts or groups. Mobile devices always retrieve package content anonymously, so they don't use a package
access account.
By default, when Configuration Manager copies the content files to a distribution point, it grants Read access to
the local Users group, and Full Control to the local Administrators group. The actual permissions required
depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the network
access account to access the package content. Make sure that the network access account has permissions to the
package by using the defined package access accounts.
Use accounts in a domain that can access the distribution points. If you create or modify the account after you
create the package, you must redistribute the package. Updating the package doesn't change the NTFS
permissions on the package.
You don't have to add the network access account as a package access account, because membership of the
Users group adds it automatically. Restricting the package access account to only the network access account
doesn't prevent clients from accessing the package.
Manage package access accounts
1. In the Configuration Manager console, go to the Software Library workspace.
2. In the Software Library workspace, determine the type of content for which you want to manage access
accounts, and follow the steps provided:
Application: Expand Application Management, choose Applications, and then select the
application for which to manage access accounts.
Package: Expand Application Management, choose Packages, and then select the package for
which to manage access accounts.
Software update deployment package: Expand Software Updates, choose Deployment
Packages, and then select the deployment package for which to manage access accounts.
Driver package: Expand Operating Systems, choose Driver Packages, and then select the
driver package for which to manage access accounts.
OS image: Expand Operating Systems, choose Operating System Images, and then select
the operating system image for which to manage access accounts.
OS upgrade package: Expand Operating Systems, choose Operating system upgrade
packages, and then select the OS upgrade package for which to manage access accounts.
Boot image: Expand Operating Systems, choose Boot Images, and then select the boot image
for which to manage access accounts.
3. Right-click the selected object, and then choose Manage Access Accounts.
4. In the Add Account dialog box, specify the account type that will be granted access to the content, and
then specify the access rights associated with the account.
NOTE
When you add a user name for the account, and Configuration Manager finds both a local user account and a
domain user account with that name, Configuration Manager sets access rights for the domain user account.

Reporting services point account


SQL Server Reporting Services uses the Reporting services point account to retrieve the data for
Configuration Manager reports from the site database. The Windows user account and password that you
specify are encrypted and stored in the SQL Server Reporting Services database.

NOTE
The account you specify must have Log on locally permissions on the computer hosting the SQL Server Reporting
Services database.
The account is automatically granted all necessary rights by being added to the smsschm_users SQL Server Database Role
on the Configuration Manager database.

For more information, see Introduction to reporting.


Remote tools permitted viewer accounts
The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to
use remote tools functionality on clients.
For more information, see Introduction to remote control.
Site installation account
Use a domain user account to sign in to the server where you run Configuration Manager setup and install a
new site.
This account requires the following rights:
Administrator on the following servers:
The site server
Each server that hosts the site database
Each instance of the SMS Provider for the site
Sysadmin on the instance of SQL Server that hosts the site database
Configuration Manager setup automatically adds this account to the SMS Admins group.
After installation, this account is the only user with rights to the Configuration Manager console. If you need to
remove this account, make sure to add its rights to another user first.
When expanding a standalone site to include a central administration site, this account requires either Full
Administrator or Infrastructure Administrator role-based administration rights at the standalone primary
site.
Site system installation account
The site server uses the Site system installation account to install, reinstall, uninstall, and set up site
systems. If you set up the site system to require the site server to initiate connections to this site system,
Configuration Manager also uses this account to pull data from the site system after it installs the site system
and any roles. Each site system can have a different installation account, but you can set up only one installation
account to manage all roles on that site system.
This account requires local administrative permissions on the target site systems. Additionally, this account must
have Access this computer from the network in the security policy on the target site systems.

TIP
If you have many domain controllers and these accounts are used across domains, before you set up the site system,
check that Active Directory has replicated these accounts.
When you specify a local account on each site system to be managed, this configuration is more secure than using
domain accounts. It limits the damage that attackers can do if the account is compromised. However, domain accounts
are easier to manage. Consider the trade-off between security and effective administration.
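As an added example (not part of the Configuration Manager documentation), the following PowerShell checks both requirements on a target site system before you configure the account there: direct membership in the local Administrators group, and the "Access this computer from the network" user right (SeNetworkLogonRight) without a matching entry in the deny right. The server and account names are placeholders for your environment.

```powershell
# Added example; not from the Configuration Manager documentation.
# Verifies, on a remote site system, that a candidate site system installation account
# is a local administrator and holds SeNetworkLogonRight (and is not explicitly denied it).
$siteSystem = 'DP01.contoso.com'            # assumed target site system
$account    = 'CONTOSO\svc-cm-ssinstall'    # assumed site system installation account

$result = Invoke-Command -ComputerName $siteSystem -ArgumentList $account -ScriptBlock {
    param([string]$Account)

    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Requirement 1: local administrator on the target site system (direct membership only;
    # membership through a nested domain group is not resolved here).
    $admins  = Get-LocalGroupMember -Group 'Administrators'
    $isAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })

    # Requirement 2: "Access this computer from the network". Export the effective local
    # policy and read the [Privilege Rights] entries.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $policy = Get-Content -Path $inf
    Remove-Item -Path $inf -Force

    function Get-RightSids([string]$RightName) {
        $line = $policy | Where-Object { $_ -match "^\s*$RightName\s*=" }
        if (-not $line) { return @() }
        # Exported format: SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }

    $allowed = Get-RightSids 'SeNetworkLogonRight'
    $denied  = Get-RightSids 'SeDenyNetworkLogonRight'

    # The right is satisfied if granted to the account itself, to Everyone (S-1-1-0),
    # to Authenticated Users (S-1-5-11), or to BUILTIN\Administrators (S-1-5-32-544)
    # when the account is already a local administrator.
    $grantingSids = @($sid, 'S-1-1-0', 'S-1-5-11')
    if ($isAdmin) { $grantingSids += 'S-1-5-32-544' }
    $hasNetworkLogon = [bool]($allowed | Where-Object { $grantingSids -contains $_ })
    $isDenied        = $denied -contains $sid

    [pscustomobject]@{
        SiteSystem          = $env:COMPUTERNAME
        Account             = $Account
        LocalAdministrator  = $isAdmin
        NetworkLogonGranted = $hasNetworkLogon
        NetworkLogonDenied  = $isDenied
        MeetsRequirements   = $isAdmin -and $hasNetworkLogon -and -not $isDenied
    }
}
$result | Format-List
```

Run it once per site system you intend to manage with that account; a deny entry wins over any grant, which is why the script reports both.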

Site system proxy server account


The following site system roles use the Site system proxy server account to access the internet via a proxy
server or firewall that requires authenticated access:
Asset Intelligence synchronization point
Exchange Server connector
Service connection point
Software update point

IMPORTANT
Specify an account that has the least possible permissions for the required proxy server or firewall.

For more information, see Proxy server support.


SMTP server connection account
The site server uses the SMTP server connection account to send email alerts when the SMTP server
requires authenticated access.

IMPORTANT
Specify an account that has the least possible permissions to send emails.

For more information, see Configure alerts.


Software update point connection account
The site server uses the Software update point connection account for the following two software update
services:
Windows Server Update Services (WSUS), which sets up settings like product definitions, classifications,
and upstream settings.
WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or
Microsoft Update.
The site system installation account can install components for software updates, but it can't do software
update-specific functions on the software update point. If you can't use the site server computer account for this
functionality because the software update point is in an untrusted forest, you must specify this account in
addition to the site system installation account.
This account must be a local administrator on the computer where you install WSUS. It must also be part of the
local WSUS Administrators group.
For more information, see Plan for software updates.
Source site account
The migration process uses the Source site account to access the SMS Provider of the source site. This
account requires Read permissions to site objects in the source site to gather data for migration jobs.
If you have Configuration Manager 2007 distribution points or secondary sites with colocated distribution
points, when you upgrade them to Configuration Manager (current branch) distribution points, this account
must also have Delete permissions to the Site class. This permission is to successfully remove the distribution
point from the Configuration Manager 2007 site during the upgrade.

NOTE
Both the source site account and the source site database account are identified as Migration Manager in the
Accounts node of the Administration workspace in the Configuration Manager console.

For more information, see Migrate data between hierarchies.


Source site database account
The migration process uses the Source site database account to access the SQL Server database for the
source site. To gather data from the SQL Server database of the source site, the source site database account
must have the Read and Execute permissions to the source site's SQL Server database.
If you use the Configuration Manager (current branch) computer account, make sure that all the following are
true for this account:
It's a member of the Distributed COM Users security group in the same domain as the Configuration
Manager 2012 site
It's a member of the SMS Admins security group
It has the Read permission to all Configuration Manager 2012 objects

NOTE
Both the source site account and the source site database account are identified as Migration Manager in the
Accounts node of the Administration workspace in the Configuration Manager console.

For more information, see Migrate data between hierarchies.


Task sequence domain join account
Windows Setup uses the Task sequence domain join account to join a newly imaged computer to a domain.
This account is required by the Join Domain or Workgroup task sequence step with the Join a domain option.
This account can also be set up with the Apply Network Settings step, but it isn't required.
This account requires the Domain Join right in the target domain.

TIP
Create one domain user account with the minimal permissions to join the domain, and use it for all task sequences.

IMPORTANT
Don't assign interactive sign-in permissions to this account.
Don't use the network access account for this account.
Task sequence network folder connection account
The task sequence engine uses the Task sequence network folder connection account to connect to a
shared folder on the network. This account is required by the Connect to Network Folder task sequence step.
This account requires permissions to access the specified shared folder. It must be a domain user account.

TIP
Create one domain user account with minimal permissions to access the required network resources, and use it for all task
sequences.

IMPORTANT
Don't assign interactive sign-in permissions to this account.
Don't use the network access account for this account.

Task sequence run as account


The task sequence engine uses the Task sequence run as account to run command lines or PowerShell
Scripts with credentials other than the Local System account. This account is required by the Run Command Line
and Run PowerShell Script task sequence steps with the option Run this step as the following account
chosen.
Set up the account to have the minimum permissions required to run the command line that you specify in the
task sequence. The account requires interactive sign-in rights. It usually requires the ability to install software
and access network resources. For the Run PowerShell Script task, this account requires local administrator
permissions.

IMPORTANT
Don't use the network access account for this account.
Never make the account a domain admin.
Never set up roaming profiles for this account. When the task sequence runs, it downloads the roaming profile for the
account. This leaves the profile vulnerable to access on the local computer.
Limit the scope of the account. For example, create different task sequence run as accounts for each task sequence. Then
if one account is compromised, only the client computers to which that account has access are compromised.
If the command line requires administrative access on the computer, consider creating a local administrator account solely
for this account on all computers that run the task sequence. Delete the account once you no longer need it.
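As an added example (not part of the Configuration Manager documentation), the following PowerShell audits the three task sequence accounts against the guidance above: none of them is the network access account, none is a domain admin (directly or through nested groups), and none has a roaming profile configured. The account names are placeholders and the script requires the ActiveDirectory RSAT module. Denying interactive sign-in is a per-computer user-rights setting, normally applied through Group Policy, and is not checked here.

```powershell
# Added example; not from the Configuration Manager documentation.
# Audits task sequence accounts for the conditions called out in the IMPORTANT notes.
Import-Module ActiveDirectory

$networkAccessAccount = 'CONTOSO\svc-cm-naa'       # assumed network access account
$taskSequenceAccounts = [ordered]@{
    'Domain join'               = 'CONTOSO\svc-cm-tsjoin'
    'Network folder connection' = 'CONTOSO\svc-cm-tsshare'
    'Run as (TS-Build-Win11)'   = 'CONTOSO\svc-cm-tsrunas-win11'   # one run-as account per task sequence
}
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Test-CMTaskSequenceAccount {
    param(
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][string]$Account
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $sam = ($Account -split '\\')[-1]

    # Never reuse the network access account for a task sequence account.
    if ($Account -ieq $networkAccessAccount) {
        $findings.Add('Is the network access account')
    }

    $user = Get-ADUser -Identity $sam -Properties ProfilePath, Enabled
    if (-not $user.Enabled) { $findings.Add('Account is disabled') }

    # A roaming profile is downloaded onto every client the task sequence runs on.
    if ($user.ProfilePath) { $findings.Add("Roaming profile set: $($user.ProfilePath)") }

    # Recursive group membership via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
              Select-Object -ExpandProperty Name
    foreach ($g in $privilegedGroups) {
        if ($groups -contains $g) { $findings.Add("Member (direct or nested) of $g") }
    }

    [pscustomobject]@{
        Role      = $Role
        Account   = $Account
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$taskSequenceAccounts.GetEnumerator() |
    ForEach-Object { Test-CMTaskSequenceAccount -Role $_.Key -Account $_.Value } |
    Format-Table -AutoSize
```

The nested-membership query matters because a run-as account placed in a custom group that is itself a member of Domain Admins is just as exposed as a direct member.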

User objects that Configuration Manager uses in SQL Server


Configuration Manager automatically creates and maintains the following user objects in SQL. These objects are
located within the Configuration Manager database under Security/Users.

IMPORTANT
Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. We
recommend that you don't make any changes to these objects.

smsdbuser_ReadOnly
This object is used to run queries under the read-only context. This object is used with several stored
procedures.
smsdbuser_ReadWrite
This object is used to provide permissions for dynamic SQL statements.
smsdbuser_ReportSchema
This object is used to run SQL Server Reporting Executions. The following stored procedure is used with this
function: spSRExecQuery.

Database roles that Configuration Manager uses in SQL


Configuration Manager automatically creates and maintains the following role objects in SQL. These roles
provide access to specific stored procedures, tables, views, and functions. These roles either get or add data in
the Configuration Manager database. These objects are located within the Configuration Manager database
under Security/Roles/Database Roles.

IMPORTANT
Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. Don't
change these objects. The following list is for information purposes only.

smsdbrole_AITool
Configuration Manager grants this permission to administrative user accounts, based on role-based access, so
they can import volume license information for Asset Intelligence. Accounts in the Full Administrator, Operations
Administrator, or Asset Manager role, or in any role with the Manage Asset Intelligence permission, are added to this role.
smsdbrole_AIUS
Configuration Manager grants the computer account that hosts the Asset Intelligence synchronization point
access to get Asset Intelligence proxy data and to view pending AI data for upload.
smsdbrole_CRP
Configuration Manager grants permission to the computer account of the site system that supports the
certificate registration point for Simple Certificate Enrollment Protocol (SCEP) support for certificate signing and
renewal.
smsdbrole_CRPPfx
Configuration Manager grants permission to the computer account of the site system that supports the
certificate registration point configured for PFX support for signing and renewal.
smsdbrole_DMP
Configuration Manager grants this permission to the computer account of a management point that has the option
Allow mobile devices and Mac computers to use this management point enabled, so that it can
support MDM-enrolled devices.
smsdbrole_DmpConnector
Configuration Manager grants this permission to the computer account that hosts the service connection point
to retrieve and provide diagnostic data, manage cloud services, and retrieve service updates.
smsdbrole_DViewAccess
Configuration Manager grants this permission to the computer account of the primary site servers on the CAS
when the SQL Server distributed views option is selected in the replication link properties.
smsdbrole_DWSS
Configuration Manager grants this permission to the computer account that hosts the data warehouse role.
smsdbrole_EnrollSvr
Configuration Manager grants this permission to the computer account that hosts the enrollment point to allow
for device enrollment via MDM.
smsdbrole_extract
Provides access to all the extended schema views.
smsdbrole_HMSUser
For the hierarchy manager service. Configuration Manager grants this account permissions to manage failover
state messages and SQL Server Broker transactions between sites within a hierarchy.

NOTE
The smdbrole_WebPortal role is a member of this role by default.

smsdbrole_MCS
Configuration Manager grants this permission to the computer account of the distribution point that supports
multicast.
smsdbrole_MP
Configuration Manager grants this permission to the computer account that hosts the management point role
to provide support for the Configuration Manager clients.
smsdbrole_MPMBAM
Configuration Manager grants this permission to the computer account that hosts the management point that
manages BitLocker for an environment.
smsdbrole_MPUserSvc
Configuration Manager grants this permission to the computer account that hosts the management point to
support user-based application requests.
smsdbrole_siteprovider
Configuration Manager grants this permission to the computer account that hosts an SMS Provider role.
smsdbrole_siteserver
Configuration Manager grants this permission to the computer account that hosts the primary site or CAS.
smsdbrole_SUP
Configuration Manager grants this permission to the computer account that hosts the software update point for
working with third-party updates.
smsschm_users
Configuration Manager grants this permission to the reporting services point account to allow access to the
SMS reporting views that display the Configuration Manager reporting data. The data is further restricted with
the use of role-based access.
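The list above is informational and the roles must not be edited, but it is worth knowing who holds them. As an added example (not part of the Configuration Manager documentation), the following PowerShell lists the members of every smsdbrole_* role and of smsschm_users in the site database and marks for review any member that does not fit the pattern described above: roles documented as granted to site system computer accounts should hold machine accounts (names ending in $). Instance and database names are placeholders; the script requires the SqlServer module and read access to the site database. A domain user configured as a management point or enrollment point connection account will legitimately show up for review.

```powershell
# Added example; not from the Configuration Manager documentation.
# Read-only audit of the Configuration Manager database roles and their members.
Import-Module SqlServer

$sqlInstance  = 'CM01.contoso.com'   # assumed SQL Server instance hosting the site database
$siteDatabase = 'CM_P01'             # assumed site database, CM_<sitecode>

# Roles the page describes as granted to administrative users or the reporting account
# rather than to site system computer accounts.
$nonComputerRoles = 'smsdbrole_AITool', 'smsdbrole_extract', 'smsschm_users'

$query = @"
SELECT r.name AS RoleName, m.name AS MemberName, m.type_desc AS MemberType
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name LIKE 'smsdbrole[_]%' OR r.name = 'smsschm_users'
ORDER BY r.name, m.name;
"@

function Get-CMDatabaseRoleAudit {
    $rows = Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $siteDatabase -Query $query
    foreach ($row in $rows) {
        $isComputer = $row.MemberName -like '*$'                 # machine account
        $isDbRole   = $row.MemberType -eq 'DATABASE_ROLE'        # e.g. a role nested in smsdbrole_HMSUser
        $expected   = $isDbRole -or $isComputer -or ($nonComputerRoles -contains $row.RoleName)
        [pscustomobject]@{
            RoleName   = $row.RoleName
            MemberName = $row.MemberName
            MemberType = $row.MemberType
            Review     = -not $expected   # non-machine principal in a computer-account role
        }
    }
}

Get-CMDatabaseRoleAudit | Sort-Object Review -Descending | Format-Table -AutoSize
```

Snapshot the output after installation and diff it periodically; a new human account in smsdbrole_siteserver or smsdbrole_MP is the kind of change this list exists to catch.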

Elevated permissions
Configuration Manager requires some accounts to have elevated permissions for on-going operations. For
example, see Prerequisites for installing a primary site. The following list summarizes these permissions and the
reasons why they're needed.
The computer account of the primary site server and central administration site server requires:
Local Administrator rights on all site system servers. This permission is to manage, install, and
remove system services. The site server also updates local groups on the site system when you
add or remove roles.
Sysadmin access to the SQL Server instance for the site database. This permission is to configure
and manage SQL Server for the site. Configuration Manager tightly integrates with SQL Server; it's not
just a database.
User accounts in the Full Administrator role require:
Local Administrator rights on all site servers. This permission is to view, edit, remove, and install
system services, registry keys and values, and WMI objects.
Sysadmin access to the SQL Server instance for the site database. This permission is to install and
update the database during setup or recovery. It's also required for SQL Server maintenance and
operations. For example, reindexing and updating statistics.

NOTE
Some organizations may choose to remove sysadmin access and only grant it when it is required. This
behavior is sometimes referred to as "just-in-time (JIT) access." In this case, users with the Full
Administrator role should still have access to read, update, and execute stored procedures on the
Configuration Manager database. These permissions allow them to troubleshoot most issues without full
sysadmin access.
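As an added example (not part of the Configuration Manager documentation), the following PowerShell implements that note for the group that holds the Full Administrator role: it grants the group read, write, and execute on the site database and removes its standing sysadmin membership, so sysadmin is added back only for setup, recovery, or maintenance windows. Instance, database, and group names are placeholders; the script requires the SqlServer module and a connection that currently holds sysadmin. It does not touch the site server computer account, which the page says must keep sysadmin.

```powershell
# Added example; not from the Configuration Manager documentation.
# Replaces standing sysadmin for the Full Administrator group with database-level rights.
Import-Module SqlServer

$sqlInstance  = 'CM01.contoso.com'          # assumed SQL Server instance hosting the site database
$siteDatabase = 'CM_P01'                    # assumed site database, CM_<sitecode>
$adminGroup   = 'CONTOSO\CM-FullAdmins'     # assumed AD group mapped to the Full Administrator role

$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$adminGroup')
    CREATE LOGIN [$adminGroup] FROM WINDOWS;
USE [$siteDatabase];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$adminGroup')
    CREATE USER [$adminGroup] FOR LOGIN [$adminGroup];
ALTER ROLE db_datareader ADD MEMBER [$adminGroup];   -- read
ALTER ROLE db_datawriter ADD MEMBER [$adminGroup];   -- update
GRANT EXECUTE TO [$adminGroup];                      -- stored procedures used for troubleshooting
IF IS_SRVROLEMEMBER('sysadmin', N'$adminGroup') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [$adminGroup];
"@

function Set-CMFullAdminJitSql {
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $grant

    # Verify: no longer sysadmin, but holding the database roles.
    $check = @"
USE [$siteDatabase];
SELECT IS_SRVROLEMEMBER('sysadmin', N'$adminGroup')     AS IsSysadmin,
       IS_ROLEMEMBER('db_datareader', N'$adminGroup')   AS IsReader,
       IS_ROLEMEMBER('db_datawriter', N'$adminGroup')   AS IsWriter;
"@
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $check
}

Set-CMFullAdminJitSql | Format-List
```

Expect IsSysadmin to be 0 and IsReader and IsWriter to be 1 afterwards. For a reindex or statistics update, add the group back to sysadmin for the window and run the DROP MEMBER statement again when it closes.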
Communications between endpoints in Configuration Manager
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


This article describes how Configuration Manager site systems and clients communicate across your network. It
includes the following sections:
Communications between site systems in a site
Site server to distribution point
Communications from clients to site systems and services
Client to management point communication
Client to distribution point communication
Considerations for client communications from the internet or an untrusted forest
Communications across Active Directory forests
Support domain computers in a forest that's not trusted by your site server's forest
Support computers in a workgroup
Scenarios to support a site or hierarchy that spans multiple domains and forests

Communications between site systems in a site


When Configuration Manager site systems or components communicate across the network to other site
systems or components in the site, they use one of the following protocols, depending on how you configure
the site:
Server message block (SMB)
HTTP
HTTPS
With the exception of communication from the site server to a distribution point, server-to-server
communications in a site can occur at any time. These communications don't use mechanisms to control the
network bandwidth. Because you can't control the communication between site systems, make sure that you
install site system servers in locations that have fast and well-connected networks.
Site server to distribution point
To help you manage the transfer of content from the site server to distribution points, use the following
strategies:
Configure the distribution point for network bandwidth control and scheduling. These controls resemble
the configurations that are used by intersite addresses. Use this configuration instead of installing
another Configuration Manager site when the transfer of content to remote network locations is your
main bandwidth consideration.
You can install a distribution point as a prestaged distribution point. A prestaged distribution point lets
you use content that is manually put on the distribution point server and removes the requirement to
transfer content files across the network.
For more information, see Manage network bandwidth for content management.

Communications from clients to site systems and services


Clients initiate communication to site system roles, Active Directory Domain Services, and online services. To
enable these communications, firewalls must allow the network traffic between clients and the endpoint of their
communications. For more information about ports and protocols used by clients when they communicate to
these endpoints, see Ports used in Configuration Manager.
Before a client can communicate with a site system role, the client uses service location to find a role that
supports the client's protocol (HTTP or HTTPS). By default, clients use the most secure method that's available to
them. For more information, see Understand how clients find site resources and services.
To help secure the communication between Configuration Manager clients and site servers, configure one of the
following options:
Use a public key infrastructure (PKI) and install PKI certificates on clients and servers. Enable site systems
to communicate with clients over HTTPS. For information about how to use certificates, see PKI certificate
requirements.
Configure the site to Use Configuration Manager-generated certificates for HTTP site systems.
For more information, see Enhanced HTTP.
When you deploy a site system role that uses Internet Information Services (IIS) and supports communication
from clients, you must specify whether clients connect to the site system by using HTTP or HTTPS. If you use
HTTP, you must also consider signing and encryption choices. For more information, see Planning for signing
and encryption.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Client to management point communication


There are two stages when a client communicates with a management point: authentication (transport) and
authorization (message). This process varies depending upon the following factors:
Site configuration: HTTPS only, allows HTTP or HTTPS, or allows HTTP or HTTPS with enhanced HTTP enabled
Management point configuration: HTTPS or HTTP
Device identity for device-centric scenarios
User identity for user-centric scenarios
Use the following table to understand how this process works:

MP type: HTTP

Client authentication:
Anonymous. With Enhanced HTTP, the site verifies the Azure AD user or device token.

Client authorization, device identity:
Location request: Anonymous
Client package: Anonymous
Registration, using one of the following methods to prove device identity:
- Anonymous (manual approval)
- Windows-integrated authentication
- Azure AD device token (Enhanced HTTP)
After registration, the client uses message signing to prove device identity.

Client authorization, user identity:
For user-centric scenarios, using one of the following methods to prove user identity:
- Windows-integrated authentication
- Azure AD user token (Enhanced HTTP)

MP type: HTTPS

Client authentication:
Using one of the following methods:
- PKI certificate
- Windows-integrated authentication
- Azure AD user or device token

Client authorization, device identity:
Location request: Anonymous
Client package: Anonymous
Registration, using one of the following methods to prove device identity:
- Anonymous (manual approval)
- Windows-integrated authentication
- PKI certificate
- Azure AD user or device token
After registration, the client uses message signing to prove device identity.

Client authorization, user identity:
For user-centric scenarios, using one of the following methods to prove user identity:
- Windows-integrated authentication
- Azure AD user token

TIP
For more information on the configuration of the management point for different device identity types and with the cloud
management gateway, see Enable management point for HTTPS.

Client to distribution point communication


When a client communicates with a distribution point, it only needs to authenticate before downloading the
content. Use the following table to understand how this process works:

DP type: HTTP
Client authentication:
- Anonymous, if allowed
- Windows-integrated authentication with computer account or network access account
- Content access token (Enhanced HTTP)

DP type: HTTPS
Client authentication:
- PKI certificate
- Windows-integrated authentication with computer account or network access account
- Content access token

Considerations for client communications from the internet or an untrusted forest


For more information, see the following articles:
Overview of cloud management gateway
Plan for internet-based client management

Communications across Active Directory forests


Configuration Manager supports sites and hierarchies that span Active Directory forests. It also supports
domain computers that aren't in the same Active Directory forest as the site server, and computers that are in
workgroups.
Support domain computers in a forest that's not trusted by your site server's forest
Use one of the following approaches:
Install site system roles in that untrusted forest, with the option to publish site information to that Active
Directory forest
Manage these computers as if they're workgroup computers
When you install site system servers in an untrusted Active Directory forest, the client-to-server communication
from clients in that forest is kept within that forest, and Configuration Manager can authenticate the computer
by using Kerberos. When you publish site information to the client's forest, clients benefit from retrieving site
information, such as a list of available management points, from their Active Directory forest, rather than
downloading this information from their assigned management point.

NOTE
If you want to manage devices that are on the internet, you can install internet-based site system roles in your perimeter
network when the site system servers are in an Active Directory forest. This scenario doesn't require two-way trust
between the perimeter network and the site server's forest.

Support computers in a workgroup


Manually approve workgroup computers when they use HTTP client connections to site system roles.
Configuration Manager can't authenticate these computers by using Kerberos.
Configure workgroup clients to use the Network Access Account so that these computers can retrieve
content from distribution points.
Provide an alternative mechanism for workgroup clients to find management points. Use DNS publishing
or directly assign a management point. These clients can't retrieve site information from Active Directory
Domain Services.
For more information, see the following articles:
Manage conflicting records
Network access account
How to install Configuration Manager clients on workgroup computers
Scenarios to support a site or hierarchy that spans multiple domains and forests
Scenario 1: Communication between sites in a hierarchy that spans forests
This scenario requires a two-way forest trust that supports Kerberos authentication. If you don't have a two-way
forest trust that supports Kerberos authentication, then Configuration Manager doesn't support a child site in
the remote forest.
Configuration Manager supports installing a child site in a remote forest that has the required two-way trust
with the forest of the parent site. For example, you can place a secondary site in a different forest from its
primary parent site as long as the required trust exists.

NOTE
A child site can be a primary site (where the central administration site is the parent site) or a secondary site.

Intersite communication in Configuration Manager uses database replication and file-based transfers. When you
install a site, you must specify an account with which to install the site on the designated server. This account
also establishes and maintains communication between sites. After the site successfully installs and initiates file-
based transfers and database replication, you don't have to configure anything else for communication to the
site.
When a two-way forest trust exists, Configuration Manager doesn't require any additional configuration steps.
By default, when you install a new child site, Configuration Manager configures the following components:
An intersite file-based replication route at each site that uses the site server computer account.
Configuration Manager adds the computer account of each computer to the
SMS_SiteToSiteConnection_<sitecode> group on the destination computer.
Database replication between the SQL Servers at each site.
Also set the following configurations:
Intervening firewalls and network devices must allow the network packets that Configuration Manager
requires.
Name resolution must work between the forests.
To install a site or site system role, you must specify an account that has local administrator permissions
on the specified computer.
Scenario 2: Communication in a site that spans forests
This scenario doesn't require a two-way forest trust.
Primary sites support the installation of site system roles on computers in remote forests.
When a site system role accepts connections from the internet, as a security best practice, install the site
system roles in a location where the forest boundary provides protection for the site server (for example, in a
perimeter network).
To install a site system role on a computer in an untrusted forest:
Specify a Site System Installation Account, which the site uses to install the site system role. This
account must have local administrator rights on the target computer. Then install site system roles on the
specified computer.
Select the site system option Require the site server to initiate connections to this site system.
This setting requires the site server to establish connections to the site system server to transfer data.
This configuration prevents the computer in the untrusted location from initiating contact with the site
server that's inside your trusted network. These connections use the Site System Installation
Account.
To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even
when the site server initiates the transfer of data.
Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must
allow applicable traffic from the untrusted forest to the site's SQL Server:
Asset Intelligence synchronization point
Endpoint Protection point
Enrollment point
Management point
Reporting service point
State migration point
For more information, see Ports used in Configuration Manager.
You might need to configure the management point and enrollment point access to the site database.
By default, when you install these roles, Configuration Manager configures the computer account of the
new site system server as the connection account for the site system role. It then adds the account to the
appropriate SQL Server database role.
When you install these site system roles in an untrusted domain, configure the site system role
connection account to enable the site system role to obtain information from the database.
If you configure a domain user account to be the connection account for these site system roles, make sure that
the domain user account has appropriate access to the SQL Server database at that site:
Management point: Management Point Database Connection Account
Enrollment point: Enrollment Point Connection Account
Consider the following additional information when you plan for site system roles in other forests:
If you run Windows Firewall, configure the applicable firewall profiles to pass communications between
the site database server and computers that are installed with remote site system roles.
When the internet-based management point trusts the forest that contains the user accounts, user
policies are supported. When no trust exists, only computer policies are supported.
Scenario 3: Communication between clients and site system roles when the clients aren't in the same Active Directory forest as their site server
Configuration Manager supports the following scenarios for clients that aren't in the same forest as their site's
site server:
There's a two-way forest trust between the forest of the client and the forest of the site server.
The site system role server is located in the same forest as the client.
The client is on a domain computer that doesn't have a two-way forest trust with the site server, and site
system roles aren't installed in the client's forest.
The client is on a workgroup computer.
Clients on a domain-joined computer can use Active Directory Domain Services for service location when their
site is published to their Active Directory forest.
To publish site information to another Active Directory forest:
Specify the forest and then enable publishing to that forest in the Active Directory Forests node of the
Administration workspace.
Configure each site to publish its data to Active Directory Domain Services. This configuration enables
clients in that forest to retrieve site information and find management points. For clients that can't use
Active Directory Domain Services for service location, you can use DNS or the client's assigned
management point.
Scenario 4: Put the Exchange Server connector in a remote forest
To support this scenario, make sure that name resolution works between the forests. For example, configure
DNS forwards. When you configure the Exchange Server connector, specify the intranet FQDN of the Exchange
Server. For more information, see Manage mobile devices with Configuration Manager and Exchange.

See also
Plan for security
Security and privacy for Configuration Manager clients
Enhanced HTTP
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


Microsoft recommends using HTTPS communication for all Configuration Manager communication paths, but
it's challenging for some customers because of the overhead of managing PKI certificates. With enhanced HTTP,
Configuration Manager can provide secure communication by issuing self-signed certificates to specific site
systems.
There are two primary goals for this configuration:
You can secure sensitive client communication without the need for PKI server authentication certificates.
Clients can securely access content from distribution points without the need for a network access
account, client PKI certificate, or Windows authentication.
All other client communication is over HTTP. Enhanced HTTP isn't the same as enabling HTTPS for client
communication or a site system.

NOTE
PKI certificates are still a valid option for customers with the following requirements:
All client communication is over HTTPS
Advanced control of the signing infrastructure
If you're already using PKI, site systems use the PKI certificate bound in IIS even if you enable enhanced HTTP.
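As an added example (not part of the Configuration Manager documentation), the following PowerShell turns on the site option described here with the Configuration Manager PowerShell module and then looks for the site-issued certificate on a management point. The site code and host names are placeholders. The certificate friendly name 'SMS Role SSL Certificate' is an assumption to confirm against your own site systems; the page only states that the site server issues a self-signed certificate to the role.

```powershell
# Added example; not from the Configuration Manager documentation.
# Enables "Use Configuration Manager-generated certificates for HTTP site systems" and checks
# a management point's Personal store for the resulting certificate.
$siteCode = 'P01'                 # assumed site code
$mpServer = 'MP01.contoso.com'    # assumed management point configured for HTTP

# The module ships with the console; SMS_ADMIN_UI_PATH points at its bin\i386 folder.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($siteCode):"

# Enhanced HTTP applies to HTTP site systems, so HTTP stays allowed here while
# site-generated certificates are enabled.
Set-CMSite -SiteCode $siteCode -ClientComputerCommunicationType HttpsOrHttp -UseSmsGeneratedCert $true

# After the site server processes the change, the management point should hold a
# self-signed role certificate in its computer Personal store. Friendly name is assumed.
Invoke-Command -ComputerName $mpServer -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'SMS Role SSL Certificate' } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}
```

If no certificate appears, give the site server time to apply the site control change before treating it as a failure, and remember that a site system already using a PKI certificate in IIS keeps that binding.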

Scenarios
The following scenarios benefit from enhanced HTTP:
Scenario 1: Client to management point
Azure Active Directory (Azure AD)-joined devices and devices with a Configuration Manager issued token can
communicate with a management point configured for HTTP if you enable enhanced HTTP for the site. With
enhanced HTTP enabled, the site server generates a certificate for the management point allowing it to
communicate via a secure channel.

NOTE
This scenario doesn't require using an HTTPS-enabled management point, but it's supported as an alternative to using
enhanced HTTP. For more information on using an HTTPS-enabled management point, see Enable management point for
HTTPS.

Scenario 2: Client to distribution point


A workgroup or Azure AD-joined client can authenticate and download content over a secure channel from a
distribution point configured for HTTP. These types of devices can also authenticate and download content from
a distribution point configured for HTTPS without requiring a PKI certificate on the client. It's challenging to add
a client authentication certificate to a workgroup or Azure AD-joined client.
This behavior includes OS deployment scenarios with a task sequence running from boot media, PXE, or
Software Center. For more information, see Network access account.
Scenario 3: Azure AD device identity
An Azure AD-joined or hybrid Azure AD device without an Azure AD user signed in can securely communicate
with its assigned site. The cloud-based device identity is now sufficient to authenticate with the CMG and
management point for device-centric scenarios. (A user token is still required for user-centric scenarios.)

Features
The following Configuration Manager features support or require enhanced HTTP:
Cloud management gateway
OS deployment without a network access account
Enable co-management for new internet-based Windows devices
App approvals via email
Administration service
View recently connected consoles
BitLocker management key recovery (version 2103 and later)
Software Center user-available applications (version 2107 and later)
Company Portal on co-managed devices (version 2107 and later)

NOTE
The software update point and related scenarios have always supported secure HTTP traffic with clients as well as the
cloud management gateway. It uses a mechanism with the management point that's different from certificate- or token-
based authentication.

Unsupported scenarios
Enhanced HTTP doesn't currently secure all communication in Configuration Manager. The following list
summarizes some key functionality that's still HTTP.
Client peer-to-peer communication for content
State migration point
Remote tools
Reporting services point

NOTE
This list isn't exhaustive.

Prerequisites
A management point configured for HTTP client connections. Set this option on the General tab of the
management point role properties.
A distribution point configured for HTTP client connections. Set this option on the Communication tab
of the distribution point role properties. Don't enable the option to Allow clients to connect
anonymously.
For scenarios that require Azure AD authentication, onboard the site to Azure AD for cloud management.
If you don't onboard the site to Azure AD, you can still enable enhanced HTTP.
For Scenario 3 only: A client running a supported version of Windows 10 or later and joined to Azure AD.
The client requires this configuration for Azure AD device authentication.

NOTE
There are no OS version requirements, other than what the Configuration Manager client supports.

Configure the site


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node. Select the site and choose Properties in the ribbon.
2. Switch to the Communication Security tab. Select the option for HTTPS or HTTP. Then enable the
option to Use Configuration Manager-generated certificates for HTTP site systems.

TIP
Wait up to 30 minutes for the management point to receive and configure the new certificate from the site.

You can also enable enhanced HTTP for the central administration site (CAS). Use this same process, and open
the properties of the CAS. This action only enables enhanced HTTP for the SMS Provider role at the CAS. It's not
a global setting that applies to all sites in the hierarchy.
For more information on how the client communicates with the management point and distribution point with
this configuration, see Communications from clients to site systems and services.

Validate the certificate


You can see these certificates in the Configuration Manager console. Go to the Administration workspace,
expand Security, and select the Certificates node. Look for the SMS Issuing root certificate and the site
server role certificates issued by the SMS Issuing root.
When you enable enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL
Certificate. This certificate is issued by the root SMS Issuing certificate. The management point adds this
certificate to the IIS default web site bound to port 443.
To see the status of the configuration, review mpcontrol.log.
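The console view above shows the certificate the site issued; the check an administrator usually wants is whether a given management point actually presents it on port 443. The following PowerShell script is an added example, not part of the Configuration Manager documentation or product. It opens a TLS session to the management point, classifies the presented certificate as site-issued (subject SMS Role SSL Certificate, issuer SMS Issuing), PKI, or absent, and, when run on the site system itself, lists every machine-store certificate chained to the SMS Issuing root. The FQDN mp01.contoso.local is an assumed placeholder.

```powershell
# Added example, not from the Configuration Manager documentation: inspect the certificate a
# management point presents on TCP 443 after enhanced HTTP is enabled.
# $MpFqdn is an assumed placeholder; replace it with a real management point FQDN.
param(
    [string]$MpFqdn = 'mp01.contoso.local',
    [int]$Port = 443
)

function Get-RemoteTlsCertificate {
    # Opens a TLS session and returns the leaf certificate the server presented.
    param([string]$HostName, [int]$Port)

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # The validation callback returns $true so an untrusted (self-signed) chain does not abort
        # the handshake; the goal is to inspect the certificate, not to trust it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-CertificateKind {
    # Maps the presented certificate to the three outcomes an administrator cares about.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert) { return 'none' }
    if ($Cert.Subject -like '*SMS Role SSL Certificate*' -and $Cert.Issuer -like '*SMS Issuing*') {
        return 'site-issued (enhanced HTTP)'
    }
    return 'PKI or other'
}

function Get-LocalSiteIssuedCertificate {
    # Run on the site system itself: lists every certificate in the machine stores that was
    # issued by the SMS Issuing root, whichever store Configuration Manager placed it in.
    Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Issuer -like '*SMS Issuing*' } |
        Select-Object PSParentPath, Subject, NotAfter, Thumbprint
}

try {
    $cert = Get-RemoteTlsCertificate -HostName $MpFqdn -Port $Port
}
catch {
    Write-Warning "No TLS session with ${MpFqdn}:$Port ($($_.Exception.Message)). Allow up to 30 minutes after enabling enhanced HTTP, then review mpcontrol.log."
    $cert = $null
}

[pscustomobject]@{
    ManagementPoint = $MpFqdn
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotAfter        = $cert.NotAfter
    Thumbprint      = $cert.Thumbprint
    Kind            = Get-CertificateKind -Cert $cert
} | Format-List

# Only meaningful when executed on the management point or site server.
Get-LocalSiteIssuedCertificate | Format-Table -AutoSize
```

Run it from any machine that can reach the management point; a result of PKI or other is expected for a management point that already has a PKI certificate bound in IIS, since, as the FAQ below notes, site systems always prefer the PKI certificate.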

Conceptual diagram
This diagram summarizes and visualizes some of the main aspects of the enhanced HTTP functionality in
Configuration Manager.

The connection with Azure AD is recommended but optional. It enables scenarios that require Azure AD
authentication.
When you enable the site option for enhanced HTTP, the site issues self-signed certificates to site systems
such as the management point and distribution point roles.
With the site systems still configured for HTTP connections, clients communicate with them over HTTPS.

Frequently asked questions


What are the benefits of enhanced HTTP?
The main benefit is to reduce the usage of pure HTTP, which is an insecure protocol. Configuration Manager tries
to be secure by default, and Microsoft wants to make it easy for you to keep your devices secure. Enabling PKI-
based HTTPS is a more secure configuration, but that can be complex for many customers. If you can't do HTTPS,
then enable enhanced HTTP. Microsoft recommends this configuration, even if your environment doesn't
currently use any of the features that support it.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Do I need to use Azure AD to enable enhanced HTTP?


No. Many of the scenarios and features that benefit from enhanced HTTP rely on Azure AD authentication. You
can enable enhanced HTTP without onboarding the site to Azure AD. It then supports features like the
administration service and the reduced need for the network access account. You only need Azure AD when one
of the supporting features requires it.

NOTE
Even if you don't directly use the administration service REST API, some Configuration Manager features natively use it,
including parts of the Configuration Manager console.

How do clients communicate with site systems?


When you enable enhanced HTTP, the site issues certificates to site systems. For example, the management point
and the distribution point. Then these site systems can support secure communication in currently supported
scenarios.
From a client perspective, the management point issues each client a token. The client uses this token to secure
communication with the site systems. That behavior is OS version agnostic, other than what the Configuration
Manager client supports.
If some site systems are already HTTPS, can I enable enhanced HTTP?
Yes. Site systems always prefer a PKI certificate. For example, one management point already has a PKI
certificate, but others don't. When you enable enhanced HTTP for the site, the HTTPS management point
continues to use the PKI certificate. The other management points use the site-issued certificate for enhanced
HTTP.

Next steps
Plan for security
Security and privacy for Configuration Manager clients
Configure security
Communication between endpoints
Hierarchy Maintenance Tool (Preinst.exe) for
Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


The Hierarchy Maintenance tool (Preinst.exe) passes commands to the Configuration Manager Hierarchy
Manager while the Hierarchy Manager service is running. The Hierarchy Maintenance tool is automatically
installed when you install a Configuration Manager site. You can find Preinst.exe in the
\\<SiteServerName>\SMS_<SiteCode>\bin\X64\00000409 shared folder on the site server.
You might use the Hierarchy Maintenance tool in the following scenarios:
When secure key exchange is required, there are situations in which you must manually perform the
initial public key exchange between sites. For more information, see Manually Exchange Public Keys
Between Sites in this topic.
To remove active jobs that are for a destination site that is no longer available.
To delete a site server from the Configuration Manager console when you are unable to uninstall the site
by using Setup. For example, if you physically remove a Configuration Manager site without first running
Setup to uninstall the site, the site information will still exist in the parent site's database, and the parent
site will continue to attempt to communicate with the child site. To resolve this issue, you must run the
Hierarchy Maintenance tool and manually delete the child site from the parent site's database.
To stop all Configuration Manager services at a site without having to stop services individually.
When you are recovering a site, you can use the CHILDKEYS option to distribute the public keys from
multiple child sites to the recovering site.
To run the Hierarchy Maintenance tool, the current user must have administrative privileges on the local
computer. Also, the user must explicitly have the Site - Administer security right; it is not sufficient that the user
inherits this right by being a member of a group that has that permission.

Hierarchy Maintenance Tool Command-Line Options


When you use the Hierarchy Maintenance Tool, you must run it locally on the central administration site,
primary site, or secondary site server.
When you run the Hierarchy Maintenance tool, you must use the following syntax: preinst.exe /<option>. The
following are the command-line options.
/DELJOB <SiteCode> - Use this option at a site to delete all jobs or commands from the current site to the
specified destination site.
/DELSITE <ChildSiteCodeToRemove> - Use this option at a parent site to delete the data for child sites from
the site database of the parent site. Typically, you use this option if a site server computer is decommissioned
before you uninstall the site from it.
NOTE
The /DELSITE option does not uninstall the site on the computer specified by the ChildSiteCodeToRemove parameter. This
option only removes the site information from the Configuration Manager site database.

/DUMP <SiteCode> - Use this option on the local site server to write site control images to the root folder of
the drive on which the site is installed. You can write a specific site control image to the folder or write all site
control files in the hierarchy.
/DUMP <SiteCode> writes the site control image only for the specified site.
/DUMP writes the site control files for all sites.
An image is a binary representation of the site control file, which is stored in the Configuration Manager site
database. The dumped site control file image is a sum of the base image plus the pending delta images.
After dumping a site control file image with the Hierarchy Maintenance tool, the file name is in the format
sitectrl_<SiteCode>.ct0.
/STOPSITE - Use this option on the local site server to initiate a shutdown cycle for the Configuration Manager
Site Component Manager service, which partially resets the site. When this shutdown cycle is run, some
Configuration Manager services on a site server and its remote site systems are stopped. These services are
flagged for reinstallation. As a result of this shutdown cycle, some passwords are automatically changed when
the services are reinstalled.

NOTE
If you want to see a record of shutdown, reinstallation, and password changes for Site Component Manager, enable
logging for this component before using this command-line option.

After the shutdown cycle is started, it proceeds automatically, skipping any non-responding components or
computers. However, if the Site Component Manager service cannot access a remote site system during the
shutdown cycle, the components that are installed on the remote site system are reinstalled when the Site
Component Manager service is restarted. When it is restarted, the Site Component Manager service repeatedly
attempts reinstallation of all services that are flagged for reinstallation until it is successful.
You can restart the Site Component Manager service using Service Manager. After it is restarted, all affected
services are uninstalled, reinstalled, and restarted. After you use the /STOPSITE option to initiate the shutdown
cycle, you cannot avoid the reinstallation cycles after the Site Component Manager service is restarted.
/KEYFORPARENT - Use this option on a site to distribute the site's public key to a parent site.
The /KEYFORPARENT option places the public key of the site in the file <SiteCode>.CT4 at the root of the
program files drive. After you run preinst.exe with this option, manually copy the <SiteCode>.CT4 file to the
parent site's ...\Inboxes\hman.box folder (not hman.box\pubkey).
/KEYFORCHILD - Use this option on a site to distribute the site's public key to a child site.
The /KEYFORCHILD option places the public key of the site in the file <SiteCode>.CT5 at the root of the program
files drive. After you run preinst.exe with this option, manually copy the <SiteCode>.CT5 file to the child site's
...\Inboxes\hman.box folder (not hman.box\pubkey).
/CHILDKEYS - You can use this option on the child sites of a site that you are recovering. Use this option to
distribute public keys from multiple child sites to the recovering site.
The /CHILDKEYS option places the public key of the site where you run the option, and the public keys of all
of that site's child sites, into the file <SiteCode>.CT6.
After you run preinst.exe with this option, manually copy the <SiteCode>.CT6 file to the recovering site's
...\Inboxes\hman.box folder (not hman.box\pubkey).
/PARENTKEYS - You can use this option on the parent site of a site that you are recovering. Use this option to
distribute public keys from all parent sites to the recovering site.
The /PARENTKEYS option places the key from the site where you run the option, and the keys from each parent
site above that site into the file <SiteCode>.CT7.
After you run preinst.exe with this option, manually copy the <SiteCode>.CT7 file to the recovering site's
...\Inboxes\hman.box folder (not hman.box\pubkey).

Manually Exchange Public Keys Between Sites


By default, the Require secure key exchange option is enabled for Configuration Manager sites. When secure
key exchange is required, there are two situations in which you must manually perform the initial key exchange
between sites:
If the Active Directory schema has not been extended for Configuration Manager
Configuration Manager sites are not publishing site data to Active Directory
You can use the Hierarchy Maintenance tool to export the public keys for each site. Once they have been
exported, you must manually exchange the keys between the sites.

NOTE
After the public keys are manually exchanged, you can review the hman.log log file, which records site configuration
changes and site information publication to Active Directory Domain Services, on the parent site server to ensure that the
primary site has processed the new public key.

To manually transfer the child site public key to the parent site
1. While logged on to the child site, open a command prompt and navigate to the location of Preinst.exe.
2. Type the following to export the child site's public key: Preinst /keyforparent
3. The /keyforparent option places the public key of the child site in the <site code>.CT4 file located at the
root of the system drive.
4. Move the <site code>.CT4 file to the parent site's <install directory>\inboxes\hman.box folder.
To manually transfer the parent site public key to the child site
1. While logged on to the parent site, open a command prompt and navigate to the location of Preinst.exe.
2. Type the following to export the parent site's public key: Preinst /keyforchild
3. The /keyforchild option places the public key of the parent site in the <site code>.CT5 file located at the
root of the system drive.
4. Move the <site code>.CT5 file to the <install directory>\inboxes\hman.box directory on the child
site.
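The two procedures above are the same four steps in opposite directions. The following PowerShell script is an added example, not part of the Configuration Manager documentation or product, that performs either direction from the exporting site: it runs Preinst.exe with /keyforparent or /keyforchild, waits for the <SiteCode>.CT4 or .CT5 file, and copies it into the receiving site's hman.box inbox (not hman.box\pubkey). It assumes that the SMS_<SiteCode> share named earlier in this article exposes the site's install directory, so <share>\inboxes\hman.box and <share>\Logs\hman.log are reachable over the network; the site codes CH1 and PR1 and the server name cm-parent.contoso.local are placeholders. Because the article names both the system drive and the program files drive as the output location, the script checks both roots.

```powershell
# Added example, not from the Configuration Manager documentation: drive the manual public key
# exchange from PowerShell. Site codes, server name and share layout are assumptions.
param(
    [ValidateSet('ToParent', 'ToChild')]
    [string]$Direction = 'ToParent',                        # ToParent = /keyforparent, ToChild = /keyforchild
    [string]$LocalSiteCode = 'CH1',                         # assumption: code of the site you are logged on to
    [string]$RemoteSiteCode = 'PR1',                        # assumption: code of the site receiving the key
    [string]$RemoteSiteServer = 'cm-parent.contoso.local'   # assumption: site server receiving the key
)

$ErrorActionPreference = 'Stop'

# Preinst.exe lives in bin\X64\00000409 under the local site's SMS_<SiteCode> share (see above).
$preinst = "\\$env:COMPUTERNAME\SMS_$LocalSiteCode\bin\X64\00000409\Preinst.exe"
if (-not (Test-Path $preinst)) { throw "Preinst.exe not found at $preinst" }

$option    = if ($Direction -eq 'ToParent') { '/keyforparent' } else { '/keyforchild' }
$extension = if ($Direction -eq 'ToParent') { 'CT4' } else { 'CT5' }

# The article gives both the system drive and the program files drive as the output root.
$roots = @("$env:SystemDrive\", ((Split-Path $env:ProgramFiles -Qualifier) + '\')) | Select-Object -Unique

& $preinst $option
if ($LASTEXITCODE -ne 0) { throw "Preinst.exe $option exited with code $LASTEXITCODE" }

# Poll briefly for the key file rather than failing the instant Preinst.exe returns.
$keyFile  = $null
$deadline = (Get-Date).AddSeconds(30)
do {
    $keyFile = $roots |
        ForEach-Object { Join-Path $_ "$LocalSiteCode.$extension" } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $keyFile) { Start-Sleep -Seconds 2 }
} while (-not $keyFile -and (Get-Date) -lt $deadline)
if (-not $keyFile) { throw "No $LocalSiteCode.$extension file appeared under $($roots -join ', ')" }

# Copy into hman.box itself, not hman.box\pubkey, as the article specifies.
$inbox = "\\$RemoteSiteServer\SMS_$RemoteSiteCode\inboxes\hman.box"
if (-not (Test-Path $inbox)) { throw "Inbox $inbox is not reachable" }
Copy-Item -Path $keyFile -Destination $inbox
Write-Host "Copied $keyFile to $inbox"

# Optional confirmation: hman.log on the receiving site records the processed key (log path assumed).
$hmanLog = "\\$RemoteSiteServer\SMS_$RemoteSiteCode\Logs\hman.log"
if (Test-Path $hmanLog) {
    Get-Content -Path $hmanLog -Tail 200 | Select-String -Pattern $LocalSiteCode | Select-Object -Last 5
}
```

Run it as a local administrator who holds the Site - Administer right directly, the same requirement the tool itself imposes; the script only automates the copy and does not change that requirement.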
International support in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The following sections provide technical details to help you make Configuration Manager compliant with
specific international requirements.

GB18030 Requirements
Configuration Manager meets the standards that are defined in GB18030 so that you can use Configuration
Manager in China. A Configuration Manager deployment must have the following configurations to meet the
GB18030 requirements:
Each site server computer and SQL Server computer that you use with Configuration Manager must use
a Chinese operating system.
Each site database and each instance of SQL Server in the hierarchy must use the same collation, and
must be one of the following:
Chinese_Simplified_Pinyin_100_CI_AI
Chinese_Simplified_Stroke_Order_100_CI_AI

NOTE
These database collations are an exception to the requirements that are noted in Support for SQL Server versions
for Configuration Manager.

You must place a file with the name GB18030.SMS in the root folder of the system volume of each site
server computer in the hierarchy. This file does not contain any data and can be an empty text file that is
named to meet this requirement.
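The three requirements above are simple to verify on each server. The following PowerShell script is an added example, not part of the Configuration Manager documentation or product, that checks the marker file at the root of the system volume, the Windows system locale, and the instance and database collations of one SQL Server. It queries SQL Server with the current user's Windows credentials; cm-sql01.contoso.local and CM_CH1 are assumed placeholders, and because the requirement applies to every site server and every SQL Server instance in the hierarchy, run it once per server.

```powershell
# Added example, not from the Configuration Manager documentation: verify the GB18030
# configuration of one site server and its site database. Instance and database are assumptions.
param(
    [string]$SqlInstance = 'cm-sql01.contoso.local',
    [string]$Database    = 'CM_CH1'
)

# The two collations the article allows.
$AllowedCollations = @(
    'Chinese_Simplified_Pinyin_100_CI_AI',
    'Chinese_Simplified_Stroke_Order_100_CI_AI'
)

function Test-Gb18030MarkerFile {
    # The marker is an empty file named GB18030.SMS at the root of the system volume.
    Test-Path (Join-Path "$env:SystemDrive\" 'GB18030.SMS')
}

function Test-ChineseSystemLocale {
    # Checks the operating system language requirement through the Windows system locale.
    (Get-WinSystemLocale).Name -like 'zh-*'
}

function Get-SqlCollation {
    # Returns the instance collation and the database collation in one round trip.
    param([string]$Instance, [string]$Db)

    $conn = [System.Data.SqlClient.SqlConnection]::new(
        "Server=$Instance;Database=$Db;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)),
       CAST(DATABASEPROPERTYEX(DB_NAME(), 'Collation') AS nvarchar(128))
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{ Server = $reader.GetString(0); Database = $reader.GetString(1) }
        }
    }
    finally { $conn.Dispose() }
}

$collation = Get-SqlCollation -Instance $SqlInstance -Db $Database

[pscustomobject]@{
    MarkerFilePresent   = Test-Gb18030MarkerFile
    ChineseSystemLocale = Test-ChineseSystemLocale
    ServerCollation     = $collation.Server
    DatabaseCollation   = $collation.Database
    CollationsMatch     = ($collation.Server -eq $collation.Database)
    CollationAllowed    = ($AllowedCollations -contains $collation.Database)
} | Format-List
```

All six fields should report True or an allowed collation name; a mismatch between ServerCollation and DatabaseCollation on any instance in the hierarchy breaks the same-collation requirement even when both values are individually allowed.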
Interoperability between different versions of
Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


You can install and operate multiple, independent hierarchies of Configuration Manager on the same network.
However, because different hierarchies of Configuration Manager don't interoperate outside of the migration
process, each hierarchy requires configurations to prevent conflicts between them. Additionally, you can create
certain configurations to help resources that you manage interact with the site systems from the correct
hierarchy.

Current branch and earlier versions


Sites of different versions can't coexist in the same Configuration Manager hierarchy. The only exceptions are
during the process of the following upgrade scenarios:
From System Center 2012 Configuration Manager to Configuration Manager current branch
From one Configuration Manager current branch version to a newer version using in-console updates
You can deploy a Configuration Manager current branch site and hierarchy side by side with an existing System
Center 2012 Configuration Manager site or hierarchy. Plan to prevent clients from either version from trying to
join a site from the other version.
For example, if two or more Configuration Manager hierarchies have overlapping boundaries that include the
same network locations, assign each new client to a specific site instead of using automatic site assignment. For
more information, see How to assign clients to a site.
Additionally, you can't install a client from System Center 2012 Configuration Manager on a computer that hosts
a site system role from Configuration Manager current branch. You also can't install a Configuration
Manager current branch client on a computer that hosts a site system role from System Center 2012
Configuration Manager.
The following clients and connections aren't supported:
Any System Center 2012 Configuration Manager or earlier computer client version
Any System Center 2012 Configuration Manager or earlier device management client
Windows CE Platform Builder device management client (any version)
System Center Mobile Device Manager VPN connection
Client site assignment considerations
Configuration Manager clients can be assigned to only a single primary site. You can't predict the actual site
assignment of a client when all of the following conditions are true:
You use automatic site assignment to assign clients to a site during client installation
More than one boundary group includes the same boundary
The boundary groups have different assigned sites
If boundaries overlap across multiple Configuration Manager sites and hierarchies, clients might not be
assigned to the site you expect, or might not get assigned to a site at all.
Configuration Manager current branch clients check the version of the site before they complete site
assignment. If site boundaries overlap, you can't assign clients to a site with a previous version. However, earlier
System Center 2012 Configuration Manager clients might incorrectly be assigned to a later Configuration
Manager current branch site.
To prevent clients from unintentionally being assigned to the wrong site when two hierarchies have overlapping
boundaries, configure client installation parameters to assign clients to a specific site.

Limitations in a mixed-version hierarchy


When you upgrade a Configuration Manager current branch hierarchy, there are times when different sites will
have different versions. For example, first you upgrade the central administration site. Because of site
maintenance windows, you don't upgrade the primary sites until a later time and date.
When different sites in a single hierarchy run different versions, some functionality isn't available. This behavior
can affect how you manage Configuration Manager objects in the Configuration Manager console, and which
functionality is available to clients. Typically, functionality from the newer version of Configuration Manager isn't
accessible at sites or to clients that run a lower service pack version.
Network access account
You upgrade the central administration site to Configuration Manager current branch. You view the network
access account details from a Configuration Manager console that's connected to this updated site. It doesn't
display account details from sites that still run System Center 2012 Configuration Manager.
After you upgrade the primary site to the same version as the central administration site, the account details are
visible in the console.
The same behavior applies when you update between versions of Configuration Manager.
Boot images for OS deployment
When upgrading from System Center 2012 Configuration Manager to Configuration Manager current branch
When the top-level site of a hierarchy upgrades to Configuration Manager current branch, it automatically
updates the default boot images to use the Windows Assessment and Deployment Kit (ADK) version 10. Use
these boot images only for deployments to clients at Configuration Manager current branch sites. For more
information, see Planning for OS deployment interoperability.
When upgrading between Configuration Manager current branch versions
As long as new versions of Configuration Manager don't update the version of Windows ADK that's in use,
there's no effect on boot images.
New task sequence steps
When you create a task sequence with a step introduced in one version of Configuration Manager that's not
available in an earlier version, you might have the following issues:
An error occurs when you try to edit the task sequence from a site that's running a previous version of
Configuration Manager.
The task sequence doesn't run on a computer that runs a previous version of the Configuration Manager
client.
Client to down-level management point communications
A Configuration Manager client that communicates with a management point from a site that runs a lower
version than the client can only use functionality that the down-level version of Configuration Manager
supports. For example, if you deploy content from a Configuration Manager current branch site that was
recently upgraded to a client that communicates with a management point that hasn't yet upgraded to that
version, that client can't use new functionality from the latest version.
Package and task sequence deployments to legacy clients
You can't deploy a package or task sequence to a client version 5.7730 or earlier. To work around this limitation,
upgrade the client to a later version.
Orchestration groups
Orchestration groups can't be used in a mixed-version hierarchy.
Assign site systems as clients to the same site
If you install the Configuration Manager client on site systems, assign them to the same site. Roles like the
management point and distribution point have shared binary files between the role and the client. These
collocated clients should always be the same version as the site system role.
For example, for a management point in site XYZ, assign the client installed on this site system server to site
XYZ.

Configuration Manager console


This section contains information about the use of the Configuration Manager console in an environment that
has a mix of Configuration Manager versions.
An environment with both System Center 2012 Configuration Manager and Configuration Manager current
branch
To manage a Configuration Manager site, both the console and the site the console connects to must run the
same version of Configuration Manager. For example, you can't use a System Center 2012 Configuration
Manager console to manage a Configuration Manager current branch site, or the other way around.
It's not supported to install both the System Center 2012 Configuration Manager console and the Configuration
Manager current branch console on the same computer.
An environment with multiple versions of Configuration Manager
Configuration Manager current branch doesn't support installing more than a single Configuration Manager
console on a computer. To use multiple consoles that are specific to different versions of Configuration Manager,
install the different consoles on separate computers.
During the process of updating sites in a hierarchy to a new version, you can connect a console to a site that
runs a newer version and view information about other sites in that hierarchy. However, this configuration isn't
recommended. It's possible that differences between the console version and Configuration Manager site
version can result in data issues. Some features that are available in the latest product version won't be available
in the console.
It's not supported to manage a site when using a console with a version that doesn't match the site version.
Doing so might cause loss of data and can put your site at risk. For example, it's not supported to use a console
from version 2103 to manage a site that runs version 2010.

Next steps
Use the Configuration Manager client software for extended interoperability with future versions of a Current
Branch site
Language packs in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article provides technical details about language support in Configuration Manager. Configuration Manager
site servers and clients are considered language-neutral. Add support for display languages by installing server
language packs or client language packs at a central administration site and at primary sites. You select the
server and client languages to support at a site from the available language pack files during the site installation
process.
Install multiple languages at each site. You only need to install the languages that you use.
Each site supports multiple languages for Configuration Manager consoles.
Add support for only the client languages that you want to support by installing individual client
language packs at each site.
When you install support for a language that matches the following components:
The display language of a computer: Both the Configuration Manager console and the client user
interface that runs on that computer display information in that language.
The language preference that's in use by the web browser of a computer: Connections to web-based
information display in that language. For example, SQL Server Reporting Services.
When you run Configuration Manager setup, it downloads language pack files as part of the prerequisites and
redistributable files. You can also use the setup downloader to download these files before you run setup.

Server languages
Use the following table to map a locale ID to a language that you want to support on servers. For more
information about locale IDs, see Locale IDs assigned by Microsoft.

Server language                  Locale ID (LCID)   Three-letter code
English (default)                0409               ENU
Chinese (Simplified)             0804               CHS
Chinese (Traditional, Taiwan)    0404               CHT
Czech                            0405               CSY
Dutch - Netherlands              0413               NLD
French                           040c               FRA
German                           0407               DEU
Hungarian                        040e               HUN
Italian - Italy                  0410               ITA
Japanese                         0411               JPN
Korean                           0412               KOR
Polish                           0415               PLK
Portuguese - Brazil              0416               PTB
Portuguese - Portugal            0816               PTG
Russian                          0419               RUS
Spanish - Spain                  0c0a               ESN
Swedish                          041d               SVE
Turkish                          041f               TRK

Client languages
Use the following table to map a locale ID to a language that you want to support on client computers. For more
information about locale IDs, see Locale IDs assigned by Microsoft.

Client language                  Locale ID (LCID)   Three-letter code
English (default)                0409               ENG
Chinese - Simplified             0804               CHS
Chinese (Traditional, Taiwan)    0404               CHT
Czech                            0405               CSY
Danish                           0406               DAN
Dutch - Netherlands              0413               NLD
Finnish                          040b               FIN
French                           040c               FRA
German                           0407               DEU
Greek                            0408               ELL
Hungarian                        040e               HUN
Italian - Italy                  0410               ITA
Japanese                         0411               JPN
Korean                           0412               KOR
Norwegian                        0414               NOR
Polish                           0415               PLK
Portuguese (Brazil)              0416               PTB
Portuguese (Portugal)            0816               PTG
Russian                          0419               RUS
Spanish - Spain                  0c0a               ESN
Swedish                          041d               SVE
Turkish                          041f               TRK

Mobile device client languages


When you add support for mobile device languages, all supported mobile device client languages are included.
You can't select individual language packs for mobile device support.

Identify installed language packs


To identify the language packs that are installed on a computer that runs the Configuration Manager client, look
for the locale ID (LCID) of the installed language packs in the computer's registry. This information is available at
the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup\InstalledLangs

Customize hardware inventory to collect this information. Then build a custom report to view the language
details. For more information about collecting custom hardware inventory, see How to configure hardware
inventory. For more information, see Create reports.
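Before building a hardware inventory class and a report, it is often enough to read the registry key directly on one client. The following PowerShell script is an added example, not part of the Configuration Manager documentation or product: it reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup\InstalledLangs and maps each LCID to the client language table above. It assumes the LCIDs appear as four-hex-digit value names or subkey names under that key (the article does not state the key's layout), and it ends with a constructed list of LCIDs so the mapping can be exercised on a machine without the client.

```powershell
# Added example, not from the Configuration Manager documentation: map installed client language
# packs to names and codes. Registry layout (LCIDs as value or subkey names) is an assumption.
$InstalledLangsKey = 'HKLM:\SOFTWARE\Microsoft\CCMSetup\InstalledLangs'

# Client language table from this article: LCID -> language name and three-letter code.
$ClientLanguages = @{
    '0409' = @{ Name = 'English (default)';             Code = 'ENG' }
    '0804' = @{ Name = 'Chinese - Simplified';          Code = 'CHS' }
    '0404' = @{ Name = 'Chinese (Traditional, Taiwan)'; Code = 'CHT' }
    '0405' = @{ Name = 'Czech';                         Code = 'CSY' }
    '0406' = @{ Name = 'Danish';                        Code = 'DAN' }
    '0413' = @{ Name = 'Dutch - Netherlands';           Code = 'NLD' }
    '040b' = @{ Name = 'Finnish';                       Code = 'FIN' }
    '040c' = @{ Name = 'French';                        Code = 'FRA' }
    '0407' = @{ Name = 'German';                        Code = 'DEU' }
    '0408' = @{ Name = 'Greek';                         Code = 'ELL' }
    '040e' = @{ Name = 'Hungarian';                     Code = 'HUN' }
    '0410' = @{ Name = 'Italian - Italy';               Code = 'ITA' }
    '0411' = @{ Name = 'Japanese';                      Code = 'JPN' }
    '0412' = @{ Name = 'Korean';                        Code = 'KOR' }
    '0414' = @{ Name = 'Norwegian';                     Code = 'NOR' }
    '0415' = @{ Name = 'Polish';                        Code = 'PLK' }
    '0416' = @{ Name = 'Portuguese (Brazil)';           Code = 'PTB' }
    '0816' = @{ Name = 'Portuguese (Portugal)';         Code = 'PTG' }
    '0419' = @{ Name = 'Russian';                       Code = 'RUS' }
    '0c0a' = @{ Name = 'Spanish - Spain';               Code = 'ESN' }
    '041d' = @{ Name = 'Swedish';                       Code = 'SVE' }
    '041f' = @{ Name = 'Turkish';                       Code = 'TRK' }
}

function Get-InstalledLcid {
    # Collects four-hex-digit LCIDs from value names and subkey names (layout assumed).
    param([string]$Path)

    if (-not (Test-Path $Path)) {
        Write-Warning "$Path not found; is the Configuration Manager client installed?"
        return @()
    }
    $valueNames  = @((Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name })
    $subkeyNames = @((Get-ChildItem -Path $Path) | ForEach-Object { $_.PSChildName })
    ($valueNames + $subkeyNames) |
        Where-Object { $_ -match '^[0-9A-Fa-f]{4}$' } |
        ForEach-Object { $_.ToLower() } |
        Sort-Object -Unique
}

function Resolve-ClientLanguage {
    # Turns a list of LCIDs into objects with the language name and code from the table.
    param([string[]]$Lcid)

    foreach ($id in $Lcid) {
        $entry = $ClientLanguages[$id.ToLower()]
        [pscustomobject]@{
            LCID     = $id
            Language = if ($entry) { $entry.Name } else { 'Unknown (not in client language table)' }
            Code     = if ($entry) { $entry.Code } else { '' }
        }
    }
}

# Live read on a Configuration Manager client.
Resolve-ClientLanguage -Lcid (Get-InstalledLcid -Path $InstalledLangsKey) | Format-Table -AutoSize

# Constructed sample, not real registry data, to show the mapping offline.
Resolve-ClientLanguage -Lcid @('0409', '0407', '0c0a', '0499') | Format-Table -AutoSize
```

The constructed sample resolves 0409, 0407 and 0c0a to English, German and Spanish, and reports 0499 as unknown, which is what you would also see for any LCID outside the supported client language list.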
About log files in Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


In Configuration Manager, client and site server components record process information in individual log files.
You can use the information in these log files to help you troubleshoot issues that might occur. By default,
Configuration Manager enables logging for client and server components.
This article provides general information about the Configuration Manager log files. It includes tools to use, how
to configure the logs, and where to find them. For more information on specific log files, see Log files reference.

How it works
Most processes in Configuration Manager write operational information to a log file that is dedicated to that
process. The log files are identified by .log or .lo_ file extensions. Configuration Manager writes to a .log
file until that log reaches its maximum size. When the log is full, the .log file is copied to a file of the same
name but with the .lo_ extension, and the process or component continues to write to the .log file. When the
.log file again reaches its maximum size, the .lo_ file is overwritten and the process repeats. Some
components establish a log file history by appending a date and time stamp to the log file name and by keeping
the .log extension.
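The rotation above matters when you read logs programmatically: the .lo_ file holds the older entries and the .log file the newer ones. The following PowerShell is an added example (not code from the Configuration Manager docs) that reads both files in write order and parses each line. The line format it assumes is the CMTrace format, which this page doesn't spell out: <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">, where type 1 is informational, 2 is a warning and 3 is an error. The sample line at the end is constructed for the example, not taken from a real log.

```powershell
# Added example, not code from the Configuration Manager docs.
# Parses the CMTrace-style lines that Configuration Manager components write and
# reads a component's rotated .lo_ file before its current .log file.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][string]$Line)

    # Assumed CMTrace line layout; continuation lines of multi-line messages won't match.
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!>' +
               '<time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<component>[^"]*)"' +
               '\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="[^"]*">\s*$'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }

    # time looks like 10:33:12.345+000 (some components write 7 fraction digits and a
    # signed UTC offset in minutes): strip the offset, trim the fraction to milliseconds.
    $t = $m.Groups['time'].Value -replace '[+-]\d+$', ''
    $t = $t -replace '(\.\d{3})\d+$', '$1'
    $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $t", 'MM-dd-yyyy HH:mm:ss.fff',
                                    [cultureinfo]::InvariantCulture)

    $severityByType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    $type = $m.Groups['type'].Value
    $severity = if ($severityByType.ContainsKey($type)) { $severityByType[$type] } else { "Type$type" }

    [pscustomobject]@{
        Timestamp = $stamp
        Component = $m.Groups['component'].Value
        Severity  = $severity
        Thread    = [int]$m.Groups['thread'].Value
        Message   = $m.Groups['msg'].Value
    }
}

function Get-CMLogEntries {
    # Yields entries from <name>.lo_ (the rotated copy) first, then <name>.log (the
    # file the component is currently writing), optionally filtered by severity.
    param(
        [Parameter(Mandatory)][string]$LogPath,
        [string[]]$Severity = @('Info', 'Warning', 'Error')
    )
    $rotated = [System.IO.Path]::ChangeExtension($LogPath, '.lo_')
    foreach ($file in @($rotated, $LogPath)) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        foreach ($line in Get-Content -LiteralPath $file) {
            $entry = ConvertFrom-CMTraceLine -Line $line
            if ($entry -and ($Severity -contains $entry.Severity)) { $entry }
        }
    }
}

# Constructed sample line (not from a real log) to exercise the parser offline.
$sample = '<![LOG[Constructed sample: policy request failed]LOG]!>' +
          '<time="10:33:12.345+000" date="02-16-2022" component="PolicyAgent" context="" ' +
          'type="3" thread="4128" file="policyagent.cpp:100">'
ConvertFrom-CMTraceLine -Line $sample

# Triage on a client (default log path from "Locating log files" below):
# Get-CMLogEntries -LogPath 'C:\Windows\CCM\Logs\CcmExec.log' -Severity Warning, Error |
#     Sort-Object Timestamp | Format-Table Timestamp, Component, Severity, Message -AutoSize
```

Reading the .lo_ file first keeps the output in write order across a rotation; sorting on Timestamp afterwards guards against clock changes between the two files.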

Log viewer tools


All Configuration Manager log files are plain text, so you can view them with any text reader like Notepad. The
logs use unique formatting that's best viewed with one of the following specialized tools:
CMTrace
OneTrace
Support Center log file viewer
CMTrace
To view the logs, use the Configuration Manager log viewer tool, CMTrace. It's located in the \SMSSetup\Tools folder of the Configuration Manager source media. CMTrace is added to all boot images that are added to the Software Library, and it's installed automatically along with the Configuration Manager client. For more information, see CMTrace.
OneTrace
OneTrace is a log viewer with Support Center. It works similarly to CMTrace, with improvements. For more
information, see Support Center OneTrace.
Support Center Log File Viewer
Support Center includes a modern log viewer. This tool replaces CMTrace and provides a customizable interface with support for tabs and dockable windows. It has a fast presentation layer, and can load large log files in seconds. For more information, see Support Center Log File Viewer.

NOTE
Support Center Log File Viewer and OneTrace use Windows Presentation Foundation (WPF). This component isn't
available in Windows PE. Continue to use CMTrace in boot images with task sequence deployments.
Configure logging options
You can change the configuration of the log files, such as the verbose level, size, and history. There are several
ways to change these settings:
During client installation
Using Configuration Manager Service Manager
Using the Windows Registry
In the Configuration Manager console
You can also use hardware inventory to collect log settings from clients.
Configure logging options during client installation
You can set the configuration of the client log files during installation. Use the following properties:
CCMENABLELOGGING
CCMDEBUGLOGGING
CCMLOGLEVEL
CCMLOGMAXHISTORY
CCMLOGMAXSIZE
For more information, see Client installation properties.
Configure logging options by using Configuration Manager Service Manager
You can change where Configuration Manager stores the log files, and their size.
To change a log file's size, name or location, or to make several components write to a single log file, use the following steps:
Modify logging for a component
1. In the Configuration Manager console, go to the Monitoring workspace, expand System Status, and then select either the Site Status or Component Status node.
2. In the ribbon, select Start, and then select Configuration Manager Service Manager.
3. When Configuration Manager Service Manager opens, connect to the site that you want to manage. If the site that you want to manage isn't shown, select Site, select Connect, and then enter the name of the site server for the correct site.
4. Expand the site and go to Components or Servers, depending on where the components that you want to manage are located.
5. In the right pane, select one or more components.
6. On the Component menu, select Logging.
7. In the Configuration Manager Component Logging dialog box, complete the available configuration options for your selection.
8. Select OK to save the configuration.
Configure logging options by using the Windows Registry
Use the Windows Registry on the servers or clients to change the following logging options:
Verbose level
Maximum history
Maximum size
When troubleshooting a problem, you can enable verbose logging for Configuration Manager to write
additional details in the log files.

WARNING
Misconfiguration of these settings can cause Configuration Manager to log large amounts of information, or none at all.
While this data can be beneficial for troubleshooting, be cautious when changing these values in production sites. Always
test these changes in a lab environment first. Excessive logging can occur, which might make it difficult to find relevant
information in the log files.

After you make changes to these registry settings, restart the component:
If you change the client settings, restart the SMS Agent Host service (CcmExec).
If you change the server settings, restart the SMS Executive service.
The registry settings vary depending upon the component:
Client and management point
Site server
Site system role
Configuration Manager console
Client and management point logging options
To configure logging options for all components on a client or management point site system, configure these
REG_DWORD values under the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\@Global

Value name (REG_DWORD) / Values / Description

LogLevel
    0: Verbose, 1: Default, 2: Warnings and errors, 3: Errors only
    The level of detail to write to log files.

LogMaxHistory
    Any integer greater than or equal to zero, for example 0: No history, 1: Default
    When a log file reaches the maximum size, the client renames it as a backup and creates a new log file. Specify how many previous versions to keep.

LogMaxSize
    Any integer greater than or equal to 10,000, for example 250000
    The maximum log file size in bytes. When a log grows to the specified size, the client renames it as a history file, and creates a new file. The default value is 250,000 bytes.

NOTE
Don't change other values that may exist in this registry key.

For advanced debugging, you can also add this REG_SZ value under the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Logging\DebugLogging
Value name (REG_SZ) / Values / Description

Enabled
    True: enable debug logs, False: disable debug logs
    Enables debug logging for troubleshooting purposes.

This setting causes the client to log low-level information for troubleshooting. Avoid using this setting in
production sites. Excessive logging can occur, which might make it difficult to find relevant information in the log
files. Make sure to turn off this setting after you resolve the issue.
Site server logging options
You can configure settings globally or for a specific component on the Configuration Manager site server.
Configure these values under the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing

Value name (type) / Values / Description

SqlEnabled (REG_DWORD)
    1: enable SQL Server tracing, 0: disable SQL Server tracing
    Add SQL Server trace logging to all site server logs.

ArchiveEnabled (REG_DWORD)
    1: enable log archives, 0: disable log archives
    Archive site server logs to a separate location for historical preservation.

ArchivePath (REG_SZ)
    A valid folder path, for example C:\Logs\Archive
    The path to archive site server logs.

Only enable SQL Server tracing for troubleshooting purposes. Avoid using it in production sites. Excessive
logging can occur, which might make it difficult to find relevant information in the log files. Make sure to turn off
this setting after you resolve the issue.

NOTE
Don't change other values that may exist in this registry key.

To configure logging options for a specific server component, configure these REG_DWORD values under the
following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\<ComponentName>

Value name (REG_DWORD) / Values / Description

LoggingLevel
    0: Verbose, 1: Default, 2: Warnings and errors, 3: Errors only
    The level of detail to write to log files.

LogMaxHistory
    Any integer greater than or equal to zero, for example 0: No history, 1: Default
    When a log file reaches the maximum size, the server renames it as a backup and creates a new log file. Specify how many previous versions to keep.

MaxFileSize
    Any integer greater than or equal to 10,000, for example 250000
    The maximum log file size in bytes. When a log grows to the specified size, the server renames it as a history file, and creates a new file. The default value is 250,000 bytes.

DebugLogging
    1: enable debug logs, 0: disable debug logs
    Enables debug logging for troubleshooting purposes.

The DebugLogging setting causes the server to log low-level information for troubleshooting. Avoid using this
setting in production sites. Excessive logging can occur, which might make it difficult to find relevant information
in the log files. Make sure to turn off this setting after you resolve the issue.

NOTE
Don't change other values that may exist in this registry key.
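Because the warning above is real (verbose and debug logging can bury the useful lines, and a forgotten setting keeps doing so), the change is easier to make safely with a script that snapshots the old values and can put them back. The following PowerShell is an added example (not code from the Configuration Manager docs) for the client and management point key and for a single site server component key described above. The value names and meanings are taken from the tables above; the backup file, the 5 MB size and the 5-file history are this example's own choices, and the component name you pass must be an existing subkey under the Tracing key (the usage lines show how to list them).

```powershell
# Added example, not code from the Configuration Manager docs. Run elevated.
# Captures, changes and restores the logging values under:
#   HKLM\SOFTWARE\Microsoft\CCM\Logging\@Global and ...\CCM\Logging\DebugLogging (client / MP)
#   HKLM\SOFTWARE\Microsoft\SMS\Tracing\<ComponentName>                            (site server)
# Only the values named in the docs are touched; others in these keys are left alone.

$CcmGlobalKey  = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\@Global'
$CcmDebugKey   = 'HKLM:\SOFTWARE\Microsoft\CCM\Logging\DebugLogging'
$SmsTracingKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Tracing'

function Get-CMLoggingTarget {
    # Maps a scope to its key, its value names (they differ between client and server) and its service.
    param([ValidateSet('Client', 'SiteServerComponent')][string]$Scope, [string]$Component)
    if ($Scope -eq 'Client') {
        return @{ Key = $CcmGlobalKey; Level = 'LogLevel'; Size = 'LogMaxSize'; History = 'LogMaxHistory'; Service = 'CcmExec' }
    }
    if (-not $Component) { throw 'Pass -Component with the name of a subkey under the Tracing key' }
    return @{ Key = (Join-Path $SmsTracingKey $Component); Level = 'LoggingLevel'; Size = 'MaxFileSize'; History = 'LogMaxHistory'; Service = 'SMS_EXECUTIVE' }
}

function Enable-CMVerboseLogging {
    param([ValidateSet('Client', 'SiteServerComponent')][string]$Scope, [string]$Component,
          [Parameter(Mandatory)][string]$BackupPath, [switch]$IncludeDebugLogging,
          [int]$MaxSizeBytes = 5MB, [int]$History = 5)
    $t = Get-CMLoggingTarget -Scope $Scope -Component $Component
    $current = Get-ItemProperty -LiteralPath $t.Key -ErrorAction Stop
    $debugCurrent = if ($Scope -eq 'Client') { (Get-ItemProperty -LiteralPath $CcmDebugKey -ErrorAction SilentlyContinue).Enabled }
                    else { $current.DebugLogging }

    # Snapshot exactly what this function changes so Restore-CMLogging can undo it.
    [pscustomobject]@{
        Scope = $Scope; Key = $t.Key; Service = $t.Service
        Level = $current.($t.Level); Size = $current.($t.Size); History = $current.($t.History); Debug = $debugCurrent
    } | Export-Clixml -LiteralPath $BackupPath

    Set-ItemProperty -LiteralPath $t.Key -Name $t.Level   -Value 0             -Type DWord   # 0 = Verbose
    Set-ItemProperty -LiteralPath $t.Key -Name $t.Size    -Value $MaxSizeBytes -Type DWord   # larger file before rotation
    Set-ItemProperty -LiteralPath $t.Key -Name $t.History -Value $History      -Type DWord   # keep more rotated copies
    if ($IncludeDebugLogging) {
        if ($Scope -eq 'Client') {
            if (-not (Test-Path -LiteralPath $CcmDebugKey)) { New-Item -Path $CcmDebugKey -Force | Out-Null }
            Set-ItemProperty -LiteralPath $CcmDebugKey -Name Enabled -Value 'True' -Type String   # REG_SZ per the docs
        } else {
            Set-ItemProperty -LiteralPath $t.Key -Name DebugLogging -Value 1 -Type DWord
        }
    }
    Restart-Service -Name $t.Service -Force   # the docs: restart CcmExec or SMS Executive to apply
}

function Restore-CMLogging {
    param([Parameter(Mandatory)][string]$BackupPath)
    $s = Import-Clixml -LiteralPath $BackupPath
    $t = Get-CMLoggingTarget -Scope $s.Scope -Component (Split-Path -Leaf $s.Key)
    $restore = @{}
    $restore[$t.Level]   = $s.Level
    $restore[$t.Size]    = $s.Size
    $restore[$t.History] = $s.History
    foreach ($name in $restore.Keys) {
        if ($null -ne $restore[$name]) { Set-ItemProperty -LiteralPath $s.Key -Name $name -Value ([int]$restore[$name]) -Type DWord }
        else { Remove-ItemProperty -LiteralPath $s.Key -Name $name -ErrorAction SilentlyContinue }   # was absent before
    }
    if ($s.Scope -eq 'Client') {
        if ($null -ne $s.Debug) { Set-ItemProperty -LiteralPath $CcmDebugKey -Name Enabled -Value ([string]$s.Debug) -Type String }
        elseif (Test-Path -LiteralPath $CcmDebugKey) { Set-ItemProperty -LiteralPath $CcmDebugKey -Name Enabled -Value 'False' -Type String }
    } elseif ($null -ne $s.Debug) { Set-ItemProperty -LiteralPath $s.Key -Name DebugLogging -Value ([int]$s.Debug) -Type DWord }
    else { Remove-ItemProperty -LiteralPath $s.Key -Name DebugLogging -ErrorAction SilentlyContinue }
    Restart-Service -Name $s.Service -Force
}

# Usage (elevated):
#   Enable-CMVerboseLogging -Scope Client -BackupPath C:\Temp\ccm-logging.xml -IncludeDebugLogging
#   Get-ChildItem -LiteralPath $SmsTracingKey | Select-Object -ExpandProperty PSChildName   # component names
#   Enable-CMVerboseLogging -Scope SiteServerComponent -Component <ComponentName> -BackupPath C:\Temp\smsexec.xml
#   Restore-CMLogging -BackupPath C:\Temp\ccm-logging.xml
```

Restoring removes a value only if the snapshot shows it was absent before, so the key ends up as it was rather than at a guessed default.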

Site system role logging options


You can configure settings globally or for a specific component on a site system that hosts a Configuration
Manager server role.
To configure logging options for a specific server component, configure these REG_DWORD values under the
following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\<ComponentName>\Logging

For example, for the distribution point role:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP\Logging

Value name (REG_DWORD) / Values / Description

LogLevel
    0: Verbose, 1: Default, 2: Warnings and errors, 3: Errors only
    The level of detail to write to log files.

LogMaxHistory
    Any integer greater than or equal to zero, for example 0: No history, 1: Default
    When a log file reaches the maximum size, the server renames it as a backup and creates a new log file. Specify how many previous versions to keep.

LogMaxSize
    Any integer greater than or equal to 10,000, for example 250000
    The maximum log file size in bytes. When a log grows to the specified size, the server renames it as a history file, and creates a new file. The default value is 250,000 bytes.

NOTE
Don't change other values that may exist in this registry key.

Configuration Manager console logging options


To change the verbose level of the AdminUI.log for the Configuration Manager console, use the following
procedure:
1. Open the console configuration file, Microsoft.ConfigurationManagement.exe.config, in an XML editor like Notepad. The default configuration file is in the following location:
C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe.config

2. Under the system.diagnostics > sources > source element, change the switchValue attribute from Error to Verbose. For example:

Original: <source name="SmsAdminUISnapIn" switchValue="Error">
New:      <source name="SmsAdminUISnapIn" switchValue="Verbose">

3. Save the file, and restart the console.
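Editing a .config file by hand in Notepad is a common way to end up with a console that won't start because of a stray character. The following PowerShell is an added example (not code from the Configuration Manager docs) that makes the same change through the XML parser, so the file stays well-formed, and keeps a copy of the original. The path and element names are the ones given in the steps above; the .bak file name is this example's choice, and the allowed levels are the System.Diagnostics SourceLevels names.

```powershell
# Added example, not code from the Configuration Manager docs. Run elevated
# (the file lives under Program Files) and restart the console afterwards.

function Set-CMConsoleLogLevel {
    param(
        [ValidateSet('Error', 'Warning', 'Information', 'Verbose')][string]$Level = 'Verbose',
        [string]$ConfigPath = 'C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe.config'
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Console config not found: $ConfigPath" }

    # Keep the original next to the file so the change can be reverted by copying it back.
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force

    $xml = [xml](Get-Content -LiteralPath $ConfigPath -Raw)
    # system.diagnostics > sources > source, selected by its name attribute.
    $source = $xml.SelectSingleNode("/configuration/system.diagnostics/sources/source[@name='SmsAdminUISnapIn']")
    if (-not $source) { throw "source element 'SmsAdminUISnapIn' not found in $ConfigPath" }

    $previous = $source.GetAttribute('switchValue')
    $source.SetAttribute('switchValue', $Level)
    $xml.Save($ConfigPath)   # XmlDocument.Save writes a well-formed file

    [pscustomobject]@{ Previous = $previous; Current = $Level; Backup = "$ConfigPath.bak" }
}

# Set-CMConsoleLogLevel -Level Verbose   # then close and reopen the console
# Set-CMConsoleLogLevel -Level Error     # put it back when the troubleshooting is done
```

The function returns the previous value so you know what to restore; AdminUI.log grows quickly at Verbose.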


Configure logging options in the Configuration Manager console
Enable or disable verbose logging on a client or collection from the console:
1. In the Configuration Manager console, go to the Assets and Compliance workspace, select the
Devices node, and choose a target device.
2. In the ribbon, on the Home tab, in the Device group, select Client Diagnostics . Choose one of the
available actions.
For more information, see Client diagnostics.
Hardware inventory for client log settings
Starting in version 2107, you can enable hardware inventory to collect client log file settings. Enable the hardware inventory class Client Diagnostics (CCM_ClientDiagnostics), and then select the following attributes:
Debug Logging Enabled
Logging Enabled
Log Level
History File Count
Max Log File Size

NOTE
This inventory class isn't enabled by default.

For more information, see Enable or disable existing hardware inventory classes.

Locating log files


Configuration Manager and dependent components store log files in various locations. These locations depend
on the process that creates the log file and the configuration of your environment.
The following locations are the defaults. If you customized the installation directories in your environment, the
actual paths may vary.
Client: C:\Windows\CCM\logs
Server: C:\Program Files\Microsoft Configuration Manager\Logs
Management point: C:\SMS_CCM\Logs
Configuration Manager console: C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\AdminUILog
IIS: C:\inetpub\logs\logfiles\w3svc1
Task sequence log locations
The location of the task sequence log file smsts.log varies depending upon the phase of the task sequence:
In Windows PE before the Format and Partition Disk step: X:\Windows\temp\smstslog\smsts.log (X is the Windows PE RAM drive)
In Windows PE after the Format and Partition Disk step: X:\smstslog\smsts.log, then copied to C:\_SMSTaskSequence\Logs\smstslog\smsts.log when the drive is ready
In the new Windows OS before the client is installed: C:\_SMSTaskSequence\Logs\smstslog\smsts.log
In Windows after the client is installed: C:\Windows\CCM\Logs\smstslog\smsts.log
In Windows after the task sequence completes: C:\Windows\CCM\Logs\smsts.log

TIP
The read-only task sequence variable _SMSTSLogPath always contains the path of the current log file.

Next steps
Log files reference
Support Center OneTrace
Support Center log file viewer
CMTrace
Log file reference
2/16/2022 • 44 minutes to read

Applies to: Configuration Manager (current branch)


In Configuration Manager, client and site server components record process information in individual log files.
You can use the information in these log files to help you troubleshoot issues that might occur. By default,
Configuration Manager enables logging for client and server components.
For more general information about log files in Configuration Manager, see About log files. That article includes
information on the tools to use, how to configure the logs, and where to find them.
The following sections provide details about the different log files available to you. Monitor Configuration
Manager client and server logs for operation details, and view error information to troubleshoot problems.
Client log files
Client operations
Client installation
Client for Mac computers
Server log files
Site server and site systems
Site server installation
Data warehouse service point
Fallback status point
Management point
Service connection point
Software update point
Log files by functionality
Application management
Asset Intelligence
Backup and recovery
Certificate enrollment
Client notification
Cloud management gateway
Compliance settings and company resource access
Configuration Manager console
Content management
Desktop Analytics
Discovery
Endpoint analytics
Endpoint Protection
Extensions
Inventory
Migration
Mobile devices
OS deployment
Power management
Remote control
Reporting
Role-based administration
Software metering
Software updates
Wake On LAN
Windows servicing
Windows Update Agent
WSUS server

Client log files


The following sections list the log files related to client operations and client installation.
Client operations
The following table lists the log files located on the Configuration Manager client.

Log name: Description

ADALOperationProvider.log: Information about client authentication token requests with Azure Active Directory (Azure AD) Authentication Library (ADAL).
BitLockerManagementHandler.log: Records information about BitLocker management policies.
CAS.log: The Content Access service. Maintains the local package cache on the client.
Ccm32BitLauncher.log: Records actions for starting applications on the client marked run as 32 bit.
CcmEval.log: Records Configuration Manager client status evaluation activities and details for components that are required by the Configuration Manager client.
CcmEvalTask.log: Records the Configuration Manager client status evaluation activities that are initiated by the evaluation scheduled task.
CcmExec.log: Records activities of the client and the SMS Agent Host service. This log file also includes information about enabling and disabling wake-up proxy.
CcmMessaging.log: Records activities related to communication between the client and management points.
CCMNotificationAgent.log: Records activities related to client notification operations.
Ccmperf.log: Records activities related to the maintenance and capture of data related to client performance counters.
CcmRestart.log: Records client service restart activity.
CCMSDKProvider.log: Records activities for the client SDK interfaces.
ccmsqlce.log: Records activities for the SQL Server Compact Edition (CE) that the client uses. This log is typically only used when you enable debug logging, or there's a problem with the component. The client health task (ccmeval) usually self-corrects problems with this component.
CcmUsrCse.log: Records details during user sign on for folder redirection policies.
CCMVDIProvider.log: Records information for clients in a virtual desktop infrastructure (VDI).
CertEnrollAgent.log: Records information for Windows Hello for Business. Specifically communication with the Network Device Enrollment Service (NDES) for certificate requests using the Simple Certificate Enrollment Protocol (SCEP).
CertificateMaintenance.log: Maintains certificates for Active Directory Domain Services and management points.
CIAgent.log: Records details about the process of remediation and compliance for compliance settings, software updates, and application management.
CIDownloader.log: Records details about configuration item definition downloads.
CIStateStore.log: Records changes in state for configuration items, such as compliance settings, software updates, and applications.
CIStore.log: Records information about configuration items, such as compliance settings, software updates, and applications.
CITaskMgr.log: Records tasks for each application and deployment type, such as content download and install or uninstall actions.
ClientAuth.log: Records signing and authentication activity for the client.
ClientIDManagerStartup.log: Creates and maintains the client GUID and identifies tasks during client registration and assignment.
ClientLocation.log: Records tasks that are related to client site assignment.
ClientServicing.log: Records information for client deployment state messages during auto-upgrade and client piloting.
CMBITSManager.log: Records information for Background Intelligent Transfer Service (BITS) jobs on the device.
CMHttpsReadiness.log: Records the results of running the Configuration Manager HTTPS Readiness Assessment Tool. This tool checks whether computers have a public key infrastructure (PKI) client authentication certificate that can be used with Configuration Manager.
CmRcService.log: Records information for the remote control service.
CoManagementHandler.log: Use to troubleshoot co-management on the client.
ComplRelayAgent.log: Records information for the co-management workload for compliance policies.
ContentTransferManager.log: Schedules the Background Intelligent Transfer Service (BITS) or Server Message Block (SMB) to download or access packages.
DataTransferService.log: Records all BITS communication for policy or package access.
DCMAgent.log: Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications.
DCMReporting.log: Records information about reporting policy platform results into state messages for configuration items.
DcmWmiProvider.log: Records information about reading configuration item synclets from WMI.
DeltaDownload.log: Records information about the download of express updates and updates downloaded using Delivery Optimization.
Diagnostics.log: Records the status of client diagnostic actions.
EndpointProtectionAgent: Records information about the installation of the System Center Endpoint Protection client and the application of antimalware policy to that client.
execmgr.log: Records details about packages and task sequences that run on the client.
ExpressionSolver.log: Records details about enhanced detection methods that are used when verbose or debug logging is turned on.
ExternalEventAgent.log: Records the history of Endpoint Protection malware detection and events related to client status.
FileBITS.log: Records all SMB package access tasks.
FileSystemFile.log: Records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection.
FSPStateMessage.log: Records the activity for state messages that are sent to the fallback status point by the client.
InternetProxy.log: Records the network proxy configuration and use activity for the client.
InventoryAgent.log: Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client.
InventoryProvider.log: More details about hardware inventory, software inventory, and heartbeat discovery actions on the client.
LocationCache.log: Records the activity for location cache use and maintenance for the client.
LocationServices.log: Records the client activity for locating management points, software update points, and distribution points.
M365AHandler.log: Information about the Desktop Analytics settings policy.
MaintenanceCoordinator.log: Records the activity for general maintenance tasks for the client.
Mifprovider.log: Records the activity of the WMI provider for Management Information Format (MIF) files.
mtrmgr.log: Monitors all software metering processes.
PolicyAgent.log: Records requests for policies made by using the Data Transfer Service.
PolicyAgentProvider.log: Records policy changes.
PolicyEvaluator.log: Records details about the evaluation of policies on client computers, including policies from software updates.
PolicyPlatformClient.log: Records the process of remediation and compliance for all providers located in \Program Files\Microsoft Policy Platform, except the file provider.
PolicySdk.log: Records activities for policy system SDK interfaces.

Pwrmgmt.log: Records information about enabling or disabling and configuring the wake-up proxy client settings.
PwrProvider.log: Records the activities of the power management provider (PWRInvProvider) hosted in the WMI service. On all supported versions of Windows, the provider enumerates the current settings on computers during hardware inventory and applies power plan settings.
SCClient_<domain>@<username>_1.log: Records the activity in Software Center for the specified user on the client computer.
SCClient_<domain>@<username>_2.log: Records the historical activity in Software Center for the specified user on the client computer.
Scheduler.log: Records activities of scheduled tasks for all client operations.
SCNotify_<domain>@<username>_1.log: Records the activity for notifying users about software for the specified user.
SCNotify_<domain>@<username>_1-<date_time>.log: Records the historical information for notifying users about software for the specified user.
Scripts.log: Records the activity of when Configuration Manager scripts run on the client.
SensorWmiProvider.log: Records the activity of the WMI provider for the endpoint analytics sensor.
SensorEndpoint.log: Records the execution of endpoint analytics policy and upload of client data to the site server.
SensorManagedProvider.log: Records the gathering and processing of events and information for endpoint analytics.
setuppolicyevaluator.log: Records configuration and inventory policy creation in WMI.
SleepAgent_<domain>@SYSTEM_0.log: The main log file for wake-up proxy.
SmsClientMethodProvider.log: Records activity for sending client schedules. For example, with the Send Schedule tool or other programmatic methods.
smscliui.log: Records use of the Configuration Manager client in Control Panel.
SrcUpdateMgr.log: Records activity for installed Windows Installer applications that are updated with current distribution point source locations.
StateMessageProvider.log: Records information for the component that sends state messages from the client to the site.
StatusAgent.log: Records status messages that are created by the client components.
SWMTRReportGen.log: Generates a use data report that is collected by the metering agent. This data is logged in Mtrmgr.log.
UserAffinity.log: Records details about user device affinity.
UserAffinityProvider.log: Technical details from the component that tracks user device affinity.
VirtualApp.log: Records information specific to the evaluation of Application Virtualization (App-V) deployment types.
Wedmtrace.log: Records operations related to write filters on Windows Embedded clients.
wakeprxy-install.log: Records installation information when clients receive the client setting option to turn on wake-up proxy.
wakeprxy-uninstall.log: Records information about uninstalling wake-up proxy when clients receive the client setting option to turn off wake-up proxy, if wake-up proxy was previously turned on.


Client installation
The following table lists the log files that contain information related to the installation of the Configuration
Manager client.

Log name: Description

ccmsetup.log: Records ccmsetup.exe tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems.
ccmsetup-ccmeval.log: Records ccmsetup.exe tasks for client status and remediation.
CcmRepair.log: Records the repair activities of the client agent.
client.msi.log: Records setup tasks done by client.msi. Can be used to troubleshoot client installation or removal problems.
ClientServicing.log: Records information for client deployment state messages during auto-upgrade and client piloting.


Client for Mac computers


The Configuration Manager client for Mac computers records information in the following log files on the Mac
computer:

Log name (location): Details

CCMClient-<date_time>.log (/Library/Application Support/Microsoft/CCM/Logs): Records activities that are related to the Mac client operations, including application management, inventory, and error logging.
CCMAgent-<date_time>.log (~/Library/Logs): Records information that is related to client operations, including user sign in and sign out operations, and Mac computer activity.
CCMNotifications-<date_time>.log (~/Library/Logs): Records activities that are related to Configuration Manager notifications displayed on the Mac computer.
CCMPrefPane-<date_time>.log (~/Library/Logs): Records activities related to the Configuration Manager preferences dialog box on the Mac computer, which includes general status and error logging.


The log file SMS_DM.log on the site system server also records communication between Mac computers and
the management point that is set up for mobile devices and Mac computers.

Server log files


The following sections list log files that are on the site server or that are related to specific site system roles.
Site server and site systems
The following table lists the log files that are on the Configuration Manager site server and site system servers.

Log name (computer with log file): Description

adctrl.log (Site server): Records enrollment processing activity.
ADForestDisc.log (Site server): Records Active Directory Forest Discovery actions.
adminservice.log (Computer with the SMS Provider): Records actions for the SMS Provider administration service REST API.
ADService.log (Site server): Records account creation and security group details in Active Directory.
adsgdis.log (Site server): Records Active Directory Group Discovery actions.
adsysdis.log (Site server): Records Active Directory System Discovery actions.
adusrdis.log (Site server): Records Active Directory User Discovery actions.
BusinessAppProcessWorker.log (Site server): Records processing for Microsoft Store for Business apps.
ccm.log (Site server): Records activities for client push installation.
CertMgr.log (Site system server): Records certificate activities for intrasite communication.
chmgr.log (Site server): Records activities of the client health manager.
Cidm.log (Site server): Records changes to the client settings by the Client Install Data Manager (CIDM).
CollectionAADGroupSyncWorker.log (Site server): Log file for synchronization of collection membership results to Azure Active Directory.
colleval.log (Site server): Records details about when collections are created, changed, and deleted by the Collection Evaluator.
compmon.log (Site system server): Records the status of component threads monitored for the site server.
compsumm.log (Site server): Records Component Status Summarizer tasks.
ComRegSetup.log (Site system server): Records the initial installation of COM registration results for a site server.
dataldr.log (Site server): Records information about the processing of MIF files and hardware inventory in the Configuration Manager database.
ddm.log (Site server): Records activities of the discovery data manager.
despool.log (Site server): Records incoming site-to-site communication transfers.
distmgr.log (Site server): Records details about package creation, compression, delta replication, and information updates. It can also include other activities from the distribution manager component. For example, installing a distribution point, connection attempts, and installing components. For more information on other functionality that uses this log, see Service connection point and OS deployment.
EPCtrlMgr.log (Site server): Records information about the syncing of malware threat information from the Endpoint Protection site system role server with the Configuration Manager database.
EPMgr.log (Site system server): Records the status of the Endpoint Protection site system role.
EPSetup.log (Site system server): Provides information about the installation of the Endpoint Protection site system role.
EnrollSrv.log (Site system server): Records activities of the enrollment service process.
EnrollWeb.log (Site system server): Records activities of the enrollment website process.
ExternalNotificationsWorker.log (Site server): Records the queue and activities for notifications to external systems like Azure Logic Apps.
fspmgr.log (Site system server): Records activities of the fallback status point site system role.
hman.log (Site server): Records information about site configuration changes, and about the publishing of site information in Active Directory Domain Services.
Inboxast.log (Site server): Records the files that are moved from the management point to the corresponding INBOXES folder on the site server.
inboxmgr.log (Site server): Records file transfer activities between inbox folders.
inboxmon.log (Site server): Records the processing of inbox files and performance counter updates.
invproc.log (Site server): Records the forwarding of MIF files from a secondary site to its parent site.
migmctrl.log (Top-level site in the Configuration Manager hierarchy, and each child primary site; in a multi-primary site hierarchy, use the log file that is created at the central administration site): Records information for Migration actions that involve migration jobs, shared distribution points, and distribution point upgrades.
mpcontrol.log (Site system server): Records the registration of the management point. Records the availability of the management point every 10 minutes.
mpfdm.log (Site system server): Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server.
mpMSI.log (Site server): Records details about the management point installation.
MPSetup.log (Site server): Records the management point installation wrapper process.
netdisc.log (Site server): Records Network Discovery actions.
NotiCtrl.log (Site server): Application request notifications.
ntsvrdis.log (Site server): Records the discovery activity of site system servers.
Objreplmgr (Site server): Records the processing of object change notifications for replication.
offermgr.log (Site server): Records advertisement updates.
offersum.log (Site server): Records the summarization of deployment status messages.
OfflineServicingMgr.log (Site server): Records the activities of applying updates to operating system image files.
outboxmon.log (Site server): Records the processing of outbox files and performance counter updates.
PerfSetup.log (Site system server): Records the results of the installation of performance counters.
PkgXferMgr.log (Site server): Records the actions of the SMS_Executive component that is responsible for sending content from a primary site to a remote distribution point.
policypv.log (Primary site server): Records updates to the client policies to reflect changes to client settings or deployments.
rcmctrl.log (Site server): Records the activities of database replication between sites in the hierarchy.
LO G N A M E DESC RIP T IO N C O M P UT ER W IT H LO G F IL E

replmgr.log Records the replication of files between Site server


the site server components and the
Scheduler component.

ResourceExplorer.log Records errors, warnings, and Computer that runs the Configuration
information about running Resource Manager console
Explorer.

RESTPROVIDERSetup.log Installation of the SMS Provider Computer with the SMS Provider
administration service REST API

ruleengine.log Records details about automatic Site server


deployment rules for the identification,
content download, and software
update group and deployment
creation.

schedule.log Records details about site-to-site job Site server


and file replication.

sender.log Records the files that transfer by file- Site server


based replication between sites.

sinvproc.log Records information about the Site server


processing of software inventory data
to the site database.

sitecomp.log Records details about the maintenance Site server


of the installed site components on all
site system servers in the site.

sitectrl.log Records site setting changes made to Site server


site control objects in the database.

sitestat.log Records the availability and disk space Site server


monitoring process of all site systems.

SMS_AZUREAD_DISCOVERY_AGENT.lo Log file for Azure Active Directory Site server


g (Azure AD) user and user group
discovery.

SMS_BUSINESS_APP_PROCESS_MANA Log file for component that Site server


GER.log synchronizes apps from the Microsoft
Store for Business.

SMS_DataEngine.log Log file for management insights. Site server

SMS_ISVUPDATES_SYNCAGENT.log Log file for synchronization of third- Top-level software update point in the
party software updates. Configuration Manager hierarchy.

SMS_MESSAGE_PROCESSING_ENGINE. Log file for the message processing Site server


log engine, which the site uses to process
results for client actions. For example,
run scripts and CMPivot.
LO G N A M E DESC RIP T IO N C O M P UT ER W IT H LO G F IL E

SMS_OrchestrationGroup.log Log file for orchestration groups Site server

SMS_PhasedDeployment.log Log file for phased deployments Top-level site in the Configuration
Manager hierarchy

SMS_REST_PROVIDER.log Service health state for the SMS Computer with the SMS Provider
Provider administration service REST
API, including certificate information

SmsAdminUI.log Records Configuration Manager Computer that runs the Configuration


console activity. Manager console

smsbkup.log Records output from the site backup Site server


process.

smsdbmon.log Records database changes. Site server

SMSENROLLSRVSetup.log Records the installation activities of the Site system server


enrollment web service.

SMSENROLLWEBSetup.log Records the installation activities of the Site system server


enrollment website.

smsexec.log Records the processing of all site Site server or site system server
server component threads.

SMSFSPSetup.log Records messages generated by the Site system server


installation of a fallback status point.

SMSProv.log Records WMI provider access to the Computer with the SMS Provider
site database.

srsrpMSI.log Records detailed results of the Site system server


reporting point installation process
from the MSI output.

srsrpsetup.log Records results of the reporting point Site system server


installation process.

statesys.log Records the processing of state system Site server


messages.

statmgr.log Records the writing of all status Site server


messages to the database.

swmproc.log Records the processing of metering Site server


files and settings.

UXAnalyticsUploadWorker.log Records data upload to the service for Site server


endpoint analytics.

Site server installation

The following table lists the log files that contain information related to site installation.

Log name | Description | Computer with log file
ConfigMgrPrereq.log | Records prerequisite component evaluation and installation activities. | Site server
ConfigMgrSetup.log | Records detailed output from the site server setup. | Site server
ConfigMgrSetupWizard.log | Records information related to activity in the Setup Wizard. | Site server
SMS_BOOTSTRAP.log | Records information about the progress of launching the secondary site installation process. Details of the actual setup process are contained in ConfigMgrSetup.log. | Site server
smstsvc.log | Records information about the installation, use, and removal of a Windows service. Windows uses this service to test network connectivity and permissions between servers. It uses the computer account of the server that creates the connection. | Site server and site system server

Data warehouse service point

The following table lists the log files that contain information related to the data warehouse service point.

Log name | Description | Computer with log file
DWSSMSI.log | Records messages generated by the installation of a data warehouse service point. | Site system server
DWSSSetup.log | Records messages generated by the installation of a data warehouse service point. | Site system server
Microsoft.ConfigMgrDataWarehouse.log | Records information about data synchronization between the site database and the data warehouse database. | Site system server

Fallback status point

The following table lists the log files that contain information related to the fallback status point.

Log name | Description | Computer with log file
FspIsapi | Records details about communications to the fallback status point from mobile device legacy clients and client computers. | Site system server
fspMSI.log | Records messages generated by the installation of a fallback status point. | Site system server
fspmgr.log | Records activities of the fallback status point site system role. | Site system server

Management point

The following table lists the log files that contain information related to the management point.

Log name | Description | Computer with log file
CcmIsapi.log | Records client messaging activity on the endpoint. | Site system server
CCM_STS.log | Records activities for authentication tokens, either from Azure Active Directory or site-issued client tokens. | Site system server
ClientAuth.log | Records signing and authentication activity. | Site system server
MP_CliReg.log | Records the client registration activity processed by the management point. | Site system server
MP_Ddr.log | Records the conversion of XML.ddr records from clients, and then copies them to the site server. | Site system server
MP_Framework.log | Records the activities of the core management point and client framework components. | Site system server
MP_GetAuth.log | Records client authorization activity. | Site system server
MP_GetPolicy.log | Records policy request activity from client computers. | Site system server
MP_Hinv.log | Records details about the conversion of XML hardware inventory records from clients and the copy of those files to the site server. | Site system server
MP_Location.log | Records location request and reply activity from clients. | Site system server
MP_OOBMgr.log | Records the management point activities related to receiving an OTP from a client. | Site system server
MP_Policy.log | Records policy communication. | Site system server
MP_RegistrationManager.log | Records activities related to client registration, such as validating certificates, CRL, and tokens. | Site system server
MP_Relay.log | Records the transfer of files that are collected from the client. | Site system server
MP_RelayMsgMgr.log | Records how the management point handles incoming client messages, such as for scripts or CMPivot. | Site system server
MP_Retry.log | Records hardware inventory retry processes. | Site system server
MP_Sinv.log | Records details about the conversion of XML software inventory records from clients and the copy of those files to the site server. | Site system server
MP_SinvCollFile.log | Records details about file collection. | Site system server
MP_Status.log | Records details about the conversion of XML.svf status message files from clients and the copy of those files to the site server. | Site system server
mpcontrol.log | Records the registration of the management point. Records the availability of the management point every 10 minutes. | Site server
mpfdm.log | Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. | Site system server
mpMSI.log | Records details about the management point installation. | Site server
MPSetup.log | Records the management point installation wrapper process. | Site server
UserService.log | Records user requests from Software Center, retrieving/installing user-available applications from the server. | Site system server

Service connection point

The following table lists the log files that contain information related to the service connection point.

Log name | Description | Computer with log file
CertMgr.log | Records certificate and proxy account information. | Site server
CollEval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Primary site and central administration site
Cloudusersync.log | Records license enablement for users. | Computer with the service connection point
Dataldr.log | Records information about the processing of MIF files. | Site server
ddm.log | Records activities of the discovery data manager. | Site server
Distmgr.log | Records details about content distribution requests. | Top-level site server
Dmpdownloader.log | Records details about downloads from Microsoft, such as site updates. | Computer with the service connection point
Dmpuploader.log | Records detail related to uploading database changes to Microsoft. | Computer with the service connection point
EndpointConnectivityCheckWorker.log | Starting in version 2010, records detail related to checks for important internet endpoints. | Computer with the service connection point
hman.log | Records information about message forwarding. | Site server
WsfbSyncWorker.log | Records information about the communication with the Microsoft Store for Business. | Computer with the service connection point
objreplmgr.log | Records the processing of policy and assignment. | Primary site server
PolicyPV.log | Records policy generation of all policies. | Site server
outgoingcontentmanager.log | Records content uploaded to Microsoft. | Computer with the service connection point
ServiceConnectionTool.log | Records details about use of the service connection tool based on the parameter you use. Each time you run the tool, it replaces any existing log file. | Same location as the tool
Sitecomp.log | Records details of service connection point installation. | Site server
SmsAdminUI.log | Records Configuration Manager console activity. | Computer that runs the Configuration Manager console
SMS_CLOUDCONNECTION.log | Records information about cloud services. | Computer with the service connection point
Smsprov.log | Records activities of the SMS Provider. Configuration Manager console activities use the SMS Provider. | Computer with the SMS Provider
SrvBoot.log | Records details about the service connection point installer service. | Computer with the service connection point
Statesys.log | Records the processing of mobile device management messages. | Primary site and central administration site

Software update point

The following table lists the log files that contain information related to the software update point.

Log name | Description | Computer with log file
objreplmgr.log | Records details about the replication of software updates notification files from a parent site to child sites. | Site server
PatchDownloader.log | Records details about the process of downloading software updates from the update source to the download destination on the site server. | When you manually download updates, this file is in your %temp% directory on the computer where you use the console. For automatic deployment rules, if the Configuration Manager client is installed on the site server, this file is on the site server in %windir%\CCM\Logs.
ruleengine.log | Records details about automatic deployment rules for the identification, content download, and software update group and deployment creation. | Site server
SMS_ISVUPDATES_SYNCAGENT.log | Log file for synchronization of third-party software updates. | Top-level software update point in the Configuration Manager hierarchy.
SUPSetup.log | Records details about the software update point installation. When the software update point installation completes, "Installation was successful" is written to this log file. | Site system server
WCM.log | Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages. | Site server that connects to the WSUS server
WSUSCtrl.log | Records details about the configuration, database connectivity, and health of the WSUS server for the site. | Site system server
wsyncmgr.log | Records details about the software updates sync process. | Site system server
WUSSyncXML.log | Records details about the Inventory Tool for the Microsoft Updates sync process. | Client computer configured as the sync host for the Inventory Tool for Microsoft Updates

Log files by functionality

The following sections list log files related to Configuration Manager functions.

Application management

The following table lists the log files that contain information related to application management.

Log name | Description | Computer with log file
AppIntentEval.log | Records details about the current and intended state of applications, their applicability, whether requirements were met, deployment types, and dependencies. | Client
AppDiscovery.log | Records details about the discovery or detection of applications on client computers. | Client
AppEnforce.log | Records details about enforcement actions (install and uninstall) taken for applications on the client. | Client
AppGroupHandler.log | Records detection and enforcement information for application groups. | Client
BusinessAppProcessWorker.log | Records processing for Microsoft Store for Business apps. | Site server
Ccmsdkprovider.log | Records the activities of the application management SDK. | Client
colleval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Site system server
WsfbSyncWorker.log | Records information about the communication with the Microsoft Store for Business. | Computer with the service connection point
NotiCtrl.log | Application request notifications. | Site server
PrestageContent.log | Records details about the use of the ExtractContent.exe tool on a remote, prestaged distribution point. This tool extracts content that has been exported to a file. | Site system server
SettingsAgent.log | Enforcement of specific applications, records orchestration of application group evaluation, and details of co-management policies. | Client
SMS_BUSINESS_APP_PROCESS_MANAGER.log | Log file for the component that synchronizes apps from the Microsoft Store for Business. | Site server
SMS_CLOUDCONNECTION.log | Records information about cloud services. | Computer with the service connection point
SMS_ImplicitUninstall.log | Records events from the implicit uninstall background worker process. | Site server
SMSdpmon.log | Records details about the distribution point health monitoring scheduled task that is configured on a distribution point. | Site server
SoftwareCenterSystemTasks.log | Records activities related to Software Center prerequisite component validation. | Client
TSDTHandler.log | For the task sequence deployment type. It logs the process from app enforcement (install or uninstall) to the launch of the task sequence. Use it with AppEnforce.log and smsts.log. | Client

Packages and programs

The following table lists the log files that contain information related to deploying packages and programs.

Log name | Description | Computer with log file
colleval.log | Records details about when collections are created, changed, and deleted by the Collection Evaluator. | Site server
execmgr.log | Records details about packages and task sequences that run. | Client

Asset Intelligence

The following table lists the log files that contain information related to Asset Intelligence.

Log name | Description | Computer with log file
AssetAdvisor.log | Records the activities of Asset Intelligence inventory actions. | Client
aikbmgr.log | Records details about the processing of XML files from the inbox for updating the Asset Intelligence catalog. | Site server
AIUpdateSvc.log | Records the interaction of the Asset Intelligence sync point with the cloud service. | Site system server
AIUSMSI.log | Records details about the installation of the Asset Intelligence sync point site system role. | Site system server
AIUSSetup.log | Records details about the installation of the Asset Intelligence sync point site system role. | Site system server
ManagedProvider.log | Records details about discovering software with an associated software identification tag. Also records activities related to hardware inventory. | Site system server
MVLSImport.log | Records details about the processing of imported licensing files. | Site system server

Backup and recovery

The following table lists log files that contain information related to backup and recovery actions, including site resets, and changes to the SMS Provider.

Log name | Description | Computer with log file
ConfigMgrSetup.log | Records information about setup and recovery tasks when Configuration Manager recovers a site from backup. | Site server
Smsbkup.log | Records details about the site backup activity. | Site server
smssqlbkup.log | Records output from the site database backup process when SQL Server is installed on a server that isn't the site server. | Site database server
Smswriter.log | Records information about the state of the Configuration Manager VSS writer that is used by the backup process. | Site server

Certificate enrollment

The following table lists the Configuration Manager log files that contain information related to certificate enrollment. Certificate enrollment uses the certificate registration point and the Configuration Manager Policy Module on the server that's running the Network Device Enrollment Service (NDES).

Log name | Description | Computer with log file
CertEnrollAgent.log | Records client communication with NDES for certificate requests using the Simple Certificate Enrollment Protocol (SCEP). | Windows Hello for Business client
Crp.log | Records enrollment activities. | Certificate registration point
Crpctrl.log | Records the operational health of the certificate registration point. | Certificate registration point
Crpsetup.log | Records details about the installation and configuration of the certificate registration point. | Certificate registration point
Crpmsi.log | Records details about the installation and configuration of the certificate registration point. | Certificate registration point
NDESPlugin.log | Records challenge verification and certificate enrollment activities. | Configuration Manager Policy Module and the Network Device Enrollment Service

Along with the Configuration Manager log files, review the Windows Application logs in Event Viewer on the server running the Network Device Enrollment Service and the server hosting the certificate registration point. For example, look for messages from the NetworkDeviceEnrollmentService source.

You can also use the following log files:

IIS log files for Network Device Enrollment Service: %SYSTEMDRIVE%\inetpub\logs\LogFiles\W3SVC1
IIS log files for the certificate registration point: %SYSTEMDRIVE%\inetpub\logs\LogFiles\W3SVC1
Network Device Enrollment Policy log file: mscep.log

NOTE
This file is located in the folder for the NDES account profile, for example, in C:\Users\SCEPSvc. For more information about how to enable NDES logging, see the Enable Logging section of the NDES wiki.

Client notification

The following table lists the log files that contain information related to client notification.

Log name | Description | Computer with log file
bgbmgr.log | Records details about site server activities related to client notification tasks and processing online and task status files. | Site server
BGBServer.log | Records the activities of the notification server, such as client-server communication and pushing tasks to clients. Also records information about the generation of online and task status files to be sent to the site server. | Management point
BgbSetup.log | Records the activities of the notification server installation wrapper process during installation and uninstallation. | Management point
bgbisapiMSI.log | Records details about the notification server installation and uninstallation. | Management point
BgbHttpProxy.log | Records the activities of the notification HTTP proxy as it relays the messages of clients using HTTP to and from the notification server. | Client
CcmNotificationAgent.log | Records the activities of the notification agent, such as client-server communication and information about tasks received and dispatched to other client agents. | Client

Cloud management gateway

The following table lists the log files that contain information related to the cloud management gateway.

Log name | Description | Computer with log file
CloudMgr.log | Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. To configure the logging level, edit the Logging level value in the following registry key: HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER | The installdir folder on the primary site server or CAS.
CMGSetup.log (Note 1) | Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). To configure the logging level, use the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab. | The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server
CMGService.log (Note 1) | Records details about the cloud management gateway service core component in Azure. To configure the logging level, use the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab. | The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server
SMS_Cloud_ProxyConnector.log | Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point. | Site system server
CMGContentService.log (Note 1) | When you enable a CMG to also serve content from Azure storage, this log records the details of that service. | The %approot%\logs on your Azure server, or the SMS/Logs folder on the site system server

For troubleshooting deployments, use CloudMgr.log and CMGSetup.log.
For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
For troubleshooting client traffic, use CMGService.log and SMS_Cloud_ProxyConnector.log.

Note 1: Logs synchronized from Azure
These are local Configuration Manager log files that the cloud service manager syncs from Azure storage every five minutes. The cloud management gateway pushes logs to Azure storage every five minutes, so the maximum delay is 10 minutes. Verbose switches affect both local and remote logs. The actual file names include the service name and role instance identifier, for example CMG-ServiceName-RoleInstanceID-CMGSetup.log. Because these log files are synced, you don't need to RDP to the cloud management gateway to obtain them, and that option isn't supported.
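The troubleshooting guidance above names which logs to read for deployment, service-health and client-traffic problems, and the note explains that the synced copies carry a CMG-ServiceName-RoleInstanceID- prefix. The following PowerShell helper is an added example, not code from the Configuration Manager documentation or product: it searches the log locations the page mentions for a given log name (matching on the suffix so the prefixed synced copies are found too) and returns only warning and error lines. It assumes two things that the page does not state: the directory defaults (the site server Logs folder as the page writes it under %ProgramFiles%, the SMS\Logs folder of a site system server, and the client folder %windir%\CCM\Logs; adjust them to your installation), and that each line uses the CMTrace line format that Configuration Manager components write, where type 1 is informational, 2 is a warning and 3 is an error. The same function works for any log name in these tables, for example MP_RegistrationManager.log when reviewing certificate, CRL or token validation failures on a management point.

```powershell
# Added example (not from the Configuration Manager docs). Parses CMTrace-format
# log lines and reports warnings/errors from the logs named in the tables above.

function ConvertFrom-CMTraceLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Line)
    # Assumed line shape (CMTrace format written by Configuration Manager components):
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff+000" date="MM-dd-yyyy" component="X" context="" type="N" thread="T" file="F">
    # Only the single-line form is handled; multi-line LOG bodies are skipped (return $null).
    $m = [regex]::Match($Line,
        '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Component = $m.Groups['comp'].Value
        Type      = [int]$m.Groups['type'].Value   # 1 = info, 2 = warning, 3 = error
        Message   = $m.Groups['msg'].Value
    }
}

function Get-CMLogProblem {
    [CmdletBinding()]
    param(
        # One or more log names from the tables, e.g. 'CloudMgr.log', 'CMGSetup.log'.
        [Parameter(Mandatory)][string[]]$LogName,
        # Directories to search. These defaults are assumptions, not values from the page's
        # tables: change them if your site server is installed elsewhere.
        [string[]]$SearchRoot = @(
            (Join-Path $env:ProgramFiles 'Configuration Manager\Logs'),  # site server installdir\Logs
            'C:\SMS\Logs',                                                # site system server SMS\Logs
            (Join-Path $env:windir 'CCM\Logs')                            # client logs
        ),
        # Lowest severity to report: 2 = warnings and errors, 3 = errors only.
        [ValidateSet(2, 3)][int]$MinType = 2
    )
    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($name in $LogName) {
            # Synced CMG logs are prefixed (CMG-ServiceName-RoleInstanceID-CMGSetup.log),
            # so match on the suffix rather than the exact file name.
            $files = Get-ChildItem -LiteralPath $root -File -Filter "*$name" -ErrorAction SilentlyContinue
            foreach ($file in $files) {
                Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue |
                    ForEach-Object { ConvertFrom-CMTraceLine -Line $_ } |
                    Where-Object { $_ -and $_.Type -ge $MinType } |
                    ForEach-Object {
                        $_ | Add-Member -NotePropertyName File -NotePropertyValue $file.FullName -PassThru
                    }
            }
        }
    }
}

# Constructed sample line (not real product output) showing what the parser yields.
$sample = '<![LOG[Connection to the CMG connection point was refused]LOG]!>' +
          '<time="10:15:02.123+000" date="01-02-2023" component="SMS_CLOUD_SERVICES_MANAGER" ' +
          'context="" type="3" thread="4712" file="cloudmgr.cpp:101">'
ConvertFrom-CMTraceLine -Line $sample

# Usage following the guidance above: deployment problems first, then service health.
Get-CMLogProblem -LogName 'CloudMgr.log', 'CMGSetup.log' |
    Sort-Object Date, Time |
    Format-Table Date, Time, Type, Component, Message -AutoSize
Get-CMLogProblem -LogName 'CMGService.log', 'SMS_Cloud_ProxyConnector.log' -MinType 3 |
    Format-Table Date, Time, Component, Message -AutoSize
```

Because the synced copies can lag the Azure side by up to the 10 minutes the note describes, an empty result from the prefixed CMGSetup.log or CMGService.log files right after a change does not mean the deployment succeeded; re-run after the next sync interval before concluding anything.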
Compliance settings and company resource access

The following table lists the log files that contain information related to compliance settings and company resource access.

Log name | Description | Computer with log file
CIAgent.log | Records details about the process of remediation and compliance for compliance settings, software updates, and application management. | Client
CITaskManager.log | Records information about configuration item task scheduling. | Client
DCMAgent.log | Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications. | Client
DCMReporting.log | Records information about reporting policy platform results into state messages for configuration items. | Client
DcmWmiProvider.log | Records information about reading configuration item synclets from WMI. | Client

Configuration Manager console

The following table lists the log files that contain information related to the Configuration Manager console.

Log name | Description | Computer with log file
ConfigMgrAdminUISetup.log | Records the installation of the Configuration Manager console. | Computer that runs the Configuration Manager console
SmsAdminUI.log | Records information about the operation of the Configuration Manager console. | Computer that runs the Configuration Manager console
Smsprov.log | Records activities of the SMS Provider. Configuration Manager console activities use the SMS Provider. | Site server or site system server

Content management

The following table lists the log files that contain information related to content management.

Log name | Description | Computer with log file
CloudDP-<guid>.log | Records details for a specific cloud-based content source, including information about storage and content access. | Site system server
CloudMgr.log | Records details about content provisioning, collecting storage and bandwidth statistics, and administrator-initiated actions to stop or start the cloud service that runs a content-enabled cloud management gateway (CMG). | Site system server
DataTransferService.log | Records all BITS communication for policy or package access. This log is also used for content management by pull-distribution points. | Computer that is configured as a pull-distribution point
PullDP.log | Records details about content that the pull-distribution point transfers from source distribution points. | Computer that is configured as a pull-distribution point
PrestageContent.log | Records details about the use of the ExtractContent.exe tool on a remote, prestaged distribution point. This tool extracts content that has been exported to a file. | Site system role
PkgXferMgr.log | Records the actions of the SMS_Executive component that is responsible for sending content from a primary site to a remote distribution point. | Site server
SMSdpmon.log | Records details about distribution point health monitoring scheduled tasks that are configured on a distribution point. | Site system role
smsdpprov.log | Records details about the extraction of compressed files received from a primary site. This log is generated by the WMI provider of the remote distribution point. | Distribution point computer that isn't colocated with the site server
smsdpusage.log | Records details about the smsdpusage.exe that runs and gathers data for the distribution point usage summary report. | Site system role

Desktop Analytics

Use the following log files to help troubleshoot issues with Desktop Analytics integrated with Configuration Manager.

The log files on the service connection point are in the following directory: %ProgramFiles%\Configuration Manager\Logs\M365A. The log files on the Configuration Manager client are in the following directory: %WinDir%\CCM\logs.

Log name | Description | Computer with log file
M365ADeploymentPlanWorker.log | Information about deployment plan sync from the Desktop Analytics cloud service to on-premises Configuration Manager. | Service connection point
M365ADeviceHealthWorker.log | Information about device health upload from Configuration Manager to the Microsoft cloud. | Service connection point
M365AHandler.log | Information about the Desktop Analytics settings policy. | Client
M365AUploadWorker.log | Information about collection and device upload from Configuration Manager to the Microsoft cloud. | Service connection point
SmsAdminUI.log | Information about Configuration Manager console activity, like configuring the Azure cloud services. | Service connection point

Discovery

The following table lists the log files that contain information related to discovery.

Log name | Description | Computer with log file
adsgdis.log | Records Active Directory Security Group Discovery actions. | Site server
adsysdis.log | Records Active Directory System Discovery actions. | Site server
adusrdis.log | Records Active Directory User Discovery actions. | Site server
ADForestDisc.Log | Records Active Directory Forest Discovery actions. | Site server
ddm.log | Records activities of the discovery data manager. | Site server
InventoryAgent.log | Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client. | Client
netdisc.log | Records Network Discovery actions. | Site server

Endpoint analytics

The following table lists the log files that contain information related to endpoint analytics.

Log name | Description | Computer with log file
UXAnalyticsUploadWorker.log | Records data upload to the service for endpoint analytics. | Site server
SensorWmiProvider.log | Records the activity of the WMI provider for the endpoint analytics sensor. | Client
SensorEndpoint.log | Records the execution of endpoint analytics policy and upload of client data to the site server. | Client
SensorManagedProvider.log | Records the gathering and processing of events and information for endpoint analytics. | Client

Endpoint Protection

The following table lists the log files that contain information related to Endpoint Protection.

Log name | Description | Computer with log file
EndpointProtectionAgent.log | Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client. | Client
EPCtrlMgr.log | Records details about the syncing of malware threat information from the Endpoint Protection role server with the Configuration Manager database. | Site system server
EPMgr.log | Monitors the status of the Endpoint Protection site system role. | Site system server
EPSetup.log | Provides information about the installation of the Endpoint Protection site system role. | Site system server

Extensions
The following table lists the log files that contain information related to extensions.

Log name | Description | Computer with log file
AdminUI.ExtensionInstaller.log | Records information about the download of extensions from Microsoft, and the installation and uninstallation of all extensions. | Computer that runs the Configuration Manager console
FeatureExtensionInstaller.log | Records information about the installation and removal of individual extensions when they're enabled or disabled in the Configuration Manager console. | Computer that runs the Configuration Manager console
SmsAdminUI.log | Records Configuration Manager console activity. | Computer that runs the Configuration Manager console

Inventory
The following table lists the log files that contain information related to processing inventory data.

Log name | Description | Computer with log file
dataldr.log | Records information about the processing of MIF files and hardware inventory in the Configuration Manager database. | Site server
invproc.log | Records the forwarding of MIF files from a secondary site to its parent site. | Secondary site server
sinvproc.log | Records information about the processing of software inventory data to the site database. | Site server

Metering
The following table lists the log files that contain information related to metering.

Log name | Description | Computer with log file
mtrmgr.log | Monitors all software metering processes. | Client
SWMTRReportGen.log | Generates a use data report that is collected by the metering agent. This data is logged in Mtrmgr.log. | Client
swmproc.log | Records the processing of metering files and settings. | Site server

Migration
The following table lists the log files that contain information related to migration.

Log name | Description | Computer with log file
migmctrl.log | Records information about migration actions that involve migration jobs, shared distribution points, and distribution point upgrades. | Top-level site in the Configuration Manager hierarchy, and each child primary site. In a multi-primary site hierarchy, use the log file created at the central administration site.

Mobile devices
The following sections list the log files that contain information related to managing mobile devices.
Enrollment
The following table lists logs that contain information related to mobile device enrollment.

Log name | Description | Computer with log file
DMPRP.log | Records communication between management points that are enabled for mobile devices and the management point endpoints. | Site system server
dmpmsi.log | Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. | Site system server
DMPSetup.log | Records the configuration of the management point when it's enabled for mobile devices. | Site system server
enrollsrvMSI.log | Records the Windows Installer data for the configuration of an enrollment point. | Site system server
enrollmentweb.log | Records communication between mobile devices and the enrollment proxy point. | Site system server
enrollwebMSI.log | Records the Windows Installer data for the configuration of an enrollment proxy point. | Site system server
enrollmentservice.log | Records communication between an enrollment proxy point and an enrollment point. | Site system server
SMS_DM.log | Records communication between mobile devices, Mac computers, and the management point that is enabled for mobile devices and Mac computers. | Site system server

Exchange Server connector
The following logs contain information related to the Exchange Server connector.

Log name | Description | Computer with log file
easdisc.log | Records the activities and the status of the Exchange Server connector. | Site server

Mobile device legacy
The following table lists logs that contain information related to the mobile device legacy client.

Log name | Description | Computer with log file
DmCertEnroll.log | Records details about certificate enrollment data on mobile device legacy clients. | Client
DMCertResp.htm | Records the HTML response from the certificate server when the mobile device legacy client enroller program requests a PKI certificate. | Client
DmClientHealth.log | Records the GUIDs of all mobile device legacy clients that communicate with the management point that is enabled for mobile devices. | Site system server
DmClientRegistration.log | Records registration requests and responses to and from mobile device legacy clients. | Site system server
DmClientSetup.log | Records client setup data for mobile device legacy clients. | Client
DmClientXfer.log | Records client transfer data for mobile device legacy clients and for ActiveSync deployments. | Client
DmCommonInstaller.log | Records client transfer file installation for configuring mobile device legacy client transfer files. | Client
DmInstaller.log | Records whether DMInstaller correctly calls DmClientSetup, and whether DmClientSetup exits with success or failure for mobile device legacy clients. | Client
DmpDatastore.log | Records all the site database connections and queries made by the management point that is enabled for mobile devices. | Site system server
DmpDiscovery.log | Records all the discovery data from the mobile device legacy clients on the management point that is enabled for mobile devices. | Site system server
DmpHardware.log | Records hardware inventory data from mobile device legacy clients on the management point that is enabled for mobile devices. | Site system server
DmpIsapi.log | Records mobile device legacy client communication with a management point that is enabled for mobile devices. | Site system server
dmpmsi.log | Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. | Site system server
DMPSetup.log | Records the configuration of the management point when it's enabled for mobile devices. | Site system server
DmpSoftware.log | Records software distribution data from mobile device legacy clients on a management point that is enabled for mobile devices. | Site system server
DmpStatus.log | Records status messages data from mobile device clients on a management point that is enabled for mobile devices. | Site system server
DmSvc.log | Records client communication from mobile device legacy clients with a management point that is enabled for mobile devices. | Client
FspIsapi.log | Records details about communications to the fallback status point from mobile device legacy clients and client computers. | Site system server

OS deployment
The following table lists the log files that contain information related to OS deployment.

Log name | Description | Computer with log file
CAS.log | Records details when distribution points are found for referenced content. | Client
ccmsetup.log | Records ccmsetup tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems. | Client
CreateTSMedia.log | Records details for task sequence media creation. | Computer that runs the Configuration Manager console
Dism.log | Records driver installation actions or update application actions for offline servicing. | Site system server
Distmgr.log | Records details about the configuration of enabling a distribution point for Preboot Execution Environment (PXE). | Site system server
DriverCatalog.log | Records details about device drivers that have been imported into the driver catalog. | Site system server
mcsisapi.log | Records information for multicast package transfer and client request responses. | Site system server
mcsexec.log | Records health check, namespace, session creation, and certificate check actions. | Site system server
mcsmgr.log | Records changes to configuration, security mode, and availability. | Site system server
mcsprv.log | Records multicast provider interaction with Windows Deployment Services (WDS). | Site system server
MCSSetup.log | Records details about multicast server role installation. | Site system server
MCSMSI.log | Records details about multicast server role installation. | Site system server
Mcsperf.log | Records details about multicast performance counter updates. | Site system server
MP_ClientIDManager.log | Records management point responses to client ID requests that task sequences start from PXE or boot media. | Site system server
MP_DriverManager.log | Records management point responses to Auto Apply Driver task sequence action requests. | Site system server
OfflineServicingMgr.log | Records details of offline servicing schedules and update apply actions on operating system Windows Imaging Format (WIM) files. | Site system server
Setupact.log | Records details about Windows Sysprep and setup logs. For more information, see Log Files. | Client
Setupapi.log | Records details about Windows Sysprep and setup logs. | Client
Setuperr.log | Records details about Windows Sysprep and setup logs. | Client
smpisapi.log | Records details about the client state capture and restore actions, and threshold information. | Client
Smpmgr.log | Records details about the results of state migration point health checks and configuration changes. | Site system server
smpmsi.log | Records installation and configuration details about the state migration point. | Site system server
smpperf.log | Records the state migration point performance counter updates. | Site system server
smspxe.log | Records details about the responses to clients that use PXE boot, and details about the expansion of boot images and boot files. | Site system server
smssmpsetup.log | Records installation and configuration details about the state migration point. | Site system server
SMS_PhasedDeployment.log | Log file for phased deployments. | Top-level site in the Configuration Manager hierarchy
Smsts.log | Records task sequence activities. | Client
TSAgent.log | Records the outcome of task sequence dependencies before starting a task sequence. | Client
TaskSequenceProvider.log | Records details about task sequences when they're imported, exported, or edited. | Site system server
loadstate.log | Records details about the User State Migration Tool (USMT) and restoring user state data. | Client
scanstate.log | Records details about the User State Migration Tool (USMT) and capturing user state data. | Client

Power management
The following table lists the log files that contain information related to power management.

Log name | Description | Computer with log file
pwrmgmt.log | Records details about power management activities on the client computer, including monitoring and the enforcement of settings by the Power Management Client Agent. | Client

Remote control
The following table lists the log files that contain information related to remote control.

Log name | Description | Computer with log file
CMRcViewer.log | Records details about the activity of the remote control viewer. | On the computer that runs the remote control viewer, in the %temp% folder.

Reporting
The following table lists the Configuration Manager log files that contain information related to reporting.

Log name | Description | Computer with log file
srsrp.log | Records information about the activity and status of the reporting services point. | Site system server
srsrpMSI.log | Records detailed results of the reporting services point installation process from the MSI output. | Site system server
srsrpsetup.log | Records results of the reporting services point installation process. | Site system server

Role-based administration
The following table lists the log files that contain information related to managing role-based administration.

Log name | Description | Computer with log file
hman.log | Records information about site configuration changes and the publishing of site information to Active Directory Domain Services. | Site server
SMSProv.log | Records WMI provider access to the site database. | Computer with the SMS Provider

Software metering
The following table lists the log files that contain information related to software metering.

Log name | Description | Computer with log file
mtrmgr.log | Monitors all software metering processes. | Site server

Software updates
The following table lists the log files that contain information related to software updates.

Log name | Description | Computer with log file
AlternateHandler.log | Records details when the client calls the Office click-to-run COM interface to download and install Microsoft 365 Apps for enterprise client updates. It's similar to use of WuaHandler when it calls the Windows Update Agent API to download and install Windows updates. | Client
ccmperf.log | Records activities related to the maintenance and capture of data related to client performance counters. | Client
DeltaDownload.log | Records information about the download of express updates and updates downloaded using Delivery Optimization. | Client
PatchDownloader.log | Records details about the process of downloading software updates from the update source to the download destination on the site server. | When downloading updates manually, this log file is located in the %temp% directory of the user running the console, on the machine where the console runs. For Automatic Deployment Rules, this log file is located on the site server in %windir%\CCM\Logs, if the ConfigMgr client is installed on the site server.
PolicyEvaluator.log | Records details about the evaluation of policies on client computers, including policies from software updates. | Client
RebootCoordinator.log | Records details about the coordination of system restarts on client computers after software update installations. | Client
ScanAgent.log | Records details about scan requests for software updates, the WSUS location, and related actions. | Client
SdmAgent.log | Records details about the tracking of remediation and compliance. However, the software updates log file, Updateshandler.log, provides more informative details about installing the software updates that are required for compliance. This log file is shared with compliance settings. | Client
ServiceWindowManager.log | Records details about the evaluation of maintenance windows. | Client
SMS_ISVUPDATES_SYNCAGENT.log | Log file for synchronization of third-party software updates. | Top-level software update point in the Configuration Manager hierarchy.
SMS_OrchestrationGroup.log | Log file for orchestration groups. | Site server
SmsWusHandler.log | Records details about the scan process for the Inventory Tool for Microsoft Updates. | Client
StateMessage.log | Records details about software update state messages that are created and sent to the management point. | Client
SUPSetup.log | Records details about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file. | Site system server
UpdatesDeployment.log | Records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface. | Client
UpdatesHandler.log | Records details about software update compliance scanning and about the download and installation of software updates on the client. | Client
UpdatesStore.log | Records details about compliance status for the software updates that were assessed during the compliance scan cycle. | Client
WCM.log | Records details about software update point configurations and connections to the WSUS server for subscribed update categories, classifications, and languages. | Site server
WSUSCtrl.log | Records details about the configuration, database connectivity, and health of the WSUS server for the site. | Site system server
wsyncmgr.log | Records details about the software update sync process. | Site server
WUAHandler.log | Records details about the Windows Update Agent on the client when it searches for software updates. | Client

Wake On LAN
The following table lists the log files that contain information related to using Wake On LAN.

NOTE
When you supplement Wake On LAN by using wake-up proxy, this activity is logged on the client. For example, see
CcmExec.log and SleepAgent_<domain>@SYSTEM_0.log in the Client operations section of this article.

Log name | Description | Computer with log file
wolcmgr.log | Records details about which clients need to be sent wake-up packets, the number of wake-up packets sent, and the number of wake-up packets retried. | Site server
wolmgr.log | Records details about wake-up procedures, such as when to wake up deployments that are configured for Wake On LAN. | Site server

Windows servicing
The following table lists the log files that contain information related to Windows servicing.
Servicing uses the same infrastructure and process as software updates. For other logs applicable to the
servicing scenario, see Software updates.

Log name | Description | Computer with log file
CBS.log | Records servicing failures related to changes for Windows Updates or roles and features. | Client
DISM.log | Records all actions using DISM. If necessary, DISM.log will point to CBS.log for more details. | Client
setupact.log | Primary log file for most errors that occur during the Windows installation process. The log file is located in the %windir%$Windows.~BT\sources\panther folder. | Client

For more information, see Online Servicing-Related Log Files.


Windows Update Agent
The following table lists the log files that contain information related to the Windows Update Agent.

Log name | Description | Computer with log file
WindowsUpdate.log | Records details about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment, and whether there are updates to the agent components. | Client

For more information, see Windows Update log files.


WSUS server
The following table lists the log files that contain information related to the WSUS server.

Log name | Description | Computer with log file
Change.log | Records details about WSUS server database information that has changed. | WSUS server
SoftwareDistribution.log | Records details about the software updates that are synced from the configured update source to the WSUS server database. | WSUS server

These log files are located in the %ProgramFiles%\Update Services\LogFiles folder.

See also
About log files
Support Center OneTrace
Support Center log file viewer
CMTrace
Release notes for Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


With Configuration Manager, product release notes are limited to urgent issues. These issues aren't yet fixed in
the product, or detailed in a troubleshooting article.
Feature-specific documentation includes information about known issues that affect core scenarios.
This article contains release notes for the current branch of Configuration Manager. For information on the
technical preview branch, see Technical Preview.
For information about the new features introduced with different versions, see the following articles:
What's new in version 2111
What's new in version 2107
What's new in version 2103
What's new in version 2010

TIP
You can use RSS to be notified when this page is updated. For more information, see How to use the docs.

Client management
Some policies may not apply to upgraded clients
Applies to version 2107 early update ring
When you upgrade the client from versions 2010 or 2103 to version 2107, the following policies may not apply
on some devices:
Co-management policies on Windows 10 Enterprise multi-session devices such as Azure Virtual Desktop,
and Windows 11 Insider Preview devices
Desktop Analytics on any Windows version
Windows Update for Business policies on Windows 10 x86 and ARM
Microsoft Edge browser profiles on Windows 10 x64 and x86

NOTE
The timing of how clients apply and evaluate these policies is non-deterministic. Even if you have these policies and these
supported platforms, they may not immediately experience this issue.

When you look at the Configurations tab of the Configuration Manager control panel on the client, it will be
blank.
This issue is fixed in the build of version 2107 that's now generally available for all customers. If you previously
opted in to the early update ring, install the Update for Microsoft Endpoint Configuration Manager version 2107,
early update ring.
Client notification actions apply to entire collection
Applies to version 2010
When you use a client notification action on a device in a collection, the action applies to all devices in the
collection.
For example:
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Device Collections node.
2. Select a collection, and then choose the Show Members action.
3. Select a device in the collection. In the ribbon on the Home tab, select Client Notification, and choose
an action such as Restart.
Because of this issue, this action applies to all members of the collection, not just the selected client.

NOTE
This issue doesn't apply to the Start CMPivot or Run Script options.

To work around this issue, install the following hotfix: Client notifications sent to all collection members in
Configuration Manager current branch, version 2010.
You can also use the Devices node. Find the device in the list and start the action from there.

NOTE
This issue also applies to the Invoke-CMClientAction PowerShell cmdlet and other SDK methods, if you don't include a
collection object or ID.

Set up and upgrade
Version 2107 update fails to download
Applies to: version 2107 and later
The update for Configuration Manager version 2107 is available to download, but it fails to download. The
dmpdownloader.log on the service connection point has entries similar to the following:

Download large file with BITs
WARNING: EasySetupDownloadSinglePackage Failed with exception: The remote name could not be resolved: 'configmgrbits.azureedge.net'
WARNING: Retry in the next polling cycle

This failure happens because the service connection point can't communicate with the required internet
endpoint, configmgrbits.azureedge.net. Confirm that the site system that hosts the service connection point role
can communicate with this internet endpoint. It was already required, but its use is expanded in version 2107.
The site system can't download version 2107 or later unless your network allows traffic to this URL.
For more information, see internet access requirements for the service connection point.
Management point installation or update fails because of later Visual C++ version
Applies to: version 2107 early update ring
If the site system server has a version of the Visual C++ redistributable later than 14.28.29914, Configuration
Manager setup will fail to install or update the management point role.
To work around this issue, temporarily uninstall the later version of Visual C++ redistributable. When you install
Configuration Manager version 2107, it will install version 14.28.29914.

OS deployment
Image servicing with Windows Server 2022
Applies to: version 2107
If you try to apply software updates to an image for Windows Server 2022, no updates display as available to
install.
This issue is caused by a change to the Windows update category for Server 2022.
To resolve this issue, install the update rollup for Configuration Manager version 2107.
Task sequence and application policy issue
Applies to: version 2107 early update ring installed between August 2, 2021 and August 6, 2021
If you have all of the following conditions:
Task sequence A
Includes the Install Application step with app X
Deployed and made available to either type that includes Configuration Manager clients
Task sequence B
Includes the Install Application step with the same app X
Deployed and made available to either Only media and PXE option
After you update to version 2107, if you make any change to app X, then task sequence A will fail to run on
clients that receive the deployment policy after the site update. The Configuration Manager client can't get all of
the policies for the task sequence and referenced applications. For clients that already had the deployment
policy for task sequence A before the site update, the task sequence will run, but clients won't have the revised
application policy.
You can run the following SQL script on a primary site database to determine if your site has this issue:

select COUNT(*) from Policy where PolicyID like '%/VI%'
AND ((ISNULL(PolicyFlags, 0) & 4096 = 4096)
OR (ISNULL(PolicyFlags, 0) & 2048 = 2048))

If this query returns 0, there's currently no issue. If the query returns a non-zero value, the issue only exists
given the above conditions.

NOTE
If there are many media and PXE task sequences that reference an application that you revise, the site will take longer to
update these task sequence policies. During this time, some media and PXE task sequence deployments may fail. There's
no workaround for this timing issue.

Workaround for task sequence and application policy issue in version 2107 early update ring
This issue is fixed in the build of version 2107 that's now generally available for all customers. If you previously
opted in to the early update ring, install the Update for Microsoft Endpoint Configuration Manager version 2107,
early update ring.
For OS deployment task sequences to existing clients not with PXE, you may see entries similar to the following
strings in the ExecMgr.log on the client:

cannot load compressed XML policy
Failed to load policy from XML ''
Could not find the policy in WMI for Application ScopeId_88A86770-F44E-47C8-BF8D-3C1B8A5DF3AA/Application_b711f24c-f766-41e0-9c41-02313b2c8be3
Unable to find application policy for [advertisement: PR220005 appid: ScopeId_88A86770-F44E-47C8-BF8D-3C1B8A5DF3AA/Application_b711f24c-f766-41e0-9c41-02313b2c8be3]
Fail to initialize TS member info, error 0x87d02004

For this issue, after you install the update for version 2107 early update ring, run the following SQL query on
the primary site to which the client is assigned:

select distinct ci.CI_ID from vSMS_ConfigurationItems ci
join CI_ConfigurationItemRelations_Flat cir on cir.ToCI_ID = ci.CI_ID and cir.RelationType = 11
join vSMS_ConfigurationItems intent_ci on intent_ci.CI_ID = cir.FromCI_ID
join policy p on p.PolicyID = intent_ci.ModelName+'/VI' and ((p.PolicyFlags & 0x800) > 0 or (p.PolicyFlags & 0x1000) > 0)
where ci.CIType_ID = 10 and ci.IsLatest = 1 and ci.IsTombstoned = 0

For each CI_ID that this query returns, create a 0-KB file named <ci_id>.cit. For example, 16777225.cit. Move
the file to the policypv.box directory on the primary site server. For example,
\\cmpri01.contoso.com\SMS_PR1\inboxes\policypv.box.
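The query-and-file steps above, automated as an added PowerShell script (not part of the original article or the product). It assumes Windows authentication to the primary site database, and the SQL server name, database name and inbox path are placeholders to replace with your own.

```powershell
# Added example (not from the original article): automates the .cit workaround
# for the version 2107 task sequence and application policy issue.
# Assumptions: this runs as an account with read access to the site database and
# write access to the policypv.box inbox; the three values below are placeholders.
$SqlServer = 'SQL01.contoso.com'                                     # placeholder
$Database  = 'CM_PR1'                                                # placeholder
$InboxPath = '\\cmpri01.contoso.com\SMS_PR1\inboxes\policypv.box'    # example path from the article

# The query from the article, unchanged: application CIs referenced by a media/PXE
# task sequence whose intent policy still carries flag 0x800 or 0x1000.
$Query = @"
select distinct ci.CI_ID from vSMS_ConfigurationItems ci
join CI_ConfigurationItemRelations_Flat cir on cir.ToCI_ID = ci.CI_ID and cir.RelationType = 11
join vSMS_ConfigurationItems intent_ci on intent_ci.CI_ID = cir.FromCI_ID
join policy p on p.PolicyID = intent_ci.ModelName+'/VI' and ((p.PolicyFlags & 0x800) > 0 or (p.PolicyFlags & 0x1000) > 0)
where ci.CIType_ID = 10 and ci.IsLatest = 1 and ci.IsTombstoned = 0
"@

# Run the query through ADO.NET so no extra PowerShell module is required.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=True")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $Query
$conn.Open()
$ciIds = New-Object System.Collections.Generic.List[int]
try {
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) { $ciIds.Add([int]$reader['CI_ID']) }
} finally {
    $conn.Close()
}

if ($ciIds.Count -eq 0) {
    Write-Host 'Query returned no rows; no application policies need a refresh.'
    return
}

# Stage each zero-byte <ci_id>.cit file locally and then move it into policypv.box,
# so the policy provider never sees a file that is still being created.
$staging = Join-Path $env:TEMP ('cit-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $staging | Out-Null
foreach ($ciId in $ciIds) {
    $file = New-Item -ItemType File -Path (Join-Path $staging "$ciId.cit") -Force
    Move-Item -Path $file.FullName -Destination $InboxPath
    Write-Host "Queued policy refresh for CI_ID $ciId"
}
Remove-Item -Path $staging -Recurse -Force
Write-Host ("Moved {0} .cit file(s) to {1}" -f $ciIds.Count, $InboxPath)
```

Run it only after the version 2107 early update ring update is installed, as the article states; the files are consumed by the site's policy provider, so check policypv.box afterwards to confirm they were picked up.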

Software updates
Security roles are missing for phased deployments
The OS Deployment Manager built-in security role has permissions to phased deployments. The following
roles are missing these permissions:
Application Administrator
Application Deployment Manager
Software Update Manager
The App Author role may appear to have some permissions to phased deployments, but can't create
deployments.
A user with one these roles can start the Create Phased Deployment wizard, and can see phased deployments
for an application or software update. They can't complete the wizard, or make any changes to an existing
deployment.
To work around this issue, create a custom security role. Copy an existing security role, and add the following
permissions on the Phased Deployment object class:
Create
Delete
Modify
Read
For more information, see Create custom security roles

Configuration Manager console


Unable to open console because extension installation loops
Applies to: version 2111
In certain circumstances, you'll be unable to open the console due to an extension installation loop. This issue
occurs when two or more versions of a single extension were marked as required for installation. This issue
occurs for extensions imported through the wizard, from a PowerShell script, or through Community hub. If you
use the Make optional setting before importing a new version of the extension, this issue doesn't occur.
When you encounter this issue, it initially appears as a normal console extension installation. After the extension
finishes installing, you select Close to restart the Configuration Manager console. When the console restarts,
you're prompted to install the console extension again. The extension installation will continue to loop and the
Configuration Manager console doesn't fully open.
To both prevent and work around this issue, run the SQL script below on your CAS database and all of your
primary site databases:

ALTER VIEW vSMS_ConsoleExtensionMetadata
AS
WITH m AS(
SELECT *,
RN = ROW_NUMBER()OVER(PARTITION BY ID ORDER BY Version DESC)
FROM ConsoleExtensionMetadata
)
SELECT
m.ID,
m.Name,
m.Description,
m.Author,
m.Version,
m.IsEnabled,
m.IsApproved,
m.CreatedTime,
m.CreatedBy,
m.UpdateTime,
m.IsTombstoned,
m.IsRequired,
m.IsSigned,
m.IsUnsignedAllowed,
CASE m.IsRequired
WHEN 0 THEN ''
ELSE
(
SELECT top(1) author FROM ConsoleExtensionRevisionHistory h
WHERE m.ID=h.ExtensionId AND m.Version=h.Version AND h.Changes & 1=1
ORDER BY h.RevisionTime DESC
)
END AS RequiredBy,
m.IsSetupDefined
FROM m
WHERE RN = 1
GO
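An added PowerShell check (not from the original article or the product) that looks for the trigger condition described above, an extension ID with more than one version marked as required, in each site database. It assumes Windows authentication to the databases, and the server and database names are placeholders; the column names are the ones the view definition above selects from ConsoleExtensionMetadata.

```powershell
# Added example (not from the original article): reports console extensions that
# have more than one version marked as required, the condition behind the
# installation loop. Assumptions: Windows authentication to each site database;
# the server and database names below are placeholders.
$SiteDatabases = @(
    @{ Server = 'SQL01.contoso.com'; Database = 'CM_CAS' }   # placeholder: CAS
    @{ Server = 'SQL02.contoso.com'; Database = 'CM_PR1' }   # placeholder: primary site
)

# Reads the base table, not the view, so it shows every required row even after
# the view fix hides the older versions.
$Query = @"
SELECT ID, Name, Version
FROM ConsoleExtensionMetadata
WHERE IsRequired = 1 AND IsTombstoned = 0
"@

function Get-RequiredExtensionVersions {
    param([string]$Server, [string]$Database)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=$Database;Integrated Security=True")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                ID      = [string]$reader['ID']
                Name    = [string]$reader['Name']
                Version = [string]$reader['Version']
            }
        }
    } finally {
        $conn.Close()
    }
}

$problems = 0
foreach ($db in $SiteDatabases) {
    $rows = Get-RequiredExtensionVersions -Server $db.Server -Database $db.Database
    # One extension ID with several required versions is exactly the loop trigger.
    $dupes = $rows | Group-Object -Property ID | Where-Object { $_.Count -gt 1 }
    foreach ($g in $dupes) {
        $problems++
        $versions = ($g.Group.Version | Sort-Object -Unique) -join ', '
        Write-Warning ("{0}: extension '{1}' ({2}) has {3} required versions: {4}" -f
            $db.Database, $g.Group[0].Name, $g.Name, $g.Count, $versions)
    }
}
if ($problems -eq 0) {
    Write-Host 'No extension has more than one required version; the loop condition is absent.'
} else {
    Write-Host "Found $problems affected extension(s); apply the vSMS_ConsoleExtensionMetadata view change before reopening the console."
}
```

Because the check reads the base table, it still lists the duplicates after the ALTER VIEW is applied, which makes it useful for deciding which extensions to set to Make optional before importing further versions.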

Supported platform conditions don't update for some objects
Applies to version 2107
You can select supported platforms on many objects such as applications, task sequences, and configuration
items. Starting in version 2107, these lists are updated to include categories for Windows 11. After you update
the primary site to version 2107, there are different behaviors depending upon the type of object:
Within 24 hours of updating the site, the supported platforms for the following objects will automatically
update:
Packages and programs
Task sequences
Compliance settings, for example, endpoint protection
In that initial 24-hour period, existing policies with Windows 10 conditions also apply to Windows 11.
After the site updates the objects, they only apply to Windows 10. You can select Windows 11 as a
supported platform at any time.
You need to manually review and update the supported platforms for the following objects:
Applications
Configuration items
Objects referenced in a task sequence
For these objects, existing policies with Windows 10 conditions also apply to Windows 11. You need to
manually revise the supported platform list.
Configuration Manager console settings aren't saved
Applies to version 2107
When you install the 2107 version of the Configuration Manager console, settings such as column changes,
window size, and searches aren't saved. When you first open the upgraded console, it will appear as if it was
never previously installed on the device. Any console settings made after installing the 2107 version of the
Configuration Manager console will persist when you reopen it.
Console extensions
Applies to version 2103
Starting in version 2103, a new hierarchy setting restricts the console to the new style of console extensions. When the setting is enabled, the console can't load any old style extensions that haven't been approved through the Console Extensions node.
The setting, Only allow console extensions that are approved for the hierarchy , is enabled by default if you installed from the 2103 baseline build. If you updated the site from version 2010 or earlier, it's disabled by default, so old style extensions keep loading until you enable it.
If the setting was enabled in error, disabling the setting allows the old style extensions to be used again.

CMPivot
Favorite queries lose line breaks or are truncated
Applies to: version 2107 early update ring
After you update the site to version 2107, there are two issues with CMPivot queries that you saved as a
favorite:
When you edit the query, you may see unexpected characters like \r or \t .
The query after the last comma ( , ) is removed.

This issue is fixed in the build of version 2107 that's now generally available for all customers. If you previously
opted in to the early update ring, install the Update for Microsoft Endpoint Configuration Manager version 2107,
early update ring.
State messages in Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


State messages contain concise information about conditions on the Configuration Manager client. The state
messaging system is used by specific components of Configuration Manager, such as software updates and
configuration settings.
Configuration Manager clients send state messages to the fallback status point or the management point to
report the current state of operations. You can create reports to view state messages sent by clients.
Each Configuration Manager feature that uses state messages is identified by the topic type of the state
message. Use the topic types listed in this article to identify which Configuration Manager feature a given
state message relates to.

NOTE
A state message ID value of zero ( 0 ) typically indicates that the topic type is in an unknown state.
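
The tables in this article are the lookup keys a report or a detection rule needs. The following Python is an added example, not code from the Configuration Manager documentation, showing how a practitioner might triage exported state messages for the integrity-related failures listed here (unsigned or hash-mismatched ccmsetup prerequisites, client and site signing certificate failures, health attestation not supported). The export layout (device;topic type;state ID;time), the severities and the sample rows are assumptions constructed for illustration; the topic types and state IDs themselves come from the tables in this article.

```python
"""Triage of exported Configuration Manager state messages for integrity-related failures.

Added example; not code from the Configuration Manager documentation. It assumes
state messages have already been exported from the site (for instance from a
report) into rows of device;topic_type;state_id;ISO-8601 time. The rule table
uses only topic types and state IDs listed in this article; the row layout,
severities and sample data are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# (topic type, state ID) -> (severity, why it matters). IDs taken from this article's tables.
INTEGRITY_RULES = {
    (800, 311): ("high", "ccmsetup can't verify that a prerequisite file is Microsoft-signed"),
    (800, 316): ("high", "prerequisite file isn't Microsoft-signed"),
    (800, 325): ("high", "prerequisite hash mismatch"),
    (800, 315): ("medium", "client failed to obtain a client certificate"),
    (800, 605): ("medium", "client failed to download the site signing certificate"),
    (1001, 2): ("medium", "client failed to retrieve its certificate from the local store"),
    (8001, 2): ("low", "device reports that health attestation isn't supported"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class StateMessage:
    device: str
    topic_type: int
    state_id: int
    time: datetime


@dataclass(frozen=True)
class Finding:
    device: str
    topic_type: int
    state_id: int
    severity: str
    reason: str
    time: datetime


def parse_record(line: str) -> StateMessage:
    """Parse one exported row in the assumed layout: device;topic_type;state_id;time."""
    device, topic, state, when = (part.strip() for part in line.split(";"))
    return StateMessage(device, int(topic), int(state), datetime.fromisoformat(when))


def latest_per_topic(messages):
    """Keep only the newest message per (device, topic type), so a later success
    (for example 800/400, client deployment succeeded) clears an earlier failure."""
    newest = {}
    for msg in messages:
        key = (msg.device, msg.topic_type)
        if key not in newest or msg.time > newest[key].time:
            newest[key] = msg
    return list(newest.values())


def triage(messages):
    """Return findings for the current state of each device/topic, highest severity first."""
    findings = []
    for msg in latest_per_topic(messages):
        if msg.state_id == 0:
            continue  # state ID 0 means the topic is in an unknown state; nothing to conclude
        rule = INTEGRITY_RULES.get((msg.topic_type, msg.state_id))
        if rule:
            severity, reason = rule
            findings.append(Finding(msg.device, msg.topic_type, msg.state_id, severity, reason, msg.time))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.device))


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample export (assumed layout), not real site data.
SAMPLE_EXPORT = """\
PC-001;800;311;2022-02-10T08:00:00
PC-001;800;400;2022-02-10T09:00:00
PC-002;800;316;2022-02-10T08:05:00
PC-003;800;605;2022-02-11T10:00:00
PC-003;1001;2;2022-02-11T10:01:00
PC-004;8001;2;2022-02-11T11:00:00
PC-005;1001;0;2022-02-11T11:30:00
"""


def triage_export(text: str):
    return triage(parse_record(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    results = triage_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.severity:6} {f.device} topic={f.topic_type} state={f.state_id}: {f.reason}")
    print(summarize(results))
```

PC-001 reports a signing failure (800/311) that is superseded by a later successful deployment (800/400) in the same topic, so it produces no finding; PC-005's state ID 0 is skipped as unknown. The remaining devices surface in severity order, with the unsigned prerequisite on PC-002 first.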

Software updates
300 STATE_TOPICTYPE_SUM_ASSIGNMENT_COMPLIANCE
State message ID    State message description

1 Compliant

2 Non-compliant

301 STATE_TOPICTYPE_SUM_ASSIGNMENT_ENFORCEMENT
State message ID    State message description

1 Installing updates

2 Waiting for restart

3 Waiting for another installation to complete

4 Successfully installed updates

5 Pending system restart

6 Failed to install the updates

7 Downloading the updates

8 Downloaded updates

9 Failed to download updates

10 Waiting for the maintenance window before installing

11 Waiting for orchestration

12 Waiting for superseding update

302 STATE_TOPICTYPE_SUM_ASSIGNMENT_EVALUATION
State message ID    State message description

1 Evaluation activated

2 Evaluation succeeded

3 Evaluation failed

400 STATE_TOPICTYPE_SUM_CI_DETECTION
State message ID    State message description

1 Not required

2 Not detected

3 Detected

401 STATE_TOPICTYPE_SUM_CI_COMPLIANCE
State message ID    State message description

1 Compliant

2 Non-compliant

3 Conflict detected

4 Error

5 Unknown

6 Partial compliance

7 Compliance not configured

402 STATE_TOPICTYPE_SUM_CI_ENFORCEMENT
State message ID    State message description

1 Enforcement started

2 Enforcement waiting for content

3 Waiting for another installation to complete

4 Waiting for the maintenance window before installing

5 Restart required before installing

6 General failure

7 Pending installation

8 Installing update

9 Pending system restart

10 Successfully installed update

11 Failed to install the update

12 Downloading update

13 Downloaded update

14 Failed to download the update

500 STATE_TOPICTYPE_SUM_UPDATE_DETECTION
State message ID    State message description

1 Update isn't required

2 Update is required

3 Update is installed

501 STATE_TOPICTYPE_SUM_UPDATE_SOURCE_SCAN
State message ID    State message description

1 Scan is waiting for content

2 Scan is running

3 Scan complete

4 Scan is pending retry

5 Scan failed

6 Scan completed with errors


Client deployment
The following topic types have no state IDs:

Topic type    Description

700 STATE_TOPICTYPE_RESYNC_STATE_MSG

701 STATE_TOPICTYPE_SYSTEM_HEARTBEAT

702 STATE_TOPICTYPE_CKD_UPDATE

801 STATE_TOPICTYPE_DEVICE_CLIENT_DEPLOYMENT

800 STATE_TOPICTYPE_CLIENT_DEPLOYMENT
State message ID    State message description

100 Client deployment started

101 Waiting for download

102 Deployment Scheduled

103 Waiting for the window before deploying

104 Deployment skipped

301 Unknown client deployment failure

302 Failed to create the ccmsetup service

303 Failed to delete the ccmsetup service

304 Can't install over embedded OS with File-Based Write Filter (FBWF) enabled on the system drive

305 Native security mode isn't valid on Windows 2000

306 Failed to start ccmsetup download process

307 Non-valid ccmsetup command line

308 Failed to download the file over WINHTTP at address

309 Failed to download the files through BITS at address

310 Failed to install BITS version

311 Can't verify that prerequisite file is MS signed

312 Failed to copy the file because the disk is full



313 Client.msi installation failed with MSI error

314 Failed to load ccmsetup.xml manifest file

315 Failed to obtain a client certificate

316 Prerequisite file isn't MS signed

317 Reboot required to continue the installation

318 Can't install the client on the MP because the MP and client versions do not match

319 Operating system or service pack not supported

320 Deployment not supported

321 Bits Missing

322 Source folder is unavailable

323 App-V not supported

324 Incorrect Site Version

325 Prerequisite hash mismatch

326 MDM Deregistration Failed

327 MDM Registration Detected

328 Intune Detected

329 Metered Network Disallowed

400 Client deployment succeeded

401 Deployment Succeeded Reboot Required

402 Deployment Succeeded Reboot Succeeded

500 Client assignment started

601 Unknown client assignment failure

602 The following site code is invalid

603 Failed to assign to MP

604 Failed to discover default management point



605 Failed to download site signing certificate

606 Failed to auto discover site code

607 Site assignment failed; client version higher than site version

608 Failed to get Site Version from Active Directory Domain Services and SLP

609 Failed to get client version

700 Client assignment succeeded

810 STATE_TOPICTYPE_CLIENT_COMANAGEMENT
State message ID    State message description

100 Enrollment status

101 Enrollment scheduled

102 Enrollment canceled

105 Enrollment started

106 Enrollment succeeded but isn't provisioned

107 Enrollment succeeded and is provisioned

108 Enrollment no active user

110 Enrollment failed

820 STATE_TOPICTYPE_CLIENT_WUFB
State message ID    State message description

1 Windows Update for Business client status

Content
The following topic types have no state IDs:

Topic type    Description

901 STATE_TOPICTYPE_REMOTE_DP_MONITORING

902 STATE_TOPICTYPE_PULL_DP_MONITORING

903 STATE_TOPICTYPE_DP_USAGE

900 STATE_TOPICTYPE_BRANCH_DP
State message ID    State message description

1 Disk Space

Client operations
1000 STATE_TOPICTYPE_CLIENT_FRAMEWORK_COMM
State message ID    State message description

1 Client is successfully communicating with the management point

2 Client failed to communicate with the management point

1001 STATE_TOPICTYPE_CLIENT_FRAMEWORK_LOCAL
State message ID    State message description

1 Client successfully retrieved the certificate from the local certificate store

2 Client failed to retrieve the certificate from the local certificate store

1100 STATE_TOPICTYPE_CLIENT_FRAMEWORK_MODEREADINESS
State message ID    State message description

1 Client not ready for native mode

2 Client ready for native mode

1300 STATE_TOPICTYPE_CLIENT_HEALTH
State message ID    State message description

1 Success

2 Not successful

Legacy device client


The following topic types have no state IDs:

Topic type    Description

1002 STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_COMM

1003 STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_LOCAL

1004 STATE_TOPICTYPE_DEVICE_CLIENT_FRAMEWORK_CERTIFICATE

1005 STATE_TOPICTYPE_DEVICE_CLIENT_WIPE

1006 STATE_TOPICTYPE_DEVICE_CLIENT_RETIRE

1007 STATE_TOPICTYPE_DEVICE_CLIENT_WIPE_INTUNE

1008 STATE_TOPICTYPE_DEVICE_CLIENT_RETIRE_INTUNE

1009 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICELOCK

1010 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICELOCK_INTUNE

1011 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET

1012 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET_INTUNE

1013 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEPINRESET_ONPREM

1014 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEALBYPASS

1015 STATE_TOPICTYPE_DEVICE_CLIENT_DEVICEALBYPASS_INTUNE

Miscellaneous
The following topic types have no state IDs:

Topic type    Description

1401 STATE_TOPICTYPE_STATE_REPORT

1500 STATE_TOPICTYPE_CAL_TRACK_UT

1502 STATE_TOPICTYPE_CAL_TRACK_MT

1503 STATE_TOPICTYPE_CAL_TRACK_ML

1600 STATE_TOPICTYPE_USER_AFFINITY
State message ID    State message description

1 User affinity set

2 User affinity removed

1660 STATE_TOPICTYPE_SENSOR_STATUS
State message ID    State message description

1 Sensor off

2 Sensor on

Applications
The following topic types have no state IDs:

Topic type    Description

1700 STATE_TOPICTYPE_APP_CI_SCAN

1701 STATE_TOPICTYPE_APP_CI_COMPLIANCE

1703 STATE_TOPICTYPE_APP_CI_ASSIGNMENT_EVALUATION

1704 STATE_TOPICTYPE_APP_CI_LAUNCH

1702 STATE_TOPICTYPE_APP_CI_ENFORCEMENT
State message ID    State message description

1000 Configuration item succeeded

1001 Configuration item succeeded already installed

1002 Configuration item succeeded preflight

1003 Configuration item fast status succeeded

2000 Configuration item in progress

2001 Configuration item in progress waiting for content

2002 Configuration item in progress installing

2003 Configuration item in progress waiting reboot

2004 Configuration item in progress waiting for maintenance window

2005 Configuration item in progress waiting schedule

2006 Configuration item in progress downloading dependent content

2007 Configuration item in progress installing dependencies

2008 Configuration item in progress pending reboot



2009 Configuration item in progress content downloaded

2010 Configuration item in progress pending update

2011 Configuration item in progress waiting user reconnect

2012 Configuration item in progress waiting for user sign-out

2013 Configuration item in progress waiting for user sign-in

2014 Configuration item in progress waiting for install

2015 Configuration item in progress waiting for retry

2016 Configuration item in progress waiting for presentation mode

2017 Configuration item in progress waiting for orchestration

2018 Configuration item in progress waiting for network

2019 Configuration item in progress pending update VE

2020 Configuration item in progress updating VE

3000 Configuration item requirements not met

3001 Configuration item requirements not met host not applicable

4000 Configuration item unknown

5000 Configuration item error

5001 Configuration item error evaluating

5002 Configuration item error installing

5003 Configuration item error retrieving content

5004 Configuration item error installing dependency

5005 Configuration item error retrieving content dependency

5006 Configuration item error rules conflict

5007 Configuration item error waiting for retry

5008 Configuration item error uninstalling supersedence



5009 Configuration item error downloading superseded

5010 Configuration item error updating VE

5011 Configuration item error installing license

5012 Configuration item error retrieving allow all trusted apps

5013 Configuration item error no licenses available

5014 Configuration item error OS not supported

6000 Configuration item launch succeeded

6010 Configuration item launch error

6020 Configuration item launch unknown

Events
The following topic types have no state IDs:

Topic type    Description

1800 STATE_TOPICTYPE_EVENT_INTRINSIC

1801 STATE_TOPICTYPE_EVENT_EXTRINSIC

Endpoint protection
The following topic types have no state IDs:

Topic type    Description

1900 STATE_TOPICTYPE_EP_AM_INFECTION

1901 State_Topictype_Ep_Am_Health

1902 STATE_TOPICTYPE_EP_MALWARE

1950 STATE_TOPICTYPE_ATP_HEALTH_STATUS

2001 STATE_TOPICTYPE_EP_CLIENT_DEPLOYMENT
State message ID    State message description

1 Endpoint Protection unmanaged

2 Endpoint Protection waiting for install



3 Endpoint Protection managed

4 Endpoint Protection installation failed

5 Endpoint Protection reboot pending

6 Endpoint Protection not supported

7 Endpoint Protection co-managed

2002 STATE_TOPICTYPE_EP_CLIENT_POLICYAPPLICATION
State message ID    State message description

1 Endpoint Protection policy application succeeded

2 Endpoint Protection policy application failed

2003 STATE_TOPICTYPE_CLIENT_ACTION
State message ID    State message description

1 Not applicable

2 Failed

3 Succeeded

Wake-up proxy
2100 STATE_TOPICTYPE_WP_CLIENT_DEPLOYMENT
State message ID    State message description

1 Wake-up proxy isn't installed

2 Wake-up proxy is waiting for installation

3 Wake-up proxy is installed

4 Wake-up proxy installation failed

5 Wake-up proxy is waiting for reboot

6 Wake-up proxy isn't supported on this OS

7 Wake-up proxy server opt-out

8 Wake-up proxy uninstall failed



9 Wake-up proxy runtime not supported

Mobile device management


The following topic types have no state IDs:

Topic type    Description

2200 STATE_TOPICTYPE_FDM

2201 STATE_TOPICTYPE_CCM_CERT_BINDING

2202 STATE_TOPICTYPE_SERVER_STATISTIC

4000 STATE_TOPICTYPE_MDM_DEVICE_PROPERTY

4002 STATE_TOPICTYPE_MDM_CLIENT_IDENITITY

4003 STATE_TOPICTYPE_MDM_APPLICATION_REQUEST

4004 STATE_TOPICTYPE_MDM_APPLICATION_STATE

4005 STATE_TOPICTYPE_MDM_LICENSE_DEVICE_RELATION

4006 STATE_TOPICTYPE_MDM_LICENSE_KEYS

4007 STATE_TOPICTYPE_MDM_POLICY_ASSIGNMENT

4008 STATE_TOPICTYPE_MDM_ANDROID_COUNT

4009 STATE_TOPICTYPE_MDM_SLK_STATUS

4010 STATE_TOPICTYPE_MDM_USER_COMPANY_TERM_ACCEPTANCE

4022 STATE_TOPICTYPE_MDM_DEP_SYNCNOW_STATUS

4023 STATE_TOPICTYPE_MDM_MAM_STORE_APP_SYNC

3000 STATE_TOPICTYPE_DM_WNS_CHANNEL
State message ID    State message description

0 Windows Push Notification service channel set

Resource access
5000 STATE_TOPICTYPE_CERTIFICATE_ENROLLMENT
State message ID    State message description

1 Challenge issued

2 Challenge issue failed

3 Request creation failed

4 Request submit failed

5 Challenge validation succeeded

6 Challenge validation failed

7 Issue failed

8 Issue pending

9 Issued

10 Response processing failed

11 Response pending

12 Enrollment succeeded

13 Enrollment not needed

14 Revoked

15 Removed from collection

16 Renew verified

17 Install failed

18 Installed

19 Delete failed

20 Deleted

21 Renewal requested

5001 STATE_TOPICTYPE_CERTIFICATE_CRP
State message ID    State message description

1 Challenge issued

2 Challenge issue failed



3 Request creation failed

4 Request submit failed

5 Challenge validation succeeded

6 Challenge validation failed

7 Issue failed

8 Issue pending

9 Issued

10 Response processing failed

11 Response pending

12 Enrollment succeeded

13 Enrollment not needed

14 Revoked

15 Removed from collection

16 Renew verified

17 Install failed

18 Installed

19 Delete failed

20 Deleted

21 Renewal requested

5200 STATE_TOPICTYPE_RESOURCE_ACCESS_STATUS
State message ID    State message description

1 Status pin set up succeeded

2 Status pin set up failed

3 Status pin set up not supported

4 Status pin set up in progress


Remote applications
The following topic types have no state IDs:

Topic type    Description

6000 STATE_TOPICTYPE_REMOTEAPP_SUBSCRIPTION_STATUS

6001 STATE_TOPICTYPE_REMOTEAPP_SUBSCRIPTION_SYNC_STATUS

6002 STATE_TOPICTYPE_REMOTEAPP_AUTHCOOKIES_SYNC_STATUS

6003 STATE_TOPICTYPE_REMOTEAPPLICATIONS_SYNC_STATUS

6004 STATE_TOPICTYPE_REMOTEAPP_LOCK_RESULT

Compliance settings
The following topic types have no state IDs:

Topic type    Description

7000 STATE_TOPICTYPE_USER_COMPANY_TERM_ACCEPTANCE

7001 STATE_TOPICTYPE_PFX_CERTIFICATE
State message ID    State message description

1 Challenge issued

2 Challenge issue failed

3 Request creation failed

4 Request submit failed

5 Challenge validation succeeded

6 Challenge validation failed

7 Issue failed

8 Issue pending

9 Issued

10 Response processing failed

11 Response pending

12 Enrollment succeeded

13 Enrollment not needed

14 Revoked

15 Removed from collection

16 Renew verified

17 Install failed

18 Installed

19 Delete failed

20 Deleted

21 Renewal requested

7010 STATE_TOPICTYPE_CONDITIONAL_ACCESS_COMPLIANCE
State message ID    State message description

1 Compliance success

2 Compliance fail at MP

3 Compliance fail at the client

4 Compliance fail at Intune

5 Compliance fail at Azure AD

6 Compliance comgmt Intune

Peer caching
7200 STATE_TOPICTYPE_SUPER_PEER_UPDATE_CACHE_MAP
State message ID    State message description

1 Peer Cache Source added

2 Peer Cache Source removed

7201 STATE_TOPICTYPE_SUPER_PEER_UPDATE_CONFIG
State message ID    State message description

1 Peer Cache Source deactivated



2 Peer Cache Source is active

7202 STATE_TOPICTYPE_DOWNLOAD_AGGREGATE_DATA
State message ID    State message description

1 Download aggregate data upload

7203 STATE_TOPICTYPE_PEERSOURCE_REQ_REJECTION_STATS
State message ID    State message description

1 Peer source rejection data upload

Proxy
The following topic types have no state IDs:

Topic type    Description

7300 STATE_TOPICTYPE_PROXY_TRAFFIC

7301 STATE_TOPICTYPE_PROXY_CONNECTION

7302 STATE_TOPICTYPE_SRS_USAGE_DATA

7303 STATE_TOPICTYPE_PROXY_TRAFFIC_IDENTITY

Health attestation
8001 STATE_TOPICTYPE_HAS_REPORT
State message ID    State message description

1 Health attestation is supported

2 Health attestation isn't supported

Client actions
The following topic types have no state IDs:

Topic type    Description

8002 STATE_TOPICTYPE_DEVICE_CLIENT_EDPLOG

8003 STATE_TOPICTYPE_ENABLE_LOSTMODE

8004 STATE_TOPICTYPE_DISABLE_LOSTMODE

8005 STATE_TOPICTYPE_LOCATE_DEVICE

8006 STATE_TOPICTYPE_REBOOT_DEVICE

8007 STATE_TOPICTYPE_LOGOUTUSER

8008 STATE_TOPICTYPE_USERSLIST

8009 STATE_TOPICTYPE_DELETEUSER

8010 STATE_TOPICTYPE_CLEANPCRETAININGUSERDATA

8011 STATE_TOPICTYPE_CLEANPCWITHOUTRETAININGUSERDATA

8012 STATE_TOPICTYPE_SETDEVICENAME

9000 STATE_TOPICTYPE_BOOK_CI_COMPLIANCE

9001 STATE_TOPICTYPE_BOOK_CI_ENFORCEMENT

Next steps
Description of state messaging in Configuration Manager
Unicode and ASCII support in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager creates most objects by using Unicode characters. However, several objects only support
ASCII characters, or they have other limitations.

Objects that use ASCII characters


When you create the following objects, Configuration Manager only supports the ASCII character set:
Site code
All site system server computer names
The following Configuration Manager accounts:

NOTE
These accounts support ASCII characters, and RUS characters on a site that runs in Russian.

Client push installation account


Management point database connect account
Network access account
Package access account
Standard sender account
Site system installation account
Software update point connection account
Software update point proxy server account

NOTE
The accounts that you specify for role-based administration support Unicode.
The reporting services point account supports Unicode, with the exception of RUS characters.

Fully qualified domain name (FQDN) for site servers and site systems
Installation path for Configuration Manager
SQL Server instance name
The path for the following site system roles:
Enrollment point
Enrollment proxy point
Reporting services point
State migration point
The path for the following folders:
The folder that stores client state migration data
The folder that contains the Configuration Manager reports
The folder that stores the Configuration Manager backup
The folder that stores the installation source files for site setup
The folder that stores the prerequisite downloads for use by setup
The path for the following objects:
IIS website
Virtual application installation path
Virtual application name
Boot media ISO file names
Custom property names

Other limitations
The following limitations are for supported character sets and language versions:
Configuration Manager doesn't support changing the locale of the site server computer.
An enterprise certificate authority (CA) doesn't support client computer names that use double-byte
character sets (DBCS). The client computer names that you can use are restricted by the PKI limitation of
the IA5 character set. Configuration Manager doesn't support CA names or subject name values that use
DBCS.

Objects that aren't localized


The Configuration Manager database supports Unicode for most objects that it stores. When possible, it displays
this information in the OS language that matches the locale of a computer. For the client interface or
Configuration Manager console to display information in the computer's OS language, the computer's locale
must match a client or server language that you install at a site.
Several Configuration Manager objects don't support Unicode. They're stored in the database by using ASCII, or
they have other language limitations. This information is always displayed by using the ASCII character set, or in
the language that was in use when you created the object.

Next steps
Language packs in Configuration Manager
Management insights in Configuration Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Management insights in Configuration Manager provide information about the current state of your
environment. The information is based on analysis of data from the site database. Insights help you to better
understand your environment and take action based on the insight.

Review management insights


To view the insights, your account needs the Read permission on the Site object.
1. In the Configuration Manager console, go to the Administration workspace, expand Management
Insights , and select All Insights .

NOTE
When you select the Management Insights node, it shows the Management insights dashboard.

2. Open the management insights group name you want to review.


3. In the ribbon, select Show Insights .
The following four tabs are available for review:
All Rules : Gives the complete list of insights for the chosen group.
Complete : Lists insights where no action is needed.
In Progress : Shows insights where some, but not all, prerequisites are complete.
Action Needed : This tab lists insights that need you to take action. Select More Details to show specific
items where action is needed.
The Prerequisites pane lists any required items needed to run the selected insight.
For example, the following screenshot shows an example of the All Rules tab for the Cloud Services group:
To see the details, select an insight, and then select More Details .

Operations
The site reevaluates the applicability of the management insights on a weekly schedule. To manually reevaluate
an insight, right-click the insight, and select Re-evaluate .
The log file for management insights is SMS_DataEngine.log on the site server.
Some insights let you take action. Select an insight, select More Details , and then if available select Take
action . Depending upon the insight, this action has one of the following behaviors:
Automatically navigate in the console to the node where you can take further action. For example, if the
management insight recommends changing a client setting, taking action navigates to the Client
Settings node. Then take further action by modifying the default or a custom client settings object.
Navigate to a filtered view based on a query. For example, taking action on the empty collections insight
shows just these collections in the list of collections. Then take further action, such as deleting a collection
or modifying its membership rules.

Management insights dashboard


Select the Management Insights node to display a graphical dashboard. This dashboard displays an overview
of the insight states, which makes it easier for you to show your progress.
Use the following filters at the top of the dashboard to refine the view:
Show Completed
Optional
Recommended
Critical
The dashboard includes the following tiles:
Management insights index : Tracks overall progress on management insights. The index is a weighted
average. Critical insights are worth the most. This index gives the least weight to optional insights.
Management insights groups : Shows percent of insights in each group, honoring the filters. Select a
group to drill down to the specific insights in this group.
Management insights priority : Shows percent of insights by priority, honoring the filters.
Top 10 applicable insight rules : A table of insights including priority and state. Use the Filter field at
the top of the table to match strings in any of the available columns. The dashboard sorts the table in the
following order:
Status: Action Needed, Completed, Unknown
Priority: Critical, Recommended, Optional
Last Changed: older dates on top

Groups and insights


Insights are organized into the following management insight groups:
Applications
Cloud services
Collections
Configuration Manager Assessment
Optimize for remote workers
Proactive maintenance
Security
Simplified management
Software Center
Software updates
Windows 10
NOTE
Your site may not show all of the following groups and insights. Some insights don't appear when you've already
configured the site for the recommendation.

Applications
Insights for your application management.
Applications without deployments or references : Lists the applications in your environment that don't
have active deployments or references. References include dependencies, task sequences, and virtual
environments. This insight helps you find and delete unused applications to simplify the list of applications
displayed in the console. For more information, see Deploy applications.
Cloud services
Helps you integrate with many cloud services, which enable modern management of your devices.
Assess co-management readiness : Helps you understand what steps are needed to enable co-
management. This insight has prerequisites. For more information, see Co-management overview.
Devices not uploaded to Azure AD : This insight lists devices that the site hasn't uploaded to Azure
Active Directory (Azure AD) because you haven't configured it for HTTPS. Configure Enhanced HTTP, or
enable at least one management point for HTTPS. If you already configured the site for HTTPS
communication, this insight doesn't appear.
Enable cloud management gateway : The cloud management gateway (CMG) provides a simple way
to manage Configuration Manager clients over the internet. By deploying the CMG as a cloud service in
Microsoft Azure, you can continue to manage and serve content to clients that roam onto the internet.
With CMG, you don't need any additional on-premises infrastructure exposed to the internet. For more
information, see Overview of CMG.
Enable devices to be hybrid Azure Active Directory joined : Azure AD-joined devices allow users to
sign in with their domain credentials, and make sure devices meet the organization's security and
compliance standards. For more information, see Azure AD hybrid identity design considerations.
Sites that don't have proper HTTPS configuration : This insight lists sites in your hierarchy that
aren't properly configured for HTTPS. This configuration prevents the site from synchronizing collection
membership results to Azure AD groups. It may cause Azure AD sync to not upload all devices.
Management of these clients may not function properly. Configure Enhanced HTTP, or enable at least one
management point for HTTPS. If you already configured the site for HTTPS communication, this insight
doesn't appear.
Update clients to the latest Windows 10 version : Windows 10, version 1709 or above improves
and modernizes the computing experience of your users. For more information, see Stay current with
Windows as a service.
Collections
Insights that help simplify management by cleaning up and reconfiguring collections.
Empty Collections : Lists collections in your environment that have no members. For more information, see
How to manage collections.
Collections with no query rules and no direct members : To simplify the list of collections in your
hierarchy, delete these collections.
Collections with the same re-evaluation start time : These collections have the same re-evaluation
time as other collections. Modify the re-evaluation time so they don't conflict.
Collections with query time over 5 minutes : Review the query rules for this collection. Consider
modifying or deleting the collection.
The following insights include configurations that potentially cause unnecessary load on the site. Review
these collections, then either delete them, or disable collection rule evaluation:
Collections with no query rules and incremental updates enabled
Collections with no query rules and enabled for any schedule
Collections with no query rules and schedule full evaluation selected

NOTE
For more information on managing collections and collection evaluation, see the following articles:
Best practices for collections
Collection evaluation
How to view collection evaluation

Configuration Manager Assessment


This group is courtesy of Microsoft Premier Field Engineering. These insights are a sample of the many more
checks that Microsoft Premier provides in the Services Hub.
Active Directory Security Group Discovery is configured to run too frequently : You typically
don't need to configure Active Directory Security Group Discovery to occur more frequently than every
three hours. A more frequent configuration can have a negative performance impact on Active Directory,
the network, and Configuration Manager. Enable incremental synchronization instead of using a full sync
schedule. For more information, see Active Directory group discovery.
Active Directory System Discovery is configured to run too frequently : You typically don't need
to configure Active Directory System Discovery to occur more frequently than every three hours. A more
frequent configuration can have a negative performance impact on Active Directory, the network, and
Configuration Manager. Enable incremental synchronization instead of using a full sync schedule. For
more information, see Active Directory system discovery.
Active Directory User Discovery is configured to run too frequently : You typically don't need to
configure Active Directory User Discovery to occur more frequently than every three hours. A more
frequent configuration can have a negative performance impact on Active Directory, the network, and
Configuration Manager. Enable incremental synchronization instead of using a full sync schedule. For
more information, see Active Directory user discovery.
Collections limited to All Systems or All Users : Review any collections that use the All Systems or
All Users collections as the limiting collection. Configuration Manager updates the membership of these
default collections with data from the Active Directory discovery methods. This data may not be valid
information for Configuration Manager clients.
Hear tbeat Discover y is disabled : Heartbeat discovery requires that you install the Configuration
Manager client on devices. It's the only discovery method that clients start. All other methods occur on
site servers. Heartbeat discovery is essential to keep client activity status current. It makes sure that the
site doesn't accidentally age out the resource records from the site database. For more information, see
Heartbeat discovery.
Long running collection queries enabled for incremental updates : Collections with a last
incremental refresh time higher than 30 seconds use site server and database resources, which could
potentially impact overall Configuration Manager performance. For more information, see Best practices
for collections.
Reduce the number of applications and packages on distribution points : Microsoft officially
supports a combined total of up to 10,000 packages and applications on a distribution point. Exceeding
this total can lead to operational problems. For more information, see Size and scale numbers -
distribution point.
Secondar y site installation issues : The installation status of some secondary sites is Pending or
Failed . These states mean that you started the install but it didn't complete successfully. Until the
secondary site install finishes, clients may not communicate properly with the primary site. Check the
Monitoring workspace, and retry the installation. For more information, see Retry installation of a failed
update.
Update all sites to the same version : Use the same version of Configuration Manager in a hierarchy.
This configuration makes sure all sites provide the same functionality. Sites of different versions in the
same hierarchy introduce interoperability scenarios. Later versions of Configuration Manager include
new features and resolve known issues. For more information, see Interoperability between different
versions.
For more information on these insights, see Remediation steps for Configuration Manager management
insights.

TIP
If you're already a customer of Microsoft Unified or Microsoft Premier, sign in to the Services Hub for additional on-
demand assessments.
For more information about Microsoft Services, see Support Solutions.

Operating system deployment


Starting in version 2006, the following management insights help you manage the policy size of task sequences.
When the size of the task sequence policy exceeds 32 MB, the client fails to process the large policy. The client
then fails to run the task sequence deployment.
Large task sequences may contribute to exceeding maximum policy size: If you deploy these
task sequences, clients may not be able to process the large policy objects. Reduce the size of the task
sequence policy to prevent potential policy processing issues.
Total policy size for task sequences exceeds policy limit: Clients can't process the policy for these
task sequences because it's too large. Reduce the size of the task sequence policy to allow the deployment
to run on clients.
For more information, see Reduce the size of task sequence policy.
In version 2006, the following insight moved to this group from the Proactive Maintenance group:
Unused boot images: Boot images not referenced for PXE boot or task sequence use. For more
information, see Manage boot images.
Optimize for remote workers
Starting in version 2006, the following insights help you create better experiences for remote workers and
reduce load on your infrastructure:
Configure VPN connected clients to prefer cloud based content sources: To reduce traffic on the
VPN, enable the boundary group option to Prefer cloud based sources over on-premises sources.
This option allows clients to download content from the internet instead of distribution points across the
VPN. For more information, see Boundary group options.
Define VPN boundary groups: Create a VPN boundary and associate it to a boundary group.
Associate VPN-specific site systems to the group, and configure the settings for your environment. This
insight checks for at least one boundary group with at least one VPN boundary in it. From the properties
of this insight, select Review Actions to go to the Boundary Groups node. For more information, see
VPN boundary type.
Disable peer to peer content sharing for VPN connected clients: To prevent unnecessary peer-to-
peer traffic that likely doesn't benefit the remote clients, disable the boundary group option to Allow
peer downloads in this boundary group. For more information, see Boundary group options.
Proactive maintenance
The insights in this group highlight potential configuration issues to avoid through upkeep of Configuration
Manager objects.
Boundary groups with no assigned site systems: Without assigned site systems, boundary groups
can only be used for site assignment. For more information, see Configure boundary groups.
Boundary groups with no members: Boundary groups aren't applicable for site assignment or
content lookup if they don't have any members. For more information, see Configure boundary groups.
Distribution points not serving content to clients: Distribution points that haven't served content
to clients in the past 30 days. This data is based on reports from clients of their download history. For
more information, see Install and configure distribution points.
Enable WSUS Cleanup: Verifies that you've enabled the option to run WSUS cleanup on the properties
of the software update point component. This option helps to improve WSUS performance. For more
information, see Software update maintenance.
Unused configuration items: Configuration items that aren't part of a configuration baseline and are
older than 30 days. For more information, see Create configuration baselines.
Update Microsoft .NET Framework on site systems: Starting in version 2107, Configuration
Manager requires Microsoft .NET Framework version 4.6.2 for site servers, specific site systems, clients,
and the console. Before you run setup to install or update the site, first update .NET and restart the
system. If possible in your environment, install the latest version of .NET version 4.8. For more
information, see Site and site system prerequisites.
Upgrade peer cache sources to the latest version of the Configuration Manager client:
Identify clients that serve as a peer cache source but haven't upgraded from a pre-1806 client version.
Pre-1806 clients can't be used as a peer cache source for clients that run version 1806 or later. Select
Take action to open a device view that displays the list of clients.

TIP
In version 2006, the insight for Unused boot images moved to the new OS deployment group.

Security
Insights for improving the security of your infrastructure and devices.
NTLM fallback is enabled: This insight detects if you enabled the less secure NTLM authentication
fallback method for the site. When using the client push method of installing the Configuration Manager
client, the site can require Kerberos mutual authentication. This enhancement helps to secure the
communication between the server and the client. For more information, see How to install clients with
client push.
Unsupported antimalware client versions: More than 10% of clients are running versions of System
Center Endpoint Protection that aren't supported. For more information, see Endpoint Protection.
Update clients running Windows 7 and Windows Server 2008: The rule shows clients running
Windows 7, Windows Server 2008 (non-Azure), and Windows Server 2008 R2 (non-Azure) that are no
longer receiving security updates. For more information about updates for these operating systems, see
Extended Security Updates (ESU).
Simplified management
Insights that help you simplify the day-to-day management of your environment.
Connect the site to the Microsoft cloud for Configuration Manager updates: This insight makes
sure your Configuration Manager service connection point has connected to the Microsoft cloud within
the past seven days. This connection is to download content for regular updates. Review
DMPDownloader.log and hman.log. For more information, see Internet access requirements.
Non-CB Client Versions: Lists all clients whose versions aren't a current branch (CB) build. For more
information, see Upgrade clients.
Update clients to a supported Windows 10 version: This insight reports on clients that are running
a version of Windows 10 that's no longer supported.
Software Center
Insights for managing Software Center.
Direct users to Software Center instead of Application Catalog: Check if users have installed or
requested applications from the application catalog in the last 14 days. The primary functionality of
application catalog is now included in Software Center. Support for the application catalog roles ended
with version 1910. For more information, see Deprecated features.
Use the new version of Software Center: The previous version of Software Center is no longer
supported. Set up clients to use the new Software Center by enabling the client setting Use new
Software Center in the Computer Agent group. For more information, see About client settings.
Software updates
Client settings aren't configured to allow clients to download delta content: Some software
updates synchronized in your environment include delta content. Enable the client setting, Allow clients
to download delta content when available. If you don't enable this setting, when you deploy these
updates, clients will unnecessarily download more content than they require. For more information, see
Client settings - Software updates.
Enable the software updates product category 'Windows 10, version 1903 and later': There's a
new software updates product category for Windows 10, version 1903 and later. If you synchronize
Windows 10 updates, and have Windows 10, version 1903 or later clients, select the Windows 10,
version 1903 and later product category in the software update point component properties. For
more information, see Configure classifications and products to synchronize.
Configure software update points to use TLS/SSL: Detects if your software update points are
configured to use TLS/SSL. Configuring Windows Server Update Services (WSUS) servers and their
corresponding software update points (SUPs) to use TLS/SSL may reduce the ability of a potential
attacker to remotely compromise a client and elevate privileges. This rule was added in Configuration
Manager version 2107.
Windows 10
Insights related to the deployment and servicing of Windows 10. The Windows 10 management insight group is
only available when more than half of clients are running Windows 7, Windows 8, or Windows 8.1.
Configure Windows diagnostic data and commercial ID key: To use data from Desktop Analytics,
configure devices with a Commercial ID key and enable collection of diagnostic data. Set Windows 10
devices to Enhanced (Limited) level or higher. For more information, see Enable data sharing for Desktop
Analytics.
Community hub and GitHub
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


The IT Admin community has developed a wealth of knowledge over the years. Rather than reinventing items
like Scripts and Reports from scratch, we've built a Community hub in Configuration Manager where IT
Admins can share with each other. By leveraging the work of others, you can save hours of work. The
Community hub fosters creativity by building on others work and having other people build on yours. GitHub
already has industry-wide processes and tools built for sharing. Now, the Community hub can leverage those
tools directly in the Configuration Manager console as foundational pieces for driving this new community.

About Community hub


Community hub supports the following objects:
CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
For information about sharing and using Power BI report templates with Community hub, see
Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently limited
Content for console extensions isn't hosted by Microsoft. Currently, the source download location
displays in the verbose SmsAdminUi.log for the console that initiates the download.

What's new
Support for downloading signed console extensions and limited contribution, added in July 2021
Filter content when using search, added in June 2021
Support for configuration baselines including child configuration items, added in March 2021
Support for Power BI reports, added in February 2021

Prerequisites
The device running the Configuration Manager console used to access the Community hub needs the
following items:
.NET Framework version 4.6 or later
.NET Framework version 4.6.2 or later is required starting in Configuration Manager 2010
Starting in version 2107, the console requires .NET version 4.6.2, and version 4.8 is
recommended. For more information, see Install the Configuration Manager console.
A supported version of Windows 10 or later
Windows Server isn't supported before version 2010, so the Configuration Manager console
needs to be installed on a supported Windows client device separate from the site server.
Starting in version 2010, install the Microsoft Edge WebView2 console extension to support
Windows Server.
The logged-in user account can't be the built-in administrator account
The administration service in Configuration Manager needs to be set up and functional.
If your organization restricts network communication with the internet using a firewall or proxy device,
you need to allow the Configuration Manager console to access internet endpoints. For more
information, see Internet access requirements.
A GitHub account is only required to contribute and share content from the Your hub page. If you don't
wish to share, you can use contributions from others without having a GitHub account. For more
information, see Contribute to Community hub.

IMPORTANT
Configuration Manager versions 2006 and earlier won't be able to sign in to GitHub. Configuration Manager
version 2010 or later with the WebView2 console extension installed is required for sign in.

Permissions
To import a script: Create permission for SMS_Scripts class.
To import a report: Full Administrator security role.
Starting in version 2010, Full Administrators can opt in the hierarchy for unreviewed content via hierarchy
settings. Lower hierarchy administrators can't opt in the hierarchy for unreviewed hub items. For more
information, see the Categorize Community hub content section.
Most built-in security roles will have access to the Community hub node:

Role name               View the hub   Download hub content   Contribute hub content
Remote Tools Operator   No             N/A                    N/A
Read Only Analyst       Yes            No                     No
All other roles         Yes            Yes                    Yes

Use the Community hub


1. Go to the Community hub node in the Community workspace.
2. Select an item to download.
3. You'll need appropriate permissions in your Configuration Manager site to download objects from the hub
and import them into the site.
To import a script: Create permission for SMS_Scripts class.
To import a report: Full Administrator security role.
4. Downloaded reports are deployed to a report folder called hub on the reporting services point. Downloaded
scripts can be seen in the Run Scripts node. Typically, downloaded items are placed in the console node for
which they're used.
5. View all items downloaded from the hub by your organization by selecting Your downloads from the
Community hub node.
Filter Community hub content when searching
You can filter content in the Community hub when using search. The following filters are available to use when
searching:

Filter name    Example search                  Uses a like filter
Type           type:report                     Yes
Curated        curated:false                   No
User           user:<GitHubUserName>           No
Organization   org:<GitHubOrganizationName>    No
Name           name:test_report                Yes
Description    desc:description                Yes

When filtering Community hub items in search:


The filtering on some items is done using like so you don't need to know the exact name of an item you
are trying to find. For instance, using type:task would return task sequences.
You can't use the same filter twice in a search. For instance, using type:report and type:extension would
only return reports since the second filter gets ignored.
Search filtering respects the hierarchy setting for displaying Community hub content categories.
If your hierarchy is set to Display Microsoft and curated community content, then
curated:false is ignored.
If your hierarchy is set to Display Microsoft content, then the curated: filter is ignored.
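The filter table and the rules above (like-matching on some filters, exact matching on others, a repeated filter being ignored, and the hierarchy setting overriding the curated filter) can be modeled as a small search function. This is an added illustration, not the Community hub's own search code: the sample items, the internal names for the three hierarchy settings, and the meaning of curated:true and curated:false (true matches Microsoft and curated community content, false matches unreviewed content) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Filters from the table above: three use a "like" (substring) match, three are exact.
LIKE_FILTERS = {"type", "name", "desc"}
EXACT_FILTERS = {"curated", "user", "org"}

# Hierarchy settings for Community hub content categories (internal names are assumed).
MICROSOFT_ONLY = "Display Microsoft content"
MICROSOFT_AND_CURATED = "Display Microsoft and curated community content"
ALL_CONTENT = "Display all content including unreviewed content"

# Which content categories each setting makes visible at all.
VISIBLE_CATEGORIES = {
    MICROSOFT_ONLY: {"microsoft"},
    MICROSOFT_AND_CURATED: {"microsoft", "curated"},
    ALL_CONTENT: {"microsoft", "curated", "unreviewed"},
}


@dataclass(frozen=True)
class HubItem:
    type: str
    name: str
    desc: str
    user: str      # GitHub user name of the contributor
    org: str       # GitHub organization used for branding, if any
    category: str  # "microsoft", "curated" or "unreviewed"


# Constructed sample catalogue; these are not real Community hub items.
SAMPLE_ITEMS: List[HubItem] = [
    HubItem("report", "client_health_report", "Client health summary", "microsoft", "microsoft", "microsoft"),
    HubItem("task sequence", "in_place_upgrade", "Windows in-place upgrade", "alice", "contoso", "curated"),
    HubItem("extension", "right_click_tools", "Console right-click actions", "bob", "", "unreviewed"),
]


def parse_filters(query: str) -> Dict[str, str]:
    """Extract key:value filters from a search string.

    A filter used twice keeps only its first value: the documentation says the
    second occurrence is ignored, so "type:report type:extension" returns reports.
    """
    filters: Dict[str, str] = {}
    for token in query.split():
        key, sep, value = token.partition(":")
        key = key.lower()
        if not sep or not value or key not in LIKE_FILTERS | EXACT_FILTERS:
            continue            # plain search words and unknown keys are not filters here
        if key in filters:
            continue            # repeated filter: ignored
        filters[key] = value
    return filters


def effective_filters(filters: Dict[str, str], setting: str) -> Dict[str, str]:
    """Apply the hierarchy-setting rules: curated:false is ignored when only Microsoft
    and curated content display, and curated: is ignored entirely for Microsoft-only."""
    effective = dict(filters)
    if "curated" in effective:
        if setting == MICROSOFT_ONLY:
            effective.pop("curated")
        elif setting == MICROSOFT_AND_CURATED and effective["curated"].lower() == "false":
            effective.pop("curated")
    return effective


def matches(item: HubItem, key: str, value: str) -> bool:
    """One filter against one item. Assumption: curated:true means Microsoft or
    curated community content, curated:false means unreviewed content."""
    if key == "curated":
        is_curated = item.category != "unreviewed"
        return is_curated == (value.lower() == "true")
    field = getattr(item, key).lower()
    if key in LIKE_FILTERS:
        return value.lower() in field   # "type:task" finds "task sequence"
    return field == value.lower()


def search(query: str, setting: str, items: List[HubItem] = SAMPLE_ITEMS) -> List[HubItem]:
    """Items visible under the hierarchy setting that satisfy every effective filter."""
    filters = effective_filters(parse_filters(query), setting)
    return [
        item for item in items
        if item.category in VISIBLE_CATEGORIES[setting]
        and all(matches(item, key, value) for key, value in filters.items())
    ]


if __name__ == "__main__":
    for query in ("type:task", "type:report type:extension", "curated:false"):
        names = [item.name for item in search(query, ALL_CONTENT)]
        print(f"{query!r} -> {names}")
```

Running the block shows the three documented behaviours in order: the like filter finds the task sequence from the partial word, the second type: filter is dropped, and curated:false returns only unreviewed content under the all-content setting but nothing extra under the stricter settings.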

Direct links to Community hub items


(Introduced in version 2006)
You can navigate to and reference items in the Configuration Manager console Community hub node with a
direct link. Collaborate with your colleagues easily by sharing direct links to Community hub items. These deep
links are currently only for items in the Community hub node of the console.
Prerequisites for direct links:
Configuration Manager console version 2006 or later
You can't use the local built-in administrator account when following a Community hub link.
Share an item:
1. Go to the item in the hub and select Share.
2. Paste the copied link and share it with others.
Open a shared link:
1. Open the link from a machine that has the Configuration Manager console installed.
For example, use this link to share the Configure Microsoft Edge Auto Update script (
https://communityhub.microsoft.com/item/7200 ).
2. Select Launch the Community hub when prompted.
3. The console opens directly to the script in the Community hub node.

Categorize Community hub content


(Introduced in version 2010)
Starting in Configuration Manager version 2010, Community hub content is grouped into a Microsoft, curated,
or unreviewed category to allow admins to choose the types of content their environment displays. Admins can
choose from the different categories of content that are provided in the Community hub to match their risk
profile and their willingness to share and use content from those outside Microsoft and outside their own
company. Only Full Administrators can opt in the hierarchy for unreviewed content via hierarchy settings.
Community hub content has three categories for content sources:
Microsoft curated: Content provided by Microsoft
Community curated: Content provided by the community that gets reviewed by Microsoft
Community unreviewed: General content from the community that doesn't get reviewed by Microsoft

Admins can choose the types of content their environment displays from the following options:
Display Microsoft content: Selecting this option means that only content created by Microsoft will be
shown in the Community hub. This content has had some basic testing and scanning validation to confirm no
malware and inappropriate text.
Display Microsoft and curated community content: Show curated content from both Microsoft and
community partners with basic level of review. Selecting this option means that only content that has been
curated will be shown. The curation process includes basic review to confirm that the content doesn't have
malware and inappropriate text, but hasn't necessarily been tested. It will include content from the
community, not just from Microsoft.
Display all content including unreviewed content: Selecting this option means that all content is
shown. This option includes unreviewed open-source type samples from the community, meaning that the
content hasn't necessarily been reviewed at all. It's provided as-is as open-source type sample content. Doing
your own inspection and testing before using is highly encouraged, which is good practice on any content,
but especially this class of content.

Since the content is open-source style content, admins should always review what is provided before
consuming it. The new curation process is intended to vet the material to make sure there aren't obvious quality
or compliance issues, but it will be somewhat of a cursory review. All content stored within GitHub and accessed
from the Community hub isn’t supported by Microsoft. Microsoft doesn’t validate content collected from or
shared by the general community. For more information, see GitHub Terms of Service and GitHub Privacy
Statement.
Select the content categories to display in Community hub for the environment
1. In the Configuration Manager console, go to Administration > Overview > Site Configuration > Sites.
2. Select the top-level site in your hierarchy and select Hierarchy Settings from the ribbon.
3. On the General tab, change the Community hub setting to Display Microsoft content.
4. Select OK when you're finished changing the hierarchy setting.
5. Open the Community hub node in the Community workspace.
6. Ensure that only Microsoft content is displayed and available for download.
7. Go back to Hierarchy Settings and select another option such as Display all content, including
unreviewed content.
8. Confirm that the Community hub displays, and lets you download, only the category of content that
matches the selected hierarchy setting.

Install the WebView2 console extension


(Introduced in version 2010)
Starting in Configuration Manager 2010, the Microsoft Edge WebView2 console extension enables the full
functionality for Community hub. If WebView2 isn't installed, a banner is shown when you navigate to the
Community hub node. The WebView2 console extension:
Displays the Community hub on Windows Server operating systems
Enables sign in for GitHub
GitHub sign-in is needed for contributing to Community hub but not for downloading items.

IMPORTANT
When you upgrade to Configuration Manager 2107, you will be prompted to install the WebView2 console extension
again.
Configuration Manager versions 2006 and earlier can’t sign into GitHub but can still download items. Using
Community hub on Windows Server requires the WebView2 console extension and Configuration Manager version
2010 or later.
Follow the instructions below to enable the full functionality of Community hub:
1. In the upper-right corner of the console, select the bell icon to display Configuration Manager console
notifications.

2. The notification will say New custom console extensions are available.

3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console.

5. Confirm that you can view the Community hub node from the machine running the Windows Server
operating system.
You may also notice that a new folder
AdminConsole\bin\Microsoft.WebView2.FixedVersionRuntime.<version>.x86 was created.
The files are automatically downloaded from https://developer.microsoft.com/en-us/microsoft-
edge/webview2/#download-section with the other redistributable files.

TIP
Starting in Configuration Manager version 2103, you can also install the WebView2 extension from the Console
Extensions node. For more information, see Install an extension on a local console.

Known issues
Community hub doesn't load
The Community hub may not load, or load after a long delay if the WebView2 console extension hasn't been
installed. For more information about installing console extensions, see the Install the WebView2 console
extension and Managing console extensions (starting in version 2103).
Unhandled exception occurs when loading Community hub
In certain circumstances, you may encounter the following exception when loading Community hub:
Could not load type 'System.Runtime.InteropServices.Architecture' from assembly 'mscorlib, Version=4.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089'.

Workaround: To work around this issue, update the .NET Framework to version 4.7.1 or later for the machine
running the Configuration Manager console.
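The console prerequisite of .NET Framework 4.6.2 (4.8 recommended) from the Prerequisites section and the 4.7.1 workaround for this exception both come down to which .NET Framework build is installed on the console machine. The following added example, which is not part of the original page, reads the Release value that the .NET Framework 4.x installer writes under HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full and evaluates it against those three thresholds. The release-number minimums are Microsoft's published values; the function names and the status dictionary keys are the example's own.

```python
import sys
from typing import Dict, Optional

# Lower bounds of the "Release" DWORD that the .NET Framework 4.x installer writes
# under HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full (Microsoft's
# published minimum values; some OS builds report slightly higher numbers).
RELEASE_MINIMUMS = [
    (528040, "4.8"),
    (461808, "4.7.2"),
    (461308, "4.7.1"),
    (460798, "4.7"),
    (394802, "4.6.2"),
    (393295, "4.6"),
]

CONSOLE_MINIMUM = 394802       # 4.6.2: required by the console starting in version 2107
ARCHITECTURE_FIX = 461308      # 4.7.1: workaround for the InteropServices.Architecture exception
CONSOLE_RECOMMENDED = 528040   # 4.8: recommended


def release_to_version(release: int) -> str:
    """Map a Release value to the newest .NET Framework version it satisfies."""
    for minimum, version in RELEASE_MINIMUMS:
        if release >= minimum:
            return version
    return "older than 4.6"


def console_net_status(release: int) -> Dict[str, object]:
    """Evaluate one Release value against the thresholds this page calls out."""
    return {
        "version": release_to_version(release),
        "meets_console_minimum": release >= CONSOLE_MINIMUM,
        "avoids_architecture_exception": release >= ARCHITECTURE_FIX,
        "recommended_version": release >= CONSOLE_RECOMMENDED,
    }


def installed_release() -> Optional[int]:
    """Read the Release value from the local registry. Returns None on non-Windows
    hosts or when no .NET Framework 4.x is installed."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    key_path = r"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "Release")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    release = installed_release()
    if release is None:
        print("No .NET Framework 4.x Release value found on this host")
    else:
        print(release, console_net_status(release))
```

A machine that reports a Release value at or above 394802 satisfies the console prerequisite but still hits the Architecture exception until the value reaches 461308, which is why the two checks are kept separate.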
Unable to access Community hub node when running console as a different user
If you're signed in as a user with lower rights and choose Run as a different user to open the Configuration
Manager console, you may not be able to access the Community hub node.
Downloaded reports don't get removed from your downloads page
If you delete a downloaded report from the Monitoring > Reports node, the report isn't deleted from the
Community hub > Your downloads page and you're unable to download the report again.
Unable to download baseline that contains a previously downloaded configuration item
If you previously downloaded a configuration item from Community hub using Configuration Manager 2010,
you may receive an error when downloading a baseline after upgrading to Configuration Manager version
2103. A download error can occur when the baseline contains an updated version of the configuration item you
previously downloaded with Configuration Manager 2010.
Workaround: To work around this issue, delete the configuration item you previously downloaded, then
download the baseline with the new version of the configuration item.
Unable to sign in when single sign on with multifactor authentication is used
When single sign on with multifactor authentication is used, you may not be able to sign in for the following
features when using Configuration Manager 2103 and earlier:
Community hub
Community hub from CMPivot
Custom tabs in Software Center that load a website that's subject to conditional access policies

Next steps
Contribute to the Configuration Manager Community hub
Contribute to the Community hub
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


Community hub fosters creativity by building on others work and having other people build on yours. GitHub
already has industry-wide processes and tools built for sharing. Now, the Community hub can leverage those
tools directly in the Configuration Manager console as foundational pieces for driving this new community. You
can share the following objects for use by others in the Configuration Manager community:
CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
For information about sharing and using Power BI report templates with Community hub, see
Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently limited
Content for console extensions isn't hosted by Microsoft. Currently, the source download location
displays in the verbose SmsAdminUi.log for the console that initiates the download.

Prerequisites
All Community hub prerequisites and permissions
Configuration Manager version 2010 or later
Install the Microsoft Edge WebView2 extension for the Configuration Manager console.
A GitHub account
A GitHub account is only required to contribute and share content from the Your hub page.
If you don't already have a GitHub account, you can create one before you join.
If you don't wish to share, you can use contributions from others without having a GitHub account.

IMPORTANT
Configuration Manager versions 2006 and earlier can’t sign into GitHub but can still download items. Using Community
hub on Windows Server requires the WebView2 console extension and Configuration Manager version 2010 or later.

Most built-in security roles will have access to the Community hub node:

Role name               View the hub   Download hub content   Contribute hub content
Remote Tools Operator   No             N/A                    N/A
Read Only Analyst       Yes            No                     No
All other roles         Yes            Yes                    Yes

Join the Community hub to contribute content


1. Go to the Community hub node in the Community workspace.
2. Select Your hub and you'll be prompted to sign into GitHub. If you don't have an account, you'll be
redirected to GitHub where you can create one. A GitHub account is only required to contribute and share
content from the Your hub page.
3. Once you've signed into GitHub, select the Join button to join the Community hub.

4. After joining, you'll see your membership request is pending. Your account needs approval by the
Configuration Manager Content Curation team. Approvals are done once a day, so it may take up to one
business day for your approval to be granted.
5. Once you're granted access, you'll get an email from GitHub. Open the link in the email to accept the
invitation.

IMPORTANT
You must accept the invitation sent in the email otherwise you won't be able to contribute content.

Contribute content
Once you've accepted the invitation, you can contribute content.
1. Go to Community > Community hub > Your hub .
2. Select Add an Item to open the Contribute item wizard.

3. Specify the Type of object you want to share from the drop-down menu. The following object types are
available:
CMPivot queries
Applications
Task sequences
Configuration items
Configuration baselines, including child configuration items
Baselines with software updates or version-specific references aren't supported
PowerShell Scripts
Reports
Power BI report templates
For information about sharing and using Power BI report templates with Community hub, see
Integrate with Power BI Report Server.
Console extensions are available for download, but contributions are currently limited
Content for console extensions isn't hosted by Microsoft. Currently, the source download
location displays in the verbose SmsAdminUi.log for the console that initiates the download.
4. Select Browse to load your environment's object list for the selected type. The object's Name and
Description (if available) will automatically load in the contribution wizard.
5. Edit the following information to reflect what the community should see for your contribution:
Name: Name of your object
Description: The description of the object you're contributing.
6. On the Organization page, select the GitHub Organization to use for organization branding if needed.
None is the default.
If your organization isn't listed, verify that the membership visibility is set to Public in your GitHub
profile.
7. Select Next to submit the contribution.
8. Once the contribution is complete, you'll see the GitHub pull request (PR) link. The link is also emailed to
you. You can paste the link into a browser to view the PR. Your PR will go through the standard GitHub
merge process.
PRs should be submitted through the Configuration Manager console, not directly to the GitHub
repository.
9. Choose Close to exit the contribution wizard.
10. Once the PR has been completed and merged, the new item will display in the Community hub home
page for others to see.

Update contributed content


You can update content you've contributed to the Community hub.
1. Select an item that you previously contributed. Currently, you can only edit items that you contributed.
2. In the item details, select Push Update to open the contribute item wizard.
3. Edit the Description of the item to note what changes were made.
4. Select Next to upload the item.
5. Once the item is uploaded, you'll be given the pull request URL of the change for monitoring.
6. Select Close when you're done to exit the wizard.

Personalization and organization branding of contributed content


Starting in January 2021, your contributions are personalized. By default, your contributions include your
personal GitHub profile picture. The default GitHub Identicon is used if you don't have a profile picture. All
contributions you've submitted before January 2021 are automatically personalized using this default.

Community hub also allows new contributions to be branded instead of using the default personalization. You
can brand a contribution to one of your organization memberships in GitHub that's publicly visible. When you
choose to brand your contribution, the organization's profile picture is used rather than your personal profile
picture. The organization's web page, Twitter handle, and company bio are included on the contribution.
Branding to the organization identity allows for uniformity regardless of which user is submitting the
contribution.

To use branding:
The visibility of the organization membership must be set to Public from the contributor's GitHub profile.
On the Organization page in the Contribute item wizard, select the GitHub Organization to use for
branding. For more information, see the Contribute content section.

Directly link to Community hub items


(Introduced in version 2006)
You can navigate to and reference items in the Configuration Manager console Community hub node with a
direct link. Collaborate with your colleagues easily by sharing direct links to Community hub items. These deep
links are currently only for items in the Community hub node of the console.
Prerequisites for direct links:
Configuration Manager console version 2006 or later
You can't use the local built-in administrator account when following a Community hub link.
Share an item:
1. Go to the item in the hub and select Share.
2. Paste the copied link and share it with others.
Open a shared link:
1. Open the link from a machine that has the Configuration Manager console installed.
For example, use this link to share the Configure Microsoft Edge Auto Update script
(https://communityhub.microsoft.com/item/7200).
2. Select Launch the Community hub when prompted.
3. The console opens directly to the script in the Community hub node.

Publish query to Community hub from CMPivot


(Applies to version 2107 or later)
Starting in version 2107, you can publish a CMPivot query to the Community hub directly from the CMPivot
window. Submitting your queries directly through CMPivot makes contributing to the Community hub easier.
You'll need the following requirements for CMPivot and for contributing to the Community hub:
Meet all of the CMPivot prerequisites and permissions
Enable Community hub.
If needed, install the Microsoft Edge WebView2 extension from the Configuration Manager console
notification.
A GitHub account that's joined to Community hub
You must accept the invitation sent in the email, otherwise you won't be able to contribute content.
1. Go to the Assets and Compliance workspace, then select the Device Collections node.
2. Select a target collection, target device, or group of devices, then select Start CMPivot in the ribbon to
launch the tool.
3. From the CMPivot window, select the Community hub icon on the menu.

4. Select Sign in, then sign into GitHub.


5. Create a CMPivot query, then select Run Query to verify it functions as expected.
Optionally, select the folder icon to access your favorites list to use a query you've already created.
6. Select the Publish link at the top of CMPivot's Community hub window when you're ready to submit your
query.
7. Give your query a Name and Description, then select the Publish button to send your query to the
Community hub.
8. Once the contribution is complete, you can access your query anytime from the Me tab.
9. To view the GitHub pull request (PR), go to https://github.com/Microsoft/configmgr-hub/pulls. You can
also access the PR link from the Your hub page in the Community hub node.
PRs shouldn't be submitted directly to the GitHub repository.

NOTE
Currently, when you publish a query through CMPivot, you can't edit or delete it after publishing.
Community hub is only available in CMPivot when you run it from the Configuration Manager console. Community
hub isn't available from standalone CMPivot.

Object type information


Configuration baselines
When you contribute a configuration baseline, each of the child configuration items is verified. The verification
starts at the lowest nested level. This means that configuration items that are grandchildren are verified before
direct child configuration items are. You can have up to 50 child configuration items and up to 4 nested levels.
The following process occurs to ensure the configuration baseline is usable and complete:
1. Check if the child configuration item is already in the Community hub. If the configuration item doesn't exist,
it's created.
A configuration item with software updates or version-specific references will cause an error and the
contribution will fail.
2. If the configuration item already exists in the Community hub, verify the contributor is the author. If the
contributor isn't the author, a new configuration item is created in Community hub.
3. If the contributor is the author, check for local updates to the configuration item. If the configuration item
changed, update the item in the Community hub.
Console extensions
You contribute extensions the same way you would any other Community hub object. However, there are
additional requirements and additional information you need to supply for an extension. When you contribute a
console extension to Community hub, the content must be signed. Content for console extensions isn't hosted
by Microsoft. When you contribute your item, you'll be asked to provide the location of the signed .cab file along
with other information for the extension. The following items are required for contributing extensions:
Content URL: Location for the downloadable .cab file
SHA-256 hash of the content: SHA-256 hash of the .cab file
License URL: URL of the license for the extension, such as https://mit-license.org/
Privacy statement URL: URL of your privacy statement
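Because the .cab isn't hosted by Microsoft, the published SHA-256 hash and the signature are what an administrator has to check before approving the extension in the Console Extensions node. The following is an added example (not Microsoft's or the Community hub's own code); it assumes the .cab has already been downloaded to a local path, and the expected hash and signer subject are placeholders you take from the hub item.

```powershell
# Added example (not Microsoft's code): verify a console extension .cab before approving it.
# Assumptions: the .cab was already downloaded to $CabPath, $ExpectedSha256 is the
# "SHA-256 hash of the content" value shown on the hub item, and $ExpectedSubjectPattern
# is an optional wildcard for the signer's certificate subject (all placeholders here).
function Test-ConsoleExtensionCab {
    param(
        [Parameter(Mandatory)] [string] $CabPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedSubjectPattern = ''   # for example 'CN=Contoso*' (constructed)
    )

    if (-not (Test-Path -LiteralPath $CabPath)) {
        throw "File not found: $CabPath"
    }

    $result = [ordered]@{
        Path           = $CabPath
        HashMatches    = $false
        SignatureValid = $false
        Signer         = $null
        Approve        = $false
    }

    # 1. Integrity: the hash published with the hub item must match the bytes actually downloaded.
    #    Normalise the declared value (strip whitespace, colons and dashes) and compare case-insensitively.
    $actual = (Get-FileHash -LiteralPath $CabPath -Algorithm SHA256).Hash
    $result.HashMatches = ($actual -ieq ($ExpectedSha256 -replace '[\s:-]', ''))

    # 2. Authenticity: the content must be signed. Get-AuthenticodeSignature reads the
    #    embedded Authenticode signature of a .cab directly; only 'Valid' is acceptable.
    $sig = Get-AuthenticodeSignature -LiteralPath $CabPath
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        if ($ExpectedSubjectPattern -and ($result.Signer -notlike $ExpectedSubjectPattern)) {
            # Signed, but not by the publisher you expected: treat as a failure.
            $result.SignatureValid = $false
        }
    }

    # Approve only when both the integrity and the authenticity checks pass.
    $result.Approve = $result.HashMatches -and $result.SignatureValid
    [pscustomobject]$result
}

# Usage (constructed values; replace with the item's real hash and your download path):
# Test-ConsoleExtensionCab -CabPath 'C:\Downloads\ContosoExtension.cab' `
#     -ExpectedSha256 '<SHA-256 from the hub item>' -ExpectedSubjectPattern 'CN=Contoso*'
```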

Next steps
Learn more about creating and using the following objects:
Create and run PowerShell scripts
Introduction to reporting
Create and manage task sequences
Create and deploy an application
Create configuration items
Create and contribute console extensions
Console extensions from Community hub
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


When you use Configuration Manager version 2103 or later, you can download console extensions from the
Community hub and have them applied to all consoles connected to a hierarchy. The Console extensions node
allows you to start managing the approval and installation of console extensions used in your environment.
Getting an extension from community hub doesn't make it immediately available. First, an administrator has to
approve the extension for the site. Then console users can install the extension to their local console.
After you approve an extension, when you open the console, you'll see a console notification. From the
notification, you can start the extension installer. After the installer completes, the console restarts automatically,
and then you can use the extension.

Find extensions in Community hub


Extensions in Community hub are recognizable by their icon. When browsing All objects in the Community
hub, you can easily notice if a new extension has been added. The following icon is used for extensions:

You can also use a search filter to find an extension in Community hub. Start with the search filter for
type:extension , then add additional filters as needed. If you're not finding an extension that's known to be
available, double check the displayed categories hierarchy setting for Community hub.

Filter name     Example search                   Uses a like filter
Type            type:report                      Yes
Curated         curated:false                    No
User            user:<GitHubUserName>            No
Organization    org:<GitHubOrganizationName>     No
Name            name:test_report                 Yes
Description     desc:description                 Yes

When filtering Community hub items in search:
The filtering on some items is done using like, so you don't need to know the exact name of an item you
are trying to find. For instance, using type:task would return task sequences.
You can't use the same filter twice in a search. For instance, using type:report and type:extension would
only return reports since the second filter gets ignored.
Search filtering respects the hierarchy setting for displaying Community hub content categories.
If your hierarchy is set to Display Microsoft and curated community content, then
curated:false is ignored.
If your hierarchy is set to Display Microsoft content, then the curated: filter is ignored.

Download and deploy the extension


You'll download the extension from Community hub, then use the Console Extensions node to test the
extension and deploy it to other Configuration Manager console users. In-depth instructions for the deployment
process and managing extensions can be found in the Console Extensions article. Below is a high-level overview
of the extension deployment process:
1. Once you've found an extension in Community hub that you want in your environment, select Download.
2. The downloaded extension will appear in the Console Extensions node.
3. Change the security scope for the extension, approve it, then install and test it on a local console. For more
information on this process, see Install and test an extension on a local console.
4. When testing is complete, enable user notifications for installation.

Console extension installation notifications


Users are notified when console extensions are approved for installation. These notifications occur for users
when console extensions are approved and notifications are enabled from Administration > Overview >
Updates and Servicing > Console Extensions. When notifications are enabled, users within the security
scope for the extension receive the following prompts:
1. In the upper-right corner of the console, select the bell icon to display Configuration Manager console
notifications.

2. The notification will say New custom console extensions are available.
3. Select the link Install custom console extensions to launch the install.
4. When the install completes, select Close to restart the console and enable the new extension.

NOTE
When you upgrade to Configuration Manager version 2107, you will be prompted to install the WebView2 console
extension again. For more information about the WebView2 installation, see the WebView2 installation section of the
Community hub article.

Next steps
Manage console extensions
Import console extensions
Create and contribute your own console extension
CMPivot overview
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


CMPivot allows you to quickly assess the state of devices in your environment and take action. When you enter
a query, CMPivot will run a query in real time on all currently connected devices in the selected collection. The
data returned can then be filtered, grouped, and refined to answer business questions, troubleshoot issues in
your environment, or respond to security threats. For more information about using CMPivot, see Use CMPivot.

Queries
Queries can be used to search terms, identify trends, analyze patterns, and provide many other insights based
on your data. CMPivot uses a subset of the Azure Log Analytics data flow model for the tabular expression
statement. The typical structure of a tabular expression statement is a composition of client entities and tabular
data operators (such as filters and projections). The composition is represented by the pipe character (|), giving
the statement a regular form that visually represents the flow of tabular data from left to right. Each operator
accepts a tabular data set "from the pipe", and additional inputs (including other tabular data sets) from the
body of the operator, then emits a tabular data set to the next operator that follows:
entity | operator1 | operator2 | ...

In the following example, the entity is CCMRecentlyUsedApplications (a reference to the recently used
applications), and the operator is where (which filters out records from its input according to some per-record
predicate):

CCMRecentlyUsedApplications | where CompanyName like '%Microsoft%' | project CompanyName, ExplorerFileName, LastUsedTime, LaunchCount, FolderPath

Entities
Entities are objects that can be queried from the client. We currently support the following entities:

Entity                                  Description
AadStatus                               Status of Azure Active Directory
Administrators                          Members of the local administrators group
AppCrash                                Recent application crash reports
AppVClientApplication                   AppV Client Application
AppVClientPackage                       AppV Client Package
AutoStartSoftware                       Software that starts automatically with, or immediately after, the operating system
BaseBoard                               BaseBoard
Battery                                 Battery
Bios                                    System BIOS information
BitLocker                               BitLocker
BitLockerEncryptionDetails              BitLocker Encryption Details
BitLockerPolicy                         BitLocker Policy
BootConfiguration                       Boot Configuration
BrowserHelperObject                     Browser Helper Object
BrowserUsage                            Browser Usage
CcmLog()                                Lines within 24 hours (by default) from a Ccm Log file
CCMRAX                                  CCM_RAX
CCMRecentlyUsedApplications             Recently Used Applications
CCMWebAppInstallInfo                    Web Applications
CDROM                                   CDROM Drive
ClientEvents                            Client Events
ComputerSystem                          Computer System
ComputerSystemEx                        Computer System Ex
ComputerSystemProduct                   Computer System Product
ConnectedDevice                         Connected Device
Connection                              An active Tcp connection in or out of the device
Desktop                                 Desktop
DesktopMonitor                          Desktop Monitor
Device                                  Basic information about the device
Disk                                    Local storage device information on a computer system running Windows
DMA                                     DMA
DMAChannel                              DMA Channel
DriverVxD                               Driver - VxD
EmbeddedDeviceInformation               Embedded Device Information
Environment                             Environment
EPStatus                                Status of antimalware software on the computer gathered by the
                                        Get-MpComputerStatus cmdlet. Supported on Windows 10 and Server 2016,
                                        or later with Defender running.
EventLog()                              Events within 24 hours (by default) from an event log
File()                                  Information about a specific file
FileShare                               Active file share information
Firmware                                Firmware
IDEController                           IDE Controller
InstalledExecutable                     Installed Executable
InstalledSoftware                       An application installed on the device
IPConfig                                Gets network configuration, including usable interfaces, IP addresses, and DNS servers
IRQTable                                IRQ Table
Keyboard                                Keyboard
LoadOrderGroup                          Load Order Group
LogicalDisk                             Logical Disk
MDMDevDetail                            Device Information
Memory                                  Memory
Modem                                   Modem
Motherboard                             Motherboard
NetworkAdapter                          Network Adapter
NetworkAdapterConfiguration             Network Adapter Configuration
NetworkClient                           Network Client
NetworkLoginProfile                     Network Login Profile
NTEventlogFile                          NT Eventlog File
Office365ProPlusConfigurations          Office 365 Apps Configurations
OfficeAddin                             Office add-ins
OfficeClientMetric                      Office Client Metric
OfficeDeviceSummary                     Office Device Summary
OfficeDocumentMetric                    Office document metrics
OfficeDocumentSolution                  Office Document Solution
OfficeMacroError                        Office Macro Error
OfficeProductInfo                       Office Product Info
OfficeVbaRuleViolation                  Office Vba Rule Violation
OfficeVbaSummary                        Office VBA scan summary
OperatingSystem                         Operating System
OperatingSystemEx                       Operating System Ex
OperatingSystemRecoveryConfiguration    Operating System Recovery Configuration
OptionalFeature                         Optional Feature
OS                                      Basic information about the operating system
PageFileSetting                         Page File Setting
ParallelPort                            Parallel Port
Partition                               Disk Partitions
PCMCIAController                        PCMCIA Controller
PhysicalDisk                            PhysicalDisk
PhysicalMemory                          Physical Memory
PNPDEVICEDRIVER                         PNP Device Driver
PointingDevice                          Pointing Device
PortableBattery                         Portable Battery
Ports                                   Ports
PowerCapabilities                       Power Capabilities
PowerClientOptOutSettings               Power Management Exclusion Settings
PowerConfigurations                     Power Configuration
PowerManagementDaily                    Power Management Daily Data
PowerManagementInsomniaReasons          Power Insomnia Reasons
PowerManagementMonthly                  Power Management Monthly Data
PowerSettings                           Power Settings
PrinterConfiguration                    Printer Configuration
PrinterDevice                           Printer Device
PrintJobs                               Print Jobs
Process                                 A process on an operating system
ProcessModule()                         Modules loaded by specified processes
Processor                               Processor
ProtectedVolumeInformation              Protected Volume Information
Protocol                                Protocol
QuickFixEngineering                     Quick Fix Engineering
Registry                                All values for a specific registry key. Starting in version 2107,
                                        Key value was added to the Registry() entity
SCSIController                          SCSI Controller
SerialPortConfiguration                 Serial Port Configuration
SerialPorts                             Serial Ports
ServerFeature                           Server Feature
Service                                 A service on a computer system running Windows
Services                                Services
Shares                                  Shares
SMBConfig                               SMB Configuration of a device
SMSAdvancedClientPorts                  Configuration Manager Client Ports
SMSAdvancedClientSSLConfigurations      Configuration Manager Client SSL Configurations
SMSAdvancedClientState                  Configuration Manager Client State
SMSDefaultBrowser                       Default Browser
SMSSoftwareTag                          Software Tag
SMSWindows8Application                  Windows app
SMSWindows8ApplicationUserInfo          Windows app User Info
SoftwareShortcut                        Software Shortcut
SoftwareUpdate                          A software update applicable but not installed on the device
SoundDevices                            Sound Devices
SWLicensingProduct                      Software Licensing Product
SWLicensingService                      Software Licensing Service
SystemAccount                           System Account
SystemBootData                          System Boot Data
SystemBootSummary                       System Boot Summary
SystemConsoleUsage                      System Console Usage
SystemConsoleUser                       System Console User
SystemDevices                           System Devices
SystemDrivers                           System Drivers
SystemEnclosure                         System Enclosure
TapeDrive                               Tape Drive
TimeZone                                Time Zone
TPM                                     TPM
TPMStatus                               TPM Status
TSIssuedLicense                         TS Issued License
TSLicenseKeyPack                        TS License Key Pack
UninterruptiblePowerSupply              Uninterruptible Power Supply
USBController                           USB Controller
USBDevice                               USB Device
User                                    A user account with an active connection to the device
USMFolderRedirectionHealth              Folder Redirection Health
USMUserProfile                          User Profile Health
VideoController                         Video Controller
VirtualMachine                          Virtual Machine
VirtualMachine64                        Virtual Machine (64)
Volume                                  Volume
WindowsUpdate                           Windows Update
WindowsUpdateAgentVersion               Windows Update Agent Version
WinEvent()                              Events within 24 hours (by default) from a Windows event log
WriteFilterState                        Write Filter State

Table operators
Table operators can be used to filter, summarize, and transform data streams. Currently the following operators are
supported:

Table operator    Description
count             Returns a table with a single record containing the number of records
distinct          Produces a table with the distinct combination of the provided columns of the input table
join              Merge the rows of two tables to form a new table by matching rows for the same device
order by          Sort the rows of the input table into order by one or more columns
project           Select the columns to include, rename or drop, and insert new computed columns
take              Return up to the specified number of rows
top               Returns the first N records sorted by the specified columns
where             Filters a table to the subset of rows that satisfy a predicate

Scalar Operators
The following table summarizes operators:

Operator       Description                                                        Example
==             Equal                                                              1 == 1, 'aBc' == 'AbC'
!=             Not Equal                                                          1 != 2, 'abc' != 'abcd'
<              Less                                                               1 < 2, 'abc' < 'DEF'
>              Greater                                                            2 > 1, 'xyz' > 'XYZ'
<=             Less or Equal                                                      1 <= 2, 'abc' <= 'abc'
>=             Greater or Equal                                                   2 >= 1, 'abc' >= 'ABC'
+              Add                                                                2 + 1, now() + 1d
-              Subtract                                                           2 - 1, now() - 1h
*              Multiply                                                           2 * 2
/              Divide                                                             2 / 1
%              Modulo                                                             2 % 1
like           Left Hand Side (LHS) contains a match for Right Hand Side (RHS)    'abc' like '%B%'
!like          LHS doesn't contain a match for RHS                                'abc' !like '_d_'
contains       RHS occurs as a subsequence of LHS                                 'abc' contains 'b'
!contains      RHS doesn't occur in LHS                                           'team' !contains 'i'
startswith     RHS is an initial subsequence of LHS                               'team' startswith 'tea'
!startswith    RHS isn't an initial subsequence of LHS                            'abc' !startswith 'bc'
endswith       RHS is a closing subsequence of LHS                                'abc' endswith 'bc'
!endswith      RHS isn't a closing subsequence of LHS                             'abc' !endswith 'a'
and            True if and only if RHS and LHS are true                           (1 == 1) and (2 == 2)
or             True if and only if RHS or LHS is true                             (1 == 1) or (1 == 2)

Aggregation functions
Aggregation functions can be used with the summarize table operator to calculate summarized values.
Currently the following aggregation functions are supported:

Function        Description
avg()           Returns the average of the values across the group
count()         Returns a count of the records per summarization group
countif()       Returns a count of rows for which Predicate evaluates to true
dcount()        Returns the number of distinct values in the group
max()           Returns the maximum value across the group
maxif()         Returns the maximum value across the group for which Predicate evaluates to true.
                Starting in version 2107, you can use maxif with the summarize table operator.
min()           Returns the minimum value across the group
minif()         Returns the minimum value across the group for which Predicate evaluates to true.
                Starting in version 2107, you can use minif with the summarize table operator.
percentile()    Returns an estimate for the specified nearest-rank percentile of the population defined by Expr
sum()           Returns the sum of the values across the group
sumif()         Returns a sum of Expr for which Predicate evaluates to true


Scalar functions
Scalar functions can be used in expressions. Currently the following scalar functions are supported:

Function           Description
ago()              Subtracts the given timespan from the current UTC clock time
bin()              Rounds values down to a number or datetime multiple of a given bin size
case()             Evaluates a list of predicates and returns the first result expression whose predicate is satisfied
datetime_add()     Calculates a new datetime from a specified datepart multiplied by a specified amount, added to a
                   specified datetime
datetime_diff()    Calculates the difference between two datetime values
iif()              Evaluates the first argument and returns the value of either the second or third arguments depending
                   on whether the predicate evaluated to true (second) or false (third)
indexof()          Reports the zero-based index of the first occurrence of a specified string within the input string
isnotnull()        Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a
                   non-null value
isnull()           Evaluates its sole argument and returns a Boolean value indicating if the argument evaluates to a
                   null value
now()              Returns the current UTC clock time
strcat()           Concatenates between 1 and 64 arguments
strlen()           Returns the length, in characters, of the input string
substring()        Extracts a substring from a source string starting from some index to the end of the string
tostring()         Converts input to a string representation

Additional entities, operators, and functions for CMPivot from Configuration Manager
IMPORTANT
These items aren't supported when you run CMPivot from Microsoft Endpoint Manager admin center.

Type              Item                     Description
Entity            AccountSID               Account SID
Entity            FileContent()            Content of a specific file
Entity            NAPClient                NAP Client
Entity            NAPSystemHealthAgent     NAP System Health Agent
Entity            RegistryKey()            Returns all registry keys matching the given expression (starting in version 2107)
Table operator    render                   Renders results as graphical output

Next steps
To learn more about CMPivot, see Use CMPivot.
CMPivot for real-time data in Configuration Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager has always provided a large centralized store of device data, which customers use for
reporting purposes. The site typically collects this data on a weekly basis. Starting in version 1806, CMPivot is a
new in-console utility that now provides access to real-time state of devices in your environment. It immediately
runs a query on all currently connected devices in the target collection and returns the results. Then filter and
group this data in the tool. By providing real-time data from online clients, you can more quickly answer
business questions, troubleshoot issues, and respond to security incidents.
For example, in mitigating speculative execution side channel vulnerabilities, one of the requirements is to
update the system BIOS. You can use CMPivot to quickly query on system BIOS information, and find clients that
aren't in compliance.

IMPORTANT
Some security software may block scripts running from c:\windows\ccm\scriptstore. This can prevent successful
execution of CMPivot queries. Some security software may also generate audit events or alerts when running CMPivot
PowerShell.
Certain anti-malware software may inadvertently trigger events against the Configuration Manager Run Scripts or
CMPivot features. It is recommended to exclude %windir%\CCM\ScriptStore so that the anti-malware software permits
those features to run without interference.

Prerequisites
The following components are required to use CMPivot:
Upgrade the target devices to the latest version of the Configuration Manager client.
Target clients require a minimum of PowerShell version 4.
To gather data for the following entities, target clients require PowerShell version 5.0:
Administrators
Connection
IPConfig
SMBConfig
CMPivot and the Microsoft Edge installer are currently signed with the Microsoft Code Signing PCA
2011 certificate. If you set PowerShell execution policy to AllSigned , then you need to make sure that
devices trust this signing certificate. You can export the certificate from a computer where you've
installed the Configuration Manager console. View the certificate on
"C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe", and then export the
code signing certificate from the certification path. Then import it to the machine's Trusted Publishers
store on managed devices. You can use the process in the following blog, but make sure to export the
code signing certificate from the certification path: Adding a Certificate to Trusted Publishers using
Intune.
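The export-and-import step above can be done with the PKI and Security cmdlets instead of the certificate UI. The following is an added example (not Microsoft's code); it uses the CMPivot.exe path given above, and the shared .cer location is a placeholder.

```powershell
# Added example (not Microsoft's code): make an AllSigned execution policy accept CMPivot's
# PowerShell by trusting the signer certificate taken from CMPivot.exe.
# Assumptions: the console path below is the documented default; $CerPath is a placeholder for a
# location reachable from both the console machine and the managed devices.
$CmPivotExe = 'C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\CMPivot.exe'
$CerPath    = '\\fileserver\share\CMPivotSigner.cer'   # placeholder

# Step 1 (on a machine with the console installed): read the Authenticode signature and export the
# signer (leaf) certificate from its certification path. Export-Certificate writes the public
# certificate only (DER); no private key is involved.
function Export-CmPivotSignerCertificate {
    param([string] $ExePath = $CmPivotExe, [string] $OutFile = $CerPath)

    $sig = Get-AuthenticodeSignature -LiteralPath $ExePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $ExePath is '$($sig.Status)'; refusing to export an untrusted signer."
    }
    $cert = $sig.SignerCertificate

    # Sanity check against the documented chain: the signer is issued by Microsoft Code Signing PCA 2011.
    # Warn rather than fail, because the page says "currently" and the issuing CA can change.
    if ($cert.Issuer -notlike '*Microsoft Code Signing PCA 2011*') {
        Write-Warning "Unexpected issuer for $ExePath : $($cert.Issuer)"
    }

    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    $cert.Thumbprint
}

# Step 2 (on each managed device, elevated): import the exported certificate into
# LocalMachine\TrustedPublisher. Only this leaf certificate becomes a trusted publisher,
# not every certificate issued by the PCA.
function Import-CmPivotSignerCertificate {
    param([string] $CerFile = $CerPath)

    $imported = Import-Certificate -FilePath $CerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher'
    $imported.Thumbprint
}

# Step 3 (optional check on the device): confirm the thumbprint is present in Trusted Publishers
# and show the effective execution policy, so you can see why AllSigned would or would not block.
function Test-CmPivotSignerTrusted {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    [pscustomobject]@{
        Thumbprint         = $Thumbprint
        InTrustedPublisher = Test-Path -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$Thumbprint"
        ExecutionPolicy    = (Get-ExecutionPolicy)
    }
}

# Usage: run Export-CmPivotSignerCertificate on the console machine, then on a managed device
# $tp = Import-CmPivotSignerCertificate; Test-CmPivotSignerTrusted -Thumbprint $tp
```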
Permissions
The following permissions are needed for CMPivot:
Run CMPivot permission on the Collection
Read permission on Inventory Reports
Read permission on the SMS Scripts object
Read for SMS Scripts isn't required starting in version 2107
CMPivot doesn't need Read for SMS Scripts for its primary scenario starting in version 2107.
However, if the administration service is down and the permission has been removed, then when the
administration service falls back, CMPivot will fail. The SMS Provider still requires Read permission
on SMS Scripts if the administration service falls back to it due to a 503 (Service Unavailable) error,
as seen in the CMPivot.log.
The default scope.
The default scope isn't required starting in version 2107
CMPivot permissions by Configuration Manager version

1902 and earlier versions                   1906 through 2103                           2107 or later
Run Script permission on the Collection     Run CMPivot permission on the Collection    Run CMPivot permission on the Collection
Read permission on Inventory Reports        Read permission on Inventory Reports        Read permission on Inventory Reports
Read permission on SMS Scripts              Read permission on SMS Scripts              N/A. The SMS Provider still requires Read
                                                                                        permission on SMS Scripts if the
                                                                                        administration service falls back to it
                                                                                        due to a 503 (Service Unavailable)
                                                                                        error, as seen in the CMPivot.log.
Default scope permission                    Default scope permission                    N/A

Limitations
CMPivot only returns data for clients connected to the current site unless it's run from the central
administration site (CAS).
If a collection contains devices from another site, CMPivot results are only from devices in the current
site unless CMPivot is run from the CAS.
In some environments, additional permissions are needed for CMPivot to run on the CAS. For more
information, see CMPivot changes for version 1902.
You can't customize entity properties, columns for results, or actions on devices.
Only one instance of CMPivot can run at the same time on a computer that is running the Configuration
Manager console.
In CMPivot standalone, you're not able to access CMPivot queries stored in the Community hub.
When single sign on with multifactor authentication is used, you may not be able to sign into Community
hub from CMPivot when using Configuration Manager 2103 and earlier.

Start CMPivot
1. In the Configuration Manager console, connect to the primary site or the CAS. Go to the Assets and
Compliance workspace, and select the Device Collections node. Select a target collection, and select
Start CMPivot in the ribbon to launch the tool. If you don't see this option, check the following
configurations:
Confirm with a site administrator that your account has the required permissions. For more
information, see Prerequisites.
2. The interface provides further information about using the tool.
Manually enter query strings at the top, or select the links in the in-line documentation.
Select one of the Entities to add it to the query string.
The links for Table Operators, Aggregation Functions, and Scalar Functions open language
reference documentation in the web browser. CMPivot uses the Kusto Query Language (KQL).
3. Keep the CMPivot window open to view results from clients. When you close the CMPivot window, the
session is complete.
If the query has been sent, then clients still send a state message response to the server.

How to use CMPivot

The CMPivot window contains the following elements:


1. The collection that CMPivot currently targets is in the title bar at the top, and the status bar at the bottom
of the window. For example, "PM_Team_Machines" in the above screenshot.
2. The pane on the left lists the Entities that are available on clients. Some entities rely upon WMI while
others use PowerShell to get data from clients.
Right-click an entity for the following actions:
Insert: Add the entity to the query at the current cursor position. The query doesn't
automatically run. This action is the default when you double-click an entity. Use this action
when building a query.
Query all: Run a query for this entity including all properties. Use this action to quickly
query for a single entity.
Query by device: Run a query for this entity and group the results. For example,
Disk | summarize dcount( Device ) by Name
Expand an entity to see specific properties available for each entity. Double-click a property to add
it to the query at the current cursor position.
3. The Home tab shows general information about CMPivot, including links to sample queries and
supporting documentation.
4. The Query tab displays the query pane, results pane, and status bar. The query tab is selected in the
above screenshot example.
5. The query pane is where you build or type a query to run on clients in the collection.
CMPivot uses a subset of the Kusto Query Language (KQL).
Cut, copy, or paste content in the query pane.
By default, this pane uses IntelliSense. For example, if you start typing D, IntelliSense suggests all
of the entities that start with that letter. Select an option and press Tab to insert it. Type a pipe
character | and a space, and then IntelliSense suggests all of the table operators. Insert
summarize and type a space, and IntelliSense suggests all of the aggregation functions. For more
information on these operators and functions, select the Home tab in CMPivot.
The query pane also provides the following options:
Run the query.
To rerun your current CMPivot query on the clients, hold Ctrl while clicking Run.
Move backwards and forwards in the history list of queries.
Create a direct membership collection.
Export the query results to CSV or the clipboard.
6. The results pane displays the data returned by active clients for the query.
The available columns vary based upon the entity and the query.
Select a column name to sort the results by that property.
Right-click on any column name to group the results by the same information in that column, or
sort the results.
Right-click on a device name to take the following additional actions on the device:
Pivot to: Query for another entity on this device.
Starting in version 2006, Pivot to was replaced by Device Pivot. For more information, see CMPivot changes for version 2006.
Run Script: Launch the Run Script wizard to run an existing PowerShell script on this device. For more information, see Run a script.
Remote Control: Launch a Configuration Manager Remote Control session on this device. For more information, see How to remotely administer a Windows client computer.
Resource Explorer: Launch Configuration Manager Resource Explorer for this device. For more information, see View hardware inventory or View software inventory.
Right-click on any non-device cell to take the following additional actions:
Copy: Copy the text of the cell to the clipboard.
Show devices with: Query for devices with this value for this property. For example, from the results of the OS query, select this option on a cell in the Version row:
OS | summarize countif( (Version == '10.0.17134') ) by Device | where (countif_ > 0)

Show devices without: Query for devices without this value for this property. For example, from the results of the OS query, select this option on a cell in the Version row:
OS | summarize countif( (Version == '10.0.17134') ) by Device | where (countif_ == 0) | project Device

Bing it: Launch the default web browser to https://www.bing.com with this value as the query string.
Select any hyperlinked text to pivot the view on that specific information.
The results pane doesn't show more than 20,000 rows. Either adjust the query to further filter the
data, or restart CMPivot on a smaller collection.
7. The status bar shows the following information (from left to right):
The status of the current query to the target collection. This status includes:
The number of active clients that completed the query (3)
The number of total clients (5)
The number of offline clients (2)
Any clients that returned failure (0)
For example: Query completed on 3 of 5 clients (2 clients offline and 0 failure)

The ID of the client operation. For example: id(16780221)

The current collection. For example: PM_Team_Machines

The total number of rows in the results pane. For example, 1 objects

TIP
Starting in version 2107, use the Query devices again button, or Ctrl + F5, to force the client to retrieve the data again for the query. Using Query devices again is useful when you expect the data to change on the device since the last query, such as during troubleshooting. Selecting Run query again after the initial results are returned only parses the data CMPivot has already retrieved from the client.

Publish query to Community hub from CMPivot


(Applies to version 2107 or later)
Starting in version 2107, you can publish a CMPivot query to the Community hub directly from the CMPivot
window. Submitting your queries directly through CMPivot makes contributing to the Community hub easier.
You'll need the following requirements for CMPivot and for contributing to the Community hub:
Meet all of the CMPivot prerequisites and permissions
Enable Community hub.
If needed, install the Microsoft Edge WebView2 extension from the Configuration Manager console
notification.
A GitHub account that's joined to Community hub
You must accept the invitation sent in the email; otherwise, you won't be able to contribute content.
1. Go to the Assets and Compliance workspace, then select the Device Collections node.
2. Select a target collection, target device, or group of devices, then select Start CMPivot in the ribbon to launch the tool.
3. From the CMPivot window, select the Community hub icon on the menu.

4. Select Sign in , then sign into GitHub.


5. Create a CMPivot query, then select Run Query to verify it functions as expected.
Optionally, select the folder icon to access your favorites list to use a query you've already created.
6. Select the Publish link at top of CMPivot's Community hub window when you're ready to submit your
query.

7. Give your query a Name and Description, then select the Publish button to send your query to the Community hub.
8. Once the contribution is complete, you can access your query anytime from the Me tab.
9. To view the GitHub pull request (PR), go to https://github.com/Microsoft/configmgr-hub/pulls. You can
also access the PR link from the Your hub page in the Community hub node.
PRs shouldn't be submitted directly to the GitHub repository.

NOTE
Currently, when you publish a query through CMPivot, you can't edit or delete it after publishing.
Community hub is only available in CMPivot when you run it from the Configuration Manager console. Community
hub isn't available from standalone CMPivot.

Example scenarios for CMPivot


The following sections provide examples of how you might use CMPivot in your environment:
Example 1: Stop a running service
Your security administrator asks you to stop and disable the Computer Browser service as quickly as possible on
all devices in the accounting department. You start CMPivot on a collection for all devices in accounting, and
select Query all on the Service entity.
Service

As results appear, you right-click on the Name column and select Group by.
Service | summarize dcount( Device ) by Name

In the row for the Browser service, you select the hyperlinked number in the dcount_ column.
Service | where (Name == 'Browser') | summarize count() by Device

You multi-select all devices, right-click the selection, and choose Run Script. This action launches the Run Script wizard, from which you run an existing script you have for stopping and disabling a service. With CMPivot you quickly respond to the security incident for all active computers, viewing results in the Run Script wizard. You then follow up to create a configuration baseline to remediate other computers in the collection as they become active in the future.

Example 2: Proactively resolve application failures


To be proactive with operational maintenance, once a week you run CMPivot against a collection of servers that you manage, and select Query all on the AppCrash entity. You right-click the FileName column and select Sort Ascending. One device returns seven results for sqlsqm.exe with a timestamp about 03:00 every day. You select the file name in one of the rows, right-click it, and select Bing It. Browsing the search results in the web browser, you find a Microsoft support article for this issue with more information and resolution.
Example 3: BIOS version
To mitigate speculative execution side channel vulnerabilities, one of the requirements is to update the system BIOS. You start with a query for the BIOS entity. You then Group by the Version property. Then right-click a specific value, such as "LENOVO - 1140", and select Show devices with.
Bios | summarize countif( (Version == 'LENOVO - 1140') ) by Device | where (countif_ > 0)

Example 4: Free disk space


You need to temporarily store a large file on a network file server, but aren't sure which one has enough
capacity. Start CMPivot against a collection of file servers, and query the Disk entity. Modify the query for
CMPivot to quickly return a list of active servers with real-time storage data:
Disk | where (Description == 'Local Fixed Disk') | where isnotnull( FreeSpace ) | order by FreeSpace asc

CMPivot standalone
You can use CMPivot as a standalone app. CMPivot standalone is only available in English. Run CMPivot outside
of the Configuration Manager console to view the real-time state of devices in your environment. This change
enables you to use CMPivot on a device without first installing the console.
You can share the power of CMPivot with other personas, such as helpdesk or security admins, who don't have
the console installed on their computer. These other personas can use CMPivot to query Configuration Manager
alongside the other tools that they traditionally use. By sharing this rich management data, you can work
together to proactively solve business problems that cross roles.
Install CMPivot standalone
1. Set up the permissions needed to run CMPivot. For more information, see prerequisites. You can also use
the Security Administrator role if the permissions are appropriate for the user.
2. Find the CMPivot app installer in the following path: <site install path>\tools\CMPivot\CMPivot.msi . You
can run it from that path, or copy it to another location.
3. When you run the CMPivot standalone app, you'll be asked to connect to a site. Specify the fully qualified
domain name or computer name of either the Central Administration or primary site server.
Each time you open CMPivot standalone you'll be prompted to connect to a site server.
4. Browse to the collection on which you want to run CMPivot, then run your query.
NOTE
Right-click actions, such as Run Scripts, Resource Explorer, and web search aren't available in CMPivot standalone.
CMPivot standalone's primary use is querying independently from the Configuration Manager infrastructure. To help
security administrators, CMPivot standalone does include the ability to connect to Microsoft Defender Security Center.
You can do local device query evaluation using CMPivot standalone.

Inside CMPivot
CMPivot sends queries to clients using the Configuration Manager "fast channel". This communication channel
from server to client is also used by other features such as client notification actions, client status, and Endpoint
Protection. Clients return results via the similarly quick state message system. State messages are temporarily
stored in the database. For more information about the ports used for client notification, see the Ports article.
The queries and the results are all just text. The entities InstallSoftware and Process return some of the largest result sets. During performance testing, the largest state message file size from one client for these queries was less than 1 KB. Scaled to a large environment with 50,000 active clients, this one-time query would generate less than 50 MB of data across the network. All the items on the welcome page that are underlined will return less than 1 KB of info per client.

Starting in Configuration Manager 1810, CMPivot can query hardware inventory data, including extended
hardware inventory classes. These new entities (entities not underlined on the welcome page) may return much
larger data sets, depending on how much data is defined for a given hardware inventory property. For example,
the "InstalledExecutable" entity might return multiple MB of data per client, depending on the specific data you
query on. Be mindful of the performance and scalability on your systems when returning larger hardware
inventory data sets from larger collections using CMPivot.
A query times out after one hour. For example, a collection has 500 devices, and 450 of the clients are currently
online. Those active devices receive the query and return the results almost immediately. If you leave the
CMPivot window open, as the other 50 clients come online, they also receive the query, and return results.

Log files
CMPivot interactions are logged to the following log files:
Ser ver-side:
SmsProv.log
BgbServer.log
StateSys.log
Client-side:
CcmNotificationAgent.log
Scripts.log
StateMessage.log
For more information, see Log files and Troubleshooting CMPivot.

Next steps
Changes to CMPivot
Troubleshooting CMPivot
Create and run PowerShell scripts
Changes to CMPivot
2/16/2022 • 22 minutes to read

Applies to: Configuration Manager (current branch)


Use the following information to learn about changes made to CMPivot between Configuration Manager
versions:

CMPivot changes for version 2107


Simplified CMPivot permissions requirements
We've simplified the CMPivot permissions requirements. The new permissions are applicable for CMPivot
standalone and CMPivot in the on-premises console. The following changes have been made:
CMPivot no longer requires SMS Scripts read permission
The SMS Provider still requires this permission if the administration service falls back to it due to a
503 (Service Unavailable) error, as seen in the CMPivot.log.
The default scope permission isn't required.
General improvements to CMPivot
We've made the following improvements to CMPivot:
Added maxif and minif aggregators that can be used with the summarize operator
Improvements to query autocomplete suggestions in the query editor
Added a Key value to the Registry entity
Added a new RegistryKey entity that returns all registry keys matching the given expression
To review the difference between the Registry and RegistryKey entities, you can use the following samples:

// Change the path to match your desired registry hive query

Registry('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')
RegistryKey('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')

RegistryKey('hklm:\SOFTWARE\Microsoft\SMS\*')
Registry('hklm:\SOFTWARE\Microsoft\SMS\*')

CMPivot changes for version 2103


Starting in version 2103, the following improvements have been made for CMPivot:
Warning message and export CMPivot data option when results are too large
Access the top queries shared in the Community hub from CMPivot
Warning message and export CMPivot data option when results are too large
When results are too large the following warning message is displayed:
Your query returned a large number of results. Narrow the results by modifying the query, or select this banner to export the results.
This message occurs in the following scenarios:
When results are greater than 100,000 cells.
For instance, the warning threshold is reached for 10,000 devices (rows) with 10 columns of entity
data.
In this case, you'll be given an option to export results to a .csv file
When more than 128 KB of data is requested to be returned from a given device.
For instance, CcmLog('ciagent', 120d) queries log results and is likely to be over the 128 KB limit.
When the results are over 128 KB, you'll get a warning, but you can't export them since they won't be
returned from the client to the server.
Access the top queries shared in the Community hub from CMPivot
Starting in version 2103, you can access the top CMPivot queries shared in the Community hub from on-
premises CMPivot. By using pre-created CMPivot queries shared by the broader community, CMPivot users gain
access to a wider variety of queries. On-premises CMPivot accesses the Community hub and returns a list of the
top downloaded CMPivot queries. Users can review the top queries, customize them, and then run on-demand.
This improvement gives a wider selection of queries for immediate usage without having to construct them and
also allows information sharing on how to build queries for future reference.

NOTE
These queries are available when you run CMPivot from the Configuration Manager console. They're not yet available
from standalone CMPivot.

Prerequisites:
Meet all of the CMPivot prerequisites and permissions
Enable Community hub. You don't need a GitHub account to download content.
Verify which content categories are displayed for community hub
Install the Microsoft Edge WebView2 extension from the Configuration Manager console notification
Use CMPivot to access the top Community hub queries
1. Go to the Assets and Compliance workspace, then select the Device Collections node.
2. Select a target collection, target device, or group of devices, then select Start CMPivot in the ribbon to launch the tool.
3. Use the community hub icon on the menu.

4. Review the list of top shared CMPivot queries.

5. Select one of the top queries to load it into the query pane.
6. Edit the query if needed, then select Run Query.
7. Optionally, select the folder icon to access your favorites list. Add the original query or your edited
version to your favorites list to run later. Select the community hub icon to search for another query.
8. Keep the CMPivot window open to view results from clients. When you close the CMPivot window, the
session is complete. If the query has been sent, then clients still send a state message response to the
server.

CMPivot changes for version 2006


Starting in version 2006, the following improvements have been made for CMPivot:
CMPivot standalone and CMPivot launched from the admin console have converged. When you launch
CMPivot from the admin console, it uses the same underlying technology as CMPivot standalone to give
you scenario parity.
Improvements for keyboard navigation in CMPivot.
You can run CMPivot from an individual device or multiple devices from the devices node without
needing to select a device collection. This improvement makes it easier for people, such as those working
as the Helpdesk persona, to create CMPivot queries for specific devices outside a pre-created collection.
Select an individual device or multi-select devices in a device collection, then select Start CMPivot.
Upon returning devices within a query list view, you can select Device Pivot on one or more devices and then pivot and query on just those devices to drill in further. This change allows you to drill in without querying the larger set of devices from the original collection. Device Pivot replaced Pivot to.
Within an existing CMPivot operation, select an individual device or multi-select devices from the
output. Right-click and pivot using the Device Pivot option. This action launches a separate CMPivot
instance scoped to just the devices you selected. This makes it easier to pivot and just query on
devices desired without needing to create a collection for them.
When you run CMPivot for an individual device, the device name is listed at the top of the window. For
multiple devices, the number of devices selected is listed at the top of the window.
The Create Collection option in the Query Summary tab was removed since CMPivot no longer
requires querying against a collection. Perform a Device Pivot to open a new instance of CMPivot
scoped to just the devices you want to query on. Create Collection is still available on the main menu.

CMPivot changes for version 2002


We've made it easier to navigate CMPivot entities. Starting in Configuration Manager version 2002, you can
search CMPivot entities. New icons have also been added to easily differentiate the entities and the entity object
types.

CMPivot changes for version 1910


Starting in version 1910, CMPivot was significantly optimized to reduce network traffic and load on your
servers. Additionally, a number of entities and entity enhancements were added to aid in troubleshooting and
hunting. The following changes were introduced for CMPivot in version 1910:
Optimizations to the CMPivot engine
Additional entities and entity enhancements:
Windows event logs (WinEvent)
File content (FileContent)
DLLs loaded by processes (ProcessModule)
Azure Active Directory information (AADStatus)
Endpoint protection status (EPStatus)
Local device query evaluation using CMPivot standalone
Other enhancements to CMPivot
Optimizations to the CMPivot engine
To reduce network traffic and load on your servers, CMPivot was optimized in 1910. Many query operations are
now performed directly on the client rather than on the servers. This change also means that some CMPivot
operations return minimal data from the first query. If you decide to drill into the data for more information, a
new query might run to fetch the additional data from the client. For instance, previously a large data set was
returned to the server when you ran a "summarized count" query. While returning a large data set offered
immediate drill-down, many times only the summarized count was needed. In 1910 when you choose to drill
into a specific client, another collection of the data occurs to return the additional data you've requested. This
change brings better performance and scalability to queries against a large number of clients.
Examples
The CMPivot optimizations drastically reduce the network and server CPU load needed to run CMPivot queries.
With these optimizations, we can now sift through gigabytes of client data in real time. The following queries
illustrate these optimizations:
Search all event logs on all clients in your enterprise for authentication failures.

EventLog('Security')
| where EventID == 4673
| summarize count() by Device
| order by count_ desc

Search for a file by hash.

Device
| join kind=leftouter ( File('%windir%\\system32\\*.exe')
| where SHA256Hash == 'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77')
| project Device, MalwareFound = iif( isnull(FileName), 'No', 'Yes')

WinEvent(<logname>,[<timespan>])
This entity is used to get events from event logs and event tracing log files. The entity gets data from event logs
that are generated by the Windows Event Log technology. The entity also gets events in log files generated by
Event Tracing for Windows (ETW). WinEvent looks at events that have occurred within the last 24 hours by
default. However, the 24-hour default can be overridden by including a timespan.

WinEvent('Microsoft-Windows-HelloForBusiness/Operational', 1d)
| where LevelDisplayName =='Error'
| summarize count() by Device

FileContent(<filename>)
FileContent is used to get the contents of a text file.

FileContent('c:\\windows\\SMSCFG.ini')
| where Content startswith 'SMS Unique Identifier='
| project Device, SMSId= substring(Content,22)

ProcessModule(<processname>)
This entity is used to enumerate the modules (dlls) loaded by a given process. ProcessModule is useful when
hunting for malware that hides in legitimate processes.

ProcessModule('powershell')
| summarize count() by ModuleName
| order by count_ desc

AadStatus
This entity can be used to get the current Azure Active Directory identity information from a device.

AadStatus
| project Device, IsAADJoined=iif( isnull(DeviceId),'No','Yes')
| summarize DeviceCount=count() by IsAADJoined
| render piechart

EPStatus
EPStatus is used to get the status of antimalware software installed on the computer.

EPStatus
| project Device, QuickScanAge=datetime_diff('day',now(),QuickScanEndTime)
| summarize DeviceCount=count() by QuickScanAge
| order by QuickScanAge
| render barchart

Local device query evaluation using CMPivot standalone


When using CMPivot outside of the Configuration Manager console, you can query just the local device without
the need for the Configuration Manager infrastructure. You can now leverage the CMPivot Azure Log Analytics
queries to quickly view WMI information on the local device. This also enables validation and refinement of
CMPivot queries, before running them in a larger environment. CMPivot standalone is only available in English.
For more information about CMPivot standalone, see CMPivot standalone.
Known issues for local device query evaluation
If you query on This PC for a WMI entity that you don't have access to, such as a locked-down WMI class, you may see a crash in CMPivot. Run CMPivot using an account with elevated privileges to query those entities.
If you query non-WMI entities on This PC , you'll see an Invalid namespace or an ambiguous exception.
Run CMPivot standalone from the start menu shortcut, not directly from the path of the executable file.
Other enhancements
You can do regular expression type queries using the new like operator. For example:

//Find a BIOS manufacturer that contains a word like Micro, such as Microsoft
Bios
| where Manufacturer like '%Micro%'

We've updated the CcmLog() and EventLog() entities to only look at messages in the last 24 hours by
default. This behavior can be overridden by passing in an optional timespan. For example, the following
query will look at events in the last 1 hour:

CcmLog('Scripts',1h)

The File() entity has been updated to collect information about Hidden and System files, and include the
MD5 hash. While an MD5 hash isn't as accurate as the SHA256 hash, it tends to be the commonly
reported hash in most malware bulletins.
You can add comments in queries. This behavior is useful when sharing queries. For example:

//Get the top ten devices sorted by user
Device
| top 10 by UserName

CMPivot automatically connects to the last site. After you start CMPivot, you can connect to a new site if
necessary.
From the Export menu, select the new option to Query link to clipboard. This action copies a link to the clipboard that you can share with others. For example:
cmpivot:Ly8gU2FtcGxlIHF1ZXJ5DQpPcGVyYXRpbmdTeXN0ZW0NCnwgc3VtbWFyaXplIGNvdW50KCkgYnkgQ2FwdGlvbg0KfCBvcmRlciBieSBjb3VudF8gYXNjDQp8IHJlbmRlciBiYXJj

This link opens CMPivot standalone with the following query:

// Sample query
OperatingSystem
| summarize count() by Caption
| order by count_ asc
| render barchart

TIP
For this link to work, install CMPivot standalone.

In query results, if the device is enrolled in Microsoft Defender for Endpoint, right-click the device to
launch the Microsoft Defender Security Center online portal.
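Decoding a shared link before opening it, so a reviewer can read the query it will run against the site, as an added example (Python; not part of the Configuration Manager documentation or the CMPivot tool). It assumes the text after the cmpivot: scheme is standard base64 of the query in UTF-8 with CRLF line endings, which matches the sample link above; because the printed link is cut off by the page width, the decoder also tolerates a truncated payload.

```python
"""Inspect CMPivot "Query link to clipboard" links before opening them.

Added example; not part of the Configuration Manager documentation or the
CMPivot tool. Assumption: the text after the cmpivot: scheme is standard
base64 of the query in UTF-8 with CRLF line endings, which is consistent
with the sample link shown in the documentation.
"""
import base64
import binascii

SCHEME = "cmpivot:"

# The link exactly as printed on the page. It is cut off mid-payload by the
# line width, so it decodes to a query whose last line ends in "render barc".
PAGE_LINK = (
    "cmpivot:Ly8gU2FtcGxlIHF1ZXJ5DQpPcGVyYXRpbmdTeXN0ZW0NCnwgc3VtbWFyaXplIGNvdW50"
    "KCkgYnkgQ2FwdGlvbg0KfCBvcmRlciBieSBjb3VudF8gYXNjDQp8IHJlbmRlciBiYXJj"
)

# The full query the page says that link opens.
SAMPLE_QUERY = (
    "// Sample query\n"
    "OperatingSystem\n"
    "| summarize count() by Caption\n"
    "| order by count_ asc\n"
    "| render barchart"
)


def decode_cmpivot_link(link: str) -> str:
    """Return the query text carried by a cmpivot: link (LF line endings).

    Raises ValueError for anything that is not a well-formed link. A payload
    whose tail was lost (for example, copied from a wrapped line) is decoded
    as far as its complete base64 groups allow.
    """
    if not link.startswith(SCHEME):
        raise ValueError("not a cmpivot: link")
    payload = link[len(SCHEME):].strip()
    if len(payload) % 4 == 1:
        # A lone trailing base64 character cannot encode a whole byte; drop it.
        payload = payload[:-1]
    payload += "=" * (-len(payload) % 4)  # restore padding if it was omitted
    try:
        raw = base64.b64decode(payload, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed cmpivot: payload: {exc}") from exc
    return text.replace("\r\n", "\n")


def encode_cmpivot_link(query: str) -> str:
    """Build a cmpivot: link for a query, using the CRLF line endings seen in
    the sample link."""
    crlf = "\r\n".join(query.splitlines())
    return SCHEME + base64.b64encode(crlf.encode("utf-8")).decode("ascii")


def describe_query(query: str) -> dict:
    """Summarise a CMPivot query: leading comments, the entity it reads, and
    the pipeline stages applied, in order.

    Sub-queries inside join(...) parentheses are listed flat; this is a
    reviewer's overview of what the link will run, not a KQL parser.
    """
    comments, entity, stages = [], None, []
    for line in query.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("//"):
            comments.append(stripped[2:].strip())
        elif stripped.startswith("|"):
            stages.append(stripped[1:].strip())
        elif entity is None:
            # The first non-comment line names the entity, with or without arguments.
            entity = stripped.split("(", 1)[0].strip()
        elif stages:
            # A stage wrapped across lines continues the previous one.
            stages[-1] += " " + stripped
    return {
        "comments": comments,
        "entity": entity,
        "operators": [s.split(None, 1)[0] if s else "" for s in stages],
        "stages": stages,
    }


if __name__ == "__main__":
    query = decode_cmpivot_link(PAGE_LINK)
    print(query)
    print(describe_query(query))
```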
Known issues for CMPivot in version 1910
The maximum results banner may not be displayed when the limit is reached.
Each client is limited to 128 KB worth of data per query.
Results may be truncated if the results of the query exceed 128 KB.

CMPivot changes for version 1906


Starting in version 1906, the following items were added to CMPivot:
Joins, additional operators, and aggregators
Added CMPivot permissions to the Security Administrator role
CMPivot standalone
Add joins, additional operators, and aggregators in CMPivot
You now have additional arithmetic operators, aggregators, and the ability to add query joins such as using
Registry and File together. The following items have been added:
Table operators

Table operator    Description
join              Merge the rows of two tables to form a new table by matching rows for the same device
render            Renders results as graphical output
The render operator already exists in CMPivot. Support for multiple series and the with statement were added.
For more information, see the examples section and Kusto's join operator article.
Limitations for joins
1. The join column is always implicitly done on the Device field.
2. You can use a maximum of 5 joins per query.
3. You can use a maximum of 64 combined columns.
Scalar operators

Operator    Description    Example
+           Add            2 + 1, now() + 1d
-           Subtract       2 - 1, now() - 1d
*           Multiply       2 * 2
/           Divide         2 / 1
%           Modulo         2 % 1

Aggregation functions

Function        Description
percentile()    Returns an estimate for the specified nearest-rank percentile of the population defined by Expr
sumif()         Returns a sum of Expr for which Predicate evaluates to true

Scalar functions

Function       Description
case()         Evaluates a list of predicates and returns the first result expression whose predicate is satisfied
iff()          Evaluates the first argument and returns the value of either the second or third argument, depending on whether the predicate evaluated to true (second) or false (third)
indexof()      Reports the zero-based index of the first occurrence of a specified string within the input string
strcat()       Concatenates between 1 and 64 arguments
strlen()       Returns the length, in characters, of the input string
substring()    Extracts a substring from a source string, starting from some index to the end of the string
tostring()     Converts the input to a string

Examples
Show device, manufacturer, model, and OSVersion:

ComputerSystem
| project Device, Manufacturer, Model
| join (OperatingSystem | project Device, OSVersion=Caption)

Show graph of boot times for a device:

SystemBootData
| where Device == 'MyDevice'
| project SystemStartTime, BootDuration, OSStart=EventLogStart, GPDuration, UpdateDuration
| order by SystemStartTime desc
| render barchart with (kind=stacked, title='Boot times for MyDevice', ytitle='Time (ms)')

Added CMPivot permissions to the Security Administrator role


Starting in version 1906, the following permissions have been added to Configuration Manager's built-in
Security Administrator role:
Read on SMS Script
Run CMPivot on Collection
Read on Inventory Report

NOTE
Run Scripts is a super set of the Run CMPivot permission.

CMPivot standalone
You can use CMPivot as a standalone app. CMPivot standalone is only available in English. Run CMPivot outside
of the Configuration Manager console to view the real-time state of devices in your environment. This change
enables you to use CMPivot on a device without first installing the console.
You can share the power of CMPivot with other personas, such as helpdesk or security admins, who don't have
the console installed on their computer. These other personas can use CMPivot to query Configuration Manager
alongside the other tools that they traditionally use. By sharing this rich management data, you can work
together to proactively solve business problems that cross roles.
Install CMPivot standalone
1. Set up the permissions needed to run CMPivot. For more information, see prerequisites. You can also use
the Security Administrator role if the permissions are appropriate for the user.
2. Find the CMPivot app installer in the following path: <site install path>\tools\CMPivot\CMPivot.msi . You
can run it from that path, or copy it to another location.
3. When you run the CMPivot standalone app, you'll be asked to connect to a site. Specify the fully qualified
domain name or computer name of either the Central Administration or primary site server.
Each time you open CMPivot standalone you'll be prompted to connect to a site server.
4. Browse to the collection on which you want to run CMPivot, then run your query.

NOTE
Right-click actions, such as Run Scripts, Resource Explorer, and web search aren't available in CMPivot standalone.
CMPivot standalone's primary use is querying independently from the Configuration Manager infrastructure. To help
security administrators, CMPivot standalone does include the ability to connect to Microsoft Defender Security Center.
You can do local device query evaluation using CMPivot standalone.

CMPivot changes for version 1902


Starting in Configuration Manager version 1902, you can run CMPivot from the central administration site
(CAS) in a hierarchy. The primary site still handles the communication to the client. When running CMPivot from
the central administration site, it communicates with the primary site over the high-speed message subscription
channel. This communication doesn't rely upon standard SQL Server replication between sites.
Running CMPivot on the CAS will require additional permissions when SQL Server or the SMS Provider aren't
on the same machine or in the case of SQL Server Always On availability group configuration. With these
remote configurations, you have a "double hop scenario" for CMPivot.
To get CMPivot to work on the CAS in such a "double hop scenario", you can define constrained delegation. To
understand the security implications of this configuration, read the Kerberos constrained delegation article.
Kerberos needs to work through all of the hops between the machines. Depending on which components are
remote (for example, whether SQL Server or the SMS Provider is colocated with the CAS) and whether multiple
trusted forests are involved, you may need a combination of the following permission settings:
CAS has a remote SQL Server
1. Go to each primary site's SQL Server.
   a. Add the CAS remote SQL Server and the CAS site server to the Configmgr_DviewAccess group.
2. Go to Active Directory Users and Computers.
   a. For each primary site server, right-click and select Properties.
      i. On the Delegation tab, choose the third option, Trust this computer for delegation to specified services only.
      ii. Choose Use Kerberos only.
      iii. Add the CAS's SQL Server service with port and instance.
      iv. Make sure these changes align with your company security policy!
   b. For the CAS site server, right-click and select Properties.
      i. On the Delegation tab, choose the third option, Trust this computer for delegation to specified services only.
      ii. Choose Use Kerberos only.
      iii. Add each primary site's SQL Server service with port and instance.
      iv. Make sure these changes align with your company security policy!
CAS has a remote provider
1. Go to each primary site's SQL Server.
   a. Add the CAS provider machine account and the CAS site server to the Configmgr_DviewAccess group.
2. Go to Active Directory Users and Computers.
   a. Select the CAS provider machine, right-click and select Properties.
      i. On the Delegation tab, choose the third option, Trust this computer for delegation to specified services only.
      ii. Choose Use Kerberos only.
      iii. Add each primary site's SQL Server service with port and instance.
      iv. Make sure these changes align with your company security policy!
   b. Select the CAS site server, right-click and select Properties.
      i. On the Delegation tab, choose the third option, Trust this computer for delegation to specified services only.
      ii. Choose Use Kerberos only.
      iii. Add each primary site's SQL Server service with port and instance.
      iv. Make sure these changes align with your company security policy!
3. Restart the CAS remote provider machine.
SQL Server Always On availability groups
1. Go to each primary site's SQL Server.
   a. Add the CAS site server to the Configmgr_DviewAccess group.
2. Go to Active Directory Users and Computers.
   a. For each primary site server, right-click and select Properties.
      i. On the Delegation tab, choose the third option, Trust this computer for delegation to specified services only.
      ii. Choose Use Kerberos only.
      iii. Add the CAS's SQL Server service accounts for the SQL Server nodes with port and instance.
      iv. Make sure these changes align with your company security policy!
   b. Select the CAS site server, right-click and select Properties.
      i. On the Delegation tab, choose the third option, Trust this computer for delegation to specified services only.
      ii. Choose Use Kerberos only.
      iii. Add each primary site's SQL Server service with port and instance.
      iv. Make sure these changes align with your company security policy!
3. Make sure the SPN is published for the CAS listener name and each primary listener name.
4. Restart the primary SQL Server nodes.
5. Restart the CAS site server and the CAS SQL Server nodes.
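The delegation steps above can be scripted and, more usefully, audited. The following PowerShell is an added example and is not part of the Configuration Manager documentation or product. It assumes the ActiveDirectory module and uses placeholder names (CAS01, PS1-SITE, PS2-SITE, cas-sql.contoso.com and the other SPNs) that you replace with your own. It goes a little beyond the GUI steps: it first checks that each target SPN is registered on exactly one account, because a missing or duplicated SPN makes Kerberos silently fall back to NTLM and the second hop then fails, and it reads the settings back afterwards so the result can be reviewed against your security policy.

```powershell
# Added example, not from the Configuration Manager docs: apply and audit the
# Kerberos-only constrained delegation that the CMPivot "double hop" from the CAS needs.
# Every server name and SPN below is a placeholder for your own environment.
#Requires -Modules ActiveDirectory

$casSiteServer = 'CAS01'                                  # CAS site server computer account (placeholder)
$casSqlSpn     = 'MSSQLSvc/cas-sql.contoso.com:1433'      # CAS SQL Server service, FQDN:port (placeholder)
$primarySites  = [ordered]@{                              # primary site server -> its SQL Server SPN (placeholders)
    'PS1-SITE' = 'MSSQLSvc/ps1-sql.contoso.com:1433'
    'PS2-SITE' = 'MSSQLSvc/ps2-sql.contoso.com:1433'
}

# An SPN must exist on exactly one account; a missing or duplicate SPN makes
# Kerberos fall back to NTLM and the second hop fails with no obvious error.
function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn)
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")
    if ($owners.Count -ne 1) {
        Write-Warning "SPN $Spn is registered on $($owners.Count) accounts (expected 1)"
        return $false
    }
    return $true
}

# GUI equivalent of "Trust this computer for delegation to specified services only"
# with "Use Kerberos only": msDS-AllowedToDelegateTo lists the target SPNs,
# TrustedForDelegation (unconstrained delegation) stays False and
# TrustedToAuthForDelegation (protocol transition, "any authentication protocol") stays False.
function Set-KerberosOnlyConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$TargetSpn
    )
    $current = Get-ADComputer -Identity $ComputerName -Properties 'msDS-AllowedToDelegateTo'
    $missing = @($TargetSpn | Where-Object { $_ -notin @($current.'msDS-AllowedToDelegateTo') })
    if ($missing.Count -gt 0) {
        Set-ADComputer -Identity $ComputerName -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
    Set-ADAccountControl -Identity $current -TrustedForDelegation $false -TrustedToAuthForDelegation $false
}

# Read the effective settings back so the change (and any later drift) can be reviewed.
function Get-DelegationAudit {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $c = Get-ADComputer -Identity $name -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
        [pscustomobject]@{
            Computer            = $name
            Unconstrained       = $c.TrustedForDelegation        # must be False
            ProtocolTransition  = $c.TrustedToAuthForDelegation  # must be False ("Use Kerberos only")
            AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo') -join '; '
        }
    }
}

# --- "CAS has a remote SQL Server" ---
$allSpns = @($casSqlSpn) + @($primarySites.Values)
$spnsOk  = @($allSpns | ForEach-Object { Test-SpnRegistered -Spn $_ }) -notcontains $false
if ($spnsOk) {
    foreach ($primary in $primarySites.Keys) {
        # Each primary site server may delegate only to the CAS SQL Server service.
        Set-KerberosOnlyConstrainedDelegation -ComputerName $primary -TargetSpn $casSqlSpn
    }
    # The CAS site server may delegate only to each primary site's SQL Server service.
    Set-KerberosOnlyConstrainedDelegation -ComputerName $casSiteServer -TargetSpn @($primarySites.Values)
}

# The Configmgr_DviewAccess group is local to each primary site's SQL Server, so run this there:
#   Add-LocalGroupMember -Group 'Configmgr_DviewAccess' -Member 'CONTOSO\CAS-SQL$', 'CONTOSO\CAS01$'
#   Get-LocalGroupMember -Group 'Configmgr_DviewAccess'

Get-DelegationAudit -ComputerName (@($casSiteServer) + @($primarySites.Keys)) | Format-Table -AutoSize
```

For the remote-provider and Always On variants, the same two functions apply: put the provider machine in the list of accounts that delegate, and for an availability group use the SPNs of the SQL Server service accounts on each node plus the listener SPNs as the targets. In the audit output, any row with Unconstrained or ProtocolTransition set to True means the delegation is broader than the "Use Kerberos only" option described above and should be corrected before the restart steps.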

CMPivot changes for version 1810


CMPivot includes the following improvements starting in Configuration Manager version 1810:
CMPivot utility and performance
Scalar functions
Rendering visualizations
Hardware inventory
Scalar operators
Query summary
Audit status messages
CMPivot utility and performance
CMPivot will return up to 100,000 cells rather than 20,000 rows.
If the entity has 5 properties, meaning 5 columns, up to 20,000 rows will be shown.
For an entity with 10 properties, up to 10,000 rows will be shown.
The total data shown will be less than or equal to 100,000 cells.
On the Query Summary tab, select the count of Failed or Offline devices, and then select the option to
Create Collection . This option makes it easy to target those devices with a remediation deployment.
This option was removed in version 2006 since CMPivot no longer requires querying against a
collection.
Save Favorite queries by clicking the folder icon.

Clients updated to the 1810 version return output less than 80 KB to the site over a fast communication
channel.
This change increases the performance of viewing script or query output.
If the script or query output is greater than 80 KB, the client sends the data via a state message.
If the client isn't updated to the 1810 client version, it continues to use state messages.
You may see the following error when you start CMPivot: You can't use CMPivot right now due to
an incompatible script version. This issue may be because the hierarchy is in the process of
upgrading a site. Wait until the upgrade is complete and then try again.
If you see this message, it could mean:
The security scope isn't set up properly.
A site upgrade is in progress.
The underlying CMPivot script is incompatible.
Scalar functions
CMPivot supports the following scalar functions:
ago() : Subtracts the given timespan from the current UTC clock time
datetime_diff() : Calculates the calendar difference between two datetime values
now() : Returns the current UTC clock time
bin() : Rounds values down to an integer multiple of a given bin size

NOTE
The datetime data type represents an instant in time, typically expressed as a date and time of day. Time values are
measured in 1-second units. A datetime value is always in the UTC time zone. Always express date time literals in ISO
8601 format, for example, yyyy-mm-dd HH:MM:ss
Examples
datetime(2015-12-31 23:59:59.9) : A specific date time literal
now() : The current time
ago(1d) : The current time minus one day
Rendering visualizations
CMPivot now includes basic support for the KQL render operator. This support includes the following types:
barchart : First column is the x-axis, and can be text, datetime, or numeric. The second column must be numeric
and is displayed as a horizontal strip.
columnchart : Like barchart, with vertical strips instead of horizontal strips.
piechart : First column is the color axis, second column is numeric.
timechart : Line graph. First column is the x-axis, and should be datetime. Second column is the y-axis.
Example: bar chart
The following query renders the most recently used applications as a bar chart:

CCMRecentlyUsedApplications
| summarize dcount( Device ) by ProductName
| top 10 by dcount_
| render barchart

Example: time chart


To render time charts, use the new bin() operator to group events in time. The following query shows when
devices have started in the last seven days:

OperatingSystem
// Use >= so the filter keeps boot times that fall within the past seven days
| where LastBootUpTime >= ago(7d)
| summarize count() by bin(LastBootUpTime,1d)
| render timechart
Example: pie chart
The following query displays all OS versions in a pie chart:

OperatingSystem
| summarize count() by Caption
| render piechart

Hardware inventory
Use CMPivot to query any hardware inventory class. These classes include any custom extensions you make to
hardware inventory. CMPivot immediately returns cached results from the last hardware inventory scan stored
in the site database. At the same time, it updates the results if necessary with live data from any online clients.
The color saturation of the data in the results table or chart indicates if the data is live or cached. For example,
dark blue is real-time data from an online client. Light blue is cached data.
Example

LogicalDisk
| summarize sum( FreeSpace ) by Device
| order by sum_ desc
| render columnchart

Limitations
The following hardware inventory entities aren't supported:
Array properties, for example IP address
Real32/Real64
Embedded object properties
Inventory entity names must begin with a character
You can't overwrite the built-in entities by creating an inventory entity of the same name
Scalar operators
CMPivot includes the following scalar operators:

NOTE
LHS: string to the left of the operator
RHS: string to the right of the operator

Operator     | Description                              | Example (yields true)
-------------|------------------------------------------|------------------------------
==           | Equals                                   | "aBc" == "aBc"
!=           | Not equals                               | "abc" != "ABC"
like         | LHS contains a match for RHS             | "FabriKam" like "%Brik%"
!like        | LHS doesn't contain a match for RHS      | "Fabrikam" !like "%xyz%"
contains     | RHS occurs as a subsequence of LHS       | "FabriKam" contains "BRik"
!contains    | RHS doesn't occur in LHS                 | "Fabrikam" !contains "xyz"
startswith   | RHS is an initial subsequence of LHS     | "Fabrikam" startswith "fab"
!startswith  | RHS isn't an initial subsequence of LHS  | "Fabrikam" !startswith "kam"
endswith     | RHS is a closing subsequence of LHS      | "Fabrikam" endswith "Kam"
!endswith    | RHS isn't a closing subsequence of LHS   | "Fabrikam" !endswith "brik"

Query summary
Select the Query Summary tab at the bottom of the CMPivot window. This status helps you identify clients
that are offline, or troubleshoot errors that may occur. Select a value in the Count column to open a list of
specific devices with that status.
For example, select the count of devices with a Failure status. See the specific error message, and export a list of
these devices. If the error is that a specific cmdlet isn't recognized, create a collection from the exported device
list to deploy a Windows PowerShell update.
CMPivot audit status messages
Starting in version 1810, when you run CMPivot, an audit status message is created with MessageID 40805 .
You can view the status messages by going to Monitoring > System Status > Status Message Queries . You
can run All Audit status Messages for a Specific User , All Audit status Messages for a Specific Site ,
or create your own status message query.
The following format is used for the message:
MessageId 40805: User <UserName> ran script <Script-Guid> with hash <Script-Hash> on collection
<Collection-ID>.
7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 is the Script-Guid for CMPivot.
The Script-Hash can be seen in the client's scripts.log file.
You can also see the hash stored in the client's script store. The filename on the client is
<Script-Guid>_<Script-Hash>.
Example file name:
C:\Windows\CCM\ScriptStore\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_abc1d23e45678901fabc123d456ce789fa1b2cd3e456789123fab4c56789d0123.ps
Next steps
Troubleshooting CMPivot
CMPivot sample scripts
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Below are a few common query needs and how CMPivot can be used to meet them. CMPivot uses a subset of
the Kusto Query Language (KQL).

Operating system
Gets operating system information.

// Sample query for OS information
OperatingSystem

Recently used applications


The following query gets recently used applications (last 2 hours):

CCMRecentlyUsedApplications
| where (LastUsedTime > ago(2h))
| project CompanyName, ProductName, ProductVersion, LastUsedTime

Device start times


The following query shows when devices have started in the last seven days:

OperatingSystem
// Use >= so the filter keeps boot times that fall within the past seven days
| where LastBootUpTime >= ago(7d)
| summarize count() by bin(LastBootUpTime,1d)

Free disk space


The following query shows free disk space:

LogicalDisk
| project Device, DeviceID, Name, Description, FileSystem, Size, FreeSpace
| order by DeviceID asc

Device information
Show device, manufacturer, model, and OSVersion:

ComputerSystem
| project Device, Manufacturer, Model
| join (OperatingSystem | project Device, OSVersion=Caption)

Boot times for a device
Show boot times for devices:

SystemBootData
| project Device, SystemStartTime, BootDuration, OSStart=EventLogStart, GPDuration, UpdateDuration
| order by SystemStartTime desc

Authentication failures
Search the event logs for authentication failures.

EventLog('Security')
| where EventID == 4673

ProcessModule(<processname>)
Enumerates all the modules (dlls) loaded by a given process. ProcessModule is useful when hunting for malware
that hides in legitimate processes.

ProcessModule('powershell')
| summarize count() by ModuleName
| order by count_ desc

Antimalware software status


Gets the status of antimalware software installed on the computer, as gathered by the Get-MpComputerStatus
cmdlet. The entity is supported on Windows 10 and Windows Server 2016 or later with Defender running.

EPStatus
| project Device, QuickScanAge=datetime_diff('day',now(),QuickScanEndTime)
| summarize DeviceCount=count() by QuickScanAge

Find BIOS Manufacturer that contains any word like Micro


Bios
// Find BIOS Manufacturer that contains any word like Micro, such as Microsoft
| where Manufacturer like '%Micro%'

Find file by its hash


Search for a file by hash.

Device
| join kind=leftouter ( File('%windir%\\system32\\*.exe')
| where SHA256Hash == 'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77')
| project Device, MalwareFound = iif( isnull(FileName), 'No', 'Yes')

Find 'Scripts' in the CCM logs in the last hour


The following query will look at events in the last 1 hour:

CcmLog('Scripts',1h)

Find information in the registry


Search for registry information.

// Change the path to match your desired registry hive query
// The RegistryKey entity (added in version 2107) isn't supported with CMPivot for tenant attached devices.
Registry('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')
RegistryKey('hklm:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\*')

RegistryKey('hklm:\SOFTWARE\Microsoft\SMS\*')
Registry('hklm:\SOFTWARE\Microsoft\SMS\*')
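Several of the sample queries above have direct equivalents that run on a single Windows device, which is useful when you need to confirm a CMPivot result on the endpoint itself or reproduce it where no client is reachable. The following PowerShell is an added example, not part of the Configuration Manager documentation or product; it assumes an elevated session on Windows 10 or Windows Server 2016 or later, and the SHA-256 value passed to Find-FileByHash is simply the one the doc's own sample query uses, to be replaced with the hash you are actually looking for.

```powershell
# Added example, not from the Configuration Manager docs: run the checks behind
# several of the CMPivot sample queries directly on one Windows device.
# Run in an elevated PowerShell session on Windows 10 / Windows Server 2016 or later.

# EventLog('Security') | where EventID == 4673
function Get-SecurityEvent4673 {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# ProcessModule('powershell') | summarize count() by ModuleName | order by count_ desc
function Get-ProcessModuleCount {
    param([Parameter(Mandatory)][string]$ProcessName)
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        ForEach-Object { try { $_.Modules } catch { } } |   # protected or other-bitness processes are skipped
        Group-Object -Property ModuleName |
        Sort-Object -Property Count -Descending |
        Select-Object Count, Name
}

# EPStatus | project QuickScanAge = datetime_diff('day', now(), QuickScanEndTime)
function Get-QuickScanAgeDays {
    $status = Get-MpComputerStatus -ErrorAction Stop       # throws where Defender isn't present
    if (-not $status.QuickScanEndTime) { return $null }     # no quick scan has ever completed
    return [int][math]::Floor(((Get-Date) - $status.QuickScanEndTime).TotalDays)
}

# Bios | where Manufacturer like '%Micro%'   (the KQL '%' wildcard is '*' in PowerShell)
function Test-BiosManufacturerLike {
    param([string]$Pattern = '*Micro*')
    (Get-CimInstance -ClassName Win32_BIOS).Manufacturer -like $Pattern
}

# Device | join kind=leftouter (File('%windir%\\system32\\*.exe') | where SHA256Hash == '...')
function Find-FileByHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sha256
    )
    $hits = @(Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Where-Object { $_.Hash -eq $Sha256 })              # -eq on strings is case-insensitive
    $found = if ($hits.Count -gt 0) { 'Yes' } else { 'No' } # same shape as the CMPivot query's MalwareFound column
    [pscustomobject]@{
        Device       = $env:COMPUTERNAME
        MalwareFound = $found
        Paths        = @($hits | ForEach-Object { $_.Path }) -join '; '
    }
}

Get-SecurityEvent4673 -MaxEvents 10
Get-ProcessModuleCount -ProcessName 'powershell' | Select-Object -First 10
Get-QuickScanAgeDays
Test-BiosManufacturerLike
# The hash below is the doc's own example value; substitute the hash you are hunting for.
Find-FileByHash -Path "$env:windir\System32\*.exe" -Sha256 'A92056D772260B39A876D01552496B2F8B4610A0B1E084952FE1176784E2CE77'
```

Note the two places where the local version behaves slightly differently from the CMPivot entity: Get-MpComputerStatus fails outright where Defender isn't installed (CMPivot simply returns no EPStatus row), and the module listing skips processes the session cannot inspect rather than failing the whole query.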

Next steps
To learn more about CMPivot, see Use CMPivot.
Troubleshoot CMPivot
2/16/2022 • 6 minutes to read

CMPivot is a tool that provides access to a real-time state of the devices in your environment. CMPivot runs a
query on all currently connected devices in the target collection and returns the results.
Occasionally, you might need to troubleshoot CMPivot. For example, if a state message from a client to CMPivot
gets corrupted, the site server can't process the message. This article helps you understand the flow of
information for CMPivot.

Troubleshoot CMPivot in version 1902 and later


In Configuration Manager versions 1902 and later, you can run CMPivot from the central administration site
(CAS) in a hierarchy. The primary site still handles the communication to the client.
When you run CMPivot from CAS, it uses the high-speed message subscription channel to communicate with
the primary site. CMPivot doesn't use standard SQL Server replication between sites. If your SQL Server
instance or your SMS provider is remote, or if you use a SQL Server Always On availability group, you'll have a
"double hop scenario" for CMPivot. For information on how to define constrained delegation for a "double hop
scenario", see CMPivot starting in version 1902.

IMPORTANT
When troubleshooting CMPivot, enable verbose logging on your management points (MPs) and on the site server's
SMS_MESSAGE_PROCESSING_ENGINE to get more information. Also, if the client's output is larger than 80 KB, enable
verbose logging on the MP and the site server's SMS_STATE_SYSTEM component. For information about how to enable
verbose logging, see Site server logging options.

Get information from the site server


By default, the site server log files are located in C:\Program Files\Microsoft Configuration Manager\logs . This
location might be different if you specified a non-default installation directory or offloaded items like the SMS
Provider to another server. If you run CMPivot from the CAS, the logs are on the primary site server.
Look in smsprov.log for these lines:
Configuration Manager version 1906:

Auditing: User <username> initiated client operation 145 to collection <CollectionId>.

Configuration Manager version 1902:

Type parameter is 135.


Auditing: User <username> ran script 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 with hash
dc6c2ad05f1bfda88d880c54121c8b5cea6a394282425a88dd4d8714547dc4a2 on collection <CollectionId>.

7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 is the Script-Guid for CMPivot. You can also see this GUID in CMPivot
audit status messages.
Next, find the ID in the CMPivot window. This ID is the ClientOperationID .
Find the TaskID from the ClientAction table. The TaskID corresponds to the UniqueID in the ClientAction table.

select * from ClientAction where ClientOperationId=<id>

In BgbServer.log , look for the TaskID you gathered from SQL Server and note the PushID . The TaskID is
labeled TaskGUID . For example:

Starting to send push task (PushID: 9 TaskID: 12 TaskGUID: 9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0 TaskType: 15 TaskParam: PFNjcmlwdENvbnRlbnQgU2NyaXB0R3VpZD0nN0RDNkI2RjEtRTdGNi00M0MxL (truncated log entry)
Finished sending push task (PushID: 9 TaskID: 12) to 2 clients

Client logs
After you have the information from the site server, check the client logs. By default, the client logs are located in
C:\Windows\CCM\Logs .

In CcmNotificationAgent.log , look for log entries that look like the following lines:

Receive task from server with pushid=9, taskid=12, taskguid=9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0, tasktype=15 and taskParam=PFNjcmlwdEhhc2ggU2NyaXB0SGF (truncated log entry)
Send Task response message <BgbResponseMessage TimeStamp="2019-09-13T17:29:09Z"><PushID>5</PushID><TaskID>4</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfuly.

Check Scripts.log for the TaskID. In the following example, you see Task ID {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}:

Sending script state message (fast): {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}
Result are sent for ScriptGuid: 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 and TaskID: {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}

NOTE
If you don't see "(fast)" in the Scripts.log , then the data is likely over 80 KB. In this case, the information is sent to the
site server as a state message. Use client's StateMessage.log and the site server's Statesys.log .
Review messages on the site server
When verbose logging is enabled on the management point, you can see how incoming client messages are
handled. In MP_RelayMsgMgr.log , look for the TaskID .
In the MP_RelayMsgMgr.log example, you can see the client's ID (GUID:83F67728-2E6D-4E4F-8075-ED035C31B783) and
the Task ID {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0} . A message ID gets assigned to the client's response before
it's sent to the message processing engine:

MessageKey: GUID:83F67728-2E6D-4E4F-8075-ED035C31B783{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}
Create message succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89
Add message payload succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89
Put message succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89
CRelayMsgMgrHandler::HandleMessage(): ExecuteTask() succeeded

When verbose logging is enabled on SMS_MESSAGE_PROCESSING_ENGINE.log , the client results are processed. Use
the message ID you found from the MP_RelayMsgMgr.log . The processing log entries are similar to the following
example:

Processing 2 messages with type Instant and IDs 22f00adf-181e-4bad-b35e-d18912f39f89[19], 434d80ae-09d4-4d84-aebf-28a4a29a9852[20]...
Processed 2 messages with type Instant. Failed to process 0 messages. All message IDs 22f00adf-181e-4bad-b35e-d18912f39f89[19], 434d80ae-09d4-4d84-aebf-28a4a29a9852[20]

TIP
If you get an exception during processing, you can review it by running the following SQL query and looking at the
Exception column. After the message is processed, it will no longer be in the MPE_RequestMessages_Instant table.

select * from MPE_RequestMessages_Instant where MessageID=<ID from SMS_MESSAGE_PROCESSING_ENGINE.log>

In BgbServer.log , look for the PushID to see the number of clients that reported or failed.

Generated BGB task status report c:\ConfigMgr\inboxes\bgb.box\Bgb5c1db.BTS at 09/16/2019 16:46:39. (PushID: 9 ReportedClients: 2 FailedClients: 0)

Check the monitoring view for CMPivot from SQL Server by using the TaskID .

select * from vSMS_CMPivotStatus where TaskID='{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}'
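The flow above (audit line in smsprov.log, push in BgbServer.log, receipt in CcmNotificationAgent.log, fast result in Scripts.log, message key in MP_RelayMsgMgr.log, then the BGB status report) can be followed automatically by the TaskGUID, and the same audit line answers the question raised in the audit status message section of who ran CMPivot on which collection. The following PowerShell is an added example and not part of the Configuration Manager documentation or product. The lines in $sampleLines are constructed samples in the formats quoted above (the user CONTOSO\jdoe, the collection SMS00001 and the truncated TaskParam are made up); with real logs you would feed it Get-Content output from the files named in this article instead.

```powershell
# Added example, not from the Configuration Manager docs: trace one CMPivot run
# through the server and client logs by its TaskGUID and report who started it.
# $sampleLines holds constructed sample lines in the formats shown in this article;
# replace them with Get-Content on smsprov.log, BgbServer.log, CcmNotificationAgent.log,
# Scripts.log and MP_RelayMsgMgr.log to use it against real logs.

$CMPivotScriptGuid = '7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14'   # CMPivot's Script-Guid, as documented above

$sampleLines = @'
Auditing: User CONTOSO\jdoe ran script 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14 with hash dc6c2ad05f1bfda88d880c54121c8b5cea6a394282425a88dd4d8714547dc4a2 on collection SMS00001.
Starting to send push task (PushID: 9 TaskID: 12 TaskGUID: 9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0 TaskType: 15 TaskParam: PFNjcmlw (truncated)
Finished sending push task (PushID: 9 TaskID: 12) to 2 clients
Receive task from server with pushid=9, taskid=12, taskguid=9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0, tasktype=15 and taskParam=PFNjcmlw (truncated)
Sending script state message (fast): {9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}
MessageKey: GUID:83F67728-2E6D-4E4F-8075-ED035C31B783{9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0}
Create message succeeded for message id 22f00adf-181e-4bad-b35e-d18912f39f89
Generated BGB task status report c:\ConfigMgr\inboxes\bgb.box\Bgb5c1db.BTS at 09/16/2019 16:46:39. (PushID: 9 ReportedClients: 2 FailedClients: 0)
'@ -split "`r?`n"

# Who ran what: the smsprov.log audit line carries the same fields as status message 40805.
function Get-CMPivotAuditEvent {
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match 'Auditing: User (?<user>\S+) ran script (?<guid>[0-9A-Fa-f-]{36}) with hash (?<hash>[0-9A-Fa-f]{64}) on collection (?<coll>\w+)') {
            [pscustomobject]@{
                User       = $Matches.user
                IsCMPivot  = ($Matches.guid -eq $CMPivotScriptGuid)   # any other GUID is an admin-authored script
                ScriptHash = $Matches.hash                            # compare with <Script-Guid>_<Script-Hash>.ps in the client's ScriptStore
                Collection = $Matches.coll
            }
        }
    }
}

# Each hop of the 1902+ flow leaves a line containing the TaskGUID; report which hops are present.
function Get-CMPivotTaskTimeline {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [Parameter(Mandatory)][string]$TaskGuid
    )
    $g = [regex]::Escape($TaskGuid)
    $stages = [ordered]@{
        'BgbServer.log: push task sent'              = "TaskGUID: $g"
        'CcmNotificationAgent.log: task received'    = "taskguid=$g"
        'Scripts.log: result sent over fast channel' = "\(fast\): \{$g\}"
        'MP_RelayMsgMgr.log: message keyed'          = "MessageKey: GUID:[0-9A-Fa-f-]{36}\{$g\}"
    }
    foreach ($stage in $stages.Keys) {
        $hit = @($Line | Where-Object { $_ -match $stages[$stage] })
        [pscustomobject]@{ Stage = $stage; Found = ($hit.Count -gt 0); Line = ($hit | Select-Object -First 1) }
    }
}

# Tie the push back to its status report: PushID from BgbServer.log -> ReportedClients / FailedClients.
function Get-CMPivotPushSummary {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [Parameter(Mandatory)][string]$TaskGuid
    )
    $g = [regex]::Escape($TaskGuid)
    $pushId = $null
    foreach ($l in $Line) {
        if ($l -match "\(PushID: (?<p>\d+) TaskID: \d+ TaskGUID: $g\b") { $pushId = $Matches.p; break }
    }
    if (-not $pushId) { return $null }
    foreach ($l in $Line) {
        if ($l -match "\(PushID: $pushId ReportedClients: (?<r>\d+) FailedClients: (?<f>\d+)\)") {
            return [pscustomobject]@{ PushID = [int]$pushId; Reported = [int]$Matches.r; Failed = [int]$Matches.f }
        }
    }
}

$taskGuid = '9A4E59D2-2F5B-4067-A9FA-B99602A3A4A0'
Get-CMPivotAuditEvent -Line $sampleLines | Format-Table -AutoSize
$timeline = Get-CMPivotTaskTimeline -Line $sampleLines -TaskGuid $taskGuid
$timeline | Format-Table -AutoSize
if (-not ($timeline | Where-Object Stage -like 'Scripts.log*').Found) {
    # No "(fast)" entry usually means the output exceeded 80 KB and travelled as a state message.
    Write-Warning 'No fast-channel entry in Scripts.log; check StateMessage.log on the client and statesys.log on the site server.'
}
Get-CMPivotPushSummary -Line $sampleLines -TaskGuid $taskGuid
```

The timeline shows the first hop that has no matching line, which is where to enable verbose logging next; the push summary gives the same ReportedClients and FailedClients figures you would otherwise read by hand from BgbServer.log. A row from Get-CMPivotAuditEvent with IsCMPivot set to False is a different script run that happens to share the audit line format, so filter on that column when you are only interested in CMPivot usage.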

Troubleshoot CMPivot in 1810 and earlier


In Configuration Manager versions 1810 and earlier, your site server handles the communication to the client.
Get information from the site server
By default, the site server log files are located in C:\Program Files\Microsoft Configuration Manager\logs . This
location might be different if you specified a non-default installation directory or offloaded items like the SMS
Provider to another server.
Look in smsprov.log for this line:

Auditing: User <username> initiated client operation 135 to collection <CollectionId>.

Find the ID in the CMPivot window. This ID is the ClientOperationID .

Find the TaskID from the ClientAction table. The TaskID corresponds to the UniqueID in the ClientAction table.

select * from ClientAction where ClientOperationId=<id>

In BgbServer.log , look for the TaskID you gathered from SQL. It's labeled TaskGUID . For example:

Starting to send push task (PushID: 260 TaskID: 258 TaskGUID: F8C7C37F-B42B-4C0A-B050-2BB44DF1098A TaskType: 15 TaskParam: PFNjcmlwdEhhc2ggU2NyaXB0SGF...truncated...to 5 clients with throttling (strategy: 1 param: 42)
Finished sending push task (PushID: 260 TaskID: 258) to 5 clients

Client logs
After you have the information from the site server, check the client logs. By default, the client logs are located in
C:\Windows\CCM\Logs .

In CcmNotificationAgent.log , look for logs that are similar to the following entry:

PFNjcmlwdEhhc2ggU2NyaXB0SGFzaEFsZz0nU0hBMjU2Jz42YzZmNDY0OGYzZjU3M2MyNTQyNWZiNTg2ZDVjYTIwNzRjNmViZmQ1NTg5MDZlMWI5NDRmYTEzNmFiMDE0ZGNjPC9TY3JpcHRIYXNoPjxTY3Jp (truncated log entry)

Look in Scripts.log for the TaskID. In the following example, we see Task ID {F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}:

Sending script state message: 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14
State message: Task Id {F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}

Look in StateMessage.log . In the following example, you see that TaskID is near the bottom of the message
next to <Param> :

StateMessage body: <?xml version="1.0" encoding="UTF-16"?>
<Report><ReportHeader><Identification><Machine><ClientInstalled>1</ClientInstalled><ClientType>1
</ClientType><ClientID>GUID:DBAC52C9-57E6-47D7-A8D6-E0A5A64B57E6</ClientID>
<ClientVersion>5.00.8670.1000</ClientVersion>
<NetBIOSName>R613924</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID><Priority>0</Priority></Machine></Identification>
<ReportDetails><ReportContent>State Message Data</ReportContent><ReportType>Full</ReportType>
<Date>20180703184447.673000+000</Date><Version>1.0</Version><Format>1.0</Format>
</ReportDetails></ReportHeader><ReportBody><StateMessage MessageTime="20180703184447.517000+000"><Topic
ID="7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14" Type="9003" IDType="0" User="" UserSID=""/><State ID="1"
Criticality="0"/>
<StateDetails Type="1"><!
[CDATA["PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgAgAGUAbgBjAG8AZABpAG4AZwA9ACIAdQB0AGYALQAxADYAIgA/
AD4APAByAGUAcwB1AGwAdAAgAFIAZQBzAHUAbAB0AEMAbwBkAGUAPQAiADAAIgA+ADwAZQAgAE4AYQBtAGUAPQAiAEkAbgB0AGUAbAAoAFIA
KQAgAFgAZQBvAG4AKABSACkAIABDAFAAVQAgAEUANQAtADIANgA3ADMAIAB2ADQAIABAACAAMgAuADMAMABHAEgAegAiACAATQBhAG4AdQBm
AGEAYwB0AHUAcgBlAHIAPQAiAEEAbQBlAHIAaQBjAGEAbgAgAE0AZQBnAGEAdAByAGUAbgBkAHMAIABJAG4AYwAuACIAIABWAGUAcgBzAGkA
bwBuAD0AIgBWAFIAVABVAEEATAAgAC0AIAA2ADAAMAAxADcAMAAyACIAIABSAGUAbABlAGEAcwBlAEQAYQB0AGUAPQAiADIAMAAxADcALQAw
ADYALQAwADIAIAAwADAAOgAwADAAOgAwADAAIgAgAFMAZQByAGkAYQBsAE4AdQBtAGIAZQByAD0AIgAwADAAMAAwAC0AMAAwADEAOAAtADMA
NgA4ADIALQA0ADcAMAA4AC0ANwA2ADQAMAAtADcANgAwADAALQAzADMAIgAgAFMATQBCAEkATwBTAEIASQBPAFMAVgBlAHIAcwBpAG8AbgA9
ACIAMAA5ADAAMAAwADcAIAAiACAALwA+ADwALwByAGUAcwB1AGwAdAA+AA=="~~]]></StateDetails><UserParameters Flags="0"
Count="2">
<Param>{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}</Param><Param>0</Param></UserParameters></StateMessage>
</ReportBody></Report>

Successfully forwarded State Messages to the MP StateMessage 7/3/2018 11:44:47 AM 5036 (0x13AC)

Review messages on the site server


Open statesys.log to see if the message is received and processed. In the following example, you see TaskID
near the bottom of the message next to <Param> . Enable verbose logging on the SMS_STATE_SYSTEM
component to see these log entries.

CMessageProcessor - the cmdline to DB exec dbo.spProcessStateReport N'?<?xml version="1.0" encoding="UTF-16"?>~~<Report><ReportHeader><Identification><Machine><ClientInstalled>1</ClientInstalled><ClientType>1
</ClientType><ClientID>GUID:DBAC52C9-57E6-47D7-A8D6-E0A5A64B57E6</ClientID>
<ClientVersion>5.00.8670.1000</ClientVersion>
<NetBIOSName>R613924</NetBIOSName><CodePage>437</CodePage>
<SystemDefaultLCID>1033</SystemDefaultLCID><Priority>0</Priority></Machine></Identification>
<ReportDetails><ReportContent>State Message Data</ReportContent><ReportType>Full</ReportType>
<Date>20180703184447.673000+000</Date><Version>1.0</Version><Format>1.0</Format>
</ReportDetails></ReportHeader><ReportBody><StateMessage MessageTime="20180703184447.517000+000"><Topic
ID="7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14" Type="9003" IDType="0" User="" UserSID=""/><State ID="1"
Criticality="0"/>
<StateDetails Type="1"><!
[CDATA["PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgAgAGUAbgBjAG8AZABpAG4AZwA9ACIAdQB0AGYALQAxADYAIgA/
AD4APAByAGUAcwB1AGwAdAAgAFIAZQBzAHUAbAB0AEMAbwBkAGUAPQAiADAAIgA+ADwAZQAgAE4AYQBtAGUAPQAiAEkAbgB0AGUAbAAoAFIA
KQAgAFgAZQBvAG4AKABSACkAIABDAFAAVQAgAEUANQAtADIANgA3ADMAIAB2ADQAIABAACAAMgAuADMAMABHAEgAegAiACAATQBhAG4AdQBm
AGEAYwB0AHUAcgBlAHIAPQAiAEEAbQBlAHIAaQBjAGEAbgAgAE0AZQBnAGEAdAByAGUAbgBkAHMAIABJAG4AYwAuACIAIABWAGUAcgBzAGkA
bwBuAD0AIgBWAFIAVABVAEEATAAgAC0AIAA2ADAAMAAxADcAMAAyACIAIABSAGUAbABlAGEAcwBlAEQAYQB0AGUAPQAiADIAMAAxADcALQAw
ADYALQAwADIAIAAwADAAOgAwADAAOgAwADAAIgAgAFMAZQByAGkAYQBsAE4AdQBtAGIAZQByAD0AIgAwADAAMAAwAC0AMAAwADEAOAAtADMA
NgA4ADIALQA0ADcAMAA4AC0ANwA2ADQAMAAtADcANgAwADAALQAzADMAIgAgAFMATQBCAEkATwBTAEIASQBPAFMAVgBlAHIAcwBpAG8AbgA9
ACIAMAA5ADAAMAAwADcAIAAiACAALwA+ADwALwByAGUAcwB1AGwAdAA+AA=="~~]]></StateDetails><UserParameters Flags="0"
Count="2">
<Param>{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}</Param><Param>0</Param></UserParameters></StateMessage>
</ReportBody></Report>~~'

If the message hasn't been processed, check the state message inbox. The default inbox location is
C:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\ . Look for the files in these
locations:
Incoming
Corrupted
Process
Check the monitoring view for CMPivot via the following SQL query using the TaskID :

select * from vSMS_CMPivotStatus where TaskID='{F8C7C37F-B42B-4C0A-B050-2BB44DF1098A}'

NOTE
For clients that are using version 1810 or higher, state messaging isn't used unless the output is larger than 80 KB. When
troubleshooting CMPivot in these cases, you can get more information when you enable verbose logging on your MPs
and the site server's SMS_MESSAGE_PROCESSING_ENGINE. For information on how to enable verbose logging, see Site
server logging options.
To troubleshoot, refer to the following logs:
MP_Relay.log
SMS_MESSAGE_PROCESSING_ENGINE.log

Next steps
Using CMPivot
Create and run PowerShell scripts
Maintenance tasks for Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager sites and hierarchies require regular maintenance and monitoring to provide services
effectively and continuously. Regular maintenance ensures that the hardware, software, and Configuration
Manager database continue to function correctly and efficiently. Optimal performance greatly reduces the risk of
failure.
To set up alerts and use the status system to monitor the health of Configuration Manager, see Use the status
system and Configure alerts.

Maintenance tasks
Regular maintenance is important to ensure correct site operations. Keep a maintenance log to document
maintenance dates, who did maintenance, and any maintenance-related comments about the tasks. To maintain
your site, consider daily or weekly maintenance. Some tasks might require a different schedule. Common
maintenance can include both the built-in maintenance tasks and other tasks like account maintenance to
maintain compliance with your company policies.
Use the following information as a guide to help you plan when to do different maintenance tasks. Use these
lists as a starting point, and add tasks that you might require.
Daily Tasks
The following are maintenance tasks that you might consider on a daily schedule:
Check that predefined maintenance tasks that are scheduled to run daily are running successfully.
Check the Configuration Manager database status.
Check site server status.
Check Configuration Manager site system inboxes for file backlogs.
Check site systems status.
Check the operating system event logs from the site systems.
Check the SQL Server error log from the site database computer.
Check system performance.
Check Configuration Manager alerts.
Weekly Tasks
The following are maintenance tasks that you might consider for a weekly schedule:
Check that predefined maintenance tasks that are scheduled to run weekly are running successfully.
Delete unnecessary files from site systems.
Produce and distribute end-user reports if necessary.
Back up application, security, and system event logs and clear them.
Check the site database size and verify there's enough available disk space on the site database server so
that the site database can grow.
Do SQL Server database maintenance on the site database according to your SQL Server maintenance
plan.
Check available disk space on all site systems.
Run disk defragmentation tools on all site systems.
Periodic Tasks
Some tasks that don't require daily or weekly maintenance are important to ensure overall site health. These
tasks also ensure that security and disaster recovery plans are up-to-date. The following are maintenance tasks
that you might consider for a more periodic schedule than the daily or weekly tasks:
Change accounts and passwords, if it's necessary, according to your security plan.
Review the maintenance plan to check that scheduled maintenance tasks are scheduled correctly and
effectively depending on configured site settings.
Review the Configuration Manager hierarchy design for any required changes.
Check network performance to ensure that changes haven't been made that affect site operations.
Check that Active Directory settings that affect site operations haven't changed. For example, check that
subnets that are assigned to Active Directory sites and that are used as boundaries for Configuration
Manager site haven't changed.
Review your disaster recovery plan for any required changes.
Do a site recovery according to the disaster recovery plan in a test lab by using a backup copy of the
most recent backup that the Backup Site Server maintenance task created.
Check hardware for any errors or for available hardware updates.
Check the overall health of the site.

Maintain the operational health of your site database


While your Configuration Manager site and hierarchy do the tasks that you schedule and set up, site
components continually add data to the Configuration Manager database. As the amount of data grows,
database performance and the free storage space in the database decline. You can set up site maintenance tasks
to remove aged data that you no longer require.
Configuration Manager provides predefined maintenance tasks that you can use to maintain the health of the
Configuration Manager database. Not all maintenance tasks are available at each site, by default. Several tasks
are enabled while some aren't, and all support a schedule that you can set up.
Most maintenance tasks periodically remove out-of-date data from the Configuration Manager database.
Reducing the size of the database by removing unnecessary data improves the performance and the integrity of
the database, which increases the efficiency of the site and hierarchy. Other tasks, like Rebuild Indexes, help
maintain the database efficiency. Other tasks, like the Backup Site Server task, help you prepare for disaster
recovery.
IMPORTANT
When you plan the schedule of any task that deletes data, consider the use of that data across the hierarchy. When a task
that deletes data runs at a site, the information is removed from the Configuration Manager database, and this change
replicates to all sites in the hierarchy. This deletion can affect other tasks that rely on that data. For example, at the central
administration site, you might set up Discovery to run one time per month to identify non-client computers. You plan to
install the Configuration Manager client to these computers within two weeks of their discovery. However, at one site in
the hierarchy, an admin sets up the Delete Aged Discovery Data task to run every seven days. The result is that seven
days after non-client computers are discovered, they are deleted from the Configuration Manager database. Back at the
central administration site, you prepare to push install the Configuration Manager client to these new computers on day
10. However, because the Delete Aged Discovery Data task has recently run and deleted data that's seven days or older,
the recently discovered computers are no longer available in the database.

After you install a Configuration Manager site, review the available maintenance tasks and enable those tasks
that your operations require. Review the default schedule of each task, and when necessary, set up the schedule
to fine-tune the maintenance task to fit your hierarchy and environment. Although the default schedule of each
task should suit most environments, monitor the performance of your sites and database and expect to fine-
tune tasks to increase your deployment's efficiency. Plan to periodically review the site and database
performance and reconfigure maintenance tasks and their schedules to maintain that efficiency.

Set up maintenance tasks


Each Configuration Manager site supports maintenance tasks that help maintain the operational efficiency of
the site database. By default, several maintenance tasks are enabled in each site, and all tasks support
independent schedules. Maintenance tasks are set up individually for each site and apply to the database at that
site. However, some tasks, like Delete Aged Discovery Data, affect information that is available in all sites in a
hierarchy.
Only the maintenance tasks that you can set up at a site are displayed in the Configuration Manager console. For
a complete list of maintenance tasks by site type, see Reference for maintenance tasks for Configuration
Manager.
Use the following procedure to help you set up the common settings of maintenance tasks.
To set up maintenance tasks for Configuration Manager version 1906
Starting in version 1906, site server maintenance tasks can now be viewed, edited, and monitored from their
own tab on the details view of a site server. You can still edit maintenance tasks by choosing Site Maintenance
in the Settings group like you did in previous Configuration Manager versions.
1. In the Configuration Manager console, go to Administration > Site Configuration > Sites.
2. Select a site from your list, then click on the Maintenance Tasks tab in the detail panel.
3. Only tasks that are available at the selected site are displayed. Right-click one of the maintenance tasks and
choose one of the following options:
Enable - Turn on the task.
Disable - Turn off the task.
Edit - Edit the task schedule or its properties.
The Maintenance Tasks tab gives you information such as:
If the task is enabled
The task schedule
Last start time
Last completion time
If the task completed successfully
To set up maintenance tasks for Configuration Manager version 1902 and prior
1. In the Configuration Manager console, go to Administration > Site Configuration > Sites.
2. Choose the site that has the maintenance task that you want to set up.
3. On the Home tab, in the Settings group, choose Site Maintenance, and then choose the maintenance
task that you want to set up. Only tasks that are available at the selected site are displayed.
4. To set up the task, choose Edit. Ensure the Enable this task check box is checked, and set up a schedule
for when the task runs. If the task also deletes aged data, set up the age of data that will be deleted from
the database when the task runs. Choose OK to close the task Properties.

NOTE
For Delete Aged Status Messages, you set up the age of data to delete when you set up status filter rules.

5. To enable or disable the task without editing the task properties, choose the Enable or Disable button.
The button label changes depending on the current configuration of the task.
6. When you're finished configuring the maintenance tasks, choose OK to finish the procedure.
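The following PowerShell script is an added example; it isn't part of the Configuration Manager documentation or product. It uses the Get-CMSiteMaintenanceTask cmdlet from the console's PowerShell module to list the maintenance tasks at one site and flag any discovery-related task whose age threshold is shorter than or equal to the Heartbeat Discovery interval, which is the situation the note about Delete Aged Discovery Data describes. The site code, SMS provider host name, and heartbeat interval are placeholders, and reading each task's age threshold from the DeleteOlderThan property is an assumption.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Lists the site maintenance tasks at one site and flags the tasks whose
# retention must stay above the Heartbeat Discovery interval, so that a task
# can't delete records of machines that were discovered but haven't reported yet.
# Assumptions: the console (and so the ConfigurationManager PowerShell module)
# is installed locally; site code, provider host and heartbeat interval are
# placeholders to replace for your environment.
param(
    [string]$SiteCode              = 'PS1',                 # placeholder site code
    [string]$ProviderMachineName   = 'cm01.contoso.local',  # placeholder SMS provider host
    [int]   $HeartbeatIntervalDays = 7                      # product default; set to your actual schedule
)

# Load the cmdlets that ship with the console and map the site as a PSDrive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName | Out-Null
}
Push-Location "$($SiteCode):"

# Tasks the reference article says must run at an interval greater than the
# Heartbeat Discovery schedule. Both console names of the install-flag task are
# listed because the name differs between versions.
$heartbeatSensitive = @(
    'Delete Aged Discovery Data',
    'Delete Inactive Client Discovery Data',
    'Delete Obsolete Client Discovery Data',
    'Clear Undiscovered Clients',
    'Clear Install Flag'
)

function Get-RetentionFinding {
    # Returns one object per maintenance task with a Finding column.
    param([int]$HeartbeatDays, [string[]]$SensitiveTasks)

    Get-CMSiteMaintenanceTask -SiteCode $SiteCode | ForEach-Object {
        $task    = $_
        $finding = 'ok'
        if ($SensitiveTasks -contains $task.ItemName) {
            if (-not $task.Enabled) {
                $finding = 'disabled (review whether your operations need it)'
            }
            # Assumption: DeleteOlderThan holds the task's age threshold in days
            # (the "Client Rediscovery period" for the install-flag task).
            elseif ($task.DeleteOlderThan -le $HeartbeatDays) {
                $finding = "RETENTION $($task.DeleteOlderThan)d <= heartbeat $($HeartbeatDays)d"
            }
        }
        [pscustomobject]@{
            Site            = $task.SiteCode
            Task            = $task.ItemName
            Enabled         = $task.Enabled
            DeleteOlderThan = $task.DeleteOlderThan   # days; 0 for tasks that don't delete by age
            Finding         = $finding
        }
    }
}

try {
    Get-RetentionFinding -HeartbeatDays $HeartbeatIntervalDays -SensitiveTasks $heartbeatSensitive |
        Sort-Object Finding -Descending | Format-Table -AutoSize
}
finally {
    Pop-Location
}
```

Run it on a computer that has the console installed, from a session with rights to read site settings. A finding doesn't by itself mean a task is misconfigured; it means the task schedule and the discovery schedule need to be reviewed together, as the note above describes.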

Next steps
Reference for maintenance tasks
Reference for maintenance tasks in Configuration
Manager
2/16/2022 • 15 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


This article lists the details for each of the Configuration Manager site maintenance tasks. Each entry specifies
the site types where the task is available, and whether it's enabled by default.
For more information, see Set up maintenance tasks.

Tasks
Backup Site Server
Use this task to create a backup of your critical information to restore a site and the Configuration Manager
database. For more information, see Back up a Configuration Manager site.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Not enabled
Secondary site                Not available

Check Application Title with Inventory Information


Use this task to maintain consistency of software titles between software inventory and the Asset Intelligence
catalog. For more information, see Introduction to Asset Intelligence.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Not available
Secondary site                Not available

Clear Undiscovered Clients

TIP
You may also see this task in the console named Clear Install Flag.

Use this task to remove the installed flag for clients that don't submit a Heartbeat Discovery record during the
Client Rediscovery period. The installed flag prevents automatic client push installation to a computer that
might have an active Configuration Manager client. The default value is 21 days.
IMPORTANT
Make sure this value is greater than the interval for Heartbeat discovery, which by default is seven days. Otherwise,
clients will unnecessarily reinstall.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Not enabled
Secondary site                Not available

Delete Aged Application Request Data


Use this task to delete aged application requests from the database. For more information, see Create and
deploy an application.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Application Revisions


Use this task to delete application revisions that are no longer referenced. For more information, see How to
revise and supersede applications.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Client Download History


Use this task to delete historical data about the download source used by clients. The site uses download source
information to populate the Client Data Sources dashboard.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Client Operations


Use this task to delete from the site database all aged data for client operations. For example, this data includes
the following operations:
Aged or expired client notifications, like download requests for machine or user policy
Endpoint Protection, like requests by an administrative user for clients to run a scan or download updated
definitions
Run Scripts status results

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Client Presence History


Use this task to delete history information about the online status of clients recorded by client notification. It
deletes information for clients with status that's older than the specified time. For more information, see How to
monitor clients.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Cloud Management Gateway Traffic Data


Use this task to delete from the site database all aged data about the traffic that passes through the cloud
management gateway. This data includes:
The number of requests
Total request bytes
Total response bytes
Number of failed requests
Maximum number of concurrent requests

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged CMPivot Results


Use this task to delete from the site database aged information from clients in CMPivot queries. For more
information, see CMPivot for real-time data.
SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Collected Diagnostic Files


Use this task to delete collected diagnostic files. Collected client logs are stored according to the software
inventory file collection settings. The files are stored on the site server in the Inboxes\sinv.box\FileCol
directory. Delete Aged Collected Diagnostic Files uses a default value of 14 days when looking for
diagnostic files to clean up and doesn't affect other collected files. This maintenance task is enabled by default
and was introduced in Configuration Manager version 2010. Earlier Configuration Manager versions use the
Delete Aged Collected Files task for deleting client diagnostic files.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Collected Files


Use this task to delete from the database aged information about collected files. This task also deletes the
collected files from the site server folder structure at the selected site. By default, the five most-recent copies of
collected files are stored on the site server in the Inboxes\sinv.box\FileCol directory. For more information,
see Introduction to software inventory.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Computer Association Data


Use this task to delete from the database aged OS deployment computer association data. This information is
used when restoring user state during a task sequence. For more information, see Manage user state.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Console Connection Data


This task deletes data from the site database about console connections to the site.
SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Delete Detection Data


Use this task to delete aged data from the database that has been created by extraction views. It deletes old data
change information used by external systems extracting data from the database.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Device Wipe Record


Use this task to delete from the database aged data about mobile device wipe actions. For more information, see
Protect data with remote wipe, lock, or passcode reset.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Discovery Data


Use this task to delete aged discovery data from the database. This data can include records from:
Heartbeat discovery
Network discovery
Active Directory discovery methods: System, User, and Group
This task also removes aged devices marked as decommissioned. When this task runs at a site, data associated
with that site is deleted, and those changes replicate to other sites. For more information, see Run discovery.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Distribution Point Usage Stats


Use this task to delete from the database aged data for distribution points that has been stored longer than a
specified time.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Endpoint Protection Health Status History Data


Use this task to delete from the database aged status information for Endpoint Protection (EP). For more
information, see How to monitor Endpoint Protection.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Enrolled Devices


Use this task to delete from the site database the aged data about mobile devices that haven't reported any
information to the site for a specified time.
This task applies to devices that are enrolled with Configuration Manager on-premises MDM. For more
information on these devices, see Supported operating systems for clients and devices.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Not enabled
Secondary site                Not available

Delete Aged Exchange Partnership

TIP
You may also see this task in the console named Delete Aged Devices Managed by the Exchange Server
Connector.

Use this task to delete aged data about mobile devices managed by the Exchange Server connector. The site
deletes this data according to the Ignore mobile devices that are inactive for more than (days) setting
on the Discovery tab of the Exchange Server connector properties. For more information, see Manage mobile
devices with Configuration Manager and Exchange.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Inventory History


Use this task to delete from the database inventory data that has been stored longer than a specified time. For
more information, see How to use Resource Explorer to view hardware inventory.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Log Data


Use this task to delete from the database aged log data used for troubleshooting. This data isn't related to
Configuration Manager component operations.

IMPORTANT
By default, this task runs daily at each site. At a central administration site and primary sites, the task deletes data that's
older than 30 days. When you use SQL Server Express at a secondary site, make sure that this task runs daily and deletes
data that's inactive for seven days.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Enabled

Delete Aged Notification Server History


This task deletes aged client presence history.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Notification Task History


Use this task to delete from the site database information about client notification tasks. This task applies to data
that hasn't been updated for a specified time. For more information, see Client notifications.
SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Passcode Records


Use this task at the top-level site of your hierarchy to delete aged Passcode Reset data for Windows Phone
devices. Passcode Reset data is encrypted, but does include the PIN for devices. By default, this task is enabled,
and deletes data that is older than one day.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Replication Data


Use this task to delete from the database aged data about database replication between Configuration Manager
sites. When you change the configuration of this maintenance task, the configuration applies to each applicable
site in the hierarchy. For more information, see Monitor database replication.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Enabled

Delete Aged Replication Summary Data


Use this task to delete from the site database aged replication summary data when it hasn't been updated for a
specified time. For more information, see Monitor database replication.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Enabled

Delete Aged Scenario Health History


Use this task to delete from the database aged data for scenario health activity. For more information, see
Monitor scenario health.
SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Software Metering Data


Use this task to delete from the database aged data for software metering that has been stored longer than a
specified time. For more information, see Software metering.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Software Metering Summary Data


Use this task to delete from the database aged summary data for software metering that's been stored longer
than a specified time. For more information, see Software metering.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Status Messages


Use this task to delete from the database aged status message data as configured in status filter rules. For more
information, see Monitor the status system.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Aged Threat Data


Use this task to delete from the database aged Endpoint Protection threat data that's been stored longer than a
specified time. For more information, see Endpoint Protection.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged Unknown Computers


Use this task to delete information about unknown computers from the site database when it hasn't been
updated for a specified time. For more information, see Prepare for unknown computer deployments.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Aged User Device Affinity Data


Use this task to delete aged User Device Affinity data from the database. For more information, see Link users
and devices with user device affinity.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Delete Duplicate System Discovery Data


Use this task to delete from the site database any duplicate records generated by system discovery.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Not available
Secondary site                Not available

Delete Expired MDM Bulk Enroll Package Records


Use this task to delete old Bulk Enrollment certificates and corresponding profiles after the enrollment certificate
has expired. For more information, see Create certificate profiles.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Inactive Client Discovery Data


Use this task to delete from the database discovery data for inactive clients. The site marks clients as inactive
when the client is flagged as obsolete and by configurations that are made for client status.
This task operates only on resources that are Configuration Manager clients. It's different than the Delete Aged
Discovery Data task, which deletes any aged discovery data record. When this task runs at a site, it removes
the data from the database at all sites in a hierarchy. For more information, see How to configure client status.

IMPORTANT
When it's enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This
configuration enables active clients to send a Heartbeat Discovery record to mark their client record as active so this task
doesn't delete them.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Not enabled
Secondary site                Not available

Delete Obsolete Alerts


Use this task to delete from the database expired alerts that have been stored longer than a specified time. For
more information, see Configure alerts.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Obsolete Client Discovery Data


Use this task to delete obsolete client records from the database. A record that's marked as obsolete has usually
been replaced by a newer record for the same client. The newer record becomes the client's current record. For
information about discovery, see Run discovery.

IMPORTANT
When it's enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This
configuration enables the client to send a Heartbeat Discovery record that correctly sets the obsolete status.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Not enabled
Secondary site                Not available

Delete Obsolete Forest Discovery Sites and Subnets


Use this task to delete data about Active Directory sites, subnets, and domains. It removes data that the site
hasn't discovered by the Active Directory Forest Discovery method in the last 30 days. This task removes the
discovery data, but doesn't affect boundaries that you create from this discovery data. For more information, see
Run discovery.

SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Delete Orphaned Client Deployment State Records


Use this task to periodically purge the table that contains client deployment state information. This task cleans
up records associated with obsolete or decommissioned devices.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Evaluate Collection Members


You configure the Collection Membership Evaluation as a site component. For more information, see Site
components.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Monitor Keys
Use this task to monitor the integrity of the Configuration Manager database primary keys. A primary key is a
column or a combination of columns that uniquely identifies one row. The key distinguishes the row from any
other row in a Microsoft SQL Server database table.
SITE TYPE                     STATUS
Central administration site   Enabled
Primary site                  Enabled
Secondary site                Not available

Rebuild Indexes
Use this task to rebuild the Configuration Manager database indexes. An index is a database structure that's
created on a database table to speed up data retrieval. For example, searching an indexed column is often much
faster than searching a column that isn't indexed.
To improve performance, the Configuration Manager database indexes are frequently updated to remain
synchronized with the constantly changing data that's stored in the database. This task:
Rebuilds indexes when they are more than 10% fragmented
For indexes that are less than 30% fragmented, the index is reorganized
For indexes that are greater than 30% fragmented, the index is rebuilt

SITE TYPE                     STATUS
Central administration site   Not enabled
Primary site                  Not enabled
Secondary site                Not enabled
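The following PowerShell script is an added example; it isn't part of the Configuration Manager documentation or product. It produces a read-only fragmentation report for the site database and classifies each index with the same thresholds the Rebuild Indexes task applies, which helps you decide whether to enable the task (it isn't enabled by default) and verify that it's keeping up. The SQL Server name, database name, and minimum page count are placeholders and assumptions; the script uses integrated Windows authentication and changes nothing in the database.

```powershell
# Added example; not from the Configuration Manager documentation or product.
# Read-only report of index fragmentation in the site database, classified by
# the thresholds the Rebuild Indexes task uses (ignore up to 10%, reorganize
# between 10% and 30%, rebuild above 30%). It does not modify any index.
# Assumptions: integrated Windows authentication to SQL Server, placeholder
# server and database names, and a minimum page count that filters out small
# indexes whose fragmentation figures are meaningless.
param(
    [string]$SqlServer    = 'cmdb01.contoso.local',  # placeholder SQL Server host
    [string]$Database     = 'CM_PS1',                # placeholder site database (CM_<sitecode>)
    [int]   $MinPageCount = 1000                     # assumption: ignore indexes below ~8 MB
)

# LIMITED mode scans only the upper index levels, so it is cheap enough to run
# against a live site database.
$query = @"
SELECT  OBJECT_SCHEMA_NAME(ps.object_id) AS SchemaName,
        OBJECT_NAME(ps.object_id)        AS TableName,
        i.name                           AS IndexName,
        ps.avg_fragmentation_in_percent  AS FragmentationPct,
        ps.page_count                    AS PageCount
FROM    sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN    sys.indexes AS i
        ON i.object_id = ps.object_id AND i.index_id = ps.index_id
WHERE   i.name IS NOT NULL            -- skip heaps (index_id 0 has no name)
  AND   ps.page_count >= @minPages
ORDER BY ps.avg_fragmentation_in_percent DESC;
"@

function Get-IndexAction {
    # Maps a fragmentation percentage to the action the Rebuild Indexes task
    # takes. Exactly 30% is treated as "reorganize" (assumption; the article
    # states the thresholds as "less than" and "greater than" 30%).
    param([double]$FragmentationPct)
    if ($FragmentationPct -le 10) { return 'none' }
    if ($FragmentationPct -le 30) { return 'reorganize' }
    return 'rebuild'
}

function Get-SiteDbFragmentation {
    param([string]$Server, [string]$Db, [int]$MinPages)

    # Encrypt=True requires a certificate the client trusts on the SQL Server.
    $connString = "Server=$Server;Database=$Db;Integrated Security=True;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText    = $query
    $cmd.CommandTimeout = 600          # a LIMITED scan of a large site database can take minutes
    $minPagesParam = $cmd.Parameters.Add('@minPages', [System.Data.SqlDbType]::Int)
    $minPagesParam.Value = $MinPages

    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $pct = [double]$reader['FragmentationPct']
            [pscustomobject]@{
                Table            = "$($reader['SchemaName']).$($reader['TableName'])"
                Index            = $reader['IndexName']
                FragmentationPct = [math]::Round($pct, 1)
                Pages            = [int]$reader['PageCount']
                Action           = Get-IndexAction -FragmentationPct $pct
            }
        }
    }
    finally {
        $conn.Dispose()
    }
}

$report = Get-SiteDbFragmentation -Server $SqlServer -Db $Database -MinPages $MinPageCount

# Summary by action, then the indexes the task would touch.
$report | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Action -ne 'none' } | Format-Table -AutoSize
```

The account that runs the script needs VIEW DATABASE STATE on the site database to read the dynamic management view. If the "rebuild" group stays large after the task has been enabled, check its schedule and the task status in the Maintenance Tasks tab before changing anything in SQL Server directly.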

Summarize Installed Software Data


Use this task to summarize the data from collected asset intelligence software information through the
hardware inventory to merge multiple records into one general record. Data summarization can compress the
amount of data that's stored in the Configuration Manager database. For more information, see Configure Asset
Intelligence maintenance tasks.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Summarize Software Metering File Usage Metering Data


Use this task to summarize the data from multiple records for software metering file usage into one general
record. Data summarization can compress the amount of data that's stored in the Configuration Manager
database.
To summarize software metering data and to conserve disk space in the database, use this task with the
Summarize Software Metering Monthly Usage Data task. For more information, see Software metering.
SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Summarize Software Metering Monthly Usage Data


Use this task to summarize the data from multiple records for software metering monthly usage into one
general record. Data summarization can compress the amount of data that's stored in the Configuration
Manager database.
To summarize software metering data and to conserve space in the database, use this task with the Summarize
Software Metering File Usage Data task. For more information, see Software metering.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Update Application Available Targeting


Use this task to have Configuration Manager recalculate the mapping of policy and application deployments to
resources in collections. When you deploy policy or applications to a collection, Configuration Manager creates
an initial mapping between the objects that you deploy and the collection members.
These mappings are stored in a table for quick reference. When a collection's membership changes, the site
updates these stored mappings to reflect those changes. However, it's possible for these mappings to fall out of
sync. For example, if the site fails to properly process a notification file, that change might not be reflected in a
change to the mappings. This task refreshes the mappings based on current collection membership.

SITE TYPE                     STATUS
Central administration site   Not available
Primary site                  Enabled
Secondary site                Not available

Update Application Catalog Tables


This task exists in the site, but isn't used. The application catalog is no longer supported.

See also
Maintenance tasks
Modify your Configuration Manager infrastructure
2/16/2022 • 15 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


After you install one or more sites, you might need to modify configurations or take actions that affect
your infrastructure.

Manage the SMS provider


The SMS provider provides the point of administrative contact for one or more Configuration Manager
consoles. When you install multiple SMS providers, you can provide redundancy for contact points to administer
your site and hierarchy.
At each Configuration Manager site, you can rerun setup to:
Add an additional instance of the SMS provider. Each additional instance of the SMS provider must be on
a separate computer.
Remove an instance of the SMS provider. To remove the last SMS provider for a site, you must uninstall
the site.
Monitor the installation or removal of the SMS provider by viewing the ConfigMgrSetup.log in the root folder
of the site server on which you run setup.
Before you modify the SMS provider at a site, see Plan for the SMS provider.
Manage the SMS provider configuration for a site
1. Run Configuration Manager Setup from \BIN\X64\setup.exe in the Configuration Manager site
installation folder.
2. On the Getting Started page, select Perform site maintenance or reset this site.
3. On the Site Maintenance page, select Modify SMS provider configuration.
4. On the Manage SMS providers page, select one of the following options:
Add a new SMS provider: Specify the FQDN for a computer to host the SMS provider that
doesn't currently host it.
Uninstall the specified SMS provider: Select the name of the computer from which you want
to remove the SMS provider.

TIP
To move the SMS provider between two computers, first install it to the new computer. Then remove it from the
original location. There's no option to move the SMS provider between computers.

After the setup wizard finishes, the SMS provider configuration is complete. In the site Properties, on the
General tab, verify the computers that have an SMS provider installed for a site.

Manage the Configuration Manager console


The following tasks help you manage the Configuration Manager console:
To modify the language that displays in the Configuration Manager console, see the Manage
Configuration Manager console language section.
To install additional consoles, see Install Configuration Manager consoles.
To configure DCOM permissions to enable consoles that are remote from the site server, see the
Configure DCOM permissions for remote Configuration Manager consoles section.
To modify administrative permissions to limit what users can see and do in the console, see Modify the
administrative scope of an administrative user.
Manage Configuration Manager console language
During site server installation, the Configuration Manager console installation files and supported language
packs for the site are copied to the \Tools\ConsoleSetup subfolder of the Configuration Manager installation
path on the site server.
When you start the Configuration Manager console installation from this folder on the site server, it
copies the Configuration Manager console and supported language pack files to the computer.
When a language pack is available for the current language setting on the computer, the Configuration
Manager console opens in that language.
If the associated language pack isn't available for the Configuration Manager console, the console opens
in English (United States).
For example, you install the Configuration Manager console from a site server that supports English, German,
and French. If you open the Configuration Manager console on a computer with a configured language setting
of French, the console opens in French. If you open the Configuration Manager console on a computer with a
configured language of Japanese, the console opens in English because the Japanese language pack isn't
available.
Each time the Configuration Manager console opens, it:
Determines the configured language settings for the computer
Verifies whether an associated language pack is available for the Configuration Manager console
Opens the console by using the appropriate language pack
When you want to open the Configuration Manager console in English regardless of the configured language
settings on the computer, remove or rename the language pack files on the computer.
Use the following procedures to start the Configuration Manager console in English regardless of the
configured locale setting on the computer.
Install an English-only version of the Configuration Manager console on computers
1. In Windows Explorer, browse to \Tools\ConsoleSetup\LanguagePack in the Configuration Manager
installation path.
2. Rename the .msp and .mst files. For example, you could change <file name>.MSP to
<file name>.MSP.disabled.
3. Install the Configuration Manager console on the computer.

IMPORTANT
When new server languages are configured for the site server, the .msp and .mst files are recopied to the
LanguagePack folder, and you must repeat this procedure to install new Configuration Manager consoles in only
English.
Temporarily disable a console language on an existing Configuration Manager console installation
1. On the computer that is running the Configuration Manager console, close the Configuration Manager
console.
2. In Windows Explorer, browse to <ConsoleInstallationPath>\Bin\ on the Configuration Manager console
computer.
3. Rename the appropriate language folder for the language that is configured on the computer. For
example, if the language settings for the computer were set for German, you could rename the de folder
to de.disabled.
4. To open the Configuration Manager console in the language that is configured for the computer, rename
the folder to the original name. For example, rename de.disabled to de.

Configure DCOM permissions for remote consoles


The user account that runs the Configuration Manager console requires permission to access the site database
by using the SMS provider. However, an administrative user who uses a remote Configuration Manager console
also requires Remote Activation DCOM permissions on:
The site server computer
Each computer that hosts an instance of the SMS provider
The security group named SMS Admins grants access to the SMS provider on a computer, and can also be
used to grant the required DCOM permissions. This group is local to the computer when the SMS provider runs
on a member server. It's a domain local group when the SMS provider runs on a domain controller.

IMPORTANT
The Configuration Manager console uses WMI to connect to the SMS provider, and WMI internally uses DCOM. If the
Configuration Manager console runs on a computer other than the SMS provider computer, it requires permissions to
activate a DCOM server on the SMS provider computer. By default, Remote Activation is granted only to the members of
the built-in Administrators group.
If you allow the SMS Admins group to have Remote Activation permission, a member of this group could attempt DCOM
attacks against the SMS provider computer. This configuration also increases the attack surface of the computer. To
mitigate this threat, carefully monitor the membership of the SMS Admins group.

Use the following procedure to configure each central administration site (CAS), primary site server, and each
computer where the SMS provider is installed to grant remote Configuration Manager console access for
administrative users.
Configure DCOM permissions for remote Configuration Manager console connections
1. As an administrator on the target computer, run Dcomcnfg.exe to open Component Services.
2. Expand Component Services, expand Computers, and then select My Computer. On the Action
menu, select Properties.
3. In the My Computer Properties window, switch to the COM Security tab. In the Launch and
Activation Permissions section, select Edit Limits.
4. In the Launch and Activation Permissions window, select Add.
5. In the Select Users, Computers, Service Accounts, or Groups window, in the Enter the object
names to select field, type SMS Admins, and then select OK.
TIP
To locate the SMS Admins group, you might have to change the setting From this Location. This group is local
to the computer when the SMS provider runs on a member server, and is a domain local group when the SMS
provider runs on a domain controller.

6. In the Permissions for SMS Admins section, to allow remote activation, select the Allow column for
the Remote Activation row.
7. Select OK to save changes and close all windows.
Your computer is now configured to allow remote Configuration Manager console access to members of the
SMS Admins group.
Repeat this procedure on each SMS provider computer that supports remote Configuration Manager consoles.
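The IMPORTANT note above asks you to monitor the membership of the SMS Admins group once it holds Remote Activation. The following PowerShell is an added example (not from the Configuration Manager documentation) that reports drift against an approved baseline, handling both cases the docs describe: a local group on a member server and a domain local group on a domain controller. The approved member list is a constructed placeholder, and the domain-controller branch assumes the ActiveDirectory module is installed.

```powershell
# Added example, not from the Configuration Manager docs: report membership drift in the
# SMS Admins group after granting it Remote Activation. Run elevated on each SMS provider host.
$GroupName = 'SMS Admins'
# Constructed baseline for illustration; replace with the principals your site design approves.
$ApprovedMembers = @('CONTOSO\CM-FullAdmins', 'CONTOSO\svc-cmprovider')

function Get-SmsAdminsMembers {
    param([string]$Group = $GroupName)
    # On a member server the group is a local group; on a domain controller it is a domain
    # local group (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        # ActiveDirectory module assumed. Direct members only, so nested groups in the
        # baseline are compared as groups rather than expanded to users.
        $netbios = (Get-ADDomain).NetBIOSName
        Get-ADGroupMember -Identity $Group |
            ForEach-Object { "$netbios\$($_.SamAccountName)" }
    } else {
        # Get-LocalGroupMember already returns DOMAIN\name or COMPUTER\name.
        Get-LocalGroupMember -Group $Group | Select-Object -ExpandProperty Name
    }
}

function Compare-SmsAdminsMembership {
    param([string[]]$Current, [string[]]$Approved)
    # -contains compares strings case-insensitively, which suits account names.
    $added   = @($Current  | Where-Object { $Approved -notcontains $_ })
    $removed = @($Approved | Where-Object { $Current  -notcontains $_ })
    [pscustomobject]@{
        Added   = $added      # present on the server but not in the approved baseline
        Removed = $removed    # approved but no longer a member
        InDrift = ($added.Count -gt 0) -or ($removed.Count -gt 0)
    }
}

$report = Compare-SmsAdminsMembership -Current (Get-SmsAdminsMembers) -Approved $ApprovedMembers
if ($report.InDrift) {
    $report.Added   | ForEach-Object { Write-Warning "Unexpected SMS Admins member: $_" }
    $report.Removed | ForEach-Object { Write-Warning "Approved member missing from SMS Admins: $_" }
} else {
    Write-Output "SMS Admins membership on $env:COMPUTERNAME matches the approved baseline."
}
```

Schedule it on each SMS provider computer and forward the warnings to your monitoring system; an unexpected member is the signal the note asks you to watch for.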

Modify the site database configuration


After you install a site, you can modify the configuration of the site database and site database server. Run
Configuration Manager setup on a CAS server or primary site server to make changes. You can move the site
database to a new instance of SQL Server on the same computer, or to a different computer that runs a
supported version of SQL Server. These changes aren't supported for the database configuration at secondary
sites.
For more information about the limits of support, see Support policy for manual database changes in a
Configuration Manager environment.

NOTE
When you modify the database configuration for a site, Configuration Manager restarts or reinstalls Configuration
Manager services on the site server and remote site system servers that communicate with the database.

Modify the database configuration


Run Configuration Manager setup on the site server, and select the option Perform site maintenance or
reset this site. Then select the Modify SQL Server configuration option. You can change the following site
database configurations:
The Windows-based server that hosts the database.
The instance of SQL Server in use on a server that hosts the SQL Server database.
The database name.
SQL Server port in use by Configuration Manager.
SQL Server Service Broker port in use by Configuration Manager.
Move the site database
If you move the site database, also review the following configurations:
When you move the site database to a new computer, add the computer account of the site server to the
local Administrators group on the computer that runs SQL Server. If you use a SQL Server Always On
failover cluster instance for the site database, add the computer account to the local Administrators
group of each Windows Server cluster node computer.
When you move the database to a new instance on SQL Server, or to a new SQL Server computer, enable
common language runtime (CLR) integration. Use SQL Server Management Studio to connect to the
instance of SQL Server that hosts the site database. Then run the following stored procedure as a query:
sp_configure 'clr enabled',1; reconfigure

Make sure the new SQL Server has access to the backup location. When you use a UNC for storing your
site database backup, after moving the database to a new server, make sure the computer account of the
new SQL Server has write permissions to the UNC location. This configuration includes when you move
to a SQL Server Always On availability group or a failover cluster instance.

IMPORTANT
Before you move a database that has one or more database replicas for management points, first remove the database
replicas. After you complete the database move, you can reconfigure database replicas. For more information, see
Database replicas for management points.

Manage the SPN for the site database server


You can choose the account that runs SQL Server services for the site database:
When the services run with the computer's system account, it automatically registers the service principal
name (SPN) for you.
When the services run with a domain local user account, manually register the SPN. The SPN allows SQL
Server clients and other site systems to authenticate with Kerberos. Without Kerberos authentication,
communication to the database might fail.
For more information about SPNs and Kerberos connections, see Register a service principal name for Kerberos
connections.
Register an SPN for the SQL Server service account of the site database server by using the Setspn tool. Run
Setspn as a Domain Administrator on a computer in the same domain as the SQL Server.
The following procedures are examples of how to manage the SPN for the SQL Server service account. For
more information about Setspn, see Setspn Overview.
Manually create a domain user SPN for the SQL Server service account
1. Open a command prompt as an administrator.
2. Enter a valid command to create the SPN for both the NetBIOS name and the FQDN:

IMPORTANT
When you create an SPN for a SQL Server Always On failover cluster instance, specify the virtual name of the
failover cluster instance as the SQL Server computer name.

NetBIOS name: setspn -A MSSQLSvc/<SQL Server computer name>:<port> <Domain\Account>

For example: setspn -A MSSQLSvc/sqlserver:1433 contoso\sqlservice

FQDN: setspn -A MSSQLSvc/<SQL Server FQDN>:<port> <Domain\Account>

For example: setspn -A MSSQLSvc/sqlserver.contoso.com:1433 contoso\sqlservice


NOTE
The command to register an SPN for a SQL Server named instance is the same as that you use when you register
an SPN for a default instance. The only exception is that the port number must match the port that the named
instance uses.

Verify the domain user SPN is registered correctly


1. Open a command prompt as an administrator.
2. Enter the following command: setspn -L <domain\SQL Server service account>

For example: setspn -L contoso\sqlservice

3. Review the registered ServicePrincipalName values. Make sure that you created a valid SPN for the SQL
Server.
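The verification step above is manual. As an added example (not from the Configuration Manager documentation), the following PowerShell parses setspn -L output and checks that both SPN forms the procedure creates, NetBIOS name and FQDN, are present for the service account. The account, host names and port reuse the docs' example values and are placeholders for your own environment.

```powershell
# Added example, not from the Configuration Manager docs: verify that the SQL Server service
# account holds the MSSQLSvc SPNs the procedure above registers, for both the NetBIOS name
# and the FQDN. The values below reuse the docs' example names and are placeholders.
$ServiceAccount = 'contoso\sqlservice'
$SqlNetbiosName = 'sqlserver'            # for a failover cluster instance use the virtual name
$SqlFqdn        = 'sqlserver.contoso.com'
$SqlPort        = 1433                   # must match the port a named instance listens on

function Get-ExpectedSqlSpns {
    param([string]$NetbiosName, [string]$Fqdn, [int]$Port)
    # Clients may build the SPN from either name, so both must exist.
    @("MSSQLSvc/${NetbiosName}:$Port", "MSSQLSvc/${Fqdn}:$Port")
}

function Get-RegisteredSpns {
    param([string]$Account)
    # setspn -L prints a header line followed by one indented SPN per line; keep only
    # the lines that look like <service class>/<host>.
    & setspn.exe -L $Account 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9_-]+/' }
}

function Test-SqlSpnRegistration {
    param([string[]]$Registered, [string[]]$Expected)
    # -contains compares case-insensitively, so differences in host name casing don't
    # produce false "missing" reports.
    $missing = @($Expected | Where-Object { $Registered -notcontains $_ })
    [pscustomobject]@{ Missing = $missing; Ok = ($missing.Count -eq 0) }
}

$expected   = Get-ExpectedSqlSpns -NetbiosName $SqlNetbiosName -Fqdn $SqlFqdn -Port $SqlPort
$registered = Get-RegisteredSpns -Account $ServiceAccount
$result     = Test-SqlSpnRegistration -Registered $registered -Expected $expected

if ($result.Ok) {
    Write-Output "Both MSSQLSvc SPNs are registered for $ServiceAccount."
} else {
    foreach ($spn in $result.Missing) {
        Write-Warning "Missing SPN $spn. Register it with: setspn -A $spn $ServiceAccount"
    }
}

# The same SPN registered on a second account also breaks Kerberos for SQL Server. setspn -X
# lists duplicates across the domain; only the MSSQLSvc-related lines are shown here.
& setspn.exe -X 2>&1 | Where-Object { $_ -match 'MSSQLSvc|duplicate' }
```

Run it as a domain account on a computer in the same domain as the SQL Server, the same context the docs require for Setspn.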
Change the SQL Server service account from local system to a domain user account
1. Create or select a domain or local system user account that you want to use as the SQL Server service
account.
2. Open SQL Server Configuration Manager.
3. Select SQL Server Services, and then open SQL Server <INSTANCE NAME>.
4. Switch to the Log on tab. Select This account , and then enter the user name and password for the
domain user account from step 1.
5. Confirm the service account change and restart the SQL Server service.

Run a site reset


When a site reset runs at a CAS or primary site, the site:
Reapplies the default Configuration Manager file and registry permissions
Reinstalls all site components and all site system roles
Secondary sites don't support site reset.
You can manually reset a site. A site reset also runs automatically after you modify the site configuration. For
example:
If there has been a change to the accounts used by Configuration Manager components, consider a
manual site reset. This action makes sure the site components update to use the new account details.
If you modify the client or server languages at a site, Configuration Manager automatically runs a site
reset. The site requires a reset to use the new languages.

NOTE
A site reset doesn't reset access permissions to non-Configuration Manager objects.

What happens during a site reset


When a site reset runs:
1. Setup stops and restarts the SMS_SITE_COMPONENT_MANAGER service and the thread components
of the SMS_EXECUTIVE service.
2. Setup removes and recreates the site system share folder and the SMS Executive component on the
local computer and on remote site system computers.
3. Setup restarts the SMS_SITE_COMPONENT_MANAGER service, which installs the SMS_EXECUTIVE
and the SMS_SQL_MONITOR services.
Site reset restores the following objects:
The SMS or NAL registry keys, and any default subkeys under these keys.
The Configuration Manager file directory tree, and any default files or subdirectories in this file directory
tree.
Prerequisites for site reset
The account that you use to reset a site must have the following permissions:
To reset the CAS:
A local Administrator on the CAS server
Privileges that are equivalent to the Full Administrator role-based administration security role
To reset a primary site:
A local Administrator on the primary site server
Privileges that are equivalent to the Full Administrator role-based administration security role
If the primary site is in a hierarchy with a CAS, this account must also be a local Administrator on
the CAS server.
Limitations for a site reset
If the hierarchy is configured to support testing client upgrades in a pre-production collection, you can't use a
site reset to change the server or client language packs at sites.
Run a site reset
1. Start Configuration Manager setup on the site server by using one of the following methods:
On the Start menu, select Configuration Manager Setup.
In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe. Make sure this version is the same as the site version.
In the directory where Configuration Manager is installed, open \BIN\X64\setup.exe.
2. On the Getting Started page, select Perform site maintenance or reset this site.
3. On the Site Maintenance page, select Reset site with no configuration changes.
4. Select Yes to begin the site reset.

Manage language packs at a site


After a site installs, you can change the server and client language packs that are in use.
Server language packs
Applies to: Configuration Manager console installations, new installations of applicable site system roles
After you update the server language packs at a site, you can add support for the language packs to
Configuration Manager consoles.
To add support for a server language pack to a Configuration Manager console, install the Configuration
Manager console from the ConsoleSetup folder on a site server that includes the language pack that you want
to use. If the Configuration Manager console is already installed, you must first uninstall it to enable the new
installation to identify the current list of supported language packs.
Client language packs
Changes to the client language packs update the client installation source files. New client installations and
upgrades add support for the updated list of client languages.
After you update the client language packs at a site, install each client that will use the language packs by using
source files that include the client language packs.
For more information about the client and server languages that Configuration Manager supports, see
Language Packs.
Modify the supported language packs at a site
1. Start Configuration Manager setup on the site server by using one of the following methods:
On the Start menu, select Configuration Manager Setup.
In the directory for the Configuration Manager installation media, open
\SMSSETUP\BIN\X64\setup.exe. Make sure this version is the same as the site version.
In the directory where Configuration Manager is installed, open \BIN\X64\setup.exe.
2. On the Getting Started page, select Perform site maintenance or reset this site.
3. On the Site Maintenance page, select Modify language configuration.
4. On the Prerequisites Downloads page, select one of the following options:
Download required files: Acquire updates to language packs.
Use previously downloaded files: Use previously downloaded files that include the language
packs you want to add to the site.
5. On the Server Language Selection page, select the server languages this site supports.
6. On the Client Language Selection page, select the client languages that this site supports.
7. Complete the wizard to modify language support at the site.

NOTE
Configuration Manager initiates a site reset, which also reinstalls all site system roles at the site.

Modify the database server alert threshold


By default, Configuration Manager generates alerts when free disk space on a site database server is low:
Generate a warning when there's 10 GB or less of free disk space
Generate a critical alert when there's 5 GB or less of free disk space
You can modify these values or disable alerts for each site:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the site that you want to configure. In the ribbon, select Properties.
3. Switch to the Alert tab, and then edit the settings.

Uninstall sites and hierarchies


You may need to uninstall a Configuration Manager site system role, site, or hierarchy. For more information,
see Uninstall roles, sites, and hierarchies.
Starting in version 2002, you can also remove the CAS from a hierarchy, but keep the primary site. For more
information, see Remove the CAS.
The CD.Latest folder for Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Configuration Manager has a process to deliver updates to the product from within the Configuration Manager
console. To support this new method of updating Configuration Manager, a new folder is created named
CD.Latest . This folder contains a copy of the Configuration Manager installation files for the updated version of
your site.
The CD.Latest folder contains a folder named Redist , which contains the redistributable files that setup
downloads and uses. These files are matched to the version of Configuration Manager files found in that
CD.Latest folder. When you run Setup from a CD.Latest folder, you must use files that are matched to that version
of Setup. You can either direct Setup to download new and current files from Microsoft, or direct Setup to use
the files from the Redist folder included in the CD.Latest folder.
Baseline media doesn't include a Redist folder. The site doesn't create a Redist folder until you install an in-
console update. In the meantime, use the Redist folder that you used when installing sites from the baseline
media.

TIP
Make sure the redistributable files you use are current. If you haven't recently downloaded redistributable files, plan to
allow Setup to do so from Microsoft.

The following scenarios create or update the CD.Latest folder on a central administration site or primary site
server:
When you install an update or hotfix from within the Configuration Manager console, the site creates or
updates the folder in the Configuration Manager installation folder.
When you run the built-in Configuration Manager backup task, the site creates or updates the folder
under the designated backup folder location.
When you install a new site using baseline media, the site creates the CD.Latest folder.

Supported scenarios
The source files from the CD.Latest folder are supported for the following scenarios:
Backup and recovery
To recover a site, use the source files from a CD.Latest folder that matches your site. When you run a site backup
using the built-in site backup task, the CD.Latest folder is included as part of the backup.
When you reinstall a site as part of a site recovery, you install the site from the CD.Latest folder included
in your backup. This action installs the site using the file versions that match your site backup and site
database.
If you don't have access to the correct CD.Latest folder version, get the CD.Latest folder with the
correct file versions by installing a site in a lab environment. Then update that site to match the
version you want to recover.
If you don't have the correct CD.Latest folder and its contents available, you can't recover a site. In
this circumstance, you need to reinstall the site.
When you don't have a CD.Latest folder, but do have a working child primary site or central
administration site, you can use that site as a reference site for a site recovery.
Install a child primary site
When you want to install a new child primary site below a central administration site that has installed one or
more in-console updates, use Setup and the source files from the CD.Latest folder from the central
administration site. This process uses installation source files that match the version of the central
administration site. For more information, see Use the Setup Wizard to install sites.
Expand a stand-alone primary site
When you expand a stand-alone primary site by installing a new central administration site, use Setup and the
source files from the CD.Latest folder from the primary site. This process uses installation source files that match
the version of the primary site. For more information, see Expand a stand-alone primary site.
Install a secondary site
When you want to install a new secondary site below a primary site that has installed one or more in-console
updates, use the source files from the CD.Latest folder from the primary site.
For more information, see Install a secondary site.

Unsupported scenarios
The updated CD.Latest source files aren't supported for:
Installing a new site for a new hierarchy
Upgrading a Microsoft System Center 2012 Configuration Manager site to Configuration Manager current
branch
Installing Configuration Manager clients
Installing Configuration Manager consoles

Next steps
Updates for Configuration Manager
Upgrade on-premises infrastructure that supports
Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use the information in this article to help you upgrade the server infrastructure that runs Configuration
Manager.
If you want to upgrade from an earlier version to Configuration Manager, current branch, see Upgrade to
Configuration Manager.
If you want to update your Configuration Manager, current branch, infrastructure to a new version, see
Updates for Configuration Manager.

Upgrade the OS of site systems


Configuration Manager supports the in-place upgrade of the server OS that hosts a site server and any site
system role, in the following situations:
If Configuration Manager still supports the resulting service pack level of Windows, it supports in-place
upgrade to a later Windows Server service pack.
In-place upgrade from:
Windows Server 2019 to Windows Server 2022
Windows Server 2016 to Windows Server 2022
Windows Server 2016 to Windows Server 2019
Windows Server 2012 R2 to Windows Server 2019
Windows Server 2012 R2 to Windows Server 2016
Windows Server 2012 to Windows Server 2016
Windows Server 2012 to Windows Server 2012 R2
Windows Server 2008 R2 to Windows Server 2012 R2
To upgrade a server, use the upgrade procedures provided by the OS you're upgrading to. See the following
articles:
Windows Server Upgrade Center
Upgrade and conversion options for Windows Server 2016
Upgrade Options for Windows Server 2012 R2
Upgrade to Windows Server 2016, 2019, or 2022
Use the steps in this section for any of the following upgrade scenarios:
Upgrade either Windows Server 2016 or Windows Server 2019 to Windows Server 2022
Upgrade either Windows Server 2012 R2 or Windows Server 2016 to Windows Server 2019
Upgrade either Windows Server 2012 or Windows Server 2012 R2 to Windows Server 2016
Before upgrade
(Windows Server 2012 or Windows Server 2012 R2 only): Remove the System Center Endpoint
Protection (SCEP) client. Windows Server now has Windows Defender built in, which replaces the SCEP
client. The presence of the SCEP client can prevent an upgrade to Windows Server.
(Windows Server 2012 or Windows Server 2012 R2 only): Install the latest Cumulative Update and
uninstall Windows Management Framework 5.1 before attempting the upgrade.
Remove the WSUS role from the server if it's installed. You may keep the SUSDB and reattach it once
WSUS is reinstalled.
If you're upgrading the OS of the site server, make sure file-based replication is healthy for the site. Check
all inboxes for a backlog on both sending and receiving sites. If there are lots of stuck or pending
replication jobs, wait until they clear out.
On the sending site, review sender.log .
On the receiving site, review despooler log .
After upgrade
Make sure Windows Defender is enabled, set for automatic start, and running.
Make sure the following Configuration Manager services are running:
SMS_EXECUTIVE
SMS_SITE_COMPONENT_MANAGER
Make sure the Windows Process Activation and WWW/W3svc services are enabled and set for
automatic start. The upgrade process disables these services, so make sure they're running for the
following site system roles:
Site server
Management point
Make sure each server that hosts a site system role continues to meet all prerequisites. For example, you
might need to reinstall BITS, WSUS, or configure specific settings for IIS.
After restoring any missing prerequisites, restart the server one more time to make sure services are
started and operational.
If you're upgrading the primary site server, then run a site reset.
Known issue for remote Configuration Manager consoles
After you upgrade the site server, or an instance of the SMS Provider, you can't connect with the Configuration
Manager console. To work around this problem, manually restore permissions for the SMS Admins group in
WMI. Permissions must be set on the site server, and on each remote server that hosts an instance of the SMS
Provider:
1. On the applicable servers, open the Microsoft Management Console (MMC) and add the snap-in for WMI
Control, and then select Local computer.
2. In the MMC, open the Properties of WMI Control (Local) and select the Security tab.
3. Expand the tree below Root, select the SMS node, and then choose Security. Make sure the SMS
Admins group has the following permissions:
Enable Account
Remote Enable
4. On the Security tab below the SMS node, select the site_<sitecode> node, and then choose Security.
Make sure the SMS Admins group has the following permissions:
Execute Methods
Provider Write
Enable Account
Remote Enable
5. Save the permissions to restore access for the Configuration Manager console.
Known issue for remote site systems
After you upgrade a server that hosts a site system role, the value Software\Microsoft\SMS may be missing from
the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths
If this value is missing after you upgrade Windows on the server, manually add it. Otherwise site system roles
can have issues uploading files to the site server inboxes.
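The "After upgrade" lists above (for Windows Server 2016 and later, and again for Windows Server 2012 R2) and this known issue are all checks a practitioner repeats on every upgraded server. As an added example (not from the Configuration Manager documentation), the following PowerShell performs two of them: it reports the services the upgrade can leave disabled, and it verifies (and optionally restores) the Software\Microsoft\SMS entry in the Winreg AllowedPaths key. The service names are the standard Windows service names for the services the lists describe; the Machine value name under AllowedPaths is the standard REG_MULTI_SZ that Remote Registry consults.

```powershell
# Added example, not from the Configuration Manager docs: post-upgrade check for a site
# server or site system role host. Covers the services the OS upgrade can leave disabled
# and the Winreg AllowedPaths entry that the upgrade can remove. Run elevated on the server.
$RequiredServices = @(
    'SMS_EXECUTIVE'               # Configuration Manager executive
    'SMS_SITE_COMPONENT_MANAGER'  # site component manager (site servers)
    'WAS'                         # Windows Process Activation Service (site server, management point)
    'W3SVC'                       # World Wide Web Publishing Service (site server, management point)
    'WinDefend'                   # Microsoft Defender Antivirus, which replaced the SCEP client
)
$AllowedPathsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
$SmsAllowedPath  = 'Software\Microsoft\SMS'

function Test-CMServices {
    param([string[]]$Names = $RequiredServices)
    # Win32_Service is used instead of Get-Service so StartMode is available on older
    # Windows PowerShell versions. Ok is $true only for Auto start and Running state.
    foreach ($name in $Names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; StartMode = 'n/a'; State = 'not installed'; Ok = $false }
            continue
        }
        [pscustomobject]@{
            Service   = $name
            StartMode = $svc.StartMode
            State     = $svc.State
            Ok        = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
        }
    }
}

function Test-WinregAllowedPath {
    param([switch]$Repair)
    # 'Machine' is a REG_MULTI_SZ list of registry paths that remote callers may read through
    # the Remote Registry service; site system roles need Software\Microsoft\SMS in it.
    $current = @((Get-ItemProperty -Path $AllowedPathsKey -Name Machine -ErrorAction Stop).Machine)
    if ($current -contains $SmsAllowedPath) { return $true }
    if ($Repair) {
        # Append rather than overwrite, so the other entries in the list are preserved.
        Set-ItemProperty -Path $AllowedPathsKey -Name Machine -Type MultiString -Value ($current + $SmsAllowedPath)
        return $true
    }
    return $false
}

$services = Test-CMServices
$services | Format-Table -AutoSize
$services | Where-Object { -not $_.Ok } | ForEach-Object { Write-Warning "Service needs attention: $($_.Service)" }
if (Test-WinregAllowedPath) {
    Write-Output "AllowedPaths\Machine contains $SmsAllowedPath."
} else {
    Write-Warning "AllowedPaths\Machine is missing $SmsAllowedPath; run Test-WinregAllowedPath -Repair to add it."
}
```

On a server that hosts only a site system role, SMS_SITE_COMPONENT_MANAGER is reported as not installed; that is expected, since the list above applies it to site servers.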
Upgrade to Windows Server 2012 R2
When you upgrade from either Windows Server 2008 R2 or Windows Server 2012 to Windows Server 2012
R2, the following conditions apply:
Before upgrade to Server 2012 R2
On Windows Server 2012: Remove the WSUS role from the server if it's installed. You may keep the
SUSDB and reattach it once WSUS is reinstalled.
On Windows Server 2008 R2: Before you upgrade to Windows Server 2012 R2, you must uninstall
WSUS 3.2 from the server. You may keep the SUSDB and reattach it once WSUS is reinstalled. For more
information, see Windows Server Update Services Overview.
If you're upgrading the OS of the site server, make sure file-based replication is healthy for the site. Check
all inboxes for a backlog on both sending and receiving sites. If there are lots of stuck or pending
replication jobs, wait until they clear out.
On the sending site, review sender.log .
On the receiving site, review despooler log .
After upgrade to Server 2012 R2
The upgrade process disables the Windows Deployment Services. Make sure this service is started and
running for the following site system roles:
Site server
Management point
Make sure the Windows Process Activation and WWW/W3svc services are enabled and set for
automatic start. The upgrade process disables these services, so make sure they're running for the
following site system roles:
Site server
Management point
Make sure each server that hosts a site system role continues to meet all prerequisites. For example, you
might need to reinstall BITS, WSUS, or configure specific settings for IIS.
After restoring any missing prerequisites, restart the server one more time to make sure services are
started and operational.
Unsupported upgrade scenarios
The following Windows Server upgrade scenarios are commonly asked about, but not supported by
Configuration Manager:
Windows Server 2008 to Windows Server 2012 or later
Windows Server 2008 R2 to Windows Server 2012

Upgrade the OS of clients


Configuration Manager supports an in-place upgrade of the OS for Configuration Manager clients in the
following situations:
If Configuration Manager supports the resulting service pack level, it supports in-place upgrade to a later
Windows service pack.
In-place upgrade of Windows from a supported version to Windows 10 or later. For more information,
see Upgrade Windows to the latest version.
Build-to-build servicing upgrades of Windows 10 or later. For more information, see Manage Windows as
a service.

Upgrade SQL Server


Configuration Manager supports an in-place upgrade of SQL Server on the site database server.
For information about the versions of SQL Server that Configuration Manager supports, see Support for SQL
Server versions.
Upgrade the service pack version of SQL Server
If Configuration Manager still supports the resulting SQL Server service pack level, it supports the in-place
upgrade of SQL Server to a later service pack.
When you have more than one Configuration Manager site in a hierarchy, each site can run a different service
pack version of SQL Server. There's no limitation to the order in which sites upgrade the service pack version of
SQL Server.

IMPORTANT
If you use BitLocker management in Configuration Manager, and you encrypt recovery data in the database, before you
upgrade SQL Server, make sure the certificate is for a supported version. For example, certificates created with SQL Server
2014 or earlier aren't compatible with SQL Server 2016 or later. For more information, see Manage the encryption
certificate on SQL Server upgrade.

Upgrade to a new version of SQL Server


Configuration Manager supports the in-place upgrade of SQL Server to the following versions:
SQL Server 2019
SQL Server 2017
SQL Server 2016
SQL Server 2014
This support includes the upgrade of SQL Server Express to a newer version of SQL Server Express at secondary
sites.
When you upgrade the version of SQL Server that hosts the site database, you must upgrade the SQL Server
version that's used at sites in the following order:
1. Upgrade SQL Server at the central administration site first
2. Upgrade secondary sites before you upgrade a secondary site's parent primary site
3. Upgrade parent primary sites last. These sites include both child primary sites that report to a central
administration site, and stand-alone primary sites that are the top-level site of a hierarchy.
When you upgrade a site database from an earlier version of SQL Server, the database keeps its existing
cardinality estimation level, if it's at the minimum allowed for that instance of SQL Server. If you upgrade SQL
Server with a database at a compatibility level lower than the allowed level, it automatically sets the database to
the lowest compatibility level allowed by SQL Server. For more information, see Supported SQL Server versions:
Database compatibility level.
For more information about upgrading SQL Server, see the following SQL Server articles:
Upgrade to SQL Server 2019
Upgrade to SQL Server 2017
Upgrade to SQL Server 2016
To upgrade SQL Server on the site database server
1. Stop all Configuration Manager services at the site
2. Upgrade SQL Server to a supported version
3. Restart the Configuration Manager services

NOTE
When you change the SQL Server edition in use at the central administration site from Standard to either Datacenter or
Enterprise, the database partition doesn't change. This database partition limits the number of clients the hierarchy
supports.
Updates and servicing for Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Configuration Manager uses an in-console service method called Updates and Servicing. This in-console
method makes it easy to find and install recommended updates for your Configuration Manager infrastructure.
In-console servicing is supplemented by out-of-band updates such as hotfixes. The out-of-band updates are
intended for customers who need to resolve issues that might be specific to their environment.

TIP
The terms upgrade, update, and install are used to describe three separate concepts in Configuration Manager. For more
information about how each term is used, see About upgrade, update, and install.

Baseline and update versions


Use the latest baseline version when you install a new site in a new hierarchy. Also use a baseline version to
upgrade from System Center 2012 Configuration Manager. After upgrading to Configuration Manager current branch,
don't use baseline versions to stay current. Instead, only use in-console updates to update to the newest version.
Periodically, another baseline version is released. When you use the latest baseline version to install a new
hierarchy, you avoid installing an outdated or unsupported version of Configuration Manager, followed by another
update to your infrastructure.

After you install a baseline version, later versions of Configuration Manager are available as in-console updates.
Use these updates to update your infrastructure to the latest version of Configuration Manager. You install
in-console updates to update the version of your top-level site. Updates you install at the central administration
site (CAS) automatically install at child primary sites. Control this timing by using a service window at the
primary site. For more information, see Service Windows. Manually update secondary sites to a new update version
from within the console.

When you install an update, the update stores installation files for that version on the site server in a folder
named CD.Latest. For more information about these files, see The CD.Latest folder. Use the files in the CD.Latest
folder during site recovery. Also, when your hierarchy no longer runs a baseline version, use these files to
install other sites. You can't use installation files from CD.Latest to install the first site of a new hierarchy,
or to upgrade a site from System Center 2012 Configuration Manager.
Version details
Some updates for Configuration Manager are available as both an in-console update version for existing
infrastructure, and as a new baseline version.
Supported versions
The following supported versions of Configuration Manager are currently available as a baseline, an update, or
both:

Version          | Availability date  | Support end date  | Baseline       | In-console update
2111 (5.00.9068) | December 1, 2021   | June 1, 2023      | No             | Yes
2107 (5.00.9058) | August 2, 2021     | February 2, 2023  | No             | Yes
2103 (5.00.9049) | April 5, 2021      | October 5, 2022   | Yes (Note 1)   | Yes
2010 (5.00.9040) | November 30, 2020  | May 30, 2022      | No             | Yes
2006 (5.00.9012) | August 11, 2020    | February 11, 2022 | No             | Yes

NOTE
The Availability date in this table is when the early update ring was released. Baseline media will be available on the
VLSC soon after the update is globally available.

Note 1: How to get baseline media

The baseline media is available as part of the following releases on the Volume License Service Center (VLSC):
Microsoft Endpoint Configmgr (current branch)
System Center Datacenter
System Center Standard

For example, search the VLSC for Microsoft Endpoint Configmgr (current branch). Find the baseline media in the
list of files, and download it for that release.

NOTE
The search string may be different on other media sites. For example, on the Visual Studio Subscriptions Portal, search for
Microsoft Endpoint Configuration Manager.

Historical versions
The following table lists historical versions of Configuration Manager current branch that are out of support:

Version                               | Availability date  | Support end date   | Baseline | In-console update
2002 (5.00.8968)                      | April 1, 2020      | October 1, 2021    | Yes      | Yes
1910 (5.00.8913)                      | November 29, 2019  | May 29, 2021       | No       | Yes
1906 (5.00.8853)                      | July 26, 2019      | January 26, 2021   | No       | Yes
1902 (5.00.8790)                      | March 27, 2019     | September 27, 2020 | Yes      | Yes
1810 (5.00.8740)                      | November 27, 2018  | December 1, 2020   | No       | Yes
1806 (5.00.8692)                      | July 31, 2018      | January 31, 2020   | No       | Yes
1802 (5.00.8634)                      | March 22, 2018     | September 22, 2019 | Yes      | Yes
1710 (5.00.8577)                      | November 20, 2017  | May 20, 2019       | No       | Yes
1706 (5.00.8540)                      | July 31, 2017      | July 31, 2018      | No       | Yes
1702 (5.00.8498)                      | March 27, 2017     | March 27, 2018     | Yes      | Yes
1610 (5.00.8458)                      | November 18, 2016  | November 18, 2017  | No       | Yes
1606 with KB3186654 (5.00.8412.1307)  | October 12, 2016   | October 12, 2017   | Yes      | No
1606 (5.00.8412.1000)                 | July 22, 2016      | July 22, 2017      | No       | Yes
1602 (5.00.8355)                      | March 11, 2016     | March 11, 2017     | No       | Yes
1511 (5.00.8325)                      | December 8, 2015   | December 8, 2016   | Yes      | No

How to check the version


To check the version of your Configuration Manager site, in the console go to About Configuration Manager
at the top-left corner of the console. This dialog displays the site and console versions.

NOTE
The console version is slightly different from the site version. The minor version of the console corresponds to the
Configuration Manager release version. For example, in Configuration Manager version 1802 the initial site version is
5.0.8634.1000, and the initial console version is 5.1802.1082.1700. The build (1082) and revision (1700) numbers may
change with future hotfixes.
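The version formats described in this note, worked through in code. This is an added example and not Microsoft's code or tooling: the release table inside it is a constructed subset of the version tables above, and the mapping from a site version's third component to a release label is an assumption drawn from those tables.

```python
"""Site and console version checks for Configuration Manager.

Added example, not Microsoft's code. RELEASES is a constructed subset of the
version tables on this page (support end dates as given there). Version formats
follow the note above: site 5.0.<build>.<rev>, console 5.<release>.<build>.<rev>.
"""
from datetime import date
from typing import NamedTuple, Optional, Tuple


class Release(NamedTuple):
    release: str        # four-digit release label, for example "2111"
    build: int          # third component of the site version
    support_end: date   # last day of support, from the tables above


# Constructed subset of the page's tables.
RELEASES: Tuple[Release, ...] = (
    Release("2111", 9068, date(2023, 6, 1)),
    Release("2107", 9058, date(2023, 2, 2)),
    Release("2103", 9049, date(2022, 10, 5)),
    Release("2010", 9040, date(2022, 5, 30)),
    Release("2006", 9012, date(2022, 2, 11)),
    Release("2002", 8968, date(2021, 10, 1)),
    Release("1802", 8634, date(2019, 9, 22)),
)


def parse_site_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '5.0.8634.1000', or the tables' short '5.00.8634' form, into four ints."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 3:
        parts.append(0)  # the tables omit the revision component
    if len(parts) != 4 or parts[0] != 5:
        raise ValueError(f"not a Configuration Manager site version: {version!r}")
    return parts[0], parts[1], parts[2], parts[3]


def release_for_site(version: str) -> Optional[Release]:
    """Find the release whose build matches the site version's third component (assumed mapping)."""
    build = parse_site_version(version)[2]
    return next((r for r in RELEASES if r.build == build), None)


def support_status(site_version: str, today: date) -> Tuple[str, Optional[date]]:
    """Return ('supported' | 'unsupported' | 'unknown', support end date or None)."""
    rel = release_for_site(site_version)
    if rel is None:
        return "unknown", None  # build not in the table: cannot judge support
    status = "supported" if today <= rel.support_end else "unsupported"
    return status, rel.support_end


def console_matches_site(console_version: str, site_version: str) -> bool:
    """True when the console's second component equals the site's release label."""
    parts = console_version.strip().split(".")
    if len(parts) != 4 or parts[0] != "5":
        raise ValueError(f"not a Configuration Manager console version: {console_version!r}")
    rel = release_for_site(site_version)
    return rel is not None and parts[1] == rel.release


if __name__ == "__main__":
    print(support_status("5.0.8634.1000", date(2022, 2, 16)))            # 1802, long out of support
    print(console_matches_site("5.1802.1082.1700", "5.0.8634.1000"))     # True
```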

In-console updates and servicing


When you use a production-ready installation of Configuration Manager current branch, most updates are
available using the Updates and Servicing channel. This method identifies, downloads, and makes available
the updates that apply to your current infrastructure version and configuration. It includes only updates that
Microsoft recommends for all customers.
These updates include:
New versions, like version 2010, 2103, or 2107.
Updates that include new features for your current version.
Hotfixes for your version of Configuration Manager and that all customers should install.

NOTE
In-console hotfixes have supersedence relationships. For more information, see Supersedence for in-console
hotfixes.

The in-console updates deliver increased stability and resolve common issues. They replace the update types
seen for previous product versions such as service packs, cumulative updates, hotfixes that are applicable to all
customers, and the extension for Microsoft Intune.
The in-console updates can apply to one or more of the following systems:
Primary and CAS servers
Site system roles and site system servers
Instances of the SMS Provider
Configuration Manager consoles
Configuration Manager clients
Configuration Manager discovers new updates for you. Synchronize your Configuration Manager service
connection point with the Microsoft cloud service, noting the following behaviors:
When your service connection point is in online mode, your site synchronizes with Microsoft every day. It
automatically identifies new updates that apply to your infrastructure. To download updates and
redistributable files, the computer that hosts the service connection point site system role uses the
System context to access the following internet locations: go.microsoft.com and download.microsoft.com.
For more information about other locations used by the service connection point, see Internet access
requirements.
When your service connection point is in offline mode, use the service connection tool to manually sync
with the Microsoft cloud. For more information, see Use the service connection tool.
In-console updates replace the need to independently locate and install individual updates, service packs,
and new features.
Install only the in-console updates you choose. When installing some updates, you can select individual
features to enable and use. For more information, see Enable optional features from updates.
When you install an in-console update, the following process occurs:
It automatically runs a prerequisite check. You can also manually run this check before starting the
installation.
It installs at the top-level site in your environment. This site is the CAS if there's one. In a hierarchy, the
update automatically installs at primary sites. Control when each primary site server is allowed to update
by using Service windows for site servers.
After a site server updates, all affected site system roles automatically update. These roles include
instances of the SMS Provider. After the site installs the update, Configuration Manager consoles also
prompt the console user to update the console.
If an update includes the Configuration Manager client, you're offered the option to test the update in
pre-production, or to apply the update to all clients immediately.
After a primary site is updated, secondary sites don't automatically update. Instead, you must manually
start the secondary site update.

NOTE
The Configuration Manager current branch, the long-term servicing branch, and the technical preview branch are
different releases. Updates that apply for one branch aren't available as in-console updates for the other branches. For
more information about available branches, see Which branch of Configuration Manager should I use?.

Supersedence for in-console hotfixes


In-console hotfixes have supersedence relationships. When Microsoft publishes a new Configuration Manager
hotfix, the console doesn't display any hotfixes that are superseded by this new hotfix. This new behavior helps
you better determine which hotfixes to install.
Supersedence example
There are three hotfixes available: Hotfix-A, Hotfix-B, and Hotfix-C. Hotfix-A is superseded by Hotfix-B, and
Hotfix-B is superseded by Hotfix-C.

Hotfix-A       | Hotfix-B       | Hotfix-C       | In-console view
Not installed  | Not installed  | Not installed  | Show all three hotfixes
Installed      | Installed      | Not installed  | Hotfix-B shows as installed; Hotfix-C shows as ready to install
Not installed  | Not installed  | Installed      | Hotfix-C shows as installed
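The three table rows above as executable logic, as an added example that is not part of the original article or the product. The display rule it implements (hide a hotfix once any hotfix that supersedes it, directly or through the chain, is installed) is an assumption inferred from the table, and the Hotfix-A/B/C catalog is the page's constructed scenario.

```python
"""In-console hotfix view under supersedence (added example, not product code).

Rule assumed from the table above: a hotfix is hidden when any hotfix that
supersedes it, directly or transitively, is installed; otherwise it shows as
'Installed' or 'Ready to install'.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Hotfix:
    name: str
    installed: bool = False
    superseded_by: Set[str] = field(default_factory=set)  # direct superseders only


def superseders(name: str, catalog: Dict[str, Hotfix]) -> Set[str]:
    """Every hotfix that supersedes `name`, following the chain transitively."""
    seen: Set[str] = set()
    stack = list(catalog[name].superseded_by)
    while stack:
        hf = stack.pop()
        if hf in seen:
            continue
        seen.add(hf)
        stack.extend(catalog[hf].superseded_by)
    return seen


def console_view(catalog: Dict[str, Hotfix]) -> Dict[str, str]:
    """Map each hotfix to 'Installed', 'Ready to install', or 'Hidden'."""
    view: Dict[str, str] = {}
    for name, hf in catalog.items():
        if any(catalog[s].installed for s in superseders(name, catalog)):
            view[name] = "Hidden"  # a newer, superseding hotfix is already installed
        else:
            view[name] = "Installed" if hf.installed else "Ready to install"
    return view


def build_catalog(installed: Set[str]) -> Dict[str, Hotfix]:
    """The page's scenario (constructed): Hotfix-A is superseded by Hotfix-B, Hotfix-B by Hotfix-C."""
    return {
        "Hotfix-A": Hotfix("Hotfix-A", "Hotfix-A" in installed, {"Hotfix-B"}),
        "Hotfix-B": Hotfix("Hotfix-B", "Hotfix-B" in installed, {"Hotfix-C"}),
        "Hotfix-C": Hotfix("Hotfix-C", "Hotfix-C" in installed, set()),
    }


if __name__ == "__main__":
    for installed in (set(), {"Hotfix-A", "Hotfix-B"}, {"Hotfix-C"}):
        print(sorted(installed) or "none installed", "->", console_view(build_catalog(installed)))
```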

Out-of-band hotfixes
Some hotfixes release with limited availability to address specific issues. Other hotfixes are applicable to all
customers but can't install using the in-console method. These fixes are delivered out-of-band and not
discovered from the Microsoft cloud service.
Typically, when you're seeking to fix or address a problem with your deployment of Configuration Manager, you
can learn about out-of-band hotfixes from Microsoft customer support services, a Microsoft support knowledge
base article, or the Configuration Manager team blog.
Install these fixes manually, using one of the following two methods:
Update Registration Tool
This tool manually imports the hotfix into your Configuration Manager console. Then install the update as you
would in-console updates that are discovered automatically.
This method is used for hotfixes that use the following file name structure:
<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe

For more information, see Use the update registration tool to import hotfixes.
Hotfix Installer
Use this tool to manually install a hotfix that can't be installed using the in-console method.
This method is used for fixes that use the following file name structure:
<Product>-<product version>-<KB article ID>-<platform>-<language>.exe

For more information, see Use the hotfix installer to install updates.
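A small parser for the two file name structures above, to sort downloaded out-of-band fixes by install method. This is an added example, not a Microsoft tool; the sample file names are constructed and the KB numbers in them are placeholders.

```python
"""Classify an out-of-band hotfix file by name to pick its install method.

Added example, not a Microsoft tool. It applies the two file name structures
given on this page; sample names below are constructed with placeholder KB IDs.
"""
import re
from typing import Optional, Dict

# <Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe
_UPDATE_RE = re.compile(
    r"^(?P<product>[^-]+)-(?P<version>[^-]+)-(?P<kb>KB\d+)-ConfigMgr\.Update\.exe$",
    re.IGNORECASE,
)
# <Product>-<product version>-<KB article ID>-<platform>-<language>.exe
_HOTFIX_RE = re.compile(
    r"^(?P<product>[^-]+)-(?P<version>[^-]+)-(?P<kb>KB\d+)-(?P<platform>[^-]+)-(?P<language>[^-]+)\.exe$",
    re.IGNORECASE,
)


def classify_hotfix(filename: str) -> Optional[Dict[str, str]]:
    """Return the install method plus the parsed name fields, or None if the name fits neither pattern."""
    m = _UPDATE_RE.match(filename)
    if m:
        return {"method": "Update Registration Tool", **m.groupdict()}
    m = _HOTFIX_RE.match(filename)
    if m:
        return {"method": "Hotfix Installer", **m.groupdict()}
    return None  # not one of the two documented structures


if __name__ == "__main__":
    # Constructed sample names; KB0000000 is a placeholder, not a real article ID.
    for name in ("ConfigMgr-2107-KB0000000-ConfigMgr.Update.exe",
                 "ConfigMgr-2107-KB0000000-x64-ENU.exe",
                 "setup.exe"):
        print(name, "->", classify_hotfix(name))
```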

Next steps
The following articles can help you understand how to find and install the different update types for
Configuration Manager:
Install in-console updates
Use the service connection tool
Use the update registration tool to import hotfixes
Use the hotfix installer to install updates
For more information about the technical preview branch, see Technical preview.
Prepare to install in-console updates for
Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager synchronizes with the Microsoft cloud service to get updates. Use the steps in this
article to prepare your environment.

Get available updates


The site only downloads updates that apply to your infrastructure and version. This synchronization can be
automatic or manual, depending on how you configure the service connection point for your hierarchy:
In online mode, the service connection point automatically connects to the Microsoft cloud service and
downloads applicable updates.
By default, Configuration Manager checks for new updates every 24 hours. Manually check for updates in
the Configuration Manager console. Go to the Administration workspace, select the Updates and
Servicing node, and choose Check for Updates in the ribbon.
In offline mode, the service connection point doesn't connect to the Microsoft cloud service. To
download and then import available updates, use the Service Connection Tool.

NOTE
If necessary, import out-of-band fixes into your console. To do so, use the update registration tool. These out-of-band
fixes supplement the updates you get when you synchronize with the Microsoft cloud service.

After updates synchronize, view them in the Configuration Manager console. Go to the Administration
workspace and select the Updates and Servicing node.
Updates you haven't installed display as Available.
Updates you've installed display as Installed. Only the most recently installed update is shown. To view
previously installed updates, select History in the ribbon.
Before you configure the service connection point, understand and plan for its use. The following uses might
affect how you configure this site system role:
The site uses the service connection point to upload usage information about your site. This information
helps the Microsoft cloud service identify the updates that are available for the current version of your
infrastructure. For more information, see Diagnostics and usage data.
To better understand what happens when updates are downloaded, see the following flowcharts:
Flowchart - Download updates
Flowchart - Update replication

Permissions
To view updates in the console, a user must have a role-based administration security role that includes the
security class Update packages. This class grants access to view and manage updates in the Configuration
Manager console.
About the Update packages class
By default, the Update packages class (SMS_CM_Updatepackages) is part of the following built-in security
roles with the listed permissions:
Full Administrator with Modify and Read permissions:
A user with this security role and access to the All security scope can view and install updates. The
user can also enable features during the installation, and enable individual features after the site
updates.
A user with this security role and access to the Default security scope can view and install
updates. The user can also enable features during the installation, and view features after the site
updates. But this user can't enable the features after the site updates.
Read-only Analyst with Read permissions:
A user with this security role and access to the Default scope can view updates but not install them.
This user can also view features after the site updates, but can't enable them.
Permissions required for updates and servicing
Use an account to which you assign a security role that includes the Update packages class with both
Modify and Read permissions.
Assign the account to the Default scope.
Permissions to only view updates
Use an account to which you assign a security role that includes the Update packages class with only
the Read permission.
Assign the account to the Default scope.
Permissions required to enable features after the site updates
Use an account to which you assign a security role that includes the Update packages class with both
Modify and Read permissions.
Assign the account to the All scope.

Before you install an in-console update


Review the following steps before you install an update from within the Configuration Manager console.
Step 1: Review the update checklist
Review the applicable update checklist for actions to take before you start the update:
Checklist for installing update 2111
Checklist for installing update 2107
Checklist for installing update 2103
Checklist for installing update 2010
Checklist for installing update 2006
Step 2: Run the prerequisite checker before installing an update
Before you install an update, run the prerequisite checks for that update. If you run the checks before installing
an update:
The site replicates update files to other sites before installing the update.
When you choose to install the update, the prerequisite check automatically runs again.

NOTE
When you start a prerequisite check and then view the status, the Installation phase appears to be active. However, the
site isn't actually installing the update. To run the prerequisite check, the update process extracts the package from the
content library. It then puts the package into a staging folder where it can access the current prerequisite checks. When
you install an update, this same process runs. This behavior is why the Installation phase shows as In progress. Only the
Extract Update package step is shown in the Installation category.

Later, when you install the update, you can configure the update to ignore prerequisite check warnings.
Process to run the prerequisite checker before installing an update
1. In the Configuration Manager console, go to the Administration workspace, and select the Updates
and Servicing node.
2. Select the update package for which you want to run the prerequisite check.
3. Select Run prerequisite check in the ribbon.
When you run the prerequisite check, content for the update replicates to child sites. View the
distmgr.log on the site server to confirm that content replicates successfully.
4. To view the results of the prerequisite check:
a. In the Configuration Manager console, go to the Monitoring workspace.
b. Select the Updates and Servicing Status node and look for the prerequisite status.
c. For more information, see the ConfigMgrPrereq.log on the site server.

Next steps
Now that you've prepared the environment, you're ready to install the updates.
Install in-console updates
Install in-console updates for Configuration
Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


This article describes how to install updates from within the Configuration Manager console. Before you start,
make sure to Prepare to install in-console updates.
When you're ready to install updates from within the Configuration Manager console, begin with the top-level
site of your hierarchy. This site is either the central administration site (CAS) or a standalone primary site.
Install the update outside of normal business hours for each site to minimize the effect on business operations.
The update installation might include actions like reinstalling site components and site system roles.
Child primary sites automatically start the update after the CAS completes installation of the update. This
process is by default and recommended. To control when a primary site installs updates, use Service
windows for site servers.
After the primary parent site update is complete, manually update secondary sites from within the
Configuration Manager console. Automatic update of secondary site servers isn't supported.
When you use a Configuration Manager console after the site is updated, you're prompted to update the
console.
After the site server successfully completes installation of an update, it automatically updates all
applicable site system roles. However, all distribution points don't reinstall and go offline to update at the
same time. Instead, the site server uses the site's content distribution settings to distribute the update to a
subset of distribution points at a time. The result is that only some distribution points go offline to install
the update. Distribution points that haven't begun to update or that have completed the update remain
online and able to provide content to clients.

Start the install


At the top-level site of your hierarchy, in the Configuration Manager console, go to the Administration
workspace, and select the Updates and Servicing node. Select an update with the state of Available, and
then choose Install Update Pack in the ribbon.

NOTE
Your user account requires permissions to install updates. For more information, see Permissions for in-console updates.

Start the update installation at a secondary site


After the parent primary site updates, update the secondary site from within the Configuration Manager
console.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node. Select the secondary site you want to update, and then
choose Upgrade in the ribbon.
2. Select Yes to start the update of the secondary site.
To monitor the update installation on a secondary site, select the secondary site, and choose Show Install
Status in the ribbon. Also add the Version column to the Sites node so that you can view the version of each
secondary site.
The status in the console may not refresh or it might show that the update failed. After a secondary site
successfully updates, use the Retry installation option. This option doesn't reinstall the update for a secondary
site that successfully installed the update, but forces the console to update the status.

Install process
1. When the update installation starts
You're presented with the Updates Wizard that displays a list of the product areas that the update applies to.
On the General page of the wizard, configure Prerequisite warnings as necessary:
Prerequisite errors always stop the update installation. Fix errors before you can successfully retry
the update installation. For more information, see Retry installation of a failed update.
Prerequisite warnings can also stop the update installation. Fix warnings before you retry the
update installation. For more information, see Retry installation of a failed update.
Ignore any prerequisite check warnings and install this update regardless of missing
requirements: Set a condition for the update installation to ignore prerequisite warnings. This
option allows the update installation to continue. If you don't select this option, the update
installation stops on a warning. Unless you've previously run the prerequisite check and fixed
prerequisite warnings for a site, don't use this option.
In both the Administration and Monitoring workspaces, the Updates and Servicing node
includes a button on the ribbon named Ignore prerequisite warnings. This button becomes
available when an update package fails to complete installation because of prerequisite check
warnings. For example, you install an update without using the option to ignore prerequisite
warnings (from within the Updates Wizard). The update installation stops with a state of
prerequisite warning but no errors. Later, you select Ignore prerequisite warnings in the
ribbon. This action triggers an automatic continuation of that update installation, which ignores
prerequisite warnings. When you use this option, the update installation automatically continues
after a few minutes.
When an update applies to the Configuration Manager client, choose to test the client update with a
limited set of clients. For more information, see How to test client upgrades in a pre-production
collection.
Starting in Configuration Manager 2107, sites that aren't already onboarded to Microsoft Endpoint
Manager will be prompted to optionally cloud attach as part of the upgrade wizard. Environments are
considered cloud attached if at least one of the following features is already enabled:
Tenant attach
Co-management
Endpoint analytics
If you don't wish to onboard, clear both of the Enable Microsoft Endpoint Manager admin center
and Enable automatic client enrollment for co-management options.
2. During the update installation
As part of the update installation, Configuration Manager does the following actions:
Reinstalls any affected components, like site system roles or the Configuration Manager console.
Manages updates to clients based on the selections that you made for client piloting, and for automatic
client upgrades.
Site system servers generally don't need to restart as part of the update. If a role uses .NET, and the
package updates that prerequisite component, then the site system may restart. For more information,
see Site and site system prerequisites.

TIP
When you install Configuration Manager updates, the site also updates the CD.Latest folder. For more information, see
The CD.Latest folder.

3. Monitor the progress of updates as they install


Use the following steps to monitor progress:
In the Configuration Manager console, go to the Administration workspace, and select the Updates
and Servicing node. This node shows the installation status for all update packages.
In the Configuration Manager console, go to the Monitoring workspace, and select the Updates and
Servicing Status node. This node shows the installation status of only the current update package that
the site is installing.
The update installation is divided into several phases for easier monitoring. For each of the following
phases, more details in the installation status include which log file to view for more information:
Download: This phase applies only to the top-level site with the service connection point.
Replication
Prerequisites Check
Installation
Post Installation: For more information, see post installation tasks.
View the CMUpdate.log file in <ConfigMgr_Installation_Directory>\Logs on the site server.

NOTE
During the Installation phase, you can see the state of the Upgrade ConfigMgr database task.
If the database upgrade is blocked, then you'll be given the warning In progress, needs attention.
The cmupdate.log will log the program name and session ID from SQL Server that is blocking the database
upgrade.
When the database upgrade is no longer blocked, the status will be reset to In progress or Complete.
When the database upgrade is blocked, a check is done every 5 minutes to see if it's still blocked.

4. When the update installation completes


After the first site update completes installation:
Child primary sites install the update automatically. No further action is required.
Manually update secondary sites from within the Configuration Manager console. For more information,
see start the update installation at a secondary site.
Until all sites in your hierarchy update to the new version, your hierarchy operates in a mixed version
mode. For more information, see Interoperability between different versions.
5. Update Configuration Manager consoles
After a CAS or primary site updates, each Configuration Manager console that connects to the site must also
update. You're prompted to update a console:
When you open the console
When you go to a new node in an open console
Update the console right away after the site updates.
After the console update completes, verify the console and site versions are correct. Go to About
Configuration Manager at the top-left corner of the console.

NOTE
The console version is slightly different from the site version. The minor version of the console corresponds to the
Configuration Manager release version. For example, in Configuration Manager version 1802 the initial site version is
5.0.8634.1000, and the initial console version is 5.1802.1082.1700. The build (1082) and revision (1700) numbers may
change with future hotfixes.

Next steps
Continue reading about what happens after the site updates, or what to do if the update fails.
After the site updates
After the site updates
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


After you install an in-console update for Configuration Manager, the site does additional processing in the
background. There are also additional steps that you may need to take after the update is complete. If something
goes wrong, use the steps below to help troubleshoot and retry the update.

Post-installation tasks
When a site installs an update, there are several tasks that can't start until after the update completes installation
on the site server. This list includes the post-installation tasks that are critical for site and hierarchy operations.
Because they're critical, they're actively monitored. Other tasks that aren't directly monitored include the
reinstallation of site system roles. To view the status of the critical post-installation tasks, select the Post
Installation task while monitoring the update installation for a site.
Not all tasks complete immediately. Some tasks don't start until each site completes installation of the update.
New functionality you might expect can be delayed until these tasks complete. Turning on new features doesn't
start until all sites complete update installation, so new features might not be visible for some time.
The post installation tasks include:
Installing SMS_EXECUTIVE service
Critical service that runs on the site server.
Reinstallation of this service should complete quickly.
Installing SMS_DATABASE_NOTIFICATION_MONITOR component
Critical site component thread of SMS_EXECUTIVE service.
Reinstallation of this service should complete quickly.
Installing SMS_HIERARCHY_MANAGER component
Critical site component that runs on the site server.
Responsible for reinstalling roles on site system servers. Status for individual site system role
reinstallation doesn't display.
Reinstallation of this service should complete quickly.

NOTE
Some Configuration Manager site roles share the client framework. For example, the management point
and pull distribution point. When these roles update, the client version on these servers updates at the
same time. For more information, see How to upgrade clients.

Installing SMS_REPLICATION_CONFIGURATION_MONITOR component


Critical site component that runs on the site server.
Reinstallation of this service should complete quickly.
Installing SMS_POLICY_PROVIDER component
Critical site component that runs only on primary sites.
Reinstallation of this service should complete quickly.
Monitoring replication initialization
This task only displays at the CAS and child primary sites.
Dependent on the SMS_REPLICATION_CONFIGURATION_MONITOR.
Should complete quickly.
Updating Configuration Manager Client Preproduction Package
This task displays even when client preproduction (also called client piloting) isn't enabled for use.
Doesn't start until all sites in the hierarchy finish installing the update.
Updating Client folder on Site Server
This task doesn't display if you use the client in preproduction.
Should complete quickly.
Updating Configuration Manager Client Package
This task doesn't display if you use the client in preproduction.
Finishes only after all sites install the update.
Turning on Features
This task displays only at the top-tier site of the hierarchy.
Doesn't start until all sites in the hierarchy finish installing the update.
Individual features aren't displayed.

Retry installation of a failed update


When an update fails to install, review the in-console feedback to identify resolutions for warnings and errors.
For more details, view the ConfigMgrPrereq.log on the site server. Before you retry the installation of an
update, you must fix errors, and should fix warnings.

TIP
If an update has problems downloading or replicating, use the update reset tool.

When you're ready to retry the installation of an update, select the failed update, and then choose an applicable
option. The update installation retry behavior depends on the node where you start the retry, and the retry
option that you use.
Retry installation for the hierarchy
Retry the installation of an update for the entire hierarchy when that update is in one of the following states:
Prerequisite checks passed with one or more warnings, and the option to ignore prerequisite check
warnings wasn't set in the Update Wizard. (The update's value for Ignore Prereq Warning in the
Updates and Servicing node is No.)
Prerequisite failed
Installation failed
Replication of the content to the site failed
Go to the Administration workspace and select the Updates and Ser vicing node. Select the update, and
then choose one of the following options:
Retry: When you Retry from Updates and Servicing, the update install starts again and automatically
ignores prerequisite warnings. If content replication previously failed, content for the update replicates
again.
Ignore prerequisite warnings: If the update install stops because of a warning, you can then choose
Ignore prerequisite warnings. This action allows the installation of the update to continue after a few
minutes, and uses the option to ignore prerequisite warnings.
Retry installation for the site
Retry the installation of an update at a specific site when that update is in one of the following states:
Prerequisite checks passed with one or more warnings, and the option to ignore prerequisite check
warnings wasn't set in the Update Wizard. (The update's value for Ignore Prereq Warning in the
Updates and Servicing node is No.)
Prerequisite failed
Installation failed
Go to the Monitoring workspace, and select the Site Servicing Status node. Select the update, and then
choose one of the following options:
Retry: When you Retry from Site Servicing Status, you restart the installation of the update at only
that site. Unlike running Retry from the Updates and Servicing node, this retry doesn't ignore
prerequisite warnings.
Ignore prerequisite warnings: If the update install stops because of a warning, you can then select
Ignore prerequisite warnings. This action allows the installation of the update to continue after a few
minutes, and uses the option to ignore prerequisite warnings.

Report setup and upgrade failures to Microsoft

Starting in Configuration Manager version 2010, if the setup or update process fails to complete successfully,
you can report the error directly to Microsoft. If a failure occurs, the Report update error to Microsoft
button is enabled. When you use the button, an interactive wizard opens allowing you to provide more
information to us. When running setup from the media rather than the console, you'll also be given the Report
update error to Microsoft option if setup fails.

IMPORTANT
For business-impacting issues, contact Microsoft support to open a new support request. Reporting setup and upgrade
failures from the console is for providing product feedback on setup errors you may have encountered. Reporting an error
doesn't generate a support request.

To report upgrade failures to Microsoft:

1. In the Configuration Manager console, go to Administration > Overview > Updates and Servicing.
2. Select an update, then select Report update error to Microsoft in the ribbon.
3. Before you submit the feedback, you'll be given options to:
Attach other files
Provide your email address if you're willing to be contacted about the error.
4. When you submit feedback, you'll be given a transaction ID for the feedback. A status message is also
generated with this information.
Message ID 53900 is a successful submission.
Message ID 53901 is a failed submission.

After a site installs an update


After the site updates, review the post-update checklist for the applicable version:
Post-update checklist for version 2111
Post-update checklist for version 2107
Post-update checklist for version 2103
Post-update checklist for version 2010
Post-update checklist for version 2006

Next steps
Some updates include optional features, which you can enable during or after installation.
Optional features
Optional features in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


When an update includes one or more optional features, you can enable those features in your hierarchy. Enable
features when the update installs, or return to the console later to enable the optional features.
To view available features and their status, in the console go to the Administration workspace, expand
Updates and Servicing, and select the Features node. To enable a feature, select it in the list, and then select
Turn on in the ribbon.
Your user account requires permissions to view and enable optional features. For more information, see
Permissions for in-console updates.
When a feature isn't optional, it's automatically available for use. It doesn't appear in the Features node.

IMPORTANT
In a multi-site hierarchy, enable optional or pre-release features only from the central administration site (CAS). This
behavior makes sure there are no conflicts across the hierarchy.

When you enable a new feature or pre-release feature, the Configuration Manager hierarchy manager (HMAN)
must process the change before that feature becomes available. Processing of the change is often immediate.
Depending on the HMAN processing cycle, it can take up to 30 minutes to complete. After the change is
processed, restart the console before you can use the feature.
When new cloud-based features are available in the Microsoft Endpoint Manager admin center, or other
attached cloud services for your on-premises Configuration Manager installation, you can opt in to these new
features in the Configuration Manager console.

List of optional features


The following features are optional in the latest version of Configuration Manager:
Orchestration groups
Task sequence deployment type
Remove the central administration site
BitLocker management
Application groups
Task sequence debugger
Approve application requests for users per device
PFX create
Azure Log Analytics connector
Windows Defender Exploit Guard policy
VPN for Windows
Windows Hello for Business (previously known as Passport for Work)
TIP
For more information on features that require consent to enable, see pre-release features.
For more information on features that are only available in the technical preview branch, see Technical Preview.

Next steps
The current branch includes pre-release features for early testing in a production environment. For more
information, see pre-release features.
For answers to common questions, see In-console updates FAQ.
Update reset tool
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Beginning with version 1706, Configuration Manager primary sites and central administration sites include the
Configuration Manager Update Reset Tool, CMUpdateReset.exe. Use the tool to fix issues when in-console
updates have problems downloading or replicating. The tool is found in the \cd.latest\SMSSETUP\TOOLS
folder of the site server.
You can use this tool with any version of the current branch that remains in support.
Use this tool when an in-console update has not yet installed and is in a failed state. A failed state means that the
update download is in progress but stuck or taking an excessively long time. A long time is considered to be
hours longer than your historical expectations for update packages of similar size. It can also be a failure to
replicate the update to child primary sites.
When you run the tool, it runs only against the update that you specify. By default, the tool does not delete
successfully installed or downloaded updates.
Prerequisites
The account you use to run the tool requires the following permissions:
Read and Write permissions to the site database of the central administration site and to each primary site
in your hierarchy. To set these permissions, you can add the user account as a member of the db_datawriter
and db_datareader fixed database roles on the Configuration Manager database of each site. The tool does
not interact with secondary sites.
Local Administrator on the top-level site of your hierarchy.
Local Administrator on the computer that hosts the service connection point.
You need the GUID of the update package that you want to reset. To get the GUID:
1. In the console, go to Administration > Updates and Servicing.
2. In the display pane, right-click the heading of one of the columns (like State), then select Package Guid to
add that column to the display.
3. The column now shows the update package GUID.

TIP
To copy the GUID, select the row for the update package you want to reset, and then use CTRL+C to copy that row. If you
paste your copied selection into a text editor, you can then copy only the GUID for use as a command-line parameter
when you run the tool.

Run the tool


The tool must be run on the top-level site of the hierarchy.
When you run the tool, use command-line parameters to specify:
The SQL Server at the top-tier site of the hierarchy.
The site database name at the top-tier site.
The GUID of the update package you want to reset.
Based on the status of the update, the tool identifies the additional servers it needs to access.
If the update package is in a post download state, the tool does not clean up the package. As an option, you can
force the removal of a successfully downloaded update by using the force delete parameter (See command-line
parameters later in this topic).
After the tool runs:
If a package was deleted, restart the SMS_Executive service at the top-tier site. Then, check for updates so
you can download the package again.
If a package was not deleted, you do not need to take any action. The update reinitializes and then restarts
replication or installation.
Command-line parameters:

PARAMETER                                          DESCRIPTION
-S <FQDN of the SQL Server of your top-tier site>  Required. Specify the FQDN of the SQL Server that hosts the site database for the top-tier site of your hierarchy.
-D <Database name>                                 Required. Specify the name of the database at the top-tier site.
-P <Package GUID>                                  Required. Specify the GUID for the update package you want to reset.
-I <SQL Server instance name>                      Optional. Identify the instance of SQL Server that hosts the site database.
-FDELETE                                           Optional. Force deletion of a successfully downloaded update package.

Examples:
In a typical scenario, you want to reset an update that has download problems. Your SQL Server's FQDN is
server1.fabrikam.com, the site database is CM_XYZ, and the package GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:
CMUpdateReset.exe -S server1.fabrikam.com -D CM_XYZ -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C
In a more extreme scenario, you want to force deletion of a problematic update package. Your SQL Server's FQDN
is server1.fabrikam.com, the site database is CM_XYZ, and the package GUID is 61F16B3C-F1F6-4F9F-8647-2A524B0C802C. You run:
CMUpdateReset.exe -FDELETE -S server1.fabrikam.com -D CM_XYZ -P 61F16B3C-F1F6-4F9F-8647-2A524B0C802C
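The following wrapper is an added example, not part of the Configuration Manager documentation or the tool itself. It validates the parameters the table above lists before calling CMUpdateReset.exe, keeps a transcript of the run, and performs the SMS_Executive restart the procedure calls for after a package is deleted. The site installation directory parameter, the transcript location and the service name SMS_EXECUTIVE are assumptions.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Run on the top-level site server with an account that holds the permissions
# listed under Prerequisites (db_datareader/db_datawriter on each site database).
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SqlServerFqdn,   # -S
    [Parameter(Mandatory)][string]$DatabaseName,    # -D
    [Parameter(Mandatory)][string]$PackageGuid,     # -P, value of the Package Guid column
    [string]$InstanceName,                           # -I, only for a named SQL Server instance
    [switch]$ForceDelete,                            # -FDELETE
    [switch]$RestartExecutive,                       # use when the tool reports it deleted the package
    [Parameter(Mandatory)][string]$SiteInstallDir    # assumed: folder that contains cd.latest on the site server
)

$tool = Join-Path $SiteInstallDir 'cd.latest\SMSSETUP\TOOLS\CMUpdateReset.exe'
if (-not (Test-Path $tool)) { throw "CMUpdateReset.exe not found at $tool" }

# A row copied from the console carries more than the GUID; reject anything that is not one.
$guid = [guid]::Empty
if (-not [guid]::TryParse($PackageGuid.Trim(), [ref]$guid)) {
    throw "'$PackageGuid' is not a GUID. Paste only the Package Guid column value."
}

$toolArgs = @('-S', $SqlServerFqdn, '-D', $DatabaseName, '-P', $guid.ToString().ToUpper())
if ($InstanceName) { $toolArgs += @('-I', $InstanceName) }
if ($ForceDelete)  { $toolArgs = @('-FDELETE') + $toolArgs }

# Keep a record of who reset which package and when (assumed transcript location).
$transcript = Join-Path $env:TEMP ('CMUpdateReset-{0}-{1}.txt' -f $guid, (Get-Date -Format 'yyyyMMdd-HHmmss'))
Start-Transcript -Path $transcript | Out-Null
try {
    if ($PSCmdlet.ShouldProcess("update package $guid", "run CMUpdateReset.exe $($toolArgs -join ' ')")) {
        & $tool @toolArgs
        Write-Host "CMUpdateReset.exe exit code: $LASTEXITCODE (see transcript $transcript)"
    }
} finally {
    Stop-Transcript | Out-Null
}

# Per the procedure: if a package was deleted, restart SMS_Executive at the top-tier
# site and then check for updates again. A forced delete always removes the package.
if ($ForceDelete -or $RestartExecutive) {
    if ($PSCmdlet.ShouldProcess('SMS_EXECUTIVE', 'Restart-Service')) {
        Restart-Service -Name 'SMS_EXECUTIVE'   # service name assumed
        Write-Host 'SMS_Executive restarted. In the console, check for updates to download the package again.'
    }
} else {
    Write-Host 'If the tool reported no deletion, no further action is needed: the update reinitializes on its own.'
}
```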
Test the database upgrade when installing an update
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


If necessary, you can run a test database upgrade before you install an in-console update for the current branch
of Configuration Manager.

IMPORTANT
The test upgrade is no longer a required or recommended step for most sites.
If your database is suspect, or is modified by customizations not explicitly supported by Configuration Manager, continue
to use this process.

Do I need to run a test upgrade?


The deprecation of this upgrade test is made possible by changes introduced with Configuration Manager
current branch. These changes simplify and speed up the process by which setup updates a production
environment to a newer version. This redesign was done to help you stay current with less risk and less
operational overhead when installing each new update.
The changes are to how updates install, including logic that automatically rolls back a failed update without the
need to run a site recovery. These changes enable the use of the console to manage update installations, and
include an option to retry installation of a failed update.

TIP
When you upgrade to Configuration Manager current branch from an older product, like System Center 2012
Configuration Manager, test database upgrades remain a recommended step.

If you still plan to test the upgrade of a site database when you install an in-console update, the following
information supplements the guidance on installing an in-console update.

Prepare to run a test database upgrade


To run the upgrade test, use the Configuration Manager Setup from the CD.Latest folder. Use the same version
of the source files as the version of Configuration Manager to which you're updating.
For example, to test the database update for version YYMM:
You need at least one site on version YYMM from which you can get that CD.Latest folder.
If you don't have a site that runs the required version, consider installing a site in a lab environment. Then
update that site to the new version. This process creates the CD.Latest folder with the correct version of
source files.
The upgrade test runs against a backup of your site database that you restore to a separate instance of SQL
Server. After the test upgrade completes, discard the upgraded database. It can't be used by a Configuration
Manager site.
Run the test upgrade
1. Use Configuration Manager Setup and the source files from the CD.Latest folder of a site that runs the
version that you plan to update to.
2. Copy the CD.Latest folder to a location on the SQL Server instance that you'll use to run the test
database upgrade.
3. Create a backup of the site database that you want to test upgrade. Then restore a copy of that database
to an instance of SQL Server that doesn't host a Configuration Manager site. The SQL Server instance
needs to be the same edition of SQL Server as your site database. For more information, see Quickstart:
Backup and restore a SQL Server database on-premises.
4. After you restore the database copy, run Setup from the CD.Latest folder. When you run Setup, use the
/TESTDBUPGRADE command-line option. If the SQL Server instance that hosts the database copy isn't
the default instance, provide the command-line options to identify the instance that hosts the site
database copy.
For example, you have a site database with the database name CM_ABC . You restore a copy of this site
database to a supported instance of SQL Server with the instance name DBTest . To test an upgrade of
this copy of the site database, use the following command line: setup.exe /TESTDBUPGRADE DBtest\CM_ABC
You can find Setup.exe in the following location on the source media for Configuration Manager:
SMSSETUP\BIN\X64

5. On the instance of SQL Server where you run the upgrade test, monitor the ConfigMgrSetup.log in the
root of the system drive for progress and success.
If the test upgrade fails, fix any issues related to the site database upgrade failure. Then, create a new
backup of the site database and retest the upgrade of the new copy of the database.
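The script below is an added example, not part of the Configuration Manager documentation. It runs step 4 of the procedure against the restored copy, then archives the ConfigMgrSetup.log from step 5 so each test run stays reviewable. The archive folder, the guard based on the SMS_EXECUTIVE service and the error-line filter are assumptions; the page gives no exit-code contract for setup.exe.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Run on the SQL Server instance that hosts the restored copy of the site database.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$CdLatestPath,   # CD.Latest copied from a site already on the target version
    [Parameter(Mandatory)][string]$InstanceName,   # instance hosting the restored copy, e.g. DBTest
    [Parameter(Mandatory)][string]$DatabaseName,   # restored copy of the site database, e.g. CM_ABC
    [string]$ArchiveRoot = "$env:SystemDrive\TestDbUpgradeLogs"   # assumed folder for each run's log
)

$setup = Join-Path $CdLatestPath 'SMSSETUP\BIN\X64\setup.exe'
if (-not (Test-Path $setup)) {
    throw "setup.exe not found at $setup; copy CD.Latest from a site that runs the target version."
}

# Heuristic guard (assumption): a host running the SMS_EXECUTIVE service is a site server,
# and the procedure requires an instance that does not host a Configuration Manager site.
if (Get-Service -Name 'SMS_EXECUTIVE' -ErrorAction SilentlyContinue) {
    throw 'This computer appears to host a Configuration Manager site; restore the copy elsewhere.'
}

$target = '{0}\{1}' -f $InstanceName, $DatabaseName
Write-Host "Running: $setup /TESTDBUPGRADE $target"
$proc = Start-Process -FilePath $setup -ArgumentList @('/TESTDBUPGRADE', $target) -Wait -PassThru -NoNewWindow

# Setup writes ConfigMgrSetup.log to the root of the system drive; keep a copy per run.
$log = "$env:SystemDrive\ConfigMgrSetup.log"
New-Item -ItemType Directory -Path $ArchiveRoot -Force | Out-Null
$archived = Join-Path $ArchiveRoot ('ConfigMgrSetup-{0}-{1}.log' -f $DatabaseName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
Copy-Item -Path $log -Destination $archived
Write-Host "setup.exe exit code: $($proc.ExitCode); log archived to $archived"

# Heuristic filter: surface lines that mention errors or failures for review.
$suspect = @(Select-String -Path $archived -Pattern 'error|fail' | Select-Object -ExpandProperty Line)
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} suspect line(s) in the log; last 20 shown:" -f $suspect.Count)
    $suspect | Select-Object -Last 20 | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No error or failure lines found; review the end of the log to confirm success.'
}
```

If the test fails, fix the reported database issues, take a fresh backup, restore it again and rerun the script against the new copy.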

Next steps
After the test database update completes successfully, discard the updated database. It can't be used by a
Configuration Manager site. You can then return to your active site and begin the update installation.
If an update install fails, you shouldn't need to recover the site. Instead, you can retry the update installation
from within the console.
Flowchart - Download updates for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This data flow displays the process by which a site with an online service connection point downloads in-console updates.
Flowchart - Update replication for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


These data flows display the process by which an in-console update you select to install replicates to additional
sites. These flows also display the process of extracting the update to run prerequisite checks and to install
updates at a central administration site and at primary sites.
Pre-release features in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Pre-release features are features that are in the current branch for early testing in a production environment.
These features are fully supported, but still in active development. They might receive changes until they move
out of the pre-release category.

Give consent
Before using pre-release features, give consent to use pre-release features. Giving consent is a one-time action
per hierarchy that you can't undo. Until you give consent, you can't enable new pre-release features included
with updates. After you turn on a pre-release feature, you can't turn it off.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. In the ribbon, select Hierarchy Settings .
3. On the General tab of Hierarchy Settings Properties, enable the option to Consent to use pre-release
features .

Enable pre-release features


When you install an update that includes pre-release features, those features are visible in the Updates and
Servicing Wizard with the regular features included in the update.
If you have given consent
In the Updates and Servicing Wizard, enable pre-release features. Select the pre-release features as you would
any other feature.
Optionally, wait to enable pre-release features later from the Features node under Updates and Servicing in
the Administration workspace. Select a feature, and then select Turn on in the ribbon. Until you give consent,
this option isn't available for use.
If you haven't given consent
In the Updates and Servicing Wizard, pre-release features are visible but you can't enable them. After the update
is installed, these features are visible in the Features node. However, you can't enable them until you give
consent.

IMPORTANT
In a multi-site hierarchy, you can only enable optional or pre-release features from the central administration site. This
behavior ensures there are no conflicts across the hierarchy.
If you gave consent at a stand-alone primary site, and then expand the hierarchy by installing a new central
administration site, you must give consent again at the central administration site.

When you enable a pre-release feature, the Configuration Manager hierarchy manager (HMAN) must process
the change before that feature becomes available. Processing of the change is often immediate. Depending on
the HMAN processing cycle, it can take up to 30 minutes to complete. After the change is processed, restart the
console before using the feature.

List of pre-release features


FEATURE                                                   ADDED AS PRE-RELEASE   ADDED AS A FULL FEATURE
Cloud management gateway with virtual machine scale set   Version 2010           Version 2107
Orchestration groups                                      Version 2002           Version 2111
Task sequence deployment type                             Version 2002
Remove the central administration site                    Version 2002           Version 2103
Task sequence debugger                                    Version 1906
Application groups                                        Version 1906           Version 2111

TIP
For more information on non-pre-release features that you must enable first, see Enable optional features from updates.
For more information on features that are only available in the technical preview branch, see Technical Preview.
Service windows for site servers
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


To control when in-console updates can install, configure service windows. You can add service windows at the
central administration site (CAS) and primary sites. Each site can have multiple service windows. The site
determines when it can install an update by the combination of all service windows that it has.

TIP
A service window is for a site server. A maintenance window is for a client. For more information, see How to use
maintenance windows.

Default behavior
When you don't configure a service window:
On your top-tier site, you choose when to start the update installation. The top-tier site is either the CAS
or a stand-alone primary site.
On a child primary site, the update automatically installs after it successfully completes at the CAS.
On a secondary site, updates never start automatically. After the parent primary site updates, manually
start the update from the console.

Behavior with a service window


When you create one or more service windows:
On your top-tier site, you can't start the installation of any new update from the console until the time is
in the service window. Even with a service window, the site still automatically downloads updates so
they're ready to install.
On a child primary site, an update from the CAS downloads to the primary site, but doesn't automatically
start. You can't manually start the install of an update outside of a service window. When service
windows no longer block update installation, the primary site automatically starts the update installation.
Secondary sites don't support service windows, and don't automatically install updates. After the parent
primary site updates, manually start the update from the console.

Configure a service window


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the site server where you want to configure a service window.
3. In the ribbon, select Properties.
4. Switch to the Service Windows tab.
5. To add a new service window, select the new button (gold asterisk).
6. In the Schedule window, specify a name to describe the service window. This name helps you identify
the service window in the console.
7. Configure the date, time, and recurrence pattern as necessary for this site.

After you create a service window, use the edit and delete buttons to make changes.

Next steps
Install in-console updates
Use the service connection tool for Configuration Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


Use the service connection tool when your service connection point is in offline mode. You can also use it
when your Configuration Manager site system servers aren't connected to the internet. The tool can help you
keep your site up to date with the latest updates to Configuration Manager.
When you run the tool, it connects to the Configuration Manager cloud service, uploads usage information for
your hierarchy, and downloads updates. Uploading usage data is necessary to enable the cloud service to
provide the correct updates for your environment.

Prerequisites
The site has a service connection point, and you configure it for an Offline, on-demand connection .
Run the tool from a command prompt as an administrator. There's no user interface.
You run the tool from the service connection point and a computer that can connect to the internet. Each
of these computers needs to have an x64 OS, and have the following components:
Both the Visual C++ Redistributable x86 and x64 files. By default, Configuration Manager
installs the x64 version on the computer that hosts the service connection point. To download this
component, see Visual C++ Redistributable Packages for Visual Studio 2013.
Starting in version 2107, this tool requires .NET version 4.6.2, and version 4.8 is recommended. In
version 2103 and earlier, this tool requires .NET 4.5.2 or later. For more information, see Site and site
system prerequisites.
The account you use to run the tool needs the following permissions:
Local administrator on the computer that hosts the service connection point
Read permissions to the site database
You need a method to transfer the files between the computer with internet access and the service
connection point. For example, a USB drive with sufficient free space to store the files and updates.

Overview
1. Prepare : Run the tool on the service connection point. It puts your usage data into a .cab file at the
location you specify. Copy the data file to the computer with an internet connection.
2. Connect : Run the tool on the computer with an internet connection. It uploads your usage data, and then
downloads Configuration Manager updates. Copy the downloaded updates to the service connection
point.
You can upload multiple data files at one time, each from a different hierarchy. You can also specify a
proxy server and a user for the proxy server.
3. Import: Run the tool on the service connection point. It imports the updates, and adds them to your site.
You can then view and install those updates in the Configuration Manager console.
Upload multiple data files
Put all exported data files from separate hierarchies into the same folder. Give each file a unique name. If
necessary, you can manually rename them.
When you run the tool to upload data to Microsoft, you specify the folder that contains the data files.
When you run the tool to import data, the tool only imports the data for that hierarchy.
Specify a proxy server
If the computer with an internet connection requires a proxy server, the tool supports a basic proxy
configuration. Use the optional parameters -proxyserveruri and -proxyusername. For more information, see
Command-line parameters.
Specify the type of updates to download
The tool supports options to control what files you download. By default, the tool downloads only the latest
available update that applies to the version of your site. It doesn't download hotfixes.
To modify this behavior, use one of the following parameters to change what files it downloads:
-downloadall : Download all updates, including updates and hotfixes, whatever the version of your site.
-downloadhotfix : Download all hotfixes whatever the version of your site.
-downloadsiteversion : Downloads updates and hotfixes with a later version than the version of your
site.

IMPORTANT
Because of a known issue in Configuration Manager version 2002, the default behavior doesn't work as expected.
Update to version 2006, or use the -downloadsiteversion parameter to download the necessary updates for
version 2002.

For more information, see Command-line parameters.

TIP
The tool determines the version of your site from the data file. To verify the version, look in the .cab file for the text file
named with the site version.

Use the tool


The service connection tool is in the Configuration Manager installation media at the following path:
SMSSETUP\TOOLS\ServiceConnectionTool\ServiceConnectionTool.exe . Always use the service connection tool that
matches the version of Configuration Manager that you use. All of these files must be in the same folder for the
service connection tool to work.
Copy the ServiceConnectionTool folder with all of its contents to the computer with an internet connection.
In this procedure, the command-line examples use the following file names and folder locations. You don't need
to use these paths and file names. You can use alternatives that match your environment and preferences.
The path to the Configuration Manager installation media source files on the service connection point:
C:\Source

The path to a USB drive where you store the data to transfer between computers: D:\USB\

The name of the data file that you export from the site: UsageData.cab
The name of the empty folder where the tool stores downloaded updates for Configuration Manager:
UpdatePacks

Prepare
1. On the computer that hosts the service connection point, open a command prompt as an administrator,
and change directory to the tool location. For example:
cd C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\

2. Run the following command to prepare the data file:


ServiceConnectionTool.exe -prepare -usagedatadest D:\USB\UsageData.cab

NOTE
If you'll upload data files from more than one hierarchy at the same time, give each data file a unique name. If
necessary, you can rename files later.

The data in the file is based on the level of diagnostic and usage data that you configure for the site. For
more information, see Overview of diagnostics and usage data. You can use the tool to export the data to
a CSV file to view the contents. For more information, see -export.
3. After the tool finishes exporting the usage data, copy the data file to a computer that has access to the
internet.
Connect
1. On the computer with internet access, open a command prompt as an administrator, and change
directory to the tool location. This location is a copy of the entire ServiceConnectionTool folder. For
example:
cd D:\USB\ServiceConnectionTool\

2. Run the following command to upload the data file and download the Configuration Manager updates:
ServiceConnectionTool.exe -connect -usagedatasrc D:\USB -updatepackdest D:\USB\UpdatePacks

For more examples, see Command line parameters.

NOTE
When you run this command line, you might see the following error:
Unhandled Exception: System.UnauthorizedAccessException: Access to the path
'C:\Users\jqpublic\AppData\Local\Temp\extractmanifestcab\95F8A562.sql' is denied.
You can safely ignore this error. Close the error window to continue.

3. After the tool finishes downloading the updates, copy them to the service connection point.
Import
1. On the computer that hosts the service connection point, open a command prompt as an administrator,
and change directory to the tool location. For example:
cd C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool\

2. Run the following command to import the updates:


ServiceConnectionTool.exe -import -updatepacksrc D:\USB\UpdatePacks
3. After the import completes, close the command prompt. It only imports updates for the applicable
hierarchy.
4. In the Configuration Manager console, go to the Administration workspace, and select the Updates
and Servicing node. Imported updates are now available to install. For more information, see Install
in-console updates.
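The script below is an added example, not part of the Configuration Manager documentation or the service connection tool. It drives the Prepare, Connect and Import phases above with the page's example paths, gives each hierarchy's data file a unique name, and carries a SHA-256 manifest across the USB transfer so that the packages imported on the service connection point are exactly the ones the tool downloaded. The -Phase switch, the SiteTag label, the UsageData subfolder and the manifest file are assumptions of this example.

```powershell
# Added example; not part of the Configuration Manager documentation.
# Prepare and Import run on the service connection point; Connect runs on the
# internet-connected computer using the copied ServiceConnectionTool folder.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Connect', 'Import')][string]$Phase,
    [string]$ToolDir = 'C:\Source\SMSSETUP\TOOLS\ServiceConnectionTool',   # on the internet computer: D:\USB\ServiceConnectionTool
    [string]$UsbRoot = 'D:\USB',          # transfer location used in the page's examples
    [string]$SiteTag = 'HIERARCHY1',      # assumed label that keeps each hierarchy's data file unique
    [string]$ProxyServerUri,              # -proxyserveruri
    [string]$ProxyUsername,               # -proxyusername
    [switch]$DownloadSiteVersion          # -downloadsiteversion
)

$tool = Join-Path $ToolDir 'ServiceConnectionTool.exe'
if (-not (Test-Path $tool)) { throw "ServiceConnectionTool.exe not found in $ToolDir; copy the whole folder." }
$dataDir  = Join-Path $UsbRoot 'UsageData'     # assumed: only .cab data files live here
$packs    = Join-Path $UsbRoot 'UpdatePacks'
$manifest = Join-Path $UsbRoot 'UpdatePacks.sha256'

function New-HashManifest {
    # Writes "<sha256>  <relative path>" for every file under $Folder.
    param([string]$Folder, [string]$Path)
    $root = (Resolve-Path $Folder).Path
    Get-ChildItem -Path $root -Recurse -File | Sort-Object FullName | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\')
        '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
    } | Set-Content -Path $Path -Encoding ascii
}

function Test-HashManifest {
    # Returns $true only if every listed file exists and its hash still matches.
    param([string]$Folder, [string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Manifest $Path is missing"; return $false }
    $ok = $true
    foreach ($line in Get-Content -Path $Path) {
        $expected, $rel = $line -split '  ', 2
        $file = Join-Path $Folder $rel
        if (-not (Test-Path $file) -or (Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $expected) {
            Write-Warning "Hash mismatch or missing file: $rel"
            $ok = $false
        }
    }
    return $ok
}

switch ($Phase) {
    'Prepare' {
        New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
        $cab = Join-Path $dataDir ('UsageData-{0}-{1}.cab' -f $SiteTag, (Get-Date -Format 'yyyyMMdd'))
        & $tool -prepare -usagedatadest $cab
        # Export a CSV beside it so the usage data can be reviewed before upload.
        & $tool -export -dest (Join-Path $UsbRoot ('UsageData-{0}.csv' -f $SiteTag))
        Write-Host "Data file written to $cab; copy $UsbRoot to the internet-connected computer."
    }
    'Connect' {
        New-Item -ItemType Directory -Path $packs -Force | Out-Null
        $toolArgs = @('-connect', '-usagedatasrc', $dataDir, '-updatepackdest', $packs)
        if ($DownloadSiteVersion) { $toolArgs += '-downloadsiteversion' }
        if ($ProxyServerUri)      { $toolArgs += @('-proxyserveruri', $ProxyServerUri) }
        if ($ProxyUsername)       { $toolArgs += @('-proxyusername', $ProxyUsername) }
        & $tool @toolArgs
        New-HashManifest -Folder $packs -Path $manifest
        Write-Host "Downloads hashed into $manifest; copy $UsbRoot back to the service connection point."
    }
    'Import' {
        if (-not (Test-HashManifest -Folder $packs -Path $manifest)) {
            throw 'UpdatePacks differ from what was downloaded; do not import them.'
        }
        & $tool -import -updatepacksrc $packs
        Write-Host 'Import finished; the updates appear under Administration > Updates and Servicing.'
    }
}
```

ConfigMgrSetup.log on the internet-connected computer still records the tool's own hash checks of what it downloaded; the manifest here covers only the transfer between the two computers.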

Log files
ServiceConnectionTool.log: Each time you run the service connection tool, it writes to this log file. The
path of the log file is always the same location as the tool. This log file provides simple details about the
tool usage based on the parameters you use. Each time you run the tool, the tool replaces any existing log
file.
ConfigMgrSetup.log : During the Connect phase, the tool writes to this log file at the root of the system
drive. This log file provides more detailed information. For example, what files the tool downloads, and if
the hash checks are successful.

Command-line parameters
This section lists in alphabetical order all of the available parameters for the service connection tool.
-connect
Use during the Connect phase on the computer with internet access. It connects to the Configuration Manager
cloud service to upload the data file, and download updates.
It requires the following parameters:
-usagedatasrc : The location of the data file to upload
-updatepackdest : A path for the downloaded updates
You can also use the following optional parameters:
-proxyserveruri : The FQDN of the proxy server
-proxyusername : A user name for the proxy server
-downloadall : Download everything, including updates and hotfixes, whatever the version of your site.
-downloadhotfix : Download all hotfixes, whatever the version of your site.
-downloadsiteversion : Download updates and hotfixes that have a later version than the version of your
site.
Example of connect without a proxy server
ServiceConnectionTool.exe -connect -usagedatasrc D:\USB\ -updatepackdest D:\USB\UpdatePacks

Example of connect with a proxy server


ServiceConnectionTool.exe -connect -usagedatasrc D:\USB\Usagedata.cab -updatepackdest D:\USB\UpdatePacks -proxyserveruri itproxy.contoso.com -proxyusername jqpublic

Example of connect to download only site version applicable updates


ServiceConnectionTool.exe -connect -downloadsiteversion -usagedatasrc D:\USB -updatepackdest D:\USB\UpdatePacks

-dest
A required parameter with the -export parameter to specify the path and file name of the CSV file to export. For
more information, see -export.
-downloadall
An optional parameter with the -connect parameter to download everything, including updates and hotfixes,
whatever the version of your site. For more information, see -connect.
-downloadhotfix
An optional parameter with the -connect parameter to only download all hotfixes, whatever the version of your
site. For more information, see -connect.
-downloadsiteversion
An optional parameter with the -connect parameter to only download updates and hotfixes that have a later
version than the version of your site. For more information, see -connect.
-export
Use during the Prepare phase to export usage data to a CSV file. Run it as an administrator on the service
connection point. This action lets you review the contents of the usage data before you upload to Microsoft. It
requires the -dest parameter to specify the location of the CSV file.
Example of export
-export -dest D:\USB\usagedata.csv

-import
Use during the Import phase on the service connection point to import the updates to the site. It requires the
-updatepacksrc parameter to specify the location of the downloaded updates.
Example of import
ServiceConnectionTool.exe -import -updatepacksrc D:\USB\UpdatePacks

-prepare
Use during the Prepare phase on the service connection point to export usage data from the site. It requires the
-usagedatadest parameter to specify the location of the exported data file.
Example of prepare
ServiceConnectionTool.exe -prepare -usagedatadest D:\USB\UsageData.cab

-proxyserveruri
An optional parameter with the -connect parameter to specify the FQDN of your proxy server. For more
information, see -connect.
-proxyusername
An optional parameter with the -connect parameter to specify the username to authenticate with your proxy
server. For more information, see -connect.
-updatepackdest
A required parameter with the -connect parameter to specify a path for the downloaded updates. For more
information, see -connect.
-updatepacksrc
A required parameter with the -import parameter to specify the path of the downloaded updates. For more
information, see -import.
-usagedatadest
A required parameter with the -prepare parameter to specify a path and file name of the exported data file. For
more information, see -prepare.
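
The following PowerShell script is an added example and not part of the Configuration Manager documentation. It drives the three offline phases (prepare and export on the service connection point, connect on the internet-connected computer, import back on the service connection point) with the parameters documented above, and adds the check a practitioner wants when update packs travel on removable media: a SHA-256 manifest written on the connect side and verified before -import. The tool path under cd.latest\SMSSETUP\TOOLS\ServiceConnectionTool and the assumption that the tool returns a non-zero exit code on failure are not stated on this page.

```powershell
# Added example, not part of the Configuration Manager docs. Drives the three
# offline phases of ServiceConnectionTool.exe and carries a SHA-256 manifest
# across the removable drive so the import side refuses a tampered or
# incomplete copy of the update packs. Assumptions (not stated on the page):
# the tool is under cd.latest\SMSSETUP\TOOLS\ServiceConnectionTool of the site
# install directory, and it returns a non-zero exit code on failure.
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Connect', 'Import')]
    [string]$Phase,
    [string]$Usb  = 'D:\USB',
    [string]$Tool = 'C:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\TOOLS\ServiceConnectionTool\ServiceConnectionTool.exe'
)
$ErrorActionPreference = 'Stop'
$cab      = Join-Path $Usb 'UsageData.cab'
$csv      = Join-Path $Usb 'UsageData.csv'
$packs    = Join-Path $Usb 'UpdatePacks'
$manifest = Join-Path $Usb 'UpdatePacks.sha256'

function Invoke-SctTool([string[]]$ToolArgs) {
    # Fail fast on a non-zero exit code (assumed tool behaviour).
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "ServiceConnectionTool.exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Phase) {
    'Prepare' {
        # On the service connection point: export the usage data, and also dump
        # it to CSV so it can be reviewed before anything leaves the network.
        Invoke-SctTool @('-prepare', '-usagedatadest', $cab)
        Invoke-SctTool @('-export', '-dest', $csv)
        Write-Host "Review $csv, then carry $cab to the internet-connected computer."
    }
    'Connect' {
        # On the internet-connected computer: upload the usage data, download
        # only updates newer than the site version, then write the manifest.
        Invoke-SctTool @('-connect', '-downloadsiteversion', '-usagedatasrc', $cab, '-updatepackdest', $packs)
        Get-ChildItem -Path $packs -File -Recurse | ForEach-Object {
            $rel = $_.FullName.Substring($packs.Length).TrimStart('\')
            '{0} {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
        } | Set-Content -Path $manifest -Encoding ASCII
        Write-Host "Wrote $manifest; record its own hash out of band before moving the drive."
    }
    'Import' {
        # Back on the service connection point: check every file against the
        # manifest before handing the folder to -import.
        foreach ($line in Get-Content $manifest) {
            $expected, $rel = $line -split ' ', 2
            $file = Join-Path $packs $rel
            if (-not (Test-Path $file)) { throw "Missing update pack file: $rel" }
            if ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $expected) {
                throw "Hash mismatch for $rel; refusing to import"
            }
        }
        Invoke-SctTool @('-import', '-updatepacksrc', $packs)
    }
}
```

Run it with -Phase Prepare on the service connection point, -Phase Connect on the internet-connected computer, and -Phase Import back on the service connection point. The manifest travels on the same drive as the packs, so it only detects corruption or a careless swap; for real tamper evidence, note the manifest's own SHA-256 (Get-FileHash on it) somewhere that doesn't leave with the drive and compare before importing.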

Next steps
Install in-console updates
How to view diagnostics and usage data
Use the update registration tool to import hotfixes
2/16/2022

Applies to: Configuration Manager (current branch)


Some updates for Configuration Manager aren't available from the Microsoft cloud service and are only
obtained out-of-band. An example is a limited release hotfix to address a specific issue.
When you must install an out-of-band release, and the update or hotfix file name ends with the extension
.update.exe, use the update registration tool. This tool extracts and transfers the update package to the site
server, and registers the update with the Configuration Manager console so that you can install it from there.
If the hotfix file only has the .exe file extension (not .update.exe), use the hotfix installer to install the update.

NOTE
This article provides general guidance about how to install hotfixes that update Configuration Manager. For details about
a specific hotfix or update, refer to the corresponding hotfix article.

Prerequisites
This tool only installs out-of-band updates whose file name ends with the full .update.exe extension.
It's included with each individual update that you get directly from Microsoft.
The service connection point can be in either online or offline mode.
Run it on the server with the service connection point site system role.
Starting in version 2107, the service connection point requires .NET version 4.6.2, and version 4.8 is
recommended. In version 2103 and earlier, this role requires .NET 4.5.2 or later. For more information, see
Site and site system prerequisites.
When you run the tool on the service connection point, the account that you use needs the following
configurations:
A local Administrator
Write permissions to the following folder:
<Configuration Manager installation directory>\EasySetupPayload\offline

Process
1. On the computer that hosts the service connection point, open a command prompt with administrative
privileges. Then change directories to the location that contains the update file. The update file name uses
the following format: <Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe
2. Run the following command to start the update registration tool:
<Product>-<product version>-<KB article ID>-ConfigMgr.Update.exe

After the hotfix is registered, it appears as a new update in the console within 24 hours. To accelerate this
process: in the Configuration Manager console, go to the Administration workspace, and select the
Updates and Servicing node. In the ribbon, select Check for Updates.
The update registration tool logs its actions to a .log file on the local computer. The log file has the same
name as the hotfix file and is in the %SystemRoot%\Temp folder.
After the update is registered, you can close the update registration tool.
3. In the Configuration Manager console, go to the Administration workspace, and select the Updates
and Servicing node. Hotfixes that you've imported are now available to install.
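
The following PowerShell script is an added example, not code from the Configuration Manager documentation. It turns the prerequisites and process above into a pre-flight check: right file extension, local Administrator, write access to EasySetupPayload\offline, then runs the registration tool and locates its log. Reading the site installation directory from the HKLM\SOFTWARE\Microsoft\SMS\Setup registry key, the Authenticode check on the downloaded binary, and treating a non-zero exit code as failure are additions not stated on this page.

```powershell
# Added example, not part of the Configuration Manager docs: pre-flight checks
# for the update registration tool, then run the tool and show where it logged.
# Assumptions: the site installation directory is read from the SMS\Setup
# registry key (the page only names the EasySetupPayload\offline subfolder),
# and the tool returns a non-zero exit code on failure.
param([Parameter(Mandatory)][string]$UpdateExe)   # e.g. <Product>-<version>-KB<id>-ConfigMgr.Update.exe
$ErrorActionPreference = 'Stop'

function Test-LocalAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-FolderWritable([string]$Path) {
    # Probe with a real write: reading the ACL misses deny entries and effective-rights quirks.
    $probe = Join-Path $Path ("$([guid]::NewGuid()).probe")
    try { [IO.File]::WriteAllText($probe, 'probe'); Remove-Item $probe -Force; return $true }
    catch { return $false }
}

# 1. Right tool for the file type: plain .exe hotfixes use the hotfix installer instead.
if ($UpdateExe -notlike '*.update.exe') { throw "$UpdateExe doesn't end in .update.exe; use the hotfix installer" }

# 2. Account and folder prerequisites from the page.
if (-not (Test-LocalAdmin)) { throw 'Run this from an elevated prompt as a local Administrator' }
$installDir = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Setup').'Installation Directory'
$offline = Join-Path $installDir 'EasySetupPayload\offline'
if (-not (Test-FolderWritable $offline)) { throw "No write access to $offline" }

# 3. Added check: don't run an out-of-band binary whose Authenticode signature doesn't verify.
$sig = Get-AuthenticodeSignature -FilePath $UpdateExe
if ($sig.Status -ne 'Valid') { throw "Signature status for $UpdateExe is $($sig.Status); not running it" }

# 4. Register the hotfix and find its log (same base name, under %SystemRoot%\Temp).
$proc = Start-Process -FilePath (Resolve-Path $UpdateExe).Path -Wait -PassThru
$base = [IO.Path]::GetFileNameWithoutExtension($UpdateExe)
$log  = Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter "$base*.log" |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($proc.ExitCode -ne 0) { throw "Registration failed with exit code $($proc.ExitCode); see $($log.FullName)" }
Write-Host "Registered. Log: $($log.FullName). Use Check for Updates in the console to see it before the 24-hour scan."
```

Run it from an elevated PowerShell prompt on the service connection point with the path to the .update.exe file as its only argument.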

Next steps
Install in-console updates
Use the Hotfix Installer to install updates for
Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Some updates for Configuration Manager aren't available from the Microsoft cloud service. These updates are
available out-of-band. An example is a limited release hotfix to address a specific issue.
When you need to install an update that you get from Microsoft:
If the update has the simple file extension .exe: Use the hotfix installer that's included with that download.
Install the update directly to the Configuration Manager site server.
If the hotfix file has the .update.exe file extension: Use the update registration tool to import hotfixes to
Configuration Manager.

Overview
Hotfixes for Configuration Manager are similar to updates for other Microsoft products, such as SQL Server.
They contain either one individual fix or a bundle, which is a rollup of fixes.
Individual updates include a single focused update for a specific version of Configuration Manager.
Update bundles include multiple updates for a specific version of Configuration Manager.
When an update is a bundle, you can't install individual updates from that bundle.
If you plan to create deployments to install updates on other computers, install the update bundle on a central
administration site (CAS) server or primary site server.
When you run the update bundle, the following process happens:
It extracts the update files for each applicable component from the update bundle.
Starts a wizard that guides you through a process to configure the updates and deployment options for
the updates.
After you complete the wizard, the updates in the bundle that apply to the site server are installed on the
site server.
The wizard also creates deployments that you can use to install the updates on other computers. Deploy the
updates to other computers by using a supported deployment method. For example, a software deployment
package or System Center Updates Publisher.
When the wizard runs, it creates a .cab file on the site server for use with Updates Publisher. Optionally, you can
configure the wizard to also create one or more packages for software deployment. You can use these
deployments to install updates on components, such as clients or the Configuration Manager console. You can
also install updates manually on computers that don't run the Configuration Manager client.
You can update the following three groups in Configuration Manager:
Configuration Manager server roles, which include:
CAS
Primary site
Secondary site
Remote SMS Provider
Configuration Manager console
Configuration Manager client

NOTE
Updates for site system roles are installed as part of the update for site servers. They are serviced by the site component
manager. This behavior includes updates for the site database and the cloud management gateway (CMG).
Pull-distribution points are serviced by distribution manager instead of the site component manager.

Each update bundle for Configuration Manager is a self-extracting .exe file (SFX). This file contains the files that
are necessary to install the update on the applicable components of Configuration Manager. Typically, the SFX
file contains the following files:

<Product version>-QFE-KB<KB article ID>-<platform>-<language>.exe
This file is the update. The command line for this file is managed by Updatesetup.exe. For example:
CM1511RTM-QFE-KB123456-X64-ENU.exe

Updatesetup.exe
This MSI wrapper manages the installation of the update bundle. When you run the update, Updatesetup.exe
detects the display language of the computer where it runs. By default, the user interface for the update is in
English. However, when the display language is supported, the user interface displays in the computer's local
language.

License_<language>.rtf
When applicable, each update contains one or more license files for supported languages.

<Product&updatetype>-<product version>-<KB article ID>-<platform>.msp
When the update applies to the Configuration Manager console or clients, the update bundle includes separate
Windows Installer patch (.msp) files. For example: ConfigMgr1511-AdminUI-KB1234567-i386.msp for the
console or ConfigMgr1511-client-KB1234567-x64.msp for the client.

By default, the update bundle logs its actions to a .log file on the site server. The log file has the same name as
the update bundle and is written to the %SystemRoot%/Temp folder.
When you run the update bundle, it extracts a file with the same name as the update bundle to a temporary
folder on the computer, and then runs Updatesetup.exe. Updatesetup.exe starts the software update wizard.
As applicable to the scope of the update, the wizard creates a series of folders under the Configuration Manager
installation folder on the site server. The folder structure is similar to the following example:
\Hotfix\<KB Number>\<Update Type>\<Platform>

The following list describes the folders in the folder structure:

<KB Number>
This folder is the ID number for this update bundle.

<Update type>
This folder is the type of update for Configuration Manager. The wizard creates a separate folder for each type of
update in the bundle. They include the following types:
- Server: Includes updates to site servers, site database servers, and SMS Providers.
- Client: Includes updates to the Configuration Manager client.
- AdminConsole: Includes updates to the Configuration Manager console.
The wizard also creates a folder named SCUP, which contains the .cab file for Updates Publisher.

<Platform>
This folder is platform-specific. It contains update files that are specific to a type of processor. These folders
include x64 and I386.

How to install updates


To install updates, first install the update bundle on a site server. When you install an update bundle, it starts an
install wizard for that update. This wizard does the following actions:
Extracts the update files
Helps you configure deployments
Installs applicable updates on the server components of the local computer
After you install the update bundle on a site server, you can then update other components for Configuration
Manager. The following table describes update actions for these various components:

Site server
Deploy updates to a remote site server when you don't choose to install the update bundle directly on that
remote site server.

Site database
For remote site servers, deploy server updates that include an update to the site database if you don't install
the update bundle directly on that remote site server.

Configuration Manager console
After initial installation of the Configuration Manager console, you can install updates for the console on each
computer that runs it. You can't modify the console installation files to apply the updates during the initial
installation of the console.

Remote SMS Provider
Install updates for each instance of the SMS Provider that runs on a computer other than the site server where
you installed the update bundle.

Configuration Manager clients
After initial installation of the Configuration Manager client, you can install updates for the Configuration
Manager client on each computer that runs the client.

NOTE
You can deploy updates only to computers that run the Configuration Manager client.

If you reinstall a client, Configuration Manager console, or SMS Provider, also reinstall the updates for these
components.
Update servers
Updates for servers can include updates for sites, the site database, and computers that run an instance of the
SMS Provider.
Update a site
To update a Configuration Manager site, you can install the update bundle directly on the site server. You can
also deploy the updates to a site server after you install the update bundle on a different site.
When you install an update on a site server, the update installation process manages other actions that are
required to apply the update, such as updating site system roles. The exception is the site database. The next
section contains information about how to update the site database.
Update a site database
To update the site database, the installation process runs a file named update.sql on the site database. You can
configure the update process to automatically update the site database, or you can manually update the site
database later.
Automatic update of the site database

When you install the update bundle on a site server, you can choose to automatically update the site database
when the server update is installed. This decision applies only to the site server where you install the update
bundle and doesn't apply to deployments that are created to install the updates on remote site servers.

NOTE
When you choose to automatically update the site database, the process updates a database regardless whether the
database is located on the site server or on a remote computer.

IMPORTANT
Before you update the site database, create a backup of the site database. You can't uninstall an update to the site
database. For information about how to create a backup for Configuration Manager, see Backup and recovery for
Configuration Manager.

Manual update of the site database

If you choose not to automatically update the site database when you install the update bundle on the site
server, the server update doesn't modify the database on the site server where the update bundle runs.
However, deployments of the server update to remote site servers, whether through the software deployment
package or through Updates Publisher, always update the site database.
WARNING
When the update includes updates to both the site server and the site database, the update isn't functional until the
update is completed for both the site server and site database. Until the update is applied to the site database, the site is
in an unsupported state.

1. On the site server, stop the SMS_SITE_COMPONENT_MANAGER service. Then stop the
SMS_EXECUTIVE service.
2. Close the Configuration Manager console.
3. Run the update script named update.sql on that site's database. For information about how to run a
script to update a SQL Server database, see the documentation for the version of SQL Server that you
use for your site database server.

TIP
When the update bundle installs, it extracts update.sql to the following location on the site server:
\\<Server Name>\SMS_<Site Code>\Hotfix\<KB Number>\update.sql .

4. Restart the services that you stopped in step 1.
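
The following PowerShell script is an added example, not code from the Configuration Manager documentation. It performs the four manual steps above in the documented order, takes the database backup the IMPORTANT note calls for first, and restarts the services even if update.sql fails so the site isn't left down while you investigate. It assumes sqlcmd.exe is on the PATH of the site server, that the site database is named CM_<SiteCode>, and that the account running it is a local Administrator with db_owner rights on that database; the site code, SQL Server name and backup path are placeholders.

```powershell
# Added example, not part of the Configuration Manager docs: apply update.sql
# manually in the documented order. Assumptions: sqlcmd.exe is on PATH on the
# site server, the site database is CM_<SiteCode>, and the calling account has
# db_owner (or equivalent) on it. Site code, server and paths are placeholders.
param(
    [Parameter(Mandatory)][string]$SiteCode,    # e.g. PS1
    [Parameter(Mandatory)][string]$SqlServer,   # e.g. sql01.contoso.com
    [Parameter(Mandatory)][string]$KbNumber,    # the <KB Number> folder under \Hotfix
    [string]$BackupPath = 'D:\Backup\CM_before_hotfix.bak'
)
$ErrorActionPreference = 'Stop'
$db  = "CM_$SiteCode"
$sql = "\\$env:COMPUTERNAME\SMS_$SiteCode\Hotfix\$KbNumber\update.sql"
if (-not (Test-Path $sql)) { throw "update.sql not found at $sql; install the update bundle first" }

function Invoke-SiteSql([string[]]$SqlArgs) {
    # -b makes sqlcmd exit non-zero when any batch raises an error, so a failed
    # script can't be mistaken for success.
    & sqlcmd.exe -S $SqlServer -d $db -E -b @SqlArgs
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
}

# 0. Back up first: an update to the site database can't be uninstalled.
Invoke-SiteSql @('-Q', "BACKUP DATABASE [$db] TO DISK = N'$BackupPath' WITH INIT, CHECKSUM")

# 1. Stop SMS_SITE_COMPONENT_MANAGER, then SMS_EXECUTIVE (documented order).
$services = 'SMS_SITE_COMPONENT_MANAGER', 'SMS_EXECUTIVE'
foreach ($s in $services) {
    Stop-Service -Name $s -Force
    (Get-Service -Name $s).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
}

# 2. Close any Configuration Manager console on this server, then
# 3. run the script against the site database.
try {
    Invoke-SiteSql @('-i', $sql)
}
finally {
    # 4. Restart in reverse order, even when the script failed, so the site
    # is back while you read the sqlcmd output.
    [array]::Reverse($services)
    foreach ($s in $services) { Start-Service -Name $s }
}
```

A native BACKUP DATABASE is enough to roll back the database step, but it isn't a full site backup; for the documented recovery path, run the Backup Site Server maintenance task instead and only then proceed.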


Update a computer that runs the SMS Provider
After you install an update bundle that includes updates for the SMS Provider, deploy the update to each
computer that runs the SMS Provider. The only exception is the instance of the SMS Provider that was previously
installed on the site server where you install the update bundle. The local instance of the SMS Provider on the
site server is updated when you install the update bundle.
If you remove and then reinstall the SMS Provider on a computer, reinstall the update for the SMS Provider on
that computer.
Update clients
When you install an update that includes updates for the Configuration Manager client, you can automatically
upgrade clients with the update installation, or manually upgrade clients at a later time. For more information
about automatic client upgrade, see How to upgrade clients for Windows computers.
You can deploy updates with Updates Publisher or a software deployment package. You can also manually install
the update on each client. For more information about how to use deployments to install updates, see Deploy
updates for Configuration Manager.

IMPORTANT
When you install updates for clients and the update bundle includes updates for servers, install the server updates on the
primary site to which the clients are assigned.

To manually install the client update, run Msiexec.exe on each Configuration Manager client. Include the
platform-specific client update MSP file in the command line. For example, you can use the following command
line for a client update:
msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\Client\<Platform>\<msp> /L*v <logfile> REINSTALLMODE=mous REINSTALL=ALL

Update Configuration Manager consoles


To update a Configuration Manager console, install the update on the computer that runs the console.
IMPORTANT
When you install updates for the Configuration Manager console, and the update bundle includes updates for servers,
also install the server updates on the site that you use with the Configuration Manager console.

If the computer that you update runs the Configuration Manager client:
You can use a deployment to install the update. For more information about how to use deployments to
install updates, see Deploy updates for Configuration Manager.
If you're signed in to the client computer, run the installation interactively.
To manually install the Configuration Manager console update, run Msiexec.exe . Include the Configuration
Manager console update MSP file in the command line. For example, you can use the following command line to
update a Configuration Manager console:
msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\AdminConsole\<Platform>\<msp> /L*v <logfile> REINSTALLMODE=mous REINSTALL=ALL
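
The following PowerShell script is an added example, not code from the Configuration Manager documentation. It wraps the two msiexec command lines above (the client .msp under \Client\<Platform> and the console .msp under \AdminConsole\<Platform>) with what the page leaves to the operator: verifying the patch's Authenticode signature before installing from a UNC share, and translating msiexec's exit code so a reboot-required result isn't reported as a failure. The MSP path, log location and the expectation that the patch is signed by Microsoft Corporation are assumptions of this example.

```powershell
# Added example, not part of the Configuration Manager docs: install a client or
# console hotfix .msp with the same msiexec options as the command lines above,
# after an Authenticode check, and map msiexec's exit code to a result.
# Assumptions: the MSP path is the UNC path from the Hotfix folder, and a valid
# signature with O=Microsoft Corporation in the signer subject is expected.
param(
    [Parameter(Mandatory)][string]$Msp,   # e.g. \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\Client\x64\<msp>
    [string]$LogFile = "$env:SystemRoot\Temp\cm-hotfix-$(Get-Date -Format yyyyMMdd-HHmmss).log",
    [switch]$Quiet
)
$ErrorActionPreference = 'Stop'

function Test-PatchSignature([string]$Path) {
    # Only install patches that carry a valid signature from the expected publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Install-CMHotfixPatch([string]$Path, [string]$Log, [bool]$Silent) {
    if (-not (Test-PatchSignature $Path)) { throw "Signature check failed for $Path; not installing" }
    # Same options as the documented command line; /qn is added for unattended runs.
    $msiArgs = @('/p', "`"$Path`"", '/L*v', "`"$Log`"", 'REINSTALLMODE=mous', 'REINSTALL=ALL')
    if ($Silent) { $msiArgs += '/qn' }
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed; restart required' }          # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { return 'Installed; restart initiated' }         # ERROR_SUCCESS_REBOOT_INITIATED
        1642    { throw "Patch target not found: $Path doesn't apply to the product installed here" }
        default { throw "msiexec exited with $($p.ExitCode); see $Log" }
    }
}

Install-CMHotfixPatch -Path $Msp -Log $LogFile -Silent:([bool]$Quiet)
```

Run it in an elevated session on the client or console computer; pass -Quiet when you call it from a package program so no UI is shown.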

Deploy updates for Configuration Manager


After you install the update bundle on a site server, you can use one of the following three methods to deploy
updates to other computers.
Use Updates Publisher to install updates
When you install the update bundle on a site server, the installation Wizard creates a catalog file for Updates
Publisher. You can use this file to deploy the updates to applicable computers. The wizard always creates this
catalog, even when you select the option Use package and program to deploy this update .
The catalog for Updates Publisher is named SCUPCatalog.cab . It's in the following location on the computer
where you ran the update bundle: \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\SCUP\SCUPCatalog.cab

IMPORTANT
The SCUPCatalog.cab file is created by using paths that are specific to the site server where the update bundle is installed.
It can't be used on other site servers.

After the wizard is finished, import the catalog to Updates Publisher. Then use software updates to deploy the
updates. For more information, see System Center Updates Publisher.
Import the updates to Updates Publisher
1. Start the Updates Publisher console and select Import.
2. On the Import Type page of the Import Software Updates Catalog Wizard, select Specify the path to
the catalog to import. Then specify the SCUPCatalog.cab file.
3. Select Next , and then select Next again.
4. In the Security Warning - Catalog Validation window, select Accept . Close the wizard after it's
finished.
5. Select the update that you want to deploy, and then select Publish .
6. On the Publish Options page of the Publish Software Updates Wizard, select Full Content , and then
select Next .
7. Complete the wizard to publish the updates.
Use software deployment to install updates
When you install the update bundle on the site server of a primary site or CAS, you can configure the
installation Wizard to create update packages for software deployment. Then deploy each package to a
collection of computers that you want to update.
To create a software deployment package, on the Configure Software Update Deployment page of the
wizard, select each update package type that you want to update. The available types can include servers,
Configuration Manager consoles, and clients. A separate package is created for each type of update that you
select.

NOTE
The package for servers contains updates for the following components:
Site server
SMS Provider
Site database

Next, on the Configure Software Update Deployment Method page of the wizard, select the option I will
use software distribution .
After the wizard is finished, view the packages in the Configuration Manager console. Go to the Packages node
in the Software Library workspace. Use your standard process to deploy software packages to Configuration
Manager clients. When a package runs on a client, it installs the updates to the applicable components of
Configuration Manager on the client computer.
For more information about how to deploy packages to Configuration Manager clients, see Packages and
programs.
Create collections for deploying updates to Configuration Manager
You can deploy specific updates to applicable clients. The following information can help you to create device
collections for the different components for Configuration Manager.

CAS server
Create a direct membership rule and add the CAS server.

All primary site servers
Create a direct membership rule and add each primary site server.

All secondary site servers
Create a direct membership rule and add each secondary site server.

All x86 clients
Create a collection with the following query criteria:
Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X86-based PC"

All x64 clients
Create a collection with the following query criteria:
Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X64-based PC"

All computers that run the Configuration Manager console
Create a direct membership rule and add each computer.

Remote computers that run an instance of the SMS Provider
Create a direct membership rule and add each computer.

NOTE
To update a site database, deploy the update to the site server for that site.

For more information, see How to create collections.
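
The following PowerShell script is an added example, not code from the Configuration Manager documentation. It creates the collections in the list above with the ConfigurationManager module that ships with the console: query-based collections for the x86 and x64 clients using the WQL shown, and direct-membership collections for the CAS, primary site servers and console computers. The collection names, the site code PS1, All Systems as the limiting collection, and the host names passed in are placeholders; it must run from a computer with the console installed and an account with rights to create collections.

```powershell
# Added example, not part of the Configuration Manager docs: build the device
# collections from the list above with the ConfigurationManager module.
# Assumptions: the console (and so the module) is installed here, the site
# code is PS1, All Systems is the limiting collection, and every host name
# passed in already has a client record. Names are placeholders.
param(
    [string]$SiteCode = 'PS1',
    [string]$CasServer,
    [string[]]$PrimarySiteServers = @(),
    [string[]]$ConsoleHosts = @()
)
$ErrorActionPreference = 'Stop'
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"
$limiting = 'All Systems'

function New-QueryCollection([string]$Name, [string]$Wql) {
    # Idempotent: re-running the script doesn't create duplicates.
    if (-not (Get-CMDeviceCollection -Name $Name)) {
        New-CMDeviceCollection -Name $Name -LimitingCollectionName $limiting | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -QueryExpression $Wql -RuleName "$Name rule"
    }
}

function New-DirectCollection([string]$Name, [string[]]$Hosts) {
    if (-not (Get-CMDeviceCollection -Name $Name)) {
        New-CMDeviceCollection -Name $Name -LimitingCollectionName $limiting | Out-Null
    }
    foreach ($h in $Hosts) {
        # Updates can only be deployed to computers that run the client, so a
        # missing device record is a real problem, not something to paper over.
        $dev = Get-CMDevice -Name $h | Select-Object -First 1
        if (-not $dev) { Write-Warning "$h has no client record; add it later"; continue }
        Add-CMDeviceCollectionDirectMembershipRule -CollectionName $Name -ResourceId $dev.ResourceID
    }
}

# The architecture queries from the list, parameterised on SystemType.
$archQuery = 'select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "{0}"'
New-QueryCollection -Name 'CM Hotfix - All x86 clients' -Wql ($archQuery -f 'X86-based PC')
New-QueryCollection -Name 'CM Hotfix - All x64 clients' -Wql ($archQuery -f 'X64-based PC')

if ($CasServer)          { New-DirectCollection -Name 'CM Hotfix - CAS server' -Hosts @($CasServer) }
if ($PrimarySiteServers) { New-DirectCollection -Name 'CM Hotfix - Primary site servers' -Hosts $PrimarySiteServers }
if ($ConsoleHosts)       { New-DirectCollection -Name 'CM Hotfix - Console computers' -Hosts $ConsoleHosts }
```

Deploy the server package to the site server collections (which also updates each site's database, as the note above says), and the client and console packages to the matching collections.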


Checklist for installing update 2111 for Configuration
Manager
2/16/2022

Applies to: Configuration Manager (current branch)


When you use the current branch of Configuration Manager, you can install the in-console update for version
2111 to update your hierarchy from a previous version.
To get the update for version 2111, you must use a service connection point at the top-level site of your
hierarchy. This site system role can be in online or offline mode. To download the update when your service
connection point is offline, use the service connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the console. In the
Administration workspace, select the Updates and Servicing node.
When the update is listed as Available , the update is ready to install. Before installing version 2111,
review the following information about installing update 2111 and the pre-update checklist for
configurations to make before starting the update.
If the update displays as Downloading and doesn't change, review the hman.log and
dmpdownloader.log for errors.
The dmpdownloader.log may indicate that the dmpdownloader process is waiting for an interval
before checking for updates. To restart the download of the update's redistribution files, restart the
SMS_Executive service on the site server.
Another common download issue occurs when proxy server settings prevent downloads from
required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.

About installing update 2111


Sites
Install update 2111 at the top-level site of your hierarchy. Start the installation from your central administration
site (CAS) or from your stand-alone primary site. After the update is installed at the top-level site, child sites
have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the installation of the update.
You can use service windows to control when a site installs the update. For more information, see Service
windows for site servers.
Manually update each secondary site from within the Configuration Manager console after the primary
parent site finishes the update installation. Automatic update of secondary site servers isn't supported.
Site system roles
When a site server installs the update, it automatically updates all of the site system roles. These roles are on the
site server or installed on remote servers. Before installing the update, make sure that each site system server
meets the current prerequisites for the new update version.
Configuration Manager consoles
The first time you use a Configuration Manager console after the update has finished, you're prompted to
update that console. You can also run the Configuration Manager setup on the computer that hosts the console,
and choose the option to update the console. Install the update to the console as soon as possible. For more
information, see Install the Configuration Manager console.

IMPORTANT
When you install an update at the CAS, be aware of the following limitations and delays that exist until all child primary
sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and pre-production clients. Additionally, you
can't promote pre-production clients to production until the last site completes the update installation. After the last
site completes the update installation, client updates begin based on your configuration choices.
New features you enable with the update aren't available. This behavior is to prevent the CAS replicating data related
to that feature to a site that hasn't yet installed support for that feature. After all primary sites install the update, the
feature is available for use.
Replication links between the CAS and child primary sites display as not upgraded. This state displays in the update
installation status as Completed with warning for monitoring replication initialization. In the Monitoring workspace of
the console, this state displays as Link is being configured.

Early update ring


As of December 15, 2021, version 2111 is globally available for all customers to install. If you previously opted
in to the early update ring, watch for an update to this current branch version.

Pre-update checklist
All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager before you can start the
installation. To update to version 2111, use version 2006 or later.
Review the status of your product licensing
You need an active Software Assurance (SA) agreement or equivalent subscription rights to install this update.
When you update the site, the Licensing page presents the option to confirm your Software Assurance
expiration date .
This value is optional. You can specify it as a convenient reminder of your license expiration date. This date is
visible when you install future updates. You might have previously specified this value during setup or
installation of an update. You can also specify this value in the Configuration Manager console. In the
Administration workspace, expand Site Configuration , and select Sites . Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
For more information, see Licensing and branches.
Review Microsoft .NET versions
Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site servers, specific site
systems, clients, and the console. Before you run setup to install or update the site, first update .NET and restart
the system. If possible in your environment, install the latest version of .NET version 4.8.
This installation can put the site system server into a reboot pending state and report errors to the
Configuration Manager component status viewer. .NET applications on the server might experience random
failures until you restart the server.
For more information including how to manage restarts, see Site and site system prerequisites.
Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be supported for Configuration
Manager version 2111. For more information, see Support for the Windows ADK. If you need to update the
Windows ADK, do so before you begin the update of Configuration Manager. This order makes sure the default
boot images are automatically updated to the latest version of Windows PE. Manually update any custom boot
images after updating the site.
If you update the site before you update the Windows ADK, see Update distribution points with the boot image.
Review SQL Server Native Client version
Install a minimum version of SQL Server 2012 Native Client, which includes support for TLS 1.2. For more
information, see the List of prerequisite checks.
Review the site and hierarchy status for unresolved issues
A site update can fail because of existing operational problems. Before you update a site, resolve all operational
issues for the following systems:
The site server
The site database server
Remote site system roles on other servers
For more information, see Use the status system.
Review file and data replication between sites
Make sure that file and database replication between sites is operational and current. Delays or backlogs in
either can prevent a successful update.
Database replication
For database replication, to help resolve issues before you start the update, use the Replication Link Analyzer
(RLA). For more information, see Monitor database replication.
Use RLA to answer the following questions:
Is replication per group in a good state?
Are any links degraded?
Are there any errors?
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of records, then the link is in a
bad state. Before updating the site, solve the replication issue. If you need further assistance, contact Microsoft
Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving sites. If there are lots of
stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despool.log.
Install all applicable critical Windows updates
Before you install an update for Configuration Manager, install any critical OS updates for each applicable site
system. These servers include the site server, site database server, and remote site system roles. If an update that
you install requires a restart, restart the applicable servers before you start the upgrade.
Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database replica for management
points enabled. Before you install an update for Configuration Manager, disable database replication.
For more information, see Database replicas for management points.
Set SQL Server Always On availability groups to manual failover
If you use an availability group, make sure that the availability group is set to manual failover before you start
the update installation. After the site has updated, you can restore failover to be automatic. For more
information, see Prepare to use an availability group.
Disable site maintenance tasks at each site
Before you install the update, disable any site maintenance task that might run during the time the update
process is active. For example, but not limited to:
Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data
When a site database maintenance task runs during the update installation, the update installation can fail.
Before you disable a task, record the schedule of the task so you can restore its configuration after the update
has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
Temporarily stop any antivirus software
Before you update a site, stop antivirus software on the Configuration Manager servers. The antivirus software
can lock some files that need to be updated, which causes the update to fail.
Create a backup of the site database
Before you update a site, back up the site database at the CAS and primary sites. This backup makes sure you
have a successful backup to use for disaster recovery.
For more information, see Backup and recovery.
Back up customized files
If you or a third-party product customizes any Configuration Manager configuration files, save a copy of your
customizations.
For example, you add custom entries to the osdinjection.xml file in the bin\X64 folder of your Configuration
Manager installation directory. After you update Configuration Manager, these customizations don't persist.
Reapply your customizations.
Review hardware inventory customizations
If you changed the state of hardware inventory classes in client settings, when you update the site, some classes
may revert to a default state. For example, if you disable the SMS_Windows8Application or
SMS_Windows8ApplicationUserInfo classes, they're enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, note their configuration before you install the update.
Plan for client piloting
When you install a site update that also updates the client, test that new client update in pre-production before
you update all production clients. To use this option, configure your site to support automatic upgrades for
pre-production before beginning installation of the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-production collection.
NOTE
When you update to version 2107 or later, clients with PKI certificates will recreate self-signed certificates, but don't
reregister with the site. Clients without a PKI certificate will reregister with the site, which can cause extra processing at
the site. Make sure that your process to update clients allows for randomization. If you simultaneously update lots of
clients, it may cause a backlog on the site server.

Plan to use service windows


To define a period during which updates to a site server can be installed, use service windows. They can help
you control when sites in your hierarchy install the update. For more information, see Service windows for site
servers.
Review supported extensions
If you extend Configuration Manager with other products from Microsoft, Microsoft partners, or third-party
vendors, confirm that those products support and are compatible with version 2111. Check with the product
vendor for this information.

TIP
If you develop a third-party add-on to Configuration Manager, you should test your add-on with every monthly technical
preview branch release. Regular testing helps confirm compatibility, and allows for early reporting of any issues with
standard interfaces.

Disable any custom solutions


If your site has any custom solutions based on the Configuration Manager SDK or PowerShell, disable this code
before you update the site. Make sure to test this custom code in a lab environment to make sure it's compatible
with the new version.

NOTE
Starting in version 2111, third-party add-ons that use Microsoft .NET Framework and rely on Configuration Manager
libraries also need to use .NET 4.6.2 or later. For more information, see External dependencies require .NET 4.6.2.

Read the release notes


Before you start the update, review the current release notes. With Configuration Manager, product release
notes are limited to urgent issues. These issues aren't yet fixed in the product, or detailed in a Microsoft Support
article.
Feature-specific documentation may include information about known issues that affect core scenarios.
For more information, see the Release notes.
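The pre-update checklist steps above (confirm every site runs the same version, record and disable the site maintenance tasks, set the availability group replicas to manual failover) as one PowerShell script run from a console computer. This is an added example, not code from the Microsoft docs or from the Configuration Manager product; the site code PS1, the provider cmsite01.contoso.local, the availability group CMAG and its listener cmag-listener are assumed names, and the availability group step needs Invoke-Sqlcmd from the SqlServer module.

```powershell
<#
  Pre-update snapshot for a Configuration Manager in-console update (added example).
  Assumed names, not from the docs: site code PS1, SMS Provider cmsite01.contoso.local,
  availability group CMAG reached through listener cmag-listener; the snapshot path is constructed.
#>
param(
    [string]$SiteCode            = 'PS1',
    [string]$ProviderMachineName = 'cmsite01.contoso.local',
    [string]$SnapshotPath        = "$env:TEMP\cm-pre-update-$SiteCode.json",
    [string]$AgListener          = 'cmag-listener',
    [string]$AgName              = 'CMAG'
)

# Load the ConfigurationManager module installed with the console and connect to the site,
# the same way the console's "Connect via Windows PowerShell" option does.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName | Out-Null
}
Set-Location "$($SiteCode):"

# 1. Every site server in the hierarchy must run the same version before the update starts.
$sites    = Get-CMSite
$versions = @($sites | Select-Object -ExpandProperty Version -Unique)
if ($versions.Count -ne 1) {
    $sites | Format-Table SiteCode, SiteName, Version, BuildNumber -AutoSize | Out-String | Write-Host
    throw 'Sites run different versions; bring them to the same version before installing the update.'
}
Write-Host "All $($sites.Count) site(s) run version $($versions[0])"

# 2. Record the schedule of every enabled maintenance task at each site, then disable it.
#    Only enabled tasks are recorded, so the post-update restore re-enables exactly those
#    and leaves tasks that were already disabled alone.
$snapshot = foreach ($site in $sites) {
    foreach ($task in (Get-CMSiteMaintenanceTask -SiteCode $site.SiteCode | Where-Object Enabled)) {
        [pscustomobject]@{
            SiteCode        = $site.SiteCode
            TaskName        = $task.TaskName
            BeginTime       = $task.BeginTime
            LatestBeginTime = $task.LatestBeginTime
            DaysOfWeek      = $task.DaysOfWeek
        }
        # Disabling does not touch the schedule, so it can be re-enabled as-is after the update.
        Set-CMSiteMaintenanceTask -SiteCode $site.SiteCode -Name $task.TaskName -Enabled $false
    }
}
$snapshot | ConvertTo-Json | Set-Content -Path $SnapshotPath
Write-Host "Recorded and disabled $(@($snapshot).Count) maintenance task(s); schedule saved to $SnapshotPath"

# 3. Switch every replica of the availability group to manual failover for the duration of the update.
#    The listener always connects to the current primary, where ALTER AVAILABILITY GROUP must run.
$replicas = Invoke-Sqlcmd -ServerInstance $AgListener -Query @"
SELECT r.replica_server_name, r.failover_mode_desc
FROM sys.availability_replicas AS r
JOIN sys.availability_groups AS g ON g.group_id = r.group_id
WHERE g.name = N'$AgName';
"@
foreach ($r in ($replicas | Where-Object failover_mode_desc -ne 'MANUAL')) {
    Invoke-Sqlcmd -ServerInstance $AgListener -Query `
        "ALTER AVAILABILITY GROUP [$AgName] MODIFY REPLICA ON N'$($r.replica_server_name)' WITH (FAILOVER_MODE = MANUAL);"
    Write-Host "Set replica $($r.replica_server_name) to manual failover"
}
```

Keep the JSON file the script writes; the post-update restore reads it to re-enable the same tasks.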

Install the update


Run the setup prerequisite checker
When the console lists the update as Available, you can run the prerequisite checker before installing the
update. (When you install the update on the site, the prerequisite checker runs again.)
To run a prerequisite check from the console, go to the Administration workspace, and select Updates and
Servicing. Select the Configuration Manager 2111 update package, and select Run prerequisite check in
the ribbon.
For more information, see the section to Run the prerequisite checker before installing an update in
Before you install an in-console update.

IMPORTANT
When the prerequisite checker runs, the process updates some product source files that are used for site maintenance
tasks. After running the prerequisite checker, but before installing the update, if you need to do a site maintenance task,
run Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site server.

Update sites
You're now ready to start the update installation for your hierarchy. For more information about installing the
update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when the process will have the
least effect on your business operations. Installing the update and its actions reinstall site components and site
system roles.
For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and configurations.
Confirm version and restart (if necessary)
Make sure each site server and site system role is updated to version 2111. In the console, add the Version
column to the Sites and Distribution Points nodes in the Administration workspace. When necessary, a site
system role automatically reinstalls to update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review your site infrastructure
and make sure that applicable site servers and remote site system servers successfully restarted. Typically, site
servers restart only when Configuration Manager installs .NET as a prerequisite for a site system role.
Confirm site-to-site replication is active
In the Configuration Manager console, go to the following locations to view the status, and make sure that
replication is active:
Monitoring workspace, Site Hierarchy node
Monitoring workspace, Database Replication node
For more information, see the following articles:
Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer
Update Configuration Manager consoles
Update all remote Configuration Manager consoles to the same version. You're prompted to update the console
when:
You open the console.
You go to a new node in the console.
Reconfigure database replicas for management points
After you update a primary site, reconfigure the database replica for management points that you uninstalled
before you updated the site. For more information, see Database replicas for management points.
Reconfigure availability groups
If you use an availability group, reset the failover configuration to automatic. For more information, see Prepare
to use an availability group.
Reconfigure any disabled maintenance tasks
If you disabled database maintenance tasks at a site before installing the update, reconfigure those tasks. Use
the same settings that were in place before the update.
Restore hardware inventory customizations
If you changed the state of hardware inventory classes in client settings, when you update the site, some classes
may revert to a default state. For example, if you disable the SMS_Windows8Application or
SMS_Windows8ApplicationUserInfo classes, they're enabled after installing a Configuration Manager update.

When you customize hardware inventory classes, review their configuration after you install the update to make
sure they are configured as you intend.
Restore user state from active deployments
If you have any active user state migrations, before you update the Configuration Manager client on those
devices, restore the user state. Due to changes to the encryption algorithm in version 2103, the updated client
will fail to restore the user state when it tries to use a different encryption algorithm.
Update clients
Update clients per the plan you created, especially if you configured client piloting before installing the update.
For more information, see How to upgrade clients for Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that supports and is compatible
with Configuration Manager version 2111.
Enable any custom solutions
Enable any custom solutions based on the Configuration Manager SDK or PowerShell that you've already tested
in a lab environment with version 2111.
Update boot images and media
Use the Update Distribution Points action for any boot image that you use, whether it's a default or custom
boot image. This action makes sure that clients can use the latest version. Even if there isn't a new version of the
Windows ADK, the Configuration Manager client components may change with an update. If you don't update
boot images and media, task sequence deployments may fail on devices.
When you update the site, Configuration Manager automatically updates the default boot images. It doesn't
automatically distribute the updated content to distribution points. Use the Update Distribution Points action
on specific boot images when you're ready to distribute this content across your network.

NOTE
For default boot images, the site always uses the current version of the Configuration Manager client that matches the
site's version. Even if you configure automatic client upgrades to use a pre-production collection, that feature doesn't
apply to boot images.

After updating the site, manually update any custom boot images. This action updates the boot image with the
latest client components if necessary, optionally reloads it with the current Windows PE version, and
redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
Update PowerShell help content
To get the latest information for the Configuration Manager PowerShell module, use the Update-Help cmdlet.
Run this cmdlet on all computers with the Configuration Manager console. This help content is the same as
what's published on docs.microsoft.com for the ConfigurationManager module.
For more information, see Configuration Manager PowerShell cmdlets: Update help.
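The post-update checklist steps above (confirm every site reports the new version, re-enable the maintenance tasks with their recorded schedules, return the availability group to automatic failover, refresh the PowerShell help) as one script, added here as an example rather than taken from the Microsoft docs or the product. It reads the JSON snapshot written before the update and uses the same assumed names (site code PS1, provider cmsite01.contoso.local, availability group CMAG, listener cmag-listener); Invoke-Sqlcmd comes from the SqlServer module.

```powershell
<#
  Post-update restore for a Configuration Manager in-console update (added example).
  Assumed names, not from the docs: site code PS1, SMS Provider cmsite01.contoso.local,
  availability group CMAG reached through listener cmag-listener; snapshot path is constructed.
#>
param(
    [string]$SiteCode            = 'PS1',
    [string]$ProviderMachineName = 'cmsite01.contoso.local',
    [string]$SnapshotPath        = "$env:TEMP\cm-pre-update-$SiteCode.json",
    [string]$AgListener          = 'cmag-listener',
    [string]$AgName              = 'CMAG'
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName | Out-Null
}
Set-Location "$($SiteCode):"

# 1. Confirm version: every site should now report the version of the top-level site the console
#    is connected to. Secondary sites lag until they are updated manually from the console.
$top     = Get-CMSite -SiteCode $SiteCode
$lagging = @(Get-CMSite | Where-Object Version -ne $top.Version)
if ($lagging.Count -gt 0) {
    $lagging | Format-Table SiteCode, SiteName, Version -AutoSize | Out-String | Write-Host
    Write-Warning "$($lagging.Count) site(s) are not yet at version $($top.Version); update secondary sites from the console."
} else {
    Write-Host "All sites report version $($top.Version)"
}

# 2. Re-enable exactly the maintenance tasks that were enabled before the update. The schedule
#    was not changed by disabling, but the recorded DaysOfWeek is compared as a sanity check.
$snapshot = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
foreach ($entry in $snapshot) {
    Set-CMSiteMaintenanceTask -SiteCode $entry.SiteCode -Name $entry.TaskName -Enabled $true
    $current = Get-CMSiteMaintenanceTask -SiteCode $entry.SiteCode -Name $entry.TaskName
    if ($current.DaysOfWeek -ne $entry.DaysOfWeek) {
        Write-Warning "$($entry.SiteCode)/$($entry.TaskName): DaysOfWeek is $($current.DaysOfWeek), recorded $($entry.DaysOfWeek)"
    }
}
Write-Host "Re-enabled $(@($snapshot).Count) maintenance task(s)"

# 3. Return the availability group to automatic failover. SQL Server only allows AUTOMATIC on
#    synchronous-commit replicas, so asynchronous replicas are left in manual mode.
$replicas = Invoke-Sqlcmd -ServerInstance $AgListener -Query @"
SELECT r.replica_server_name, r.failover_mode_desc, r.availability_mode_desc
FROM sys.availability_replicas AS r
JOIN sys.availability_groups AS g ON g.group_id = r.group_id
WHERE g.name = N'$AgName';
"@
foreach ($r in ($replicas | Where-Object { $_.availability_mode_desc -eq 'SYNCHRONOUS_COMMIT' -and $_.failover_mode_desc -ne 'AUTOMATIC' })) {
    Invoke-Sqlcmd -ServerInstance $AgListener -Query `
        "ALTER AVAILABILITY GROUP [$AgName] MODIFY REPLICA ON N'$($r.replica_server_name)' WITH (FAILOVER_MODE = AUTOMATIC);"
    Write-Host "Set replica $($r.replica_server_name) back to automatic failover"
}

# 4. Refresh the module's help content on this console computer (needs an elevated session).
Update-Help -Module ConfigurationManager -ErrorAction Continue
```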

Next steps
Review the release notes. This article can be updated regularly, especially right after a new current branch
release. You can use RSS to be notified when this page is updated. For more information, see How to use the
docs.
Checklist for installing update 2107 for
Configuration Manager
2/16/2022 • 14 minutes to read

Applies to: Configuration Manager (current branch)


When you use the current branch of Configuration Manager, you can install the in-console update for version
2107 to update your hierarchy from a previous version.
To get the update for version 2107, you must use a service connection point at the top-level site of your
hierarchy. This site system role can be in online or offline mode. To download the update when your service
connection point is offline, use the service connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the console. In the
Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before installing version 2107,
review the following information about installing update 2107 and the checklist for configurations to
make before starting the update.
If the update displays as Downloading and doesn't change, review the hman.log and
dmpdownloader.log for errors.
The dmpdownloader.log may indicate that the dmpdownloader process is waiting for an interval
before checking for updates. To restart the download of the update's redistribution files, restart the
SMS_Executive service on the site server.
Another common download issue occurs when proxy server settings prevent downloads from
required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.

About installing update 2107


Sites
Install update 2107 at the top-level site of your hierarchy. Start the installation from your central administration
site (CAS) or from your stand-alone primary site. After the update is installed at the top-level site, child sites
have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the installation of the update.
You can use service windows to control when a site installs the update. For more information, see Service
windows for site servers.
Manually update each secondary site from within the Configuration Manager console after the primary
parent site finishes the update installation. Automatic update of secondary site servers isn't supported.
Site system roles
When a site server installs the update, it automatically updates all of the site system roles. These roles are on the
site server or installed on remote servers. Before installing the update, make sure that each site system server
meets the current prerequisites for the new update version.
Configuration Manager consoles
The first time you use a Configuration Manager console after the update has finished, you're prompted to
update that console. You can also run the Configuration Manager setup on the computer that hosts the console,
and choose the option to update the console. Install the update to the console as soon as possible. For more
information, see Install the Configuration Manager console.

IMPORTANT
When you install an update at the CAS, be aware of the following limitations and delays that exist until all child primary
sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and pre-production clients. Additionally, you
can't promote pre-production clients to production until the last site completes the update installation. After the last
site completes the update installation, client updates begin based on your configuration choices.
New features you enable with the update aren't available. This behavior is to prevent the CAS replicating data related
to that feature to a site that hasn't yet installed support for that feature. After all primary sites install the update, the
feature is available for use.
Replication links between the CAS and child primary sites display as not upgraded. This state displays in the update
installation status as Completed with warning for monitoring replication initialization. In the Monitoring workspace of
the console, this state displays as Link is being configured.

Early update ring


As of August 23, 2021, version 2107 is globally available for all customers to install. If you previously opted in to
the early update ring, watch for an update to this current branch version.

Checklist
All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager before you can start the
installation of update 2107. To update to 2107, use version 2002 or later.
Review the status of your product licensing
You need an active Software Assurance (SA) agreement or equivalent subscription rights to install this update.
When you update the site, the Licensing page presents the option to confirm your Software Assurance
expiration date.
This value is optional. You can specify it as a convenient reminder of your license expiration date. This date is
visible when you install future updates. You might have previously specified this value during setup or
installation of an update. You can also specify this value in the Configuration Manager console. In the
Administration workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
For more information, see Licensing and branches.
Review Microsoft .NET versions
Configuration Manager now requires Microsoft .NET Framework version 4.6.2 for site servers, specific site
systems, clients, and the console. Before you run setup to install or update the site, first update .NET and restart
the system. If possible in your environment, install the latest version of .NET version 4.8.
This installation can put the site system server into a reboot pending state and report errors to the
Configuration Manager component status viewer. .NET applications on the server might experience random
failures until you restart the server.
For more information including how to manage restarts, see Site and site system prerequisites.
Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be supported for Configuration
Manager version 2107. For more information, see Support for the Windows ADK. If you need to update the
Windows ADK, do so before you begin the update of Configuration Manager. This order makes sure the default
boot images are automatically updated to the latest version of Windows PE. Manually update any custom boot
images after updating the site.
If you update the site before you update the Windows ADK, see Update distribution points with the boot image.
Review SQL Server Native Client version
Install a minimum version of SQL Server 2012 Native Client, which includes support for TLS 1.2. For more
information, see the List of prerequisite checks.
Review the site and hierarchy status for unresolved issues
A site update can fail because of existing operational problems. Before you update a site, resolve all operational
issues for the following systems:
The site server
The site database server
Remote site system roles on other servers
For more information, see Use the status system.
Review file and data replication between sites
Make sure that file and database replication between sites is operational and current. Delays or backlogs in
either can prevent a successful update.
Database replication
For database replication, to help resolve issues before you start the update, use the Replication Link Analyzer
(RLA). For more information, see Monitor database replication.
Use RLA to answer the following questions:
Is replication per group in a good state?
Are any links degraded?
Are there any errors?
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of records, then the link is in a
bad state. Before updating the site, solve the replication issue. If you need further assistance, contact Microsoft
Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving sites. If there are lots of
stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review the despooler log.
Install all applicable critical Windows updates
Before you install an update for Configuration Manager, install any critical OS updates for each applicable site
system. These servers include the site server, site database server, and remote site system roles. If an update that
you install requires a restart, restart the applicable servers before you start the upgrade.
Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database replica for management
points enabled. Before you install an update for Configuration Manager, disable database replication.
For more information, see Database replicas for management points.
Set SQL Server Always On availability groups to manual failover
If you use an availability group, make sure that the availability group is set to manual failover before you start
the update installation. After the site has updated, you can restore failover to be automatic. For more
information, see Prepare to use an availability group.
Disable site maintenance tasks at each site
Before you install the update, disable any site maintenance task that might run during the time the update
process is active. For example, but not limited to:
Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data
When a site database maintenance task runs during the update installation, the update installation can fail.
Before you disable a task, record the schedule of the task so you can restore its configuration after the update
has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
Temporarily stop any antivirus software
Before you update a site, stop antivirus software on the Configuration Manager servers. The antivirus software
can lock some files that need to be updated, which causes the update to fail.
Create a backup of the site database
Before you update a site, back up the site database at the CAS and primary sites. This backup makes sure you
have a successful backup to use for disaster recovery.
For more information, see Backup and recovery.
Back up customized files
If you or a third-party product customizes any Configuration Manager configuration files, save a copy of your
customizations.
For example, you add custom entries to the osdinjection.xml file in the bin\X64 folder of your Configuration
Manager installation directory. After you update Configuration Manager, these customizations don't persist.
Reapply your customizations.
Plan for client piloting
When you install a site update that also updates the client, test that new client update in pre-production before
you update all production clients. To use this option, configure your site to support automatic upgrades for
pre-production before beginning installation of the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-production collection.

NOTE
When you update to version 2107 or later, clients with PKI certificates will recreate self-signed certificates, but don't
reregister with the site. Clients without a PKI certificate will reregister with the site, which can cause extra processing at
the site. Make sure that your process to update clients allows for randomization. If you simultaneously update lots of
clients, it may cause a backlog on the site server.

Plan to use service windows


To define a period during which updates to a site server can be installed, use service windows. They can help
you control when sites in your hierarchy install the update. For more information, see Service windows for site
servers.
Review supported extensions
If you extend Configuration Manager with other products from Microsoft, Microsoft partners, or third-party
vendors, confirm that those products support and are compatible with version 2107. Check with the product
vendor for this information.
Disable any custom solutions
If your site has any custom solutions based on the Configuration Manager SDK or PowerShell, disable this code
before you update the site. Make sure to test this custom code in a lab environment to make sure it's compatible
with the new version.
Read the release notes
Before you start the update, review the current release notes. With Configuration Manager, product release
notes are limited to urgent issues. These issues aren't yet fixed in the product, or detailed in a Microsoft Support
article.
Feature-specific documentation may include information about known issues that affect core scenarios.
For more information, see the Release notes.
Run the setup prerequisite checker
When the console lists the update as Available, you can run the prerequisite checker before installing the
update. (When you install the update on the site, the prerequisite checker runs again.)
To run a prerequisite check from the console, go to the Administration workspace, and select Updates and
Servicing. Select the Configuration Manager 2107 update package, and select Run prerequisite check in
the ribbon.
For more information, see the section to Run the prerequisite checker before installing an update in
Before you install an in-console update.

IMPORTANT
When the prerequisite checker runs, the process updates some product source files that are used for site maintenance
tasks. After running the prerequisite checker, but before installing the update, if you need to do a site maintenance task,
run Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site server.

Update sites
You're now ready to start the update installation for your hierarchy. For more information about installing the
update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when the process will have the
least effect on your business operations. Installing the update and its actions reinstall site components and site
system roles.
For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and configurations.
Confirm version and restart (if necessary)
Make sure each site server and site system role is updated to version 2107. In the console, add the Version
column to the Sites and Distribution Points nodes in the Administration workspace. When necessary, a site
system role automatically reinstalls to update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review your site infrastructure
and make sure that applicable site servers and remote site system servers successfully restarted. Typically, site
servers restart only when Configuration Manager installs .NET as a prerequisite for a site system role.
Confirm site-to-site replication is active
In the Configuration Manager console, go to the following locations to view the status, and make sure that
replication is active:
Monitoring workspace, Site Hierarchy node
Monitoring workspace, Database Replication node
For more information, see the following articles:
Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer
Update Configuration Manager consoles
Update all remote Configuration Manager consoles to the same version. You're prompted to update the console
when:
You open the console.
You go to a new node in the console.
Reconfigure database replicas for management points
After you update a primary site, reconfigure the database replica for management points that you uninstalled
before you updated the site. For more information, see Database replicas for management points.
Reconfigure availability groups
If you use an availability group, reset the failover configuration to automatic. For more information, see Prepare
to use an availability group.
Reconfigure any disabled maintenance tasks
If you disabled database maintenance tasks at a site before installing the update, reconfigure those tasks. Use
the same settings that were in place before the update.
Restore user state from active deployments
If you have any active user state migrations, before you update the Configuration Manager client on those
devices, restore the user state. Due to changes to the encryption algorithm in version 2103, the updated client
will fail to restore the user state when it tries to use a different encryption algorithm.
Update clients
Update clients per the plan you created, especially if you configured client piloting before installing the update.
For more information, see How to upgrade clients for Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that supports and is compatible
with Configuration Manager version 2107.
Enable any custom solutions
Enable any custom solutions based on the Configuration Manager SDK or PowerShell that you've already tested
in a lab environment with version 2107.
Update boot images and media
Use the Update Distribution Points action for any boot image that you use, whether it's a default or custom
boot image. This action makes sure that clients can use the latest version. Even if there isn't a new version of the
Windows ADK, the Configuration Manager client components may change with an update. If you don't update
boot images and media, task sequence deployments may fail on devices.
When you update the site, Configuration Manager automatically updates the default boot images. It doesn't
automatically distribute the updated content to distribution points. Use the Update Distribution Points action
on specific boot images when you're ready to distribute this content across your network.

NOTE
The site always uses the production version of the Configuration Manager client in default boot images. Even if you
configure automatic client upgrades to use a pre-production collection, that feature doesn't apply to boot images.

After updating the site, manually update any custom boot images. This action updates the boot image with the
latest client components if necessary, optionally reloads it with the current Windows PE version, and
redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
Update PowerShell help content
To get the latest information for the Configuration Manager PowerShell module, use the Update-Help cmdlet.
Run this cmdlet on all computers with the Configuration Manager console. This help content is the same as
what's published on docs.microsoft.com for the ConfigurationManager module.
For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a new current branch
release. You can use RSS to be notified when this page is updated. For more information, see How to use the
docs.
Checklist for installing update 2103 for
Configuration Manager
2/16/2022 • 14 minutes to read

Applies to: Configuration Manager (current branch)


When you use the current branch of Configuration Manager, you can install the in-console update for version
2103 to update your hierarchy from a previous version. Version 2103 will also be available as baseline media
soon after global availability, so you can use the installation media to install the first site of a new hierarchy.
To get the update for version 2103, you must use a service connection point at the top-level site of your
hierarchy. This site system role can be in online or offline mode. To download the update when your service
connection point is offline, use the service connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the console. In the
Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before installing version 2103,
review the following information about installing update 2103 and the checklist for configurations to
make before starting the update.
If the update displays as Downloading and doesn't change, review the hman.log and
dmpdownloader.log for errors.
The dmpdownloader.log may indicate that the dmpdownloader process is waiting for an interval
before checking for updates. To restart the download of the update's redistribution files, restart the
SMS_Executive service on the site server.
Another common download issue occurs when proxy server settings prevent downloads from
required internet endpoints.
For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.

About installing update 2103


Sites
Install update 2103 at the top-level site of your hierarchy. Start the installation from your central administration
site (CAS) or from your stand-alone primary site. After the update is installed at the top-level site, child sites
have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the installation of the update.
You can use service windows to control when a site installs the update. For more information, see Service
windows for site servers.
Manually update each secondary site from within the Configuration Manager console after the primary
parent site finishes the update installation. Automatic update of secondary site servers isn't supported.
Site system roles
When a site server installs the update, it automatically updates all of the site system roles. These roles are on the
site server or installed on remote servers. Before installing the update, make sure that each site system server
meets the current prerequisites for the new update version.
Configuration Manager consoles
The first time you use a Configuration Manager console after the update has finished, you're prompted to
update that console. You can also run the Configuration Manager setup on the computer that hosts the console,
and choose the option to update the console. Install the update to the console as soon as possible. For more
information, see Install the Configuration Manager console.

IMPORTANT
When you install an update at the CAS, be aware of the following limitations and delays that exist until all child primary
sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and pre-production clients. Additionally, you
can't promote pre-production clients to production until the last site completes the update installation. After the last
site completes the update installation, client updates begin based on your configuration choices.
New features you enable with the update aren't available. This behavior is to prevent the CAS replicating data related
to that feature to a site that hasn't yet installed support for that feature. After all primary sites install the update, the
feature is available for use.
Replication links between the CAS and child primary sites display as not upgraded. This state displays in the update
installation status as Completed with warning for monitoring replication initialization. In the Monitoring workspace of
the console, this state displays as Link is being configured.

Early update ring


As of April 19, 2021, version 2103 is globally available for all customers to install. If you previously opted in to
the early update ring, watch for an update to this current branch version.

Checklist
All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager before you can start the
installation of update 2103. To update to 2103, you must use version 1910 or later.
Review the status of your product licensing
You must have an active Software Assurance (SA) agreement or equivalent subscription rights to install this
update. When you update the site, the Licensing page presents the option to confirm your Software
Assurance expiration date.
This value is optional. You can specify it as a convenient reminder of your license expiration date. This date is
visible when you install future updates. You might have previously specified this value during setup or
installation of an update. You can also specify this value in the Configuration Manager console. In the
Administration workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
For more information, see Licensing and branches.
Review Microsoft .NET versions
When a site installs this update, if the minimum requirement of .NET Framework 4.5 isn't installed,
Configuration Manager automatically installs .NET Framework 4.5.2. When this prerequisite isn't already
installed, the site installs it on each server that hosts one of the following site system roles:
Management point
Service connection point
Enrollment proxy point
Enrollment point
This installation can put the site system server into a reboot pending state and report errors to the
Configuration Manager component status viewer. Additionally, .NET applications on the server might experience
random failures until you restart the server.
For more information, see Site and site system prerequisites.
Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be supported for Configuration
Manager version 2103. For more information, see Support for the Windows ADK. If you need to update the
Windows ADK, do so before you begin the update of Configuration Manager. This order makes sure the default
boot images are automatically updated to the latest version of Windows PE. Manually update any custom boot
images after updating the site.
If you update the site before you update the Windows ADK, see Update distribution points with the boot image.
Review SQL Server Native Client version
Install a minimum version of SQL Server 2012 Native Client, which includes support for TLS 1.2. For more
information, see the List of prerequisite checks.
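The following PowerShell script is an added example, not part of the Configuration Manager documentation. Run it on each site system server before the update to spot-check the .NET Framework, SQL Server Native Client and pending-restart prerequisites described above. The registry locations and version thresholds (.NET Framework Release value 379893 for 4.5.2; Native Client 11.0.7001.0 for TLS 1.2 support) are assumptions stated in the comments; confirm them against the List of prerequisite checks before relying on them.

```powershell
# Added example (not from the Configuration Manager docs): a local
# prerequisite spot-check to run on each site system server before the
# in-console update. Thresholds below are assumptions documented inline:
#   - .NET Framework 4.5.2 corresponds to registry Release >= 379893
#   - SQL Server 2012 Native Client with TLS 1.2 support is 11.0.7001.0 or later
$results = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# .NET Framework: the 'Release' DWORD under NDP\v4\Full identifies the installed version.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET 4.5.2 or later'] = [bool]($ndp -and $ndp.Release -ge 379893)

# SQL Server 2012 Native Client (SQLNCLI11): version string under its CurrentVersion key.
$ncli = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server Native Client 11.0\CurrentVersion' -ErrorAction SilentlyContinue
$results['SQLNCLI11 11.0.7001.0 or later'] = [bool]($ncli -and [version]$ncli.Version -ge [version]'11.0.7001.0')

# Pending reboot: any of these markers means the server should be restarted first,
# otherwise the update can leave the server in a reboot-pending state mid-install.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))
$results['No pending reboot'] = -not $pending

[PSCustomObject]$results | Format-List
```

Run it with Invoke-Command against the list of remote site system servers to get one object per server; any False row is something to resolve before you start the update, because the in-console prerequisite checker will otherwise stop on it or install .NET and force a restart for you.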
Review the site and hierarchy status for unresolved issues
A site update can fail because of existing operational problems. Before you update a site, resolve all operational
issues for the following systems:
The site server
The site database server
Remote site system roles on other servers
For more information, see Use the status system.
Review file and data replication between sites
Make sure that file and database replication between sites is operational and current. Delays or backlogs in
either can prevent a successful update.
Database replication
For database replication, to help resolve issues before you start the update, use the Replication Link Analyzer
(RLA). For more information, see Monitor database replication.
Use RLA to answer the following questions:
Is replication per group in a good state?
Are any links degraded?
Are there any errors?
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of records, then the link is in a
bad state. Before updating the site, solve the replication issue. If you need further assistance, contact Microsoft
Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving sites. If there are lots of
stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despooler.log.
Install all applicable critical Windows updates
Before you install an update for Configuration Manager, install any critical OS updates for each applicable site
system. These servers include the site server, site database server, and remote site system roles. If an update that
you install requires a restart, restart the applicable servers before you start the upgrade.
Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database replica for management
points enabled. Before you install an update for Configuration Manager, disable database replication.
For more information, see Database replicas for management points.
Set SQL Server Always On availability groups to manual failover
If you use an availability group, make sure that the availability group is set to manual failover before you start
the update installation. After the site has updated, you can restore failover to be automatic. For more
information, see Prepare to use an availability group.
Disable site maintenance tasks at each site
Before you install the update, disable any site maintenance task that might run during the time the update
process is active. For example, but not limited to:
Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data
When a site database maintenance task runs during the update installation, the update installation can fail.
Before you disable a task, record the schedule of the task so you can restore its configuration after the update
has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
Temporarily stop any antivirus software
Before you update a site, stop antivirus software on the Configuration Manager servers. The antivirus software
can lock some files that need to be updated, which causes the update to fail. Restart the antivirus software as
soon as the update completes.
Create a backup of the site database
Before you update a site, back up the site database at the CAS and primary sites. This backup makes sure you
have a successful backup to use for disaster recovery.
For more information, see Backup and recovery.
Back up customized files
If you or a third-party product customizes any Configuration Manager configuration files, save a copy of your
customizations.
For example, you might add custom entries to the osdinjection.xml file in the bin\X64 folder of your Configuration
Manager installation directory. After you update Configuration Manager, these customizations don't persist, so
reapply them after the update.
Plan for client piloting
When you install a site update that also updates the client, test that new client update in pre-production before
you update all production clients. To use this option, configure your site to support automatic upgrades for pre-
production before beginning installation of the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-production collection.
Plan to use service windows
To define a period during which updates to a site server can be installed, use service windows. They can help
you control when sites in your hierarchy install the update. For more information, see Service windows for site
servers.
Review supported extensions
If you extend Configuration Manager with other products from Microsoft, Microsoft partners, or third-party
vendors, confirm that those products support and are compatible with version 2103. Check with the product
vendor for this information.
Disable any custom solutions
If your site has any custom solutions based on the Configuration Manager SDK or PowerShell, disable this code
before you update the site. Make sure to test this custom code in a lab environment to make sure it's compatible
with the new version.
Read the release notes
Before you start the update, review the current release notes. With Configuration Manager, product release
notes are limited to urgent issues. These issues aren't yet fixed in the product, or detailed in a Microsoft Support
article.
Feature-specific documentation may include information about known issues that affect core scenarios.
For more information, see the Release notes.
Run the setup prerequisite checker
When the console lists the update as Available, you can run the prerequisite checker before installing the
update. (When you install the update on the site, prerequisite checker runs again.)
To run a prerequisite check from the console, go to the Administration workspace, and select Updates and
Servicing. Select the Configuration Manager 2103 update package, and select Run prerequisite check in
the ribbon.
For more information, see the section to Run the prerequisite checker before installing an update in
Before you install an in-console update.

IMPORTANT
When the prerequisite checker runs, the process updates some product source files that are used for site maintenance
tasks. After running the prerequisite checker, but before installing the update, if you need to do a site maintenance task,
run Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site server.

Update sites
You're now ready to start the update installation for your hierarchy. For more information about installing the
update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when the process will have the
least effect on your business operations. Installing the update and its actions reinstall site components and site
system roles.
For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and configurations.
Confirm version and restart (if necessary)
Make sure each site server and site system role is updated to version 2103. In the console, add the Version
column to the Sites and Distribution Points nodes in the Administration workspace. When necessary, a site
system role automatically reinstalls to update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review your site infrastructure
and make sure that applicable site servers and remote site system servers successfully restarted. Typically, site
servers restart only when Configuration Manager installs .NET as a prerequisite for a site system role.
Confirm site-to-site replication is active
In the Configuration Manager console, go to the following locations to view the status, and make sure that
replication is active:
Monitoring workspace, Site Hierarchy node
Monitoring workspace, Database Replication node
For more information, see the following articles:
Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer
Update Configuration Manager consoles
Update all remote Configuration Manager consoles to the same version. You're prompted to update the console
when:
You open the console.
You go to a new node in the console.
Reconfigure database replicas for management points
After you update a primary site, reconfigure the database replica for management points that you uninstalled
before you updated the site. For more information, see Database replicas for management points.
Reconfigure availability groups
If you use an availability group, reset the failover configuration to automatic. For more information, see Prepare
to use an availability group.
Reconfigure any disabled maintenance tasks
If you disabled database maintenance tasks at a site before installing the update, reconfigure those tasks. Use
the same settings that were in place before the update.
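The following PowerShell script is an added example, not part of the Configuration Manager documentation. It implements both halves of the maintenance-task guidance: the pre-update step under "Disable site maintenance tasks at each site" that records each task's schedule and disables it, and this post-update step that re-enables only what was enabled before. The site code PS1 and the state file path are placeholders, and it assumes it runs on a computer with the console installed, which sets SMS_ADMIN_UI_PATH for the ConfigurationManager module.

```powershell
# Added example (not from the Configuration Manager docs): record, disable and
# later restore site maintenance tasks with the ConfigurationManager module.
# Assumptions: runs where SMS_ADMIN_UI_PATH is set (console installed); the
# site code 'PS1' and the export path are placeholders.
param(
    [ValidateSet('Disable', 'Restore')] [string] $Mode = 'Disable',
    [string] $SiteCode = 'PS1',
    [string] $StateFile = 'C:\Temp\MaintenanceTasks-PS1.xml'
)
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

if ($Mode -eq 'Disable') {
    $tasks = Get-CMSiteMaintenanceTask -SiteCode $SiteCode
    # Save the task state first so the original schedule is on disk before
    # anything changes. Disabling does not alter the schedule fields, but the
    # record lets you prove what was enabled before the update.
    $tasks | Select-Object TaskName, Enabled, BeginTime, LatestBeginTime, DaysOfWeek, DeleteOlderThan |
        Export-Clixml -Path $StateFile
    foreach ($t in $tasks | Where-Object Enabled) {
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t.TaskName -Enabled $false
        Write-Host "Disabled: $($t.TaskName)"
    }
}
else {
    foreach ($saved in Import-Clixml -Path $StateFile) {
        # Re-enable only what was enabled before; leave deliberately disabled tasks alone.
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $saved.TaskName `
            -Enabled ([bool]$saved.Enabled)
    }
    Get-CMSiteMaintenanceTask -SiteCode $SiteCode | Select-Object TaskName, Enabled | Format-Table -AutoSize
}
```

Run it once per site with -Mode Disable before the update and -Mode Restore afterwards. Keep the exported state file with your change record; if a task turns out to have been disabled for a reason unrelated to the update, the file shows that it was already off.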
Update clients
Update clients per the plan you created, especially if you configured client piloting before installing the update.
For more information, see How to upgrade clients for Windows computers.
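As an added example that is not part of the original article, the following PowerShell serves both the "Confirm version and restart" and "Update clients" steps: it lists every site's version so you can see whether any site lags, and summarizes which client versions devices report compared with the build the site now runs. The site code PS1 is a placeholder, and the script assumes the ConfigurationManager module from an installed console.

```powershell
# Added example (not from the Configuration Manager docs): post-update
# version checks for sites and clients. Assumptions: a computer with the
# console installed (SMS_ADMIN_UI_PATH is set) and a placeholder site code PS1.
param([string] $SiteCode = 'PS1')
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Sites: after the update, every site in the hierarchy should show the same version.
$sites = Get-CMSite
$sites | Select-Object SiteCode, SiteName, Type, Version | Format-Table -AutoSize
if (($sites | Group-Object Version).Count -gt 1) {
    Write-Warning 'Sites report different versions; child sites may still be updating.'
}

# 2. Clients: group devices by the client version they last reported and flag
#    versions whose build number is older than the site's current build.
$siteBuild = ([version]($sites | Where-Object SiteCode -eq $SiteCode).Version).Build
Get-CMDevice -CollectionName 'All Systems' |
    Where-Object { $_.IsClient -and $_.ClientVersion } |
    Group-Object ClientVersion |
    Select-Object @{ n = 'ClientVersion'; e = { $_.Name } },
                  Count,
                  @{ n = 'OlderThanSite'; e = { ([version]$_.Name).Build -lt $siteBuild } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The client summary reflects what devices have reported through heartbeat and hardware inventory, so a device that has not checked in since the update still shows its old version; treat the OlderThanSite count as a trend to watch during the pilot, not as a live count.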
Third-party extensions
If you use any extensions to Configuration Manager, update them to a version that supports and is compatible
with Configuration Manager version 2103.
Enable any custom solutions
Enable any custom solutions based on the Configuration Manager SDK or PowerShell that you've already tested
in a lab environment with version 2103.
Update boot images and media
Use the Update Distribution Points action for any boot image that you use, whether it's a default or custom
boot image. This action makes sure that clients can use the latest version. Even if there isn't a new version of the
Windows ADK, the Configuration Manager client components may change with an update. If you don't update
boot images and media, task sequence deployments may fail on devices.
When you update the site, Configuration Manager automatically updates the default boot images. It doesn't
automatically distribute the updated content to distribution points. Use the Update Distribution Points action
on specific boot images when you're ready to distribute this content across your network.
NOTE
The site always uses the production version of the Configuration Manager client in default boot images. Even if you
configure automatic client upgrades to use a pre-production collection, that feature doesn't apply to boot images.

After updating the site, manually update any custom boot images. This action updates the boot image with the
latest client components if necessary, optionally reloads it with the current Windows PE version, and
redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
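As an added example that is not part of the original article, the following PowerShell performs the Update Distribution Points action, with a Windows PE reload, for every boot image at the site, which is the manual step described above for custom boot images. The site code PS1 is a placeholder, and the script assumes the ConfigurationManager module from an installed console.

```powershell
# Added example (not from the Configuration Manager docs): run the Update
# Distribution Points action, with a Windows PE reload, for every boot image.
# Assumptions: console installed (SMS_ADMIN_UI_PATH set); site code PS1 is a placeholder.
param([string] $SiteCode = 'PS1')
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

foreach ($image in Get-CMBootImage) {
    Write-Host "Updating '$($image.Name)' ($($image.PackageID)) ..."
    # -ReloadBootImage rebuilds the image from the currently installed Windows ADK
    # and injects the current client components before redistributing it.
    Update-CMDistributionPoint -BootImageId $image.PackageID -ReloadBootImage
}

# Confirm the Windows PE version and refresh time each image now reports; track
# distribution progress under Monitoring > Distribution Status > Content Status.
Get-CMBootImage | Select-Object Name, PackageID, ImageOSVersion, LastRefreshTime | Format-Table -AutoSize
```

Reloading rebuilds each image from the ADK on the site server, so run the ADK update first if one is needed; otherwise the reload reinjects client components into the same Windows PE version.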
Update PowerShell help content
To get the latest information for the Configuration Manager PowerShell module, use the Update-Help cmdlet.
Run this cmdlet on all computers with the Configuration Manager console. This help content is the same as
what's published on docs.microsoft.com for the ConfigurationManager module.
For more information, see Configuration Manager PowerShell cmdlets: Update help.

Next steps
Review the release notes. This article can be updated regularly, especially right after a new current branch
release. You can use RSS to be notified when this page is updated. For more information, see How to use the
docs.
Checklist for installing update 2010 for
Configuration Manager
2/16/2022 • 12 minutes to read

Applies to: Configuration Manager (current branch)


When you use the current branch of Configuration Manager, you can install the in-console update for version
2010 to update your hierarchy from a previous version.
To get the update for version 2010, you must use a service connection point at the top-level site of your
hierarchy. This site system role can be in online or offline mode. To download the update when your service
connection point is offline, use the service connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the console. In the
Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before installing version 2010,
review the following information about installing update 2010 and the checklist for configurations to
make before starting the update.
If the update displays as Downloading and doesn't change, review the hman.log and
dmpdownloader.log for errors.
The dmpdownloader.log may indicate that the dmpdownloader process is waiting for an interval
before checking for updates. To restart the download of the update's redistribution files, restart the
SMS_Executive service on the site server.
Another common download issue occurs when proxy server settings prevent downloads from
silverlight.dlservice.microsoft.com, download.microsoft.com, and go.microsoft.com.

For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.

About installing update 2010


Sites
Install update 2010 at the top-level site of your hierarchy. Start the installation from your central administration
site (CAS) or from your stand-alone primary site. After the update is installed at the top-level site, child sites
have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the installation of the update.
You can use service windows to control when a site installs the update. For more information, see Service
windows for site servers.
Manually update each secondary site from within the Configuration Manager console after the primary
parent site finishes the update installation. Automatic update of secondary site servers isn't supported.
Site system roles
When a site server installs the update, it automatically updates all of the site system roles. These roles are on the
site server or installed on remote servers. Before installing the update, make sure that each site system server
meets the current prerequisites for the new update version.
Configuration Manager consoles
The first time you use a Configuration Manager console after the update has finished, you're prompted to
update that console. You can also run the Configuration Manager setup on the computer that hosts the console,
and choose the option to update the console. Install the update to the console as soon as possible. For more
information, see Install the Configuration Manager console.

IMPORTANT
When you install an update at the CAS, be aware of the following limitations and delays that exist until all child primary
sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and pre-production clients. Additionally, you
can't promote pre-production clients to production until the last site completes the update installation. After the last
site completes the update installation, client updates begin based on your configuration choices.
New features you enable with the update aren't available. This behavior is to prevent the CAS replicating data related
to that feature to a site that hasn't yet installed support for that feature. After all primary sites install the update, the
feature is available for use.
Replication links between the CAS and child primary sites display as not upgraded. This state displays in the update
installation status as Completed with warning for monitoring replication initialization. In the Monitoring workspace of
the console, this state displays as Link is being configured.

Early update ring


As of December 11, 2020, version 2010 is globally available for all customers to install. If you previously opted
in to the early update ring, watch for an update to this current branch version.

Checklist
All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager before you can start the
installation of update 2010. To update to 2010, you must use version 1906 or later.
Review the status of your product licensing
You must have an active Software Assurance (SA) agreement or equivalent subscription rights to install this
update. When you update the site, the Licensing page presents the option to confirm your Software
Assurance expiration date.
This value is optional. You can specify it as a convenient reminder of your license expiration date. This date is
visible when you install future updates. You might have previously specified this value during setup or
installation of an update. You can also specify this value in the Configuration Manager console. In the
Administration workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
For more information, see Licensing and branches.
Review Microsoft .NET versions
When a site installs this update, if the minimum requirement of .NET Framework 4.5 isn't installed,
Configuration Manager automatically installs .NET Framework 4.5.2. When this prerequisite isn't already
installed, the site installs it on each server that hosts one of the following site system roles:
Management point
Service connection point
Enrollment proxy point
Enrollment point
This installation can put the site system server into a reboot pending state and report errors to the
Configuration Manager component status viewer. Additionally, .NET applications on the server might experience
random failures until you restart the server.
For more information, see Site and site system prerequisites.
Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be supported for Configuration
Manager version 2010. For more information, see Support for the Windows ADK. If you need to update the
Windows ADK, do so before you begin the update of Configuration Manager. This order makes sure the default
boot images are automatically updated to the latest version of Windows PE. Manually update any custom boot
images after updating the site.
If you update the site before you update the Windows ADK, see Update distribution points with the boot image.
Review SQL Server Native Client version
Install a minimum version of SQL Server 2012 Native Client, which includes support for TLS 1.2. For more
information, see the List of prerequisite checks.
Review the site and hierarchy status for unresolved issues
A site update can fail because of existing operational problems. Before you update a site, resolve all operational
issues for the following systems:
The site server
The site database server
Remote site system roles on other servers
For more information, see Use the status system.
Review file and data replication between sites
Make sure that file and database replication between sites is operational and current. Delays or backlogs in
either can prevent a successful update.
Database replication
For database replication, to help resolve issues before you start the update, use the Replication Link Analyzer
(RLA). For more information, see Monitor database replication.
Use RLA to answer the following questions:
Is replication per group in a good state?
Are any links degraded?
Are there any errors?
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of records, then the link is in a
bad state. Before updating the site, solve the replication issue. If you need further assistance, contact Microsoft
Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving sites. If there are lots of
stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review despooler.log.
Install all applicable critical Windows updates
Before you install an update for Configuration Manager, install any critical OS updates for each applicable site
system. These servers include the site server, site database server, and remote site system roles. If an update that
you install requires a restart, restart the applicable servers before you start the upgrade.
Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database replica for management
points enabled. Before you install an update for Configuration Manager, disable database replication.
For more information, see Database replicas for management points.
Set SQL Server Always On availability groups to manual failover
If you use an availability group, make sure that the availability group is set to manual failover before you start
the update installation. After the site has updated, you can restore failover to be automatic. For more
information, see Prepare to use an availability group.
Disable site maintenance tasks at each site
Before you install the update, disable any site maintenance task that might run during the time the update
process is active. For example, but not limited to:
Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data
When a site database maintenance task runs during the update installation, the update installation can fail.
Before you disable a task, record the schedule of the task so you can restore its configuration after the update
has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
Temporarily stop any antivirus software
Before you update a site, stop antivirus software on the Configuration Manager servers. The antivirus software
can lock some files that need to be updated, which causes the update to fail. Restart the antivirus software as
soon as the update completes.
Create a backup of the site database
Before you update a site, back up the site database at the CAS and primary sites. This backup makes sure you
have a successful backup to use for disaster recovery.
For more information, see Backup and recovery.
Back up customized files
If you or a third-party product customizes any Configuration Manager configuration files, save a copy of your
customizations.
For example, you might add custom entries to the osdinjection.xml file in the bin\X64 folder of your Configuration
Manager installation directory. After you update Configuration Manager, these customizations don't persist. You
need to reapply your customizations.
Plan for client piloting
When you install a site update that also updates the client, test that new client update in pre-production before
you update all production clients. To use this option, configure your site to support automatic upgrades for pre-
production before beginning installation of the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-production collection.
Plan to use service windows
To define a period during which updates to a site server can be installed, use service windows. They can help
you control when sites in your hierarchy install the update. For more information, see Service windows for site
servers.
Review supported extensions
If you extend Configuration Manager with other products from Microsoft or Microsoft partners, confirm that
those products support version 2010. Check with the product vendor for this information. For example, see the
Microsoft Deployment Toolkit release notes.
Remove Intune subscription (hybrid MDM)
The hybrid MDM service offering is retired as of September 1, 2019. If your Configuration Manager site had a
Microsoft Intune subscription, you need to remove it. For more information, see Remove hybrid MDM.
Run the setup prerequisite checker
When the console lists the update as Available, you can run the prerequisite checker before installing the
update. (When you install the update on the site, prerequisite checker runs again.)
To run a prerequisite check from the console, go to the Administration workspace, and select Updates and
Servicing. Select the Configuration Manager 2010 update package, and select Run prerequisite check in
the ribbon.
For more information, see the section to Run the prerequisite checker before installing an update in
Before you install an in-console update.

IMPORTANT
When the prerequisite checker runs, the process updates some product source files that are used for site maintenance
tasks. Therefore, after running the prerequisite checker but before installing the update, if you need to perform a site
maintenance task, run Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site server.

Update sites
You're now ready to start the update installation for your hierarchy. For more information about installing the
update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when the process will have the
least effect on your business operations. Installing the update and its actions reinstall site components and site
system roles.
For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and configurations.
Confirm version and restart (if necessary)
Make sure each site server and site system role is updated to version 2010. In the console, add the Version
column to the Sites and Distribution Points nodes in the Administration workspace. When necessary, a site
system role automatically reinstalls to update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review your site infrastructure
and make sure that applicable site servers and remote site system servers successfully restarted. Typically, site
servers restart only when Configuration Manager installs .NET as a prerequisite for a site system role.
Confirm site-to-site replication is active
In the Configuration Manager console, go to the following locations to view the status, and make sure that
replication is active:
Monitoring workspace, Site Hierarchy node
Monitoring workspace, Database Replication node
For more information, see the following articles:
Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer
Update Configuration Manager consoles
Update all remote Configuration Manager consoles to the same version. You're prompted to update the console
when:
You open the console.
You go to a new node in the console.
Reconfigure database replicas for management points
After you update a primary site, reconfigure the database replica for management points that you uninstalled
before you updated the site. For more information, see Database replicas for management points.
Reconfigure availability groups
If you use an availability group, reset the failover configuration to automatic. For more information, see Prepare
to use an availability group.
Reconfigure any disabled maintenance tasks
If you disabled database maintenance tasks at a site before installing the update, reconfigure those tasks. Use
the same settings that were in place before the update.
Update clients
Update clients per the plan you created, especially if you configured client piloting before installing the update.
For more information, see How to upgrade clients for Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to the latest version to support Configuration
Manager version 2010.
Update custom boot images and media
Use the Update Distribution Points action for any boot image that you use, whether it's a default or custom
boot image. This action makes sure that clients can use the latest version. Even if there isn't a new version of the
Windows ADK, the Configuration Manager client components may change with an update. If you don't update
boot images and media, task sequence deployments may fail on devices.
When you update the site, Configuration Manager automatically updates the default boot images. It doesn't
automatically distribute the updated content to distribution points. Use the Update Distribution Points action
on specific boot images when you're ready to distribute this content across your network.
After updating the site, manually update any custom boot images. This action updates the boot image with the
latest client components if necessary, optionally reloads it with the current Windows PE version, and
redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
Checklist for installing update 2006 for
Configuration Manager
2/16/2022 • 12 minutes to read

Applies to: Configuration Manager (current branch)


When you use the current branch of Configuration Manager, you can install the in-console update for version
2006 to update your hierarchy from a previous version.
To get the update for version 2006, you must use a service connection point at the top-level site of your
hierarchy. This site system role can be in online or offline mode. To download the update when your service
connection point is offline, use the service connection tool.
After your hierarchy downloads the update package from Microsoft, find it in the console. In the
Administration workspace, select the Updates and Servicing node.
When the update is listed as Available, the update is ready to install. Before installing version 2006,
review the following information about installing update 2006 and the checklist for configurations to
make before starting the update.
If the update displays as Downloading and doesn't change, review the hman.log and
dmpdownloader.log for errors.
The dmpdownloader.log may indicate that the dmpdownloader process is waiting for an interval
before checking for updates. To restart the download of the update's redistribution files, restart the
SMS_Executive service on the site server.
Another common download issue occurs when proxy server settings prevent downloads from
silverlight.dlservice.microsoft.com , download.microsoft.com , and go.microsoft.com .

For more information about installing updates, see In-console updates and servicing.
For more information about current branch versions, see Baseline and update versions.

About installing update 2006


Sites
Install update 2006 at the top-level site of your hierarchy. Start the installation from your central administration
site (CAS) or from your stand-alone primary site. After the update is installed at the top-level site, child sites
have the following update behavior:
Child primary sites install the update automatically after the CAS finishes the installation of the update.
You can use service windows to control when a site installs the update. For more information, see Service
windows for site servers.
Manually update each secondary site from within the Configuration Manager console after the primary
parent site finishes the update installation. Automatic update of secondary site servers isn't supported.
Site system roles
When a site server installs the update, it automatically updates all of the site system roles. These roles are on the
site server or installed on remote servers. Before installing the update, make sure that each site system server
meets the current prerequisites for the new update version.
Configuration Manager consoles
The first time you use a Configuration Manager console after the update has finished, you're prompted to
update that console. You can also run the Configuration Manager setup on the computer that hosts the console,
and choose the option to update the console. Install the update to the console as soon as possible. For more
information, see Install the Configuration Manager console.

IMPORTANT
When you install an update at the CAS, be aware of the following limitations and delays that exist until all child primary
sites also complete the update installation:
Client upgrades don't start. This includes automatic updates of clients and pre-production clients. Additionally, you
can't promote pre-production clients to production until the last site completes the update installation. After the last
site completes the update installation, client updates begin based on your configuration choices.
New features you enable with the update aren't available. This behavior is to prevent the CAS replicating data related
to that feature to a site that hasn't yet installed support for that feature. After all primary sites install the update, the
feature is available for use.
Replication links between the CAS and child primary sites display as not upgraded. This state displays in the update
installation status as Completed with warning for monitoring replication initialization. In the Monitoring workspace of
the console, this state displays as Link is being configured.

Early update ring


As of August 31, 2020, version 2006 is globally available for all customers to install. If you previously opted in to
the early update ring, watch for an update to this current branch version.

Checklist
All sites run a supported version of Configuration Manager
Each site server in the hierarchy must run the same version of Configuration Manager before you can start the
installation of update 2006. To update to 2006, you must use version 1810 or later.
Review the status of your product licensing
You must have an active Software Assurance (SA) agreement or equivalent subscription rights to install this
update. When you update the site, the Licensing page presents the option to confirm your Software
Assurance expiration date.
This value is optional. You can specify it as a convenient reminder of your license expiration date. This date is
visible when you install future updates. You might have previously specified this value during setup or
installation of an update. You can also specify this value in the Configuration Manager console. In the
Administration workspace, expand Site Configuration, and select Sites. Select Hierarchy Settings in the
ribbon, and switch to the Licensing tab.
For more information, see Licensing and branches.
Review Microsoft .NET versions
When a site installs this update, if the minimum requirement of .NET Framework 4.5 isn't installed,
Configuration Manager automatically installs .NET Framework 4.5.2. When this prerequisite isn't already
installed, the site installs it on each server that hosts one of the following site system roles:
Management point
Service connection point
Enrollment proxy point
Enrollment point
This installation can put the site system server into a reboot pending state and report errors to the
Configuration Manager component status viewer. Additionally, .NET applications on the server might experience
random failures until you restart the server.
For more information, see Site and site system prerequisites.
Review the version of the Windows ADK
The version of the Windows Assessment and Deployment Kit (ADK) should be supported for Configuration
Manager version 2006. For more information, see Support for the Windows ADK. If you need to update the
Windows ADK, do so before you begin the update of Configuration Manager. This order makes sure the default
boot images are automatically updated to the latest version of Windows PE. Manually update any custom boot
images after updating the site.
If you update the site before you update the Windows ADK, see Update distribution points with the boot image.
Review SQL Server Native Client version
Install a minimum version of SQL Server 2012 Native Client, which includes support for TLS 1.2. For more
information, see the List of prerequisite checks.
Review the site and hierarchy status for unresolved issues
A site update can fail because of existing operational problems. Before you update a site, resolve all operational
issues for the following systems:
The site server
The site database server
Remote site system roles on other servers
For more information, see Use the status system.
Review file and data replication between sites
Make sure that file and database replication between sites is operational and current. Delays or backlogs in
either can prevent a successful update.
Database replication
For database replication, to help resolve issues before you start the update, use the Replication Link Analyzer
(RLA). For more information, see Monitor database replication.
Use RLA to answer the following questions:
Is replication per group in a good state?
Are any links degraded?
Are there any errors?
If there's a backlog, wait until it clears out. If the backlog is large, such as millions of records, then the link is in a
bad state. Before updating the site, solve the replication issue. If you need further assistance, contact Microsoft
Support.
File-based replication
For file-based replication, check all inboxes for a backlog on both sending and receiving sites. If there are lots of
stuck or pending replication jobs, wait until they clear out.
On the sending site, review sender.log.
On the receiving site, review the despooler log.
Install all applicable critical Windows updates
Before you install an update for Configuration Manager, install any critical OS updates for each applicable site
system. These servers include the site server, site database server, and remote site system roles. If an update that
you install requires a restart, restart the applicable servers before you start the upgrade.
Disable database replicas for management points at primary sites
Configuration Manager can't successfully update a primary site that has a database replica for management
points enabled. Before you install an update for Configuration Manager, disable database replication.
For more information, see Database replicas for management points.
Set SQL Server Always On availability groups to manual failover
If you use an availability group, make sure that the availability group is set to manual failover before you start
the update installation. After the site has updated, you can restore failover to be automatic. For more
information, see Prepare to use an availability group.
Disable site maintenance tasks at each site
Before you install the update, disable any site maintenance task that might run during the time the update
process is active. For example, but not limited to:
Backup Site Server
Delete Aged Client Operations
Delete Aged Discovery Data
When a site database maintenance task runs during the update installation, the update installation can fail.
Before you disable a task, record the schedule of the task so you can restore its configuration after the update
has been installed.
For more information, see Maintenance tasks and Reference for maintenance tasks.
Temporarily stop any antivirus software
Before you update a site, stop antivirus software on the Configuration Manager servers. The antivirus software
can lock some files that need to be updated, which causes the update to fail.
Create a backup of the site database
Before you update a site, back up the site database at the CAS and primary sites. This backup makes sure you
have a successful backup to use for disaster recovery.
For more information, see Backup and recovery.
Back up customized files
If you or a third-party product customizes any Configuration Manager configuration files, save a copy of your
customizations.
For example, you add custom entries to the osdinjection.xml file in the bin\X64 folder of your Configuration
Manager installation directory. After you update Configuration Manager, these customizations don't persist. You
need to reapply your customizations.
Plan for client piloting
When you install a site update that also updates the client, test that new client update in pre-production before
you update all production clients. To use this option, configure your site to support automatic upgrades for pre-
production before beginning installation of the update.
For more information, see Upgrade clients and How to test client upgrades in a pre-production collection.
Plan to use service windows
To define a period during which updates to a site server can be installed, use service windows. They can help
you control when sites in your hierarchy install the update. For more information, see Service windows for site
servers.
Review supported extensions
If you extend Configuration Manager with other products from Microsoft or Microsoft partners, confirm that
those products support version 2006. Check with the product vendor for this information. For example, see the
Microsoft Deployment Toolkit release notes.
Remove Intune subscription (hybrid MDM)
The hybrid MDM service offering is retired as of September 1, 2019. If your Configuration Manager site had a
Microsoft Intune subscription, you need to remove it. For more information, see Remove hybrid MDM.
Run the setup prerequisite checker
When the console lists the update as Available, you can run the prerequisite checker before installing the
update. (When you install the update on the site, prerequisite checker runs again.)
To run a prerequisite check from the console, go to the Administration workspace, and select Updates and
Servicing. Select the Configuration Manager 2006 update package, and select Run prerequisite check in
the ribbon.
For more information, see the section to Run the prerequisite checker before installing an update in
Before you install an in-console update.

IMPORTANT
When the prerequisite checker runs, the process updates some product source files that are used for site maintenance
tasks. Therefore, after running the prerequisite checker but before installing the update, if you need to perform a site
maintenance task, run Setupwpf.exe (Configuration Manager Setup) from the CD.Latest folder on the site server.

Update sites
You're now ready to start the update installation for your hierarchy. For more information about installing the
update, see Install in-console updates.
You may plan to install the update outside of normal business hours. Determine when the process will have the
least effect on your business operations. Installing the update and its actions reinstall site components and site
system roles.
For more information, see Updates for Configuration Manager.

Post-update checklist
After the site updates, use the following checklist to complete common tasks and configurations.
Confirm version and restart (if necessary)
Make sure each site server and site system role is updated to version 2006. In the console, add the Version
column to the Sites and Distribution Points nodes in the Administration workspace. When necessary, a site
system role automatically reinstalls to update to the new version.
Consider restarting remote site systems that don't successfully update at first. Review your site infrastructure
and make sure that applicable site servers and remote site system servers successfully restarted. Typically, site
servers restart only when Configuration Manager installs .NET as a prerequisite for a site system role.
Confirm site-to-site replication is active
In the Configuration Manager console, go to the following locations to view the status, and make sure that
replication is active:
Monitoring workspace, Site Hierarchy node
Monitoring workspace, Database Replication node
For more information, see the following articles:
Monitor hierarchy and replication infrastructure
About the Replication Link Analyzer
Update Configuration Manager consoles
Update all remote Configuration Manager consoles to the same version. You're prompted to update the console
when:
You open the console.
You go to a new node in the console.
Reconfigure database replicas for management points
After you update a primary site, reconfigure the database replica for management points that you uninstalled
before you updated the site. For more information, see Database replicas for management points.
Reconfigure availability groups
If you use an availability group, reset the failover configuration to automatic. For more information, see Prepare
to use an availability group.
Reconfigure any disabled maintenance tasks
If you disabled database maintenance tasks at a site before installing the update, reconfigure those tasks. Use
the same settings that were in place before the update.
Update clients
Update clients per the plan you created, especially if you configured client piloting before installing the update.
For more information, see How to upgrade clients for Windows computers.
Third-party extensions
If you use any extensions to Configuration Manager, update them to the latest version to support Configuration
Manager version 2006.
Update custom boot images and media
Use the Update Distribution Points action for any boot image that you use, whether it's a default or custom
boot image. This action makes sure that clients can use the latest version. Even if there isn't a new version of the
Windows ADK, the Configuration Manager client components may change with an update. If you don't update
boot images and media, task sequence deployments may fail on devices.
When you update the site, Configuration Manager automatically updates the default boot images. It doesn't
automatically distribute the updated content to distribution points. Use the Update Distribution Points action
on specific boot images when you're ready to distribute this content across your network.
After updating the site, manually update any custom boot images. This action updates the boot image with the
latest client components if necessary, optionally reloads it with the current Windows PE version, and
redistributes the content to the distribution points.
For more information, see Update distribution points with the boot image.
Support for Configuration Manager current branch
versions
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Microsoft plans to release updates for Configuration Manager current branch a few times per year. Each update
version remains in support for 18 months from its general availability release date. Microsoft provides technical
support for the entire period of support. There are two distinct servicing phases that depend on the availability
of the latest current branch version:
Security and Critical Updates servicing phase - When running the latest current branch version of
Configuration Manager, you receive both Security and Critical Updates.
Security Updates (Only) servicing phase - After the release of a new current branch version, Microsoft
only supports security updates to older versions for the remainder of that version's support lifecycle
(shown in Figure 1).

Figure 1. Example of the release cycle overlap for current branch servicing support. This example is for
illustration of the cycle, and doesn't represent actual or expected release dates.

NOTE
The latest current branch version is always in the Security and Critical Updates servicing phase. This support
statement means that if you encounter a code defect that warrants a critical update, you must have the latest current
branch version installed in order to receive a fix. All other supported current branch versions are eligible to receive only
security updates.
All support ends after the 18-month lifecycle has expired for a current branch version.
Update your Configuration Manager environment to the latest version before support for your current version expires.
For a list of the current branch versions, see Version details.
For more information about version numbers, and availability as an in-console update or as a baseline, see
Baseline and update versions.
Back up a Configuration Manager site
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


Prepare backup and recovery approaches to avoid data loss. For Configuration Manager sites, a backup and
recovery approach can help you to recover sites and hierarchies more quickly, and with the least data loss.
The sections in this article can help you back up your sites. To recover a site, see Recovery for Configuration
Manager.

WARNING
The two backup methods supported for Configuration Manager site recovery are:
A successful backup from the Backup Site Server maintenance task
A manually recovered site database backup

Considerations before creating a backup


If you use a SQL Server Always On availability group to host the site database: Modify your backup and
recovery plans as described in Prepare to use an availability group.
Configuration Manager can recover the site database from the Configuration Manager backup task. It can
also use a backup of the site database that you create with another process.
For example, you can restore the site database from a backup that's created as part of a SQL Server
maintenance plan. You can also use a backup that's created by using Data Protection Manager to back up
your site database.
You can also install an additional site server in passive mode. The site server in passive mode is in
addition to your existing site server in active mode. A site server in passive mode is available for
immediate use, when needed. For more information, see Site server high availability. While this role
doesn't remove the need to plan for and practice backup and recovery operations, it significantly reduces
the effort to recover a site when necessary.
Using Data Protection Manager to back up your site database
You can use System Center Data Protection Manager (DPM) to back up your Configuration Manager site
database.
Create a new protection group in DPM for the site database computer. On the Select Group Members page of
the Create New Protection Group Wizard, you select the SMS Writer service from the data source list. Then
select the site database as an appropriate member. For more information about using DPM, see the Data
Protection Manager documentation library.

IMPORTANT
Configuration Manager doesn't support DPM backup for a SQL Server Always On failover cluster instance that uses a
named instance. It does support DPM backup on a failover cluster instance that uses the default instance of SQL Server.

After you restore the site database, follow the steps in setup to recover the site. To use the site database that you
backed up with Data Protection Manager, select the recovery option to Use a site database that has been
manually recovered.

Backup maintenance task


You can automate backup for Configuration Manager sites by scheduling the predefined Backup Site Server
maintenance task. This task has the following features:
Runs on a schedule
Backs up the site database
Backs up specific registry keys
Backs up specific folders and files
Backs up the CD.Latest folder
Plan to run the default site backup task at a minimum of every five days. This schedule is because Configuration
Manager uses a SQL Server change tracking retention period of five days. For more information, see SQL Server
change tracking retention period.
To simplify the backup process, you can create an AfterBackup.bat file. This script automatically runs post-
backup actions after the backup task completes successfully. Use the AfterBackup.bat file to archive the backup
snapshot to a secure location. You can also use the AfterBackup.bat file to copy files to your backup folder, or to
start other backup tasks.
You can back up a central administration site and primary site. Secondary sites or site system servers don't have
backup tasks.
When the Configuration Manager backup service runs, it follows the instructions defined in the backup control
file: <ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box\Smsbkup.ctl . You can modify the backup control file to
change the behavior of the backup service.

NOTE
Modifications to Smsbkup.ctl take effect after you restart the SMS_SITE_VSS_WRITER service on the site server.

Site backup status information is written to the Smsbkup.log file. This file is created in the destination folder
that you specify in the properties of the Backup Site Server maintenance task.
To enable the site backup maintenance task
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the site for which you want to enable the site backup maintenance task.
3. Select Site Maintenance Tasks in the ribbon.
4. Select the Backup Site Server task, and select Edit.
5. Select the option to Enable this task. Select Set Paths to specify the backup destination. You have the
following options:

IMPORTANT
To help prevent tampering of the backup files, store the files in a secure location. The most secure backup path is
to a local drive, so you can set NTFS file permissions on the folder. Configuration Manager doesn't encrypt the
backup data that's stored in the backup path.
Local drive on site server for site data and database: Specifies that the task stores the
backup files for the site and site database in the specified path on the local disk drive of the site
server. Create the local folder before the backup task runs. The Local System account on the site
server must have Write NTFS file permissions to the local folder for the site server backup. The
Local System account on the computer that's running SQL Server must have Write NTFS
permissions to the folder for the site database backup.
Network path (UNC name) for site data and database: Specifies that the task stores the
backup files for the site and site database in the specified network path. Create the share before
the backup task runs. The computer account of the site server must have Write NTFS and share
permissions to the shared network folder. If SQL Server is installed on another computer, the
computer account of the SQL Server must have the same permissions.
Local drives on site server and SQL Server: Specifies that the task stores the backup files for
the site in the specified path on the local drive of the site server. The task stores the backup files for
the site database in the specified path on the local drive of the site database server. Create the local
folders before the backup task runs. The computer account of the site server must have Write
NTFS permissions to the folder that you create on the site server. The computer account of the SQL
Server must have Write NTFS permissions to the folder that you create on the site database
server. This option is available only when the site database isn't installed on the site server.

NOTE
The option to browse to the backup destination is only available when you specify the network path of the backup
destination.
The folder name or share name that's used for the backup destination doesn't support the use of Unicode
characters.

6. Configure a schedule for the site backup task. Consider a backup schedule that's outside active working
hours. If you have a hierarchy, consider a schedule that runs at least two times a week. If the site fails, this
schedule ensures maximum data retention.
When you run the Configuration Manager console on the same site server that you're configuring for
backup, the backup task uses local time for the schedule. When you run the Configuration Manager
console from another computer, the backup task uses Coordinated Universal Time (UTC) for the schedule.
7. Choose whether to create an alert if the site backup task fails. When selected, Configuration Manager
creates a critical alert for the backup failure. You can review these alerts in the Alerts node of the
Monitoring workspace.
Verify that the Backup Site Server maintenance task is running
Check the timestamp on the files in the backup destination folder that the task created. Verify that the
timestamp updates to the time when the task was last scheduled to run.
Go to the Component Status node of the Monitoring workspace. Review the status messages for
SMS_SITE_BACKUP. When site backup completes successfully, you see message ID 5035. This message
indicates that the site backup completed without any errors.
When you configure the backup task to create an alert when it fails, look for backup failure alerts in the
Alerts node of the Monitoring workspace.
Open Windows Explorer on the site server and browse to <ConfigMgrInstallationFolder>\Logs. Review
Smsbkup.log for warnings and errors. When site backup completes successfully, the log shows
Backup completed with message ID STATMSG: ID=5035.
TIP
When the backup maintenance task fails, restart the backup task by stopping and restarting the
SMS_SITE_BACKUP Windows service.

Archive the backup snapshot


The backup task creates a backup snapshot the first time it runs. You can use this snapshot to recover your site
server if it fails. When the backup task runs again on schedule, it creates a new backup snapshot that overwrites
the previous snapshot. As a result, the site has only a single backup snapshot, and you have no way of retrieving an
earlier backup snapshot.
Keep multiple archives of the backup snapshot for the following reasons:
It's common for backup media to fail, get misplaced, or include only a partial backup. Recovering a failed
stand-alone primary site from an older backup is better than recovering without any backup. For a site
server in a hierarchy, the backup must be in the SQL Server change tracking retention period, or the
backup isn't required.
A corruption in the site can go undetected for several backup cycles. You might have to use a backup
snapshot from before the site became corrupted. This reason applies to a stand-alone primary site and to
sites in a hierarchy where the backup is in the SQL Server change tracking retention period.
The site might have no backup snapshot at all. For example, if the Backup Site Server maintenance task
fails. Because the backup task removes the previous backup snapshot before it starts to back up the
current data, there won't be a valid backup snapshot.

Use the AfterBackup.bat file


After successfully backing up the site, the backup task automatically tries to run a script named
AfterBackup.bat . Manually create the AfterBackup.bat file on the site server in
<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box . If an AfterBackup.bat file exists in the correct folder, it
automatically runs after the backup task completes.
The AfterBackup.bat file lets you archive the backup snapshot at the end of every backup operation. It can
automatically perform other post-backup tasks that aren't part of the Backup Site Server maintenance task. The
AfterBackup.bat file integrates the archive and the backup operations, thereby ensuring that every new backup
snapshot is archived.
If the AfterBackup.bat file isn't present, the backup task skips it without effect on the backup operation. To verify
that the backup task successfully ran this script, go to the Component Status node in the Monitoring
workspace, and review the status messages for SMS_SITE_BACKUP. When the task successfully starts the
AfterBackup.bat command file, you see message ID 5040.

TIP
To archive your site server backup files with AfterBackup.bat, you must use a copy command tool in the batch file. One
such tool is Robocopy in Windows Server. For example, create the AfterBackup.bat file with the following command:
Robocopy E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR

Although the intended use of the AfterBackup.bat is to archive backup snapshots, you can create an
AfterBackup.bat file to run additional tasks at the end of every backup operation.
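The Robocopy /MIR command in the tip above mirrors the snapshot into one fixed folder, so it keeps only the latest copy, which works against the "keep multiple archives" advice earlier in this article. The following script is an added example, not part of the Configuration Manager documentation or a Microsoft tool: AfterBackup.bat calls it, it copies the snapshot into a dated archive folder, checks the Robocopy exit code, and prunes all but the newest archives. The script name, the backup and archive paths, the log file location, and the retention count are assumptions to adjust for your site.

```powershell
<#
  Archive-CMBackup.ps1 (hypothetical name), called from AfterBackup.bat with one line:
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File "D:\Scripts\Archive-CMBackup.ps1"
  Copies the latest backup snapshot to a dated archive folder and keeps the newest
  $KeepCount archives. All paths below are assumptions; adjust them for your site.
#>
[CmdletBinding()]
param(
    [string]$BackupRoot  = 'E:\ConfigMgr_Backup',                      # destination of the Backup Site Server task (assumed)
    [string]$ArchiveRoot = '\\ServerName\ShareName\ConfigMgr_Backup',  # archive share (assumed)
    [int]   $KeepCount   = 5,                                          # number of archives to retain
    [string]$LogFile     = "$env:SystemDrive\ConfigMgr_BackupArchive.log"
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# Refuse to archive a missing or empty snapshot: the backup task deletes the previous
# snapshot before it starts, so a failed run leaves nothing worth keeping.
if (-not (Test-Path -LiteralPath $BackupRoot) -or
    -not (Get-ChildItem -LiteralPath $BackupRoot -Recurse -File | Select-Object -First 1)) {
    Write-Log "No backup snapshot found under $BackupRoot; nothing archived."
    exit 1
}

$archive = Join-Path $ArchiveRoot ('ConfigMgr_Backup_{0:yyyyMMdd_HHmm}' -f (Get-Date))
Write-Log "Archiving $BackupRoot to $archive"

# /E copies subfolders including empty ones; /R:2 /W:5 keep retries short; /NP /NFL /NDL
# keep the log readable. /MIR is deliberately not used: mirroring into one fixed folder
# would leave a single archive instead of several.
& robocopy.exe $BackupRoot $archive /E /R:2 /W:5 /NP /NFL /NDL "/LOG+:$LogFile" | Out-Null
$rc = $LASTEXITCODE

# Robocopy exit codes below 8 mean the copy succeeded (possibly with extra files noted).
if ($rc -ge 8) {
    Write-Log "Robocopy failed with exit code $rc; archive $archive is incomplete."
    exit $rc
}
Write-Log "Archive completed (robocopy exit code $rc)."

# Prune: the folder names sort chronologically, so skip the newest $KeepCount and remove the rest.
$old = Get-ChildItem -LiteralPath $ArchiveRoot -Directory |
    Where-Object Name -like 'ConfigMgr_Backup_*' |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepCount
foreach ($dir in $old) {
    Write-Log "Removing old archive $($dir.FullName)"
    Remove-Item -LiteralPath $dir.FullName -Recurse -Force
}
exit 0
```

The script exits non-zero when there is no snapshot to copy or when Robocopy reports a failure, so a monitoring job can alert on it; the status message ID 5040 from SMS_SITE_BACKUP only tells you the batch file was started, not that the archive succeeded.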

Supplemental backup tasks


The Backup Site Server maintenance task provides a backup snapshot for the site server files and site database.
There are other items not backed up that you must consider when you create your backup strategy. Use these
sections to help you complete your Configuration Manager backup strategy.
Back up custom reports
If you modify predefined or created custom reports in SQL Server Reporting Services, create a backup for the
report server database files. The report server backup must include the following components:
The source files for reports and models
Encryption keys
Custom assemblies or extensions
Configuration files
Custom SQL Server views used in custom reports
Custom stored procedures

IMPORTANT
When Configuration Manager updates to a newer version, the predefined reports might be overwritten by new reports. If
you modify a predefined report, make sure to back up the report and then restore it in Reporting Services.

For more information about backing up your custom reports in Reporting Services, see Backup and Restore
Operations for Reporting Services.
Back up content files
The content library in Configuration Manager is the location where all content files are stored for all software
deployments. The content library is located on the site server and on each distribution point. The Backup Site
Server maintenance task doesn't back up the content library or package source files. When a site server fails, the
information about the content library is restored to the site database, but you must restore the content library
and package source files.
The content library must be restored before you can redistribute content to distribution points. When you
start content redistribution, Configuration Manager copies the files from the site server's content library
to the distribution points. For more information, see The content library.
The package source files must be restored before you can update content on distribution points. When
you start a content update, Configuration Manager copies new or modified files from the package source
to the content library. It then copies the files to associated distribution points. Run the following SQL
query against the site database to find the package source location for all packages and applications:
SELECT * FROM v_Package . You can identify the package source site by looking at the first three characters
of the package ID. For example, if the package ID is CEN00001, the site code for the source site is CEN.
When you restore the package source files, they must be restored to the same location where they were
before the failure.
Verify that you include both the content library and package source files in your file system backup for the site
server.
Back up custom software updates
System Center Updates Publisher is a stand-alone tool that lets you manage custom software updates. Updates
Publisher uses a local database for its software update repository. When you use Updates Publisher to manage
custom software updates, determine whether you should include the Updates Publisher database in your
backup plan. For more information, see System Center Updates Publisher.
Use the following procedure to back up the Updates Publisher database.
Back up the Updates Publisher database
1. On the computer that runs Updates Publisher, browse to the Updates Publisher database file Scupdb.sdf
in %USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\ . There's a
different database file for each user that runs Updates Publisher.
2. Copy the database file to your backup destination. For example, if your backup destination is
E:\ConfigMgr_Backup , you could copy the Updates Publisher database file to E:\ConfigMgr_Backup\SCUP .

TIP
When there's more than one database file on a computer, consider storing the file in a subfolder that indicates the
user profile associated with the database file. For example, you could have one database file in
E:\ConfigMgr_Backup\SCUP\User1 and another database file in E:\ConfigMgr_Backup\SCUP\User2 .

User state migration data


You can use Configuration Manager task sequences to capture and restore the user state data in OS deployment
scenarios. The properties of the state migration point list the folders that store the user state data. This data isn't
backed up as part of the Site Server Backup maintenance task. As part of your backup plan, you must manually
back up the folders that you specify to store the user state migration data.
Determine the folders used to store user state migration data
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Servers and Site System Roles node.
2. Select the site system that hosts the state migration role. Then select State migration point in the Site
System Roles pane.
3. Select Properties in the ribbon.
4. The folders that store the user state migration data are listed in the Folder details section on the
General tab.

About the SMS Writer service


The SMS Writer is a service that interacts with the Windows Volume Shadow Copy Service (VSS) during the
backup process. The SMS Writer service must be running for the Configuration Manager site back up to
complete successfully.
Process
1. SMS Writer registers with the VSS service and binds to its interfaces and events.
2. When VSS broadcasts events, or if it sends specific notifications to the SMS Writer, the SMS Writer
responds to the notification and takes the appropriate action.
3. The SMS Writer reads the backup control file smsbkup.ctl located in
<ConfigMgrInstallationPath>\inboxes\smsbkup.box , and determines the files and data to back up.

4. The SMS Writer builds metadata, which consists of various components including specific data from the
SMS registry key and subkeys.
a. It sends the metadata to VSS when it's requested.
b. VSS then sends the metadata to the requesting application, the Configuration Manager Backup
Manager.
5. Backup Manager selects the data to back up, and sends this data to the SMS Writer via VSS.
6. The SMS Writer takes the appropriate steps to prepare for the backup.
7. Later, when VSS is ready to take the snapshot:
a. It sends an event
b. The SMS Writer stops all Configuration Manager services
c. It ensures that the Configuration Manager activities are frozen while the snapshot is created.
8. After the snapshot is complete, the SMS Writer restarts services and activities.
The SMS Writer service is installed automatically. It must be running when the VSS application requests a
backup or restore.
Writer ID
The writer ID for the SMS Writer is 03ba67dd-dc6d-4729-a038-251f7018463b .
Permissions
The SMS Writer service must run under the Local System account.
Volume Shadow Copy service
The VSS is a set of COM APIs that implements a framework to allow volume backups to be performed while
applications on a system continue to write to the volumes. The VSS provides a consistent interface that allows
coordination between user applications that update data on disk (the SMS Writer service) and those that back
up applications (the Backup Manager service). For more information, see the Volume Shadow Copy Service.
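Before relying on the Backup Site Server task, it's worth confirming that the SMS Writer described above is actually registered with VSS, in a stable state, and running as Local System. The following script is an added example, not part of the Configuration Manager documentation; it uses the writer ID and the SMS_SITE_VSS_WRITER service name from this article, and parses the output of vssadmin list writers, whose layout (Writer name, Writer Id, State, Last error lines) is assumed to match recent Windows Server versions. Run it elevated on the site server.

```powershell
# Test-SmsWriter.ps1 (hypothetical name): checks the SMS Writer service account and state,
# then confirms VSS lists the writer with the documented writer ID in a Stable state.
$WriterName = 'SMS Writer'
$WriterId   = '03ba67dd-dc6d-4729-a038-251f7018463b'   # writer ID from the documentation
$Service    = 'SMS_SITE_VSS_WRITER'                    # service name from the documentation

# 1. Service state and logon account. The writer must run as Local System.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
if (-not $svc) {
    Write-Warning "$Service is not installed on this computer."
} else {
    "$Service : State=$($svc.State) StartMode=$($svc.StartMode) Account=$($svc.StartName)"
    if ($svc.State -ne 'Running') {
        Write-Warning "$Service is not running; the site backup will not complete."
    }
    if ($svc.StartName -ne 'LocalSystem') {
        Write-Warning "$Service must run as Local System (currently $($svc.StartName))."
    }
}

# 2. VSS registration. 'vssadmin list writers' prints one block per writer, for example:
#    Writer name: 'SMS Writer'
#       Writer Id: {03ba67dd-dc6d-4729-a038-251f7018463b}
#       Writer Instance Id: {...}
#       State: [1] Stable
#       Last error: No error
# The first GUID after the writer name is the Writer Id (the instance ID comes after it).
$text  = (& vssadmin.exe list writers) -join "`n"
$block = [regex]::Match($text,
    "Writer name: '$([regex]::Escape($WriterName))'.*?Last error: (?<err>[^\r\n]+)",
    'Singleline')
if (-not $block.Success) {
    Write-Warning "VSS does not list '$WriterName'. Restart $Service and run 'vssadmin list writers' again."
} else {
    $body  = $block.Value
    $id    = [regex]::Match($body, '\{(?<id>[0-9a-f-]{36})\}', 'IgnoreCase').Groups['id'].Value
    $state = [regex]::Match($body, 'State: \[\d+\] (?<s>\w+)').Groups['s'].Value
    "VSS writer '$WriterName': Id=$id State=$state LastError=$($block.Groups['err'].Value.Trim())"
    if ($id -ne $WriterId)   { Write-Warning "Writer Id $id does not match the documented $WriterId." }
    if ($state -ne 'Stable') { Write-Warning "Writer state is $state; a backup started now is likely to fail." }
}
```

A writer that is missing from the VSS list, or stuck in a Failed or Waiting for completion state, is the usual reason the Backup Site Server task fails even though the service shows as running; restarting SMS_SITE_VSS_WRITER re-registers it.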

Next steps
After you create a backup, practice site recovery with that backup. This practice can help you become familiar
with the recovery process before you need to rely on it. It can also help confirm the backup was successful for its
intended purpose.
Recover a Configuration Manager site
2/16/2022 • 20 minutes to read

Applies to: Configuration Manager (current branch)


Run a Configuration Manager site recovery after a site fails or data loss occurs in the site database. Repairing
and resynchronizing data are the core tasks of a site recovery and are required to prevent interruption of
operations.
The sections in this article can help you recover a Configuration Manager site. To create a backup, see Backup for
Configuration Manager.

Considerations before recovering a site


IMPORTANT
This information applies only to site recovery scenarios. When you're upgrading your on-premises infrastructure and not
actively recovering a failed site, review the information in the following articles:
Upgrade on-premises infrastructure
Modify your infrastructure

Prepare the server hardware


Make sure existing configurations aren't present on the site server. Any previous configurations can cause
conflicts during the site recovery process. Use one of the following options for the server hardware:
Use a new server that meets the general and recovery requirements.
Format the disks, and reinstall the OS on the existing server. Make sure it meets the general and recovery
requirements.
Reuse an existing server that you've cleaned
Use one of the following procedures to clean an existing server:
Clean an existing server for site server recovery only
1. Delete SMS registry keys: HKLM\Software\Microsoft\SMS
2. Delete any registry entries starting with SMS from HKLM\System\CurrentControlSet\Services . For example:
SMS_DISCOVERY_DATA_MANAGER
SMS_EXECUTIVE
SMS_INBOX_MONITOR
SMS_INVENTORY_DATA_LOADER
SMS_LAN_SENDER
SMS_MP_FILE_DISPATCH_MANAGER
SMS_SCHEDULER
SMS_SITE_BACKUP
SMS_SITE_COMPONENT_MANAGER
SMS_SITE_SQL_BACKUP
SMS_SITE_VSS_WRITER
SMS_SOFTWARE_METERING_PROCESSOR
SMS_STATE_SYSTEM
SMS_STATUS_MANAGER
SMS_WSUS_SYNC_MANAGER
SMSvcHost 3.0.0.0
SMSvcHost 4.0.0.0
3. Uninstall the Configuration Manager console
4. Restart the server
5. Confirm that all of the above registry keys are deleted.
The server is now ready for the Configuration Manager restore procedure.
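The registry cleanup in steps 1 and 2 is easy to get wrong by hand on a server with many services. The following script is an added example, not part of the Configuration Manager documentation: it enumerates the HKLM\Software\Microsoft\SMS key and every service key whose name starts with SMS, exports each key to a .reg file first, and deletes only after confirmation, so you can review the list with -WhatIf before committing. The script name and the export folder are assumptions. Run it elevated after uninstalling the console, then restart and run it again to confirm nothing remains (step 5).

```powershell
# Clear-SmsRegistry.ps1 (hypothetical name): removes the registry entries listed in
# "Clean an existing server for site server recovery only", with export and confirmation.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$ExportFolder = "$env:SystemDrive\RegBackup"   # where .reg exports are written (assumed)
)

# Collect targets as provider paths so that one code path handles both kinds of key.
$targets = @()
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\SMS') {
    $targets += (Get-Item 'HKLM:\SOFTWARE\Microsoft\SMS').PSPath
}
# Every service key starting with SMS (SMS_EXECUTIVE, SMS_SITE_BACKUP, SMSvcHost ... as
# listed in the procedure). Review the list before confirming the deletion.
$targets += Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -like 'SMS*' } |
    ForEach-Object { $_.PSPath }

if (-not $targets) { 'No SMS registry entries found; the server looks clean.'; return }

New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
foreach ($key in $targets) {
    # Convert Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\... to the HKLM\...
    # form that reg.exe expects, export the key, then delete it.
    $native = ($key -replace '^.*::', '') -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
    $file   = Join-Path $ExportFolder (($native -replace '[\\:]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
    if ($PSCmdlet.ShouldProcess($native, 'Delete registry key')) {
        Remove-Item -LiteralPath $key -Recurse -Force
    }
}

# Verification (step 5 of the procedure): list anything that is still present.
$left = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -like 'SMS*' } |
    Select-Object -ExpandProperty PSChildName)
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\SMS') { $left += 'HKLM\SOFTWARE\Microsoft\SMS' }
if ($left) { "Still present: $($left -join ', ')" } else { 'All SMS registry entries are removed.' }
```

Use `.\Clear-SmsRegistry.ps1 -WhatIf` to see the exact keys that would be removed; the exports under the backup folder let you restore a key with reg.exe import if you delete one by mistake.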
Clean an existing server for site database recovery only
1. Back up the site database. Also back up any other supporting databases, like WSUS.
2. Make sure to note the SQL Server name and instance name
3. Manually delete the site database from the SQL Server
4. Restart the SQL Server
The server is now ready for the Configuration Manager restore procedure.
Clean an existing server for full recovery
1. Back up the site database. Also back up any other supporting databases, like WSUS.
2. Make a copy of the content library
3. Uninstall the Configuration Manager site
4. Manually delete the site database from the SQL Server
5. Manually delete the Configuration Manager installation folder, and any other Configuration Manager folders
6. Restart the server
7. Restore the content library and other databases like WSUS
The server is now ready for the Configuration Manager restore procedure.
Use a supported version and same edition of SQL Server
If possible, use the same version of SQL Server. However, it's supported to restore a database to a newer version.
Don't change the SQL Server edition. Restoring a site database from Standard edition to Enterprise edition isn't
supported.
Other SQL Server configuration requirements:
SQL Server can't be set to single-user mode.
Make sure the MDF and LDF files are valid. When you recover a site, there's no check for the state of the files.
SQL Server Always On availability groups
If you use SQL Server Always On availability groups to host the site database, modify your recovery plans as
described in Prepare to use SQL Server Always On.
Database replicas
After you restore a site database that you configured for database replicas, reconfigure each replica. Before you
can use the database replicas, recreate both the publications and subscriptions.

Determine your recovery options


There are two main areas to consider for Configuration Manager primary site server and central administration
site (CAS) recovery: the site server and the site database . The following sections can help you select the best
options for your recovery scenario.
NOTE
When Configuration Manager setup detects an existing site on the server, you can start a site recovery, but the recovery
options for the site server are limited. For example, if you run Setup on an existing site server, when you choose recovery,
you can recover the site database server, but the option to recover the site server is disabled.

Site server recovery options


Start Configuration Manager setup from a copy of the CD.Latest folder that you created outside of the
Configuration Manager installation folder.
If you run setup from the Start menu on the site server, the Recover a site option isn't available.
If you installed any updates from within the Configuration Manager console before you made your
backup, you can't reinstall the site by using setup from the following locations:
Installation media
The Configuration Manager installation path
Then select the Recover a site option. You have the following recovery options for the failed site server:
Recover the site server using an existing backup
Use this option when you have a Configuration Manager backup of the site server from before the site failure.
The site creates this backup as part of the Backup Site Server maintenance task. The site is reinstalled, and the
site settings are configured based on the site that was backed up.
Reinstall the site server
Use this option when you don't have a backup of the site server. The site server is reinstalled, and you must
specify the site settings as you would during an initial installation.
Use the same site code and site database name that you used when the failed site was first installed.
You can reinstall the site on a new computer that runs a new OS version.
The server must use the same hostname and fully qualified domain name (FQDN) of the original site
server.
Site database recovery options
When you run Configuration Manager setup, you have the following recovery options for the site database:
Recover the site database using a backup set
Use this option when you have a Configuration Manager backup of the site database from before the database
failure. The site creates this backup as part of the Backup Site Server maintenance task. In a hierarchy, when
restoring a primary site, the recovery process retrieves from the CAS any changes made to the site database
after the last backup. When restoring the CAS, the recovery process retrieves these changes from a reference
primary site. When you recover the site database for a standalone primary site, you lose site changes after the
last backup.
When you recover the site database for a site in a hierarchy, the recovery behavior is different for a CAS and
primary site. The behavior is also different when the last backup is inside or outside of the SQL Server change
tracking retention period. For more information, see the Site database recovery scenarios section in this article.

NOTE
If you select to restore the site database by using a backup set, but the site database already exists, the recovery fails.

Create a new database for this site


Use this option when you don't have a backup of the site database. In a hierarchy, the recovery process creates a
new site database. When restoring a child primary site, it recovers the data by replicating from the CAS. When
restoring the CAS, it replicates data from a reference primary site. This option isn't available when you're
recovering a standalone primary site or a CAS that doesn't have primary sites.
Use a site database that has been manually recovered
Use this option when you've already recovered the Configuration Manager site database, but need to complete
the recovery process.
Configuration Manager can recover the site database from any of the following processes:
The Configuration Manager backup maintenance task
A site database backup using Data Protection Manager (DPM)
Another backup process
After you restore the site database by using a method outside Configuration Manager, run Setup,
and select this option to complete the site database recovery.

NOTE
When you use DPM to back up your site database, use the DPM procedures to restore the site database
to a specified location before you continue the restore process in Configuration Manager. For more
information about DPM, see the Data Protection Manager documentation library.

In a hierarchy, when you recover a primary site database, the recovery process retrieves from the CAS
any changes made to the site database after the last backup. When restoring the CAS, the recovery
process retrieves these changes from a reference primary site. When you recover the site database for a
standalone primary site, you lose site changes after the last backup.
Skip database recovery
Use this option when no data loss has occurred on the Configuration Manager site database server. This option
is only valid when the site database is on a different computer than the site server that you're recovering.
SQL Server change tracking retention period
Configuration Manager enables change tracking for the site database in SQL Server. Change tracking lets
Configuration Manager query for information about the changes made to database tables after a previous point
in time. The retention period specifies how long change tracking information is kept. By default, the site
database is configured to have a retention period of five days. When you recover a site database, the recovery
process proceeds differently if your backup is inside or outside the retention period. For example, if your SQL
Server fails, and your last backup is seven days old, it's outside the retention period.
For more information about SQL Server change tracking internals, see the following blog posts from the SQL
Server team: Change Tracking Cleanup - part 1 and Change Tracking Cleanup - part 2.
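Whether a backup is inside or outside the retention period decides which of the recovery scenarios below applies, so it helps to check both numbers before starting setup. The following script is an added example, not part of the Configuration Manager documentation: it reads the retention configured on the site database from the SQL Server catalog view sys.change_tracking_databases and compares it with the age of the newest file in the backup snapshot. The SQL instance, database name and backup path are assumptions, and the SqlServer PowerShell module (Invoke-Sqlcmd) must be installed.

```powershell
# Test-CMBackupRetention.ps1 (hypothetical name): is the backup still inside the site
# database's change tracking retention period?
param(
    [string]$SqlInstance = 'SQL01.contoso.local',   # site database server\instance (assumed)
    [string]$Database    = 'CM_PS1',                # site database name (assumed)
    [string]$BackupPath  = 'E:\ConfigMgr_Backup'    # snapshot folder written by the backup task (assumed)
)
Import-Module SqlServer -ErrorAction Stop

# sys.change_tracking_databases exposes the retention set with
# ALTER DATABASE ... SET CHANGE_TRACKING (CHANGE_RETENTION = n DAYS).
$ct = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
SELECT d.name, ct.retention_period, ct.retention_period_units_desc, ct.is_auto_cleanup_on
FROM   sys.change_tracking_databases AS ct
JOIN   sys.databases AS d ON d.database_id = ct.database_id
WHERE  d.name = N'$Database';
"@
if (-not $ct) { throw "Change tracking is not enabled on $Database; that is not a healthy site database." }

# Normalise the retention to a TimeSpan (units are MINUTES, HOURS or DAYS).
$retention = switch ($ct.retention_period_units_desc) {
    'MINUTES' { New-TimeSpan -Minutes $ct.retention_period }
    'HOURS'   { New-TimeSpan -Hours   $ct.retention_period }
    default   { New-TimeSpan -Days    $ct.retention_period }
}

# Age of the snapshot: the newest file under the backup folder.
$newest = Get-ChildItem -LiteralPath $BackupPath -Recurse -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) { throw "No backup files found under $BackupPath." }
$age = (Get-Date) - $newest.LastWriteTime

"Retention : $($ct.retention_period) $($ct.retention_period_units_desc) (auto cleanup: $($ct.is_auto_cleanup_on))"
"Backup age: {0:N1} days (newest file {1})" -f $age.TotalDays, $newest.FullName
if ($age -le $retention) {
    'Inside the retention period: changes made after the backup can be replicated from the other sites.'
} else {
    'Outside the retention period: recovery reinitializes global data and changes since the backup are lost.'
}
```

The default retention is five days, as the text says; if your backup task runs less often than that, the script tells you so before you discover it during a recovery.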
Reinitialization of site or global data
The process to reinitialize site or global data replaces existing data in the site database with data from another
site database. For example, when site ABC reinitializes data from site XYZ, the following steps occur:
The data is copied from site XYZ to site ABC.
The existing data for site XYZ is removed from the site database on site ABC.
The copied data from site XYZ is inserted into the site database for site ABC.
Example scenario 1: The primary site reinitializes the global data from the CAS
The recovery process removes the existing global data for the primary site in the primary site database and
replaces the data with the global data copied from the CAS.
Example scenario 2: The CAS reinitializes the site data from a primary site
The recovery process removes the existing site data for that primary site in the CAS database. It replaces the
data with the site data copied from the primary site. The site data for other primary sites isn't affected.
Site database recovery scenarios
After a site database is restored from a backup, Configuration Manager tries to restore the changes in site and
global data after the last database backup. Configuration Manager starts the following actions after a site
database is restored from backup:
Recovered site is a CAS
Database backup within change tracking retention period
Global data : The changes in global data after the backup are replicated from all primary sites.
Site data : The changes in site data after the backup are replicated from all primary sites.
Database backup older than change tracking retention period
Global data : The CAS reinitializes the global data from the reference primary site if you specify it.
Then all other primary sites reinitialize the global data from the CAS. If you don't specify a
reference site, all primary sites reinitialize the global data from the CAS. This data is what you
restored from backup.
Site data : The CAS reinitializes the site data from each primary site.
Recovered site is a primary site
Database backup within change tracking retention period
Global data : The changes in global data after the backup are replicated from the CAS.
Site data : The CAS reinitializes the site data from the primary site. Changes after the backup are
lost. Clients regenerate most data when they send information to the primary site.
Database backup older than change tracking retention period
Global data : The primary site reinitializes the global data from the CAS.
Site data : The CAS reinitializes the site data from the primary site. Changes after the backup are
lost. Clients regenerate most data when they send information to the primary site.

Site recovery procedures


Use one of the following procedures to help you recover your site server and site database:
Start a site recovery in the setup wizard
1. Copy the CD.Latest folder to a location outside the Configuration Manager installation folder. From the
copy of the CD.Latest folder, run the Configuration Manager setup wizard.
2. On the Getting Started page, select Recover a site , and then select Next .
3. Complete the wizard by using the options that are appropriate for your site recovery.
During the recovery, setup identifies the SQL Server Service Broker (SSB) port used by the SQL
Server. Don't change this port setting during recovery or data replication won't work properly after
the recovery completes.
You can specify the original or a new path to use for the Configuration Manager installation in the
setup wizard.
Start an unattended site recovery
1. Prepare the unattended installation script for the options that you require for the site recovery. For more
information, see Unattended site recovery.
2. Run Configuration Manager setup by using the /script command-line option. For example, you create a
setup initialization file ConfigMgrUnattend.ini . You save it in the C:\Temp directory of the computer on
which you're running setup. Use the following command:
setup.exe /script C:\temp\ConfigMgrUnattend.ini

NOTE
After you recover a CAS, replication of some site data from child sites can fail to be established. This data can include
hardware inventory, software inventory, and status messages.
If this issue occurs, reinitialize the ConfigMgrDRSSiteQueue for database replication. Use SQL Server Management
Studio to run the following query against the site database for the CAS:

IF EXISTS (SELECT * FROM sys.service_queues WHERE name = 'ConfigMgrDRSSiteQueue' AND is_receive_enabled = 0)
    ALTER QUEUE [dbo].[ConfigMgrDRSSiteQueue] WITH STATUS = ON

Post-recovery tasks
After you recover your site, there are several post-recovery tasks to consider before your site recovery is
complete. Use the following sections to help you complete your site recovery process.
Reenter user account passwords
After a site server recovery, reenter the passwords for any user accounts in the site. These passwords are reset
during the site recovery. The accounts are listed on the Finished page of the setup wizard after site recovery is
completed. The list is also saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
Reenter user account passwords after site recovery
1. Open the Configuration Manager console and connect to the recovered site.
2. Go to the Administration workspace, expand Security , and then select Accounts .
3. For each account, do the following steps to reenter the password:
a. Select the account from the list identified after site recovery.
b. Select Properties in the ribbon.
c. On the General tab, select Set , and then reenter the password for the account.
d. Select Verify , choose the appropriate data source for the selected user account, and then select
Test connection . This step tests that the user account can connect to the data source, and verifies
the credentials.
e. Select OK to save the password changes, and then select OK to close the account properties page.
Reenter PXE passwords
1. In the Configuration Manager console, go to the Administration workspace, and select the
Distribution Points node. Any on-premises distribution point with Yes in the PXE column is enabled for
PXE and may have a password to reenter.
2. Select a PXE-enabled distribution point, and select Properties in the ribbon.
3. Switch to the PXE tab.
4. If the option to Require a password when computers use PXE is enabled, enter and confirm the
password.
5. Select OK to save and close the properties.
Repeat this process for any other PXE-enabled on-premises distribution point.
Reenter task sequence passwords
1. In the Configuration Manager console, go to the Software Library workspace, expand Operating
Systems , and select the Task Sequences node.
2. Select a task sequence, and then in the ribbon, select Edit .
3. Review the following steps for passwords to reenter:
Apply Windows Settings : If you enable and specify the local administrator password, reenter
and confirm the password.
Apply Network Settings : For the account that has permission to join the domain, select Set .
Enter and confirm the password, and then select Verify .
Capture Operating System Image : For the account used to access the destination, select Set .
Enter and confirm the password, and then select Verify .
Connect to Network Folder : For the account used to connect a network folder, select Set . Enter
and confirm the password, and then select Verify .
Enable BitLocker : If you use the key management option TPM and PIN , reenter the PIN.
Join Domain or Workgroup : For the account that has permission to join the domain, select Set .
Enter and confirm the password, and then select Verify .
Run Command Line : If you use the option to Run this step as the following account , select
Set . Enter and confirm the password, and then select Verify .
Run PowerShell Script : If you use the option to Run this step as the following account ,
select Set . Enter and confirm the password, and then select Verify .
Repeat this process for all task sequences.
Recreate bootable media and prestaged media in non-PKI environments
In non-PKI environments, self-signed certs in bootable media and prestaged media are based on the machine
keys of the server where the media was created. For this reason, if the hardware changes or the OS is reinstalled
as part of a recovery, any bootable media and prestaged media created on that server need to be recreated. For
more information on how to create bootable media and prestaged media, see Create bootable media and Create
prestaged media.
Reenter sideloading keys
After a site server recovery, reenter Windows sideloading keys specified for the site. These keys are reset during
site recovery. After you reenter the sideloading keys, the site resets the count in the Activations used column
for Windows sideloading keys.
For example, before the site failure the Total activations count shows as 100 . The number of keys that devices
have used, or Activations used , is 90 . After the site recovery, the Total activations value still displays 100 ,
but the Activations used column incorrectly displays 0 . After 10 new devices use a sideloading key, there are
no more sideloading keys, and the 11th device fails to apply a sideloading key.
Recreate Azure services
After site recovery, you may see the following error in the cloudmgr.log:
Index (zero-based) must be greater than or equal to zero

To resolve this issue, renew the secret key for each Azure tenant connection.
Delete and recreate subscriptions for external notifications on the CAS
After you recover the CAS, you need to delete and recreate any subscriptions for external notifications. For more
information, see External notifications.
Configure HTTPS for site system roles that use IIS
When you recover site systems that run IIS and you configured for HTTPS, reconfigure IIS to use the web server
certificate.
Reinstall hotfixes
After a site recovery, you must reinstall any out-of-band hotfixes that were applied to the site server. After site
recovery, view the list of the previously installed hotfixes on the Finished page of the setup wizard. This list is
also saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.
Recover custom reports
Some customers create custom reports in SQL Server Reporting Services. When this component fails, recover
the reports from a backup of the report server. For more information about restoring your custom reports in
Reporting Services, see Backup and Restore Operations for Reporting Services.
Recover content files
The site database tracks where the site server stores the content files. The content files themselves aren't backed
up or restored as part of the backup and recovery process. To fully recover content files, restore the content
library and package source files to the original location. There are several methods for recovering your content
files. The easiest method is to restore the files from a file system backup of the site server.
If you don't have a file system backup for the package source files, manually copy or download them. This
process is similar to when you originally created the package. Run the following query in SQL Server to find the
package source location for all packages and applications: SELECT * FROM v_Package . Identify the package source
site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001, the
site code for the source site is CEN. When you restore the package source files, they must be restored to the
same location in which they were before the failure.
If you don't have a file system backup that includes the content library, you have the following restore options:
Import a prestaged content file : In a Configuration Manager hierarchy, you can create a prestaged
content file with all packages and applications from another location. Then import the prestaged content
file to recover the content library on the site server.
Update content : Configuration Manager copies the content from the package source to the content
library. For this action to finish successfully, the package source files must be available in the original
location. Do this action on each package and application.
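Both the "Back up content files" section earlier in this article and the recovery steps above rely on the same query against v_Package to find where each package's source files live. The following script is an added example, not part of the Configuration Manager documentation: it runs that query, derives the source site from the first three characters of the package ID as the text describes, and then tests whether each source path is reachable from the server, producing the list of sources you must restore before "Update content" can succeed. The SQL instance and database name are assumptions; of the v_Package columns, only PackageID and PkgSourcePath are named in this article, and the Name column is assumed. The SqlServer PowerShell module (Invoke-Sqlcmd) must be installed.

```powershell
# Find-CMPackageSource.ps1 (hypothetical name): list package sources and check which ones
# are missing after a recovery.
param(
    [string]$SqlInstance = 'SQL01.contoso.local',   # site database server\instance (assumed)
    [string]$Database    = 'CM_PS1'                 # site database name (assumed)
)
Import-Module SqlServer -ErrorAction Stop

# v_Package exposes PackageID and PkgSourcePath; the first three characters of the
# PackageID are the site code of the site where the package was created.
$rows = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @'
SELECT PackageID,
       Name,
       PkgSourcePath,
       LEFT(PackageID, 3) AS SourceSite
FROM   v_Package
WHERE  PkgSourcePath IS NOT NULL AND PkgSourcePath <> ''
ORDER  BY PackageID;
'@

$report = @(foreach ($r in $rows) {
    [pscustomobject]@{
        PackageID  = $r.PackageID
        SourceSite = $r.SourceSite
        Name       = $r.Name
        SourcePath = $r.PkgSourcePath
        # Test-Path works for local and UNC paths; a missing share or folder means the
        # source must be restored to exactly this location before updating content.
        Available  = Test-Path -LiteralPath $r.PkgSourcePath
    }
})

$missing = @($report | Where-Object { -not $_.Available })
$report | Format-Table PackageID, SourceSite, Available, SourcePath -AutoSize
"{0} packages checked, {1} with missing source paths" -f $report.Count, $missing.Count

# Hand the missing list to whoever restores the file shares; the CSV keeps the site code
# so sources created at other sites in the hierarchy can be restored there.
$missing | Select-Object PackageID, SourceSite, SourcePath |
    Export-Csv -Path "$env:TEMP\MissingPackageSources.csv" -NoTypeInformation
```

Run the script on the recovered site server, because Test-Path must be evaluated from the same computer that Distribution Manager will use when it reads the package source.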
Recover custom software updates
When you've included System Center Updates Publisher database files in your backup plan, you can recover the
databases if the Updates Publisher computer fails. For more information about Updates Publisher, see System
Center Updates Publisher.
Restore the Updates Publisher database
1. Reinstall Updates Publisher on the recovered computer.
2. Copy the database file Scupdb.sdf from your backup destination to
%USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\ on the
computer that runs Updates Publisher.
3. When more than one user runs Updates Publisher on the computer, copy each database file to the
appropriate user profile location.
User State Migration data
As part of the state migration point properties, you specify the folders that store user state data. After you
recover a state migration point, manually restore the user state data on the server. Restore it to the same folders
that stored the data before the failure.
Regenerate the certificates for distribution points
After you restore a site, the distmgr.log might list the following entry for one or more distribution points:
Failed to decrypt cert PFX data. This entry indicates that the site can't decrypt the distribution point
certificate data. To resolve this issue, regenerate or reimport the certificate for affected distribution points.
Use the Set-CMDistributionPoint PowerShell cmdlet.
Restore database encryption certificates
If you use SQL Server encryption for the entire database or for specific tables, you may need to restore the
certificates after you restore the site database. For example, if you encrypt recovery data for BitLocker
management. For more information, see Restore certificate for BitLocker management.

Recover a secondary site


Configuration Manager doesn't support the backup of the database at a secondary site, but does support
recovery by reinstalling the secondary site. Secondary site recovery is required when a Configuration Manager
secondary site fails.
Requirements
The server must meet all secondary site prerequisites and have appropriate security rights configured.
Use the same installation path that was used for the failed site.
Use a server with the same configuration as the failed server. This configuration includes its fully qualified
domain name (FQDN).
The server must have the same SQL Server configuration as the failed site.
During a secondary site recovery, Configuration Manager doesn't install SQL Server Express if it's
not already installed on the computer.
Use the same version of SQL Server and the same instance of SQL Server that you used for the
secondary site database before the failure.
Procedure
Use the Recover Secondary Site action from the Sites node in the Configuration Manager console. Unlike
with other types of sites, recovery for a secondary site doesn't use a backup file. This process reinstalls the
secondary site files on the failed server. After the site reinstalls, the secondary site data is reinitialized from the
parent primary site.
During the recovery process, Configuration Manager verifies if the content library exists on the secondary site
server. It also checks that the appropriate content is available. The secondary site uses the existing content
library, if it includes the appropriate content. Otherwise, to recover the content library of a secondary site,
redistribute or prestage the content to the server.
When you have a distribution point that isn't on the secondary site server, you aren't required to reinstall the
distribution point during a recovery of the secondary site. After the secondary site recovery, the site
automatically synchronizes with the distribution point.
You can verify the status of the secondary site recovery by using the Show Install Status action from the Sites
node in the Configuration Manager console.
Unattended site recovery for Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


To recover a Configuration Manager central administration site (CAS) or primary site without user interaction,
create an unattended installation script to use with the /script setup command-line option. The script provides
the same type of information that the setup wizard prompts for, except that there are no default settings. Specify
all values for the setup keys that apply to the type of recovery.
To use the /script setup command-line option, first create an answer file. Then specify this file name on the
command line. The name of the file is your decision, but it requires the .ini file extension. When you reference
this answer file from the command line, provide the full path to the file. For example, if your setup answer file is
named setup.ini, and it's stored in the C:\setup folder, your command line would be:
setup.exe /script c:\setup\setup.ini

IMPORTANT
You need Administrator rights to run Configuration Manager setup. When you run setup with the unattended script,
open the command prompt with the option to Run as administrator.

The script contains section names, key names, and values. Required section key names vary depending on the
recovery type that you need. The order of the keys within sections and the order of sections within the file aren't
important. The keys aren't case-sensitive. When you provide values for keys, the name of the key is followed by
an equal sign (=) and the value for the key. For example, Action=RecoverCCAR.
For more information, see the following articles:
Command-line options for setup
Unattended setup script file keys
Site failure impacts in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The site server and any of the other site systems can fail and cause a loss of the services they regularly provide.
If you install multiple site systems on the same computer, and that computer fails, all services regularly provided
by those site systems are no longer available.
Part of your planning process should include understanding the impact on the service that you provide your
organization. Because each site system in the site provides different functionality, the impact of a failure on the
site differs, depending on the role of the site system that failed.
Use high availability options to help mitigate the failure of any single system. Also plan for and practice a
backup and recovery strategy to reduce the amount of time the service is unavailable.
The following sections describe the impact when the specified site system isn't operational:
Site server
No site administration is possible. You can't connect the console to the site.
The management point collects client information and caches it until the site server is back online.
Users can run existing deployments, and clients can download content from distribution points.
Site database
No site administration is possible.
If the Configuration Manager client already has a policy assignment with new policies, and if the
management point has cached the policy body, the client can make a policy body request and receive the
policy body reply. However, the site can't service any new policy assignment requests.
Clients can run deployments, only if they've already received the policy, and the associated source files
are already cached locally at the client.
Management point
Although you can create new deployments, clients don't receive them until a management point is online.
Clients still collect inventory, software metering, and status information. They store this data locally until
the management point is available.
Clients can run deployments, only if they've already received the policy, and the associated source files
are already cached locally at the client.
Distribution point
Configuration Manager clients can run deployments, only if the associated source files have already been
downloaded locally or are available on a peer source.
Monitor the hierarchy
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


To monitor your hierarchy in Configuration Manager, use the Monitoring workspace in the Configuration
Manager console.

NOTE
The exception to this location is when migrating sites. Monitor this process in the Migration node of the
Administration workspace. For more information, see Operations for migrating to Configuration Manager current
branch.

Along with using the Configuration Manager console for monitoring, use the following features:
Introduction to reporting
Log files.
When you monitor sites, look for signs that indicate problems that require you to take action. For example:
A backlog of files on site servers and site systems.
Status messages that indicate an error or a problem.
Failing intrasite communication.
Error and warning messages in the system event log on servers.
Error and warning messages in the Microsoft SQL Server error log.
Sites or clients that haven't reported status in a long time.
Sluggish response from the SQL Server database.
Signs of hardware failure.
If monitoring tasks reveal any signs of problems, investigate the source of the problem. Then quickly repair it to
minimize the risk of a site failure.

Monitor common management tasks


Configuration Manager provides built-in monitoring from within the Configuration Manager console.
Alerts
For more information, see Monitor alerts.
Compliance settings
For more information, see How to monitor compliance settings.
Content
For general information about monitoring content, see Manage content and content infrastructure.
For more information about monitoring specific types of content:
Monitor applications
Monitor packages and programs
Monitor content for software updates
Monitor content for OS deployments
Endpoint Protection
For more information, see How to monitor Endpoint Protection.
OS deployment
For more information, see Monitor OS deployments.
Monitor power management
For more information, see How to monitor and plan for power management.
Monitor software metering
For more information, see Monitor app usage with software metering.
Monitor software updates
For more information, see Monitor software updates.

Monitor the site hierarchy


The Site Hierarchy node of the Monitoring workspace provides you with an overview of your Configuration
Manager hierarchy and intersite links.
Use the Site Hierarchy node to monitor the health of each site. Also monitor the intersite replication links and
their relationship to external factors, such as a geographical location.
Both site status and intersite link status replicate as site data and not global data. When you connect your
Configuration Manager console to a child primary site, you can't view the site or link status for other primary
sites or their child secondary sites. For example, in a hierarchy with multiple primary sites, when you connect
the console to a primary site, you can view the status of child secondary sites, the primary site, and the central
administration site. From this view, you can't see the status for other sites below the central administration site.
To control the display in the Site Hierarchy node, use the Configure Settings action. The hierarchy replicates
the settings that you configure in this node.
Hierarchy diagram
The hierarchy diagram displays your sites in a topology map. Select a site, and view a status message summary
from that site. Drill through to view status messages, and access the site Properties.
To view high-level status for a site or replication link between sites, hover your mouse pointer over the object.
Replication link status doesn't replicate globally. To view the replication link details between all primary sites in a
hierarchy, connect the console to the central administration site.
The following options modify the hierarchy diagram:
Groups
Configure the number of primary sites and secondary sites that trigger a change in the hierarchy diagram. This
change in the display combines the sites into a single object. Then you see the total number of sites and a high-
level rollup of status messages and site status.
Favorite sites
Specify individual sites to be a favorite site. A star icon identifies a favorite site in the hierarchy diagram. Favorite
sites aren't combined with other sites when you use groups. They're always displayed individually.
Geographical view

IMPORTANT
Starting in August 2020, this feature is deprecated. Use the Hierarchy Diagram option.

The geographical view displays the location of each site on a geographical map. It only displays sites that you
configure with a location. When you select a site in this view, it shows replication links to parent or child sites.
Unlike the hierarchy diagram view, you can't display site status message or replication link details in this view.

NOTE
To use the geographical view, the computer to which your Configuration Manager console connects must have Internet
Explorer installed and be able to access Bing Maps by using the HTTP protocol.

The following option modifies the geographical view:


Site Location
Specify a geographical location for each site using one of the following types:
A street address
A place name such as the name of a city
By latitude and longitude coordinates
For example, to use the latitude and longitude of Redmond, Washington, specify N 47 40 26.3572 W 122 7
17.4432 as the location of the site. You don't need to specify the symbols for the degree, minutes, or seconds of
latitude or longitude. Configuration Manager uses Bing Maps to display the location on the geographical view.
Then you can view your hierarchy with the geographical locations. This view provides insight into regional
issues that might affect specific sites or intersite replication.
When you specify a location, you can use the Location box to search for a specific site in your hierarchy. With
the site selected, enter the location as a city name or street address in the Location column. Configuration
Manager uses Bing Maps to resolve the location.

Next steps
Monitor database replication
Use the status system in Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Use the built-in status message system to understand the state of your Configuration Manager environment.
All major site components generate status messages that provide feedback on site and hierarchy operations.
This information can keep you informed about the health of different site processes. You can tune the alert
system to ignore noise for known problems, and increase early visibility for other issues that might need your
attention.
You generally don't need to configure the Configuration Manager status system. By default, it uses suitable
settings for most environments. You can configure the following components:
Status summarizers: Control the frequency of status messages that indicate a change for the following
four summarizers:
Application deployment summarizer
Application statistics summarizer
Component status summarizer
Site system status summarizer
Status filter rules: Create new status filter rules, modify the priority of rules, disable or enable rules, and
delete unused rules at each site.

NOTE
Status filter rules don't support environment variables to run external commands.

Status reporting: Configure both server and client component reporting, and specify where they're
sent.

WARNING
Because the default reporting settings are appropriate for most environments, change them with caution. When
you increase the level of status reporting by choosing to report all status details, you can increase the amount of
status messages for the site to process. This change increases the processing load on the Configuration Manager
site. If you decrease the level of status reporting, you might limit the usefulness of the status summarizers.

Because the status system maintains separate configurations for each site, edit each site individually.

Configure status summarizers


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select a site. Then on the Home tab of the ribbon, in the Settings group, select Status Summarizers.
3. In the Status Summarizers window, select the status summarizer that you want to configure, and select
Edit.
Application deployment or application statistics summarizers
On the General tab of the summarizer properties page, configure the summarization intervals.
For the application deployment summarizer, these time periods specify how frequently the site updates the
deployment status for applications, task sequences, and packages. It's calculated based on the deployment start
time. The following values show the defaults:
Modified in the last 30 days: 60 minutes
Modified in the last 31 to 90 days: 24 hours
Modified over 90 days ago: 7 days
For the application statistics summarizer, these time periods specify how often the site updates application
statistics. They're based on the date you last modified the application. The following values show the defaults:
Modified in the last 30 days: 240 minutes
Modified in the last 31 to 90 days: 24 hours
Modified over 90 days ago: 7 days
Component status summarizer
1. On the General tab of the summarizer properties page, configure the replication and threshold period
values:
Enable status summarization
Replicate to parent site and select the Replication priority (by default, Normal)
Threshold period (by default, Since 00:00:00). In other words, by default component status is reset
at midnight.
2. On the Thresholds tab, select the Message type: Informational, Warning, or Error.
3. Select a component and then select the properties icon. You can also double-click the component, or
right-click and select Property.
4. Specify the threshold for the number of status messages on the component before the site changes the
status.
The following table shows the default values:

Message type     Warning threshold     Critical threshold
Informational    2000                  5000
Warning          10                    50
Error            1                     5

For example, if a component generates 2000 informational status messages in the threshold period (by default,
since midnight), the site sets that component's state to warning.
Site system status summarizer
1. On the General tab of the summarizer properties page, configure the replication and schedule values:
Enable status summarization
Replicate to parent site and select the Replication priority (by default, Medium)
Status summarization schedule (by default, every hour on the hour)
2. On the Thresholds tab, specify values for the Default thresholds for free space on any site system. The
following values are the defaults:
Warning (KB): 10485760 (10 GB)
Critical (KB): 5242880 (5 GB)
For example, if a site system reports less than 10 GB of free space on a drive, that site system's status
changes to warning.
3. The site can also monitor specific thresholds for specific Storage objects. By default, it includes
thresholds for the SQL Server database and transaction log for the site database. The default values for
these default objects are the same as the default thresholds.
To modify these thresholds, select the object in the list, and then select the properties icon. (You can also
double-click the object, or right-click to access these actions.)
4. To create a new storage object to monitor, select the gold asterisk "new" icon. Select a storage object from
the list, and specify the free space thresholds.
5. To delete a storage object, select the object, and then select the delete icon.
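As an added example (not Configuration Manager's own code), the following Python models how the component status summarizer and the site system status summarizer turn the default thresholds above into a warning or critical state. Combining several severities or drives by taking the worst state is an assumption; the component names and free-space figures are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class State(IntEnum):
    """Rollup states, ordered so that max() picks the worst one."""
    OK = 0
    WARNING = 1
    CRITICAL = 2


# Default component status thresholds (warning, critical) per message type,
# counted since the start of the threshold period (00:00:00 by default).
COMPONENT_THRESHOLDS = {
    "Informational": (2000, 5000),
    "Warning": (10, 50),
    "Error": (1, 5),
}

# Default site system free-space thresholds in KB: 10 GB warning, 5 GB critical.
FREE_SPACE_WARNING_KB = 10485760
FREE_SPACE_CRITICAL_KB = 5242880


@dataclass
class StatusMessage:
    component: str
    severity: str  # Informational, Warning, or Error


def component_state(counts: dict[str, int]) -> State:
    """Derive one component's state from its message counts per severity.

    Reaching the warning threshold gives WARNING, reaching the critical
    threshold gives CRITICAL. Assumption (not spelled out on the page): when
    more than one severity crosses a threshold, the worst state wins.
    """
    worst = State.OK
    for severity, count in counts.items():
        warning_at, critical_at = COMPONENT_THRESHOLDS[severity]
        if count >= critical_at:
            state = State.CRITICAL
        elif count >= warning_at:
            state = State.WARNING
        else:
            state = State.OK
        worst = max(worst, state)
    return worst


def summarize_components(messages: list[StatusMessage]) -> dict[str, State]:
    """Count messages per component and severity, then roll each component up."""
    counts: dict[str, dict[str, int]] = {}
    for msg in messages:
        per_component = counts.setdefault(msg.component, {})
        per_component[msg.severity] = per_component.get(msg.severity, 0) + 1
    return {name: component_state(c) for name, c in counts.items()}


def drive_state(free_kb: int, warning_kb: int = FREE_SPACE_WARNING_KB,
                critical_kb: int = FREE_SPACE_CRITICAL_KB) -> State:
    """Free space below the warning value gives WARNING, below critical gives CRITICAL."""
    if free_kb < critical_kb:
        return State.CRITICAL
    if free_kb < warning_kb:
        return State.WARNING
    return State.OK


def site_system_state(drives: dict[str, int]) -> State:
    """A site system takes the worst state of its monitored drives (assumption)."""
    return max((drive_state(kb) for kb in drives.values()), default=State.OK)


if __name__ == "__main__":
    # Constructed sample: one component logged its first error today, another
    # is merely chatty; the component names are made up.
    sample = [StatusMessage("SMS_EXAMPLE_A", "Error")]
    sample += [StatusMessage("SMS_EXAMPLE_B", "Informational")] * 1999
    print(summarize_components(sample))            # A -> WARNING, B -> OK
    print(site_system_state({"C:": 52428800, "D:": 8388608}))  # D: below 10 GB
```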

Manage status filter rules


With status filter rules, the site can take action when a status message matches specific criteria. There are several
default status filter rules, and you can create custom rules.

TIP
Starting in version 2107, you can enable the site to send notifications to an external system or application. This capability
simplifies the process by using a web service-based method. You configure subscriptions to send these notifications.
These notifications are in response to specific, defined events as they occur. For example, status message filter rules. For
more information, see External notifications.

Modify a status filter rule


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select Status Filter Rules.
3. In the Status Filter Rules window, select the rule that you want to modify.
To change the processing order of the status filter rule, select Increase Priority or Decrease
Priority.
To change the status of the rule, select Disable or Enable.
To delete the status filter rule from the site, select Delete.
To change the criteria for the status message rule, select Edit.
Create a status filter rule
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select Status Filter Rules.
3. Select Create.
4. On the General page of the Create Status Filter Rule Wizard, specify a Name for the new status
filter rule. Select message-matching criteria for the rule, and specify values to match. The following
criteria are available:
Source: Client, SMS Provider, Site Server
Site code
System
Component
Message type: Milestone, Detail, Audit
Severity: Informational, Warning, Error
Message ID
Property
Property value
5. On the Actions page, specify the actions when a status message matches the specified criteria. The
following actions are available:
Write to the Configuration Manager database
Allow the user to delete messages after how many days
Report to the event log
Replicate to the parent site
Replication priority
Run a program
Specify a command line to run on the site server
Do not forward to status summarizers
Do not process lower-priority status filter rules
6. Complete the wizard.

NOTE
Configuration Manager only requires that a new status filter rule has a name. If you create a rule, but you don't specify
any criteria to process status messages, the status filter rule has no effect. This behavior allows you to create and organize
rules before you configure the criteria for each rule.
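An added example, not part of the product, that models how an ordered set of status filter rules is applied to one status message: rules run in priority order, a rule with no criteria has no effect (the note above), and the "Do not process lower-priority status filter rules" action stops evaluation. How actions from several matching rules combine is an assumption; the rule names, component names, site code, user name and program path are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StatusMessage:
    source: str            # Client, SMS Provider, or Site Server
    site_code: str
    system: str
    component: str
    message_type: str      # Milestone, Detail, or Audit
    severity: str          # Informational, Warning, or Error
    message_id: int
    properties: dict = field(default_factory=dict)   # property name -> value


@dataclass
class FilterRule:
    name: str
    enabled: bool = True
    # Matching criteria: message attribute -> required value. An attribute that
    # is not listed matches anything. A rule with no criteria at all never
    # matches, mirroring the documented "no effect" behaviour.
    criteria: dict = field(default_factory=dict)
    property_name: Optional[str] = None
    property_value: Optional[str] = None
    # Actions taken when the rule matches.
    write_to_database: bool = True
    report_to_event_log: bool = False
    replicate_to_parent: bool = False
    run_program: Optional[str] = None
    forward_to_summarizers: bool = True
    process_lower_priority_rules: bool = True

    def matches(self, msg: StatusMessage) -> bool:
        if not self.criteria and self.property_name is None:
            return False
        for attr, wanted in self.criteria.items():
            if getattr(msg, attr) != wanted:
                return False
        if self.property_name is not None:
            if msg.properties.get(self.property_name) != self.property_value:
                return False
        return True


def process_message(msg: StatusMessage, rules: list[FilterRule]) -> tuple[dict, list[str]]:
    """Evaluate rules from highest to lowest priority (list order).

    Returns the combined actions and the names of the rules that matched.
    Assumption: actions from every matching rule accumulate, and any matching
    rule that does not forward to summarizers suppresses forwarding.
    """
    actions = {
        "write_to_database": False,
        "report_to_event_log": False,
        "replicate_to_parent": False,
        "forward_to_summarizers": True,
        "programs": [],
    }
    matched: list[str] = []
    for rule in rules:
        if not rule.enabled or not rule.matches(msg):
            continue
        matched.append(rule.name)
        actions["write_to_database"] |= rule.write_to_database
        actions["report_to_event_log"] |= rule.report_to_event_log
        actions["replicate_to_parent"] |= rule.replicate_to_parent
        if not rule.forward_to_summarizers:
            actions["forward_to_summarizers"] = False
        if rule.run_program:
            actions["programs"].append(rule.run_program)
        if not rule.process_lower_priority_rules:
            break
    return actions, matched


# Constructed rule set, highest priority first (names and paths are made up).
RULES = [
    FilterRule(
        "Drop known-noisy informational messages",
        criteria={"component": "SMS_EXAMPLE_NOISY", "severity": "Informational"},
        write_to_database=False,
        forward_to_summarizers=False,
        process_lower_priority_rules=False,
    ),
    FilterRule(
        "Log site server errors to the event log",
        criteria={"source": "Site Server", "severity": "Error"},
        report_to_event_log=True,
        run_program=r"C:\Scripts\notify-oncall.cmd",   # placeholder path
    ),
    FilterRule(
        "Replicate audit messages to the parent site",
        criteria={"message_type": "Audit"},
        replicate_to_parent=True,
    ),
    FilterRule("Unconfigured rule"),   # no criteria: never matches
]
```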

Configure status reporting


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select a site, and then on the Home tab of the ribbon, in the Settings group, select Configure Site
Components, and then select Status Reporting.
3. In the Status Reporting Component Properties window, specify the server and client component
status messages that you want to report or log:
Report: Send status messages to the Configuration Manager status message system. By default,
this option is enabled for All Milestones for both server and client components. The option to
Report details on failure is also enabled by default.
Log: Write the type and severity of status messages to the Windows event log. By default, this
option isn't enabled for either server or client components.

Monitor the status system


System status in Configuration Manager provides an overview of the general operations of sites and site server
operations of your hierarchy. It can reveal operational problems for site system servers or components. You can
use the system status to review specific details for different Configuration Manager operations. You monitor
system status from the System Status node of the Monitoring workspace in the Configuration Manager
console.
Most Configuration Manager site system roles and components generate status messages. Status message
details are logged in each component's operational log, but are also submitted to the site database. The site then
summarizes and presents them in a general health rollup for each component or site system. These status
message rollups provide information details for regular operations, and details of warnings and errors. You can
configure the thresholds at which the site triggers warnings or errors. Tune the system in your environment to
make sure rollup information ignores known issues that aren't relevant to you. Also configure it to call attention
to actual problems that you need to investigate.
System status is replicated to other sites in a hierarchy as site data, not global data. This behavior means you can
only see the status for the site to which your Configuration Manager console connects, and any child sites below
that site. When you view system status, use the Configuration Manager console with the top-level site of your
hierarchy. For more information on site data versus global data, see Database replication: Types of data.
There are different system status views in the Configuration Manager console:
Site Status: View a rollup of the status of each site system to review the health of each server. The site
determines site system health by thresholds that you configure for each site in the Site System Status
Summarizer. In this node:
View status messages for each site system
Set thresholds for status messages
Manage the operation of the components on site systems by using the Configuration Manager
Service Manager
Component Status: View a rollup of the status of each Configuration Manager component to review its
operational health. The site determines component health by thresholds that you configure for each site
in the Component Status Summarizer. In this node:
View status messages for each component
Set thresholds for status messages
Manage the operation of components by using the Configuration Manager Service Manager
Conflicting Records: View status messages about clients that might have conflicting records.
Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and
alert you to the conflicting records. For example, if you have to reinstall a computer, the hardware ID
would be the same, but the GUID that Configuration Manager uses might change.
Status Message Queries: Query status messages for specific events and related details. Use status
message queries to find the status messages related to specific events. You can identify when a specific
component, operation, or Configuration Manager object was modified, and the account that was used to
make the modification. For example, run the built-in Collections Created, Modified, or Deleted
query to identify when a specific collection was created, and the user account used to create it.

View status messages


1. To view status messages in the Configuration Manager console, select a specific site system server or
component.
2. In the ribbon, select Show Messages, then choose the type of messages to show: All, Error, Warning,
Information.
3. Select the viewing period. Either on or after a specific date and time, or from a specific time period. By
default, the viewing period is 1 day ago.

4. The Status Message Viewer has many controls to customize the view. For example, to filter the results
based on the status message details, go to the View menu, and select Filter.
Starting in version 2010, there's an easier way to view status messages for the following objects:
Devices
Users
Content
Deployments
Monitoring workspace
Phased deployments (select Show Deployments from the Phased Deployments node)
Deployments tab in the details pane for:
Packages
Task sequences
Select one of these objects in the Configuration Manager console, and then select Show Status Messages
from the ribbon.

Next steps
Configure alerts
Configuration Manager Service Manager
Configure alerts in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Configure alerts to understand the state of your Configuration Manager environment. Configuration Manager
generates alerts by some operations when a specific condition occurs:
Typically, when an error occurs that you need to resolve.
To warn you that a condition exists, so that you can continue to monitor the situation.
Some alerts you configure, such as alerts for endpoint protection and client status. Configuration Manager
automatically configures other alerts.
You can configure subscriptions to alerts. Subscriptions can send details by email, which increases your
awareness of key issues.

Manage general alerts


In the Configuration Manager console, go to the Monitoring workspace, expand Alerts, and then select Active
Alerts or All Alerts.
The following actions are available on alerts in these nodes:
Postpone: Suspend monitoring this alert until the specified date is reached. At that time, the site updates
the state of the alert. You can only postpone an enabled alert. When you postpone an alert, you can also
add a comment.
Edit Comments: Enter a comment for the selected alerts. These comments display with the alert in the
Configuration Manager console.
Configure: Modify the name, severity, and definition for the selected alert. If you change the severity of
the alert, this configuration affects how the alerts are displayed in the Configuration Manager console.
Create subscription: Create an email subscription to the selected alert. For more information, see Email
alerts.
alerts.

Configure client status alerts


1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Device Collections node.
2. Select the collection for which you want to configure alerts. In the Home tab of the ribbon, in the
Properties group, select Properties.

NOTE
You can't configure alerts for user collections.

3. Switch to the Alerts tab, and select Add.


NOTE
The Alerts tab is only visible if your security role has permissions for alerts.

4. Choose the alerts that you want the site to generate when client status thresholds fall below a specific
value:
Client check pass or no results for active clients falls below threshold (%)
Client remediation success falls below the threshold (%)
Client activity falls below threshold (%)
5. In the Conditions list of the Alerts tab, select each client status alert, and then specify the following
information:
Alert Name: Accept the default name or enter a new name for the alert.
Alert Severity: Choose the alert level that displays in the Configuration Manager console:
Information, Warning, or Critical.
Raise alert if...: Specify the threshold percentage for the alert.
6. Select OK to save the alerts and close the collection properties.

Email alerts
You can create an email subscription for alerts. When the site triggers an alert, it can then send you email
notification.
Configure email notification for alerts
Before you can subscribe to email alerts, you need to configure the site to send email notifications. You'll need
information about an SMTP email server.

TIP
If you use Microsoft 365, use the following information:
SMTP server: smtp.office365.com
Port: 587
This server requires an encrypted connection (SSL)

1. In the Configuration Manager console, go to the Monitoring workspace, expand Alerts, and select the
Subscriptions node.
2. On the Home tab of the ribbon, in the Create group, select Configure Email Notification.
3. Specify the following information:
Enable email notification for alerts: Allow Configuration Manager to use an SMTP server to
send email alerts.
FQDN or IP Address of the SMTP server to send email alerts: Enter the fully qualified
domain name (FQDN) or IP address for the email server to use for these alerts.
Port: Specify the SMTP port for the email server to use for these alerts. For example, 587.
This server requires an encrypted connection (SSL): Require that the site creates an
encrypted connection with the SMTP server.
SMTP Server Connection Account: Specify the authentication method for Configuration
Manager to use to connect to the email server.

IMPORTANT
Specify an account that has the least possible permissions to send emails.

Sender address for email alerts: Specify the email address from which alert emails are sent.
Test SMTP Server: Sends a test email to the email address specified in Sender address for
email alerts.
4. Select OK to save the settings and to close the window.
Subscribe to email alerts
1. In the Configuration Manager console, go to the Monitoring workspace, expand Alerts, and select
either Active Alerts or All Alerts.
2. Select an alert. On the Home tab of the ribbon, in the Subscription group, select Create subscription.
3. In the New Subscription window, specify the following information:
Subscription name: Enter a name to identify the email subscription. You can use up to 255
characters.
Email address: Enter the recipient email addresses to get this alert. Separate multiple email
addresses with a semicolon (;).
Email language: Select the language for the email.
4. Select OK to close the New Subscription window and to create the email subscription.
To edit or delete a subscription, select the Subscriptions node under Alerts.

Monitor alerts
You can view alerts in one of the Aler ts node of the Monitoring workspace. Alerts have one of the following
alert states:
Never triggered : The component hasn't met the condition of the alert.
Active : The site triggered the alert when the component met the condition.
Canceled : The condition that caused the alert is now resolved.
Postponed : An administrator suspended monitoring of the alert. Configuration Manager will evaluate
the state of the alert at a later time.
Disabled : An administrator disabled the alert. Configuration Manager doesn't update the alert even if
the state of the alert changes.
When Configuration Manager generates an alert, you can take one of the following actions:
Resolve the condition that caused the alert. For example, you resolve a network issue. After Configuration
Manager detects that the issue no longer exists, the alert state changes to Canceled.
If the alert is a known issue, postpone the alert until a specific time. At that later time, Configuration
Manager updates the alert to its current state.
You can only postpone an alert when it's active.
Edit the Comment of an alert. This action informs other administrators that you're aware of the alert. For
example, in the comment you can identify how to resolve the condition, provide information about the
current status of the condition, or explain why you postponed the alert.

External notifications
Starting in version 2107, you can enable the site to send notifications to an external system or application. This
capability simplifies the process by using a web service-based method. You configure subscriptions to send
these notifications. These notifications are in response to specific, defined events as they occur. For example,
status message filter rules. For more information, see External notifications.

Next steps
Configure endpoint protection alerts for a collection
Configure client status alerts for a collection
External notifications
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


In a complex IT environment, you may have an automation system like Azure Logic Apps. Customers use these
systems to define and control automated workflows to integrate multiple systems. You could integrate
Configuration Manager into a separate automation system through the product's SDK APIs. But this process can
be complex and challenging for IT professionals without a software development background.
Starting in version 2107, you can enable the site to send notifications to an external system or application. This
feature simplifies the process by using a web service-based method. You configure subscriptions to send these
notifications. These notifications are in response to specific, defined events as they occur. For example, status
message filter rules.

NOTE
The external system or application defines and provides the methods that this feature calls.

When you set up this feature, the site opens a communication channel with the external system. That system can
then start a complex workflow or action that doesn't exist in Configuration Manager.
Starting in version 2111, use the Configuration Manager console to create or edit subscriptions for external
notifications. This article now focuses on that experience. If you're using version 2107, see Configuration
Manager version 2107.

Prerequisites
Create the subscription on the top-level site of the hierarchy. This site is either a standalone primary site,
or a central administration site (CAS). You can view and modify an existing subscription on any site in a
hierarchy.
The site's service connection point needs to be in online mode. For more information, see About the
service connection point.
Currently, this feature only supports Azure Logic Apps as the external system. An active Azure
subscription with rights to create a logic app is required.
The service connection point needs to communicate with the notification service, for example Azure Logic
Apps. For more information, see Internet access requirements.
To create an event type for an application approval request, the site needs an app that requires approval
and is deployed to a user collection. For more information, see Deploy applications and Approve
applications.
Permissions
You can configure the following permissions to the NotificationSubscription object: Read, Delete, Modify,
Create.
The Full administrator default security role has these permissions.
The Read only analyst default security role has the Read permission.
In version 2107, users also need the All security scope. In version 2111 and later, you can't scope the
subscription objects. If needed, you can use scopes on the Site object, to which users need at least read
permission.
Other permissions may be required for custom roles. Use the following table to understand what's needed:

| Action                       | Alerts: Read | Site: Read | Notify: Read | Notify: Modify | Notify: Create | Notify: Delete | Site: Manage SFR |
|------------------------------|--------------|------------|--------------|----------------|----------------|----------------|------------------|
| View subscription            | X            |            | X            |                |                |                |                  |
| Modify subscription          | X            | X          | X            | X              |                |                |                  |
| Create subscription (Note 1) | X            | X          | X            |                | X              |                |                  |
| Delete subscription          | X            |            | X            |                |                | X              |                  |
| Create new SFR               | X            | X          | X            | Note 2         | Note 2         |                | X                |
| Add existing SFR             | X            | X          | X            | Note 2         | Note 2         |                |                  |
| Add app approval             | X            | X          | X            | Note 2         | Note 2         |                |                  |

The above table uses the following shorthand:
Notify: Notification subscription objects
SFR: Status filter rule
Note 1: Top-level site in hierarchy
Create the subscription on the top-level site of the hierarchy. This site is either a standalone primary site, or a
CAS. You can view and modify an existing subscription on any site in a hierarchy.
Note 2: Modify and Create permissions for event actions
When managing events on the subscription, the permissions to Modify or Create on the Notification
subscription object depend upon whether you need to modify or create the event. For example, if you have the
Create permission, then you can add a status filter rule to the subscription. If you don't have the Modify
permission, then you can't make changes to the subscription events.

Create an Azure logic app and workflow


Use the following process to create a sample app in Azure Logic Apps to receive the notification from
Configuration Manager.
NOTE
This process is provided as an example to help you get started. It's not intended for production use.

1. Sign in to the Azure portal.


2. In the Azure search box, enter logic apps , and select Logic Apps .
3. Select Add and choose Consumption . This action creates a new logic app.
4. On the Basics tab, specify the project details as necessary for your environment: subscription name,
resource group, logic app name, and region.
5. Select Review + create . On the validation page, confirm the details that you provided, and select
Create .
6. Under Next steps , select Go to resource .
7. Under the section to Start with a common trigger, select When a HTTP request is received.
8. At the bottom of the trigger editor, select Use sample payload to generate schema .
9. Paste the following sample payload:

{
"EventID":0,
"EventName":"",
"SiteCode":"",
"ServerName":"",
"MessageID":0,
"Source":"",
"EventPayload":""
}

10. Select Done and then select Save .


11. Copy the generated URL for the logic app. You'll use this URL later when you create the subscription in
Configuration Manager.
12. To add a new step in the designer, select + New Step . Choose an appropriate action when it receives a
notification from Configuration Manager. For example:
To send an email, use the Office 365 Outlook connector.
To post a message to Teams, use the Microsoft Teams connector.
Sign in if necessary and complete the required information for the action. For more information, see the
Create logic apps quickstart in the Azure Logic Apps documentation.
Notification schema
These notifications use the following standardized schema:
{
"properties": {
"EventID": {
"type": "integer"
},
"EventName": {
"type": "string"
},
"EventPayload": {
"type": "string"
},
"MessageID": {
"type": "string"
},
"ServerName": {
"type": "string"
},
"SiteCode": {
"type": "string"
},
"Source": {
"type": "string"
}
},
"type": "object"
}
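As an added example, not from the Configuration Manager docs or from the Logic App itself, the following PowerShell checks a posted notification body against the schema above before a workflow or script acts on its fields. The sample bodies are constructed; MessageID is accepted as either a string (as the schema declares) or an integer (as the sample payload used to generate the trigger posts it).

```powershell
# Field names and accepted JSON value kinds, taken from the notification schema.
# MessageID is "string" in the schema but 0 (an integer) in the sample payload,
# so both kinds are allowed for that field.
$script:NotificationSchema = [ordered]@{
    EventID      = @('integer')
    EventName    = @('string')
    EventPayload = @('string')
    MessageID    = @('string', 'integer')
    ServerName   = @('string')
    SiteCode     = @('string')
    Source       = @('string')
}

function Get-JsonKind {
    # Map a value produced by ConvertFrom-Json back to the JSON kind it came from.
    param($Value)
    if ($null -eq $Value)                                        { return 'null' }
    if ($Value -is [bool])                                       { return 'boolean' }
    if ($Value -is [string])                                     { return 'string' }
    if ($Value -is [int] -or $Value -is [long])                  { return 'integer' }
    if ($Value -is [double] -or $Value -is [decimal])            { return 'number' }
    if ($Value -is [array])                                      { return 'array' }
    return 'object'
}

function Test-NotificationBody {
    # Returns an object with IsValid and the list of problems found in a raw JSON body.
    param([Parameter(Mandatory)][string]$Json)

    $problems = New-Object System.Collections.Generic.List[string]
    try {
        $obj = ConvertFrom-Json -InputObject $Json
    } catch {
        return [pscustomobject]@{ IsValid = $false; Problems = @("Body is not valid JSON: $($_.Exception.Message)") }
    }
    if ($obj -isnot [System.Management.Automation.PSCustomObject]) {
        return [pscustomobject]@{ IsValid = $false; Problems = @('Body must be a JSON object') }
    }

    $present = @($obj.PSObject.Properties.Name)
    foreach ($field in $script:NotificationSchema.Keys) {
        if ($field -notin $present) {
            $problems.Add("Missing field: $field")
            continue
        }
        $kind = Get-JsonKind $obj.$field
        if ($kind -notin $script:NotificationSchema[$field]) {
            $problems.Add("Field $field has kind '$kind', expected $($script:NotificationSchema[$field] -join ' or ')")
        }
    }
    # The schema does not forbid extra fields, but they are worth surfacing to the operator.
    foreach ($extra in ($present | Where-Object { $_ -notin $script:NotificationSchema.Keys })) {
        $problems.Add("Unexpected field: $extra")
    }

    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample bodies (not captured from a real site).
$good = '{"EventID":1,"EventName":"ConstructedEvent","SiteCode":"PS1","ServerName":"cm01.contoso.local","MessageID":"2311","Source":"SMS Provider","EventPayload":"{\"detail\":\"constructed\"}"}'
$bad  = '{"EventID":"one","EventName":"ConstructedEvent","SiteCode":"PS1","Source":"Client","Extra":true}'

Test-NotificationBody $good | Format-List   # IsValid: True, no problems
Test-NotificationBody $bad  | Format-List   # IsValid: False, lists the type error, missing and extra fields
```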

Create an event
There are two types of events that are currently supported:
The site raises a status message that matches conditions specified in a status filter rule for external
notification. You can create a new rule or use an existing one.
A user requests approval for an application in Software Center.

NOTE
In a hierarchy, the scope of events depends upon the event type:
Application approval events only happen at primary sites.
Status filter rules apply to the site where you create the rule using the Create external service notification event
wizard.
If you run the wizard to create the event while connected to the CAS, it only triggers on matching events from
the CAS.
To subscribe to events raised by a child primary site, connect to the primary site. Modify the notification
subscription to create a new status filter rule for the child primary site.

Use the following process to create an event:


1. In the Configuration Manager console, connect to the top-level site of the hierarchy. This site is either a
standalone primary site, or a CAS.
2. Go to the Monitoring workspace, expand Alerts, and select the External service notifications node.
3. In the ribbon, select Create subscription.
4. In the New Subscription window, specify a Name for the subscription to identify it in the Configuration
Manager console. The maximum length is 254 characters. Optionally add a Description.
5. For the External service URL value, paste the URL of the Azure Logic App that you previously copied.

6. Select the gold asterisk to add a new event to the subscription.


a. In the Create External Service Notification Event wizard, on the Event type page, select one of the
following event types:
New status filter rule : Create a new status filter rule to use for this event. Specify a name
for the status filter rule, and then configure the filter criteria. For more information about
criteria for status message rules, see Use the status system.

IMPORTANT
Be cautious with the type of status filter rule that you create. For external notifications, the site can
process 300 status messages every five minutes. If your rule allows more messages than this limit,
it will cause a backlog on the site. Create rules with narrow filters for specific scenarios. Avoid
generic rules that allow a lot of messages.

Existing status filter rule : Reuse a status filter rule for external notification that already
exists. It doesn't display all status filter rules, only the rules that you created using this
wizard.
User submits application request : Send an external notification for application approval
requests.

Manage events
After you create a subscription, use the External service notifications node to do the following actions:
Properties: Edit the name, description, or events for a subscription. You can't edit the external service
URL.
Delete : Remove a subscription.

NOTE
You can view and modify an existing subscription on any site in a hierarchy.

When you select a subscription, the details pane shows information about the events that have happened.

Trigger an event
The process to trigger an event depends upon the type of subscription:
For a status filter rule, trigger an event for the site component. For example, use the Configuration
Manager Service Manager to restart the component.
For an app approval request, use Software Center to request an app that requires approval. For more
information, see Software Center user guide.

Monitor the workflow


Within five minutes, the event triggers the logic app workflow. Check the status of the workflow in the Azure
portal. Navigate to the Runs history page of the logic app.
For more information, see Monitor run status, review trigger history, and set up alerts for Azure Logic Apps.
Troubleshoot
Use the following Configuration Manager log files on the site server to help troubleshoot this process:
ExternalNotificationsWorker.log : Check if the queue has been processed and notifications are sent to
external system.
statmgr.log : Check if the status filter rules have been processed without errors

Known issues
If you create a status filter rule, you'll see it in the site's list of Status filter rules in the Configuration Manager
console. If you make a change on the Actions tab of the rule properties, the external notification won't work.
After you recover a central administration site (CAS), delete and recreate the subscription.

TIP
Before you remove a CAS, recreate the subscriptions at the child primary site.

Configuration Manager version 2107


IMPORTANT
This section and the PowerShell script only apply to version 2107. In version 2111 and later, use the Configuration
Manager console to create and manage events.

Other prerequisites for version 2107


To create the objects in Configuration Manager version 2107, you need to use the PowerShell script
SetupExternalServiceNotifications.ps1. Use the following script sample to properly get the PowerShell
script to use for this feature:

$FileName = ".\SetupExternalServiceNotifications.ps1"
Invoke-WebRequest https://aka.ms/cmextnotificationscript -OutFile $FileName
(Get-Content $FileName -Raw).Replace("`n","`r`n") | Set-Content $FileName -Force
(Get-Content $FileName -Raw).TrimEnd("`r`n") | Set-Content $FileName -Force

NOTE
SetupExternalServiceNotifications.ps1 is digitally signed by Microsoft. This script sample downloads the file and fixes
the line breaks to preserve the digital signature.
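The following PowerShell is an added example for this page, not part of the Configuration Manager docs or of SetupExternalServiceNotifications.ps1. It checks the Authenticode signature of the downloaded script before you run it on the site server; because the signature covers the file content, a HashMismatch status also tells you that the line-break normalisation above did not preserve the signed bytes. The expected signer subject (CN=Microsoft Corporation) is an assumption you can adjust.

```powershell
function Test-SignedSetupScript {
    [CmdletBinding()]
    param(
        # Path used by the download snippet on this page.
        [string]$Path = '.\SetupExternalServiceNotifications.ps1',

        # Assumed subject pattern for the signing certificate of a Microsoft-signed script.
        [string]$ExpectedSubjectPattern = '*CN=Microsoft Corporation*'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Status = 'FileNotFound'; Signer = $null; Trusted = $false
        }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Status is Valid only when the hash matches the signed content and the certificate
    # chains to a root this machine trusts. The subject check additionally rejects a file
    # that is validly signed by someone other than the expected publisher.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like $ExpectedSubjectPattern)

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $signer
        Trusted = $trusted
    }
}

# Gate: stop before the script is ever executed if the check fails.
$check = Test-SignedSetupScript
if (-not $check.Trusted) {
    throw ("Refusing to run {0}: signature status {1}, signer '{2}'." -f
        $check.Path, $check.Status, $check.Signer)
}
Write-Host "Signature OK ($($check.Signer)). The script can now be run on the site server."
```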

Create an event in version 2107


There are two types of events that are supported in version 2107:
The site raises a status message that matches conditions specified in a status filter rule.
A user requests approval for an application in Software Center.
Create a status message event in version 2107
1. On the site server, run SetupExternalServiceNotifications.ps1. Since you're running it on the site
server, enter y to continue.
2. Select option 2 to create a new status filter rule.
3. Specify a name for the new status filter rule.
4. Select message-matching criteria for the rule, and specify values to match. Specify 0 to not use a
criterion.
The following criteria are available:
Source : Client, SMS Provider, Site Server
Site code
System
Component
Message type : Milestone, Detail, Audit
Severity : Informational, Warning, Error
Message ID
Property
Property value
For more information about criteria for status message rules, see Use the status system.

IMPORTANT
Be cautious with the type of status filter rule that you create. For external notifications, the site can process 300
status messages every five minutes. If your rule allows more messages than this limit, it will cause a backlog on
the site. Create rules with narrow filters for specific scenarios. Avoid generic rules that allow a lot of messages.

5. Rerun the PowerShell script. Select option 3 to create a new subscription.


6. Specify a name and description for the subscription. Then specify the logic app URL that you previously
copied from the Azure portal.
7. Select the new status filter rule.
8. Select 0 to exit the script.
Create an app approval event in version 2107

NOTE
This event type requires an application that requires approval and is deployed to a user collection. For more information,
see Deploy applications and Approve applications.

1. On the site server, run SetupExternalServiceNotifications.ps1. Since you're running it on the site
server, enter y to continue.
2. Select option 3 to create a new subscription.
3. Specify a name and description for the subscription. Then specify the logic app URL that you previously
copied from the Azure portal.
4. Select the appropriate event for an application request.
5. Select 0 to exit the script.
Remove a subscription in version 2107
If you need to delete a subscription, use the following process:
1. Run the SetupExternalServiceNotifications.ps1 script with option 1 to list the available
subscriptions. Note the subscription ID, which is an integer value.
2. Use the NotificationSubscription API of the administration service. Make a DELETE call to the URI
https://<SMSProviderFQDN>/AdminService/v1.0/NotificationSubscription/<Subscription_ID> .

For more information, see How to use the administration service in Configuration Manager.
After you remove the subscription, the site doesn't send notifications to the external system.
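The DELETE call from step 2, wrapped in a PowerShell function with confirmation and error handling, as an added example that is not part of the docs or of SetupExternalServiceNotifications.ps1. It assumes the administration service authenticates the current Windows user (its default) and that the caller holds Delete on the NotificationSubscription object; the FQDN and ID in the usage line are placeholders.

```powershell
function Remove-CMExternalNotificationSubscription {
    # ConfirmImpact High means the call prompts before deleting unless -Confirm:$false is given.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # FQDN of the SMS Provider that hosts the administration service (placeholder in usage).
        [Parameter(Mandatory)][string]$SmsProviderFqdn,

        # The ID listed by option 1 of the script is an integer; anything else is rejected
        # so a typo cannot be turned into a request for an unintended URI.
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$SubscriptionId
    )

    $uri = "https://$SmsProviderFqdn/AdminService/v1.0/NotificationSubscription/$SubscriptionId"

    if (-not $PSCmdlet.ShouldProcess($uri, 'DELETE')) { return }

    try {
        # -UseDefaultCredentials sends the current Windows identity, which is how the
        # administration service authenticates by default; Invoke-WebRequest exposes the status code.
        $resp = Invoke-WebRequest -Uri $uri -Method Delete -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Uri = $uri; StatusCode = [int]$resp.StatusCode; Removed = $true; Error = $null }
    } catch {
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Uri = $uri; StatusCode = $code; Removed = $false; Error = $_.Exception.Message }
    }
}

# Usage with placeholder values: preview with -WhatIf first, then run without it.
Remove-CMExternalNotificationSubscription -SmsProviderFqdn 'cm01.contoso.local' -SubscriptionId 1 -WhatIf
```

A 401 or 403 in StatusCode points at the permissions table earlier in this article rather than at the URI.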
Script usage in version 2107
When you run SetupExternalServiceNotifications.ps1, it detects whether it's running on a site server:
Y : Continue on the current server
N : Specify the FQDN of a site server to use

If the script doesn't detect a site server, it prompts for an FQDN.


The following actions are then available:
0 : Skip/continue
1 : List available subscriptions
2 : Create a status filter rule to expose status messages
3 : Create a subscription. This option is only available for the top-level site.

NOTE
This script is only supported for sites running version 2107 or later.

Next steps
Use the status system
Configure alerts
Monitor scenario health in Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


You can use Configuration Manager to monitor the health of end-to-end scenarios. Monitoring scenario health
enhances awareness of system latency and component backlogs, which are critical for cloud service-attached
features. Configuration Manager simulates activities to expose performance metrics and failure points. These
synthetic activities are similar to methods that Microsoft uses to monitor some components in its cloud services.
Use this additional data to better understand timeframes for activities. If failures occur, it can help focus your
investigation.
Starting in version 2010, Configuration Manager monitors the health for the following two scenarios:
SQL Server Service Broker: Many of the core subsystems in Configuration Manager use the service
broker.
Client action health : Monitor the health of the fast channel used for client actions.
In the Configuration Manager console, go to the Monitoring workspace, and select the Scenario Health node.
The list view displays the available scenarios:

NOTE
If you use a high availability option, scenario health only monitors the active node. For the SQL Server Service Broker
scenario, it only applies to the primary replica of the SQL Server Always On availability group. The client action health
scenario only applies to the site server in active mode.

Prerequisites
Full administrator role in Configuration Manager, with scope to the top-level site

Actions for all scenarios


In the Scenario Health node, when you select a scenario, the following actions are available in the ribbon:
Show Status : This action is the main one you'll use to view the latest results of tests for the scenario. This
action opens a window with more information. The top section shows the overall status per site. Select a
site, to see more detailed status for that site in the bottom section.

Scenario Settings : Configure the settings for this scenario: such as whether it's enabled, and the time
interval in minutes.
Enable activity simulation and measurement : Enable the scenario health checks.
Run time interval (minute): How frequently the site runs the scenario health checks. By default,
Configuration Manager tests scenarios every 30 minutes.
Job timeout (minute): How long the site waits for a specific test to complete. By default, the timeout
is one hour (60 minutes).
History: Display the previous instances of the synthetic transaction. Use this history to track the
scenario's health over time. From the history node, you can also Show Status of a specific instance.
Run Now : Trigger the site to check the scenario health. If a previous check isn't successful, you might use
this action after you make changes to a site component. This action creates audit status message ID
54099.

SQL Server Service Broker


The SQL Server Service Broker is a required configuration for the site database. Many of the core subsystems in
Configuration Manager use the service broker.
Configuration Manager includes the following tests for this scenario:
Ping all sites through SQL Server service broker
Received ping message
Received acknowledgment : Check the last update times between the first three tests. If there's a long
delay, it will impact Configuration Manager performance.
Check if SQL server service broker queue is enabled: This test makes sure that the
ConfigMgrHMSQueue is enabled. If the queue is disabled, it will impact many core features of Configuration
Manager.

NOTE
Not all sites run all tests.

With this health information, you can see how long it takes for SQL Server to exchange messages via the service
broker. A longer delay or timeout shows a backlog in the processing queue. A failure indicates a larger problem
with the service broker, such as the queue is disabled. Since SQL Server service broker is a core component,
issues with it can impact many other scenarios. For example, client notifications, client status, and some tenant
attach features.

Client action health


Monitor the health of the fast channel used for client actions. If your environment is tenant attached with devices
uploaded, this feature helps you see potential issues with client actions from the Microsoft Endpoint Manager
admin center. You can also use this feature for on-premises client actions. For example, CMPivot, run scripts, and
device wake-up.
Configuration Manager includes the following tests for this scenario:
Created client action : Tests that the site can create a client action using the administration service.
CMPivot configuration : Makes sure that CMPivot is correctly configured on the central administration site
(CAS). For more detail, see rcmctrl.log.
Client action result : Tests that the CAS receives client action results from primary sites. This test can fail if
the SQL Server Service Broker is unhealthy, or the site is in maintenance mode.
Processed client action : For more detail, see objreplmgr.log.
Client action inbox backlog : Checks the backlog for the objmgr.box inbox. If there's a large backlog, it
impacts how quickly the site sends actions to clients. For more detail, see objreplmgr.log.
Message Processing Engine backlog : Checks the backlog for the message processing engine. If there's a
large backlog, it impacts how quickly the site processes results for client actions. For more detail, see
SMS_MESSAGE_PROCESSING_ENGINE.log.
Management point client action backlog : Checks the backlog for the SQL Server service broker queue
ConfigMgrBGBQueue. If there's a large backlog, it impacts how quickly the management point can push
actions to clients. Check the scenario health for the SQL Server service broker. For more detail, see the
management point's bgbserver.log.
Client action result summary: Checks the task to calculate client operation summary. For more detail, see
statesys.log.
Management point online status : Checks that management points are online and able to send actions to
clients. For details, check the management point's ccmexec.log, bgbsetup.log, and bgbserver.log.
Client health summary: Checks the client health scheduled task. For more detail, see statesys.log.
Client state system inbox backlog : Checks the backlog for the inbox auth\statesys.box\incoming. If
there's a large backlog, it impacts how quickly the site processes results for client actions. For more detail, see
statesys.log.

NOTE
Not all sites run all tests.

Next steps
Log file reference
Monitor database replication
Health attestation for Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can view the status of Windows 10 Device Health Attestation in the Configuration Manager console. Device
health attestation lets you make sure that client computers have the following trustworthy BIOS, TPM, and boot
software configurations enabled:
Early-launch antimalware (ELAM) protects your computer when it starts up and before third-party
drivers initialize. For more information, see the Overview of Early Launch AntiMalware.
Windows BitLocker Drive Encryption encrypts all data stored on the OS and data volumes, including
removable disks. For more information, see Plan for BitLocker management.
Secure Boot is a security standard to help make sure that a device boots using only software that's
trusted by the PC manufacturer. For more information, see Secure Boot.
Code Integrity improves OS security by validating the integrity of a driver or system file each time it's
loaded into memory. For more information, see Enable virtualization-based protection of code integrity.
This functionality is available for on-premises resources managed by Configuration Manager and mobile
devices managed with Microsoft Intune. You can specify whether reporting is done via the cloud or on-premises
infrastructure. On-premises device health attestation monitoring enables you to monitor client PCs without
internet access.

Enable health attestation


Requirements
Client devices running a supported version of Windows 10 or Windows Server 2016 or later, with Device
health attestation enabled.
TPM 1.2 or TPM 2 enabled devices.
When using cloud management, the Configuration Manager client agent and the management point need to
communicate with the health attestation service at has.spserv.microsoft.com (port 443). When on-premises,
the client needs to communicate with the device health attestation-enabled management point.
How to enable health attestation service communication on Configuration Manager client computers
Use this procedure to enable device health attestation monitoring for devices that connect to the internet.
1. In the Configuration Manager console, choose Administration > Overview > Client Settings. Select
the tab for Computer Agent settings.
2. In the Default Settings dialog box, select Computer Agent and then scroll down to Enable
communication with Health Attestation Service.
3. Set Enable communication with Health Attestation Service to Yes, and then select OK.
4. Target the collections of devices that should report device health.
How to enable on-premises health attestation service communication on Configuration Manager client
computers
Use this procedure to enable device health attestation monitoring for on-premises devices that don't connect to
the internet.
You can configure the on-premises device health attestation service URL on the management point to support
client devices without internet access.
1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration >
Sites.
2. Right-click the primary or secondary site with the management point that supports on-premises device
health attestation clients, and select Configure site components > Management Point. The
Management Point Component Properties page opens.
3. On the Advanced Options tab, select Add and specify a valid on-premises device health attestation
service URL. You can add multiple URLs. If multiple on-premises URLs are specified, clients receive the full
set and randomly choose which to use.
4. In the Configuration Manager console, choose Administration > Overview > Client Settings. Select
the tab for Computer Agent settings.
5. Scroll down to Enable communication with Health Attestation Service, and set to Yes.
6. Select the Use on-premises Health Attestation Service option, and set to Yes.
7. Target the collections of devices that should report device health with the client agent settings to enable
device health attestation reporting.
You can also Edit or Remove device health attestation service URLs.

Monitor device health attestation


To view the device health attestation status, in the Configuration Manager console go to the Monitoring
workspace, expand the Security node, and then select Health Attestation .
Configuration Manager device health attestation displays the following information:
Health Attestation Status - Shows the share of devices in compliant, noncompliant, error, and
unknown states
Devices Reporting Health Attestation - Shows the percentage of devices reporting Health Attestation
status
Noncompliant Devices by Client Type - Shows the share of mobile devices and computers that are
noncompliant
Top Missing Health Attestation Settings - Shows the number of devices missing the health
attestation setting, listed per setting
Monitor database replication
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Monitor details for database replication with the Database Replication node in the Monitoring workspace of
the Configuration Manager console. You can monitor the status of replication links between sites. It also shows
initialization and replication of replication groups for the site to which you connect.

TIP
Although a Database Replication node also appears under the Hierarchy Configuration node in the
Administration workspace, you can't view the replication status for database replication links from that location.

Replication link status


Database replication between sites involves the replication of several sets of information, called replication
groups. Each replication group sends and receives data with different priorities. By default, you can't modify the
data contained in a replication group and the frequency of replication.
When a replication link is active, and its status isn't failed or degraded, all groups replicate quickly. If one or
more groups fail to complete replication in the expected period of time, the link displays as degraded. Degraded
links can still function, but you should monitor them to make sure they return to active status. Investigate them
to make sure additional degradation or replication failures don't occur.
For each replication link, specify the number of times that an unsuccessfully replicated group retries. After this
number of retries, the site sets the status of the link to degraded or failed. Even if all but one group replicates
successfully, the site sets the status of the link to degraded or failed. It sets this status because the one
replication group fails to complete replication in the specified number of attempts. For more information, see
the Database replication thresholds.
Use the following information to understand the status of replication links that might require further
investigation:
Link is active
No problems have been detected, and communication across the link is current.
While a parent site is updating to a new version, and you view the link status from the child site, the link status
displays as active. After the update, until the child site is at the same version as the parent site, the link status
displays as active when viewed from the parent site. When viewed from the child site, it displays as being
configured.
Link is degraded
Replication is functional, but at least one replication object or group is delayed. Monitor links that are in this
state. Review information from both sites on the link for indications that the link might fail.
A link can also display a status of degraded when the site that receives replicated data is unable to quickly
commit the data to the database. This behavior happens when large volumes of data replicate. For example, you
deploy a software update to a large number of computers. The parent site on the link might take some time to
process this volume of replicated data. A processing lag at the parent site results in it setting the link status to
degraded until it can successfully process the backlog of data.
Link has failed
Replication isn't functional. It's possible that a replication link might recover without further action. To investigate
and help remediate replication on this link, use the Replication Link Analyzer (RLA).
This status can also indicate a problem with the physical network between the parent and child site on the
replication link.

Monitor replication status


Use the Database Replication node in the Monitoring workspace to view the status for a replication link.
View details about the database at each site on the replication link. You can also view details about replication
groups. To view these details, select a replication link, and then select the appropriate tab for the replication
status you want to view.
The following sections give details about the different tabs for replication status:
Summary
View high-level information about the replication of site data and global data between the two sites on a link.
Select View reports for historical traffic data to view a report that shows details about the network
bandwidth used by replication across the link.
Parent Site
For the parent site on a replication link, view details about the database, which include:
Firewall ports for the SQL Server
Free disk space
Database file locations
Certificates
Child Site
For the child site on a replication link, view details about the database, which include:
Firewall ports for the SQL Server
Free disk space
Database file locations
Certificates
Initialization Detail
View the initialization status for groups that replicate across the link. This information can help you identify
when initialization of replication data is in progress or has failed.
Use this information to identify when a site might be in interoperability mode. Interoperability mode is when the
child site doesn't run the same version of Configuration Manager as the parent site.
Replication Detail
View the replication status for each group that replicates across the link. Use this information to help identify
problems or delays for the replication of specific data. It can help determine the appropriate database replication
thresholds for this link. For more information, see Database replication thresholds.
TIP
Replication groups for site data are sent only from the child site to the parent site. Replication groups for global data
replicate in both directions.

Replication Link Analyzer


Configuration Manager includes the Replication Link Analyzer (RLA), which you use to analyze and repair
replication issues. Use RLA to remediate link failures when replication fails. It's also useful when replication
stops working but the site hasn't yet reported it as failed.
Use RLA to remediate replication issues between the following computers in the hierarchy:
Between a site server and the site database server
Between a site's database server and another site's database server, otherwise known as intersite
replication

NOTE
The direction of the replication failure doesn't matter.

Run RLA in either the Configuration Manager console or at a command prompt:


To run in the Configuration Manager console: Go to the Monitoring workspace, and select the Database
Replication node. Select the replication link that you want to analyze, and then in the ribbon, select
Replication Link Analyzer.
To run at a command prompt, type the following command:
%ProgramFiles(x86)%\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManager.ReplicationLinkAnalyzer.Wizard.exe <source site server FQDN> <destination site server FQDN>

IMPORTANT
Starting in version 1910, this path changed to use the Microsoft Endpoint Manager folder. Make sure you don't
use an older version of the file that might exist in another folder.

When you run RLA, it detects problems by using a series of diagnostic rules and checks. You view the problems
that the tool identifies. When it has instructions to resolve an issue, it displays them. If RLA can automatically
remediate a problem, it presents you with that option.
When RLA finishes, it saves the results in the following XML-based report and a log file on the desktop of the
user who runs the tool:
ReplicationAnalysis.xml
ReplicationLinkAnalysis.log
RLA stops the following services while it remediates some problems. It restarts these services when
remediation is complete:
SMS_SITE_COMPONENT_MANAGER
SMS_EXECUTIVE
If RLA fails to complete remediation, restart these services on the site server if necessary.
RLA logs all investigation and remediation actions to provide additional details that it doesn't display in the
wizard.
RLA prerequisites
The account that you use to run RLA must have the following permissions:
Local administrator rights on each computer that's involved in the replication link.
Sysadmin rights on each SQL Server database that's involved in the replication link.

NOTE
The account doesn't require a specific Configuration Manager role-based administration security role. An administrative
user with access to the Database Replication node can run the tool in the Configuration Manager console. A system
administrator with sufficient rights to each computer can run the tool at a command prompt.

RLA known issue


RLA generates SQL Server Service Broker (SSB) certificate errors for primary sites that upgraded from System
Center 2012 Configuration Manager. This issue is because of changes in the names of the certificates in
Configuration Manager current branch. You can safely ignore these errors.

Monitoring database replication


Monitor high-level site-to-site database replication status
1. In the Configuration Manager console, go to the Monitoring workspace.
2. Select the Site Hierarchy node to open the Hierarchy Diagram view.
3. Hover the mouse pointer on the line between the two sites. View the status of global and site data
replication for these sites.
Monitor the status of a replication link
1. In the Configuration Manager console, go to the Monitoring workspace.
2. Select the Database Replication node, and then select the replication link that you want to monitor.
Then select the appropriate tab to view different details about the replication status for that link.
Troubleshoot SQL Server replication
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
To better understand and help troubleshoot issues with SQL Server replication, use these diagrams.
SQL Server replication
SQL Server configuration
SQL Server performance
SQL Server replication reinitialization (reinit)
Global data reinit
Site data reinit
Reinit missing message
These troubleshooting diagrams are interconnected. Use the following diagram to understand their
relationships:

For more information, see the following series of blogs from Microsoft Support:
ConfigMgr DRS Synchronization Internals
ConfigMgr 2012 Data Replication Service (DRS) Unleashed
ConfigMgr 2012 DRS – Troubleshooting FAQs
ConfigMgr 2012 DRS Initialization Internals
ConfigMgr 2012: DRS and SQL Server service broker certificate issues
SQL Server replication
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting SQL Server replication when a link fails:

Troubleshoot SQL replication (flowchart; the checks below are recovered from the diagram)
Start: Replication link failure, on the CAS or a primary site.
1. Check if the replication group link is in degraded or failed state (first query below). No result: End.
2. Check if the replication group link was recently calculated (second query below).
3. Check SQL Server maintenance mode (third query below).
Depending on whether these checks return results, the diagram continues to SQL replication reinit, SQL performance, or SQL configuration, or ends.
Queries
This diagram uses the following queries:
Check if the replication group link is in degraded or failed state

SELECT * FROM RCM_ReplicationLinkStatus
WHERE Status IN (8, 9)

Check if replication group link is recently calculated


DECLARE @cutoffTime DATETIME
SELECT @cutoffTime = DATEADD(minute, -30, GETUTCDATE())
SELECT * FROM RCM_ReplicationLinkStatus
WHERE UpdateTime > @cutoffTime

Check SQL Server maintenance mode

SELECT * FROM ServerData
WHERE Status = 120

Next steps
SQL Server replication reinitialization (reinit)
SQL Server performance
SQL Server configuration
SQL Server configuration
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting SQL Server configuration related to SQL Server Service
Broker:

Troubleshoot SQL configuration (flowchart; the steps below are recovered from the diagram)
Start: Troubleshoot SQL configuration related to SQL Server Service Broker (SSB), on the CAS or a primary site.
1. Check if SQL Server can deliver SSB messages (query below). No result: End.
2. Check transmission_status. You may need to refresh the previous query, as it could be blank.
   Has result: Remediate the issues reported from transmission_status. End.
   transmission_status is empty: Run SQL Server profiler to trace SSB events. End.
Queries
This diagram has the following queries and actions:
Check if SQL Server can deliver SSB messages

SELECT transmission_status, *
FROM sys.transmission_queue
ORDER BY enqueue_time DESC

Remediation actions
Remediate the issues reported from transmission_status
Common issues:
Firewall configuration
Network configuration
SSB certificate misconfigured
Run SQL Server profiler to trace SSB events
Run SQL Server profiler on the CAS and primary site database to trace events related to the SQL Server Service
Broker:
Audit Broker Login
Audit Broker Conversation
Events in Broker category
SQL Server performance
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting SQL Server performance that can impact replication status:

Queries
This diagram uses the following queries:
Make sure SQL Server change tracking table is cleaned up

DECLARE @RetentionUnit INT = 0;
DECLARE @RetentionPeriod INT = 0;
DECLARE @CTCutOffTime DATETIME;
DECLARE @CTMinTime DATETIME;

SELECT @RetentionPeriod = retention_period,
       @RetentionUnit = retention_period_units
FROM sys.change_tracking_databases
WHERE database_id = DB_ID();

IF @RetentionUnit = 1
    SET @CTCutOffTime = DATEADD(MINUTE, -@RetentionPeriod, GETUTCDATE())
ELSE IF @RetentionUnit = 2
    SET @CTCutOffTime = DATEADD(HOUR, -@RetentionPeriod, GETUTCDATE())
ELSE IF @RetentionUnit = 3
    SET @CTCutOffTime = DATEADD(DAY, -@RetentionPeriod, GETUTCDATE())

-- give a buffer of two days
SET @CTCutOffTime = DATEADD(DAY, -2, @CTCutOffTime)
SELECT TOP 1 @CTMinTime = commit_time FROM sys.dm_tran_commit_table ORDER BY commit_ts ASC
IF @CTMinTime < @CTCutOffTime
    PRINT 'there is change tracking backlog, please contact Microsoft support'

Check whether current sessions that handle SQL Server Service Broker messages are blocked

SELECT
    req.session_id,
    req.blocking_session_id,
    req.last_wait_type,
    req.wait_type,
    req.wait_resource,
    t.text
FROM sys.dm_exec_sessions s
INNER JOIN sys.dm_exec_requests req ON s.session_id = req.session_id
CROSS APPLY sys.dm_exec_sql_text(sql_handle) t
WHERE program_name = 'SMS_data_replication_service'

Check sessions asking too much memory

SELECT * FROM sys.dm_exec_query_memory_grants
ORDER BY requested_memory_kb DESC

Check sessions taking too many locks

SELECT TOP 10 request_session_id,
    program_name = (SELECT program_name FROM sys.dm_exec_sessions WHERE session_id = request_session_id),
    COUNT(*) AS num_locks
FROM sys.dm_tran_locks
GROUP BY request_session_id
ORDER BY COUNT(*) DESC

See also
SQL Server configuration
SQL Server replication reinit
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting SQL Server replication reinitialization (reinit):

Troubleshoot SQL replication reinit (flowchart; the steps below are recovered from the diagram)
Start: SQL replication reinitialization (reinit), on the CAS or a primary site.
1. Check if the site is in maintenance mode (query below). No result: End.
2. Check which replication group hasn't completed reinit (query below).
3. Check global data (query below). Has result: Continue to Global data reinit.
4. Check site data (query below). Has result: Continue to Site data reinit. No result: Continue to SQL configuration.
Queries
This diagram uses the following queries:
Check if site is in maintenance mode
SELECT * FROM ServerData
WHERE Status = 120

Check which replication group hasn't completed reinit

SELECT * FROM RCM_DrsInitializationTracking
WHERE InitializationStatus NOT IN (6,7)

Check global data

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'GLOBAL'

Check site data

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Site'

Next steps
Global data reinit
Site data reinit
SQL Server configuration
Troubleshoot global data reinit
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting SQL Server replication reinitialization (reinit) for global data
in a Configuration Manager hierarchy:
Troubleshoot global data reinit (flowchart; the steps and log entries below are recovered from the diagram)
Start: Troubleshoot SQL replication reinit for global data.
1. On the CAS and on the primary site, check if site replication hasn't finished reinit (query below). No result: End.
2. Get the TrackingGuid & Status from the primary site (query below).
3. Get the TrackingGuid & Status from the CAS (query below). No result: Continue to Reinit missing message.
4. Check InitializationStatus. The diagram shows values 3, 4 and 99 beside "Continue to Reinit failed", and value 5 beside the check of the request status for the tracking ID (query below). The request Status values map to these log entries:
   == 1: RCM is preparing the data; check rcmctrl.log on the CAS for BCP progress. Rcmctrl.log (CAS): Creating init package for replication group <replication group> for site <CAS>
   == 2: RCM has finished BCP of the data and is creating/compressing the package. Rcmctrl.log (CAS): Created minijob to send compressed copy of DRS INIT BCP Package to site <CAS>. Transfer root = <CAB file to transfer>
   == 3: File replication job created; check sender.log on the primary site for progress. Sender.log (CAS): Sending completed [CAB file to transfer]
   File replication job done; check despoolr.log on the primary site for progress. Despoolr.log (primary site): Verified Package signature; Executing instruction of type MICROSOFT|SMS|MINIJOBINSTRUCTION|DRSINIT; ...; Decompressing snapshot package <compressed file> to [rcm inbox]
   RCM on the primary site is BCP in the data. Rcmctrl.log (primary site): BcpIn for group <group name>; on failure, Failed to BCP in for table <table name>

Queries
This diagram uses the following queries:
Check if site replication hasn't finished reinit

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Global'

Get the TrackingGuid & Status from the primary site

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Global'

Get the TrackingGuid & Status from the CAS

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid

Check request status for the tracking ID

SELECT Status FROM RCM_InitPackageRequest
WHERE RequestTrackingGUID=@trackGuid

Next steps
Reinit missing message
Troubleshoot site data reinit
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting SQL Server replication reinitialization (reinit) for site data in
a Configuration Manager hierarchy:

Troubleshoot site data reinit (flowchart; the steps and log entries below are recovered from the diagram)
Start.
1. On the CAS and on the primary site, check if site replication hasn't finished reinit (query below). No result: End.
2. Get the TrackingGuid & Status from the CAS (query below).
3. Get the TrackingGuid & Status from the primary site (query below). No result: Continue to Reinit missing message.
4. Check InitializationStatus. The diagram shows values 4, 5 and 99 beside "Continue to Reinit failed", and value 3 beside the check that the primary site isn't in maintenance mode (query below). No result: Continue to Global data reinit. Has result: Check the request status for the tracking ID (query below). The request Status values map to these log entries:
   == 1: RCM is preparing the data; check rcmctrl.log on the primary site for BCP progress. Rcmctrl.log (primary site): Creating init package for replication group <replication group> for site <CAS>
   == 2: RCM has finished BCP of the data and is creating/compressing the package. Rcmctrl.log (primary site): Created minijob to send compressed copy of DRS INIT BCP Package to site <CAS>. Transfer root = <CAB file to transfer>
   == 3: File replication job created; check sender.log on the primary site for progress. Sender.log (primary site): Sending completed [CAB file to transfer]
   File replication job done; check despoolr.log on the CAS for progress. Despoolr.log (CAS): Verified Package signature; Executing instruction of type MICROSOFT|SMS|MINIJOBINSTRUCTION|DRSINIT; ...; Decompressing snapshot package <compressed file> to [rcm inbox]
   RCM on the CAS is BCP in the data. Rcmctrl.log (CAS): BcpIn for group <group name>; on failure, Failed to BCP in for table <table name>

Queries
This diagram uses the following queries:
Check if site replication hasn't finished reinit

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Site'

Get the TrackingGuid & Status from the CAS

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)
AND rg.ReplicationPattern=N'Site'

Get the TrackingGuid & Status from the primary site

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid

Check primary site isn't in maintenance mode

SELECT * FROM ServerData
WHERE SiteStatus = 125
AND SiteCode=dbo.fnGetSiteCode()
AND ServerRole=N'Peer'

Check request status for the tracking ID

SELECT Status FROM RCM_InitPackageRequest
WHERE RequestTrackingGUID=@trackGuid

Next steps
Reinit missing message
Global data reinit
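The global data and site data reinit diagrams above both end in the same chain of log entries (rcmctrl.log, sender.log, despoolr.log, then rcmctrl.log on the receiving site). The following Python script is an added example, not code from the Microsoft docs: it parses the standard Configuration Manager log record envelope and reports how far a reinit got and whether a BCP-in failure was logged. The sample log lines are constructed, and the site codes, group name, paths and table name in them are placeholders.

```python
"""Trace a DRS reinit through Configuration Manager log markers (added example).

Not code from the Microsoft docs. It parses the <![LOG[...]LOG]!> record
envelope written by rcmctrl.log, sender.log and despoolr.log and looks for
the messages the global data and site data reinit diagrams call out.
"""
import re
from typing import Dict, List, Optional, Tuple

# Record envelope written by Configuration Manager components. Assumption: the
# attributes appear in the usual order time, date, component, ..., type.
LOG_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"[^>]*\btype="(?P<type>\d)"',
    re.DOTALL,
)

# Reinit pipeline in the order the diagrams describe it: the publishing site
# builds the BCP package, the sender ships it, the despooler on the receiving
# site verifies and unpacks it, and RCM there bulk-copies the rows in.
# Each entry: (stage name, log file that records it, substring marking it).
STAGES: List[Tuple[str, str, str]] = [
    ("init_package_creating", "rcmctrl.log",
     "Creating init package for replication group"),
    ("init_package_created", "rcmctrl.log",
     "Created minijob to send compressed copy of DRS INIT BCP Package"),
    ("package_sent", "sender.log", "Sending completed"),
    ("signature_verified", "despoolr.log", "Verified Package signature"),
    ("drsinit_instruction", "despoolr.log",
     "MICROSOFT|SMS|MINIJOBINSTRUCTION|DRSINIT"),
    ("snapshot_decompressed", "despoolr.log", "Decompressing snapshot package"),
    ("bcp_in_started", "rcmctrl.log", "BcpIn for group"),
]
BCP_FAILURE_MARKER = "Failed to BCP in for table"


def parse_cm_log(text: str) -> List[Dict[str, str]]:
    """Return one dict (msg, time, date, component, type) per log record."""
    return [m.groupdict() for m in LOG_RE.finditer(text)]


def trace_reinit(logs: Dict[str, str]) -> Dict[str, object]:
    """Report the furthest reinit stage reached and any BCP-in failures.

    logs maps a label such as "CAS/rcmctrl.log" or "PR1/despoolr.log" to the
    file's text, so logs from the publishing and receiving site can be passed
    together; only the file-name suffix is used to pick records for a stage.
    """
    records = {label: parse_cm_log(text) for label, text in logs.items()}

    def records_for(log_name: str):
        for label, recs in records.items():
            if label.lower().endswith(log_name):
                yield from recs

    reached = [stage for stage, log_name, marker in STAGES
               if any(marker in r["msg"] for r in records_for(log_name))]
    failed_tables = [r["msg"].split(BCP_FAILURE_MARKER, 1)[1].strip()
                     for r in records_for("rcmctrl.log")
                     if BCP_FAILURE_MARKER in r["msg"]]

    # The first stage with no marker tells you which log to read next; a BCP
    # failure points back at rcmctrl.log on the receiving site regardless.
    pending = [log_name for stage, log_name, _ in STAGES if stage not in reached]
    next_check: Optional[str] = "rcmctrl.log" if failed_tables else (
        pending[0] if pending else None)
    return {
        "stages_reached": reached,
        "last_stage": reached[-1] if reached else None,
        "failed_tables": failed_tables,
        "next_check": next_check,
    }


def _rec(msg: str, log_type: str = "1") -> str:
    """Build a constructed log record in the Configuration Manager envelope."""
    return (f'<![LOG[{msg}]LOG]!><time="10:00:00.000+000" date="02-16-2022" '
            f'component="EXAMPLE" context="" type="{log_type}" thread="1" '
            f'file="example.cpp:1">\n')


# Constructed sample excerpts; the site codes, group name, paths and table
# name are placeholders, not values from a real hierarchy.
SAMPLE_LOGS: Dict[str, str] = {
    "CAS/rcmctrl.log":
        _rec("Creating init package for replication group Example_Group for site PR1")
        + _rec("Created minijob to send compressed copy of DRS INIT BCP Package "
               "to site PR1. Transfer root = D:\\example\\init.cab"),
    "CAS/sender.log": _rec("Sending completed [D:\\example\\init.cab]"),
    "PR1/despoolr.log":
        _rec("Verified Package signature")
        + _rec("Executing instruction of type MICROSOFT|SMS|MINIJOBINSTRUCTION|DRSINIT")
        + _rec("Decompressing snapshot package init.cab to D:\\example\\rcm.box"),
    "PR1/rcmctrl.log":
        _rec("BcpIn for group Example_Group")
        + _rec("Failed to BCP in for table ExampleTable", log_type="3"),
}

if __name__ == "__main__":
    print(trace_reinit(SAMPLE_LOGS))
```

Feed it the real rcmctrl.log, sender.log and despoolr.log from both sites, labelled by site, and the returned next_check names the log to open next.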
Reinit missing message
2/16/2022 • 2 minutes to read

In a multi-site hierarchy, Configuration Manager uses SQL Server replication to transfer data between sites. For
more information, see Database replication.
Use the following diagram to start troubleshooting a missing message with SQL Server replication
reinitialization (reinit):

Troubleshoot reinit missing message (flowchart; the steps below are recovered from the diagram)
Start.
1. On the subscriber site and on the publishing site, check if site replication hasn't finished reinit (query below). No result: End.
2. Get the TrackingGuid & Status from the subscriber site (query below).
3. Get the TrackingGuid & Status from the publishing site (query below). Has result: Go to SQL replication reinit. No result: Take the remediation actions below.
Queries
This diagram uses the following queries:
Check if site replication hasn't finished reinit

SELECT * FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)

Get the TrackingGuid & Status from subscriber site


SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
INNER JOIN ReplicationData rg
ON dt.ReplicationGroup = rg.ReplicationGroup
WHERE dt.InitializationStatus NOT IN (6,7)

Get the TrackingGuid & Status from the publishing site

SELECT RequestTrackingGUID, InitializationStatus
FROM RCM_DrsInitializationTracking dt
WHERE RequestTrackingGUID=@trackingGuid

Remediation actions
Version 1902 and later
To detect the issue and reinit, run the Replication Link Analyzer.
Version 1810 and earlier
Run the following SQL query to get the ReplicationGroupID :

SELECT rd.ID AS ReplicationGroupID FROM ReplicationData rd
INNER JOIN RCM_DrsInitializationTracking it ON rd.ReplicationGroup = it.ReplicationGroup
WHERE it.RequestTrackingGUID=@trackingGuid

Then use the InitializeData method on the SMS_ReplicationGroup WMI class with the following values:
ReplicationGroupID: from the SQL query above
SiteCode1: parent site
SiteCode2: child site
For more information, see InitializeData method in class SMS_ReplicationGroup.
Example

Invoke-WmiMethod -Namespace "root\sms\site_CAS" -Class SMS_ReplicationGroup -Name InitializeData -ArgumentList "20", "CAS", "PR1"

Next steps
SQL Server replication reinitialization (reinit)
Introduction to queries in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can create and run queries to locate objects in a Configuration Manager hierarchy that match your query
criteria. These objects include items like specific types of computers or user groups. Queries can return most
types of Configuration Manager objects, which include sites, collections, applications, and inventory data.

Query creation overview


When you create a query, you must specify a minimum of two parameters: where you want to search and what
you want to search for. For example, to find the amount of hard drive space that's available on all computers in a
Configuration Manager site, you can create a query to search the Logical Disk attribute class and the Free
Space (MB) attribute for available hard drive space.
After you create an initial query, you can specify additional query criteria. For example, you can specify that the
query results include only computers that are assigned to a specified site. You can also change how results are
displayed so you can view the results in an order that's meaningful to you. For example, you can specify that the
results are sorted by the amount of free hard drive space, in either ascending or descending order.
When you create a query, it's stored by Configuration Manager and displayed in the Queries node in the
Monitoring workspace. From this location, you can create new queries and run, update, and manage existing
queries.
You can also import a query into a query rule in a Configuration Manager collection. For more information, see
How to create collections.

Next steps
How to create queries
How to manage queries in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article can help you manage queries in Configuration Manager.
For information about how to create queries, see How to create queries.

Manage queries
In the Monitoring workspace, select Queries, select the query to manage, and then select a management task.
The following table provides information about the management tasks.

Management task: Details

Run: Runs the selected query and displays the results in the Configuration Manager console.

Install Client: Opens the Install Client Wizard, which lets you install the Configuration Manager client on computers returned by the selected query. This option isn't available for queries that return mobile devices, users, or user groups. For more information about how to install Configuration Manager clients by using client push, see Deploy clients to Windows computers.

Export: Opens the Export Objects Wizard. This wizard lets you export the query to a Managed Object Format (MOF) file that you can then import at another site.

Move: Opens the Move Selected Items dialog box. This dialog box lets you move the selected query to a folder that you previously created under the Queries node.


Next steps
Create queries
Create queries in Configuration Manager
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


This article describes how to create and import queries in Configuration Manager.

Create a query
Use this procedure to create a query in Configuration Manager.
1. In the Configuration Manager console, select Monitoring.
2. In the Monitoring workspace, select Queries. On the Home tab, in the Create group, select Create
Query.
3. On the General tab of the Create Query Wizard, specify a unique name and, optionally, a comment for
the query.
4. If you want to import an existing query to use as a basis for the new query, select Import Query
Statement. In the Browse Query dialog box, select a query that you want to import, and then select
OK.
5. In the Object Type list, select the type of object that you want the query to return. This table describes
some examples of the types of objects you can search for:

Object type: Description

System Resource: Use to search for typical system attributes, like the NetBIOS name of a device, the client version, the client IP address, and Active Directory Domain Services information.

User Resource: Use to search for typical user information, like user names, user group names, and security group names.

Deployment: Use to search for typical attributes of a deployment, like the deployment name, the schedule, and the collection that it was deployed to.


6. Select Edit Query Statement to open the <Query Name> Statement Properties dialog box.
7. On the General tab of the <Query Name> Statement Properties dialog box, specify the attributes that
the query returns and how they should be displayed. Select the New icon to add a new attribute. You can
also select Show Query Language to enter or edit the query directly in WMI Query Language (WQL).
For examples of WMI queries, see the Example WQL queries section in this article.
You can use the following reference documentation to help you construct your own WQL queries:
WQL (SQL for WMI)
WHERE Clause
WQL Operators
Starting in Configuration Manager 2010, you can preview the results when you're creating or editing a
query for collection membership. In the Query Statement Properties, select the green triangle to
show the Query Results Preview window. Select Stop if you want to stop a long running query.
8. On the Criteria tab of the <Query Name> Statement Properties dialog box, specify criteria that are
used to refine the results of the query. For example, you could return only resources that have a site code
of XYZ. You can configure multiple criteria for a query.

IMPORTANT
If you create a query that contains no criteria, the query will return all devices in the All Systems collection.

9. On the Joins tab of the <Query Name> Statement Proper ties dialog box, you can combine data from
two different attributes into your query results. Although Configuration Manager automatically creates
query joins when you choose different attributes for your query result, the Joins tab provides more
advanced options. Configuration Manager supports these attribute classes:

Join type: Description

Inner: Displays only matching results. Always used by joins that are created automatically.

Left: Displays all results for the base attribute and only the matching results for the join attribute.

Right: Displays all results for the join attribute and only the matching results for the base attribute.

Full: Displays all results for both the base attribute and the join attribute.


For more information about how to use join operations, see the SQL Server documentation.
10. Select OK to close the <Query Name> Statement Properties dialog box.
11. On the General tab of the Create Query Wizard, specify that the results of the query aren't limited to
the members of a collection, that they are limited to the members of a specified collection, or that a
prompt for a collection appears each time the query is run.
12. Complete the wizard to create the query. The new query appears in the Queries node in the Monitoring
workspace.

Import a query
Use this procedure to import a query into Configuration Manager. For information about how to export queries,
see How to manage queries.
1. In the Configuration Manager console, select Monitoring.
2. In the Monitoring workspace, select Queries. On the Home tab, in the Create group, select Import
Objects.
3. On the MOF File Name page of the Import Objects Wizard, select Browse to select the Managed
Object Format (MOF) file that contains the query that you want to import.
4. Review the information about the query to be imported and then complete the wizard. The new query
appears on the Queries node in the Monitoring workspace.

Example WQL queries


This section contains example WQL queries that you can use in your hierarchy or modify for other purposes. To
use these queries, select Show Query Language in the Query Statement Properties dialog box. Then copy
and paste the query into the Query Statement field.

TIP
Use the wildcard character % to signify any string of characters. For example, %Visio% returns Microsoft Office Visio
2010.

Computers that run Windows 10

Use the following query to return the NetBIOS name and operating system version of all computers that run
Windows 10.

select SMS_R_System.NetbiosName,
SMS_R_System.OperatingSystemNameandVersion from
SMS_R_System where
SMS_R_System.OperatingSystemNameandVersion like "%Workstation 10%"

Computers with a specific software package installed


Use the following query to return the NetBIOS name and software package name of all computers that have a
specific software package installed. This example returns all computers with a version of Microsoft Visio
installed. Replace Microsoft%Visio% with the software package that you want to query for.

TIP
This query searches for the software package by using the names that are displayed in the programs list in Windows
Control Panel.

select SMS_R_System.NetbiosName,
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from
SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on
SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId =
SMS_R_System.ResourceId where
SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft%Visio%"

Computers in a specific Active Directory Domain Services organizational unit


Use the following query to return the NetBIOS name and organizational unit (OU) name of all computers in a
specified OU. Replace the text OU Name with the name of the OU that you want to query for.

select SMS_R_System.NetbiosName,
SMS_R_System.SystemOUName from
SMS_R_System where
SMS_R_System.SystemOUName = "OU Name"

Computers with a specific NetBIOS name


Use the following query to return the NetBIOS name of all computers that begin with a specific string of
characters. In this example, the query returns all computers with a NetBIOS name that begins with ABC .

select SMS_R_System.NetbiosName from
SMS_R_System where SMS_R_System.NetbiosName like "ABC%"

Devices of a specific type
Device types are stored in the Configuration Manager database under the resource class SMS_R_System and
the attribute AgentEdition, which the query language exposes as SMS_R_System.ClientEdition. Use this query
to retrieve only the devices that match the agent edition of the device type that you specify:

Select SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = <Device ID>

Use one of these values for <Device ID>:

Device type                                    Value of agent edition
Windows desktop or laptop computer             0
Windows ARM-based device (running Windows RT)  1
Windows Mobile 6.5                             2
Nokia Symbian                                  3
Windows Phone                                  4
Mac computer                                   5
Windows Embedded                               7
Intel system on a chip                         12
Microsoft HoloLens (MDM)                       15
Microsoft Surface Hub (MDM)                    16

NOTE
Values that aren't listed in this table are associated with devices that are no longer supported.

For example, if you want to return only Mac computers, use this query:

Select SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = 5

Devices that are co-managed

Use the following query to return devices that are co-managed: the client has received co-management policy,
is enrolled in MDM, and has finished MDM provisioning. All three flags must be set, which is why the conditions
are combined with AND.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_Client_ComanagementState on SMS_Client_ComanagementState.ResourceId = SMS_R_System.ResourceId
where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1 AND SMS_Client_ComanagementState.MDMEnrolled = 1
AND SMS_Client_ComanagementState.MDMProvisioned = 1
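The queries in this section, run from PowerShell against the SMS Provider instead of pasted into the console, as an added example that is not part of the original article. It assumes a provider host cm01.contoso.com, site code PS1, an OU path, and an application name pattern, all placeholders to replace for your site; the helpers ConvertTo-WqlLiteral and Invoke-SmsProviderQuery are defined here and are not cmdlets of the ConfigurationManager module. It also adds a Build constraint to the Windows 10 query, because Windows 11 clients report the same "Workstation 10.0" string in OperatingSystemNameandVersion, so the pattern in the article alone returns both.

```powershell
# Added example, not part of the original article: run the WQL queries from
# this section against the SMS Provider from PowerShell, so they can be
# scripted and their results compared, instead of pasting them into the
# console. Placeholders to change for your site: provider host, site code,
# the sample OU path and the application name pattern.
$ProviderHost = 'cm01.contoso.com'            # assumed SMS Provider computer
$SiteCode     = 'PS1'                         # assumed site code
$Namespace    = "root\SMS\site_$SiteCode"     # provider namespace for that site

# WQL has no bind parameters, so any value that comes from outside the script
# (a ticket, a CSV, a prompt) is quoted here before it is spliced into the
# query. Backslashes and double quotes are escaped so a crafted value cannot
# break out of the literal and change the query's meaning.
function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    '"' + $Value.Replace('\', '\\').Replace('"', '\"') + '"'
}

function Invoke-SmsProviderQuery {
    param([Parameter(Mandatory)][string]$Wql)
    Get-CimInstance -ComputerName $ProviderHost -Namespace $Namespace -Query $Wql -ErrorAction Stop
}

# Windows 10 workstations. SMS_R_System.Build is added because Windows 11 also
# reports "Workstation 10.0" in OperatingSystemNameandVersion; Windows 10
# builds are 10.0.1xxxx, Windows 11 builds are 10.0.22000 and later.
$win10 = Invoke-SmsProviderQuery @'
select SMS_R_System.NetbiosName, SMS_R_System.OperatingSystemNameandVersion, SMS_R_System.Build
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 10%"
  and SMS_R_System.Build like "10.0.1%"
'@

# Computers with an Add/Remove Programs entry matching a pattern. The %
# wildcards are part of the pattern, so the whole pattern goes through
# ConvertTo-WqlLiteral and only the quoting is added.
$appPattern = 'Microsoft%Visio%'              # assumed pattern, as in the article
$visio = Invoke-SmsProviderQuery @"
select SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
  on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like $(ConvertTo-WqlLiteral $appPattern)
"@

# Computers in one OU. SystemOUName values have the form DOMAIN.COM/PARENT/CHILD.
$ouName = 'CONTOSO.COM/WORKSTATIONS/FINANCE'  # assumed OU path
$inOu = Invoke-SmsProviderQuery @"
select SMS_R_System.NetbiosName, SMS_R_System.SystemOUName
from SMS_R_System
where SMS_R_System.SystemOUName = $(ConvertTo-WqlLiteral $ouName)
"@

# Devices of a specific type, using the agent edition table above (5 = Mac).
$macs = Invoke-SmsProviderQuery 'select SMS_R_System.NetbiosName, SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = 5'

# Co-managed devices: all three flags must be set, so they are ANDed.
$comanaged = Invoke-SmsProviderQuery @'
select SMS_R_System.NetbiosName, SMS_R_System.Client
from SMS_R_System
inner join SMS_Client_ComanagementState on SMS_Client_ComanagementState.ResourceId = SMS_R_System.ResourceId
where SMS_Client_ComanagementState.ComgmtPolicyPresent = 1
  and SMS_Client_ComanagementState.MDMEnrolled = 1
  and SMS_Client_ComanagementState.MDMProvisioned = 1
'@

[pscustomobject]@{
    Windows10 = @($win10).Count
    Visio     = @($visio).Count
    FinanceOU = @($inOu).Count
    Mac       = @($macs).Count
    CoManaged = @($comanaged).Count
} | Format-List
```

Run it under an account that has at least Read on the objects through role-based administration; the SMS Provider applies the caller's security scopes to the results. The quoting helper matters whenever a query value is assembled from input you don't control: the same concatenation that makes a dynamic WQL string convenient also makes it injectable.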

Next steps
How to manage queries
Security and privacy for queries in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Queries in Configuration Manager let you retrieve information from the site database according to criteria that
you specify. Configuration Manager collects site database information during standard operation. For example,
by using information that's been collected during discovery or inventory, you can configure a query to identify
devices that meet specified criteria.
For more information about queries, see Introduction to queries. For security best practices and privacy
information about Configuration Manager operations that collect the data you can retrieve by using queries, see
Security and privacy for Configuration Manager.

Security best practices for queries


Use this security best practice for queries.

Security best practice: When you export or import a query that's saved to a network location, secure the
location and the network channel.

More information: Restrict who can access the network folder. Use Server Message Block (SMB) signing or
Internet Protocol security (IPsec) between the network location and the site server to prevent an attacker from
tampering with the query data before it's imported.
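One way to apply this best practice from PowerShell, as an added example that is not part of the original article: it requires SMB signing on the site server's outbound connections, restricts the export folder to named principals, and records a SHA-256 digest of the exported MOF on the site server so that a copy altered on the share is refused before import. The share path, MOF file name, local digest folder, and the two principals granted access are assumed placeholders; Save-QueryExportDigest and Test-QueryExportDigest are helpers defined here, not Configuration Manager cmdlets.

```powershell
# Added example, not part of the original article. Placeholders below are
# assumptions: the share, the exported query file, the local digest folder,
# and the principals allowed to reach the share.
$ExportShare  = '\\fs01.contoso.com\cmexports'                 # assumed network location
$MofFile      = Join-Path $ExportShare 'Windows10Query.mof'     # assumed exported query
$DigestStore  = 'C:\ProgramData\CMQueryExports'                 # assumed local folder on the site server
$AllowedUsers = 'CONTOSO\CM-Query-Admins', 'CONTOSO\CM01$'      # assumed admin group and site server account

# (1) SMB signing on the client side of the transfer (the site server or the
# admin workstation running the console). With signing required, a host on
# the path cannot modify the MOF in flight. IPsec is the alternative the
# article names for the same purpose.
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# (2) Folder ACL: stop inheritance without copying the inherited entries, then
# grant Modify only to the allowed principals. Explicit entries already on the
# folder are kept and should be reviewed by hand.
$acl = Get-Acl -Path $ExportShare
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in $AllowedUsers) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $principal, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ExportShare -AclObject $acl

# (3) Digest, kept on the site server rather than beside the file on the
# share, so an attacker who can rewrite the MOF cannot also rewrite the
# expected hash.
function Save-QueryExportDigest {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $DigestStore -Force | Out-Null
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $digestFile = Join-Path $DigestStore ((Split-Path $Path -Leaf) + '.sha256')
    Set-Content -Path $digestFile -Value $hash -Encoding ascii
    $hash
}

function Test-QueryExportDigest {
    param([Parameter(Mandatory)][string]$Path)
    $digestFile = Join-Path $DigestStore ((Split-Path $Path -Leaf) + '.sha256')
    if (-not (Test-Path $digestFile)) {
        throw "No recorded digest for $Path. Was it exported from this server?"
    }
    $expected = (Get-Content -Path $digestFile -Raw).Trim()
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "Digest mismatch for $Path (expected $expected, got $actual). Do not import this file."
    }
    $true
}

# Usage: right after exporting the query from the console ...
Save-QueryExportDigest -Path $MofFile
# ... and immediately before running the Import Objects Wizard on it.
Test-QueryExportDigest -Path $MofFile
```

The digest check catches modification at rest on the share, which signing and IPsec do not cover; the three controls together address the folder, the channel, and the file.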

Next steps
Security and privacy for Configuration Manager
Introduction to reporting in Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Reporting in Configuration Manager provides a set of tools and resources that help you use the advanced
reporting capabilities of SQL Server Reporting Services (SSRS) and Power BI Report Server. Both reporting
platforms provide rich authoring experiences for custom reports. Reporting helps you gather, organize, and
present information about the wealth of Configuration Manager data in your organization. Configuration
Manager provides many predefined reports in Reporting Services that you can use without changes. You can
duplicate and modify the default reports to meet your requirements, or you can create custom reports.

SQL Server Reporting Services


SQL Server Reporting Services provides a full range of ready-to-use tools and services to help you create,
deploy, and manage reports for your organization. It also has programming features that enable you to extend
and customize your reporting functionality. Reporting Services is a server-based reporting platform that
provides comprehensive reporting functionality for different kinds of data sources.
Configuration Manager uses SQL Server Reporting Services as its primary reporting solution. Integration with
Reporting Services provides the following advantages:
Uses an industry standard reporting system to query the Configuration Manager database.
Displays reports by using the Configuration Manager Report Viewer or by using Report Manager, which
is a web-based connection to the report.
Provides high performance, availability, and scalability.
Provides subscriptions to reports to which users can subscribe. For example, a manager subscribes to an
emailed report each day that details the status of a software update rollout.
Exports reports in different kinds of popular formats.
For more information, see What is SQL Server Reporting Services (SSRS)?

Power BI Report Server


Starting in version 2002, integrate Power BI Report Server with Configuration Manager reporting. This
integration gives you modern visualization and better performance. It adds console support for Power BI reports
similar to what already exists with SQL Server Reporting Services. For more information, see Integrate with
Power BI Report Server.
Power BI Report Server is an on-premises report server with a web portal in which you display and manage
reports. It includes tools to create Power BI reports, paginated reports, mobile reports, and KPIs. For more
information, see What is Power BI Report Server?.

Reporting services point


The reporting services point is a site system role that you add on a server that runs Microsoft SQL Server
Reporting Services. The reporting services point does the following functions:
Copies the Configuration Manager report definitions to Reporting Services
Creates report folders based on report categories
Sets security policy on the report folders and reports. These policies are based on the role-based permissions
for Configuration Manager administrative users. Every 10 minutes, the reporting services point connects to
Reporting Services to reapply the security policy if you changed it.
For more information about how to plan for and install a reporting services point, see the following articles:
Plan for reporting
Configure reporting

Configuration Manager reports


Configuration Manager provides report definitions for over 400 reports in over 50 report folders. During the
reporting services point installation process, it copies them to the root report folder in SQL Server Reporting
Services. The Configuration Manager console shows the reports and organizes them in subfolders based on the
report category.
Reports don't propagate up or down the Configuration Manager hierarchy. They run only against the database
of the site in which you create them. Because Configuration Manager replicates global data throughout the
hierarchy, you have access to hierarchy-wide information in reports. When a report retrieves data from a site
database, it has access to site data for the current site and child sites, and global data for every site in the
hierarchy.
Like other Configuration Manager objects, an administrative user must have the appropriate permissions to run
or modify reports. To run a report, an administrative user must have the Run Report permission for the object.
To create or modify a report, an administrative user must have the Modify Report permission for the object.
Create and modify reports
For Reporting Services-based reports, Configuration Manager uses Microsoft SQL Server Report Builder as the
exclusive authoring and editing tool for model-based and SQL-based reports. When you create or edit a report
in the Configuration Manager console, Report Builder opens. For more information, see Operations and
maintenance for reporting.
Starting in version 2002, to create or edit Power BI reports, the console integrates with Power BI Desktop. For
more information, see Create Power BI reports.
Run reports
When you run a Reporting Services-based report in the Configuration Manager console, Report Viewer opens
and connects to Reporting Services. After you specify any required report parameters, Reporting Services then
retrieves the data and displays the results in the viewer. You can also connect to SQL Server Reporting
Services directly, connect to the data source for the site, and run reports there.
Starting in version 2002, when you run a Power BI-based report, it opens in the web browser.
Add to Favorites
Configuration Manager ships with several hundred reports by default, and you might add more to that list.
Instead of continually searching for reports you commonly use, starting in version 2103 you can make a report
a favorite. This action allows you to quickly access it from the Favorites node.
For more information, see Operations and maintenance for reporting.
Report prompts
You can configure a report prompt or parameter when you create or modify a report. Create report prompts to
limit or target the data that a report retrieves. A report can contain more than one prompt. Make sure the
prompt names are unique and contain only alphanumeric characters that conform to the SQL Server rules for
identifiers.
When you run a report, the prompt requests a value for a required parameter. Based on the parameter value, it
retrieves the report data. For example, the Computer information for a specific computer report prompts
for a computer name. Reporting Services passes the specified value to a variable defined in the report's SQL
statement.
Report links
Report links in Configuration Manager are used in a source report to provide easy access to other data. For
example, it can link to more detailed information about each of the items in the source report. If the destination
report requires one or more prompts to run, the source report must contain a column with the appropriate
values for each prompt.
The link needs to specify the column number with the value for the prompt. For example:
There's one report that lists computers that the site recently discovered.
You link from it to another report that lists the last messages that the site receives for a specific computer.
You create the link, and specify that column 2 in the source report contains the computer name. This value
is a required prompt for the destination report.
You run the source report, and a link icon appears to the left of each row of data.
You select the icon on a row, and Report Viewer passes the value in the specified column for that row as the
prompt value for the destination report.
You can only configure one link for a report, and that link can only connect to a single destination report.

WARNING
If you move a destination report to a different report folder, the location for the destination report changes.
Configuration Manager doesn't automatically update the report link in the source report with the new location, and the
link won't work in the source report.

Report folders
Report folders provide a method to sort and filter reports that Configuration Manager stores in Reporting
Services. Report folders are useful when you have many reports to manage. When you install a reporting
services point, it copies reports to Reporting Services and organizes them into more than 50 report folders. The
report folders are read-only. You can't modify them in the Configuration Manager console.

Report subscriptions
A report subscription in Reporting Services is a recurring request to deliver a report at a specific time or in
response to an event. You specify in the subscription an application file format. Subscriptions provide an
alternative to running a report on demand. On-demand reporting requires that you actively select the report
each time you want to view the report. In contrast, subscriptions can be used to schedule and then automate the
delivery of a report.
You can manage report subscriptions in the Configuration Manager console. The report server processes the
subscriptions. It distributes them by using delivery extensions that are deployed on the server. By default, you
can create subscriptions that send reports to a shared folder or to an email address.
For more information, see Manage report subscriptions.

Report Builder
For Reporting Services-based reports, Configuration Manager uses Microsoft SQL Server Report Builder as the
exclusive authoring and editing tool for both model-based and SQL-based reports. If you create or edit a report
in the Configuration Manager console, Report Builder opens. When you create or modify a report for the first
time, Report Builder installs automatically. The version of Report Builder associated with the installed version of
SQL Server opens when you run or edit reports.
The Report Builder installation adds support for over 20 languages. When you run Report Builder, it displays
data in the language of the local computer's OS. If Report Builder doesn't support the language, it displays the
data in English. Report Builder supports the full capabilities of SQL Server Reporting Services, which includes
the following capabilities:
Delivers an intuitive report authoring environment with an appearance similar to Microsoft 365 Apps.
Offers the flexible report layout of SQL Server report definition language (RDL).
Provides various forms of data visualization including charts and gauges.
Provides richly formatted text boxes.
Exports to Microsoft Word format.
You can also open Report Builder directly from SQL Server Reporting Services.

Report models in SQL Server Reporting Services


SQL Server Reporting Services uses report models to help you select items from the Configuration Manager
database to include in model-based reports. When you build a report, report models expose only specified
views and items to choose from. To create model-based reports, at least one report model has to be available.
Report models have the following features:
Give logical business names to database fields and views. To produce reports, you don't require
knowledge of the Configuration Manager database structure.
Group items logically.
Define relationships between items.
Secure model elements so that administrative users can see only the data that they have permission to
see.
Although Configuration Manager provides sample report models, you can also define report models to meet
your own business requirements. For more information about how to create report models, see Create custom
report models.

Next steps
Plan for reporting
Integrate with Power BI Report Server
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


You can integrate Power BI Report Server with Configuration Manager reporting. This integration gives you
modern visualization and better performance. It adds console support for Power BI reports similar to what
already exists with SQL Server Reporting Services.
Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Report Server. This process is similar
as with SQL Server Reporting Services report files (.RDL). You can also launch the reports in the browser directly
from the Configuration Manager console.

Prerequisites
Power BI Report Server license. For more information, see Licensing Power BI Report Server.
Download Microsoft Power BI Report Server-September 2019, or later.
Don't install Power BI Report Server right away. For the proper process based on your environment,
see Configure the reporting services point.
Download Microsoft Power BI Desktop (Optimized for Power BI Report Server). Use a version released
between September 2019 and January 2021. For versioning information, see the Change log for Power BI
Report Server.

IMPORTANT
Use versions of Power BI Desktop:
That are from the Microsoft Download Center. Don't use a version from the Microsoft Store.
That state they're Optimized for Power BI Report Server. Don't use versions that aren't Optimized for
Power BI Report Server.
That were released no earlier than September 2019 and no later than January 2021. Microsoft Power BI
Desktop (Optimized for Power BI Report Server - January 2021) is recommended.

Power BI integration uses the same role-based administration as the rest of reporting to control who can see
and run the reports.

However, Power BI Report Server doesn't support reports that are enabled for role-based access: the report data
isn't filtered by the viewer's security scopes, so all report viewers see the same results, whatever their
assigned scope. Keep this in mind before you publish a Power BI report whose data you would otherwise
restrict by scope.

Configure the reporting services point


This process varies depending upon whether you already have this role in the site.
You have a reporting services point
Only use this process if you already have a reporting services point in the site. Do all steps of this process on the
same server:
1. In Reporting Services Configuration Manager, back up the Encryption Keys. For more
information, see SSRS Encryption Keys - Back Up and Restore Encryption Keys.

WARNING
If you skip this step, you'll lose access to any custom reports in SQL Server Reporting Services.

2. Remove the reporting services point role from the site.
3. Uninstall SQL Server Reporting Services, but keep the database.
4. Install Power BI Report Server.
5. Configure the Power BI Report Server:
a. Use the previous report server database.
b. Use Reporting Services Configuration Manager to restore the Encryption Keys.
Before you add the reporting services point role in Configuration Manager, use SQL Server Reporting
Services Configuration Manager to test and verify the configuration. For more information, see Verify
SQL Server Reporting Services installation.
6. Add the reporting services point role in Configuration Manager.
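Steps 1 and 5b of the procedure above done with rskeymgmt.exe, the command-line counterpart of the Back Up and Restore Encryption Keys actions in Reporting Services Configuration Manager, as an added example that is not part of the original article. The two rskeymgmt.exe paths are assumed to be those of default installations, the backup file location is a placeholder, and Backup-ReportServerKey, Restore-ReportServerKey and Read-KeyPassword are helpers defined here.

```powershell
# Added example, not part of the original article. Paths below are
# assumptions for default installations; set them for your server.
$SsrsKeyMgmt  = 'C:\Program Files\Microsoft SQL Server Reporting Services\Shared Tools\rskeymgmt.exe'  # assumed
$PbirsKeyMgmt = 'C:\Program Files\Microsoft Power BI Report Server\Shared Tools\rskeymgmt.exe'         # assumed
$KeyBackup    = 'C:\Backup\ReportServerKey.snk'                                                        # assumed

# rskeymgmt takes the password on its command line, where other local users
# can read it from the process list while it runs. Prompt for it, keep it in
# scope only for the call, and run this interactively rather than from a
# stored script with the password embedded.
function Read-KeyPassword {
    $secure = Read-Host -Prompt 'Encryption key backup password' -AsSecureString
    [System.Net.NetworkCredential]::new('', $secure).Password
}

# Step 1, on the existing SQL Server Reporting Services instance: extract (-e)
# the symmetric key to a password-protected file and confirm the file exists
# before anything is removed. Copy the file off this server as well; if the
# key is lost, every encrypted item in the ReportServer database (custom
# reports, stored data source credentials) becomes unreadable.
function Backup-ReportServerKey {
    $password = Read-KeyPassword
    & $SsrsKeyMgmt -e -f $KeyBackup -p $password
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $KeyBackup)) {
        throw 'Key backup failed. Do not remove the reporting services point or uninstall SSRS.'
    }
    # Record the digest so the copy used at restore time can be verified.
    Get-FileHash -Path $KeyBackup -Algorithm SHA256
}

# Step 5b, after Power BI Report Server is installed and attached to the old
# ReportServer database: apply (-a) the saved key so the existing encrypted
# content can be read again.
function Restore-ReportServerKey {
    $password = Read-KeyPassword
    & $PbirsKeyMgmt -a -f $KeyBackup -p $password
    if ($LASTEXITCODE -ne 0) {
        throw 'Key restore failed. Check the rskeymgmt output before adding the reporting services point.'
    }
}

# Run Backup-ReportServerKey before step 2, and Restore-ReportServerKey at step 5b.
```

Treat the .snk file as a secret equivalent to the report server's stored credentials: keep it off the report server, and delete working copies once the restore is verified.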
You don't have a reporting services point
Only use this process if you don't already have a reporting services point in the site. Do all steps of this process
on the same server:
1. Install Power BI Report Server.
2. Add the reporting services point role in Configuration Manager. For more information, see Configure
reporting.

Configure the Configuration Manager console


1. On a computer that has the Configuration Manager console, update the Configuration Manager console
to the latest version.
2. Install Power BI Desktop. Make sure the language is the same and verify the versioning prerequisites.
3. After it installs, launch Power BI Desktop at least once before you open the Configuration Manager
console.

Create Power BI reports


1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select
the new Power BI Reports node.
2. In the ribbon, select Create Report. This action opens Power BI Desktop.
3. Create a report in Power BI Desktop.
In Power BI Desktop, when you connect to a data source, select DirectQuery for the Connection
settings.
Only use supported SQL views in these reports. For more information, see Creating custom
reports by using SQL Server views in Configuration Manager.
4. When the report is ready to save, go to the File menu, select Save as, then choose Power BI Report
Server.
5. In the Power BI Report Server Selection window, enter the URL for the reporting services point as the
New report server address. For example, https://rsp.contoso.com/Reports. Select OK.
6. In the Save report window, double-click the ConfigMgr_<SiteCode> folder. For example, ConfigMgr_PS1,
where PS1 is the ConfigMgr site code. You can optionally choose or create (from the report server) a sub
folder to store it in.

TIP
Reports and report folders with Power BI reports must be located in the ConfigMgr_<SiteCode> folder on the
report server or they won't appear in the Configuration Manager console.

7. In File name , enter a name for the report.


In the Configuration Manager console, you see the new report in the list of Power BI Reports. If you don't see
your reports, verify that you saved the reports to the ConfigMgr_<SiteCode> folder.
There are sample reports available for download. For more information, see Install Power BI sample reports.

Power BI report templates in Community hub


Using Community hub, you can share Power BI report templates you've created and download templates that
others have shared.
Contributing a Power BI report template (PBIT) file to Community hub
1. Open the Configuration Manager console and go to Community > Community hub.
2. If needed, select Sign in to sign into GitHub. You'll see the Your hub link after signing in.
3. Select Your hub then Add an item to launch the Contribute item wizard.
4. For the Type, choose Power BI Report Template then select Browse.
5. Choose the .pbit file you want to contribute, then select Open.
6. Edit the Name and Description for the report template then select Next when done.
7. On the Organization page, select the GitHub Organization to use for organization branding if needed.
Select Next to upload the template.
8. Once the item is uploaded, you'll be given the pull request URL of the change for monitoring.
9. Select Close when you're done to exit the wizard.
Downloading a Power BI report template (PBIT) file from Community hub
1. Open the Configuration Manager console, go to Community > Community hub .
2. From All objects or a search, choose a Power BI report template, then select Download .
3. Select a file location to save the downloaded .pbit file and choose Save .
4. If Power BI Desktop (Optimized for Power BI Report Server) is installed, you'll be prompted to open the
.pbit file.

5. Select Yes and Power BI Desktop (Optimized for Power BI Report Server) will load the .pbit file.
6. Specify your Configuration Manager database name and database server name when prompted, then
select Load .
NOTE
When loading or applying the data model, ignore any errors if you come across one. For example, if you see the
following error: "Connecting to tables from more than one database isn't supported in DirectQuery mode", select
Close . Then refresh the data source settings:
1. In Power BI Desktop, in the ribbon, select Edit Queries , and then select Data source settings .
2. Select Change Source , confirm your server and database names, and select OK .
3. Close the data source settings window, and then select Apply changes .

7. When the report data is loaded, select File > Save As, then select Power BI Report Server.
8. Save the report to a folder on the root Configuration Manager reporting folder on the reporting point.
You may want to create a Downloaded Reports folder for these items.
9. Repeat the steps for any other report templates that were downloaded. When you're done, close
Microsoft Power BI Desktop (Optimized for Power BI Report Server).

Known issues
There's a known issue with Power BI Report Server and email subscriptions. After you configure the email
settings in the Reporting Services Configuration Manager, when you try to create a new subscription, the option
to deliver a report by Email isn't available. To work around this issue, restart the Power BI Report Server service.

Next steps
After you create a report, use the following actions in the Configuration Manager console:
Run in Browser : Opens the Power BI report in the web browser. Share this URL with others, for example:
https://rsp.contoso.com/Reports/POWERBI/ConfigMgr_ABC/Windows%2010/Windows10%20Dashboard?rs:embed=true

TIP
You can only view these reports in the web browser.

Edit : Make changes to the report in Power BI Desktop. For an existing report, use the Save option to save
changes back to the report server.
Add to Favorites : Starting in version 2103, you can make a report a favorite. This action allows you to
quickly access it from the Favorites node. For more information, see Operations and maintenance for
reporting.
For more information on log files to use for reporting, see Log file reference - Reporting.
Install Power BI sample reports
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can integrate Power BI Report Server with Configuration Manager reporting. There are sample reports
available for download that you can install in Configuration Manager. This article explains how to install the
Power BI sample reports in Configuration Manager.

Prerequisites
Configuration Manager reporting services point with Power BI Report Server integrated
Microsoft Power BI Desktop (Optimized for Power BI Report Server). Use a version released between
September 2019 and January 2021. For versioning information, see the Change log for Power BI Report
Server.

IMPORTANT
Use versions of Power BI Desktop:
That are from the Microsoft Download Center. Don't use a version from the Microsoft Store.
That state they're Optimized for Power BI Report Server. Don't use versions that aren't Optimized for
Power BI Report Server.
That were released no earlier than September 2019 and no later than January 2021. Microsoft Power BI
Desktop (Optimized for Power BI Report Server - January 2021) is recommended.

Download the sample reports


To download the sample reports:
1. Download the Power BI sample reports from the Microsoft Download Center.
2. Save the ConfigMgrSamplePowerBIReports.exe file.
3. Move the file to a computer with Microsoft Power BI Desktop (Optimized for Power BI Report Server)
installed if you downloaded it from a different device.
4. Run the ConfigMgrSamplePowerBIReports.exe file to extract the .pbit files.

NOTE
Some of the sample reports are also available for download in Community hub.
Community hub direct link to the Software Update Compliance Status sample report
Community hub direct link to the Software Update Deployment Status sample report

Install the sample reports


To install the sample reports:
1. On the Power BI Report server, create a new folder called Sample Reports in the root Configuration
Manager reporting folder.

2. Launch Microsoft Power BI Desktop (Optimized for Power BI Report Server).


3. Select File then Open and navigate to where you saved the extracted .pbit files.
4. Select one of the .pbit files you extracted from the ConfigMgrSamplePowerBIReports.exe file.
5. Specify your Configuration Manager database name and database server name when prompted, then
select Load .

NOTE
When loading or applying the data model, ignore any errors if you come across one. For example, if you see the
following error: "Connecting to tables from more than one database isn't supported in DirectQuery mode", select
Close . Then refresh the data source settings:
1. In Power BI Desktop, in the ribbon, select Edit Queries , and then select Data source settings .
2. Select Change Source , confirm your server and database names, and select OK .
3. Close the data source settings window, and then select Apply changes .

6. When the report data is loaded, select File > Save As , then select Power BI Repor t Ser ver .
7. Save the report to the Sample Reports folder you created on the reporting point.

8. Repeat the steps for any other sample reports. When you're done, close Microsoft Power BI Desktop
(Optimized for Power BI Report Server).
9. In the Configuration Manager console, go to Monitoring > Power BI Reports > Sample Reports.
10. Right-click on one of the reports and select Run in Browser to launch the report.

Sample reports
The following sample Power BI reports are included in the download:
Software Update Compliance Status
Software Update Deployment Status
Client Status
Content Status
Microsoft Edge Management
Plan for reporting in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Reporting in Configuration Manager provides a set of tools and resources that help you use the advanced
reporting capabilities of SQL Server Reporting Services or Power BI Report Server. Use the following sections to
help you plan for reporting in Configuration Manager.

Where to install the reporting services point


When you run Configuration Manager reports at a site, the reports have access to the information in the site
database to which the reporting services point connects. Use the following sections to help you determine
where to install the reporting services point and what data source to use.

NOTE
For more information about planning for site systems in Configuration Manager, see Add site system roles.

Supported site system servers


You can install the reporting services point on a central administration site (CAS) and primary sites. You can
install it on more than one site system at a site, and at other sites in the hierarchy. Configuration Manager
doesn't support the reporting services point at secondary sites. The first reporting services point at a site is set
as the default report server. You can add more reporting services points at a site, but Configuration Manager
reports actively use the default report server at each site. Install the reporting services point on the site server
or a remote site system. For best performance, use SQL Server Reporting Services on a remote site system server.
Data replication considerations
Consider the following factors to help you determine where to install your reporting services points:
A reporting services point with the CAS database as its reporting data source has access to all global and
site data in the Configuration Manager hierarchy. If you require reports that contain site data for multiple
sites in a hierarchy, consider installing the reporting services point on a site system at the CAS. Then use
its database as the reporting data source.
A reporting services point with a child primary site database as its reporting data source has access to
global data and site data for only the local primary site and any child secondary sites. Site data for other
primary sites in the Configuration Manager hierarchy doesn't replicate to this primary site. Reporting
Services can't access site data for other primary sites. If you require reports that contain site data for a
specific primary site or global data, and you don't want the user to have access to site data from other
primary sites, install a reporting services point on a site system at the primary site. Then use the primary
site's database as the reporting data source.
For more information on global and site data, see Types of data.
Network bandwidth considerations
Depending on how you configure the site, site systems in the same site communicate with each other by using
server message block (SMB), HTTP, or HTTPS. Configuration Manager doesn't manage this communication. It can
occur at any time without network bandwidth control. Review your available network bandwidth before you
install the reporting services point role on a site system.
For more information about planning for site systems, see Add site system roles.

Plan for role-based administration


Security for reporting is much like other objects in Configuration Manager where you can assign security roles
and permissions to administrative users. Administrative users can only run and modify reports for which they
have appropriate security rights. To run reports in the Configuration Manager console, users need the Read
right for the Site permission and the permissions configured for specific objects.
Unlike other objects in Configuration Manager, the security rights that you set for administrative users in the
Configuration Manager console are also configured in Reporting Services. When you configure security rights in
the Configuration Manager console, the reporting services point connects to Reporting Services and sets
appropriate permissions for reports.
For example, the Software Update Manager security role has the Run Report and Modify Report
permissions. Users with the Software Update Manager role can only run and modify reports for software
updates. The Configuration Manager console doesn't display reports for other objects to this role. The exception
to this behavior is that some reports aren't associated with specific Configuration Manager securable objects.
For these reports, the administrative user must have the Read right for the Site permission to run the reports
and the Modify right for the Site permission to modify the reports.

IMPORTANT
For users from a different domain than that of the reporting services point account to successfully run reports, establish a
two-way trust between the two domains.

Reports are fully enabled for role-based administration. Configuration Manager filters the data for all included
reports based on the permissions of the user who runs the report. Users with specific roles can only view
information defined for their roles.
For more information about security rights for reporting, see Configure reporting.
For more information about role-based administration in Configuration Manager, see Configure role-based
administration.
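The filtering described above only holds for a custom report if its dataset query goes through the same role-based access (RBA) layer that the built-in reports use. The following T-SQL is an added example for this section, not code from the Configuration Manager documentation or product. It assumes that the reporting services point supplies the running user's token SIDs through a hidden report parameter named @UserSIDs, that the site database exposes RBA-aware table-valued functions named fn_rbac_R_System and fn_rbac_FullCollectionMembership that take that parameter, that those functions accept the literal 'disabled' to turn filtering off, and that @CollID is a report parameter the report author defines. Verify each of these names against your own site database before relying on them.

```sql
-- Added example: a custom report dataset query that keeps role-based
-- filtering, shown next to the form that bypasses it. Not from the
-- Configuration Manager docs or product; names below are assumptions.

-- Only when testing in SQL Server Management Studio: declare the values the
-- report would otherwise pass in. Remove these DECLAREs before pasting the
-- query into a report dataset, so SSRS detects them as report parameters.
-- 'disabled' is assumed to switch RBA filtering off; use it only in a full
-- administrator's own session, never in a deployed report.
DECLARE @UserSIDs nvarchar(max) = N'disabled';
DECLARE @CollID   nvarchar(8)   = N'SMS00001';   -- built-in "All Systems" collection ID

-- Unsafe form: the plain view returns every device in the site database
-- regardless of the security scopes held by the user running the report.
-- SELECT Name0 FROM v_R_System;

-- Report-ready form: both sources are RBA-filtered with the same @UserSIDs,
-- so the caller sees only devices and collection members inside their scopes.
SELECT
    sys.Name0                        AS [Computer name],
    sys.Operating_System_Name_and0   AS [Operating system],
    sys.Client_Version0              AS [Client version]
FROM fn_rbac_R_System(@UserSIDs) AS sys
INNER JOIN fn_rbac_FullCollectionMembership(@UserSIDs) AS fcm
    ON fcm.ResourceID = sys.ResourceID
WHERE fcm.CollectionID = @CollID
ORDER BY sys.Name0;
```

The check worth making on any custom report is that every table or view in the query is reached through an RBA function with the @UserSIDs parameter; a single join to an unfiltered view such as v_R_System is enough to expose data from sites and scopes the user was never granted.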

Reporting recommendations
Consider the following recommendations and tips for reporting in Configuration Manager:
For best performance, install the reporting services point on a remote site system. Although you can
install it on the site server, the reporting services point performs best when you install it on a remote site
system. When this role does background processing, it can compete for system resources with other
roles. There are many variables to consider with site and role performance, but in general this
configuration improves reporting and overall site performance.
Optimize SQL Server Reporting Services queries. Typically any reporting delays are because of the time it
takes to run queries and retrieve the results. Microsoft SQL Server tools such as Query Analyzer and
Profiler can help you optimize queries.
Schedule report subscription processing to run outside standard office hours. Whenever possible,
processing subscriptions during off-hours can minimize the CPU processing on the Configuration
Manager site database server. This practice also improves availability for unpredicted report requests.
Site updates preserve built-in reports. If you modify a standard report, when the site updates, it renames
the report with an underscore prefix ( _ ). This behavior makes sure that the site update doesn't overwrite
the modified report with the standard report.
Security and privacy
Configuration Manager reports display information that it collects during standard Configuration Manager
management operations. For example, you can display a report of information that Configuration Manager
collected from discovery or inventory. Reports can also contain the current status information for client
management operations, such as deploying software, and checking for compliance.
For more information about any security recommendations and privacy information for Configuration Manager
operations that might generate data that you can view in reports, see Security and privacy for Configuration
Manager.

Next steps
Prerequisites for reporting
Prerequisites for reporting in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Reporting in Configuration Manager has the following dependencies:
SQL Server Reporting Services
Reporting services point
Power BI Report Server (optional, starting in version 2002)

SQL Server Reporting Services


Before you can use reporting in Configuration Manager, install and configure SQL Server Reporting Services.
For more information about planning and deploying Reporting Services, see Install SQL Server Reporting
Services.
Install the Reporting Services database on either the default instance or a named instance of a 64-bit SQL
Server installation. Colocate the SQL Server instance with the site system server, or configure it on a remote
computer.
Configuration Manager supports the same versions of SQL Server for reporting as it does for the site database.
For more information, see Supported SQL Server versions.

Reporting services point


Before you can use reporting in Configuration Manager, configure the reporting services point site system role.
For more information, see Site and site system prerequisites.

Power BI Report Server


Starting in version 2002, you can integrate reporting with Power BI Report Server. For more information
including prerequisites, see Integrate with Power BI Report Server.

Next steps
Configure reporting
List of reports in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Configuration Manager supplies many built-in reports covering many of the reporting tasks that you might
want to do. You can also use the SQL statements in these reports to help you to write your own reports.
The following reports are included with Configuration Manager. The reports appear in various categories.

Administrative security
The following six reports are listed under the Administrative Security category.

Report name: Description

Administration activity log: Displays a record of administrative changes made for administrative users, security roles, security scopes, and collections.

Administrative users security assignments: Displays administrative users, their associated security roles, and the security scopes associated with each security role for each user.

Objects secured by a single security scope: Displays objects that an administrator assigned to only the specified security scope. This report doesn't display objects that an administrator associates with more than one security scope.

Security for a specific or multiple Configuration Manager objects: Displays securable objects, the security scopes associated with the objects, and which administrative users have rights to the objects.

Security roles summary: Displays security roles and the Configuration Manager administrators associated with each role.

Security scopes summary: Displays security scopes and the Configuration Manager administrative users and security groups associated with each scope.

Alerts
The following two reports are listed under the Alerts category.

Report name: Description

Alert scorecard: Displays a summary of all postponed alerts that were generated between the specified start and finish date.

Alerts Generated Most Often: Displays a summary of the alerts that were generated most often from today back to the specified date for the specified feature area.

Asset Intelligence
The following 67 reports are listed under the Asset Intelligence category.

Report name: Description

Hardware 01A - Summary of computers in a specific collection: Displays an Asset Intelligence summary view of computers in a collection you specify.

Hardware 03A - Primary computer users: Displays users and the count of computers on which they're the primary user.

Hardware 03B - Computers for a specific primary console user: Displays all computers for which a specified user is the primary console user.

Hardware 04A - Computers with multiple users (shared): Displays computers that don't have a primary user because no one user has a signed-in time greater than 66%.

Hardware 05A - Console users on a specific computer: Displays all of the console users on a specified computer.

Hardware 06A - Computers for which console users could not be determined: Helps administrative users identify computers that need to have security logging turned on.

Hardware 07A - USB devices by manufacturer: Displays USB devices, grouped by manufacturer.

Hardware 07B - USB devices by manufacturer and description: Displays USB devices, grouped by manufacturer and description.

Hardware 07C - Computers with a specific USB device: Displays all the computers with a specified USB device.

Hardware 07D - USB devices on a specific computer: Displays all USB devices on a specified computer.

Hardware 08A - Hardware that is not ready for a software upgrade: Displays hardware that doesn't meet the minimum hardware requirements.

Hardware 09A - Search for computers: Displays a summary of computers matching keyword filters. These filters are computer name, Configuration Manager site, domain, top console user, operating system, manufacturer, or model.

Hardware 10A - Computers in a specified collection that have changed during a specified timeframe: Displays a list of computers in a specified collection where a hardware class has changed during a specified time period.

Hardware 10B - Changes on a specified computer within a specified timeframe: Displays the classes that have changed on a specified computer within a specified time period.

License 01A - Microsoft Volume License ledger for Microsoft license statements: Displays an inventory of all Microsoft software titles that are available from the Microsoft Volume Licensing program.

License 01B - Microsoft Volume License ledger item by sales channel: Identifies and displays sales channel for inventoried Microsoft Volume License software.

License 01C - Computers with a specific Microsoft Volume License ledger item and sales channel: Identifies and displays computers that have a specified item from the Microsoft Volume license ledger.

License 01D - Microsoft Volume License ledger products on a specific computer: Identifies and displays all Microsoft Volume license ledger items on a specified computer.

License 02A - Count of licenses nearing expiration by time ranges: Displays a count of licenses nearing expiration by a specified time range. The displayed products have their licenses managed by the Software Licensing Service.

License 02B - Computers with licenses nearing expiration: Displays the specified computers with licenses that are nearing expiration.

License 02C - License information on a specific computer: Displays products on a specified computer that have their licenses managed by the Software Licensing Service.

License 03A - Count of licenses by license status: Displays products, by license status, which have their licenses managed by the Software Licensing Service.

License 03B - Computers with a specific license status: Displays products, with a specified license status, whose licenses are managed by the Software Licensing Service.

License 04A - Count of products managed by software licensing: Displays a count of products that have their licenses managed by the Software Licensing Service.

License 04B - Computers with a specific product managed by Software Licensing Service: Displays computers, managed by the Software Licensing Service, that include a specified product.

License 05A - Computers providing Key Management Service: Displays computers that act as Key Management Servers.

License 06A - Processor counts for per-processor licensed products: Displays the number of processors on computers using Microsoft products that support per-processor licensing.

License 06B - Computers with a specific product that supports per-processor licensing: Displays a list of computers where a specified Microsoft product that supports per-processor licensing is installed.

License 14A - Microsoft Volume Licensing reconciliation report: Displays reconciliation on software licenses acquired through Microsoft Volume License Agreement and the actual inventory count.

License 14B - List of Microsoft software inventory not found in MVLS: This report displays Microsoft software titles in use that aren't found in the Microsoft Volume License Agreement.

License 15A - General license reconciliation report: Displays reconciliation on general software licenses acquired and the actual inventory count.

License 15B - General license reconciliation report by computer: Displays computers that installed the licensed product with a specified version.

Software 01A - Summary of installed software in a specific collection: Displays a summary of installed software ordered by the number of instances found from inventory.

Software 02A - Product families for a specific collection: Displays the product families and the count of software in the family for a specified collection.

Software 02B - Product categories for a specific product family: Displays the product categories in a specified product family and the count of software within the category.

Software 02C - Software in a specific product family and category: Displays all software that is in the specified product family and category.

Software 02D - Computers with specific software installed: Displays all computers with specified software installed.

Software 02E - Installed software on a specific computer: Displays all software installed on a specified computer.

Software 03A - Uncategorized software: Displays the software that is either categorized as unknown or has no categorization.

Software 04A - Software configured to automatically run on computers: Displays a list of software configured to automatically run on computers.

Software 04B - Computers with specific software configured to automatically run: Displays all computers with specified software configured to automatically run.

Software 04C - Software configured to automatically run on a specific computer: Displays installed software configured to automatically run on a specified computer.

Software 05A - Browser Helper Objects: Displays the browser helper objects installed on computers in a specified collection.

Software 05B - Computers with a specific Browser Helper Object: Displays all of the computers with a specified browser helper object.

Software 05C - Browser Helper Objects on a specific computer: Displays all browser helper objects on the specified computer.

Software 06A - Search for installed software: This report provides a summary of installed software. It searches based on the following criteria: product name, publisher, or version.

Software 06B - Software by product name: Displays a summary of installed software based on a specified product name.

Software 07A - Recently used executable programs by the count of computers: Displays executable programs that users recently used. It also includes the count of computers on which users used the program. Software metering must be enabled for this site to view this report.

Software 07B - Computers that recently used a specified executable program: Displays the computers on which users recently used a specified executable program. This report requires that you enable the software metering client setting.

Software 07C - Recently used executable programs on a specified computer: Displays executable files that users recently used on a specified computer. This report requires that you enable the software metering client setting.

Software 08A - Recently used executable programs by the count of users: Displays executable programs that users recently used. It also includes a count of users that most recently used the program. This report requires that you enable the software metering client setting.

Software 08B - Users that recently used a specified executable program: Displays the users that most recently used a specified executable program. This report requires that you enable the software metering client setting.

Software 08C - Recently used executable programs by a specified user: Displays executable programs that the specified user used recently. This report requires that you enable the software metering client setting.

Software 09A - Infrequently used software: Displays software titles that users haven't used during a specified period of time.

Software 09B - Computers with infrequently used software installed: Displays computers with installed software that users haven't used for a specified period of time. The specified period of time is based on the value specified in the 'Software 09A - Infrequently used software' report.

Software 10A - Software titles with specific multiple custom labels defined: Displays software titles based on matching of all specified custom label criteria. Up to three custom labels can be selected to refine a software title search.

Software 10B - Computers with a specific custom-labeled software title installed: Displays all computers in this collection that have the specified custom-labeled software title installed.

Software 11A - Software titles with a specific custom label defined: Displays software titles based on matching of at least one of the specified custom label criteria.

Software 12A - Software titles without a custom label: Displays all software titles that don't have a custom label defined.

Software 14A - Search for software identification tag enabled software: Displays a count of installed software with a software identification tag enabled.

Software 14B - Computers with specific software identification tag enabled software installed: Displays all computers that have installed software with a specified software identification tag enabled.

Software 14C - Installed software identification tag enabled software on a specific computer: Displays all installed software with a specified software identification tag enabled on a specified computer.

Lifecycle 01A - Computers with a specific software product: View a list of computers on which a specified product is detected.

Lifecycle 02A - List of machines with expired products in the organization: View computers that have expired products on them. You can filter this report by product name.

Lifecycle 03A - List of expired products found in the organization: View details for products in your environment that have expired lifecycle dates.

Lifecycle 04A - General Product Lifecycle overview: View a list of product lifecycles. Filter the list by product name and days to expiration.

Lifecycle 05A - Product lifecycle dashboard: Starting in version 1810, this report includes similar information as the in-console dashboard.

Client push
The following four reports are listed under the Client Push category.

Report name: Description

Client push installation status details: Displays information about the client push installation process for all sites.

Client push installation status details for a specified site: Displays information about the client push installation process for a specified site.

Client push installation status summary: Displays a summary view of the client push installation status for all sites.

Client push installation status summary for a specified site: Displays a summary view of the client push installation status for a specified site.

Client status
The following seven reports are listed under the Client Status category.

Report name: Description

Client remediation details: Displays details of client remediation actions for a collection you specify.

Client remediation summary: Displays a summary of client remediation actions for a specified collection.

Client status history: Displays a historical view of overall client status in the site.

Client status summary: Displays the client check results of active clients for a given collection.

Client time to request policy: Displays the percentage of clients that requested policy at least once in the last 30 days. Each day represents a percentage of total clients that requested policy since the first day in the cycle.

Clients with failed client check details: Displays details about clients that client check failed for a specified collection.

Inactive clients details: Displays a detailed list of inactive clients for a given collection.

Company resource access

The following three reports are listed under the Company Resource Access category.

Report name: Description

Certificate issuance history: Displays the history of certificates issued by the certificate registration point to users and devices for the specified date range.

List of assets by certificate issuance status: Displays the devices or users in a specified certificate issuance state following the evaluation of a specified certificate profile.

List of assets with certificates nearing expiry: Displays the devices or users with certificates that expire on or before the specified date.

Compliance and settings management

The following 22 reports are listed under the Compliance and Settings Management category.

Report name: Description

Compliance history of a configuration baseline: Displays the history of the changes in compliance of a configuration baseline for the specified date range.

Compliance history of a configuration item: Displays the history of the changes in compliance of a configuration item for the specified date range.

Details of compliant rules of configuration items in a configuration baseline for an asset: Displays information about the rules evaluated as compliant for a specified configuration item for a specified device or user.

Details of conflicting rules of configuration items in a configuration baseline for an asset: Displays information about rules in a deployed configuration item that conflict with other rules. The other rules can be in the same or another deployed configuration item.

Details of errors of configuration items in a configuration baseline for an asset: Displays information about errors generated by a specified configuration item for a specified device or user.

Details of non-compliant rules of configuration items in a configuration baseline for an asset: Displays information about rules that were evaluated as noncompliant for a specified configuration item, for a specified device or user.

Details of remediated rules of configuration items in a configuration baseline for an asset: Displays information about rules that were remediated by a specified configuration item for a specified device or user.

List of assets by compliance state for a configuration baseline: Displays the devices or users in a specified compliance state following the evaluation of a specified configuration baseline.

List of assets by compliance state for a configuration item in a configuration baseline: Displays the devices or users in a specified compliance state following the evaluation of a specified configuration item.

List of noncompliant Apps and Devices for a specified user: Displays information about users and devices that have apps installed that aren't compliant with a policy you specified.

List of rules conflicting with a specified rule for an asset: Displays a list of rules that conflict with a specified rule for a deployed configuration item.

List of unknown assets for a configuration baseline: Displays a list of devices or users that haven't yet reported any compliance data for a specified configuration baseline.

List of unknown assets for a configuration item: Displays a list of devices or users that haven't yet reported any compliance data for a specified configuration item.

Rules and errors summary of configuration items in a configuration baseline for an asset: Displays a summary of the compliance state of the rules and any setting errors for a specified configuration item. The configuration item must be deployed to a device or user.

Summary compliance by configuration baseline: Displays a summary of the overall compliance of deployed configuration baselines in the hierarchy.

Summary compliance by configuration items for a configuration baseline: Displays a summary of the compliance of configuration items in a specified configuration baseline.

Summary compliance by configuration policies: Displays a summary of the compliance of configuration policies.

Summary compliance of a configuration baseline for a collection: Displays a summary of the overall compliance of a specified configuration baseline. The configuration item must be deployed to the specified collection.

Summary of Users who have Noncompliant Apps: Displays information about users that have apps installed that aren't compliant with a policy you specified.

Terms and Conditions acceptance: Displays Terms and Conditions items and which version each user has accepted.

Data warehouse
The following seven reports are listed under the Data warehouse category.

Report name: Description

Application Deployment: Historical: View details for application deployment for a specific application and machine.

Endpoint Protection and Software Update Compliance: Historical: View computers that are missing software updates.

General Hardware Inventory: Historical: View all hardware inventory for a specific machine.

General Software Inventory: Historical: View all software inventory for a specific machine.

Infrastructure Health Overview: Historical: Displays an overview of the health of your Configuration Manager infrastructure.

List of Malware Detected: Historical: View malware that has been detected in the organization.

Software Distribution Summary: Historical: A summary of software distribution for a specific advertisement and machine.

Device management
The following 37 reports are listed under the Device Management category.

NOTE
Configuration Manager version 2006 dropped support for Windows CE 7.0 as a client. Deprecation was announced with
version 1906.

Report name: Description

All corporate-owned mobile devices: Displays all corporate owned mobile devices.

All mobile device clients: Displays information about all mobile device clients. Devices that are managed by the Exchange Server connector aren't included.

Certificate issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy: Displays detailed information about certificate issues on mobile devices that are managed by the Configuration Manager client for Windows CE.

Client deployment failure for mobile devices that are managed by the Configuration Manager client for Windows CE: Displays detailed information about deployment failure for mobile devices that are managed by the Configuration Manager client for Windows CE.

Client deployment status details for mobile devices that are managed by the Configuration Manager client for Windows CE: Displays information about the status of mobile devices that are managed by the Configuration Manager client for Windows CE.

Client deployment success for mobile devices that are managed by the Configuration Manager client for Windows CE: Displays detailed information about deployment success for mobile devices that are managed by the Configuration Manager client for Windows CE.

Communication issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy: This report contains detailed information about communication issues on mobile devices that are managed by the Configuration Manager client for Windows CE.

Compliance status of default ActiveSync mailbox policy for the mobile devices that are managed by the Exchange Server connector: Displays a summary of the compliance status with the Default Exchange ActiveSync mailbox policy for the mobile devices managed by the Exchange Server connector.

Count of mobile devices by display configurations: This report displays the number of mobile devices by display settings.

Count of mobile devices by operating system: Displays the number of mobile devices by operating system.

Count of mobile devices by program memory: Displays the number of mobile devices by program memory.

Count of mobile devices by storage memory configurations: Displays the count of mobile devices by storage memory configurations.

Health information for mobile devices that are managed by the Configuration Manager client for Windows CE: Displays detailed health information for mobile devices that are managed by the Configuration Manager client for Windows CE.

Health summary for mobile devices that are managed by the Configuration Manager client for Windows CE: Displays health summary information for mobile devices that are managed by the Configuration Manager client for Windows CE.

Inactive mobile devices that are managed by the Exchange Server connector: Displays the mobile devices managed by the Exchange Server connector that haven't connected to an Exchange Server in a specified number of days.

List of devices by Health Attestation state: Displays a list of devices with attributes reported by Health Attestation Service.

List of Devices enrolled per user in Microsoft Intune: Displays all devices a user has enrolled with Microsoft Intune.

List of devices in a specific device category: Displays information for all devices within a specific device category.

Local client issues on mobile devices that are managed by the Configuration Manager client for Windows CE and that are not healthy: This report contains detailed information about local client issues on mobile devices that are managed by the Configuration Manager client for Windows CE.

Mobile device client information: Displays information about the mobile devices that have the Configuration Manager client installed. You can use this report to verify which mobile devices can successfully communicate with a management point.

Mobile device compliance details for the Exchange Server connector: Displays the mobile device compliance details for a default Exchange ActiveSync mailbox policy that is configured by using the Exchange Server connector.

Mobile devices by operating system: Displays the mobile devices by operating system.

Mobile devices that are jailbroken or a rooted device: Displays the mobile devices that are jailbroken or a rooted device.

Mobile devices that are unmanaged because they enrolled but failed to assign to a site: Displays the mobile devices that completed enrollment with Configuration Manager, have a certificate, but failed to complete site assignment.

Mobile devices with a specific amount of free program memory: Displays all mobile devices with their specified amount of free program memory.

Mobile devices with a specific amount of free removable storage memory: Displays all mobile devices with the specified amount of free removable memory.

Mobile devices with certificate renewal issues: Displays the enrolled mobile devices that failed to renew their certificate. If you don't renew the certificate before the expiry period, the mobile devices become unmanaged.

Mobile devices with low free program memory (less than specified KB free): Displays the mobile devices for which the program memory is lower than a specified size in KB.

Mobile devices with low free removable storage memory (less than specified KB free): Displays the mobile devices for which the removable storage memory is lower than a specified size in KB.

Number of devices enrolled per user in Microsoft Intune: Displays the users enabled for the Microsoft Intune subscription. It also shows the total number of devices enrolled for each user.

Pending retire and wipe request for mobile devices: Displays the wipe requests that are pending for mobile devices.

Recently enrolled and assigned mobile devices: Displays mobile devices that recently enrolled with Configuration Manager and successfully assigned to a site.

Recently wiped mobile devices: Displays the list of mobile devices that were recently successfully wiped.

Settings summary for mobile devices that are managed by the Exchange Server connector: Displays the number of mobile devices that apply the settings for each Default Exchange ActiveSync mailbox policy managed by the Exchange Server connector.

Windows RT Sideloading Keys Detailed Status: Displays detailed status information for a specified Windows RT sideloading key.

Windows RT Sideloading Keys Summary: Displays the status of Windows RT sideloading keys.

Driver management
The following 13 reports are listed under the Driver Management category.

All drivers
    Displays a list of all drivers.

All drivers for a specific platform
    Displays all drivers for a specified platform.

All drivers in a specific boot image
    Displays all drivers in a specified boot image.

All drivers in a specific category
    Displays all drivers in a specified category.

All drivers in a specific package
    Displays all drivers in a specified package.

Categories for a specific driver
    Displays categories for a specified driver.

Computers that failed to install drivers for a specific collection
    Displays computers that failed to install drivers for a specified collection.

Driver catalog matching report for a specific collection
    Displays the driver catalog matching report for a specified collection.

Driver catalog matching report for a specific computer
    Displays the driver catalog matching report for a specified computer.

Driver catalog matching report for a specific device on a specific computer
    Displays the driver catalog matching report for a specified device on a specified computer.

Driver catalog matching report for computers in a specific collection with a specific device
    Displays the driver catalog matching report for computers in a specified collection with a specified device.

Drivers that failed to install on a specific computer
    Displays drivers that failed to install on a specified computer.

Supported platforms for a specific Driver
    Displays supported platforms for a specified driver.

Endpoint Protection
The following six reports are listed under the Endpoint Protection category.

Antimalware activity report
    Displays an overview of antimalware activity.

Antimalware overall status and history
    Displays the antimalware overall status and history.

Computer malware details
    Displays details about a specified computer and the list of malware found on it.

Infected computers
    Displays a list of computers with a specified threat detected.

Top users by threats
    Displays the list of users with the highest number of detected threats.

User threat list
    Displays the list of threats found for a specified user account.

Hardware - CD-ROM
The following four reports are listed under the Hardware - CD-ROM category.

CD-ROM information for a specific computer
    Displays information about the CD-ROM drives on a specified computer.

Computers for a specific CD-ROM manufacturer
    Displays a list of computers that contain a CD-ROM drive made by a manufacturer you specify.

Count CD-ROM drives per manufacturer
    Displays the number of CD-ROM drives inventoried per manufacturer.

History - CD-ROM history for a specific computer
    Displays the inventory history for CD-ROM drives on a specified computer.

Hardware - Disk
The following eight reports are listed under the Hardware - Disk category.

Computers with a specific hard disk size
    Displays a list of computers that have hard disks of a specified size.

Computers with low free disk space (less than specified % free)
    Displays a list of computers in a specified collection that have less than the specified free disk space.

Computers with low free disk space (less than specified MB free)
    Displays a list of computers and disks where the disks are low on space. The amount of free space to check for is specified in MB.

Count physical disk configurations
    Displays the number of hard disks inventoried by disk capacity.

Disk information for a specific computer - Logical disks
    Displays summary information about the logical disks on a specified computer.

Disk information for a specific computer - Partitions
    Displays summary information about the disk partitions on a specified computer.

Disk information for a specific computer - Physical disks
    Displays summary information about the physical disks on a specified computer.

History - Logical disk space history for a specific computer
    Displays the inventory history for logical disk drives on a specified computer.

Hardware - General
The following five reports are listed under the Hardware - General category.

Computer information for a specific computer
    Displays summary information for a specified computer.

Computers in a specific workgroup or domain
    Displays a list of computers in a specified Workgroup or domain.

Inventory classes assigned to a specific collection
    Displays the inventory classes that are assigned to a specified collection.

Inventory classes enabled on a specific computer
    Displays the inventory classes that are enabled on a specified computer.

Windows AutoPilot Device Information
    Displays client device information that is needed for Windows AutoPilot registration.

Hardware - Memory
The following five reports are listed under the Hardware - Memory category.

Computers where physical memory has changed
    Displays a list of computers where the amount of RAM has changed since the last inventory cycle.

Computers with a specific amount of memory
    Displays a list of computers that have a specified amount of RAM (Total Physical Memory rounded to the nearest MB).

Computers with low memory (less than or equal to specified MB)
    Displays a list of computers that are low on memory. The amount of memory to check for is specified in MB.

Count memory configurations
    Displays the number of computers inventoried by amount of RAM.

Memory information for a specific computer
    Displays summary information about the memory on a specified computer.

Hardware - Modem
The following three reports are listed under the Hardware - Modem category.

Computers for a specific modem manufacturer
    Displays a list of computers that have a modem made by a specified manufacturer.

Count modems by manufacturer
    Displays the number of modems inventoried for each modem manufacturer.

Modem information for a specific computer
    Displays summary information about the modem on a specified computer.

Hardware - Network adapter
The following three reports are listed under the Hardware - Network Adapter category.

Computers with a specific network adapter
    Displays a list of computers that have a specified network adapter.

Count network adapters by type
    Displays the number of inventoried network adapter cards of each type.

Network adapter information for a specific computer
    Displays information about the network adapters installed on a specified computer.

Hardware - Processor
The following five reports are listed under the Hardware - Processor category.

Computers for a specific processor speed
    Displays a list of computers that have a processor of a specified speed.

Computers with fast processors (greater than or equal to a specified clock speed)
    Displays a list of computers that have processors with a speed that is faster than the specified speed.

Computers with slow processors (less than or equal to a specified clock speed)
    Displays a list of computers that have processors that run at or slower than a specified clock speed.

Count processor speeds
    Displays the number of computers inventoried by processor speed.

Processor information for a specific computer
    Displays information about the processors installed on a specified computer.

Hardware - SCSI
The following five reports are listed under the Hardware - SCSI category.

Computers with a specific SCSI card type
    Displays a list of computers that have a specified SCSI card installed.

Count SCSI card types
    Displays the number of inventoried SCSI cards by card type.

SCSI card information for a specific computer
    Displays information about the SCSI cards installed on a specified computer.

Hardware - Security
The following one report is listed under the Hardware - Security category.

Details of firmware states on devices
    Displays the details of the states of UEFI, SecureBoot, and TPM. Note: This report isn't in version 1810.

Hardware - Sound card
The following three reports are listed under the Hardware - Sound Card category.

Computers with a specific sound card
    Displays a list of computers that have a specified sound card.

Count sound cards
    Displays the number of computers inventoried by each sound card type.

Sound card information for a specific computer
    Displays summary information about the sound cards on a specified computer.

Hardware - Video card
The following three reports are listed under the Hardware - Video Card category.

Computers with a specific video card
    Displays a list of computers that have a specified video card.

Count video cards by type
    Displays a list of all of the video cards installed on computers. It also shows the number of each type of video card.

Video card information for a specific computer
    Displays summary information about the video cards installed on a specified computer.

Migration
The following five reports are listed under the Migration category.

Clients in exclusion list
    Displays clients that are excluded from migration.

Dependency on a Configuration Manager collection
    Displays the objects that depend on a collection of the source hierarchy.

Migration job properties
    This report shows the contents of the specified migration job.

Migration jobs
    This report shows the list of migration jobs.

Objects that failed to migrate
    Displays a list of objects that failed to migrate during the last attempt.

Network
The following six reports are listed under the Network category.

Count IP addresses by subnet
    Displays the number of IP addresses inventoried for each IP subnet.

IP - All subnets by subnet mask
    Displays a list of IP subnets and subnet masks.

IP - Computers in a specific subnet
    Displays a list of computers and IP information for a specified IP subnet.

IP - Information for a specific computer
    Displays summary information about IP on a specified computer.

IP - Information for a specific IP address
    Displays summary information about a specified IP address.

MAC - Computers for a specific MAC address
    Displays the computer name and IP address of computers that have the specified MAC address.

Operating system
The following 10 reports are listed under the Operating System category.

Computer operating system version history
    Displays the inventory history for the operating system on a specified computer.

Computers with a specific operating system
    Displays computers with a specified operating system.

Computers with a specific operating system and service pack
    Displays computers with a specified operating system and service pack.

Count operating system versions
    Displays the number of computers inventoried by operating system.

Count operating systems and service packs
    Displays the number of computers inventoried by operating system and service pack combinations.

Services - Computers running a specific service
    Displays a list of computers running a specified service.

Services - Computers running Remote Access Server
    Displays a list of computers running Remote Access Server.

Services - Services information for a specific computer
    Displays summary information about the services on a specified computer.

Windows Servicing details for a specific collection
    Displays general information about Windows servicing for a specific collection.

Windows Server computers
    Displays a list of computers that run Windows Server operating systems.

Power management
The following 18 reports are listed under the Power Management category.

Power Management - Computer activity
    Displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period.

Power Management - Computer activity by computer
    Displays a graph showing monitor, computer, and user activity for a specified computer on a specified date.

Power Management - Computer activity details
    Displays a list of the sleep and wake capabilities of computers in the specified collection for a specified date and time.

Power Management - Computer details
    Displays detailed information about the power capabilities, power settings, and power plans applied to a specified computer.

Power Management - Computer not reporting details
    Displays a list of computers not reporting any power activity for a specified date and time.

Power Management - Computers excluded
    Displays a list of computers excluded from the power plan.

Power Management - Computers with multiple power plans
    Displays a list of computers that have multiple, conflicting power settings applied.

Power Management - Energy consumption
    Displays the total monthly energy consumption (in kWh) for a specified collection over a specified time period.

Power Management - Energy consumption by day
    Displays the total energy consumption (in kWh) for a specified collection in the last 31 days.

Power Management - Energy cost
    Displays the total monthly energy consumption cost for a specified collection over a specified time period.

Power Management - Energy cost by day
    Displays the total energy consumption cost for a specified collection over the past 31 days.

Power Management - Environmental impact
    Displays a graph showing carbon dioxide (CO2) emissions generated by a specified collection over a specified time period.

Power Management - Environmental impact by day
    Displays a graph showing CO2 emissions generated by a specified collection over the past 31 days.

Power Management - Insomnia computer details
    Displays detailed information about computers that didn't sleep or hibernate within a specified time period.

Power Management - Insomnia report
    Displays a list of common causes that prevented computers from sleeping or hibernating. It also shows the number of computers affected by each cause over a specified time period.

Power Management - Power capabilities
    Displays the power management capabilities of computers in the specified collection.

Power Management - Power settings
    Displays an aggregated list of power settings used by computers in a specified collection.

Power Management - Power settings details
    Used to display further information about computers that were specified in the Power Management - Power settings report.

Replication traffic
The following 10 reports are listed under the Replication Traffic category.

Global Data Replication Traffic Per Link (line chart)
    Displays total global data replication traffic on a specified link for a specified number of days.

Global Data Replication Traffic Per Link (pie chart)
    Displays total global data replication traffic on a specified link for a specified number of days.

Hierarchy Replication Traffic By Link
    Displays total replication traffic for each link in the hierarchy for a specified number of days.

Hierarchy Top Ten Replication Groups Traffic Per Link (pie chart)
    Displays the replication traffic for the top 10 replication groups across the entire hierarchy identified by link.

Link Replication Traffic
    Displays total replication traffic for all data for a specified number of days.

Replication group traffic per link
    Displays the replication group network traffic over a specified database replication link for a specified number of days.

Site Data Replication Traffic Per Link (line chart)
    Displays total site data replication traffic on a specified link for a specified number of days.

Site Data Replication Traffic Per Link (pie chart)
    Displays total site data replication traffic on a specified link for a specified number of days.

Total Hierarchy Replication Traffic (line chart)
    Displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days.

Total Hierarchy Replication Traffic (pie chart)
    Displays hierarchy aggregate global and site data replication for each direction of every link for a specified number of days.

Site - Client information
The following 19 reports are listed under the Site - Client Information category.

Client assignment detailed status report
    Displays detailed information about client assignment status.

Client assignment failure details
    Displays detailed information about client assignment failures.

Client assignment status details
    Displays overview information about client assignment status.

Client assignment success details
    Displays detailed information about successfully assigned clients.

Client deployment failure report
    Displays detailed information for clients that have failed to deploy.

Client deployment status details
    Displays summary information for the status of client installations.

Client deployment success report
    Displays detailed information for clients that have successfully deployed.

Clients incapable of HTTPS communication
    Displays detailed information about each client that runs the HTTPS Communication Readiness Tool, and reports to be incapable of communicating over HTTPS.

Computers assigned but not installed for a particular site
    Displays a list of computers assigned to a specified site, but aren't reporting to that site.

Computers with a specific Configuration Manager client version
    Displays a list of computers running a specified version of the Configuration Manager client software.

Count of clients and protocol used for communication
    Displays a summary of the communication methods used by clients (HTTP or HTTPS).

Count of clients assigned and installed for each site
    Displays the number of computers assigned and installed for each site. Clients with a network location associated to multiple sites are only counted as installed if they're reporting to that site.

Count of clients capable of HTTPS communication
    Displays detailed information about each client that runs the HTTPS Communication Readiness Tool, and reports to be either capable or incapable of communicating over HTTPS.

Count of clients for each site
    Displays the number of Configuration Manager clients installed by site code.

Count of Configuration Manager clients by client versions
    Displays the number of computers discovered by Configuration Manager client version.

Problem details reported to the fallback status point for a specified collection
    Displays detailed information for issues reported by clients in a specified collection. These clients must have an assigned fallback status point.

Problem details reported to the fallback status point for a specified site
    Displays detailed information about issues reported by clients in a specified site. These clients must have an assigned fallback status point.

Summary of problems reported to the fallback status point
    Displays information about all the issues reported by clients. These clients must have an assigned fallback status point.

Summary of problems reported to the fallback status point for a specific collection
    Displays summary information for issues reported by clients in a specified collection. These clients must have an assigned fallback status point.

Site - Discovery and inventory information
The following 10 reports are listed under the Site - Discovery and Inventory Information category.

Clients that have not reported recently (in a specified number of days)
    Displays a list of clients that haven't reported discovery data, hardware inventory, or software inventory in a specified number of days.

Computers discovered by a specific site
    Displays a list of all computers that the specified site discovered. It also shows the date of the most recent discovery.

Computers discovered recently by discovery method
    Displays a list of computers that the site discovered within the specified number of days. It also lists the agents that discovered them. If multiple agents discovered a computer, it may appear more than once in the list.

Computers not discovered recently (in a specified number of days)
    Displays a list of computers that the site hasn't recently discovered. It also shows the number of days since the site discovered the computer.

Computers not inventoried recently (in a specified number of days)
    Displays a list of computers that the site hasn't recently inventoried. It also shows the last times the client inventoried the computer.

Computers that might share the same Configuration Manager unique identifier
    Displays a list of computers that have changed their names. A change in name is a possible symptom that a computer shares a Configuration Manager Unique Identifier with another computer.

Computers with duplicate MAC addresses
    Displays computers that share a MAC address.

Count computers in resource domains or workgroups
    Displays the number of computers in each resource domain or workgroup.

Discovery information for a specific computer
    Displays a list of the agents and sites that discovered a specified computer.

Inventory dates for a specific computer
    Displays the date and time inventory was last run on a specified computer.

Site - General
The following three reports are listed under the Site - General category.

Computers in a specific site
    Displays a list of client computers in a specified site.

Site status for the hierarchy
    Displays the list of sites in the hierarchy with site version and site status information.

Status of Configuration Manager update within hierarchy
    Displays information about Configuration Manager site updates for the hierarchy.

Site - Server information
The following one report is listed under the Site - Server Information category.

Site system roles and site system servers for a specific site
    Displays a list of site system servers and their site system roles for a specified site.

Software - Companies and products
The following 15 reports are listed under the Software - Companies and Products category.

All inventoried products for a specific software company
    Displays a list of the inventoried software products and versions from a specified software company.

All software companies
    Displays a list of all companies manufacturing inventoried software.

All Windows apps
    Displays a summary of installed Windows apps. It searches using the following criteria: application name, architecture, or publisher.

Computers with a specific product
    Displays a list of the computers that a specified product is inventoried on, and the versions of that product.

Computers with a specific product name and version
    Displays a list of the computers that a specified version of a product is inventoried on.

Computers with specific software registered in Add Remove Programs
    Displays a summary of all computers with specified software registered in Add Remove Programs or Programs and Features.

Count all inventoried products and versions
    Displays a list of the inventoried software products and versions, and the number of computers each is installed on.

Count inventoried products and versions for a specific product
    Displays a list of the inventoried versions of a specified product, and the number of computers each is installed on.

Count of all instances of software registered with Add or Remove Programs
    Displays a summary of all instances of software installed and registered with Add or Remove Programs or Programs and Features on computers within the specified collection.

Count of instances of specific software registered with Add or Remove Programs
    Displays a count of instances for specified software packages installed and registered in Add or Remove Programs or Programs and Features.

Default Browser counts
    Shows the count of clients with a specific web browser as the Windows default. Use the following reference for common BrowserProgIDs:
    - AppXq0fevzme2pys62n3e0fbqa7peapykr8v: Microsoft Edge
    - IE.HTTP: Microsoft Internet Explorer
    - ChromeHTML: Google Chrome
    - OperaStable: Opera Software
    - FirefoxURL-308046B0AF4A39CB: Mozilla Firefox
    - Unknown: the client OS doesn't support the query, the query hasn't run, or a user hasn't logged on

Installations of specified Windows apps
    This report lists all computers with a specified Windows app.

Products on a specific computer
    Displays a summary of the inventoried software products and their manufacturers on a specified computer.

Software registered in Add Remove Programs on a specific computer
    Displays a summary of the software installed on a specified computer that is registered in Add Remove Programs or Programs and Features.

Windows apps installed to the specified user
    Displays all Windows apps installed to the specified user.

Software - Files
The following five reports are listed under the Software - Files category.

All inventoried files for a specific product
    Displays a summary of the files inventoried that are associated with a specified software product.

All inventoried files on a specific computer
    Displays a summary of all the files inventoried on a specified computer.

Compare software inventory on two computers
    Displays the differences between the software inventories reported for two specified computers.

Computers with a specific file
    Displays a list of computers that have collected software inventory for a specified file name. If a computer contains multiple copies of the file, it might appear more than once in the list.

Count computers with a specific file name
    Displays the number of computers that have collected software inventory for a specified file.

Software distribution - Application monitoring
The following 10 reports are listed under the Software Distribution - Application Monitoring category.

All application deployments (advanced)
    Displays detailed summary information for all application deployments.

All application deployments (basic)
    Displays summary information for all application deployments.

Application compliance
    Displays compliance information for the specified application within the specified collection.

Application deployments per asset
    Displays applications deployed to a specified device or user.

Application infrastructure errors
    Displays application infrastructure errors. These errors include internal infrastructure issues, or errors resulting from invalid requirement rules.

Application Usage Detailed Status
    Displays usage details for installed applications.

Application Usage Summary Status
    Displays a usage summary for installed applications.

Task sequence deployments containing application
    Displays task sequence deployments that install a specified application.

Software distribution - Collections
The following three reports are listed under the Software Distribution - Collections category.

All collections
    Displays all the collections in the hierarchy.

All resources in a specific collection
    Displays all the resources in a specified collection.

Maintenance windows available to a specified client
    Displays all maintenance windows that are applicable to the specified client.

Software distribution - Content
The following 16 reports are listed under the Software Distribution - Content category.

All active content distributions
    Displays all distribution points on which content is currently being installed or removed.

All content
    Displays all applications and packages at a site.

All content on a specific distribution point
    Displays all content currently installed on a specified distribution point.

All distribution points
    Displays information about the distribution points for each site.

All status messages for a specific package on a specific distribution point
    Displays all status messages for a specified package on a specified distribution point.

Application content distribution status
    Displays information about the distribution status for application content.

Applications targeted to distribution point group
    Displays information about application content that was deployed to a specified distribution point group.

Applications that are out of synchronization on a specified distribution point group
    Displays the applications for which associated content files haven't been updated with the latest version on a specified distribution point group.

Distribution point group
    Displays information about a specified distribution point group.

Distribution point usage summary
    Displays the distribution point usage summary for each distribution point.

Distribution status of specified package
    Displays the distribution status for specified package content on each distribution point.

Packages targeted to distribution point group
    Displays information about packages that target a specified distribution point group.

Packages that are out of synchronization on a specified distribution point group
    Displays packages for which associated content files haven't been updated with the latest version on a specified distribution point group.

Peer cache source content rejection
    Displays the number of peer cache source rejections per boundary group.

Peer cache source content rejection by condition
    Displays the peer cache sources that declined to serve content based on a condition.

Peer cache source content rejection details
    Displays the name of the content that was rejected by a peer source.

Software distribution - Package and program deployment
The following five reports are listed under the Software Distribution - Package and Program Deployment category.

All deployments for a specified package and program
    Displays information about all deployments of a specified package and program.

All package and program deployments
    Displays all of the package and program deployments at this site.

All package and program deployments to a specified collection
    Displays all of the package and program deployments to a specified collection.

All package and program deployments to a specified computer
    Displays all of the package and program deployments that apply to a specified computer.

All package and program deployments to a specified user
    Displays all of the package and program deployments to a specified user.

Software distribution - Package and program deployment status
The following five reports are listed under the Software Distribution - Package and Program Deployment Status category.

All system resource package and program deployments with status
    Displays all package and program deployments for the site with a summary status of each deployment.

All system resources for a specified package and program deployment in a specified state
    Displays a list of resources that are in a specified state for a specified package and program deployment.

Chart - Hourly package and program deployment completion status
    Displays the percentage of computers that successfully installed the package, organized by each hour since an administrator created the package and program deployment. It can be used to track the average time for a package and program deployment.

Package and program deployment status for a specified client and deployment
    Displays the status messages reported for a specified computer and package and program deployment.

Status of a specified package and program deployment
    Displays the status summary for a specified package and program deployment.

Software metering
The following 13 reports are listed under the Software Metering category.

All software metering rules applied to this site: Displays a list of all software metering rules at the site.
Computers that have a metered program installed but haven't run the program since a specified date: Displays all computers with the specified metered application, but no user has run the program since the specified date.
Computers that have run a specific metered software program: Displays a list of computers that have run programs matching the specified software metering rule within the specified month and year.
Concurrent usage for all metered software programs: Displays the maximum number of users who concurrently ran each metered software program during the specified month and year.
Concurrent usage trend analysis of a specific metered software program: Displays the maximum number of users who concurrently ran the specified metered software program during each month for the past year.
Install base for all metered software programs: Displays the number of computers that have metered software programs installed as reported by software inventory. This report requires that the computer collects software inventory.
Software metering summarization progress: Displays the time at which the most recently summarized metering data was processed on the site server. The software metering reports only reflect metering data processed before these dates.
Time of day usage summary for a specific metered software program: Displays the average number of usages of a particular program for the past 90 days, broken down by hour and day.
Total usage for all metered software programs: Displays the number of users who ran programs within the specified month and year, and that match each software metering rule. These rules are for locally installed software, or using Terminal Services.
Total usage for all metered software programs on Windows Terminal Servers: Displays the number of users who ran programs matching each software metering rule using Terminal Services within the specified month and year.
Total usage trend analysis for a specific metered software program: Displays the number of users who ran programs during each month for the past year, and that match the specified software metering rule. These rules are for locally installed software, or using Terminal Services.
Total usage trend analysis for a specific metered software program on Windows Terminal Servers: Displays the number of users who ran programs during each month for the past year, and that match the specified software metering rule. These rules are for using Terminal Services.
Users that have run a specific metered software program: Displays a list of users who have run programs within the specified month and year, and that match the specified software metering rule.

Software updates - A Compliance
The following eight reports are listed under the Software Updates - A Compliance category.

Compliance 1 - Overall compliance: Displays the overall compliance data for a software update group.
Compliance 2 - Specific software update: Displays the compliance data for a specified software update.
Compliance 3 - Update group (per update): Displays the compliance data for software updates defined in a software update group.
Compliance 4 - Updates by vendor month year: Displays the compliance data for software updates released by a vendor during a specified month and year.
Compliance 5 - Specific computer: This report returns the software update compliance data for a specified computer. To limit the amount of information returned, you can specify the vendor and software update classification.
Compliance 6 - Specific software update states (secondary): Displays the count and percentage of computers in each compliance state for the specified software update.
Compliance 7 - Computers in a specific compliance state for an update group (secondary): Displays all computers in a collection that have a specified overall compliance state against a software update group.
Compliance 8 - Computers in a specific compliance state for an update (secondary): Displays all computers in a collection that have a specified compliance state for a software update.
Compliance 9 - Overall health and compliance: Displays the overall health and compliance data for a software update group. (starting in version 1806)

Software updates - B Deployment management
The following eight reports are listed under the Software Updates - B Deployment Management category.

Management 1 - Deployments of an update group: Displays all deployments that include all of the software updates defined in a specified software update group.
Management 2 - Updates required but not deployed: Displays all vendor-specific software updates that clients detect as required, but an administrator hasn't deployed to a specified collection.
Management 3 - Updates in a deployment: Displays the software updates that are contained in a specified deployment.
Management 4 - Deployments that target a collection: Displays all software update deployments that target a specified collection.
Management 5 - Deployments that target a computer: Displays all software update deployments that are deployed to a specified computer.
Management 6 - Deployments that contain a specific update: Displays all deployments that include a specified software update and the associated target collection for the deployment.
Management 7 - Updates in a deployment missing content: Displays the software updates in a specified deployment that don't have all of the associated content retrieved. This state prevents clients from installing the update, which prevents the deployment from achieving 100% compliance.
Management 8 - Computers missing content (secondary): Displays all computers requiring the specified software update, but the associated content isn't yet distributed to a distribution point.

Software updates - C Deployment states
The following six reports are listed under the Software Updates - C Deployment States category.

States 1 - Enforcement states for a deployment: Displays the enforcement states for a specified software update deployment, which is typically the second phase of a deployment assessment.
States 2 - Evaluation states for a deployment: Displays the evaluation state for a specified software update deployment, which is typically the first phase of a deployment assessment.
States 3 - States for a deployment and computer: Displays the states for all software updates in the specified deployment for a specified computer.
States 4 - Computers in a specific state for a deployment (secondary): Displays all computers in a specified state for a software update deployment.
States 5 - States for an update in a deployment (secondary): Displays a summary of states for a specified software update targeted by a specified deployment.
States 6 - Computers in a specific enforcement state for an update (secondary): Displays all computers in a specified enforcement state for a specified software update.

Software updates - D Scan
The following four reports are listed under the Software Updates - D Scan category.

Scan 1 - Last scan states by collection: Specify a collection to display the count of computers in each compliance scan state. The clients return the state during the last compliance scan.
Scan 2 - Last scan states by site: Specify a site to display the count of computers in each compliance scan state. The clients return the state during the last compliance scan.
Scan 3 - Clients of a collection reporting a specific state (secondary): Displays all computers for a specified collection and a specified compliance scan state during their last compliance scan.
Scan 4 - Clients of a site reporting a specific state (secondary): Specify a site to display all computers with a specified compliance scan state. The clients return the state during their last compliance scan.

Software updates - E Troubleshooting
The following four reports are listed under the Software Updates - E Troubleshooting category.

Troubleshooting 1 - Scan errors: Displays scan errors at the site and a count of computers that are experiencing each error.
Troubleshooting 2 - Deployment errors: Displays the deployment errors at the site and a count of computers that are experiencing each error.
Troubleshooting 3 - Computers failing with a specific scan error (secondary): Displays a list of the computers that failed a scan because of a specified error.
Troubleshooting 4 - Computers failing with a specific deployment error (secondary): Displays a list of the computers on which the deployment of an update is failing because of a specified error.

State migration
The following three reports are listed under the State Migration category.

State migration information for a specific source computer: Displays state migration information for a specified computer.
State migration information for a specific state migration point: Displays state migration information for a specified state migration point.
State migration points for a specific site: Displays the state migration points for a specified site.

Status messages
The following 12 reports are listed under the Status Messages category.

All messages for a specific message ID: Displays a list of status messages that have a specified message ID.
Clients reporting errors in the last 12 hours for a specific site: Displays a list of computers and components reporting errors in the last 12 hours, and the number of errors reported.
Component messages for the last 12 hours: Displays a list of component messages for the last 12 hours for a specified site code, computer, and component.
Component messages for the last hour: Displays a list of the status messages created in the last hour by a specified component on a specified computer at a specified site.
Count component messages for the last hour for a specific site: Displays the number of status messages by component and severity reported in the last hour at a specified site.
Count errors in the last 12 hours: Displays the number of server component error status messages in the last 12 hours.
Fatal errors (by component): Displays a list of computers reporting fatal errors by component.
Fatal errors (by computer name): Displays a list of computers reporting fatal errors by computer name.
Last 1000 messages for a specific computer (Errors and Warnings): Displays a summary of the last 1000 error and warning component status messages for a specified computer.
Last 1000 messages for a specific computer (Errors Warnings and Information): Displays a summary of the last 1000 error, warning, and informational component status messages for a specified computer.
Last 1000 messages for a specific computer (Errors): Displays a summary of the last 1000 error server component status messages for a specified computer.
Last 1000 messages for a specific server component: Displays a summary of the most recent 1000 status messages for a specified server component.

Status messages - Audit
The following three reports are listed under the Status Messages - Audit category.

All audit messages for a specific user: Displays a summary of all audit status messages for a specified user. Audit messages describe actions taken in the Configuration Manager console that add, modify, or delete objects in Configuration Manager.
Remote Control - All computers remote controlled by a specific user: Displays a summary of status messages indicating remote control of client computers by a specified user.
Remote Control - All remote control information: Displays a summary of status messages related to the remote control of client computers.

Task sequence - Deployment status
The following 11 reports are listed under the Task Sequence - Deployment Status category.

All system resources for a task sequence deployment in a specific state: Displays a list of the destination computers for the specified task sequence deployment in a specified deployment state.
All system resources for a task sequence deployment that is in a specific state and that is available to unknown computers: Displays a list of the destination computers for the specified task sequence deployment that is in the specified deployment state.
Count of system resources that have task sequence deployments assigned but not yet run: Displays the number of computers that have accepted task sequences, but haven't run the task sequence.
History of a task sequence deployment on a computer: Displays the status of each step of the specified task sequence deployment on the specified destination computer. If no record is returned, the task sequence hasn't started on the computer.
List of computers that exceeded a specific length of time to run a task sequence deployment: Displays the list of destination computers that exceeded the specified length of time to run a task sequence.
Run time for a specific task sequence deployment on a specific destination computer: Displays the total time that it took to successfully complete a specified task sequence on a specified computer.
Run time for each step of a task sequence deployment on a specific destination computer: Displays the time that it took to complete each step of the specified task sequence deployment on the specified destination computer.
Status of a specific task sequence deployment for a specific computer: Displays the status summary of a specified task sequence deployment on a specified computer.
Status of a task sequence deployment on an unknown destination computer: Displays the status of the specified task sequence deployment on the specified unknown destination computer.
Status summary of a specific task sequence deployment: Displays a status summary of all resources that have been targeted by a deployment.
Status summary of a specific task sequence deployment available to unknown computers: Displays the status summary of all resources targeted by the specified deployment that is available to a collection containing unknown computers.

Task sequence - Deployments
The following 11 reports are listed under the Task Sequence - Deployments category.

All system resources currently in a specific group or phase of a specific task sequence deployment: Displays a list of computers that are currently running in a specified group or phase of a specified task sequence deployment.
All system resources where a task sequence deployment failed within a specific group or phase: Displays a list of computers that failed within a specified group/phase of the specified task sequence deployment.
All task sequence deployments: Displays details of all task sequence deployments initiated from the current site.
All task sequence deployments available to unknown computers: Displays details of all the task sequence deployments initiated from the site, and deployed to collections that contain unknown computers.
Count of failures in each phase or group of a specific task sequence: Displays the number of failures in each phase or group of the specified task sequence.
Count of failures in each phase or group of a specific task sequence deployment: Displays the number of failures in each phase or group of the specified task sequence deployment.
Deployment status of all task sequence deployments: Displays the overall progress of all task sequence deployments.
Progress of a running task sequence: Displays the progress of the specified task sequence.
Progress of a running task sequence deployment: Displays the summary information for the specified task sequence deployment.
Progress of all deployments for a specific task sequence: Displays the progress of all deployments for the specified task sequence.
Summary report for a task sequence deployment: Displays the summary information for the specified task sequence deployment.

Task sequence - Progress
The following five reports are listed under the Task Sequence - Progress category.

Chart - Weekly progress of a task sequence: Displays the weekly progress of a task sequence, starting from the deployment date.
Progress of a task sequence: Displays the progress of the specified task sequence.
Progress of all task sequences: Displays a summary of the progress of all task sequences.
Progress of task sequences for operating system deployments: Displays the progress of all task sequences that deploy operating systems.
Status of all unknown computers: Displays a list of computers that were unknown at the time they ran a task sequence deployment, and whether they're now known computers.

Task sequences - References
The following one report is listed under the Task Sequences - References category.

Content referenced by a specific task sequence: Displays content that is referenced by a specified task sequence.

User - Device affinity
The following two reports are listed under the User - Device Affinity category.

Pending user device affinity associations by collection: This report shows all pending user device affinity assignments based on usage data, for members of a collection.
User device affinity associations per collection: Displays all user device associations for the specified collection, and groups the results by collection type (for example, user or device).

User data and profiles health
The following four reports are listed under the User Data and Profiles Health category.

Folder Redirection Health Report - Details: Displays the health state details of folder redirection for each of the redirected folders for a given user.
Roaming User Profiles Health Report - Details: Displays the health state details of the roaming user profile for a specified user.
User Data and Profiles Health Report - Details: Displays the error or warning details of folder redirection or roaming user profiles. This report is the details target from the summary report.
User Data and Profiles Health Report - Summary: Displays the summary of health states for folder redirection and roaming user profiles.

Users
The following three reports are listed under the Users category.

Computers for a specific user name: Displays a list of the computers that were used by a specified user.
Count users by domain: Displays the number of users in each domain.
Users in a specific domain: Displays a list of users and their computers in a specified domain.

Virtual applications
The following seven reports are listed under the Virtual Applications category.

App-V Virtual Environment Results: Displays information about a specified virtual environment that is in a specified state for a specified collection.
App-V Virtual Environment Results For Asset: Displays information about a specified virtual environment for a specified asset. It also shows any deployment types for the specified virtual environment.
App-V Virtual Environment Status: Displays compliance information for a specified virtual environment for a specified collection.
Computers with a specific virtual application: Displays a summary of computers that have the specified App-V application shortcut as created using the Application Virtualization Management Sequencer.
Computers with a specific virtual application package: Displays a summary of computers that have the specified App-V application package.
Count of all instances of virtual application packages: Displays a count of detected App-V application packages.
Count of all instances of virtual applications: Displays a count of detected App-V applications.

Vulnerability assessment
The following one report is listed under the Vulnerability Assessment category.

Vulnerability Assessment Overall Report: Identifies security, administrative, and compliance vulnerabilities for a specific computer.

Wake On LAN
The following seven reports are listed under the Wake On LAN category.

All computers targeted for Wake On LAN activity: Specify the type of deployment to display a list of computers targeted for Wake On LAN activity.
All objects pending wake-up activity: Displays objects that are scheduled for wake-up.
All sites that are enabled for Wake On LAN: Displays a list of all sites in the hierarchy that are enabled for Wake On LAN.
Errors received while sending wake-up packets for a defined period: Displays errors received while sending wake-up packets to computers for a defined period.
History of Wake On LAN activity: Displays a history of the wake-up activity that has occurred since a certain period.
Wake-Up Proxy Deployment State Details: Displays information about the deployment status of Wake-Up Proxy for each device in a specified collection.
Wake-Up Proxy Deployment State Summary: Displays a summary of the deployment status of wake-up proxy for a specified collection.

Configure reporting in Configuration Manager
2/16/2022 • 14 minutes to read

Applies to: Configuration Manager (current branch)


Before you can create, modify, and run reports in the Configuration Manager console, there are several configuration tasks to complete. Use this article to help you configure reporting in your Configuration Manager hierarchy.

Before you install and configure SQL Server Reporting Services in your hierarchy, review the following Configuration Manager reporting articles:
- Introduction to reporting
- Plan for reporting

SQL Server Reporting Services

SQL Server Reporting Services is a server-based reporting platform that provides comprehensive reporting functionality for different kinds of data sources. The reporting services point in Configuration Manager communicates with SQL Server Reporting Services to:
- Copy Configuration Manager reports to a specified report folder
- Configure Reporting Services settings
- Configure Reporting Services security settings

When you run a report, the Reporting Services component connects to the Configuration Manager site database to retrieve data.

Before you can install the reporting services point in a Configuration Manager site, install and configure SQL Server Reporting Services on the target site system. For more information, see Install SQL Server Reporting Services.
Verify SQL Server Reporting Services installation
Use the following procedure to verify that SQL Server Reporting Services is installed and running correctly.
1. Go to the Start menu on the site system, and open Report Server Configuration Manager. You may find it in the Configuration Tools section of the Microsoft SQL Server group.
2. In the Reporting Services Configuration Connection window, enter the name of the server that hosts SQL Server Reporting Services. Select the instance of SQL Server on which you installed SQL Server Reporting Services. Then select Connect to open Reporting Services Configuration Manager.
3. On the Report Server Status page, verify that Report Service Status is Started. If it's not in this state, select Start.
4. On the Web Service URL page, select the URL in Report Service Web Service URLs. This action tests the connection to the report folder. The browser might prompt you for credentials. Verify that the webpage opens successfully.
5. On the Database page, verify that the Report Server Mode is set to Native.
6. On the Report Manager URL page, select the URL in Report Manager Site Identification. This action tests the connection to the virtual directory for Report Manager. The browser might prompt you for credentials. Verify that the webpage opens successfully.

NOTE
Reporting in Configuration Manager doesn't require Reporting Services Report Manager. You only need it if you want to run reports in the browser or manage reports by using Report Manager.

7. Select Exit to close Reporting Services Configuration Manager.
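
The same checks can be scripted so the result is recorded before the reporting services point is installed. The following is an added PowerShell example, not part of the Configuration Manager documentation. It reads the Reporting Services WMI provider and reports, for each SSRS instance on the host, whether the Windows service is started (step 3), the report server mode is Native (step 5), the report server database is initialized, and the Report Service Web Service URL answers (step 4). Assumptions: it runs on the site system that hosts SSRS under an account with read access to WMI; the namespace layout root\Microsoft\SqlServer\ReportServer\RS_<instance>\v<n>\Admin and the class MSReportServer_ConfigurationSetting are SSRS's native-mode WMI provider; the web service is assumed to listen over HTTP on this host, and the $Scheme parameter switches the test to HTTPS.

```powershell
# Added example (not from the Configuration Manager docs): scripted SSRS readiness checks.
# Assumptions: run on the SSRS host with WMI read access; native-mode SSRS exposes its
# settings under root\Microsoft\SqlServer\ReportServer\RS_<instance>\v<n>\Admin.

function Get-SsrsConfigurationSetting {
    # Enumerate every RS_<instance>\v<n>\Admin namespace and return its configuration object.
    $root = 'root\Microsoft\SqlServer\ReportServer'
    foreach ($inst in Get-CimInstance -Namespace $root -ClassName __NAMESPACE -ErrorAction Stop) {
        foreach ($ver in Get-CimInstance -Namespace "$root\$($inst.Name)" -ClassName __NAMESPACE) {
            $ns = "$root\$($inst.Name)\$($ver.Name)\Admin"
            Get-CimInstance -Namespace $ns -ClassName MSReportServer_ConfigurationSetting `
                -ErrorAction SilentlyContinue
        }
    }
}

function Test-SsrsForReportingServicesPoint {
    param(
        [Parameter(Mandatory)] $Config,
        [string] $Scheme = 'http'   # assumption: HTTP binding; use 'https' if SSRS is bound to TLS
    )
    $checks = [ordered]@{}

    # Step 3: Report Service Status must be Started
    $svc = Get-Service -Name $Config.ServiceName -ErrorAction SilentlyContinue
    $checks['ServiceStarted'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Step 5: Report Server Mode must be Native, not SharePoint integrated
    $checks['NativeMode'] = -not [bool]$Config.IsSharePointIntegrated

    # The report server database must be created and connected for this instance
    $checks['DatabaseInitialized'] = [bool]$Config.IsInitialized

    # Step 4: the Report Service Web Service URL must answer. The browser may prompt for
    # credentials; -UseDefaultCredentials sends the current Windows identity instead.
    $url = '{0}://{1}/{2}' -f $Scheme, $env:COMPUTERNAME, $Config.VirtualDirectoryReportServer
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        $checks['WebServiceReachable'] = ($resp.StatusCode -eq 200)
    } catch {
        $checks['WebServiceReachable'] = $false
    }

    [pscustomobject]@{
        Instance        = $Config.InstanceName
        Version         = $Config.Version
        WebServiceUrl   = $url
        # The account running Reporting Services; the install procedure requires it to be a
        # member of Windows Authorization Access Group.
        ServiceIdentity = $Config.WindowsServiceIdentityActual
        Checks          = $checks
        AllPassed       = -not ($checks.Values -contains $false)
    }
}

# Usage: one result object per SSRS instance found on this host
Get-SsrsConfigurationSetting | ForEach-Object { Test-SsrsForReportingServicesPoint -Config $_ }
```

Report Manager (step 6) is deliberately not tested, since the NOTE above says Configuration Manager reporting doesn't need it.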

Configure reporting to use Report Builder 3.0

1. On the computer running the Configuration Manager console, open the Windows Registry Editor.
2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Reporting.
3. Open the ReportBuilderApplicationManifestName key to edit the value data.
4. Change the value to ReportBuilder_3_0_0_0.application, and then select OK to save.
5. Close the Windows Registry Editor.
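
The same edit done from an elevated PowerShell session on the console computer, as an added example that is not part of the Configuration Manager documentation. It records the current value before changing it and reads the value back afterwards, so the change is reversible and can be confirmed. The key, value name and data are those given in steps 2 to 4; the backup file path under $env:TEMP is an assumption.

```powershell
# Added example (not from the Configuration Manager docs): set the Report Builder manifest
# value from steps 2-4 above, keeping the previous data and verifying the write.

$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\Reporting'
$ValueName = 'ReportBuilderApplicationManifestName'
$NewData   = 'ReportBuilder_3_0_0_0.application'

function Set-ReportBuilderManifest {
    param(
        [string] $Path = $KeyPath,
        [string] $Name = $ValueName,
        [string] $Data = $NewData,
        [string] $BackupFile = "$env:TEMP\ReportBuilderManifest.previous.txt"   # assumption
    )
    if (-not (Test-Path $Path)) {
        throw "Registry key $Path not found; is the Configuration Manager console installed here?"
    }

    # Record the current data before changing it, so the edit is reversible and auditable
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    "$(Get-Date -Format o) $Name was: $current" | Add-Content -Path $BackupFile

    if ($current -eq $Data) {
        return [pscustomobject]@{ Changed = $false; Previous = $current; Current = $current }
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Data -Type String

    # Read the value back rather than trusting the write
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    [pscustomobject]@{ Changed = ($after -eq $Data); Previous = $current; Current = $after }
}

Set-ReportBuilderManifest
```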

Install a reporting services point

To manage reports at the site, install the reporting services point. The reporting services point:
- Copies report folders and reports to SQL Server Reporting Services
- Applies the security policy for the reports and folders
- Sets configuration settings in Reporting Services

Requirements and limitations
- Before you can view or manage reports in the Configuration Manager console, you need a reporting services point. Configure this site system role on a server with Microsoft SQL Server Reporting Services. For more information, see Prerequisites for reporting.
- When you select a site to install the reporting services point, users who will access the reports must be in the same security scope as the site where you install the role.
- After you install a reporting services point on a site system, don't change the URL for the report server. For example, you create the reporting services point. You then modify the URL for the report server in Reporting Services Configuration Manager. The Configuration Manager console continues to use the old URL. You can't run, edit, or create reports from the console.
  If you need to change the report server URL, first remove the existing reporting services point. Change the URL, and then reinstall the reporting services point.
- When you install a reporting services point, specify a Reporting services point account. For users from a different domain to run a report, create a two-way trust between domains. Otherwise the report fails to run.
Install the reporting services point on a site system
For more information about configuring site systems, see Install site system roles.
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and then select the Servers and Site System Roles node.
2. Add the reporting services point to a new or existing site system server:
   - New site system: On the Home tab of the ribbon, in the Create group, select Create Site System Server. The Create Site System Server Wizard opens.
   - Existing site system: Select the target server. On the Home tab of the ribbon, in the Server group, select Add Site System Role. The Add Site System Roles Wizard opens.
3. On the General page, specify the general settings for the site system server. When you add the reporting services point to an existing server, verify the values that you previously configured.
4. On the System Role Selection page, select Reporting services point in the list of available roles, and then select Next.
5. On the Reporting services point page, configure the following settings:
   - Site database server name: Specify the name of the server that hosts the Configuration Manager site database. The wizard typically retrieves the fully qualified domain name (FQDN) for the server. To specify a database instance, use the format <server name>\<instance name>. For example, sqlserver\named1.
   - Database name: Specify the Configuration Manager site database name. Select Verify to confirm that the wizard has access to the site database.

     IMPORTANT
     The user account you use to create the reporting services point must have Read access to the site database. If the connection test fails, a red warning icon appears. Contextual hover text on the icon has the details of the failure. Correct the failure, and then select Test again.

   - Folder name: Specify the folder name to create and use for Configuration Manager reports in Reporting Services.
   - Reporting Services server instance: Select the instance of SQL Server for Reporting Services. If this page doesn't list any instances, verify that SQL Server Reporting Services is installed, configured, and started.

     IMPORTANT
     Configuration Manager makes a connection in the context of the current user to WMI on the selected site system. It uses this connection to retrieve the instance of SQL Server for Reporting Services. The current user must have Read access to WMI on the site system, or the wizard can't get the Reporting Services instances.

   - Reporting services point account: Select Set, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. Select Existing account to specify a Windows user account that you previously configured as a Configuration Manager account. Select New account to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database.
     The account that runs Reporting Services must belong to the domain local security group Windows Authorization Access Group. This grants the account Allow Read permissions on the tokenGroupsGlobalAndUniversal attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports.
     The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password.

     IMPORTANT
     The account that you specify must have the Log on locally permission on the server that hosts the Reporting Services database.

6. Complete the wizard.


After the wizard completes, Configuration Manager creates the report folders in Reporting Services. It then
copies its reports to the specified report folders.

TIP
To list only site systems that host the reporting services point site role, right-click Servers and Site System Roles, and select Reporting services point.
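
The two account requirements stated in step 5 (membership in the domain local group Windows Authorization Access Group for the account that runs Reporting Services, and the Log on locally permission on the server that hosts the Reporting Services database) can be checked before the wizard is run. The following is an added PowerShell example, not part of the Configuration Manager documentation. Assumptions: it runs on the server that hosts the Reporting Services database, as a domain user who is allowed to export the local security policy with secedit; the account name CONTOSO\svc-ssrp is a constructed placeholder; group membership is evaluated with nested groups included, because both the group check and the user-rights check are decided on SIDs in the account's token.

```powershell
# Added example (not from the Configuration Manager docs): pre-flight checks for the account
# requirements in step 5. CONTOSO\svc-ssrp below is a constructed placeholder.

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-AccountAuthorizationGroups {
    # Returns the account's own SID plus the SIDs and names of every group it belongs to,
    # nested groups included: the set Windows evaluates for membership and user rights.
    param([Parameter(Mandatory)][string] $Account)   # DOMAIN\sAMAccountName
    $domain, $sam = $Account -split '\\', 2
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                $ctx, 'SamAccountName', $sam)
    if (-not $user) { throw "Account $Account not found in domain $domain" }
    $groups = @($user.GetAuthorizationGroups())
    [pscustomobject]@{
        Sids       = @($user.Sid.Value) + @($groups | Where-Object Sid | ForEach-Object { $_.Sid.Value })
        GroupNames = @($groups | ForEach-Object Name)
    }
}

function Get-LocalUserRightHolders {
    # Exports the local security policy and returns the SIDs granted one user right.
    # secedit lists principals as *S-1-... (SIDs) or as names; names are resolved to SIDs here.
    param([string] $Right = 'SeInteractiveLogonRight')
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumption: scratch path
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $p = $_.Trim()
        if ($p.StartsWith('*')) { $p.Substring(1) }
        else {
            (New-Object System.Security.Principal.NTAccount($p)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

function Test-ReportingServicesPointAccount {
    param([Parameter(Mandatory)][string] $Account)
    $auth  = Get-AccountAuthorizationGroups -Account $Account
    $allow = @(Get-LocalUserRightHolders -Right 'SeInteractiveLogonRight')
    $deny  = @(Get-LocalUserRightHolders -Right 'SeDenyInteractiveLogonRight')
    $granted = [bool]($auth.Sids | Where-Object { $allow -contains $_ })
    $denied  = [bool]($auth.Sids | Where-Object { $deny  -contains $_ })
    [pscustomobject]@{
        Account                           = $Account
        InWindowsAuthorizationAccessGroup = ($auth.GroupNames -contains 'Windows Authorization Access Group')
        # A deny right overrides an allow, so both lists are consulted
        HasLogOnLocally                   = ($granted -and -not $denied)
    }
}

# Usage with the constructed placeholder account:
Test-ReportingServicesPointAccount -Account 'CONTOSO\svc-ssrp'
```

Run it once for the account that runs the Reporting Services service and once for the reporting services point account, since step 5 places the group requirement on the former and the Log on locally requirement on the latter.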

Languages for reports

When Configuration Manager creates report folders and copies reports to the report server, it determines the appropriate language for the objects.
- Create report folders, copy reports
  - Create objects using locale of the site server OS
  - If the specific language pack isn't available, default to English (ENU)
- View reports in a web browser
  - Folder and report names: the same locale as the site server
  - Report contents: dynamic based on the browser locale
- View reports in the Configuration Manager console
  - Folder and report names: dynamic based on the locale of the console
  - Report contents: dynamic based on the locale of the console

When you install a reporting services point on a site without language packs, the reports are installed in English. If you install a language pack after you install the reporting services point, you must uninstall and reinstall the reporting services point for the reports to be available in the appropriate language pack language. For more information, see Language packs.
File installation and report folder security rights
Configuration Manager does the following actions to install the reporting services point and to configure
Reporting Services:

IMPORTANT
The site does these actions in the context of the account that's configured for the SMS_Executive service. Typically, this
account is the site server local System account.

Install the reporting services point site role.
Create the data source in Reporting Services with the stored credentials that you specified in the wizard.
This account is the Windows user account and password that Reporting Services uses to connect to the
site database when you run reports.
Create the Configuration Manager root folder in Reporting Services.
Add the ConfigMgr Report Users and ConfigMgr Report Administrators security roles in
Reporting Services.
Create subfolders, and then deploy Configuration Manager reports from %ProgramFiles%\SMS_SRSRP on
the site server to Reporting Services.
Add the ConfigMgr Report Users role in Reporting Services to the root folders for all user accounts in
Configuration Manager that have Site Read rights.
Add the ConfigMgr Report Administrators role in Reporting Services to the root folders for all user
accounts in Configuration Manager that have Site Modify rights.
Retrieve the mapping between report folders and Configuration Manager secured object types.
Configuration Manager maintains this map in the site database.
Configure the following rights for administrative users in Configuration Manager to specific report
folders in Reporting Services:
    Add users and assign the ConfigMgr Report Users role to the associated report folder for
    administrative users who have Run Report permissions for the Configuration Manager object.
    Add users and assign the ConfigMgr Report Administrators role to the associated report
    folder for administrative users who have Modify Report permissions for the Configuration
    Manager object.
Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration
Manager and Reporting Services root folders and specific report folders. After the initial installation of the
reporting services point, Configuration Manager connects to Reporting Services every 10 minutes to verify that
the user rights configured on the report folders are the associated rights that are set for Configuration Manager
users. When users are added or user rights are modified on the report folder by using Reporting Services
Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored
in the site database. Configuration Manager also removes users that don't have Reporting rights in
Configuration Manager.
Reporting Services security roles
When Configuration Manager installs the reporting services point, it adds the following security roles in
Reporting Services:
ConfigMgr Report Users: Users assigned with this security role can only run Configuration Manager
reports.
ConfigMgr Report Administrators: Users assigned with this security role can do all tasks related to
reporting in Configuration Manager.
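The two sections above describe role assignments that the site writes to Reporting Services and reconciles every 10 minutes. As an added example (not code from the Configuration Manager documentation or product), the following PowerShell script reads those assignments back through the ReportService2010 SOAP endpoint, so you can review who holds which role on each report folder and spot anything the site does not manage. The report server URL, the root folder name ConfigMgr_CAS, and the use of the caller's Windows identity are assumptions for your environment; the script only reads policies and changes nothing.

```powershell
# Added example, not from the Configuration Manager docs: read-only audit of the
# Reporting Services role assignments on the Configuration Manager report folders.
# Assumptions: report server URL, root folder name, and that the caller's Windows
# identity is allowed to read the folders.
$reportServerUri = 'https://rsp.contoso.com/ReportServer/ReportService2010.asmx'
$rootFolder      = '/ConfigMgr_CAS'

# New-WebServiceProxy builds a typed client from the SSRS WSDL; -UseDefaultCredential
# authenticates as the current user over HTTPS.
$rs = New-WebServiceProxy -Uri $reportServerUri -Namespace 'SSRS' -UseDefaultCredential

function Get-SrsFolderRoles {
    param([string]$Path)
    $inherits = $false
    # GetPolicies returns the policies on an item; the [ref] out-parameter reports
    # whether the item inherits them from its parent folder.
    $policies = $rs.GetPolicies($Path, [ref]$inherits)
    foreach ($policy in $policies) {
        foreach ($role in $policy.Roles) {
            [pscustomobject]@{
                Path      = $Path
                Inherits  = $inherits
                Principal = $policy.GroupUserName
                Role      = $role.Name
            }
        }
    }
}

# The root folder plus every subfolder (one per secured object type).
$folders = @($rootFolder) + @(
    $rs.ListChildren($rootFolder, $true) |
        Where-Object { $_.TypeName -eq 'Folder' } |
        ForEach-Object { $_.Path }
)
$assignments = foreach ($folder in $folders) { Get-SrsFolderRoles -Path $folder }
$assignments | Sort-Object Path, Principal | Format-Table -AutoSize

# The site only manages these two roles on its folders. Any other role is either
# inherited from the report server root (Inherits = True) or was set by hand in
# Report Manager, which the site overwrites on its next reconciliation pass.
$managed = 'ConfigMgr Report Users', 'ConfigMgr Report Administrators'
$assignments | Where-Object { $_.Role -notin $managed } | ForEach-Object {
    Write-Warning "Unmanaged role '$($_.Role)' for $($_.Principal) on $($_.Path)"
}
```

Run it from an account that already has at least Site Read rights, since the site grants such accounts the ConfigMgr Report Users role on the root folder. Compare the principals listed against the administrative users and security roles in the site: a principal that appears here but has no reporting rights in Configuration Manager should disappear within 10 minutes, and if it does not, the SMS_SRS_REPORTING_POINT component is not completing its checks.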

Verify installation
Verify the installation of the reporting services point by looking at specific status messages and log file entries.
Use the following procedure to verify that the reporting services point installation was successful.
NOTE
If you see reports in the Reports subfolder of the Reporting node in the Monitoring workspace in the Configuration
Manager console, you can skip this procedure.

Verify installation by status message


1. In the Configuration Manager console, go to the Monitoring workspace, expand System Status, and
select the Component Status node.
2. Select the SMS_SRS_REPORTING_POINT component.
3. On the Home tab of the ribbon, in the Component group, select Show Messages, and then choose All.
4. Specify a date and time for a period before you installed the reporting services point, and then select OK.
5. Verify status message ID 1015. This status message indicates that the reporting services point was
successfully installed.
Verify installation by log file
Open the Srsrp.log file, located in the Logs directory of the Configuration Manager installation path. Look for
the string Installation was successful.
Step through this log file starting from the time that the reporting services point was successfully installed.
Verify that the report folders were created, the reports were deployed, and the security policy on each folder
was confirmed. After the last line of security policy confirmations, look for the string
Successfully checked that the SRS web service is healthy on server.
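As an added example (not code from the Configuration Manager documentation), the following PowerShell functions perform the log check above automatically: they find the most recent successful installation, confirm that the health-check line follows it, and collect any error entries in between. They assume the CMTrace line format that Configuration Manager logs use (the message inside `<![LOG[...]LOG]!>`, followed by time, date and a type attribute, where type 3 marks an error); the sample lines are constructed for the demonstration, and the log path at the end is a typical install location, not one stated on this page.

```powershell
# Added example, not from the Configuration Manager docs. Assumes the CMTrace line
# format: <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" ... type="N" ...>
# where type 1 = informational, 2 = warning, 3 = error.
function Get-CmLogEntries {
    param([string[]]$Lines)
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"[^>]*\btype="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Message = $Matches['msg']
                Date    = $Matches['date']
                Time    = $Matches['time']
                Type    = [int]$Matches['type']
            }
        }
    }
}

function Test-SrsrpInstall {
    param([string[]]$Lines)
    $entries = @(Get-CmLogEntries -Lines $Lines)
    # Start from the most recent successful installation; earlier failures are history.
    $start = -1
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i].Message -like 'Installation was successful*') { $start = $i }
    }
    if ($start -lt 0) {
        return [pscustomobject]@{ Installed = $false; Healthy = $false; Errors = @() }
    }
    $after   = $entries[$start..($entries.Count - 1)]
    $healthy = [bool]($after | Where-Object { $_.Message -like 'Successfully checked that the SRS web service is healthy*' })
    [pscustomobject]@{
        Installed   = $true
        InstalledAt = '{0} {1}' -f $entries[$start].Date, $entries[$start].Time
        Healthy     = $healthy
        Errors      = @($after | Where-Object { $_.Type -eq 3 } | ForEach-Object { $_.Message })
    }
}

# Constructed sample lines (not a real log) to show the shape of the result.
$sample = @(
    '<![LOG[Installation was successful.]LOG]!><time="10:15:02.123+000" date="02-16-2022" component="SMS_SRS_REPORTING_POINT" context="" type="1" thread="4120" file="srsrp.cpp:100">'
    '<![LOG[Creating folder /ConfigMgr_CAS/Client Status]LOG]!><time="10:15:05.004+000" date="02-16-2022" component="SMS_SRS_REPORTING_POINT" context="" type="1" thread="4120" file="srsrp.cpp:200">'
    '<![LOG[Successfully checked that the SRS web service is healthy on server rsp.contoso.com]LOG]!><time="10:16:40.777+000" date="02-16-2022" component="SMS_SRS_REPORTING_POINT" context="" type="1" thread="4120" file="srsrp.cpp:300">'
)
Test-SrsrpInstall -Lines $sample   # Installed = True, Healthy = True, Errors = {}

# Against the real log (default install location assumed; adjust for your site):
# Test-SrsrpInstall -Lines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\srsrp.log')
```

Installed but not Healthy with no errors usually means the health check has not run yet; rerun after a few minutes before treating it as a failure.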

Configure a certificate to author reports


There are many options for you to author reports in SQL Server Reporting Services. When you create or edit
reports in the Configuration Manager console, Configuration Manager opens Report Builder to use as the
authoring environment. Regardless of how you author your Configuration Manager reports, you need a self-
signed certificate for server authentication to the site database server.

NOTE
For more information about authoring reports with SQL Server Reporting Services, see Report Builder authoring
environment.

Configuration Manager automatically installs the certificate on the site server and any SMS Provider roles. You
can create or edit reports from the Configuration Manager console when you run it from one of these servers.
When you create or modify reports from a Configuration Manager console on a different computer, export the
certificate from the site server. The specific certificate's friendly name is the FQDN of the site server in the
Trusted People certificate store for the local computer. Add this certificate to the Trusted People certificate
store on the computer that runs the Configuration Manager console.
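As an added example (not code from the Configuration Manager documentation), the following PowerShell performs the export and import described above. Only the public certificate (.cer) leaves the site server; no private key is exported. Because Trusted People is a trust store, the import side compares the thumbprint against the value recorded on the site server before it trusts the file. The site server FQDN cm01.contoso.com, the share path, and the placeholder thumbprint are assumptions for your environment.

```powershell
# Added example, not from the Configuration Manager docs: copy the site server's
# report-authoring certificate to a console computer. Per the text, the certificate's
# friendly name is the site server FQDN and it lives in LocalMachine\TrustedPeople.
$siteServerFqdn = 'cm01.contoso.com'                       # assumption
$exportPath     = "\\fileserver\share\$siteServerFqdn.cer"  # assumption

# --- On the site server --------------------------------------------------------
$cert = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.FriendlyName -eq $siteServerFqdn })
if ($cert.Count -ne 1) {
    throw "Expected exactly one certificate with friendly name $siteServerFqdn, found $($cert.Count)"
}
# -Type CERT writes the DER-encoded public certificate only.
Export-Certificate -Cert $cert[0] -FilePath $exportPath -Type CERT | Out-Null
"Exported $exportPath with thumbprint $($cert[0].Thumbprint)"   # record this value

# --- On the console computer (run elevated) ------------------------------------
$expectedThumbprint = 'PASTE-THUMBPRINT-RECORDED-ON-THE-SITE-SERVER'   # placeholder
$incoming = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath
if ($incoming.Thumbprint -ne $expectedThumbprint) {
    # A different certificate in Trusted People would let its holder impersonate the
    # site server to Report Builder, so refuse anything that does not match.
    throw "Thumbprint mismatch for $exportPath ($($incoming.Thumbprint)); not importing"
}
Import-Certificate -FilePath $exportPath -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null
"Imported $($incoming.Subject) into LocalMachine\TrustedPeople"
```

Transfer the thumbprint out of band (for example, read it from the site server console rather than from the same share as the .cer file), otherwise the comparison proves nothing.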

Modify reporting services point settings


After you install this role, you can modify the site database connection and authentication settings in the
reporting services point properties.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and then select the Servers and Site System Roles node.
TIP
To list only site systems that host the reporting services point, right-click the Servers and Site System Roles
node, and select Reporting services point.

2. Select the site system that hosts the reporting services point. Then select the Reporting services point
site system role in the details pane.
3. On the Site Role tab of the ribbon, in the Properties group, select Properties.
4. You can modify the following settings in the Reporting Services Point Properties:
Site database server name
Database name
User account
5. Select OK to save the changes and close the properties.
For more information about these settings, see the descriptions in the section to Install the reporting services
point on a site system.

Power BI Report Server


Starting in version 2002, you can integrate reporting with Power BI Report Server. For more information on
configuring it, see Integrate with Power BI Report Server.

Upgrade SQL Server


To upgrade SQL Server and SQL Server Reporting Services, first remove the reporting services point from the
site. After you upgrade SQL Server, then reinstall the reporting services point in Configuration Manager.
If you don't follow this process, you'll see errors when you run or edit reports from the Configuration Manager
console. You can continue to run and edit reports successfully from a web browser.

Configure report options


You can select the default reporting services point that you use to manage reports. The site can have more than
one reporting services point, but it only uses the default server to manage reports. Use the following procedure
to configure report options for your site.
1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and then
select the Reports node.
2. On the Home tab of the ribbon, in the Settings group, select Report Options.
3. Select the default report server in the list, and then select OK.
If it doesn't show any servers, verify that you installed and configured a reporting services point in the site. For
more information, see Verify installation.
Make sure your computer runs a version of SQL Server Report Builder that matches the version of SQL Server
that you use for your report server. Otherwise you'll see an error, the default report server won't save, and you
can't create or edit reports.

Next steps
Operations and maintenance for reporting
Operations and maintenance for reporting in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


After the infrastructure is in place for reporting in Configuration Manager, there are many operations that you
typically do to manage reports and subscriptions.

NOTE
This article focuses on reports in SQL Server Reporting Services. Starting in version 2002, you can integrate reporting
with Power BI Report Server. For more information, see Integrate with Power BI Report Server.

Run a report from Reporting Services


Configuration Manager stores its reports in SQL Server Reporting Services. The report retrieves data from the
Configuration Manager site database. You can access reports in the Configuration Manager console or by using
Report Manager via a web browser. You can open reports from a web browser on any computer that can reach the
reporting services point, provided the user has sufficient rights to view the reports. To run reports, you need Read
rights for the Site permission and the Run Report permission for specific objects.
When you run a report, it displays the report title, description, and category in the language of the local OS. For
more information, see Languages for reports.

NOTE
Report Manager is a web-based report access and management tool. You can use it to administer a single report server
instance over an HTTPS connection. Use Report Manager for operational tasks: view reports, modify report properties,
and manage associated report subscriptions. This article provides the steps to view a report and modify report properties
in Report Manager. For more information about other options in Report Manager, see What is Report Manager?

Use the following procedures to run a Configuration Manager report.


Run a report in the Configuration Manager console
1. In the Configuration Manager console, go to the Monitoring workspace. Expand Reporting, and then
select Reports. This node lists the available reports.

TIP
If this node doesn't list any reports, verify that the reporting services point is installed and configured. For more
information, see Configure reporting.

2. Select the report that you want to run. On the Home tab of the ribbon, in the Report Group section,
select Run to open the report.
3. If there are required parameters, specify them and then select View Report.
Run a report in a web browser
1. In your web browser, go to the Report Manager URL, for example, https://Server1/Reports . Find this
address on the Report Manager URL page in Reporting Services Configuration Manager.
2. In Report Manager, select the report folder for Configuration Manager, for example, ConfigMgr_CAS .

TIP
If Report Manager doesn't list any reports, verify that the reporting services point is installed and configured. For
more information, see Configure reporting.

3. Select the report category for the report that you want to run, and then select the specific report. The
report opens in Report Manager.
4. If there are required parameters, specify them and then select View Report.

Modify the properties of a report


Report properties include the report name and description. You can view the properties for a report in the
Configuration Manager console.
To change the properties, use Report Manager:
1. In your web browser, go to the Report Manager URL, for example, https://Server1/Reports .
2. In Report Manager, select the report folder for Configuration Manager, for example, ConfigMgr_CAS .
3. Select the report category, and then select the specific report. The report opens in Report Manager.
4. Select the Properties tab. Modify the report name and description, and then select Apply.
Report Manager saves the report properties on the report server. The Configuration Manager console shows
the updated report properties for the report.

Edit a report
When an existing Configuration Manager report doesn't retrieve the information that you want, edit it in Report
Builder. You can also use Report Builder to change the layout or design of the report. While you can directly edit
a default report, it's best to clone it. Open the report to edit, and then select Save As.
To edit a report, you need Site Modify permission and Modify Report permissions on the specific objects in
the report.

IMPORTANT
Site updates preserve built-in reports. If you modify a standard report, when the site updates, it renames the report with
an underscore prefix ( _ ). This behavior makes sure that the site update doesn't overwrite the modified report with the
standard report.
If you modify predefined reports, back up your custom reports before you install a site update. After the update, restore
the report in Reporting Services. If you make significant changes to a predefined report, create a new report instead. New
reports that you create before you upgrade a site aren't overwritten.

Use the following procedure to edit the properties for a Configuration Manager report.
1. In the Configuration Manager console, go to the Monitoring workspace. Expand Reporting, and then
select the Reports node.
2. Select the report that you want to modify. On the Home tab of the ribbon, in the Report Group section,
select Edit. It may prompt you to enter credentials. If Report Builder isn't installed on the computer,
Configuration Manager prompts you to install it. Report Builder is required to modify and create reports.
3. In Report Builder, modify the appropriate report settings. Select Save to save the report to the report
server.

Create reports
There are two types of reports that you can create:
A model-based report lets you interactively select the items you want to include in your report. For
more information about creating custom report models, see Create custom report models for
Configuration Manager in SQL Server Reporting Services.
A SQL-based report lets you retrieve data that's based on a report SQL statement.

IMPORTANT
To create a new report, your account needs Site Modify permission. You can only create a report in folders for which you
have Modify Report permissions.

Create a model-based report


Use the following procedure to create a model-based Configuration Manager report.
1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select
the Reports node.
2. On the Home tab of the ribbon, in the Create section, select Create Report. This action opens the
Create Report Wizard.
3. On the Information page, configure the following settings:
Type: Select Model-based Report.
Name: Specify a name for the report.
Description: Specify a description for the report.
Server: Displays the name of the report server where you create this report.
Path: Select Browse to specify a folder in which to store the report.
4. On the Model Selection page, select an available model in the list to create this report. The Preview
section displays the SQL Server views and entities that are available in this report model.
5. Complete the Create Report Wizard.
6. Open Report Builder to configure the report settings. For more information, see Edit a Configuration
Manager report.
7. In Report Builder, create the report layout, select data in the available SQL Server views, and add
parameters to the report.
8. Select Run to run your report. Verify that the report provides the information that you expect. If needed,
select Design to modify the report further.
9. Select Save to save the report to the report server.
Create a SQL-based report
When you write the SQL statement for a custom report, don't reference SQL Server tables directly. Always
reference supported reporting SQL Server views from the site database. These views have names that start with
v_ . For more information, see Creating custom reports by using SQL Server views in Configuration Manager.

You can also reference public stored procedures from the site database. These stored procedures have names
that start with sp_ .
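As an added example (not code from the Configuration Manager documentation), the following PowerShell validates a dataset query for a SQL-based report before you paste it into Report Builder. The query joins two supported views, v_R_System and v_GS_OPERATING_SYSTEM, and takes a report parameter; a small check refuses any query whose FROM or JOIN targets are not v_ views or sp_ procedures, which enforces the rule above mechanically. The site database server and database name are placeholders, and the test run assumes the SqlServer module's Invoke-Sqlcmd is available.

```powershell
# Added example, not from the Configuration Manager docs. Assumptions: SqlServer
# module (Invoke-Sqlcmd) installed; server and database names are placeholders.
$siteDbServer = 'cmsql01.contoso.com'
$siteDb       = 'CM_CAS'

# The dataset query as Report Builder would run it. @NamePrefix is the report parameter.
$reportQuery = @'
SELECT s.ResourceID,
       s.Name0           AS ComputerName,
       s.Client_Version0 AS ClientVersion,
       os.Caption0       AS OperatingSystem,
       os.Version0       AS OSVersion
FROM   v_R_System AS s
       LEFT JOIN v_GS_OPERATING_SYSTEM AS os ON os.ResourceID = s.ResourceID
WHERE  s.Client0 = 1
       AND s.Name0 LIKE @NamePrefix + N'%'
ORDER BY s.Name0;
'@

function Test-ReportQueryUsesViews {
    param([string]$Query)
    # Every object named after FROM or JOIN must be a supported view (v_*) or a
    # public stored procedure (sp_*); base tables are not supported for reports.
    $objects = [regex]::Matches($Query, '(?im)\b(?:FROM|JOIN)\s+(?:\[?dbo\]?\.)?\[?(?<name>[A-Za-z0-9_]+)\]?') |
        ForEach-Object { $_.Groups['name'].Value }
    $bad = @($objects | Where-Object { $_ -notmatch '^(v|sp)_' })
    if ($bad.Count -gt 0) { throw "Query references unsupported objects: $($bad -join ', ')" }
    $objects
}

Test-ReportQueryUsesViews -Query $reportQuery   # v_R_System, v_GS_OPERATING_SYSTEM

# Run it once with a sample parameter value to confirm the result shape. Report Builder
# binds @NamePrefix itself; here a DECLARE stands in for the parameter.
$testRun = "DECLARE @NamePrefix nvarchar(64) = N'LAB';`r`n" + $reportQuery
Invoke-Sqlcmd -ServerInstance $siteDbServer -Database $siteDb -Query $testRun -QueryTimeout 60 |
    Select-Object -First 10 | Format-Table -AutoSize
```

The test run uses your own Windows identity against the site database. The published report runs under the reporting services point account instead, so a query that works here but fails in Report Builder usually points at that account's rights rather than at the SQL.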
Use the following procedure to create a SQL-based Configuration Manager report.
1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select
the Reports node.
2. On the Home tab of the ribbon, in the Create section, select Create Report. This action opens the
Create Report Wizard.
3. On the Information page, configure the following settings:
Type: Select SQL-based Report.
Name: Specify a name for the report.
Description: Specify a description for the report.
Server: Displays the name of the report server where you create this report.
Path: Select Browse to specify a folder in which to store the report.
4. Complete the Create Report Wizard.
5. Open Report Builder to configure the report settings. For more information, see Edit a Configuration
Manager report.
6. In Report Builder, provide the SQL statement for the report. You can also build the SQL statement by
using columns in available views. If needed, add parameters to the report.
7. Select Run to run your report. Verify that the report provides the information that you expect. If needed,
select Design to modify the report further.
8. Select Save to save the report to the report server.

Manage report subscriptions


Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified
reports by email or to a file share at scheduled intervals. To configure report subscriptions, use the Create
Subscription Wizard in Configuration Manager.
Create a report subscription to deliver a report to a file share
When you create a report subscription to deliver a report to a file share, Reporting Services copies the report in
the specified format to the file share that you specify. You can subscribe to and request delivery for only one
report at a time.
When you create a subscription that uses a file share, specify an existing shared folder as the destination. The
report server doesn't create the folder or network share. When you specify the destination folder in a
subscription, use a UNC path and don't include trailing backslashes ( \ ) in the folder path. The following
example is a valid UNC path for the destination folder: \\server\reportfiles\operations\2001 .

NOTE
When you create the subscription, you specify a user name and password. This account needs access to this share with
Write permissions to the destination folder.
Reporting Services can render reports in different file formats. For example, MHTML or Excel. You select the
format when you create the subscription. Although you can select any supported rendering format, some
formats work better than others when rendering to a file.
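As an added example (not code from the Configuration Manager documentation), the following PowerShell function checks a destination before you create a file share subscription: it enforces the rules above (a UNC path with no trailing backslash, pointing at a folder that already exists, since the report server does not create it) and confirms that the subscription account can write there by mapping the share under that account's credentials and creating a probe file. The share path and account name are placeholders.

```powershell
# Added example, not from the Configuration Manager docs: pre-check a file share
# subscription destination as the subscription account, not as the current user.
function Test-SubscriptionShare {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Rule 1: a UNC path (\\server\share[\folder...]) with no trailing backslash.
    if ($Path -notmatch '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)(?<sub>(?:\\[^\\]+)*)$') {
        throw "Not a valid UNC path without a trailing backslash: $Path"
    }
    $root = '\\{0}\{1}' -f $Matches['server'], $Matches['share']
    $sub  = $Matches['sub'].TrimStart('\')

    # Map the share with the subscription account's credentials so the checks below
    # reflect that account's rights, not the rights of whoever runs this script.
    New-PSDrive -Name SubTest -PSProvider FileSystem -Root $root -Credential $Credential -ErrorAction Stop | Out-Null
    try {
        $target = if ($sub) { Join-Path 'SubTest:\' $sub } else { 'SubTest:\' }
        # Rule 2: the report server does not create the folder; it must already exist.
        if (-not (Test-Path -Path $target -PathType Container)) {
            throw "Destination folder does not exist: $Path"
        }
        # Rule 3: write permission. Create a probe file and remove it again.
        $probe = Join-Path $target ('rs-probe-{0}.tmp' -f [guid]::NewGuid())
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -Force
        "OK: $($Credential.UserName) can write to $Path"
    }
    finally {
        Remove-PSDrive -Name SubTest -Force
    }
}

# Placeholders: use the dedicated account you will enter in the subscription wizard.
$cred = Get-Credential -Message 'Subscription file share account (e.g. CONTOSO\svc-rs-subs)'
Test-SubscriptionShare -Path '\\server\reportfiles\operations\2001' -Credential $cred
```

The user name and password you enter in the wizard are stored by Reporting Services, so give the subscription a dedicated account whose only right is write access to this folder. If Windows already has a connection to the same server under different credentials, New-PSDrive can fail with a conflicting-credentials error; run the check from a session without such a connection.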
Limitations for report subscriptions to a file share
The following list includes the limitations of report subscriptions to a file share:
Unlike reports that you host and manage on a report server, Reporting Services delivers reports to a
shared folder as static files.
Interactive features of the report don't work for reports stored as files. The report represents any
interactive features as static elements.
If the report includes charts, it uses the default presentation.
If the report links through to another report, it renders the link as static text.
If you want to keep interactive features in a delivered report, use email delivery. For more information, see
Create a report subscription to deliver a report by email.
Process to create a report subscription for a file share
Use the following procedure to create a report subscription to deliver a report to a file share.
1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select
the Reports node.
2. Select a report folder, then select the report to which you want to subscribe. On the Home tab of the
ribbon, in the Report Group section, select Create Subscription. This action opens the Create
Subscription Wizard.
3. On the Subscription Delivery page, configure the following settings:
Report delivered by: Select Windows File Share.
File Name: Specify the file name for the report. By default, the report file doesn't include a file
name extension. Select Add file extension when created to automatically add a file name
extension based on the format.
Path: Specify a UNC path to an existing folder where you want to deliver this report. For example,
\\server\reportfiles\operations .
Render Format: Select one of the following formats for the report file:
    XML file with report data
    CSV (comma delimited)
    TIFF file
    Acrobat (PDF) file
    HTML 4.0

    NOTE
    If your report has images, the HTML 4.0 format doesn't include them.

    MHTML (web archive)
    RPL Renderer (Report Page Layout)
    Excel
    Word
User Name: Specify a Windows user account with write permissions to the specified Path.
Password: Specify the password for the above Windows user account.
Overwrite option: Select one of the following options to configure the behavior when a file of
the same name exists in the destination folder:
    Overwrite an existing file with a newer version
    Do not overwrite an existing file
    Increment file names as newer versions are added: This option appends a number to the
    new report's file name to distinguish it from earlier versions.
Description: Optionally, specify additional information about this report subscription.
4. On the Subscription Schedule page, select one of the following delivery schedule options for the
report subscription:
Use shared schedule : A shared schedule is a previously defined schedule that can be used by
other report subscriptions. When you select this option, also select a shared schedule. If there are
no shared schedules, select the option to create a new schedule.
Create new schedule : Configure the schedule on which this report runs. The schedule includes
the interval, start time and date, and the end date for this subscription. By default, a new
subscription creates a new schedule to run every hour starting at the current date and time.
5. On the Subscription Parameters page, specify any parameters that this report requires to run
unattended. If the report has no parameters, the wizard doesn't display this page.
6. Complete the wizard.
7. Verify that Configuration Manager successfully created the report subscription. Select the Subscriptions
node to view and modify report subscriptions.
Create a report subscription to deliver a report by email
When you create a report subscription to deliver a report by email, Reporting Services sends an email to the
recipients that you configure. The email includes the report as an attachment. The report server doesn't validate
email addresses or get them from an email server. You can email reports to any valid email account within or
outside of your organization.

NOTE
To enable the Email subscription option, you need to configure the email settings in Reporting Services. For more
information, see Email delivery in reporting services.

You can select one or both of the following email delivery options:
Send a notification with a link to the generated report.
Send an embedded or attached report. The rendering format and browser determine whether it embeds
or attaches the report.
If your browser supports HTML 4.0 and MHTML, and you select the MHTML (web archive) format,
the email embeds the report in the message.
All other formats deliver reports as attachments.
Reporting Services doesn't check the size of the attachment or message before it sends the report. If
the attachment or message exceeds the maximum limit allowed by your mail server, the report isn't
delivered.
Use the following procedure to create a report subscription to deliver a report by using email.
1. In the Configuration Manager console, go to the Monitoring workspace, expand Reporting, and select
the Reports node.
2. Select a report folder, then select the report to which you want to subscribe. On the Home tab of the
ribbon, in the Report Group section, select Create Subscription. This action opens the Create
Subscription Wizard.
3. On the Subscription Delivery page, configure the following settings:
Report delivered by: Select E-mail.
To: Specify a valid email address as the recipient.

NOTE
To enter multiple recipients, separate each email address with a semicolon ( ; ).

Cc: Optionally, specify an email address to receive a copy of this report.
Bcc: Optionally, specify an email address to receive a blind copy of this report.
Reply To: Specify the reply address. If the recipient replies to the email message, the reply goes to
this address.
Subject: Specify a subject line for the subscription email message.
Priority: Select the priority flag for this email message: Low, Normal, or High. Microsoft
Exchange uses this flag to indicate the importance of the email message.
Comment: Specify text for the body of the subscription email message.
Description: Optionally, specify additional information about this report subscription.
Include Link: Include the URL for this report in the body of the email message.
Include Report: Attach the report to the email message. Use the Render Format option to
specify the report format to attach.
Render Format: Select one of the following formats for the attached report file:
    XML file with report data
    CSV (comma delimited)
    TIFF file
    Acrobat (PDF) file
    MHTML (web archive)
    Excel
    Word
4. On the Subscription Schedule page, select one of the following delivery schedule options for the
report subscription:
Use shared schedule : A shared schedule is a previously defined schedule that can be used by
other report subscriptions. When you select this option, also select a shared schedule. If there are
no shared schedules, select the option to create a new schedule.
Create new schedule : Configure the schedule on which this report runs. The schedule includes
the interval, start time and date, and the end date for this subscription. By default, a new
subscription creates a new schedule to run every hour starting at the current date and time.
5. On the Subscription Parameters page, specify any parameters that this report requires to run
unattended. If the report has no parameters, the wizard doesn't display this page.
6. Complete the wizard.
7. Verify that Configuration Manager successfully created the report subscription. Select the Subscriptions
node to view and modify report subscriptions.

Favorites
Configuration Manager ships with several hundred reports by default, and you may have added more to that
list. Instead of continually searching for reports you commonly use, starting in version 2103, you can make a
report a favorite. This action allows you to quickly access it from the new Favorites node.
The list of favorites is per user, not per site or hierarchy.
Prerequisites for report favorites
The version of SQL Server Reporting Services on the site's reporting service point needs to be SQL Server 2017
or later.

NOTE
All instances of SQL Server Reporting Services on the server need to be version 2017 or later.

Add a favorite
1. In the Configuration Manager console, go to the Monitoring workspace. Expand the Reporting node,
and select either the Reports or Power BI Reports node.
2. Select a report that you frequently use. Then in the ribbon, select Add to Favorites. The report's icon
changes to a yellow star, which indicates that it's a favorite.
TIP
You can select more than one report to add them all as favorites.

To remove a report from the list of favorites, select it, and then select Remove from Favorites. When
you remove a favorite, Configuration Manager doesn't delete the report.
3. Under the Reporting node, expand the new Favorites node. To view your list of favorites, select either
the Reports or Power BI Reports node.

TIP
You can directly connect to your favorite reports in your browser. For example,
https://rsp.contoso.com/Reports/favorites .

You manage reports from the Favorites node in the same way as from the Reports node.
Creating custom report models for Configuration Manager in SQL Server Reporting Services
2/16/2022

Applies to: Configuration Manager (current branch)


Sample report models are included in Configuration Manager, but you can also define report models to meet
your own business requirements, and then deploy the report model to Configuration Manager to use when you
create new model-based reports. The following table provides the steps to create and deploy a basic report
model.

NOTE
For the steps to create a more advanced report model, see the Steps for Creating an Advanced Report Model in SQL
Server Reporting Services section in this topic.

Step: Verify that SQL Server Business Intelligence Development Studio is installed
Description: Report models are designed and built by using SQL Server Business Intelligence Development Studio. Verify that SQL Server Business Intelligence Development Studio is installed on the computer on which you are creating the custom report model.
More information: For more information about SQL Server Business Intelligence Development Studio, see the SQL Server 2008 documentation.

Step: Create a report model project
Description: A report model project contains the definition of the data source (a .ds file), the definition of a data source view (a .dsv file), and the report model (an .smdl file).
More information: For more information, see the To create the report model project section in this topic.

Step: Define a data source for a report model
Description: After creating a report model project, you have to define one data source from which you extract business data. Typically, this is the Configuration Manager site database.
More information: For more information, see the To define the data source for the report model section in this topic.

Step: Define a data source view for a report model
Description: After defining the data sources that you use in your report model project, the next step is to define a data source view for the project. A data source view is a logical data model based on one or more data sources. Data source views encapsulate access to the physical objects, such as tables and views, contained in underlying data sources. SQL Server Reporting Services generates the report model from the data source view. Data source views facilitate the model design process by providing you with a useful representation of the data that you specified. Without changing the underlying data source, you can rename tables and fields, and add aggregate fields and derived tables in a data source view. For an efficient model, add only those tables to the data source view that you intend to use.
More information: For more information, see the To define the data source view for the report model section in this topic.

Step: Create a report model
Description: A report model is a layer on top of a database that identifies business entities, fields, and roles. When published, by using these models, Report Builder users can develop reports without having to be familiar with database structures or understand and write queries. Models are composed of sets of related report items that are grouped together under a friendly name, with predefined relationships between these business items and with predefined calculations. Models are defined by using an XML language called Semantic Model Definition Language (SMDL). The file name extension for report model files is .smdl.
More information: For more information, see the To create the report model section in this topic.

Step: Publish a report model
Description: To build a report by using the model that you just created, you must publish it to a report server. The data source and data source view are included in the model when it is published.
More information: For more information, see the To publish the report model for use in SQL Server Reporting Services section in this topic.

Step: Deploy the report model to Configuration Manager
Description: Before you can use a custom report model in the Create Report Wizard to create a model-based report, you must deploy the report model to Configuration Manager.
More information: For more information, see the To deploy the custom report model to Configuration Manager section in this topic.

Steps for creating a basic report model in SQL Server Reporting Services
You can use the following procedures to create a basic report model that users in your site can use to build
particular model-based reports based on data in a single view of the Configuration Manager database. You
create a report model that presents information about the client computers in your site to the report author. This
information is taken from the v_R_System view in the Configuration Manager database.
On the computer where you perform these procedures, ensure that you have installed SQL Server Business
Intelligence Development Studio and that the computer has network connectivity to the reporting services point
server. For detailed information about SQL Server Business Intelligence Development Studio, see the SQL Server
2008 documentation.
To create the report model project
1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL Server Business Intelligence Development Studio.
2. After SQL Server Business Intelligence Development Studio opens in Microsoft Visual Studio, click File, click New, and then click Project.
3. In the New Project dialog box, select Report Model Project in the Templates list.
4. In the Name box, specify a name for this report model. For this example, type Simple_Model.
5. To create the report model project, click OK.
6. The Simple_Model solution is displayed in Solution Explorer.

NOTE
If you cannot see the Solution Explorer pane, click View, and then click Solution Explorer.

To define the data source for the report model


1. In the Solution Explorer pane of SQL Server Business Intelligence Development Studio, right-click Data Sources to select Add New Data Source.
2. On the Welcome to the Data Source Wizard page, click Next.
3. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, and then click New.
4. In the Connection Manager dialog box, specify the following connection properties for the data source:
   Server name: Type the name of your Configuration Manager site database server, or select it in the list. If you are working with a named instance instead of the default instance, type <database server>\<instance name>.
   Select Use Windows Authentication.
   In Select or enter a database name list, select the name of your Configuration Manager site database.
5. To verify the database connection, click Test Connection.
6. If the connection succeeds, click OK to close the Connection Manager dialog box. If the connection does not succeed, verify that the information you entered is correct, and then click Test Connection again.
7. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, verify that the data source you have just specified is selected in Data connections, and then click Next.
8. In Data source name, specify a name for the data source, and then click Finish. For this example, type Simple_Model.
9. The data source Simple_Model.ds is now displayed in Solution Explorer under the Data Sources node.

NOTE
To edit the properties of an existing data source, double-click the data source in the Data Sources folder of the Solution Explorer pane to display the data source properties in Data Source Designer.

To define the data source view for the report model


1. In Solution Explorer, right-click Data Source Views to select Add New Data Source View.
2. On the Welcome to the Data Source View Wizard page, click Next. The Select a Data Source page is displayed.
3. In the Relational data sources window, verify that the Simple_Model data source is selected, and then click Next.
4. On the Select Tables and Views page, select the following view in the Available objects list to be used in the report model: v_R_System (dbo).

TIP
To help locate views in the Available objects list, click the Name heading at the top of the list to sort the objects in alphabetical order.

5. After selecting the view, click > to transfer the object to the Included objects list.
6. If the Name Matching page is displayed, accept the default selections, and click Next.
7. When you have selected the objects that you require, click Next, and then specify a name for the data source view. For this example, type Simple_Model.
8. Click Finish. The Simple_Model.dsv data source view is displayed in the Data Source Views folder of Solution Explorer.
To create the report model
1. In Solution Explorer, right-click Report Models to select Add New Report Model.
2. On the Welcome to the Report Model Wizard page, click Next.
3. On the Select Data Source Views page, select the data source view in the Available data source views list, and then click Next. For this example, select Simple_Model.dsv.
4. On the Select report model generation rules page, accept the default values, and then click Next.
5. On the Collect Model Statistics page, verify that Update model statistics before generating is selected, and then click Next.
6. On the Completing the Wizard page, specify a name for the report model. For this example, verify that Simple_Model is displayed.
7. To complete the wizard and create the report model, click Run.
8. To exit the wizard, click Finish. The report model is shown in the Design window.
To publish the report model for use in SQL Server Reporting Services
1. In Solution Explorer, right-click the report model to select Deploy. For this example, the report model is Simple_Model.smdl.
2. Examine the deployment status at the lower left corner of the SQL Server Business Intelligence Development Studio window. When the deployment has finished, Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is displayed in the Output window. The new report model is now available on your SQL Server Reporting Services website.
3. Click File, click Save All, and then close SQL Server Business Intelligence Development Studio.
To deploy the custom report model to Configuration Manager
1. Locate the folder in which you created the report model project. For example, %USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>.
2. Copy the following files from the report model project folder to a temporary folder on your computer:
   <Model Name>.dsv
   <Model Name>.smdl
3. Open the preceding files by using a text editor, such as Notepad.
4. In the file <Model Name>.dsv, locate the first line of the file, which reads as follows:

   <DataSourceView xmlns="https://schemas.microsoft.com/analysisservices/2003/engine">

   Edit this line to read as follows (the xmlns value is unchanged; the only change is the added xmlns:xsi attribute):

   <DataSourceView xmlns="https://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView">

5. Copy the entire contents of the file to the Windows Clipboard.
6. Close the file <Model Name>.dsv.
7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear as follows:

   </Entity>
   </Entities>
   </SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the file (</SemanticModel>).
9. Save and close the file <Model Name>.smdl.
10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft Configuration Manager\AdminConsole\XmlStorage\Other on the Configuration Manager site server.

IMPORTANT
After copying the report model file to the Configuration Manager site server, you must exit and restart the Configuration Manager console before you can use the report model in the Create Report Wizard.

Steps for Creating an Advanced Report Model in SQL Server Reporting Services
You can use the following procedures to create an advanced report model that users in your site can use to build
particular model-based reports based on data in multiple views of the Configuration Manager database. You
create a report model that presents information about the client computers and the operating system installed
on these computers to the report author. This information is taken from the following views in the Configuration
Manager database:
V_R_System : Contains information about discovered computers and the Configuration Manager client.
V_GS_OPERATING_SYSTEM : Contains information about the operating system installed on the client
computer.
Selected items from the preceding views are consolidated into one list, given friendly names, and then
presented to the report author in Report Builder for inclusion in particular reports.
On the computer where you perform these procedures, ensure that you have installed SQL Server
Business Intelligence Development Studio and that the computer has network connectivity to the
reporting services point server. For detailed information about SQL Server Business Intelligence
Development Studio, see the SQL Server documentation.
To create the report model project
1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL Server Business Intelligence Development Studio.
2. After SQL Server Business Intelligence Development Studio opens in Microsoft Visual Studio, click File, click New, and then click Project.
3. In the New Project dialog box, select Report Model Project in the Templates list.
4. In the Name box, specify a name for this report model. For this example, type Advanced_Model.
5. To create the report model project, click OK.
6. The Advanced_Model solution is displayed in Solution Explorer.

NOTE
If you cannot see the Solution Explorer pane, click View, and then click Solution Explorer.

To define the data source for the report model


1. In the Solution Explorer pane of SQL Server Business Intelligence Development Studio, right-click Data Sources to select Add New Data Source.
2. On the Welcome to the Data Source Wizard page, click Next.
3. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, and then click New.
4. In the Connection Manager dialog box, specify the following connection properties for the data source:
   Server name: Type the name of your Configuration Manager site database server, or select it in the list. If you are working with a named instance instead of the default instance, type <database server>\<instance name>.
   Select Use Windows Authentication.
   In the Select or enter a database name list, select the name of your Configuration Manager site database.
5. To verify the database connection, click Test Connection.
6. If the connection succeeds, click OK to close the Connection Manager dialog box. If the connection does not succeed, verify that the information you entered is correct, and then click Test Connection again.
7. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, verify that the data source you have just specified is selected in the Data connections list box, and then click Next.
8. In Data source name, specify a name for the data source and then click Finish. For this example, type Advanced_Model.
9. The data source Advanced_Model.ds is displayed in Solution Explorer under the Data Sources node.

NOTE
To edit the properties of an existing data source, double-click the data source in the Data Sources folder of the Solution Explorer pane to display the data source properties in Data Source Designer.

To define the data source view for the report model


1. In Solution Explorer, right-click Data Source Views to select Add New Data Source View.
2. On the Welcome to the Data Source View Wizard page, click Next. The Select a Data Source page is displayed.
3. In the Relational data sources window, verify that the Advanced_Model data source is selected, and then click Next.
4. On the Select Tables and Views page, select the following views in the Available objects list to be used in the report model:
   v_R_System (dbo)
   v_GS_OPERATING_SYSTEM (dbo)
   After selecting each view, click > to transfer the object to the Included objects list.

TIP
To help locate views in the Available objects list, click the Name heading at the top of the list to sort the objects in alphabetical order.

5. If the Name Matching dialog box appears, accept the default selections, and click Next.
6. When you have selected the objects you require, click Next, and then specify a name for the data source view. For this example, type Advanced_Model.
7. Click Finish. The Advanced_Model.dsv data source view is displayed in the Data Source Views folder of Solution Explorer.
To define relationships in the data source view
1. In Solution Explorer, double-click Advanced_Model.dsv to open the Design window.
2. Right-click the title bar of the v_R_System window to select Replace Table, and then click With New Named Query.
3. In the Create Named Query dialog box, click the Add Table icon (typically the last icon in the ribbon).
4. In the Add Table dialog box, click the Views tab, select V_GS_OPERATING_SYSTEM in the list, and then click Add.
5. Click Close to close the Add Table dialog box.
6. In the Create Named Query dialog box, specify the following information:
   Name: Specify the name for the query. For this example, type Advanced_Model.
   Description: Specify a description for the query. For this example, type Example Reporting Services report model.
7. In the v_R_System window, select the following items in the list of objects to display in the report model:
   ResourceID
   ResourceType
   Active0
   AD_Domain_Name0
   AD_SiteName0
   Client0
   Client_Type0
   Client_Version0
   CPUType0
   Hardware_ID0
   User_Domain0
   User_Name0
   Netbios_Name0
   Operating_System_Name_and0
8. In the v_GS_OPERATING_SYSTEM box, select the following items in the list of objects to display in the report model:
   ResourceID
   Caption0
   CountryCode0
   CSDVersion0
   Description0
   InstallDate0
   LastBootUpTime0
   Locale0
   Manufacturer0
   Version0
   WindowsDirectory0
9. To present the objects in these views as one list to the report author, you must specify a relationship between the two tables or views by using a join. You can join the two views by using the object ResourceID, which appears in both views.
10. In the v_R_System window, click and hold the ResourceID object and drag it to the ResourceID object in the v_GS_OPERATING_SYSTEM window.
11. Click OK.
12. The Advanced_Model window replaces the v_R_System window and contains all of the necessary objects required for the report model from the v_R_System and the v_GS_OPERATING_SYSTEM views. You can now delete the v_GS_OPERATING_SYSTEM window from the Data Source View Designer. Right-click the title bar of the v_GS_OPERATING_SYSTEM window to select Delete Table from DSV. In the Delete Objects dialog box, click OK to confirm the deletion.
13. Click File, and then click Save All.
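The join behind the named query above (v_R_System to v_GS_OPERATING_SYSTEM on ResourceID) is shown here as SQL, run against constructed rows in an in-memory SQLite database; this is an added example, not the documentation's or Configuration Manager's own code, and the friendly column names are aliases chosen for illustration. It also shows why the join type matters to the report author: an inner join drops clients that have no operating system inventory row, while a left join keeps them with empty OS columns.

```python
"""Added example: the named query from the data source view as explicit SQL,
run against constructed sample rows standing in for the two site database views."""
import sqlite3

# Constructed rows standing in for v_R_System (discovered computers and the
# Configuration Manager client). Only the columns used below are modelled.
V_R_SYSTEM_ROWS = [
    # ResourceID, Netbios_Name0, AD_Domain_Name0, Client_Version0, Operating_System_Name_and0
    (1, "WS01", "CORP", "5.00.9999.1000", "Microsoft Windows NT Workstation 6.1"),
    (2, "WS02", "CORP", "5.00.9999.1000", "Microsoft Windows NT Workstation 10.0"),
    (3, "SRV01", "CORP", "5.00.9999.1000", "Microsoft Windows NT Server 10.0"),
]

# Constructed rows standing in for v_GS_OPERATING_SYSTEM (hardware inventory of
# the installed OS). WS02 has no row: it is discovered but has not yet reported
# hardware inventory, which is exactly the case the join type decides.
V_GS_OPERATING_SYSTEM_ROWS = [
    # ResourceID, Caption0, Version0, CSDVersion0, LastBootUpTime0
    (1, "Microsoft Windows 7 Enterprise", "6.1.7601", "Service Pack 1", "2022-02-10 07:31:00"),
    (3, "Microsoft Windows Server 2019 Standard", "10.0.17763", None, "2022-01-28 03:02:00"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the two views as tables in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE v_R_System (ResourceID INTEGER PRIMARY KEY, Netbios_Name0 TEXT,"
        " AD_Domain_Name0 TEXT, Client_Version0 TEXT, Operating_System_Name_and0 TEXT)"
    )
    con.execute(
        "CREATE TABLE v_GS_OPERATING_SYSTEM (ResourceID INTEGER PRIMARY KEY, Caption0 TEXT,"
        " Version0 TEXT, CSDVersion0 TEXT, LastBootUpTime0 TEXT)"
    )
    con.executemany("INSERT INTO v_R_System VALUES (?, ?, ?, ?, ?)", V_R_SYSTEM_ROWS)
    con.executemany("INSERT INTO v_GS_OPERATING_SYSTEM VALUES (?, ?, ?, ?, ?)",
                    V_GS_OPERATING_SYSTEM_ROWS)
    return con


def advanced_model_rows(con: sqlite3.Connection, keep_uninventoried: bool = False) -> list:
    """Return the consolidated list the report author sees, one dict per computer.

    The two views are joined on ResourceID as in the designer; the aliases play
    the role of the friendly names given in the rename step (for example
    CSDVersion0 -> "Windows Service Pack Version").  keep_uninventoried=False is
    an inner join: clients without an OS inventory row vanish from the report.
    True uses a left join so they stay, with the OS columns empty (None).
    """
    join = "LEFT JOIN" if keep_uninventoried else "INNER JOIN"
    sql = f"""
        SELECT s.ResourceID       AS "Resource ID",
               s.Netbios_Name0    AS "Computer Name",
               s.AD_Domain_Name0  AS "Domain",
               s.Client_Version0  AS "Client Version",
               os.Caption0        AS "Operating System",
               os.Version0        AS "OS Version",
               os.CSDVersion0     AS "Windows Service Pack Version",
               os.LastBootUpTime0 AS "Last Boot Time"
        FROM v_R_System AS s
        {join} v_GS_OPERATING_SYSTEM AS os ON os.ResourceID = s.ResourceID
        ORDER BY s.ResourceID"""
    cur = con.execute(sql)
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_sample_db()
    for mode in (False, True):
        print("keep_uninventoried =", mode)
        for r in advanced_model_rows(db, keep_uninventoried=mode):
            print("  ", r["Computer Name"], r["Operating System"])
```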
To create the report model
1. In Solution Explorer, right-click Report Models to select Add New Report Model.
2. On the Welcome to the Report Model Wizard page, click Next.
3. On the Select Data Source View page, select the data source view in the Available data source views list, and then click Next. For this example, select Simple_Model.dsv.
4. On the Select report model generation rules page, do not change the default values, and click Next.
5. On the Collect Model Statistics page, verify that Update model statistics before generating is selected, and then click Next.
6. On the Completing the Wizard page, specify a name for the report model. For this example, verify that Advanced_Model is displayed.
7. To complete the wizard and create the report model, click Run.
8. To exit the wizard, click Finish.
9. The report model is shown in the Design window.
To modify object names in the report model
1. In Solution Explorer, right-click a report model to select View Designer. For this example, select Advanced_Model.smdl.
2. In the report model Design view, right-click any object name to select Rename.
3. Type a new name for the selected object, and then press Enter. For example, you could rename the object CSD_Version_0 to read Windows Service Pack Version.
4. When you have finished renaming objects, click File, and then click Save All.
To publish the report model for use in SQL Server Reporting Services
1. In Solution Explorer, right-click Advanced_Model.smdl to select Deploy.
2. Examine the deployment status at the lower left corner of the SQL Server Business Intelligence Development Studio window. When the deployment has finished, Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is displayed in the Output window. The new report model is now available on your SQL Server Reporting Services website.
3. Click File, click Save All, and then close SQL Server Business Intelligence Development Studio.
To deploy the custom report model to Configuration Manager
1. Locate the folder in which you created the report model project. For example, %USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>.
2. Copy the following files from the report model project folder to a temporary folder on your computer:
   <Model Name>.dsv
   <Model Name>.smdl
3. Open the preceding files by using a text editor, such as Notepad.
4. In the file <Model Name>.dsv, locate the first line of the file, which reads as follows:

   <DataSourceView xmlns="https://schemas.microsoft.com/analysisservices/2003/engine">

   Edit this line to read as follows (the xmlns value is unchanged; the only change is the added xmlns:xsi attribute):

   <DataSourceView xmlns="https://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView">

5. Copy the entire contents of the file to the Windows Clipboard.
6. Close the file <Model Name>.dsv.
7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear as follows:

   </Entity>
   </Entities>
   </SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the file (</SemanticModel>).
9. Save and close the file <Model Name>.smdl.
10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft Endpoint Manager\AdminConsole\XmlStorage\Other on the Configuration Manager site server.

IMPORTANT
After copying the report model file to the Configuration Manager site server, you must exit and restart the Configuration Manager console before you can use the report model in the Create Report Wizard.
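Steps 4 through 9 of both "To deploy the custom report model to Configuration Manager" procedures above (Simple_Model and Advanced_Model) are a hand edit of two XML files that is easy to get subtly wrong. The following Python is an added example, not Microsoft's tooling, that performs the same merge and refuses to produce a file that no longer parses; the .dsv and .smdl contents are constructed, trimmed stand-ins for real Business Intelligence Development Studio output, and it assumes the DataSourceView start tag contains no ">" inside an attribute value.

```python
"""Added example: merge <Model Name>.dsv into <Model Name>.smdl as the deploy
procedure describes (add xmlns:xsi to the DataSourceView root tag, paste the
file before </SemanticModel>), then check the result is still well-formed."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for Simple_Model.dsv, trimmed to the parts that matter
# here. A real file written by the designer is far longer.
DSV_TEXT = """<DataSourceView xmlns="https://schemas.microsoft.com/analysisservices/2003/engine">
  <ID>Simple_Model</ID>
  <Name>Simple_Model</Name>
  <DataSourceID>Simple_Model</DataSourceID>
  <Schema>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:element name="v_R_System" />
    </xs:schema>
  </Schema>
</DataSourceView>
"""

# Constructed stand-in for Simple_Model.smdl; only the closing structure matters.
SMDL_TEXT = """<SemanticModel xmlns="http://schemas.microsoft.com/sqlserver/2004/10/semanticmodeling">
  <Name>Simple_Model</Name>
  <Entities>
    <Entity>
      <Name>v_R_System</Name>
    </Entity>
  </Entities>
</SemanticModel>
"""

ROOT_TAG_RE = re.compile(r"<DataSourceView\b([^>]*)>")   # assumes no '>' inside attribute values
XSI_ATTR_RE = re.compile(r'\s+xmlns:xsi="[^"]*"')
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>\s*")


def rewrite_dsv_root(dsv_text: str) -> str:
    """Step 4: add xmlns:xsi="RelationalDataSourceView" to the DataSourceView start tag.

    The xmlns value already in the file is kept. Any xmlns:xsi the designer
    wrote is replaced, so the attribute is never declared twice.
    """
    m = ROOT_TAG_RE.search(dsv_text)
    if m is None:
        raise ValueError("no <DataSourceView> root element found in the .dsv file")
    attrs = XSI_ATTR_RE.sub("", m.group(1))
    new_tag = f'<DataSourceView{attrs} xmlns:xsi="RelationalDataSourceView">'
    return dsv_text[:m.start()] + new_tag + dsv_text[m.end():]


def merge_dsv_into_smdl(smdl_text: str, dsv_text: str) -> str:
    """Steps 4 to 9: paste the edited .dsv directly before the closing </SemanticModel>."""
    if 'xmlns:xsi="RelationalDataSourceView"' in smdl_text:
        raise ValueError("the .smdl already contains an embedded data source view")
    end = smdl_text.rfind("</SemanticModel>")
    if end == -1:
        raise ValueError("no closing </SemanticModel> tag found in the .smdl file")
    # An XML declaration is only legal at the very start of a document, so it
    # must not travel along with the pasted content.
    edited = rewrite_dsv_root(XML_DECL_RE.sub("", dsv_text, count=1))
    merged = smdl_text[:end] + edited.rstrip("\n") + "\n" + smdl_text[end:]
    ET.fromstring(merged)   # raise ParseError rather than ship a model the console cannot load
    return merged


def embedded_dsv(merged_smdl: str) -> dict:
    """Describe the DataSourceView now nested under SemanticModel (verification aid)."""
    root = ET.fromstring(merged_smdl)
    for child in root:
        if child.tag.endswith("}DataSourceView"):
            ns = child.tag[1:child.tag.index("}")]
            id_el = child.find(f"{{{ns}}}ID")
            return {"namespace": ns, "id": None if id_el is None else id_el.text}
    return {}


def merge_files(dsv_path: str, smdl_path: str, out_path: str) -> dict:
    """On-disk version of the same steps; returns the embedded_dsv() summary of the output."""
    with open(dsv_path, encoding="utf-8") as f:
        dsv_text = f.read()
    with open(smdl_path, encoding="utf-8") as f:
        smdl_text = f.read()
    merged = merge_dsv_into_smdl(smdl_text, dsv_text)
    with open(out_path, "w", encoding="utf-8") as f:
        f.write(merged)
    return embedded_dsv(merged)


if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: merge_model.py <Model Name>.dsv <Model Name>.smdl <output>.smdl
        print(merge_files(*sys.argv[1:4]))
    else:
        print(embedded_dsv(merge_dsv_into_smdl(SMDL_TEXT, DSV_TEXT)))
```

Copy the output file, not the original .smdl, to the XmlStorage\Other folder named in step 10.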
The data warehouse service point for Configuration Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


Use the data warehouse service point to store and report on long-term historical data for your Configuration
Manager deployment.
The data warehouse supports up to 2 TB of data, with timestamps for change tracking. The data warehouse
stores data by automatically synchronizing data from the Configuration Manager site database to the data
warehouse database. This information is then accessible from your reporting service point. Data synchronized
to the data warehouse database is kept for three years. Periodically, a built-in task removes data that's older than
three years.
Data that is synchronized includes the following from the global data and site data groups:
Infrastructure health
Security
Compliance
Malware
Software deployments
Inventory details (however, inventory history isn't synchronized)
When the site system role installs, it installs and configures the data warehouse database. It also installs several
reports so you can easily search for and report on this data.

Prerequisites
The data warehouse site system role is supported only at the top-tier site of your hierarchy. For example,
a central administration site (CAS) or standalone primary site.
Starting in version 2107, the server where you install this site system role requires .NET version 4.6.2, and version 4.8 is recommended. In version 2103 and earlier, this role requires .NET 4.5.2 or later. For more information, see Site and site system prerequisites.
Grant the Reporting Services Point Account the db_datareader permission on the data warehouse database.
To synchronize data with the data warehouse database, Configuration Manager uses the computer
account of the site system role. This account requires the following permissions:
Administrator on the computer that hosts the data warehouse database.
DB_Creator permission on the data warehouse database.
Either DB_owner or DB_reader with execute permissions to the top-tier site's database.
The data warehouse database requires the use of SQL Server 2012 or later. The edition can be Standard,
Enterprise, or Datacenter. The SQL Server version for the data warehouse doesn't need to be the same as
the site database server.
The warehouse database supports the following SQL Server configurations:
A default or named instance
SQL Server Always On availability group
SQL Server Always On failover cluster instance
If you use distributed views, install the data warehouse service point on the same server that hosts the
CAS's database.
For more information on SQL Server licensing, see the product and licensing FAQ.
Size the data warehouse database the same as your site database. While the data warehouse is smaller at first, it
will grow over time.

Install
Each hierarchy supports a single instance of this role, on any site system of the top-tier site. The SQL Server that
hosts the database for the warehouse can be local to the site system role, or remote. The data warehouse works
with the reporting services point installed at the same site. You don't need to install the two site system roles on
the same server.
To install the role, use the Add Site System Roles Wizard or the Create Site System Server Wizard. For more information, see Install site system roles. On the System Role Selection page of the wizard, select the Data Warehouse service point role.
When you install the role, Configuration Manager creates the data warehouse database for you on the instance
of SQL Server that you specify. If you specify the name of an existing database, Configuration Manager doesn't
create a new database. Instead it uses the one you specify. This process is the same as when you move the data
warehouse database to a new SQL Server.
Configure properties
General page
SQL Server fully qualified domain name: Specify the fully qualified domain name (FQDN) of the server that hosts the data warehouse service point database.
SQL Server instance name, if applicable: If you don't use a default instance of SQL Server, specify the named instance.
Database name: Specify a name for the data warehouse database. Configuration Manager creates the data warehouse database with this name. If you specify a database name that already exists on the instance of SQL Server, Configuration Manager uses that database.
SQL Server port used for connection: Specify the TCP/IP port number used by the SQL Server that hosts the data warehouse database. The data warehouse synchronization service uses this port to connect to the data warehouse database. By default, it uses SQL Server port 1433 for communication.
Data warehouse service point account: Set the User name that SQL Server Reporting Services uses when it connects to the data warehouse database.
Synchronization settings page
Data Synchronization custom setting: Choose the option to Select tables. In the Database tables window, select the table names to synchronize to the data warehouse database. Use the filter to search by name, or select the drop-down list to choose specific groups. Select OK when complete to save.

NOTE
You can't remove tables that the role selects by default.

Start time: Specify the time that you want the data warehouse synchronization to start.
Recurrence pattern
Daily: Specify that synchronization runs every day.
Weekly: Specify a single day each week, and weekly recurrence for synchronization.

Reporting
After you install a data warehouse service point, several reports become available on the reporting services
point for the site. If you install the data warehouse service point before installing a reporting services point, the
reports are automatically added when you later install the reporting services point.

NOTE
The data warehouse point supports alternative credentials. Specify credentials that SQL Server Reporting Services uses to
connect to the data warehouse database. Data warehouse reports don't open until you add credentials.
To specify an account, set the User name for the data warehouse service point account in the role properties. For more
information, see Configure properties.

The data warehouse site system role includes the following reports, under the Data Warehouse category:
Application Deployment - Historical: View details for application deployment for a specific application and machine.
Endpoint Protection and Software Update Compliance - Historical: View computers that are missing software updates.
General Hardware Inventory - Historical: View all hardware inventory for a specific machine.
General Software Inventory - Historical: View all software inventory for a specific machine.
Infrastructure Health Overview - Historical: Displays an overview of the health of your Configuration Manager infrastructure.
List of Malware Detected - Historical: View malware that has been detected in the organization.
Software Distribution Summary - Historical: A summary of software distribution for a specific advertisement and machine.

Site expansion
Before you can install a CAS to expand an existing standalone primary site, first uninstall the data warehouse
service point role. After you install the CAS, you can then install the site system role at the CAS.
Unlike a move of the data warehouse database, this change results in a loss of the historic data you have
previously synchronized at the primary site. It isn't supported to back up the database from the primary site and
restore it at the CAS.

Move the database


Use the following steps to move the data warehouse database to a new SQL Server:
1. Use SQL Server Management Studio to back up the data warehouse database. Then, restore that
database to a SQL Server on the new computer that hosts the data warehouse.
NOTE
After you restore the database to the new server, make sure the database access permissions are the same on the
new data warehouse database as they were on the original data warehouse database.

2. Use the Configuration Manager console to remove the data warehouse service point role from the
current server.
3. Reinstall the data warehouse service point. Specify the name of the new SQL Server and instance that
hosts the restored data warehouse database.
4. After the site system role installs, the move is complete.

Troubleshoot
Log files
Use the following logs to investigate problems with the installation of the data warehouse service point, or
synchronization of data:
DWSSMSI.log and DWSSSetup.log : Use these logs to investigate errors when installing the data
warehouse service point.
Microsoft.ConfigMgrDataWarehouse.log : Use this log to investigate data synchronization between
the site database to the data warehouse database.
Set up failure
When the data warehouse service point role is the first one that you install on a remote server, installation fails
for the data warehouse.
To work around this issue, make sure that the computer on which you install the data warehouse service point
already hosts at least one other role.
Synchronization failed to populate schema objects
Synchronization fails with the following message in Microsoft.ConfigMgrDataWarehouse.log :
failed to populate schema objects

To work around this issue, make sure that the computer account of the site system role is a db_owner on the
data warehouse database.
Reports fail to open
Data warehouse reports fail to open when the data warehouse database and reporting service point are on
different site systems.
To work around this issue, grant the Reporting Services Point Account the db_datareader permission on the data warehouse database.
Error opening reports
When you open a data warehouse report, it returns the following error:

An error has occurred during report processing. (rsProcessingAborted)


Cannot create a connection to data source 'AutoGen__39B693BB_524B_47DF_9FDB_9000C3118E82_'.
(rsErrorOpeningConnection)
A connection was successfully established with the server, but then an error occurred during the pre-login
handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not
trusted.)
This issue should only occur when the site database and data warehouse database are on separate SQL Servers.
To work around this issue, use the following steps to configure certificates:
1. On the server that hosts the data warehouse database:
   a. Create a self-signed certificate. Open IIS, select Server Certificates, and then select the Create Self-Signed Certificate action. Specify the "friendly name" of the certificate name as Data Warehouse SQL Server Identification Certificate. Select the certificate store as Personal.

      TIP
      If this server doesn't already have IIS, install it first.

   b. Manage the certificate. Open the Microsoft Management Console (MMC), and add the Certificates snap-in. Select Computer account of the local machine. Expand the Personal folder, and select Certificates.
      i. Give the SQL Server service account read permissions to the certificate. Select the Data Warehouse SQL Server Identification Certificate certificate, then go to the Action menu, select All Tasks, and select Manage Private Keys. Add the SQL Server service account, and allow Read permission.
      ii. Export the Data Warehouse SQL Server Identification Certificate as a DER encoded binary X.509 (.CER) file.
   c. Reconfigure SQL. Open SQL Server Configuration Manager.
      i. Under SQL Server Network Configuration, right-click to select Properties under Protocols for MSSQLSERVER. Switch to the Certificate tab, select Data Warehouse SQL Server Identification Certificate as the certificate, and then save the changes.
      ii. Under SQL Server Services, restart the SQL Server service. If SQL Server Reporting Services is also installed on the server that hosts the data warehouse database, restart Reporting Service services as well.
2. On the server that hosts SQL Server Reporting Services, open the MMC, and add the Certificates snap-in. Select Computer account. Under the Trusted Root Certificate Authorities folder, import the Data Warehouse SQL Server Identification Certificate.

Data flow
Data storage and synchronization
Step 1 : The site server transfers and stores data in the site database.
Step 2 : Based on its schedule and configuration, the data warehouse service point gets data from the site database.
Step 3 : The data warehouse service point transfers and stores a copy of the synchronized data in the data warehouse database.

Reporting flow
Step A : Using built-in reports, a user requests data. This request is passed to the reporting service point using SQL Server Reporting Services.
Step B : Most reports are for current information, and these requests are run against the site database.
Step C : When a report requests historical data by using one of the reports with a Category of Data Warehouse , the request runs against the data warehouse database.
Support Center for Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Use Support Center for client troubleshooting, real-time log viewing, or capturing the state of a Configuration
Manager client computer for later analysis. Support Center is a single tool to combine many administrator
troubleshooting tools.

About
Support Center aims to reduce the challenges and frustration when troubleshooting Configuration Manager
client computers. Previously, when working with support to address an issue with Configuration Manager
clients, you would need to manually collect log files and other information to help troubleshoot the issue. It was
easy to accidentally forget a crucial log file, causing headaches for you and the support personnel who you're
working with.
Use Support Center to streamline the support experience. It lets you:
Create a troubleshooting bundle (.zip file) that contains the Configuration Manager client log files. You
then have a single file to send to support personnel.
View Configuration Manager client log files, certificates, registry settings, debug dumps, and client policies.
Real-time diagnostics of inventory (replaces ContentSpy), policy (replaces PolicySpy), and client cache.
Starting in version 2103, Support Center is split into the following tools:
Support Center Client Data Collector : Collects data from a device to view in the Support Center Viewer. This separate tool encompasses the existing Support Center action to Collect selected data .
Support Center Client Tools : The other Support Center troubleshooting functionality, except for Collect selected data .
The following tools are still a part of Support Center:
Support Center Viewer
Support Center OneTrace
Support Center Log File Viewer
Support Center viewer
Support Center includes Support Center Viewer, a tool that support personnel use to open the bundle of files that you create using Support Center. Support Center's data collector collects and packages diagnostic logs from a local or remote Configuration Manager client. To view data collector bundles, use the viewer application.
Support Center log file viewer
Support Center includes a modern log viewer. This tool replaces CMTrace and provides a customizable interface with support for tabs and dockable windows. It has a fast presentation layer, and can load large log files in seconds.
Support Center OneTrace (Preview)
OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with improvements. For more information, see Support Center OneTrace.
PowerShell cmdlets
Support Center also includes PowerShell cmdlets. Use these cmdlets to create a remote connection to another Configuration Manager client, to configure the data collection options, and to start data collection. These cmdlets are in a separate PowerShell module named ConfigMgrSupportCenter.PS . After you install Support Center, use the following command to import this module:

Import-Module "C:\Program Files (x86)\Configuration Manager Support Center\ConfigMgrSupportCenter.PS.psd1"

Prerequisites
Install the following components on the server or client computer on which you install Support Center:
Any Windows OS version supported by Configuration Manager. For more information, see Supported OS versions for clients. Support Center doesn't support mobile devices or macOS.
Starting in version 2107, all site and client components require .NET Framework version 4.6.2, and version 4.8 is recommended. For more information, see Site and site system prerequisites. In version 2103 and earlier, this tool requires .NET 4.5.2 or later.

Install
Find the Support Center installer on the site server at the following path:
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi .

After you install it, find the following items on the Start menu in the Microsoft Endpoint Manager group:
Support Center Client Data Collector (starting in version 2103)
Support Center Client Tools (starting in version 2103)
Support Center (version 2010 and earlier)
Support Center Log File Viewer
Support Center OneTrace
Support Center Viewer
Starting in version 2103, the Start menu group for Support Center includes these five tools: Client Data Collector, Client Tools, Log File Viewer, OneTrace, and Viewer.

TIP
When installing Support Center, you can install tools individually. To install only the OneTrace log viewer, use the Advanced option in the Support Center installer. You can also use the ADDLOCAL property, for example:
supportcenterinstaller.msi ADDLOCAL=OneTraceApplication
Command line options
Starting in version 2111, the following command-line options are available for the Support Center Data Collector and Client Tools:

-l : Launch as the current user without elevation. If -l is used, no elevation is requested and local connections are disabled. -l can be used on its own, without -m and -p . If -m and/or -p is used without -l , elevation is still requested.
-m <machinename> : Specify a machine name. If -m <machinename> is used, the tool attempts to connect to the specified machine using integrated authentication (unless -p is used).
-p : Disable integrated authentication. If -p is used, the connection screen opens when the client tools start. If used with -m , the machine name is pre-populated with the specified value.
--help : Display help.

NOTE
When using -m <machinename> , the account making the connection needs administrator access on the target machine to collect the data.
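A scripted install and launch that uses the ADDLOCAL property from the TIP above and the version 2111 command-line options. This is an added example, not code from the Support Center documentation. Only the feature name OneTraceApplication and the default OneTrace path are taken from the docs; the Client Tools executable name and the installer location are assumptions and should be checked against your install.

```powershell
# Added example, not part of Support Center. Installs the chosen features
# silently with a verbose log, verifies the OneTrace binary (path from the
# docs), then launches Client Tools with -l / -m / -p.
function Install-SupportCenter {
    param(
        [Parameter(Mandatory)][string]$MsiPath,                 # assumed: a copy of SupportCenterInstaller.msi
        [string[]]$Features = @('OneTraceApplication'),         # OneTraceApplication is from the docs; other names are not listed there
        [string]$LogPath = "$env:TEMP\SupportCenterInstall.log"
    )
    $msiArgs = @('/i', "`"$MsiPath`"", "ADDLOCAL=$($Features -join ',')", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode); see $LogPath"
    }
    $oneTrace = 'C:\Program Files (x86)\Configuration Manager Support Center\CMPowerLogViewer.exe'
    if (-not (Test-Path -Path $oneTrace)) { throw "OneTrace was not installed at $oneTrace" }
    return $proc.ExitCode
}

function Start-SupportCenterClientTools {
    param(
        # Assumed executable name; confirm it in the install folder before use.
        [string]$ExePath = 'C:\Program Files (x86)\Configuration Manager Support Center\ConfigMgrClientTools.exe',
        [switch]$NoElevation,        # -l : run as the current user, local connections disabled
        [string]$MachineName,        # -m <machinename> : integrated auth unless -p
        [switch]$NoIntegratedAuth    # -p : show the connection screen (credential prompt)
    )
    $cli = @()
    if ($NoElevation)      { $cli += '-l' }
    if ($MachineName)      { $cli += '-m', $MachineName }
    if ($NoIntegratedAuth) { $cli += '-p' }
    # Per the docs, -l disables local connections, so only a remote target is
    # useful in that mode; say so instead of silently opening an empty tool.
    if ($NoElevation -and -not $MachineName) {
        Write-Warning '-l disables local connections; pass -MachineName to connect to a remote client.'
    }
    Start-Process -FilePath $ExePath -ArgumentList $cli
}

# Usage (assumed paths):
# Install-SupportCenter -MsiPath 'C:\Temp\SupportCenterInstaller.msi' -Features 'OneTraceApplication'
# Start-SupportCenterClientTools -NoElevation -MachineName 'client01' -NoIntegratedAuth
```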

Known issues
Remote connections must include computer name or domain as part of the user name
If you connect to a remote client from Support Center, you must provide the machine name or domain name for
the user account when establishing the connection. If you use a shorthand computer name or domain name
(such as .\administrator ), the connection succeeds, but Support Center doesn't collect data from the client.
To avoid this issue, use the following user name formats to connect to a remote client:
ComputerName\UserName
DomainName\UserName

Scripted server message block connections to remote clients might require removal
When connecting to remote clients using the New-CMMachineConnection PowerShell cmdlet, Support Center creates a server message block (SMB) connection to each remote client. It keeps those connections after you complete data collection. To avoid exceeding the maximum number of remote connections for Windows, use the net use command to see the currently active set of remote connections. Then remove any unneeded connections by using the following command: net use <connection_name> /d where <connection_name> is the name of the remote connection.
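Two helpers for the known issues above, added here as an example and not taken from Support Center: one rejects the shorthand user name formats (such as .\administrator) that make remote collection silently return nothing, the other lists and removes the leftover SMB connections with the same net use commands the docs point to. The client names in the usage lines are constructed for the example.

```powershell
# Added example, not Support Center code.
function Test-SupportCenterUserName {
    param([Parameter(Mandatory)][string]$UserName)
    # Accept COMPUTER\user or DOMAIN\user (NetBIOS or DNS-style names).
    # Reject ".\user", a bare "user", and UPN forms, which connect but don't collect.
    return $UserName -match '^(?!\.\\)[A-Za-z0-9][A-Za-z0-9.-]*\\[^\\\s]+$'
}

function Get-SupportCenterSmbConnection {
    param([string[]]$ComputerName)
    # "net use" prints one line per connection: Status  Local  Remote  Network.
    # Extract the remote name (\\server\share); optionally keep only some hosts.
    $lines = net use 2>$null
    foreach ($line in $lines) {
        if ($line -match '(\\\\[^\s\\]+\\[^\s]+)') {
            $remote = $Matches[1]
            $server = ($remote -split '\\')[2]
            if (-not $ComputerName -or $ComputerName -contains $server) { $remote }
        }
    }
}

function Remove-SupportCenterSmbConnection {
    param([string[]]$ComputerName, [switch]$WhatIf)
    foreach ($remote in Get-SupportCenterSmbConnection -ComputerName $ComputerName) {
        if ($WhatIf) { "Would remove $remote"; continue }
        net use $remote /d /y | Out-Null      # same as the docs' "net use <connection_name> /d"
        "Removed $remote"
    }
}

# Usage with constructed names: the first and third pass, ".\administrator" fails.
'CONTOSO\helpdesk', '.\administrator', 'client01\admin' | ForEach-Object {
    '{0,-20} {1}' -f $_, (Test-SupportCenterUserName -UserName $_)
}
Remove-SupportCenterSmbConnection -ComputerName 'client01', 'client02' -WhatIf
```

Run the removal only after the data bundle has been saved; New-CMMachineConnection relies on the connection while collection is in progress.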
Next steps
Support Center quickstart
Support Center quickstart guide
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Support Center has powerful capabilities including troubleshooting and real-time log viewing. It can also be
used in just a few minutes to capture the state of a Configuration Manager client computer. This ability includes
accessing remote clients.
Create a complete troubleshooting bundle file (.zip) that captures the client state. The bundle doesn't only
contain log files. It can include other types of data such as registry settings and client configurations. Provide the
bundle to a support technician who uses Support Center Viewer.

Prerequisites
Local administrative rights to a Configuration Manager client
The Support Center installer. This file is on the site server at
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi . For more information, see Support
Center - Install.

Step 1: Create a data bundle on a local client


1. Install Support Center on the Configuration Manager client.
2. Go to the Start menu, in the Microsoft Endpoint Manager group, and select the option based on your site version:
For version 2103 and later: Select Support Center Client Data Collector .
For version 2010 and earlier: Select Support Center .
3. On the Home tab of the ribbon, select Collect selected data .
By default, Support Center only collects the minimum data set:
Client log files : All log files from the Configuration Manager clients, by default in
C:\Windows\CCM\logs . It also includes log files for client setup, by default in
C:\Windows\ccmsetup\Logs .

Client configuration : Information from the Configuration Manager client. For example, the
version, the assigned site and management point, and if it's internet facing. This option is always
enabled.
Operating system : Information about the computer. For example, Windows install, network
adapters, and system services. This option is always enabled.
4. Save the troubleshooting bundle file (.zip) to a folder on the computer. By default, the file name is similar
to the following example: Support_c885cdfed3c7482bba4f9e662978ec07.zip .

Step 2: View the data bundle using Support Center Viewer


1. Start Support Center Viewer . This action can happen on any computer with Support Center.
2. Select Open bundle , browse to the bundle file, and select Open .
3. After Support Center Viewer processes the file, switch to each available tab. View the types of data that
Support Center collects by default:
Configuration tab
Configuration Manager client configuration
Operating system
Computer
Services
Network adapters
Logs tab: Choose one or more entries in the list, and select Open . This action opens the selected
log files in Log Viewer. Use this feature to look up error codes, and use advanced filters to help you
more quickly analyze log files.

Collect more data


Beyond these basic capabilities, Support Center can also collect a wide variety of other client state information.
Open Support Center Client Data Collector and select Collect all data . This process typically lasts several minutes, even on newer computers. Support Center collects the following data:

Policy : Configuration Manager policy settings, including both the requested policy configuration and the
actual policy configuration.
Client WMI : Client configuration information from WMI. Support Center doesn't collect client policy.
Certificates : Public key information for client certificates. Support Center doesn't collect certificate private keys.
Debug dumps : Collect a debug dump of client and related processes. Debug dumps can be large. Only
enable this option when troubleshooting issues with client performance.

WARNING
Collecting debug dumps will cause data bundles to become very large. In some cases, the size can be several
hundred MB.
Debug dumps may contain sensitive information, including passwords, cryptographic secrets, or user data. Only
collect debug dumps on the recommendation of Microsoft Support personnel. Carefully handle data bundles that
contain debug dumps to protect them from unauthorized access.
This data type isn't supported when you make a remote connection to another client.

Client registry : Collects client configuration information from the registry. Support Center only collects Configuration Manager registry information.
Troubleshooting : Real-time troubleshooting data to help diagnose common client problems with Active
Directory, management points, networking, policy assignments, and registration.

NOTE
This data type isn't supported when you make a remote connection to another client.

Windows Update log files : Collects log files for Windows Updates, which are necessary when
troubleshooting issues with software updates.

Next steps
User interface reference
Support Center OneTrace
2/16/2022 • 2 minutes to read

OneTrace is a new log viewer with Support Center. It works similarly to CMTrace, with the following
improvements:
A tabbed view
Dockable windows
Improved search capabilities
Ability to enable filters without leaving the log view
Scrollbar hints to quickly identify clusters of errors
Fast log opening for large files
Windows jump lists for recently opened files (version 2103 and later)
Status messages are displayed in an easy to read format (version 2111 and later)
Entries starting with >> are status messages that are automatically converted into a readable format
when a log is opened. Search or filter on the >> string to find status messages in the log.

OneTrace works with many types of log files, such as:


Configuration Manager client logs
Configuration Manager server logs
Status messages
Windows Update ETW log file on Windows 10 or later
Windows Update log file on Windows 7 & Windows 8.1

Prerequisites
Starting in version 2107, all site and client components require .NET Framework version 4.6.2, and version 4.8 is recommended. For more information, see Site and site system prerequisites.
In version 2103 and earlier, this tool requires .NET 4.6 or later.

Install
OneTrace installs with Support Center. Find the Support Center installer on the site server at the following path:
cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi .

By default, the OneTrace application is installed at
C:\Program Files (x86)\Configuration Manager Support Center\CMPowerLogViewer.exe .

NOTE
Support Center Log File Viewer and OneTrace use Windows Presentation Foundation (WPF). This component isn't
available in Windows PE. Continue to use CMTrace in boot images with task sequence deployments.

Log groups
OneTrace supports customizable log groups, similar to the feature in Support Center. Log groups allow you to
open all log files for a single scenario. OneTrace currently includes groups for the following scenarios:
Application management
Compliance settings (also referred to as Desired Configuration Management)
Software updates
To show log groups, go to the View menu, and select Log groups .

Customize log groups


You can customize these groups by modifying the configuration XML, which by default is in the following path:
C:\Program Files (x86)\Configuration Manager Support Center\LogGroups.xml .
The following example is one portion of the default configuration file:

<LogGroups>
<LogGroup Name="Desired Configuration Management" GroupType="1" GroupFilePath="">
<LogFile>CIAgent.log</LogFile>
<LogFile>CIDownloader.log</LogFile>
<LogFile>CIStateStore.log</LogFile>
<LogFile>CIStore.log</LogFile>
<LogFile>CITaskMgr.log</LogFile>
<LogFile>ccmsdkprovider.log</LogFile>
<LogFile>DCMAgent.log</LogFile>
<LogFile>DCMReporting.log</LogFile>
<LogFile>DcmWmiProvider.log</LogFile>
</LogGroup>
</LogGroups>

The GroupType property accepts the following values:


0 : Unknown or other
1 : Configuration Manager client logs
2 : Configuration Manager server logs

The GroupFilePath property can include an explicit path for the log files. If it's blank, OneTrace relies upon the
registry configuration for the group type. For example, if you set GroupType=1 , by default OneTrace will
automatically look in C:\Windows\CCM\Logs for the logs in the group. In this example, you don't need to specify
GroupFilePath .
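One way to add your own group to LogGroups.xml with the schema shown above (LogGroup with Name, GroupType and GroupFilePath attributes, LogFile children). This is an added example and is not shipped with OneTrace. The group name and the three client log file names are chosen for the example; the config path is the default install path from the docs.

```powershell
# Added example, not part of OneTrace: appends a LogGroup element to LogGroups.xml.
function Add-OneTraceLogGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$GroupType,   # 0 other, 1 client logs, 2 server logs
        [Parameter(Mandatory)][string[]]$LogFile,
        [string]$GroupFilePath = '',   # blank: OneTrace resolves the folder from GroupType
        [string]$ConfigPath = 'C:\Program Files (x86)\Configuration Manager Support Center\LogGroups.xml'
    )
    [xml]$doc = Get-Content -Path $ConfigPath -Raw
    # XPath rather than $doc.LogGroups.LogGroup.Name: the Name attribute would
    # collide with XmlElement's own Name property in PowerShell's XML adapter.
    if ($doc.SelectSingleNode("/LogGroups/LogGroup[@Name='$Name']")) {
        throw "Log group '$Name' already exists in $ConfigPath"
    }
    $group = $doc.CreateElement('LogGroup')
    $group.SetAttribute('Name', $Name)
    $group.SetAttribute('GroupType', [string]$GroupType)
    $group.SetAttribute('GroupFilePath', $GroupFilePath)
    foreach ($file in $LogFile) {
        $element = $doc.CreateElement('LogFile')
        $element.InnerText = $file
        [void]$group.AppendChild($element)
    }
    [void]$doc.DocumentElement.AppendChild($group)
    # The file sits under Program Files: run elevated, and keep a backup.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    $doc.Save($ConfigPath)
    return $doc.SelectNodes('/LogGroups/LogGroup').Count
}

# Example group for client registration problems (log names chosen for the example).
Add-OneTraceLogGroup -Name 'Client registration' -GroupType 1 `
    -LogFile 'ClientIDManagerStartup.log', 'LocationServices.log', 'CcmMessaging.log'
```

Because GroupType is 1 and GroupFilePath is left blank, OneTrace looks for the three files in the client log folder it reads from the registry, as described above; set GroupFilePath only when the logs live somewhere else.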

Open recent files


Starting in version 2103, OneTrace supports Windows jump lists for recently opened files. Jump lists let you
quickly go to previously opened files, so you can work faster.
There are three methods to open recent files in OneTrace:
Windows taskbar jump list
Windows Start menu recently opened list
In OneTrace from File menu or Recently opened tab.
Windows taskbar jump list
When the OneTrace icon is on the Windows taskbar, right-click it, and then select a file from the Recently
opened list.

Windows Start menu recently opened list


Go to the Start menu, and type onetrace . Select a file from the Recently opened list.
OneTrace recently opened list
There are two locations in OneTrace that show the list of recently opened files:
The Recently opened tab in the lower right corner.
Go to the File menu and select a file at the bottom of the menu.

Next steps
User interface reference
Support Center user interface reference
2/16/2022 • 25 minutes to read

Applies to: Configuration Manager (current branch)


This article is a reference that describes the user interfaces (UI) of the following Support Center tools:
Support Center Client Data Collector
Support Center Client Tools
Support Center Viewer
Support Center Log File Viewer

NOTE
In version 2010 and earlier, the Client Data Collector and Client Tools are combined into a single tool called Support Center .

The Support Center suite also includes OneTrace . For more information, see Support Center OneTrace.

Support Center Client Data Collector


NOTE
In version 2010 and earlier, this tool is part of the Support Center tool. The Collect selected data action is on the Home tab of the Support Center tool.

Window menu (Client Data Collector)


In the upper left corner of the Support Center Client Data Collector window, select the arrow in the blue box to
open this menu.
Local Machine Connection : Gather data from the client that's running Support Center Client Data
Collector.
Remote Connection : Establish a remote connection with another Configuration Manager client. After
connecting, gather data from the remote client.
About : Provides information about Support Center Client Data Collector, such as the version.
Options :
Reduce the movement of animated user interface elements
Change the default save location for data bundle files
Change the location of temporary files
Reset warnings. Any warning messages that you previously suppressed appear again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenter

Exit : Close Support Center Client Data Collector.


Home tab
Collect selected data
Support Center Client Data Collector collects information from the Configuration Manager client. You can then
view this information using Support Center Viewer. By default, it collects the following types:
Client log files
Client configuration collector
Operating system
To collect other types of information, select the checkbox next to the name for that type.
Select the drop-down at the bottom of the Collect selected data button in the ribbon, and select Collect all
data . This action collects the complete set of client state data.
While Support Center Client Data Collector is collecting data, select Cancel collection to stop it.
For more information, see Support Center quickstart guide.
Data types
When you select the checkbox for an option, Support Center Client Data Collector collects that type of data the
next time you select Collect selected data . The following types are available:
Log files : Client log files including setup logs.
Policy : Client policy collection.
Certificates : Public key information for client certificates. Support Center Client Data Collector doesn't collect certificate private keys.
Client configuration collector : Configuration Manager client information. You can't disable this data type.
Client registry : Collects client configuration information from the registry. Support Center Client Data Collector only collects Configuration Manager registry information.
Client WMI : Client configuration information from WMI. Support Center Client Data Collector doesn't
collect client policy.
Troubleshooting : Real-time troubleshooting data to help diagnose common client problems with Active
Directory, management points, networking, policy assignments, and registration.

NOTE
This data type isn't supported when you make a remote connection to another client.

Debug dumps : Create a debug dump of client and related processes. Debug dumps can be large. Only
enable this option when troubleshooting issues with client performance.

WARNING
Collecting debug dumps will cause data bundles to become very large. In some cases, the size can be several
hundred MB.
Debug dumps may contain sensitive information, including passwords, cryptographic secrets, or user data.
Only collect debug dumps on the recommendation of Microsoft Support personnel. Carefully handle data bundles
that contain debug dumps to protect them from unauthorized access.
This data type isn't supported when you make a remote connection to another client.

Operating system : Collects configuration information about the local machine. This data includes
information about the Windows installation, network adapters, and system service configuration. You
can't disable this data type.

Support Center Client Tools


This section describes the user interface for the Support Center Client Tools tool.

NOTE
In version 2010 and earlier, this tool is called Support Center .
Starting in version 2103, use the Support Center Client Data Collector for the Collect selected data action.

Window menu
Client tab
Policy tab
Content tab
Inventory tab
Troubleshooting tab
Logs tab
Window menu (Client Tools)
In the upper left corner of the Support Center Client Tools window, select the arrow in the blue box to open this
menu.
Local Machine Connection : Gather log files and troubleshoot the client that's running Support Center.
Remote Connection : Establish a remote connection with another Configuration Manager client. After
connecting, gather log files and troubleshoot the remote client.
About : Provides information about Support Center Client Tools, such as the version.
Options :
Reduce the movement of animated user interface elements
Change the default save location for data bundle files
Change the location of temporary files
Reset warnings. Any warning messages that you previously suppressed appear again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenter
Exit : Close Support Center Client Tools.
Client tab
Load or Refresh (Client)
Load or refresh details for the Configuration Manager client.
Client information
When you load client details, this tool shows the following properties:
Client ID : A unique identifier that Configuration Manager uses to identify the client.
Hardware ID : A unique identifier that Configuration Manager uses to identify the client hardware.
Approved : Indicates whether the client is approved in Configuration Manager.
Registration State : Indicates whether the client is registered with Configuration Manager.
Internet-facing : Indicates whether the client is on the internet.
Version : The version number of the installed Configuration Manager client.
Site Code : The site code for the primary site to which the client is assigned.
Assigned MP : The fully qualified domain name (FQDN) of the client's currently assigned management
point.
Resident MP : The FQDN of the resident management point.
Proxy MP : The hostname or FQDN of the proxy management point (if it exists).
Proxy Site Code : The site code for the secondary site (if it exists).
Proxy State : The state of the Configuration Manager client's proxy management point. For example,
Active or Pending .
Maintenance windows
List all maintenance windows currently defined for this client. The next maintenance window displays a different
status than future windows.
Control client agent service
Do one of the following actions for the Configuration Manager client agent service (ccmexec) on the connected
client:
Restart client

IMPORTANT
If the client agent service doesn't successfully restart, the client isn't manageable by Configuration Manager until the service starts.

Start client
Stop client

IMPORTANT
The client isn't manageable by Configuration Manager until the service starts.
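The Client tab's information, maintenance windows and service control, read directly from the client without Support Center. This is an added example, not Support Center code. It assumes Windows PowerShell 5.1 and local administrator rights on the target: version, site code and assigned management point come from SMS_Client and SMS_Authority in root\ccm, the client ID from CCM_Client in root\ccm, and maintenance windows from CCM_ServiceWindow in root\ccm\clientsdk. Approved, Hardware ID and the proxy management point fields are not read here.

```powershell
# Added example, not part of Support Center.
function Get-CMClientIdentity {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $cim = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    $client    = Get-CimInstance @cim -Namespace 'root\ccm' -ClassName SMS_Client
    $authority = Get-CimInstance @cim -Namespace 'root\ccm' -ClassName SMS_Authority
    $identity  = Get-CimInstance @cim -Namespace 'root\ccm' -ClassName CCM_Client
    $windows   = Get-CimInstance @cim -Namespace 'root\ccm\clientsdk' -ClassName CCM_ServiceWindow
    [pscustomobject]@{
        Computer           = $ComputerName
        ClientId           = $identity.ClientId
        Version            = $client.ClientVersion
        SiteCode           = ($authority.Name -replace '^SMS:', '')   # Name is "SMS:<sitecode>"
        AssignedMP         = $authority.CurrentManagementPoint
        MaintenanceWindows = @($windows | Sort-Object StartTime | ForEach-Object {
            '{0} -> {1} (type {2})' -f $_.StartTime, $_.EndTime, $_.Type })
    }
}

function Restart-CMClientAgent {
    # "Restart client" plus the check the IMPORTANT note asks for: if CcmExec
    # does not come back, the device is unmanaged, so fail loudly.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$TimeoutSeconds = 120)
    $svc = Get-Service -Name 'CcmExec' -ComputerName $ComputerName -ErrorAction Stop
    Restart-Service -InputObject $svc -Force
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))   # throws on timeout
    $svc.Refresh()
    if ($svc.Status -ne 'Running') { throw "CcmExec on $ComputerName did not return to Running" }
    return "CcmExec on $ComputerName is $($svc.Status)"
}

# Usage
Get-CMClientIdentity | Format-List
# Restart-CMClientAgent -ComputerName 'client01'   # constructed name
```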

Policy tab (Client Tools)


Use the actions on this tab instead of the older PolicySpy tool.
Load policy
This option varies depending upon the view:
Load Actual policy : Select Actual in the View group, and then select this option in the Policy group.
Load the client policy that you've currently selected.
Load Requested policy : Select Requested in the View group, and then select this option in the Policy
group. Load the client policy requested of the client.
Load Default policy : Select Default in the View group, and then select this option in the Policy group.
Load the default policy for this client.
Select the drop-down list at the bottom of this button for other options:
Load or Refresh all : Load or refresh the actual, requested, and default policy at the same time.
Actual view
Opens the actual policy view.
Requested view
Opens the requested policy view.
Default view
Opens the default policy view. This policy is what devices get when you install the Configuration Manager client.
Request and evaluate policy
Request the client policy from the management point, and then evaluate that policy on the client.
Select the drop-down list at the bottom of this button for other options:
Request policy : Request the client policy from the management point.
Evaluate policy : Evaluate the client policy on the client.
Reset policy to default : Tell the Configuration Manager client to reapply the default policy. It removes
all machine and user policies on the client.
Listen for policy events
Listen for policy events. Select this option again to disable listening for policy events. To view Policy events ,
select the arrow at the bottom of this tab.
Clear events
Clear any policy events.
Content tab
View content on the client, including cached content. Monitor the progress of software update and application
deployments.
Load or Refresh (Content)
Applies to the Content and Cache views
Load or refresh the list of content currently on the client.
Invoke trigger (Content)
The following items on this menu request a client action related to content:
Location ser vices
Refresh content locations : Refreshes the distribution points used by any active content
downloads.
Refresh management points : Updates the internal list of management points used by the client.
Time out content requests : If any content location requests have been running for too long, this
action stops the request.
Application deployment evaluation : Starts a task that evaluates deployed applications.
Software updates deployment evaluation : Starts a task that evaluates deployed software updates.
Software updates source scan : Starts a task that scans update source locations.
Windows Installer source list update : Starts a task that updates the source location for Windows
Installer (MSI) installations.
Deployment view
See applications, packages, and updates that are loaded on the client. When you select an application, package,
or update, you can view details on that content. For some applications, you can also do the following actions:
Refresh : Refresh the details view.
Verify or Download : Verify that an application is available for download.
Install : Install the application.
Uninstall : Uninstall the application.
Starting in Configuration Manager version 2107, the view is grouped by Category and Status . The view can be sorted and filtered to help you find the deployments you're interested in. Select a deployment in the results pane to display the following information in the details pane:
Properties tab
Name : The name of the deployment property.
Value : The value assigned to the deployment property.
Policy tab
Display name : Display name of the items in the deployment.
Version : Version for the item in the deployment.
Model name : Model name for the item in the deployment.
CI XML : XML for the configuration item.
Reporting tab
Time : Timestamp of the state message.
State : The state that was reported by the client.
Topic ID : ID of what the state message is reporting on, used to map to events in log files. In this context, it will typically be the Assignment ID of the deployment.
Topic type : The state message type.
Topic type ID : The subtype of the state message.
State ID : The result of the action that you're monitoring.

NOTE
In Configuration Manager versions 2103 and earlier Deployment view is named Content view .

Cache view
View the client cache configuration and details about the cache contents. When you connect Support Center
Client Tools to a local client, you can also do the following actions:
To change the cache location, select Change next to the Cache location field.
To adjust the size of the cache, select Change next to the Cache size field.
To clear the client cache, select Clear next to the Cache in use field.
This view shows the following properties:
Location : The location of each cache folder. Select the link to open the folder in Windows Explorer.
Content ID
Cache ID
Size
Last Referenced : This property is the date when the client last read from or wrote to this item in the cache.
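The Cache view and its Clear action, reproduced through the client's UIResource.UIResourceMgr COM object, which exposes the same fields (content ID, cache element ID, size and last reference time). This is an added example, not Support Center code, and like the tool's Change and Clear actions it only works against the local client. The seven-day threshold is an example value.

```powershell
# Added example, not part of Support Center: read and trim the client cache.
function Get-CMClientCache {
    $mgr   = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache = $mgr.GetCacheInfo()
    [pscustomobject]@{
        Location   = $cache.Location        # cache root folder
        MaxSizeMB  = $cache.MaxCacheSize    # configured size, MB
        UsedSizeMB = $cache.TotalSize       # space in use, MB
        Elements   = @($cache.GetCacheElements() | ForEach-Object {
            [pscustomobject]@{
                ContentId      = $_.ContentId
                CacheElementId = $_.CacheElementId
                SizeKB         = $_.ContentSize
                LastReferenced = $_.LastReferenceTime
                Location       = $_.Location
            }
        })
    }
}

function Clear-CMClientCache {
    # Deletes elements not referenced within $OlderThanDays. -WhatIf lists only.
    param([int]$OlderThanDays = 7, [switch]$WhatIf)
    $mgr    = New-Object -ComObject 'UIResource.UIResourceMgr'
    $cache  = $mgr.GetCacheInfo()
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    $removed = 0
    foreach ($element in @($cache.GetCacheElements())) {
        if ($element.LastReferenceTime -lt $cutoff) {
            if ($WhatIf) { "Would delete $($element.ContentId) ($($element.ContentSize) KB)"; continue }
            $cache.DeleteCacheElement($element.CacheElementId)
            $removed++
        }
    }
    return $removed
}

# Usage
$info = Get-CMClientCache
'{0}: {1} MB of {2} MB in use, {3} elements' -f $info.Location, $info.UsedSizeMB, $info.MaxSizeMB, $info.Elements.Count
$info.Elements | Sort-Object LastReferenced | Format-Table ContentId, SizeKB, LastReferenced
Clear-CMClientCache -OlderThanDays 7 -WhatIf
```

Deleting by CacheElementId rather than wiping the folder keeps the client's cache bookkeeping consistent, which is why the tool's Clear action goes through the same interface instead of removing files.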
Monitoring view
View the active progress of software update and application update deployments. This view shows state
messages raised from application and software updates event WMI messages.
For each event, the view shows the following properties:
Time : The time that the client raised the event.
Topic type : The state message type.
Topic ID : ID of the state message, used to map to events in log files.
Topic ID type : The subtype of the state message.
State ID : The result of the action that you're monitoring.
Details and Event data : More information on the state messages shown in this view. State details may
sometimes be blank.
All updates view
View details about software updates:
State
Article ID
Bulletin
Name
Update ID
Scan Time
Source Version
Source Unique ID
Inventory tab
Load or Refresh (Inventory )
Load or refresh the client inventory list for the currently selected view.
Invoke trigger (Inventory )

NOTE
For tasks other than Software metering report cycle :
If you request the task when another inventory task is already running, the client queues the new task to run after it completes the current task and other queued tasks.
Track the progress of the task in InventoryAgent.log .

The following items on this menu request client action related to inventory:
Discovery data collection cycle (heartbeat) : Triggers the client task used to collect device discovery information.
File collection cycle : Triggers the client task used to collect local files.
Hardware inventory cycle : Triggers the client task used to collect hardware inventory data.
IDMIF collection cycle : Triggers the client task used to collect IDMIF data.
Software inventory cycle : Triggers the client task used to collect software inventory data.
Software metering report cycle : Triggers the client task used to build a software metering report and send it to the management point. Track the progress of this task in SWMTRReportGen.log .
Send unsent state messages in queue : Triggers the client task to flush the queue of state messages.
Advanced
Hardware inventory cycle (full resynchronization)
Software inventory cycle (full resynchronization)
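The Invoke trigger items on this tab and the Request, Evaluate and Reset policy actions on the Policy tab all map to client schedule IDs passed to the TriggerSchedule method of SMS_Client in root\ccm. The block below is an added example, not Support Center code; the IDs are the well-known client schedule IDs (no separate ID is listed here for the IDMIF cycle). The full resynchronization variants work by removing the inventory action status before triggering, which makes the client send a full report instead of a delta. A remote -ComputerName needs administrator rights on the target.

```powershell
# Added example, not part of Support Center.
$CMSchedule = @{
    HardwareInventory      = '{00000000-0000-0000-0000-000000000001}'
    SoftwareInventory      = '{00000000-0000-0000-0000-000000000002}'
    DiscoveryDataHeartbeat = '{00000000-0000-0000-0000-000000000003}'
    FileCollection         = '{00000000-0000-0000-0000-000000000010}'
    MachinePolicyRequest   = '{00000000-0000-0000-0000-000000000021}'
    MachinePolicyEvaluate  = '{00000000-0000-0000-0000-000000000022}'
    SoftwareMeteringReport = '{00000000-0000-0000-0000-000000000031}'
    WindowsInstallerSource = '{00000000-0000-0000-0000-000000000107}'
    UpdatesDeploymentEval  = '{00000000-0000-0000-0000-000000000108}'
    SendUnsentStateMsgs    = '{00000000-0000-0000-0000-000000000111}'
    UpdatesSourceScan      = '{00000000-0000-0000-0000-000000000113}'
    AppDeploymentEval      = '{00000000-0000-0000-0000-000000000121}'
}

function Invoke-CMClientSchedule {
    param(
        [Parameter(Mandatory)][ValidateScript({ $CMSchedule.ContainsKey($_) })][string]$Name,
        [switch]$FullResync,                     # hardware/software inventory only
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $id = $CMSchedule[$Name]
    if ($FullResync -and $Name -in 'HardwareInventory', 'SoftwareInventory') {
        # Dropping the action status is what forces a full report on the next cycle.
        Get-CimInstance -ComputerName $ComputerName -Namespace 'root\ccm\invagt' `
            -ClassName InventoryActionStatus -Filter "InventoryActionID='$id'" |
            Remove-CimInstance
    }
    Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\ccm' -ClassName SMS_Client `
        -MethodName TriggerSchedule -Arguments @{ sScheduleID = $id } | Out-Null
    return "Triggered $Name ($id) on $ComputerName; follow InventoryAgent.log or PolicyAgent.log"
}

function Reset-CMClientPolicy {
    # "Reset policy to default": uFlags 1 is a hard reset that removes all
    # machine and user policy; 0 is a soft reset.
    param([string]$ComputerName = $env:COMPUTERNAME, [switch]$Hard)
    $flags = [uint32]$(if ($Hard) { 1 } else { 0 })
    Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\ccm' -ClassName SMS_Client `
        -MethodName ResetPolicy -Arguments @{ uFlags = $flags }
}

# Usage: request and evaluate machine policy, then a full hardware inventory.
Invoke-CMClientSchedule -Name MachinePolicyRequest
Invoke-CMClientSchedule -Name MachinePolicyEvaluate
Invoke-CMClientSchedule -Name HardwareInventory -FullResync
```

As the NOTE above says, inventory triggers queue behind a running inventory task, so the log is the place to confirm the cycle actually started rather than the method's return value.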
Views
If a feature isn't enabled, the view doesn't display any data.
Status : Show the inventory data sets the client has collected.
DDR : Information about the client discovery data collected from the client.
HINV : Information about the hardware inventory data collected from the client.
SINV : Information about the software inventory data collected from the client.
File collection : Information about the files collected from the client.
IDMIF : Information about the IDMIF and NOIDMIF data collected from the client.
Metering : Information about the software metering data collected from the client.
Troubleshooting tab (Client Tools)
Troubleshoot some of the most common issues with Configuration Manager clients:
Issues with Active Directory
Windows networking
Configuration Manager
Management points
Policy assignment
Registration

NOTE
This tab isn't available when you connect to a remote Configuration Manager client.

Start
Starts troubleshooting the client.
Active Directory: Queries Active Directory to retrieve published Configuration Manager site information.
MPCERTIFICATE : Gets management point certificates.
MPLIST : Gets a list of management points.
MPKEYINFORMATION : Gets management point cryptographic key information.
Networking : Troubleshoots issues with networking.
Policy Assignments : Retrieves policy assignments.
Registration : Verifies that the client is registered with the site.
View selected log
After you select a row on the Troubleshooting tab, select this action to view the log file.
Keep previous results
If you troubleshoot the client, and then want to try troubleshooting again, choose this option to keep results
from your first attempt. Otherwise, it overwrites previous troubleshooting log files.
Logs tab
This tab of Support Center Client Tools is almost identical to the Log Viewer tool. The Log Viewer tool doesn't
include the Configure client logging and Log groups features. The Support Center Log File Viewer section
details the other options available on this tab.
Tasks: Configure client logging
Set the following options:
Client log level : Log verbosity and file size
Maximum file count : Allow more than one log file of a given type
Maximum file size : The size in bytes of any given log file before the client creates a new log

NOTE
If you set these values too low, the client may not log any useful information. If you set these values too high, the client
logs can consume large amounts of storage.

For more information, see About log files.


Log groups
Instead of manually selecting log files using the Open logs button, use this drop-down list to open all log files
associated with the following feature areas:
Desired Configuration Management
Inventory
Software Distribution
Software Updates
Application Management
Policy
Client Registration
Operating System Deployment

Support Center Viewer


This section describes the user interface (UI) for the Configuration Manager Support Center Viewer tool. The
available tabs vary based on the contents of the troubleshooting bundle. The Window menu and Home tab
show by default.
Window menu
Home tab
Configuration tab
Logs tab
Debug dumps tab
WMI tab
Registry tab
Policy tab
Certificates tab
Troubleshooting tab
Window menu (Viewer)
In the upper left corner of the Support Center Viewer window, select the arrow in the blue box to open this
menu.
Open bundle : Browse to the location of a data bundle created by one of the following tools:
Version 2103 and later: Support Center Client Data Collector
Version 2010 and earlier: Support Center
About : Displays information about Support Center Viewer, such as the version.
Options :
Reduce the movement of animated user interface elements.
Change the location of temporary files.
Reset warnings. Any warning messages that you previously suppressed appear again when triggered.
Reset temporary file path to the default,
%UserProfile%\AppData\Local\Microsoft\ConfigMgrSupportCenterViewer
Exit : Exits Support Center Viewer.
Home tab (Viewer)
Open bundle
Browse to the location of a data bundle created by one of the following tools:
Version 2103 and later: Support Center Client Data Collector
Version 2010 and earlier: Support Center
Open log file
Select one or more log files to open.
Decode certificate (Viewer: Home)
In the Decode certificate window, paste the serialized certificate value for any certificate on the client. Find this
value in the registry, in log files, or in WMI. Select Process to view general information and details on the
certificate. This information includes its certification path. Select Export to export the certificate as a .cer file.
Configuration tab
The Configuration tab of the Support Center Viewer tool provides the following views using data retrieved
from WMI providers:
Client : This view displays the same information shown on the Client tab of Support Center.
Operating system : Details for the client's OS. It uses the Win32_OperatingSystem class.
Computer : Details for the client computer. It uses the Win32_OperatingSystem class.
Services: Details for services running on the client computer. It uses the Win32_Service class.
Network adapters : Details for network adapters installed on the client computer. It uses the
Win32_NetworkAdapterConfiguration class.
Logs tab (Viewer)
The Logs tab shows a list of the log files included in the bundle. Each row on this tab provides the path, name,
and size of the log file.
Open
After selecting a log file, select this button to open the Log Viewer . It provides a subset of the functionality seen
on the Support Center Client Tools Logs tab.
Decode certificate (Viewer: Logs)
In the Decode certificate window, paste the serialized certificate value for any certificate on the client. Find this
value in the registry, in log files, or in WMI. Select Process to view general information and details on the
certificate. This information includes its certification path. Select Export to export the certificate as a .cer file.
Debug dumps tab
Each row on this tab provides details on the debug dump files that are available to export. Use this tab to export
debug dump files (.dmp) for further analysis. This analysis uses a debugging tool such as WinDbg.
WARNING
Debug dumps may contain sensitive information, including passwords, cryptographic secrets, or user data. Only collect
debug dumps on the recommendation of Microsoft Support personnel. Carefully handle data bundles that contain debug
dumps to protect them from unauthorized access.

Export (Viewer: Debug dumps)


Save a copy of the selected debug dump file.
WMI tab
This tab shows the set of WMI data from the Configuration Manager client that the data bundle includes.
Find (Viewer: WMI)
Opens the Find window, which has the following features:
Find what : Enter a string to search for in the WMI data set. It supports wildcard characters.
Look at: Choose whether you want to search within the WMI data set for a matching Class or instance
name, Property, or Value.
Match whole string only : By default, it searches for strings that contain the string for which you're
looking. Choose this checkbox to only find strings that are an exact match to the string that you provided.
Find next (Viewer: WMI)
Open the next instance of the search string in the WMI data set.
Decode certificate (Viewer: WMI)
In the Decode certificate window, paste the serialized certificate value for any certificate on the client. Find this
value in the registry, in log files, or in WMI. Select Process to view general information and details on the
certificate. This information includes its certification path. Select Export to export the certificate as a .cer file.
Registry tab
Use the Registry tab to view registry data included in the data bundle, and to export that data for further
analysis.
Export (Viewer: Registry)
Save a copy of the registry key and subkeys that you select as a registry (.reg) file.
Find (Viewer: Registry)
Opens the Find window, which has the following features:
Find what: Enter a string to search for in the WMI data set. It supports wildcard characters.
Look at: Choose whether you want to search within the WMI data set for a matching Class or instance
name, Property, or Value.
Match whole string only: By default, it searches for strings that contain the string for which you're
looking. Choose this checkbox to only find strings that are an exact match to the string that you provided.
Find next (Viewer: Registry)
Open the next instance of the search string in the WMI data set.
Decode certificate (Viewer: Registry)
In the Decode certificate window, paste the serialized certificate value for any certificate on the client. Find this
value in the registry, in log files, or in WMI. Select Process to view general information and details on the
certificate. This information includes its certification path. Select Export to export the certificate as a .cer file.
Policy tab (Viewer)
The Policy tab is used to view policy data included in the data bundle.
Find (Viewer: Policy)
Opens the Find window, which has the following features:
Find what: Enter a string to search for in the WMI data set. It supports wildcard characters.
Look at: Choose whether you want to search within the WMI data set for a matching Class or instance
name, Property, or Value.
Match whole string only: By default, it searches for strings that contain the string for which you're
looking. Choose this checkbox to only find strings that are an exact match to the string that you provided.
Find next (Viewer: Policy)
Open the next instance of the search string in the WMI data set.
Decode certificate (Viewer: Policy)
In the Decode certificate window, paste the serialized certificate value for any certificate on the client. Find this
value in the registry, in log files, or in WMI. Select Process to view general information and details on the
certificate. This information includes its certification path. Select Export to export the certificate as a .cer file.
Certificates tab
Use the Certificates tab to view certificates included in the data bundle, and to export them.
View certificate
Displays information about a selected certificate.
Export (Viewer: Certificates)
Save a copy of the certificate that you select.
Troubleshooting tab (Viewer)
Use the Troubleshooting tab to view log files created using the Troubleshooting tab of Support Center Client
Tools.
View log
After you select a row on the Troubleshooting tab, select this option to view the log file with Log File Viewer.

Support Center Log File Viewer


This section describes the user interface for the Support Center Log File Viewer tool.
Window menu
Home tab
This tool is almost identical to the Logs tab of Support Center Client Tools. The main difference is that this
tool doesn't include the options to Configure client logging and Log groups.
Starting in version 2111, Support Center Log File Viewer displays status messages in an easy-to-read format.
Entries starting with >> are status messages that are automatically converted into a readable format when a
log is opened. Search or filter on the >> string to find status messages in the log.
Window menu (Log File Viewer)
In the upper left corner of the Support Center Log File Viewer window, select the arrow in the blue box to open
this menu.
Open logs : Browse to the location of log files to open.
Options :
Reduce the movement of animated user interface elements.
Register Log File Viewer as the default app for log files with the .log and .lo_ file extensions.
Reset warnings. Any warning messages that you previously suppressed appear again when triggered.
About : Displays information about Support Center Log File Viewer, such as the version.
Close : Closes Support Center Log File Viewer
Home tab (Log File Viewer)
Open logs
Support Center Log File Viewer prompts you to select one or more log files to open.
Select the drop-down at the bottom of the Open logs button in the ribbon, and select one of the following
options:
Open logs in current view : Opens the selected log files in the current view.
Open logs in new window : Opens the selected log files in a new Log Viewer window.
Close and clear logs
Closes any open log files. Also clears any displayed log file entries from the window. Support Center Log File
Viewer won't display these entries in the future.
Select the drop-down at the bottom of the Close and clear logs button in the ribbon, and select one of the
following options:
Clear all entries : Clears any displayed log file entries from the window. Support Center Log File Viewer
won't display these entries in the future.
Close all logs : Closes any open log files.
Find (Log File Viewer)
Opens the Find window. Enter a string to search for. To avoid matches on short strings in other strings, you can
choose to match whole words. You can also choose to do a case-sensitive match for the string.
Find next (Log File Viewer)
After finding a match for the string that you're searching for, this option takes you to the next match.
Find previous (Log File Viewer)
After finding two or more matches for the string that you're searching for, this option takes you to the previous
match.
Options
Live updating : Monitor a currently open log file for changes. This feature doesn't function when
multiple log files are open. This option is enabled by default.
Auto-scroll : If you also chose the Live updating option, this option automatically scrolls the log view to
show newly added entries. This feature doesn't function when multiple log files are open. This option is
enabled by default.
Show details : When you select a log file message, the bottom of the Logs tab displays the details of the
log file message. This option is enabled by default.
Quick filter : Filter the log file messages across all open log files to find a specific string. You can filter by
log text, component name, and thread ID. To find similar log messages, right-click a log message and
select Quick filter on log text.
Wrap log text : Wrap long and multi-line messages to fit into a single column. This behavior makes
these messages easier to read. This option is enabled by default.
Raw log entry display: Displays unprocessed log lines.
Advanced filters : Open the Advanced filters window. For more information, see Advanced log file
filters.
Error code links : Error codes in log text are highlighted and clickable. This option is enabled by default.
Error lookup
Enter an error code to search for that error code in currently open log files. Use the following error code
formats:
32-bit integer (signed) : For example, -2147024891
32-bit integer (unsigned) : For example, 2147942405
32-bit hexadecimal : For example, 0x80070005
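The three formats above are spellings of one 32-bit value. As an added example (not code from the page or from Microsoft's tool), this Python normalizes any of them, splits the resulting HRESULT into its fields, and finds a code in constructed log lines no matter which spelling each line used.

```python
"""Added example (not Microsoft's code): normalize the three error code
formats that Error lookup accepts, split an HRESULT into its fields, and
find a code in log text however a given line happened to spell it."""
import re

# Constructed log lines, not real client output. The same error appears in
# all three formats; line 4 carries a different code and a thread ID.
LOG_LINES = [
    "CTM: download failed, error -2147024891",
    "ScanAgent: scan result code 2147942405",
    "WUAHandler: failed to get update list (0x80070005).",
    "Thread 3216 finished with status 0x00000000",
    "LocationServices: received 2 management point entries",
]

# Hex (0x...) or decimal (optionally negative), delimited by non-word characters.
_CODE_RE = re.compile(r"(?<!\w)(?:0x[0-9A-Fa-f]{1,8}|-?\d{1,10})(?!\w)")


def normalize_error_code(text):
    """Return the code as an unsigned 32-bit int, or None if `text` is not
    a signed decimal, unsigned decimal, or 0x hex value in 32-bit range."""
    s = text.strip()
    try:
        value = int(s, 16) if s.lower().startswith("0x") else int(s, 10)
    except ValueError:
        return None
    if not -2**31 <= value < 2**32:
        return None
    return value & 0xFFFFFFFF


def to_formats(code):
    """Spell an unsigned 32-bit code in the three formats the tool accepts."""
    return {
        "signed": code - 2**32 if code >= 2**31 else code,
        "unsigned": code,
        "hex": f"0x{code:08X}",
    }


def describe_hresult(code):
    """Split an HRESULT into severity bit, facility (bits 16-26) and code
    (low 16 bits); 0x80070005 is failure, FACILITY_WIN32 (7), Win32 error 5."""
    return {
        "failed": bool(code >> 31),
        "facility": (code >> 16) & 0x7FF,
        "code": code & 0xFFFF,
    }


def find_error_code(log_lines, wanted):
    """Return (line number, line) for every line that mentions `wanted`,
    comparing normalized values so the line's spelling does not matter."""
    target = normalize_error_code(wanted)
    if target is None:
        raise ValueError(f"not a 32-bit error code: {wanted!r}")
    hits = []
    for number, line in enumerate(log_lines, 1):
        if any(normalize_error_code(m.group()) == target
               for m in _CODE_RE.finditer(line)):
            hits.append((number, line))
    return hits


if __name__ == "__main__":
    print(to_formats(normalize_error_code("0x80070005")))
    print(describe_hresult(0x80070005))
    for number, line in find_error_code(LOG_LINES, "-2147024891"):
        print(number, line)
```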
Decode certificate (Log File Viewer)
In the Decode certificate window, paste the serialized certificate value for any certificate on the client. Find this
value in the registry, in log files, or in WMI. Select Process to view general information and details on the
certificate. This information includes its certification path. Select Export to export the certificate as a .cer file.

Advanced log file filters


Advanced log file filters allow you to include, exclude, or highlight specific strings. These strings can occur in a
log file or log file group when looking at log file entries. Use wildcard searches when creating a filter. When you
have a useful combination of filters, save them as a filter set.
Advanced log file filters supersede quick filters. You can use both together, but quick filters only apply to the displayed
log data. Advanced filters determine what data is initially displayed before it applies any quick filters.
In the Advanced filters window, you can create complex filter sets. These filter sets search for strings across
many log file components. These components include messages, threads, logging levels, and components. A
filter set contains multiple filter statements that you use to include, exclude, or highlight log file messages. A
filter defines a log file column to search within, an operator, and a value. The value can contain regular
expressions, such as the wildcard character * .
Add a filter
1. In the Log File Viewer tool, or on the Support Center Client Tools Logs tab, select Advanced filters .
2. In the Advanced filters window, select Add . Then select one of the following options to act on log entries
that match your filter:
Include
Exclude
Highlight
3. In the Advanced filter configuration window, choose a column and an operator:
Column : Choose where to look for strings that match your filter:
Log text : Search within the text of a log file
Log severity : Search for logs with a specific severity level. Set these severity levels in the
Value field.
Component : Search for a specific component by name
Thread ID : Search for log messages with a specific thread ID
Source file : Search for log messages that occur in a specific log file
Operator : Choose an operator for your filter
4. Enter a value to filter on in the Value field. If your value contains regular expressions, select Enable
regular expression matching .
Manage filter sets
To edit a filter, select the filter, and then select Edit .
To delete a filter, select the filter, and then select Delete .
To clear all filters, select Clear .
To save the current filter set, select Save filters . Then save your filter set as a .filterset file.
To load a saved filter set, select Load filters . Then browse to a previously saved .filterset file.
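As an added example (not code from the page or from Microsoft's tool), this Python applies a filter set with the structure described above (action, column, operator, value) to constructed log entries, then runs a quick filter over what the advanced filters leave displayed. The severity numbering, the operator names, and the include/exclude/highlight evaluation order are assumptions.

```python
"""Added example (not Microsoft's code): apply a filter set with the
structure described above (action, column, operator, value) to parsed log
entries, then run a quick filter over what the advanced filters display."""
import re

# Constructed entries; the keys are the columns a filter can target.
# Assumption: severity uses the CCM log convention 1=info, 2=warning, 3=error.
ENTRIES = [
    {"text": "Policy request succeeded", "severity": 1,
     "component": "PolicyAgent", "thread": 4120, "source": "PolicyAgent.log"},
    {"text": "Failed to download content, error 0x80070005", "severity": 3,
     "component": "ContentTransferManager", "thread": 3216,
     "source": "ContentTransferManager.log"},
    {"text": "Program exited with code 1603", "severity": 3,
     "component": "execmgr", "thread": 3216, "source": "execmgr.log"},
    {"text": "Retrying message send", "severity": 2,
     "component": "CcmMessaging", "thread": 4120, "source": "CcmMessaging.log"},
]

# Assumption: operators are "contains" (with the * wildcard), "equals", and
# "matches", the last being what "Enable regular expression matching" selects.
FILTER_SET = [
    {"action": "include", "column": "severity", "operator": "equals", "value": "3"},
    {"action": "include", "column": "component", "operator": "equals",
     "value": "ccmmessaging"},
    {"action": "exclude", "column": "source", "operator": "contains",
     "value": "execmgr*"},
    {"action": "highlight", "column": "text", "operator": "matches",
     "value": r"0x8007[0-9a-f]{4}"},
]


def statement_matches(entry, flt):
    """Evaluate one filter statement against one entry (case-insensitive)."""
    value = str(entry[flt["column"]])
    wanted, op = flt["value"], flt["operator"]
    if op == "equals":
        return value.lower() == wanted.lower()
    if op == "contains":  # translate * to .* and escape everything else
        pattern = ".*".join(re.escape(part) for part in wanted.split("*"))
    elif op == "matches":
        pattern = wanted
    else:
        raise ValueError(f"unknown operator {op!r}")
    return re.search(pattern, value, re.IGNORECASE) is not None


def apply_filter_set(entries, filter_set):
    """Include entries matching any include statement (all entries when there
    are none), drop those matching any exclude, and flag highlights."""
    by_action = {a: [f for f in filter_set if f["action"] == a]
                 for a in ("include", "exclude", "highlight")}
    shown = []
    for entry in entries:
        if by_action["include"] and not any(
                statement_matches(entry, f) for f in by_action["include"]):
            continue
        if any(statement_matches(entry, f) for f in by_action["exclude"]):
            continue
        highlight = any(statement_matches(entry, f) for f in by_action["highlight"])
        shown.append({**entry, "highlight": highlight})
    return shown


def quick_filter(shown, needle):
    """Quick filters only see what the advanced filter set already displays;
    they match log text, component name, or thread ID."""
    needle = needle.lower()
    return [e for e in shown
            if needle in e["text"].lower()
            or needle == e["component"].lower()
            or needle == str(e["thread"])]


if __name__ == "__main__":
    shown = apply_filter_set(ENTRIES, FILTER_SET)
    for e in shown:
        print("*" if e["highlight"] else " ", e["component"], e["text"])
    print([e["component"] for e in quick_filter(shown, "3216")])
```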
Customize Support Center
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


The Support Center tool includes a configuration file that you can customize. By default, when you install
Support Center, this file is in the following path:
C:\Program Files (x86)\Configuration Manager Support Center\ConfigMgrSupportCenter.exe.config . The
configuration file changes the behavior of the program:
Customize data collection: Edit the sets of registry keys and WMI namespaces that it includes during data
collection.
Customize log groups: Define new groups of log files using regular expressions. Also add other log files
to log groups.
Collect other log files using wildcards: Use wildcard searches to collect more log files.
To make these changes, you need local administrative permissions on the client where you've installed Support
Center. Make these customizations using a text or XML editor, such as Notepad or Visual Studio.

IMPORTANT
The Support Center configuration file is an XML-formatted file. It's essential to the operation of Support Center. Modifying
this file is only recommended for users who are familiar with XML and regular expressions.

Before you customize the Support Center configuration file, save a backup of the original. This backup allows
you to recover the original Support Center functionality if you make mistakes while editing the file. If you don't
create a backup, and Support Center doesn't function correctly after you modify the configuration file, reinstall
Support Center. You can also copy a configuration file from another installation of Support Center.

Customize data collection


To customize the collection of data on the client, modify the Support Center configuration file using XML
elements contained within the <dataCollectorSettings> element.
WMI data collection
The <CcmWmiDataCollector> element contains a <collectionScopes> element. Use this element to change the
WMI namespaces from which Support Center collects data. It also includes an <ignoreScopes> element. Use this
element to filter out the collection of data from portions of the namespaces defined in the <collectionScopes>
element.
Example for WMI data collection
The default configuration file collects data from the root\ccm namespace. It includes this path in an <add/>
element in <collectionScopes> .
It also ignores everything under the \cimodels , \invagt , \events , and \policy paths for this namespace. It
includes these paths in <add/> elements contained within <ignoreScopes> .
<CcmWmiDataCollector>
  <collectionScopes>
    <!-- Collect these namespaces (ignoring the sub-scopes in the ignoreScopes block) -->
    <add key="root\ccm"/>
    <add key="root\cimv2\sms"/>
  </collectionScopes>
  <ignoreScopes>
    <!-- Collecting these namespaces is known to be problematic/unnecessary -->
    <add key="root\ccm\cimodels"/>
    <add key="root\ccm\invagt"/>
    <add key="root\ccm\events"/>
    <!-- Do not collect policy, there's already a separate policy collector.-->
    <add key="root\ccm\policy"/>
  </ignoreScopes>
</CcmWmiDataCollector>

Registry data collection


The <RegistryDataCollector> element contains a <registryKeys> element. Use this element to change the
registry keys and subkeys that Support Center collects under the HKEY_LOCAL_MACHINE path. Support Center
doesn't support the collection of registry data from other root registry paths.
Example for registry data collection
To collect registry keys for the classic programs installed on the device, add the following <add/> element in the
<registryKeys> element: <add key="software\\microsoft\\windows\\currentversion\\uninstall"/>

<RegistryDataCollector>
  <registryKeys>
    <!-- Registry keys (and all subkeys) to collect -->
    <add key="software\\microsoft\\ccm"/>
    <add key="software\\microsoft\\sms"/>
    <add key="software\\microsoft\\ccmsetup"/>
    <add key="software\\microsoft\\windows\\currentversion\\uninstall"/>
  </registryKeys>
</RegistryDataCollector>

Customize log file groups


To customize which log files Support Center collects, and how it presents them in the Log groups list, use
elements in the <logGroups> element. When you start Support Center, it scans this section of the configuration
file. It then creates a group on the Log groups list for each unique key attribute value found in the <add/>
elements contained in the <logGroups> element.
Component log group : The <componentLogGroup> element uses a key attribute to define the name of
the log group that appears in the list. It also uses a value attribute that contains a regular expression
(regex). It uses this regex to collect a set of related log files.
Static log group: The <staticLogGroup> element uses a key attribute to define the name of the log
group that appears in the list. It also uses a value attribute that defines a log file name.
If the same key attribute value is used in an <add/> element within both the <componentLogGroup> element and
the <staticLogGroup> element, Support Center creates a single group. This group includes the log files defined
by both elements that use the same key.
Example for log file groups
<logGroups>
  <componentLogGroup>
    <add key="Application Management" value="^(app.*|ci.*|contentaccess|contenttransfermanager|datatransferservice|dcm.*|execmgr.*|UserAffinity.*|.*Handler$|.*Provider$)"/>
    <add key="Client Registration" value="^(clientregistration|locationservices|ccmmessaging|ccmexec)"/>
    <add key="Inventory" value="^(ccmmessaging|inventoryagent|mtrmgr|swmtrreportgen|virtualapp|mtr.*|filesystemfile)"/>
    <add key="Policy" value="^(ccmmessaging|policyagent_.*|policyevaluator_.*)"/>
    <add key="Software Updates" value="^(ci.*|contentaccess|contenttransfermanager|datatransferservice|dcm.*|update.*|wuahandler|xmlstore|scanagent)"/>
    <add key="Software Distribution" value="^(datatransferservice|execmgr.*|contenttransfermanager|locationservices|contentaccess|filebits)"/>
    <add key="Desired Configuration Management" value="^(ci.*|dcm.*)"/>
    <add key="Operating System Deployment" value="^(ts.*)"/>
  </componentLogGroup>
  <staticLogGroup>
    <add key="Application Management" value="ccmsdkprovider.log"/>
    <add key="Desired Configuration Management" value="ccmsdkprovider.log"/>
    <add key="Software Updates" value="ccmsdkprovider.log"/>
  </staticLogGroup>
</logGroups>

Collect other log files with wildcards


To collect other log files, use wildcards in the file path or filename. These wildcards include system-wide
environment variables such as %WINDIR% , but exclude user-scoped environment variables such as
%USERPROFILE% . To collect other log files using this non-recursive log file search, use an <add/> element within
the <additionalLogFiles> element.
These examples show how Support Center uses this feature in the default configuration file.
Example 1: Collect all Windows Update log files in the Windows directory
The following element collects any file named WindowsUpdate.log found in the Windows directory:
<add key="%WINDIR%\WindowsUpdate.log" />

Example 2: Collect all log files in the Windows Logs directory


The following element collects any file that ends in .log found in the Windows logs directory:
<add key="%WINDIR%\logs\*.log" />

Full example XML

<CcmLogDataCollector>
  <additionalLogFiles>
    <!-- Collect these additional log files. Can pass in a wildcard for the filename. System variables are also supported. -->
    <!--
    <add key="%WINDIR%\WindowsUpdate.log" />
    <add key="%WINDIR%\logs\*.log" />
    -->
  </additionalLogFiles>
</CcmLogDataCollector>
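The registry, log group, and wildcard sections above each carry a rule that a hand-edited configuration file can break silently. As an added example (not code from the page or from Microsoft's tool), this Python loads a constructed configuration modelled on the defaults and checks those rules; the element placement, the set of user-scoped variables, and the assumption that group regexes match the file name without its extension are mine, not documented behaviour.

```python
"""Added example (not Microsoft's code): load the collector sections of a
ConfigMgrSupportCenter.exe.config-style file and check a customization
against the rules this page documents before the file is deployed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the defaults quoted above, plus two entries
# that break the documented rules: an HKCU key and a user-scoped variable.
# Assumption: element placement under <dataCollectorSettings> is illustrative.
SAMPLE_CONFIG = r"""<dataCollectorSettings>
  <RegistryDataCollector>
    <registryKeys>
      <add key="software\\microsoft\\ccm"/>
      <add key="software\\microsoft\\windows\\currentversion\\uninstall"/>
      <add key="HKEY_CURRENT_USER\\software\\contoso"/>
    </registryKeys>
  </RegistryDataCollector>
  <CcmLogDataCollector>
    <additionalLogFiles>
      <add key="%WINDIR%\WindowsUpdate.log"/>
      <add key="%WINDIR%\logs\*.log"/>
      <add key="%USERPROFILE%\AppData\Local\Temp\setup.log"/>
    </additionalLogFiles>
  </CcmLogDataCollector>
  <logGroups>
    <componentLogGroup>
      <add key="Application Management" value="^(app.*|ci.*|contentaccess|contenttransfermanager|datatransferservice|dcm.*|execmgr.*|UserAffinity.*|.*Handler$|.*Provider$)"/>
      <add key="Client Registration" value="^(clientregistration|locationservices|ccmmessaging|ccmexec)"/>
      <add key="Software Updates" value="^(ci.*|contentaccess|contenttransfermanager|datatransferservice|dcm.*|update.*|wuahandler|xmlstore|scanagent)"/>
      <add key="Software Distribution" value="^(datatransferservice|execmgr.*|contenttransfermanager|locationservices|contentaccess|filebits)"/>
      <add key="Operating System Deployment" value="^(ts.*)"/>
    </componentLogGroup>
    <staticLogGroup>
      <add key="Application Management" value="ccmsdkprovider.log"/>
      <add key="Software Updates" value="ccmsdkprovider.log"/>
    </staticLogGroup>
  </logGroups>
</dataCollectorSettings>
"""

# Assumption: variables treated as user-scoped (the page names %USERPROFILE%;
# the rest are per-user on Windows). HKLM-relative keys must not name a hive.
USER_SCOPED_VARS = {"USERPROFILE", "APPDATA", "LOCALAPPDATA", "HOMEPATH",
                    "HOMEDRIVE", "TEMP", "TMP", "USERNAME"}
HIVE_PREFIXES = ("HKEY_", "HKLM", "HKCU", "HKCR", "HKU")


def load_config(xml_text):
    return ET.fromstring(xml_text)


def registry_key_problems(root):
    """Keys are collected under HKEY_LOCAL_MACHINE only and written relative
    to it; return every key that names a hive explicitly."""
    return [add.get("key", "") for keys in root.iter("registryKeys")
            for add in keys.findall("add")
            if add.get("key", "").upper().startswith(HIVE_PREFIXES)]


def additional_log_problems(root):
    """Return additionalLogFiles paths that use a user-scoped variable, which
    the collector does not expand."""
    bad = []
    for files in root.iter("additionalLogFiles"):
        for add in files.findall("add"):
            path = add.get("key", "")
            used = {v.upper() for v in re.findall(r"%([^%]+)%", path)}
            if used & USER_SCOPED_VARS:
                bad.append(path)
    return bad


def load_log_groups(root):
    """Merge componentLogGroup regexes and staticLogGroup file names by key,
    the way Support Center builds one group per unique key."""
    groups = {}
    for kind in ("componentLogGroup", "staticLogGroup"):
        for section in root.iter(kind):
            for add in section.findall("add"):
                g = groups.setdefault(add.get("key"), {"regex": [], "static": set()})
                if kind == "componentLogGroup":
                    g["regex"].append(re.compile(add.get("value"), re.IGNORECASE))
                else:
                    g["static"].add(add.get("value").lower())
    return groups


def groups_for_log(filename, groups):
    """Sorted names of the groups a log file lands in. Assumption: regexes
    are matched case-insensitively against the file name without extension."""
    stem = filename.rsplit(".", 1)[0]
    return sorted(name for name, g in groups.items()
                  if filename.lower() in g["static"]
                  or any(r.match(stem) for r in g["regex"]))


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("keys not relative to HKLM:", registry_key_problems(cfg))
    print("user-scoped log paths:", additional_log_problems(cfg))
    groups = load_log_groups(cfg)
    for name in ("execmgr.log", "ccmexec.log", "WUAHandler.log", "ccmsdkprovider.log"):
        print(name, "->", groups_for_log(name, groups))
```

Running it shows the two bad entries and that execmgr.log lands in two groups while ccmsdkprovider.log is grouped by both a regex and a static entry.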
Accessibility features in Support Center
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Support Center has many helpful accessibility features that make it easier for everyone to use.

Use the keyboard to move around the ribbon


Use keyboard shortcuts to access every menu of the Support Center ribbon. This ribbon contains all commands
used by Support Center.
Press Alt or F10 to see keyboard shortcuts for each menu.
To switch to a menu, press the associated shortcut key. For example, to go to the Logs menu, press Alt
and then L .

Use the keyboard to perform common tasks


You can also use a keyboard to perform common tasks in the Support Center suite of tools. The following table
lists the most common tasks that you can perform with the keyboard:

Task | Keyboard shortcut
Open application configuration options | F4
Exit | Alt + F4
Load or Refresh client details (on the Support Center Client Details tab) | F5
Load selected policy view (on the Support Center Client Policy tab) | F5
Refresh a policy (on the Support Center Client Policy tab, after selecting a policy) | F5
Copy as MOF (on the Support Center Client Policy tab, after selecting a policy; also available for WMI events) | Ctrl + Shift + C
Copy a policy as local client MOF (on the Support Center Client Policy tab, after selecting a policy) | Ctrl + Shift + X
Request policy (on the Support Center Client Policy tab) | Ctrl + R
Evaluate policy (on the Support Center Client Policy tab) | Ctrl + E
Load or refresh content view (on the Support Center Content tab) | F5
Load inventory (on the Support Center Inventory tab) | F5
Start troubleshooting (on the Support Center Troubleshooting tab) | F5
Open data bundle (on the Support Center Viewer Home tab) | Ctrl + O
Open log files (on the Support Center Logs tab, and in the Log Viewer window) | Ctrl + O
Open log files in current view (on the Support Center Logs tab, and in the Log Viewer window) | Ctrl + Shift + O
Open log files in a new Log Viewer window (on the Support Center Logs tab, and in the Log Viewer window) | Ctrl + N
Close all log files (on the Support Center Logs tab, and in the Log Viewer window) | Ctrl + W
Search in log files | Ctrl + F: Opens the Find dialog to enter search string; F3: Find the next match; Shift + F3: Find the previous match
Look up an error code (on Logs tab, and in the Log Viewer window) | Ctrl + L
Copy from a log file | Ctrl + C: Copies log file text; Ctrl + Shift + C: Copies the log entry without formatting
Quick filter using log file text (on Logs tab, and in the Log Viewer window) | Ctrl + Shift + C
Annotate a log file (on Logs tab, and in the Log Viewer window) | Ctrl + Shift + N (see Note 1)
Open Help | F1

Note 1: Annotate a log file


Support Center stores annotations in memory. You can only use them within a log viewing session. To retain an
annotation for future use, take a screen capture to save the resulting image.

Next steps
Accessibility features in Configuration Manager
Configuration Manager Tools
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


The Configuration Manager tools primarily include client-based and server-based tools. Use these tools to help
support and troubleshoot your Configuration Manager infrastructure.
These tools are included in the CD.Latest\SMSSETUP\Tools folder on the site server. No further installation is
required. Use these versions of the tools with supported versions of Configuration Manager current branch.
All Windows operating systems listed as supported clients in Supported operating systems for clients and
devices are supported for use with these tools.

NOTE
The System Center 2012 R2 Configuration Manager Toolkit is still available from the Microsoft Download Center. For
supported versions of Configuration Manager current branch, use the versions of the tools in the CD.Latest folder on the
site server. Some tools were formerly in the toolkit but aren't included in current branch. These legacy tools are no longer
supported.

Client tools
These tools are in the ClientTools subfolder:
Client Spy: Troubleshoot issues related to software distribution, inventory, and metering
Deployment Monitoring Tool: Troubleshoot applications, updates, and baseline deployments
Policy Spy: View policy assignments
Power Viewer Tool: View status of power management feature
Send Schedule Tool: Trigger schedules and evaluations of configuration baselines

NOTE
The ClientTools folder also includes the file Microsoft.Diagnostics.Tracing.EventSource.dll. Several client tools require
this library. You can't directly use it.

Server tools
These tools are in the ServerTools subfolder:
DP Job Queue Manager: Troubleshoots content distribution jobs to distribution points
Collection Evaluation Viewer: View collection evaluation details
IMPORTANT
Starting in Configuration Manager version 2103, this standalone tool isn't supported. The tool is no longer
included with the Configuration Manager installation source. Starting in version 2010, its functionality is built into
the console. For more information, see How to view collection evaluation.

Content Library Explorer: View contents of the content library single instance store
Content Library Transfer: Transfers content library between drives
Content Ownership Tool: Changes ownership of orphaned packages. These packages exist in the site
without an owning site server.
Role-based Administration and Auditing Tool: Helps administrators audit roles configuration

NOTE
Starting in version 2107, RBAViewer has moved from <installdir>\tools\servertools\rbaviewer.exe . It's
now located in the Configuration Manager console directory. After you install the console, RBAViewer.exe will be in
the same directory. The default location is
C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\rbaviewer.exe .

Run Meter Summarization Tool: Run metering summarization task and analyze metering data

NOTE
The ServerTools folder also includes the following files:
AdminUI.WqlQueryEngine.dll
Microsoft.ConfigurationManagement.ManagementProvider.dll
Microsoft.Diagnostics.Tracing.EventSource.dll
Several server tools require these libraries. You can't directly use them.

More tools in the folder


The following tools are in the CD.Latest\SMSSETUP\TOOLS folder on the site server:
CMTrace: View, monitor, and analyze Configuration Manager log files.
CMPivot: Use the standalone version of this tool to query real-time data from clients.
Update reset tool: Fix issues when in-console updates have problems downloading or replicating.
Configuration Manager group policy administrative template: Configure and assign client installation
properties by using a group policy object.
Content library cleanup tool: Remove orphaned content from a distribution point.
Desktop Analytics log collector: Helps to troubleshoot Desktop Analytics device enrollment issues.
Extend and migrate on-premises site to Microsoft Azure: Helps you to programmatically create Azure
virtual machines (VMs) for Configuration Manager.
Synchronize Microsoft 365 Apps updates from a disconnected software update point
(OfflineUpdateExporter): Import Microsoft 365 Apps updates from an internet connected WSUS server
into a disconnected Configuration Manager environment.
Configure client communication ports: Reconfigure the port numbers for existing clients.
Service Connection Tool: Keep your site up to date when your service connection point is offline.
Support Center: Gather information from clients for easier analysis when troubleshooting.
OneTrace is a modern log viewer with Support Center. It works similarly to CMTrace, with improvements.
For more information, see Support Center OneTrace.
Send feedback that you saved for later submission (UploadOfflineFeedback): Save your product feedback
locally and submit it later.

Other tools
Hierarchy Maintenance Tool: Use Preinst.exe in the \<SiteServerName>\SMS_<SiteCode>\bin\X64\00000409
shared folder on the site server to pass commands to the hierarchy manager component.
Microsoft Deployment Toolkit (MDT): A collection of tools, processes, and guidance for automating
desktop and server OS deployments.
System Center Updates Publisher (SCUP): A stand-alone tool to manage and import custom software
updates.
Package Conversion Manager: Convert legacy packages into applications.
CMTrace
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


CMTrace is one of the Configuration Manager tools. It allows you to view and monitor log files, including the
following types:
Log files in Configuration Manager or Client Component Manager (CCM) format
Plain ASCII or Unicode text files, such as Windows Installer logs
The tool helps you analyze log files with highlighting, filtering, and error lookup.

NOTE
CMTrace isn't automatically registered with Windows to open the .log file extension. For more information, see File
associations.

Configuration Manager version 2107 includes multiple performance improvements to the CMTrace log viewer.

Locations
Configuration Manager automatically installs CMTrace in the following locations:
The site server's tools directory. For example: cd.latest\SMSSETUP\Tools\CMTrace.exe
The Management point's installation directory. For example: C:\SMS_CCM\CMTrace.exe
The client installation directory. For example: C:\Windows\CCM\CMTrace.exe
OS deployment boot images. For example: X:\sms\bin\x64\CMTrace.exe
If you have a copy of CMTrace in another location, consider removing it and using a copy in one of the default
paths. If it's in a custom location that meets your business requirements, then make sure you have a process to
keep it up to date. If your custom location might be of benefit to other customers, file product feedback.
A script is available in the Community Hub to help you locate and update versions of CMTrace to the latest
version: CMTraceUpdate. For more information, see Direct links to Community hub items.

Usage
Run CMTrace.exe. The first time you run the tool, you see a prompt for file association. For more information,
see File associations.
You take most actions in CMTrace from the following menus:
File
Tools
File menu
The following actions are available in the File menu:
Open
Open on Server
Print
Preferences
The File menu also lists the eight most recently opened files. Quickly reopen one of these logs by selecting it from the
File menu.
Open
Displays the Open dialog box to browse for a log file.
Filter the view for files of the following types:
Log files (*.log)
Old log files (*.lo_)
All files (*.*)
The following two options aren't selected by default:
Ignore existing lines : When selected, CMTrace ignores the existing contents of the selected log file and
displays new lines only as they're added. Use this option to monitor only new actions when you don't
need the full history of the log file.
Merge selected files: If you enable this option and select more than one log file, CMTrace merges the
selected logs in the view and displays them as if they were a single log file. The merged view updates in the
same way and supports all other CMTrace features as if it were a single log file.
Open on Server
Browse the Configuration Manager logs folder on a site system computer with the standard Browse dialog box.
You can also browse the network for a remote computer.
When you select a remote computer to browse, CMTrace checks for the Configuration Manager share. If it can't
find a share with Configuration Manager log files, it displays an error message.
To connect directly to a known computer without browsing, use the Open action. Then enter a server name and
share using the UNC format.
Print
Display the standard Windows Print dialog box. This action sends the current log file to a printer. It formats the
output according to the settings on the Printing tab of CMTrace Preferences.
Preferences
Configure settings for CMTrace. The following options are available:
General tab
Update Interval: Controls how often CMTrace checks for changes to log files and loads new lines.
By default, this value is 500 milliseconds.
Highlight: Sets the color that CMTrace uses when highlighting log lines that you choose. By
default, this color is basic yellow (Red: 255, Green: 255, Blue: 0).
Columns: Configures the columns that are visible in the log view and the order in which they
appear. By default, it displays Log Text, Component, Date/Time, and Thread.
Printing tab
Columns: Configures which columns it uses when printing log files and the order in which they
appear. By default, it prints the same columns as it displays.
Orientation: Sets the default print orientation when printing log files. Override this setting in the
Print dialog box. By default, it uses Portrait orientation.
Advanced tab
Refresh Interval: Forces CMTrace to update the log view at a specified interval when loading a
large number of lines. By default, this option is disabled with a value of zero.

NOTE
In general, don't modify the Refresh Interval. It can significantly increase the amount of time it takes to
open large log files.

Tools menu
The following actions are available in the Tools menu:
Find
Find Next
Copy to Clipboard
Highlight
Filter
Error Lookup
Pause
Show/Hide Details
Show/Hide Info Pane
Find
Search the open log file for a specified text string.
Find Next
Finds the next matching string, as you previously specified in the Find dialog box.
Copy to Clipboard
Copies the selected lines as plain text to the Windows clipboard. If you're examining Configuration Manager and
CCM log files, it copies the columns in the same order as the view. It separates each column by a tab character.
Use this action when copying logs into email messages or other documents.
Highlight
Enter a string that CMTrace uses to search the text of each log entry. It then highlights any log text that matches
the string you enter.
The highlight uses the color you specified in Preferences.
To turn off highlighting, clear the string from this field.
If you enter a decimal or hexadecimal number, CMTrace tries to match the value to the Thread column.
Use this behavior to highlight the processing of a single thread, without filtering out other threads that
might interact with it.
To compare strings by case, enable the option for Case sensitive .
Filter
Show or hide log lines based on the specified criteria. Apply filters to any of the four columns regardless of
whether they're visible. These settings apply to each opened log file.
Examples:
Filter smsts.log on entry text containing "the action" or "the group".
Filter InventoryAgent.log where entry text contains "destination".
Error Lookup
Type or paste an error code in either decimal or hexadecimal format to display a description. Possible error
sources include: Windows, WMI, or Winhttp.
Pause
Suspend or restart log monitoring. Reasons to use this action include the following:
When CMTrace is displaying log file information too quickly
When you pause log monitoring, the information that CMTrace displays isn't lost if the current file rolls
over to a new log
When you want to stop CMTrace from displaying new data while you examine the log file
Show/Hide Details
Show or hide all columns other than the log text. It also expands the log text column to the width of the window.
Use this action when you're viewing logs on a computer with low display resolution. It displays more of the log
text.

NOTE
When viewing plain-text files, CMTrace automatically hides details because they're always empty.

Show/Hide Info Pane
Show or hide the Info pane. Use this action when you're viewing logs on a computer with low display resolution.
It displays more logging details.

Log pane
The log pane is at the top of the CMTrace window. It displays lines from log files.
When you select a line, it's temporarily highlighted using the Windows selection color scheme.
Highlighted lines match the criteria you define with the Highlight option in the Tools menu. The highlight uses
the color that you specify in Preferences .
CMTrace displays lines with errors using a red background and yellow text color. In CCM-format logs, log entries
have an explicit type value that indicates the entry as an error. For other log formats, CMTrace does a case-
insensitive search in each entry for any text string matching "error".
It displays lines with warnings using a yellow background. In CCM-format logs, log entries have an explicit type
value that indicates the entry as a warning. For other log formats, CMTrace does a case-insensitive search in
each entry for any text string matching "warn".

Info pane
The Info pane is at the bottom of the CMTrace window. It includes the following features:
Details about the currently selected log entry
A text box that displays the log text
It displays carriage returns so that formatted text is easier to read
Easier to read long entries that aren't fully visible in the Log pane
Show or hide the Info pane with the Show/Hide Info Pane option on the Tools menu. If the Info pane takes up
more than half of the log window, CMTrace automatically hides it.
Progress bar
When you first open a log file, CMTrace replaces the Info pane with a progress bar. This progress indicates how
much of the existing file contents it has loaded. When the progress reaches 100 percent, CMTrace removes the
progress bar and replaces it with the Info pane. When you load large files, this behavior gives you an indication
of how long the load might take.
Status bar
For Configuration Manager-format and CCM-format log files, the status bar displays the elapsed time for the
selected log entries. If you select a single entry, the tool displays the time from the first log entry to the selected
entry. If you select multiple entries, it calculates the time from the top-most selected entry to the bottom-most
selected entry. CMTrace formats this information as follows:
Elapsed time is <hours>h <minutes>m <seconds>s <milliseconds>ms (<seconds+milliseconds> seconds)
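As an added example (not code from CMTrace or Configuration Manager), the following Python reproduces the rules described above for the Highlight option, the Log pane's error and warning detection, text filtering, and the status bar's elapsed-time text. It assumes the standard CCM log line layout (<![LOG[text]LOG]!><time=... date=... component=... context=... type=... thread=... file=...>, with type 1, 2 and 3 meaning info, warning and error) and treats only a 0x-prefixed string as hexadecimal; the sample log lines are constructed.

```python
# Added illustration of CMTrace's display rules for CCM-format logs.
# Not CMTrace's own code; the log layout assumed is the documented CCM format.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Sequence

CCM_LINE = re.compile(
    r'<!\[LOG\[(?P<text>.*)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">'
)

@dataclass
class LogEntry:
    text: str
    component: str
    timestamp: Optional[datetime]   # None for plain-text (non-CCM) lines
    thread: Optional[int]
    type_code: Optional[int]        # 1 info, 2 warning, 3 error; None if plain text

def parse_line(line: str) -> LogEntry:
    """Parse one line; anything that is not CCM-format is kept as plain text."""
    m = CCM_LINE.search(line)
    if not m:
        return LogEntry(line.rstrip("\r\n"), "", None, None, None)
    # time is "HH:MM:SS.mmm" followed by a time zone offset in minutes (e.g. +480);
    # the offset is the same for every line of one log, so it is dropped here.
    clock = m["time"].split("+")[0].split("-")[0]
    stamp = datetime.strptime(f'{m["date"]} {clock}', "%m-%d-%Y %H:%M:%S.%f")
    return LogEntry(m["text"], m["component"], stamp, int(m["thread"]), int(m["type"]))

def parse_log(text: str) -> List[LogEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def is_error(e: LogEntry) -> bool:
    """Explicit type for CCM lines; case-insensitive search for 'error' otherwise."""
    if e.type_code is not None:
        return e.type_code == 3
    return "error" in e.text.lower()

def is_warning(e: LogEntry) -> bool:
    """Explicit type for CCM lines; case-insensitive search for 'warn' otherwise."""
    if e.type_code is not None:
        return e.type_code == 2
    return "warn" in e.text.lower()

def highlight_matches(e: LogEntry, needle: str, case_sensitive: bool = False) -> bool:
    """Highlight rule: a decimal or 0x-prefixed hex number (assumed marker for hex)
    is compared with the Thread column; any other string is searched in the text."""
    if re.fullmatch(r"\d+", needle):
        return e.thread == int(needle)
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", needle):
        return e.thread == int(needle, 16)
    if case_sensitive:
        return needle in e.text
    return needle.lower() in e.text.lower()

def filter_entries(entries: Sequence[LogEntry], *terms: str) -> List[LogEntry]:
    """Keep lines whose text contains any term, e.g. 'the action' or 'the group'."""
    lowered = [t.lower() for t in terms]
    return [e for e in entries if any(t in e.text.lower() for t in lowered)]

def elapsed_time(entries: Sequence[LogEntry], selected: Sequence[int]) -> str:
    """Status-bar text: one selected entry measures from the first entry; several
    selected entries measure from the top-most to the bottom-most selected."""
    if not selected:
        raise ValueError("select at least one entry")
    start, end = (0, selected[0]) if len(selected) == 1 else (min(selected), max(selected))
    first, last = entries[start].timestamp, entries[end].timestamp
    if first is None or last is None:
        raise ValueError("elapsed time needs CCM-format entries with timestamps")
    total_ms = round((last - first).total_seconds() * 1000)
    hours, rest = divmod(total_ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, ms = divmod(rest, 1000)
    return (f"Elapsed time is {hours}h {minutes}m {seconds}s {ms}ms "
            f"({total_ms / 1000:.3f} seconds)")

# Constructed sample: three CCM-format lines in the style of a task sequence log
# plus one plain-text Windows Installer line. Not real log output.
SAMPLE_LOG = """\
<![LOG[Executing command line: setup.exe /quiet]LOG]!><time="14:03:05.123+480" date="02-16-2022" component="InstallSoftware" context="" type="1" thread="2824" file="installsoftware.cpp:828">
<![LOG[The action (Install Software) requested a retry]LOG]!><time="14:04:05.623+480" date="02-16-2022" component="TSManager" context="" type="2" thread="1232" file="instruction.cxx:2289">
<![LOG[Failed to run the action: Install Software. Error 80004005]LOG]!><time="14:05:07.623+480" date="02-16-2022" component="TSManager" context="" type="3" thread="1232" file="instruction.cxx:3090">
MSI (s) (A4:F8) [14:05:08:000]: Warning: product is not installed
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        tag = "ERROR" if is_error(e) else "WARN " if is_warning(e) else "INFO "
        print(f"{tag} thread={e.thread} {e.text[:60]}")
    print(elapsed_time(entries, [2]))   # from the first entry to the third
```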

Windows shell integration
CMTrace supports file associations and drag-and-drop.
File associations
CMTrace can associate itself with .log and .lo_ file name extensions. When the program starts, it checks the
registry to determine whether it's already associated with these file name extensions. If CMTrace isn't already
associated with any file name extensions, you're prompted to associate the file name extensions with CMTrace. If
you select Do not ask me this again, CMTrace skips this check whenever it's run on this computer.
Drag-and-drop
CMTrace supports basic drag-and-drop functionality. Drag a log file from Windows Explorer into CMTrace to
open it.

Other tips
Last Directory registry key
By default, CMTrace saves the last log location that you opened. This behavior is useful on the site server, as it
defaults to the logs path every time.
The first time you launch it on a client, it defaults to the current working directory. This location may be the path
where you saved CMTrace, or a path like %userprofile%\Desktop.
The Last Directory value in the registry key HKEY_CURRENT_USER\Software\Microsoft\Trace32 controls this default
location. If you set this value to %windir%\CCM\Logs on your clients, then CMTrace opens files in the client log
location the first time you run it.

Next steps
Log files
Support Center log file viewer
OneTrace is the log viewer with Support Center. It works similarly to CMTrace, with improvements. For more
information, see Support Center OneTrace.
Client Spy
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Client Spy is one of the Configuration Manager tools. It's a tool for troubleshooting software distribution,
inventory, and software metering on Configuration Manager clients.
Most of the information retrieved by the tool pertains to software deployments:
All current software deployments
Software distribution history
The client cache configuration
Cached items
Pending required deployments
Available deployments
It also displays the following inventory information:
The latest inventory cycle date
The last report date
Software inventory major and minor versions
File collection
Hardware inventory
IDMIF collection
Discovery data records (DDRs)
Software metering rules are also displayed.

NOTE
To improve performance, the tool only collects information for each tab when you select it. Similarly, when you click
Refresh , it only refreshes the information for the currently displayed tab.

Usage
Tools menu
The following actions are available in the Tools menu:
Connect
Retrieve information from a different computer.
By default, the tool displays information from the current computer.
Connect using the remote computer name, user name, and password for the account. The tool makes a
connection to the IPC$ share on the remote computer. It deletes the connection when either the tool exits
or you connect to another computer.
It requires an account with sufficient permissions to obtain the information.
If you don't specify a user name and password, Client Spy uses the security context of the currently
signed-in user to attempt to make the connection.
When you connect to a remote computer, all tabs that are displayed show information from the remote
computer.
Software Distribution
Displays the Software Distribution tabs and hides the other tabs. By default, Client Spy displays the Software
Distribution tabs.
Inventory
Displays the Inventory tab and hides the other tabs.
Software Metering
Displays the Software Metering tab and hides the other tabs.
Save current tab to file
Saves the information in the currently displayed tab to a text file that you specify.
Save all tabs to file
Saves the information in all tabs to a text file that you specify. It only saves information your account can see.

Software Distribution tab
Configure settings on the following four tabs:
Software Distribution Execution Requests
Software Distribution History
Software Distribution Cache Information
Software Distribution Pending Executions
Software Distribution Execution Requests
This tab displays all existing deployments, including both device- and user-targeted deployments.
Each tree item in the Software Distribution Execution Requests tab contains the following four attributes:
Advertisement ID. This value might be blank, if it's an available deployment.
Package ID
Program Name
User. This might be the targeted user SID or the SID of the user who initiated the request. If both are system
requests, the displayed user is System.
For each run request, it also displays the following information in a subtree structure:
Program Name
Package ID
Package Name
Request Creation Time
State
Running State, if State is Running
Execution Context (User or Admin)
History State (Success, Failure, or NotRun)
LastRunTime (Never, if the program hasn't been run before)
RetryCount, if State is WaitingRetry
ContentAccess (Retry Count, if State is WaitingRetry)
FailureCode, if State is WaitingRetry
FailureReason, if State is WaitingRetry
If the request requires content, the state is WaitingContent. The Software Distribution Cache Information tab
shows the details for this download request.
If the run request is a download request, it also displays the number of bytes downloaded.

NOTE
It uses different icons for varying states of a run request.

Software Distribution History
This tab contains information about all previously run programs. This information is stored in the registry.
The main branches of this tree are the different user histories, including System. It displays a subtree containing
the list of packages from which programs have been run for each user.
Each package subtree, identified by package ID and package name, lists the programs that have run. It displays
the following attributes for each:
Program name
Run state
Last run time
Failure code
Failure reason
The failure code and failure reason are blank when a program was successfully run.
Software Distribution Cache Information
Cache Config
Contains information about the Configuration Manager Client cache. This information includes the cache
location, the cache size, and whether it's currently in use.
Cached Items
Contains a subtree of all items currently in the cache. Each tree item includes the following information about
each item:
The item's location (folder) in the cache
Current state
Package ID
Package name
Package version
Package size
Current reference count
Last referenced time (UTC)
Downloading Items
These are the items that the client is currently downloading. Each of them shows the same information
displayed by the cached items, and the number of kilobytes downloaded.
Software Distribution Pending Executions
This tab contains information that details past and future required deployments and a list of available
deployments.
Each tree branch is for each user account with deployments available, including System.
For each user, a subtree contains the following three items:
Mandatory Advertisements With Future Executions
These are mandatory advertisements that still have programs remaining to be run. These can be either
recurring, one-time, or multiple schedule advertisements. Each displays the advertisement ID, the next run time,
and the schedule on which the advertisement runs.
Optional Advertisements
Displays a list of all advertisements that are published. It also displays details such as advertisement ID, program
name, and package name for each.
Past Mandatory Advertisements With No Future Scheduled Executions
This is a list of advertisements that exist on the client that have no future programs scheduled to run. The
advertisement ID, package name, and program name are displayed. A subtree item is displayed for any
advertisements that are optional.

NOTE
Package name information is only available for packages that have advertised policies associated to them on the
computer being viewed. Packages that no longer have available policies associated to them display the message "Package
Name No Longer Available".

Inventory tab
There's only one tab containing inventory information. The main tree contains the following five items:
Software Inventory: Contains the date that the last cycle started, the date of the last report, and the
minor and major versions of the last report.
File Collection: Contains the date that the last cycle started, the date of the last report, and the minor
and major versions of the last report.
Hardware Inventory: Contains the date that the last cycle started, the date of the last report, and the
minor and major versions of the last report.
IDMIF Collection: Contains the date that the last cycle started, the date of the last report, and the minor
and major versions of the last report.
DDR: Contains the date that the last cycle started, the date of the last report, and the minor and major
versions of the last report. The DDR information is also displayed in a subtree.

Software Metering tab
This tab displays information as a subtree, and includes all software metering rules. It displays each rule as a
node, which it identifies by the file name and rule ID. Expand each node in the tree, and view the following
information:
Explorer file name
Original file name
Rule ID
File version
Language
Deployment Monitoring Tool
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The Deployment Monitoring Tool is one of the Configuration Manager tools. It's a graphical user interface
designed to assist in troubleshooting application, software update, and configuration baseline deployments on a
Configuration Manager client. The tool is read-only as it doesn't change any state on the client. You can safely
use it to diagnose common deployment scenarios.

Features
Run it as an administrator to troubleshoot deployments on a local client.
Troubleshoot deployments on a remote client. Launch the tool and connect to a remote machine as an
administrator.
Export to XML all the data collected in the tool. Share the XML file with others, and use it as a common
platform for talking about troubleshooting deployments.
Import previously exported data to a different machine, and use it to run the tool in offline mode.

Usage
The Deployment Monitoring Tool has a graphical user interface only. To launch the tool, run
DeploymentMonitoringTool.exe as an administrator. There are three views:
Client Properties: A list of useful attributes about the device and the Configuration Manager client. This
view is the default.
Deployments : View all of the currently targeted deployments. Select a deployment in the results pane to
view more information in the details pane.
All Updates : View all of the software updates and their status.
To copy data in any view, select a cell, and press CTRL + C.
Actions menu
The following actions are available in the Actions menu:
Connect to remote machine: Select a computer to connect to. When you don't specify a user name
and password, it uses the current credentials. Click Save to connect to the remote computer.
Export Data: Select the file to write the data into, and click Save. Use the exported XML file for remote
troubleshooting on a different computer.
Import Data: Select a file to import into the tool.
View Log : Opens an associated log file, depending upon the view:
Client Properties: \\<hostname>\c$\Windows\CCM\Logs\PolicyAgent.log
Deployments: \\<hostname>\c$\Windows\CCM\Logs\PolicyAgent.log
All Updates: C:\Windows\WindowsUpdate.log
See also
Deploy applications
Deploy software updates
Deploy configuration baselines
Policy Spy
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Policy Spy is one of the Configuration Manager tools. It's a tool for viewing and troubleshooting the policy
system on Configuration Manager clients. Run PolicySpy.exe to open the user interface. For more information
on command-line usage, see Command-line syntax.

IMPORTANT
Run Policy Spy as an administrator. If you don't Run as administrator , you see the following error in Client Info:
There is no client installed on this machine. Connection to client policy failed with error 80041003

Command-line syntax
Policy Spy is primarily intended for use through its user interface. It does provide limited command-line options
to support automation and batch processing.
PolicySpy.exe [/export <ExportFilename> [<computername>]]

Option: /export

This option silently exports the policy of the local or remote computer. <ExportFilename> is the file name to
which the tool saves the XML exported policy. If you specify the <computername> option, Policy Spy exports the
policy of that computer instead of the local computer.

NOTE
This command-line option doesn't provide a way to specify user credentials. To use alternative credentials to access a
remote computer, use the runas command to open a new command prompt with the required security credentials.

Usage
Tools menu
The following actions are available in the Tools menu:
Open Remote: Connects to the Configuration Manager client policy on a remote computer. Use the
Connect dialog box to enter the name of the remote computer and optional user credentials. If the
connection fails, it displays error information in the Client Info pane. To retry the connection, select
Refresh on the Edit menu, or press F5.
Open File: Opens a policy export file (XML) created by the Export Policy option. The tool displays the
exported policy exactly the same as a live policy. It disables some features that only apply when you
connect to an actual client.
Request Machine Assignments : Triggers a request for machine policy assignments on the target
computer. This feature is disabled when viewing exported policy.
Evaluate Machine Policy : Triggers a machine policy evaluation on the target computer. This feature is
disabled when viewing an exported policy.
Request User Assignments : Triggers a request for user policy assignments for the currently signed-in
user. This feature is only available when viewing a policy on the local computer.
Evaluate User Policy : Triggers a user policy evaluation for the currently signed-in user. This feature is
only available when viewing a policy on the local computer.
Reset Policy : Removes all non-default policies and resets the policy cookies for the site. It then triggers a
request for machine policy assignments. This feature is disabled when viewing an exported policy.
Export Policy: Exports the target computer's policy to an XML file. View this file on any computer with
Policy Spy. To open the export file, select Open File on the Tools menu. This feature is disabled when
viewing an exported policy.
Edit menu
The following actions are available in the Edit menu:
Delete : Deletes the instance selected in the Results pane. This action is only supported for policy
instances. If you try to delete anything other than policy instances, the tool displays an error message.
This feature is disabled when viewing an exported policy.
Refresh : Refreshes all results to view the latest information. All tree nodes that are expanded before
refreshing are automatically expanded afterward. If Policy Spy hasn't successfully connected to the target
computer's policy, it tries to connect again. This feature is disabled when viewing an exported policy.
Clear Events : Clears all items from the Events tab.

Results pane
The results pane displays different views of the policy system on the target computer. Access these views by
clicking on one of the following four tabs:
Actual
Requested
Default
Events
Actual
This tab displays the current policy of the client. The current policy determines a client's behavior and the
behavior of its client agents, such as software distribution and inventory. The tab displays results in a tree format
with a root node for the computer namespace and each user-specific namespace. Expand a namespace node to
display a list of classes. Expand a class to display a list of its instances. The class list includes only classes that
have instances.
Requested
This tab displays the policy assignments that the client retrieved from its assigned site. The tab displays results
in tree format with a root node for the Machine namespace and each user-specific namespace. Expanding a
namespace node displays the following nodes:
Configuration : Displays a list of configuration classes derived from CCM_Policy_Config, which includes
policy object, assignments, and others.
Settings : Displays all active settings generated by policies. Settings are displayed under the
Configuration node.
NOTE
Multiple instances can exist with the same name because the client hasn't merged these settings into a final resultant set.
Policy Spy displays instances under this node by using the RealKey properties instead of their true policy keys. Correlate
these instances to the resultant set displayed on the Actual tab.

Default
This tab displays the same information as the Requested tab. It also includes contents of the DefaultMachine
and DefaultUser namespaces.
Events
This tab displays policy agent events as they happen. The view creates a WMI event subscription for all events
derived from CCM_PolicyAgent_Event. The view shows a maximum of 200 events. It removes the oldest events
from the top of the list, as necessary. If you select the last item in the list, the list automatically scrolls down as it
adds new events. Otherwise, the view maintains its current position, and you must scroll down or press the End
key to view new events. This view is always empty when viewing an exported policy.

Client Info pane
The Client Info pane displays a list of properties for the target computer. It displays the following properties, if
available:
Name
ID
Version
Site
Assigned MP
Resident MP
Proxy MP
Proxy State

Details pane
The Details pane displays detailed information about the current selection. If no selection is active, it displays
information about Policy Spy itself, including the version. Otherwise, it displays a Managed Object Format (MOF)
representation of the selected item.
Policy Spy uses its own MOF-generation routine to create a more user-friendly HTML display than the plain-text
MOF generated by WMI. This behavior allows Policy Spy to add the following features to make the MOF more
legible:
Syntax highlighting
Indented objects and arrays
Properties are arranged into system, inherited, and local groups. By default, it collapses the system and
inherited groups. You can immediately see which properties the instance actually uses.
Copy MOF or copy plain-text MOF to the clipboard. This feature is useful for pasting the MOF into other
applications or for passing it directly to the MofComp tool.
For instances of Policy objects derived from CCM_Policy_Policy, the details pane displays the policy body below
the MOF. If the client hasn't downloaded the policy body, Policy Spy displays a hyperlink. Click the
link to download the policy body directly from the client's management point. If the tool successfully downloads
the policy body, it replaces the hyperlink with the contents of the reply. Otherwise, Policy Spy updates the
display indicating that the request failed.
Power Viewer Tool
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The Power Viewer tool is one of the Configuration Manager tools. Use it to view the status of the power
management feature on a Configuration Manager client.
Run PowerVwr.exe as an administrator. When the tool launches, it displays the power capabilities and power
settings of the local computer on the Power Config tab.
To view the power management data of a remote computer:
1. Go to the File menu, and click Connect .
2. Enter the Computer name, and a Username and Password , if necessary.
There are three tabs in Power Viewer:
Power Config : View the power capabilities and power settings of the targeted computer.
Daily Activity : View the daily activity charts of the client, which includes the following information:
Computer on: The power status of the computer over one day. Sleep mode is considered power
off.
Monitor on : On or off status of monitor in one day.
User Active : User activity information in one day.
Power Events : View all of the daily power events. The client summarizes these events at 12:00 AM. This
summarization generates data for the daily activity chart.
Send Schedule Tool
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The Send Schedule Tool is one of the Configuration Manager tools. Use it to trigger a schedule on a client or
trigger the evaluation of a specified configuration baseline. It works against the local computer or a remote
client.
For example, use the tool to trigger an inventory schedule or compliance evaluation. If a number of
Configuration Manager clients haven't recently reported inventory or compliance status, run the tool to initiate
the necessary schedule on each client.

Usage
Run SendSchedule.exe as an administrator.
SendSchedule /L [Computer Name]
SendSchedule "<Message GUID | DCM UID>" [Computer Name]

After you trigger a message (GUID), see SMSClientMethodProvider.log. For more information about
available message GUIDs, see Message IDs.
After you trigger the evaluation of a configuration baseline (DCM UID), see DCMAgent.log.

Command-line options
Option: /L

Lists all Message GUIDs and DCM UIDs available for sending, with the meaningful name of each message. If
the computer name is absent, it uses the local computer. Likewise, if you specify a message without a
computer name, it sends the message to the local computer.

Examples
List the available messages on the local machine:
SendSchedule /L

List the available messages on the client MyPC:
SendSchedule /L MyPC

Trigger hardware inventory on the local machine:
SendSchedule {00000000-0000-0000-0000-000000000001}

Trigger hardware inventory on MyPC:
SendSchedule {00000000-0000-0000-0000-000000000001} MyPC

Trigger the evaluation of a specific configuration baseline on MyPC:
SendSchedule ScopeId_611E8382-C064-4B62-B0DE-EFFB52AE8994/Baseline_36722778-69dd-4423-9632-b61148b2b67e MyPC

Message IDs
MESSAGE ID                              DISPLAY NAME
{00000000-0000-0000-0000-000000000001}  Hardware Inventory
{00000000-0000-0000-0000-000000000002}  Software Inventory
{00000000-0000-0000-0000-000000000003}  Discovery Inventory
{00000000-0000-0000-0000-000000000010}  File Collection
{00000000-0000-0000-0000-000000000011}  IDMIF Collection
{00000000-0000-0000-0000-000000000021}  Request Machine Assignments
{00000000-0000-0000-0000-000000000022}  Evaluate Machine Policies
{00000000-0000-0000-0000-000000000023}  Refresh Default MP Task
{00000000-0000-0000-0000-000000000024}  LS (Location Service) Refresh Locations Task
{00000000-0000-0000-0000-000000000025}  LS Timeout Refresh Task
{00000000-0000-0000-0000-000000000026}  Policy Agent Request Assignment (User)
{00000000-0000-0000-0000-000000000027}  Policy Agent Evaluate Assignment (User)
{00000000-0000-0000-0000-000000000031}  Software Metering Generating Usage Report
{00000000-0000-0000-0000-000000000032}  Source Update Message
{00000000-0000-0000-0000-000000000037}  Clearing proxy settings cache
{00000000-0000-0000-0000-000000000040}  Machine Policy Agent Cleanup
{00000000-0000-0000-0000-000000000041}  User Policy Agent Cleanup
{00000000-0000-0000-0000-000000000042}  Policy Agent Validate Machine Policy / Assignment
{00000000-0000-0000-0000-000000000043}  Policy Agent Validate User Policy / Assignment
{00000000-0000-0000-0000-000000000051}  Retrying/Refreshing certificates in AD on MP
{00000000-0000-0000-0000-000000000061}  Peer DP Status reporting
{00000000-0000-0000-0000-000000000062}  Peer DP Pending package check schedule
{00000000-0000-0000-0000-000000000063}  SUM Updates install schedule
{00000000-0000-0000-0000-000000000101}  Hardware Inventory Collection Cycle
{00000000-0000-0000-0000-000000000102}  Software Inventory Collection Cycle
{00000000-0000-0000-0000-000000000103}  Discovery Data Collection Cycle
{00000000-0000-0000-0000-000000000104}  File Collection Cycle
{00000000-0000-0000-0000-000000000105}  IDMIF Collection Cycle
{00000000-0000-0000-0000-000000000106}  Software Metering Usage Report Cycle
{00000000-0000-0000-0000-000000000107}  Windows Installer Source List Update Cycle
{00000000-0000-0000-0000-000000000108}  Software Updates Policy Action Software Updates Assignments Evaluation Cycle
{00000000-0000-0000-0000-000000000109}  PDP Maintenance Policy Branch Distribution Point Maintenance Task
{00000000-0000-0000-0000-000000000110}  DCM policy
{00000000-0000-0000-0000-000000000111}  Send Unsent State Message
{00000000-0000-0000-0000-000000000112}  State System policy cache cleanout
{00000000-0000-0000-0000-000000000113}  Update source policy
{00000000-0000-0000-0000-000000000114}  Update Store Policy
{00000000-0000-0000-0000-000000000115}  State system policy bulk send high
{00000000-0000-0000-0000-000000000116}  State system policy bulk send low
{00000000-0000-0000-0000-000000000121}  Application manager policy action
{00000000-0000-0000-0000-000000000122}  Application manager user policy action
{00000000-0000-0000-0000-000000000123}  Application manager global evaluation action
{00000000-0000-0000-0000-000000000131}  Power management start summarizer
{00000000-0000-0000-0000-000000000221}  Endpoint deployment reevaluate
{00000000-0000-0000-0000-000000000222}  Endpoint AM policy reevaluate
{00000000-0000-0000-0000-000000000223}  External event detection
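As an added example (not part of the Configuration Manager tools or their documentation), the PowerShell function below resolves a display name from the table above to its message GUID and triggers that schedule on one or more clients. Instead of calling SendSchedule.exe it invokes the client's own SMS_Client WMI class TriggerSchedule method in root\ccm with the same GUID, and it returns one result object per computer so a fleet-wide re-inventory can be audited; the computer names in the usage lines are constructed placeholders.

```powershell
# Added example: trigger a Configuration Manager client schedule by display name.
# Uses the client's SMS_Client WMI class (namespace root\ccm) TriggerSchedule method
# rather than SendSchedule.exe; the GUIDs are the same ones listed in the table above.

# Subset of the Message IDs table, keyed by display name.
$CMScheduleIds = @{
    'Hardware Inventory'                = '{00000000-0000-0000-0000-000000000001}'
    'Software Inventory'                = '{00000000-0000-0000-0000-000000000002}'
    'Discovery Inventory'               = '{00000000-0000-0000-0000-000000000003}'
    'Evaluate Machine Policies'         = '{00000000-0000-0000-0000-000000000022}'
    'Send Unsent State Message'         = '{00000000-0000-0000-0000-000000000111}'
    'Application manager policy action' = '{00000000-0000-0000-0000-000000000121}'
}

function Invoke-CMClientSchedule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Display name from the table above, or a raw message GUID in braces.
        [Parameter(Mandatory)]
        [string]$Schedule,

        # Clients to target; 'localhost' means the local computer, as with the tool.
        [string[]]$ComputerName = @('localhost'),

        # Optional alternate credentials for remote clients.
        [pscredential]$Credential
    )

    # Resolve the display name; accept a raw GUID as well, like SendSchedule.exe does.
    $scheduleId = $CMScheduleIds[$Schedule]
    if (-not $scheduleId) {
        if ($Schedule -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
            $scheduleId = $Schedule
        }
        else {
            throw "Unknown schedule '$Schedule'. Known names: $($CMScheduleIds.Keys -join ', ')"
        }
    }

    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $computer
            ScheduleId   = $scheduleId
            Succeeded    = $false
            Error        = $null
        }
        if (-not $PSCmdlet.ShouldProcess($computer, "TriggerSchedule $scheduleId")) {
            $result.Error = 'Skipped (WhatIf)'
            $result
            continue
        }

        $session = $null
        try {
            # A local CIM session needs no WinRM; remote ones use the caller's or given credentials.
            $sessionParams = @{ ErrorAction = 'Stop' }
            if ($computer -notin @('localhost', '.', $env:COMPUTERNAME)) {
                $sessionParams.ComputerName = $computer
                if ($Credential) { $sessionParams.Credential = $Credential }
            }
            $session = New-CimSession @sessionParams

            Invoke-CimMethod -CimSession $session -Namespace 'root\ccm' -ClassName 'SMS_Client' `
                -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $scheduleId } `
                -ErrorAction Stop | Out-Null
            $result.Succeeded = $true
        }
        catch {
            # Typical causes: client not installed, RPC/WinRM blocked, or insufficient rights.
            $result.Error = $_.Exception.Message
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
        $result
    }
}

# Usage (constructed computer names): re-request hardware inventory from clients that
# haven't reported recently, then list the ones where the trigger failed.
# Invoke-CMClientSchedule -Schedule 'Hardware Inventory' -ComputerName 'PC01', 'PC02' |
#     Where-Object { -not $_.Succeeded } | Format-Table -AutoSize
```

After a successful trigger, SMSClientMethodProvider.log on the client records the method call, as the Usage section notes.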


DP Job Queue Manager
2/16/2022

Applies to: Configuration Manager (current branch)


The Distribution Point (DP) Job Queue Manager is one of the Configuration Manager tools. Use it to
troubleshoot and manage ongoing content distribution jobs to Configuration Manager distribution points.
The tool displays the list of jobs that the package transfer manager component has in its queue. It also shows
the status of the jobs: ready to be executed, running, or retrying. It lets you manipulate the jobs in the queue,
move jobs higher on the list, cancel a job, or manually start running a job.
It also gets information from the site server on which distribution point is running a job. The tool connects
through the provider to the site server. It doesn't connect to every remote distribution point to gather this
information. Because it triggers actions and gets information through the provider, there's a delay in reflecting
changes from remote distribution points.

Usage
Run DPJobMgr.exe. The main menu of the tool contains the following tabs:
Connect: Establish the initial connection to the primary site server
Overview: Summarizes in a single view all the jobs that are running on all distribution points
Distribution Point Info: Multi-select distribution points to track them, and manage a single job of interest
Manage Jobs: Shows in one flat view a list of all the jobs and their statuses. Manipulate jobs: move them
up, cancel them, or manually start them.
Connect tab
Use this tab to establish the initial connection to the primary site server. It uses the currently signed-in user's
credentials. You can't connect to the central administration site or secondary sites. The connection requires the
Full Administrator security role.
Once the tool successfully establishes a connection, a notification at the bottom of the tool confirms that it's
connected to the site server.
Overview tab
Shows a summary of all the jobs on all distribution points. See the following columns:
Distribution Point: Lists the names of the distribution points
Running Jobs: Shows the number of concurrent jobs that are running on a particular distribution point.

TIP
The number of concurrent software distributions is a site setting. Modify this setting in the Software Distribution
Component Properties.

Total Jobs: Shows the number of all the jobs targeted to a particular distribution point. This number
includes the jobs that are running, retrying, or waiting to be executed.
Total Retries: Shows the number of times jobs have been retried on a particular distribution point. A
higher number may indicate a general problem with that particular distribution point.

TIP
To sort each column in this tab, click on the column name.
Manually refresh the information in this tab by clicking Refresh.
Automatically refresh the information in this tab by clicking Start Auto Refresh and setting the auto refresh
interval. The default refresh interval is two minutes.

Distribution Point Info tab
Shows the list of all the distribution points under the connected site. The pane on the left lists all the distribution
points. Click Select All or Unselect All as necessary, or multi-select specific distribution points in this list. The
pane on the right shows the jobs for the selected distribution points.
There are eight columns:
Status Icon: There are three possible status icons:
Ready: Indicates that a particular job has finished all the verification steps. It's ready to be added
to the running concurrent jobs. Jobs in this state are usually in a waiting stage. They wait for the
currently running processes to finish and open up a slot for them.
Running: Indicates that a particular job is currently running on a distribution point. For long
running jobs (large packages), there's usually time to get the progress (%) towards completion. It
shows this percentage in the Progress column in this view. For small packages, the Progress
column may stay empty: the job may already be complete by the time the tool receives status from the
remote distribution point.
Retry: Indicates that a particular job has failed and is now in a retry state. This job is retried after
the retry interval. This interval is configurable, and set to 30 minutes by default.
Software: Name of the package that's targeted to a particular distribution point
Package ID: Package ID of the package that's targeted to a particular distribution point
Size: Size of the package in KB
Progress: Job completion percentage. For more information, see the Running status icon description.
Start/Restart Time: For a running job, this value is the start time (green). For a retry job, this value is
the time at which it will retry the job.
Retries: Number of times it has retried this package.
Distribution Point Name: The fully qualified domain name (FQDN) of the distribution point

TIP
To sort each column in this tab, click on the column name.
Manually refresh the information in this tab by clicking Refresh.
Automatically refresh the information in this tab by clicking Start Auto Refresh and setting the auto refresh
interval. The default refresh interval is two minutes.
If you need to modify a particular job, right-click the job in this view, and select Manage Job. This action opens
the Manage Jobs tab.
Manage Jobs tab
Shows in one flat view a list of all the jobs and their statuses. It contains the same eight columns as the
Distribution Point Info tab. In this view, right-click the jobs for the following actions:
Run: Starts a job that's in any state other than running
Move To Top: Moves one or more jobs to the top of the queue. This action may result in the jobs running
immediately. A lower priority job may pause because of this action.
Move Up: Moves a particular job up one row. A lower priority job may pause running because of this
action.
Move Down: Moves a particular job down one row.
Move To Bottom: Moves one or more jobs to the bottom of the queue.

TIP
Drag-and-drop jobs in the list to move them.

Cancel: Tries to cancel one or more jobs.

NOTE
You can't cancel jobs near their final completion time. If the site server is also a distribution point, you can't cancel
jobs on the site server.

See also
Fundamental concepts for content management
Package transfer manager
Collection Evaluation Viewer
2/16/2022

Applies to: Configuration Manager (current branch)

Collection Evaluation Viewer is one of the Configuration Manager tools. Use it to view and troubleshoot the
collection evaluation process on the primary site server.

IMPORTANT
Starting in Configuration Manager version 2103, this standalone tool isn't supported. The tool is no longer included with
the Configuration Manager installation source. Starting in version 2010, its functionality is built into the console. For
more information, see How to view collection evaluation.

The tool displays the following information:


Both historic and live information for full and incremental collection evaluations
The evaluation queue status
The time for collection evaluations to complete
Which collections are currently being evaluated
The estimated time that a collection evaluation will start and complete

About collection evaluation
The collection evaluation process runs by evaluating the membership rules of a collection to update its
members. The site places a collection that it's evaluating in one of four different queues:
Manual Queue: For collections that an administrator has manually selected for evaluation from the
console
New Queue: For newly created collections
Full Queue: For collections due for full evaluation
Incremental Queue: For collections with incremental evaluation
There are four threads that run to evaluate the collections in the above queues. Each queue includes a series of
arrays, and each array includes the collections to be evaluated. The thread that's running for the queue selects a
collection from the array and runs the evaluation. The queue length indicates the number of arrays in the queue.

Requirements
Run the tool on the site server
Run the tool as an administrative user with at least the Read-Only Analyst role
The user also requires Read permission to the site database in SQL Server
SQL Server must listen on the default port
Usage
Run CEViewer.exe. The main menu of the tool contains the following tabs:
Connect: Establish the initial connection to the primary site server and SQL Server
Full Evaluation: Lists the detailed information about all past full evaluations
Incremental evaluation: Lists the detailed information about all past incremental evaluations
All Queues: Summarizes the current collection evaluations for all four queues
Manual Queue: Lists the detailed information about the current collection evaluation in the manual queue
New Queue: Lists the detailed information about the current collection evaluation in the new queue
Full Queue: Lists the detailed information about the current collection evaluation in the full queue
Incremental Queue: Lists the detailed information about the current collection evaluation in the
incremental queue
Connect tab
This tab allows you to establish the initial connection to the primary site server. The tool also establishes a
connection to the SQL Server that hosts the site database.
The connections to both the primary site server and SQL Server use the current signed-in user's credentials.
Connections to the central administration site or a secondary site aren't supported. No collection evaluation
process runs on those sites.
Once the tool successfully establishes a connection, a notification at the bottom of the Collection Evaluation
Viewer confirms the tool's connection to the SQL Server.
Full Evaluation tab
Shows detailed information about past full collection evaluations. There are eight columns:
Collection Name: Name of the collection
Site ID: Site ID of the collection
Run Time: How long the last collection evaluation ran, in seconds
Last Evaluation Completion Time: When the last collection evaluation completed
Next Evaluation Time: When the next full evaluation starts
Member Changes: The member changes in the last collection evaluation. These changes are either plus
(members added) or minus (members removed).
Last Member Change Time: The most recent time that there was a membership change in the
collection evaluation
Percent: The percentage of evaluation time for this collection over the total (all collections) evaluation
time
Incremental evaluation tab
Shows detailed information about past incremental collection evaluations. There are seven columns:
Collection Name: Name of the collection
Site ID: Site ID of the collection
Run Time: How long the last collection evaluation ran, in seconds
Last Evaluation Completion Time: When the last collection evaluation completed
Member Changes: The member changes in the last collection evaluation. These changes are either plus
(members added) or minus (members removed).
Last Member Change Time: The most recent time that there was a membership change in the
collection evaluation
Percent: The percentage of evaluation time for this collection over the total (all collections) evaluation
time
All Queues tab
Summarizes the live collection evaluations for all four queues. There are six sections:
Summary: Lists the total collection number and the queue length for all collections in all four queues
Running Evaluation: Lists which collection is currently being evaluated in each queue, and how long it
has been running
Manual Update: Shows a brief summary of the collections being evaluated, the estimated completion
time, and the order of the evaluation in the manual queue
New Collection: Shows a brief summary of the collections being evaluated, the estimated completion
time, and the order of the evaluation in the new collection queue
Full Evaluation: Shows a brief summary of the collections being evaluated, the estimated completion
time, and the order of the evaluation in the full evaluation queue
Incremental Evaluation: Shows a brief summary of the collections being evaluated, the estimated
completion time, and the order of the evaluation in the incremental evaluation queue
Manual Queue tab
Shows information about the manual collection evaluation currently being evaluated. The order in the list is the
order in which the collection will be evaluated. There are four columns:
Collection Name: Name of the collection
Site ID: Site ID of the collection
Estimated Completion Time: When the evaluation is estimated to complete
Estimated Run Time: How long the evaluation is estimated to run, in day:hour:minute:second format
New Queue tab
Shows the live information about the new collection evaluation being evaluated. The order in the list is the order
in which the collection will be evaluated. There are four columns:
Collection Name: Name of the collection
Site ID: Site ID of the collection
Estimated Completion Time: When the evaluation is estimated to complete
Estimated Run Time: How long the evaluation is estimated to run, in day:hour:minute:second format
Full Queue tab
Shows information about the full collection evaluation currently being evaluated. The order in the list is the
order in which the collection will be evaluated. There are four columns:
Collection Name: Name of the collection
Site ID: Site ID of the collection
Estimated Completion Time: When the evaluation is estimated to complete
Estimated Run Time: How long the evaluation is estimated to run, in day:hour:minute:second format
Incremental Queue tab
Shows information about the incremental collection evaluation currently being evaluated. The order in the list is
the order in which the collection will be evaluated. There are four columns:
Collection Name: Name of the collection
Site ID: Site ID of the collection
Estimated Completion Time: When the evaluation is estimated to complete
Estimated Run Time: How long the evaluation is estimated to run, in day:hour:minute:second format
Content Library Explorer
2/16/2022

Applies to: Configuration Manager (current branch)


Content Library Explorer is one of the Configuration Manager tools. Use the tool for the following activities:
Explore the content library on a specific distribution point
Troubleshoot issues with the content library
Copy packages, contents, folders, and files out of the content library
Redistribute packages to the distribution point
Validate packages on remote distribution points

Requirements
Run the tool using an account that has administrative access to:
The target distribution point
The WMI provider on the site server
The Configuration Manager provider
Only the Full Administrator and Read-Only Analyst roles have sufficient rights to view all
information from this tool.
Other roles, such as Application Administrator, can view partial information. For more
information, see Disabled packages.
The Read-Only Analyst can't redistribute packages from this tool.
Run the tool from any computer, as long as it can connect to:
The target distribution point
The primary site server
The Configuration Manager provider
If the distribution point is colocated with the site server, it's still necessary to have administrative access
to the site server.

Usage
When you start ContentLibraryExplorer.exe, enter the fully qualified domain name (FQDN) of the target
distribution point. It then connects to the distribution point. If the distribution point is part of a secondary site, it
prompts you for the FQDN of the primary site server, and the primary site code.
In the left pane, view the packages that are distributed to this distribution point. Expand the packages, and
explore their folder structure. This structure matches the folder structure from which you created the package.
When you select a folder, the right pane displays any files within the folder. This view includes the following
information:
File name
File size
Which drive it's on
Other packages that use the same file on the drive
When the file was last changed on the distribution point
The tool also connects to the Configuration Manager provider. This connection is used to determine which packages
are distributed to the distribution point, and whether they're actually in the distribution point's content library.
For instance, a package that's pending distribution may not yet exist in the content library. Such a package
appears as "PENDING" in the tool, and no actions are enabled for it.
Disabled packages
Some packages are present on the distribution point but not visible in the Configuration Manager console.
These packages are marked with an asterisk (*). No actions may be performed on these packages. Other
packages may also be marked with an asterisk and have actions disabled.
There are three primary reasons for disabled packages:
The package is the Configuration Manager client upgrade. This package includes "ccmsetup.exe".
Your user account can't access the package, likely due to role-based administration. For instance, the
Application Author role can't see driver packages in the console, so any driver packages on the
distribution point are marked as disabled.
The package is orphaned on the distribution point.
Validate packages
Validate packages by using Package > Validate on the toolbar. First select a package node in the left pane. Don't
select a content or a folder. The tool connects to the WMI provider on the distribution point for this action. When
the tool starts, packages that are missing one or more contents are marked invalid. Validating the package
reveals which content is missing. If all content is present but the data is corrupted, validation detects the
corruption.
Redistribute packages
Redistribute packages using Package > Redistribute on the toolbar. First select a package node in the left
pane. This action requires permissions to redistribute packages.
Other actions
Use Edit > Copy to copy packages, contents, folders, and files out of the content library to a specified folder. You
can't copy the content library itself. You can select more than one file, but you can't select multiple folders.
Search for packages using Edit > Find Package. This action searches for your query in the package name and
package ID.

Limitations
The tool can't manipulate the content library directly in any way. Changes to the content library may
result in malfunctions.
The tool can redistribute packages, but only to the target distribution point.
When you colocate the distribution point with the site server, you can't validate package data. Use the
Configuration Manager console instead. The tool still inspects the package to make sure that all the
content is present, though not necessarily intact.
You can't delete content with this tool.
See also
Fundamental concepts for content management
The content library
Content Library Transfer tool
2/16/2022

Applies to: Configuration Manager (current branch)

The Content Library Transfer tool is one of the Configuration Manager tools. It transfers content from one disk
drive to another. The tool is designed to run on distribution point site systems. It supports distribution points
colocated with a site or on remote site systems.
The tool is useful when the disk drive hosting the content library becomes full. First add or
identify another hard disk with sufficient space to host the content library. Then use
ContentLibraryTransfer.exe to transfer content from the old, full drive to the new, empty drive.
Once the transfer is complete, content is accessible to client computers from the new location.

Usage
Run ContentLibraryTransfer.exe as a user with administrative permissions on the distribution point.
Syntax
ContentLibraryTransfer.exe -SourceDrive <drive letter of source drive> -TargetDrive <drive letter of destination drive>

Example
ContentLibraryTransfer -SourceDrive E -TargetDrive G

Limitations
Run the tool locally on the distribution point. You can't run it from a remote computer.
Only use it when clients aren't actively accessing the distribution point. If you run the tool while clients
are accessing content, the content library on the destination drive may have incomplete data. The data
transfer might fail altogether, leaving an unusable content library.
Don't distribute content to the distribution point while you run the tool. If you run the tool while content
is being written to the distribution point, the content library on the destination drive may have
incomplete data. The data transfer might fail altogether, leaving an unusable content library.

See also
Fundamental concepts for content management
The content library
Content Ownership Tool
2/16/2022

Applies to: Configuration Manager (current branch)

Content Ownership Tool is one of the Configuration Manager tools. It changes ownership of orphaned packages
in Configuration Manager. Orphaned packages don't have an owning site server. Packages become
orphaned when a site server is removed while it still owns them.
Run the Content Ownership Tool on any site server in the Configuration Manager hierarchy. Sign in as an
administrative user with sufficient package permissions.

TIP
Use ContentLibraryCleanup.exe in CD.Latest\SMSSETUP\TOOLS\ContentLibraryCleanup to remove orphaned
content from a distribution point. For more information, see Content library cleanup tool.

Features
Display all orphaned packages
Display all packages, even if they're not orphaned
View the status of the connection to a site
Filter packages by name, site code, or package type
Sort by any displayed column
Change assignment of one or more packages with a single action
View progress of the ownership transfer activity

Usage
Run ContentOwnershipTool.exe to start the tool. Local administrator permissions on the computer aren't
required to run the tool.
There are no command-line parameters.

IMPORTANT
This tool changes the ownership of an orphaned package. The package itself doesn't move from the distribution point
that it's stored on. This ownership change doesn't cause the package to update on distribution points. It also doesn't
cause clients to reevaluate policy for deployment of the package. After the ownership changes, make sure that the new
site server can access the source files. It should have at least Read permissions to the source files of each package.

See also
Fundamental concepts for content management
The content library
Extend and migrate an on-premises site to
Microsoft Azure
2/16/2022

Applies to: Configuration Manager (current branch)


Starting in version 1910, this tool helps you to programmatically create Azure virtual machines (VMs) for
Configuration Manager. It can install site roles such as a passive site server, management points, and
distribution points with default settings. Once you validate the new roles, use them as additional site systems for
high availability. You can also remove the on-premises site system role and keep only the Azure VM role.

Prerequisites
An Azure subscription
Starting in version 2010, it supports environments with virtual networks other than ExpressRoute. In
version 2006 and earlier, it requires an Azure virtual network with an ExpressRoute gateway.
Starting in version 2010, you can use the tool in a hierarchy or a standalone primary site. In version 2006
and earlier, it only works with a standalone primary site.
Starting in version 2010, it supports a site with a colocated site database. In version 2006 and earlier, it
requires the database to be on a remote SQL Server.
Your user account needs to be a Configuration Manager Full Administrator and have administrator
rights on the primary site server.
To add a site server in passive mode, the site server must meet the high availability requirements. For
example, it requires a remote content library.
Required Azure permissions
You'll need the following permissions in Azure when you run the tool:
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/validate/action
Microsoft.Compute/virtualMachines/extensions/read
Microsoft.Compute/virtualMachines/extensions/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/listServiceSas/action
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.KeyVault/vaults/deploy/action
Microsoft.KeyVault/vaults/read
For more information about permissions and assigning roles, see Add or remove Azure role assignments using
the Azure portal.
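As an added example (not part of the tool or its documentation), the PowerShell below turns the permission list above into a least-privilege custom Azure role and reports which of the required actions an existing role definition does not grant, so the tool can be run without a broad built-in role. It assumes the Az.Resources module; the role name and the subscription ID placeholder are constructed.

```powershell
# Added example: a least-privilege custom Azure role for the Extend and migrate to
# Azure tool, built from the actions listed above, plus a check for an existing role.
# Assumes the Az.Resources module (Get-AzRoleDefinition / New-AzRoleDefinition).

# The required actions, copied from the list above.
$ExtendToAzureActions = @(
    'Microsoft.Resources/subscriptions/resourceGroups/read'
    'Microsoft.Resources/subscriptions/resourceGroups/write'
    'Microsoft.Resources/deployments/read'
    'Microsoft.Resources/deployments/write'
    'Microsoft.Resources/deployments/validate/action'
    'Microsoft.Compute/virtualMachines/extensions/read'
    'Microsoft.Compute/virtualMachines/extensions/write'
    'Microsoft.Compute/virtualMachines/read'
    'Microsoft.Compute/virtualMachines/write'
    'Microsoft.Network/virtualNetworks/read'
    'Microsoft.Network/virtualNetworks/subnets/read'
    'Microsoft.Network/virtualNetworks/subnets/join/action'
    'Microsoft.Network/networkInterfaces/read'
    'Microsoft.Network/networkInterfaces/write'
    'Microsoft.Network/networkInterfaces/join/action'
    'Microsoft.Network/networkSecurityGroups/write'
    'Microsoft.Network/networkSecurityGroups/read'
    'Microsoft.Network/networkSecurityGroups/join/action'
    'Microsoft.Storage/storageAccounts/write'
    'Microsoft.Storage/storageAccounts/read'
    'Microsoft.Storage/storageAccounts/listkeys/action'
    'Microsoft.Storage/storageAccounts/listServiceSas/action'
    'Microsoft.Storage/storageAccounts/blobServices/containers/write'
    'Microsoft.Storage/storageAccounts/blobServices/containers/read'
    'Microsoft.KeyVault/vaults/deploy/action'
    'Microsoft.KeyVault/vaults/read'
)

function Get-MissingRoleActions {
    # Returns the required actions that a role's Actions/NotActions do not grant.
    # Azure action wildcards ('*') are approximated with PowerShell's -like operator.
    param(
        [Parameter(Mandatory)][string[]]$Required,
        [string[]]$Actions = @(),
        [string[]]$NotActions = @()
    )
    foreach ($action in $Required) {
        $granted = @($Actions    | Where-Object { $action -like $_ }).Count -gt 0
        $denied  = @($NotActions | Where-Object { $action -like $_ }).Count -gt 0
        if (-not $granted -or $denied) { $action }
    }
}

function New-ExtendToAzureRoleDefinition {
    # Creates a custom role scoped to one subscription with exactly the required actions.
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [string]$RoleName = 'ConfigMgr Extend To Azure Operator'   # constructed name
    )
    $definition = [ordered]@{
        Name             = $RoleName
        IsCustom         = $true
        Description      = 'Minimum actions for the Configuration Manager Extend and migrate to Azure tool'
        Actions          = $ExtendToAzureActions
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @("/subscriptions/$SubscriptionId")
    }
    $path = Join-Path ([IO.Path]::GetTempPath()) 'extend-to-azure-role.json'
    $definition | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    New-AzRoleDefinition -InputFile $path
}

# Usage: see what a built-in role would leave missing before granting anything broader,
# then create the custom role (the subscription ID is a placeholder).
# $vmc = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
# Get-MissingRoleActions -Required $ExtendToAzureActions -Actions $vmc.Actions -NotActions $vmc.NotActions
# New-ExtendToAzureRoleDefinition -SubscriptionId '<subscription-id>'
```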
Virtual network support
Starting in version 2010, to support virtual networks other than ExpressRoute, make the following
configurations:
In the configuration of the virtual network, go to the DNS servers settings. Add a Custom DNS server
with the IP address of a domain controller.
On the site server where you'll run the tool, set the following registry value:
HKCU\Software\Microsoft\ConfigMgr10\ExtendToAzure, SkipVNetCheck = 1

Run the tool
1. Sign on to the site server and run the following tool in the Configuration Manager installation directory:
Cd.Latest\SMSSETUP\TOOLS\ExtendMigrateToAzure\ExtendMigrateToAzure.exe

2. Review the information on the General tab, and then switch to the Azure Information tab.
3. On the Azure Information tab, choose your Azure environment, and then Sign in.

TIP
You may need to add https://*.microsoft.com to your trusted websites list to correctly sign in.

4. After you sign in, select your Subscription ID and Virtual network.

NOTE
In version 2006 and earlier, the tool only lists networks with an ExpressRoute gateway.

Site server high availability


1. On the Site Ser ver High Availability tab, select Check to evaluate your site's readiness.
If any of the checks fail, select More detail to determine how to remediate the problem. For more
information about these prerequisites, see Site server high availability.
2. If you want to extend or migrate your site server to Azure, select Create a site ser ver in Azure . Then
fill in the following fields:

Subscription: Read only. Shows the subscription name and ID.

Resource group: Lists available resource groups. If you need to create a new resource group, use the
Azure portal, and then rerun this tool.

Location: Read only. Determined by your virtual network's location.

VM Size: Choose a size to fit your workload. Microsoft recommends the Standard_DS3_v2.

Operating system: Read only. The tool uses Windows Server 2019.

Disk type: Read only. The tool uses Premium SSD for best performance.

Virtual network: Read only.

Subnet: Select the subnet to use. If you need to create a new subnet, use the Azure portal.

Machine name: Enter the name of the passive site server VM in Azure. It's the same name shown in the
Azure portal.

Local admin username: Enter the name of the local administrative user that the Azure VM creates before
it joins the domain.

Local admin password: The password of the local administrative user. To protect the password during
Azure deployment, store the password as a secret in Azure Key Vault. Then, use the reference here. If
needed, create a new one from the Azure portal.

Domain FQDN: The fully qualified domain name for the Active Directory domain to join. By default, the
tool gets this value from your current machine.

Domain username: The name of the domain user allowed to join the domain. By default, the tool uses the
name of the currently signed in user.

Domain password: The password of the domain user to join the domain. The tool verifies it after you
select Start. To protect the password during Azure deployment, store the password as a secret in Azure
Key Vault. Then, use the reference here. If needed, create a new one from the Azure portal.

Domain DNS IP: Used for joining the domain. By default, the tool uses the current DNS from your current
machine.

Type: Read only. It shows Passive Site Server as the type.

IMPORTANT
By default, the virtual machines are set to No for Use existing Windows Server license. If you want to utilize
your on-premises Windows Server licenses with Software Assurance, configure this setting in the Azure portal
after the virtual machines are provisioned. For more information, see Azure Hybrid Benefit for Windows Server.

3. To start provisioning the Azure VM, select Start. To monitor the deployment status, switch to the
Deployments in Azure tab in the tool. To get the latest status, select Refresh deployment status.

TIP
You can also use the Azure portal to check the status, find errors, and determine potential fixes.

4. When the deployment finishes, go to your SQL Servers, and grant permissions for the new Azure VM. For
more information, see Site server high availability - Prerequisites.
5. To add the Azure VM as a site server in passive mode, select Add site server in passive mode.
6. Once the site adds the site server in passive mode, the Site Server High Availability tab shows the
status.

7. Next, switch to the Deployments in Azure tab to finish the deployment.

Site database
The tool doesn't currently have any tasks to migrate the database from on-premises to Azure. You can choose to
move the database from an on-premises SQL Server to an Azure SQL Server VM. The tool lists the following
articles on the Site Database tab to help:
Backup and restore the database
Configure a SQL Server Always On availability group and allow the data to replicate
Migrate a SQL Server database to an Azure SQL Server VM

Site system roles


1. Switch to the Site System Roles tab. To provision a new site system role with the default settings, select
Create new . You can provision roles such as the management point, distribution point, and software
update point. Not all roles are currently available in the tool.
2. In the provisioning window, fill in the fields to provision the site role's VM in Azure. These details are
similar to the above list for the site server.
3. To start provisioning the Azure VM, select Start. To monitor the deployment status, switch to the
Deployments in Azure tab in the tool. To get the latest status, select Refresh deployment status.

TIP
You can also use the Azure portal to check the status, find errors, and determine potential fixes.

4. Repeat this process to add more site system roles.


5. Next, go to the Deployments in Azure tab to finish the deployment.
6. When the deployment finishes, go to the Configuration Manager console to make additional changes to
the site role.

Deployments in Azure
1. Once Azure creates the VM, switch to the Deployments in Azure tab in the tool. Select Deploy to
configure the role with the default settings.
2. Select Run to start the PowerShell script.
3. Repeat this process to configure more roles.

Add site roles to an existing VM


Starting in Configuration Manager version 2002, the tool supports provisioning multiple site system roles on a
single Azure VM. You can add site system roles after the initial Azure VM deployment has completed. To add a
new role to an existing VM, do the following steps:
1. On the Deployments in Azure tab, select a virtual machine deployment that has a Completed
status.
2. Select Create new to add an additional role to the virtual machine.

Next steps
Review your changes in the Azure portal
Role-based administration and auditing tool
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The role-based administration and auditing tool is one of the Configuration Manager tools. Use this tool for the
following tasks:
Model security roles with specific permissions
Audit the security scopes and security roles that other users have

Requirements
Run it on the same computer as the Configuration Manager site server
You have the Full Administrator, Read-only Analyst, or Security Administrator role
Assign your account to the All security scope and all collections
(Optional) To analyze report folder security, you need SQL Server access
(Optional) To analyze report drill-through, run this tool on the site system server with the reporting
services point role

Procedures
Model permissions for a new role
Use the following procedure to model permissions for a new role that you want to create:
1. Run RBAViewer.exe .
2. Select the base security roles you want to build on, or start from an empty permission set. Select the
necessary permissions.
3. Select Analyze to see the user interface this custom role will see.

NOTE
To see whether there's an existing security role that meets your requirements, switch to the Similarity tab.

4. Select Export to save the role as an XML file. Then import it to the Configuration Manager console. For
more information, see Create custom security roles.
Audit existing security scopes
Use the following procedure to audit all existing administrative users, collections, and security scopes in
Configuration Manager:
1. Run RBAViewer.exe .
2. Select the Audit RBA button in the toolbar.
a. To view the collection-limited relationships in a tree view, switch to the Collection Summary tab.
b. To view objects assigned to a security role, switch to the Scope Summary tab.
Audit a specific user
Use the following procedure to audit the role-based administration configuration for a specific user:
1. Run RBAViewer.exe .
2. Select the Run As button in the toolbar.
3. Input the specific user name to check the permissions for that account.
4. The tool displays the security roles assigned to the user or the security group the user belongs to. It also
displays the objects this user can see and the actions they can take in the console.

See also
Fundamentals of role-based administration
Configure role-based administration
Run Meter Summarization Tool
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The Run Meter Summarization Tool is one of the Configuration Manager tools. Use it to immediately trigger the
maintenance tasks for software metering summarization on primary sites. By default, these tasks run as
scheduled in Site Maintenance tasks, which start after 12:00 AM every day.
These tasks summarize the data in the MeterData SQL Server table, and write the summary results into the
FileUsageSummary and MonthlyUsageSummary tables. Then you see the summarized result in software
metering reports. Any Configuration Manager administrative user who can connect to the primary site database
can use this tool to run summarization.
This tool runs the File Usage Summary and Monthly Usage Summary software metering data
summarization tasks. It summarizes all existing meter data without the usual 12-hour waiting period. Run it on
the SQL Server that hosts the site database. If summarization is successful, the exit code is set to 0. If there was
an error, the exit code is 1.

Usage
Command Line
runmetersumm [sms database name] <delay in hours for summarization <default=0>>

Options
Database name
The name of the site database on the SQL Server.
Delay in hours for summarization
The tool summarizes the software metering usage generated before the delay. By default, this delay is zero.
Example
Summarize the software metering usage generated 12 hours ago
runmetersumm CCM_ABC <12>

See also
Maintenance tasks
Monitor app usage with software metering
Settings to manage high-risk deployments for
Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


With Configuration Manager, you can configure deployment verification site settings. These settings warn
administrators if they create a high-risk task sequence deployment. A high-risk deployment is:
A deployment that's automatically installed
Has the potential to cause unwanted results
For example, a task sequence with a purpose of Required that deploys an operating system is considered high-
risk.

WARNING
If you use PXE deployments, and configure device hardware with the network adapter as the first boot device, these
devices can automatically start an OS deployment task sequence without user interaction. Deployment verification doesn't
manage this configuration. While this configuration may simplify the process and reduce user interaction, it puts the
device at greater risk for accidental reimage.

Deployment verification settings


To reduce the risk of an unwanted high-risk deployment, you can configure size limits in these deployment
verification settings:
Collection size limits: When you create a deployment, hide collections that include more clients than
your limit.
Default size: When you create a deployment, this setting hides collections by default that include
more clients than this limit. You can still see these collections when creating the deployment, but
they're hidden by default. The default value is 100. To ignore this setting, enter a value of 0.
Maximum size: When you create a deployment, this setting always hides collections with more
clients than this limit. The default value is 0, which ignores this setting. The Maximum size value
must be greater than the Default size value.
For example, you set Default size to 100 and the Maximum size to 1000. When you create a
high-risk deployment, the Select Collection window only displays collections that include fewer
than 100 clients. If you clear the setting to Hide collections with a member count greater
than the site's minimum size configuration, the window displays collections that include
fewer than 1000 clients.
Collections with site system servers: When the target collection includes a computer with a site
system role, block deployments or require verification before creating the deployment. When a
deployment is blocked, select a different collection that meets the deployment verification criteria to
continue creating the deployment.

NOTE
High-risk deployments are always limited to custom collections, collections that you create, and the built-in Unknown
Computers collection. When you create a high-risk deployment, you can't select a built-in collection such as All
Systems.
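As an added illustration that is not part of the original article, the following PowerShell function models how the settings above combine for one candidate collection. The function name, the result strings and the 'Block'/'RequireVerification' representation of the site-system-server setting are assumptions; the console applies the real rules.

```powershell
# Added example, not code from the Configuration Manager product or its documentation.
# Models the deployment verification rules for a single candidate target collection.
function Test-HighRiskDeploymentTarget {
    [CmdletBinding()]
    param(
        # Number of clients in the candidate collection.
        [Parameter(Mandatory)] [int]$MemberCount,
        # True when the collection contains a computer that hosts a site system role.
        [bool]$ContainsSiteSystemServer = $false,
        # True for built-in collections other than Unknown Computers; never selectable for high-risk deployments.
        [bool]$IsBuiltInCollection = $false,
        # Site settings: Default size (0 ignores it) and Maximum size (0 ignores it, otherwise must exceed Default size).
        [int]$DefaultSize = 100,
        [int]$MaximumSize = 0,
        # State of the "Hide collections with a member count greater than the site's minimum size configuration" check box.
        [bool]$HideDefaultSizeCollections = $true,
        # Assumed representation of the "Collections with site system servers" setting.
        [ValidateSet('Block', 'RequireVerification')] [string]$SiteSystemServerPolicy = 'Block'
    )

    # The console enforces this relationship between the two limits.
    if ($MaximumSize -ne 0 -and $MaximumSize -le $DefaultSize) {
        throw "Maximum size ($MaximumSize) must be greater than Default size ($DefaultSize)."
    }

    # Built-in collections such as All Systems are never offered for a high-risk deployment.
    if ($IsBuiltInCollection) { return 'NotSelectable' }

    # Maximum size always hides the collection, whatever the check box says.
    # "More clients than this limit" is read as strictly greater than (assumption).
    if ($MaximumSize -ne 0 -and $MemberCount -gt $MaximumSize) { return 'HiddenByMaximumSize' }

    # Default size hides the collection only while the check box is selected.
    if ($HideDefaultSizeCollections -and $DefaultSize -ne 0 -and $MemberCount -gt $DefaultSize) {
        return 'HiddenByDefaultSize'
    }

    # A collection that includes a site system server is blocked or flagged for verification.
    if ($ContainsSiteSystemServer) {
        if ($SiteSystemServerPolicy -eq 'Block') { return 'Blocked' }
        return 'RequiresVerification'
    }

    return 'Selectable'
}

# Walk through the article's example: Default size 100, Maximum size 1000.
$siteSettings = @{ DefaultSize = 100; MaximumSize = 1000 }
# A small custom collection.
Test-HighRiskDeploymentTarget -MemberCount 50 @siteSettings
# 500 members with the check box still selected.
Test-HighRiskDeploymentTarget -MemberCount 500 @siteSettings
# The same 500 members after clearing the check box.
Test-HighRiskDeploymentTarget -MemberCount 500 @siteSettings -HideDefaultSizeCollections $false
# 5000 members: above Maximum size, hidden even with the check box cleared.
Test-HighRiskDeploymentTarget -MemberCount 5000 @siteSettings -HideDefaultSizeCollections $false
# A small collection that happens to contain a distribution point.
Test-HighRiskDeploymentTarget -MemberCount 20 @siteSettings -ContainsSiteSystemServer $true
```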

Configure deployment verification


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, select Sites, and then select the primary site to configure.
2. In the ribbon, select Properties, and then switch to the Deployment Verification tab.
3. Configure the settings you want to use, and then select OK to save the configuration and close the
properties.

Next steps
Manage task sequences - high-impact settings
Configure sites and hierarchies
Client installation methods in Configuration
Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can use different methods to install the Configuration Manager client software. Use one method, or a
combination of methods. This article describes each method, so you can learn which one works best for your
organization.

Client push installation


Supported client platform: Windows
Advantages
Can be used to install the client on a single computer, a collection of computers, or to the results from a
query.
Can be used to automatically install the client on all discovered computers.
Automatically uses client installation properties defined on the Client tab in the Client Push
Installation Properties dialog box.
Disadvantages
Can cause high network traffic when pushing to large collections.
Can only be used on computers that have been discovered by Configuration Manager.
Can't be used to install clients in a workgroup.
A client push installation account must be specified that has administrative rights to the intended client
computer.
Windows Firewall must be configured with exceptions on client computers.
You can't cancel client push installation. Configuration Manager tries to install the client on all discovered
resources. It retries any failures for up to seven days.
For more information, see How to install clients with client push.

Software update point-based installation


Supported client platform: Windows
Advantages
Can use your existing software updates infrastructure to manage the client software.
If Windows Server Update Services (WSUS) and group policy settings in Active Directory Domain
Services are configured correctly, it can automatically install the client software on new computers.
Doesn't require computers to be discovered before the client can be installed.
Computers can read client installation properties that have been published to Active Directory Domain
Services.
If the client is removed, this method reinstalls it.
Doesn't require you to configure and maintain an installation account for the intended client computer.
Disadvantages
Requires a functioning software updates infrastructure as a prerequisite.
Must use the same server for client installation and software updates. This server must reside in a
primary site.
To install new clients, you must configure a group policy object in Active Directory Domain Services with
the client's active software update point and port.
If the Active Directory schema isn't extended for Configuration Manager, you must use group policy
settings to provision computers with client installation properties.
For more information, see How to install clients with software update-based installation.

Group policy installation


Supported client platform: Windows
Advantages
Doesn't require computers to be discovered before the client can be installed.
Can be used for new client installations or for upgrades.
Computers can read client installation properties that have been published to Active Directory Domain
Services.
Doesn't require you to configure and maintain an installation account for the intended client computer.
Disadvantages
If a large number of clients are being installed, it can cause high network traffic.
If the Active Directory schema isn't extended for Configuration Manager, you must use group policy
settings to add client installation properties to computers in your site.
For more information, see How to install clients with group policy.

Logon script installation


Supported client platform: Windows
Advantages
Doesn't require computers to be discovered before the client can be installed.
Supports using command-line properties for CCMSetup.
Disadvantages
If a large number of clients are being installed over a short time period, it can cause high network traffic.
If users don't frequently log on to the network, it can take a long time to install on all client computers.
For more information, see How to install clients with logon scripts.

Manual installation
Supported client platform: Windows, macOS X
Advantages
Doesn't require computers to be discovered before the client can be installed.
Can be useful for testing purposes.
Supports using command-line properties for CCMSetup.
Disadvantages
No automation, therefore time consuming.
For more information about how to manually install the client on each platform, see the following articles:
How to deploy clients to Windows computers
How to deploy clients to Macs

Microsoft Intune MDM installation


Supported client platforms: Windows 10 or later
Advantages
Doesn't require computers to be discovered before the client can be installed.
Doesn't require you to configure and maintain an installation account for the intended client computer.
Can use modern authentication with Azure Active Directory.
Can install and assign computers on the internet.
Can automate with Windows AutoPilot and Microsoft Intune for co-management.
Disadvantages
Requires additional technologies outside of Configuration Manager.
Requires that the device has access to the internet, even if it isn't internet-based.
For more information, see the following articles:
How to install clients to Intune MDM-managed Windows devices
Install and assign Configuration Manager clients using Azure AD for authentication
Prerequisites for deploying clients to Windows
computers
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Deploying Configuration Manager clients in your environment has the following external dependencies and
dependencies within the product. Additionally, each client deployment method has its own dependencies that
must be met for client installations to be successful.
For more information on the minimum hardware and OS requirements for the Configuration Manager client,
see Supported configurations.

NOTE
The software version numbers shown in this article only list the minimum version numbers required.

Use the following information to determine the prerequisites for when you install the Configuration Manager
client on Windows devices.

Dependencies external to Configuration Manager


Windows components
Many of these components are services or features that Windows enables by default. Don't disable these
components on Configuration Manager clients.

Windows Installer: Required to support the use of Windows Installer files for applications and software
updates.

Background Intelligent Transfer Service (BITS): Required to allow throttled data transfers between the
client computer and Configuration Manager site systems.

Task Scheduler: Required for client operations, such as regularly evaluating the health of the
Configuration Manager client.

Remote Differential Compression (RDC): Required to optimize data transmission over the network.

SHA-2 code signing support: Clients require support for the SHA-2 code signing algorithm. For more
information, see SHA-2 code signing support.

SHA-2 code signing support


Because of weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft now only signs
Configuration Manager binaries using the more secure SHA-2 algorithm. Legacy Windows OS versions require
an update for SHA-2 code signing support. For more information, see 2019 SHA-2 code signing support
requirement for Windows and WSUS.
If you don't update these OS versions, you can't install a supported version of the Configuration Manager
current branch client. This behavior applies to either a new client install or updating it from a previous version.
If you need to manage a client on a version of Windows that's not updated, or older than the versions listed
above, use the Configuration Manager extended interoperability client (EIC) version 1902. For more information,
see Extended interoperability client.

TIP
If you don't use automatic client update, and update clients with another mechanism, make sure to update the version of
ccmsetup. An older version of ccmsetup may not properly validate the new SHA-2 code signing certificate on client
binaries. For example, if you copy ccmsetup.exe to a file share, or use ccmsetup.msi with group policy.
The following client update mechanisms aren't affected:
Client push installation: It uses the client package from the site.
Software update-based installation: The site update republishes to WSUS.
Intune MDM-managed Windows devices: The supported version for this mechanism already supports SHA-2 code
signing, but it's still important to use the latest ccmsetup.msi.

Components automatically downloaded during installation


The Configuration Manager client has external dependencies. These dependencies depend on the OS version
and the installed software on the client computer. If the client requires these dependencies to complete the
installation, it automatically installs them.

Microsoft Visual C++ 2015-2019 Redistributable version 14.28.29914.0 (vcredist_x*.exe): (Version 2107 and
later) Required to support client operations. When you install this update on client computers, it might
require a restart to complete the installation.

Microsoft Visual C++ 2013 Redistributable version 12.0.40660.0 (vcredist_x*.exe): (Version 2103 and
earlier) Required to support client operations. When you install this update on client computers, it might
require a restart to complete the installation.

Windows Imaging APIs 6.0.6001.18000 or later (wimgapi.msi): Required to allow Configuration Manager to
manage Windows image (.wim) files.

Microsoft Policy Platform 1.2.3514.0 or later (MicrosoftPolicyPlatformSetup.msi): Required to allow clients
to evaluate compliance settings.

Microsoft .NET Framework version 4.6.2 or later (NDP462-KB3151800-x86-x64-AllOS-ENU.exe): Version 2107
and later: Required to support client operations. Automatically installed on the computer if it doesn't
have this version installed. For more information, see More details about Microsoft .NET.

Microsoft .NET Framework version 4.5.2 or later (NDP452-KB2901907-x86-x64-AllOS-ENU.exe): Version 2103
and earlier: Required to support client operations. Automatically installed on the computer if it doesn't
have this version installed. For more information, see More details about Microsoft .NET.

Microsoft SQL Server Compact Edition (CE) 4.0 SP1 components: Required to store information related to
client operations.

Microsoft Monitoring Agent version 10.20.18053.0 (MMASetup-*.exe): Installed as needed by devices that
you onboard to Microsoft Defender for Endpoint.

Windows Firewall configuration (WindowsFirewallConfigurationProvider.msi): Required for certain endpoint
protection policies.

Microsoft WebView2 (Microsoft.WebView2.FixedVersionRuntime.x86.cab): Installed as needed when you use
Software Center custom tabs.

More details about Microsoft .NET


When you install or update the Configuration Manager client, if the device doesn't have at least the required
version of the .NET Framework, CCMSetup installs it. Starting in version 2107, the minimum required version is
4.6.2.
Microsoft recommends that you install the latest version of .NET version 4.8 to get the latest performance and
security improvements. CCMSetup doesn't automatically install .NET version 4.8. A later version of Configuration
Manager will require .NET version 4.8.

NOTE
.NET Framework version 4.6.2 is preinstalled with Windows Server 2016 and Windows 10 version 1607. Later versions of
Windows are preinstalled with a later version of the .NET Framework.
.NET Framework version 4.8 isn't supported on some OS versions, such as Windows 10 2015 LTSB.
For more information, see .NET Framework system requirements.

Whether you update .NET before updating the Configuration Manager client, or CCMSetup updates it, .NET may
require a restart to complete its installation. CCMSetup suppresses a restart if necessary. The user sees a
Restart required notice in the Windows notification area.

IMPORTANT
When the Configuration Manager client updates to version 2111 or later, client notifications are dependent upon .NET
4.6.2 or later. Until you update .NET to version 4.6.2 or later, and restart the device, users won't see notifications from
Configuration Manager. Other client-side functionality may be affected until the device is updated and restarted.

The following scenarios are common reasons why .NET requires the computer to restart:
.NET applications or services are running on the computer.
One or more software updates required for .NET installation are missing.
The computer is pending a restart from prior installation of .NET framework software updates.
After .NET Framework is installed, it may require other updates. These updates may also require the computer to
restart.
If you need to manage the device restarts before you update the Configuration Manager client, use the
following recommended process:
1. Install the latest baseline .NET version. For example, starting in version 2107, install .NET version 4.8.
2. Restart the device.
3. Scan for software updates and install the latest .NET cumulative update.
4. Restart the device.
5. Install the latest Configuration Manager client version.
Known issue with .NET version 4.6.2 on Windows Server 2008 SP2

The release of .NET version 4.6.2 that Configuration Manager redistributes doesn't install on Windows Server
2008 SP2. This version of the OS is covered under the Extended Security Updates (ESU) program. While
products under this program are no longer supported for use with Configuration Manager, you can use the
latest released version of Configuration Manager current branch to deploy and install Windows security updates
released under the ESU program.
Microsoft recommends updating the OS to a later version that's fully supported. If your business requirements
necessitate use of this OS version, download the latest release of .NET version 4.6.2 published on 6/23/2021 or
later. For more information, see The .NET Framework 4.6.2 offline installer for Windows. This .NET release does
install on Server 2008 SP2. Manually update .NET on devices with this OS version before you update the
Configuration Manager client to version 2107.
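The following added PowerShell script (not code from the Configuration Manager product or its documentation) checks a prospective client against the prerequisites described in the Windows components table and the .NET section above: the required services are not disabled, the installed .NET Framework meets the 4.6.2 minimum or the recommended 4.8, and no restart is pending. The mapping from table rows to service names and the function names are assumptions; the .NET Release values are Microsoft's published thresholds.

```powershell
# Added example, not code from the Configuration Manager product or its documentation.
# Run locally in an elevated PowerShell session on the machine that will receive the client.

# Release DWORD thresholds published by Microsoft for the .NET Framework 4.x family.
$script:NetRelease462 = 394802   # .NET Framework 4.6.2: minimum for client version 2107 and later
$script:NetRelease48  = 528040   # .NET Framework 4.8: recommended

# Services behind the Windows components table, keyed by service name (assumed mapping).
$script:RequiredServices = [ordered]@{
    msiserver = 'Windows Installer'
    BITS      = 'Background Intelligent Transfer Service (BITS)'
    Schedule  = 'Task Scheduler'
}

function New-Finding($Check, $Status, $Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Get-NetFrameworkRelease {
    # Returns the Release value of the installed .NET Framework 4.x, or 0 when 4.5 or later is absent.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $item = Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.Release
}

function Test-PendingReboot {
    # True when Windows reports a restart pending, one of the reasons .NET setup defers completion.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($marker in $markers) { if (Test-Path $marker) { return $true } }
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return ($null -ne $sessionManager -and $sessionManager.PendingFileRenameOperations.Count -gt 0)
}

function Test-CcmClientPrerequisites {
    [CmdletBinding()]
    param()
    $findings = New-Object System.Collections.Generic.List[object]

    # Windows components: the article says not to disable these on clients.
    foreach ($name in $script:RequiredServices.Keys) {
        $label = $script:RequiredServices[$name]
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            $findings.Add((New-Finding $label 'Fail' 'Service not present'))
        } elseif ($svc.StartMode -eq 'Disabled') {
            $findings.Add((New-Finding $label 'Fail' 'Service is disabled; the client depends on it'))
        } else {
            $findings.Add((New-Finding $label 'Pass' "StartMode=$($svc.StartMode), State=$($svc.State)"))
        }
    }

    # .NET Framework: 4.6.2 is the minimum from version 2107; 4.8 is recommended and not auto-installed.
    $release = Get-NetFrameworkRelease
    if ($release -ge $script:NetRelease48) {
        $findings.Add((New-Finding '.NET Framework' 'Pass' "Release $release (4.8 or later)"))
    } elseif ($release -ge $script:NetRelease462) {
        $findings.Add((New-Finding '.NET Framework' 'Warn' "Release $release meets the 4.6.2 minimum; 4.8 is recommended"))
    } else {
        $findings.Add((New-Finding '.NET Framework' 'Fail' "Release $release is below 4.6.2; CCMSetup will install it and may need a restart"))
    }

    # Pending restart: install .NET and restart before the client update, per the recommended process.
    if (Test-PendingReboot) {
        $findings.Add((New-Finding 'Pending restart' 'Warn' 'Restart before installing the client so .NET setup can complete'))
    } else {
        $findings.Add((New-Finding 'Pending restart' 'Pass' 'No restart pending'))
    }
    return $findings
}

Test-CcmClientPrerequisites | Format-Table -AutoSize
```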

Configuration Manager dependencies


For more information, see Determine the site system roles for clients.

Management point: To deploy the Configuration Manager client, you don't require a management point.
Clients require a management point to transfer information with the site. Without a management point, you
can't manage client computers.

Distribution point: The distribution point is an optional, but recommended site system role for client
deployment and management. All distribution points host the client source files. Clients find the nearest
distribution point from which to download the source files during client deployment or update. If the site
doesn't have a distribution point, computers download the client source files from their management point.

Fallback status point: The fallback status point is an optional, but recommended site system role for
client deployment. The fallback status point tracks client deployment and enables computers in the
Configuration Manager site to send state messages when they can't communicate with a management point.

Reporting services point: The reporting services point is an optional, but recommended site system role.
It displays reports related to client deployment and management. For more information, see Introduction to
reporting.

Installation method dependencies


The following prerequisites are specific to the various methods of client installation.
Client push installation
The site uses client push installation accounts to connect to computers to install the client. Specify these
accounts on the Accounts tab of the Client Push Installation Properties. The account must be a member
of the local Administrators group on the destination computer.
If you don't specify a client push installation account, the site server uses its computer account.
The site needs to discover the computer on which you're installing the client. At least one Configuration
Manager discovery method is needed.
The computer has an ADMIN$ share.
To automatically push the Configuration Manager client to discovered resources, select the option to
Enable client push installation to assigned resources in the Client Push Installation Properties.
The client computer needs to communicate with a distribution point or a management point to download
the source files.
When you require Kerberos mutual authentication, clients must be in a trusted Active Directory forest.
Kerberos in Windows relies upon Active Directory for mutual authentication.
To use client push, you need the following security permissions:
To configure the client push installation account: Modify and Read permission for the Site object.
To use client push to install the client to collections, devices and queries: Modify Resource and Read
permission for the Collection object.
The Infrastructure Administrator default security role includes the required permissions to manage client
push installations.
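As an added example that is not from the Configuration Manager product or its documentation, this PowerShell function checks, from the site server, whether a target computer satisfies the client push prerequisites listed above: name resolution, SMB and RPC reachability through any firewall, the ADMIN$ share, and membership of the push account in the target's local Administrators group. The function name, parameter names and the CLIENT01 / CONTOSO\svc-ccmpush values are constructed placeholders.

```powershell
# Added example, not code from the Configuration Manager product or its documentation.
# Run on the site server as a user who can reach the target; the ADMIN$ test uses that user's credentials.
function Test-ClientPushReadiness {
    [CmdletBinding()]
    param(
        # Target computer, as discovered by the site.
        [Parameter(Mandatory)] [string]$ComputerName,
        # Client push installation account in DOMAIN\user form.
        [Parameter(Mandatory)] [string]$PushAccount
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Passed, $Detail) {
        $results.Add([pscustomobject]@{ Computer = $ComputerName; Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # 1. The site must be able to resolve the discovered name.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName)
        Add-Result 'Name resolution' $true (($addresses | ForEach-Object { $_.IPAddressToString }) -join ', ')
    } catch {
        Add-Result 'Name resolution' $false $_.Exception.Message
        return $results   # nothing further is meaningful without an address
    }

    # 2. Client push needs SMB (445) for ADMIN$ and RPC (135); a client firewall without exceptions blocks both.
    foreach ($port in 445, 135) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Result "TCP $port reachable" $open "Port $port $(if ($open) { 'open' } else { 'closed or filtered' })"
    }

    # 3. The ADMIN$ administrative share must exist and be accessible.
    $adminShare = "\\$ComputerName\ADMIN$"
    $shareOk = Test-Path -Path $adminShare -ErrorAction SilentlyContinue
    Add-Result 'ADMIN$ share' $shareOk $adminShare

    # 4. The push account must be a member of the target's local Administrators group.
    #    Only direct membership is inspected here; nested domain groups are not expanded.
    try {
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        # ADsPath looks like WinNT://DOMAIN/name; normalise to DOMAIN\name for comparison.
        $normalized = $members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }
        $isAdmin = $normalized -contains $PushAccount
        Add-Result 'Push account is local admin' $isAdmin "Direct members: $($normalized -join '; ')"
    } catch {
        Add-Result 'Push account is local admin' $false $_.Exception.Message
    }

    return $results
}

# Constructed placeholder values; replace with a discovered computer and the site's push account.
Test-ClientPushReadiness -ComputerName 'CLIENT01' -PushAccount 'CONTOSO\svc-ccmpush' | Format-Table -AutoSize
```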
Software update point-based installation
If you haven't extended the Active Directory schema, or you're installing clients from another forest, use
group policy to provision installation parameters for CCMSetup.exe. For more information, see How to
provision client installation properties.
Publish the Configuration Manager client to the software update point.
To download the source files, the client computer needs to communicate with a distribution point or a
management point.
For the security permissions required to manage Configuration Manager software updates, see Prerequisites for
software updates.
Group policy-based installation
If you haven't extended the Active Directory schema, or you're installing clients from another forest, use
group policy to provision installation parameters for CCMSetup.exe. For more information, see How to
provision client installation properties.
To download the source files, the client computer needs to communicate with a distribution point or a
management point.
Logon script-based installation
To download the source files, the client computer needs to communicate with a distribution point or a
management point. Unless you specified CCMSetup.exe with the following command-line parameter:
ccmsetup /source

Manual installation
To download the source files, the client computer needs to communicate with a distribution point or a
management point. Unless you specified CCMSetup.exe with the following command-line parameter:
ccmsetup /source

Microsoft Intune MDM installation


Requires a Microsoft Intune subscription and appropriate licenses.
Requires the device has internet access, even if it isn't internet-based.
Depending upon the use case, you may also require one or both of the following technologies:
Azure Active Directory
Cloud management gateway
Workgroup computer installation
To access resources in the Configuration Manager site server's domain, configure a network access account for
the site.
For more information about how to configure the network access account, see the Fundamental concepts for
content management.
Software distribution-based installation (for upgrades only)
If you haven't extended the Active Directory schema, or you're installing clients from another forest, use
group policy to provision installation parameters for CCMSetup.exe. For more information, see How to
provision client installation properties.
To download the source files, the client computer needs to communicate with a distribution point or a
management point.
For the security permissions required to upgrade the Configuration Manager client using application
management, see Security and privacy for application management.
Automatic client upgrades
You must be a member of the Full Administrator security role to configure automatic client upgrades.

Firewall requirements
If there's a firewall between the site system servers and the computers onto which you want to install the
Configuration Manager client, see Windows Firewall and port settings for clients.

Next steps
Windows firewall and port settings for clients
Prerequisites for deploying clients to mobile devices
Prerequisites for deploying clients to mobile devices
in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
On-premises MDM and the Configuration Manager client for macOS are both deprecated.
Migrate management of macOS and mobile devices to Microsoft Intune. For more information, see Supported clients and
devices.

Deploying Configuration Manager clients in your environment has the following external dependencies and
dependencies within the product.
For more information on the minimum hardware and OS requirements for the Configuration Manager client,
see Supported configurations.

NOTE
The software version numbers shown in this article only list the minimum version numbers required.

When you install the Configuration Manager client on mobile devices and enroll them, use this information to
determine the prerequisites.

Dependencies external to Configuration Manager


A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the
certificates required for mobile devices.
The issuing CA must automatically approve certificate requests from the mobile device users during the
enrollment process.
For more information about the certificate requirements, see Security and privacy for certificate profiles.
A security group that contains the users that can enroll their mobile devices.
This security group is used to configure the certificate template that is used during mobile device
enrollment.
Optional but recommended: a DNS alias (CNAME record) named ConfigMgrEnroll. Configure this alias
for the server name of the enrollment proxy point.
This DNS alias is required to support automatic discovery for the enrollment service. If you don't
configure this DNS record, users must manually specify the name of the enrollment proxy point as part
of the enrollment process.
Site system role dependencies for the computers that run the enrollment point and the enrollment proxy
point.
For more information, see Supported operating systems for site system servers.
Configuration Manager dependencies
For more information, see Determine the site system roles for clients.
Management point configurations:
HTTPS client connections
Enabled for mobile devices
An internet FQDN
Accept client connections from the internet
Enrollment point and enrollment proxy point
An enrollment proxy point manages enrollment requests from mobile devices and the enrollment point
completes the enrollment process. The enrollment point must be in the same Active Directory forest as
the site server, but the enrollment proxy point can be in another forest.
Client settings for mobile device enrollment
Configure client settings to allow users to enroll mobile devices and configure at least one enrollment
profile.
Reporting services point
The reporting services point is an optional, but recommended site system role. It can display reports
related to mobile device enrollment and client management. For more information, see Introduction to
reporting.
To configure enrollment for mobile devices, your account needs the following security permissions:
To add, modify, and delete the enrollment site system roles: Modify permission for the Site object.
To configure client settings for enrollment: Default client settings require Modify permission for
the Site object, and custom client settings require Client agent permissions.
The Full Administrator default security role includes the required permissions to configure the
enrollment site system roles.
To manage enrolled mobile devices, your account needs the following security permissions:
To wipe or retire a mobile device: Delete resource for the Collection object.
To cancel a wipe or retire command: Delete resource for the Collection object.
To allow and block mobile devices: Modify resource for the Collection object.
To remote lock, or reset the passcode on a mobile device: Modify resource for the Collection
object.
The Operations Administrator default security role includes the required permissions to manage
mobile devices.
For more information about how to configure security permissions, see Fundamentals of role-based
administration and Configure role-based administration.

Firewall requirements
Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the
traffic associated with mobile device enrollment.
Between mobile devices and the enrollment proxy point: HTTPS (by default, TCP 443)
Between the enrollment proxy point and the enrollment point: HTTPS (by default, TCP 443)
If you use a proxy web server, configure it for SSL tunneling. SSL bridging isn't supported for mobile devices.

Next steps
Windows firewall and port settings for clients
Windows Firewall and port settings for clients in
Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Client computers in Configuration Manager that run Windows Firewall often require you to configure
exceptions to allow communication with their site. The exceptions that you must configure depend on the
management features that you use with the Configuration Manager client.
Use the following sections to identify these management features and for more information about how to
configure Windows Firewall for these exceptions.

Modifying the Ports and Programs Permitted by Windows Firewall


Use the following procedure to modify the ports and programs on Windows Firewall for the Configuration
Manager client.
To modify the ports and programs permitted by Windows Firewall
1. On the computer that runs Windows Firewall, open Control Panel.
2. Right-click Windows Firewall, and then click Open.
3. Configure any required exceptions and any custom programs and ports that you require.

Programs and Ports that Configuration Manager Requires


The following Configuration Manager features require exceptions on the Windows Firewall:
Queries
If you run the Configuration Manager console on a computer that runs Windows Firewall, queries fail the first
time that they are run and the operating system displays a dialog box asking if you want to unblock statview.exe.
If you unblock statview.exe, future queries will run without errors. You can also manually add Statview.exe to the
list of programs and services on the Exceptions tab of the Windows Firewall before you run a query.
Client Push Installation
To use client push to install the Configuration Manager client, add the following as exceptions to the Windows
Firewall:
Outbound and inbound: File and Printer Sharing
Inbound: Windows Management Instrumentation (WMI)
Client Installation by Using Group Policy
To use Group Policy to install the Configuration Manager client, add File and Printer Sharing as an exception
to the Windows Firewall.
Client Requests
For client computers to communicate with Configuration Manager site systems, add the following as exceptions
to the Windows Firewall:
Outbound: TCP Port 80 (for HTTP communication)
Outbound: TCP Port 443 (for HTTPS communication)

IMPORTANT
These are default port numbers that can be changed in Configuration Manager. For more information, see How to
configure client communication ports. If these ports have been changed from the default values, you must also configure
matching exceptions on the Windows Firewall.

Client Notification
For the management point to notify client computers about an action that it must take when an administrative
user selects a client action in the Configuration Manager console, such as download computer policy or initiate a
malware scan, add the following as an exception to the Windows Firewall:
Outbound: TCP Port 10123
If this communication does not succeed, Configuration Manager automatically falls back to using the existing
client-to-management point communication port of HTTP, or HTTPS:
Outbound: TCP Port 80 (for HTTP communication)
Outbound: TCP Port 443 (for HTTPS communication)

IMPORTANT
These are default port numbers that can be changed in Configuration Manager. For more information, see How to
configure client communication ports. If these ports have been changed from the default values, you must also configure
matching exceptions on the Windows Firewall.

Remote Control
To use Configuration Manager remote control, allow the following port:
Inbound: TCP Port 2701
Remote Assistance and Remote Desktop
To initiate Remote Assistance from the Configuration Manager console, add the custom program Helpsvc.exe
and the inbound custom port TCP 135 to the list of permitted programs and services in Windows Firewall on
the client computer. You must also permit Remote Assistance and Remote Desktop. If you initiate Remote
Assistance from the client computer, Windows Firewall automatically configures and permits Remote
Assistance and Remote Desktop.
Wake-Up Proxy
If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up Proxy uses a peer-to-
peer protocol to check whether other computers are awake on the subnet and to wake them up if necessary.
This communication uses the following ports:
Outbound: UDP Port 25536
Outbound: UDP Port 9
These are the default port numbers that can be changed in Configuration Manager by using the Power
Management client settings of Wake-up proxy port number (UDP) and Wake On LAN port number
(UDP). If you specify the Power Management: Windows Firewall exception for wake-up proxy client
setting, these ports are automatically configured in Windows Firewall for clients. However, if clients run a
different firewall, you must manually configure the exceptions for these port numbers.
In addition to these ports, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request
messages from one client computer to another client computer. This communication is used to confirm whether
the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands.
For more information about wake-up proxy, see Plan how to wake up clients.
Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics
To access Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics from the
Configuration Manager console, enable File and Printer Sharing as an exception on the Windows Firewall.
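The exceptions listed in this section, applied with the NetSecurity cmdlets. This is an added example, not a script from the Configuration Manager documentation; it assumes the default port numbers, the Domain firewall profile, and that remote control and wake-up proxy are in use, and it creates a rule only where one with the same display name does not already exist.

```powershell
# Added example, not from the Configuration Manager documentation.
# Creates the Windows Firewall exceptions a Configuration Manager client needs
# when the site uses the default ports. Adjust the port values if the site
# uses custom client communication ports. Run from an elevated session.

#Requires -RunAsAdministrator

$clientRules = @(
    # Client requests to site systems; also the fallback path for client notification
    @{ Name = 'ConfigMgr Client HTTP';         Direction = 'Outbound'; Protocol = 'TCP'; Port = 80    }
    @{ Name = 'ConfigMgr Client HTTPS';        Direction = 'Outbound'; Protocol = 'TCP'; Port = 443   }
    # Client notification channel from the management point
    @{ Name = 'ConfigMgr Client Notification'; Direction = 'Outbound'; Protocol = 'TCP'; Port = 10123 }
    # Remote control
    @{ Name = 'ConfigMgr Remote Control';      Direction = 'Inbound';  Protocol = 'TCP'; Port = 2701  }
    # Wake-up proxy peer-to-peer protocol and Wake On LAN magic packets
    @{ Name = 'ConfigMgr Wake-up Proxy';       Direction = 'Outbound'; Protocol = 'UDP'; Port = 25536 }
    @{ Name = 'ConfigMgr Wake On LAN';         Direction = 'Outbound'; Protocol = 'UDP'; Port = 9     }
)

foreach ($rule in $clientRules) {
    # Idempotent: skip rules that already exist so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($rule.Name)' already exists; skipping"
        continue
    }
    # An inbound rule constrains the local listening port; an outbound rule constrains the remote port
    $portParam = if ($rule.Direction -eq 'Inbound') { @{ LocalPort = $rule.Port } } else { @{ RemotePort = $rule.Port } }
    New-NetFirewallRule -DisplayName $rule.Name -Direction $rule.Direction -Action Allow `
        -Protocol $rule.Protocol -Profile Domain @portParam | Out-Null
}

# Wake-up proxy also sends ICMP echo requests between clients (ICMPv4 type 8)
if (-not (Get-NetFirewallRule -DisplayName 'ConfigMgr Wake-up Proxy ICMP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'ConfigMgr Wake-up Proxy ICMP' -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType 8 -Profile Domain | Out-Null
}

# Predefined rule groups: File and Printer Sharing (client push, Group Policy
# installation, Event Viewer / Performance Monitor / Diagnostics from the
# console), inbound WMI (client push), and Remote Assistance / Remote Desktop
# (Remote Assistance started from the console).
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
Enable-NetFirewallRule -DisplayGroup 'Remote Assistance'
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Summarise what is now in place for review
Get-NetFirewallRule -DisplayName 'ConfigMgr*' | Select-Object DisplayName, Direction, Enabled
```

Keep the inbound rules (2701, ICMP) scoped to the Domain profile as shown; a client that roams to a public network should not expose the remote control port there.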

Ports Used During Configuration Manager Client Deployment


The following tables list the ports that are used during the client installation process.

IMPORTANT
If there is a firewall between the site system servers and the client computer, confirm whether the firewall permits traffic
for the ports that are required for the client installation method that you choose. For example, firewalls often prevent
client push installation from succeeding because they block Server Message Block (SMB) and Remote Procedure Calls
(RPC). In this scenario, use a different client installation method, such as manual installation (running CCMSetup.exe) or
Group Policy-based client installation. These alternative client installation methods do not require SMB or RPC.

For information about how to configure Windows Firewall on the client computer, see Modifying the Ports and
Programs Permitted by Windows Firewall.
Ports that are used for all installation methods

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) from the client computer to a fallback status point, when a fallback status point is assigned to the client. | -- | 80 (See note 1, Alternate Port Available)

Ports that are used with client push installation

Description | UDP | TCP
Server Message Block (SMB) between the site server and client computer. | -- | 445
RPC endpoint mapper between the site server and the client computer. | 135 | 135
RPC dynamic ports between the site server and the client computer. | -- | DYNAMIC
Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS. | -- | 443 (See note 1, Alternate Port Available)

Ports that are used with software update point-based installation

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) from the client computer to the software update point. | -- | 80 or 8530 (See note 2, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software update point. | -- | 443 or 8531 (See note 2, Windows Server Update Services)
Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>. | -- | 445

Ports that are used with Group Policy-based installation

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS. | -- | 443 (See note 1, Alternate Port Available)
Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>. | -- | 445

Ports that are used with manual installation and logon script-based installation

Description | UDP | TCP
Server Message Block (SMB) between the client computer and a network share from which you run CCMSetup.exe. When you install Configuration Manager, the client installation source files are copied and automatically shared from the <InstallationPath>\Client folder on management points. However, you can copy these files and create a new share on any computer on the network. Alternatively, you can eliminate this network traffic by running CCMSetup.exe locally, for example, by using removable media. | -- | 445
Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP, and you do not specify the CCMSetup command-line property /source:<Path>. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS, and you do not specify the CCMSetup command-line property /source:<Path>. | -- | 443 (See note 1, Alternate Port Available)
Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>. | -- | 445

Ports that are used with software distribution-based installation

Description | UDP | TCP
Server Message Block (SMB) between the distribution point and the client computer. | -- | 445
Hypertext Transfer Protocol (HTTP) from the client to a distribution point when the connection is over HTTP. | -- | 80 (See note 1, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) from the client to a distribution point when the connection is over HTTPS. | -- | 443 (See note 1, Alternate Port Available)

Notes
Note 1, Alternate Port Available: In Configuration Manager, you can define an alternate port for this value. If a
custom port has been defined, substitute that custom port when you define the IP filter information for IPsec
policies or for configuring firewalls.
Note 2, Windows Server Update Services: You can install Windows Server Update Services (WSUS) either on the
default Web site (port 80) or a custom Web site (port 8530).
After installation, you can change the port. You do not have to use the same port number throughout the site
hierarchy.
If the HTTP port is 80, the HTTPS port must be 443.
If the HTTP port is anything else, the HTTPS port must be 1 higher. For example, 8530 and 8531.
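A pre-installation check built from the port tables and notes above. It is an added example, not a script from the Configuration Manager documentation; the server names are placeholders, the WSUS HTTPS port is derived from the HTTP port by the rule in note 2, and RPC dynamic ports cannot be probed with a fixed connection test, so for client push only SMB and the RPC endpoint mapper are checked.

```powershell
# Added example, not from the Configuration Manager documentation.
# Probes the TCP ports a chosen client installation method needs, from the
# computer where the traffic originates (the client for most methods, the site
# server for client push). Placeholders: all host names below.

function Get-WsusHttpsPort {
    # Note 2: HTTP 80 pairs with HTTPS 443; any other HTTP port pairs with HTTP port + 1
    param([Parameter(Mandatory)] [int] $HttpPort)
    if ($HttpPort -eq 80) { return 443 }
    return $HttpPort + 1
}

function Test-ConfigMgrClientPorts {
    param(
        [Parameter(Mandatory)] [string] $ManagementPoint,
        [string] $SoftwareUpdatePoint,
        [string] $SourceServer,         # server named in /source:<Path>, or the share holding CCMSetup.exe
        [string] $FallbackStatusPoint,
        [string] $ClientPushTarget,     # run from the site server: the computer client push will contact
        [switch] $Https,                # site systems accept HTTPS client connections
        [int]    $WsusHttpPort = 8530   # 80 if WSUS is on the default web site
    )

    $mpPort = if ($Https) { 443 } else { 80 }
    $checks = @(
        @{ Host = $ManagementPoint; Port = $mpPort; Why = 'management point (no /source given)' }
    )
    if ($FallbackStatusPoint) {
        # The fallback status point is always contacted over HTTP
        $checks += @{ Host = $FallbackStatusPoint; Port = 80; Why = 'fallback status point (HTTP only)' }
    }
    if ($SoftwareUpdatePoint) {
        $supPort = if ($Https) { Get-WsusHttpsPort $WsusHttpPort } else { $WsusHttpPort }
        $checks += @{ Host = $SoftwareUpdatePoint; Port = $supPort; Why = 'software update point' }
    }
    if ($SourceServer) {
        $checks += @{ Host = $SourceServer; Port = 445; Why = 'SMB to installation source' }
    }
    if ($ClientPushTarget) {
        # SMB and the RPC endpoint mapper; the dynamic RPC range is negotiated and cannot be probed this way
        $checks += @{ Host = $ClientPushTarget; Port = 445; Why = 'SMB to client (client push)' }
        $checks += @{ Host = $ClientPushTarget; Port = 135; Why = 'RPC endpoint mapper to client (client push)' }
    }

    foreach ($c in $checks) {
        # -InformationLevel Quiet returns a plain boolean instead of a detailed object
        $ok = Test-NetConnection -ComputerName $c.Host -Port $c.Port -InformationLevel Quiet `
                -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "$($c.Host):$($c.Port)"; Purpose = $c.Why; Reachable = [bool]$ok }
    }
}

# Placeholder host names; replace with your own site systems
Test-ConfigMgrClientPorts -ManagementPoint 'mp01.contoso.example' -SoftwareUpdatePoint 'sup01.contoso.example' `
    -SourceServer 'files01.contoso.example' -Https | Format-Table -AutoSize
```

A row that reports Reachable = False points at the firewall or device between the two computers, which is the case the IMPORTANT note above describes for client push.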
Determine the site system roles for Configuration
Manager clients
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


This article can help you determine the site system roles that you need to deploy Configuration Manager clients.
For more information about where to install these roles in the hierarchy, see Design a hierarchy of sites.
For more information about how to install and configure these roles, see Install site system roles.

Management point
By default, all Windows client computers use a distribution point to install the Configuration Manager client.
They can fall back to a management point when a distribution point is unavailable. However, you can install
Windows clients on computers from an alternative source when you use the CCMSetup command-line property
/source:<Path>. For example, you might do this if you install clients on the internet. Another scenario is
when you want to avoid sending network packets between the computer and the management point during
client installation, for example because a firewall blocks the required ports or because you have a low-
bandwidth connection. However, all clients must communicate with a management point to assign to a site and
to be managed by Configuration Manager.
For more information about client command-line properties, see About client installation properties.
When you install more than one management point in the hierarchy, clients automatically connect to one point
based on their forest membership and network location. You can't install more than one management point in a
secondary site.
Mac computer clients and mobile device clients that you enroll with Configuration Manager always require a
management point for client installation. This management point must be in a primary site, must be configured
to support mobile devices, and must accept client connections from the Internet. These clients can't use
management points in secondary sites or connect to management points in other primary sites.

Distribution point
You don't need a distribution point to install Configuration Manager clients on Windows computers. By default,
Configuration Manager uses a distribution point to install the client source files on Windows computers. It can
fall back to downloading these files from a management point. Distribution points aren't used to install mobile
device clients that are enrolled by Configuration Manager, but are used if you install the mobile device legacy
client. If you install the Configuration Manager client as part of an OS deployment, the OS image is stored and
retrieved from a distribution point.
Although you might not need distribution points to install most Configuration Manager clients, you'll need them
to install software such as applications and software updates on the clients.

Fallback status point


You can use a fallback status point to monitor client deployment for Windows computers. You can also identify
the Windows computer clients that are unmanaged because they can't communicate with a management point.
The following client types don't use a fallback status point:
Mac computers
Mobile devices that are enrolled by Configuration Manager
Mobile devices that are managed by using the Exchange Server connector
A fallback status point isn't required to monitor client activity and client health.
The fallback status point always communicates with clients over HTTP, which uses unauthenticated connections
and sends data in clear text. This behavior makes the fallback status point vulnerable to attack, particularly when
it's used with internet-based client management. To help reduce the attack surface, always dedicate a server to
running the fallback status point. Don't install other site system roles on the same server in a production
environment.
Install a fallback status point if all the following conditions apply:
You want client communication errors from Windows computers to be sent to the site, even if these client
computers can't communicate with a management point.
You want to use the Configuration Manager client deployment reports, which display the data that's sent
by the fallback status point.
You have a dedicated server for this site system role and have additional security measures to help
protect the server from attack.
The benefits of using a fallback status point outweigh any security risks associated with unauthenticated
connections and clear text transfers over HTTP traffic.
Don't install a fallback status point if the security risks of running a website with unauthenticated connections
and clear text transfers outweigh the benefits of identifying client communication problems.

Reporting services point


Configuration Manager provides many reports to help you monitor the installation, assignment, and
management of clients in the Configuration Manager console. Some of the client deployment reports require
that clients are assigned to a fallback status point.
The reports aren't needed to deploy clients. You can see some deployment information in the Configuration
Manager console or use the client log files for detailed information. However, the client reports provide valuable
information to help monitor and troubleshoot client deployment.

Enrollment point and enrollment proxy point


IMPORTANT
With the deprecation of on-premises MDM and the Configuration Manager client for macOS, these site system roles are
also deprecated. For more information, see Removed and deprecated features for Configuration Manager.

Configuration Manager requires the enrollment point and the enrollment proxy point to enroll mobile devices
and to enroll certificates for Mac computers. You don't need these site system roles in the following situations:
You plan to manage mobile devices by using the Exchange Server connector
You install the mobile device legacy client
You request and install the client certificate on Mac computers independently from Configuration Manager

Cloud management gateway connector point


You need a cloud management gateway connector point if you're setting up a cloud management gateway to
manage clients on the internet.
Security and privacy for Configuration Manager
clients
2/16/2022 • 20 minutes to read

Applies to: Configuration Manager (current branch)


This article describes security and privacy information for Configuration Manager clients. It also includes
information for mobile devices that are managed by the Exchange Server connector.

Security guidance for clients


The Configuration Manager site accepts data from devices that run the Configuration Manager client. This
behavior introduces the risk that the clients could attack the site. For example, they could send malformed
inventory, or attempt to overload the site systems. Deploy the Configuration Manager client only to devices that
you trust.
Use the following security guidance to help protect the site from rogue or compromised devices.
Use public key infrastructure (PKI) certificates for client communications with site systems that run IIS
As a site property, configure Site system settings for HTTPS only. For more information, see
Configure security.
Install clients with the UsePKICert CCMSetup property.
Use a certificate revocation list (CRL). Make sure that clients and communicating servers can always
access it.
Mobile device clients and some internet-based clients require these certificates. Microsoft recommends these
certificates for all client connections on the intranet.
For more information on the use of certificates in Configuration Manager, see Plan for certificates.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Automatically approve client computers from trusted domains and manually check and approve other
computers
When you can't use PKI authentication, approval identifies a computer that you trust to be managed by
Configuration Manager. The hierarchy has the following options to configure client approval:
Manual
Automatic for computers in trusted domains
Automatic for all computers
The most secure approval method is to automatically approve clients that are members of trusted domains. This
option includes cloud-domain joined clients from connected Azure Active Directory (Azure AD) tenants. Then
manually check and approve all other computers. Automatically approving all clients isn't recommended, unless
you have other access controls to prevent untrustworthy computers from accessing your network.
For more information about how to manually approve computers, see Manage clients from the devices node.
Don't rely on blocking to prevent clients from accessing the Configuration Manager hierarchy
Blocked clients are rejected by the Configuration Manager infrastructure. If clients are blocked, they can't
communicate with site systems to download policy, upload inventory data, or send state or status messages.
Blocking is designed for the following scenarios:
To block lost or compromised boot media when you deploy an OS to clients
When all site systems accept HTTPS client connections
When site systems accept HTTP client connections, don't rely on blocking to protect the Configuration Manager
hierarchy from untrusted computers. In this scenario, a blocked client could rejoin the site with a new self-signed
certificate and hardware ID.
Certificate revocation is the primary line of defense against potentially compromised certificates. A certificate
revocation list (CRL) is only available from a supported public key infrastructure (PKI). Blocking clients in
Configuration Manager offers a second line of defense to protect your hierarchy.
For more information, see Determine whether to block clients.
Use the most secure client installation methods that are practical for your environment
For domain computers, group policy client installation and software update-based client installation
methods are more secure than client push installation.
If you apply access controls and change controls, use imaging and manual installation methods.
Use Kerberos mutual authentication with client push installation.
Of all the client installation methods, client push installation is the least secure because of the many
dependencies it has. These dependencies include local administrative permissions, the Admin$ share, and
firewall exceptions. The number and type of these dependencies increase your attack surface.
When using client push, the site can require Kerberos mutual authentication by not allowing fallback to NTLM
before establishing the connection. This enhancement helps to secure the communication between the server
and the client. For more information, see How to install clients with client push.
For more information about the different client installation methods, see Client installation methods.
Wherever possible, select a client installation method that requires the least security permissions in
Configuration Manager. Restrict the administrative users that are assigned security roles with permissions that
can be used for purposes other than client deployment. For example, configuring automatic client upgrade
requires the Full Administrator security role, which grants an administrative user all security permissions.
For more information about the dependencies and security permissions required for each client installation
method, see Prerequisites for computer clients.
If you must use client push installation, secure the client push installation account
The client push installation account must be a member of the local Administrators group on each computer
that installs the Configuration Manager client. Never add the client push installation account to the Domain
Admins group. Instead, create a global group, and then add that global group to the local Administrators
group on your clients. Create a group policy object to add a Restricted Group setting to add the client push
installation account to the local Administrators group.
For greater security, create multiple client push installation accounts, each with administrative access to a limited
number of computers. If one account is compromised, only the client computers to which that account has
access are compromised.
Remove certificates before imaging clients
When you deploy clients by using OS images, always remove certificates before capturing the image. These
certificates include PKI certificates for client authentication, and self-signed certificates. If you don't remove
these certificates, clients might impersonate each other. You can't verify the data for each client.
For more information, see Create a task sequence to capture an OS.
Make sure that Configuration Manager client gets an authorized copy of certificates
The Configuration Manager trusted root key certificate
When both of the following statements are true, clients rely on the Configuration Manager trusted root key to
authenticate valid management points:
You haven't extended the Active Directory schema for Configuration Manager
Clients don't use PKI certificates when they communicate with management points
In this scenario, clients have no way to verify that the management point is trusted for the hierarchy unless they
use the trusted root key. Without the trusted root key, a skilled attacker could direct clients to a rogue
management point.
When clients don't use PKI certificates and can't download the trusted root key from the Active Directory global
catalog, pre-provision the clients with the trusted root key. This action makes sure that they can't be directed to a
rogue management point. For more information, see Planning for the trusted root key.
The site server signing certificate
Clients use the site server signing certificate to verify that the site server signed the policy downloaded from a
management point. This certificate is self-signed by the site server and published to Active Directory Domain
Services.
When clients can't download this certificate from the Active Directory global catalog, by default they download it
from the management point. If the management point is exposed to an untrusted network like the internet,
manually install the site server signing certificate on clients. This action makes sure that they can't download
tampered client policies from a compromised management point.
To manually install the site server signing certificate, use the CCMSetup client.msi property SMSSIGNCERT.
If the client downloads the trusted root key from the first management point it contacts, don't use automatic
site assignment
To avoid the risk of a new client downloading the trusted root key from a rogue management point, only use
automatic site assignment in the following scenarios:
The client can access Configuration Manager site information that's published to Active Directory Domain
Services.
You pre-provision the client with the trusted root key.
You use PKI certificates from an enterprise certification authority to establish trust between the client and
the management point.
For more information about the trusted root key, see Planning for the trusted root key.
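The certificate and trusted-root-key guidance above, assembled into one CCMSetup.exe command line. This is an added example, not a command from the Configuration Manager documentation; the site code, management point name and file paths are placeholders, and SMSPUBLICROOTKEY (the client.msi property that carries a pre-provisioned trusted root key) is a real CCMSetup option that this page does not itself list.

```powershell
# Added example, not from the Configuration Manager documentation.
# Builds a manual-installation command line that follows the guidance above:
# PKI client certificate with CRL checking left on, a local installation source,
# explicit site assignment instead of automatic assignment, and a pre-provisioned
# site server signing certificate and trusted root key. All values are placeholders.

function New-HardenedCcmSetupCommand {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,          # placeholder, e.g. 'PS1'
        [Parameter(Mandatory)] [string] $ManagementPoint,   # FQDN of an HTTPS management point
        [Parameter(Mandatory)] [string] $SourcePath,        # local or removable-media copy of the Client folder
        [Parameter(Mandatory)] [string] $SigningCertPath,   # exported site server signing certificate (.cer)
        [string] $TrustedRootKey                            # trusted root key exported from the site (placeholder)
    )

    # Automatic site assignment is what the guidance says to avoid when the client
    # could otherwise learn the trusted root key from the first MP it contacts.
    if ($SiteCode -ieq 'AUTO') {
        throw 'Use an explicit site code; automatic site assignment is not used here.'
    }
    foreach ($p in $SourcePath, $SigningCertPath) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Path not found (placeholder?): $p" }
    }

    $options = @(
        '/UsePKICert'                         # require the PKI client authentication certificate
        "/source:`"$SourcePath`""             # local source: no DP/MP download during installation
        "SMSSITECODE=$SiteCode"               # explicit assignment
        "SMSMP=$ManagementPoint"              # initial management point for the client
        "SMSSIGNCERT=`"$SigningCertPath`""    # site server signing certificate, installed out of band
    )
    if ($TrustedRootKey) {
        $options += "SMSPUBLICROOTKEY=$TrustedRootKey"   # pre-provisioned trusted root key
    }
    # Deliberately absent: /NoCRLCheck. The guidance requires the CRL to stay in use.

    $exe = Join-Path -Path $SourcePath -ChildPath 'ccmsetup.exe'
    return "`"$exe`" " + ($options -join ' ')
}

# Placeholder values; replace with your site's own before use
New-HardenedCcmSetupCommand -SiteCode 'PS1' -ManagementPoint 'mp01.contoso.example' `
    -SourcePath 'D:\Client' -SigningCertPath 'D:\Client\SiteServerSigning.cer' `
    -TrustedRootKey '<trusted-root-key-placeholder>'
```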
Make sure that maintenance windows are large enough to deploy critical software updates
Maintenance windows for device collections restrict the times that Configuration Manager can install software
on these devices. If you configure the maintenance window to be too small, the client may not install critical
software updates. This behavior leaves the client vulnerable to any attack that the software update mitigates.
Take security precautions to reduce the attack surface on Windows Embedded devices with write filters
When you enable write filters on Windows Embedded devices, any software installations or changes are only
made to the overlay. These changes don't persist after the device restarts. If you use Configuration Manager to
disable the write filters, during this period the embedded device is vulnerable to changes to all volumes. These
volumes include shared folders.
Configuration Manager locks the computer during this period so that only local administrators can sign in.
Whenever possible, take other security precautions to help protect the computer. For example, enable
restrictions on the firewall.
If you use maintenance windows to persist changes, plan these windows carefully. Minimize the time that write
filters are disabled, but make them long enough to allow software installations and restarts to complete.
Use the latest client version with software update-based client installation
If you use software update-based client installation, and install a later version of the client on the site, update the
published software update. Then clients receive the latest version from the software update point.
When you update the site, the software update for client deployment that's published to the software update
point isn't automatically updated. Republish the Configuration Manager client to the software update point and
update the version number.
For more information, see How to install Configuration Manager clients by using software update-based
installation.
Only suspend BitLocker PIN entry on trusted and restricted-access devices
Only configure the client setting to Suspend BitLocker PIN entry on restart to Always for computers that
you trust and that have restricted physical access.
When you set this client setting to Always, Configuration Manager can complete the installation of software.
This behavior helps install critical software updates and resume services. If an attacker intercepts the restart
process, they could take control of the computer. Use this setting only when you trust the computer, and when
physical access to the computer is restricted. For example, this setting might be appropriate for servers in a data
center.
For more information on this client setting, see About client settings.
Don't bypass PowerShell execution policy
If you configure the Configuration Manager client setting for PowerShell execution policy to Bypass, then
Windows allows unsigned PowerShell scripts to run. This behavior could allow malware to run on client
computers. When your organization requires this option, use a custom client setting. Assign it to only the client
computers that must run unsigned PowerShell scripts.
For more information on this client setting, see About client settings.
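The alternative to Bypass is to sign the scripts you deploy so that clients can stay at AllSigned. The following script is an added example, not code from the Configuration Manager documentation or product: it signs one script with a code-signing certificate from the current user's personal store and then verifies the signature the same way the execution policy does. The script path, the certificate subject and the timestamp server URL are assumptions to replace with your own.

```powershell
# Added example (not from the Configuration Manager docs): sign a deployment script
# and verify its signature, so that clients can keep the AllSigned execution policy
# instead of Bypass. Paths, subject and timestamp URL are assumptions.

param(
    [string]$ScriptPath    = 'C:\Deploy\Remediate-Service.ps1',   # assumed script to sign
    [string]$SignerSubject = 'CN=Contoso Code Signing'            # assumed certificate subject
)

# A code-signing certificate issued by your enterprise CA must already be present
# in the current user's personal store; pick the one that expires last.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $SignerSubject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No valid code-signing certificate with subject '$SignerSubject' was found."
}

# Sign with SHA-256 and a trusted timestamp, so the signature stays valid after the
# certificate itself expires. The timestamp server URL is a placeholder.
$result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.example.com'
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# Verify the file as the execution policy will: a script whose content changed after
# signing reports HashMismatch, an unsigned one reports NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Script     = $ScriptPath
    Status     = $sig.Status                         # expected: Valid
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
}
```

Run this as part of the release step for every script you deploy through Configuration Manager; the client setting can then stay at AllSigned, and only the scripts that pass this check will run.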

Security guidance for mobile devices


Install the enrollment proxy point in a perimeter network and the enrollment point in the intranet
For internet-based mobile devices that you enroll with Configuration Manager, install the enrollment proxy point
in a perimeter network and the enrollment point in the intranet. This role separation helps to protect the
enrollment point from attack. If an attacker compromises the enrollment point, they could obtain certificates for
authentication. They can also steal the credentials of users who enroll their mobile devices.
Configure the password settings to help protect mobile devices from unauthorized access
For mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to
configure the password complexity as the PIN. Specify at least the default minimum password length.
For mobile devices that don't have the Configuration Manager client installed but are managed by the Exchange
Server connector: Configure the Password Settings for the Exchange Server connector such that the password
complexity is the PIN. Specify at least the default minimum password length.
Only allow applications to run that are signed by companies that you trust
Help prevent tampering of inventory information and status information by allowing applications to run only
when they're signed by companies that you trust. Don't allow devices to install unsigned files.
For mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to
configure the security setting Unsigned applications as Prohibited. Configure Unsigned file installations
to be a trusted source.
For mobile devices that don't have the Configuration Manager client installed but are managed by the Exchange
Server connector: Configure the Application Settings for the Exchange Server connector such that Unsigned
file installation and Unsigned applications are Prohibited.
Lock mobile devices when not in use
Help prevent elevation of privilege attacks by locking the mobile device when it isn't in use.
For mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to
configure the password setting Idle time in minutes before mobile device is locked.
For mobile devices that don't have the Configuration Manager client installed but are managed by the Exchange
Server connector: Configure the Password Settings for the Exchange Server connector to set the Idle time in
minutes before mobile device is locked.
Restrict the users who can enroll their mobile devices
Help prevent elevation of privileges by restricting the users who can enroll their mobile devices. Use a custom
client setting rather than default client settings to allow only authorized users to enroll their mobile devices.
User device affinity guidance for mobile devices
Don't deploy applications to users who have mobile devices enrolled by Configuration Manager in the following
scenarios:
The mobile device is used by more than one person.
The device is enrolled by an administrator on behalf of a user.
The device is transferred to another person without retiring and then re-enrolling the device.
Device enrollment creates a user device affinity relationship. This relationship maps the user who does
enrollment to the mobile device. If another user uses the mobile device, they can run the applications deployed
to the original user, which might result in an elevation of privileges. Similarly, if an administrator enrolls the
mobile device for a user, applications deployed to the user aren't installed on the mobile device. Instead,
applications deployed to the administrator might be installed.
Protect the connection between the Configuration Manager site server and the Exchange Server
If the Exchange Server is on-premises, use IPsec. Hosted Exchange automatically secures the connection with
HTTPS.
Use the principle of least privileges for the Exchange connector
For a list of the minimum cmdlets that the Exchange Server connector requires, see Manage mobile devices with
Configuration Manager and Exchange.

Security guidance for macOS devices


Store and access the client source files from a secured location
Before installing or enrolling the client on a macOS computer, Configuration Manager doesn't verify whether
these client source files have been tampered with. Download these files from a trustworthy source. Securely
store and access them.
Monitor and track the validity period of the certificate
Monitor and track the validity period of the certificates that you use for macOS computers. Configuration
Manager doesn't support automatic renewal of this certificate, or warn you that the certificate is about to expire.
A typical validity period is one year.
For more information about how to renew the certificate, see Renewing the macOS client certificate manually.
Configure the trusted root certificate for SSL only
To help protect against elevation of privileges, configure the certificate for the trusted root certificate authority
so that it's only trusted for the SSL protocol.
When you enroll Mac computers, a user certificate to manage the Configuration Manager client is automatically
installed. This user certificate includes the trusted root certificates in its trust chain. To restrict the trust of this
root certificate to the SSL protocol only, use the following procedure:
1. On the Mac computer, open a terminal window.
2. Enter the following command:
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
3. In the Keychain Access dialog box, in the Keychains section, select System. Then in the Category
section, select Certificates.
4. Locate and open the root CA certificate for the Mac client certificate.
5. In the dialog box for the root CA certificate, expand the Trust section, and then make the following
changes:
a. When using this certificate: Change the Always Trust setting to Use System Defaults.
b. Secure Sockets Layer (SSL): Change no value specified to Always Trust.
6. Close the dialog box. When prompted, enter the administrator's password, and then select Update
Settings.
After you complete this procedure, the root certificate is only trusted to validate the SSL protocol. Other
protocols that are now untrusted with this root certificate include Secure Mail (S/MIME), Extensible
Authentication (EAP), or code signing.

NOTE
Also use this procedure if you installed the client certificate independently from Configuration Manager.

Security issues for clients


The following security issues have no mitigation:
Status messages aren't authenticated
The management point doesn't authenticate status messages. When a management point accepts HTTP client
connections, any device can send status messages to the management point. If the management point accepts
HTTPS client connections only, a device must have a valid client authentication certificate, but could also send
any status message. The management point discards any invalid status message received from a client.
There are a few potential attacks against this vulnerability:
An attacker could send a bogus status message to gain membership in a collection that's based on status
message queries.
Any client could launch a denial of service against the management point by flooding it with status
messages.
If status messages are triggering actions in status message filter rules, an attacker could trigger the status
message filter rule.
An attacker could send a status message that would render reporting information inaccurate.
Policies can be retargeted to non-targeted clients
There are several methods that attackers could use to make a policy targeted to one client apply to an entirely
different client. For example, an attacker at a trusted client could send false inventory or discovery information
to have the computer added to a collection to which it shouldn't belong. That client then receives all the
deployments to that collection.
Controls exist to help prevent attackers from directly modifying policy. However, attackers could take an existing
policy that reformats and redeploys an OS and send it to a different computer. This redirected policy could
create a denial of service. These types of attacks would require precise timing and extensive knowledge of the
Configuration Manager infrastructure.
Client logs allow user access
All the client log files allow the Users group with Read access, and the special Interactive user with access to
write data. If you enable verbose logging, attackers might read the log files to look for information about
compliance or system vulnerabilities. Processes such as software that the client installs in a user's context must
write to logs with a low-rights user account. This behavior means an attacker could also write to the logs with a
low-rights account.
The most serious risk is that an attacker could remove information in the log files. An administrator might need
this information for auditing and intrusion detection.
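Because the risk described here is that a low-rights account can alter or remove log content, the useful check is to see which principals actually hold write or delete rights on the log folder. The following script is an added example, not code from the Configuration Manager documentation: it reads the ACL of the default client log folder and flags entries that grant write rights to low-privilege principals. It only reports; it changes nothing. The list of principals treated as low-rights is an assumption.

```powershell
# Added example (not from the Configuration Manager docs): report who can write to,
# append to, or delete the client log files. Read-only audit; nothing is changed.

$logDir = Join-Path $env:windir 'CCM\Logs'   # default client log location

# Rights that let a principal alter or remove log content.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)

# Principals considered low-rights for this report (assumption; adjust to your environment).
$lowRights = @('BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-LogWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Generic rights appear as large negative integers; the cast keeps the bitwise test valid.
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Note      = if ($lowRights -contains $ace.IdentityReference.Value) { 'LOW-RIGHTS-WRITE' } else { '' }
        }
    }
}

$findings = Get-LogWriteAccess -Path $logDir
$findings | Format-Table -AutoSize

# Anything flagged LOW-RIGHTS-WRITE can truncate or delete the logs, so treat the
# on-box copies as untrusted evidence: forward them off the device and rely on the
# site's server-side records for auditing.
$flagged = @($findings | Where-Object { $_.Note -eq 'LOW-RIGHTS-WRITE' })
"Low-rights principals with write access to ${logDir}: $($flagged.Count)"
```

Run it on a representative client after deployment and after any change to the client's folder permissions, and keep the output alongside your other baseline evidence.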
A computer could be used to obtain a certificate that's designed for mobile device enrollment
When Configuration Manager processes an enrollment request, it can't verify the request originated from a
mobile device rather than from a computer. If the request is from a computer, it can install a PKI certificate that
then allows it to register with Configuration Manager.
To help prevent an elevation of privilege attack in this scenario, only allow trusted users to enroll their mobile
devices. Carefully monitor device enrollment activities in the site.
A blocked client can still send messages to the management point
When you block a client that you no longer trust, but it established a network connection for client notification,
Configuration Manager doesn't disconnect the session. The blocked client can continue to send packets to its
management point until the client disconnects from the network. These packets are only small, keep-alive
packets. This client can't be managed by Configuration Manager until it's unblocked.
Automatic client upgrade doesn't verify the management point
When you use automatic client upgrade, the client can be directed to a management point to download the
client source files. In this scenario, the client doesn't verify the management point as a trusted source.
When users first enroll macOS computers, they're at risk from DNS spoofing
When the macOS computer connects to the enrollment proxy point during enrollment, it's unlikely that the
macOS computer already has the trusted root CA certificate. At this point, the macOS computer doesn't trust the
server, and prompts the user to continue. If a rogue DNS server resolves the fully qualified domain name
(FQDN) of the enrollment proxy point, it could direct the macOS computer to a rogue enrollment proxy point to
install certificates from an untrusted source. To help reduce this risk, follow DNS guidance to avoid spoofing in
your environment.
macOS enrollment doesn't limit certificate requests
Users can re-enroll their macOS computers, each time requesting a new client certificate. Configuration
Manager doesn't check for multiple requests or limit the number of certificates requested from a single
computer. A rogue user could run a script that repeats the command-line enrollment request. This attack could
cause a denial of service on the network or on the issuing certificate authority (CA). To help reduce this risk,
carefully monitor the issuing CA for this type of suspicious behavior. Immediately block from the Configuration
Manager hierarchy any computer that shows this pattern of behavior.
A wipe acknowledgment doesn't verify that the device has been successfully wiped
When you start a wipe action for a mobile device, and Configuration Manager acknowledges the wipe, the
verification is that Configuration Manager successfully sent the message. It doesn't verify that the device acted
on the request.
For mobile devices managed by the Exchange Server connector, a wipe acknowledgment verifies that the
command was received by Exchange, not by the device.
If you use the options to commit changes on Windows Embedded devices, accounts might be locked out sooner than expected
If the Windows Embedded device is running an OS version earlier than Windows 7, and a user attempts to sign
in while the write filters are disabled by Configuration Manager, Windows allows only half of the configured
number of incorrect attempts before the account is locked out.
For example, you configure the domain policy for Account lockout threshold to six attempts. A user mistypes
their password three times, and the account is locked out. This behavior effectively creates a denial of service. If
users must sign in to embedded devices in this scenario, caution them about the potential for a reduced lockout
threshold.

Privacy information for clients


When you deploy the Configuration Manager client, you enable client settings for Configuration Manager
features. The settings that you use to configure the features can apply to all clients in the Configuration Manager
hierarchy. This behavior is the same whether they're directly connected to the internal network, connected
through a remote session, or connected to the internet.
Client information is stored in the Configuration Manager site database in your SQL Server, and isn't sent to
Microsoft. Information is kept in the database until it's deleted by the site maintenance task Delete Aged
Discovery Data every 90 days. You can configure the deletion interval.
Some summarized or aggregate diagnostics and usage data is sent to Microsoft. For more information, see
Diagnostics and usage data.
You can learn more about Microsoft's data collection and use in the Microsoft Privacy Statement.
Client status
Configuration Manager monitors the activity of clients. It periodically evaluates the Configuration Manager
client and can remediate issues with the client and its dependencies. Client status is enabled by default. It uses
server-side metrics for the client activity checks. Client status uses client-side actions for self-checks,
remediation, and for sending client status information to the site. The client runs the self-checks according to a
schedule that you configure. The client sends the results of the checks to the Configuration Manager site. This
information is encrypted during transfer.
Client status information is stored in the Configuration Manager database in your SQL Server, and isn't sent to
Microsoft. The information isn't stored in encrypted format in the site database. This information is kept in the
database until it's deleted according to the value configured for the Retain client status history for the
following number of days client status setting. The default value for this setting is every 31 days.

Privacy information for the Exchange Server Connector


The Exchange Server Connector finds and manages devices that connect to an on-premises or hosted Exchange
Server by using the ActiveSync protocol. The records found by the Exchange Server Connector are stored in the
Configuration Manager database in your SQL Server. The information is collected from the Exchange Server. It
doesn't contain any additional information from what the mobile devices send to Exchange Server.
The mobile device information isn't sent to Microsoft. The mobile device information is stored in the
Configuration Manager database in your SQL Server. Information is kept in the database until it's deleted by the
site maintenance task Delete Aged Discovery Data every 90 days. You configure the deletion interval.
You can learn more about Microsoft's data collection and use in the Microsoft Privacy Statement.
Recommendations for client deployment in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)

Planning
Use a phased rollout to manage CPU usage
To minimize the effect of the CPU processing requirements on the site server, use a phased rollout of clients.
Deploy clients outside of business hours. This practice allows other services to have more available bandwidth
during the day. It also doesn't disrupt user productivity if their computer slows down or requires a restart.
Prepare required PKI certificates in advance
PKI certificates enable the following scenarios:
HTTPS-enabled client communication
Manage devices on the internet
Enroll mobile devices for on-premises MDM
Enroll macOS devices
You need certificates on certain site systems and the client devices. The most common site systems are
management points and distribution points. On production networks, you might require change management
approval to use new certificates or restart site system servers. Users may also need to sign out of Windows to
get new group membership. Make sure to allow sufficient time for replication of security permissions and new
certificate templates.
For more information, see PKI certificate requirements.

Before you begin


Extend the Active Directory schema and publish the site so that you can run CCMSetup without command-line options
When you extend the Active Directory schema for Configuration Manager, and publish the site to Active
Directory Domain Services, the site publishes many client installation properties to Active Directory. If a
computer can locate these client installation properties, it can use them during Configuration Manager client
deployment. Because the site automatically generates this information, it eliminates the risk of human error
associated with manually entering installation properties.
For more information, see About client installation properties published to Active Directory Domain Services.
Install client language packs
Before you deploy the client, install any necessary client language packs to enable other languages. If you install
client language packs on a site after you install clients, you need to reinstall the clients before they can use the
new languages.
For more information, see Language packs.
Configure any required client settings and maintenance windows
Although you can configure client settings and maintenance windows before or after you install clients, it's
better to configure required settings before you install clients. Then the client can use them as soon as it installs.
For more information about settings download during the client assignment process, see How to assign clients
to a site.
Configure maintenance windows for servers and for Windows Embedded devices to support business
continuity on critical devices. Maintenance windows make sure that required software updates and antimalware
software don't restart the computer during business hours.
For more information, see Configure client settings and How to use maintenance windows.

Installation
If you install the client with client.msi properties, use SMSMP and FSP
The SMSMP property specifies the initial management point for the client. It removes the dependency on
service location solutions such as Active Directory Domain Services and DNS.
Use the FSP property and install a fallback status point. It allows you to better monitor client installation and
assignment, and identify any communication problems.
For more information about these options, see About client installation properties.
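The SMSMP and FSP properties described here, and the SMSSIGNCERT property recommended earlier under "If the client downloads the trusted root key from the first management point it contacts, don't use automatic site assignment", all go on the same CCMSetup command line. The following wrapper is an added example, not a script from the Configuration Manager documentation or product: it checks that the exported site server signing certificate is present and readable, shows its thumbprint so an operator can compare it with the site server, and then runs ccmsetup.exe with an explicit site code, management point, fallback status point and signing certificate. The host names, site code and file paths are assumptions.

```powershell
# Added example (not from the Configuration Manager docs): client installation wrapper
# that pins the management point (SMSMP), reports to a fallback status point (FSP),
# assigns the site explicitly (SMSSITECODE) and pre-provisions the site server signing
# certificate (SMSSIGNCERT). All names and paths below are assumptions.

$siteCode   = 'XYZ'                                   # assumed site code
$mp         = 'mp01.corp.example.com'                 # assumed management point FQDN
$fsp        = 'fsp01.corp.example.com'                # assumed fallback status point FQDN
$setupShare = '\\mp01.corp.example.com\SMS_XYZ\Client' # assumed client source share
$signCert   = 'C:\Deploy\SiteServerSigning.cer'       # .cer exported from the site server

# Refuse to install if the signing certificate is missing or is not a parseable certificate.
if (-not (Test-Path -Path $signCert)) { throw "Signing certificate not found: $signCert" }
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signCert)
"Site server signing certificate: {0} ({1}), valid until {2}" -f $x509.Subject, $x509.Thumbprint, $x509.NotAfter
if ($x509.NotAfter -lt (Get-Date)) { throw "Exported signing certificate has expired; re-export it from the site server." }

$setupArgs = @(
    "/mp:$mp",                  # download the client package from this management point
    "SMSSITECODE=$siteCode",    # explicit assignment; automatic site assignment is not used
    "SMSMP=$mp",                # initial management point, no AD DS or DNS service location needed
    "FSP=$fsp",                 # installation and assignment state goes to the fallback status point
    "SMSSIGNCERT=$signCert"     # accept policy only when it is signed by this certificate
)

$proc = Start-Process -FilePath (Join-Path $setupShare 'ccmsetup.exe') -ArgumentList $setupArgs -Wait -PassThru
"ccmsetup.exe exited with code $($proc.ExitCode)"   # 0 = success, 7 = restart required
# Details are written to %windir%\ccmsetup\Logs\ccmsetup.log on the client.
```

Run the wrapper from an elevated session on the client. Because SMSSITECODE is set explicitly and SMSSIGNCERT is supplied, the client neither relies on automatic site assignment nor trusts the first management point it reaches for the signing key.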
Use software update-based client installation for Active Directory computers
This client deployment method has the following benefits:
Uses existing Windows technologies
Integrates with your Active Directory infrastructure
Requires the least configuration in Configuration Manager
Is the easiest to configure for firewalls
Is the most secure
By using security groups and WMI filtering for the group policy configuration, you also have flexibility to control
which computers install the Configuration Manager client.
For more information, see How to install Configuration Manager clients by using software update-based
installation.
Enable automatic upgrade after your main client deployment finishes
Performance improvements in Configuration Manager can allow you to use automatic upgrades as a primary
client upgrade method. However, performance will depend on your hierarchy infrastructure, such as the number
of clients.
If you use another client installation method as the primary upgrade method, use automatic client upgrade to
catch computers that it missed. For example, devices that were offline during the main deployment.
For more information, see Automatic client upgrades.
Assign site systems as clients to the same site
If you install the Configuration Manager client on site systems, assign them to the same site. Roles like the
management point and distribution point have shared binary files between the role and the client. These
collocated clients should always be the same version as the site system role.
For example, for a management point in site XYZ, assign the client installed on this site system server to site
XYZ.

Other device types


Plan your user enrollment experience for Mac computers and mobile devices
If users will enroll their own macOS computers and mobile devices with Configuration Manager, plan the user
experience. For example, you might script the installation and enrollment process by using a web page. Then
users only enter the minimum amount of information necessary. You can also send instructions with a link by
email.
Write filters for Windows Embedded devices
Embedded devices that use enhanced write filters (EWF) are likely to experience state message
resynchronization. For example, they send full inventory rather than delta inventory. If you have just a few
embedded devices that use Enhanced Write Filters, you might not notice anything. However, when you have
many embedded devices that resynchronize their information, this behavior can generate a noticeable increase
in network packets and higher CPU processing on the site server.
When you have a choice of which type of write filter to enable, choose file-based write filters (FBWF) or unified
write filters (UWF). Configure exceptions to persist client state and inventory data between device restarts. These
exceptions improve network and CPU efficiency on the Configuration Manager client. For more information, see
Plan for client deployment to Windows Embedded devices.
For more information about the maximum number of Windows Embedded clients that a primary site can
support, see Supported operating systems for clients and devices.

IMPORTANT
For Windows computers that you plan to protect with a unified write filter (UWF), configure the device for UWF before
you install the client. This configuration enables Configuration Manager to install the client with a custom credential
provider that locks out low-rights users from signing in to the device during maintenance mode.

Next steps
How to deploy clients to Windows computers
Determine whether to block clients in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


If a client computer or client mobile device is no longer trusted, you can block the client in the System Center
2012 Configuration Manager console. Blocked clients are rejected by the Configuration Manager infrastructure
so that they cannot communicate with site systems to download policy, upload inventory data, or send state or
status messages.
You must block and unblock a client from its assigned site rather than from a secondary site or a central
administration site.

IMPORTANT
Although blocking in Configuration Manager can help to secure the Configuration Manager site, do not rely on this
feature to protect the site from untrusted computers or mobile devices if you allow clients to communicate with site
systems by using HTTP, because a blocked client could rejoin the site with a new self-signed certificate and hardware ID.
Instead, use the blocking feature to block lost or compromised boot media that you use to deploy operating systems, and
when site systems accept HTTPS client connections.

Clients that access the site by using the ISV Proxy certificate cannot be blocked. For more information about the
ISV Proxy certificate, see the Configuration Manager Software Development Kit (SDK).
If your site systems accept HTTPS client connections and your public key infrastructure (PKI) supports a
certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against
potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense
to protect your hierarchy.
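The two lines of defense described here can be applied together in one response procedure. The following script is an added example, not code from the Configuration Manager documentation or product: it first revokes the compromised client's certificate on the issuing CA with certutil and publishes a new CRL, then blocks the device from its assigned site through the console's PowerShell module. The device name, site code, CA configuration string and certificate serial number are placeholders; the Block-CMDevice and Get-CMDevice cmdlets are the ones that ship with the console.

```powershell
# Added example (not from the Configuration Manager docs): respond to a compromised
# HTTPS client by revoking its certificate (primary defense) and then blocking the
# device in Configuration Manager (second line of defense). All values are placeholders.

$deviceName = 'WS-FINANCE-042'                                  # assumed client hostname
$siteCode   = 'XYZ'                                             # assumed assigned primary site
$caConfig   = 'ca01.corp.example.com\Contoso Issuing CA'        # assumed CA config string (Host\CAName)
$serial     = '6100000012abcdef0123456789abcdef'                # placeholder certificate serial (hex)

# 1. Revoke on the CA. Reason code 1 = KeyCompromise. Run on a host with the CA tools
#    and an account that holds the "Issue and Manage Certificates" permission.
& certutil.exe -config $caConfig -revoke $serial 1
if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }

# Publish a fresh CRL now; site systems still honour their cached CRL until it expires,
# which is the delay the text above warns about.
& certutil.exe -config $caConfig -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# 2. Block the client from its assigned site. The ConfigurationManager module is
#    installed with the console; SMS_ADMIN_UI_PATH points at the console's bin folder.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location -Path "$($siteCode):"

$device = Get-CMDevice -Name $deviceName
if (-not $device) { throw "Device '$deviceName' was not found in site $siteCode" }
Block-CMDevice -InputObject $device
"Blocked $deviceName in site $siteCode; verify the Blocked status in the Devices node of the console."
```

Because blocking only stops communication with this hierarchy, the revocation step is what actually invalidates the credential the attacker holds; keep both steps in the runbook and run the revocation first.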

Considerations for blocking clients


This option is available for HTTP and HTTPS client connections, but has limited security when clients
connect to site systems by using HTTP.
Configuration Manager administrative users have the authority to block a client, and the action is taken in
the Configuration Manager console.
Client communication is rejected from the Configuration Manager hierarchy only.

NOTE
The same client could register with a different Configuration Manager hierarchy.

The client is immediately blocked from the Configuration Manager site.
Helps to protect site systems from potentially compromised computers and mobile devices.

Considerations for using certificate revocation


This option is available for HTTPS Windows client connections if the public key infrastructure supports a
certificate revocation list (CRL).
Mac clients always perform CRL checking and this functionality cannot be disabled.
Although mobile device clients do not use certificate revocation lists to check the certificates for site
systems, their certificates can be revoked and checked by Configuration Manager.
Public key infrastructure administrators have the authority to revoke a certificate, and the action is taken
outside the Configuration Manager console.
Client communication can be rejected from any computer or mobile device that requires this client
certificate.
There is likely to be a delay between revoking a certificate and site systems downloading the modified
certificate revocation list (CRL).
For many PKI deployments, this delay can be a day or longer. For example, in Active Directory Certificate
Services, the default expiration period is one week for a full CRL, and one day for a delta CRL.
Helps to protect site systems and clients from potentially compromised computers and mobile devices.

NOTE
You can further protect site systems that run IIS from unknown clients by configuring a certificate trust list (CTL)
in IIS.
Planning for client deployment to Mac computers in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

You can install the Configuration Manager client on Mac computers that run macOS X and use the following
management capabilities:
Hardware inventory
You can use Configuration Manager hardware inventory to collect information about the hardware and
installed applications on Mac computers. This information can then be viewed in Resource Explorer in the
Configuration Manager console and used to create collections, queries and reports. For more
information, see How to use Resource Explorer to view hardware inventory.
Configuration Manager collects the following hardware information from Mac computers:
Processor
Computer System
Disk Drive
Disk Partition
Network Adapter
Operating System
Service
Process
Installed Software
Computer System Product
USB Controller
USB Device
CDROM Drive
Video Controller
Desktop Monitor
Portable Battery
Physical Memory
Printer
IMPORTANT
You cannot extend the hardware information that is collected from Mac computers during hardware inventory.

Compliance settings
You can use Configuration Manager compliance settings to view the compliance of and remediate macOS
X preference (.plist) settings. For example, you could enforce settings for the home page in the Safari web
browser or ensure that the Apple firewall is enabled. You can also use shell scripts to monitor and
remediate settings in macOS X.
Application management
Configuration Manager can deploy software to Mac computers. You can deploy the following software
formats to Mac computers:
Apple disk image (.DMG)
Meta package file (.MPKG)
macOS X installer package (.PKG)
macOS X application (.APP)
When you install the Configuration Manager client on Mac computers, you cannot use the following
management capabilities that are supported by the Configuration Manager client on Windows-based
computers:
Client push installation
Operating system deployment
Software updates

NOTE
You can use Configuration Manager application management to deploy required macOS X software updates to
Mac computers. In addition, you can use compliance settings to make sure that computers have any required
software updates.

Maintenance windows
Remote control
Power management
Client status client check and remediation
For more information about how to install and configure the Configuration Manager Mac client, see How
to deploy clients to Macs.
Planning for client deployment to Windows Embedded devices in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


If your Windows Embedded device does not include the Configuration Manager client, you can use any of the
client installation methods if the device meets the required dependencies. If the embedded device supports
write filters, you must disable these filters before you install the client, and then re-enable the filters again after
the client is installed and assigned to a site.
Note that when you disable the filters, you should not disable the filter drivers. Typically these drivers are started
automatically when the computer is started. Disabling the drivers will either prevent installation of the client, or
interfere with write filter orchestration which will cause client operations to fail. These are the services
associated with each write filter type that must remain running:

WRITE FILTER TYPE   DRIVER   TYPE          DESCRIPTION
EWF                 ewf      Kernel        Implements sector-level I/O redirection on protected volumes.
FBWF                fbwf     File system   Implements file-level I/O redirection on protected volumes.
UWF                 uwfreg   Kernel        UWF Registry Redirector
UWF                 uwfs     File System   UWF File Redirector
UWF                 uwfvol   Kernel        UWF Volume Manager

Write filters control how the operating system on the embedded device is updated when you make changes,
such as when you install software. When write filters are enabled, instead of making the changes directly to the
operating system, these changes are redirected to a temporary overlay. If the changes are only written to the
overlay, they are lost when the embedded device shuts down. However, if the write filters are temporarily
disabled, the changes can be made permanent so that you do not have to make the changes again (or reinstall
software) every time that the embedded device restarts. Temporarily disabling and then re-enabling
the write filters requires one or more restarts, so you typically want to control when this happens by
configuring maintenance windows so that restarts occur outside business hours.
You can configure options to automatically disable and re-enable the write filters when you deploy software
such as applications, task sequences, software updates, and the Endpoint Protection client. The exception is for
configuration baselines with configuration items that use automatic remediation. In this scenario, the
remediation always occurs in the overlay so that it is available only until the device is restarted. The remediation
is applied again at the next evaluation cycle, but only to the overlay, which is cleared at restart. To force
Configuration Manager to commit the remediation changes, you can deploy the configuration baseline and then
another software deployment that supports committing the change as soon as possible.
If the write filters are disabled, you can install software on Windows Embedded devices by using Software
Center. However, if the write filters are enabled, the installation fails and Configuration Manager displays an
error message that you have insufficient permissions to install the application.

WARNING
Even if you do not select the Configuration Manager options to commit the changes, the changes might be committed if
another software installation or change is made that commits changes. In this scenario, the original changes will be
committed in addition to the new changes.

When Configuration Manager disables the write filters to make changes permanent, only users who have local
administrative rights can log on and use the embedded device. During this period, low-rights users are locked
out and see a message that the computer is unavailable because it is being serviced. This helps protect the
device while it is in a state where changes can be permanently applied, and this servicing mode lockout
behavior is another reason to configure a maintenance window for a time when users will not log on to these
devices.
Configuration Manager supports managing the following types of write filters:
File-Based Write Filter (FBWF) - For more information, see File-Based Write Filter.
Enhanced Write Filter (EWF) RAM - For more information, see Enhanced Write Filter.
Unified Write Filter (UWF) - For more information, see Unified Write Filter.
Configuration Manager does not support write filter operations when the Windows Embedded device is
in EWF RAM Reg mode.

IMPORTANT
If you have the choice, use File-Based Write Filters (FBWF) with Configuration Manager for increased efficiency and higher
scalability.
For devices that use FBWF only: Configure the following exceptions to persist client state and inventory data
between device restarts:
CCMINSTALLDIR\*.sdf
CCMINSTALLDIR\ServiceData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem
Devices that run Windows Embedded 8.0 and later do not support exclusions that contain wildcard characters. On
these devices, you must configure the following exclusions individually:
All files in CCMINSTALLDIR with the extension .sdf, typically:
UserAffinityStore.sdf
InventoryStore.sdf
CcmStore.sdf
StateMessageStore.sdf
CertEnrollmentStore.sdf
CCMINSTALLDIR\ServiceData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem
For devices that use FBWF and UWF only: When clients in a workgroup use certificates for authentication to
management points, you must also exclude the private key to ensure the client continues to communicate with the
management point. On these devices, configure the following exceptions:
c:\Windows\System32\Microsoft\Protect
c:\ProgramData\Microsoft\Crypto
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates
NOTE
No additional exceptions are needed by the Configuration Manager client other than those documented in the above
Important box. Adding additional Configuration Manager or WMI (WBEM) related exceptions may lead to failures of
Configuration Manager, including devices getting stuck in servicing mode or devices experiencing reboot loops. Unneeded
exceptions include the Configuration Manager client directory, the CCMcache directory, the CCMSetup directory, the Task
Sequence cache directory, the WBEM directory, and Configuration Manager related registry keys.
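The following script is an added example, not part of the Configuration Manager documentation or product. It applies the three FBWF/UWF certificate exclusions listed above on a UWF-protected workgroup client with uwfmgr.exe and refuses any file path that falls under the directories the note above says must not be excluded; the directory names used for that check are the assumed default install locations (CCMINSTALLDIR defaults to %windir%\CCM), and the script assumes it runs elevated on a device where uwfmgr.exe is present.

```powershell
# Added example (not Configuration Manager product code). Applies the documented
# UWF exclusions for certificate-based client authentication and blocks the
# exclusions the documentation warns against. UWF configuration changes take
# effect after the next restart.

# Exclusions documented above for FBWF/UWF clients in a workgroup that
# authenticate to the management point with certificates.
$RequiredFileExclusions = @(
    'C:\Windows\System32\Microsoft\Protect',
    'C:\ProgramData\Microsoft\Crypto'
)
$RequiredRegistryExclusions = @(
    'HKLM\Software\Microsoft\SystemCertificates\SMS\Certificates'
)

# Directory names that must NOT be excluded (assumed default locations of the
# client directory, CCMcache, CCMSetup, the task sequence cache and WBEM).
# Tested as case-insensitive substrings of the file path.
$ForbiddenPathFragments = @('\CCM\', '\ccmcache\', '\ccmsetup\', '\_SMSTaskSequence\', '\wbem\')

function Test-FileExclusionAllowed {
    param([Parameter(Mandatory)][string]$Path)
    $normalized = $Path.TrimEnd('\') + '\'
    foreach ($fragment in $ForbiddenPathFragments) {
        if ($normalized -like "*$fragment*") { return $false }
    }
    return $true
}

function Invoke-Uwfmgr {
    # Runs uwfmgr.exe with the given arguments; returns exit code and combined output.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & uwfmgr.exe @Arguments 2>&1 | Out-String
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output.Trim() }
}

function Add-UwfExclusion {
    param(
        [Parameter(Mandatory)][ValidateSet('file', 'registry')][string]$Kind,
        [Parameter(Mandatory)][string]$Target
    )
    # The deny check applies to file paths only: the FBWF list above shows that
    # a Configuration Manager registry key can be a required exclusion.
    if ($Kind -eq 'file' -and -not (Test-FileExclusionAllowed -Path $Target)) {
        Write-Warning "Refusing to exclude '$Target': it is one of the unneeded exclusions."
        return $false
    }
    $result = Invoke-Uwfmgr -Arguments @($Kind, 'add-exclusion', $Target)
    if ($result.ExitCode -ne 0) {
        # uwfmgr fails, for example, when the exclusion already exists or the
        # path is not on a protected volume; show the message to the operator.
        Write-Warning "uwfmgr $Kind add-exclusion '$Target' failed: $($result.Output)"
        return $false
    }
    Write-Host "Added $Kind exclusion: $Target"
    return $true
}

$allApplied = $true
foreach ($path in $RequiredFileExclusions) {
    $allApplied = (Add-UwfExclusion -Kind file -Target $path) -and $allApplied
}
foreach ($key in $RequiredRegistryExclusions) {
    $allApplied = (Add-UwfExclusion -Kind registry -Target $key) -and $allApplied
}

# Print the resulting configuration so the operator can confirm that only the
# documented exclusions are present before re-enabling the filter.
(Invoke-Uwfmgr -Arguments @('get-config')).Output

if (-not $allApplied) {
    Write-Warning 'One or more exclusions were not applied; review the output above before restarting.'
}
```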

For an example scenario to deploy and manage write-filter-enabled Windows Embedded devices in
Configuration Manager, see Example scenario for deploying and managing Configuration Manager clients on
Windows Embedded devices.
For more information about how to build images for Windows Embedded devices and configure write filters,
see your Windows Embedded documentation, or contact your OEM.

NOTE
When you select the applicable platforms for software deployments and configuration items, these display the Windows
Embedded families rather than specific versions.
Example scenario for deploying and managing Configuration Manager clients on Windows Embedded devices
2/16/2022 • 11 minutes to read

Applies to: Configuration Manager (current branch)


This scenario demonstrates how you can manage write-filter-enabled Windows Embedded devices with
Configuration Manager. If your embedded devices do not support write filters, they behave as standard
Configuration Manager clients and these procedures don't apply.
Coho Vineyard & Winery is opening a visitor center and needs kiosks that run Windows Embedded to run
interactive presentations. The building for the new visitor center is not close to the IT department, so the kiosks
must be managed remotely. In addition to the software that runs the presentations, these devices must run up-
to-date antimalware protection software to comply with the company security policies. The kiosks must run 7
days a week, with no downtime while the visitor center is open.
Coho already runs Configuration Manager to manage devices on their network. Configuration Manager is
configured to run Endpoint Protection, and install software updates and applications. However, because the IT
team has not managed Windows Embedded devices before, the Configuration Manager administrator runs a
pilot to manage two kiosks in the reception lobby.
To manage these Windows Embedded devices that are write-filter-enabled, the Configuration Manager
administrator performs the following steps to install the Configuration Manager client, protect the client by
using Endpoint Protection, and install the interactive presentation software.
1. The Configuration Manager administrator (the Admin) reads how Windows Embedded devices use write
filters and how Configuration Manager can make this easier by automatically disabling and then
re-enabling the write filters to persist a software installation.
For more information, see Planning for client deployment to Windows Embedded devices.
2. Before the Admin installs the Configuration Manager client, the Admin creates a new query-based device
collection for the Windows Embedded devices. Because the company uses standard naming formats to
identify their computers, the Admin can uniquely identify Windows Embedded devices by the first six
letters of the computer name: WEMDVC. The Admin uses the following WQL query to create this collection:
select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%"
This collection allows the Admin to manage the Windows Embedded devices with different configuration
options from the other devices. The Admin will use this collection to control restarts, deploy Endpoint
Protection with client settings, and deploy the interactive presentation application.
See How to create collections.
3. The Admin configures the collection for a maintenance window to ensure that restarts that might be
required for installing the presentation application and any upgrades do not occur during opening hours
for the visitor center. Opening hours will be 09:00 through 18:00, Monday through Sunday. The Admin
configures the maintenance window for every day, 18:30 through 06:00.
4. For more information, see How to use maintenance windows.
5. The Admin then configures a custom device client setting to install the Endpoint Protection client by
selecting Yes for the following settings, and then deploys this custom client setting to the Windows
Embedded device collection:
Install Endpoint Protection client on client computers
For Windows Embedded devices with write filters, commit Endpoint Protection client
installation (requires restart)
Allow Endpoint Protection client installation and restart to be performed outside
maintenance windows
When the Configuration Manager client is installed, these settings install the Endpoint Protection
client and ensure that it is persisted in the operating system as part of the installation, rather than
written to the overlay only. The company security policies require that the antimalware software is
always installed and the Admin does not want to run the risk of the kiosks being unprotected for
even a short period of time if they restart.

NOTE
The restarts that are required to install the Endpoint Protection client are a one-time occurrence, which happen
during the setup period for the devices and before the visitor center is operational. Unlike the periodic
deployment of applications or software definition updates, the next time the Endpoint Protection client is installed
on the same device will probably be when the company upgrades to the next version of Configuration Manager.

For more information, see Configuring Endpoint Protection.


6. With the configuration settings for the client now in place, the Admin prepares to install the
Configuration Manager clients. Before the Admin can install the clients, they must manually disable the
write filter on the Windows Embedded devices. The Admin reads the OEM documentation that
accompanies the kiosks and follows their instructions to disable the write filters.
The Admin renames the device so it uses the company standard naming format, and then installs the
client manually by running CCMSetup with the following command from a mapped drive that holds the
client source files: CCMSetup.exe /MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1
This command installs the client, assigns the client to the management point that has the intranet FQDN
of mpserver.cohovineyardandwinery.com, and assigns the client to the primary site named CO1.
The Admin knows that it always takes a while for clients to install and send back their status to the site. So
the Admin waits before they confirm that the clients successfully install, assign to the site, and appear as
clients in the collection that they created for Windows Embedded devices.
As additional confirmation, the Admin checks the properties of Configuration Manager in Control Panel
on the devices and compares them to standard Windows computers that are managed by the site. For
example, on the Components tab, the Hardware Inventory Agent displays Enabled, and on the
Actions tab, there are 11 available actions, which include Application Deployment Evaluation Cycle
and Discovery Data Collection Cycle.
Confident that the clients are successfully installed, assigned, and receiving client policy from the
management point, the Admin then manually enables the write filters by following the instructions from
the OEM.
For more information, see:
How to deploy clients to Windows computers
How to assign clients to a site
7. Now that the Configuration Manager client is installed on the Windows Embedded devices, the Admin
confirms that they can manage them in the same way as they manage the standard Windows clients. For
example, from the Configuration Manager console, the Admin can remotely manage them by using
remote control, initiate client policy for them, and view client properties and hardware inventory.
Because these devices are joined to an Active Directory domain, the Admin does not have to manually
approve them as trusted clients and confirms from the Configuration Manager console that they are
approved.
For more information, see How to manage clients.
8. To install the interactive presentation software, the Admin runs the Deploy Software Wizard and
configures a required application. On the User Experience page of the wizard, in the Write filter
handling for Windows Embedded devices section, they accept the default option that selects
Commit changes at deadline or during a maintenance window (requires restarts).
The Admin keeps this default option for write filters to ensure that the application persists after a restart,
so that it is always available to the visitors using the kiosks. The daily maintenance window provides a
safe period during which the restarts for installation and any updates can occur.
The Admin deploys the application to the Windows Embedded devices collection.
For more information, see How to deploy applications with Configuration Manager.
9. To configure definition updates for Endpoint Protection, the Admin uses software updates and runs the
Create Automatic Deployment Rule Wizard. They select the Definition Updates template to prepopulate
the wizard with settings that are appropriate for Endpoint Protection.
These settings include the following on the User Experience page of the wizard:
Deadline behavior : The Software Installation check box is not selected.
Write filter handling for Windows Embedded devices: The Commit changes at deadline
or during a maintenance window (requires restarts) check box is not selected.
The Admin keeps these default settings. Together, these two options with this configuration allow
any software update definitions for Endpoint Protection to be installed in the overlay during the
day and not wait to be installed and committed during the maintenance window. This
configuration best meets the company security policy for computers to run up-to-date
antimalware protection.

NOTE
Unlike software installations for applications, software update definitions for Endpoint Protection can occur
very frequently, even multiple times a day. They are often small files. For these types of security-related
deployments, it can often be beneficial to always install to the overlay rather than wait until the
maintenance window. The Configuration Manager client will quickly re-install the software definition
updates if the device restarts because this action initiates an evaluation check and does not wait until the
next scheduled evaluation.

The Admin selects the Windows Embedded devices collection for the automatic deployment rule.
For more information, see
Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client
Computers in Configuring Endpoint Protection
10. The Admin decides to configure a maintenance task that periodically commits all changes on the overlay.
This task is to support the software update definitions deployment, to reduce the number of updates that
accumulate and must be installed again, each time the device restarts. In the Admin's experience, this
helps the antimalware programs run more efficiently.

NOTE
These software update definitions would be automatically committed to the image if the embedded devices ran
another management task that supported committing the changes. For example, installing a new version of the
interactive presentation software would also commit the changes for software update definitions. Or, installing
standard software updates every month that install during the maintenance window could also commit the
changes for software update definitions. However, in this scenario, where standard software updates do not run
and the interactive presentation software is unlikely to be updated very often, it might be months before the
software definition updates are automatically committed to the image.

The Admin first creates a custom task sequence that has no settings other than the name. They run the
Create Task Sequence Wizard:
a. On the Create a New Task Sequence page, the Admin selects Create a new custom task
sequence , and then clicks Next .
b. On the Task Sequence Information page, the Admin enters Maintenance task to commit
changes on embedded devices for the task sequence name, and then clicks Next .
c. On the Summary page, the Admin selects Next, and completes the wizard.
The Admin then deploys this custom task sequence to the Windows Embedded devices collection,
and configures the schedule to run every month. As part of the deployment settings, they select
the Commit changes at deadline or during a maintenance window (requires restarts)
check box to persist the changes after a restart. To configure this deployment, the Admin selects
the custom task sequence that they just created, and then on the Home tab, in the Deployment
group, they click Deploy to start the Deploy Software Wizard:
d. On the General page, the Admin selects the Windows Embedded devices collection, and then
clicks Next .
e. On the Deployment Settings page, the Admin selects the Purpose of Required , and then clicks
Next .
f. On the Scheduling page, the Admin clicks New to specify a weekly schedule during the
maintenance window, and then clicks Next .
g. The Admin completes the wizard without any further changes.
For more information, see
Manage task sequences to automate tasks.
11. For the kiosks to run automatically, the Admin writes a script to configure the devices for the following
settings:
Automatically log on, using a guest account that has no password.
Automatically run the interactive presentation software on startup.
The Admin uses packages and programs to deploy this script to the Windows Embedded devices
collection. When the Admin runs the Deploy Software Wizard, they again select the Commit
changes at deadline or during a maintenance window (requires restarts) check box to
persist the changes after a restart.
For more information, see Packages and programs.
12. The following morning, the Admin checks the Windows Embedded devices. They confirm the following:
The kiosk is automatically logged on by using the guest account.
The interactive presentation software is running.
The Endpoint Protection client is installed and has the latest software update definitions.
That the device restarted during the maintenance window.
For more information, see:
How to monitor Endpoint Protection
Monitor applications with Configuration Manager
13. The Admin monitors the kiosks and reports the successful management of them to their manager. As a
result, 20 kiosks are ordered for the visitor center.
To avoid the manual installation of the Configuration Manager client, which requires manually disabling
and then enabling the write filters, the Admin ensures that the order includes a customized image that
already includes the installation and site assignment of the Configuration Manager client. In addition, the
devices are named according to the company naming format.
The kiosks are delivered to the visitor center a week before it opens. During this time, the kiosks are
connected to the network, all device management for them is automatic, and no local administrator is
required. The Admin confirms that the kiosks are functioning as required:
The clients on the kiosks complete site assignment and download the trusted root key from Active
Directory Domain Services.
The clients on the kiosks are automatically added to the Windows Embedded devices collection
and configured with the maintenance window.
The Endpoint Protection client is installed and has the latest software update definitions for
antimalware protection.
The interactive presentation software is installed and runs automatically, ready for visitors.
14. After this initial setup, any restarts that might be required for updates occur only when the visitor center
is closed.
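The following verification script is an added example, not part of the Configuration Manager documentation or product. Run on a kiosk, it checks the conditions the Admin confirms in steps 6 and 12 above: site assignment and current management point (read from the client's SMS_Authority and SMS_Client WMI classes in root\ccm), whether the last restart fell inside the 18:30 to 06:00 maintenance window, the automatic logon account, and whether the presentation software is running. The process name VisitorPresentation and the account name Guest are assumptions, and the definition-age check runs only where the Get-MpComputerStatus cmdlet is available.

```powershell
# Added example (not Configuration Manager product code): post-deployment checks
# for a write-filter-enabled kiosk managed as described in the scenario.
param(
    [string]$ExpectedSiteCode = 'CO1',
    [string]$ExpectedManagementPoint = 'mpserver.cohovineyardandwinery.com',
    [string]$PresentationProcess = 'VisitorPresentation',  # assumed process name
    [string]$ExpectedAutoLogonUser = 'Guest',              # assumed account name
    [timespan]$WindowStart = [timespan]'18:30',
    [timespan]$WindowEnd = [timespan]'06:00'
)

function Test-InMaintenanceWindow {
    # True when the time of day lies inside a window that may wrap past midnight.
    param(
        [Parameter(Mandatory)][datetime]$Time,
        [Parameter(Mandatory)][timespan]$Start,
        [Parameter(Mandatory)][timespan]$End
    )
    $t = $Time.TimeOfDay
    if ($Start -le $End) { return ($t -ge $Start -and $t -lt $End) }
    return ($t -ge $Start -or $t -lt $End)
}

function Get-ClientSiteAssignment {
    # SMS_Authority.Name is "SMS:<site code>"; CurrentManagementPoint is the MP FQDN.
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction Stop
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction Stop
    [pscustomobject]@{
        SiteCode        = ($authority.Name -replace '^SMS:', '')
        ManagementPoint = $authority.CurrentManagementPoint
        ClientVersion   = $client.ClientVersion
    }
}

$checks = [ordered]@{}

try {
    $assignment = Get-ClientSiteAssignment
    $checks["Assigned to site $ExpectedSiteCode"] = ($assignment.SiteCode -eq $ExpectedSiteCode)
    $checks["Using management point $ExpectedManagementPoint"] =
        ($assignment.ManagementPoint -eq $ExpectedManagementPoint)
} catch {
    # root\ccm is absent or unreadable: the client is not installed or not yet initialized.
    $checks['Configuration Manager client present'] = $false
}

# The scenario expects restarts to land inside the maintenance window only.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$checks['Last restart inside maintenance window'] =
    Test-InMaintenanceWindow -Time $lastBoot -Start $WindowStart -End $WindowEnd

# Automatic logon is configured under the Winlogon key.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks["Automatic logon as $ExpectedAutoLogonUser"] =
    ($winlogon.AutoAdminLogon -eq '1' -and $winlogon.DefaultUserName -eq $ExpectedAutoLogonUser)

$checks['Presentation software running'] =
    [bool](Get-Process -Name $PresentationProcess -ErrorAction SilentlyContinue)

# Definition age, only where the antimalware cmdlet exists on this client.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    $checks['Antimalware definitions updated in the last 24 hours'] =
        ($status.AntivirusSignatureLastUpdated -gt (Get-Date).AddHours(-24))
}

foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0,-5} {1}' -f $state, $entry.Key
}
```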
Plan how to wake up clients in Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports traditional wake-up packets to wake up computers in sleep mode when you
want to install required software, such as software updates and applications.

NOTE
This article describes how an older version of Wake on LAN functions. This functionality still exists in Configuration
Manager version 1810, which also includes a newer version of Wake on LAN. Both versions of Wake on LAN can, and
in many cases will, be enabled simultaneously. For more information about how the new version of Wake on LAN
functions starting in 1810, and about enabling either or both versions, see How to configure Wake on LAN.

How to wake up clients in Configuration Manager


Configuration Manager supports traditional wake-up packets to wake up computers in sleep mode when you
want to install required software, such as software updates and applications.
You can supplement the traditional wake-up packet method by using the wake-up proxy client settings. Wake-up
proxy uses a peer-to-peer protocol and elected computers to check whether other computers on the subnet are
awake, and to wake them if necessary. When the site is configured for Wake On LAN and clients are configured
for wake-up proxy, the process works as follows:
1. Computers with the Configuration Manager client installed and that aren't asleep on the subnet check
whether other computers on the subnet are awake. They do this check by sending each other a TCP/IP
ping command every five seconds.
2. If there's no response from other computers, they're assumed to be asleep. The computers that are awake
become manager computers for the subnet.
Because it's possible that a computer might not respond because of a reason other than it's asleep (for
example, it's turned off, removed from the network, or the proxy wake-up client setting is no longer
applied), the computers are sent a wake-up packet every day at 2 P.M. local time. Computers that don't
respond will no longer be assumed to be asleep and will not be woken up by wake-up proxy.
To support wake-up proxy, at least three computers must be awake for each subnet. To achieve this
requirement, three computers are non-deterministically chosen to be guardian computers for the subnet.
This state means that they stay awake, despite any configured power policy to sleep or hibernate after a
period of inactivity. Guardian computers honor shutdown or restart commands, for example, as a result
of maintenance tasks. If this action happens, the remaining guardian computers wake up another
computer on the subnet so that the subnet continues to have three guardian computers.
3. Manager computers ask the network switch to redirect network traffic for the sleeping computers to
themselves.
The redirection is achieved by the manager computer broadcasting an Ethernet frame that uses the
sleeping computer's MAC address as the source address. This behavior makes the network switch behave
as if the sleeping computer has moved to the same port that the manager computer is on. The manager
computer also sends ARP packets for the sleeping computers to keep the entry fresh in the ARP cache.
The manager computer also responds to ARP requests on behalf of the sleeping computer and replies
with the MAC address of the sleeping computer.

WARNING
During this process, the IP-to-MAC mapping for the sleeping computer remains the same. Wake-up proxy works
by informing the network switch that a different network adapter is using the port that was registered by another
network adapter. However, this behavior is known as a MAC flap and is unusual for standard network operation.
Some network monitoring tools look for this behavior and can assume that something is wrong. Consequently,
these monitoring tools can generate alerts or shut down ports when you use wake-up proxy.
Do not use wake-up proxy if your network monitoring tools and services do not allow MAC flaps.

4. When a manager computer sees a new TCP connection request for a sleeping computer and the request
is to a port that the sleeping computer was listening on before it went to sleep, the manager computer
sends a wake-up packet to the sleeping computer, and then stops redirecting traffic for this computer.
5. The sleeping computer receives the wake-up packet and wakes up. The sending computer automatically
retries the connection and this time, the computer is awake and can respond.
Wake-up proxy has the following prerequisites and limitations:

IMPORTANT
If you have a separate team that is responsible for the network infrastructure and network services, notify and include this
team during your evaluation and testing period. For example, on a network that uses 802.1X network access control,
wake-up proxy will not work and can disrupt the network service. In addition, wake-up proxy could cause some network
monitoring tools to generate alerts when the tools detect the traffic to wake-up other computers.

All Windows operating systems listed as supported clients in Supported operating systems for clients
and devices are supported for Wake On LAN.
Guest operating systems that run on a virtual machine are not supported.
Clients must be enabled for wake-up proxy by using client settings. Although wake-up proxy operation
does not depend on hardware inventory, clients do not report the installation of the wake-up proxy
service unless they are enabled for hardware inventory and submitted at least one hardware inventory.
Network adapters (and possibly the BIOS) must be enabled and configured for wake-up packets. If the
network adapter is not configured for wake-up packets or this setting is disabled, Configuration Manager
will automatically configure and enable it for a computer when it receives the client setting to enable
wake-up proxy.
If a computer has more than one network adapter, you cannot configure which adapter to use for wake-
up proxy; the choice is non-deterministic. However, the adapter chosen is recorded in the
SleepAgent_<DOMAIN>@SYSTEM_0.log file.
The network must allow ICMP echo requests (at least within the subnet). You cannot configure the five-
second interval that is used to send the ICMP ping commands.
Communication is unencrypted and unauthenticated, and IPsec is not supported.
The following network configurations are not supported:
802.1X with port authentication
Wireless networks
Network switches that bind MAC addresses to specific ports
IPv6-only networks
DHCP lease durations less than 24 hours
If you want to wake up computers for scheduled software installation, you must configure each primary site to
use wake-up packets.
To use wake-up proxy, you must deploy Power Management wake-up proxy client settings in addition to
configuring the primary site.
Decide whether to use subnet-directed broadcast packets, or unicast packets, and what UDP port number to use.
By default, traditional wake-up packets are transmitted by using UDP port 9, but to help increase security, you
can select an alternative port for the site if this alternative port is supported by intervening routers and firewalls.

Choose Between Unicast and Subnet-Directed Broadcast for Wake-on-LAN
If you choose to wake up computers by sending traditional wake-up packets, you must decide whether to
transmit unicast packets or subnet-directed broadcast packets. If you use wake-up proxy, you must use unicast
packets. Otherwise, use the following comparison to help you determine which transmission method to choose.

TRANSMISSION METHOD: Unicast

Advantages:
- More secure solution than subnet-directed broadcasts because the packet is sent directly to a computer
  instead of to all computers on a subnet.
- Might not require reconfiguration of routers (you might have to configure the ARP cache).
- Consumes less network bandwidth than subnet-directed broadcast transmissions.
- Supported with IPv4 and IPv6.

Disadvantages:
- Wake-up packets do not find destination computers that have changed their subnet address after the
  last hardware inventory schedule.
- Switches might have to be configured to forward UDP packets.
- Some network adapters might not respond to wake-up packets in all sleep states when they use unicast
  as the transmission method.

TRANSMISSION METHOD: Subnet-Directed Broadcast

Advantages:
- Higher success rate than unicast if you have computers that frequently change their IP address in the
  same subnet.
- No switch reconfiguration is required.
- High compatibility rate with computer adapters for all sleep states, because subnet-directed broadcasts
  were the original transmission method for sending wake-up packets.

Disadvantages:
- Less secure solution than using unicast because an attacker could send continuous streams of ICMP echo
  requests from a falsified source address to the directed broadcast address. This causes all of the hosts
  to reply to that source address. If routers are configured to allow subnet-directed broadcasts, the
  additional configuration is recommended for security reasons:
  - Configure routers to allow only IP-directed broadcasts from the Configuration Manager site server, by
    using a specified UDP port number.
  - Configure Configuration Manager to use the specified non-default port number.
- Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts.
- Consumes more network bandwidth than unicast transmissions.
- Supported with IPv4 only; IPv6 is not supported.

WARNING
There are security risks associated with subnet-directed broadcasts: An attacker could send continuous streams of
Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast
address, which causes all the hosts to reply to that source address. This type of denial of service attack is commonly called
a smurf attack and is typically mitigated by not enabling subnet-directed broadcasts.
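The following is an added example, not Configuration Manager code, showing what the two transmission methods above amount to on the wire: it builds a traditional wake-up packet for a MAC address and sends it either as unicast to the computer's last known IP address or as a subnet-directed broadcast, on a configurable UDP port (default 9, as in the text). The MAC address, the 192.0.2.0/24 subnet and the non-default port 12287 are constructed sample values.

```powershell
# Added example (not Configuration Manager product code): traditional wake-up
# packets sent as unicast or as subnet-directed broadcast.

function New-WakeUpPacket {
    # A wake-up packet is 6 bytes of 0xFF followed by the target MAC address
    # repeated 16 times (102 bytes in total). Accepts 00-1A-..., 00:1A:... or bare hex.
    param([Parameter(Mandatory)][string]$MacAddress)
    $hex = $MacAddress -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -ne 12) { throw "Invalid MAC address: $MacAddress" }
    $mac = [byte[]](0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    $sync = [byte[]]@(0xFF) * 6
    return [byte[]]($sync + ($mac * 16))
}

function Get-DirectedBroadcastAddress {
    # Subnet-directed broadcast address = address OR (NOT mask). IPv4 only,
    # matching the comparison above (directed broadcast is not supported for IPv6).
    param(
        [Parameter(Mandatory)][ipaddress]$Address,
        [Parameter(Mandatory)][ipaddress]$SubnetMask
    )
    if ($Address.AddressFamily -ne 'InterNetwork') { throw 'Subnet-directed broadcast is IPv4 only.' }
    $a = $Address.GetAddressBytes()
    $m = $SubnetMask.GetAddressBytes()
    $b = [byte[]](0..3 | ForEach-Object { [byte]($a[$_] -bor ((-bnot $m[$_]) -band 0xFF)) })
    return [ipaddress]::new($b)
}

function Send-WakeUpPacket {
    param(
        [Parameter(Mandatory)][string]$MacAddress,
        [Parameter(Mandatory)][ipaddress]$Destination,  # unicast IP or directed broadcast address
        [int]$Port = 9                                   # site default; change with the router/firewall team
    )
    $packet = New-WakeUpPacket -MacAddress $MacAddress
    $udp = [System.Net.Sockets.UdpClient]::new()
    try {
        $udp.EnableBroadcast = $true   # needed when $Destination is a broadcast address
        [void]$udp.Send($packet, $packet.Length, $Destination.ToString(), $Port)
    } finally {
        $udp.Dispose()
    }
}

# Constructed sample values: a client whose last hardware inventory recorded this
# MAC and IP address on the 192.0.2.0/24 subnet, and an agreed non-default port.
$mac         = '00-1A-2B-3C-4D-5E'
$lastKnownIp = [ipaddress]'192.0.2.45'
$subnetMask  = [ipaddress]'255.255.255.0'
$port        = 12287

# Unicast (required when wake-up proxy is in use): the packet goes only to the
# last known address, so it misses a client that changed its IP since inventory.
Send-WakeUpPacket -MacAddress $mac -Destination $lastKnownIp -Port $port

# Subnet-directed broadcast: every host on the subnet sees the packet, so the
# client is found even after an address change, at the cost of the risks above.
$broadcast = Get-DirectedBroadcastAddress -Address $lastKnownIp -SubnetMask $subnetMask   # 192.0.2.255
Send-WakeUpPacket -MacAddress $mac -Destination $broadcast -Port $port
```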
Manage Configuration Manager clients in a virtual desktop infrastructure (VDI)
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager supports installing the Configuration Manager client on the following virtual desktop
infrastructure (VDI) scenarios:
Personal virtual machines: The virtual machine (VM) maintains user data and settings between
sessions.
Remote Desktop Services sessions: Host multiple, concurrent client sessions on a centralized server.
Users connect to a session and run applications on that server.
Pooled virtual machines/Non-Persistent: The VM doesn't persist between sessions. When a user
closes a session, the virtual environment discards all data and settings. Pooled virtual machines are useful
when you can't use Remote Desktop Services. For example, if a required application can't run on the
Windows Server that hosts the client sessions.
Azure Virtual Desktop: A desktop and app virtualization service that runs on Microsoft Azure. Starting
in version 1906, use Configuration Manager to manage these virtual devices running Windows in Azure.

Personal VMs
Configuration Manager treats personal VMs the same as a physical computer. You can preinstall the
Configuration Manager client on the VM image or after you provision it.
For more information, see Support for virtualization environments.

Remote Desktop Services


You don't install the Configuration Manager client for individual Remote Desktop sessions. Install it once on the
server that hosts Remote Desktop Services. You can use all Configuration Manager client features on the
Remote Desktop Services server.
For more information, see Welcome to Remote Desktop Services.

Pooled VMs/Non-Persistent
When you decommission a pooled virtual machine, any changes made by Configuration Manager are lost.
Because the VM might only be operational for a short length of time, some Configuration Manager features
may not return relevant data. For example, hardware inventory, software inventory, and software metering.
Consider excluding pooled VMs from inventory tasks.

Azure Virtual Desktop


For more information, see Supported operating systems for clients and devices.

Other considerations
Because virtualization supports running multiple Configuration Manager clients on the same physical computer,
many client operations have a built-in randomized delay for scheduled actions. For example, hardware and
software inventory, antimalware scans, software installations, and software update scans. This delay helps
distribute the CPU processing and data transfer for a server that has multiple VMs that run the Configuration
Manager client.
Except for Windows Embedded clients in servicing mode, Configuration Manager clients not in virtualized
environments also use this randomized delay. This behavior helps avoid peaks in network bandwidth. It also
reduces the CPU processing on site systems, such as the management point and site server. The delay interval
varies according to the Configuration Manager capability. For example, see About client settings - Disable
deadline randomization.
To help with Configuration Manager client performance in virtual environments that support multiple user
sessions, it disables user policy by default. Starting in version 1910, you can enable user policy in this scenario.
For more information, see About client settings - Enable user policy for multiple user sessions.

How to configure client communication ports in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can change the request port numbers that Configuration Manager clients use to communicate with site
systems that use HTTP and HTTPS for communication. Although HTTP or HTTPS is more likely to be already
configured for firewalls, client notification that uses HTTP or HTTPS requires more CPU usage and memory on
the management point computer than if you use a custom port number. You can also specify the site port
number to use if you wake up clients by using traditional wake-up packets.
When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative
port number. If communication fails with the default port, clients automatically try the alternative port. You can
specify port settings for HTTP and HTTPS data communication.
The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if
you don't want to use these default values. A typical scenario for using custom ports is when you use a custom
website in IIS rather than the default website. If you change the default port numbers for the default website in
IIS, and other applications also use the default website, they're likely to fail.

IMPORTANT
Don't change the port numbers in Configuration Manager without understanding the consequences. For example:
If you change the port numbers for the client request services as a site configuration, and existing clients aren't
reconfigured to use the new port numbers, these clients will be unmanaged.
Before you configure a non-default port number, make sure that firewalls and all intervening network devices support
this configuration. If you will manage clients on the internet, and change the default HTTPS port number of 443,
routers and firewalls on the internet might block this communication.

To make sure that clients don't become unmanaged after you change the request port numbers, configure
clients to use the new request port numbers. When you change the request ports on a primary site, any
attached secondary sites automatically inherit the same port configuration.

How clients get the port configuration


When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients
that can access this information will automatically be configured with their site port settings. You don't need to
take further action.
Clients that can't access this information published to Active Directory include:
Workgroup clients
Clients from another Active Directory forest
Clients that are configured for internet-only
Clients that are currently on the internet.
If you change the default port numbers after you install these clients, reinstall them.
Install any new clients by using one of the following methods:
Reinstall the clients by using the Client Push Installation Wizard. Client push installation automatically
configures clients with the current site port configuration. For more information, see How to install
Configuration Manager clients with client push.
Reinstall the clients by using CCMSetup.exe and the client.msi installation properties CCMHTTPPORT
and CCMHTTPSPORT. For more information, see About client installation properties.
Reinstall the clients by using a method that searches Active Directory Domain Services for Configuration
Manager client installation properties. For more information, see About client installation properties
published to Active Directory Domain Services.
To reconfigure the port numbers for existing clients, you can also use the script Portswitch.vbs. Find this script
on the installation media in the SMSSETUP\Tools\PortConfiguration folder.

IMPORTANT
For existing and new clients that are currently on the internet, configure the non-default port numbers by using the
CCMSetup.exe client.msi properties CCMHTTPPORT and CCMHTTPSPORT.

After changing the request ports on the site, when you install new clients with the site-wide client push
installation method, they're automatically configured with the current port numbers for the site.
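The CCMSetup reinstall described above, as an added example that is not part of the Configuration Manager documentation: before the client is switched to non-default request ports, the script checks that the management point actually answers on those ports, because a client reinstalled with ports that a firewall or intervening device blocks simply becomes unmanaged. The management point name, site code, port numbers and the ccmsetup.exe path are placeholders; CCMHTTPPORT and CCMHTTPSPORT are the client.msi properties named in the article, and /mp, SMSSITECODE and SMSMP are standard CCMSetup parameters.

```powershell
# Added example, not from the Configuration Manager docs.
# Reinstalls the client with non-default request ports after confirming the
# management point is reachable on them. All names and values are placeholders.

function Test-CMRequestPorts {
    param(
        [Parameter(Mandatory)] [string] $ManagementPoint,
        [int] $HttpPort  = 8080,
        [int] $HttpsPort = 8443
    )
    # Test-NetConnection completes a TCP handshake; a False result means a firewall
    # or intervening device is not passing the custom port yet.
    foreach ($port in $HttpPort, $HttpsPort) {
        $tnc = Test-NetConnection -ComputerName $ManagementPoint -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Reachable = [bool]$tnc.TcpTestSucceeded }
    }
}

function Install-CMClientWithCustomPorts {
    param(
        [Parameter(Mandatory)] [string] $ManagementPoint,
        [Parameter(Mandatory)] [string] $SiteCode,
        [int] $HttpPort  = 8080,
        [int] $HttpsPort = 8443,
        # Typical location of the bootstrapper on an already-installed client; adjust as needed.
        [string] $CcmSetupPath = "$env:windir\ccmsetup\ccmsetup.exe"
    )
    $check   = Test-CMRequestPorts -ManagementPoint $ManagementPoint -HttpPort $HttpPort -HttpsPort $HttpsPort
    $blocked = $check | Where-Object { -not $_.Reachable }
    if ($blocked) {
        throw "Management point $ManagementPoint is not reachable on port(s) $($blocked.Port -join ', '). Fix firewalls before changing client ports."
    }

    # CCMHTTPPORT / CCMHTTPSPORT are the client.msi properties from the article.
    $setupArgs = @(
        "/mp:$ManagementPoint",
        "SMSSITECODE=$SiteCode",
        "SMSMP=$ManagementPoint",
        "CCMHTTPPORT=$HttpPort",
        "CCMHTTPSPORT=$HttpsPort"
    )
    Write-Verbose "Running: $CcmSetupPath $($setupArgs -join ' ')"
    # ccmsetup.exe hands off to its own service and returns quickly; follow progress in ccmsetup.log.
    $proc = Start-Process -FilePath $CcmSetupPath -ArgumentList $setupArgs -Wait -PassThru
    return $proc.ExitCode
}

# Usage (placeholders):
# Install-CMClientWithCustomPorts -ManagementPoint 'mp01.corp.example' -SiteCode 'P01' -Verbose
```

Run the port check alone first on a few clients in each network segment; a port that passes from the site server's subnet but fails from a branch office is the router or firewall case the IMPORTANT note above warns about.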

Configure ports for a site


1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select the primary site to configure.
3. On the Home tab of the ribbon, select Properties.
4. Switch to the Ports tab.
5. Select a service, and then select the Properties icon to open the Port Detail window.

6. Specify the port number and description for the item, and then select OK.
7. If you want to use the custom website SMSWeb for site systems that run IIS, select Use custom web
site. For more information, see Websites for site system servers.
8. Select OK to save the configuration and close the site properties window.
Repeat this procedure for all primary sites in the hierarchy.

Configure client computers to find management points by using DNS publishing
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Clients in Configuration Manager must locate a management point to complete site assignment and as an on-
going process to remain managed. Active Directory Domain Services provides the most secure method for
clients on the intranet to find management points. However, if clients cannot use this service location method
(for example, you have not extended the Active Directory schema, or clients are from a workgroup), use DNS
publishing as the preferred alternative service location method.
Before you use DNS publishing for management points, make sure that DNS servers on the intranet have
service location resource records (SRV RR) and corresponding host (A or AAAA) resource records for the site's
management points. The service location resource records can be created automatically by Configuration
Manager or manually, by the DNS administrator who creates the records in DNS.
For more information about DNS publishing as a service location method for Configuration Manager clients,
see Understand how clients find site resources and services for Configuration Manager.
By default, clients search DNS for management points in their DNS domain. However, if there are no
management points published in the clients' domain, you must manually configure clients with a management
point DNS suffix. You can configure this DNS suffix on clients either during or after client installation:
To configure clients for a management point suffix during client installation, configure the CCMSetup
Client.msi properties.
To configure clients for a management point suffix after client installation, in Control Panel, configure the
Configuration Manager Properties.
To configure clients for a management point suffix during client installation
Install the client with the following CCMSetup Client.msi property:
DNSSUFFIX= <management point domain>
If the site has more than one management point and they are in more than one domain, specify
just one domain. When clients connect to a management point in this domain, they download a list
of available management points, which will include the management points from the other
domains.
For more information about the CCMSetup command-line properties, see About client installation
properties.
To configure clients for a management point suffix after client installation
1. In Control Panel of the client computer, navigate to Configuration Manager, and then double-click
Properties.
2. On the Site tab, specify the DNS suffix of a management point, and then click OK.
If the site has more than one management point and they are in more than one domain, specify just one
domain. When clients connect to a management point in this domain, they download a list of available
management points, which will include the management points from the other domains.
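The prerequisite check this article asks for (SRV records plus matching host records for the site's management points), as an added example that is not part of the Configuration Manager documentation. It assumes the SRV record name that Configuration Manager publishes, _mssms_mp_<sitecode>._tcp.<DNS suffix>, which the article does not spell out; the site code and suffix in the usage line are placeholders.

```powershell
# Added example, not from the Configuration Manager docs.
# Verifies that DNS publishing for management points is in place before clients are
# configured with a management point DNS suffix. Record name is the one Configuration
# Manager publishes (assumption: _mssms_mp_<sitecode>._tcp.<suffix>).

function Test-CMManagementPointDnsPublishing {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $DnsSuffix,
        [string] $DnsServer          # optional: query a specific intranet DNS server
    )
    $srvName = "_mssms_mp_$SiteCode._tcp.$DnsSuffix"
    $query = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }

    $srv = Resolve-DnsName -Name $srvName -Type SRV @query | Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        # Nothing published: clients in this suffix will not find a management point via DNS.
        return [pscustomobject]@{ SrvRecord = $srvName; Published = $false; ManagementPoints = @() }
    }

    # An SRV answer is only usable if the management point it names resolves to an address.
    $mps = foreach ($rec in $srv) {
        $hosts = @(Resolve-DnsName -Name $rec.NameTarget -Type A    @query) +
                 @(Resolve-DnsName -Name $rec.NameTarget -Type AAAA @query) |
                 Where-Object { $_.Type -in 'A', 'AAAA' }
        [pscustomobject]@{
            ManagementPoint = $rec.NameTarget
            Port            = $rec.Port        # 80 for HTTP, 443 for HTTPS, or your custom request port
            Priority        = $rec.Priority
            HasHostRecord   = [bool]$hosts
        }
    }
    [pscustomobject]@{ SrvRecord = $srvName; Published = $true; ManagementPoints = $mps }
}

# Usage (placeholders):
# Test-CMManagementPointDnsPublishing -SiteCode 'P01' -DnsSuffix 'corp.example' |
#     Select-Object -ExpandProperty ManagementPoints
```

A management point listed with HasHostRecord false is the mismatch the article warns about: the SRV record exists but the host record does not, so clients will still fail to locate that management point.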

How to configure client settings in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You manage all client settings in Configuration Manager from the Client Settings node of the Administration
workspace in the console. When you want to configure settings for all users and devices in the hierarchy, modify
the default settings. If you want to apply different settings to just some users or devices, create custom settings
and deploy to collections. Custom client settings override the default settings.
For information about each client setting, see About client settings.

NOTE
You can also use configuration items to manage clients to assess, track, and remediate the configuration compliance of
devices. For more information, see Ensure device compliance.

Configure default client settings


1. In the Configuration Manager console, go to the Administration workspace, and select the Client
Settings node.
2. Select Default Client Settings. On the Home tab of the ribbon, select Properties.
3. View and configure the client settings for each group of settings in the navigation pane.

TIP
Configuration Manager configures clients with these settings when they next download policy. To start policy retrieval for
a single client, see Start policy retrieval for a Configuration Manager client.

Create and deploy custom client settings


When you deploy these custom settings, they override the default client settings. Before you begin this
procedure, make sure that you have a collection for the deployment. The collection should contain the users or
devices that require these custom client settings.
1. In the Configuration Manager console, go to the Administration workspace, and select the Client
Settings node.
2. On the Home tab of the ribbon, in the Create group, select Create Custom Client Settings . Then
choose either Create Custom Client Device Settings or Create Custom Client User Settings .
a. Specify a unique name and optional description.
b. Select one or more of the settings groups.
c. Select each group of settings from the navigation pane, configure the available settings, and then
select OK to save the settings.
3. Select the custom client setting that you created. On the Home tab of the ribbon, in the Client Settings
group, choose Deploy .
4. In the Select Collection window, select the appropriate collection, and then choose OK . To verify the
targeted collection, switch to the Deployments tab in the details pane of the Client Settings node.
5. View the order of the custom client setting that you created. When you have multiple custom client
settings, they're applied according to their order number. If there are any conflicts between settings, the
setting that has the lowest order number overrides the other settings. To change the order number, on the
Home tab of the ribbon, in the Client Settings group, choose Move Item Up or Move Item Down .

TIP
Configuration Manager configures clients with these settings when they next download policy. To start policy retrieval for a
single client, see Start policy retrieval for a Configuration Manager client.

View client settings


When you deploy multiple client settings to the same device, user, or user group, the prioritization and
combination of settings is complex.
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select either
the Devices or Users node.
2. Select a device or user, and in the Client Settings group of the ribbon, select Resultant Client
Settings .
3. Select a client setting from the left pane, and it displays the settings. In this view, the settings are read-
only.

NOTE
To view the client settings, your account needs Read access to client settings.

Automate with PowerShell


Optionally, you can use the Configuration Manager PowerShell cmdlets to automate client settings. For more
information, see the following articles in the PowerShell documentation:
Get-CMClientSetting: Get an existing client settings object.
New-CMClientSetting: Create a new client settings object.
Remove-CMClientSetting: Remove a client settings object.
Use the following cmdlets to configure client settings for the specific group:
Set-CMClientSettingBackgroundIntelligentTransfer
Set-CMClientSettingClientCache
Set-CMClientSettingClientPolicy
Set-CMClientSettingCloudService
Set-CMClientSettingComplianceSetting
Set-CMClientSettingComputerAgent
Set-CMClientSettingComputerRestart
Set-CMClientSettingDeliveryOptimization
Set-CMClientSettingEndpointProtection
Set-CMClientSettingEnrollment
Set-CMClientSettingGeneral
Set-CMClientSettingHardwareInventory
Set-CMClientSettingMeteredInternetConnection
Set-CMClientSettingPowerManagement
Set-CMClientSettingRemoteTool
Set-CMClientSettingSoftwareCenter
Set-CMClientSettingSoftwareDeployment
Set-CMClientSettingSoftwareInventory
Set-CMClientSettingSoftwareMetering
Set-CMClientSettingSoftwareUpdate
Set-CMClientSettingStateMessaging
Set-CMClientSettingUserAndDeviceAffinity
Use the following cmdlets to manage deployments of custom client settings:
New-CMClientSettingDeployment
Remove-CMClientSettingDeployment
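The create-configure-deploy procedure above, scripted with the cmdlets just listed, as an added example that is not part of the Configuration Manager documentation. The settings object name, collection name and values are placeholders; the parameter names (-Type, -PolicyPollingMins, -EnableUserPolicy, -InstallRestriction, -PowerShellExecutionPolicy, -CollectionName) are taken from the cmdlets' help as the author of this example knows it and should be confirmed with Get-Help in your console version. Run it in a console-connected PowerShell session with the ConfigurationManager module loaded and the site drive selected.

```powershell
# Added example, not from the Configuration Manager docs.
# Creates a custom device client settings object, configures two settings groups,
# and deploys it to one collection. Names and values are placeholders.

function New-CMPilotDeviceClientSettings {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $CollectionName,
        [int] $PolicyPollingMinutes = 60     # the default; lower values raise site load
    )
    # Custom settings only apply to the collection they are deployed to and override
    # the default client settings there.
    if (-not (Get-CMClientSetting -Name $Name)) {
        New-CMClientSetting -Name $Name -Type Device -Description 'Added example: pilot settings' | Out-Null
    }

    # Client Policy group: polling interval and user policy for this collection only.
    Set-CMClientSettingClientPolicy -Name $Name -PolicyPollingMins $PolicyPollingMinutes -EnableUserPolicy $true

    # Computer Agent group: restrict who may install software, and require signed scripts.
    Set-CMClientSettingComputerAgent -Name $Name -InstallRestriction OnlyAdministrators -PowerShellExecutionPolicy AllSigned

    # Deploy to the target collection (skip if already deployed there).
    $existing = Get-CMClientSettingDeployment -Name $Name -ErrorAction SilentlyContinue |
                Where-Object { $_.CollectionName -eq $CollectionName }
    if (-not $existing) {
        New-CMClientSettingDeployment -Name $Name -CollectionName $CollectionName | Out-Null
    }
    return Get-CMClientSetting -Name $Name
}

function Remove-CMPilotDeviceClientSettings {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $CollectionName
    )
    # Remove the deployment first, then the settings object.
    Remove-CMClientSettingDeployment -Name $Name -CollectionName $CollectionName -Force
    Remove-CMClientSetting -Name $Name -Force
}

# Usage (placeholders):
# New-CMPilotDeviceClientSettings -Name 'Pilot - Hardened Agent' -CollectionName 'Pilot Devices'
```

After the deployment, use Resultant Client Settings on a member of the collection (see View client settings above) to confirm the values that actually win, since a custom setting with a lower order number still overrides this one where they conflict. Get-CMClientSettingDeployment and the -Force switches on the Remove cmdlets are likewise assumed from the cmdlet help; check them with Get-Help before use.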

Next steps
About client settings

About client settings in Configuration Manager
2/16/2022 • 46 minutes to read

Applies to: Configuration Manager (current branch)


Manage all client settings in the Configuration Manager console from the Client Settings node in the
Administration workspace. Configuration Manager comes with a set of default settings. When you change the
default client settings, these settings are applied to all clients in the hierarchy. You can also configure custom
client settings, which override the default client settings when you assign them to collections. For more
information, see How to configure client settings.
The following sections describe settings and options in further detail.

Background Intelligent Transfer Service (BITS)


Limit the maximum network bandwidth for BITS background transfers
When this option is Yes , clients use BITS bandwidth throttling. To configure the other settings in this group, you
must enable this setting.
Throttling window start time
Specify the local start time for the BITS throttling window.
Throttling window end time
Specify the local end time for the BITS throttling window. If the end time is equal to the Throttling window
start time, BITS throttling is always enabled.
Maximum transfer rate during throttling window (Kbps)
Specify the maximum transfer rate that clients can use during the window.
Allow BITS downloads outside the throttling window
Allow clients to use separate BITS settings outside the specified window.
Maximum transfer rate outside the throttling window (Kbps)
Specify the maximum transfer rate that clients can use outside the BITS throttling window.

Client cache settings


Configure BranchCache
Set up the client computer for Windows BranchCache. To allow BranchCache caching on the client, set Enable
BranchCache to Yes .
Enable BranchCache : Enables BranchCache on client computers.
Maximum BranchCache cache size (percentage of disk) : The percentage of the disk that you allow
BranchCache to use.

TIP
If you set Configure BranchCache to No , then Configuration Manager doesn't configure any BranchCache settings.
To disable BranchCache, set Configure BranchCache to Yes , and then set Enable BranchCache to No .
Configure client cache size
The Configuration Manager client cache on Windows computers stores temporary files used to install
applications and programs. If this option is set to No , the default size is 5,120 MB.
If you choose Yes , then specify:
Maximum cache size (MB)
Maximum cache size (percentage of disk) : The client cache size expands to the maximum size in
megabytes (MB), or the percentage of the disk, whichever is less.
Enable as peer cache source
Enables peer cache for Configuration Manager clients. Choose Yes , and then specify the port through which the
client communicates with the peer computer.
Port for initial network broadcast (default UDP 8004): Configuration Manager uses this port in
Windows PE or the full Windows OS. The task sequence engine in Windows PE sends the broadcast to get
content locations before it starts the task sequence.
Port for content download from peer (default TCP 8003): Configuration Manager automatically
configures Windows Firewall rules to allow this traffic. If you use a different firewall, you must manually
configure rules to allow this traffic.
For more information, see Ports used for connections.
Minimum duration before cached content can be removed (minutes)
Specify the minimum time for the Configuration Manager client to keep cached content. This client setting
defines the minimum amount of time Configuration Manager agent should wait before it can remove content
from the cache in case more space is needed.
By default this value is 1,440 minutes (24 hours). The maximum value for this setting is 10,080 minutes (one
week).
This setting gives you greater control over the client cache on different types of devices. You might reduce the
value on clients that have small hard drives and don't need to keep existing content before another deployment
runs.

Client policy
Client policy polling interval (minutes)
Specifies how frequently the following Configuration Manager clients download client policy:
Windows computers (for example, desktops, servers, laptops)
Mobile devices that Configuration Manager enrolls
Mac computers
This value is 60 minutes by default. Reducing this value causes clients to poll the site more frequently. With
many clients, this behavior can have a negative impact on the site performance. The size and scale guidance is
based on the default value. Increasing this value causes clients to poll the site less often. Any changes to client
policies, including new deployments, take longer for clients to download and process.
Enable user policy on clients
When you set this option to Yes , and use user discovery, then clients receive applications and programs
targeted to the signed-in user.
If this setting is No , users don't receive required applications that you deploy to users. Users also don't receive
any other management tasks in user policies.
This setting applies to users when their computer is on either the intranet or the internet. It must be Yes if you
also want to enable user policies on the internet.
Enable user policy requests from internet clients
Set this option to Yes for users to receive the user policy on internet-based computers. The following
requirements also apply:
The client and site are configured for internet-based client management or a cloud management gateway.
The Enable user policy on clients setting is Yes .
The internet-based management point successfully authenticates the user by using Windows
authentication (Kerberos or NTLM). For more information, see Considerations for client communications
from the internet.
The cloud management gateway successfully authenticates the user by using Azure Active Directory. For
more information, see Prerequisites to deploy user-available applications.
If you set this option to No , or any of the previous requirements aren't met, then a computer on the internet
only receives computer policies. If this setting is No , but Enable user policy on clients is Yes , users don't
receive user policies until the computer is connected to the intranet.

NOTE
For internet-based client management, application approval requests from users don't require user policies or user
authentication. The cloud management gateway doesn't support application approval requests.

Enable user policy for multiple user sessions


By default, this setting is disabled. Even if you enable user policies, the client disables them by default on any
device that allows multiple concurrent active user sessions. For example, terminal servers or Windows
Enterprise multi-session in Azure Virtual Desktop.
The client only disables user policy when it detects this type of device during a new installation. For an existing
client of this type that you update to a later client version, the previous behavior persists. On an existing device,
it configures the user policy setting even if it detects that the device allows multiple user sessions.
If you require user policy in this scenario, and accept any potential performance impact, enable this client
setting.

Cloud services
Allow access to cloud distribution point
Set this option to Yes for clients to obtain content from a content-enabled CMG. This setting doesn't require the
device to be internet-based.
Automatically register new Windows 10 or later domain joined devices with Azure Active Directory
When you configure Azure Active Directory (Azure AD) to support hybrid join, Configuration Manager
configures Windows 10 or later devices for this functionality. For more information, see How to configure hybrid
Azure AD joined devices.
Enable clients to use a cloud management gateway
By default, all internet-roaming clients use any available cloud management gateway. An example of when to
configure this setting to No is to scope usage of the service, such as during a pilot project or to save costs.

Compliance settings
Enable compliance evaluation on clients
Set this option to Yes to configure the other settings in this group.
Schedule compliance evaluation
Select Schedule to create the default schedule for configuration baseline deployments. This value is
configurable for each baseline in the Deploy Configuration Baseline dialog box.
Enable User Data and Profiles
Choose Yes if you want to deploy user data and profiles configuration items.

Computer agent
User notifications for required deployments
For more information about the following three settings, see User notifications for required deployments:
Deployment deadline greater than 24 hours, remind user every (hours)
Deployment deadline less than 24 hours, remind user every (hours)
Deployment deadline less than 1 hour, remind user every (minutes)
Legacy settings for the application catalog
The following client settings still appear in the Computer Agent group, but the functionality is no longer
supported:
Default Application Catalog website point
Add default Application Catalog website to Internet Explorer trusted sites zone
Allow Silverlight applications to run in elevated trust mode
For more information, see Removed and deprecated features.
Organization name displayed in Software Center
Type the name that users see in Software Center. This branding information helps users to identify this
application as a trusted source. For more information about the priority of this setting, see Branding Software
Center.
Use new Software Center
The default setting is Yes .
The previous version of Software Center and the application catalog are no longer supported.
Enable communication with Health Attestation Service
Set this option to Yes for Windows 10 or later devices to use Health attestation. When you enable this setting,
the following setting is also available for configuration.
Use on-premises Health Attestation Service
Set this option to Yes for devices to use an on-premises service. Set to No for devices to use the Microsoft
cloud-based service.
Install permissions
Configure how users can install software, software updates, and task sequences:
All Users : Users with any permission except Guest.
Only Administrators : Users must be a member of the local Administrators group.
Only Administrators and primary users: Users must be a member of the local Administrators group,
or a primary user of the computer.
No Users : No users signed in to a client computer can install software, software updates, and task
sequences. Required deployments for the computer always install at the deadline. Users can't install
software from Software Center.
Suspend BitLocker PIN entry on restart
If computers require BitLocker PIN entry, then this option bypasses the requirement to enter a PIN when the
computer restarts after a software installation.
Always : Configuration Manager temporarily suspends BitLocker after it has installed software that
requires a restart, and it restarts the computer. This setting only applies when Configuration Manager
restarts the computer. This setting doesn't suspend the requirement to enter the BitLocker PIN when the
user restarts the computer. The BitLocker PIN entry requirement resumes after Windows startup.
Never : Configuration Manager doesn't suspend BitLocker after it has installed software that requires a
restart. In this scenario, the software installation can't finish until the user enters the PIN to complete the
standard startup process and load Windows.
Additional software manages the deployment of applications and software updates
Enable this option only if one of the following conditions applies:
You use a vendor solution that requires this setting to be enabled.
You use the Configuration Manager software development kit (SDK) to manage client agent notifications,
and the installation of applications and software updates.

WARNING
If you choose this option when neither of these conditions apply, the client doesn't install software updates and required
applications. This setting doesn't prevent users from installing available software from Software Center, including
applications, packages, and task sequences.
When you enable this setting, toast notifications for new software or required software don't occur on clients.

PowerShell execution policy


Configure how Configuration Manager clients can run Windows PowerShell scripts. You might use these scripts
for detection in configuration items for compliance settings. You might also send the scripts in a deployment as
a standard script.
Bypass : The Configuration Manager client bypasses the Windows PowerShell configuration on the client
computer, so that unsigned scripts can run.
Restricted : The Configuration Manager client uses the current PowerShell configuration on the client
computer. This configuration determines whether unsigned scripts can run.
All Signed : The Configuration Manager client runs scripts only if a trusted publisher has signed them.
This restriction applies independently from the current PowerShell configuration on the client computer.
This option requires at least Windows PowerShell version 2.0. The default is All Signed .
TIP
If unsigned scripts fail to run because of this client setting, Configuration Manager reports this error in the following ways:
The Monitoring workspace in the console displays deployment status error ID 0x87D00327. It also displays the
description Script is not signed.
Reports display the error type Discovery Error. Then reports display either error code 0x87D00327 and the
description Script is not signed, or error code 0x87D00320 and the description The script host has not been
installed yet. An example report is: Details of errors of configuration items in a configuration baseline for
an asset.
The DcmWmiProvider.log file displays the message Script is not signed (Error : 87D00327; Source: CCM) .
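Two checks that go with the All Signed setting, as an added example that is not part of the Configuration Manager documentation: an audit of the detection scripts you plan to deploy (does each carry a signature from a trusted publisher, which is what the client will require at run time), and a filter that pulls the "Script is not signed" errors quoted in the TIP above out of DcmWmiProvider.log lines. The log lines embedded below are constructed for this example, and the function names are this example's own.

```powershell
# Added example, not from the Configuration Manager docs.
# 1) Audit scripts for a valid Authenticode signature before deploying them to clients
#    that run with the All Signed execution policy setting.
# 2) Pick out 'Script is not signed' errors from DcmWmiProvider.log lines.

function Get-ScriptSignatureReport {
    param([Parameter(Mandatory)] [string] $ScriptFolder)
    # Get-AuthenticodeSignature returns Valid only when the signature chains to a trusted
    # publisher; anything else (NotSigned, HashMismatch, UnknownError) will fail under All Signed.
    Get-ChildItem -Path $ScriptFolder -Filter '*.ps1' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script                 = $_.FullName
            Status                 = $sig.Status
            Signer                 = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            WouldRunUnderAllSigned = ($sig.Status -eq 'Valid')
        }
    }
}

function Find-UnsignedScriptErrors {
    param([Parameter(Mandatory)] [string[]] $LogLines)
    # Matches the message text and the error code the TIP quotes for this condition.
    $LogLines | Where-Object { $_ -match 'Script is not signed|87D00327' }
}

# Constructed sample lines in the CMTrace-style layout the client logs use (not real log output).
$sampleLog = @(
    '<![LOG[Evaluating CI ScopeId_EXAMPLE/ConfigurationItem_EXAMPLE]LOG]!><time="10:15:01.900+000" date="02-16-2022" component="DcmWmiProvider" context="" type="1" thread="4120" file="example.cpp:100">',
    '<![LOG[Script is not signed (Error : 87D00327; Source: CCM)]LOG]!><time="10:15:02.113+000" date="02-16-2022" component="DcmWmiProvider" context="" type="3" thread="4120" file="example.cpp:301">'
)

# Usage:
# Get-ScriptSignatureReport -ScriptFolder 'C:\CM\DetectionScripts' | Where-Object { -not $_.WouldRunUnderAllSigned }
Find-UnsignedScriptErrors -LogLines $sampleLog
```

Run the signature report against the folder your configuration items and script deployments are built from; a script that reports NotSigned there is the one that will later surface as error 0x87D00327 in the Monitoring workspace. To read a real log, feed Get-Content on the client's DcmWmiProvider.log to Find-UnsignedScriptErrors instead of the constructed lines.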

Show notifications for new deployments


Choose Yes to display a notification for deployments available for less than a week. This message appears each
time the client agent starts.
Disable deadline randomization
After the deployment deadline, this setting determines whether the client uses an activation delay of up to two
hours to install required software updates. By default, the activation delay is disabled.
For virtual desktop infrastructure (VDI) scenarios, this delay helps distribute the CPU processing and data
transfer for a host machine with multiple virtual machines. Even if you don't use VDI, having many clients
installing the same updates at the same time can negatively increase CPU usage on the site server. This behavior
can also slow down distribution points, and significantly reduce the available network bandwidth.
If clients must install required software updates at the deployment deadline without delay, then configure this
setting to Yes .

IMPORTANT
Disabling randomization only applies to manual software update deployments. The setting doesn't apply to automatic
deployment rules for software updates or for other deployments such as applications.

Grace period for enforcement after deployment deadline (hours)


If you want to give users more time to install required application or software update deployments beyond the
deadline, set a value for this option. This grace period is for a computer turned off for an extended time, and the
user needs to install many application or update deployments. For example, this setting is helpful if a user
returns from vacation, and has to wait for a long time while the client installs overdue application deployments.
Set a grace period of 0 to 120 hours. Use this setting along with the deployment property Delay enforcement
of this deployment according to user preferences . For more information, see Deploy applications.
Enable Endpoint analytics data collection
Enables local data collection on the client for upload to Endpoint analytics. Set to Yes to configure devices for
local data collection. Set to No to disable local data collection. For more information, see Enroll Configuration
Manager devices into Endpoint analytics.

Computer restart
For more information about these settings, see Device restart notifications.

Delivery Optimization
You use Configuration Manager boundary groups to define and regulate content distribution across your
corporate network and to remote offices. Windows Delivery Optimization is a cloud-based, peer-to-peer
technology to share content between Windows devices. Configure Delivery Optimization to use your boundary
groups when sharing content among peers.

NOTE
Delivery Optimization is only available on Windows 10 or later clients.
Internet access to the Delivery Optimization cloud service is a requirement to utilize its peer-to-peer functionality. For
information about the needed internet endpoints, see Frequently asked questions for Delivery Optimization.
When using a CMG for content storage, the content for third-party updates won't download to clients if the
Download delta content when available client setting is enabled.

Use Configuration Manager Boundary Groups for Delivery Optimization Group ID


Choose Yes to apply the boundary group identifier as the Delivery Optimization group identifier on the client.
When the client communicates with the Delivery Optimization cloud service, it uses this identifier to locate peers
with the content. Enabling this setting also sets the Delivery Optimization download mode to the Group (2)
option on targeted clients.

NOTE
Microsoft recommends allowing the client to configure this setting via local policy rather than group policy. This allows the
boundary group identifier to be set as the Delivery Optimization group identifier on the client. For more information, see
Delivery Optimization.

Enable devices managed by Configuration Manager to use Microsoft Connected Cache servers for content
download
Choose Yes to allow clients to download content from an on-premises distribution point that you enable as a
Microsoft Connected Cache server. For more information, see Microsoft Connected Cache in Configuration
Manager.

Endpoint Protection
TIP
In addition to the following information, you can find details about using Endpoint Protection client settings in Example
scenario: Using Endpoint Protection to protect computers from malware.

Manage Endpoint Protection client on client computers


Choose Yes if you want to manage existing Endpoint Protection and Windows Defender clients on computers in
your hierarchy.
Choose this option if you've already installed the Endpoint Protection client, and want to manage it with
Configuration Manager. This separate installation includes a scripted process that uses a Configuration Manager
application or package and program. Windows 10 or later devices don't need to have the Endpoint Protection
agent installed. However, those devices will still need Manage Endpoint Protection client on client
computers enabled.
Install Endpoint Protection client on client computers
Choose Yes to install and enable the Endpoint Protection client on client computers that aren't already running
the client. Windows 10 or later clients don't need to have the Endpoint Protection agent installed.
NOTE
If the Endpoint Protection client is already installed, choosing No doesn't uninstall the Endpoint Protection client. To
uninstall the Endpoint Protection client, set the Manage Endpoint Protection client on client computers client
setting to No. Then, deploy a package and program to uninstall the Endpoint Protection client.

Allow Endpoint Protection client installation and restarts outside maintenance windows. Maintenance
windows must be at least 30 minutes long for client installation
Set this option to Yes to override typical installation behaviors with maintenance windows. This setting meets
business requirements for the priority of system maintenance for security purposes.
For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires
restarts)
Choose Yes to disable the write filter on the Windows Embedded device, and restart the device. This action
commits the installation on the device.
If you choose No, the client installs on a temporary overlay that clears when the device restarts. In this scenario,
the Endpoint Protection client doesn't fully install until another installation commits changes to the device. This
configuration is the default.
Suppress any required computer restarts after the Endpoint Protection client is installed
Choose Yes to suppress a computer restart after the Endpoint Protection client installs.

IMPORTANT
If the Endpoint Protection client requires a computer restart and this setting is No, then the computer restarts regardless
of any configured maintenance windows.

Allowed period of time users can postpone a required restart to complete the Endpoint Protection
installation (hours)
If a restart is necessary after the Endpoint Protection client installs, this setting specifies the number of hours
that users can postpone the required restart. This setting requires that you disable the following setting:
Suppress any required computer restarts after the Endpoint Protection client is installed.
Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services,
or UNC shares) for the initial definition update on client computers
Choose Yes if you want Configuration Manager to install only the initial definition update on client computers.
This setting can be helpful to avoid unnecessary network connections, and reduce network bandwidth, during
the initial installation of the definition update.

Enrollment
Polling interval for mobile device legacy clients
Select Set Interval to specify the length of time, in minutes or hours, that legacy mobile devices poll for policy.
These devices include macOS.
Polling interval for modern devices (minutes)
Enter the number of minutes that modern devices poll for policy. This setting is for Windows devices that are
managed through on-premises mobile device management (MDM).
Allow users to enroll mobile devices and Mac computers
To enable user-based enrollment of legacy devices, set this option to Yes, and then configure the following
setting:
Enrollment profile: Select Set Profile to create or select an enrollment profile. For more information, see
Configure client settings for enrollment.
Allow users to enroll modern devices
To enable user-based enrollment of modern devices, set this option to Yes, and then configure the following
setting:
Modern device enrollment profile: Select Set Profile to create or select an enrollment profile. For more
information, see Create an enrollment profile that allows users to enroll modern devices.

Hardware inventory
Enable hardware inventory on clients
By default, this setting is Yes . For more information, see Introduction to hardware inventory.
Hardware inventory schedule
Select Schedule to adjust the frequency that clients run the hardware inventory cycle. By default, this cycle
occurs every seven days.
Maximum random delay (minutes)
Specify the maximum number of minutes for the Configuration Manager client to randomize the hardware
inventory cycle from the defined schedule. This randomization across all clients helps load-balance inventory
processing on the site server. You can specify any value between 0 and 480 minutes. By default, this value is set
to 240 minutes (4 hours).
Maximum custom MIF file size (KB)
Specify the maximum size, in kilobytes (KB), allowed for each custom Management Information Format (MIF) file
that the client collects during a hardware inventory cycle. The Configuration Manager hardware inventory agent
doesn't process any custom MIF files that exceed this size. You can specify a size of 1 KB to 5,120 KB. By default,
this value is set to 250 KB. This setting doesn't affect the size of the regular hardware inventory data file.

NOTE
This setting is available only in the default client settings.

Hardware inventory classes


Select Set Classes to extend the hardware information that you collect from clients without manually editing
the sms_def.mof file. For more information, see How to configure hardware inventory.
Collect MIF files
Use this setting to specify whether to collect MIF files from Configuration Manager clients during hardware
inventory.
For a MIF file to be collected by hardware inventory, it must be in the correct location on the client computer. By
default, the files are located in the following paths:
IDMIF files should be in the Windows\System32\CCM\Inventory\Idmif folder.
NOIDMIF files should be in the Windows\System32\CCM\Inventory\Noidmif folder.

NOTE
This setting is available only in the default client settings.
Metered internet connections
Manage how Windows 8 and later computers use metered internet connections to communicate with
Configuration Manager. Internet providers sometimes charge by the amount of data that you send and receive
when you're on a metered internet connection.

NOTE
The configured client setting isn't applied in the following scenarios:
If the computer is on a roaming data connection, the Configuration Manager client doesn't perform any tasks that
require data to be transferred to Configuration Manager sites.
If the Windows network connection properties are configured as non-metered, the Configuration Manager client
behaves as if the connection is non-metered, and so transfers data to the site.

Client communication on metered internet connections


Choose one of the following options for this setting:
Allow: All client communications are allowed over the metered internet connection, unless the client
device is using a roaming data connection.
Limit: The client only communicates over the metered internet connection for the following behaviors:
Download client policy
Send client state messages
Request software installs from Software Center
Download additional policy and content for required deployments at the installation deadline

NOTE
On an application deployment, enable the option to Allow clients on a metered Internet
connection to download content after the installation deadline. This option is only available for
deployments with a purpose of Required. For more information, see Deploy applications.

If the client reaches the data transfer limit for the metered internet connection, the client no longer
communicates with the site.
Block: When the device is on a metered internet connection, the Configuration Manager client doesn't try
to communicate with the site. This option is the default.

IMPORTANT
The client always permits software installations from Software Center, regardless of the metered internet connection
settings. If the user requests a software installation while the device is on a metered network, Software Center honors the
user's intent.

Client install and update both work when you configure this client setting to Allow or Limit. This behavior
allows the client to stay current, but still manage the client communication on a metered network. You can
control this behavior during client install with the ccmsetup parameter /AllowMetered. For more information,
see About client installation parameters and properties.

Power management
Allow power management of devices
Set this option to Yes to enable power management on clients. For more information, see Introduction to power
management.
Allow users to exclude their device from power management
Choose Yes to let users of Software Center exclude their computer from any configured power management
settings.
Allow network wake-up
When you enable this setting, the client configures the power settings on the computer to allow the network
adapter to wake up the device. If you disable this setting, the computer's network adapter can't wake up the
device.
Enable wake-up proxy
Specify Yes to supplement the site's Wake On LAN setting, when it's configured for unicast packets.
For more information about wake-up proxy, see Plan how to wake up clients.

WARNING
Don't enable wake-up proxy in a production network without first understanding how it works and evaluating it in a test
environment.

Then, configure the following additional settings as needed:


Wake-up proxy port number (UDP): The port number that clients use to send wake-up packets to
sleeping computers. Keep the default port 25536, or change the number to a value of your choice.
Wake On LAN port number (UDP): Keep the default value of 9, unless you've changed the Wake On
LAN (UDP) port number on the Ports tab of the site Properties.

IMPORTANT
This number must match the number in the site Properties. If you change this number in one place, it isn't
automatically updated in the other place.

Windows Defender Firewall exception for wake-up proxy: The Configuration Manager client
automatically configures the wake-up proxy port number on devices that run Windows Defender
Firewall. Select Configure to specify the firewall profiles.
If clients run a different firewall, manually configure it to allow the Wake-up proxy port number
(UDP).
IPv6 prefixes if required for DirectAccess or other intervening network devices. Use a
comma to specify multiple entries: Enter the necessary IPv6 prefixes for wake-up proxy to function
on your network.

Remote tools
Enable Remote Control on clients, and Firewall exception profiles
Select Configure to enable the Configuration Manager remote control feature. Optionally, configure firewall
settings to allow remote control to work on client computers.
Remote control is disabled by default.
IMPORTANT
If you don't configure firewall settings, remote control might not work correctly.

Users can change policy or notification settings in Software Center


Choose whether users can change remote control options from within Software Center.
Allow Remote Control of an unattended computer
Choose whether an admin can use remote control to access a client computer that is logged off or locked. Only
a logged-on and unlocked computer can be remotely controlled when this setting is disabled.
Prompt user for Remote Control permission
Choose whether the client computer shows a message asking for the user's permission before allowing a
remote control session.
Prompt user for permission to transfer content from shared clipboard
Before transferring content from the shared clipboard in a remote control session, allow your users the
opportunity to accept or deny file transfers. Users only need to grant permission once per session. The viewer
can't give themselves permission to transfer the file.
Grant Remote Control permission to local Administrators group
Choose whether local admins on the server that starts the remote control connection can establish remote
control sessions to client computers.
Access level allowed
Specify the level of remote control access to allow. Choose from the following settings:
No Access
View Only
Full Control
Permitted viewers of Remote Control and Remote Assistance
Select Set Viewers to specify the names of the Windows users who can establish remote control sessions to
client computers.
Show session notification icon on taskbar
Configure this setting to Yes to show an icon on the client's Windows taskbar to indicate an active remote
control session.
Show session connection bar
Set this option to Yes to show a high-visibility session connection bar on clients, to indicate an active remote
control session.
Play a sound on client
Set this option to use sound to indicate when a remote control session is active on a client computer. Select one
of the following options:
No sound
Beginning and end of session (default)
Repeatedly during session
Manage unsolicited Remote Assistance settings
Configure this setting to Yes to let Configuration Manager manage unsolicited Remote Assistance sessions.
In an unsolicited Remote Assistance session, the user at the client computer didn't request assistance to start the
session.
Manage solicited Remote Assistance settings
Set this option to Yes to let Configuration Manager manage solicited Remote Assistance sessions.
In a solicited Remote Assistance session, the user at the client computer sent a request to the admin for remote
assistance.
Level of access for Remote Assistance
Choose the level of access to assign to Remote Assistance sessions that are started in the Configuration
Manager console. Select one of the following options:
None (default)
Remote Viewing
Full Control

NOTE
The user at the client computer must always grant permission for a Remote Assistance session to occur.

Manage Remote Desktop settings


Set this option to Yes to let Configuration Manager manage Remote Desktop sessions for computers.
Allow permitted viewers to connect by using Remote Desktop connection
Set this option to Yes to add users specified in the permitted viewer list to the Remote Desktop local user group
on clients.
Require network level authentication on computers that run Windows Vista operating system and later
versions
Set this option to Yes to use network-level authentication (NLA) to establish Remote Desktop connections to
client computers. NLA initially requires fewer remote computer resources, because it finishes user
authentication before it establishes a Remote Desktop connection. Using NLA is a more secure configuration.
NLA helps protect the computer from malicious users or software, and it reduces the risk from denial-of-service
attacks.
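As an added example (not from the Configuration Manager documentation), the following PowerShell reports on a client whether the Remote Desktop listener requires NLA, which security layer it uses, and who is in the local Remote Desktop Users group that permitted viewers are added to. It reads the Win32_TSGeneralSetting CIM class; the function name and its -Enforce switch are this script's own, not a client setting.

```powershell
function Get-RemoteDesktopAuthState {
    [CmdletBinding()]
    param(
        # Turn NLA on if it is found disabled (modifies the client; needs admin rights).
        [switch]$Enforce
    )

    # RDP-Tcp listener settings, including the NLA flag that the client setting controls.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    if (-not $ts) { throw 'RDP-Tcp listener not found; Remote Desktop Services may be disabled' }

    $nlaRequired = [bool]$ts.UserAuthenticationRequired
    if (-not $nlaRequired -and $Enforce) {
        Invoke-CimMethod -InputObject $ts -MethodName 'SetUserAuthenticationRequired' `
                         -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
        $nlaRequired = $true
    }

    # Accounts allowed to connect by Remote Desktop; permitted viewers land here when
    # "Allow permitted viewers to connect by using Remote Desktop connection" is Yes.
    $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)

    $layerNames = @{ 0 = 'RDP security layer'; 1 = 'Negotiate'; 2 = 'TLS' }
    if ($nlaRequired) {
        $finding = 'OK: user authentication completes before a session is created'
    } else {
        $finding = 'NLA disabled: remote computer resources are committed before the user authenticates'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NlaRequired        = $nlaRequired
        SecurityLayer      = $layerNames[[int]$ts.SecurityLayer]
        RemoteDesktopUsers = $members
        Finding            = $finding
    }
}

Get-RemoteDesktopAuthState | Format-List
```

Run it through Invoke-Command against a collection of clients to compare the reported state with the value you deployed in client settings.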

Software Center
Select the user portal
If you deploy the Company Portal to co-managed devices, configure this setting to Company Portal. This
setting makes sure that notifications from Configuration Manager and Intune both launch the Company Portal.
If a Configuration Manager notification is for a scenario that the Company Portal doesn't support, selecting the
notification launches Software Center.
If you install the Company Portal on a co-managed device, but configure this setting to Software Center, then
notifications from Configuration Manager launch Software Center. Notifications from Intune launch the
Company Portal. This behavior may confuse users, because they have to interact with two different portals.
The behavior of the Company Portal depends upon your co-management workload configuration. For more
information, see Use the Company Portal app on co-managed devices.
Select these new settings to specify company information
Set this option to Yes, and then select Customize to configure Software Center settings for your organization.
This action opens the Software Center Customization window.
Software Center settings
Software Center Customization - General
Company name: Specify the organization name that users see in Software Center.
Color scheme for Software Center: Select the primary color that Software Center uses. You can
choose from 48 basic colors, or define a custom color. By default, this color is Microsoft blue (Red: 0,
Green: 120, Blue: 212).
Foreground color for Software Center: Starting in version 2103, configure a custom color for the
foreground font. By default, this color is white (Red: 255, Green: 255, Blue: 255). For some customers,
their brand color doesn't work well with the default white font color for a selected item. This setting better
supports these customers and improves accessibility.
Select a logo for Software Center: Enable this setting, and then Browse to select an image to appear
in Software Center. The logo for Software Center has the following requirements:
A JPG, PNG, or BMP file.
Dimensions of 400 x 100 pixels.
A maximum file size of 750 KB.
No spaces in the file name.
Select a logo for notifications: Starting in version 2111, enable this setting to display a logo with
notifications on devices running Windows 10 or later. Because of how the image is used, it's separate
from the Software Center logo. The logo for notifications has the following requirements:
A JPG, PNG, or BMP file.
Square aspect ratio. For example, 100 x 100 pixels.
A maximum file size of 2 MB.
No spaces in the file name.
Hide unapproved applications in Software Center: When you enable this option, user-available
applications that require approval are hidden in Software Center.
Hide installed applications in Software Center: When you enable this option, applications that are
already installed no longer show in the Applications tab. This option is enabled by default. Installed
applications are still available for review under the Installation Status tab.
Hide Application Catalog link in Software Center: Enable this setting. The application catalog is no
longer supported. This link would appear on the Installation Status tab of Software Center.
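An added PowerShell check (not part of the original page) that validates a candidate image against the Software Center logo and notification logo requirements listed above before you configure them. The function name, its -Purpose parameter and the sample paths are this example's own; it decodes the image with System.Drawing to check real pixel dimensions rather than trusting the file name.

```powershell
function Test-SoftwareCenterLogo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # 'SoftwareCenter' = 400 x 100 px, max 750 KB; 'Notification' = square, max 2 MB
        [ValidateSet('SoftwareCenter', 'Notification')][string]$Purpose = 'SoftwareCenter'
    )
    Add-Type -AssemblyName System.Drawing
    $file = Get-Item -LiteralPath $Path
    $problems = [System.Collections.Generic.List[string]]::new()

    # Requirements common to both logos
    if ($file.Extension -notin @('.jpg', '.png', '.bmp')) {
        $problems.Add("File type '$($file.Extension)' is not JPG, PNG or BMP")
    }
    if ($file.Name -match '\s') { $problems.Add('File name contains a space') }

    # Decode the image to get the real pixel dimensions; release the file handle afterwards
    $img = [System.Drawing.Image]::FromFile($file.FullName)
    try { $width = $img.Width; $height = $img.Height } finally { $img.Dispose() }

    switch ($Purpose) {
        'SoftwareCenter' {
            if ($width -ne 400 -or $height -ne 100) { $problems.Add("Dimensions ${width}x${height} are not 400 x 100") }
            if ($file.Length -gt 750KB) { $problems.Add("Size $($file.Length) bytes exceeds 750 KB") }
        }
        'Notification' {
            if ($width -ne $height) { $problems.Add("Dimensions ${width}x${height} are not square") }
            if ($file.Length -gt 2MB) { $problems.Add("Size $($file.Length) bytes exceeds 2 MB") }
        }
    }

    [pscustomobject]@{
        Path     = $file.FullName
        Purpose  = $Purpose
        Width    = $width
        Height   = $height
        SizeKB   = [math]::Round($file.Length / 1KB, 1)
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Sample calls; the paths are placeholders for your own branding files
Test-SoftwareCenterLogo -Path 'C:\Branding\banner.png'
Test-SoftwareCenterLogo -Path 'C:\Branding\square.png' -Purpose Notification
```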
Software Center Customization - Tabs
Choose which tabs should be visible in Software Center. To move a tab to the Visible tabs list, select Add. To move
it to the Hidden tabs list, select Remove. To change the order of the tabs in Software Center, select Move Up
or Move Down.
Default tabs:
Applications
Updates
Operating Systems
Installation Status
Device Compliance
Options
You can also add up to five custom tabs:
1. Select Add tab.
2. Specify the Tab name and Content URL for your custom tab. Configuration Manager doesn't validate this
URL.
Select Delete Tab to remove a custom tab. Select Edit tab to change the configuration of a custom tab.

IMPORTANT
Some website features may not work in a custom tab in Software Center. Make sure to test the results before deploying
this to clients.
Specify only trusted or intranet website addresses when you add a custom tab.

Display custom tabs with Microsoft Edge WebView2 runtime

Applies to version 2103 and later


Enable this option for Software Center to use the Microsoft Edge WebView2 browser control. The WebView2
browser control provides improved security and user experience. For example, more websites should work with
these custom tabs without displaying script errors or security warnings.
If it's not already installed, the Configuration Manager client installs the Microsoft Edge WebView2 runtime
(fixed version) on the device. Clients download the WebView2 redistributable installation file from the
management point. The installer is over 100 MB in size. If you need to enable this setting on a large number of
clients, and are concerned about the effect of network usage, predeploy the WebView2 runtime as an
application. Use the software distribution features of Configuration Manager to better control the content
distribution and timing of software installation.

NOTE
If the client device isn't running .NET Framework version 4.6.2 or later, it falls back to use the Internet Explorer browser
control. Starting in version 2107, the client requires .NET version 4.6.2, and version 4.8 is recommended. For more
information, see Prerequisites for deploying clients to Windows computers.
When using custom tabs in certain circumstances, you may encounter the following exception:
Could not load type 'System.Runtime.InteropServices.Architecture' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
To work around the issue, update .NET Framework to version 4.7.1 or later for the client.

If you don't enable this option, Software Center uses the Windows built-in Internet Explorer browser control.
Software Center Customization - Defaults
Configure the Default application filter as either All or only Required applications. By default, it
shows all applications.
Software Center always uses your default setting. Users can change this filter, but Software Center doesn't
persist their preference.
Set the Default application view as either Tile view or List view. By default, it uses the tile view.
If a user changes this configuration, Software Center persists the user's preference in the future.
For more information on the appearance of these settings, see the Software Center user guide.

Software deployment
Schedule re-evaluation for deployments
Configure a schedule for when Configuration Manager reevaluates the requirement rules for all deployments.
The default value is every seven days.
IMPORTANT
This setting is more invasive to the local client than it is to the network or site server. A more aggressive reevaluation
schedule negatively affects the performance of your network and client computers. Microsoft doesn't recommend setting
a lower value than the default. If you change this value, closely monitor performance.

Start this action from a client as follows: in the Configuration Manager control panel, from the Actions tab,
select Application Deployment Evaluation Cycle.

Software inventory
Enable software inventory on clients
This option is set to Yes by default. For more information, see Introduction to software inventory.
Schedule software inventory and file collection
Select Schedule to adjust the frequency that clients run the software inventory and file collection cycles. By
default, this cycle occurs every seven days.
Inventory reporting detail
Specify one of the following levels of file information to inventory:
File only
Product only
Full details (default)
Inventory these file types
If you want to specify the types of file to inventory, select Set Types, and then configure the following options:

NOTE
If multiple custom client settings are applied to a computer, the inventory that each setting returns is merged.

Select New to add a new file type to inventory. Then specify the following information in the
Inventoried File Properties dialog box:
Name: Provide a name for the file that you want to inventory. Use an asterisk (*) wildcard to
represent any string of text, and a question mark (?) to represent any single character. For
example, if you want to inventory all files with the extension .doc, specify the file name *.doc.
Location: Select Set to open the Path Properties dialog box. Configure software inventory to
search all client hard disks for the specified file, search a specified path (for example, C:\Folder),
or search for a specified variable (for example, %windir%). You can also search all subfolders under
the specified path.
Exclude encrypted and compressed files: When you choose this option, any compressed or
encrypted files aren't inventoried.
Exclude files in the Windows folder: When you choose this option, any files in the Windows
folder and its subfolders aren't inventoried.
Select OK to close the Inventoried File Properties dialog box. Add all the files that you want to
inventory, and then select OK to close the Configure Client Setting dialog box.
Collect files
If you want to collect files from client computers, select Set Files, and then configure the following settings:

NOTE
If multiple custom client settings are applied to a computer, the inventory that each setting returns is merged.

In the Configure Client Setting dialog box, select New to add a file to be collected.
In the Collected File Properties dialog box, provide the following information:
Name: Provide a name for the file that you want to collect. Use an asterisk (*) wildcard to
represent any string of text, and a question mark (?) to represent any single character.
Location: Select Set to open the Path Properties dialog box. Configure software inventory to
search all client hard disks for the file that you want to collect, search a specified path (for example,
C:\Folder), or search for a specified variable (for example, %windir%). You can also search all
subfolders under the specified path.
Exclude encrypted and compressed files: When you choose this option, any compressed or
encrypted files aren't collected.
Stop file collection when the total size of the files exceeds (KB): Specify the file size, in
kilobytes (KB), after which the client stops collecting the specified files.

NOTE
The site server collects the five most recently changed versions of collected files, and stores them in the
<ConfigMgr installation directory>\Inboxes\Sinv.box\Filecol directory. If a file hasn't changed since the
last software inventory cycle, the file isn't collected again.
Software inventory doesn't collect files larger than 20 MB.
The value Maximum size for all collected files (KB) in the Configure Client Setting dialog box shows the
maximum size for all collected files. When this size is reached, file collection stops. Any files already collected are
retained and sent to the site server.

IMPORTANT
If you configure software inventory to collect many large files, this configuration might negatively affect the
performance of your network and site server.

For information about how to view collected files, see How to use Resource Explorer to view software
inventory.
Select OK to close the Collected File Properties dialog box. Add all the files that you want to collect,
and then select OK to close the Configure Client Setting dialog box.
Set Names
The software inventory agent retrieves manufacturer and product names from file header information. These
names aren't always standardized in the file header information. When you view software inventory in Resource
Explorer, different versions of the same manufacturer or product name can appear. To standardize these display
names, select Set Names, and then configure the following settings:
Name type: Software inventory collects information about both manufacturers and products. Choose
whether you want to configure display names for a Manufacturer or a Product.
Display name: Specify the display name that you want to use in place of the names in the Inventoried
names list. To specify a new display name, select New.
Inventoried names: To add an inventoried name, select New. This name is replaced in software
inventory by the name chosen in the Display name list. You can add multiple names to replace.

Software Metering
Enable software metering on clients
This setting is set to Yes by default. For more information, see Software metering.
Schedule data collection
Select Schedule to adjust the frequency that clients run the software metering cycle. By default, this cycle
occurs every seven days.

Software updates
Enable software updates on clients
Use this setting to enable software updates on Configuration Manager clients. When you disable this setting,
Configuration Manager removes existing deployment policies from clients. When you re-enable this setting, the
client downloads the current deployment policy.

IMPORTANT
When you disable this setting, compliance policies that rely on software updates will no longer function.

Software update scan schedule


Select Schedule to specify how often the client starts a compliance assessment scan. This scan determines the
state for software updates on the client (for example, required or installed). For more information about
compliance assessment, see Software updates compliance assessment.
By default, this scan uses a simple schedule to start every seven days. You can create a custom schedule. You can
specify an exact start day and time, use Coordinated Universal Time (UTC) or the local time, and configure the
recurring interval for a specific day of the week.

NOTE
If you specify an interval of less than one day, Configuration Manager automatically defaults to one day.

WARNING
The actual start time on client computers is the start time plus a random amount of time, up to two hours. This
randomization prevents client computers from initiating the scan and simultaneously connecting to the active software
update point.

Schedule deployment re-evaluation


Select Schedule to configure how often the software updates client agent reevaluates software updates for
installation status on Configuration Manager client computers. When previously installed software updates are
no longer found on clients but are still required, the client reinstalls the software updates.
Adjust this schedule based on company policy for software update compliance, and whether users can uninstall
software updates. Every deployment re-evaluation cycle results in network and client computer processor
activity. By default, this setting uses a simple schedule to start the deployment re-evaluation scan every seven
days.

NOTE
If you specify an interval of less than one day, Configuration Manager automatically defaults to one day.

Allow user proxy for software update scans


(Introduced in version 2010)
Beginning with the September 2020 cumulative update, HTTP-based WSUS servers will be secure by default. A
client scanning for updates against an HTTP-based WSUS will no longer be allowed to leverage a user proxy by
default. Set this option to Yes to allow these connections if you require a user proxy despite the security
trade-offs. By default, this setting is set to No. For more information about the changes for scanning WSUS, see
September 2020 changes to improve security for Windows devices scanning WSUS. To ensure that the best
security protocols are in place, we highly recommend that you use the TLS/SSL protocol to help secure your
software update infrastructure.
Enforce TLS certificate pinning for Windows Update client for detecting updates
(Introduced in version 2103)
Further increase the security of HTTPS scans against WSUS by enforcing certificate pinning. To use certificate
pinning, ensure your WSUS server is enabled for TLS/SSL, and add the certificates for the WSUS servers to the
new WindowsServerUpdateServices certificate store on your clients. For more information about certificate
pinning for devices scanning HTTPS-configured WSUS servers, see secure your software update infrastructure.
The following settings are available starting in Configuration Manager version 2103:
No: Don't enable enforcement of TLS certificate pinning for WSUS scanning
Yes: Enables enforcement of TLS certificate pinning for devices during WSUS scanning (default)
When any software update deployment deadline is reached, install all other software update deployments
with deadline coming within a specified period of time
Set this option to Yes to install all software updates from required deployments with deadlines occurring within
a specified period of time. When a required software update deployment reaches a deadline, the client starts
installation for the software updates in the deployment. This setting determines whether to install software
updates from other required deployments that have a deadline within the specified time.
Use this setting to speed up installation for required software updates. This setting also has the potential to
increase client security, decrease notifications to the user, and decrease client restarts. By default, this setting is
set to No.
Period of time for which all pending deployments with deadline in this time will also be installed
Use this setting to specify the period of time for the previous setting. You can enter a value from 1 to 23 hours,
and from 1 to 365 days. By default, this setting is configured for seven days.
Allow clients to download delta content when available
Set this option to Yes to allow clients to use delta content files. This setting allows the Windows Update Agent
on the device to determine what content is needed and selectively download it.
Before enabling this client setting, ensure Delivery Optimization is configured appropriately for your
environment. For more information, see Windows Delivery Optimization and the Delivery Optimization
client setting.
This client setting replaces Enable installation of Express installation files on clients. Set this
option to Yes to allow clients to use express installation files. For more information, see Manage Express
installation files for Windows 10 updates.
When this option is set, delta download is used for all Windows update installation files, not just express
installation files.
When using a CMG for content storage, the content for third-party updates won't download to clients if
the Download delta content when available client setting is enabled.
Port that clients use to receive requests for delta content
This setting configures the local port for the HTTP listener to download delta content. It's set to 8005 by default.
You don't need to open this port in the client firewall.

NOTE
This client setting replaces Port used to download content for Express installation files.

If content is unavailable from distribution points in the current boundary group, immediately fallback to a
neighbor or the site default
(Introduced in version 2010)
If delta content is unavailable from distribution points in the current boundary group, you can allow immediate
fallback to a neighbor or the site default boundary group distribution points. This setting is useful when using
delta content for software updates since the timeout setting per download job is 5 minutes. The following
options are available:
Yes: For delta content, the client doesn't wait to reach the fallback time (in minutes) defined by the
Boundary Group relationship. Clients immediately fall back to a neighbor or the site default content
distribution points when both of the following conditions are met:
  - Delta content is unavailable from distribution points in the current boundary group.
  - The software update deployment allows fallback.
No (default): The client honors the fallback time (in minutes) defined by the Boundary Group relationship
when it's allowed on the software update deployment. Delta download content may fail with a timeout
even if the update content is available on a neighbor or the site default distribution point group.

NOTE
This setting is for delta content only.

Enable management of the Office 365 Client Agent


When you set this option to Yes, it enables the configuration of Microsoft 365 Apps installation settings. It also
enables downloading files from Office Content Delivery Networks (CDNs), and deploying the files as an
application in Configuration Manager. For more information, see Manage Microsoft 365 Apps.
Enable update notifications from Microsoft 365 Apps
(Introduced in version 2111)
You can configure the end-user experience for Microsoft 365 Apps updates. This client setting allows you to
enable or disable notifications from Microsoft 365 Apps for these updates. The following options are available
for the setting:
No: Doesn't display Microsoft 365 Apps updates notifications from Microsoft 365 Apps (default)
Yes: Displays Microsoft 365 Apps updates notifications from Microsoft 365 Apps
Which notifications are displayed to the user about updates for Microsoft 365 Apps is also determined by the
settings for per deployment notifications from Software Center. If the deployment's user notifications from
Software Center are disabled (found on the User Experience page for the deployment), then the end user
won't receive any notifications from either Software Center or Microsoft 365 Apps, regardless of how
notifications from Microsoft 365 Apps are set. If notifications from both Software Center and Microsoft 365
Apps are enabled, then the end user will receive notifications from Software Center and Microsoft 365 Apps.
Below is a chart of which notifications for Microsoft 365 Apps updates are displayed to the end user for these
settings:

Setting                                                Display per deployment Software Center notifications    Hide per deployment Software Center notifications

Enable update notifications from Microsoft 365 Apps:   User receives notifications from Software Center        No notifications from Software Center
Yes                                                    User receives notifications from Microsoft 365 Apps     No notifications from Microsoft 365 Apps

Enable update notifications from Microsoft 365 Apps:   User receives notifications from Software Center        No notifications from Software Center
No                                                     No notifications from Microsoft 365 Apps                No notifications from Microsoft 365 Apps

Enable installation of software updates in "All deployments" maintenance window when "Software Update"
maintenance window is available
When you set this option to Yes, and the client has at least one "Software Update" maintenance window defined,
software updates will install during an "All deployments" maintenance window.
By default, this setting is set to No. This value uses the same behavior as before: if both types exist, it ignores the
"All deployments" window.

NOTE
This setting also applies to maintenance windows that you configure to apply to Task sequences.
If the client only has an All deployments window available, it still installs software updates or task sequences in that
window.

Maintenance window example


For example, you configure the following maintenance windows:
All deployments: 02:00 - 04:00
Software updates: 04:00 - 06:00
By default, the client only installs software updates during the second maintenance window. It ignores the
maintenance window for all deployments in this scenario. When you change this setting to Yes, the client installs
software updates between 02:00 - 06:00.
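The maintenance window example above, generalized to any set of windows, as an added example (this is this page's editor's illustration, not Configuration Manager's own code). It keeps the page's rules: by default only "Software updates" windows count when at least one exists, the client still uses an "All deployments" window when that is the only kind available, and with the setting at Yes both kinds are merged. The window format "HH:MM - HH:MM" and the function names are this example's own assumptions.

```python
# Added example (not Configuration Manager code): in which windows may software
# updates install, for both values of the client setting "Enable installation of
# software updates in 'All deployments' maintenance window when 'Software
# Update' maintenance window is available".
from typing import List, Tuple

Window = Tuple[str, int, int]   # (kind, start minute of day, end minute of day)
ALL_DEPLOYMENTS = "All deployments"
SOFTWARE_UPDATES = "Software updates"
Interval = Tuple[int, int]


def parse_window(kind: str, text: str) -> Window:
    """Parse a window written the way the page writes it, e.g. '02:00 - 04:00'."""
    start_text, end_text = (part.strip() for part in text.split("-"))

    def to_minutes(hhmm: str) -> int:
        hours, minutes = hhmm.split(":")
        return int(hours) * 60 + int(minutes)

    start, end = to_minutes(start_text), to_minutes(end_text)
    if not 0 <= start < end <= 24 * 60:
        raise ValueError(f"invalid maintenance window {text!r}")
    return (kind, start, end)


def merge(intervals: List[Interval]) -> List[Interval]:
    """Coalesce overlapping or back-to-back intervals (04:00 ends where 04:00 starts)."""
    merged: List[Interval] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def update_windows(windows: List[Window], allow_all_deployments_window: bool) -> List[Interval]:
    """Intervals in which the client installs software updates.

    allow_all_deployments_window=False (the default, setting No): when any
    'Software updates' window exists, only those windows count and the
    'All deployments' windows are ignored; when no 'Software updates' window
    exists the client still uses the 'All deployments' windows (per the NOTE).
    allow_all_deployments_window=True (setting Yes): both kinds count.
    """
    updates = [(s, e) for kind, s, e in windows if kind == SOFTWARE_UPDATES]
    everything = [(s, e) for kind, s, e in windows if kind == ALL_DEPLOYMENTS]
    if allow_all_deployments_window or not updates:
        return merge(updates + everything)
    return merge(updates)


def fmt(intervals: List[Interval]) -> str:
    """Render intervals back in the page's 'HH:MM - HH:MM' notation."""
    return ", ".join(f"{s // 60:02d}:{s % 60:02d} - {e // 60:02d}:{e % 60:02d}" for s, e in intervals)


if __name__ == "__main__":
    # The page's scenario, constructed here as sample input.
    configured = [
        parse_window(ALL_DEPLOYMENTS, "02:00 - 04:00"),
        parse_window(SOFTWARE_UPDATES, "04:00 - 06:00"),
    ]
    print("setting No: ", fmt(update_windows(configured, False)))   # 04:00 - 06:00
    print("setting Yes:", fmt(update_windows(configured, True)))    # 02:00 - 06:00
```

Running the block prints the page's two outcomes; feeding it a client's full window list shows at a glance whether an update deployment can ever run, which is the usual question when a deployment sits at "past due" without installing.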
Specify thread priority for feature updates
You can adjust the priority with which supported versions of Windows 10 or later clients install a feature update
through Windows servicing. This setting has no impact on Windows in-place upgrade task sequences.
This client setting provides the following options:
Not Configured: Configuration Manager doesn't change the setting. Admins can pre-stage their own
setupconfig.ini file. This value is the default.
Normal: Windows Setup uses more system resources and updates faster. It uses more processor time, so
the total installation time is shorter, but the user's outage is longer.
  Configures the setupconfig.ini file on the device with the /Priority Normal Windows setup command-line
  option.
Low: You can continue to work on the device while it downloads and updates in the background. The
total installation time is longer, but the user's outage is shorter. You may need to increase the update max
run time to avoid a time-out when you use this option.
  Removes the /Priority Windows setup command-line option from the setupconfig.ini file.
Enable third party software updates
When you set this option to Yes, it sets the policy for Allow signed updates for an intranet Microsoft
update service location and installs the signing certificate to the Trusted Publisher store on the client.
Enable Dynamic Update for feature updates
Use this setting to configure Dynamic Update for Windows. Dynamic Update installs language packs, features
on demand, drivers, and cumulative updates during Windows setup by directing the client to download these
updates from the internet. When this setting is set to either Yes or No, Configuration Manager modifies the
setupconfig file that is used during feature update installation.
Not Configured - The default value. No changes are made to the setupconfig file.
Dynamic Update is enabled by default on all supported versions of Windows 10 or later.
For Windows 10, version 1803 and earlier, Dynamic Update checks the device's WSUS server
for approved dynamic updates. In Configuration Manager environments, dynamic updates are
never directly approved in the WSUS server so these devices don't install them.
Starting with Windows 10, version 1809, Dynamic Update uses the device's internet connection
to get dynamic updates from Microsoft Update. These dynamic updates aren't published for
WSUS use.
Yes - Enables Dynamic Update.
No - Disables Dynamic Update.

State Messaging
State message reporting cycle (minutes)
Specifies how often clients report state messages. This setting is 15 minutes by default.

User and device affinity


User device affinity usage threshold (minutes)
Specify the number of minutes before Configuration Manager creates a user device affinity mapping. By default,
this value is 2880 minutes (two days).
User device affinity usage threshold (days)
Specify the number of days over which the client measures the threshold for usage-based device affinity. By
default, this value is 30 days.

NOTE
For example, you specify User device affinity usage threshold (minutes) as 60 minutes, and User device affinity
usage threshold (days) as 5 days. Then the user must use the device for 60 minutes over a period of 5 days to create
automatic affinity with the device.
Automatically configure user device affinity from usage data
Choose Yes to create automatic user device affinity based on the usage information that Configuration Manager
collects.
Allow user to define their primary devices
When this setting is Yes, users can identify their own primary devices in Software Center. For more information,
see the Software Center user guide.

NOTE
Default values are:
User device affinity usage threshold (minutes): 2880
User device affinity usage threshold (days): 30
Automatically configure user device affinity from usage data: No
Allow user to define their primary devices: No

Windows Diagnostic Data


IMPORTANT
This group was previously called Windows Analytics. Microsoft retired the Windows Analytics service on January 31,
2020. For more information, see KB 4521815: Windows Analytics retirement on January 31, 2020.
Desktop Analytics is the evolution of Windows Analytics. Use Desktop Analytics to manage Windows diagnostic data
settings. For more information, see What is Desktop Analytics.
Device restart notifications in Configuration Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


The notifications a user receives for a pending device restart can vary depending on the Computer restart client
settings and which version of Configuration Manager you use. This article helps you configure the user
experience for pending device restart notifications.

NOTE
By default, Windows 11 enables focus assist for the first hour after a user signs on for the first time. For more
information, see Reaching the Desktop and the Quiet Period.
Software Center notifications are currently suppressed during this time. For more information, see Turn Focus assist on or
off in Windows.

Deployment types for restart notifications


The Computer restart client settings change the user experience for all required deployments that require a
restart of the following types:
Application
Task sequence
Software update

Restart notification types


When a device requires a restart, the client shows a notification to the end user of the upcoming restart.
Toast notification
A Windows toast notification informs the user that the device needs to restart. The information in the toast
notification can be different depending on which version of Configuration Manager you're running. This type of
notification is native to the Windows OS. You may also see third-party software using this type of notification.

Software Center notification with snooze


Software Center shows a notification with a snooze option and the time remaining before it forces the devices to
restart. The message may be different depending on your version of Configuration Manager.
Software Center final countdown notification
Software Center shows this final countdown notification that the user can't close or snooze.

Starting in version 1906, the user won't see a progress bar in the restart notification until the pending restart is
less than 24 hours away.
Software Center notification before deadline
If the user proactively installs required software before the deadline, and it requires a restart, they'll see a
different notification. The following notification occurs when both the user experience setting allows
notifications and you don't use toast notifications for the deployment. For more information about configuring
these settings, see Deployment User Experience settings and User notifications for required deployments.
Available apps
When you don't use toast notifications, the dialog for software marked as Available is similar to proactively
installed software. For Available software, the notification doesn't have a deadline for the restart and the user
can choose their own snooze interval. For more information, see Approval settings.

Software Center notification of required restart


Starting in version 2006, you can configure client settings to prevent devices from automatically restarting
when a deployment requires it. When a required deployment needs the device to restart, but you disable the
client setting Configuration Manager can force a device to restart, you see the following notification:
If you Snooze this notification, it will show again based on how you configure the frequency of restart reminder
notifications. The device won't restart until you select Restart or manually restart Windows.

NOTE
By default, Configuration Manager can still force devices to restart.

Client settings
To control the client restart behaviors, configure the following device client settings in the Computer Restart
group. For more information, see How to configure client settings.
Configuration Manager can force a device to restart
Starting in version 2006, you can configure client settings to prevent devices from automatically restarting
when a deployment requires it. Configuration Manager enables this setting by default.

IMPORTANT
This client setting applies to all application, software update, and package deployments to the device. Until a user
manually restarts the device:
Software updates and app revisions may not be fully installed
Additional software installs may not happen

When you disable this setting, you can't specify the amounts of time after the deadline that the device is
restarted or the user is presented a final countdown notification.

NOTE
To take full advantage of new Configuration Manager features, after you update the site, also update clients to the latest
version. While new functionality appears in the Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.

Specify the amount of time after the deadline before a device gets restarted (minutes)
This setting must be shorter in duration than the shortest maintenance window applied to the computer. For
more information about maintenance windows, see How to use maintenance windows.
The default value is 90 minutes. Starting in version 1906, the maximum value increased from 1440 minutes (24
hours) to 20160 minutes (two weeks).

NOTE
This setting was previously titled Display a temporary notification to the user that indicates the interval
before the user is logged off or the computer restarts (minutes).

Specify the amount of time that a user is presented a final countdown notification before a device gets
restarted (minutes)
This setting must be shorter in duration than the shortest maintenance window applied to the computer. For
more information about maintenance windows, see How to use maintenance windows.
The default value is 15 minutes.
NOTE
This setting was previously titled Display a dialog box that the user cannot close, which displays the
countdown interval before the user is logged off or the computer restarts (minutes).

Specify the frequency of reminder notifications presented to the user, after the deadline, before a device
gets restarted (minutes)
Starting in version 1906
This frequency duration value should be less than the value of Specify the amount of time after the
deadline before a device gets restarted (minutes) minus the value of Specify the amount of time that
a user is presented a final countdown notification before a device gets restarted (minutes).
Otherwise, the reminder notifications won't work.
The default value is 240 minutes.

NOTE
This setting was previously titled Specify the snooze duration for computer restart countdown notifications
(minutes).

When a deployment requires a restart, show a dialog window to the user instead of a toast notification
To change the user experience to be more intrusive, configure this setting to Yes. This setting applies to all
deployments of applications, task sequences, and software updates. For more information, see User
notifications.
When a deployment requires a restart, allow low-rights users to restart a device running Windows Server
For a low-rights user on a device that runs Windows Server, by default they aren't assigned the user rights to
restart Windows. When you target a deployment to this device, this user can't manually restart. For example,
they can't restart Windows to install software updates. Starting in version 2010, you can now control this
behavior as needed.

IMPORTANT
Allowing low-rights users to restart a server can potentially impact other users or services.

Device restart notifications


Some customers prefer frequent restart notifications and allowing users a short time frame to postpone. Others
allow users to postpone a restart for longer periods of time, and infrequently notify users of the pending restart.
You have control over the timing and frequency of restart notifications.
Install required software at or after the deadline
When required software is installed at or after the deadline, your users will see notifications depending on what
client settings you selected.
If the setting When a deployment requires a restart, show a dialog window to the user instead of a
toast notification is set to:
No: Windows shows toast notifications until the deployment reaches the final countdown notification.
Yes: Software Center shows a notification:
If the restart is greater than 24 hours away, it shows an estimated restart time. The timing of this
notification is based on the setting: Specify the amount of time after the deadline before a
device gets restarted (minutes).

If the restart is less than 24 hours away, it shows a progress bar. The timing of this notification is
based on the setting: Specify the amount of time after the deadline before a device gets
restarted (minutes).

If the user selects Snooze, another temporary notification shows after the snooze period elapses. This behavior
assumes it hasn't yet reached the final countdown. The timing of the next notification is based on the setting:
Specify the frequency of reminder notifications presented to the user, after the deadline, before a
device gets restarted (minutes). If the user selects Snooze, and your snooze interval is one hour, then
Software Center notifies the user again in 60 minutes. This behavior assumes it hasn't yet reached the final
countdown.
When it reaches the final countdown, Software Center shows the user a notification they can't close. The
progress bar is in red and the user can't Snooze it.
Proactively install required software before the deadline
If the user proactively installs required software that needs restart before the deadline, they'll see a different
notification. For more information about configuring these settings, see Deployment User Experience settings
and User notifications for required deployments.
The following notification occurs when both the user experience setting allows notifications and you don't use
toast notifications for the deployment:

Once the deployment reaches its deadline, Software Center follows the behavior to Install required software at
or after the deadline.

Example configurations
The following examples describe how to configure the client settings to achieve specific behaviors.

NOTE
If the user puts the device to sleep, it doesn't pause or interrupt a countdown. For example, a restart countdown is
halfway into a four-hour timer, and the user puts the device to sleep. 12 hours later the user wakes up the device. The
device restarts, as it's past the deadline.

Reminders are off


Setting                                                                                                                              Value
Specify the amount of time after the deadline before a device gets restarted (minutes)                                               180
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes)          60
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes)  240
When a deployment requires a restart, show a dialog window to the user instead of a toast notification                               No

The device will restart three hours (180 minutes) after the deployment deadline. One hour (60 minutes) before
it restarts, the user sees a countdown that they can't close or snooze. The first reminder notification is set to start
four hours (240 minutes) after the deadline, which is after the restart. So the user doesn't see any reminders.
Low reminder frequency
Setting                                                                                                                              Value
Specify the amount of time after the deadline before a device gets restarted (minutes)                                               7200
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes)          120
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes)  900
When a deployment requires a restart, show a dialog window to the user instead of a toast notification                               Yes

The device will restart five days (7200 minutes) after the deployment deadline. Two hours (120 minutes) before
it restarts, the user sees a countdown that they can't close or snooze. This configuration allows for 118 hours to
show reminders ((7200 - 120) / 60). 15 hours (900 minutes) after the deadline, Software Center displays the
first reminder. It displays a maximum of six additional reminders every 15 hours (900 minutes). The user sees
the reminder as a window on the screen, instead of a notification that disappears in a few seconds.
High reminder frequency
Setting                                                                                                                              Value
Specify the amount of time after the deadline before a device gets restarted (minutes)                                               2880
Specify the amount of time that a user is presented a final countdown notification before a device gets restarted (minutes)          60
Specify the frequency of reminder notifications presented to the user, after the deadline, before a device gets restarted (minutes)  30
When a deployment requires a restart, show a dialog window to the user instead of a toast notification                               Yes

The device will restart two days (2880 minutes) after the deployment deadline. One hour (60 minutes) before it
restarts, the user sees a countdown that they can't close or snooze. This configuration allows for 47 hours to
show reminders ((2880 - 60) / 60). 30 minutes after the deadline, Software Center displays the first reminder.
It displays a maximum of 92 additional reminders every 30 minutes. The user sees the reminder as a window
on the screen, instead of a notification that disappears in a few seconds.
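The three example configurations above, worked through in code as an added example (this page's editor's illustration, not Configuration Manager's own scheduling logic). The model applies the page's stated rules: the device restarts the configured number of minutes after the deadline, the final countdown occupies the last stretch before that and can't be snoozed, and reminders repeat at the configured frequency only while they land before the countdown begins, so a frequency that isn't smaller than (restart time minus countdown) yields no reminders at all. The class and function names are this example's own assumptions; sleep doesn't pause the timer, so nothing here models it.

```python
# Added example (not Configuration Manager code): models the notification
# timeline produced by the Computer Restart client settings. All times are in
# minutes after the deployment deadline.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RestartSettings:
    restart_after_deadline: int    # "Specify the amount of time after the deadline before a device gets restarted"
    final_countdown: int           # "... time that a user is presented a final countdown notification ..."
    reminder_frequency: int        # "... frequency of reminder notifications ... after the deadline ..."
    dialog_instead_of_toast: bool  # "... show a dialog window to the user instead of a toast notification"


@dataclass(frozen=True)
class RestartTimeline:
    restart_at: int            # when the device restarts
    countdown_starts_at: int   # when the non-dismissable countdown begins
    reminders_at: List[int]    # when each reminder fires (empty if none can fire)

    @property
    def reminder_count(self) -> int:
        return len(self.reminders_at)


def reminders_possible(s: RestartSettings) -> bool:
    # The page's rule: the frequency must be less than (restart time - final
    # countdown); otherwise the first reminder would land inside or after the
    # countdown and no reminder is ever shown.
    return s.reminder_frequency < s.restart_after_deadline - s.final_countdown


def build_timeline(s: RestartSettings) -> RestartTimeline:
    if min(s.restart_after_deadline, s.final_countdown, s.reminder_frequency) <= 0:
        raise ValueError("all timing values must be positive minutes")
    if s.final_countdown >= s.restart_after_deadline:
        raise ValueError("final countdown must be shorter than the time until restart")
    countdown_starts_at = s.restart_after_deadline - s.final_countdown
    reminders: List[int] = []
    if reminders_possible(s):
        t = s.reminder_frequency
        # A reminder repeats every <frequency> minutes (a Snooze re-arms the same
        # interval) until the final countdown takes over; the countdown can't be
        # snoozed, so nothing fires at or after it begins.
        while t < countdown_starts_at:
            reminders.append(t)
            t += s.reminder_frequency
    return RestartTimeline(s.restart_after_deadline, countdown_starts_at, reminders)


def describe(s: RestartSettings) -> str:
    """One-paragraph summary in the style of the page's example configurations."""
    tl = build_timeline(s)
    style = "a dialog window" if s.dialog_instead_of_toast else "a toast notification"
    if tl.reminder_count == 0:
        reminders = "The user doesn't see any reminders."
    else:
        reminders = (f"The first reminder appears {tl.reminders_at[0]} minutes after the deadline, "
                     f"followed by up to {tl.reminder_count - 1} more every {s.reminder_frequency} "
                     f"minutes, each shown as {style}.")
    return (f"The device restarts {tl.restart_at} minutes after the deadline; the final countdown "
            f"starts {tl.countdown_starts_at} minutes after the deadline. {reminders}")


# The page's three example configurations, constructed from its tables.
REMINDERS_OFF = RestartSettings(180, 60, 240, dialog_instead_of_toast=False)
LOW_FREQUENCY = RestartSettings(7200, 120, 900, dialog_instead_of_toast=True)
HIGH_FREQUENCY = RestartSettings(2880, 60, 30, dialog_instead_of_toast=True)

if __name__ == "__main__":
    for name, cfg in (("Reminders are off", REMINDERS_OFF),
                      ("Low reminder frequency", LOW_FREQUENCY),
                      ("High reminder frequency", HIGH_FREQUENCY)):
        print(f"{name}: {describe(cfg)}")
```

Running it reproduces the page's counts (no reminders; a first reminder at 900 minutes plus six more; a first reminder at 30 minutes plus 92 more). Checking a proposed configuration with reminders_possible() before deploying it catches the silent failure the page warns about, where the reminder frequency is too large and users get no warning until the final countdown.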
Log files
To troubleshoot device restarts, use the RebootCoordinator.log and SCNotify.log files on the client. Based on
the specific type of deployment, you may also have to use additional client log files.

Next steps
How to configure client settings
Application deployment User Experience settings
User notifications for required app deployments
How to configure Wake on LAN in Configuration Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


Specify Wake on LAN (WoL) settings for Configuration Manager when you want to bring computers out of a
sleep state.

Wake on LAN starting in version 1810


Starting in Configuration Manager 1810, there's a new way to wake up sleeping machines. You can wake up
clients from the Configuration Manager console, even if the client isn't on the same subnet as the site server. If
you need to do maintenance or query devices, you're not limited by remote clients that are asleep. The site
server uses the client notification channel to identify other clients that are awake on the same remote subnet,
then uses those clients to send a wake on LAN request (magic packet). Using the client notification channel
helps avoid MAC flaps, which could cause the port to be shut down by the router. The new version of Wake on
LAN can be enabled at the same time as the older version.
Prerequisites and limitations
At least one client in the target subnet must be awake.
This feature doesn't support the following network technologies:
IPv6
802.1x network authentication
802.1x network authentication may work with additional configuration depending on the
hardware and its configuration.
DHCP lease durations can't be set to infinite.
With Configuration Manager version 2010 and later, if the DHCP lease is set to infinite a client won't
be woken up or used as a peer to wake other devices.
With Configuration Manager version 2006 and earlier, you may see the
SleepAgent_<domain>@SYSTEM_0.log become very large and possibly a broadcast storm in
environments where DHCP leases are set to infinite.
Limitations for Configuration Manager version 2006 and earlier:
Machines only wake when you notify them through the Wake Up client notification.
For wake-up when a deadline occurs, the older version of Wake on LAN is used.
Starting in Configuration Manager version 2010, you can wake up at deadline with the new
version of WoL. For more information, see Notify client to wake when a deployment deadline
occurs.
If the older version isn't enabled, client wake-up won't occur for deployments created with the settings
Use Wake-on-LAN to wake up clients for required deployments or Send wake-up packets.
Security role permissions
Notify resource under the Collection category
Configure the clients to use Wake on LAN starting in version 1810
Previously you had to manually enable the client for wake on LAN in the properties of the network adapter.
Configuration Manager 1810 includes a new client setting called Allow network wake-up. Configure and
deploy this setting instead of modifying the properties of the network adapter.
1. Under Administration, go to Client Settings.
2. Select the client settings you want to edit, or create new custom client settings to deploy. For more
information, see How to configure client settings.
3. Under the Power Management client settings, select Enable for the Allow network wake-up setting.
For more information about this setting, see About client settings.
4. Starting in Configuration Manager 1902, the new version of Wake on LAN honors the custom UDP port
you specify for the Wake On LAN port number (UDP) client setting. This setting is shared by both the
new and older version of Wake on LAN.
Wake up a client using client notification starting in 1810
You can wake up a single client or any sleeping clients in a collection. For devices that are already awake in the
collection, no action is taken for them. Only clients that are asleep will be sent a Wake on LAN request. For more
information on how to notify a client to wake, see Client notification.
To wake up a single client: Right-click on the client, go to Client Notification, then select Wake up.

To wake up all sleeping clients in a collection: Right-click on the device collection, go to Client
Notification, then select Wake up.
This action can't be run on built-in collections.
When you have a mix of asleep and awake clients in a collection, only the clients that are asleep are
sent a Wake on LAN request.
Starting in Configuration Manager 2002, this action is available from a console connected to a Central
Administration site, a stand-alone site, or child primary site.
In versions 1910 and earlier, this action is only active when the Configuration Manager console is
connected to a stand-alone or child primary site. When connected to a Central Administration Site, the
action isn't available.
Wake machine at deployment deadline using peer clients on the same remote subnet
(Introduced in version 2010)
Starting in Configuration Manager version 2010, you can allow the site to wake devices at the deadline of a
deployment, using the client notification channel. Instead of the site server issuing the magic packet directly, the
site uses the client notification channel to find an online machine in the last known subnet of the target device(s)
and instructs the online client to issue the WoL packet for the target device.
Prerequisites for waking a client at deadline using the client notification channel
Target computer prerequisites:
Offline
Updated to latest Configuration Manager client version
Targeted with a Required deployment with a Deadline and the Send wake-up packets option enabled.
Prerequisites for the computer sending the WoL magic packet to the target computer:
Online
Updated to latest client version
On the same subnet as the target computer
Enable waking a client at deadline using the client notification channel
1. At the site level, enable Wake on LAN:
a. In the Configuration Manager console, go to Administration > Site Configuration > Sites.
b. Select the primary site to configure, and then choose Properties.
c. On the Wake on LAN tab, select Enable Wake On LAN for this site and send the wake-up packets Using client notification channel.
d. Select OK and repeat the procedure for all primary sites in the hierarchy.

2. Verify Allow network wake-up under the Power Management client settings is enabled.
3. Create a deployment as Required with the Send wake-up packages option and a Deadline. Clients are sent a notification when a deadline is received on deployments such as task sequences, software distribution, or software updates installation.
What to expect when only the new version of Wake on LAN is enabled
When you have only the new version of Wake on LAN enabled, only the Wake Up client notification is enabled.
Clients aren't sent a notification when a deadline is received on deployments such as task sequences, software
distribution, or software updates installation. Once a sleeping machine is back online, it will be reflected in the
console when it checks in with the Management Point.
Starting in Configuration Manager version 1902, you can specify the Wake on LAN port. This setting is
shared by both the new and older version of Wake on LAN.
Starting in Configuration Manager version 2010, you can use the client notification channel to wake
clients when a deadline is received on deployments such as task sequences, software distribution, or
software updates installation. For more information, see Use the client notification channel to wake a
client when a deployment deadline occurs.

What to expect when both versions of Wake on LAN are enabled


When you have both versions of Wake on LAN enabled, you can use the Wake Up client notification and wake
up on deadline. The client notification functions a little differently than traditional Wake on LAN. For a brief
explanation of how the client notification works, see the Wake on LAN starting in version 1810 section. The new
client setting Allow network wake-up will change the NIC properties to allow Wake on LAN. You no longer
need to manually change it for new machines that are added to your environment. All other functionality of
Wake on LAN hasn't been changed.
Starting in version 1902, the Wake Up client notification honors your existing Wake On LAN port number (UDP) setting.
Starting in Configuration Manager version 2010, you can use the client notification channel to wake clients
when a deadline is received on deployments such as task sequences, software distribution, or software
updates installation. For more information, see Use the client notification channel to wake a client when a
deployment deadline occurs.

Wake on LAN for version 1806 and earlier


Specify Wake on LAN settings for Configuration Manager when you want to bring computers out of a sleep
state to install required software, such as software updates, applications, task sequences, and programs.
You can supplement Wake on LAN by using the wake-up proxy client settings. However, to use wake-up proxy,
you must first enable Wake on LAN for the site and specify Use wake-up packets only and the Unicast
option for the Wake on LAN transmission method. This wake-up solution also supports ad-hoc connections,
such as a remote desktop connection.
Use the first procedure to configure a primary site for Wake on LAN. Then, use the second procedure to
configure the wake-up proxy client settings. This second procedure configures the default client settings for the
wake-up proxy settings to apply to all computers in the hierarchy. If you want these settings to apply to only
selected computers, create a custom device setting and assign it to a collection that contains the computers that
you want to configure for wake-up proxy. For more information about how to create custom client settings, see
How to configure client settings.
A computer that receives the wake-up proxy client settings will likely pause its network connection for 1-3
seconds. This pause occurs because the client must reset the network interface card to enable the wake-up proxy
driver on it.

WARNING
To avoid unexpected disruption to your network services, first evaluate wake-up proxy on an isolated and representative
network infrastructure. Then use custom client settings to expand your test to a selected group of computers on several
subnets. For more information about how wake-up proxy works, see Plan how to wake up clients.

To configure Wake on LAN for a site for version 1806 and earlier
To use Wake on LAN, you need to enable it for each site in a hierarchy.
1. In the Configuration Manager console, go to Administration > Site Configuration > Sites.
2. Select the primary site to configure, and then choose Properties.
3. On the Wake on LAN tab, configure the options that you require for this site. To support wake-up proxy, make sure you select Use wake-up packets only and Unicast. For more information, see Plan how to wake up clients.
4. Select OK and repeat the procedure for all primary sites in the hierarchy.
To configure wake-up proxy client settings
1. In the Configuration Manager console, go to Administration > Client Settings.
2. Select Default Client Settings, and then choose Properties.
3. Select Power Management and then choose Yes for Enable wake-up proxy.
4. Review and, if necessary, configure the other wake-up proxy settings. For more information on these settings, see Power management settings.
5. Select OK to close the dialog box, and then OK to close the Default Client Settings dialog box.
You can use the following Wake On LAN reports to monitor the installation and configuration of wake-up proxy:
Wake-Up Proxy Deployment State Summary
Wake-Up Proxy Deployment State Details

TIP
To test whether wake-up proxy is working, test a connection to a sleeping computer. For example, connect to a shared
folder on that computer, or try connecting to the computer using Remote Desktop. If you use Direct Access, check that
the IPv6 prefixes work by trying the same tests for a sleeping computer that is currently on the Internet.
How to deploy clients to Windows computers in
Configuration Manager
2/16/2022 • 25 minutes to read

Applies to: Configuration Manager (current branch)


This article provides details on how to deploy the Configuration Manager client to Windows computers. For
more information on planning and preparing for client deployment, see these articles:
Client installation methods
Prerequisites for deploying clients to Windows computers
Security and privacy for Configuration Manager clients
Best practices for client deployment

Client push installation


There are three main ways to use client push:
When you configure client push installation for a site, client installation automatically runs on computers that the site discovers. This method is scoped to the site's configured boundaries when those boundaries are configured as a boundary group.
Start client push installation by running the Client Push Installation Wizard for a specific collection or resource within a collection.
Use the Client Push Installation Wizard to install the Configuration Manager client on the results of a query. The installation succeeds only if one of the items returned by the query is the ResourceID attribute of the System Resource class.
If the site server can't contact the client computer or start the setup process, it automatically retries the
installation every hour. The server continues to retry for up to seven days.
To help track the client installation process, install a fallback status point before you install the clients. When you
install a fallback status point, it's automatically assigned to clients when they're installed by the client push
installation method. To track client installation progress, view the client deployment and assignment reports.
Client log files provide more detailed information for troubleshooting. The log files don't require a fallback
status point. For example, the CCM.log file on the site server records any problems that occur when the site
server connects to the computer. The CCMSetup.log file on the client records the installation process.

IMPORTANT
Client push only succeeds if all prerequisites are met. For more information, see Installation method dependencies.
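The CCM.log and CCMSetup.log files mentioned above are written in the CMTrace format (one `<![LOG[...]LOG]!><...>` entry per line, with `type` 1, 2 or 3 for information, warning or error). The following parser is an added example, not part of the Configuration Manager documentation or product; the log lines it runs over are constructed for the example and are not real log output.

```powershell
# Added example (not from the documentation): parse CMTrace-format lines such as
# those in ccmsetup.log and CCM.log and surface warnings and errors, so a failed
# client push can be triaged without opening the file in CMTrace.

function ConvertFrom-CMTraceLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    process {
        # One CMTrace entry per line:
        # <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..."
        #   context="" type="N" thread="N" file="...">
        # type: 1 = informational, 2 = warning, 3 = error
        $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+' +
                   'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+' +
                   'thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
        $m = [regex]::Match($Line, $pattern)
        if (-not $m.Success) { return }   # not a CMTrace entry; skip it

        $severity = switch ($m.Groups['type'].Value) {
            '1' { 'Info' }
            '2' { 'Warning' }
            '3' { 'Error' }
            default { 'Unknown' }
        }

        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-CMTraceProblems {
    # Returns only the warning and error entries from a set of log lines
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ConvertFrom-CMTraceLine | Where-Object { $_.Severity -in 'Warning', 'Error' }
}

# Constructed sample lines in CCM.log style for a client push attempt (not real output)
$sampleLog = @(
    '<![LOG[Attempting to connect to administrative share ''\\WS01\admin$'' using the client push installation account]LOG]!><time="10:15:32.123+000" date="02-16-2022" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="1" thread="4120" file="ccm.cpp:1">',
    '<![LOG[Failed to connect to \\WS01\admin$ (access denied)]LOG]!><time="10:15:33.456+000" date="02-16-2022" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="3" thread="4120" file="ccm.cpp:2">',
    '<![LOG[Retrying WS01 in 60 minutes]LOG]!><time="10:15:33.500+000" date="02-16-2022" component="SMS_CLIENT_CONFIG_MANAGER" context="" type="2" thread="4120" file="ccm.cpp:3">'
)

Get-CMTraceProblems -Lines $sampleLog | Format-Table Severity, Time, Message -AutoSize

# Against a real file on the site server:
# Get-CMTraceProblems -Lines (Get-Content "$env:SMS_LOG_PATH\CCM.log")   # path is an assumption; adjust to your site
```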

Configure the site to automatically use client push for discovered computers
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.
2. Select the site for which you want to configure automatic site-wide client push installation.
3. On the Home tab of the ribbon, in the Settings group, select Client Installation Settings, and then select Client Push Installation.
4. On the General tab of the Client Push Installation Properties window, select Enable automatic site-wide client push installation.
5. Starting in version 1806, when you update the site, a Kerberos check for client push is enabled. The
option to Allow connection fallback to NTLM is enabled by default, which is consistent with previous
behavior. If the site can't authenticate the client by using Kerberos, it retries the connection by using
NTLM. The recommended configuration for improved security is to disable this setting, which requires
Kerberos without NTLM fallback.

NOTE
When it uses client push to install the Configuration Manager client, the site server creates a remote connection
to the client. Starting in version 1806, the site can require Kerberos mutual authentication by not allowing fallback
to NTLM before establishing the connection. This enhancement helps to secure the communication between the
server and the client.
Depending on your security policies, your environment might already prefer or require Kerberos over the older
NTLM authentication. For more information on the security considerations of these authentication protocols, read
about the Windows security policy setting to restrict NTLM.
To use this feature, clients must be in a trusted Active Directory forest. Kerberos in Windows relies on Active
Directory for mutual authentication.

6. Select the system types to which Configuration Manager should push the client software. Select whether
you want to install the client on domain controllers.
7. On the Accounts tab, specify one or more accounts for Configuration Manager to use when it connects
to the target computer. Select the Create icon, enter the User name and Password (no more than 38
characters), confirm the password, and then select OK. Specify at least one client push installation
account. This account must have local administrator rights on the target computer to install the client. If
you don't specify a client push installation account, Configuration Manager tries to use the site system
computer account. Cross-domain client push fails when using the site system computer account.

NOTE
To use client push from a secondary site, specify the account at the secondary site that initiates the client push.
For more information about the client push installation account, see the next procedure, Use the Client Push
Installation Wizard.

8. Specify any required installation properties on the Installation Properties tab.
If you've extended the Active Directory schema for Configuration Manager, the site publishes the
specified client installation properties to Active Directory Domain Services. When CCMSetup runs
without installation properties, it reads these properties from Active Directory.

NOTE
If you enable client push installation on a secondary site, set the SMSSITECODE property to the Configuration
Manager site code of its parent primary site. If you've extended the Active Directory schema for Configuration
Manager, to automatically find the correct site assignment, set this property to AUTO.

Use the Client Push Installation Wizard


1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.
2. Select the site for which you want to configure automatic site-wide client push installation.
3. On the Home tab of the ribbon, in the Settings group, select Client Installation Settings, and then select Client Push Installation.
4. Specify any required installation properties on the Installation Properties tab.
If you've extended the Active Directory schema for Configuration Manager, the site publishes the
specified client installation properties to Active Directory Domain Services. When CCMSetup runs
without installation properties, it reads these properties from Active Directory.
5. In the Configuration Manager console, go to the Assets and Compliance workspace.
6. In the Devices node, select one or more computers. Or select a collection of computers in the Device
Collections node.
7. On the Home tab of the ribbon, choose one of these options:
To push the client to one or more devices, in the Device group, select Install Client .
To push the client to a collection of devices, in the Collection group, select Install Client .
8. On the Before You Begin page of the Install Configuration Manager Client Wizard, review the
information, and then select Next.
9. Select the appropriate options on the Installation Options page.
10. Review the installation settings, and then complete the wizard.

NOTE
Use this wizard to install clients even if the site isn't configured for client push.

Software update-based installation


Software update-based client installation publishes the client to a software update point as a software update.
Use this method for a first-time installation or upgrade.
If the Configuration Manager client is installed on a computer, the computer receives client policy from the site.
This policy includes the software update-point server name and port from which to get software updates.

IMPORTANT
For software update-based installation, use the same Windows Server Update Services (WSUS) server for client
installation and software updates. This server must be the active software update point in a primary site. For more
information, see Install a software update point.

If the Configuration Manager client isn't installed on a computer, configure and assign a Group Policy Object. The
Group Policy specifies the server name of the software update point.
You can't add command-line properties to a software update-based client installation. If you've extended the
Active Directory schema for Configuration Manager, the client installation automatically queries Active Directory
Domain Services for the installation properties.
If you haven't extended the Active Directory schema, use Group Policy to provision client installation settings.
These settings are automatically applied to any software update-based client installation. For more information,
see the section on How to provision client installation properties and the article on How to assign clients to a
site.
Use the following procedures to configure computers without a Configuration Manager client to use the
software update point. There's also a procedure for publishing the client software to the software update point.

TIP
If computers are in a pending restart state following a previous software installation, a software update-based client
installation might cause the computer to restart.

Configure a Group Policy Object to specify the software update point


1. Use the Group Policy Management Console to open a new or existing Group Policy Object.
2. Expand Computer Configuration, Administrative Templates, and Windows Components, and then select Windows Update.
3. Open the properties of the setting Specify intranet Microsoft update service location, and then select Enabled.
4. Set the intranet update service for detecting updates: Specify the name and port of the software update point server.
If you've configured the Configuration Manager site system to use a fully qualified domain name
(FQDN), use that format.
If the Configuration Manager site system isn't configured to use an FQDN, use a short name
format.

TIP
To determine the port number, see How to determine the port settings used by WSUS.

Example in the FQDN format: http://server1.contoso.com:8530

5. Set the intranet statistics server: This setting is typically configured with the same server name.
6. Assign the Group Policy Object to the computers on which you want to install the client and receive
software updates.
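The policy configured in steps 3 to 5 is stored on the client under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer and WUStatusServer) and its AU subkey (UseWUServer). The following is an added example, not part of the documentation, that reads those values on a target computer and checks that the update service location is in the `http://server:port` form the article expects; the server name passed to it is an assumption for the example.

```powershell
# Added example (not from the documentation): verify that the Group Policy for
# "Specify intranet Microsoft update service location" on this computer points at
# the software update point, in the form http://server:port, and that Automatic
# Updates has been told to use it (UseWUServer = 1).

function Test-IntranetUpdateServiceUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$ExpectedServer      # FQDN or short name of the software update point, if known
    )
    $uri = $null
    $problems = @()
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        $problems += 'not an absolute URL (expected http://server:port)'
    } else {
        if ($uri.Scheme -notin 'http', 'https') { $problems += "unexpected scheme '$($uri.Scheme)'" }
        # The article's example gives the port explicitly (http://server1.contoso.com:8530)
        if ($uri.IsDefaultPort) { $problems += 'port is not given explicitly' }
        if ($uri.AbsolutePath -ne '/') { $problems += "unexpected path '$($uri.AbsolutePath)'" }
        if ($ExpectedServer -and ($uri.Host -ne $ExpectedServer)) {
            $problems += "host '$($uri.Host)' is not the expected server '$ExpectedServer'"
        }
    }
    [pscustomobject]@{ Url = $Url; Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Get-IntranetUpdateServicePolicy {
    # Reads the policy values that the GPO in the procedure above writes
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer          # intranet update service for detecting updates
        WUStatusServer = $wu.WUStatusServer    # intranet statistics server
        UseWUServer    = $au.UseWUServer       # 1 when the policy is enabled
    }
}

function Test-IntranetUpdateServicePolicy {
    param([string]$ExpectedServer)
    $policy = Get-IntranetUpdateServicePolicy
    if (-not $policy.WUServer) {
        Write-Warning 'WUServer is not set: the GPO has not been applied to this computer'
        return $false
    }
    if ($policy.UseWUServer -ne 1) {
        Write-Warning 'UseWUServer is not 1: Automatic Updates will ignore the intranet server'
    }
    $detect = Test-IntranetUpdateServiceUrl -Url $policy.WUServer -ExpectedServer $ExpectedServer
    $stats  = Test-IntranetUpdateServiceUrl -Url $policy.WUStatusServer -ExpectedServer $ExpectedServer
    foreach ($r in $detect, $stats) {
        foreach ($p in $r.Problems) { Write-Warning "$($r.Url): $p" }
    }
    return ($policy.UseWUServer -eq 1 -and $detect.Valid -and $stats.Valid)
}

# Offline demonstration with the article's example URL and a short-name variant
Test-IntranetUpdateServiceUrl -Url 'http://server1.contoso.com:8530' -ExpectedServer 'server1.contoso.com'
Test-IntranetUpdateServiceUrl -Url 'http://server1' -ExpectedServer 'server1.contoso.com'

# On a domain-joined client after a gpupdate (server name is an assumption):
# Test-IntranetUpdateServicePolicy -ExpectedServer 'server1.contoso.com'
```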
Publish the Configuration Manager client to the software update point
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.
2. Select the site for which you want to configure software update-based client installation.
3. On the Home tab of the ribbon, in the Settings group, select Client Installation Settings, and then select Software Update-Based Client Installation.
4. Select Enable software update-based client installation.
5. If the site's client version is more recent than the version on the software update point, the Later Version
of Client Package Detected dialog box opens. Select Yes to publish the most recent version.

NOTE
If you haven't already published the client software to the software update point, this dialog box is blank.
The software update for the Configuration Manager client isn't automatically updated when there's a new
version. When you update the site, repeat this procedure to update the client.

Group Policy installation


Use Group Policy in Active Directory Domain Services to publish or assign the Configuration Manager client.
The client installs when the computer starts. When you use Group Policy, the client appears in Add or Remove
Programs in Control Panel. The user can install it from there.
Use the Windows Installer package CCMSetup.msi for Group Policy-based installations. This file is found in the
<ConfigMgr installation directory>\bin\i386 folder on the site server. You can't add properties to this file to
change installation behavior.

IMPORTANT
You must have administrator permissions to access the client installation files.

If you've extended the Active Directory schema for Configuration Manager, and you selected the domain
on the Publishing tab of the Site Properties dialog box, client computers automatically search Active
Directory Domain Services for installation properties. For more information, see About client installation
properties published to Active Directory Domain Services.
If you haven't extended the Active Directory schema, see the section on provisioning client installation
properties for information about storing installation properties in the Windows registry of computers.
The client uses these installation properties when it installs.
For more information, see How to use Group Policy to remotely install software.

Manual installation
Manually install the client software on computers by using CCMSetup.exe. You can find this program and its
supporting files in the Client folder in the Configuration Manager installation folder on the site server. The site
shares this folder to the network as:
\\<site server name>\SMS_<site code>\Client\

<site server name> is the primary site server name. <site code> is the primary site code to which the client is
assigned. To run CCMSetup.exe from the command line on the client, connect to this network location, and then
run the command.

IMPORTANT
You must have administrator permissions to access the client installation files.

CCMSetup.exe copies all necessary prerequisites to the client computer and calls the Windows Installer package
(Client.msi) to install the client. You can't run Client.msi directly.
To modify the behavior of the client installation, specify command-line options for both CCMSetup.exe and
Client.msi. Make sure that you specify CCMSetup parameters that begin with / before you specify Client.msi
properties. For example:
CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=AUTO FSP=SMSFP01

In this example, the client installs with the following options:

OPTION              DESCRIPTION
/mp:SMSMP01         This CCMSetup parameter specifies the management point SMSMP01 for
                    downloading the required client installation files.
/logon              This CCMSetup parameter specifies that the installation should stop if an
                    existing Configuration Manager client is found on the computer.
SMSSITECODE=AUTO    This Client.msi property specifies that the client tries to locate the
                    Configuration Manager site code to use, by using Active Directory Domain
                    Services, for example.
FSP=SMSFP01         This Client.msi property specifies that the fallback status point named
                    SMSFP01 is used to receive state messages sent from the client computer.

For more information, see About client installation parameters and properties.

TIP
For the procedure to install the Configuration Manager client on a modern Windows device by using Azure Active
Directory (Azure AD) identity, see Install and assign Configuration Manager clients using Azure AD for authentication.
That procedure is for clients on an intranet or the internet.

Manual installation examples


These examples are for Active Directory-joined clients on an intranet. They use the following values:
MPSERVER : server hosting the management point
FSPSERVER : server hosting the fallback status point
ABC : site code
contoso.com : domain name
Assume that you've configured all site system servers with an intranet FQDN and published the site information
to Active Directory.
Start with the following steps on the client computer:
1. Sign in as a local administrator.
2. Map drive Z to \\MPSERVER\SMS_ABC\Client .
3. Switch the command prompt to drive Z.
Then run one of the following commands:
Manual example 1
CCMSetup.exe

This command installs the client with no additional parameters or properties. The client is automatically
configured with the client installation properties published to Active Directory Domain Services, including these
settings:
Site code: This setting requires the client's network location to be included in a boundary group that you've
configured for client assignment.
Management point.
Fallback status point.
Communicate using HTTPS only.
For more information, see About client installation properties published to Active Directory Domain Services.
Manual example 2
CCMSetup.exe /MP:mpserver.contoso.com /UsePKICert SMSSITECODE=ABC CCMHOSTNAME=server05.contoso.com CCMFIRSTCERT=1 FSP=server06.contoso.com

This command overrides the automatic configuration that Active Directory Domain Services provides. It doesn't
require that you include the client's network location in a boundary group that's configured for client
assignment. Instead, the installation specifies these settings:
Site code
Intranet management point
Internet-based management point
Fallback status point that accepts connections from the internet
Use a client public key infrastructure (PKI) certificate (if available) that has the longest validity period

Logon script installation


Configuration Manager supports using logon scripts to install the Configuration Manager client software. Use
the program file CCMSetup.exe in a logon script to trigger the client installation.
Logon script installation uses the same methods as manual client installation. Specify the /logon installation
parameter for CCMSetup.exe. If any version of the client already exists on the computer, this parameter
prevents the client from installing. This behavior prevents reinstallation of the client each time the logon script
runs.
If you don't specify an installation source by using the /Source parameter and no management point from
which to obtain installation is specified by the /MP parameter, CCMSetup.exe locates the management point by
searching Active Directory Domain Services. This behavior occurs only if you've extended the schema for
Configuration Manager and published the site to Active Directory Domain Services. Alternatively, the client can
use DNS to locate a management point.
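The manual and logon script sections above share three rules: CCMSetup parameters start with `/` and must all precede the Client.msi `NAME=VALUE` properties, a logon script should pass `/logon`, and (as the internet-based client management section of this article states) a client installed with CCMHOSTNAME must be assigned directly to a site rather than with SMSSITECODE=AUTO. The following builder and checker is an added example, not part of the documentation or the product; the server names it uses are the article's example values.

```powershell
# Added example (not from the documentation): build a CCMSetup.exe command line
# from CCMSetup parameters and Client.msi properties, enforcing the ordering rule
# and the two constraints the article states, and check an existing command line.

function New-CCMSetupCommandLine {
    [CmdletBinding()]
    param(
        [string[]]$Parameter = @(),   # CCMSetup parameters, e.g. '/mp:SMSMP01', '/logon', '/UsePKICert'
        [hashtable]$Property = @{},   # Client.msi properties, e.g. @{ SMSSITECODE = 'ABC'; FSP = 'SMSFP01' }
        [switch]$ForLogonScript       # the command will run from a logon script
    )
    $errors = @()
    foreach ($p in $Parameter) {
        if ($p -notmatch '^/[A-Za-z]') { $errors += "CCMSetup parameters must start with '/': '$p'" }
    }
    foreach ($name in $Property.Keys) {
        if ($name -cnotmatch '^[A-Z][A-Z0-9_]*$') { $errors += "Client.msi property names are upper-case: '$name'" }
    }
    # /logon stops setup when a client already exists, so a logon script does not reinstall every time
    if ($ForLogonScript -and -not ($Parameter -contains '/logon')) {
        $errors += 'Logon script installation should pass /logon'
    }
    # Internet-based client management: with CCMHOSTNAME the client must be assigned directly to a site
    if ($Property.ContainsKey('CCMHOSTNAME') -and
        (-not $Property.ContainsKey('SMSSITECODE') -or $Property['SMSSITECODE'] -eq 'AUTO')) {
        $errors += 'CCMHOSTNAME requires a direct site assignment (SMSSITECODE=<site code>, not AUTO)'
    }
    if ($errors.Count -gt 0) { throw ($errors -join [Environment]::NewLine) }

    # Parameters first (in the order given), then properties, so CCMSetup parses both correctly
    $props = foreach ($name in ($Property.Keys | Sort-Object)) { '{0}={1}' -f $name, $Property[$name] }
    (@('CCMSetup.exe') + $Parameter + @($props)) -join ' '
}

function Test-CCMSetupCommandLine {
    # Returns $true when every /parameter precedes every NAME=VALUE property
    param([Parameter(Mandatory)][string]$CommandLine)
    $tokens = @($CommandLine -split '\s+' | Where-Object { $_ })
    if ($tokens.Count -eq 0 -or $tokens[0] -notmatch 'ccmsetup\.exe$') { return $false }
    $seenProperty = $false
    foreach ($t in ($tokens | Select-Object -Skip 1)) {
        if ($t.StartsWith('/')) {
            if ($seenProperty) { return $false }      # a parameter after a property is mis-ordered
        } elseif ($t -match '^[A-Za-z][A-Za-z0-9_]*=') {
            $seenProperty = $true
        } else {
            return $false                             # neither a parameter nor a property
        }
    }
    return $true
}

# Manual example 2 from the article, assembled from its parts
New-CCMSetupCommandLine -Parameter '/MP:mpserver.contoso.com', '/UsePKICert' -Property @{
    SMSSITECODE  = 'ABC'
    CCMHOSTNAME  = 'server05.contoso.com'
    CCMFIRSTCERT = '1'
    FSP          = 'server06.contoso.com'
}

# A logon script variant that must not reinstall on every logon
New-CCMSetupCommandLine -Parameter '/mp:SMSMP01', '/logon' -Property @{ SMSSITECODE = 'AUTO'; FSP = 'SMSFP01' } -ForLogonScript

# Rejected: CCMHOSTNAME together with automatic site assignment
try {
    New-CCMSetupCommandLine -Property @{ SMSSITECODE = 'AUTO'; CCMHOSTNAME = 'server05.contoso.com' }
} catch {
    Write-Warning $_.Exception.Message
}

# Ordering check on hand-written command lines
Test-CCMSetupCommandLine 'CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=AUTO FSP=SMSFP01'   # correctly ordered
Test-CCMSetupCommandLine 'CCMSetup.exe SMSSITECODE=AUTO /mp:SMSMP01'                      # parameter after a property
```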

Package and program installation


Use Configuration Manager to create and deploy a package and program that upgrades the client software for
selected devices. Configuration Manager supplies a package definition file that populates the package properties
with typically used values. Customize the behavior of the client installation by specifying additional command-
line parameters and properties.

NOTE
You can't upgrade Configuration Manager 2007 clients by using this method. Instead, use automatic client upgrade,
which automatically creates and deploys a package that contains the latest version of the client. For more information, see
Upgrade clients.
For more information about how to migrate from older versions of the Configuration Manager client, see Planning a client
migration strategy.

Create a package and program for the client software


Use the following procedure to create a Configuration Manager package and program that you can deploy to
Configuration Manager client computers to upgrade the client software.
1. In the Configuration Manager console, go to the Software Library workspace, expand Application Management, and select the Packages node.
2. On the Home tab of the ribbon, in the Create group, select Create Package from Definition.
3. On the Package Definition page of the wizard, select Microsoft from the Publisher list, and select Configuration Manager Client Upgrade from the Package definition list.
4. On the Source Files page, select Always obtain files from a source folder.
5. On the Source Folder page, select Network path (UNC Name). Then enter the network path of the
server and share that contains the client installation files.

NOTE
The computer on which the Configuration Manager deployment runs must have access to the specified network
folder. Otherwise, the client installation fails.

To change any of the client installation properties, modify the CCMSetup.exe command line on the
General tab of the Configuration Manager agent silent upgrade Properties program dialog box.
The default installation properties are /noservice SMSSITECODE=AUTO.
6. Distribute the package to all distribution points that you want to host the client upgrade package. Then
deploy the package to device collections that contain clients that you want to upgrade.

Intune MDM-managed Windows devices


Deploy the Configuration Manager client to devices that are enrolled with Microsoft Intune.
This procedure is for a traditional client that's connected to an intranet. It uses traditional client authentication
methods. To make sure the device remains in a managed state after it installs the client, it must be on the
intranet and within a Configuration Manager site boundary.
For the procedure to install the Configuration Manager client on a Windows device by using Azure AD identity,
see Install and assign Configuration Manager clients using Azure AD for authentication.
After you install the Configuration Manager client, devices don't unenroll from Intune. They can use the
Configuration Manager client and MDM enrollment at the same time. For more information, see Co-
management overview.

NOTE
You can use other client installation methods to install the Configuration Manager client on an Intune-managed device.
For example, if an Intune-managed device is on the intranet, and joined to the Active Directory domain, you can use
group policy to install the Configuration Manager client.

Install the Configuration Manager client by using Intune


1. In Intune, add a Windows line-of-business app that contains the Configuration Manager client installation
file CCMSetup.msi. You can find this file in the \bin\i386 folder of the Configuration Manager
installation directory on the site server.
2. In the Intune Software Publisher, enter command-line parameters. For example, use this command with a
traditional client on an intranet:
CCMSETUPCMD="/MP:<FQDN of management point> SMSMP=<FQDN of management point> SMSSITECODE=<your site code> DNSSUFFIX=<DNS suffix of management point>"
NOTE
For an example of a command to use with a Windows client using Azure AD authentication, see How to prepare
internet-based devices for co-management.

3. Assign the app to a group of the enrolled Windows computers.

OS image installation
Preinstall the Configuration Manager client on a reference computer that you use to create an OS image.

IMPORTANT
When you use the Configuration Manager task sequence to deploy an OS image, the Prepare ConfigMgr Client step
completely removes the Configuration Manager client.

Prepare the client computer for imaging


1. Manually install the Configuration Manager client software on the reference computer. For more
information, see How to install Configuration Manager clients manually.

IMPORTANT
Don't specify a Configuration Manager site code for the client in the CCMSetup.exe command-line properties.

2. At a command prompt, type net stop ccmexec to stop the SMS Agent Host service (CcmExec.exe) on the
reference computer.
3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.
4. Remove the certificates from the local computer's SMS certificate store.
5. Remove any other valid client authentication certificates that are stored in the local computer store on the
reference computer. For example, if you use PKI certificates, before you image the computer, remove the
certificates in the Personal store for Computer and User.
6. If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the
reference computer, remove the trusted root key from the reference computer.

NOTE
If clients can't query Active Directory Domain Services to locate a management point, they use the trusted root
key to determine trusted management points. If you deploy all imaged clients in the same hierarchy as that of the
master computer, leave the trusted root key in place.
If you deploy the clients in different hierarchies, remove the trusted root key. Also provision these clients with the
new trusted root key. For more information, see Planning for the trusted root key.

7. Use your imaging software to capture an image of the reference computer.
8. Deploy the image to the destination computers.
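Steps 2 to 5 of the procedure above are the ones that are easy to get wrong by hand on a reference computer (a leftover SMSCFG.INI or client certificate gives every imaged machine the same client identity). The following is an added example, not the documentation's own script, that performs those four steps with -WhatIf support so the removals can be previewed; it does not handle step 6 (the trusted root key).

```powershell
# Added example (not from the documentation): automate steps 2 to 5 of
# "Prepare the client computer for imaging" on the reference computer.
# Run from an elevated PowerShell session; use -WhatIf first to preview.

function Reset-CMClientForImaging {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Step 2: stop the SMS Agent Host service (CcmExec.exe)
    $svc = Get-Service -Name ccmexec -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('ccmexec', 'Stop service')) {
        Stop-Service -Name ccmexec -Force
    }

    # Step 3: delete SMSCFG.INI from the Windows folder (it holds the client's identity)
    $cfg = Join-Path $env:windir 'SMSCFG.INI'
    if ((Test-Path -Path $cfg) -and $PSCmdlet.ShouldProcess($cfg, 'Delete file')) {
        Remove-Item -Path $cfg -Force
    }

    # Step 4: empty the local computer's SMS certificate store
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("Cert:\LocalMachine\SMS\$($cert.Thumbprint)", 'Remove certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }

    # Step 5: remove client authentication certificates (EKU 1.3.6.1.5.5.7.3.2, Client Authentication)
    # from the Personal store of the computer and of the current user
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
            ForEach-Object {
                $target = "$store\$($_.Thumbprint) ($($_.Subject))"
                if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
                    Remove-Item -Path $_.PSPath
                }
            }
    }
}

# Preview what would be stopped, deleted and removed, then run for real:
Reset-CMClientForImaging -WhatIf
# Reset-CMClientForImaging
```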

Workgroup computers
Configuration Manager supports client installation for computers in workgroups. Install the client on workgroup
computers by using the method specified in How to install Configuration Manager clients manually.
Prerequisites
Manually install the client on each workgroup computer. During installation, the interactive user must
have local administrator rights.
To access resources in the Configuration Manager site server domain, configure the network access
account for the site. Specify this account in the software distribution site component. For more
information, see Site components.
Limitations
Workgroup clients can't locate management points from Active Directory Domain Services. Instead, they
use DNS or another management point.
Global roaming isn't supported. Workgroup clients can't query Active Directory Domain Services for site
information.
Active Directory discovery methods can't discover computers in workgroups.
You can't deploy software to users of workgroup computers.
You can't use the client push installation method to install the client on workgroup computers.
Workgroup clients can't use Kerberos for authentication, and they might require manual approval.
You can't configure a workgroup client as a distribution point. Configuration Manager requires that
distribution point computers be members of a domain.
Install the client on workgroup computers
Check the prerequisites, and then follow the directions in the section How to install Configuration Manager
clients manually.
Workgroup example 1
This example does the following actions:
Installs the client for intranet client management
Specifies the site code
Specifies the DNS suffix to locate a management point
CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com

Workgroup example 2
This example requires the client to be on a network location that's configured in a boundary group. If this
requirement isn't met, automatic site assignment won't work. The command includes a fallback status point on
server FSPSERVER. This property helps to track client deployment and to identify any client communication
issues.
CCMSetup.exe FSP=fspserver.contoso.com

Internet-based client management


NOTE
This section doesn't apply to clients that use a cloud management gateway. To install internet-based clients by using a
cloud management gateway, see Install and assign Configuration Manager clients using Azure AD for authentication.

When the Configuration Manager site supports internet-based client management for clients that are
sometimes on an intranet and sometimes on the internet, you have two options when you install clients on the
intranet:
Include the Client.msi property CCMHOSTNAME=<internet FQDN of the internet-based management point>
when you install the client, by using manual installation or client push, for example. When you use this
method, directly assign the client to the site. You can't use automatic site assignment. See the How to
install Configuration Manager clients manually section, which provides an example of this configuration
method.
Install the client for intranet client management, and then assign an internet-based client management
point to the client. Change the management point by using the client properties on the Configuration
Manager page in Control Panel, or by using a script. When you use this method, you can use automatic
client assignment. For more information, see the How to configure clients for internet-based client
management after client installation section.
To install clients that are on the internet, choose one of the following supported methods:
Provide a mechanism for these clients to temporarily connect to the intranet with a VPN. Then install the
client by using any appropriate client installation method.
Use an installation method that's independent of Configuration Manager. For example, package the client
installation source files onto removable media and send the media to users. The client installation source
files are located in the <installation path>\Client folder on the Configuration Manager site server. On
the media, include a script to manually copy over the client folder. From this folder, install the client by
using CCMSetup.exe and all the appropriate CCMSetup command-line properties.

NOTE
Configuration Manager doesn't support installing a client directly from the internet-based management point or from the
internet-based software update point.

Clients that are managed over the internet must communicate with internet-based site systems. Ensure that
these clients also have public key infrastructure (PKI) certificates before you install the client. Install these
certificates independently from Configuration Manager. For more information, see PKI certificate requirements.
Install clients on the internet by specifying CCMSetup command-line properties
1. Follow the directions in the section How to install Configuration Manager clients manually. Always
include the following options:
CCMSetup command-line parameter /source:<local path of the copied Client folder>

CCMSetup command-line parameter /UsePKICert

Client.msi property CCMHOSTNAME=<FQDN of internet-based management point>

Client.msi property SMSSIGNCERT=<local path of exported site server signing certificate>

Client.msi property SMSSITECODE=<site code of internet-based management point>

NOTE
If the site has more than one internet-based management point, it doesn't matter which one you specify for the
CCMHOSTNAME property. When a Configuration Manager client connects to the specified internet-based
management point, it sends the client a list of available internet-based management points in the site. The client
randomly selects one from the list.
2. If you don't want the client to check the certificate revocation list (CRL), specify the CCMSetup command-
line parameter /NoCRLCheck.
3. If you're using an internet-based fallback status point, specify the Client.msi property
FSP=<internet FQDN of the internet-based fallback status point>.

4. If you're installing the client for internet-only client management, specify the Client.msi property
CCMALWAYSINF=1.


5. Determine whether you have to specify additional CCMSetup command-line parameters. For example, if
the client has more than one valid PKI certificate, you might have to specify a certificate selection
criterion. For a list of available properties, see About client installation parameters and properties.
Internet-based example
CCMSetup.exe /source:D:\Clients /UsePKICert CCMHOSTNAME=server1.contoso.com SMSSIGNCERT=siteserver.cer
SMSSITECODE=ABC FSP=server2.contoso.com CCMALWAYSINF=1 CCMFIRSTCERT=1

This example installs the client with the following behaviors:

Use source files from a folder on drive D.
Use a client PKI certificate.
Select the certificate with the longest validity period.
Internet-only client management.
Assign the client to use the internet-based management point named SERVER1.
Assign the internet-based fallback status point in the contoso.com domain.
Assign the client to the ABC site.
To configure clients for internet-based client management after client installation
To assign the internet-based management point after you install the client, use one of these procedures. The first
requires manual configuration and is appropriate for a few clients. The second is more appropriate for
configuring many clients.
Configure clients for internet-based client management after client installation from the Configuration Manager control panel
1. Open the Configuration Manager control panel on the client.
2. On the Internet tab, enter the fully qualified domain name (FQDN) of the internet-based management
point as the Internet FQDN .

NOTE
The Internet tab is available only if the client has a client PKI certificate.

3. If the client accesses the internet by using a proxy server, enter the proxy server settings.
Configure clients for internet-based client management after client installation by using a script
PowerShell

1. Open a PowerShell in-line editor, like PowerShell ISE or Visual Studio Code. You can also use a text editor,
like Notepad.
2. Copy and insert the following lines of code into the editor. Replace 'mp.contoso.com' with the internet
FQDN of your internet-based management point.
# FQDN of the internet-based management point; use '' to remove the current value
$newInternetBasedManagementPointFQDN = 'mp.contoso.com'
# The client's COM automation object exposes the get/set methods used below
$client = New-Object -ComObject Microsoft.SMS.Client
$client.SetInternetManagementPointFQDN($newInternetBasedManagementPointFQDN)
# Restart the SMS Agent Host service so the client picks up the new value
Restart-Service CcmExec
# Read the value back to verify the change
$client.GetInternetManagementPointFQDN()

NOTE
The last line is there only to verify the new internet management point value.
To delete a specified internet-based management point, remove the server FQDN value inside the quotation
marks. The line becomes $newInternetBasedManagementPointFQDN = ''.

3. Save the file with a .ps1 extension.


4. Run the script with elevated rights on client computers. Use one of these methods:
Deploy the file to existing Configuration Manager clients by using a package and a program.
Run the file locally on existing Configuration Manager clients by double-clicking the script file in
File Explorer.
You might have to restart the client for the changes to take effect.

Provision client installation properties


Provision client installation properties for group policy and software update-based client installations. Use
Windows Group Policy to provision computers with Configuration Manager client installation properties. These
properties are stored in the registry of the computer. The client reads them when it installs. This procedure isn't
normally required, but it might be needed for some client installation scenarios, such as:
You're using the group policy settings or software update-based client installation methods. You haven't
extended the Active Directory schema for Configuration Manager.
You want to override client installation properties on specific computers.

NOTE
If any installation properties are supplied on the CCMSetup.exe command line, installation properties provisioned on
computers aren't used.

A group policy administrative template named ConfigMgrInstallation.adm is supplied on the Configuration
Manager installation media. Use this template to provision client computers with installation properties.

TIP
By default, ConfigMgrInstallation.adm doesn't support strings larger than 255 characters. This configuration can
impact adding multiple parameters or parameters with long values, such as CCMCERTISSUERS.
To work around this issue:
1. Edit ConfigMgrInstallation.adm in Notepad.
2. For the property VALUENAME SetupParameters, change the MAXLEN value to a larger integer. For example,
MAXLEN 511.

Configure and assign client installation properties by using a group policy object
1. Import the ConfigMgrInstallation.adm administrative template into a new or existing group policy object
(GPO) by using an editor like Windows Group Policy Object Editor. You can find this file in the
TOOLS\ConfigMgrADMTemplates folder on the Configuration Manager installation media.

2. Open the properties of the imported setting Configure Client Deployment Settings .
3. Select Enabled .
4. In the CCMSetup box, enter the required CCMSetup command-line properties. For a list of all CCMSetup
command-line properties and examples of their use, see About client installation parameters and
properties.
5. Assign the GPO to the computers that you want to provision with Configuration Manager client
installation properties.
About client installation parameters and properties
in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use the CCMSetup.exe command to install the Configuration Manager client. If you provide client installation
parameters on the command line, they modify the installation behavior. If you provide client installation
properties on the command line, they modify the initial configuration of the installed client agent.

About CCMSetup.exe
The CCMSetup.exe command downloads needed files to install the client from a management point or a source
location. These files might include:
The Windows Installer package client.msi that installs the client software
Client prerequisites
Updates and fixes for the Configuration Manager client

NOTE
You can't directly install client.msi.

CCMSetup.exe provides command-line parameters to customize the installation. Parameters are prefixed with a
slash ( / ) and are generally lower case. You specify the value of a parameter when necessary using a colon ( : )
immediately followed by the value. For more information, see CCMSetup.exe command-line parameters.
You can also supply properties at the CCMSetup.exe command line to modify the behavior of client.msi.
Properties by convention are upper case. You specify a value for a property using an equal sign ( = )
immediately followed by the value. For more information, see Client.msi properties.

IMPORTANT
Specify CCMSetup parameters before you specify properties for client.msi.

CCMSetup.exe and the supporting files are on the site server in the Client folder of the Configuration Manager
installation folder. Configuration Manager shares this folder to the network under the site share. For example,
\\SiteServer\SMS_ABC\Client.

At the command prompt, the CCMSetup.exe command uses the following format:
CCMSetup.exe [<Ccmsetup parameters>] [<client.msi setup properties>]

For example:
CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=S01 FSP=SMSFSP01

This example does the following things:

Specifies the management point named SMSMP01 to request a list of distribution points to download the
client installation files.
Specifies that installation should stop if a version of the client already exists on the computer.
Instructs client.msi to assign the client to the site code S01.
Instructs client.msi to use the fallback status point named SMSFSP01.

TIP
If a parameter value has spaces, surround it with quotation marks.

If you extend the Active Directory schema for Configuration Manager, the site publishes many client installation
properties in Active Directory Domain Services. The Configuration Manager client automatically reads these
properties. For more information, see About client installation properties published to Active Directory Domain
Services.
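The ordering and quoting conventions above are easy to get wrong when a command line is assembled in a deployment script. The following PowerShell is an added example, not code from the Configuration Manager documentation or product: it builds the CCMSetup.exe command line from a table of parameters and a table of properties, emitting parameters first (as /name or /name:value), properties after them (as NAME=value), and wrapping any value that contains whitespace in quotation marks. Parameter names are passed through as given; property names are upper-cased. The first usage call reuses the page's own example values; the second uses constructed values.

```powershell
# Added example (not from the Configuration Manager docs): compose a CCMSetup.exe command
# line so that CCMSetup parameters always precede client.msi properties and values with
# spaces are quoted. Assumed names in the usage calls are the page's own or constructed.

function Format-CcmSetupValue {
    param([string]$Value)
    # A value containing whitespace must be surrounded by quotation marks
    if ($Value -match '\s') { '"{0}"' -f $Value } else { $Value }
}

function New-CcmSetupCommandLine {
    [CmdletBinding()]
    param(
        # CCMSetup parameters: $true for a switch such as /logon, a string for /name:value,
        # or an array to repeat the parameter (/source may be given more than once)
        [System.Collections.IDictionary]$Parameters = @{},
        # client.msi properties, emitted as NAME=value
        [System.Collections.IDictionary]$Properties = @{},
        [string]$ExePath = 'CCMSetup.exe'
    )
    $parts = New-Object System.Collections.Generic.List[string]
    $parts.Add($ExePath)

    # Parameters first: prefixed with a slash, value after a colon
    foreach ($name in $Parameters.Keys) {
        $v = $Parameters[$name]
        if ($v -is [bool]) {
            if ($v) { $parts.Add("/$name") }
            continue
        }
        foreach ($item in @($v)) {
            $parts.Add("/${name}:" + (Format-CcmSetupValue ([string]$item)))
        }
    }
    # Properties last: upper-case name, value after an equal sign
    foreach ($name in $Properties.Keys) {
        $parts.Add("$($name.ToUpper())=" + (Format-CcmSetupValue ([string]$Properties[$name])))
    }
    $parts -join ' '
}

# The page's own example: source management point, stop if a client exists, site code, fallback status point
New-CcmSetupCommandLine -Parameters ([ordered]@{ mp = 'SMSMP01'; logon = $true }) `
                        -Properties ([ordered]@{ SMSSITECODE = 'S01'; FSP = 'SMSFSP01' })

# Constructed variant: two /source locations, a PKI client certificate and a CCMADMINS value with a space
New-CcmSetupCommandLine -Parameters ([ordered]@{
        source     = @('\\server\share', 'D:\Clients')
        UsePKICert = $true
        mp         = 'smsmp01.contoso.com'
    }) -Properties ([ordered]@{
        ccmhostname = 'SMSMP01.corp.contoso.com'
        smssitecode = 'ABC'
        ccmadmins   = 'contoso\Client Admins;contoso\account1'
    })
```

Use an ordered hashtable when the emitted order matters for readability; a plain hashtable is accepted but enumerates its keys in no particular order. A parameter that takes several values in one argument, such as /mp with a semicolon-separated list, is passed as a single string; an array is reserved for parameters that are repeated on the command line.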

CCMSetup.exe command-line parameters


/?
Shows available command-line parameters for ccmsetup.exe.
Example: ccmsetup.exe /?

/AllowMetered
Starting in version 2006, use this parameter to control the client's behavior on a metered network. This
parameter takes no values. When you allow client communication on a metered network for ccmsetup, it
downloads the content, registers with the site, and downloads the initial policy. Any further client
communication follows the configuration of the client setting from that policy. For more information, see About
client settings.
If you reinstall the client on an existing device, it uses the following priority to determine its configuration:
1. Existing local client policy
2. The last command line stored in the Windows registry
3. Parameters on the ccmsetup command line
/AlwaysExcludeUpgrade
This parameter specifies whether or not a client will auto upgrade when you enable Automatic client
upgrade .
Supported values:
TRUE : The client won't automatically upgrade
FALSE : The client automatically upgrades (default)
For example:
CCMSetup.exe /AlwaysExcludeUpgrade:TRUE

For more information, see Extended interoperability client.

NOTE
When using the /AlwaysExcludeUpgrade parameter, the auto upgrade still runs. However when CCMSetup runs to
perform the upgrade, it will note that /AlwaysExcludeUpgrade parameter has been set and will log the following line in
the ccmsetup.log :
Client is stamped with /alwaysexcludeupgrade. Stop proceeding.

CCMSetup will then immediately exit and not perform the upgrade.

/BITSPriority
When the device downloads client installation files over an HTTP connection, use this parameter to specify the
download priority. Specify one of the following possible values:
FOREGROUND

HIGH

NORMAL (default)
LOW

Example: ccmsetup.exe /BITSPriority:HIGH

/config
This parameter specifies a text file that lists client installation properties.
If CCMSetup runs as a service, place this file in the CCMSetup system folder: %Windir%\Ccmsetup.
If you specify the /noservice parameter, place this file in the same folder as CCMSetup.exe.
Example: CCMSetup.exe /config:"configuration file name.txt"

To provide the correct file format, use the mobileclienttemplate.tcf file in the \bin\<platform> folder in the
Configuration Manager installation directory on the site server. This file has comments about the sections and
how to use them. Specify the client installation properties in the [Client Install] section, after the following
text: Install=INSTALL=ALL .
Example [Client Install] section entry: Install=INSTALL=ALL SMSSITECODE=ABC SMSCACHESIZE=100

/downloadtimeout
If CCMSetup fails to download the client installation files, this parameter specifies the maximum timeout in
minutes. After this timeout, CCMSetup stops trying to download the installation files. The default value is 1440
minutes (one day).
Use the /retry parameter to specify the interval between retry attempts.
Example: ccmsetup.exe /downloadtimeout:100

/ExcludeFeatures
This parameter specifies that CCMSetup.exe doesn't install the specified feature.
Example: CCMSetup.exe /ExcludeFeatures:ClientUI doesn't install Software Center on the client.

NOTE
ClientUI is the only value that the /ExcludeFeatures parameter supports.

/forceinstall
Specify that CCMSetup.exe uninstalls any existing client, and installs a new client.
/forcereboot
Use this parameter to force the computer to restart if necessary to complete the installation. If you don't specify
this parameter, CCMSetup exits when a restart is necessary. It then continues after the next manual restart.
Example: CCMSetup.exe /forcereboot

/logon
If any version of the client is already installed, this parameter specifies that the client installation should stop.
Example: ccmsetup.exe /logon

/mp
Specifies a source management point for computers to connect to. Computers use this management point to
find the nearest distribution point for the installation files. If there are no distribution points, or computers can't
download the files from the distribution points after four hours, they download the files from the specified
management point.
For more information on how ccmsetup downloads content, see Boundary groups - client installation. That
article also includes details of ccmsetup behavior if you use both /mp and /source parameters.

IMPORTANT
This parameter specifies an initial management point for computers to find a download source, and can be any
management point in any site. It doesn't assign the client to the specified management point.

Computers download the files over an HTTP or HTTPS connection, depending on the site system role
configuration for client connections. The download can also use BITS throttling if you configure it. If you
configure all distribution points and management points for HTTPS client connections only, verify that the client
computer has a valid client certificate.
You can use the /mp command-line parameter to specify more than one management point. If the computer
fails to connect to the first one, it tries the next in the specified list. When you specify multiple management
points, separate the values by semicolons.
If the client connects to a management point using HTTPS, specify the FQDN not the computer name. The value
must match the management point PKI certificate's Subject or Subject Alternative Name . Although
Configuration Manager supports using a computer name in the certificate for connections on the intranet, using
an FQDN is recommended.
Example with the computer name: ccmsetup.exe /mp:SMSMP01

Example with the FQDN: ccmsetup.exe /mp:smsmp01.contoso.com

This parameter can also specify the URL of a cloud management gateway (CMG). Use this URL to install the
client on an internet-based device. To get the value for this parameter, use the following steps:
Create a CMG. For more information, see Set up a CMG.
On an active client, open a Windows PowerShell command prompt as an administrator.
Run the following command:

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

Append the https:// prefix to use with the /mp parameter.


Example for when you use the cloud management gateway URL:
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057598037248100

IMPORTANT
When specifying the URL of a cloud management gateway for the /mp parameter, it must start with https:// .

/NoCRLCheck
Specifies that a client shouldn't check the certificate revocation list (CRL) when it communicates over HTTPS with
a PKI certificate. When you don't specify this parameter, the client checks the CRL before it establishes an HTTPS
connection. For more information about client CRL checking, see Planning for PKI certificate revocation.
Example: CCMSetup.exe /UsePKICert /NoCRLCheck

/noservice
This parameter prevents CCMSetup from running as a service, which it does by default. When CCMSetup runs
as a service, it runs in the context of the Local System account of the computer. This account might not have
sufficient rights to access required network resources for the installation. With /noservice, CCMSetup.exe runs
in the context of the user account that you use to start the installation.
Example: ccmsetup.exe /noservice

/regtoken
Use this parameter to provide a bulk registration token. An internet-based device uses this token in the
registration process through a cloud management gateway (CMG). For more information, see Token-based
authentication for CMG.
When you use this parameter, also include the following parameters and properties:
/mp
CCMHOSTNAME
SMSSITECODE
SMSMP
The following example command line includes the other required setup parameters and properties:
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSITECODE=A
/regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJTQ0N
gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarRXzZ

TIP
If CCMSetup returns error 0x87d0027e, try removing the /mp parameter from the command line.

/retry
If CCMSetup.exe fails to download installation files, use this parameter to specify the retry interval in minutes.
CCMSetup continues to retry until it reaches the limit specified in the /downloadtimeout parameter.
Example: ccmsetup.exe /retry:20

/service
Specifies that CCMSetup should run as a service that uses the Local System account.

TIP
If you're using a script to run CCMSetup.exe with the /service parameter, CCMSetup.exe exits after the service starts. It
might not correctly report installation details to the script.

Example: ccmsetup.exe /service

/skipprereq
This parameter specifies that CCMSetup.exe doesn't install the specified prerequisite. You can enter more than
one value. Use the semicolon character ( ; ) to separate each value.
Examples:
CCMSetup.exe /skipprereq:filename.exe

CCMSetup.exe /skipprereq:filename1.exe;filename2.exe

For more information on client prerequisites, see Windows client prerequisites.


/source
Specifies the file download location. Use a local or UNC path. The device downloads files using the server
message block (SMB) protocol. To use /source , the Windows user account for client installation needs Read
permissions to the location.
For more information on how ccmsetup downloads content, see Boundary groups - client installation. That
article also includes details of ccmsetup behavior if you use both /mp and /source parameters.

TIP
You can use the /source parameter more than once in a command line to specify alternative download locations.

Example: ccmsetup.exe /source:"\\server\share"

/uninstall
Use this parameter to uninstall the Configuration Manager client. For more information, see Uninstall the client.
Example: ccmsetup.exe /uninstall

NOTE
Starting in version 2111, when you uninstall the client it also removes the client bootstrap, ccmsetup.msi, if it exists.

/UsePKICert
Specify this parameter for the client to use a PKI client authentication certificate. If you don't include this
parameter, or if the client can't find a valid certificate, it filters out all HTTPS management points, including cloud
management gateways (CMG). The client uses an HTTP connection with a self-signed certificate.
Example: CCMSetup.exe /UsePKICert

If a device uses Azure Active Directory (Azure AD) for client authentication and also has a PKI-based client
authentication certificate, and you include this parameter, the client won't be able to get Azure AD onboarding
information from a cloud management gateway (CMG). For a client that uses Azure AD authentication, don't
specify this parameter, but include the AADRESOURCEURI and AADCLIENTAPPID properties.

NOTE
In some scenarios, you don't have to specify this parameter, but still use a client certificate. For example, client push and
software update-based client installation. Use this parameter when you manually install a client and use the /mp
parameter with an HTTPS-enabled management point.
Also specify this parameter when you install a client for internet-only communication. Use CCMALWAYSINF=1 together
with the properties for the internet-based management point (CCMHOSTNAME ) and the site code (SMSSITECODE ).
For more information about internet-based client management, see Considerations for client communications from the
internet or an untrusted forest.

/IgnoreSkipUpgrade
Specify this parameter to manually upgrade an excluded client. For more information, see How to exclude clients
from upgrade.

CCMSetup.exe return codes


The CCMSetup.exe command provides the following return codes. To troubleshoot, review
%WinDir%\ccmsetup\Logs\ccmsetup.log on the client for context and additional detail about return codes.

Return code    Meaning

0              Success
6              Error
7              Reboot required
8              Setup already running
9              Prerequisite evaluation failure
10             Setup manifest hash validation failure
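A deployment script should act on these return codes rather than on whether the process started, and on failure it should surface the relevant lines of ccmsetup.log. The following PowerShell is an added example, not code from the Configuration Manager documentation or product: it runs CCMSetup.exe, maps the exit code to the meanings in the table above, and on a non-zero code returns the most recent error entries from %WinDir%\ccmsetup\Logs\ccmsetup.log. It assumes the log uses the CMTrace line layout (<![LOG[message]LOG]!><time=... date=... component=... type=...>), in which type 3 marks an error; the two sample log lines at the end are constructed to exercise the parser without running an installation.

```powershell
# Added example (not from the Configuration Manager docs): interpret CCMSetup.exe return
# codes and pull recent error entries from ccmsetup.log. Assumes the CMTrace log format;
# the sample lines below are constructed, not a real log.

$CcmSetupReturnCodes = @{
    0  = 'Success'
    6  = 'Error'
    7  = 'Reboot required'
    8  = 'Setup already running'
    9  = 'Prerequisite evaluation failure'
    10 = 'Setup manifest hash validation failure'
}

function Get-CcmSetupReturnCodeMeaning {
    param([int]$ExitCode)
    if ($CcmSetupReturnCodes.ContainsKey($ExitCode)) { $CcmSetupReturnCodes[$ExitCode] }
    else { "Unknown return code $ExitCode (review ccmsetup.log)" }
}

function ConvertFrom-CmTraceLine {
    # Parses one CMTrace entry; type 1 = informational, 2 = warning, 3 = error
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"') {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Type      = [int]$Matches.type
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CcmSetupLogErrors {
    param(
        [string]$LogPath = (Join-Path $env:WinDir 'ccmsetup\Logs\ccmsetup.log'),
        [int]$Last = 5
    )
    if (-not (Test-Path $LogPath)) { return @() }
    Get-Content $LogPath | ConvertFrom-CmTraceLine | Where-Object Type -eq 3 | Select-Object -Last $Last
}

function Invoke-CcmSetup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ArgumentList,
        [string]$ExePath = 'CCMSetup.exe'
    )
    if (-not $PSCmdlet.ShouldProcess("$ExePath $ArgumentList", 'Run client setup')) { return }
    # With the default /service behaviour, CCMSetup.exe exits once the service starts, so the exit
    # code reflects that bootstrap step; use /noservice when the script must wait for the install itself
    $proc = Start-Process -FilePath $ExePath -ArgumentList $ArgumentList -Wait -PassThru -NoNewWindow
    $result = [pscustomobject]@{
        ExitCode = $proc.ExitCode
        Meaning  = Get-CcmSetupReturnCodeMeaning $proc.ExitCode
        Errors   = @()
    }
    if ($proc.ExitCode -ne 0) { $result.Errors = @(Get-CcmSetupLogErrors) }
    $result
}

# Constructed sample entries: the line CCMSetup logs when /AlwaysExcludeUpgrade stops an
# auto-upgrade (informational), and a generic error entry, to show the parser's output
$sampleLog = @(
    '<![LOG[Client is stamped with /alwaysexcludeupgrade. Stop proceeding.]LOG]!><time="10:01:02.123+000" date="02-16-2022" component="ccmsetup" context="" type="1" thread="1234" file="">',
    '<![LOG[Setup failed (constructed sample error)]LOG]!><time="10:01:03.456+000" date="02-16-2022" component="ccmsetup" context="" type="3" thread="1234" file="">'
)
$sampleLog | ConvertFrom-CmTraceLine | Where-Object Type -eq 3 | Format-Table Date, Time, Message
```

Call Invoke-CcmSetup -ArgumentList '/noservice /mp:smsmp01.contoso.com SMSSITECODE=ABC' -WhatIf to see what would run without starting the installer; without -WhatIf the returned object carries the exit code, its meaning from the table, and any error entries found in the log.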

Ccmsetup.msi properties
The following properties can modify the installation behavior of ccmsetup.msi.
CCMSETUPCMD
Use this ccmsetup.msi property to pass additional command-line parameters and properties to ccmsetup.exe.
Include other parameters and properties inside quotation marks ( " ). Use this property when you bootstrap the
Configuration Manager client with the Intune MDM installation method.
Example: ccmsetup.msi CCMSETUPCMD="/mp:https://mp.contoso.com CCMHOSTNAME=mp.contoso.com"

TIP
Microsoft Intune limits the command line to 1024 characters.

Client.msi properties
The following properties can modify the installation behavior of client.msi, which ccmsetup.exe installs.
AADCLIENTAPPID
Specifies the Azure Active Directory (Azure AD) client app identifier. You create or import the client app when
you configure Azure services for Cloud Management. An Azure administrator can get the value for this property
from the Azure portal. For more information, see get application ID. For the AADCLIENTAPPID property, this
application ID is for the Native application type.
Example: ccmsetup.exe AADCLIENTAPPID=aa28e7f1-b88a-43cd-a2e3-f88b257c863b

AADRESOURCEURI
Specifies the Azure AD server app identifier. You create or import the server app when you configure Azure
services for Cloud Management. When you create the server app, in the Create Server Application window, this
property is the App ID URI .
An Azure administrator can get the value for this property from the Azure portal. In Azure Active Directory,
find the server app under App registrations. Look for application type Web app / API. Open the app, select
Settings, and then select Properties. Use the App ID URI value for this AADRESOURCEURI client
installation property.
Example: ccmsetup.exe AADRESOURCEURI=https://contososerver

AADTENANTID
Specifies the Azure AD tenant identifier. Configuration Manager links to this tenant when you configure Azure
services for Cloud Management. To get the value for this property, use the following steps:
On a device that runs Windows 10 or later and is joined to the same Azure AD tenant, open a command
prompt.
Run the following command: dsregcmd.exe /status

In the Device State section, find the TenantId value. For example,
TenantId : 607b7853-6f6f-4d5d-b3d4-811c33fdd49a

NOTE
An Azure administrator can also obtain this value in the Azure portal. For more information, see get tenant ID.

Example: ccmsetup.exe AADTENANTID=607b7853-6f6f-4d5d-b3d4-811c33fdd49a

CCMADMINS
Specifies one or more Windows user accounts or groups to be given access to client settings and policies. This
property is useful when you don't have local administrative credentials on the client computer. Specify a list of
accounts that are separated by semicolons ( ; ).
Example: CCMSetup.exe CCMADMINS="domain\account1;domain\group1"

CCMALLOWSILENTREBOOT
If necessary, allow the computer to silently restart after the client installation.

IMPORTANT
When you use this property, the computer restarts without warning. This behavior occurs even if a user is signed in to
Windows.

Example: CCMSetup.exe CCMALLOWSILENTREBOOT

CCMALWAYSINF
To specify that the client is always internet-based and never connects to the intranet, set this property value to
1. The client's connection type displays Always Internet.

Use this property with CCMHOSTNAME to specify the FQDN of the internet-based management point. Also use
it with the CCMSetup parameter UsePKICert and the SMSSITECODE property.
For more information about internet-based client management, see Considerations for client communications
from the internet or an untrusted forest.
Example: CCMSetup.exe /UsePKICert CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC

CCMCERTISSUERS
Use this property to specify the certificate issuers list. This list includes certificate information for the trusted
root certification authorities (CA) that the Configuration Manager site trusts.
This value is a case-sensitive match for subject attributes that are in the root CA certificate. Separate attributes
by a comma ( , ) or a semicolon ( ; ). Specify more than one root CA certificate by using a separator bar ( | ).
Example:
CCMCERTISSUERS="CN=Contoso Root CA; OU=Servers; O=Contoso, Ltd; C=US | CN=Litware Corporate Root CA;
O=Litware, Inc."

TIP
Use the value of the CertificateIssuers attribute in the mobileclient.tcf file for the site. This file is in the
\bin\<platform> subfolder of the Configuration Manager installation directory on the site server.

For more information about the certificate issuers list and how clients use it during the certificate selection
process, see Planning for PKI client certificate selection.
CCMCERTSEL
If the client has more than one certificate for HTTPS communication, this property specifies the criteria for it to
select a valid client authentication certificate.
Use the following keywords to search the certificate Subject Name or Subject Alternative Name:
Subject : Find an exact match
SubjectStr : Find a partial match
Examples:
CCMCERTSEL="Subject:computer1.contoso.com" : Search for a certificate with an exact match to the computer
name computer1.contoso.com in the Subject Name or the Subject Alternative Name.
CCMCERTSEL="SubjectStr:contoso.com" : Search for a certificate that contains contoso.com in the Subject
Name or the Subject Alternative Name.
Use the SubjectAttr keyword to search for the Object Identifier (OID) or distinguished name attributes in the
Subject Name or Subject Alternative Name.
Examples:
CCMCERTSEL="SubjectAttr:2.5.4.11 = Computers" : Search for the organizational unit attribute expressed as
an object identifier and named Computers .
CCMCERTSEL="SubjectAttr:OU = Computers" : Search for the organizational unit attribute expressed as a
distinguished name, and named Computers .

IMPORTANT
If you use the Subject Name, the Subject keyword is case-sensitive, and the SubjectStr keyword is case-insensitive.
If you use the Subject Alternative Name, both the Subject and the SubjectStr keywords are case-insensitive.

For the complete list of attributes that you can use for certificate selection, see Supported attribute values for
PKI certificate selection criteria.
If more than one certificate matches the search, and you set CCMFIRSTCERT to 1 , then the client installer
selects the certificate with the longest validity period.
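Before rolling out a CCMCERTSEL value, it helps to preview which certificate in the computer's Personal store it would pick, since a criterion that matches nothing leaves the client falling back to HTTP, and one that matches several certificates depends on CCMFIRSTCERT. The following PowerShell is an added example, not code from the Configuration Manager documentation or product, and it approximates the selection rules as the text above states them rather than reproducing the client's own selection code. Assumptions: candidates must have a private key, be unexpired and carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2); Subject Alternative Name parsing relies on the English "DNS Name=" label produced by Format(); SubjectAttr is checked against the Subject Name only, with a case-sensitive value match; the store path defaults to the Personal store (what CCMCERTSTORE would change); and "longest validity period" is read literally as the largest NotAfter minus NotBefore span.

```powershell
# Added example (not from the Configuration Manager docs): preview which certificate the
# CCMCERTSEL keywords Subject / SubjectStr / SubjectAttr would select, applying the case rules
# from the text, and which one CCMFIRSTCERT=1 would prefer. Approximation for pre-install
# checks, not the client's own selection code; see the assumptions in the lead-in.

$SubjectAttrOids = @{
    '2.5.4.3' = 'CN'; '2.5.4.11' = 'OU'; '2.5.4.10' = 'O'; '2.5.4.6' = 'C'
    '2.5.4.7' = 'L';  '2.5.4.8'  = 'ST'; '0.9.2342.19200300.100.1.25' = 'DC'
}

function Get-SubjectAttributeValues {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    # Format($true) returns one RDN per line ("OU=Computers"), so escaped commas are not an issue
    $Cert.SubjectName.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match "^\s*$([regex]::Escape($Name))=(.*)$") { $Matches[1].Trim() }
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    if (-not $ext) { return @() }
    # Assumes the English "DNS Name=" label in the formatted extension text
    @($ext.Format($false) -split ',\s*' | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    })
}

function Find-ClientAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CcmCertSel,            # e.g. 'SubjectStr:contoso.com'
        [switch]$FirstCert,                                    # emulate CCMFIRSTCERT=1
        [string]$StorePath = 'Cert:\LocalMachine\My'           # Personal store; CCMCERTSTORE would change this
    )
    if ($CcmCertSel -notmatch '^(?<kw>Subject|SubjectStr|SubjectAttr):(?<val>.+)$') {
        throw 'CCMCERTSEL must be Subject:<value>, SubjectStr:<value> or SubjectAttr:<attr> = <value>'
    }
    $keyword = $Matches.kw
    $value   = $Matches.val.Trim()

    $candidates = Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    }

    $matched = foreach ($cert in $candidates) {
        $cn  = @(Get-SubjectAttributeValues $cert 'CN')
        $san = @(Get-SanDnsNames $cert)
        $hit = switch ($keyword) {
            # exact match: case-sensitive on the Subject Name, case-insensitive on the SAN
            'Subject'    { ($cn -ccontains $value) -or ($san -contains $value) }
            # partial match: case-insensitive on both
            'SubjectStr' {
                ($cert.Subject.IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0) -or
                (@($san | Where-Object { $_.IndexOf($value, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0)
            }
            'SubjectAttr' {
                if ($value -notmatch '^(?<attr>[^=]+?)\s*=\s*(?<want>.+)$') { throw 'SubjectAttr needs <attr> = <value>' }
                $attr = $Matches.attr.Trim(); $want = $Matches.want.Trim()
                if ($SubjectAttrOids.ContainsKey($attr)) { $attr = $SubjectAttrOids[$attr] }   # OID form -> name
                @(Get-SubjectAttributeValues $cert $attr) -ccontains $want
            }
        }
        if ($hit) { $cert }
    }

    if ($FirstCert) {
        # CCMFIRSTCERT=1: prefer the certificate with the longest validity period
        $matched | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1
    } else {
        $matched
    }
}

# Usage: what CCMCERTSEL="SubjectStr:contoso.com" with CCMFIRSTCERT=1 would choose on this computer
Find-ClientAuthCertificate -CcmCertSel 'SubjectStr:contoso.com' -FirstCert |
    Format-List Subject, Thumbprint, NotBefore, NotAfter
```

Run it without -FirstCert to list every certificate the criterion matches; more than one result is the situation in which CCMFIRSTCERT decides, and no result means the criterion should be revisited before the client is installed with /UsePKICert.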
CCMCERTSTORE
If the client installer can't locate a valid certificate in the default Personal certificate store for the computer, use
this property to specify an alternate certificate store name.
Example: CCMSetup.exe /UsePKICert CCMCERTSTORE="ConfigMgr"

CCMDEBUGLOGGING
This property enables debug logging when the client installs. This property causes the client to log low-level
information for troubleshooting. Avoid using this property in production sites. Excessive logging can occur,
which might make it difficult to find relevant information in the log files. Also enable CCMENABLELOGGING .
Supported values:
0 : Turn off debug logging (default)
1 : Turn on debug logging
Example: CCMSetup.exe CCMDEBUGLOGGING=1

For more information, see About log files.


CCMENABLELOGGING
Configuration Manager enables logging by default.
Supported values:
TRUE : Turn on logging (default)
FALSE : Turn off logging
Example: CCMSetup.exe CCMENABLELOGGING=TRUE
For more information, see About log files.
CCMEVALINTERVAL
The frequency in minutes at which the client health evaluation tool (ccmeval.exe) runs. Specify an integer value
from 1 to 1440 . By default, ccmeval runs once a day (1440 minutes).
Example: CCMSetup.exe CCMEVALINTERVAL=1440

For more information on client health evaluation, see Monitor clients.


CCMEVALHOUR
The hour during the day when the client health evaluation tool (ccmeval.exe) runs. Specify an integer value from
0 (midnight) to 23 (11:00 PM). By default, ccmeval runs at midnight.

For more information on client health evaluation, see Monitor clients.


CCMFIRSTCERT
If you set this property to 1 , the client selects the PKI certificate with the longest validity period.
Example: CCMSetup.exe /UsePKICert CCMFIRSTCERT=1

CCMHOSTNAME
If the client is managed over the internet, this property specifies the FQDN of the internet-based management
point.
Don't specify this option with the installation property of SMSSITECODE=AUTO . Directly assign internet-based
clients to an internet-based site.
Example: CCMSetup.exe /UsePKICert CCMHOSTNAME="SMSMP01.corp.contoso.com"

This property can specify the address of a cloud management gateway (CMG). To get the value for this property,
use the following steps:
Create a CMG. For more information, see Set up a CMG.
On an active client, open a Windows PowerShell command prompt as an administrator.
Run the following command:

(Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}).MP

Use the returned value as-is with the CCMHOSTNAME property.


For example: ccmsetup.exe CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057598037248100

IMPORTANT
When you specify the address of a CMG for the CCMHOSTNAME property, don't append a prefix such as https:// .
Only use this prefix with the /mp URL of a CMG.

CCMHTTPPORT
Specifies the port for the client to use when it communicates over HTTP to site system servers. By default, this
value is 80 .
Example: CCMSetup.exe CCMHTTPPORT=80

CCMHTTPSPORT
Specifies the port for the client to use when it communicates over HTTPS to site system servers. By default, this
value is 443 .
Example: CCMSetup.exe /UsePKICert CCMHTTPSPORT=443

CCMINSTALLDIR
Use this property to set the folder to install the Configuration Manager client files. By default, it uses
%WinDir%\CCM .

TIP
Regardless of where you install the client files, it always installs the ccmcore.dll file in the %WinDir%\System32 folder. On
a 64-bit OS, it installs a copy of ccmcore.dll in the %WinDir%\SysWOW64 folder. This file supports 32-bit applications that
use the 32-bit version of the client APIs from the Configuration Manager SDK.

Example: CCMSetup.exe CCMINSTALLDIR="C:\ConfigMgr"

CCMLOGLEVEL
Use this property to specify the level of detail to write to Configuration Manager log files.
Supported values:
0 : Verbose
1 : Default
2 : Warnings and errors
3 : Errors only

Example: CCMSetup.exe CCMLOGLEVEL=0

For more information, see About log files.


CCMLOGMAXHISTORY
When a Configuration Manager log file reaches the maximum size, the client renames it as a backup and creates
a new log file. This property specifies how many previous versions of the log file to keep. The default value is 1 .
If you set the value to 0 , the client doesn't keep any log file history.
Example: CCMSetup.exe CCMLOGMAXHISTORY=5

For more information, see About log files.


CCMLOGMAXSIZE
This property specifies the maximum log file size in bytes. When a log grows to the specified size, the client
renames it as a history file, and creates a new one. The default size is 250,000 bytes, and the minimum size is
10,000 bytes.
Example: CCMSetup.exe CCMLOGMAXSIZE=300000 (300,000 bytes)
DISABLESITEOPT
Set this property to TRUE to block administrators from changing the assigned site in the Configuration
Manager control panel.
Example: CCMSetup.exe DISABLESITEOPT=TRUE
DISABLECACHEOPT
If set to TRUE, this property prevents administrative users from changing the client cache folder settings in the
Configuration Manager control panel.
Example: CCMSetup.exe DISABLECACHEOPT=TRUE

DNSSUFFIX
Specify a DNS domain for clients to locate management points that you publish in DNS. When the client locates
a management point, it tells the client about other management points in the hierarchy. This behavior means
that the management point that the client finds from DNS can be any one in the hierarchy.

NOTE
You don't have to specify this property if the client is in the same domain as a published management point. In that case,
the client's domain is automatically used to search DNS for management points.

For more information about DNS publishing as a service location method for Configuration Manager clients,
see Service location and how clients determine their assigned management point.

NOTE
By default, Configuration Manager doesn't enable DNS publishing.

Example: CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com

FSP
Specify the fallback status point that receives and processes state messages sent by Configuration Manager
clients.
For more information, see Determine if you need a fallback status point.
Example: CCMSetup.exe FSP=SMSFP01

IGNOREAPPVVERSIONCHECK
If you set this property to TRUE , the client installer doesn't check the minimum required version of Microsoft
Application Virtualization (App-V).

IMPORTANT
If you install the Configuration Manager client without installing App-V, you can't deploy virtual applications.

Example: CCMSetup.exe IGNOREAPPVVERSIONCHECK=TRUE

NOTIFYONLY
When you enable this property, the client reports status, but doesn't remediate problems that it finds.
Example: CCMSetup.exe NOTIFYONLY=TRUE

For more information, see How to configure client status.


PROVISIONTS
Use this property to start a task sequence on a client after it successfully registers with the site.

NOTE
If the task sequence installs software updates or applications, clients need a valid client authentication certificate. Token
authentication alone doesn't work. For more information, see Release notes - OS deployment.

For example, you provision a new Windows device with Windows Autopilot, auto-enroll it to Microsoft Intune,
and then install the Configuration Manager client for co-management. If you specify this new option, the newly
provisioned client then runs a task sequence. This process gives you additional flexibility to install applications
and software updates, or configure settings.
Use the following process:
1. Create a non-OS deployment task sequence to install apps, install software updates, and configure
settings.
2. Deploy this task sequence to the new built-in collection, All Provisioning Devices . Note the task
sequence deployment ID, for example PRI20001 .
TIP
The deployment's purpose can be either available or required. Since you specify the deployment ID as the
property value, the purpose doesn't matter.

3. Install the Configuration Manager client on a device using ccmsetup.msi , and include the following
property: PROVISIONTS=PRI20001 . Set the value of this property as the task sequence deployment ID.
If you're installing the client from Intune during co-management enrollment, see How to prepare
internet-based devices for co-management.

NOTE
This method may have additional prerequisites. For example, enrolling the site to Azure Active Directory,
or creating a content-enabled cloud management gateway.
Regardless of the method, only use this property with ccmsetup.msi.

After the client installs and properly registers with the site, it starts the referenced task sequence. If client
registration fails, the task sequence won't start.

NOTE
The task sequence launched by PROVISIONTS uses the Default Client Settings . This task sequence starts
immediately after the client registers, so it won't be part of any collection to which you've deployed custom client settings.
The client doesn't process or apply custom client settings before this task sequence runs.
For the task sequence to work properly, you may need to change certain settings in the Default Client Settings . For
example,
Cloud Services group: Enable clients to use a cloud management gateway and Allow access to cloud distribution point
Computer Agent group: PowerShell execution policy
If devices don't need these client settings after the task sequence completes, deploy new custom client settings to reverse
the default settings.
For more information, see About client settings.

RESETKEYINFORMATION
If a client has the wrong Configuration Manager trusted root key, it can't contact a trusted management point to
receive the new trusted root key. Use this property to remove the old trusted root key. This situation may occur
when you move a client from one site hierarchy to another. This property applies to clients that use HTTP and
HTTPS client communication. For more information, see Planning for the trusted root key.
Example: CCMSetup.exe RESETKEYINFORMATION=TRUE

SITEREASSIGN
Enables automatic site reassignment for client upgrades when used with SMSSITECODE=AUTO.
Example: CCMSetup.exe SMSSITECODE=AUTO SITEREASSIGN=TRUE

SMSCACHEDIR
Specifies the location of the client cache folder on the client computer. By default, the cache location is
%WinDir%\ccmcache .

Example: CCMSetup.exe SMSCACHEDIR="C:\Temp"

Use this property with the SMSCACHEFLAGS property to control the client cache folder location. For example,
to install the client cache folder on the largest available client disk drive:
CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE

SMSCACHEFLAGS
Use this property to specify further installation details for the client cache folder. You can use
SMSCACHEFLAGS properties individually or in combination separated by semicolons ( ; ).
If you don't include this property:
The client installs the cache folder according to the SMSCACHEDIR property
The folder isn't compressed
The client uses the SMSCACHESIZE property as the size limit in MB of the cache
When you upgrade an existing client, the client installer ignores this property.
Values for the SMSCACHEFLAGS property
PERCENTDISKSPACE : Set the cache size as a percentage of the total disk space. If you specify this
property, also set SMSCACHESIZE to a percentage value.
PERCENTFREEDISKSPACE : Set the cache size as a percentage of the free disk space. If you specify this
property, also set SMSCACHESIZE as a percentage value. For example, the disk has 10 MB free, and you
specify SMSCACHESIZE=50 . The client installer sets the cache size to 5 MB. You can't use this property with
the PERCENTDISKSPACE property.
MAXDRIVE : Install the cache on the largest available disk. If you specify a path with the SMSCACHEDIR
property, the client installer ignores this value.
MAXDRIVESPACE : Install the cache on the disk drive with the most free space. If you specify a path with
the SMSCACHEDIR property, the client installer ignores this value.
NTFSONLY : Only install the cache on an NTFS-formatted disk drive. If you specify a path with the
SMSCACHEDIR property, the client installer ignores this value.
COMPRESS : Store the cache in a compressed form.
FAILIFNOSPACE : If there's insufficient space to install the cache, remove the Configuration Manager
client.
Example: CCMSetup.exe SMSCACHEFLAGS=NTFSONLY;COMPRESS

SMSCACHESIZE

IMPORTANT
Client settings are available for specifying the client cache folder size. The addition of those client settings effectively
replaces using SMSCACHESIZE as a client.msi property to specify the size of the client cache. For more information, see
the client settings for cache size.

When you upgrade an existing client, the client installer ignores this setting. The client also ignores the cache
size when it downloads software updates.
Example: CCMSetup.exe SMSCACHESIZE=100

NOTE
If you reinstall a client, you can't use SMSCACHESIZE or SMSCACHEFLAGS to set the cache size to be smaller than it
was previously. The previous size is the minimum value.

SMSCONFIGSOURCE
Use this property to specify the location and order that the client installer checks for configuration settings. It's a
string of one or more characters, each defining a specific configuration source:
R : Check for configuration settings in the registry.
For more information, see Provision client installation properties.
P : Check for configuration settings in the installation properties from the command line.
M : Check for existing settings when you upgrade an older client.
U : Upgrade the installed client to a newer version and use the assigned site code.
By default, the client installer uses PU . It first checks the installation properties ( P ) and then the existing
settings ( U ).
Example: CCMSetup.exe SMSCONFIGSOURCE=RP

SMSMP
Specifies an initial management point for the Configuration Manager client to use.

IMPORTANT
If the management point only accepts client connections over HTTPS, prefix the management point name with https://
.

Examples:
CCMSetup.exe SMSMP=smsmp01.contoso.com

CCMSetup.exe SMSMP=https://smsmp01.contoso.com

SMSMPLIST
Specifies a list of management points for the Configuration Manager client to use. Use a semicolon as the delimiter
when you specify multiple management points.

IMPORTANT
If the management point only accepts client connections over HTTPS, prefix the management point name with https://
.

Examples:
CCMSetup.exe SMSMPLIST=https://smsmp01.contoso.com;https://smsmp02.contoso.com;smsmp03.contoso.com

CCMSetup.exe SMSMPLIST=https://smsmp01.contoso.com;smsmp02.contoso.com;smsmp03.contoso.com

SMSPUBLICROOTKEY
If the client can't get the Configuration Manager trusted root key from Active Directory Domain Services, use
this property to specify the key. This property applies to clients that use HTTP and HTTPS communication. For
more information, see Planning for the trusted root key.
Example: CCMSetup.exe SMSPUBLICROOTKEY=<keyvalue>

TIP
Get the value for the site's trusted root key from the mobileclient.tcf file on the site server. For more information, see Pre-
provision a client with the trusted root key by using a file.

SMSROOTKEYPATH
Use this property to reinstall the Configuration Manager trusted root key. It specifies the full path and name of a
file that contains the trusted root key. This property applies to clients that use HTTP and HTTPS client
communication. For more information, see Planning for the trusted root key.
Example: CCMSetup.exe SMSROOTKEYPATH=C:\folder\trk

SMSSIGNCERT
Specifies the full path and name of the exported self-signed certificate on the site server. The site server stores
this certificate in the SMS certificate store. It has the Subject name Site Server and the friendly name Site
Server Signing Certificate .
Export the certificate without the private key, store the file securely, and access it only from a secured channel.
Example: CCMSetup.exe /UsePKICert SMSSIGNCERT=C:\folder\smssign.cer

SMSSITECODE
This property specifies a Configuration Manager site to which you assign the client. This value can either be a
three-character site code or the word AUTO . If you specify AUTO , or don't specify this property, the client
attempts to determine its site assignment from Active Directory Domain Services or from a specified
management point. To enable AUTO for client upgrades, also set SITEREASSIGN=TRUE.

NOTE
If you also specify an internet-based management point with the CCMHOSTNAME property, don't use AUTO with
SMSSITECODE . Directly assign the client to its site by specifying the site code.

Example: CCMSetup.exe SMSSITECODE=XZY

Attribute values for certificate selection criteria


Configuration Manager supports the following attribute values for the PKI certificate selection criteria:

OID attribute                 Distinguished name attribute   Attribute definition
0.9.2342.19200300.100.1.25    DC                             Domain component
1.2.840.113549.1.9.1          E or E-mail                    Email address
2.5.4.3                       CN                             Common name
2.5.4.4                       SN                             Subject name
2.5.4.5                       SERIALNUMBER                   Serial number
2.5.4.6                       C                              Country code
2.5.4.7                       L                              Locality
2.5.4.8                       S or ST                        State or province name
2.5.4.9                       STREET                         Street address
2.5.4.10                      O                              Organization name
2.5.4.11                      OU                             Organizational unit
2.5.4.12                      T or Title                     Title
2.5.4.42                      G or GN or GivenName           Given name
2.5.4.43                      I or Initials                  Initials
2.5.29.17                     (no value)                     Subject Alternative Name
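The following is an added example, not Microsoft's code, that models how the CCMCERTSEL keywords (Subject, SubjectStr, SubjectAttr) and CCMFIRSTCERT=1 described earlier select a client certificate, using the OID and distinguished-name aliases from the table above. The certificates are constructed sample data rather than real X.509 objects, and the Subject Name is modelled as the subject CN (an assumption).

```python
"""Model of CCMCERTSEL certificate selection (added example, not Microsoft's code).

Subject: exact match, case-sensitive on the Subject Name, case-insensitive on the
Subject Alternative Name.  SubjectStr: partial, case-insensitive.  SubjectAttr:
OID or DN attribute.  CCMFIRSTCERT=1: longest validity period wins.
"""
from dataclasses import dataclass
from datetime import datetime

# Distinguished-name aliases -> OID, taken from the attribute table above.
DN_ATTRIBUTE_OIDS = {
    "DC": "0.9.2342.19200300.100.1.25",
    "E": "1.2.840.113549.1.9.1", "E-MAIL": "1.2.840.113549.1.9.1",
    "CN": "2.5.4.3", "SN": "2.5.4.4", "SERIALNUMBER": "2.5.4.5",
    "C": "2.5.4.6", "L": "2.5.4.7", "S": "2.5.4.8", "ST": "2.5.4.8",
    "STREET": "2.5.4.9", "O": "2.5.4.10", "OU": "2.5.4.11",
    "T": "2.5.4.12", "TITLE": "2.5.4.12",
    "G": "2.5.4.42", "GN": "2.5.4.42", "GIVENNAME": "2.5.4.42",
    "I": "2.5.4.43", "INITIALS": "2.5.4.43",
}


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate in the Personal store (constructed)."""
    name: str            # label for the sample only
    subject: dict        # subject attributes, OID -> value
    sans: list           # DNS names from the Subject Alternative Name
    not_before: datetime
    not_after: datetime

    @property
    def subject_name(self) -> str:
        return self.subject.get("2.5.4.3", "")   # CN models the Subject Name (assumption)


def _attr_oid(attr: str) -> str:
    """Accept a dotted OID or a DN alias such as OU; return the OID."""
    attr = attr.strip()
    parts = attr.split(".")
    if len(parts) > 1 and all(p.isdigit() for p in parts):
        return attr
    try:
        return DN_ATTRIBUTE_OIDS[attr.upper()]
    except KeyError:
        raise ValueError(f"unsupported attribute {attr!r}") from None


def matches(cert: Cert, criterion: str) -> bool:
    """Apply one CCMCERTSEL criterion ('Keyword:value') to a certificate."""
    keyword, sep, value = criterion.partition(":")
    if not sep:
        raise ValueError(f"expected Keyword:value, got {criterion!r}")
    keyword, value = keyword.strip().lower(), value.strip()
    if keyword == "subject":
        return (cert.subject_name == value
                or any(san.lower() == value.lower() for san in cert.sans))
    if keyword == "subjectstr":
        needle = value.lower()
        return (needle in cert.subject_name.lower()
                or any(needle in san.lower() for san in cert.sans))
    if keyword == "subjectattr":
        attr, sep, wanted = value.partition("=")
        if not sep:
            raise ValueError(f"SubjectAttr needs 'attr = value', got {value!r}")
        # Attribute values are compared exactly here (assumption).
        return cert.subject.get(_attr_oid(attr)) == wanted.strip()
    raise ValueError(f"unknown CCMCERTSEL keyword {keyword!r}")


def match_certificates(certs, criterion):
    return [c for c in certs if matches(c, criterion)]


def select_certificate(certs, criterion, ccmfirstcert=0):
    """Return the certificate the installer would use, or None.

    CCMFIRSTCERT=1 breaks a tie by the longest validity period; without it an
    ambiguous result is reported as None (assumption; the page does not say).
    """
    found = match_certificates(certs, criterion)
    if len(found) == 1:
        return found[0]
    if len(found) > 1 and ccmfirstcert == 1:
        return max(found, key=lambda c: c.not_after - c.not_before)
    return None


def sample_certs():
    """Constructed sample store: two certs for computer1, one for another host."""
    return [
        Cert("cert-a", {"2.5.4.3": "computer1.contoso.com", "2.5.4.11": "Computers"},
             ["computer1.contoso.com"], datetime(2022, 1, 1), datetime(2023, 1, 1)),
        Cert("cert-b", {"2.5.4.3": "COMPUTER1.CONTOSO.COM", "2.5.4.11": "Servers"},
             [], datetime(2022, 1, 1), datetime(2024, 1, 1)),
        Cert("cert-c", {"2.5.4.3": "host2.contoso.com", "2.5.4.11": "Computers"},
             ["host2.contoso.com", "alias.contoso.com"],
             datetime(2022, 6, 1), datetime(2022, 12, 1)),
    ]
```

Running `match_certificates(sample_certs(), "Subject:COMPUTER1.CONTOSO.COM")` returns both computer1 certificates (cert-a via its SAN, cert-b via its Subject Name), and `select_certificate` with `ccmfirstcert=1` picks cert-b because its validity period is longer.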

Client push installation


If you use the client push installation method, use the following options on the Client tab of the Client Push
Installation Properties in the Configuration Manager console:
Any of the Client.msi properties
The following subset of CCMSetup.exe command-line parameters are allowed for client push:
/AllowMetered (starting in version 2103)
/AlwaysExcludeUpgrade
/BITSPriority
/downloadtimeout
/ExcludeFeatures
/forcereboot
/logon
/skipprereq
/UsePKICert
About client installation properties published to
Active Directory Domain Services
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


When you extend the Active Directory schema for Configuration Manager, and the site is published to Active
Directory Domain Services, many client installation properties are published to Active Directory Domain
Services. If a computer can locate these client installation properties, it can use them during Configuration
Manager client deployment.
The advantages of using Active Directory Domain Services to publish client installation properties include the
following:
Software update point-based client installations and Group Policy client installations do not require setup
parameters to be set up on each computer.
Because this information is automatically generated, the risk of human error associated with manually
entering installation properties is eliminated.

NOTE
For more information about how to extend the Active Directory schema for Configuration Manager, and how to publish a
site, see Schema extensions for Configuration Manager.

Client installation properties published to Active Directory Domain Services

The following is a list of client installation properties. For more information about each item listed below, see
About client installation properties.
The Configuration Manager site code.
The site server signing certificate.
The trusted root key.
The client communication ports for HTTP and HTTPS.
The fallback status point. If the site has multiple fallback status points, only the first one that was installed
is published to Active Directory Domain Services.
A setting to indicate that the client must communicate by using HTTPS only.
Settings related to PKI certificates:
Whether to use a client PKI certificate.
The selection criteria for certificate selection. This may be required because the client has more
than one valid PKI certificate that can be used for Configuration Manager.
A setting to determine which certificate to use if the client has multiple valid certificates after the
certificate selection process.
The certificate issuers list that contains a list of trusted root CA certificates.
Client.msi installation properties that are specified in the Client tab of the Client Push Installation
Properties dialog box.
Client installation (CCMSetup) uses the properties that are published to Active Directory Domain Services only if
no other properties are specified by using either of the following:
The manual installation method (described later in this article)
The Group Policy installation method (described later in this article)

NOTE
The client installation properties are used to install the client. These properties might be overwritten with new settings
from its assigned site after the client is installed and has successfully been assigned to a Configuration Manager site.

Use the details in the following sections to determine which Configuration Manager client installation methods
use Active Directory Domain Services to obtain client installation properties.

Client push installation


Client push installation does not use Active Directory Domain Services to obtain installation properties.
Instead, you can specify client installation properties in the Installation Properties tab of the Client Push
Installation Properties dialog box. These options and client-related site settings are stored in a file that the
client reads during client installation.

NOTE
You do not have to specify any CCMSetup properties for client push installation, or the fallback status point, or the
trusted root key in the Installation Properties tab. These settings are automatically supplied to clients when they are
installed by using client push installation. In addition to Client.msi properties, CCMSetup supports the following
parameters: /forcereboot, /skipprereq, /logon, /BITSPriority, /downloadtimeout, /forceinstall

Any properties that you specify in the Installation Properties tab are published to Active Directory Domain
Services if the site is published to Active Directory Domain Services. These settings are read by client
installations where CCMSetup is run with no installation properties.

Software update point-based installation


The software update point-based installation method does not support the addition of installation properties to
the CCMSetup command line.
If no command line properties have been provisioned on the client computer by using Group Policy, CCMSetup
searches Active Directory Domain Services for installation properties.

Group Policy installation


The Group Policy installation method does not support the addition of installation properties to the CCMSetup
command line.
If no command line properties have been provisioned on the client computer, CCMSetup searches Active
Directory Domain Services for installation properties.
Manual installation
CCMSetup searches Active Directory Domain Services for installation properties under the following
circumstances:
No command line properties are specified after the CCMSetup.exe command.
The computer has not been provisioned with installation properties by using Group Policy.

Logon script installation


CCMSetup searches Active Directory Domain Services for installation properties under the following
circumstances:
No command line properties are specified after the CCMSetup.exe command.
The computer has not been provisioned with installation properties by using Group Policy.

Software distribution installation


CCMSetup searches Active Directory Domain Services for installation properties under the following
circumstances:
No command line properties are specified after the CCMSetup.exe command.
The computer has not been provisioned with installation properties by using Group Policy.

Installations for clients that cannot access Active Directory Domain Services

These client computers cannot read or access the published installation properties from Active Directory
Domain Services.
These clients include:
Workgroup computers.
Clients that are assigned to a Configuration Manager site that is not published to Active Directory
Domain Services.
Clients that are installed when they are on the Internet.
Prepare to deploy client software to Macs
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

Follow these steps to make sure that you're ready to deploy the Configuration Manager client to Mac computers.
For the list of supported versions, see Supported operating systems for clients and devices.

Certificate requirements
Client installation and management for Mac computers requires public key infrastructure (PKI) certificates. PKI
certificates secure the communication between the Mac computers and the Configuration Manager site by using
mutual authentication and encrypted data transfers. Configuration Manager can request and install a user client
certificate. It uses Certificate Services with an enterprise certification authority, and the Configuration Manager
enrollment point and enrollment proxy point. You can also request and install a computer certificate
independently from Configuration Manager. This certificate must meet the Configuration Manager certificate
requirements.
Configuration Manager Mac clients always check for certificate revocation. You can't disable this function.
If Mac clients can't locate the certificate revocation list (CRL), they can't connect to Configuration Manager site
systems. Especially for Mac clients in a different forest from the issuing certification authority, check your CRL
design. Make sure that Mac clients can locate and download a CRL.
Before you install the Configuration Manager client on a Mac computer, decide how to install the client
certificate:
Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't
support automatic certificate renewal. Re-enroll Mac computers before the certificate expires.
Use a certificate request and installation method that's independent from Configuration Manager.
For more information about Mac client certificate requirements, see PKI certificate requirements for
Configuration Manager.
Mac clients are automatically assigned to the Configuration Manager site that manages them. Mac clients install
as internet-only clients, even if communication is restricted to the intranet. This configuration means that they
communicate with internet-enabled management points and distribution points in their assigned site. Mac
computers don't communicate with site systems outside their assigned site.

IMPORTANT
The Configuration Manager client for macOS can't be used to connect to a management point that's configured to use a
database replica.

Deploy a web server certificate to site system servers


If these site systems don't have it, deploy a web server certificate to the computers that have these site system
roles:
Management point
Distribution point
Enrollment point
Enrollment proxy point
The web server certificate must include the internet FQDN that's specified in the site system properties. The
server doesn't have to be accessible from the internet to support Mac computers. If you don't require internet-
based client management, you can specify the intranet FQDN value for the internet FQDN.
Specify the site system's internet FQDN value in the web server certificate for the management point, the
distribution point, and the enrollment proxy point.
For an example deployment, see Deploying the web server certificate for site systems that run IIS.

Deploy a client authentication certificate to site system servers


If these site systems don't have it, deploy a client authentication certificate to the computers that host these site
system roles:
Management point
Distribution point
For an example deployment that creates and installs the client certificate for management points, see the
Deploying the client certificate for Windows computers.
For an example deployment that creates and installs the client certificate for distribution points, see the
Deploying the client certificate for distribution points.

IMPORTANT
To deploy the client to devices running macOS Sierra, the subject name of the management point certificate must be
configured correctly. For example, use the FQDN of the management point server.

Prepare the client certificate template for Macs


The certificate template must have Read and Enroll permissions for the user account that enrolls the certificate
on the Mac computer.
For more information, see Deploying the client certificate for Mac computers.

Configure the management point and distribution point


Configure management points for the following options:
HTTPS
Allow client connections from the internet. This configuration value is required to manage Mac
computers. However, it doesn't mean that site system servers must be accessible from the internet.
Allow mobile devices and Mac computers to use this management point
Distribution points aren't required to install the client for Mac. If you want to deploy software to these
computers after you install the client, configure distribution points to allow client connections from the internet.
To configure management points and distribution points to support Macs
Before you start this procedure, make sure to configure the management point and distribution point with an
internet FQDN. If these servers don't support internet-based client management, specify the intranet FQDN as
the internet FQDN value.
The site system roles must be in a primary site.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Servers and Site System Roles node. Then select the server that has
the right site system roles.
2. In the details pane, select the Management point role, and select Properties in the ribbon. In the
Management point Properties window, configure these options:
a. Choose HTTPS .
b. Choose Allow internet-only client connections or Allow intranet and internet client
connections . These options require an internet or intranet FQDN.
c. Choose Allow mobile devices and Mac computers to use this management point .
d. Select OK to save this configuration.
3. In the details pane of the Server and Site System Roles node, select the Distribution point role, and
select Properties in the ribbon. In the Distribution point Properties window, configure these options:
Choose HTTPS .
Choose Allow internet-only client connections or Allow intranet and internet client
connections . These options require an internet or intranet FQDN.
Choose Import certificate , browse to the exported client distribution point certificate file, and
then specify the password.
4. Repeat this procedure for all management points and distribution points in primary sites that manage
Mac computers.

Configure the enrollment proxy point and the enrollment point


Install both roles in the same site. You don't have to install them on the same site system server, or in the same
Active Directory forest.
For more information about site system role placement and considerations, see Site system roles.
To add the site system roles to support Mac computers, see Install site system roles.
On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of
available roles.

Install the reporting services point


For more information, see Install the reporting services point.

Next steps
Deploy the Configuration Manager client to Mac computers
How to deploy clients to Macs
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

This article describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn
about what you have to configure before deploying clients to Mac computers, see Prepare to deploy client
software to Macs.
When you install a new client for Mac computers, you might have to also install Configuration Manager updates
to reflect the new client information in the Configuration Manager console.
In these procedures, you have two options for installing client certificates. Read more about client certificates for
Macs in Prepare to deploy client software to Macs.
Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't
support automatic certificate renewal. Re-enroll the Mac computer before the installed certificate expires.
Use a certificate request and installation method that is independent from Configuration Manager.

IMPORTANT
To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point
certificate. For example, use the FQDN of the management point server.

Configure client settings


Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings.
To request and install the certificate, the Configuration Manager client for Mac requires the default client
settings.
1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings
node, and then select Default Client Settings.
2. On the Home tab of the ribbon, in the Properties group, choose Properties.
3. Select the Enrollment section, and then configure the following settings:
a. Allow users to enroll mobile devices and Mac computers: Yes
b. Enrollment profile: Choose Set Profile.
4. In the Mobile Device Enrollment Profile dialog box, choose Create.
5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile. Then configure
the Management site code. Select the Configuration Manager primary site that contains the
management points for these Mac computers.
NOTE
If you can't select the site, make sure that you configure at least one management point in the site to support
mobile devices.

6. Choose Add.
7. In the Add Certification Authority for Mobile Devices window, select the certification authority
server that issues certificates to Mac computers.
8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you
previously created.
9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

TIP
If you want to change the client policy interval, use Client policy polling interval in the Client Policy client
setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To
initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.
In addition to the enrollment client settings, make sure that you have configured the following client device
settings:
Hardware inventory: Enable and configure this feature if you want to collect hardware inventory from
Mac and Windows client computers. For more information, see How to extend hardware inventory.
Compliance settings: Enable and configure this feature if you want to evaluate and remediate settings
on Mac and Windows client computers. For more information, see Plan for and configure compliance
settings.
For more information, see How to configure client settings.

Download the client for macOS


NOTE
The macOS client installation package isn't available for new deployments, but existing deployments are supported until
December 31, 2022.

1. Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration
Manager installation media.
2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder
on the local disk. The default path is
C:\Program Files\Microsoft\System Center Configuration Manager for Mac client.

3. Copy the Macclient.dmg file to a folder on the Mac computer.


4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.
5. In the folder, make sure that it contains the following files:
Ccmsetup: Installs the Configuration Manager client on your Mac computers using
CMClient.pkg
CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on
your Mac computers
CMUninstall: Uninstalls the client from your Mac computers
CMAppUtil: Converts Apple application packages into a format that you can deploy as a
Configuration Manager application
CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then
install the Configuration Manager client

Enroll the Mac client


Enroll individual clients with the Mac computer enrollment wizard.
To automate enrollment for many clients, use the CMEnroll tool.
Enroll the client with the Mac computer enrollment wizard
1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select
Enroll from the Configuration Manager preference page.
2. On the second page of the wizard, provide the following information:
User name: The user name can be in the following formats:
domain\name. For example: contoso\mnorth
user@domain. For example: mnorth@contoso.com

IMPORTANT
When you use an email address to populate the User name field, Configuration Manager
automatically populates the Server name field. It uses the default name of the enrollment proxy
point server and the domain name of the email address. If these names don't match the name of
the enrollment proxy point server, fix the Server name during enrollment.

The user name and corresponding password must match an Active Directory user account
that has Read and Enroll permissions on the Mac client certificate template.
Server name: The name of the enrollment proxy point server.
Client and certificate automation with CMEnroll
Use this procedure for automation of client installation and requesting and enrollment of client certificates with
the CMEnroll tool. To run the tool, you must have an Active Directory user account.
1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.
2. Enter the following command: sudo ./ccmsetup

3. Wait until you see the Completed installation message. Although the installer displays a message that
you must restart now, don't restart, and continue to the next step.
4. From the Tools folder on the Mac computer, type the following command:
sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer.
For more information, see Enroll the client by using the Mac computer enrollment wizard.
Example: If the enrollment proxy point server is named server02.contoso.com, and you grant
contoso\mnorth permissions for the Mac client certificate template, type the following command:
sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contoso\mnorth'

NOTE
If the user name includes any of the characters <>"+=, then enrollment fails. Use an out-of-band certificate
with a user name that doesn't include these characters.
For a more seamless user experience, script the installation steps. Then users only have to supply their user name
and password.

5. Type the password for the Active Directory user account. When you enter this command, it prompts for
two passwords. The first password is for the super user account to run the command. The second prompt
is for the Active Directory user account. The prompts look identical, so make sure that you specify them in
the correct sequence.
6. Wait until you see the Successfully enrolled message.
7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window
and make the following changes:
a. Enter the command
sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

b. In the Keychain Access window, in the Keychains section, choose System. Then in the
Category section, choose Keys.
c. Expand the keys to view the client certificates. Find the certificate with a private key that you
installed, and open the key.
d. On the Access Control tab, choose Confirm before allowing access.
e. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose
Add.
f. Choose Save Changes and close the Keychain Access dialog box.
8. Restart the Mac computer.
To verify that the client installation is successful, open the Configuration Manager item in System
Preferences on the Mac computer. Also update and view the All Systems collection in the Configuration
Manager console. Confirm that the Mac computer appears in this collection as a managed client.

TIP
To help troubleshoot the Mac client, use the CMDiagnostics tool included with the Mac client package. Use it to collect
the following diagnostic information:
A list of running processes
The macOS X operating system version
macOS X crash reports relating to the Configuration Manager client, including CCM*.crash and System
Preference.crash.
The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation.
The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.
The information collected by CMDiagnostics is added to a zip file that is saved to the desktop of the computer and is
named cmdiag-<hostname>-<datetime>.zip.
Manage certificates external to Configuration Manager
You can use a certificate request and installation method independent from Configuration Manager. Use the
same general process, but include the following additional steps:
When you install the Configuration Manager client, use the MP and SubjectName command-line
options. Enter the following command:
sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The
certificate subject name is case-sensitive, so type it exactly as it appears in the certificate details.
Example: The management point's internet FQDN is server03.contoso.com. The Mac client certificate
has the FQDN of mac12.contoso.com as a common name in the certificate subject. Use the following
command: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com
If you have more than one certificate that contains the same subject value, specify the certificate serial
number to use for the Configuration Manager client. Use the following command:
sudo defaults write com.microsoft.ccmclient SerialNumber -data "<serial number>".

For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data "17D4391A00000003DB"
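The note above suggests scripting the installation steps so that users only supply a user name and password. The following script is an added example, not part of the Configuration Manager documentation or the Mac client package: it wraps both options described in this article (the CMEnroll flow and the out-of-band certificate flow) and rejects a user name that would make CMEnroll fail before any privileged command runs. It assumes the files extracted from Macclient.dmg are in CM_CLIENT_DIR (ccmsetup in the root, CMEnroll under Tools/), and it only prints the privileged commands unless CM_DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not code from the Configuration Manager docs or the Mac client
# package): scripts the client install and certificate steps described above so
# that a user only supplies a user name and password, and validates the user
# name before CMEnroll is ever called.
# Assumptions (hypothetical): CM_CLIENT_DIR is the folder extracted from
# Macclient.dmg (ccmsetup in its root, CMEnroll under Tools/); CM_DRY_RUN=1
# (the default) prints the privileged commands instead of running them.

set -u

CM_CLIENT_DIR="${CM_CLIENT_DIR:-.}"
CM_DRY_RUN="${CM_DRY_RUN:-1}"

# CMEnroll enrollment fails when the user name contains any of: < > " + = ,
cm_user_has_bad_chars() {
  case "$1" in
    *[\<\>\"+=,]*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Accept only the two formats the enrollment wizard accepts:
# domain\name (contoso\mnorth) or user@domain (mnorth@contoso.com).
cm_user_format_ok() {
  cm_user_has_bad_chars "$1" && return 1
  case "$1" in
    *\\*\\*)  return 1 ;;   # more than one backslash
    ?*\\?*)   return 0 ;;   # domain\name
    *@*@*)    return 1 ;;   # more than one @
    ?*@?*.?*) return 0 ;;   # user@domain.tld
    *)        return 1 ;;
  esac
}

# Run one command, or in dry-run mode print it. Every privileged step goes
# through here, so nothing executes while the user name is still unvalidated.
cm_run() {
  if [ "$CM_DRY_RUN" = "1" ]; then
    printf 'DRY-RUN:'
    printf ' %s' "$@"
    printf '\n'
    return 0
  fi
  "$@"
}

# Option 1 from the article: install, then enroll with CMEnroll.
# $1 = enrollment proxy point server, $2 = AD user with Read and Enroll
# permission on the Mac client certificate template. Returns 2 on a bad name.
# CMEnroll itself prompts for the sudo password and then the AD password.
cm_enroll_mac() {
  proxy="$1"; user="$2"
  if ! cm_user_format_ok "$user"; then
    printf 'Refusing to enroll: user name "%s" is not domain\\name or user@domain, or contains one of < > " + = ,\n' "$user" >&2
    return 2
  fi
  cm_run sudo "$CM_CLIENT_DIR/ccmsetup" || return 1      # step 2; do not restart yet
  cm_run sudo "$CM_CLIENT_DIR/Tools/CMEnroll" -s "$proxy" -ignorecertchainvalidation -u "$user" || return 1
  printf 'Next: restrict the new private key to CCMClient in Keychain Access, then restart.\n'
}

# Option 2 from the article: certificate issued outside Configuration Manager.
# $1 = management point internet FQDN, $2 = certificate subject (case-sensitive),
# $3 = certificate serial number, only needed when several certificates share
# the same subject.
cm_install_with_external_cert() {
  mp="$1"; subject="$2"; serial="${3:-}"
  cm_run sudo "$CM_CLIENT_DIR/ccmsetup" -MP "$mp" -SubjectName "$subject" || return 1
  if [ -n "$serial" ]; then
    cm_run sudo defaults write com.microsoft.ccmclient SerialNumber -data "$serial" || return 1
  fi
}

# Stand-alone use: ./enroll-mac.sh <enrollment_proxy_server_name> '<domain\user>'
if [ $# -ge 2 ]; then
  cm_enroll_mac "$1" "$2"
fi
```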

Renew the Mac client certificate


This procedure removes the SMSID. The Configuration Manager client for Mac requires a new ID to use a new or
renewed certificate.

IMPORTANT
After you replace the client SMSID, when you delete the old resource in the Configuration Manager console, you also
delete any stored client history. For example, hardware inventory history for that client.

1. Create and populate a device collection for the Mac computers that must renew the computer certificates.
2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard .
3. On the General page of the wizard, specify the following information:
Name: Remove SMSID for Mac
Type: Mac OS X
4. On the Supported Platforms page, select all macOS X versions.
5. On the Settings page, select New. In the Create Setting window, specify the following information:
Name: Remove SMSID for Mac
Setting type: Script
Data type: String
6. In the Create Setting window, for Discovery script, select Add script. This action specifies a script to
discover Mac computers configured with an SMSID.
7. In the Edit Discovery Script window, enter the following shell script:

defaults read com.microsoft.ccmclient SMSID

8. Choose OK to close the Edit Discovery Script window.


9. In the Create Setting window, for Remediation script (optional), choose Add script. This action
specifies a script to remove the SMSID when it's found on Mac computers.
10. In the Create Remediation Script window, enter the following shell script:

defaults delete com.microsoft.ccmclient SMSID

11. Choose OK to close the Create Remediation Script window.


12. On the Compliance Rules page, choose New. Then in the Create Rule window, specify the following
information:
Name: Remove SMSID for Mac
Selected setting: Choose Browse and then select the discovery script that you previously
specified.
In the following values field: The domain/default pair of (com.microsoft.ccmclient,
SMSID) does not exist.
Enable the option to Run the specified remediation script when this setting is
noncompliant.
13. Complete the wizard.
14. Create a configuration baseline that contains this configuration item. Deploy the baseline to the target
collection.
For more information, see How to create configuration baselines.
15. After you install a new certificate on Mac computers that have the SMSID removed, run the following
command to configure the client to use the new certificate:

sudo defaults write com.microsoft.ccmclient SubjectName -string <subject_name_of_new_certificate>

See also
Prepare to deploy clients to Macs
Maintain Mac clients
How to assign clients to a site in Configuration
Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


After you install the Configuration Manager client, before you can manage the client, it needs to join a
Configuration Manager primary site. The site that a client joins is called its assigned site. You can't assign a client
to a central administration site or a secondary site.
The assignment process happens after you successfully install the client and it determines which site manages
the computer. You can either directly assign the client to a site, or use automatic site assignment. With automatic
assignment, the client finds an appropriate site based on its current network location. The client may assign to a
fallback site, if you configure it for the hierarchy.

NOTE
Always assign clients to sites running the same version of Configuration Manager. Avoid assigning a client from a later
release to a site on an earlier release. If necessary, update the primary site to the same Configuration Manager version
that you use for the clients.

After the client assigns to a site, it remains assigned to that site, even if it changes its IP address or roams to
another site. Only an administrator can manually assign the client to another site or remove the client
assignment.

WARNING
An exception to a client remaining assigned to a site is if you assign the client on a Windows Embedded device with write
filters enabled. If you don't first disable write filters before you assign the client, the site assignment status of the client
reverts to its original state when the device next restarts. For example, if you configure the client for automatic site
assignment, it reassigns on startup and might assign to a different site. If the client requires manual site assignment, you
have to manually reassign it before you can manage it.
To avoid this behavior, disable the write filters before you assign the client on embedded devices. Then enable the write
filters after you have verified that site assignment was successful.

If assignment fails, the client remains installed, but you can't manage it. A client is considered unmanaged when
it's installed but not assigned to a site. It's also unmanaged when it's assigned to a site but it can't communicate
with a management point.

Manual site assignment


You can manually assign client computers to a site by using the following two methods:
Use a client installation property that specifies the site code. For more information, see Client installation
properties - SMSSITECODE.
In the Windows Control Panel for Configuration Manager, specify the site code.
NOTE
If you manually assign a client to a site code that doesn't exist, the site assignment fails.

Automatic site assignment


Automatic site assignment typically happens during client deployment. To manually start automatic site
assignment, select Find Site on the Advanced tab of the Configuration Manager control panel. The
Configuration Manager client compares its network location with the boundaries for the hierarchy. When the
network location of the client falls within a boundary group you enabled for site assignment, or the hierarchy is
configured for a fallback site, the client is automatically assigned to that site. This behavior lets clients easily
assign to a site and you don't have to specify a site code.

NOTE
If a client computer has multiple network adapters and multiple IP addresses, the IP address used to evaluate client site
assignment is assigned randomly.

For more information about how to configure boundary groups for site assignment, see Define site boundaries
and boundary groups.
Configuration Manager clients that use automatic site assignment attempt to find site boundary groups that you
publish to Active Directory Domain Services. If this process fails, clients can get boundary group information
from a management point. This process can fail if you don't extend the Active Directory schema for
Configuration Manager, or clients are workgroup computers.
When you install the client, you can specify a management point for it to use, or the client can locate a
management point automatically. For more information, see How clients find site resources and services.
If the client can't find a site in a boundary group for its network location, and the hierarchy doesn't have a
fallback site, the client retries every 10 minutes. It repeats this process until it assigns to a site.
Configuration Manager clients can't automatically assign to a site if any of the following conditions apply:
They are currently assigned to a site.
They are on the internet or configured as internet-only clients.
Their network location doesn't fall within one of the boundary groups in the hierarchy, and there's no
fallback site.
If any of these conditions apply, you have to manually assign the client.

Check site compatibility


After a client has found its assigned site, the site checks the version of the Configuration Manager client and OS.
This check is to make sure that the site can manage the client. For example, a current branch site can't manage a
Configuration Manager 2007 client, or a client that runs Windows 2000.
If you try to assign a client that runs a legacy OS version, site assignment fails. When you assign a Configuration
Manager 2007 client or a System Center 2012 Configuration Manager client to a current branch site,
assignment succeeds to support automatic client upgrade. However, until you upgrade the older generation
clients, you can't manage it.
NOTE
To support the site assignment of a Configuration Manager 2007 or a System Center 2012 Configuration Manager client
to a current branch site, configure automatic client upgrade for the hierarchy. For more information, see the How to
upgrade clients for Windows computers.

Configuration Manager also checks that you've assigned the current branch client to a site that supports it.
The site compatibility check requires one of the following conditions:
The client can access site information published to Active Directory Domain Services.
The client can communicate with a management point in the site.
If the site compatibility check fails to finish successfully, the site assignment fails. The client remains unmanaged
until the site compatibility check runs again and succeeds.
An exception to this site compatibility check is when you configure a client for an internet-based management
point. In this case, Configuration Manager doesn't check site compatibility. If you assign clients to a site that
contains internet-based site systems, and you specify an internet-based management point, make sure that you
assign the client to the correct site.
Scenarios for assignment of legacy clients
The following scenarios might occur during migration from previous versions of Configuration Manager:
You use automatic site assignment and boundaries overlap between versions of Configuration Manager
In this case, the client automatically tries to find a current branch site.
The client first checks Active Directory Domain Services. If it finds a current branch site published, site
assignment succeeds. If this check fails, the client then checks for site information from its assigned
management point.

NOTE
You can specify an initial management point for the client during client installation. For more information, see Client
installation properties - SMSMP.

If both these methods fail, site assignment fails. You need to manually assign the client.
Accidental manual assignment to a legacy site version
For example, you assign a current branch client with a specific site code, and mistakenly specify a site code for a
version of Configuration Manager earlier than System Center 2012 R2 Configuration Manager.
In this case, site assignment fails. Manually reassign the client to a current branch site.

Locate a management point


After the client assigns to a site, it then tries to locate a management point. This process in itself can be complex,
depending upon the situation. For more information about how the client locates management points and other
site resources, see How clients find site resources and services.

Download site settings


After the client finds a management point, it needs to get client-related site settings. These settings include:
The client certificate selection criteria
Whether to use a certificate revocation list
The client request port numbers
The client continues to check these settings on a periodic basis.
Clients get these settings from one of the following methods:
If the client used Active Directory Domain Services for its site compatibility check, it downloads these
settings for its assigned site from the domain.
When clients can't get site settings from Active Directory, they download them from the management
point.
You specify the settings during client installation. For more information, see About client installation
properties.

Download client settings


All clients download the default client settings policy and any applicable custom client settings policies. For
more information, see About client settings.
Software Center relies on these client configuration policies. It notifies users that it can't run until the client
downloads the configuration information. Depending on the client settings that you configure, the initial
download of client settings might take a while. Some client management tasks might not run until this process
is complete.

Verify site assignment


You can verify site assignment success by any of the following methods:
For clients on Windows computers, use the Configuration Manager control panel. Verify that it shows
the correct site code on the Site tab.
In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Devices node. Verify that the computer shows Yes in the Client column and the correct primary site
code in the Site Code column.
Use the reports for client assignment.
Use the LocationServices.log file on the client.

Roaming to other sites


A client on the internal network is assigned to a primary site. You change the client computer's network location.
It's now in a boundary group for another site. In this scenario, the client is roaming in the other site. When this
site is a secondary site for the client's assigned site, the client can use a management point in the secondary site
to download policy and upload data. This behavior avoids sending this data over a potentially slow network. If
the client roams into the boundary of another primary site, it still uses a management point in its assigned site
to download policy and upload data.
Clients that roam to other sites can always use management points in other sites for content location requests.
Management points in the current site can give clients a list of distribution points that have the requested
content.
When you configure clients for internet-only client management, they only communicate with management
points in their assigned site. These clients never communicate with management points in secondary sites or
with management points in other primary sites. This behavior is the same for macOS and on-premises MDM
devices that you enroll to Configuration Manager.
Next steps
How to monitor client deployment status
Monitor and manage clients
How to configure client status in Configuration
Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Before you can monitor Configuration Manager clients and remediate problems, configure the site's client status
settings. These settings specify the parameters that the site uses to mark clients as inactive. Also configure
options to alert you if client activity falls below a specified threshold.

Configure client status


1. In the Configuration Manager console, go to the Monitoring workspace, and select the Client Status
node. On the Home tab of the ribbon, in the Client Status group, select Client Status Settings.
2. Configure the following settings:

NOTE
If a client doesn't meet any of the settings, the site marks it as inactive.

Client policy requests during the following days: Specify the number of days since the client
requested policy from the site. The default value is 7 days.
Compare this value to the Client policy polling interval setting in the Client Policy group of
client settings. Its default is 60 minutes. In other words, a client should poll the site for policy every
hour. If it doesn't request policy after one week, the site marks it as inactive.
Heartbeat discovery during the following days: Specify the number of days since the client
sent a heartbeat discovery record to the site. The default value is 7 days.
Compare this value to the schedule for the Heartbeat discovery method. By default, the site runs
heartbeat discovery once a week.
Hardware inventory during the following days: Specify the number of days since the client
sent a hardware inventory record to the site. The default value is 7 days.
Compare this value to the Hardware inventory schedule setting in the Hardware Inventory
group of client settings. Its default is seven days.
Software inventory during the following days: Specify the number of days since the client
sent a software inventory record to the site. The default value is 7 days.
Compare this value to the Schedule software inventory and file collection setting in the
Software Inventory group of client settings. Its default is seven days.
Status messages during the following days: Specify the number of days since the client sent
any status messages to the site. The default value is 7 days. The client can send status messages
for different kinds of activities, such as running a task sequence. The site deletes old status
messages as part of the maintenance task, Delete Aged Status Messages.
3. Specify the following value to determine how long the site keeps client status history data:
Retain client status history for the following number of days: By default, the site keeps client
status information for 31 days. This setting doesn't have any impact on client or site behavior. It's
similar to a maintenance task for client status history.

Configure the schedule


1. In the Configuration Manager console, go to the Monitoring workspace, and select the Client Status
node. On the Home tab of the ribbon, in the Client Status group, select Schedule Client Status
Update.
2. Configure the interval at which you want client status to update.

NOTE
When you change the schedule for client status updates, it doesn't take effect until the next scheduled client
status update on the previous schedule.

Configure alerts
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Device Collections node.
2. Select the collection for which you want to configure alerts. On the Home tab of the ribbon, in the
Properties group, select Properties.

NOTE
You can't configure alerts for user collections.

3. Switch to the Alerts tab, and select Add.

TIP
You can only view the Alerts tab if your security role has permissions for alerts.

Choose the alerts that you want the site to generate for client status thresholds, and select OK.
4. In the Conditions list of the Alerts tab, select each client status alert, and then specify the following
information:
Alert Name: Accept the default name or enter a new name for the alert.
Alert Severity: Choose the alert level that the Configuration Manager console displays.
Raise alert: Specify the threshold percentage for the alert.

Automatic remediation exclusion


1. On the client computer where you want to disable automatic remediation, open the registry editor.
WARNING
If you use the registry editor incorrectly, you can cause serious problems that could require you to reinstall
Windows. Microsoft can't guarantee that you can solve problems that result from using the registry editor
incorrectly. Use it at your own risk.

2. Navigate to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval.
3. Change the value for the NotifyOnly entry:
TRUE: The client won't automatically remediate any problems that it finds. The site still notifies you
in the Monitoring workspace about any problems with this client.
FALSE: This setting is the default. The client automatically remediates problems when it finds
them, and the site notifies you in the Monitoring workspace.
When you install clients, you can exclude them from automatic remediation with the NotifyOnly installation
property. For more information, see About client installation properties.

Next steps
Monitor clients
How to monitor client deployment status in
Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Deploying clients across your site takes time and some installations are not successful the first time. The
Configuration Manager console provides a way to keep an eye on client deployments within a collection by
reporting client deployment status in real time.

NOTE
The best and most reliable way to monitor client deployment is with the Configuration Manager console (as described in
this article). The Client Status section of the Monitoring workspace in the console provides client deployment status
accurately and in real time. You can monitor client deployments with other tools, such as Server Manager in Windows
Server or System Center Operations Manager, but you may receive alarms from normal client installation activity. Because
of how the client installation program (CCMSetup.exe) runs in various environments, these other tools may generate false
alarms and warnings that do not accurately reflect the state of client deployments.

In the Monitoring workspace of the console, you can monitor the following statuses for client deployments
taking place within a collection that you specify:
Compliant
In progress
Not compliant
Failed
Unknown
Configuration Manager reports on deployments for production clients or pre-production clients. The
Configuration Manager console also provides a chart of failed client deployments over a specified period
of time to help you determine if the actions you take to troubleshoot deployments are improving the
deployment success rate over time.

To monitor client deployments


In the Configuration Manager console, click Monitoring > Client Status.
Click Production Client Deployment or Pre-production Client Deployment depending on the
version of client you want to monitor.
Review the charts of client deployment status and client deployment failure.
If you want to change the scope of the report, click Browse... and choose a different collection.
To learn more about pre-production client deployments, see How to test client upgrades in a pre-
production collection.
NOTE
The deployment status on computers hosting site system roles in a pre-production collection may be reported as
Not compliant even when the client was successfully deployed. When you promote the client to production, the
deployment status is reported correctly.

To monitor the status of deployed clients, see How to monitor clients


You can use Configuration Manager reports to find out more information about the status of clients in
your site. For more information about how to run reports, see Introduction to reporting.
Monitor and manage clients in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


After you install the client on devices in your organization, Configuration Manager provides several ways to
monitor and manage it. You can monitor clients to check their status, and Configuration Manager can
automatically fix some problems it detects. Use the Configuration Manager console to manage clients for
individual devices or device collections.
How to monitor clients
How to manage clients
Configure the content cache
Manage clients on the internet
Use collections
Co-management enables you to concurrently manage Windows devices by using both Configuration Manager
and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new
functionality. When you enable co-management, you can use Intune for additional client management actions.
For more information, see What is co-management?.
How to monitor clients in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Once you install the Configuration Manager client on the Windows devices in your site, monitor their health and
activity in the Configuration Manager console.

About client status


Configuration Manager provides the following types of information as client status:
Client online status: The site considers a device as online if it's connected to its assigned management
point. To indicate that the client is online, it sends ping-like messages to the management point. If the
management point doesn't receive a message in five minutes, the site considers the client as offline.

TIP
These messages use the client notification channel. For more information, see Ports used in Configuration
Manager.

Client activity: The site considers the client as active if it has communicated with Configuration
Manager in the past seven days. The site considers the client inactive if it hasn't done any of the following
actions in seven days:
Requested policy update
Sent a heartbeat message
Sent hardware inventory
Client check: The state of the periodic evaluation that the Configuration Manager client runs on the
device. The evaluation checks the device and can remediate some of the problems it finds. For more
information, see Client health checks.
Client check runs automatically during the Windows maintenance window.
You can configure remediation not to run on specific devices, for example, a business-critical server. For
more information, see How to configure client status.
If there are more items that you want to evaluate, use Configuration Manager compliance settings to
monitor other configurations. For more information about compliance settings, see Plan for and
configure compliance settings.
Decommissioned: The site has marked the device record for deletion. This behavior can happen when a
new registration for the same device assigns to the same or a different primary site in a hierarchy. The site
deletes these devices the next time it runs the site maintenance task Delete Aged Discovery Data.
Obsolete: The site has discovered a new device record with the same hardware ID, so it marks the old
record as obsolete. Reports don't count obsolete records of the same device multiple times. You can still
target policies to obsolete devices. If the site doesn't get a heartbeat for an obsolete record after 90 days
of inactivity, it removes the obsolete device when it runs the site maintenance task Delete Obsolete
Client Discovery Data.
TIP
The Power BI sample reports for Configuration Manager include a report called Client Status. This report can also help
with monitoring clients.

Monitor individual clients


1. In the Configuration Manager console, go to the Assets and Compliance workspace. Select either the
Devices node or choose a collection under Device Collections.
The icons at the beginning of each row indicate the online status of the device:

ICON | DESCRIPTION
(online icon) | Device is online.
(offline icon) | Device is offline.
(unknown icon) | Online status is unknown.
(no client icon) | Client isn't installed on the device.

2. For more detailed online status, add the client online status information to the device view. Right-click the
column header and select the online status fields you want to add:
Device Online Status: Indicates whether the client is currently online or offline. (This status is the
same information given by the icons.)
Last Online Time: Indicates when the client online status changed to online.
Last Offline Time: Indicates when the status changed to offline.
3. Select an individual client in the list pane to see more status in the detail pane. This information includes
client activity and client check status.

Monitor the status of all clients


1. In the Configuration Manager console, go to the Monitoring workspace, and select the Client Status
node. Review the overall statistics for client activity and client checks across the site. Change the scope of
the information by choosing a different collection.
2. To drill down into detail about the reported statistics, choose the name of the reported information. For
example, Active clients that have passed client check or no results. Then review the information
about the individual clients.
3. Select Client Activity to see charts showing the client activity in your Configuration Manager site.
4. Select Client Check to see charts showing the status of client checks in your Configuration Manager site.
Configure alerts to notify you when client check results or client activity drops below a specified
percentage. The site can also alert you when remediation fails on a specified percentage of clients. For
more information, see How to configure client status.
For more information on the client's regular checks to keep healthy, see Client health checks.

Next steps
Use the client health dashboard to view your client health, scenario health, and common errors. Filter the
view by several attributes to see any potential issues by OS and client versions. For more information, see Client
health dashboard.
For more information about the log files used by client deployment and management operations, see Log files.
Client health dashboard
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


You deploy software updates and other apps to help secure your environment, but these deployments only
reach healthy clients. Unhealthy Configuration Manager clients adversely affect overall compliance. Determining
client health can be challenging depending upon the denominator: how many total devices should be in your
scope of management? For example, if you discover all systems from Active Directory, even if some of those
records are for retired machines, this process increases your denominator.
Configuration Manager provides a dashboard with information about the health of clients in your environment.
View your client health, scenario health, and common errors. Filter the view by several attributes to see any
potential issues by OS and client versions.
By default, the client health dashboard shows online clients, and clients active in the past three days. So you may
see different numbers in this dashboard than in other historical sources of client health. For example, other
nodes under Client Status, or reports in the client status category.
In the Configuration Manager console, go to the Monitoring workspace. Expand Client status, and select the
Client health dashboard node.

NOTE
Configuration Manager version 2111 includes improvements to this dashboard. This article mainly focuses on the current
experience. For more information on the dashboard appearance and behavior in version 2107 and earlier, see Version
2107 and earlier.

To view this dashboard your account needs the Read Client Status Settings permission on the Site object.

Configure
There are two actions in the ribbon to configure client health and the dashboard:

Choose Default Collection: Set a persistent user preference for the collection to scope the dashboard.
When you set the collection on the Filter tile of the dashboard, that selection resets when you refresh the
dashboard.
Client Status Settings: Adjust the evaluation periods for scenario health. By default, if a client doesn't
send scenario-specific data in 7 days, Configuration Manager considers it unhealthy for that scenario.

TIP
You can also configure these settings from the ribbon of the Client Status node.
Scenario health isn't measured from your configuration of client settings. These values can vary based upon the
resultant set of policy per device.

Filters
The single Filter tile at the top of the dashboard lets you adjust the data that it displays. It includes the following
filters:
Include client health for offline clients: By default, the dashboard displays only online clients. This
state comes from the client notification channel that updates a client's status every five minutes. For more
information, see About client status.
Only show unhealthy client details: Scope the view to only devices that are reporting a client health
failure.

TIP
Combine this filter with the tiles for Client Versions and OS Versions. For more information, see Version tiles.

Clients active in last number of days: By default, the dashboard displays clients that are active in the
last three days.
Client health for clients in the following collections: By default, the dashboard displays devices in
the All Systems collection. Browse for a device collection to scope the view to a subset of devices in a
specific collection.

TIP
This filter is temporary. When you refresh the dashboard, it'll reset to the default. To change the collection scope
so it's persistent, use the Choose default collection action in the ribbon. For more information, see Configure
the dashboard.

Overall client health


This tile shows the percentage of all clients reporting healthy in your hierarchy. This percentage should be as
close to 100% as possible. It's on the top row, which makes it easier to see when you view the dashboard.
A healthy Configuration Manager client has the following properties:
Online
Actively sending data
Passes all client health evaluation checks
For more information, see About client status.
A healthy client successfully communicates with the site. It reports all data based on the defined schedules.
Select a segment of this chart to drill down to a device list view.

Clients with any failure

This tile shows the percentage of clients that report any health issue. This percentage should be as close to 0%
as possible.
Hover over the segment to see the number of devices that are unhealthy. Select it to drill down to a device list
view.

TIP
This tile replaces the Combined (All) and Combined (Any) scenarios from earlier versions.

Version tiles
(Chart tiles: Client Versions, OS Versions)

There are two tiles that show client health by Configuration Manager Client versions and OS versions. These
tiles are useful when you make changes to the filters, such as Failure only. They can help highlight whether any
issues are consistent across a specific version. Use this information to help you make upgrade decisions.
Select a segment of these charts to drill down to a device list view.
Select Show table to switch to a table view of the data. You can select and copy the data from the table. Select
Show chart to show the donut chart. The following example shows a chart of Configuration Manager client
versions:

Scenario health

This bar chart shows the overall health for the following core scenarios:
Client health evaluation (client policy)
Policy request
Software inventory
Hardware inventory
Heartbeat discovery
Status messaging operational (status messages)

Health trends by scenario

This tile shows the percentage of healthy clients for the selected scenario. To adjust the number of days the chart
displays, use the slider control at the top of the tile.

NOTE
The maximum value for the slider control is the same as the Retain client status history for the following number
of days setting in Client Status Settings. It's 31 days by default.
It's also limited by the amount of client health data in the site database. For example, if you configure it to display 31 days of
history but there are only three days of available data, the chart shows three days.

Top 10 client health failures

This chart lists the most common failures in your environment. These errors come from Windows or
Configuration Manager.
Select a row of this table to drill down to a device list view. This action lets you easily create a collection of
devices to target a remediation action or for more detailed reporting.

Version 2107 and earlier


NOTE
This section applies to version 2107 and earlier.

Filters in 2107 and earlier


At the top of the dashboard, there's a set of filters to adjust the data displayed in the dashboard.
Client health for clients in the following collections: By default, the dashboard displays devices in
the All Systems collection. Select a device collection to scope the view to a subset of devices in a specific
collection.
Client active in last number of days: By default, the dashboard displays clients that are active in the
last three days.
Include client health for offline clients: By default, the dashboard displays only online clients. This
state comes from the client notification channel that updates a client's status every five minutes. For more
information, see About client status.
Only show unhealthy client details: Scope the view to only devices that are reporting a client health
failure.

TIP
Use this filter along with the client version and OS version tiles. For more information, see Version tiles.

Overall client health in 2107 and earlier


This tile shows the overall client health in your hierarchy.
A healthy Configuration Manager client has the following properties:
Online
Actively sending data
Passes all client health evaluation checks
For more information, see About client status.
A healthy client successfully communicates with the site. It reports all data based on the defined schedules in
client settings.
Select a segment of this chart to drill down to a device list view.
Version tiles in 2107 and earlier
There are two tiles that show client health by Configuration Manager client version and OS version. These tiles
are useful when you make changes to the filters, such as Failure only. They can help highlight whether any
issues are consistent across a specific version. Use this information to help you make upgrade decisions.
Select a segment of these charts to drill down to a device list view.
Scenario health in 2107 and earlier
This bar chart shows the overall health for the following core scenarios:
Client policy
Heartbeat discovery
Hardware inventory
Software inventory
Status messages
Use the selectors to adjust the focus on specific scenarios in the chart.
The following two bars are always shown:
Combined (All): the combination of all scenarios (AND)
Combined (Any): at least one of the scenarios (OR)
Top 10 client health failures in 2107 and earlier
This chart lists the most common failures in your environment. These errors come from Windows or
Configuration Manager.

Next steps
For more information on the client's regular checks to keep healthy, see Client health checks.
Use the Surface device dashboard to see the use of Surface devices in your environment.
Client health checks
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


The Configuration Manager client regularly runs the checks and remediations to keep healthy. For more
information, see How to monitor clients.

Client checks
Verify that the client was installed correctly
If the client isn't correctly installed, start by troubleshooting client install. Review the ccmsetup.log. Often,
remediation requires that you reinstall the client.
Verify that client prerequisites are installed
Verify that the client prerequisites are installed. It reads the file ccmsetup.xml in the client installation folder to
discover the prerequisites. By default: C:\Windows\ccmsetup\ccmsetup.xml
Most client prerequisites are available by default in Windows, or installed automatically by the Configuration
Manager client. To remediate problems with prerequisites, you can try to install them manually, or reinstall the
client.
Verify the client service
There are three checks for the SMS Agent Host client service (CcmExec):
First, it verifies that the service exists. If it doesn't exist, you need to reinstall the client.
Next, it verifies that the service startup type is automatic. To remediate a failure with this check, reset the
service startup type to automatic. Check group policies to make sure something isn't automatically
configuring the service startup type.
Then it verifies that the client service is running. The remediation for this check is to start the client
service. Then monitor it to make sure it keeps running. Review Windows event logs to see if there are any
related activities that might be stopping the service. Review client logs to make sure it's not failing to
start.
Verify that client check has recently run
Verify that the client check scheduled task (CcmEval) has run at least one time in the past three days. You can
manually run the scheduled task. Make sure that Windows can run scheduled tasks.
Verify that the client database is healthy
The client uses Microsoft SQL Server Compact Edition (CE) to locally store information. If this check fails,
reinstall the Configuration Manager client to remediate.
Verify WMI
There are several checks specific to WMI. The first three checks are for the Windows Management
Instrumentation (WMI) service (Winmgmt).
Verify that the service exists. WMI is a fundamental component of Windows. If this service doesn't exist,
you may need to reinstall Windows.
Verify that the service startup type is automatic. To remediate a failure with this check, reset the service
startup type to automatic. Check group policies to make sure something isn't automatically configuring
the service startup type.
Verify that the service is running. The remediation for this check is to start the WMI service. Then monitor
it to make sure it keeps running. Review Windows event logs to see if there are any related activities that
might be stopping the service.
There are two other checks to test the overall health of WMI on the device:
The WMI repository integrity test checks that Configuration Manager client entries exist in WMI. If this
check fails, reinstall the Configuration Manager client.
The WMI event sink test checks whether the Configuration Manager-related WMI event sink is lost. If this
check fails, restart the client service.
Verify the antimalware service
There are two checks for whatever antimalware service is registered with Windows:
Verify that the antimalware service startup type is automatic. To remediate a failure with this check, reset
the service startup type to automatic. Check group policies to make sure something isn't automatically
configuring the service startup type.
Verify that the antimalware service is running. The remediation for this check is to start the antimalware
service. Then monitor it to make sure it keeps running. Review Windows event logs to see if there are any
related activities that might be stopping the service.
If you're using Windows Defender, the Configuration Manager client also verifies the Windows Defender
Antivirus Network Inspection Service (WdNisSvc). It checks to make sure the service startup type is manual.
Verify Windows Update service
This check verifies that the Windows Update service (wuauserv) startup type is automatic or manual. To
remediate a failure with this check, reset the service startup type to automatic. Check group policies to make
sure something isn't automatically configuring the service startup type.
Verify the policy platform
There are three checks for the Microsoft Policy Platform service (lppsvc):
Verify that the service exists. The policy platform is one of the prerequisite components that the
Configuration Manager client automatically installs. If this service doesn't exist, reinstall the Configuration
Manager client.
Verify that the service startup type is manual. To remediate a failure with this check, reset the service
startup type to manual. Check group policies to make sure something isn't automatically configuring the
service startup type.
Policy platform WMI integrity test. Repair the policy platform.
Verify BITS service
There are two checks for the Background Intelligent Transfer Service (BITS):
Verify that the service exists. BITS is a fundamental component of Windows. If this service doesn't exist,
you may need to reinstall Windows.
Verify that the service startup type is automatic or manual. To remediate a failure with this check, reset
the service startup type to automatic. Check group policies to make sure something isn't automatically
configuring the service startup type.
Verify remote control
If you enable the remote control agent in client settings, there are two checks for the Configuration Manager
Remote Control service (CmRcService):
Verify that the service type is automatic or manual. To remediate a failure with this check, reset the
service startup type to automatic. Check group policies to make sure something isn't automatically
configuring the service startup type.
Verify that the service is running. The remediation for this check is to start the remote control service.
Then monitor it to make sure it keeps running. Review Windows event logs to see if there are any related
activities that might be stopping the service.
Verify wake-up proxy
If you enable the wake-up proxy in client settings, there are two checks for the Configuration Manager
Wake-up Proxy service:
Verify that the service startup type is automatic. To remediate a failure with this check, reset the service
startup type to automatic. Check group policies to make sure something isn't automatically configuring
the service startup type.
Verify that the service is running. The remediation for this check is to start the wake-up proxy service.
Then monitor it to make sure it keeps running. Review Windows event logs to see if there are any related
activities that might be stopping the service.
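The service, scheduled-task, prerequisite and WMI checks listed above can be reproduced on a single device before you decide on a remediation. The following PowerShell script is an added example, not code from the Configuration Manager documentation or product: it is a read-only audit that reports each check as pass or fail. It assumes an elevated session on a Windows device with the client installed at the default path, and it assumes the CcmEval scheduled task is named "Configuration Manager Health Evaluation" under the "\Microsoft\Configuration Manager\" task folder (verify that name in Task Scheduler on your build). Service names are the ones the article lists; the wake-up proxy and generic antimalware checks are omitted because the page gives no service name for them.

```powershell
# Added example (not from the Configuration Manager docs): read-only audit of the
# client health checks described in "Client checks". Nothing here changes state.
# Assumptions: elevated PowerShell, default client install path, CcmEval task name below.

function Test-ClientService {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Win32_Service.StartMode values the check accepts, e.g. 'Auto' or 'Auto','Manual'
        [Parameter(Mandatory)][string[]]$ExpectedStartMode,
        [switch]$MustBeRunning,
        # Optional services only exist when a feature is enabled (remote control, Defender NIS);
        # a missing optional service is reported as skipped rather than failed.
        [switch]$Optional
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Check  = "$Name service exists"
            Passed = [bool]$Optional
            Detail = $(if ($Optional) { 'not installed, feature disabled (skipped)' } else { 'service missing' })
        }
    }
    $results = @(
        [pscustomobject]@{ Check = "$Name service exists"; Passed = $true; Detail = $svc.DisplayName }
        [pscustomobject]@{
            Check  = "$Name startup type"
            Passed = ($svc.StartMode -in $ExpectedStartMode)
            Detail = "StartMode=$($svc.StartMode), expected $($ExpectedStartMode -join '/')"
        }
    )
    if ($MustBeRunning) {
        $results += [pscustomobject]@{
            Check  = "$Name running"
            Passed = ($svc.State -eq 'Running')
            Detail = "State=$($svc.State)"
        }
    }
    return $results
}

function Test-CcmEvalRecentlyRan {
    param([int]$MaxAgeDays = 3)   # the article's threshold: at least one run in the past three days
    # Task path and name are an assumption; confirm them in Task Scheduler.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Configuration Manager\' `
        -TaskName 'Configuration Manager Health Evaluation' -ErrorAction SilentlyContinue
    if (-not $task) {
        return [pscustomobject]@{ Check = 'CcmEval task exists'; Passed = $false; Detail = 'scheduled task not found' }
    }
    $lastRun = ($task | Get-ScheduledTaskInfo).LastRunTime
    [pscustomobject]@{
        Check  = "CcmEval ran in last $MaxAgeDays days"
        Passed = ($lastRun -gt (Get-Date).AddDays(-$MaxAgeDays))
        Detail = "LastRunTime=$lastRun"
    }
}

function Test-ClientPrerequisiteManifest {
    # The client reads ccmsetup.xml to discover its prerequisites; default path per the article.
    $path = Join-Path $env:windir 'ccmsetup\ccmsetup.xml'
    [pscustomobject]@{ Check = 'ccmsetup.xml present'; Passed = (Test-Path -Path $path); Detail = $path }
}

function Test-ClientWmiRepository {
    # The repository integrity check expects client entries in WMI; root\ccm\SMS_Client is one of them.
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Client entries exist in WMI (root\ccm\SMS_Client)'
        Passed = [bool]$client
        Detail = $(if ($client) { "ClientVersion=$($client.ClientVersion)" } else { 'class not found' })
    }
}

function Invoke-ClientHealthAudit {
    $results = @()
    $results += Test-ClientPrerequisiteManifest
    $results += Test-ClientService -Name CcmExec  -ExpectedStartMode Auto -MustBeRunning   # SMS Agent Host
    $results += Test-CcmEvalRecentlyRan
    $results += Test-ClientService -Name Winmgmt  -ExpectedStartMode Auto -MustBeRunning   # WMI service
    $results += Test-ClientWmiRepository
    $results += Test-ClientService -Name wuauserv -ExpectedStartMode Auto, Manual          # Windows Update
    $results += Test-ClientService -Name BITS     -ExpectedStartMode Auto, Manual          # BITS
    $results += Test-ClientService -Name lppsvc   -ExpectedStartMode Manual                # Policy Platform
    $results += Test-ClientService -Name WdNisSvc -ExpectedStartMode Manual -Optional      # Defender NIS
    $results += Test-ClientService -Name CmRcService -ExpectedStartMode Auto, Manual -MustBeRunning -Optional
    return $results
}

Invoke-ClientHealthAudit | Format-Table -Property Check, Passed, Detail -AutoSize
```

A failing startup-type row points at the group policy check the article recommends; a stale CcmEval run is the most commonly reported failure, so check that row first.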

Most common check failures


The following checks have the most commonly reported failures. The numbers are included to provide scale
between the checks.
Verify CcmEval task has run in recent cycles (4,950)
Verify client prerequisites (554)
Verify Windows Update service startup type (399)
Verify Configuration Manager Remote Control service status (345)
Verify Configuration Manager Remote Control service startup type (294)
Verify SMS Agent Host service status (249)
Verify SQL Server CE database is healthy (157)
Verify client WMI Provider (131)
Verify client installation (120)
WMI event sink test (93)

Next steps
Client health dashboard
How to configure client status
How to deploy clients to Windows computers
Configuration Manager troubleshooting
Surface device dashboard in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The Surface device dashboard gives you information about Surface devices found in your environment at a
single glance.

How to open
To open the Surface device dashboard, use the following steps:
1. Open the Configuration Manager console.
2. Select the Monitoring workspace.
3. To load the dashboard, select the Surface Devices node.

Review information
The Surface device dashboard shows three graphs:
Percent of Surface devices : The percentage of Surface devices throughout your environment.
Surface Models : The number of devices per Surface model. Hover over a graph section to see the
percentage of Surface devices for that model.

Select a graph section to go through to a device list for that model.

Top five firmware versions : The top five firmware models in your environment. Hover over a graph
section to see the number of Surface devices with that firmware version. Select a graph section to go
through to a device list.
Next steps
You can use Configuration Manager to deploy Surface firmware updates. For more information, see Managing
Surface driver updates.
For more information about Surface devices, see the Surface website.
How to manage clients in Configuration Manager
2/16/2022 • 14 minutes to read

Applies to: Configuration Manager (current branch)


When the Configuration Manager client installs on a device and successfully assigns to a site, you see the device
in the Assets and Compliance workspace in the Devices node, and in one or more collections in the Device
Collections node. Select the device or a collection, and then run management operations. However, there are
other ways to manage the client, which might involve other workspaces in the console, or tasks outside of the
console.

NOTE
If you install the Configuration Manager client, but it hasn't yet successfully assigned to a site, it might not display in the
console. After the client assigns to a site, update collection membership, and then refresh the console view.
A device can also display in the console when the Configuration Manager client isn't installed. This behavior happens if the
site discovers a device but the client isn't installed and assigned.
Mobile devices managed with the Exchange Server connector or on-premises MDM don't install the Configuration
Manager client.
To manage a device from the console, use the Client column in the Devices node to determine whether the client is
installed.

Manage clients from the Devices node


Depending on the device type, some of these options might not be available.
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Devices node.
2. Select one or more devices, and then select one of these client management tasks from the ribbon. You
can also right-click the device.
Import user device affinity
Configure the associations between users and devices, so you can efficiently deploy software to users.
For more information, see Link users and devices with user device affinity.
Import computer information
Launch the Import Computer Information Wizard to import new computer information into the
Configuration Manager database. You can import multiple computers using a file, or specify information for a
single computer.
Add selected items
Provides the following options:
Add selected items to existing device collection: Opens the Select Collection dialog box. Select
the collection to which you want to add this device. The device is included in this collection by using a
Direct membership rule.
Add selected items to new device collection: Opens the Create Device Collection Wizard where
you can create a new collection. The selected device is included in this collection by using a Direct
membership rule.
For more information, see How to create collections.
Install client
Opens the Install Client Wizard. This wizard uses client push installation to install or reinstall the
Configuration Manager client on the selected device.

TIP
There are many different ways to install the Configuration Manager client. Although the Client Push wizard offers a
convenient client installation method from the console, this method has many dependencies and isn't suitable for all
environments. For more information about the dependencies, see Prerequisites for deploying clients to Windows
computers. For more information about the other client installation methods, see Client installation methods.

For more information, see How to install Configuration Manager clients by using client push.
Run script
Opens the Run Script wizard to run a PowerShell script on the selected device.
For more information, see Create and run PowerShell scripts.
Install application
Install an application to a device in real time. This feature can help reduce the need for separate collections for
every application.
Starting in version 2111, select the Install Application Group action for an app group.
For more information, see Install applications for a device.
Reassign site
Reassign one or more clients, including managed mobile devices, to another primary site in the hierarchy. You
can individually reassign clients or select more than one to reassign them in bulk.
Client settings - Resultant client settings
When you deploy multiple client settings to the same device, the prioritization and combination of settings is
complex. Use this option to view the resultant set of client settings deployed to this device.
For more information, see How to configure client settings.
Start
Run Resource Explorer to see the hardware and software inventory information from a Windows client.
For more information, see the following articles:
How to use Resource Explorer to view hardware inventory
How to use Resource Explorer to view software inventory
Remotely administer the device by using Remote Control, Remote Assistance, or Remote Desktop
Client. For more information, see How to remotely administer a Windows client computer.
Approve
When the client communicates with site systems using HTTP and a self-signed certificate, you must approve
these clients to identify them as trusted computers. By default, the site configuration automatically approves
clients from the same Active Directory forest, trusted forests, and connected Azure Active Directory (Azure AD)
tenants. This default behavior means that you don't have to manually approve each client. Manually approve
workgroup computers or clients from an untrusted forest that you trust, and any other unapproved computers
that you trust.

IMPORTANT
Although some management functions might work for unapproved clients, this is an unsupported scenario for
Configuration Manager.

You don't have to approve clients that always communicate to site systems using HTTPS, or clients that use a PKI
certificate when they communicate to site systems using HTTP. These clients establish trust by using the PKI
certificates.
Block or unblock
Block a client that you no longer trust. Blocking prevents the client from receiving policy, and prevents site
systems from communicating with the client.

IMPORTANT
Blocking a client only prevents communication from the client to Configuration Manager site systems. It doesn't prevent
communication to other devices. When the client communicates to site systems by using HTTP instead of HTTPS, there
are some security limitations.

You can also unblock a client that is blocked.


For more information, see Determine whether to block clients.
Clear required PXE deployments
You can redeploy a required PXE deployment by clearing the status of the last PXE deployment assigned to a
Configuration Manager collection or a computer. This action resets the status of that deployment and reinstalls
the most recent required deployments.
For more information, see Use PXE to deploy Windows over the network.
Client notification
For more information, see Client notifications.
Endpoint Protection
For more information, see Client notifications.
Edit primary users
View users of this device in the last 90 days, or specify the primary users of this device.
For more information, see Link users and devices with user device affinity.
Wipe a mobile device
You can wipe mobile devices that support the wipe command. This action permanently removes all data on the
mobile device, including personal settings and personal data. Typically, this action resets the mobile device back
to factory defaults. Wipe a mobile device when it's no longer trusted. For example, if the device is lost or stolen.

TIP
Check the manufacturer's documentation for more information about how the mobile device processes a remote wipe
command.

There's often a delay until the mobile device receives the wipe command:
If the mobile device is enrolled by Configuration Manager, the client receives the command when it
downloads its client policy.
If the mobile device is managed by the Exchange Server connector, it receives the command when it
synchronizes with Exchange.
To monitor when the device receives the wipe command, use the Wipe Status column. Until the device sends a
wipe acknowledgment to Configuration Manager, you can cancel the wipe command.
Retire a mobile device
The Retire option is supported only by mobile devices enrolled by on-premises MDM.
For more information, see Help protect your data with remote wipe, remote lock, or passcode reset.
Change ownership
If a device isn't domain-joined and doesn't have the Configuration Manager client installed, use this option to
change the ownership to Company or Personal.
You can use this value in application requirements to control deployments, and to control how much inventory
is collected from users' devices.
You may need to add the Device Owner column to the view by right-clicking any column heading and
choosing it.
Delete

WARNING
Don't delete a client if you want to uninstall the Configuration Manager client or remove it from a collection.

The Delete action manually removes the client record from the Configuration Manager database. Only use this
action to troubleshoot a problem. If you delete the object, but the client is still installed and communicating with
the site, Heartbeat Discovery recreates the client record. It reappears in the Configuration Manager console,
although the client history and any previous associations are lost.

NOTE
When you delete a mobile device client that was enrolled by Configuration Manager, this action also revokes the issued
PKI certificate. This certificate is then rejected by the management point, even if IIS doesn't check the certificate revocation
list (CRL).
Certificates on mobile device legacy clients are not revoked when you delete these clients.

To uninstall the client, see Uninstall the Configuration Manager client.


To assign the client to a new primary site, see How to assign clients to a site.
To remove the client from a collection, reconfigure the collection properties. For more information, see How to
manage collections.
Refresh
Refresh the console view with the latest data in the database. For example, if a device appears in the list from
discovery, but doesn't show as installed. After you install the client and make sure it's assigned to the site, select
Refresh.
Properties
View the discovery data and deployments targeted for the client.
Switch to the Variables tab to configure variables that task sequences use to deploy an OS to the device. For
more information, see Create task sequence variables for devices and collections.
Starting in version 2111, switch to the Custom properties tab to manually set custom properties on the
device for reporting or to create collections. For more information, see Custom properties for devices.

Manage clients from the Device Collections node


Many of the tasks that are available for devices in the Devices node are also available on collections. The
console automatically applies the operation to all eligible devices in the collection. This action on an entire
collection generates more network packets and increases CPU usage on the site server.
Consider the following questions before you run collection-level tasks. Once started, you can't stop the task
from the console.
How many devices are in the collection?
Are the devices connected by low-bandwidth network connections?
How much time does this task need to complete for all the devices?
For more information, see How to manage collections.

Restart clients
Use the Configuration Manager console to identify clients that require a restart. Then use a client notification
action to restart them.

TIP
Enable automatic client upgrade to keep your clients up-to-date with less effort. For more information, see About
automatic client upgrade.

To identify devices that are pending a restart, go to the Assets and Compliance workspace in the
Configuration Manager console and select the Devices node. Then view the status for each device in the details
pane in a new column named Pending Restart. Each device has one or more of the following values:
No: there's no pending restart
Configuration Manager: this value comes from the client reboot coordinator component (RebootCoordinator.log)
File rename: this value comes from Windows reporting a pending file rename operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations)
Windows Update: this value comes from the Windows Update Agent reporting that a pending restart is required for one or more updates (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired)
Add or remove feature: this value comes from Windows component-based servicing reporting that the addition or removal of a Windows feature requires a restart (HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending)
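The same four sources can be evaluated locally on a client, which is useful when the console value looks stale. The following PowerShell is an added example, not code from the Configuration Manager documentation; it reads the three registry locations listed above and, for the Configuration Manager value, asks the client's reboot coordinator through the client SDK WMI class (namespace, class and method name are assumed to be present wherever the client is installed).

```powershell
# Added example (not from the Configuration Manager docs): report which pending-restart
# sources the console's Pending Restart column is built from, evaluated on the local client.
function Get-PendingRestartReason {
    [CmdletBinding()]
    param()

    $reasons = [System.Collections.Generic.List[string]]::new()

    # "File rename": Windows has queued file rename/delete operations for the next boot.
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pfro = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro -and $pfro.Count -gt 0) { $reasons.Add('File rename') }

    # "Windows Update": the Windows Update Agent signals a reboot by creating this key.
    $wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $wuKey) { $reasons.Add('Windows Update') }

    # "Add or remove feature": component-based servicing signals a reboot by creating this key.
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbsKey) { $reasons.Add('Add or remove feature') }

    # "Configuration Manager": ask the client's reboot coordinator directly (client SDK;
    # assumed present on any device with the client installed, skipped otherwise).
    try {
        $cm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
                -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        if ($cm.RebootPending -or $cm.IsHardRebootPending) { $reasons.Add('Configuration Manager') }
    } catch {
        Write-Verbose "Configuration Manager client SDK not available: $($_.Exception.Message)"
    }

    # Mirror the console: "No" when nothing is pending, otherwise one or more source names.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PendingRestart = ($reasons.Count -gt 0)
        Reasons        = if ($reasons.Count -gt 0) { $reasons.ToArray() } else { @('No') }
    }
}

Get-PendingRestartReason -Verbose
```

Run it in an elevated session; reading PendingFileRenameOperations and the servicing keys can fail silently for a standard user, which would under-report.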

Create the client notification to restart a device


1. Select the device you want to restart within a collection in the Device Collections node of the console.
2. In the ribbon, select Client Notification, and then select Restart. An information window opens about the
restart. Select OK to confirm the restart request.
When the notification is received by a client, a Software Center notification window opens to inform the user
about the restart. By default, the restart occurs after 90 minutes. You can modify the restart time by configuring
client settings. Settings for the restart behavior are found on the Computer restart tab of the default settings.

Configure the client content cache


The client cache stores temporary files for when clients install applications and programs. Software updates also
use the client cache, but always attempt to download to the cache regardless of the cache size setting. Configure the cache
settings, such as size and location, when you manually install the client, when you use client push installation, or
after installation.
For more information, see Configure the client content cache.

Uninstall the client


You can uninstall the Configuration Manager client software from a computer by using CCMSetup.exe with the
/Uninstall property. Run CCMSetup.exe on an individual computer from the command prompt, or deploy a
package to uninstall the client for a collection of computers.

NOTE
You can't uninstall the Configuration Manager client from a mobile device. If you must remove the Configuration Manager
client from a mobile device, you must wipe the device, which deletes all data on the mobile device.

1. Open a Windows command prompt as an administrator. Change the folder to the location in which
CCMSetup.exe is located, for example: cd %windir%\ccmsetup
2. Run the following command: CCMSetup.exe /uninstall

TIP
The uninstall process displays no results on the screen. To verify that the client successfully uninstalls, see the following log
file: %windir%\ccmsetup\logs\CCMSetup.log
If you need to wait for the uninstall process to complete before doing something else, run Wait-Process CCMSetup in
PowerShell. This command can pause a script until the CCMSetup process completes.

Starting in version 2111, when you uninstall the client it also removes the client bootstrap, ccmsetup.msi, if it
exists.

Manage conflicting records


Configuration Manager uses the hardware identifier to attempt to identify clients that might be duplicates and
alert you to the conflicting records. For example, if you reinstall a computer, the hardware identifier would be the
same but the GUID used by Configuration Manager might be changed.
Configuration Manager automatically resolves conflicts by using Windows authentication of the computer
account or a PKI certificate from a trusted source. When Configuration Manager can't resolve the conflict of
duplicate hardware identifiers, a hierarchy setting determines the behavior.
Change the hierarchy setting for managing conflicting records
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. In the ribbon, select Hierarchy Settings .
3. Switch to the Client Approval and Conflicting Records tab, and select one of the following options:
Automatically resolve conflicting records
Manually resolve conflicting records
Manually resolve conflicting records
1. In the Configuration Manager console, go to the Monitoring workspace, expand System Status , and
select the Conflicting Records node.
2. Select one or more conflicting records, and then choose Conflicting Record .
3. Select one of the following options:
Merge : Combine the newly detected record with the existing client record.
New : Create a new record for the conflicting client record.
Block : Create a new record for the conflicting client record, but mark it as blocked.

Manage duplicate hardware identifiers


You can provide a list of hardware identifiers that Configuration Manager ignores for PXE boot and client
registration. This list helps to address two common issues:
1. Many new devices don't include an onboard Ethernet port. Technicians use a USB-to-Ethernet adapter to
establish a wired connection for purposes of OS deployment. These adapters are often shared because of
cost and general usability. The site uses the MAC address of this adapter to identify the device. So reusing
the adapter becomes problematic without other administrator actions between each deployment. To
reuse the adapter in this scenario, exclude its MAC address.
2. While the SMBIOS attribute should be unique, some specialty hardware devices have duplicate identifiers.
Exclude this duplicate identifier and rely on the unique MAC address of each device.
Use the following process to add hardware identifiers for Configuration Manager to ignore:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. On the Home tab of the ribbon, in the Sites group, choose Hierarchy Settings .
3. Switch to the Client Approval and Conflicting Records tab. To add new hardware identifiers, choose
Add in the Duplicate hardware identifiers section.
PowerShell for duplicate hardware IDs
You can use the following PowerShell cmdlets to automate the management of duplicate hardware identifiers:
Get-CMDuplicateHardwareIdGuid
New-CMDuplicateHardwareIdGuid
Remove-CMDuplicateHardwareIdGuid
Get-CMDuplicateHardwareIdMacAddress
New-CMDuplicateHardwareIdMacAddress
Remove-CMDuplicateHardwareIdMacAddress
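The shared USB-to-Ethernet adapter case above lends itself to automation. The following PowerShell is an added example, not code from the Configuration Manager documentation: it normalizes a list of adapter MAC addresses and excludes any that are not already on the list, so it can be re-run safely. It assumes the console is installed on the machine running it (so SMS_ADMIN_UI_PATH is set), that the returned exclusion objects expose a MacAddress property, and that the cmdlets expect colon-separated MACs; the site code and MAC addresses are constructed placeholders.

```powershell
# Added example (not from the Configuration Manager docs): exclude shared adapter MACs
# from PXE boot and client registration, skipping ones that are already excluded.
$SiteCode = 'PS1'   # constructed placeholder: replace with your site code
$SharedAdapterMacs = @(   # constructed placeholders in the three notations technicians commonly paste
    '00-11-22-33-44-55',
    '0011.2233.4466',
    '00:11:22:33:44:77'
)

function ConvertTo-CMMacAddress {
    # Normalize dash, dot and colon notations to AA:BB:CC:DD:EE:FF, which is assumed to be
    # the form the duplicate-hardware-ID cmdlets expect.
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    # Insert a colon after every octet except the last one.
    return ($hex -replace '(..)(?!$)', '$1:')
}

function Add-SharedAdapterExclusion {
    param(
        [Parameter(Mandatory)][string[]]$MacAddresses,
        [Parameter(Mandatory)][string]$SiteCode
    )
    # Load the ConfigurationManager module shipped with the console and enter the site drive.
    $modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    Import-Module $modulePath -ErrorAction Stop
    Push-Location "$($SiteCode):\"
    try {
        # Existing exclusions; the MacAddress property name is an assumption.
        $existing = @(Get-CMDuplicateHardwareIdMacAddress | ForEach-Object { $_.MacAddress })
        foreach ($raw in $MacAddresses) {
            $mac = ConvertTo-CMMacAddress -Mac $raw
            if ($existing -contains $mac) {
                Write-Host "Already excluded: $mac"
                continue
            }
            New-CMDuplicateHardwareIdMacAddress -MacAddress $mac | Out-Null
            Write-Host "Excluded: $mac"
        }
    } finally {
        Pop-Location
    }
}

Add-SharedAdapterExclusion -MacAddresses $SharedAdapterMacs -SiteCode $SiteCode
```

Keep the excluded MACs to the shared adapters only; a MAC on this list can no longer identify a device on its own, so the site falls back to the SMBIOS identifier for those registrations.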

Start policy retrieval


A Configuration Manager client downloads its client policy on a schedule that you configure as a client setting.
You can also start on-demand policy retrieval from the client, for example for troubleshooting or testing. Use
one of the following methods:
Client notification
The client control panel
Support Center
A script
Start client policy retrieval with client notification
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select
Devices .
2. Select the device for which you want to download policy. On the Home tab of the ribbon, in the Device group,
select Client Notification , and then choose Download Computer Policy .

NOTE
You can also use client notification to start policy retrieval for all devices in a collection.

Start client policy retrieval from the Configuration Manager client control panel
1. Open the Configuration Manager control panel on the computer.
2. Switch to the Actions tab. Select Machine Policy Retrieval & Evaluation Cycle to start the computer
policy, and then select Run Now .
3. Select OK to confirm the prompt.
4. Repeat the previous steps for any other actions. For example, User Policy Retrieval & Evaluation
Cycle for user client settings.
Start client policy retrieval with Support Center Client Tools
Use Support Center Client Tools to request and view client policy. For more information, see Support Center
reference.
Start client policy retrieval by script
1. Open a script editor, such as Notepad or Windows PowerShell ISE.
2. Copy and insert the following sample PowerShell code into the file:

# Schedule ID of the Machine Policy Retrieval & Evaluation Cycle (see Message IDs for the others)
$trigger = "{00000000-0000-0000-0000-000000000021}"
# Ask the local client (SMS_Client class in the root\ccm namespace) to run that schedule now
Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule $trigger

TIP
For more information about the schedule IDs, see Message IDs.

3. Save the file with a .ps1 extension.


4. Run the script on the client.

Next steps
Configure the content cache for clients
Client notification
Configure the content cache for Configuration
Manager clients
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


The client cache stores temporary files for when clients install applications and programs. Software updates also
use the client cache, but always attempt to download to the cache regardless of the size setting. Configure the
cache settings, such as size and location, when you manually install the client, when you use client push
installation, or after installation.
You can specify the cache folder size using client settings in the Configuration Manager console. For more
information, see Client cache settings.
The default location for the Configuration Manager client cache is %windir%\ccmcache and the default disk space
is 5120 MB.

IMPORTANT
Don't encrypt the folder used for the client cache. Configuration Manager can't download content to an encrypted folder.

About
The Configuration Manager client downloads the content for required software soon after the deployment's
available time but waits to run it until the deployment's scheduled time. At the scheduled time, the Configuration
Manager client checks to see whether the content is available in the cache. If content is in the cache and it's the
correct version, the client uses the cached content. When the required version of the content changes, or if the
client deletes the content to make room for another package, the client downloads the content to the cache
again.
If the client attempts to download content for a program or application that's greater than the size of the cache,
the deployment fails because of insufficient cache size. The client generates status message 10050 for
insufficient cache size. If you increase the cache size later, the result is:
For a required program: The client doesn't automatically retry to download the content. Redeploy the
package and program to the client.
For a required application: The client automatically retries to download the content when it downloads its
client policy.
If the client attempts to download content that's less than the size of the cache, but the cache is full, all required
deployments keep retrying until:
The cache space is available
The download times out
The retry count reaches its limit
If you later increase the cache size, the client attempts to download the content again during the next retry
interval. The client tries to download the content every four hours until it tries 18 times.
Cached content isn't automatically deleted and is only removed if new content requires its disk space. It remains
in the cache for the configured number of minutes after the client uses that content. If you configure the content
with the option to persist content in the client cache, the client doesn't automatically delete it. If the cache space
is used by content that was downloaded within the configured number of minutes, and the client must
download new content, either increase the cache size or choose the option to delete persisted cache content. For
more information, see About client settings.

IMPORTANT
Don't manually delete files from the client cache folder using Windows Explorer or the command line. This action can
cause issues with the Configuration Manager client. The client manages the cache and tracks the content apart from the
file system. Always use a supported method to delete files in the cache.

For applications only, if the content for a related deployment currently exists in the cache, then the client
downloads only new or changed files. Related deployments include those deployments for older revisions of the
same deployment type and superseded applications.

Configure
Use the following procedures to configure the client cache during manual client installation or after you install
the client.
Configure the cache during manual client installation
Run the CCMSetup.exe command from the install source location and specify the following properties that you
require, separated by spaces:
DISABLECACHEOPT
SMSCACHEDIR
SMSCACHEFLAGS

NOTE
Use the cache size settings available in Client Settings in the Configuration Manager console instead of SMSCACHESIZE.
For more information, see Client cache settings.

For more information about how to use these command-line properties for CCMSetup.exe, see About client
installation properties.
Configure the cache during client push installation
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node.
2. Select the appropriate site. On the Home tab of the ribbon, in the Settings group, select Client
Installation Settings, and choose Client Push Installation. Switch to the Installation Properties
tab.
3. Specify the following properties, separated by spaces:
DISABLECACHEOPT
SMSCACHEDIR
SMSCACHEFLAGS
NOTE
Use the cache size settings available in Client Settings in the Configuration Manager console instead of
SMSCACHESIZE. For more information, see Client cache settings.

For more information about how to use these command-line properties for CCMSetup.exe, see About client
installation properties.
Configure the cache on the client computer
1. On the client computer, open the Configuration Manager control panel.
2. Switch to the Cache tab. Set the space and location properties. The default location is %windir%\ccmcache.
3. To delete the files in the cache folder, choose Delete Files .

IMPORTANT
Don't manually delete files from the ccmcache folder using Windows Explorer or the command line. This action can
cause issues with the Configuration Manager client. The client manages the cache and tracks the content apart
from the file system. Always use a supported method to delete files in the cache. For example, the Delete Files
option on the control panel.

Configure client cache size in Client Settings


Adjust the size of the client cache without having to reinstall the client. Use the cache size settings available in
Client Settings in the Configuration Manager console. For more information, see Client cache settings.

Next steps
Client notification
Client notification in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


To take immediate action on remote clients, send a client notification action from the Configuration Manager
console. Start these actions on an individual device or on a collection of devices.

Actions
The following actions are on the ribbon in the Device or Collection group of the Home tab.
Install client
Opens the Install Client Wizard . This wizard uses client push installation to install a Configuration Manager
client. For more information, see Client push installation.
Permissions - Install client
This action requires the Modify Resource and Read permissions on the Collection object.
The following built-in roles have these permissions by default:
Application Administrator
Full Administrator
Infrastructure Administrator
Operations Administrator
OS Deployment Manager
Add these permissions to any custom roles that need to push the client.
Run script
Opens the Run Script wizard to run a PowerShell script on all of the clients in the collection. For more
information, see Create and run PowerShell scripts.
Permissions - Run script
This action requires the Run Script permission on the Collection object.
The following built-in roles have this permission by default:
Full Administrator
Infrastructure Administrator
Operations Administrator
Add this permission to any custom roles that need to run scripts.
Start CMPivot
Starts CMPivot , which runs real-time queries against the targeted devices. For more information, see CMPivot.
Permissions - Start CMPivot
This action requires the Run CMPivot permission on the Collection object.

Client notification
These actions are under the Client notification menu, on the ribbon in the Device or Collection group of the
Home tab.
You can start a Client Notification from the Devices node or within a collection membership view.
Permissions - Client notification
Client notification actions require the Notify Resource permission on the Collection object. This permission
applies to all actions under the Client notification menu.
The following built-in roles have this permission by default:
Full Administrator
Operations Administrator
Add this permission to any custom roles that need to use client notification actions.
Download computer policy
Refresh the device policy. For more information, see Initiate policy retrieval for a Configuration Manager client.
Download user policy
Refresh the user policy.
Collect discovery data
Trigger clients to send a discovery data record (DDR). For more information, see Heartbeat discovery.
Collect software inventory
Trigger clients to run a software inventory cycle. For more information, see Introduction to software inventory.
Collect hardware inventory
Trigger clients to run a hardware inventory cycle. For more information, see Introduction to hardware inventory.
Evaluate application deployments
Trigger clients to run an application deployment evaluation cycle. For more information, see Schedule re-
evaluation for deployments.
Evaluate software update deployments
Trigger clients to run a software updates deployment evaluation cycle. For more information, see Introduction to
software updates.
Switch to the next software update point
Trigger clients to switch to the next available software update point. For more information, see Software update
point switching.
Evaluate device health attestation
Trigger Windows 10 or later clients to check and send their latest device health state. For more information, see
Health attestation.
Check conditional access compliance
Trigger clients to check compliance for conditional access policies. For more information, see Conditional access.
Wake Up
Trigger devices configured to support Wake-on-LAN to wake up using other devices on the same subnet to send
the Wake-on-LAN package. For more information, see How to configure Wake on LAN.
Restart
Trigger the selected devices to restart. For more information, see Restart clients.

Client diagnostics
Use the following actions to help troubleshoot clients:
Enable verbose logging : Change the global log level for the CCM component to verbose, and enable
debug logging.
Disable verbose logging : Change the global log level to default, and disable debug logging.
Collect Client Logs : The site sends a client notification message to the selected clients to gather the
CCM logs. The client sends the logs to the management point using the same channel as software
inventory file collection. You don't need to enable software inventory in client settings.
The size limit for the compressed client logs is 100 MB.
Use Resource Explorer to manage and view these files.

IMPORTANT
These actions only change the log verbosity, not the size or history. More verbose logging can generate more log
content.
The management point role also uses the CCM component. If the targeted device is also a management point, this
action also applies to that role.

For more information about these settings, see About log files.
Track the status of the task in the diagnostics.log on the client. When client logs are collected, additional
information is logged in MP_SinvCollFile.log on the management point and sinvproc.log on the site server.

NOTE
Starting in version 2107, you can inventory client log file settings such as log levels and size. Enable the hardware
inventory class, Client Diagnostics (CCM_ClientDiagnostics). For more information, see Enable or disable existing
hardware inventory classes.

Prerequisites - Client diagnostics


Update the target client to the latest version.
Your Configuration Manager administrative user needs the Notify resource permission.
The following built-in roles have this permission by default:
Full Administrator
Infrastructure Administrator
Add this permission to any custom roles that need to use client notification actions.
Cleanup aged client diagnostic files
Collected client logs are stored according to the software inventory file collection settings. The files are stored
on the site server in the Inboxes\sinv.box\FileCol directory. There's no defined limit to the number of
versions.
The maintenance task to delete aged diagnostic files varies depending on your Configuration Manager version:
Version 2010 and later uses the Delete Aged Collected Diagnostic Files site maintenance task to delete
diagnostic files.
Version 2006 and earlier uses the Delete Aged Collected Files site maintenance task to delete diagnostic
files.
For more information, see Reference for maintenance tasks in Configuration Manager.

Endpoint Protection
The following actions are under the Endpoint Protection menu. This menu is on the ribbon in the Collection
group of the Home tab. When you select one or more devices, these actions are on the Selected Object tab of
the ribbon.
For more information, see Endpoint Protection in Configuration Manager.
Permissions - Endpoint Protection
This action requires the Enforce Security permission on the Collection object.
The following built-in roles have this permission by default:
Full Administrator
Endpoint Protection Manager
Operations Administrator
Add this permission to any custom roles that need to trigger Endpoint Protection actions.
Full Scan
Trigger Endpoint Protection or Windows Defender to run a full antimalware scan.
Quick Scan
Trigger Endpoint Protection or Windows Defender to run a quick antimalware scan.
Download Definition
Trigger Endpoint Protection or Windows Defender to download the latest antimalware definitions.

Monitor client operations


Monitor the operations sent to clients by using the Client Operations node under the Monitoring workspace.
For some instances, you can cancel the operation by using the Cancel option in the ribbon. Use the Delete
option to remove the operation from the console's view.
Next steps
How to manage clients
How to manage collections
Maintain Mac clients
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

Here are procedures for uninstalling Mac clients and for renewing their certificates.

Uninstalling the Mac client


1. On a Mac computer, open a terminal window and navigate to the folder containing macclient.dmg.
2. Navigate to the Tools folder and enter the following command line:
./CMUninstall -c

NOTE
The -c property instructs the client uninstall to also remove client crash logs and log files. We recommend this to
avoid confusion if you later reinstall the client.

3. If required, manually remove the client authentication certificate that Configuration Manager was using,
or revoke it. CMUninstall does not remove or revoke this certificate.

Renewing the Mac client certificate


Use one of the following methods to renew the Mac client certificate:
Renew certificate wizard
Renew certificate manually
Renew certificate wizard
1. Configure the following values as strings in the ccmclient.plist file that controls when the Renew
Certificate Wizard opens:
RenewalPeriod1 - Specifies, in seconds, the first renewal period in which users can renew the
certificate. The default value is 3,888,000 seconds (45 days). Don't configure a value less than 300,
as the period will revert to the default.
RenewalPeriod2 - Specifies, in seconds, the second renewal period in which users can renew the
certificate. The default value is 259,200 seconds (3 days). If this value is configured and is greater
than or equal to 300 seconds and is less than or equal to RenewalPeriod1 , the value will be used.
If RenewalPeriod1 is greater than 3 days, a value of 3 days will be used for RenewalPeriod2 . If
RenewalPeriod1 is less than 3 days, then RenewalPeriod2 is set to the same value as
RenewalPeriod1 .
RenewalReminderInterval1 - Specifies, in seconds, the frequency at which the Renew Certificate
Wizard will be displayed to users during the first renewal period. The default value is 86,400
seconds (1 day). If RenewalReminderInterval1 is greater than 300 seconds and less than the
value configured for RenewalPeriod1, then the configured value will be used. Otherwise, the
default value of 1 day will be used.
RenewalReminderInterval2 - Specifies, in seconds, the frequency at which the Renew Certificate
Wizard will be displayed to users during the second renewal period. The default value is 28,800
seconds (8 hours). If RenewalReminderInterval2 is greater than 300 seconds, less than or equal
to RenewalReminderInterval1 and less than or equal to RenewalPeriod2, then the configured
value will be used. Otherwise, a value of 8 hours will be used.
Example: If the values are left as their defaults, 45 days before the certificate expires, the wizard
will open every 24 hours. Within 3 days of the certificate expiring, the wizard will open every 8
hours.
Example: Use the following command line, or a script, to set the first renewal period to 20 days.
sudo defaults write com.microsoft.ccmclient RenewalPeriod1 1728000

2. When the Renew Certificate Wizard opens, the User name and Server name fields will typically be pre-
populated and the user can just enter a password to renew the certificate.

NOTE
If the wizard does not open, or if you accidentally close the wizard, click Renew from the Configuration
Manager preference page to open the wizard.
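The validation rules for the four renewal values interact, so the value you write is not always the value the client uses. The following PowerShell function is an added example, not code from the Configuration Manager documentation: it applies the rules described above to a set of configured values and returns the effective ones, which lets you check a planned change before writing it with `defaults write`. It assumes the rules are applied exactly as stated (in particular that a RenewalPeriod1 of exactly 3 days yields a 3-day RenewalPeriod2).

```powershell
# Added example (not from the Configuration Manager docs): resolve the effective Mac client
# certificate renewal settings from the values written to com.microsoft.ccmclient.
# Pass configured values as a hashtable; omit a key to leave it at the default.
function Resolve-MacRenewalSettings {
    param([hashtable]$Configured = @{})

    $threeDays = 259200

    # RenewalPeriod1: default 45 days; a value below 300 seconds reverts to the default.
    $p1 = 3888000
    if ($Configured.ContainsKey('RenewalPeriod1') -and [int]$Configured.RenewalPeriod1 -ge 300) {
        $p1 = [int]$Configured.RenewalPeriod1
    }

    # RenewalPeriod2: configured value honored only when >= 300 and <= RenewalPeriod1;
    # otherwise 3 days, or RenewalPeriod1 itself when that is shorter than 3 days.
    if ($Configured.ContainsKey('RenewalPeriod2') -and
        [int]$Configured.RenewalPeriod2 -ge 300 -and
        [int]$Configured.RenewalPeriod2 -le $p1) {
        $p2 = [int]$Configured.RenewalPeriod2
    } elseif ($p1 -lt $threeDays) {
        $p2 = $p1
    } else {
        $p2 = $threeDays
    }

    # RenewalReminderInterval1: honored only when > 300 and < RenewalPeriod1; default 1 day.
    $r1 = 86400
    if ($Configured.ContainsKey('RenewalReminderInterval1')) {
        $v = [int]$Configured.RenewalReminderInterval1
        if ($v -gt 300 -and $v -lt $p1) { $r1 = $v }
    }

    # RenewalReminderInterval2: honored only when > 300, <= RenewalReminderInterval1
    # and <= RenewalPeriod2; default 8 hours.
    $r2 = 28800
    if ($Configured.ContainsKey('RenewalReminderInterval2')) {
        $v = [int]$Configured.RenewalReminderInterval2
        if ($v -gt 300 -and $v -le $r1 -and $v -le $p2) { $r2 = $v }
    }

    [pscustomobject]@{
        RenewalPeriod1           = $p1
        RenewalPeriod2           = $p2
        RenewalReminderInterval1 = $r1
        RenewalReminderInterval2 = $r2
    }
}

# All defaults: wizard every 24 h from 45 days out, every 8 h inside the last 3 days.
Resolve-MacRenewalSettings

# The 20-day first period from the command line above, plus a reminder interval that is
# too short (120 s) and therefore reverts to the 1-day default.
Resolve-MacRenewalSettings @{ RenewalPeriod1 = 1728000; RenewalReminderInterval1 = 120 }

# A first period shorter than 3 days drags RenewalPeriod2 down to the same value.
Resolve-MacRenewalSettings @{ RenewalPeriod1 = 172800 }
```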

Renew certificate manually


A typical validity period for the Mac client certificate is 1 year. Configuration Manager does not automatically
renew the user certificate that it requests during enrollment, so you must use the following procedure to renew
the certificate manually.

IMPORTANT
If the certificate expires, you must uninstall, reinstall and then re-enroll the Mac client.

This procedure removes the SMSID, which is required to request a new certificate for the same Mac computer.
When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you
delete the client from the Configuration Manager console.
1. Create and populate a device collection for the Mac computers that must renew the user certificates.

WARNING
Configuration Manager does not monitor the validity period of the certificate that it enrolls for Mac computers.
You must monitor this independently from Configuration Manager to identify the Mac computers to add to this
collection.

2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard .
3. On the General page, specify the following information:
Name: Remove SMSID for Mac
Type: Mac OS X
4. On the Supported Platforms page, ensure that all macOS X versions are selected.
5. On the Settings page, choose New and then, in the Create Setting dialog box, specify the following
information:
Name: Remove SMSID for Mac
Setting type: Script
Data type: String
6. In the Create Setting dialog box, for Discovery script, choose Add script to specify a script that
discovers Mac computers with an SMSID configured.
7. In the Edit Discovery Script dialog box, enter the following Shell Script:

defaults read com.microsoft.ccmclient SMSID

8. Choose OK to close the Edit Discovery Script dialog box.


9. In the Create Setting dialog box, for Remediation script (optional) , choose Add script to specify a
script that removes the SMSID when it is found on Mac computers.
10. In the Create Remediation Script dialog box, enter the following Shell Script:

defaults delete com.microsoft.ccmclient SMSID

11. Choose OK to close the Create Remediation Script dialog box.


12. On the Compliance Rules page of the wizard, click New , and then in the Create Rule dialog box,
specify the following information:
Name:Remove SMSID for Mac
Selected setting: Choose Browse and then select the discovery script that you specified
previously.
In the following values field, enter The domain/default pair of (com.microsoft.ccmclient,
SMSID) does not exist .
Enable the option Run the specified remediation script when this setting is
noncompliant .
13. Complete the Create Configuration Item Wizard.
14. Create a configuration baseline that contains the configuration item that you have just created and
deploy it to the device collection that you created in step 1.
For more information about how to create and deploy configuration baselines, see How to create
configuration baselines and How to deploy configuration baselines.
15. On Mac computers that have the SMSID removed, run the following command to install a new certificate:

sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'>

When prompted, provide the password for the super user account to run the command and then the
password for the Active Directory user account.
16. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window
and make the following changes:
a. Enter the command
sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

b. In the Keychain Access dialog, in the Keychains section, choose System, and then, in the Category
section, choose Keys.
c. Expand the keys to view the client certificates. When you have identified the certificate with a private
key that you have just installed, double-click the key.
d. On the Access Control tab, choose Confirm before allowing access.
e. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose
Add.
f. Choose Save Changes and close the Keychain Access dialog box.
17. Restart the Mac computer.
Introduction to collections in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Collections help you organize resources into manageable units. You can create collections to match your client
management needs, and to perform operations on multiple resources at one time.
Most management tasks rely on or require using one or more collections. Although you can use the built-in
collection of All Systems, using it for management tasks is not a best practice. Create custom collections to more
specifically identify the devices or users for a task.
Built-in and custom collections appear in the User Collections and Device Collections nodes in the Assets
and Compliance workspace in the Configuration Manager console.
Collections that you have recently viewed appear in the Users node and in the Devices node in the Assets and
Compliance workspace.
Here are some examples of collection use:

Operation: Grouping resources
Example: You can create collections that group resources based on your organization's hierarchy. For
example, you could create a collection of all computers in the "London Headquarters" Active Directory
Organizational Unit (OU). For more information about how to create this type of collection, see How to
create collections. You could use this collection for operations such as configuring Endpoint Protection
settings, configuring device power management settings, or installing the Configuration Manager client.

Operation: Application deployment
Example: You can create a collection of all computers that do not have Microsoft 365 Apps installed and
then deploy the application to all computers in that collection. You can also use application requirements
to perform this task. For more information, see How to create applications with Configuration Manager.

Operation: Managing client settings
Example: Although the default client settings in Configuration Manager apply to all devices and all users,
you can create custom client settings that apply to a collection of devices or a collection of users. For
example, if you want remote control to be available on all but a few devices, configure the default client
settings to allow remote control and then configure custom client settings that do not allow remote control,
and deploy those to the collection of exceptional clients.

Operation: Power management
Example: You can configure specific power settings per collection.

Operation: Role-based administration
Example: Use collections to control which groups of users have access to various functionality in the
Configuration Manager console.

Operation: Maintenance windows
Example: With maintenance windows you can define a time period when various Configuration Manager
operations can be carried out on members of a device collection.

Collection types in Configuration Manager


Configuration Manager has built-in collections for common operations, and you can also create custom
collections.
Built-in collections
By default, Configuration Manager includes the following collections, which cannot be modified.

Collection name: All User Groups
Description: Contains the user groups that are discovered by using Active Directory Security Group Discovery.

Collection name: All Users
Description: Contains the users who are discovered by using Active Directory User Discovery.

Collection name: All Users and User Groups
Description: Contains the All Users and the All User Groups collections. This collection contains the largest
scope of user and user group resources.

Collection name: All Desktop and Server Clients
Description: Contains the server and desktop devices that have the Configuration Manager client installed.
Membership is maintained by Heartbeat Discovery.

Collection name: All Mobile Devices
Description: Contains the mobile devices that are managed by Configuration Manager. Membership is
restricted to those mobile devices that are successfully assigned to a site or discovered by the Exchange
Server connector.

Collection name: All Systems
Description: Contains the All Desktop and Server Clients, the All Mobile Devices, and the All Unknown
Computers collections, and all mobile devices that are enrolled by Microsoft Intune. This collection contains
the largest scope of device resources.

Collection name: All Unknown Computers
Description: Contains generic computer records for multiple computer platforms. You can use this collection
to deploy an operating system by using a task sequence and PXE boot, bootable media, or prestaged media.

Collection name: Co-management Eligible Devices
Description: Contains devices that meet the client prerequisites and are eligible for co-management
enrollment (added in version 2111).

Custom collections
When you create a custom collection in Configuration Manager, the membership of that collection is determined
by one or more collection rules, as described in How to create collections.
Prerequisites for collections in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Collections in Configuration Manager have dependencies only within the product.

Configuration Manager dependencies


Dependency: Reporting services point
More information: The reporting services point site system role must be installed before you can run
reports for collections. For more information, see Introduction to reporting.

Dependency: Specific security permissions must have been granted to manage collections
More information: You must have the following security permissions to manage compliance settings:
- To create and manage collections: Create, Delete, Modify, Modify Folder, Move Object, Read and Read
Resource for the Collection Object.
- To manage collection settings: Modify Collection Setting for the Collection Object.
The Modify Folder permission is required for all collection folders, including the root folder.

Best practices for collections in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Some collection management guidance can be contradictory. For example, for performance reasons, you should
limit the number of collections that update frequently. But updating collections frequently is convenient, since
most Configuration Manager functionality is dependent on collections. Carefully consider both performance
impacts and business requirements when you design and configure collections and collection evaluation.
Use the following best practices for collections in Configuration Manager.

Configure maintenance window for updates


You can configure maintenance windows for device collections to restrict the times that Configuration Manager
can install software on these devices. If you configure the maintenance window to be too small, the client may
not install critical software updates. This state leaves the client vulnerable to the issues the update mitigates.
Important considerations to keep in mind when planning your maintenance windows:
The default software update maximum run time is 60 minutes.
When Configuration Manager calculates whether an update can install, it adds five minutes to the maximum
run time to account for a restart.
The remaining duration of a maintenance window must be longer than the maximum run time of the
software update plus five minutes.

Avoid frequent collection evaluation


A full collection evaluation evaluates not only the targeted collection, but also any collections that the collection
limits if an update occurs. Also, a collection with no schedule is still evaluated if its limiting collection updates. So
it's possible that some collections may be evaluated more often than you expect.
In a busy Configuration Manager environment, you can improve collection evaluation performance by scaling
back schedules to avoid repeated collection evaluations. In a deep tree, you can decrease collection evaluation
frequency as the collections descend deeper in the tree, because higher-level collection evaluations will also
trigger lower-level collection evaluations.

Understand the collection evaluation graph


Be aware of how the collection evaluation graph works so you can design an appropriate collection structure.
Don't rely on full collection evaluation to always update all collections. If an incrementally updated collection
updates on a schedule, referencing collections that aren't enabled for incremental updates may not update.
Because updates likely occurred during incremental evaluations, a full evaluation may not update the collection,
ending the collection evaluation graph for that cycle. In that case, no referencing collection evaluations occur. For
more information, see Collection evaluation graph.

Limit incremental updates


Enabling incremental updates for many collections might cause evaluation delays. It's best to limit the number
of incrementally updated collections to 200. The exact number depends on:
The total number of collections
The frequency of new resources being added and changed in the hierarchy
The number of clients in a hierarchy
The complexity of collection membership rules in a hierarchy
If the incremental evaluation cycle is taking longer than the configured update frequency, then Configuration
Manager is constantly processing collection evaluations, which could affect system performance. Reduce the
number of incrementally updated collections, or increase the time between incremental evaluation cycles.
Given the potential impacts of incremental collections, it's important to have a policy or procedure for creating
the collections and assigning update schedules. Examples of policy considerations might be:
Only use incremental updates for collections that are used for security scoping, client settings, and
maintenance windows. These collection updates affect client behavior and access to resources.
For applications with no licensing approval, advertise applications to existing collections, and use global
conditions to restrict availability.
Outline appropriate periods for other collections that have full collection updates scheduled.

Avoid evaluation of large trees from the CAS


In a Configuration Manager environment, the central administration site (CAS) doesn't evaluate collection
membership. Primary sites are the only sites that evaluate collections. Secondary sites act as proxies that use
only data they replicate from their primary site.
To request a collection update, the CAS sends a request to each primary site. The primary sites evaluate the
collection and send the results back to the CAS. The collection evaluation results appear only after all collection
evaluation instructions replicate to all sites, all sites evaluate all collections, and all data returns to the CAS and is
combined.
The following diagram demonstrates the flow when the CAS requests a manual collection update:

A collection update from a CAS with multiple primary sites can be time consuming. If a collection doesn't
evaluate in a timely fashion, it's tempting to repeat the request.
Once a collection evaluation thread begins and loads the evaluation graph, evaluation continues until the
collection evaluation graph is empty. The thread then terminates and becomes available for the next evaluation.
However, if another collection evaluation cycle queues while the thread is evaluating collections, the thread
immediately restarts to attempt an evaluation of the "missed" cycle.
Each evaluation method runs in its own thread. It's possible that within the thread, Configuration Manager may
attempt to graph the same collection more than once. Configuration Manager then drops the second and later
requests.
To prevent these scenarios, avoid manual collection evaluations of large trees, especially when working from the
CAS with multiple sites.

Consider collection depth and cross-referencing


To strike a balance between business requirements and performance, it's important to understand the collection
structure you create, and its dependencies on other collections. If you create a collection with rules that
reference one or more collections that also refer to other collections, all of those collections are evaluated to
create the membership of the collection.
The include and exclude collection rules in Configuration Manager make referencing collections easier than
writing a custom WQL query. However, if using include and exclude collections results in a high performance
cost, you can use the WQL query method instead. Use the following example queries and replace the example
collection ID XYZ0003F with the ID of the collection you want to include or exclude.
Include:
Select * from SMS_R_System where SMS_R_System.ResourceId in (select ResourceID from SMS_CM_RES_COLL_XYZ0003F)

Exclude:
Select * from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_XYZ0003F)

Use CEViewer to monitor collection evaluation


You can use the Collection Evaluation Viewer (CEViewer) to monitor how many collections are being evaluated
and how long each collection is taking to update. The CEViewer is in the CD.Latest folder on the site server.

TIP
Starting in Configuration Manager version 2010, this functionality is built into the console. For more information, see
How to view collection evaluation.

To manually do a similar check with SQL, you can use the following query:

SELECT [t2].[CollectionName], [t2].[SiteID], [t2].[value] AS [Seconds], [t2].[LastIncrementalRefreshTime],
    [t2].[IncrementalMemberChanges] AS [IncChanges], [t2].[LastMemberChangeTime] AS [MemberChangeTime]
FROM (
    SELECT [t0].[CollectionName], [t0].[SiteID],
        DATEDIFF(Millisecond, [t1].[IncrementalEvaluationStartTime], [t1].[LastIncrementalRefreshTime]) * 0.001 AS [value],
        [t1].[LastIncrementalRefreshTime], [t1].[IncrementalMemberChanges], [t1].[LastMemberChangeTime],
        [t1].[IncrementalEvaluationStartTime], v1.[RefreshType]
    FROM [dbo].[Collections_G] AS [t0]
    INNER JOIN [dbo].[Collections_L] AS [t1] ON [t0].[CollectionID] = [t1].[CollectionID]
    INNER JOIN v_Collection v1 ON [t0].[SiteID] = v1.CollectionID
) AS [t2]
WHERE ([t2].[IncrementalEvaluationStartTime] IS NOT NULL) AND ([t2].[LastIncrementalRefreshTime] IS NOT NULL)
    AND ([t2].[RefreshType] = '4' OR [t2].[RefreshType] = '6')
ORDER BY [t2].[value] DESC

Collection evaluation in Configuration Manager
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager uses collection evaluation to update collection membership, based on the collection
rules you define. Collection evaluation scope and timing differ depending on site and collection configuration
and evaluation type.
It's important to understand collection evaluation behavior so you can make appropriate collection design
decisions. For collection evaluation guidance and recommendations, see Best practices for collections.

Evaluation process
The colleval.log records when the collection evaluator creates, changes, and deletes collections.
At a high level, each individual collection evaluation and update follows these steps:

1. Execute the collection query.


2. Add any systems that are direct members.
3. Evaluate all include collections.
If the include collections also have query rules, or have include or exclude collections, evaluate them also.
If the include collections themselves are limiting collections, evaluate any collections below them. After
fully evaluating the tree, return the results to the calling collection.
4. Perform a logical AND between the returned results and the limiting collection.
5. Evaluate the exclude collections.
If the exclude collections also have query rules, or have include or exclude collections, evaluate them also.
If these collections themselves are limiting collections, evaluate any collections below them. After fully
evaluating the tree, return the results to the calling collection.
6. Compare the result set from evaluating the direct members and include collections with the results of
evaluating the exclude collections.
7. Write the changes to the database and perform updates.
8. Trigger any dependent collections to update as well. Dependent collections are collections that the current
collection limits, or that refer to the current collection using include or exclude rules.

TIP
You can use management insights in the Configuration Manager console to help you manage your collections. There's a
group of insights specific to Collections. There are also several insights in the Configuration Manager Assessment group
for collections.

Collection evaluation types and triggers


These types of threads handle collection evaluation, depending on evaluation type:
Primary for scheduled collection updates
Auxiliary to manually update collections with dependent collections
Single to manually update collections with no dependent collections
Express for incremental collection updates
The following table describes collection evaluation triggers and their corresponding evaluation types.

Trigger: Manual
Evaluation type: Single or Auxiliary
Description: Manual is the highest priority collection evaluation. When an administrator requests a manual
collection evaluation, the collection evaluator assigns the next available evaluation thread to the evaluation.

Trigger: Scheduled
Evaluation type: Primary
Description: The process of scheduled evaluation is the same as manual evaluation, except the evaluation is
time-driven rather than event-driven.

Trigger: Staging
Evaluation type: Single or Auxiliary
Description: All collections directly or indirectly depend on All Systems or All Users and User Groups. Both
of these collections do a full collection evaluation at 4:00 AM daily. A change to either of these collections
triggers updates of dependent collections, based on a full collection graph.

Trigger: Incremental
Evaluation type: Express
Description: Incremental evaluation uses a collection evaluation graph to evaluate and update dependent
collections if an update to the incremental collection membership changes. Configuration Manager monitors
and updates resource objects in all collections that are configured for incremental updates. If a collection
query is based on information that will be updated later, like hardware inventory, Configuration Manager
only adds or removes the resource from the collection during the scheduled collection update.

Collection evaluation graph


A collection evaluation graph maps all collections that relate to the collection targeted for evaluation. A
collection evaluation involves the targeted collection and any related collections in the collection evaluation
graph.
When collection evaluation starts, Configuration Manager builds a graph that includes all collections that could
possibly need evaluating as a result of changes to the target collection, starting from the highest level in the
cycle. The collection evaluator then moves through the graph in order, evaluating each collection membership in
turn. After the collection is fully evaluated, the collection evaluator removes lower-level collections that aren't
affected by this cycle from the collection evaluation graph.
If one or more of the collections being evaluated has an include or exclude rule, the collection evaluator adds the
included or excluded collection to the graph, along with any collections that collection limits. If there are any
changes during the evaluation of the include and exclude collections, the graph continues on that branch before
it returns to the main branch.
Configuration Manager builds two types of evaluation graphs, incremental or full.
Incremental collection evaluation
When table data changes, a SQL Server trigger inserts a row in the CollectionNotifications table. The next
time a collection evaluation schedule fires, it ANDs the resource ID with the existing collection query and
triggers updates on collections that are enabled for incremental updates.
Incremental collection evaluation executes one query per machine. The default site configuration for incremental
collection evaluation is every five minutes.
An incremental collection evaluation graph maps referenced collections only if they're enabled for incremental
evaluation. If an incremental evaluation is limited to a collection that isn't enabled for incremental evaluation, the
graph evaluates the collection based on the existing membership of the limiting collection.
For example, the following diagram shows newly discovered resources that are applicable to all collections.
However, collection evaluation only updates the All Servers and All Domain Controllers collections. The
collection evaluator doesn't evaluate the other collections, because the All Member Servers collection isn't
enabled for incremental evaluation.
Full collection evaluation
Manual or scheduled collection evaluations build a full collection evaluation graph of all dependent collections.
The graph includes all collections that reference the collection that is updating and subsequent collections.
Configuration Manager continues to evaluate down the graph as long as updates occur to the collections being
processed.
The following diagram shows how a scheduled or manual collection update request for the All Servers
collection produces a full graph that includes all applicable collections. The new DNS server and domain
controller resources are in scope of the membership queries of all collections, so all the collections update.

A full evaluation doesn't always evaluate all collections. The collection evaluation graph only continues to
evaluate dependent collections if an update occurs to the current referenced collection. If an incrementally
updated collection updates during scheduled incremental evaluations, referencing collections that aren't enabled
for incremental updates may not update. A full evaluation doesn't update the collection, ending the collection
evaluation graph and any referencing collection evaluations for that cycle.
In the following example, installing DNS on the existing server makes it a member of the DNS Servers
collection, but because there's no update to its limiting All Member Servers collection, the full evaluation
doesn't evaluate the DNS Servers collection. The next incremental evaluation cycle will evaluate the DNS
Servers collection, because it's an incremental collection.
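The evaluation steps listed under Evaluation process, the full and incremental graphs, and the DNS Servers example above can be worked through with the following Python model. This is an added example, not Configuration Manager code and not its database schema: the Collection and Site classes, the resource records with a constructed "roles" attribute that stands in for discovery and inventory data, and the collection names and rules are all assumptions built to mirror the diagrams the text describes. The model simplifies the product in two respects: a referenced include or exclude collection contributes its membership after its own tree has been evaluated, and evaluation threads and SQL triggers are not modeled.

```python
# Toy model of Configuration Manager collection evaluation (added example, not product code);
# resource IDs, collection names, rules and the "roles" attribute below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Collection:
    name: str
    limiting: Optional[str] = None                               # limiting collection (None = root)
    query: Optional[Callable[[Dict[str, object]], bool]] = None  # stands in for a WQL query rule
    direct: Set[str] = field(default_factory=set)                # direct membership rules
    include: List[str] = field(default_factory=list)             # include collection rules
    exclude: List[str] = field(default_factory=list)             # exclude collection rules
    incremental: bool = False                                    # "Use incremental updates" enabled
    members: Set[str] = field(default_factory=set)


class Site:
    def __init__(self, resources: Dict[str, Dict[str, object]], collections: List[Collection]):
        self.resources, self.collections = resources, {c.name: c for c in collections}

    def dependents(self, name: str) -> List[str]:
        """Step 8: collections the named one limits, or that include/exclude it."""
        return [c.name for c in self.collections.values()
                if c.limiting == name or name in c.include or name in c.exclude]

    def evaluate(self, name: str, scope: Optional[Set[str]] = None) -> bool:
        """Steps 1-7 for one collection; True if its membership changed. scope=None is a full
        evaluation; a set of resource IDs is an incremental one that re-tests only those IDs."""
        col = self.collections[name]
        ids = set(self.resources) if scope is None else scope & set(self.resources)
        result = {r for r in ids if col.query and col.query(self.resources[r])}  # 1. query rule
        result |= col.direct & ids                                               # 2. direct members
        for inc in col.include:                                                  # 3. include rules
            if scope is None or self.collections[inc].incremental:               # refresh its tree first
                self.evaluate(inc, scope)
            result |= self.collections[inc].members & ids
        if col.limiting:                                                         # 4. AND limiting
            result &= self.collections[col.limiting].members
        for exc in col.exclude:                                                  # 5-6. exclude wins
            if scope is None or self.collections[exc].incremental:
                self.evaluate(exc, scope)
            result -= self.collections[exc].members
        new = result if scope is None else (col.members - ids) | result          # 7. write changes
        changed, col.members = new != col.members, new
        return changed

    def _walk(self, queue: List[str], scope: Optional[Set[str]]) -> List[str]:
        """Work through a graph: dependents are graphed only after a change; duplicates are dropped."""
        order: List[str] = []
        while queue:
            name = queue.pop(0)
            if name in order or (scope is not None and not self.collections[name].incremental):
                continue
            order.append(name)
            if self.evaluate(name, scope):
                queue.extend(self.dependents(name))
        return order

    def full_evaluation(self, start: str) -> List[str]:
        """Manual or scheduled evaluation: a full graph rooted at the requested collection."""
        return self._walk([start], None)

    def incremental_evaluation(self, changed: Set[str]) -> List[str]:
        """Express evaluation: starts at incremental collections whose limiting collection is not."""
        return self._walk([c.name for c in self.collections.values() if c.incremental and
                           (c.limiting is None or not self.collections[c.limiting].incremental)],
                          changed)


def build_site() -> Site:
    """Constructed sample site mirroring the All Servers / All Member Servers / DNS Servers diagrams."""
    has = lambda role: (lambda r: role in r["roles"])
    return Site(
        {"SRV01": {"roles": {"server", "member"}}, "SRV02": {"roles": {"server", "member", "dns"}},
         "DC01": {"roles": {"server", "dc"}}, "WS01": {"roles": {"workstation"}}},
        [Collection("All Systems", query=lambda r: True),
         Collection("All Servers", "All Systems", has("server"), incremental=True),
         Collection("All Member Servers", "All Servers", has("member")),
         Collection("DNS Servers", "All Member Servers", has("dns"), incremental=True),
         Collection("Member Servers without DNS", "All Servers",
                    include=["All Member Servers"], exclude=["DNS Servers"])])


def dns_install_scenario() -> Dict[str, object]:
    """DNS gets installed on SRV01, an existing member server, after the initial evaluation."""
    site = build_site()
    site.full_evaluation("All Systems")                 # initial membership everywhere
    site.resources["SRV01"]["roles"].add("dns")
    full_order = site.full_evaluation("All Servers")    # scheduled update of All Servers
    dns_after_full = set(site.collections["DNS Servers"].members)
    inc_order = site.incremental_evaluation({"SRV01"})  # next incremental cycle
    dns_after_inc = set(site.collections["DNS Servers"].members)
    stale = set(site.collections["Member Servers without DNS"].members)
    site.full_evaluation("Member Servers without DNS")  # that collection's own full schedule
    fixed = set(site.collections["Member Servers without DNS"].members)
    return {"full_order": full_order, "dns_after_full": dns_after_full, "inc_order": inc_order,
            "dns_after_inc": dns_after_inc, "stale": stale, "fixed": fixed}
```

Running dns_install_scenario() reproduces the caveat in the last paragraph: the scheduled full evaluation of All Servers ends at All Servers because its membership did not change, so DNS Servers still contains only SRV02. The next incremental cycle, with SRV01 in the notification set, adds SRV01 to DNS Servers. The non-incremental Member Servers without DNS collection, which excludes DNS Servers, keeps listing SRV01 until its own scheduled full evaluation runs, which is the situation the Best practices article warns about for referencing collections that aren't enabled for incremental updates.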
Next steps
How to create collections
Best practices for collections
View collection evaluation (starting in version 2010)
Collection Evaluation Viewer
How to create collections in Configuration Manager
2/16/2022 • 12 minutes to read

Applies to: Configuration Manager (current branch)


Collections are groupings of users or devices. Use collections for tasks like managing applications, deploying
compliance settings, or installing software updates. You can also use collections to manage groups of client
settings or use them with role-based administration to specify the resources that an administrative user can
access. Configuration Manager contains several built-in collections. For more information, see Introduction to
collections.

NOTE
A collection can contain users or devices, but not both.

The information in this article can help you create collections in Configuration Manager. You can also import
collections that were created at the current Configuration Manager site or at another one. For more information
about how to export and import collections, see How to manage collections.

Collection rules
There are different types of rules that you can use to configure the members of a collection in Configuration
Manager.
Direct rule
Use direct rules to choose the users or computers that you want to add to a collection. The membership doesn't
change unless you remove a resource from Configuration Manager. Before you can add the resources to a direct
rule collection, Configuration Manager must have discovered them or you must have imported them. Direct rule
collections have more administrative overhead than query rule collections because they require manual
changes.
Query rule
Dynamically update the membership of a collection based on a query that Configuration Manager runs on a
schedule. For example, you can create a collection of users that are a member of the Human Resources
organizational unit in Active Directory Domain Services. This collection is automatically updated when new
users are added to or removed from the Human Resources organizational unit.
For example queries that you can use to build collections, see How to create queries.
Include collection rule
Include the members of another collection in a Configuration Manager collection. If the included collection
changes, Configuration Manager updates the membership of the current collection on a schedule.
You can add multiple include collection rules to a collection.
Exclude collection rule
Exclude collection rules let you exclude the members of one collection from another Configuration Manager
collection. If the excluded collection changes, Configuration Manager updates the membership of the current
collection on a schedule.
You can add multiple exclude collection rules to a collection. If a collection includes both include collection and
exclude collection rules and there's a conflict, the exclude collection rule takes priority.
Example of an exclude collection rule
You create a collection that has one include collection rule and one exclude collection rule. The include collection
rule is for a collection of Dell desktops. The exclude collection is for a collection of computers that have less than
4 GB of RAM. The new collection contains Dell desktops that have at least 4 GB of RAM.

Create a collection
1. In the Configuration Manager console, go to the Assets and Compliance workspace.
To create a device collection, select the Device Collections node. Then, on the Home tab of the
ribbon, in the Create group, select Create Device Collection.
To create a user collection, select the User Collections node. Then, on the Home tab of the
ribbon, in the Create group, select Create User Collection.
2. On the General page of the wizard, provide a Name and a Comment. In the Limiting collection
section, select Browse, and then select a limiting collection. The collection you're creating will contain
only members from the limiting collection.
3. On the Membership Rules page, in the Add Rule list, select the type of membership rule that you want
to use for the collection. You can configure multiple rules for each collection. The configuration for each
rule varies. For more information on configuring each rule, see the following sections of this article:
Direct rule
Query rule
Include collection rule
Exclude collection rule
4. Also on the Membership Rules page, review the following settings.
Use incremental updates for this collection: Select this option to periodically scan for and
update only new or changed resources from the previous collection evaluation. This process is
independent of a full collection evaluation. By default, incremental updates occur at 5-minute
intervals.

IMPORTANT
Collections with query rules that use the following classes don't support incremental updates:
SMS_G_System_CollectedFile
SMS_G_System_LastSoftwareScan
SMS_G_System_AppClientState
SMS_G_System_DCMDeploymentState
SMS_G_System_DCMDeploymentErrorAssetDetails
SMS_G_System_DCMDeploymentCompliantAssetDetails
SMS_G_System_DCMDeploymentNonCompliantAssetDetails
SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections of users only)
SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for collections of users only)
SMS_G_System_SoftwareUsageData
SMS_G_System_CI_ComplianceState
SMS_G_System_EndpointProtectionStatus
SMS_GH_System_*
SMS_GEH_System_*
Schedule a full update on this collection: Schedule a regular full evaluation of the collection
membership.
When you disable this setting, the site clears the schedule. This change from previous
behavior makes sure that the site doesn't continue to evaluate the query. To stop the site
evaluating a collection on a schedule, disable this option.
You can't disable the evaluation of built-in collections like All Systems, but you can
configure the schedule. This behavior allows you to customize this action at a time that
meets your requirements.

TIP
On built-in collections, only change the Time of the custom schedule. Don't change the
Recurrence pattern. Future versions of Configuration Manager might enforce a specific
recurrence pattern.

5. Complete the wizard to create the new collection. The new collection is displayed in the Device
Collections node of the Assets and Compliance workspace.

NOTE
To see new collection members, refresh or reload the Configuration Manager console. They don't appear in the collection
until after the first scheduled update. You can also manually select Update Membership for the collection. It might take
a few minutes for a collection update to complete.

Configure a direct rule for a collection


1. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the
following information:
Resource class: Select the type of resource you want to search for and add to the collection. For
example:
System Resource: Search for inventory data returned from client computers.
Unknown Computer: Select from values returned by unknown computers.
User Resource: Search for user information collected by Configuration Manager.
User Group Resource: Search for user group information collected by Configuration
Manager.
Attribute name: Select the attribute associated with the selected resource class that you want to
search for. For example:
If you want to select computers by their NetBIOS name, select System Resource in the
Resource class list and NetBIOS name in the Attribute name list.
If you want to select users by their organizational unit (OU) name, select User Resource in
the Resource class list and User OU Name in the Attribute name list.
Exclude resources marked as obsolete: If a client computer is marked as obsolete, don't
include this value in the search results.
Exclude resources that do not have the Configuration Manager client installed: These
resources won't be displayed in the search results.
Value: Enter a value to search the selected attribute name. Use the percent character (%) as a
wildcard. For example:
To search for computers that have a NetBIOS name beginning with M, enter M% in this
field.
To search for users in the Contoso OU, enter Contoso in this field.
2. On the Select Resources page, select the resources that you want to add to the collection in the
Resources list, and then select Next.

Configure a query rule for a collection


In the Query Rule Properties dialog box, specify the following information.
Name : Specify a unique name for the query.
Import Query Statement : Opens the Browse Query dialog box. Select a Configuration Manager
query to use as the query rule for the collection.
Resource class : Select the type of resource you want to search for and add to the collection. Select a
value from System Resource to search for inventory data returned from client computers or from
Unknown Computer to select from values returned by unknown computers.
Edit Query Statement : Opens the Query Statement Properties dialog box, where you can write a
query to use as the rule for the collection. On the General tab, if you select the option to Omit duplicate
rows (select distinct) , the query may return fewer rows and may run faster. For more
information about queries, see Introduction to queries.
Starting in Configuration Manager 2010, you can preview the results when you're creating or editing a
query for collection membership. For more information, see the Preview collection queries section.

Configure an include collection rule


In the Select Collections dialog box, select the collections you want to include in the new collection, and then
select OK .

Configure an exclude collection rule


In the Select Collections dialog box, select the collections you want to exclude from the new collection, and
then select OK .
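The four rule types above can also be attached from PowerShell with the console's module (the cmdlets are listed later in this article). The following is an added example written for this page, not code from the Configuration Manager documentation. It assumes the console is installed on the machine you run it from, that the account has Create and Modify rights on collections, and that the site code PS1, the collection names, and the host name WS-PROD-01 are placeholders to replace with your own.

```powershell
# Added example (not from the Configuration Manager documentation): create a device
# collection and attach one membership rule of each type with the console's
# PowerShell module. Site code, collection names and the host name are placeholders.
$SiteCode = 'PS1'
Import-Module "$(Split-Path $env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

$collName = 'Workstations - Patch Ring 1'

# Full evaluation once a day at 02:00 plus incremental updates (RefreshType Both).
# Use -RefreshType Periodic to turn incremental evaluation off on very large collections.
$schedule = New-CMSchedule -Start (Get-Date '2022-03-01 02:00') -RecurInterval Days -RecurCount 1
New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' `
    -RefreshType Both -RefreshSchedule $schedule | Out-Null

# 1. Query rule: the same WQL you would paste into Edit Query Statement
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like 'Microsoft Windows NT Workstation%'
"@
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
    -RuleName 'Windows workstations' -QueryExpression $wql

# 2. Direct rule: one named device, added by resource ID (skipped if it doesn't exist)
$device = Get-CMDevice -Name 'WS-PROD-01'
if ($device) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collName -ResourceId $device.ResourceID
}

# 3. Include rule: pull in every member of a pilot collection
Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $collName -IncludeCollectionName 'Pilot Devices'

# 4. Exclude rule: a device matched here is removed even if another rule adds it
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $collName -ExcludeCollectionName 'Servers - Do Not Patch'

# Members don't appear until the first evaluation: request one now and list the result.
Invoke-CMCollectionUpdate -Name $collName
Start-Sleep -Seconds 60    # evaluation is asynchronous; adjust the wait for collection size
Get-CMCollectionMember -CollectionName $collName | Select-Object Name, ResourceID, IsClient
```

The exclude rule is applied last, so review it before deployment: a device in both 'Pilot Devices' and 'Servers - Do Not Patch' never becomes a member.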

Preview collection queries


(Introduced in 2010)
Starting in Configuration Manager 2010, you can preview the results when you're creating or editing a query for
collection membership. In the Query Statement Properties , select the green triangle to show the Query
Results Preview window. Select Stop if you want to stop a long running query.
Improvements to query preview
(Introduced in 2103)
Starting in Configuration Manager version 2103, you have more options when using the collection query
preview. The following improvements have been made to previewing collection queries:
Limit the number of rows returned
Your limit can be between 1 to 10,000 rows. The default is 5000 rows.
Omit duplicate rows from the result set
If the Omit duplicate rows option isn't selected, the original query statement runs as written,
even if the query already contains the word distinct .
When the Omit duplicate rows option is selected and the query already contains the word distinct ,
the query runs as written. When the query doesn't contain the word distinct , the preview adds it to the
query (the option overrides the query text, for the preview only).
Review statistics for the query preview such as number of rows returned and elapsed time.
NOTE
Elapsed times shown for the query preview may not be the same as actual execution of the target query.
Query execution elapsed time and Displaying results elapsed time shouldn't be added for a total elapsed
time since these processes run in parallel.
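The preview is a console feature, but the same three behaviors (row limit, the distinct override, and timing) can be reproduced by running the WQL directly against the SMS Provider. The function below is an added example for this page, not the console's own preview code. It assumes the SMS Provider accepts the extended WQL used by collection rules over a WMI query (joins and distinct included), that the account has read access to the root\SMS\site_<code> namespace, and that the site code and provider host are placeholders.

```powershell
# Added example (not code from the Configuration Manager console): emulate the
# collection query preview from PowerShell. Assumptions: the SMS Provider is reachable
# over WMI at $ProviderHost and parses collection-rule WQL; values are placeholders.
function Invoke-CMQueryPreview {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $SiteCode = 'PS1',
        [string] $ProviderHost = 'localhost',
        [ValidateRange(1, 10000)] [int] $RowLimit = 5000,   # same bounds/default as the console
        [switch] $OmitDuplicateRows
    )
    $effective = $Query.Trim()

    # Console rule: with the option on, inject DISTINCT only when the query lacks it;
    # with the option off, or when DISTINCT is already present, run the query unchanged.
    if ($OmitDuplicateRows -and $effective -notmatch '^\s*select\s+distinct\b') {
        $effective = $effective -replace '^\s*select\b', 'select distinct'
    }

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $rows = Get-CimInstance -ComputerName $ProviderHost -Namespace "root\SMS\site_$SiteCode" `
                -Query $effective | Select-Object -First $RowLimit
    $sw.Stop()

    [pscustomobject]@{
        EffectiveQuery = $effective
        RowsReturned   = @($rows).Count
        LimitReached   = (@($rows).Count -ge $RowLimit)
        # Provider/query time only; the console's "Displaying results" time is not included.
        ElapsedMs      = $sw.ElapsedMilliseconds
        Rows           = $rows
    }
}

# A join like this returns one row per matching Add/Remove Programs entry, so the same
# device can appear several times; -OmitDuplicateRows collapses those rows.
$preview = Invoke-CMQueryPreview -OmitDuplicateRows -RowLimit 100 -Query @"
select SMS_R_System.ResourceId, SMS_R_System.Name from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
  on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like '7-Zip%'
"@
$preview | Select-Object EffectiveQuery, RowsReturned, LimitReached, ElapsedMs
```

Because Select-Object -First stops the pipeline, a runaway query is cut off at the limit rather than pulling every row from the provider, which is the same reason the console caps the preview at 10,000 rows.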

Import a collection
When you export a collection from a site, Configuration Manager saves it as a Managed Object Format (MOF)
file. Use this procedure to import that file into your site database. To complete this procedure, you need Create
permissions on the collections class.

IMPORTANT
Make sure the MOF file contains only collection data, is from a trusted source, and hasn't been tampered with.
Also make sure to export the file from a site that's the same version of Configuration Manager as the import site.

For more information about exporting collections, see How to manage collections.
1. In the Configuration Manager console, go to the Assets and Compliance workspace. Select either the
User Collections or the Device Collections node.
2. On the Home tab of the ribbon, in the Create group, select Import Collections .
3. On the General page of the Import Collections Wizard , select Next .
4. On the MOF File Name page, select Browse . Browse to the MOF file that contains the collection
information you want to import.
5. Complete the wizard to import the collection. The new collection is displayed in the User Collections or
Device Collections node of the Assets and Compliance workspace. Refresh or reload the
Configuration Manager console to see the collection members for the newly imported collection.

Use PowerShell
You can use PowerShell to create and import collections. For more information, see the following cmdlet articles:
New-CMCollection
Set-CMCollection
Import-CMCollection
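The IMPORTANT note above asks for three things before an import: the MOF is from a trusted source, it hasn't been tampered with, and it came from a site of the same version. None of those are checked by Import-CMCollection itself. The following is an added example for this page, not code from the product: it records a SHA-256 digest and the source site version next to the export, and refuses to import unless both match and the file contains only the instance classes an exported collection is expected to carry. The allow-list of class names is an assumption; compare it against your own exports before relying on it.

```powershell
# Added example (not Configuration Manager code): gate Import-CMCollection on a
# recorded digest, a site-version match and a class allow-list. Paths, site code and
# the $allowed class list are assumptions for your environment.
$SiteCode = 'PS1'
Import-Module "$(Split-Path $env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# --- On the exporting site: write the MOF plus a sidecar with digest and version ---
$mofPath = 'C:\Exports\PatchRing1.mof'
Export-CMCollection -Name 'Workstations - Patch Ring 1' -ExportFilePath $mofPath
$meta = [ordered]@{
    Sha256      = (Get-FileHash -Path $mofPath -Algorithm SHA256).Hash
    SiteVersion = (Get-CMSite -SiteCode $SiteCode).Version
}
$meta | ConvertTo-Json | Set-Content "$mofPath.json"
# Ship the sidecar over a separate trusted channel (or sign it); a digest that travels
# unprotected beside the file only detects accidental corruption.

# --- On the importing site: verify before touching the database ---
function Test-CMCollectionMof {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $MetadataPath,
        [string] $LocalSiteVersion
    )
    $meta   = Get-Content $MetadataPath -Raw | ConvertFrom-Json
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $meta.Sha256) {
        throw "Digest mismatch for ${Path}: expected $($meta.Sha256), got $actual"
    }
    if ($LocalSiteVersion -and $meta.SiteVersion -ne $LocalSiteVersion) {
        throw "Export came from site version $($meta.SiteVersion); this site is $LocalSiteVersion"
    }
    # Assumption: an exported collection MOF contains only these instance classes.
    $allowed = 'SMS_Collection', 'SMS_CollectionRuleDirect', 'SMS_CollectionRuleQuery',
               'SMS_CollectionRuleIncludeCollection', 'SMS_CollectionRuleExcludeCollection',
               'SMS_ST_RecurInterval', 'SMS_ST_RecurWeekly', 'SMS_ST_RecurMonthlyByDate',
               'SMS_ST_RecurMonthlyByWeekday', 'SMS_ST_NonRecurring'
    $classes = [regex]::Matches((Get-Content $Path -Raw), 'instance\s+of\s+(\w+)') |
               ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    $unexpected = @($classes | Where-Object { $_ -notin $allowed })
    if ($unexpected.Count -gt 0) {
        throw "MOF contains classes that aren't collection data: $($unexpected -join ', ')"
    }
    $classes   # return what was found so the operator can eyeball it
}

$localVersion = (Get-CMSite -SiteCode $SiteCode).Version
Test-CMCollectionMof -Path $mofPath -MetadataPath "$mofPath.json" -LocalSiteVersion $localVersion
Import-CMCollection -ImportFilePath $mofPath
```

The class check is deliberately an allow-list rather than a block-list: anything the export didn't produce, whatever it is, stops the import.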

Synchronize members to Azure AD groups


You can enable the synchronization of collection memberships to an Azure Active Directory (Azure AD) group.
This synchronization allows you to use your existing on-premises grouping rules in the cloud by creating Azure
AD group memberships based on collection membership results. You can synchronize device or user collections.
Only resources with an Azure AD record are reflected in the Azure AD group. Both hybrid Azure AD-joined and
Azure AD-joined devices are supported. The synchronization of collection memberships is a one-way process
from Configuration Manager to Azure AD. Ideally, Configuration Manager should be the authority for managing
the membership for the target Azure AD groups.
Synchronizations can either be full or incremental and they have slightly different behaviors:
Full synchronization: Occurs on the first synchronization after enabling it. You can force a full
synchronization by selecting the collection, and then choosing Synchronize Membership from the
ribbon. A full synchronization will overwrite members of the Azure AD group.
Incremental synchronization: Occurs every 5 minutes. Changes made in Azure AD aren't reflected in
Configuration Manager collections, but they aren't overwritten by Configuration Manager.
Example synchronization scenario:
1. From Azure AD, create a group called Group1 and add DeviceA , DeviceB , and DeviceC .
Ideally, objects wouldn't be added from Azure AD since Configuration Manager should manage the
group membership.
2. From Configuration Manager, create a collection called Collection1 then add DeviceB , and DeviceC .
3. Enable synchronization for Collection1 to Group1 .
4. The first synchronization is a full synchronization so, Group1 now contains DeviceB , and DeviceC . DeviceA
was removed from the group during the full synchronization.
5. Remove DeviceC from Collection1 and wait for an incremental synchronization.
6. Group1 now contains only DeviceB .
7. From Azure AD, add DeviceD to Group1 and wait for an incremental synchronization.
8. Group1 now contains DeviceB and DeviceD .
9. From Configuration Manager, select Collection1 , and choose Synchronize Membership from the ribbon
to force a full synchronization.
10. Group1 now contains only DeviceB .
Prerequisites for Azure AD synchronization
Integration with Azure AD for cloud management
Azure AD user discovery
An HTTPS or Enhanced HTTP-enabled management point
Access to the All Systems collection
Create a group and set the owner in Azure AD
1. Sign in to the Azure portal.
2. Navigate to Azure Active Directory > Groups > All groups .
3. Select New group , enter a Group name , and optionally enter a Group description .
4. Make sure that Membership type is Assigned .
5. Select Owners , then add the identity that will create the synchronization relationship in Configuration
Manager.
6. Select Create to finish creating the Azure AD group.
Enable collection synchronization for the Azure service
1. In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services ,
and select the Azure Services node.
2. Select the cloud management service for the Azure AD tenant where you created the group. Then in the
ribbon, select Properties .
3. Switch to the Collection Synchronization tab, and select the option to Enable Azure Directory
Group Sync .
4. Select OK to save the setting.
Enable the collection to synchronize
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select either
the Device Collections or User Collections node.
2. Select the collection to sync. Then in the ribbon, select Properties .
3. Switch to the Cloud Sync tab, and select Add .
4. If necessary, change the Tenant to where you created the Azure AD group.
5. Type in your search criteria in the Name starts with field, then select Search . If you leave the criteria
blank, the search returns all groups from the tenant. If it prompts you to sign in, use the identity you
specified as the owner for the Azure AD group.
6. Choose the target group, and then select OK to add the group. Select OK again to exit the collection's
properties.
Wait about five to seven minutes before you can verify the group memberships in the Azure portal. To start a
full synchronization, select the collection, and then in the ribbon select Synchronize Membership .
Verify the Azure AD group membership
1. Go to the Azure portal.
2. Navigate to Azure Active Directory > Groups > All groups .
3. Find the group you created and select Members .
4. Confirm that the members reflect the resources in the Configuration Manager collection. Only resources
with Azure AD identity show in the group.
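Checking the portal by hand works for one group; for many collections it helps to compare the two sides and classify the difference the way this section describes it. The function below is an added example for this page, not part of the product. It assumes the console module is loaded and the site drive is selected, that Get-CMCollectionMember exposes the device's Azure AD device ID as AADDeviceID, and that the Microsoft.Graph.Groups module is available with a session holding GroupMember.Read.All (Get-MgGroupMember returns device members whose AdditionalProperties carry deviceId). Treat those property names as assumptions to confirm in your tenant.

```powershell
# Added example (not Configuration Manager or Microsoft Graph sample code): compare a
# collection's membership to the Azure AD group it syncs to. Assumptions: AADDeviceID on
# collection members, AdditionalProperties['deviceId'] on Graph group members, and a
# Graph session already established (Connect-MgGraph -Scopes 'GroupMember.Read.All').
function Compare-CMCollectionToAadGroup {
    param(
        [Parameter(Mandatory)][string] $CollectionName,
        [Parameter(Mandatory)][string] $GroupObjectId
    )
    $members = @(Get-CMCollectionMember -CollectionName $CollectionName)

    # Only resources with an Azure AD record are ever reflected in the group.
    $noRecord = @($members | Where-Object { -not $_.AADDeviceID })
    $expected = @($members | Where-Object { $_.AADDeviceID } |
                  ForEach-Object { $_.AADDeviceID.ToString().ToLower() })

    $actual = @(Get-MgGroupMember -GroupId $GroupObjectId -All |
                ForEach-Object { $_.AdditionalProperties['deviceId'] } |
                Where-Object { $_ } | ForEach-Object { $_.ToLower() })

    [pscustomobject]@{
        Collection       = $CollectionName
        GroupObjectId    = $GroupObjectId
        # In the collection, not yet in the group: wait for the 5-minute incremental
        # sync, or force a full sync with Synchronize Membership.
        MissingFromGroup = @($expected | Where-Object { $_ -notin $actual })
        # In the group but not in the collection: added on the Azure AD side.
        # Incremental sync leaves these alone; a full sync overwrites them.
        AddedInAzureAd   = @($actual | Where-Object { $_ -notin $expected })
        # Collection members with no Azure AD record: these never sync.
        NoAzureAdRecord  = @($noRecord | ForEach-Object { $_.Name })
    }
}

$drift = Compare-CMCollectionToAadGroup -CollectionName 'Collection1' `
            -GroupObjectId '00000000-0000-0000-0000-000000000000'   # placeholder object ID
$drift | Format-List
```

Run it once more than seven minutes after a change; anything still listed under MissingFromGroup at that point is worth a Synchronize Membership and a look at the cloud management service's status.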

Next steps
Manage collections
How to manage collections in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use the overview information in this article to help you run management tasks for collections in Configuration
Manager.
For information about how to create Configuration Manager collections, see How to create collections.

Collection actions
In the Configuration Manager console, go to the Assets and Compliance workspace. Select Device
Collections or User Collections , select the collection to manage, and then select a management task.
Manage device collections
Show Members
Displays all of the resources that are members of the selected collection in a temporary node under the Devices
node.
Add Selected Items
Provides the following options:
Add Selected Items to Existing Device Collection : Opens the Select Collection window. Select the
collection to which you want to add the members of the selected collection. The selected collection is
included in this collection by using an Include Collections membership rule.
Add Selected Items to New Device Collection : Opens the Create Device Collection Wizard
where you can create a new collection. The selected collection is included in this collection by using an
Include Collections membership rule.
For more information, see How to create collections.
Install Client
Opens the Install Client Wizard . This wizard uses client push installation to install a Configuration Manager
client on all computers in the selected collection. For more information, see Client push installation.
Run Script
Opens the Run Script wizard to run a PowerShell script on all of the clients in the collection. For more
information, see Create and run PowerShell scripts.
Start CMPivot
Opens CMPivot for this collection. Use CMPivot to query device information and take action in real time. For
more information, see CMPivot for real-time data.
Manage Affinity requests
Opens the Manage User Device Affinity Requests dialog box. Approve or reject pending requests to
establish user device affinities for devices in the selected collection. For more information, see Link users and
devices with user device affinity.
Clear Required PXE deployments
Clears any required PXE boot deployments from all members of the selected collection. For more information,
see Use PXE to deploy Windows over the network.
Update membership
Evaluates the membership for the selected collection. For collections with many members, this update might
take some time to finish. Use the Refresh action to update the display with the new collections members after
the update is completed.
Synchronize membership
If you configured this collection for cloud sync, synchronize the current membership with an Azure Active
Directory group. For more information, see Create collections.
Add resources
Opens the Add Resources to Collection window. Search for new resources to add to the selected collection.
The icon for the selected collection displays an hourglass symbol while the update is in progress.
Client notification
For more information, see Client notifications.
Client diagnostics
Displays the following options:
Enable verbose logging
Disable verbose logging
Collect client logs
For more information, see Client diagnostics.
Endpoint Protection
For more information, see Client notifications: Endpoint protection.
Export
Opens the Export Collection Wizard that helps you export this collection to a Managed Object Format (MOF)
file. You can then archive this file, or import it to another Configuration Manager site. When you export a
collection, referenced collections aren't exported. A referenced collection is referenced by the selected collection
by using an Include or Exclude rule.
Copy
Creates a copy of the selected collection. The new collection uses the selected collection as a limiting collection.
Refresh
Refresh the view.
Delete
Deletes the selected collection. You can also delete all of the resources in the collection from the site database.
You can't delete the collections that are built into Configuration Manager. For a list of the built-in collections, see
Introduction to collections.
Simulate deployment
Opens the Simulate Application Deployment Wizard . This wizard lets you test the results of an application
deployment without installing or uninstalling the application. For more information, see How to simulate
application deployments.
Deploy
Displays the following options:
Application : Opens the Deploy Software Wizard . Select and configure an application deployment to
the selected collection. For more information, see How to deploy applications.
Program : Opens the Deploy Software Wizard . Select and configure a package and program
deployment to the selected collection. For more information, see Packages and programs.
Configuration Baseline : Opens the Deploy Configuration Baselines window. Configure the
deployment of one or more configuration baselines to the selected collection. For more information, see
How to deploy configuration baselines.
Task Sequence : Opens the Deploy Software Wizard . Select and configure a task sequence
deployment to the selected collection. For more information, see Deploy a task sequence.
Software Updates : Opens the Deploy Software Updates Wizard . Configure the deployment of
software updates to resources in the selected collection. For more information, see Deploy software
updates.
View relationships
For more information, see View collection relationships.
Move
Move the selected collection to another folder in the Device Collections node.
Properties
For more information, see Collection properties.
Manage user collections
The following actions are available on user collections. The behaviors are the same as with device collections,
other than they apply to user collections and the users within. For more information, see the corresponding
action under Manage device collections.
Show Members
Add Selected Items
Add Selected Items to Existing User Collection
Add Selected Items to New User Collection
Manage Affinity Requests
Update Membership
Synchronize Membership
Add Resources
Export
Copy
Refresh
Delete
Simulate Deployment
Deploy
Application
Program
Configuration Baseline
View Relationships
Move
Properties

Collection properties
When you view properties for a collection, you can view and configure the following options:
General : View and configure general information about the selected collection including the collection
name, the limiting collection, the collection ID, and last update times.
Membership Rules : Configure the membership rules that define the membership of this collection. For
more information, see How to create collections.
Power Management : Configure power management plans that you've assigned to computers in the
selected collection. For more information, see Introduction to power management.
Deployments : Displays any software that you've deployed to members of the selected collection.
Maintenance Windows : View and configure maintenance windows that are applied to members of the
selected collection. For more information, see How to use maintenance windows.
Collection Variables : Configure variables that apply to this collection and can be used by task
sequences. For more information, see How to set task sequence variables.
Distribution Point Groups : Associate one or more distribution point groups to members of the
selected collection. For more information, see Manage content and content infrastructure.
Cloud Sync : Synchronize collection membership results to Azure Active Directory groups. For more
information, see Create collections.
Starting in version 2006, you can also make this collection available to assign endpoint security policies
when you tenant-attach the site. For more information, see Tenant attach: Onboard Configuration
Manager clients to Microsoft Defender for Endpoint from the admin center.
Security : Displays the administrative users who have permissions for the selected collection from
associated roles and security scopes. For more information, see Fundamentals of role-based
administration.
Alerts : Configure when alerts are generated for client status and endpoint protection. For more
information, see How to configure client status and How to monitor endpoint protection.

View collection relationships


Starting in version 2010, you can view dependency relationships between collections in a graphical format. It
shows limiting, include, and exclude relationships.

If you want to change or delete collections, view the relationships to understand the effect of the proposed
change. Before you create a deployment, look at the potential target collection for any include or exclude
relationships that might affect the deployment.
When you select the View Relationships action on a device or user collection:
To view the relationships with parent collections, select Dependency .
To view the relationships with child collections, select Dependent .
For example, if you select the All Systems collection to view its relationships, the Dependency node will be 0
as it has no parent collections.
Use the following tips to navigate the relationship viewer:
Select the plus ( + ) or minus ( - ) icons next to the collection name to expand or collapse members of a
node.
The number in parentheses after the collection name is the number of relationships. If the number is 0 ,
then that collection is the final or leaf node in that relationship tree.
The style and color of the line between the collections determines the type of relationship:

If you hover over a specific line, a tooltip shows the relationship type.
The maximum number of child nodes displayed depends upon the level of the graph:
First level: five nodes
Second level: three nodes
Third level: two nodes
Fourth level: one node
If there are more objects than the graph can display at that level, you'll see the More icon.
When the width of the tree is larger than the window, use the green arrows to the right or the left to view
more.
When a node of the relationship tree is larger than the available space, select More to change the view to
just that node.
To navigate to a prior view, select the Back arrow in the upper right corner. Select the Home icon to
return to the main page.
Use the Search box in the upper right corner to locate a collection in the current tree view.
Use the Navigator in the lower right corner to zoom and pan around the tree. You can also print the
current view.
You can only see relationships between collections to which you have permission:
If you have permission for All Systems or All Users and User Groups , then you'll see all
relationships.
If you don't have permission for a specific collection, you don't see it in the graph, and can't view
its relationships.
Improvements in version 2103
Starting in version 2103, you can view both dependency and dependent relationships together in a single graph.
This change allows you to quickly see an overview of all the relationships of a collection at once and then drill
down into specific related collections. It also includes other filtering and navigation improvements.
The following example shows the relationships for the "c1" collection in the center. It's dependent upon the
collections above it (parents), and has dependencies below it (children).

To see the relationships of another collection in the graph, select it to open a new window targeted on that
collection.
Other improvements:
There's a new Filter button in the upper right corner. This action lets you reduce the graph to specific
relationship types: Limiting , Include , or Exclude .
If you don't have permissions to all related collections, the graph includes a warning message that the
graph may be incomplete.
When the graph is wider than the window can display, use the page navigation controls in the upper left
corner. The first number is the page for parents (above), and the second number is the page for children
(below). The window title also shows the page numbers.
The tooltip for a collection displays the count of dependencies it has and the count of dependent
collections where applicable. This count only includes unique subcollections. The count no longer displays
in the parentheses next to the collection name.
Previously the Back button took you through your viewing history. Now it takes you to the previously
selected collection. For example, changing pages for the current collection doesn't activate the Back
button. When you select a new collection, you can select Back to return to the original collection graph.

TIP
Hold the Ctrl key and scroll the mouse wheel to zoom the graph.

For more information on how to navigate the collection dependency graph with a keyboard, see Accessibility
features.
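The graph answers one question before a delete or a rule change: what depends on this collection? The same limiting, include and exclude relationships can be read from PowerShell. The function below is an added example for this page, not the console's relationship viewer. It assumes the console module is loaded and the site drive is selected, and it reads every collection's include and exclude rules, so it is slow in very large sites. Like the console, it only sees collections your role-based administration scope allows, so the result can be incomplete.

```powershell
# Added example (not Configuration Manager code): list the parents (Dependency) and
# children (Dependent) of a collection across limiting, include and exclude relationships.
# Assumes Get-CMCollection, Get-CMCollectionIncludeMembershipRule and
# Get-CMCollectionExcludeMembershipRule are available (console module loaded).
function Get-CMCollectionRelationship {
    param([Parameter(Mandatory)][string] $Name)

    $target = Get-CMCollection -Name $Name
    if (-not $target) { throw "Collection '$Name' not found or outside your security scope" }

    $all  = @(Get-CMCollection)        # one round trip; filtered by RBA like the console
    $byId = @{}
    foreach ($c in $all) { $byId[$c.CollectionID] = $c.Name }

    # Parents: what this collection depends on
    $parents = New-Object System.Collections.Generic.List[object]
    if ($target.LimitToCollectionID) {
        $parents.Add([pscustomobject]@{ Type = 'Limiting'; Collection = $byId[$target.LimitToCollectionID] })
    }
    foreach ($r in @(Get-CMCollectionIncludeMembershipRule -CollectionId $target.CollectionID)) {
        $parents.Add([pscustomobject]@{ Type = 'Include'; Collection = $byId[$r.IncludeCollectionID] })
    }
    foreach ($r in @(Get-CMCollectionExcludeMembershipRule -CollectionId $target.CollectionID)) {
        $parents.Add([pscustomobject]@{ Type = 'Exclude'; Collection = $byId[$r.ExcludeCollectionID] })
    }

    # Children: collections limited by, including, or excluding the target.
    # Walks every collection's rules, so expect this to take a while on big sites.
    $children = New-Object System.Collections.Generic.List[object]
    foreach ($c in $all) {
        if ($c.CollectionID -eq $target.CollectionID) { continue }
        if ($c.LimitToCollectionID -eq $target.CollectionID) {
            $children.Add([pscustomobject]@{ Type = 'Limiting'; Collection = $c.Name })
        }
        foreach ($r in @(Get-CMCollectionIncludeMembershipRule -CollectionId $c.CollectionID)) {
            if ($r.IncludeCollectionID -eq $target.CollectionID) {
                $children.Add([pscustomobject]@{ Type = 'Include'; Collection = $c.Name })
            }
        }
        foreach ($r in @(Get-CMCollectionExcludeMembershipRule -CollectionId $c.CollectionID)) {
            if ($r.ExcludeCollectionID -eq $target.CollectionID) {
                $children.Add([pscustomobject]@{ Type = 'Exclude'; Collection = $c.Name })
            }
        }
    }

    [pscustomobject]@{
        Collection = $target.Name
        Dependency = $parents      # parents: the target is built from these
        Dependent  = $children     # children: deleting the target breaks these
    }
}

# Typical use: refuse to delete a collection that something else still references
$rel = Get-CMCollectionRelationship -Name 'Pilot Devices'
if ($rel.Dependent.Count -gt 0) {
    Write-Warning "Don't delete 'Pilot Devices': $($rel.Dependent.Count) collection(s) depend on it"
    $rel.Dependent | Format-Table -AutoSize
}
```

For All Systems the Dependency list comes back empty, matching the 0 the console shows for a collection with no parents.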

Automate with Windows PowerShell


You can use the following PowerShell cmdlets to manage collections:
Generic cmdlets for all collection types
Basic cmdlets
Get-CMCollection
New-CMCollection
Remove-CMCollection
Set-CMCollection
Other actions
Copy-CMCollection
Export-CMCollection
Get-CMCollectionMember
Get-CMCollectionSetting
Import-CMCollection
Invoke-CMCollectionUpdate
Get membership rules
Get-CMCollectionDirectMembershipRule
Get-CMCollectionExcludeMembershipRule
Get-CMCollectionIncludeMembershipRule
Get-CMCollectionQueryMembershipRule
Remove membership rules
Remove-CMCollectionDirectMembershipRule
Remove-CMCollectionExcludeMembershipRule
Remove-CMCollectionIncludeMembershipRule
Remove-CMCollectionQueryMembershipRule
Device collection-specific cmdlets
Basic actions for device collections
Get-CMDeviceCollection
New-CMDeviceCollection
Device collection variables
Get-CMDeviceCollectionVariable
New-CMDeviceCollectionVariable
Remove-CMDeviceCollectionVariable
Set-CMDeviceCollectionVariable
Add device collection membership rules
Add-CMDeviceCollectionDirectMembershipRule
Add-CMDeviceCollectionExcludeMembershipRule
Add-CMDeviceCollectionIncludeMembershipRule
Add-CMDeviceCollectionQueryMembershipRule
Get device collection membership rules
Get-CMDeviceCollectionDirectMembershipRule
Get-CMDeviceCollectionExcludeMembershipRule
Get-CMDeviceCollectionIncludeMembershipRule
Get-CMDeviceCollectionQueryMembershipRule
Remove device collection membership rules
Remove-CMDeviceCollectionDirectMembershipRule
Remove-CMDeviceCollectionExcludeMembershipRule
Remove-CMDeviceCollectionIncludeMembershipRule
Remove-CMDeviceCollectionQueryMembershipRule
User collection-specific cmdlets
Get-CMUserCollection
New-CMUserCollection
Add user collection membership rules
Add-CMUserCollectionDirectMembershipRule
Add-CMUserCollectionExcludeMembershipRule
Add-CMUserCollectionIncludeMembershipRule
Add-CMUserCollectionQueryMembershipRule
Get user collection membership rules
Get-CMUserCollectionDirectMembershipRule
Get-CMUserCollectionExcludeMembershipRule
Get-CMUserCollectionIncludeMembershipRule
Get-CMUserCollectionQueryMembershipRule
Remove user collection membership rules
Remove-CMUserCollectionDirectMembershipRule
Remove-CMUserCollectionExcludeMembershipRule
Remove-CMUserCollectionIncludeMembershipRule
Remove-CMUserCollectionQueryMembershipRule

Next steps
Client notifications
How to use maintenance windows in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use maintenance windows to define when Configuration Manager can run impacting tasks on devices.
Maintenance windows help make sure that client configuration changes occur during times that don't affect
productivity. With Software Center, users can see the device's next maintenance window on the Installation
status tab.
The following tasks support maintenance windows:
Application and package deployments
Software update deployments
Compliance settings deployment and evaluation
OS and custom task sequence deployments
Configure maintenance windows with an effective date, a start and end time, and a recurrence pattern. A
single maintenance window can't exceed 24 hours; the console doesn't allow a longer one. For example, if you
want to allow maintenance all day Saturday and Sunday, create two 24-hour maintenance windows, one for
each day.
By default, computer restarts caused by a deployment aren't allowed outside of a maintenance window, but you
can override the default. Maintenance windows affect only the time when the deployment runs. Deployments
that you configure to download and run locally can download content outside of the window.
When a client is a member of a device collection that has a maintenance window, a deployment runs only if its
maximum allowed run time doesn't exceed the duration of the window. If the deployment fails to run, the client
generates an alert. It then reruns the deployment during the next scheduled maintenance window that has
available time.

TIP
A maintenance window is for a client. A service window is for a site server. For more information, see Service windows for
site servers.

Multiple maintenance windows


When a client computer is a member of multiple device collections that have maintenance windows, these rules
apply:
If the maintenance windows don't overlap, the client treats them as two independent maintenance
windows.
If the maintenance windows overlap, the client treats them as a single window for the entire time of both
windows. For example, you create two maintenance windows on a collection. The first is effective from
6:00 to 7:00, and the second is effective from 6:30 to 7:30. Because they overlap by 30 minutes, the
effective duration of the combined maintenance window is 90 minutes from 6:00 to 7:30.
When a user installs an application from Software Center, the client starts it immediately. It prioritizes the user's
intent over the administrator's.
If an application deployment with a purpose of Required reaches its installation deadline during the non-
business hours that a user configures in Software Center, the client installs the application. It prioritizes the
administrator's intent over the user's.
By default, with multiple maintenance windows, the client only installs software updates during Software
Update type windows. It ignores any All deployments maintenance windows, unless they're the only type. You
can configure this behavior with the following client setting in the Software updates group: Enable
installation of software updates in "All deployments" maintenance window when "Software
Update" maintenance window is available . For more information, see About client settings.

NOTE
This setting also applies to maintenance windows that you configure to apply to Task sequences .
If the client only has an All deployments window available, it still installs software updates or task sequences in that
window.

Configure maintenance windows


1. In the Configuration Manager console, go to the Assets and Compliance workspace.
2. Select the Device Collections node, and then select a collection.

NOTE
You can't create maintenance windows for the All Systems collection.

3. On the Home tab of the ribbon, in the Properties group, choose Properties .
4. Switch to the Maintenance Windows tab, and select the New icon.
a. Specify a Name to uniquely identify this maintenance window for the collection.
b. Configure the Time settings:
Effective date : The date when the maintenance windows starts. The default is the current
date.
Start and End : The start and end times of the maintenance window. It calculates the
Duration for the window. The minimum duration is five minutes, and the maximum is 24
hours. The default duration is three hours, from 01:00 to 04:00.
Coordinated Universal Time (UTC) : Enable this option for the client to interpret the start
and end times in the UTC time zone. For regionally or globally distributed devices in the
same collection, this option sets the maintenance window to occur simultaneously on all
devices in the collection. Disable this option for the client to use the device's local time zone.
This option is disabled by default.
c. Configure the recurrence pattern. The default is once per week on the current day of the week.
d. Apply this schedule to : By default the window applies to All deployments . You can select
either Software updates or Task sequences to further control what deployments run during
this window.
TIP
If you configure multiple maintenance windows of different types on the same collection, make sure you
understand the client behaviors. For more information, see Multiple maintenance windows.

5. Select OK to save and close the window.


The Maintenance Windows tab of the collection properties displays all configured windows.

Use PowerShell
You can use PowerShell to configure maintenance windows. For more information, see the following articles:
Get-CMMaintenanceWindow
New-CMMaintenanceWindow
Remove-CMMaintenanceWindow
Set-CMMaintenanceWindow
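Two things in this article are easy to get wrong in practice: the UTC and Apply this schedule to options when creating windows, and the client rule that overlapping windows merge while a deployment only runs if its maximum run time fits. The following is an added example for this page, not product code. The first part creates the two windows from the procedure above with the module's cmdlets; the second is a small helper that merges overlapping windows and reports whether a given maximum run time fits, reproducing the 06:00 to 07:30 example from the Multiple maintenance windows section. The collection name and times are placeholders, and New-CMSchedule's -End and -DayOfWeek parameters are used on the assumption that your module version exposes them as documented.

```powershell
# Added example (not Configuration Manager code). Part 1: create two maintenance
# windows with the console module. Part 2: merge overlapping windows and check whether
# a deployment's maximum allowed run time fits. Names and times are placeholders.
$collName = 'Workstations - Patch Ring 1'

# Weekly Saturday 01:00-04:00 in the device's local time, for all deployment types
$weekly = New-CMSchedule -Start (Get-Date '2022-03-05 01:00') -End (Get-Date '2022-03-05 04:00') `
            -DayOfWeek Saturday -RecurCount 1
New-CMMaintenanceWindow -CollectionName $collName -Name 'Sat 01-04 local' `
    -Schedule $weekly -ApplyTo Any

# Daily 02:00-06:00 interpreted in UTC, software updates only, so a global fleet patches together
$daily = New-CMSchedule -Start (Get-Date '2022-03-06 02:00') -End (Get-Date '2022-03-06 06:00') `
            -RecurInterval Days -RecurCount 1
New-CMMaintenanceWindow -CollectionName $collName -Name 'Daily 02-06 UTC (updates)' `
    -Schedule $daily -ApplyTo SoftwareUpdatesOnly -IsUtc

Get-CMMaintenanceWindow -CollectionName $collName | Select-Object Name, Description, Duration, ServiceWindowType

# --- Part 2: what the client effectively gets when windows overlap ---
function Merge-MaintenanceWindows {
    # $Windows: objects with Start and End [datetime] on the same day
    param([Parameter(Mandatory)][object[]] $Windows)
    $merged = New-Object System.Collections.Generic.List[object]
    foreach ($w in ($Windows | Sort-Object Start)) {
        if ($merged.Count -gt 0 -and $w.Start -le $merged[-1].End) {
            # Overlapping (or touching) windows become one window spanning both
            if ($w.End -gt $merged[-1].End) { $merged[-1].End = $w.End }
        } else {
            $merged.Add([pscustomobject]@{ Start = $w.Start; End = $w.End })
        }
    }
    $merged
}

function Test-DeploymentFitsWindow {
    param([Parameter(Mandatory)][object[]] $Windows, [Parameter(Mandatory)][int] $MaxRunTimeMinutes)
    foreach ($m in Merge-MaintenanceWindows -Windows $Windows) {
        $minutes = [int]($m.End - $m.Start).TotalMinutes
        [pscustomobject]@{
            Window      = '{0:HH:mm}-{1:HH:mm}' -f $m.Start, $m.End
            DurationMin = $minutes
            # The client only starts a deployment whose maximum run time fits the window
            Fits        = ($minutes -ge $MaxRunTimeMinutes)
        }
    }
}

# The article's example: 06:00-07:00 and 06:30-07:30 merge into one 90-minute window
$example = @(
    [pscustomobject]@{ Start = Get-Date '2022-03-05 06:00'; End = Get-Date '2022-03-05 07:00' },
    [pscustomobject]@{ Start = Get-Date '2022-03-05 06:30'; End = Get-Date '2022-03-05 07:30' }
)
Test-DeploymentFitsWindow -Windows $example -MaxRunTimeMinutes 120   # 90 minutes: Fits = False
Test-DeploymentFitsWindow -Windows $example -MaxRunTimeMinutes 60    # Fits = True
```

A deployment with a 120-minute maximum run time never starts in that merged 90-minute window; the client raises an alert and waits for a window with enough time, so size windows against the longest deployment you target at the collection, not the typical one.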
How to view collection evaluation
2/16/2022

Applies to: Configuration Manager (current branch)


Starting in Configuration Manager version 2010, the functionality of Collection Evaluation Viewer is integrated
into the Configuration Manager console. On each primary site , this functionality provides administrators a
central location to view and troubleshoot the collection evaluation process. The console displays the following
information:
Historic and live information for full and incremental collection evaluations
The evaluation queue status
The time for collection evaluations to complete
Which collections are currently being evaluated
The estimated time that a collection evaluation will start and complete

TIP
Viewing collection evaluation at the CAS changed in Configuration Manager version 2103. For more information, see the
Collection evaluation information at the CAS section.
When using the console connected to a CAS using Configuration Manager 2010, you'll see the following behavior:
Evaluation-related columns for device collections won't contain data.
The Collection Evaluation node under the Monitoring workspace isn't shown.
Evaluation-related information, such as evaluation status and links to the collection evaluation queues, won't be shown
in the collection Summary group pane.

Collection evaluation queues


The collection evaluation process evaluates the membership rules of a collection to update its members. A
primary site places a collection that it's evaluating into one of four different queues:
Full Evaluation Queue: For collections due for full evaluation
Incremental Evaluation Queue: For collections with incremental evaluation
Manual Evaluation Queue: For collections that an administrator has manually selected for evaluation from
the console
New Evaluation Queue: For newly created collections

Add columns for the Device Collections node


Adding columns to the Device Collections node allows you to view collection evaluation information for
multiple collections.
1. Connect the Configuration Manager console to a primary site.
2. Go to Assets and Compliance > Overview > Device Collections.
3. Add any or all of the following columns, prefixed by the type of evaluation:
Evaluation (Full)
Last Completion Time: When the last collection evaluation completed (default column)
Run Time: How long the last collection evaluation ran, in seconds
Next Refresh Time: When the next full evaluation starts
Member Changes: The member changes in the last collection evaluation. Positive numbers
mean members were added, negative numbers mean members were removed.
Last Member Change Time: The most recent time that there was a membership change in
the collection evaluation
Evaluation (Incremental)
Last Evaluation Completion Time: When the last collection evaluation completed
Run Time: How long the last collection evaluation ran, in seconds
Member Changes: The member changes in the last collection evaluation, either plus
(members added) or minus (members removed).
Last Member Change Time: The most recent time that there was a membership change in
the collection evaluation

View evaluation information from the collection summary


View the collection summary information to get information specific to the evaluation of a single collection.
1. Connect the Configuration Manager console to a primary site.
2. Go to Assets and Compliance > Overview > Device Collections.
3. Select a collection from the Device Collections node.
4. In the Summary group pane for the collection, review the evaluation-related information for the selected
collection.
5. The Related Objects give links to view the status of the collection in the specific queue. These links take you to
the queues in the Monitoring workspace under the Collection Evaluation node.
This action creates a new node where you can see the evaluation status for the specific
collection.

Monitoring collection evaluation queues


Monitoring the collection evaluation queues can give you deeper insight into the collection evaluation process.
1. Connect the Configuration Manager console to a primary site.
2. From the Monitoring workspace, go to the Collection Evaluation node. Starting in Configuration
Manager 2103, go to Monitoring > Collection Evaluation > Collection Evaluation Queue. The
following queues are summarized and have their own nodes:
Full Evaluation Queue: For collections due for full evaluation
Incremental Evaluation Queue: For collections with incremental evaluation
Manual Evaluation Queue: For collections that an administrator has manually selected for
evaluation from the console
New Evaluation Queue: For newly created collections
3. The total number of collections in queue and queue length is listed as a summary. Additionally, the following
status summaries for the evaluation queues are listed:
Number of collections in queue
Queue length
Current evaluation collection
Current evaluation started on
Current evaluation elapsed (seconds)
4. Starting in Configuration Manager 2103, you can:
Configure a primary site's refresh interval for the Collection Evaluation statistics page to be
between 1 minute and 1440 minutes (1 day). Typically, collection evaluation occurs over the course of
seconds or minutes. However, you can change the statistics refresh to accommodate your
environment. The default Refresh Interval (minutes) is 5.
Copy collection evaluation statistics as structured text to the clipboard. Use the Copy button in the
ribbon to copy the statistics. When the text is pasted into a text editor, it's structured to make it easy to
read.
5. Selecting the node for a queue brings up detailed status for the queue including:
Name: Name of the collection
Collection ID: ID of the collection
Estimated Completion Time: When the evaluation is estimated to complete
Estimated Run Time: How long the evaluation is estimated to run, in day:hour:minute:second format

Full and incremental evaluation status nodes


(Introduced in 2103)
The Full Evaluation Status and Incremental Evaluation Status subnodes have been added to the
Collection Evaluation node in the Monitoring workspace.
On a primary site, Full Evaluation Status and Incremental Evaluation Status show the data for the
local evaluations.
On a CAS, Full Evaluation Status and Incremental Evaluation Status show the data from the
primary site with the longest run time.
Using the longest run time for these nodes is the same logic that's used for the collection evaluation
columns at the CAS.
Collection evaluation information at the CAS
(Introduced in 2103)
Since collection evaluation happens at the primary site level, the collection evaluation view on the CAS is a
summary of what's occurring on the primary sites. Starting in Configuration Manager version 2103, there are
two new tabs in the details pane of the collection view in the console. These tabs show collection
evaluation information from all primary sites in the hierarchy:
Evaluation (Full) In Hierarchy
Evaluation (Incremental) In Hierarchy

From the Device Collections node at the CAS, the evaluation columns display the evaluation status from the
primary site with the longest run time. The full evaluation columns at the CAS can come from a different
primary site than the incremental columns, because the longest full run and the longest incremental run
might have occurred at different primary sites.
For instance, if incremental evaluation for the All Systems collection on primary site WMI takes longer than on
the other primary sites, the incremental evaluation columns on the CAS display the information from primary
site WMI for the All Systems collection in the Device Collections node.

Drill through from collection evaluation queue or status view to a collection
(Introduced in 2103)
You can navigate to a collection in the Assets and Compliance workspace from a collection evaluation status
view or evaluation queue in the Monitoring workspace. Select a collection from one of the status views or
queues, then choose View collection from the ribbon or right-click menu to open the collection.
Navigation to the collection from a queue isn't possible once the collection evaluation has completed. You can
only drill through from an item in a queue that's still currently running its evaluation. If the evaluation has already
completed, the View collection action takes you to the main collection view. Drilling through from the evaluation
status views, Full Evaluation Status and Incremental Evaluation Status, always takes you to the
collection.

Next steps
Learn more about Collection evaluation in Configuration Manager.
Security and privacy for collections in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article contains security recommendations and privacy information for collections in Configuration
Manager.

Security recommendations
When you export or import a collection by using a managed object format (MOF) file that's saved to a network
location, secure the location and the network channel. Restrict who can access the network folder. Use Server
Message Block (SMB) signing or Internet Protocol security (IPsec) between the network location and the site
server. These mechanisms help prevent an attacker from tampering with the exported collection data. Use IPsec
to encrypt the data on the network to prevent information disclosure.
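The checks below are an added example and are not part of the Configuration Manager documentation. They put the recommendation above into practice for a MOF round trip: confirm that the SMB client requires signing, flag broad ACEs on the export folder, record a SHA-256 of the exported file, and refuse to import a copy whose hash no longer matches. Export-CMCollection, Import-CMCollection, Get-FileHash, Get-Acl and Get-SmbClientConfiguration are standard cmdlets; the site code PS1, the collection name and the share path are placeholders, and Windows PowerShell 5.1 on a console computer is assumed.

```powershell
# Added example (not from the Configuration Manager docs): export a collection to a MOF
# on a share, record its SHA-256, and refuse to import a copy whose hash has changed.
# Assumptions (placeholders): site code PS1, collection "Workstations - Finance",
# share \\fileserver\cmexport. Run from a console computer with the CM module installed.
$SiteCode   = 'PS1'
$Collection = 'Workstations - Finance'
$ExportDir  = '\\fileserver\cmexport'

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')

# Check 1: SMB signing. Without it an on-path attacker can rewrite the MOF in transit;
# the alternative named by the docs is IPsec between the site server and the share.
if (-not (Get-SmbClientConfiguration).RequireSecuritySignature) {
    Write-Warning 'SMB client signing is not required on this computer; enable it or use IPsec.'
}

# Check 2: restrict who can reach the folder. Flag ACEs granted to broad groups.
$broad = (Get-Acl -Path $ExportDir).Access |
    Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users' }
if ($broad) {
    Write-Warning "Broad ACEs on $ExportDir`: $(($broad.IdentityReference | Select-Object -Unique) -join ', ')"
}

# Export, then hash the file. Keep the hash where the share's writers cannot change it
# (a ticket, the site server, a signed mail); it sits next to the file here only for brevity.
$mofPath = Join-Path $ExportDir (($Collection -replace '[^\w\-]', '_') + '.mof')
Push-Location "$($SiteCode):"
try     { Export-CMCollection -Name $Collection -ExportFilePath $mofPath }
finally { Pop-Location }
$hash = (Get-FileHash -Path $mofPath -Algorithm SHA256).Hash
Set-Content -Path "$mofPath.sha256" -Value $hash
Write-Host "Exported '$Collection' to $mofPath (SHA-256 $hash)"

# At the importing site: verify before import. Any mismatch means the MOF changed after
# export (tampering, or an out-of-band edit); do not import it.
function Import-VerifiedCollectionMof {
    param([string]$Path, [string]$ExpectedSha256)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
        throw "Hash mismatch for $Path`: expected $ExpectedSha256, got $actual. Import aborted."
    }
    Push-Location "$($SiteCode):"
    try     { Import-CMCollection -ImportFilePath $Path }
    finally { Pop-Location }
}

Import-VerifiedCollectionMof -Path $mofPath -ExpectedSha256 (Get-Content -Path "$mofPath.sha256")
```

The hash check detects modification after export; it does not replace signing or IPsec, which protect the transfer itself. Review the MOF's membership rules before importing it as well, since an attacker who can alter the file can change which devices a deployment targets.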

Security issues
Collections have the following security issues:
If you use collection variables, local administrators can read potentially sensitive information. Collection
variables are only used when you deploy an OS. For more information, see Collection and device variables.

Privacy information
There's no privacy information specifically for collections in Configuration Manager. Collections are containers
for resources, such as users and devices. Collection membership often depends on the information that
Configuration Manager collects during standard operation.
Configuration Manager can collect resource information from discovery or inventory. Using this information,
you can configure a collection to contain the devices that meet your specified criteria. Collections might also be
based on the current status information for client management operations. For example, deploying software or
checking for compliance. Along with query-based collections, you can also directly add resources to collections.

Next steps
For more information about collections, see Introduction to collections.
For more information about other security features in Configuration Manager, see the Security documentation
hub.
Introduction to hardware inventory
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use hardware inventory in Configuration Manager to collect information about the hardware configuration of
client devices in your organization. To collect hardware inventory, you must select the Enable hardware
inventory on clients setting in client settings.
After hardware inventory is enabled and the client runs a hardware inventory cycle, the client sends the
information to a management point in the client's site. The management point then forwards the inventory
information to the Configuration Manager site server, which stores the inventory information in the site
database. Hardware inventory runs on clients according to the schedule that you specify in client settings.

View hardware inventory


You can use several methods to view the hardware inventory data that Configuration Manager collects:
Create queries that return devices that are based on a specific hardware configuration.
Create query-based collections that are based on a specific hardware configuration. Query-based
collection memberships automatically update on a schedule. You can use collections for several tasks,
including software deployment.
Run reports that display specific details about hardware configurations in your organization.
Use Resource Explorer to view detailed information about the hardware inventory that's collected from
client devices.
When hardware inventory runs on a client device, the first inventory data that the client returns is always a full
inventory. The next set of inventory data contains only delta inventory information. The site server processes
delta inventory information in the order received. If delta information for a client is missing, the site server
rejects more delta information and directs the client to run a full inventory cycle.
Configuration Manager provides limited support for dual-boot computers. Configuration Manager can discover
dual-boot computers but returns inventory information only from the OS that's active when the inventory cycle
runs.

Extend inventory
To collect more information than what Configuration Manager inventories by default, you can also use one of
these methods to extend hardware inventory:
Enable, disable, add, and remove inventory classes for hardware inventory from the Configuration
Manager console.
Use NOIDMIF files to collect information about client devices that can't be inventoried by Configuration
Manager. For example, you might want to collect device asset number information that exists only as a
label on the device. NOIDMIF inventory is automatically associated with the client device that it was
collected from.
Use IDMIF files to collect information about assets that aren't associated with a Configuration Manager
client, for example, projectors, photocopiers, and network printers.
Starting in version 2107, you can use the administration service to set custom properties on devices. You
can then use the custom properties in Configuration Manager for reporting or to create collections. For
more information, see Custom properties for devices.

Next steps
How to configure hardware inventory
How to extend hardware inventory in Configuration
Manager
2/16/2022 • 10 minutes to read

Applies to: Configuration Manager (current branch)


Hardware inventory reads information from Windows PCs by using Windows Management Instrumentation
(WMI). WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry
standard for accessing management information in an enterprise. In previous versions of Configuration
Manager, you extended hardware inventory by modifying the file sms_def.mof on the site server. This file
contained a list of WMI classes that could be read by hardware inventory. By editing this file, you could enable
and disable existing classes, and also create new classes to inventory.
The Configuration.mof file is used to define the data classes to be inventoried by hardware inventory on the
client and is unchanged from Configuration Manager 2012. You can create data classes to inventory existing or
custom WMI repository data classes or registry keys present on client systems.
The Configuration.mof file also defines and registers the WMI providers that access device information during
hardware inventory. Registering providers defines the type of provider to be used and the classes that the
provider supports.
When Configuration Manager clients request policy, the Configuration.mof is attached to the policy body. This
file is then downloaded and compiled by clients. When you add, modify, or delete data classes from the
Configuration.mof file, clients automatically compile these changes that are made to inventory-related data
classes. No further action is necessary to inventory new or modified data classes on Configuration Manager
clients. This file is located in the Inboxes\clifiles.src\hinv\ folder of the Configuration Manager installation
directory on the primary site server or central administration site (CAS) server.
In Configuration Manager current branch, you don't edit the sms_def.mof file as with earlier versions. Instead,
make these changes with client settings. Configuration Manager provides the following methods to extend
hardware inventory.

NOTE
If you changed the state of classes in client settings, when you update the site, some classes may revert to a default state.
For example, if you disable the SMS_Windows8Application or SMS_Windows8ApplicationUserInfo classes, they're
enabled after installing a Configuration Manager update. When you customize hardware inventory classes, make sure to
review their configuration before and after a site update.
If you've manually changed the Configuration.mof file to add custom inventory classes, these changes will be overwritten
when you update the site. To keep using custom classes after you update, add them to the Added extensions section of
the Configuration.mof file. Don't modify anything above this section. The other sections are reserved for modification by
Configuration Manager. The site backs up your custom Configuration.mof in the data\hinvarchive\ folder of the
Configuration Manager installation directory on the site server.

Starting in version 2107, you can use the administration service to set custom properties on devices. You can
then use the custom properties in Configuration Manager for reporting or to create collections. For more
information, see Custom properties for devices.

Methods
Enable or disable
Enable or disable some or all attributes of a class that already exists on the client. This action tells the
hardware inventory agent whether to collect them on clients. You can do this action in default client settings or in
custom device client settings. For more information, see Enable or disable existing classes.
Add
If a WMI class exists on the client and is known to the site, this action adds it to the set of available hardware
inventory classes. You can add a new inventory class from the WMI namespace of another device. This action is
only available in default client settings. For more information, see Add a new class.
Extend
Add a new WMI class to the client. To manually extend hardware inventory, edit the configuration.mof on the
top-level site.
If the WMI class doesn't already exist on the client, you need to extend the WMI schema:
1. Edit the configuration.mof on the top-level site. Review dataldr.log to see the site add it.
2. Refresh policy on a client, and wait for the new class to compile.
3. Use default client settings to Add the new class to hardware inventory. You don't have to enable this class
in default client settings. You can then enable it in a custom device client setting.
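The script below is an added example and is not part of the Configuration Manager documentation. It walks through step 1 of the Extend procedure for a registry-backed class: it defines the class in MOF, syntax-checks it with mofcomp.exe -check before it touches anything, keeps a dated copy of Configuration.mof, and inserts the class into the Added extensions section rather than above it. The class name Custom_AssetTag, the registry key HKLM\SOFTWARE\Contoso\Asset with its value Tag, the site install path, and the "Added extensions end" comment used as the section's closing marker are all assumptions; check the markers in your own copy of the file. Because every client downloads and compiles Configuration.mof with its policy, a mistake here breaks hardware inventory for the whole hierarchy, which is why the check runs first. Assumes Windows PowerShell 5.1 run as an administrator on the top-level site server.

```powershell
# Added example (not from the Configuration Manager docs): define a registry-backed
# inventory class, syntax-check it with mofcomp, then place it in the "Added extensions"
# section of Configuration.mof on the top-level site.
# Assumptions (placeholders): class Custom_AssetTag, registry key
# HKLM\SOFTWARE\Contoso\Asset with value "Tag", the site install path, and the
# "Added extensions end" comment used here as the section's closing marker.
$SiteInstall = 'C:\Program Files\Microsoft Configuration Manager'
$ConfigMof   = Join-Path $SiteInstall 'inboxes\clifiles.src\hinv\configuration.mof'
$EndMarker   = 'Added extensions end'

# Registry property provider (RegPropProv) class: KeyName is the [key]; AssetTag is read
# from the registry value "Tag" on each client when hardware inventory runs.
$extension = @'
// Custom_AssetTag: inventories HKLM\SOFTWARE\Contoso\Asset\Tag
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Custom_AssetTag", NOFAIL)
[DYNPROPS]
class Custom_AssetTag
{
    [key] string KeyName;
    string AssetTag;
};

[DYNPROPS]
instance of Custom_AssetTag
{
    KeyName = "Asset";
    [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Asset|Tag"),
     Dynamic, Provider("RegPropProv")] AssetTag;
};
'@

# Check 1: every client compiles Configuration.mof with its policy, so a syntax error here
# breaks hardware inventory fleet-wide. "mofcomp -check" parses the file without writing
# anything to the WMI repository.
$tmp = Join-Path $env:TEMP 'Custom_AssetTag.mof'
Set-Content -Path $tmp -Value $extension -Encoding Ascii
& "$env:SystemRoot\System32\wbem\mofcomp.exe" -check $tmp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mofcomp -check failed for $tmp; Configuration.mof left untouched." }

# Check 2: only the Added extensions section survives a site update, so insert there and
# never above it. Skip if the class is already present.
$lines = Get-Content -Path $ConfigMof
if ($lines -match 'class Custom_AssetTag') { Write-Host 'Custom_AssetTag already present.'; return }
$endIndex = -1
for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match $EndMarker) { $endIndex = $i; break } }
if ($endIndex -lt 0) { throw "Marker '$EndMarker' not found in $ConfigMof; check the section markers." }

# Keep a dated copy (the site also archives Configuration.mof under data\hinvarchive).
Copy-Item -Path $ConfigMof -Destination "$ConfigMof.$(Get-Date -Format yyyyMMddHHmmss).bak"
$new = $lines[0..($endIndex - 1)] + ($extension -split "`r?`n") + $lines[$endIndex..($lines.Count - 1)]
Set-Content -Path $ConfigMof -Value $new -Encoding Ascii

Write-Host "Inserted Custom_AssetTag into $ConfigMof. Watch dataldr.log, then add the class under"
Write-Host "Default Client Settings > Hardware Inventory > Set Classes > Add."
```

After the site picks up the change (dataldr.log) and a client has refreshed policy and compiled the class, steps 2 and 3 of the procedure above still apply: connect to that client from Set Classes > Add to register the class, then enable it in a custom device client setting for the collection that needs it.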
Import and export
Use the Configuration Manager console to import and export Managed Object Format (MOF) files that contain
inventory classes. For more information, see How to import classes and How to export classes.
About NOIDMIF files
Use NOIDMIF files to collect information about client devices that Configuration Manager can't inventory. For
example, collect device asset number information that exists only as a label on the device. NOIDMIF inventory is
automatically associated with the client device that it was collected from. For more information, see Create
NOIDMIF files.
About IDMIF files
Use IDMIF files to collect information about assets in your organization that aren't associated with a
Configuration Manager client. For example, projectors, photocopiers, and network printers. For more
information, see Create IDMIF files.

Procedures
These procedures help you to configure the default client settings for hardware inventory and they apply to all
the clients in your hierarchy. If you want these settings to apply to only some clients, create a custom client
device setting and assign it to a collection of specific clients. For more information, see How to configure client
settings.
Enable or disable existing classes
1. In the Configuration Manager console, go to the Administration workspace, and select the Client
Settings node.
2. Select the Default Client Settings. On the Home tab, in the Properties group, choose Properties.
3. In the Default Client Settings dialog box, choose Hardware Inventory.
4. In the Device Settings list, select Set Classes.
5. In the Hardware Inventory Classes dialog box, select or clear the classes and class properties to be
collected by hardware inventory. You can expand classes to select or clear individual properties within
that class. Use the Search for inventory classes field to search for individual classes.

IMPORTANT
When you add new classes to Configuration Manager hardware inventory, the size of the inventory file that is collected
and sent to the site server will increase. This might negatively affect the performance of your network and Configuration
Manager site. Enable only the inventory classes that you want to collect.

Add a new class


You can only add inventory classes from the hierarchy's top-level server by modifying the default client settings.
This option isn't available when you create custom device settings.
1. In the Configuration Manager console, go to the Administration workspace, and select the Client
Settings node.
2. Select the Default Client Settings. On the Home tab, in the Properties group, choose Properties.
3. In the Default Client Settings dialog box, choose Hardware Inventory.
4. In the Device Settings list, choose Set Classes.
5. In the Hardware Inventory Classes dialog box, choose Add.
6. In the Add Hardware Inventory Class dialog box, select Connect.
7. In the Connect to Windows Management Instrumentation (WMI) dialog box, specify the name of
the computer from which you'll get the WMI classes and the WMI namespace to use to get the classes. If
you want to get all classes below the specified WMI namespace, select Recursive . If the computer you're
connecting to isn't the local computer, supply credentials for an account that has permission to access
WMI on the remote computer.
8. Choose Connect .
9. In the Add Hardware Inventory Class dialog box, in the Inventory classes list, select the WMI
classes that you want to add to Configuration Manager hardware inventory.
10. If you want to edit information about the selected WMI class, choose Edit, and in the Class qualifiers
dialog box, provide the following information:
Display name: This name will be displayed in Resource Explorer.
Properties: Specify the units in which each property of the WMI class will be displayed.
You can also set properties as a key property to help uniquely identify each instance of the class. If
no key is defined for the class, and multiple instances of the class are reported from the client, only
the latest instance that's found is stored in the database.
When you've finished configuring the properties, select OK to close the Class qualifiers dialog
box and the other open dialogs.
How to import classes
You can only import inventory classes when you modify the default client settings. However, you can use custom
client settings to import information that doesn't include a schema change, such as changing the property of an
existing class from True to False .
1. In the Configuration Manager console, go to the Administration workspace, and select the Client
Settings node.
2. Select the Default Client Settings. On the Home tab, in the Properties group, choose Properties.
3. In the Default Client Settings dialog box, choose Hardware Inventory.
4. In the Device Settings list, choose Set Classes.
5. In the Hardware Inventory Classes dialog box, choose Import.
6. In the Import dialog box, select the Managed Object Format (MOF) file that you want to import, and then
choose OK. Review the items that will be imported, and then select Import.
How to export classes
1. In the Configuration Manager console, go to the Administration workspace, and select the Client
Settings node.
2. Select the Default Client Settings. On the Home tab, in the Properties group, choose Properties.
3. In the Default Client Settings dialog box, choose Hardware Inventory.
4. In the Device Settings list, choose Set Classes.
5. In the Hardware Inventory Classes dialog box, choose Export.

NOTE
When you export classes, all currently selected classes will be exported.

6. In the Export dialog box, specify the Managed Object Format (MOF) file that you want to export the
classes to, and then choose Save.
Collect strings larger than 255 characters
You can specify the length of strings to be greater than 255 characters for hardware inventory properties. This
action applies only to newly added classes and for hardware inventory properties that aren't keys.
1. In the Administration workspace, select Client Settings. Choose a client device setting to edit, then
select Properties.
2. Select Hardware Inventory, then Set Classes, and Add.
3. Select Connect.
4. Fill in Computer Name and WMI namespace, and select Recursive if needed. Provide credentials if necessary
to connect. Select Connect to view the namespace classes.
5. Select a new class, then select Edit.
6. Change the Length of a string property other than the key to be greater than 255. Select OK.
7. Make sure that the edited property is selected for Add Hardware Inventory Class, and select OK.

Use MIF files


Use Management Information Format (MIF) files to extend hardware inventory information collected from
clients by Configuration Manager. During hardware inventory, the information stored in MIF files is added to the
client inventory report and stored in the site database, where you can use the data in the same ways that you
use default client inventory data. There are two types of MIF files: NOIDMIF and IDMIF.
IMPORTANT
Before you can add information from MIF files to the Configuration Manager database, create or import the class. For
more information, see Add a new class or How to import classes in this article.

Create NOIDMIF files


NOIDMIF files can be used to add information to a client hardware inventory that can't normally be collected by
Configuration Manager and is associated with a particular client device. For example, many companies label
each computer in the organization with an asset number and then catalog these numbers manually. When you
create a NOIDMIF file, this information can be added to the Configuration Manager database and be used for
queries and reporting.
For more information about creating NOIDMIF files, see About inventory in the Configuration Manager SDK
documentation.

IMPORTANT
When you create a NOIDMIF file, save it in an ANSI-encoded format. If you save NOIDMIF files in UTF-8 encoded format,
Configuration Manager can't read them.

After you create a NOIDMIF file, store it in the %Windir%\CCM\Inventory\noidmifs folder on each client.
Configuration Manager collects information from NOIDMIF files in this folder during the next scheduled
hardware inventory cycle.
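The script below is an added example and is not part of the Configuration Manager documentation or the SDK. It writes a NOIDMIF for the asset-tag case described above, in ANSI encoding rather than UTF-8, drops it in the noidmifs folder, and then verifies that the file carries no byte-order mark and that standard users can't write to the folder. The group class Contoso|AssetInfo|1.0, the attribute names, and the asset tag value are placeholders, and the class must already be added in client settings as the Important note above says. Assumes Windows PowerShell 5.1 run as an administrator on the client; in PowerShell 7, [System.Text.Encoding]::Default is UTF-8, so use GetEncoding with the system ANSI code page there instead.

```powershell
# Added example (not from the Configuration Manager docs or SDK): write an ANSI-encoded
# NOIDMIF reporting an asset tag for the local client, then verify encoding and folder ACL.
# Assumptions (placeholders): class "Contoso|AssetInfo|1.0", attribute "Asset Tag",
# and the tag value. Windows PowerShell 5.1, run as administrator.
$AssetTag   = 'CONTOSO-00123'        # e.g. read from a registry value or a CMDB lookup
$noidmifDir = Join-Path $env:SystemRoot 'CCM\Inventory\noidmifs'
$mifPath    = Join-Path $noidmifDir 'AssetInfo.mif'

# Keep the value to a safe character set so it can't break out of the quoted MIF value.
$safeTag = $AssetTag -replace '[^A-Za-z0-9\-_.]', ''

# MIF text: one component, one group (the inventory class), one string attribute.
$mif = @"
Start Component
    Name = "System Information"
    Start Group
        Name = "Asset Info"
        ID = 1
        Class = "Contoso|AssetInfo|1.0"
        Start Attribute
            Name = "Asset Tag"
            ID = 1
            Type = String(64)
            Value = "$safeTag"
        End Attribute
    End Group
End Component
"@

if (-not (Test-Path -Path $noidmifDir)) { New-Item -ItemType Directory -Path $noidmifDir | Out-Null }

# Encoding.Default is the system ANSI code page in Windows PowerShell and writes no BOM.
# Set-Content -Encoding UTF8 would add a BOM and the site would not read the file.
[System.IO.File]::WriteAllText($mifPath, $mif, [System.Text.Encoding]::Default)

# Check 1: the first bytes must not be a UTF-8 (EF BB BF) or UTF-16 (FF FE / FE FF) BOM.
$head = [System.IO.File]::ReadAllBytes($mifPath)[0..2]
if (($head[0] -eq 0xEF -and $head[1] -eq 0xBB) -or
    ($head[0] -eq 0xFF -and $head[1] -eq 0xFE) -or
    ($head[0] -eq 0xFE -and $head[1] -eq 0xFF)) {
    throw "$mifPath starts with a BOM; Configuration Manager will not read it."
}

# Check 2: whatever is in this folder becomes inventory data at the site, so only
# administrators should be able to write here. Flag write access for non-admin groups.
$writers = (Get-Acl -Path $noidmifDir).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                   $_.IdentityReference -match 'Users|Everyone|Authenticated' }
if ($writers) {
    Write-Warning "Non-admin write access on $noidmifDir`: $(($writers.IdentityReference | Select-Object -Unique) -join ', ')"
}

Write-Host "Wrote $mifPath; it is collected on the next hardware inventory cycle."
```

The same layout works for an IDMIF, with the differences the SDK describes for files that aren't tied to a client; the ANSI requirement and the folder-permission caveat apply to both file types.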
Create IDMIF files
Use IDMIF files to add information to the Configuration Manager database about assets that Configuration
Manager can't normally inventory and that aren't associated with a particular client device. For
example, you could use IDMIF files to collect information about projectors, DVD players, photocopiers, or other
equipment that doesn't have a Configuration Manager client.
For more information about creating IDMIF files, see About inventory in the Configuration Manager SDK
documentation.
After you create an IDMIF file, store it in the %Windir%\CCM\Inventory\idmifs folder on client computers.
Configuration Manager collects information from this file during the next scheduled hardware inventory cycle.
Declare new classes for information contained in the file by adding or importing them.

NOTE
MIF files could contain large amounts of data and collecting this data could negatively affect the performance of your site.
Enable MIF collection only when required. Configure the option Maximum custom MIF file size (KB) in the hardware
inventory settings. For more information, see Introduction to hardware inventory.
How to configure hardware inventory in
Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This procedure configures the default client settings for hardware inventory and will apply to all the clients in
your hierarchy. If you want these settings to apply to only some clients, create a custom device client setting and
assign it to a collection that contains the devices that you want to use hardware inventory. See How to configure
client settings.

NOTE
If a client device receives hardware inventory settings from multiple sets of client settings, the hardware inventory
classes from each set of settings are merged when the client reports hardware inventory. As a result, clearing a
class in a custom client setting with a higher priority doesn't stop the client from inventorying that class.

To disable a specific hardware inventory class on a majority of systems except a few, the class needs to be
unchecked in the default client settings. Then create a custom client setting to enable the class, and deploy it to
the target systems.
To configure hardware inventory
1. In the Configuration Manager console, choose Administration > Client Settings > Default Client
Settings.
2. On the Home tab, in the Properties group, choose Properties.
3. In the Default Settings dialog box, choose Hardware Inventory.
4. In the Device Settings list, configure the following:
Enable hardware inventory on clients - Select Yes.
Hardware inventory schedule - Click Schedule to specify the interval at which clients collect
hardware inventory.
5. Configure other hardware inventory client settings that you require.
Client devices will be configured with these settings when they next download client policy. To initiate policy
retrieval for a single client, see How to manage clients.
How to use Resource Explorer to view hardware
inventory in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use Resource Explorer in Configuration Manager to view information about hardware inventory. The site
collects this information from clients in your hierarchy.

TIP
Resource Explorer doesn't display any data until a hardware inventory cycle runs on the client to which you're connecting.

Overview
Resource Explorer has the following sections related to hardware inventory:
Hardware : Shows the most recent hardware inventory collected from the specified client device.
The Workstation Status node shows the time and date of the last hardware inventory from the
device.
Hardware History: A history of inventoried items that changed since the last hardware inventory cycle.
Expand an item to see a Current node and one or more nodes with the historical date. Compare the
information in the current node to one of the historical nodes to see the items that changed.

NOTE
By default, Configuration Manager deletes hardware inventory data that's been inactive for 90 days. Adjust this number
of days in the Delete Aged Inventory History site maintenance task. For more information, see Maintenance tasks.

How to open Resource Explorer


1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Devices node. You can also select any collection in the Device Collections node.
2. Select a device. In the ribbon, on the Home tab and Devices group, click Start, and then select
Resource Explorer.

TIP
In Resource Explorer, right-click an item in the right results pane for additional actions. Click Properties to view that item
in a different format.

Use of large integer values


In Configuration Manager versions 1802 and prior, hardware inventory has a limit for integers larger than
4,294,967,296 (2^32). This limit can be reached for attributes such as hard drive sizes in bytes. The
management point doesn't process integer values above this limit, so no value is stored in the database.
Starting in version 1806, the limit is increased to 18,446,744,073,709,551,616 (2^64).
For a property with a value that doesn't change, like total disk size, you may not immediately see the value after
upgrading the site. Most hardware inventory is a delta report. The client only sends values that change. To work
around this behavior, add another property to the same class. This action causes the client to update all
properties in the class that changed.

See also
Resource Explorer also shows Software Inventory. For more information, see How to use Resource Explorer to
view software inventory.
Resource Explorer default inventory classes
2/16/2022 • 29 minutes to read

Applies to: Configuration Manager (current branch)


This article describes the default inventory classes in Resource Explorer.
These are the default inventory classes:

1394 Controller
Namespace: root\cimv2
class Win32_1394Controller
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

Account SID
Namespace: root\cimv2
class Win32_AccountSID
(String) Element
(String) Setting

ActiveSync Service
Namespace: root\SmsDm
class SMS_ActiveSyncService
(UInt32) MajorVersion
(UInt32) MinorVersion
(String) LastSyncTime

AMT Agent
Namespace: root\cimv2\sms
class SMS_AMTObject
(UInt32) DeviceID
(String) AMT
(String) AMTApps
(String) BiosVersion
(String) BuildNumber
(String) Flash
(String) LegacyMode
(String) Netstack
(UInt32) ProvisionMode
(UInt32) ProvisionState
(String) RecoveryBuildNum
(String) RecoveryVersion
(String) Sku
(UInt32) TLSMode
(String) VendorID
(UInt32) ZTCEnabled

AppV Client Application


Namespace: root\AppV
class AppvClientApplication
(String) ApplicationId
(String) PackageId
(String) PackageVersionId
(Boolean) EnabledForUser
(Boolean) EnabledGlobally
(String) Name
(String) TargetPath
(String) Version

AppV Client Package


Namespace: root\AppV
class AppvClientPackage
(String) PackageId
(String) VersionId
(String) Assets[]
(String) DeploymentMachineData
(String) DeploymentUserData
(Boolean) HasAssetIntelligence
(Boolean) InUse
(Boolean) IsPublishedGlobally
(Boolean) IsPublishedToUser
(String) Name
(UInt64) PackageSize
(String) Path
(UInt16) PercentLoaded
(String) UserConfigurationData
(String) Version

AutoStart Software
Namespace: root\cimv2\sms
class SMS_AutoStartSoftware
(String) FilePropertiesHash
(String) BinFileVersion
(String) BinProductVersion
(String) Description
(String) FileName
(String) FilePropertiesHashEx
(String) FileVersion
(String) Location
(String) Product
(String) ProductVersion
(String) Publisher
(String) StartupType
(String) StartupValue

BaseBoard
Namespace: root\cimv2
class Win32_BaseBoard
(String) Tag
(String) Caption
(String) ConfigOptions[]
(String) Description
(Boolean) HostingBoard
(Boolean) HotSwappable
(DateTime) InstallDate
(String) Manufacturer
(String) Model
(String) Name
(String) OtherIdentifyingInfo
(String) PartNumber
(Boolean) PoweredOn
(String) Product
(Boolean) Removable
(Boolean) Replaceable
(String) RequirementsDescription
(Boolean) RequiresDaughterBoard
(String) SerialNumber
(String) SKU
(String) SlotLayout
(Boolean) SpecialRequirements
(String) Status
(String) Version

Battery
Namespace: root\cimv2
class Win32_Battery
(String) DeviceID
(UInt16) Availability
(UInt16) BatteryStatus
(String) Caption
(UInt16) Chemistry
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DesignCapacity
(UInt64) DesignVoltage
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) EstimatedChargeRemaining
(UInt32) EstimatedRunTime
(UInt32) ExpectedLife
(UInt32) FullChargeCapacity
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxRechargeTime
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) SmartBatteryVersion
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) TimeOnBattery
(UInt32) TimeToFullCharge

BitLocker
Namespace: root\cimv2\security\MicrosoftVolumeEncryption
class Win32_EncryptableVolume
(String) DeviceID
(String) DriveLetter
(String) PersistentVolumeID
(UInt32) ProtectionStatus

BitLocker Encryption Details


Namespace: root\cimv2
class Win32_BitLockerEncryptionDetails
(String) BitlockerPersistentVolumeId
(SInt32) Compliant
(SInt32) ConversionStatus
(String) DeviceId
(String) DriveLetter
(SInt32) EncryptionMethod
(String) EnforcePolicyDate
(Boolean) IsAutoUnlockEnabled
(SInt32) KeyProtectorTypes[]
(String) MbamPersistentVolumeId
(SInt32) MbamVolumeType
(String) NoncomplianceDetectedDate
(SInt32) ProtectionStatus
(SInt32) ReasonsForNonCompliance[]

BitLocker Policy
Namespace: root\cimv2
class Win32Reg_MBAMPolicy
(String) EncodedComputerName
(UInt32) EncryptionMethod
(UInt32) FixedDataDriveAutoUnlock
(UInt32) FixedDataDriveEncryption
(UInt32) FixedDataDrivePassphrase
(String) KeyName
(String) LastConsoleUser
(UInt32) MBAMMachineError
(UInt32) MBAMPolicyEnforced
(UInt32) OsDriveEncryption
(UInt32) OsDriveProtector
(DateTime) UserExemptionDate

Boot Configuration
Namespace: root\cimv2
class Win32_BootConfiguration
(String) Name
(String) BootDirectory
(String) ConfigurationPath
(String) Description
(String) LastDrive
(String) ScratchDirectory
(String) SettingID
(String) TempDirectory

Browser Helper Object


Namespace: root\cimv2\sms
class SMS_BrowserHelperObject
(String) FilePropertiesHash
(String) BinFileVersion
(String) BinProductVersion
(String) CLSID
(String) Description
(String) FileName
(String) FilePropertiesHashEx
(String) FileVersion
(String) Product
(String) ProductVersion
(String) Publisher
(String) Version

CCM_RAX
Namespace: root\ccm\cimodels
class CCM_RAXInfo
(String) AppID
(String) FeedURL
(String) UserSID

CD-ROM
Namespace: root\cimv2
class Win32_CDROMDrive
(String) DeviceID
(UInt16) Availability
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(String) CompressionMethod
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt64) DefaultBlockSize
(String) Description
(String) Drive
(Boolean) DriveIntegrity
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt16) FileSystemFlags
(UInt32) FileSystemFlagsEx
(String) ID
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt64) MaxBlockSize
(UInt32) MaximumComponentLength
(UInt64) MaxMediaSize
(Boolean) MediaLoaded
(String) MediaType
(UInt64) MinBlockSize
(String) Name
(Boolean) NeedsCleaning
(UInt32) NumberOfMediaSupported
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) RevisionLevel
(UInt32) SCSIBus
(UInt16) SCSILogicalUnit
(UInt16) SCSIPort
(UInt16) SCSITargetId
(UInt64) Size
(String) Status
(UInt16) StatusInfo
(String) SystemName
(String) VolumeName
(String) VolumeSerialNumber

Client Diagnostics
Starting in version 2107
Namespace: root\cimv2
class CCM_ClientDiagnostics
(String) Identifier
(String) DebugLoggingEnabled
(UInt32) LogEnabled
(UInt32) LogLevel
(UInt32) LogMaxHistory
(UInt32) LogMaxSize

Client Events
Namespace: root\ccm\invagt
class ClientEvents
(String) EventName
(UInt16) Count

Computer System
Namespace: root\cimv2
class Win32_ComputerSystem
(String) Name
(UInt16) AdminPasswordStatus
(Boolean) AutomaticResetBootOption
(Boolean) AutomaticResetCapability
(UInt16) BootOptionOnLimit
(UInt16) BootOptionOnWatchDog
(Boolean) BootROMSupported
(String) BootupState
(String) Caption
(UInt16) ChassisBootupState
(SInt16) CurrentTimeZone
(Boolean) DaylightInEffect
(String) Description
(String) Domain
(UInt16) DomainRole
(UInt16) FrontPanelResetStatus
(Boolean) InfraredSupported
(String) InitialLoadInfo[]
(DateTime) InstallDate
(UInt16) KeyboardPasswordStatus
(String) LastLoadInfo
(String) Manufacturer
(String) Model
(String) NameFormat
(Boolean) NetworkServerModeEnabled
(UInt32) NumberOfProcessors
(String) OEMLogoBitmap
(String) OEMStringArray[]
(SInt64) PauseAfterReset
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) PowerOnPasswordStatus
(UInt16) PowerState
(UInt16) PowerSupplyState
(String) PrimaryOwnerContact
(String) PrimaryOwnerName
(UInt16) ResetCapability
(SInt16) ResetCount
(SInt16) ResetLimit
(String) Roles[]
(String) Status
(String) SupportContactDescription[]
(UInt16) SystemStartupDelay
(String) SystemStartupOptions[]
(UInt8) SystemStartupSetting
(String) SystemType
(UInt16) ThermalState
(UInt64) TotalPhysicalMemory
(String) UserName
(UInt16) WakeUpType

Computer System Ex
Namespace: root\cimv2
class CCM_ComputerSystemExtended
(String) Name
(UInt16) PCSystemType

Computer System Product


Namespace: root\cimv2
class Win32_ComputerSystemProduct
(String) IdentifyingNumber
(String) Name
(String) Version
(String) Caption
(String) Description
(String) SKUNumber
(String) UUID
(String) Vendor

SMS Advanced Client Ports


Namespace: root\cimv2
class Win32Reg_SMSAdvancedClientPorts
(String) InstanceKey
(UInt32) HttpsPortName
(UInt32) PortName

SMS Advanced Client SSL Configurations


Namespace: root\cimv2
class Win32Reg_SMSAdvancedClientSSLConfiguration
(String) InstanceKey
(String) CertificateSelectionCriteria
(String) CertificateStore
(UInt32) ClientAlwaysOnInternet
(UInt32) HttpsStateFlags
(String) InternetMPHostName
(UInt32) SelectFirstCertificate

SMS Advanced Client State


Namespace: root\ccm
class CCM_InstalledComponent
(String) Name
(String) DisplayName
(String) Version

Connected Device
Namespace: root\SmsDm
class SMS_ActiveSyncConnectedDevice
(String) DeviceOEMInfo
(String) DeviceType
(String) OS_Major
(String) OS_Minor
(String) OS_Platform
(String) ProcessorArchitecture
(String) ProcessorLevel
(String) ProcessorRevision
(String) InstalledClientID
(String) InstalledClientServer
(String) InstalledClientVersion
(String) LastSyncTime
(String) OS_AdditionalInfo
(String) OS_Build

SMS_DefaultBrowser
Namespace: root\cimv2\sms
class SMS_DefaultBrowser
(String) BrowserProgId

Desktop
Namespace: root\cimv2
class Win32_Desktop
(String) Name
(UInt32) BorderWidth
(String) Caption
(Boolean) CoolSwitch
(UInt32) CursorBlinkRate
(String) Description
(Boolean) DragFullWindows
(UInt32) GridGranularity
(UInt32) IconSpacing
(String) IconTitleFaceName
(UInt32) IconTitleSize
(Boolean) IconTitleWrap
(String) Pattern
(Boolean) ScreenSaverActive
(String) ScreenSaverExecutable
(Boolean) ScreenSaverSecure
(UInt32) ScreenSaverTimeout
(String) SettingID
(String) Wallpaper
(Boolean) WallpaperStretched
(Boolean) WallpaperTiled

Desktop Monitor
Namespace: root\cimv2
class Win32_DesktopMonitor
(String) DeviceID
(UInt16) Availability
(UInt32) Bandwidth
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt16) DisplayType
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(Boolean) IsLocked
(UInt32) LastErrorCode
(String) MonitorManufacturer
(String) MonitorType
(String) Name
(UInt32) PixelsPerXLogicalInch
(UInt32) PixelsPerYLogicalInch
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) ScreenHeight
(UInt32) ScreenWidth
(String) Status
(UInt16) StatusInfo
(String) SystemName

Device Info
Namespace: Reserved
class Device_Info
(String) CertExpiry
(String) DeviceName
(String) Manufacturer
(String) Model
(String) OS

MDM DevDetail
Namespace: root\cimv2\mdm\dmmap
class MDM_DevDetail_Ext01
(String) InstanceID
(String) ParentID
(String) DeviceHardwareData
(String) WLANMACAddress

Disk
Namespace: root\cimv2
class Win32_DiskDrive
(String) DeviceID
(UInt16) Availability
(UInt32) BytesPerSector
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(String) CompressionMethod
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt64) DefaultBlockSize
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt32) Index
(DateTime) InstallDate
(String) InterfaceType
(UInt32) LastErrorCode
(String) Manufacturer
(UInt64) MaxBlockSize
(UInt64) MaxMediaSize
(Boolean) MediaLoaded
(String) MediaType
(UInt64) MinBlockSize
(String) Model
(String) Name
(Boolean) NeedsCleaning
(UInt32) NumberOfMediaSupported
(UInt32) Partitions
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) SCSIBus
(UInt16) SCSILogicalUnit
(UInt16) SCSIPort
(UInt16) SCSITargetId
(UInt32) SectorsPerTrack
(UInt64) Size
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt64) TotalCylinders
(UInt32) TotalHeads
(UInt64) TotalSectors
(UInt64) TotalTracks
(UInt32) TracksPerCylinder

Partition
Namespace: root\cimv2
class Win32_DiskPartition
(String) DeviceID
(UInt16) Access
(UInt16) Availability
(UInt64) BlockSize
(Boolean) Bootable
(Boolean) BootPartition
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DiskIndex
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt32) HiddenSectors
(UInt32) Index
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Name
(UInt64) NumberOfBlocks
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(Boolean) PrimaryPartition
(String) Purpose
(Boolean) RewritePartition
(UInt64) Size
(UInt64) StartingOffset
(String) Status
(UInt16) StatusInfo
(String) SystemName
(String) Type

DMA
Namespace: root\cimv2
class Win32_DeviceMemoryAddress
(UInt64) StartingAddress
(String) Caption
(String) Description
(UInt64) EndingAddress
(DateTime) InstallDate
(String) MemoryType
(String) Name
(String) Status

DMA Channel
Namespace: root\cimv2
class Win32_DMAChannel
(UInt32) DMAChannel
(UInt16) AddressSize
(UInt16) Availability
(Boolean) BurstMode
(UInt16) ByteMode
(String) Caption
(UInt16) ChannelTiming
(String) Description
(DateTime) InstallDate
(UInt32) MaxTransferSize
(String) Name
(UInt32) Port
(String) Status
(UInt16) TransferWidths[]
(UInt16) TypeCTiming
(UInt16) WordMode

Driver - VxD
Namespace: root\cimv2
class Win32_DriverVXD
(String) Name
(String) SoftwareElementID
(UInt16) SoftwareElementState
(UInt16) TargetOperatingSystem
(String) Version
(String) BuildNumber
(String) Caption
(String) CodeSet
(String) Control
(String) Description
(String) DeviceDescriptorBlock
(String) IdentificationCode
(DateTime) InstallDate
(String) LanguageEdition
(String) Manufacturer
(String) OtherTargetOS
(String) PM_API
(String) SerialNumber
(UInt32) ServiceTableSize
(String) Status
(String) V86_API

Embedded Device Information


Namespace: root\cimv2\sms
class CCM_EmbeddedDeviceInformation
(String) DeviceType
(String) Model
(String) OEMName

Environment
Namespace: root\cimv2
class Win32_Environment
(String) Name
(String) UserName
(String) Caption
(String) Description
(DateTime) InstallDate
(String) Status
(Boolean) SystemVariable
(String) VariableValue

Firmware
Namespace: root\cimv2\sms
class SMS_Firmware
(Boolean) UEFI
(Boolean) SecureBoot

USM Folder Redirection Health


Namespace: root\cimv2\sms
class SMS_FolderRedirectionHealth
(String) FolderName
(String) SID
(UInt8) HealthStatus
(DateTime) LastSuccessfulSyncTime
(UInt8) LastSyncStatus
(DateTime) LastSyncTime
(Boolean) OfflineAccessEnabled
(String) OfflineFileNameFolderGUID
(Boolean) Redirected

IDE Controller
Namespace: root\cimv2
class Win32_IDEController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

Add Remove Programs (64)


Namespace: root\cimv2
class Win32Reg_AddRemovePrograms64
(String) ProdID
(String) DisplayName
(String) InstallDate
(String) Publisher
(String) Version

Add Remove Programs


Namespace: root\cimv2
class Win32Reg_AddRemovePrograms
(String) ProdID
(String) DisplayName
(String) InstallDate
(String) Publisher
(String) Version

Installed Executable
Namespace: root\cimv2\sms
class SMS_InstalledExecutable
(String) ExecutableName
(String) ProductCode
(String) BinFileVersion
(String) BinProductVersion
(String) Description
(String) FilePropertiesHash
(String) FilePropertiesHashEx
(UInt32) FileSize
(String) FileVersion
(Boolean) HasPatchAdded
(String) InstalledFilePath
(Boolean) IsSystemFile
(Boolean) IsVitalFile
(UInt32) Language
(String) Product
(String) ProductVersion
(String) Publisher

Installed Software
Namespace: root\cimv2\sms
class SMS_InstalledSoftware
(String) SoftwareCode
(String) ARPDisplayName
(String) ChannelCode
(String) ChannelID
(String) CM_DSLID
(String) EvidenceSource
(DateTime) InstallDate
(UInt32) InstallDirectoryValidation
(String) InstalledLocation
(String) InstallSource
(UInt32) InstallType
(UInt32) Language
(String) LocalPackage
(String) MPC
(UInt32) OsComponent
(String) PackageCode
(String) ProductID
(String) ProductName
(String) ProductVersion
(String) Publisher
(String) RegisteredUser
(String) ServicePack
(String) SoftwarePropertiesHash
(String) SoftwarePropertiesHashEx
(String) UninstallString
(String) UpgradeCode
(UInt32) VersionMajor
(UInt32) VersionMinor

IRQ Table
Namespace: root\cimv2
class Win32_IRQResource
(UInt32) IRQNumber
(UInt16) Availability
(String) Caption
(String) Description
(Boolean) Hardware
(DateTime) InstallDate
(String) Name
(Boolean) Shareable
(String) Status
(UInt16) TriggerLevel
(UInt16) TriggerType
(UInt32) Vector

Keyboard
Namespace: root\cimv2
class Win32_Keyboard
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(Boolean) IsLocked
(UInt32) LastErrorCode
(String) Layout
(String) Name
(UInt16) NumberOfFunctionKeys
(UInt16) Password
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName

Load Order Group


Namespace: root\cimv2
class Win32_LoadOrderGroup
(String) Name
(String) Caption
(String) Description
(Boolean) DriverEnabled
(UInt32) GroupOrder
(DateTime) InstallDate
(String) Status

Logical Disk
Namespace: root\cimv2\sms
class SMS_LogicalDisk
(String) DeviceID
(UInt16) Access
(UInt16) Availability
(UInt64) BlockSize
(String) Caption
(Boolean) Compressed
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DriveType
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(String) FileSystem
(UInt64) FreeSpace
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaximumComponentLength
(UInt32) MediaType
(String) Name
(UInt64) NumberOfBlocks
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProviderName
(String) Purpose
(UInt64) Size
(String) Status
(UInt16) StatusInfo
(Boolean) SupportsFileBasedCompression
(String) SystemName
(String) VolumeName
(String) VolumeSerialNumber

Memory
Namespace: root\cimv2
class CCM_LogicalMemoryConfiguration
(String) Name
(UInt64) AvailableVirtualMemory
(UInt64) TotalPageFileSpace
(UInt64) TotalPhysicalMemory
(UInt64) TotalVirtualMemory

Device Bluetooth
Namespace: Reserved
class Device_Bluetooth
(Boolean) Enabled

Device Camera
Namespace: Reserved
class Device_Camera
(Boolean) Enabled

Device Certificates
Namespace: Reserved
class Device_Certificates
(String) Thumbprint
(String) Type
(String) IssuedBy
(String) IssuedTo
(DateTime) ValidFrom
(DateTime) ValidTo

Device Client
Namespace: Reserved
class Device_Client
(Boolean) DownloadWhenRoaming
(Boolean) SyncWhenRoaming

Device Client Agent version


Namespace: Reserved
class Device_ClientAgentVersion
(String) Version

Device Computer System


Namespace: Reserved
class Device_ComputerSystem
(String) CellularTechnology
(String) DeviceClientID
(String) DeviceManufacturer
(String) DeviceModel
(String) DMVersion
(String) FirmwareVersion
(String) HardwareVersion
(String) IMEI
(String) IMSI
(UInt8) IsActivationLockEnabled
(UInt8) Jailbroken
(String) MEID
(String) OEM
(String) PhoneNumber
(String) PlatformType
(UInt32) ProcessorArchitecture
(UInt32) ProcessorLevel
(UInt32) ProcessorRevision
(String) Product
(String) ProductVersion
(String) SerialNumber
(String) SoftwareVersion
(String) SubscriberCarrierNetwork

Device Display
Namespace: Reserved
class Device_Display
(UInt32) HorizontalResolution
(UInt64) NumberOfColors
(UInt32) VerticalResolution

Device Email
Namespace: Reserved
class Device_Email
(String) OwnerEmailAddress
(String) SyncDomain
(String) SyncServer
(String) SyncUser
(String) Type

Device Encryption
Namespace: Reserved
class Device_Encryption
(UInt32) EmailEncryptionAlgorithm
(UInt32) EmailEncryptionNegotiation
(Boolean) EmailEncryptionRequired
(Boolean) EmailSigningAlgorithm
(Boolean) EmailSigningRequired
(Boolean) EncryptionCompliance
(Boolean) PhoneMemoryEncrypted
(Boolean) StorageCardEncrypted

Device Exchange
Namespace: Reserved
class Device_Exchange
(Boolean) ConflictResolution
(SInt32) HTMLEmailTruncation
(UInt32) MailFormat
(UInt32) MaxCalendarAge
(UInt32) MaxEmailAge
(SInt32) MaxMailFileAttachmentSize
(UInt32) OffPeakSyncFrequency
(UInt32) PeakDays
(String) PeakEndTime
(String) PeakStartTime
(UInt32) PeakSyncFrequency
(SInt32) PlainTextEmailTruncation
(Boolean) SendEmailImmediately
(Boolean) SyncCalendar
(Boolean) SyncContacts
(Boolean) SyncEmail
(Boolean) SyncTasks
(Boolean) SyncWhenRoaming

Device Installed Applications


Namespace: Reserved
class Device_InstalledApplications
(String) Name
(String) Version

Device IrDA
Namespace: Reserved
class Device_IrDA
(Boolean) Enabled

Mobile Device Location


Namespace: Reserved
class MDM_RemoteFind
(Real32) Latitude
(Real32) Longitude

Device Memory
Namespace: Reserved
class Device_Memory
(UInt64) ProgramFree
(UInt64) ProgramTotal
(UInt64) RemovableStorageFree
(UInt64) RemovableStorageTotal
(UInt64) StorageFree
(UInt64) StorageTotal

Device OS Information
Namespace: Reserved
class Device_OSInformation
(String) Language
(String) Platform
(String) Version

Device Password
Namespace: Reserved
class Device_Password
(Boolean) AllowRecoveryPassword
(UInt32) AutolockTimeout
(Boolean) Enabled
(UInt32) Expiration
(UInt32) History
(UInt32) MaxAttemptsBeforeWipe
(UInt32) MinComplexChars
(UInt32) MinLength
(UInt8) PasswordQuality
(UInt32) Type

Device Policy
Namespace: Reserved
class Device_Policy
(String) Name
(Boolean) Enforced

Device Power
Namespace: Reserved
class Device_Power
(UInt32) BacklightACTimeout
(UInt32) BacklightBatTimeout
(SInt32) BackupPercent
(SInt32) BatteryPercent

Mobile Device Security Status


Namespace: Reserved
class MDM_SecurityStatus
(UInt32) HardwareEncryptionCaps
(UInt8) PasscodeCompliant
(UInt8) PasscodeCompliantWithProfiles
(UInt8) PasscodePresent
(UInt8) RequireEncryption

Device Windows Security Policy


Namespace: Reserved
class Device_WindowsSecurityPolicy
(UInt32) ID
(String) Name
(UInt32) Value

Device WLAN
Namespace: Reserved
class Device_WLAN
(Boolean) Enabled
(String) EthernetMAC
(String) WiFiMAC

Modem
Namespace: root\cimv2
class Win32_POTSModem
(String) DeviceID
(UInt16) AnswerMode
(String) AttachedTo
(UInt16) Availability
(String) BlindOff
(String) BlindOn
(String) Caption
(String) CompatibilityFlags
(UInt16) CompressionInfo
(String) CompressionOff
(String) CompressionOn
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) ConfigurationDialog
(String) CountriesSupported[]
(String) CountrySelected
(String) CurrentPasswords[]
(String) DCB
(String) Default
(String) Description
(String) DeviceLoader
(String) DeviceType
(UInt16) DialType
(DateTime) DriverDate
(Boolean) ErrorCleared
(String) ErrorControlForced
(UInt16) ErrorControlInfo
(String) ErrorControlOff
(String) ErrorControlOn
(String) ErrorDescription
(String) FlowControlHard
(String) FlowControlOff
(String) FlowControlSoft
(String) InactivityScale
(UInt32) InactivityTimeout
(UInt32) Index
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxBaudRateToPhone
(UInt32) MaxBaudRateToSerialPort
(UInt16) MaxNumberOfPasswords
(String) Model
(String) ModemInfPath
(String) ModemInfSection
(String) ModulationBell
(String) ModulationCCITT
(UInt16) ModulationScheme
(String) Name
(String) PNPDeviceID
(String) PortSubClass
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Prefix
(String) Properties
(String) ProviderName
(String) Pulse
(String) Reset
(String) ResponsesKeyName
(UInt8) RingsBeforeAnswer
(String) SpeakerModeDial
(String) SpeakerModeOff
(String) SpeakerModeOn
(String) SpeakerModeSetup
(String) SpeakerVolumeHigh
(UInt16) SpeakerVolumeInfo
(String) SpeakerVolumeLow
(String) SpeakerVolumeMed
(String) Status
(UInt16) StatusInfo
(String) StringFormat
(Boolean) SupportsCallback
(Boolean) SupportsSynchronousConnect
(String) SystemName
(String) Terminator
(DateTime) TimeOfLastReset
(String) Tone
(String) VoiceSwitchFeature

Motherboard
Namespace: root\cimv2
class Win32_MotherboardDevice
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) PrimaryBusType
(String) RevisionNumber
(String) SecondaryBusType
(String) Status
(UInt16) StatusInfo
(String) SystemName

NAP Client
Namespace: root\Nap
class NAP_Client
(String) name
(String) description
(String) fixupURL
(Boolean) napEnabled
(String) napProtocolVersion
(String) probationTime
(UInt32) systemIsolationState

NAP System Health Agent


Namespace: root\Nap
class NAP_SystemHealthAgent
(UInt32) ID
(String) description
(UInt32) fixupState
(String) friendlyName
(String) infoClsid
(Boolean) isBound
(UInt8) percentage
(String) registrationDate
(String) vendorName
(String) version

Network Adapter
Namespace: root\cimv2
class Win32_NetworkAdapter
(String) DeviceID
(String) AdapterType
(Boolean) AutoSense
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) Index
(DateTime) InstallDate
(Boolean) Installed
(UInt32) LastErrorCode
(String) MACAddress
(String) Manufacturer
(UInt32) MaxNumberControlled
(UInt64) MaxSpeed
(String) Name
(String) NetworkAddresses[]
(String) PermanentAddress
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProductName
(String) ServiceName
(UInt64) Speed
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

Network Adapter Configuration


Namespace: root\cimv2
class Win32_NetworkAdapterConfiguration
(UInt32) Index
(Boolean) ArpAlwaysSourceRoute
(Boolean) ArpUseEtherSNAP
(String) Caption
(String) DatabasePath
(Boolean) DeadGWDetectEnabled
(String) DefaultIPGateway[]
(UInt8) DefaultTOS
(UInt8) DefaultTTL
(String) Description
(Boolean) DHCPEnabled
(DateTime) DHCPLeaseExpires
(DateTime) DHCPLeaseObtained
(String) DHCPServer
(String) DNSDomain
(String) DNSDomainSuffixSearchOrder[]
(Boolean) DNSEnabledForWINSResolution
(String) DNSHostName
(String) DNSServerSearchOrder[]
(Boolean) DomainDNSRegistrationEnabled
(UInt32) ForwardBufferMemory
(Boolean) FullDNSRegistrationEnabled
(UInt16) GatewayCostMetric[]
(UInt8) IGMPLevel
(String) IPAddress[]
(UInt32) IPConnectionMetric
(Boolean) IPEnabled
(Boolean) IPFilterSecurityEnabled
(Boolean) IPPortSecurityEnabled
(String) IPSecPermitIPProtocols[]
(String) IPSecPermitTCPPorts[]
(String) IPSecPermitUDPPorts[]
(String) IPSubnet[]
(Boolean) IPUseZeroBroadcast
(String) IPXAddress
(Boolean) IPXEnabled
(String) IPXFrameType
(UInt32) IPXMediaType
(String) IPXNetworkNumber[]
(String) IPXVirtualNetNumber
(UInt32) KeepAliveInterval
(UInt32) KeepAliveTime
(String) MACAddress
(UInt32) MTU
(UInt32) NumForwardPackets
(Boolean) PMTUBHDetectEnabled
(Boolean) PMTUDiscoveryEnabled
(String) ServiceName
(String) SettingID
(UInt32) TcpipNetbiosOptions
(UInt32) TcpMaxConnectRetransmissions
(UInt32) TcpMaxDataRetransmissions
(UInt32) TcpNumConnections
(Boolean) TcpUseRFC1122UrgentPointer
(UInt16) TcpWindowSize
(Boolean) WINSEnableLMHostsLookup
(String) WINSHostLookupFile
(String) WINSPrimaryServer
(String) WINSScopeID
(String) WINSSecondaryServer

Network Client
Namespace: root\cimv2
class Win32_NetworkClient
(String) Name
(String) Caption
(String) Description
(DateTime) InstallDate
(String) Manufacturer
(String) Status

Network Login Profile
Namespace: root\cimv2
class Win32_NetworkLoginProfile
(String) Name
(DateTime) AccountExpires
(UInt32) AuthorizationFlags
(UInt32) BadPasswordCount
(String) Caption
(UInt32) CodePage
(String) Comment
(UInt32) CountryCode
(String) Description
(UInt32) Flags
(String) FullName
(String) HomeDirectory
(String) HomeDirectoryDrive
(DateTime) LastLogoff
(DateTime) LastLogon
(String) LogonHours
(String) LogonServer
(UInt64) MaximumStorage
(UInt32) NumberOfLogons
(String) Parameters
(DateTime) PasswordAge
(DateTime) PasswordExpires
(UInt32) PrimaryGroupId
(UInt32) Privileges
(String) Profile
(String) ScriptPath
(String) SettingID
(UInt32) UnitsPerWeek
(String) UserComment
(UInt32) UserId
(String) UserType
(String) Workstations

NT Eventlog File
Namespace: root\cimv2
class Win32_NTEventlogFile
(String) Name
(UInt32) AccessMask
(Boolean) Archive
(String) Caption
(Boolean) Compressed
(String) CompressionMethod
(DateTime) CreationDate
(String) Description
(String) Drive
(String) EightDotThreeFileName
(Boolean) Encrypted
(String) EncryptionMethod
(String) Extension
(String) FileName
(UInt64) FileSize
(String) FileType
(String) FSName
(Boolean) Hidden
(DateTime) InstallDate
(UInt64) InUseCount
(DateTime) LastAccessed
(DateTime) LastModified
(String) LogfileName
(String) Manufacturer
(UInt32) MaxFileSize
(UInt32) NumberOfRecords
(UInt32) OverwriteOutDated
(String) OverWritePolicy
(String) Path
(Boolean) Readable
(String) Sources[]
(String) Status
(Boolean) System
(String) Version
(Boolean) Writeable

Office365ProPlusConfigurations
Namespace: root\cimv2
class Office365ProPlusConfigurations
(String) KeyName
(String) AutoUpgrade
(String) CCMManaged
(String) CDNBaseUrl
(String) cfgUpdateChannel
(String) ClientCulture
(String) ClientFolder
(String) GPOChannel
(String) GPOOfficeMgmtCOM
(String) InstallationPath
(String) LastScenario
(String) LastScenarioResult
(String) OfficeMgmtCOM
(String) Platform
(String) SharedComputerLicensing
(String) UpdateChannel
(String) UpdatePath
(String) UpdatesEnabled
(String) UpdateUrl
(String) VersionToReport

Office Addin
Namespace: root\ccm\InvAgt
class CCM_OfficeAddin
(String) Architecture
(String) ID
(String) OfficeApp
(String) Type
(UInt32) AverageLoadTimeInMilliseconds
(String) CLSID
(String) CompanyName
(UInt32) CrashCount
(String) Description
(UInt32) ErrorCount
(String) FileName
(UInt64) FileSize
(UInt32) FileTimestamp
(String) FileVersion
(String) FriendlyName
(String) FriendlyNameHash
(String) IdHash
(UInt32) LoadBehavior
(UInt32) LoadCount
(UInt32) LoadFailCount
(String) ProductName
(String) ProductVersion

Office Client Metric


Namespace: root\ccm\InvAgt
class CCM_OfficeClientMetric
(String) OfficeApp
(UInt32) CompatibilityErrorCount
(UInt32) CrashedSessionCount
(UInt32) MacroCompileErrorCount
(UInt32) MacroRuntimeErrorCount
(UInt32) SessionCount

Office Device Summary


Namespace: root\ccm\InvAgt
class CCM_OfficeDeviceSummary
(Boolean) IsProPlusInstalled
(Boolean) IsTelemetryEnabled

Office Document Metric


Namespace: root\ccm\InvAgt
class CCM_OfficeDocumentMetric
(String) OfficeApp
(UInt32) TotalCloudDocs
(UInt32) TotalLegacyDocs
(UInt32) TotalLocalDocs
(UInt32) TotalMacroDocs
(UInt32) TotalNonMacroDocs
(UInt32) TotalUncDocs

Office Document Solution


Namespace: root\ccm\InvAgt
class CCM_OfficeDocumentSolution
(String) DocumentSolutionId
(String) OfficeApp
(UInt32) CompatibilityErrorCount
(UInt32) CrashCount
(String) ExampleFileName
(UInt32) LoadCount
(UInt32) LoadFailCount
(UInt32) MacroCompileErrorCount
(UInt32) MacroRuntimeErrorCount
(String) Type

Office Macro Error


Namespace: root\ccm\InvAgt
class CCM_OfficeMacroError
(String) DocumentSolutionId
(UInt32) ErrorCode
(UInt32) Count
(UInt64) LastOccurrence
(String) Type

Office Product Info


Namespace: root\ccm\InvAgt
class CCM_OfficeProductInfo
(String) ProductName
(String) ProductVersion
(String) Architecture
(String) Channel
(UInt32) IsProPlusInstalled
(String) Language
(String) LicenseState

Office Vba Rule Violation


Namespace: root\ccm\InvAgt
class CCM_OfficeVbaRuleViolation
(UInt32) RuleId
(UInt32) FileCount
(String) OfficeApp

Office VbaSummary
Namespace: root\ccm\InvAgt
class CCM_OfficeVbaScanResultsSummary
(UInt32) Design
(UInt32) Design64
(UInt32) DuplicateVba
(Boolean) HasResults
(UInt32) HasVba
(UInt32) Inaccessible
(UInt32) Issues
(UInt32) Issues64
(UInt32) IssuesNone
(UInt32) IssuesNone64
(UInt32) Locked
(UInt32) NoVba
(UInt32) Protected
(UInt32) RemLimited
(UInt32) RemLimited64
(UInt32) RemSignificant
(UInt32) RemSignificant64
(UInt32) Score
(UInt32) Score64
(UInt32) Total
(UInt32) Validation
(UInt32) Validation64

Operating System
Namespace: root\cimv2
class Win32_OperatingSystem
(String) Name
(String) BootDevice
(String) BuildNumber
(String) BuildType
(String) Caption
(String) CodeSet
(String) CountryCode
(String) CSDVersion
(SInt16) CurrentTimeZone
(Boolean) Debug
(String) Description
(Boolean) Distributed
(UInt8) ForegroundApplicationBoost
(UInt64) FreePhysicalMemory
(UInt64) FreeSpaceInPagingFiles
(UInt64) FreeVirtualMemory
(DateTime) InstallDate
(DateTime) LastBootUpTime
(DateTime) LocalDateTime
(String) Locale
(String) Manufacturer
(UInt32) MaxNumberOfProcesses
(UInt64) MaxProcessMemorySize
(String) MUILanguages[]
(UInt32) NumberOfLicensedUsers
(UInt32) NumberOfProcesses
(UInt32) NumberOfUsers
(UInt32) OperatingSystemSKU
(String) Organization
(String) OSArchitecture
(UInt32) OSLanguage
(UInt32) OSProductSuite
(UInt16) OSType
(String) OtherTypeDescription
(String) PlusProductID
(String) PlusVersionNumber
(Boolean) Primary
(UInt32) ProductType
(String) RegisteredUser
(String) SerialNumber
(UInt16) ServicePackMajorVersion
(UInt16) ServicePackMinorVersion
(UInt64) SizeStoredInPagingFiles
(String) Status
(String) SystemDevice
(String) SystemDirectory
(UInt64) TotalSwapSpaceSize
(UInt64) TotalVirtualMemorySize
(UInt64) TotalVisibleMemorySize
(String) Version
(String) WindowsDirectory

Operating System Ex
Namespace: root\cimv2
class CCM_OperatingSystemExtended
(String) Name
(UInt32) SKU

Operating System Recovery Configuration
Namespace: root\cimv2
class Win32_OSRecoveryConfiguration
(String) Name
(Boolean) AutoReboot
(String) Caption
(String) DebugFilePath
(String) Description
(Boolean) KernelDumpOnly
(Boolean) OverwriteExistingDebugFile
(Boolean) SendAdminAlert
(String) SettingID
(Boolean) WriteDebugInfo
(Boolean) WriteToSystemLog

Optional Feature
Namespace: root\cimv2
class Win32_OptionalFeature
(String) Name
(String) Caption
(String) Description
(DateTime) InstallDate
(UInt32) InstallState
(String) Status

Page File Setting
Namespace: root\cimv2
class Win32_PageFileSetting
(String) Name
(String) Caption
(String) Description
(UInt32) InitialSize
(UInt32) MaximumSize
(String) SettingID

Parallel Port
Namespace: root\cimv2
class Win32_ParallelPort
(String) DeviceID
(UInt16) Availability
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) DMASupport
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxNumberControlled
(String) Name
(Boolean) OSAutoDiscovered
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

BIOS
Namespace: root\cimv2
class Win32_BIOS
(String) Name
(String) SoftwareElementID
(UInt16) SoftwareElementState
(UInt16) TargetOperatingSystem
(String) Version
(UInt16) BiosCharacteristics[]
(String) BIOSVersion[]
(String) BuildNumber
(String) Caption
(String) CodeSet
(String) CurrentLanguage
(String) Description
(String) IdentificationCode
(UInt16) InstallableLanguages
(DateTime) InstallDate
(String) LanguageEdition
(String) ListOfLanguages[]
(String) Manufacturer
(String) OtherTargetOS
(Boolean) PrimaryBIOS
(DateTime) ReleaseDate
(String) SerialNumber
(String) SMBIOSBIOSVersion
(UInt16) SMBIOSMajorVersion
(UInt16) SMBIOSMinorVersion
(Boolean) SMBIOSPresent
(String) Status

PCMCIA Controller
Namespace: root\cimv2
class Win32_PCMCIAController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

Physical Memory
Namespace: root\cimv2
class Win32_PhysicalMemory
(String) CreationClassName
(String) Tag
(String) BankLabel
(UInt64) Capacity
(String) Caption
(UInt16) DataWidth
(String) Description
(String) DeviceLocator
(UInt16) FormFactor
(Boolean) HotSwappable
(DateTime) InstallDate
(UInt16) InterleaveDataDepth
(UInt32) InterleavePosition
(String) Manufacturer
(UInt16) MemoryType
(String) Model
(String) Name
(String) OtherIdentifyingInfo
(String) PartNumber
(UInt32) PositionInRow
(Boolean) PoweredOn
(Boolean) Removable
(Boolean) Replaceable
(String) SerialNumber
(String) SKU
(UInt32) Speed
(String) Status
(UInt16) TotalWidth
(UInt16) TypeDetail
(String) Version

PhysicalDisk
Namespace: root\microsoft\windows\storage
class MSFT_PhysicalDisk
(String) ObjectId
(UInt64) AllocatedSize
(UInt16) BusType
(UInt16) CannotPoolReason[]
(Boolean) CanPool
(String) Description
(String) DeviceId
(UInt16) EnclosureNumber
(String) FirmwareVersion
(String) FriendlyName
(UInt16) HealthStatus
(Boolean) IsIndicationEnabled
(Boolean) IsPartial
(UInt64) LogicalSectorSize
(String) Manufacturer
(UInt16) MediaType
(String) Model
(UInt16) OperationalStatus[]
(String) OtherCannotPoolReasonDescription
(String) PartNumber
(String) PhysicalLocation
(UInt64) PhysicalSectorSize
(String) SerialNumber
(UInt64) Size
(UInt16) SlotNumber
(String) SoftwareVersion
(UInt32) SpindleSpeed
(UInt16) SupportedUsages[]
(String) UniqueId
(UInt16) Usage

PNP DEVICE DRIVER
Namespace: root\cimv2
class Win32_PnpEntity
(String) DeviceID
(UInt16) Availability
(String) Caption
(String) ClassGuid
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CreationClassName
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Service
(String) Status
(UInt16) StatusInfo
(String) SystemCreationClassName
(String) SystemName

Pointing Device
Namespace: root\cimv2
class Win32_PointingDevice
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt16) DeviceInterface
(UInt32) DoubleSpeedThreshold
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) Handedness
(String) HardwareType
(String) InfFileName
(String) InfSection
(DateTime) InstallDate
(Boolean) IsLocked
(UInt32) LastErrorCode
(String) Manufacturer
(String) Name
(UInt8) NumberOfButtons
(String) PNPDeviceID
(UInt16) PointingType
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) QuadSpeedThreshold
(UInt32) Resolution
(UInt32) SampleRate
(String) Status
(UInt16) StatusInfo
(UInt32) Synch
(String) SystemName

Portable Battery
Namespace: root\cimv2
class Win32_PortableBattery
(String) DeviceID
(UInt16) Availability
(UInt16) BatteryStatus
(UInt16) CapacityMultiplier
(String) Caption
(UInt16) Chemistry
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt32) DesignCapacity
(UInt64) DesignVoltage
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) EstimatedChargeRemaining
(UInt32) EstimatedRunTime
(UInt32) ExpectedLife
(UInt32) FullChargeCapacity
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Location
(String) ManufactureDate
(String) Manufacturer
(UInt16) MaxBatteryError
(UInt32) MaxRechargeTime
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) SmartBatteryVersion
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) TimeOnBattery
(UInt32) TimeToFullCharge

Ports
Namespace: root\cimv2
class Win32_PortResource
(UInt64) StartingAddress
(Boolean) Alias
(String) Caption
(String) Description
(UInt64) EndingAddress
(DateTime) InstallDate
(String) Name
(String) Status

Power Capabilities
Namespace: root\CCM\powermanagementagent
class CCM_PwrMgmtSystemPowerCapabilities
(UInt32) PreferredPMProfile
(Boolean) ApmPresent
(Boolean) BatteriesAreShortTerm
(Boolean) FullWake
(Boolean) LidPresent
(String) MinDeviceWakeState
(Boolean) ProcessorThrottle
(String) RtcWake
(Boolean) SystemBatteriesPresent
(Boolean) SystemS1
(Boolean) SystemS2
(Boolean) SystemS3
(Boolean) SystemS4
(Boolean) SystemS5
(Boolean) UpsPresent
(Boolean) VideoDimPresent

Power Configurations
Namespace: root\CCM\policy\machine\actualconfig
class CCM_PowerConfig
(String) PowerConfigID
(UInt32) DurationInSec
(String) NonPeakPowerPlan
(String) NonPeakPowerPlanName
(String) PeakPowerPlan
(String) PeakPowerPlanName
(String) PeakStartTimeHoursMin
(String) WakeUpTimeHoursMin

Power Management Insomnia Reasons
Namespace: root\CCM\powermanagementagent
class CCM_PwrMgmtLastSuspendError
(String) Requester
(String) RequesterType
(String) RequestType
(DateTime) Time
(UInt32) AdditionalCode
(String) AdditionalInfo
(String) RequesterInfo
(Boolean) UnknownRequester

Power Management Daily
Namespace: root\CCM\powermanagementagent
class CCM_PwrMgmtActualDay
(DateTime) Date
(String) TypeOfEvent
(UInt32) hr0_1
(UInt32) hr1_2
(UInt32) hr10_11
(UInt32) hr11_12
(UInt32) hr12_13
(UInt32) hr13_14
(UInt32) hr14_15
(UInt32) hr15_16
(UInt32) hr16_17
(UInt32) hr17_18
(UInt32) hr18_19
(UInt32) hr19_20
(UInt32) hr2_3
(UInt32) hr20_21
(UInt32) hr21_22
(UInt32) hr22_23
(UInt32) hr23_0
(UInt32) hr3_4
(UInt32) hr4_5
(UInt32) hr5_6
(UInt32) hr6_7
(UInt32) hr7_8
(UInt32) hr8_9
(UInt32) hr9_10
(UInt32) minutesTotal

Power Client Opt Out Settings
Namespace: root\ccm\ClientSDK
class CCM_PowerManagementClientOptoutSetting
(Boolean) AdminAllowOptout
(Boolean) EffectiveClientOptOut
(Boolean) IsClientOptOut

Power Management Monthly
Namespace: root\CCM\powermanagementagent
class CCM_PwrMgmtMonth
(DateTime) MonthStart
(UInt32) minutesComputerActive
(UInt32) minutesComputerOn
(UInt32) minutesComputerShutdown
(UInt32) minutesComputerSleep
(UInt32) minutesMonitorOn
(UInt32) minutesTotal
(String) TypeOfEvent

Power Settings
Namespace: root\cimv2\sms
class SMS_PowerSettings
(String) GUID
(String) ACSettingIndex
(String) ACValue
(String) DCSettingIndex
(String) DCValue
(String) Name
(String) UnitSpecifier

Print Jobs
Namespace: root\cimv2
class Win32_PrintJob
(String) Name
(String) Caption
(String) DataType
(String) Description
(String) Document
(String) DriverName
(DateTime) ElapsedTime
(String) HostPrintQueue
(DateTime) InstallDate
(UInt32) JobId
(String) JobStatus
(String) Notify
(String) Owner
(UInt32) PagesPrinted
(String) Parameters
(String) PrintProcessor
(UInt32) Priority
(UInt32) Size
(DateTime) StartTime
(String) Status
(UInt32) StatusMask
(DateTime) TimeSubmitted
(UInt32) TotalPages
(DateTime) UntilTime

Printer Configuration
Namespace: root\cimv2
class Win32_PrinterConfiguration
(String) Name
(UInt32) BitsPerPel
(String) Caption
(Boolean) Collate
(UInt32) Color
(UInt32) Copies
(String) Description
(String) DeviceName
(UInt32) DisplayFlags
(UInt32) DisplayFrequency
(UInt32) DitherType
(UInt32) DriverVersion
(Boolean) Duplex
(String) FormName
(UInt32) HorizontalResolution
(UInt32) ICMIntent
(UInt32) ICMMethod
(UInt32) LogPixels
(UInt32) MediaType
(UInt32) Orientation
(UInt32) PaperLength
(String) PaperSize
(UInt32) PaperWidth
(UInt32) PelsHeight
(UInt32) PelsWidth
(UInt32) PrintQuality
(UInt32) Scale
(String) SettingID
(UInt32) SpecificationVersion
(UInt32) TTOption
(UInt32) VerticalResolution
(UInt32) XResolution
(UInt32) YResolution

Printer Device
Namespace: root\cimv2
class Win32_Printer
(String) DeviceID
(UInt32) Attributes
(UInt16) Availability
(UInt32) AveragePagesPerMinute
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt32) DefaultPriority
(String) Description
(UInt16) DetectedErrorState
(String) DriverName
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) HorizontalResolution
(DateTime) InstallDate
(UInt32) JobCountSinceLastReset
(UInt16) LanguagesSupported[]
(UInt32) LastErrorCode
(String) Location
(String) Name
(UInt16) PaperSizesSupported[]
(String) PNPDeviceID
(String) PortName
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) PrinterPaperNames[]
(UInt32) PrinterState
(UInt16) PrinterStatus
(String) PrintJobDataType
(String) PrintProcessor
(String) SeparatorFile
(String) ServerName
(String) ShareName
(Boolean) SpoolEnabled
(DateTime) StartTime
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset
(DateTime) UntilTime
(UInt32) VerticalResolution

Process
Namespace: root\cimv2
class Win32_Process
(String) Handle
(String) Caption
(DateTime) CreationDate
(String) Description
(String) ExecutablePath
(UInt16) ExecutionState
(UInt32) HandleCount
(DateTime) InstallDate
(UInt64) KernelModeTime
(UInt32) MaximumWorkingSetSize
(UInt32) MinimumWorkingSetSize
(String) Name
(String) OSName
(UInt64) OtherOperationCount
(UInt64) OtherTransferCount
(UInt32) PageFaults
(UInt32) PageFileUsage
(UInt32) ParentProcessId
(UInt32) PeakPageFileUsage
(UInt64) PeakVirtualSize
(UInt32) PeakWorkingSetSize
(UInt32) Priority
(UInt64) PrivatePageCount
(UInt32) ProcessId
(UInt32) QuotaNonPagedPoolUsage
(UInt32) QuotaPagedPoolUsage
(UInt32) QuotaPeakNonPagedPoolUsage
(UInt32) QuotaPeakPagedPoolUsage
(UInt64) ReadOperationCount
(UInt64) ReadTransferCount
(UInt32) SessionId
(String) Status
(DateTime) TerminationDate
(UInt32) ThreadCount
(UInt64) UserModeTime
(UInt64) VirtualSize
(String) WindowsVersion
(UInt64) WorkingSetSize
(UInt64) WriteOperationCount
(UInt64) WriteTransferCount

Processor
Namespace: root\cimv2\sms
class SMS_Processor
(String) DeviceID
(UInt16) AddressWidth
(UInt16) Architecture
(UInt16) Availability
(UInt16) BrandID
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CPUHash
(String) CPUKey
(UInt16) CpuStatus
(UInt32) CurrentClockSpeed
(UInt16) CurrentVoltage
(UInt16) DataWidth
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) ExtClock
(UInt16) Family
(DateTime) InstallDate
(Boolean) Is64Bit
(Boolean) IsHyperthreadCapable
(Boolean) IsHyperthreadEnabled
(Boolean) IsMobile
(Boolean) IsTrustedExecutionCapable
(Boolean) IsVitualizationCapable
(UInt32) L2CacheSize
(UInt32) L2CacheSpeed
(UInt32) L3CacheSize
(UInt32) L3CacheSpeed
(UInt32) LastErrorCode
(UInt16) Level
(UInt16) LoadPercentage
(String) Manufacturer
(UInt32) MaxClockSpeed
(String) Name
(UInt32) NormSpeed
(UInt32) NumberOfCores
(UInt32) NumberOfLogicalProcessors
(String) OtherFamilyDescription
(Boolean) PartOfDomain
(UInt32) PCache
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProcessorId
(UInt16) ProcessorType
(UInt16) Revision
(String) Role
(String) SocketDesignation
(String) Status
(UInt16) StatusInfo
(String) Stepping
(String) SystemName
(String) UniqueId
(UInt16) UpgradeMethod
(String) Version
(UInt32) VoltageCaps
(String) Workgroup

Protected Volume Information
Namespace: root\cimv2\sms
class CCM_ProtectedVolumeInfo
(String) Name
(String) DriveLetter
(UInt32) ProtectionType

Protocol
Namespace: root\cimv2
class Win32_NetworkProtocol
(String) Name
(String) Caption
(Boolean) ConnectionlessService
(String) Description
(Boolean) GuaranteesDelivery
(Boolean) GuaranteesSequencing
(DateTime) InstallDate
(UInt32) MaximumAddressSize
(UInt32) MaximumMessageSize
(Boolean) MessageOriented
(UInt32) MinimumAddressSize
(Boolean) PseudoStreamOriented
(String) Status
(Boolean) SupportsBroadcasting
(Boolean) SupportsConnectData
(Boolean) SupportsDisconnectData
(Boolean) SupportsEncryption
(Boolean) SupportsExpeditedData
(Boolean) SupportsFragmentation
(Boolean) SupportsGracefulClosing
(Boolean) SupportsGuaranteedBandwidth
(Boolean) SupportsMulticasting
(Boolean) SupportsQualityofService

Quick Fix Engineering
Namespace: root\cimv2
class Win32_QuickFixEngineering
(String) HotFixID
(String) ServicePackInEffect
(String) Caption
(String) Description
(String) FixComments
(DateTime) InstallDate
(String) InstalledBy
(String) InstalledOn
(String) Name
(String) Status
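
The Quick Fix Engineering and Operating System classes above are what most "is this device patched?" reports are built from, and the one property that trips people up is InstalledOn: it is a String, not a DateTime, its format depends on the system locale, and on some systems it is a hex-encoded FILETIME. The following PowerShell is an added example, not part of the Configuration Manager documentation; it queries both classes locally with Get-CimInstance, parses InstalledOn defensively, counts rows that still fail rather than dropping them silently, and turns the result into a staleness figure. The 45-day limit is the example's own threshold.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Computes patch staleness from Win32_QuickFixEngineering and Win32_OperatingSystem.

function Get-PatchStaleness {
    param([int]$MaxDays = 45)   # example's own threshold, not a product default

    $os       = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_OperatingSystem
    $hotfixes = @(Get-CimInstance -Namespace root\cimv2 -ClassName Win32_QuickFixEngineering)

    $dates    = New-Object System.Collections.Generic.List[datetime]
    $unparsed = 0
    $styles   = [System.Globalization.DateTimeStyles]::None

    foreach ($fix in $hotfixes) {
        $raw    = [string]$fix.InstalledOn
        $parsed = [datetime]::MinValue
        # InstalledOn is a locale-dependent string: try the invariant culture
        # first (most common "MM/dd/yyyy"), then the machine's own culture.
        if ([datetime]::TryParse($raw, [cultureinfo]::InvariantCulture, $styles, [ref]$parsed) -or
            [datetime]::TryParse($raw, [cultureinfo]::CurrentCulture,   $styles, [ref]$parsed)) {
            $dates.Add($parsed)
        }
        elseif ($raw -match '^[0-9A-Fa-f]{16}$') {
            # 16 hex digits: a FILETIME written out as a string, seen on some systems.
            $dates.Add([datetime]::FromFileTimeUtc([convert]::ToInt64($raw, 16)))
        }
        else {
            $unparsed++
        }
    }

    $latest = if ($dates.Count -gt 0) { ($dates | Sort-Object -Descending)[0] } else { $null }
    $days   = if ($latest) { [int]((Get-Date) - $latest).TotalDays } else { $null }

    [pscustomobject]@{
        OS             = $os.Caption
        Version        = $os.Version
        BuildNumber    = $os.BuildNumber
        LastBoot       = $os.LastBootUpTime
        HotfixCount    = $hotfixes.Count
        UnparsedDates  = $unparsed
        LatestHotfix   = $latest
        DaysSincePatch = $days
        # No parseable install date at all is treated as stale, not as unknown.
        Stale          = ($null -eq $days) -or ($days -gt $MaxDays)
    }
}

Get-PatchStaleness -MaxDays 45 | Format-List
```

The UnparsedDates count is worth keeping in any report built on this class: a device whose hotfix rows all fail to parse looks identical to an unpatched one unless the failure is surfaced separately.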

CCM Recently Used Applications
Namespace: root\cimv2\sms
class CCM_RecentlyUsedApps
(String) ExplorerFileName
(String) FolderPath
(String) LastUserName
(String) AdditionalProductCodes
(String) CompanyName
(String) FileDescription
(String) FilePropertiesHash
(UInt32) FileSize
(String) FileVersion
(DateTime) LastUsedTime
(UInt32) LaunchCount
(String) msiDisplayName
(String) msiPublisher
(String) msiVersion
(String) OriginalFileName
(String) ProductCode
(UInt32) ProductLanguage
(String) ProductName
(String) ProductVersion
(String) SoftwarePropertiesHash
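
CCM_RecentlyUsedApps is the inventory class incident responders reach for, because it records which user launched which binary from where. It is populated by the client's software metering agent, so it exists only where the Configuration Manager client is installed and metering is enabled, and it reflects launches as that agent saw them, not a complete process history. The following PowerShell is an added example, not part of the Configuration Manager documentation: a first-pass hunt over the class for recent executions from user-writable directories that no MSI package accounts for. The list of path fragments and the "no ProductCode" rule are the example's own heuristics.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Requires the Configuration Manager client (root\cimv2\sms) with software metering enabled.

function Get-SuspiciousRecentApps {
    param(
        [int]$Days = 30,
        # Path fragments a standard user can write to (example's own list);
        # executions from here that no installer package accounts for deserve a look.
        [string[]]$UserWritable = @('\Users\', '\Temp\', '\AppData\', '\ProgramData\', '\Downloads\', '\Public\')
    )
    $since = (Get-Date).AddDays(-$Days)
    $apps  = Get-CimInstance -Namespace root\cimv2\sms -ClassName CCM_RecentlyUsedApps

    $hits = foreach ($app in $apps) {
        if (-not $app.LastUsedTime -or $app.LastUsedTime -lt $since) { continue }
        if ($app.ProductCode) { continue }   # installed through an MSI package: lower interest

        $folder     = [string]$app.FolderPath
        $inUserPath = $false
        foreach ($fragment in $UserWritable) {
            if ($folder -like "*$fragment*") { $inUserPath = $true; break }
        }
        if (-not $inUserPath) { continue }

        [pscustomobject]@{
            LastUsed    = $app.LastUsedTime
            User        = $app.LastUserName
            Launches    = $app.LaunchCount
            File        = Join-Path $folder $app.ExplorerFileName
            Company     = $app.CompanyName
            Description = $app.FileDescription
            # Hash over the file's properties (not its content); the same binary
            # yields the same value on every device, so it is a usable pivot
            # when the rows are queried centrally in the site database.
            PropsHash   = $app.FilePropertiesHash
        }
    }
    $hits | Sort-Object LastUsed -Descending
}

Get-SuspiciousRecentApps -Days 14 | Format-Table -AutoSize
```

Run per device this is a triage aid; the same filter applied to the site database across the whole estate is where it pays off, since one unusual PropsHash or OriginalFileName seen on many devices is a far stronger signal than a single launch.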

Registry
Namespace: root\cimv2
class Win32_Registry
(String) Name
(String) Caption
(UInt32) CurrentSize
(String) Description
(DateTime) InstallDate
(UInt32) MaximumSize
(UInt32) ProposedSize
(String) Status

SCSI Controller
Namespace: root\cimv2
class Win32_SCSIController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt32) ControllerTimeouts
(String) Description
(String) DeviceMap
(String) DriverName
(Boolean) ErrorCleared
(String) ErrorDescription
(String) HardwareVersion
(UInt32) Index
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxDataWidth
(UInt32) MaxNumberControlled
(UInt64) MaxTransferRate
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtectionManagement
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

Serial Port Configuration
Namespace: root\cimv2
class Win32_SerialPortConfiguration
(String) Name
(Boolean) AbortReadWriteOnError
(UInt32) BaudRate
(Boolean) BinaryModeEnabled
(UInt32) BitsPerByte
(String) Caption
(Boolean) ContinueXMitOnXOff
(Boolean) CTSOutflowControl
(String) Description
(Boolean) DiscardNULLBytes
(Boolean) DSROutflowControl
(Boolean) DSRSensitivity
(String) DTRFlowControlType
(UInt32) EOFCharacter
(UInt32) ErrorReplaceCharacter
(Boolean) ErrorReplacementEnabled
(UInt32) EventCharacter
(Boolean) IsBusy
(String) Parity
(Boolean) ParityCheckEnabled
(String) RTSFlowControlType
(String) SettingID
(String) StopBits
(UInt32) XOffCharacter
(UInt32) XOffXMitThreshold
(UInt32) XOnCharacter
(UInt32) XOnXMitThreshold
(UInt32) XOnXOffInFlowControl
(UInt32) XOnXOffOutFlowControl

Serial Ports
Namespace: root\cimv2
class Win32_SerialPort
(String) DeviceID
(UInt16) Availability
(Boolean) Binary
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(UInt32) MaxBaudRate
(UInt32) MaximumInputBufferSize
(UInt32) MaximumOutputBufferSize
(UInt32) MaxNumberControlled
(String) Name
(Boolean) OSAutoDiscovered
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) ProviderType
(Boolean) SettableBaudRate
(Boolean) SettableDataBits
(Boolean) SettableFlowControl
(Boolean) SettableParity
(Boolean) SettableParityCheck
(Boolean) SettableRLSD
(Boolean) SettableStopBits
(String) Status
(UInt16) StatusInfo
(Boolean) Supports16BitMode
(Boolean) SupportsDTRDSR
(Boolean) SupportsElapsedTimeouts
(Boolean) SupportsIntTimeouts
(Boolean) SupportsParityCheck
(Boolean) SupportsRLSD
(Boolean) SupportsRTSCTS
(Boolean) SupportsSpecialCharacters
(Boolean) SupportsXOnXOff
(Boolean) SupportsXOnXOffSet
(String) SystemName
(DateTime) TimeOfLastReset

Server Feature
Namespace: root\cimv2
class Win32_ServerFeature
(UInt32) ID
(String) Name
(UInt32) ParentID

Services
Namespace: root\cimv2
class Win32_Service
(String) Name
(Boolean) AcceptPause
(Boolean) AcceptStop
(String) Caption
(UInt32) CheckPoint
(String) Description
(Boolean) DesktopInteract
(String) DisplayName
(String) ErrorControl
(UInt32) ExitCode
(DateTime) InstallDate
(String) PathName
(UInt32) ProcessId
(UInt32) ServiceSpecificExitCode
(String) ServiceType
(Boolean) Started
(String) StartMode
(String) StartName
(String) State
(String) Status
(String) SystemName
(UInt32) TagId
(UInt32) WaitHint

Shares
Namespace: root\cimv2
class Win32_Share
(String) Name
(UInt32) AccessMask
(Boolean) AllowMaximum
(String) Caption
(String) Description
(DateTime) InstallDate
(UInt32) MaximumAllowed
(String) Path
(String) Status
(UInt32) Type
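
Services and Shares are the two classes above that map most directly onto a least-privilege review of a client. The following PowerShell is an added example, not part of the Configuration Manager documentation; it queries both classes locally with Get-CimInstance and flags the findings a reviewer checks first: an unquoted service binary path containing spaces, a LocalSystem service whose binary lives outside %SystemRoot%, and any share that is not one of the built-in administrative shares. The "outside %SystemRoot%" rule is the example's own heuristic, not a property of the classes. Run it elevated so every service path is readable.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Reviews Win32_Service and Win32_Share on the local device.

function Get-ServiceFindings {
    # Binary paths are expected to start with %SystemRoot%, optionally quoted.
    $systemRootPattern = '^"?' + [regex]::Escape($env:SystemRoot)

    foreach ($svc in Get-CimInstance -Namespace root\cimv2 -ClassName Win32_Service) {
        $path = [string]$svc.PathName
        if (-not $path) { continue }

        # Binary portion of the command line: up to and including the first ".exe".
        # Arguments such as "-k netsvcs" are not part of the path.
        $exe = if ($path -match '^(.+?\.exe)') { $Matches[1] } else { $path }

        # Finding 1: unquoted path with spaces. The service controller tries each
        # space-delimited prefix in turn, so a writable parent directory lets an
        # attacker plant e.g. C:\Program.exe and have it run as the service account.
        $unquoted = ($path -notmatch '^"') -and ($exe -match '\s')

        # Finding 2: LocalSystem service whose binary is outside %SystemRoot%
        # (example's own heuristic). Check the file and directory ACLs: write
        # access there is a direct path to SYSTEM.
        $systemNonOS = ($svc.StartName -eq 'LocalSystem') -and ($exe -notmatch $systemRootPattern)

        if ($unquoted -or $systemNonOS) {
            [pscustomobject]@{
                Service         = $svc.Name
                StartMode       = $svc.StartMode
                StartName       = $svc.StartName
                PathName        = $path
                UnquotedPath    = $unquoted
                SystemOutsideOS = $systemNonOS
            }
        }
    }
}

function Get-NonAdminShares {
    foreach ($share in Get-CimInstance -Namespace root\cimv2 -ClassName Win32_Share) {
        # Bit 0x80000000 in Type marks the built-in administrative shares
        # (ADMIN$, C$, IPC$). Everything else was created deliberately and
        # should match an allow list.
        if (([int64]$share.Type -band 0x80000000) -eq 0) {
            [pscustomobject]@{
                Name        = $share.Name
                Path        = $share.Path
                Type        = $share.Type
                Description = $share.Description
            }
        }
    }
}

Get-ServiceFindings | Format-Table -AutoSize
Get-NonAdminShares  | Format-Table -AutoSize
```

Both functions return objects rather than text so the same logic can be reused against the inventoried copies of these classes in the site database, where StartName, PathName and Type arrive unchanged.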

SW Licensing Product
Namespace: root\cimv2
class SoftwareLicensingProduct
(String) ID
(String) ApplicationID
(String) Description
(DateTime) EvaluationEndDate
(UInt32) GracePeriodRemaining
(UInt32) LicenseStatus
(String) MachineURL
(String) Name
(String) OfflineInstallationId
(String) PartialProductKey
(String) ProcessorURL
(String) ProductKeyID
(String) ProductKeyURL
(String) UseLicenseURL

SW Licensing Service
Namespace: root\cimv2
class SoftwareLicensingService
(String) Version
(String) ClientMachineID
(UInt32) IsKeyManagementServiceMachine
(UInt32) KeyManagementServiceCurrentCount
(String) KeyManagementServiceMachine
(String) KeyManagementServiceProductKeyID
(UInt32) PolicyCacheRefreshRequired
(UInt32) RequiredClientCount
(UInt32) VLActivationInterval
(UInt32) VLRenewalInterval

Software Shortcut
Namespace: root\cimv2\sms
class SMS_SoftwareShortcut
(String) ShortcutKey
(String) BinFileVersion
(String) BinProductVersion
(String) Description
(String) FilePropertiesHash
(String) FilePropertiesHashEx
(UInt32) FileSize
(String) FileVersion
(UInt32) Language
(String) ParentName
(String) Product
(String) ProductCode
(String) ProductVersion
(String) Publisher
(String) ShortcutName
(UInt32) ShortcutType
(String) TargetExecutable

SMS_SoftwareTag
Namespace: root\cimv2\sms
class SMS_SoftwareTag
(String) TagCreatorRegid
(String) UniqueID
(String) DisplayVersion
(Boolean) EntitlementRequired
(String) ProductName
(String) SoftwareCreator
(String) SoftwareCreatorRegid
(String) SoftwareLicensor
(String) SoftwareLicensorRegid
(String) TagCreator
(SInt32) VersionMajor
(SInt32) VersionMinor

Sound Devices
Namespace: root\cimv2
class Win32_SoundDevice
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(UInt16) DMABufferSize
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MPU401Address
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) ProductName
(String) Status
(UInt16) StatusInfo
(String) SystemName

System Account
Namespace: root\cimv2
class Win32_SystemAccount
(String) Domain
(String) Name
(String) Caption
(String) Description
(DateTime) InstallDate
(String) SID
(UInt8) SIDType
(String) Status

System Boot Data
Namespace: root\CCM
class CCM_SystemBootData
(UInt64) SystemStartTime
(UInt32) BiosDuration
(UInt16) BootDiskMediaType
(UInt32) BootDuration
(UInt32) EventLogStart
(UInt32) GPDuration
(String) OSVersion
(UInt32) UpdateDuration

System Boot Summary
Namespace: root\CCM
class CCM_SystemBootSummary
(UInt32) AverageBootFrequency
(UInt32) LatestBiosDuration
(UInt32) LatestBootDuration
(UInt32) LatestCoreBootDuration
(UInt32) LatestEventLogStart
(UInt32) LatestGPDuration
(UInt32) LatestUpdateDuration
(UInt32) MaxBiosDuration
(UInt32) MaxBootDuration
(UInt32) MaxCoreBootDuration
(UInt32) MaxEventLogStart
(UInt32) MaxGPDuration
(UInt32) MaxUpdateDuration
(UInt32) MedianBiosDuration
(UInt32) MedianBootDuration
(UInt32) MedianCoreBootDuration
(UInt32) MedianEventLogStart
(UInt32) MedianGPDuration
(UInt32) MedianUpdateDuration

System Console Usage
Namespace: root\cimv2\sms
class SMS_SystemConsoleUsage
(DateTime) SecurityLogStartDate
(String) TopConsoleUser
(UInt32) TotalConsoleTime
(UInt32) TotalConsoleUsers
(UInt32) TotalSecurityLogTime

System Console User
Namespace: root\cimv2\sms
class SMS_SystemConsoleUser
(String) SystemConsoleUser
(DateTime) LastConsoleUse
(UInt32) NumberOfConsoleLogons
(UInt32) TotalUserConsoleMinutes

System Devices
Namespace: root\cimv2\sms
class CCM_SystemDevices
(String) Name
(String) CompatibleIDs[]
(String) DeviceID
(String) HardwareIDs[]
(Boolean) IsPnP

System Drivers
Namespace: root\cimv2
class Win32_SystemDriver
(String) Name
(Boolean) AcceptPause
(Boolean) AcceptStop
(String) Caption
(String) Description
(Boolean) DesktopInteract
(String) DisplayName
(String) ErrorControl
(UInt32) ExitCode
(DateTime) InstallDate
(String) PathName
(UInt32) ServiceSpecificExitCode
(String) ServiceType
(Boolean) Started
(String) StartMode
(String) StartName
(String) State
(String) Status
(String) SystemName
(UInt32) TagId

System Enclosure
Namespace: root\cimv2
class Win32_SystemEnclosure
(String) Tag
(Boolean) AudibleAlarm
(String) BreachDescription
(String) CableManagementStrategy
(String) Caption
(UInt16) ChassisTypes[]
(SInt16) CurrentRequiredOrProduced
(String) Description
(UInt16) HeatGeneration
(Boolean) HotSwappable
(DateTime) InstallDate
(Boolean) LockPresent
(String) Manufacturer
(String) Model
(String) Name
(UInt16) NumberOfPowerCords
(String) OtherIdentifyingInfo
(String) PartNumber
(Boolean) PoweredOn
(Boolean) Removable
(Boolean) Replaceable
(UInt16) SecurityBreach
(UInt16) SecurityStatus
(String) SerialNumber
(String) ServiceDescriptions[]
(UInt16) ServicePhilosophy[]
(String) SKU
(String) SMBIOSAssetTag
(String) Status
(String) TypeDescriptions[]
(String) Version
(Boolean) VisibleAlarm

Tape Drive
Namespace: root\cimv2
class Win32_TapeDrive
(String) DeviceID
(UInt16) Availability
(UInt16) Capabilities[]
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) Compression
(String) CompressionMethod
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt64) DefaultBlockSize
(String) Description
(UInt32) ECC
(UInt32) EOTWarningZoneSize
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(UInt32) FeaturesHigh
(UInt32) FeaturesLow
(String) ID
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt64) MaxBlockSize
(UInt64) MaxMediaSize
(UInt32) MaxPartitionCount
(String) MediaType
(UInt64) MinBlockSize
(String) Name
(Boolean) NeedsCleaning
(UInt32) NumberOfMediaSupported
(UInt32) Padding
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) ReportSetMarks
(String) Status
(UInt16) StatusInfo
(String) SystemName

Time Zone
Namespace: root\cimv2
class Win32_TimeZone
(String) StandardName
(SInt32) Bias
(String) Caption
(SInt32) DaylightBias
(UInt32) DaylightDay
(UInt8) DaylightDayOfWeek
(UInt32) DaylightHour
(UInt32) DaylightMillisecond
(UInt32) DaylightMinute
(UInt32) DaylightMonth
(String) DaylightName
(UInt32) DaylightSecond
(UInt32) DaylightYear
(String) Description
(String) SettingID
(UInt32) StandardBias
(UInt32) StandardDay
(UInt8) StandardDayOfWeek
(UInt32) StandardHour
(UInt32) StandardMillisecond
(UInt32) StandardMinute
(UInt32) StandardMonth
(UInt32) StandardSecond
(UInt32) StandardYear

TPM
Namespace: root\CIMv2\Security\MicrosoftTpm
class Win32_Tpm
(Boolean) IsActivated_InitialValue
(Boolean) IsEnabled_InitialValue
(Boolean) IsOwned_InitialValue
(UInt32) ManufacturerId
(String) ManufacturerVersion
(String) ManufacturerVersionInfo
(String) PhysicalPresenceVersionInfo
(String) SpecVersion

TPM Status
Namespace: root\cimv2\sms
class SMS_TPM
(Boolean) IsReady
(UInt32) Information
(Boolean) IsApplicable
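
Together with Protected Volume Information earlier on this page, the TPM and TPM Status classes describe a device's hardware-rooted disk protection: Win32_Tpm (root\CIMv2\Security\MicrosoftTpm, which needs an elevated session) reports the chip, and SMS_TPM plus CCM_ProtectedVolumeInfo (both in root\cimv2\sms, so present only where the Configuration Manager client is installed) report readiness and the volumes actually protected. The following PowerShell is an added example, not part of the Configuration Manager documentation, that combines the three into one posture object. Requiring a 2.0 TPM family, and treating every lettered fixed volume (DriveType 3 in Win32_Volume) with no CCM_ProtectedVolumeInfo instance as unprotected, are the example's own policy choices.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Needs an elevated session for Win32_Tpm and the Configuration Manager client
# for SMS_TPM and CCM_ProtectedVolumeInfo.

function Get-DiskProtectionPosture {
    $tpm       = Get-CimInstance -Namespace root\CIMv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $smsTpm    = Get-CimInstance -Namespace root\cimv2\sms -ClassName SMS_TPM -ErrorAction SilentlyContinue
    $protected = @(Get-CimInstance -Namespace root\cimv2\sms -ClassName CCM_ProtectedVolumeInfo -ErrorAction SilentlyContinue)

    # SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM family.
    $family = if ($tpm) { ([string]$tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Normalize drive letters from both sources to a single upper-case letter.
    $protectedLetters = @($protected | Where-Object DriveLetter |
                          ForEach-Object { $_.DriveLetter.Substring(0, 1).ToUpper() })
    $fixed = Get-CimInstance -Namespace root\cimv2 -ClassName Win32_Volume `
                             -Filter 'DriveType = 3 AND DriveLetter IS NOT NULL'
    $unprotected = @($fixed | ForEach-Object { $_.DriveLetter.Substring(0, 1).ToUpper() } |
                     Where-Object { $protectedLetters -notcontains $_ })

    # The *_InitialValue properties are the state captured when the instance was
    # created, which is what hardware inventory reports.
    $tpmOk = [bool]$tpm -and $tpm.IsEnabled_InitialValue -and
             $tpm.IsActivated_InitialValue -and $tpm.IsOwned_InitialValue

    [pscustomobject]@{
        TpmPresent       = [bool]$tpm
        TpmFamily        = $family
        TpmEnabled       = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue }   else { $false }
        TpmActivated     = if ($tpm) { [bool]$tpm.IsActivated_InitialValue } else { $false }
        TpmOwned         = if ($tpm) { [bool]$tpm.IsOwned_InitialValue }     else { $false }
        TpmReady         = if ($smsTpm) { [bool]$smsTpm.IsReady } else { $null }   # $null: client class absent
        ProtectedVolumes = $protectedLetters
        UnprotectedFixed = $unprotected
        # Example's own policy: 2.0 family, enabled/activated/owned, no unprotected fixed volume.
        Compliant        = $tpmOk -and ($family -eq '2.0') -and ($unprotected.Count -eq 0)
    }
}

Get-DiskProtectionPosture | Format-List
```

A device with TpmPresent true but TpmReady null is the usual sign that the Configuration Manager client is missing or its inventory classes have not been created yet, so the two cases should be reported separately rather than both counted as "not compliant".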

TS Issued License
Namespace: root\cimv2
class Win32_TSIssuedLicense
(UInt32) LicenseId
(DateTime) ExpirationDate
(DateTime) IssueDate
(UInt32) KeyPackId
(UInt32) LicenseStatus
(String) sHardwareId
(String) sIssuedToComputer
(String) sIssuedToUser

TS License Key Pack
Namespace: root\cimv2
class Win32_TSLicenseKeyPack
(UInt32) KeyPackId
(UInt32) AvailableLicenses
(String) Description
(UInt32) IssuedLicenses
(UInt32) KeyPackType
(UInt32) ProductType
(String) ProductVersion
(UInt32) TotalLicenses

Uninterruptible Power Supply
Namespace: root\cimv2
class Win32_UninterruptiblePowerSupply
(String) DeviceID
(UInt16) ActiveInputVoltage
(UInt16) Availability
(Boolean) BatteryInstalled
(Boolean) CanTurnOffRemotely
(String) Caption
(String) CommandFile
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt16) EstimatedChargeRemaining
(UInt32) EstimatedRunTime
(UInt32) FirstMessageDelay
(DateTime) InstallDate
(Boolean) IsSwitchingSupply
(UInt32) LastErrorCode
(Boolean) LowBatterySignal
(UInt32) MessageInterval
(String) Name
(String) PNPDeviceID
(Boolean) PowerFailSignal
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt32) Range1InputFrequencyHigh
(UInt32) Range1InputFrequencyLow
(UInt32) Range1InputVoltageHigh
(UInt32) Range1InputVoltageLow
(UInt32) Range2InputFrequencyHigh
(UInt32) Range2InputFrequencyLow
(UInt32) Range2InputVoltageHigh
(UInt32) Range2InputVoltageLow
(UInt16) RemainingCapacityStatus
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) TimeOnBackup
(UInt32) TotalOutputPower
(UInt16) TypeOfRangeSwitching
(String) UPSPort

USB Controller
Namespace: root\cimv2
class Win32_USBController
(String) DeviceID
(UInt16) Availability
(String) Caption
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) Description
(Boolean) ErrorCleared
(String) ErrorDescription
(DateTime) InstallDate
(UInt32) LastErrorCode
(String) Manufacturer
(UInt32) MaxNumberControlled
(String) Name
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(String) Status
(UInt16) StatusInfo
(String) SystemName
(DateTime) TimeOfLastReset

USB Device
Namespace: root\cimv2
class Win32_USBDevice
(String) DeviceID
(String) Caption
(String) ClassGuid
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CreationClassName
(String) Description
(String) Manufacturer
(String) Name
(String) PNPDeviceID
(String) Service
(String) Status
(String) SystemCreationClassName
(String) SystemName

USM User Profile
Namespace: root\cimv2
class Win32_UserProfile
(String) SID
(UInt8) HealthStatus
(String) LastAttemptedProfileDownloadTime
(String) LastAttemptedProfileUploadTime
(String) LastBackgroundRegistryUploadTime
(DateTime) LastDownloadTime
(DateTime) LastUploadTime
(DateTime) LastUseTime
(Boolean) Loaded
(String) LocalPath
(UInt32) RefCount
(Boolean) RoamingConfigured
(String) RoamingPath
(Boolean) RoamingPreference
(Boolean) Special
(UInt32) Status

Video Controller
Namespace: root\cimv2
class Win32_VideoController
(String) DeviceID
(UInt16) AcceleratorCapabilities[]
(String) AdapterCompatibility
(String) AdapterDACType
(UInt32) AdapterRAM
(UInt16) Availability
(String) CapabilityDescriptions[]
(String) Caption
(UInt32) ColorTableEntries
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(UInt32) CurrentBitsPerPixel
(UInt32) CurrentHorizontalResolution
(UInt64) CurrentNumberOfColors
(UInt32) CurrentNumberOfColumns
(UInt32) CurrentNumberOfRows
(UInt32) CurrentRefreshRate
(UInt16) CurrentScanMode
(UInt32) CurrentVerticalResolution
(String) Description
(UInt32) DeviceSpecificPens
(UInt32) DitherType
(DateTime) DriverDate
(String) DriverVersion
(Boolean) ErrorCleared
(String) ErrorDescription
(UInt32) ICMIntent
(UInt32) ICMMethod
(String) InfFilename
(String) InfSection
(DateTime) InstallDate
(String) InstalledDisplayDrivers
(UInt32) LastErrorCode
(UInt32) MaxMemorySupported
(UInt32) MaxNumberControlled
(UInt32) MaxRefreshRate
(UInt32) MinRefreshRate
(Boolean) Monochrome
(String) Name
(UInt16) NumberOfColorPlanes
(UInt32) NumberOfVideoPages
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(UInt16) ProtocolSupported
(UInt32) ReservedSystemPaletteEntries
(UInt32) SpecificationVersion
(String) Status
(UInt16) StatusInfo
(String) SystemName
(UInt32) SystemPaletteEntries
(DateTime) TimeOfLastReset
(UInt16) VideoArchitecture
(UInt16) VideoMemoryType
(UInt16) VideoMode
(String) VideoModeDescription
(String) VideoProcessor

Virtual Application Packages


Namespace: root\Microsoft\appvirt\client
class Package
(String) PackageGUID
(UInt64) CachedLaunchSize
(UInt16) CachedPercentage
(UInt64) CachedSize
(UInt64) LaunchSize
(String) Name
(String) SftPath
(UInt64) TotalSize
(String) Version
(String) VersionGUID

Virtual Applications
Namespace: root\Microsoft\appvirt\client
class Application
(String) Name
(String) Version
(String) CachedOsdPath
(UInt32) GlobalRunningCount
(DateTime) LastLaunchOnSystem
(Boolean) Loading
(String) OriginalOsdPath
(String) PackageGUID

Virtual Machine (64)
Namespace: root\cimv2
class Win32Reg_SMSGuestVirtualMachine64
(String) InstanceKey
(String) PhysicalHostName
(String) PhysicalHostNameFullyQualified

Virtual Machine
Namespace: root\cimv2
class Win32Reg_SMSGuestVirtualMachine
(String) InstanceKey
(String) PhysicalHostName
(String) PhysicalHostNameFullyQualified

Virtual Machine Details


Namespace: root\vm\VirtualServer
class VirtualMachine
(String) Name
(UInt32) CpuUtilization
(UInt64) DiskBytesRead
(UInt64) DiskBytesWritten
(UInt64) DiskSpaceUsed
(UInt64) HeartbeatCount
(UInt32) HeartbeatInterval
(UInt32) HeartbeatPercentage
(UInt32) HeartbeatRate
(UInt64) NetworkBytesReceived
(UInt64) NetworkBytesSent
(UInt64) PhysicalMemoryAllocated
(UInt32) Uptime

Volume
Namespace: root\cimv2
class Win32_Volume
(String) DeviceID
(UInt16) Access
(Boolean) Automount
(UInt16) Availability
(UInt64) BlockSize
(UInt64) Capacity
(String) Caption
(Boolean) Compressed
(UInt32) ConfigManagerErrorCode
(Boolean) ConfigManagerUserConfig
(String) CreationClassName
(String) Description
(Boolean) DirtyBitSet
(String) DriveLetter
(UInt32) DriveType
(Boolean) ErrorCleared
(String) ErrorDescription
(String) ErrorMethodology
(String) FileSystem
(UInt64) FreeSpace
(Boolean) IndexingEnabled
(DateTime) InstallDate
(String) Label
(UInt32) LastErrorCode
(UInt32) MaximumFileNameLength
(String) Name
(UInt64) NumberOfBlocks
(String) PNPDeviceID
(UInt16) PowerManagementCapabilities[]
(Boolean) PowerManagementSupported
(String) Purpose
(Boolean) QuotasEnabled
(Boolean) QuotasIncomplete
(Boolean) QuotasRebuilding
(UInt32) SerialNumber
(String) Status
(UInt16) StatusInfo
(Boolean) SupportsDiskQuotas
(Boolean) SupportsFileBasedCompression
(String) SystemCreationClassName
(String) SystemName

CCM_WebAppInstallInfo
Namespace: root\ccm\cimodels
class CCM_WebAppInstallInfo
(String) AppDeliveryTypeId
(UInt32) AppDtRevision
(String) TargetURL
(String) UserSID
(String) URLFileName
(String) URLPath

SMS_Windows8Application
Namespace: root\cimv2\sms
class SMS_Windows8Application
(String) FullName
(String) ApplicationName
(String) Architecture
(Boolean) ConfigMgrManaged
(String) DependencyApplicationNames
(String) FamilyName
(String) InstalledLocation
(Boolean) IsFramework
(String) Publisher
(String) PublisherId
(String) Version

SMS_Windows8ApplicationUserInfo
Namespace: root\cimv2\sms
class SMS_Windows8ApplicationUserInfo
(String) FullName
(String) UserSecurityId
(String) InstallState
(String) UserAccountName

Windows Update
Namespace: root\cimv2
class Win32Reg_SMSWindowsUpdate
(String) InstanceKey
(UInt32) AUOptions
(UInt32) NoAutoUpdate
(UInt32) UseWUServer

Windows Update Agent Version


Namespace: root\cimv2\sms
class Win32_WindowsUpdateAgentVersion
(String) Version

Write Filter State


Namespace: root\cimv2\sms
class CCM_WriteFilterState
(Boolean) WriteFilterEnabled

Security and privacy for hardware inventory in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains security and privacy information for hardware inventory in Configuration Manager.

Security best practices for hardware inventory


Use the following security best practices when you collect hardware inventory data from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points by using HTTPS, all data that they send is encrypted in transit by TLS. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not collect IDMIF and NOIDMIF files in high-security environments
More information: You can use IDMIF and NOIDMIF file collection to extend hardware inventory collection. When necessary, Configuration Manager creates new tables or modifies existing tables in the Configuration Manager database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. In addition, large amounts of data could be added, and the processing of this data might cause delays in all Configuration Manager functions. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.

Security issues for hardware inventory


Collecting inventory exposes potential vulnerabilities. Attackers can perform the following:
Send invalid data, which the management point accepts even when the inventory client setting is disabled and file collection is not enabled.
Send excessively large amounts of data in a single file or spread across many files, which might cause a denial of service.
Access inventory information as it is transferred to Configuration Manager.
Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative.
Hardware inventory is enabled by default as a client setting.

Privacy information for hardware inventory
Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on
Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect
any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and
software inventory and adding new license management functionality.
Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by
options that you select. Software inventory is enabled by default but files are not collected by default. Asset
Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting
classes to enable.
Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager
database. When clients use HTTPS to connect to management points, the inventory data that they send to the
site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option
to enable inventory encryption. The inventory data is not stored in encrypted format in the database.
Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval.
Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection,
consider your privacy requirements.
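Because hardware inventory can read anything in WMI and the registry, a privacy review starts with what a given client is actually configured to send. The following PowerShell is an added example, not code from the Configuration Manager documentation. It reads the client's applied policy from root\ccm\policy\machine\actualconfig (the InventoryDataItem class and its ItemName, Namespace and Properties members are assumed names; confirm them with Get-CimClass on a client) and then queries one of the classes from the list above exactly as the inventory agent would, so you see the values that leave the machine. Run it elevated on a machine with the Configuration Manager client installed.

```powershell
# Added example (not from the Configuration Manager docs): list the hardware inventory
# classes this client is configured to collect, then preview one of them.
# Assumption: root\ccm\policy\machine\actualconfig:InventoryDataItem exposes ItemName,
# Namespace and Properties. Check with:
#   Get-CimClass -Namespace root\ccm\policy\machine\actualconfig -ClassName InventoryDataItem

function Get-CMHardwareInventoryItem {
    # One object per enabled inventory class from the client's actual (merged) policy.
    $items = Get-CimInstance -Namespace 'root\ccm\policy\machine\actualconfig' `
                             -ClassName InventoryDataItem -ErrorAction Stop
    foreach ($i in $items) {
        [pscustomobject]@{
            ItemName   = $i.ItemName
            # Policy stores the namespace as a WMI path such as \\.\root\cimv2;
            # Get-CimInstance wants the root\cimv2 form.
            Namespace  = ($i.Namespace -replace '^\\\\\.\\', '')
            Properties = @($i.Properties)
        }
    }
}

function Get-CMHardwareInventoryPreview {
    param([Parameter(Mandatory)][string]$ItemName)
    $item = Get-CMHardwareInventoryItem |
        Where-Object { $_.ItemName -eq $ItemName } |
        Select-Object -First 1
    if (-not $item) {
        throw "$ItemName is not enabled in this client's hardware inventory policy"
    }
    # Query the same namespace and only the policy-selected properties, so the
    # output matches what the inventory report will contain.
    $props = if ($item.Properties.Count) { $item.Properties } else { '*' }
    Get-CimInstance -Namespace $item.Namespace -ClassName $item.ItemName -ErrorAction Stop |
        Select-Object -Property $props
}

# Usage: which classes are enabled, and what does this client report for Volume?
Get-CMHardwareInventoryItem | Sort-Object ItemName | Format-Table ItemName, Namespace -AutoSize
Get-CMHardwareInventoryPreview -ItemName Win32_Volume |
    Format-Table DeviceID, DriveLetter, FileSystem, Capacity, FreeSpace, DirtyBitSet -AutoSize
```

Compare the enabled list against the classes you expect from your client settings; a class such as Win32_UserProfile or a custom registry-mapped Win32Reg_* class that you did not intend to enable is a privacy finding, not just a configuration drift.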

Introduction to software inventory in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use software inventory to collect information about files on client devices. Software inventory can also collect files from client devices and store them on the site server. Software inventory is collected when you select the Enable software inventory on clients setting in client settings. You can also schedule the operation in client settings.
After you enable software inventory and the clients run a software inventory cycle, the client sends the
information to a management point in the client's site. The management point then forwards the inventory
information to the Configuration Manager site server, which stores the information in the site database.
There are a few ways to view software inventory data:
Create queries that return devices with specified files.
Create query-based collections that include devices with specified files.
Run reports that provide details about files on devices.
Use Resource Explorer to examine detailed information about the files that were inventoried and collected
from client devices.
When software inventory runs on a client device, the first report is a full inventory. Subsequent reports contain
only delta inventory information. The site server processes delta information in the order received. If delta
information for a client is missing, the site server rejects further delta information and directs the client to run a
full inventory.
Configuration Manager can discover dual-boot computers but only returns inventory information from the
operating system that's active at the time of inventory.

How to configure software inventory in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This procedure configures the default client settings for software inventory and applies to all the computers in
your hierarchy. If you want to apply these settings to only some computers, create a custom device client setting
and assign it to a collection. For more information about how to create custom device settings, see How to
configure client settings.

To configure software inventory


1. In the Configuration Manager console, choose Administration > Client Settings > Default Client Settings.
2. On the Home tab, in the Properties group, choose Properties.
3. In the Default Settings dialog box, choose Software Inventory.
4. In the Device Settings list, configure the following values:
Enable software inventory on clients - From the drop-down list, select True.
Schedule software inventory and file collection schedule - Configures the interval at which clients collect software inventory and files.
5. Configure the client settings that you require. The Software inventory section of the About client settings article has a list of the client settings.
Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see How to manage clients.

TIP
Error code 80041006 in inventoryprovider.log means the WMI provider is out of memory: the memory quota for a provider host has been hit and the inventory provider cannot continue. In this case, the inventory agent creates a report with 0 entries, so no inventory items are reported.
A possible solution for this error is to reduce the scope of the software inventory collection. If the error still occurs after you limit the inventory scope, increasing the MemoryPerHost property of the __ProviderHostQuotaConfiguration class (in the root WMI namespace) can resolve it.
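The quota that the TIP refers to can be inspected and raised from PowerShell. The following is an added example, not code from the Configuration Manager documentation. It reads the single __ProviderHostQuotaConfiguration instance in the root namespace, refuses to lower the limit or to set a per-host value above MemoryAllHosts, and optionally restarts the WMI service so the new value takes effect. Run it in an elevated Windows PowerShell session on the affected client; the 1 GB value in the usage line is a constructed choice, not a recommendation from the page.

```powershell
# Added example (not from the Configuration Manager docs). The quota is a guard against a
# runaway provider exhausting memory, so treat raising it as the last step after the
# inventory scope has been reduced, as the TIP says.

function Get-WmiProviderQuota {
    # Single instance in the root namespace; values are bytes (memory) or counts.
    Get-CimInstance -Namespace root -ClassName __ProviderHostQuotaConfiguration |
        Select-Object MemoryPerHost, MemoryAllHosts, HandlesPerHost, ThreadsPerHost, ProcessLimitAllHosts
}

function Set-WmiProviderMemoryPerHost {
    param(
        # uint32 because that is the CIM type of MemoryPerHost; 4095 MB is the largest value that fits.
        [Parameter(Mandatory)][ValidateRange(1MB, 4095MB)][uint32]$Bytes,
        [switch]$RestartWmi
    )
    $quota = Get-CimInstance -Namespace root -ClassName __ProviderHostQuotaConfiguration
    if ($Bytes -le $quota.MemoryPerHost) {
        Write-Warning ("MemoryPerHost is already {0} bytes; not lowering it." -f $quota.MemoryPerHost)
        return $quota.MemoryPerHost
    }
    # MemoryAllHosts caps the sum over every provider host; a per-host limit above it is never reached.
    if ($Bytes -gt $quota.MemoryAllHosts) {
        throw "Requested MemoryPerHost ($Bytes) exceeds MemoryAllHosts ($($quota.MemoryAllHosts)); raise MemoryAllHosts first."
    }
    $quota.MemoryPerHost = $Bytes
    Set-CimInstance -InputObject $quota
    if ($RestartWmi) {
        # winmgmt restart also restarts dependent services, including the ConfigMgr client (ccmexec).
        Restart-Service -Name winmgmt -Force
    }
    (Get-CimInstance -Namespace root -ClassName __ProviderHostQuotaConfiguration).MemoryPerHost
}

# Usage: show the current quotas, then raise the per-host memory limit to 1 GB.
Get-WmiProviderQuota
Set-WmiProviderMemoryPerHost -Bytes 1GB -RestartWmi
```

After the restart, trigger a software inventory cycle and confirm that inventoryprovider.log no longer records 80041006 before rolling the change out more widely.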

To exclude folders from software inventory


1. Using Notepad.exe, create an empty file named Skpswi.dat .
2. Right-click the Skpswi.dat file and click Properties. In the file properties for the Skpswi.dat file, select
the Hidden attribute.
3. Place the Skpswi.dat file at the root of each client hard drive or folder structure that you want to exclude
from software inventory.
NOTE
Software inventory will not inventory the client drive again unless this file is deleted from the drive on the client computer.
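The same exclusion can be placed by script, which is how you would apply it to many drives or folders consistently. The following PowerShell is an added example and not part of the Configuration Manager documentation; the paths in the usage line are constructed inputs. It creates the empty Skpswi.dat file, sets the Hidden attribute as step 2 requires, and returns the result so you can verify it.

```powershell
# Added example (not the docs' own procedure): create the Skpswi.dat marker without
# Notepad, set the Hidden attribute, and report what was done.

function New-SoftwareInventoryExclusion {
    param([Parameter(Mandatory)][string[]]$Path)   # drive roots or folders to exclude
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) {
            throw "$root is not an existing folder"
        }
        $marker = Join-Path -Path $root -ChildPath 'Skpswi.dat'
        if (-not (Test-Path -LiteralPath $marker)) {
            # Empty file, exactly as the procedure describes.
            New-Item -Path $marker -ItemType File | Out-Null
        }
        # -Force so that an already-hidden marker is still returned.
        $file = Get-Item -LiteralPath $marker -Force
        $file.Attributes = $file.Attributes -bor [System.IO.FileAttributes]::Hidden
        [pscustomobject]@{
            Path   = $file.FullName
            Hidden = $file.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
            Bytes  = $file.Length
        }
    }
}

# Usage: exclude a whole data drive and one build folder (constructed paths).
New-SoftwareInventoryExclusion -Path 'D:\', 'C:\Build'
```

Keep a record of where you placed markers; as the note above says, the client will not inventory that drive or folder again until the file is removed, and the security section for software inventory explains why an unexpected marker matters.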

How to use Resource Explorer to view software inventory in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use Resource Explorer in Configuration Manager to view information about software inventory that has been
collected from computers in your hierarchy.

NOTE
Resource Explorer will not display any inventory data until a software inventory cycle has run on the client.

Resource Explorer provides the following software inventory information:


Software :
Collected Files - Files that were collected during software inventory.
File Details - Files that were inventoried during software inventory that are not associated with a
specific product or manufacturer.
Last Software Scan - Date and time of the last software inventory and file collection for the
client computer.
Product Details - Software products that were inventoried by software inventory, grouped by
manufacturer.

To run Resource Explorer from the Configuration Manager console


1. In the Configuration Manager console, choose Assets and Compliance.
2. In the Assets and Compliance workspace, choose Devices or open any collection that displays devices.
3. Choose the computer containing the inventory that you want to view and then, in the Home tab > Devices group, choose Start > Resource Explorer.
4. You can right-click any item in the right pane of the Resource Explorer window and choose Properties to view the collected inventory information in a more readable format.

View and manage collected diagnostic files


Starting in Configuration Manager version 2002, use Resource Explorer to view and manage the files gathered
when you use client notification to collect client logs.
1. From the Devices node, right-click on the device you want to view logs for.
2. Select Start, then Resource Explorer.
3. From Resource Explorer, click on Diagnostic Files.
4. In the Diagnostic Files list, you can see the collection date for the files. The name format of the client logs is Support_<guid>.zip.
5. Right-click on the zip file and select one of the following options:
Open Support Center: Launches Support Center.
Copy: Copies the row information from Resource Explorer.
View file: Opens the folder where the zip file is located with File Explorer.
Save: Opens a Save File dialog for the selected file.
Export: Saves the Resource Explorer columns shown in Diagnostic Files.
Refresh: Refreshes the file list.
Properties: Returns the properties on the selected file.

Next steps
Use Support Center to view collected diagnostic files.

Security and privacy for software inventory in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains security and privacy information for software inventory in Configuration Manager.

Security best practices for software inventory


Use the following security best practices when you collect software inventory data from clients:

Security best practice: Sign and encrypt inventory data
More information: When clients communicate with management points by using HTTPS, all data that they send is encrypted in transit by TLS. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256.

Security best practice: Do not use file collection to collect critical files or sensitive information
More information: Configuration Manager software inventory runs with all the rights of the LocalSystem account, which can collect copies of critical system files, such as the registry or the security account database. When these files are available at the site server, someone with the Read Resource right or NTFS rights to the stored file location could analyze their contents and possibly discern important details about the client in order to compromise its security.

Security best practice: Restrict local administrative rights on client computers
More information: A user with local administrative rights can send invalid data as inventory information.
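The first best practice in this table, and the identical one in the hardware inventory article earlier on this page, are site-level settings and can be applied with the ConfigurationManager PowerShell module that ships with the console. The following is an added example, not code from the Configuration Manager documentation. The site code PS1 is a placeholder; the Set-CMSite parameter names -RequireSigning, -UseEncryption and -RequireSha256 are used as I know them from that module and should be confirmed with Get-Help Set-CMSite -Full for your version. Requiring SHA-256 is left as an opt-in switch because the page recommends it only where clients support it.

```powershell
# Added example (not from the Configuration Manager docs): require signed inventory, use
# encryption for HTTP inventory, and optionally require SHA-256, for one site.

function Connect-CMSiteDrive {
    param([Parameter(Mandatory)][string]$SiteCode)
    # SMS_ADMIN_UI_PATH points at ...\AdminConsole\bin\i386; the module manifest sits one level up.
    $psd1 = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    Import-Module $psd1 -ErrorAction Stop
    # The module creates a PSDrive named after the site code; cmdlets only work from it.
    Set-Location "$($SiteCode):"
}

function Set-CMInventoryTransportProtection {
    param(
        [Parameter(Mandatory)][string]$SiteCode,
        [switch]$RequireSha256   # only set this once every client can sign with SHA-256
    )
    Connect-CMSiteDrive -SiteCode $SiteCode
    # "Require signing" and "Use encryption" are the two settings that protect inventory
    # and collected files sent over HTTP; HTTPS clients are covered by TLS already.
    Set-CMSite -SiteCode $SiteCode `
               -RequireSigning $true `
               -UseEncryption $true `
               -RequireSha256 ([bool]$RequireSha256)
}

# Usage (PS1 is a placeholder site code).
Set-CMInventoryTransportProtection -SiteCode 'PS1' -RequireSha256
```

Confirm the result in the console under Administration > Site Configuration > Sites > Properties > Signing and Encryption, and watch for clients that stop reporting inventory after SHA-256 is required; that is the symptom of a client that cannot support it.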

Security issues for software inventory


Collecting inventory exposes potential vulnerabilities. Attackers can perform the following:
Send invalid data, which will be accepted by the management point even when the software inventory
client setting is disabled and file collection is not enabled.
Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of
service.
Access inventory information as it is transferred to Configuration Manager.
If users know that they can create a hidden file named Skpswi.dat and place it in the root of a client hard
drive to exclude it from software inventory, you will not be able to collect software inventory data from
that computer.
Because a user with local administrative privileges can send any information as inventory data, do not
consider inventory data that is collected by Configuration Manager to be authoritative.
Software inventory is enabled by default as a client setting.
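Software inventory cannot report a folder it has been told to skip, so the Skpswi.dat evasion in the list above has to be checked out of band, for example with a script deployment or a configuration item. The following PowerShell is an added example, not code from the Configuration Manager documentation. It searches every local fixed drive for Skpswi.dat (recursively, because the exclusion procedure allows the marker at a folder as well as a drive root), records owner and creation time, and flags any marker not on an allow-list. The allow-list entry is a constructed placeholder. Run it elevated, since software inventory itself runs as LocalSystem and a non-elevated scan would miss protected folders.

```powershell
# Added example (not from the Configuration Manager docs): audit Skpswi.dat markers so that
# ones planted to dodge software inventory stand out.

function Find-SoftwareInventoryExclusion {
    param([string[]]$Allowed = @('D:\Skpswi.dat'))   # constructed allow-list of sanctioned markers
    $allowedSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($a in $Allowed) { [void]$allowedSet.Add($a) }

    # DriveType 3 = local fixed disk; removable and network drives are out of scope here.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'
    foreach ($d in $drives) {
        Get-ChildItem -Path "$($d.DeviceID)\" -Filter 'Skpswi.dat' -Recurse -Force -File `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path     = $_.FullName
                    Hidden   = $_.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
                    Owner    = $acl.Owner
                    Created  = $_.CreationTime
                    Expected = $allowedSet.Contains($_.FullName)
                }
            }
    }
}

# Usage: list only the markers nobody sanctioned.
Find-SoftwareInventoryExclusion | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

An unexpected marker owned by an ordinary user account in that user's profile is the pattern described in the security issue above; one owned by an administrator at a drive root may simply be an exclusion that was never recorded. Either way, the client's software inventory for that subtree has been blank since the file's creation time.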

Privacy information for software inventory


Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on
Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect
any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and
software inventory and adding new license management functionality.
Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by
options that you select. Software inventory is enabled by default but files are not collected by default. Asset
Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting
classes to enable.
Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager
database. When clients use HTTPS to connect to management points, the inventory data that they send to the
site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option
to enable inventory encryption. The inventory data is not stored in encrypted format in the database.
Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval.
Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection,
consider your privacy requirements.

Introduction to asset intelligence in Configuration Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated.
This deprecation plan doesn't include the product lifecycle dashboard.

Inventory and manage software license usage throughout your enterprise by using the asset intelligence
catalog. Asset intelligence adds hardware inventory classes to improve the breadth of information that
Configuration Manager collects. This information includes the hardware and software titles used in your
environment. Over 60 reports present this information in an easy-to-use format. Many of these reports link to
more specific reports. Query for general information and drill down to more detailed information.
Add custom information to the asset intelligence catalog. For example, custom software categories, software
families, software labels, and hardware requirements. To dynamically update the asset intelligence catalog with
the most current information available, connect it to the Microsoft Cloud.
Use asset intelligence to help reconcile your enterprise software license usage. Import software license
information into the Configuration Manager site database to view it against what software is being used.

Asset intelligence catalog


The asset intelligence catalog is a set of database tables stored in the site database. These tables include
categorization and identification information for over 300,000 software titles and versions. They also help
manage hardware requirements for specific software titles.
Asset intelligence provides software license information for both Microsoft and non-Microsoft software titles that are in use. A predefined set of hardware requirements for software titles is available in the
asset intelligence catalog, and you can create new user-defined hardware requirement information to meet
custom requirements. You can also customize information in the asset intelligence catalog, and you can upload
software title information to the Microsoft cloud for categorization.
Asset intelligence catalog updates that include newly released software are available for download periodically
to perform bulk catalog updates. It can also be dynamically updated by using the asset intelligence
synchronization point.
Software categories
Asset intelligence software categories are used to widely categorize inventoried software titles and as high-level
groupings of more specific software families. For example, a software category could be energy companies, and
a software family within that software category could be oil and gas or hydroelectric. Many software categories
are predefined in the asset intelligence catalog. You can create user-defined categories to additionally define
inventoried software. The validation state for all predefined software categories is always Validated. Custom software category information added to the asset intelligence catalog is User Defined.
For more information about how to manage software categories, see Configuring asset intelligence.
NOTE
Predefined software category information stored in the asset intelligence catalog is read-only. You can't change or delete
it. Administrative users can add, modify, or delete user-defined software categories.

Software families
Asset intelligence software families are used to define inventoried software titles within software categories. Many software families are predefined in the asset intelligence catalog. You can create user-defined families to further define inventoried software. The validation state for all predefined software families is always Validated. Custom software family information added to the asset intelligence catalog is User Defined.
For more information about how to manage software families, see Configuring asset intelligence.

NOTE
Predefined software family information is read-only and can't be changed. Administrative users can add, modify, or delete
user-defined software families.

Software labels
Asset intelligence custom software labels let you create filters to group software titles and to view them in asset
intelligence reports. Use software labels to create user-defined groups of software titles that share a common
attribute. For example, you could create a software label called Shareware, associate it with inventoried
shareware titles, and run a report to display all software titles with that label. There are no predefined labels. The validation state for software labels is always User Defined.
For more information about how to manage software labels, see Configuring asset intelligence.
Hardware requirements
Use the hardware requirements information to verify that computers meet the hardware requirements for
software titles before they're targeted for software deployments. Manage hardware requirements for software
titles in the Assets and Compliance workspace in the Hardware Requirements node under the Asset
Intelligence node.
Many hardware requirements are predefined in the asset intelligence catalog. Create new user-defined
hardware requirement information to meet custom requirements. The validation state for all predefined
hardware requirements is always Validated. User-defined hardware requirements information added to the asset intelligence catalog is User Defined.
For more information about how to manage hardware requirements, see Configuring asset intelligence.

NOTE
The hardware requirements displayed in the Configuration Manager console are retrieved from the asset intelligence
catalog. They aren't based on inventoried software title information from clients.
Hardware requirement information isn't updated as part of the synchronization process with Microsoft.
You can create user-defined hardware requirements for inventoried software that doesn't have associated hardware
requirements.

By default, the following information is displayed for each listed hardware requirement:
Software Title : The software title associated with the hardware requirement
Minimum CPU (MHz) : The minimum processor speed in megahertz (MHz) required by the software
title
Minimum RAM (KB) : The minimum RAM in kilobytes (KB) required by the software title
Minimum Disk Space (KB) : The minimum free hard disk space in KB required by the software title
Minimum Disk Size (KB) : The minimum hard disk size in KB required by the software title
Validation State : The validation state for the hardware requirement
Predefined hardware requirements stored in the asset intelligence catalog are read-only and can't be deleted.
Administrative users can add, modify, or delete user-defined hardware requirements for software titles that
aren't stored in the asset intelligence catalog.

Inventoried software titles


To view inventoried software title information in the Configuration Manager console, go to the Assets and
Compliance workspace, expand the Asset Intelligence node, and select the Inventoried Software node.
The hardware inventory agent collects the inventoried software information from Configuration Manager clients
based on the software titles stored in the asset intelligence catalog.

NOTE
The hardware inventory agent collects inventory based on the asset intelligence hardware inventory reporting classes
that you enable. For more information about how to enable the reporting classes, see Configuring asset intelligence.

By default, the following information is displayed for each inventoried software title:
Name : The name of the inventoried software title
Vendor : The name of the vendor that developed the inventoried software title
Version : The product version of the inventoried software title
Category: The software category that's currently assigned to the inventoried software title
Family : The software family that's currently assigned to the inventoried software title
Label 1, Label 2, and Label 3: The custom labels associated with the software title. Inventoried software titles can have up to three custom labels associated with them.
Count : The number of Configuration Manager clients that have inventoried the software title
State : The validation state for the inventoried software title

NOTE
You can change the categorization information for inventoried software only at the top-level site in your hierarchy. This information includes product name, vendor, software category, and software family. After you modify the categorization information for predefined software, the validation state for the software changes from Validated to User Defined.

Asset intelligence synchronization point


The asset intelligence synchronization point is a Configuration Manager site system role. It's used to connect to
the Microsoft cloud on TCP port 443 to manage dynamic catalog information updates. Install this site role only
on the top-level site of the hierarchy. Configure all asset intelligence catalog customization by using a
Configuration Manager console connected to the top-level site.
While you configure all updates at the top-level site, catalog information is replicated to other sites in the
hierarchy. The site role lets you request on-demand catalog synchronization with Microsoft, or schedule
automatic catalog synchronization. In addition to downloading new catalog information, the asset intelligence
synchronization point can upload custom software title information to Microsoft for categorization. Microsoft
treats all uploaded software titles as public information. Make sure that your custom software titles don't include
confidential or proprietary information.
After you submit an uncategorized software title, Microsoft doesn't review it until there are at least four
categorization requests from customers for the same software title. Then Microsoft researchers identify,
categorize, and make the software title categorization information available to all customers who are using the
online service. Software titles that represent the most requests for categorization receive the highest priority to
categorize. Custom software and line-of-business applications are unlikely to receive a category. Don't send
these software titles to Microsoft for categorization.
An asset intelligence synchronization point is required to connect to the Microsoft cloud. For information about
how to install the role, see Configuring asset intelligence.

Asset intelligence home page


The Asset Intelligence node in the Assets and Compliance workspace is the home page for asset
intelligence in Configuration Manager. This home page displays a summary dashboard view for asset
intelligence catalog information.

NOTE
The Asset Intelligence home page doesn't automatically update while you're viewing it.

The Asset Intelligence home page includes the following sections:


Catalog Synchronization : Information about whether asset intelligence is enabled and the current
status of the asset intelligence synchronization point.

NOTE
The home page only displays this section when you install an asset intelligence synchronization point.

The section also provides the following information:


Synchronization schedule
If you've imported a customer license statement
The last status update
The time for the next scheduled update
The number of changes after you installed the asset intelligence synchronization point
Inventoried Software Status : The count and percentage of inventoried software, software categories,
and software families that are identified by Microsoft, identified by an administrator, pending online
identification, or unidentified and not pending. The information displayed in table format shows the count
for each, and the information displayed in the chart shows the percentage for each.

Asset intelligence reports


The asset intelligence reports are located in the Configuration Manager console, in the Monitoring workspace,
in the Asset intelligence folder under the Reporting node. The reports provide information about hardware,
license management, and software. For more information about reports in Configuration Manager, see
Introduction to reporting.

NOTE
The accuracy of the quantity of installed software titles and license information displayed in asset intelligence reports
might vary from the actual number of software titles installed or licenses that are used in the environment. This variation
is because of the complex dependencies and limitations involved in inventorying software license information for software
titles that are installed in enterprise environments. Don't use asset intelligence reports as the sole source for determining
purchased software license compliance.

Hardware reports
Asset intelligence hardware reports provide information about hardware assets in the organization. By using
hardware inventory information such as speed, memory, and peripheral devices, asset intelligence hardware
reports can present information about USB devices, about hardware that must be upgraded, and even about
computers that aren't ready for a specific software upgrade.

NOTE
Some user data in asset intelligence hardware reports is collected from the Windows security event log. For better report
accuracy, clear this log when you reassign a computer to a new user.

License management reports


Asset intelligence license management reports provide data about licenses that are being used. The License
Ledger report lists installed Microsoft applications in a format congruent with a Microsoft License Statement
(MLS). This format provides a convenient method of matching acquired licenses with used licenses. Other
license management reports provide information about computers acting as servers that run the key
management service (KMS) for Windows activation statistics.

IMPORTANT
Several of the asset intelligence license management reports present information about the function of KMS, a method of
administering volume licensing. If you haven't implemented a KMS server, some reports might not return any data.

Software reports
Asset intelligence software reports provide information about software families, categories, and specific
software titles that are installed on computers in the organization. The software reports present information
such as browser helper objects and software that starts automatically. These reports can be used to identify
adware, spyware, and other malware. You can also use them to identify software redundancy to help streamline
software acquisition and support.
Software identification tag reports

Asset intelligence software identification tag reports provide information about software that includes a software identification tag compliant with ISO/IEC 19770-2. The software identification tags provide authoritative information used to identify installed software. When you enable the SMS_SoftwareTag hardware inventory reporting class, Configuration Manager collects information about the software with software identification tags.

The following reports provide information about the software:

- Software 14A - Search for software identification tag enabled software: The count of installed software with a software identification tag enabled
- Software 14B - Computers with specific software identification tag enabled software installed: All computers that have installed software with a specific software identification tag enabled
- Software 14C - Installed software identification tag enabled software on a specific computer: All installed software with a specific software identification tag enabled on a specific computer
Reporting limitations
Asset intelligence reports can provide large amounts of information about installed software titles and acquired
software licenses that are being used. Don't use this information as the only source for determining acquired
software license compliance.
Example dependencies
The accuracy of the quantity displayed in the asset intelligence reports for installed software titles and license
information can vary from the actual amounts currently used. This variation is caused by the complex
dependencies involved in inventorying software license information for software titles in use in enterprise
environments. The following examples show the dependencies involved in inventorying installed software in the
enterprise by using asset intelligence that might affect the accuracy of asset intelligence reports:
- Client hardware inventory dependencies: Asset intelligence installed software reports are based on data collected from Configuration Manager clients by extending hardware inventory to enable asset intelligence reporting. Because of this dependency on hardware inventory reporting, asset intelligence reports reflect data only from clients that successfully complete hardware inventory processes with the required asset intelligence WMI reporting classes enabled. Because Configuration Manager clients perform hardware inventory processes on a schedule defined by the administrative user, a delay might occur in data reporting that affects the accuracy of asset intelligence reports.
  For example, an inventoried licensed software title might be uninstalled after the client finishes a successful hardware inventory cycle. Asset intelligence reports display the software title as installed until the client's next scheduled hardware inventory reporting cycle.
- Software packaging dependencies: Asset intelligence reports are based on installed software title data collected by using standard Configuration Manager client hardware inventory processes. Some software title data might not be collected correctly. Examples that could cause inaccurate asset intelligence reporting:
  - Software installations that don't comply with standard installation processes
  - Software installations that were changed before installation
Legal limitations
The information displayed in asset intelligence reports is subject to many limitations. The information displayed
in them doesn't represent legal, accounting, or other professional advice. The information provided by asset
intelligence reports is for information only. Don't use it as the only source of information for determining
software license usage compliance.
The following limitations are examples of using asset intelligence that might affect the accuracy of the reports:
- Microsoft license usage quantity limitations:
  - The quantity of acquired Microsoft software licenses is based on information that administrators supply. Closely review it to make sure that the correct number of software licenses is provided.
  - The reported quantity of Microsoft software licenses includes information only about Microsoft software licenses acquired through volume licensing programs. It doesn't reflect information for software licenses acquired through retail, OEM, or other software license sales channels.
  - Software licenses acquired in the last 45 days might not be included in the quantity of Microsoft software licenses reported because of software reseller reporting requirements and schedules.
  - Software license transfers from company mergers or acquisitions might not be reflected in Microsoft software license quantities.
  - Nonstandard terms and conditions in a Microsoft Volume Licensing (MVLS) agreement might affect the number of software licenses reported. They might require additional review by a Microsoft representative.
- Installed software title quantity limitations: Configuration Manager clients must successfully complete hardware inventory reporting cycles for the asset intelligence reports to accurately report the quantity of installed software titles. There might be a delay between the installation or uninstallation of a licensed software title after a successful hardware inventory reporting cycle. This action may not be reflected in asset intelligence reports run before the client reports its next scheduled hardware inventory.
- License reconciliation limitations: The reconciliation of the quantity of installed software titles to the quantity of acquired software licenses is calculated by using a comparison of the license quantity specified by the administrator and the quantity of installed software titles collected from Configuration Manager client hardware inventories based on the schedule set by the administrator. This comparison doesn't represent a final Microsoft conclusion of the license positions. The actual license position depends on the specific software title license and usage rights granted by the license terms.

Asset intelligence validation states


Asset intelligence validation states represent the source and current validation status of asset intelligence
catalog information. The following table shows possible asset intelligence validation states and administrator
actions that can cause them.

State: Validated
  Definition: Microsoft researchers defined the catalog item.
  Administrator action: None
  Comment: Best state

State: User Defined
  Definition: Microsoft researchers haven't defined the catalog item.
  Administrator action: Customize the local catalog information.
  Comment: This state is displayed in asset intelligence reports.

State: Pending
  Definition: Microsoft researchers haven't defined the catalog item, but you submitted the item to Microsoft for categorization.
  Administrator action: No further action after requesting categorization.
  Comment: Catalog item remains in this state until Microsoft researchers categorize the item, and you synchronize your asset intelligence catalog.

State: Updateable
  Definition: A user-defined catalog item has been categorized differently by Microsoft during catalog synchronization.
  Administrator action: Use the Resolve Conflict action to decide whether to use the new categorization information or the previous user-defined value. For more information about how to resolve conflicts, see Operations for asset intelligence.
  Comment: After you resolve a categorization conflict, the item isn't validated as conflicting again unless later categorization updates introduce new information about the item.

State: Uncategorized
  Definition: Catalog item hasn't been defined by Microsoft researchers, the item hasn't been submitted to Microsoft for categorization, and the administrator hasn't assigned a user-defined categorization value.
  Administrator action: Request categorization or customize your local catalog information. For more information, see Operations for asset intelligence.
  Comment: None

NOTE
Catalog items that you submit to Microsoft for categorization have a validation state of Pending on a central
administration site, but continue to be displayed with a validation state of Uncategorized on child primary sites.

For examples of when a validation state might transition from one state to another, see Example validation state
transitions for asset intelligence.
Prerequisites for Asset Intelligence in Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Asset Intelligence in Configuration Manager has external dependencies and dependencies within the product.

Dependencies external to Configuration Manager


The following table provides the dependencies for Asset Intelligence that are external to Configuration Manager.

Dependency: Auditing of Success Logon Events Prerequisites

Four Asset Intelligence reports display information gathered from the Windows Security event logs on client computers. If the Security event log settings are not configured to log all Success logon events, these reports contain no data even if the appropriate hardware inventory reporting class is enabled.

The following Asset Intelligence reports depend on collected Windows Security event log information:

- Hardware 03A - Primary Computer Users
- Hardware 03B - Computers for a Specific Primary Console User
- Hardware 04A - Shared (Multi-user) Computers
- Hardware 05A - Console Users on a Specific Computer

To enable the Hardware Inventory Client Agent to inventory the information required to support these reports, you must first modify the Windows Security event log settings on clients to log all Success logon events, and enable the SMS_SystemConsoleUser hardware inventory reporting class. For more information about modifying Security event log settings to log all Success logon events, see Enable auditing of success logon events.

NOTE
The SMS_SystemConsoleUser hardware inventory reporting class retains successful logon event data for only the
previous 90 days of the Security event log, regardless of the length of the log. If the Security event log has fewer than 90
days of data, the entire log is read.

Dependencies Internal to Configuration Manager


The following table provides the dependencies for Asset Intelligence that are internal to Configuration Manager.

Dependency: Client Agent Prerequisites

The Asset Intelligence reports depend on client information that is obtained through client hardware and software inventory reports. To obtain the information necessary for all Asset Intelligence reports, the following client agents must be enabled:

- Hardware Inventory Client Agent
- Software Metering Client Agent

Dependency: Hardware Inventory Client Agent Dependencies

To collect inventory data required for some Asset Intelligence reports, the Hardware Inventory Client Agent must be enabled. In addition, some hardware inventory reporting classes that Asset Intelligence reports depend on must be enabled on primary site server computers.

For information about enabling the Hardware Inventory Client Agent, see How to extend hardware inventory.

Dependency: Software Metering Client Agent Dependencies

A number of Asset Intelligence software reports depend on the Software Metering Client Agent for data. For information about enabling the Software Metering Client Agent, see Monitor app usage with software metering.

The following Asset Intelligence reports depend on the Software Metering Client Agent to provide data:

- Software 07A - Recently Used Executables by Number of Computers
- Software 07B - Computers that Recently Used a Specified Executable
- Software 07C - Recently Used Executables on a Specific Computer
- Software 08A - Recently Used Executables by Number of Users
- Software 08B - Users that Recently Used a Specified Executable
- Software 08C - Recently Used Executables by a Specified User

Dependency: Asset Intelligence Hardware Inventory Reporting Class Prerequisites

Asset Intelligence reports in Configuration Manager depend on specific hardware inventory reporting classes. Until the hardware inventory reporting classes are enabled and clients have reported hardware inventory based on these classes, the associated Asset Intelligence reports do not contain any data. You can enable the following hardware inventory reporting classes to support Asset Intelligence reporting requirements:

- SMS_SystemConsoleUsage (1)
- SMS_SystemConsoleUser (1)
- SMS_InstalledSoftware
- SMS_AutoStartSoftware
- SMS_BrowserHelperObject
- Win32_USBDevice
- SMS_InstalledExecutable
- SMS_SoftwareShortcut
- SoftwareLicensingService
- SoftwareLicensingProduct
- SMS_SoftwareTag

(1) By default, the SMS_SystemConsoleUsage and SMS_SystemConsoleUser Asset Intelligence hardware inventory reporting classes are enabled.

You can edit the Asset Intelligence hardware inventory reporting classes in the Configuration Manager console, in the Assets and Compliance workspace, when you click the Asset Intelligence node. For more information, see the Enable Asset Intelligence hardware inventory reporting classes section in the Configuring Asset Intelligence topic.

Dependency: Reporting services point

The reporting services point site system role must be installed before software updates reports can be displayed. For more information about creating a reporting services point, see Configuring reporting.
Configure Asset Intelligence in Configuration Manager
2/16/2022 • 12 minutes to read

Applies to: Configuration Manager (current branch)


Asset Intelligence inventories and manages software license usage.

Steps to configure Asset Intelligence


Step 1: To collect the inventory data required for Asset Intelligence reports, you have to enable the hardware inventory client agent as described in How to extend hardware inventory.
Step 2: Enable Asset Intelligence Hardware Inventory Reporting Classes.
Step 3: Install an Asset Intelligence Synchronization Point.
Step 4: Enable auditing of success logon events.
Step 5: Import Software License Information.
Step 6: Configure Asset Intelligence maintenance tasks.
Enable Asset Intelligence hardware inventory reporting classes
To enable Asset Intelligence in Configuration Manager sites, you must enable one or more Asset Intelligence
hardware inventory reporting classes. You can enable the classes on the Asset Intelligence home page, or, in
the Administration workspace, in the Client Settings node, in client settings properties. Use one of the
following procedures.
To enable Asset Intelligence hardware inventory reporting classes from the Asset Intelligence home page

1. In the Configuration Manager console, choose Asset and Compliance > Asset Intelligence.
2. On the Home tab, in the Asset Intelligence group, choose Edit Inventory Classes.
3. To enable Asset Intelligence reporting, select Enable all Asset Intelligence reporting classes or Enable only the selected Asset Intelligence reporting classes, and select at least one reporting class from the classes displayed.

NOTE
Asset Intelligence reports that depend on the hardware inventory classes that you enable by using this procedure
do not display data until clients have scanned for and returned hardware inventory.

To enable Asset Intelligence hardware inventory reporting classes from client settings properties

1. In the Configuration Manager console, choose Administration > Client Settings > Default Client Agent Settings. If you have created custom client settings, you can select those instead.
2. On the Home tab, in the Properties group, choose Properties.
3. Choose Hardware Inventory > Set Classes.
4. Choose Filter by category > Asset Intelligence Reporting Classes. The list of classes is refreshed with only the Asset Intelligence hardware inventory reporting classes.
5. Select at least one reporting class from the list.
NOTE
Asset Intelligence reports that depend on the hardware inventory classes that you enable by using this procedure
do not display data until clients have scanned for and returned hardware inventory.

Install an Asset Intelligence Synchronization Point


The Asset Intelligence synchronization point site system role is used to connect Configuration Manager sites to
System Center Online to synchronize Asset Intelligence catalog information. The Asset Intelligence
synchronization point can only be installed on a site system located at the top-level site of the Configuration
Manager hierarchy and requires Internet access to synchronize with System Center Online by using TCP port
443.
In addition to downloading new Asset Intelligence catalog information, the Asset Intelligence synchronization
point can upload custom software title information to System Center Online for categorization. Microsoft treats
all uploaded software titles as public information. Ensure that your custom software titles do not contain
confidential or proprietary information. For more information about requesting software title categorization, see
Request a catalog update for uncategorized software titles.
To install an Asset Intelligence synchronization point site system role

1. In the Configuration Manager console, choose Administration > Site Configuration > Servers and Site System Roles.
2. Add the Asset Intelligence synchronization point site system role to a new or existing site system server:
For a New site system server: On the Home tab, in the Create group, choose Create Site System Server to start the wizard.

NOTE
By default, when Configuration Manager installs a site system role, the installation files are installed on the
first available NTFS-formatted hard disk drive that has the most available free hard disk space. To prevent
Configuration Manager from installing on specific drives, create an empty file named
NO_SMS_ON_DRIVE.SMS and copy it to the root folder of the drive before you install the site system
server.

For an Existing site system server: Choose the server on which you want to install the Asset Intelligence synchronization point site system role. When you choose a server, a list of the site system roles that are already installed on the server is displayed in the details pane. On the Home tab, in the Server group, choose Add Site System Role to start the wizard.
3. Complete the General page. When you add the Asset Intelligence synchronization point to an existing site system server, verify the values that were previously configured.
4. On the System Role Selection page, select Asset Intelligence Synchronization Point from the list of available roles.
5. On the Asset Intelligence Synchronization Point Connection Settings page, choose Next. By default, the Use this Asset Intelligence Synchronization Point setting is selected and cannot be configured on this page. System Center Online accepts network traffic only over TCP port 443, therefore the SSL port number setting cannot be configured on this page of the wizard.
6. Optionally, you can specify a path to the System Center Online authentication certificate (.pfx) file. Typically, you do not specify a path for the certificate because the connection certificate is automatically provisioned during site role installation.
7. On the Proxy Server Settings page, specify whether the Asset Intelligence synchronization point will use a proxy server when connecting to System Center Online to synchronize the catalog and whether to use credentials to connect to the proxy server.

WARNING
If a proxy server is required to connect to System Center Online, the connection certificate might also be deleted if
the user account password expires for the account configured for proxy server authentication.

8. On the Synchronization Schedule page, specify whether to synchronize the Asset Intelligence catalog
on a schedule. When you enable the synchronization schedule, you specify a simple or custom
synchronization schedule. During scheduled synchronization, the Asset Intelligence synchronization point
connects to System Center Online to retrieve the latest Asset Intelligence catalog. You can manually
synchronize the Asset Intelligence catalog from the Asset Intelligence node in the Configuration Manager
console. For the steps to manually synchronize the Asset Intelligence catalog, see the To manually
synchronize the Asset Intelligence catalog section in the Operations for Asset Intelligence.
9. Complete the wizard.
Enable auditing of success logon events
Four Asset Intelligence reports display information gathered from the Windows Security event logs on client
computers. Here's how to configure computer security policy logon settings to enable auditing of Success logon
events.
To enable success logon event logging by using a local security policy

1. On a Configuration Manager client computer, choose Start > Administrative Tools > Local Security Policy.
2. In the Local Security Policy dialog box, under Security Settings, expand Local Policies, and then choose Audit Policy.
3. In the results pane, double-click Audit logon events, ensure that the Success check box is selected, and then choose OK.
To enable success logon event logging by using an Active Directory domain security policy

1. On a domain controller computer, choose Start, point to Administrative Tools, and then choose Domain Security Policy.
2. In the Local Security Policy dialog box, under Security Settings, expand Local Policies, and then choose Audit Policy.
3. In the results pane, double-click Audit logon events, ensure that the Success check box is selected, and then choose OK.
Import software license information
The following sections describe the procedures necessary to import both Microsoft and general software
licensing information into the Configuration Manager site database by using the Import Software License
Wizard. When you import software license information into the site database from license statement files, the
site server computer account requires Full Control permissions for the NTFS file system to the file share that is
used to import software license information.

IMPORTANT
When software license information is imported into the site database, existing software license information is overwritten.
Ensure that the software license information file that you use with the Import Software License Wizard contains a
complete listing of all necessary software license information.
To import software license information into the Asset Intelligence catalog

1. In the Asset and Compliance workspace, choose Asset Intelligence.
2. On the Home tab, in the Asset Intelligence group, choose Import Software Licenses.
3. On the Import page, specify whether you are importing a Microsoft Volume Licensing (MVLS) file (.xml or .csv) or a General License Statement file (.csv). For more information about creating a General License Statement file, see Create a general license statement information file for import later in this topic.

WARNING
To download an MVLS file in .csv format that you can import to the Asset Intelligence catalog, see Microsoft
Volume Licensing Service Center. To access this information, you must have a registered account on the website.
You must contact your Microsoft account representative for information about how to get your MVLS file in .xml
format.

4. Enter the UNC path to the license statement file or choose Browse to select a network shared folder and
file.

NOTE
The shared folder should be correctly secured to prevent unauthorized access to the licensing information file, and
the computer account of the computer that the wizard is being run on must have Full Control permissions to the
share that contains the license import file.

5. Complete the wizard.


Create a general license statement information file for import
A general license statement can also be imported into the Asset Intelligence catalog by using a manually created
license import file in comma delimited (.csv) file format.

NOTE
While only the Name , Publisher , Version , and EffectiveQuantity fields are required to contain data, all fields must be
entered on the first row of the license import file. All date fields should be displayed in the following format:
Month/Day/Year, for example, 08/04/2008.

Asset Intelligence matches the products that you specify in the general license statement by using the product
name and product version, but not publisher name. You must use a product name in the general license
statement that is an exact match with the product name stored in the site database. Asset Intelligence takes the
EffectiveQuantity number given in the general license statement and compares the number with the number
of installed products found in Configuration Manager inventory.

TIP
To get a complete list of the product names stored in the Configuration Manager site database, you can run the following
query on the site database: SELECT DISTINCT ProductName0 FROM v_GS_INSTALLED_SOFTWARE.

You can specify exact versions for a product or specify part of the version, such as only the major version. The
following examples provide the resulting version matches for a general license statement version entry for a
specific product.
General license statement entry: Name: "MySoftware", ProductVersion0: "2"
Matching site database entries:
- ProductName0: "Mysoftware", ProductVersion0: "2.01.1234"
- ProductName0: "MySoftware", ProductVersion0: "2.02.5678"
- ProductName0: "MySoftware", ProductVersion0: "2.05.1234"
- ProductName0: "MySoftware", ProductVersion0: "2.05.5678"
- ProductName0: "MySoftware", ProductVersion0: "2.05.3579.000"
- ProductName0: "MySoftware", ProductVersion0: "2.10.1234"

General license statement entry: Name: "MySoftware", Version "2.05"
Matching site database entries:
- ProductName0: "MySoftware", ProductVersion0: "2.05.1234"
- ProductName0: "MySoftware", ProductVersion0: "2.05.5678"
- ProductName0: "MySoftware", ProductVersion0: "2.05.3579.000"

General license statement entries: Name: "Mysoftware", Version "2" and Name: "Mysoftware", Version "2.05"
Matching site database entries: Error during import. The import fails when more than one entry matches the same product version.

To create a general license statement import file by using Microsoft Excel

1. Open Microsoft Excel and create a new spreadsheet.
2. On the first row of the new spreadsheet, enter all software license data field names.
3. On the second and subsequent rows of the new spreadsheet, enter software license information as required. Ensure that at least all of the required software license data fields are entered on subsequent rows for each software license to be imported. The software title name entered in the spreadsheet must be the same as the software title that is displayed in Resource Explorer for a client computer after hardware inventory has run.
4. Save the file in .csv format.
5. Copy the .csv file to the file share that is used to import software license information into the Asset Intelligence catalog.
6. In the Configuration Manager console, use the Import Software License Wizard to import the newly created .csv file.
7. Run the Asset Intelligence License 15A - Third Party Software Reconciliation Report to verify that the licensing information has been successfully imported into the Asset Intelligence catalog.

NOTE
For an example of a general software license file that you can use for testing purposes, see Example Asset Intelligence
general license import file.

Sample table to describe software licenses


When creating a general license statement import file, the information in the following table can be used to
describe software licenses to be imported into the Asset Intelligence catalog.
Column name (data type; required?): Example

- Name (up to 255 characters; required): Software title
- Publisher (up to 255 characters; required): Software publisher
- Version (up to 255 characters; required): Software title version
- Language (up to 255 characters; required): Software title language
- EffectiveQuantity (integer value; required): Number of licenses purchased
- PONumber (up to 255 characters; optional): Purchase order information
- ResellerName (up to 255 characters; optional): Reseller information
- DateOfPurchase (date value in the format MM/DD/YYYY; optional): Date of license purchase
- SupportPurchased (bit value; optional): 0 or 1: Enter 0 for Yes, or 1 for No
- SupportExpirationDate (date value in the format MM/DD/YYYY; optional): End date of purchased support
- Comments (up to 255 characters; optional): Optional comments
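The following Python script is an added example, not code from this topic or from Configuration Manager. It checks a general license statement .csv against the field rules given above (all column names on the first row, the required fields filled in, MM/DD/YYYY dates, a 0/1 SupportPurchased value) and then applies the name-and-version matching from the table above to constructed inventory rows shaped like v_GS_INSTALLED_SOFTWARE, flagging the case where two license entries match the same installed product version, which is the condition under which the import fails. The sample license file and inventory rows are constructed; treating product names as case-insensitive (the table above pairs "MySoftware" with "Mysoftware") and treating Language as optional (the NOTE above lists only four required fields) are assumptions.

```python
"""Validate a general license statement .csv and reconcile it against installed
software. Constructed sample data only; nothing here talks to a site database."""
import csv
import io
from datetime import datetime

# Column names from the sample table in this topic. The NOTE lists Name,
# Publisher, Version and EffectiveQuantity as the fields that must contain data;
# assumption: Language may be left blank.
ALL_FIELDS = ("Name", "Publisher", "Version", "Language", "EffectiveQuantity",
              "PONumber", "ResellerName", "DateOfPurchase", "SupportPurchased",
              "SupportExpirationDate", "Comments")
REQUIRED = ("Name", "Publisher", "Version", "EffectiveQuantity")
DATE_FIELDS = ("DateOfPurchase", "SupportExpirationDate")

# Constructed sample license statement (not a real MVLS or customer file).
SAMPLE_CSV = (
    "Name,Publisher,Version,Language,EffectiveQuantity,PONumber,ResellerName,"
    "DateOfPurchase,SupportPurchased,SupportExpirationDate,Comments\n"
    "MySoftware,Contoso,2.05,English,3,PO-1001,Example Reseller,08/04/2008,0,08/04/2009,constructed sample\n"
    "OtherApp,Fabrikam,1,English,10,,,01/15/2020,1,,\n"
)

# Constructed rows shaped like v_GS_INSTALLED_SOFTWARE, using the version
# strings from the matching table in this topic.
SAMPLE_INVENTORY = [
    {"ProductName0": "Mysoftware", "ProductVersion0": "2.01.1234"},
    {"ProductName0": "MySoftware", "ProductVersion0": "2.02.5678"},
    {"ProductName0": "MySoftware", "ProductVersion0": "2.05.1234"},
    {"ProductName0": "MySoftware", "ProductVersion0": "2.05.5678"},
    {"ProductName0": "MySoftware", "ProductVersion0": "2.05.3579.000"},
    {"ProductName0": "MySoftware", "ProductVersion0": "2.10.1234"},
    {"ProductName0": "OtherApp", "ProductVersion0": "1.2.3"},
]


def _field(row, name):
    """Cell value with surrounding whitespace removed; missing cells read as empty."""
    return (row.get(name) or "").strip()


def validate_license_csv(text):
    """Return a list of problems found; an empty list means the file passes."""
    errors = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in ALL_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        return [f"header row is missing columns: {', '.join(missing)}"]
    for line_no, row in enumerate(reader, start=2):  # row 1 is the header
        for f in REQUIRED:
            if not _field(row, f):
                errors.append(f"row {line_no}: required field {f} is empty")
        qty = _field(row, "EffectiveQuantity")
        if qty and not qty.isdigit():
            errors.append(f"row {line_no}: EffectiveQuantity {qty!r} is not an integer")
        for f in DATE_FIELDS:
            value = _field(row, f)
            if value:
                try:
                    datetime.strptime(value, "%m/%d/%Y")
                except ValueError:
                    errors.append(f"row {line_no}: {f} {value!r} is not in MM/DD/YYYY format")
        if _field(row, "SupportPurchased") not in ("", "0", "1"):
            errors.append(f"row {line_no}: SupportPurchased must be 0 or 1")
    return errors


def parse_licenses(text):
    """Rows of the license statement as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def version_matches(license_version, installed_version):
    """Prefix match on dotted components: "2" covers "2.01.1234" and "2.10.1234",
    "2.05" covers "2.05.1234" but not "2.10.1234", and "2" does not cover "20.1.1"."""
    wanted = license_version.strip().split(".")
    actual = installed_version.strip().split(".")
    return actual[:len(wanted)] == wanted


def reconcile(licenses, inventory):
    """Count the installed instances each license entry covers and compare with
    EffectiveQuantity. Raises ValueError when more than one entry matches the
    same installed product version, which makes the wizard's import fail."""
    covered = [0] * len(licenses)
    for item in inventory:
        hits = [
            i for i, lic in enumerate(licenses)
            # assumption: names compare case-insensitively, as in the topic's table
            if lic["Name"].strip().lower() == item["ProductName0"].strip().lower()
            and version_matches(lic["Version"], item["ProductVersion0"])
        ]
        if len(hits) > 1:
            raise ValueError(
                f"more than one license entry matches {item['ProductName0']} "
                f"{item['ProductVersion0']}")
        if hits:
            covered[hits[0]] += 1
    return [
        {"Name": lic["Name"], "Version": lic["Version"],
         "licensed": int(lic["EffectiveQuantity"]), "installed": covered[i],
         "over_deployed": max(0, covered[i] - int(lic["EffectiveQuantity"]))}
        for i, lic in enumerate(licenses)
    ]


if __name__ == "__main__":
    print("validation problems:", validate_license_csv(SAMPLE_CSV))
    for line in reconcile(parse_licenses(SAMPLE_CSV), SAMPLE_INVENTORY):
        print(line)
```

Run the validator before copying a file to the import share; an empty list from validate_license_csv means the header and field formats are as this topic requires, and a ValueError from reconcile shows which product version two of your entries both cover, which is the overlap you need to remove before the wizard will accept the file.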

Configure Asset Intelligence maintenance tasks


The following maintenance tasks are available for Asset Intelligence:

- Check Application Title with Inventory Information: Checks that the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. By default, this task is enabled and scheduled to run on Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only available at the top-level site in your Configuration Manager hierarchy.
- Summarize Installed Software Data: Provides the information that is displayed in the Assets and Compliance workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. By default, this task is enabled and scheduled to run every day after 12:00 A.M. and before 5:00 A.M. This maintenance task is available only on primary sites.

To configure Asset Intelligence maintenance tasks

1. In the Configuration Manager console, choose Administration > Site Configuration > Sites.
2. Select the site on which to configure the Asset Intelligence maintenance task.
3. On the Home tab, in the Settings group, choose Site Maintenance. Select a task, and choose Edit to modify the settings. We recommend that you set the time period to off-peak hours of the site. The time period is the time interval in which the task can run. It is defined by the Start after and Latest start time specified in the Task Properties dialog box. You can initiate the task right away by selecting the current day and setting the Start after time to a couple of minutes after the present time.
4. Choose OK to save your settings. The task now runs according to its schedule.

NOTE
If a task fails to run on the first attempt, Configuration Manager attempts to rerun the task until either the task
runs successfully or until the time period in which the task can run has passed.
How to use Asset Intelligence in Configuration Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains information to help you manage typical Asset Intelligence tasks in your Configuration
Manager hierarchy.

View Asset Intelligence information


You can view Asset Intelligence information on the Asset Intelligence home page and in Asset Intelligence
reports.
Asset Intelligence home page
The Asset Intelligence home page displays a summary dashboard for Asset Intelligence catalog information.
On the home page, you can view information about catalog synchronization and inventoried software status.
The Asset Intelligence home page is divided into the following sections:
Catalog Synchronization : Provides information about whether Asset Intelligence is enabled, the
current status of the Asset Intelligence synchronization point, the synchronization schedule, whether the
customer license statement is imported, when status was last updated and the time for the next
scheduled update, and the number of changes that occurred after the Asset Intelligence synchronization
point site system was installed.

NOTE
The Asset Intelligence catalog synchronization section of the Asset Intelligence home page is only displayed if
an Asset Intelligence synchronization point site system role has been installed.

Inventoried Software Status : Provides the count and percentage of inventoried software, software
categories, and software families that are identified by Microsoft, identified by an administrative user,
pending online identification, or unidentified and not pending. The information displayed in table format
shows the count for each, while the information displayed in the chart shows the percentage for each.
Use the following procedure to view Asset Intelligence information on the Asset Intelligence home
page.
To view Asset Intelligence information on the Asset Intelligence home page

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence . The Asset Intelligence reports are
displayed.
Asset Intelligence reports
There are over 60 Asset Intelligence reports that display the information collected by Asset Intelligence. Many of
these reports link to more specific reports in which you can query for general information and drill down to
more detailed information. The Asset Intelligence reports are located in the Configuration Manager console, in
the Monitoring workspace, under the Reporting node. The reports provide information about hardware,
license management, and software. For more information about reports in Configuration Manager, see
Introduction to reporting.
NOTE
The accuracy of installed software title quantities and license information displayed in Asset Intelligence reports might
vary from the actual number of software titles installed or licenses in use in the environment because of the complex
dependencies and limitations involved in inventorying software license information for software titles installed in
enterprise environments. Asset Intelligence reports should not be used as the sole source for determining purchased
software license compliance.

Use the following procedure to view Asset Intelligence information by using the Asset Intelligence reports.
To view collected Asset Intelligence information by using Asset Intelligence reports

1. In the Configuration Manager console, click Monitoring .


2. In the Monitoring workspace, expand Reporting , expand Reports , and click Asset Intelligence . The
Asset Intelligence reports are displayed.

WARNING
If no report folders exist under the Reports node, verify that you have configured reporting. For more
information, see Configuring reporting.

3. Select the Asset Intelligence report that you want to run, and then on the Home tab, in the Report
Group group, click Run .

Synchronize the Asset Intelligence catalog


You can synchronize the local Asset Intelligence catalog with System Center Online to retrieve the latest software
title categorization. When you manually request catalog synchronization with System Center Online, it could
take 15 minutes or longer to complete the synchronization process with System Center Online. Configuration
Manager updates the Last Successful Update setting on the Asset Intelligence home page with the current
time for when synchronization successfully finishes.

NOTE
An Asset Intelligence synchronization point site system role must be installed before you use these procedures. For
information about installing an Asset Intelligence synchronization point, see Configuring Asset Intelligence.

Use the following procedure to create a synchronization schedule for the Asset Intelligence catalog.
To create a synchronization schedule for the Asset Intelligence catalog
1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, click Asset Intelligence .
3. On the Home tab, in the Create group, click Synchronize , and then click Schedule Synchronization .
4. In the Asset Intelligence Synchronization Point Schedule dialog box, select Enable
synchronization on a schedule , and then configure a simple or custom schedule.
5. Click OK to save the changes.

NOTE
For information about the synchronization schedule, including the next scheduled synchronization, see the Asset
Intelligence node in the Assets and Compliance workspace on the top-level site of the hierarchy.
Use the following procedure to manually synchronize the Asset Intelligence catalog.

WARNING
System Center Online accepts only one manual synchronization request in a 12-hour period.

To manually synchronize the Asset Intelligence catalog


1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, click Asset Intelligence .
3. On the Home tab, in the Create group, click Synchronize , click Synchronize Asset Intelligence
Catalog , and then click OK .

Customize the Asset Intelligence catalog


Asset Intelligence catalog categorization information received from System Center Online is stored in the site
database with read-only permissions and cannot be modified or deleted. However, you can create, modify, and
delete custom software categories, software families, software labels, and hardware requirements catalog
information. Then you can use custom categorization data instead of the information supplied by System Center
Online for existing or user-defined software title information. When you change or add categorization
information, the catalog information is considered user-defined. User-defined categorization information is
stored in different database tables than validated catalog information.
Software categories
Asset Intelligence software categories are used to broadly categorize inventoried software titles and are also
used as high-level groupings of more specific software families. For example, a software category could be
energy companies, and a software family within that software category could be oil and gas or hydroelectric.
Many software categories are predefined in the Asset Intelligence catalog, and additional user-defined
categories can be created to further define inventoried software. The validation state for all predefined software
categories is always Validated , while custom software category information added to the Asset Intelligence
catalog is User Defined .
Use the following procedure to create a user-defined software category.
To create a user-defined software category

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Catalog .
3. On the Home tab, in the Create group, click Create Software Category .
4. On the General page, enter a name for the new software category and, optionally, a description.

NOTE
The validation state for all new custom software categories is always set to User Defined .

Click Next .
5. On the Summary page, review the settings, and then click Next .
6. On the Completion page, click Close to exit the wizard.
Software families
Asset Intelligence software families are used to further define inventoried software titles within software
categories. For example, a software category could be energy companies, and a software family within that
software category could be oil and gas or hydroelectric. Many software families are predefined in the Asset
Intelligence catalog, and additional user-defined families can be created to define inventoried software. The
validation state for all predefined software families is always Validated , while custom software family
information added to the Asset Intelligence catalog is User Defined .
Use the following procedure to create a user-defined software family.
To create a user-defined software family

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Catalog .
3. On the Home tab, in the Create group, click Create Software Family .
4. On the General page, enter a name for the new software family and, optionally, a description.

NOTE
The validation state for all new custom software families is always set to User Defined .

5. On the Summary page, review the settings, and then click Next .
6. On the Completion page, click Close to exit the wizard.
Software labels
Asset Intelligence custom software labels let you create filters that you can use to group software titles and view
them by using Asset Intelligence reports. For example, you can create a software label called shareware,
associate it with a number of applications, and then run a report that shows you all titles with the software label
of shareware. The validation state is User Defined for all custom software labels that you add to the Asset
Intelligence catalog.
Use the following procedure to create a user-defined custom label.
To create a user-defined software label

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Catalog .
3. On the Home tab, in the Create group, click Create Software Label .
4. On the General page, enter a name for the new software label and, optionally, a description.

NOTE
The validation state for all new custom software labels is always set to User Defined .

5. On the Summary page, review the settings, and then click Next .
6. On the Completion page, click Close to exit the wizard.
Hardware requirements
Hardware requirements information can help you verify that computers meet the hardware requirements for
software titles before they are targeted for software deployments. Many hardware requirements are predefined
in the Asset Intelligence catalog, and you can create new user-defined hardware requirement information to
meet custom requirements. The validation state for all predefined hardware requirements is always Validated ,
while user-defined hardware requirements information added to the Asset Intelligence catalog is User Defined .
IMPORTANT
The hardware requirements displayed in the Configuration Manager console are retrieved from the Asset Intelligence
catalog on the local computer and are not based on inventoried software title information from System Center 2012
Configuration Manager clients. Hardware requirements information is not updated as part of the synchronization process
with System Center Online. You can create user-defined hardware requirements for inventoried software that does not
have associated hardware requirements.

Use the following procedure to create a user-defined hardware requirement.


To create a user-defined hardware requirement

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Hardware
Requirements .
3. On the Home tab, in the Create group, click Create Hardware Requirements .
4. On the General page, enter the following information:
a. Software title : Specifies the software title for which the hardware requirements are associated.
The software title cannot already exist in the Asset Intelligence catalog.
b. Validation state : Lists the validation state as User Defined for the hardware requirements. You
cannot modify this setting.
c. Minimum CPU (MHz) : Specifies the minimum processor speed, in megahertz (MHz), required by
the software title.
d. Minimum RAM (KB) : Specifies the minimum RAM, in kilobytes (KB), required by the software
title.
e. Minimum Disk Space (KB) : Specifies the minimum free disk space, in KB, required by the
software title.
f. Minimum Disk Size (KB) : Specifies the minimum hard disk size, in KB, required by the software
title.
Click Next .
5. On the Summary page, review the settings, and then click Next .
6. On the Completion page, click Close to exit the wizard.
Modify categorization information for inventoried software
Predefined software in the Asset Intelligence catalog is configured with specific categorization information, such
as product name, vendor, software category, and software family. When the predefined categorization
information does not meet your requirements, you can modify the information in the properties for the
software title. When you modify categorization information for predefined software, the validation state for the
software changes from Validated to User Defined .

IMPORTANT
The categorization information can only be modified at the top-level site.

Use the following procedure to modify categorization information for inventoried software.
To modify the categorizations for software titles

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Inventoried
Software .
3. Select a software title or select multiple software titles for which you want to modify categorizations.
4. On the Home tab, in the Properties group, click Properties .
5. On the General tab, you can modify the following categorization information:
Product Name : Specifies the name of the inventoried software title.
Vendor : Specifies the name of the vendor that developed the inventoried software title.
Category : Specifies the software category that is currently assigned to the inventoried software
title.
Family : Specifies the software family that is currently assigned to the inventoried software title.
6. Click OK to save the changes.
Use the following procedure to revert software to the original categorization information.
Revert categorization information to original settings for software
Configuration Manager stores categorization information obtained from System Center Online in the database.
The information cannot be deleted. After the information has been modified, you can revert the categorization
information back to the System Center Online categorization. Inventoried software that is not in the Asset
Intelligence catalog can also be reverted back to the original settings.
Use the following procedure to revert categorization information to the original settings.
To revert categorization information to original settings

1. In the Configuration Manager console, click Assets and Compliance .


2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Inventoried
Software .
3. Select a software title or select multiple software titles that you want to revert to the original settings.
Only software that has a User Defined state can be reverted.

TIP
Click the State column to sort by the validation state. Sorting lets you see all software by validation state and
quickly select multiple items to revert to the original settings.

4. On the Home tab, in the Product group, click Revert .


5. Click Yes to revert the software to the original categorization information.
6. When you revert categorization information for software that is in the Asset Intelligence catalog, the
validation state changes from User Defined to Validated . When you revert software that is not in the
catalog, the validation state changes from User Defined to Uncategorized .

Request a catalog update for uncategorized software titles


Uncategorized software title information can be submitted to System Center Online for research and
categorization. After an uncategorized software title is submitted, and there are at least 4 categorization requests
from customers for the same software title, researchers identify, categorize, and then make the software title
categorization information available to all customers that are using the System Center Online service. Microsoft
gives the highest priority to software titles that have the most requests for categorization. Custom software and
line-of-business applications are unlikely to receive a category, and as a best practice, you should not send these
software titles to Microsoft for categorization.
When software title information is submitted to System Center Online for categorization, the following
conditions apply:
Only basic software title information is transmitted to System Center Online, and software title
information to be categorized can be reviewed before submission.
Software license information is never transmitted.
Any software title that is uploaded becomes publicly available as part of the System Center Online
catalog and can be downloaded by other customers.
The source of the software title is not stored in the System Center Online catalog. However, application
titles containing confidential or proprietary information should not be submitted for categorization by
System Center Online.

NOTE
For more information about Asset Intelligence privacy information, see Security and privacy for Asset Intelligence.

Use the following procedure to request Asset Intelligence catalog software title categorization from System
Center Online.
To request a catalog update for uncategorized software titles
1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Inventoried
Software .
3. Select a product name or select multiple product names, to be submitted to System Center Online for
categorization. Only uncategorized inventoried software titles can be submitted to System Center Online
for categorization. If an inventoried software title has been categorized by an administrator resulting in a
user-defined state, you must right-click the inventoried software title, and then click Revert to revert the
software title to the Uncategorized state before it can be submitted to System Center Online for
categorization.

NOTE
Configuration Manager can process up to 2000 software titles for categorization at a time. If you select more than
2000 software titles, only the first 2000 software titles will be processed. You must select the remaining software
titles for categorization in batches of less than 2000.

TIP
Click the State column to sort by the validation state. This lets you see all uncategorized product names and
quickly select multiple items to submit for categorization.

4. On the Home tab, in the Product group, click Request Catalog Update .


5. Review the System Center Online categorization submission privacy message. Click Details to view the
information that will be sent to System Center Online.
6. Select I have read and understood this message , and then click OK to allow the selected software
titles to be submitted for categorization.
7. Verify that the state of the inventoried software product names submitted to System Center Online for
categorization has changed from Uncategorized to Pending .

NOTE
Software that is submitted to System Center Online for categorization has a validation state of Pending on the
central administration site but is still displayed with a validation state of Uncategorized on child primary sites.

Resolve software details conflicts


After newly updated software categorization details have been received from System Center Online that conflict
with existing software details information, you can choose how to resolve the conflict. Software that has a
current conflict has a validation state of Updatable . After a software details conflict has been resolved, the
software categorization information is retained in the Asset Intelligence catalog according to the setting that you
specify. A software details conflict does not occur for the same software categorization value again unless the
System Center Online value changes after the conflict has been resolved.
Use the following procedure to resolve a software details conflict.
To resolve a software details conflict
1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, click Asset Intelligence , and then click Inventoried
Software .
3. Review the State column for software titles in the Updatable state.
4. Select the software title for which you have to resolve a conflict, and then on the Home tab, in the
Product group, click Resolve Conflict .
5. Review the following information:
Local value : Specifies the existing software categorization information in the Asset Intelligence
catalog that conflicts with newer System Center Online software categorization details.
Downloaded value : Specifies the new System Center Online software categorization information
for conflicting Asset Intelligence catalog software categorization information.
6. Select one of the following settings to resolve the software details conflict:
Do not change the locally edited catalog information value : Resolves the software details
conflict by retaining the existing Asset Intelligence catalog software categorization information.
When you select this setting, the software title state changes from Updatable to User Defined .
Overwrite the locally edited catalog information value with the downloaded System
Center Online value : Resolves the software details conflict by overwriting the existing Asset
Intelligence catalog software categorization information with new information obtained from
System Center Online. When you select this setting, the software title state changes from
Updatable to Validated .
Click OK to save the conflict resolution.
Security and privacy for Asset Intelligence in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This article contains security guidance and privacy information for Asset Intelligence in Configuration Manager.

Security guidance
Secure license files
When you import a Microsoft Volume Licensing file or a General License Statement file, secure the file and
communication channel. Configure NTFS permissions to make sure that only authorized users can access the
license files. Use Server Message Block (SMB) signing to keep the integrity of the data when it's transferred to
the site server during the import process.
Limit permissions for users who import license files
Use the principle of least permissions to import the license files. Use role-based administration to grant the
Manage Asset Intelligence permission to the administrative user who imports license files. The built-in role
of Asset Manager includes this permission.
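The two recommendations above (NTFS permissions on the license file, SMB signing on the path to the site server) can be applied and checked from an elevated PowerShell session on the computer that holds the file. The following is an added example, not part of the Configuration Manager documentation or product: the file path and the group name are placeholders to replace with your own, and the ACL it writes (read for one group, full control for Administrators and SYSTEM) is one reasonable allow-list, not a prescribed one.

```powershell
# Added example (not from the Configuration Manager docs): restrict a license import file
# to the people who need it and report whether SMB signing is required on this host
# before the file crosses the network to the site server. Path and group are placeholders.
$LicenseFile  = 'C:\AssetIntelligence\Licenses\volume-licenses.csv'  # assumed path
$AllowedGroup = 'CONTOSO\CM-AssetManagers'                           # assumed group

function Protect-LicenseFile {
    # Replace inherited and explicit ACEs on the file with a short explicit allow-list
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheritance and drop inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)       # clear any explicit ACEs that remain
    }
    foreach ($entry in @(
        @{ Identity = $Group;                   Rights = 'Read' }
        @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
        @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $entry.Identity, $entry.Rights, 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting ACEs so the change can be reviewed
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Get-SmbSigningStatus {
    # Reports whether the SMB client and server on this host both require signing.
    # Get-SmbServerConfiguration / Get-SmbClientConfiguration are in the SmbShare module.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        SigningEnforced       = ($server.RequireSecuritySignature -and $client.RequireSecuritySignature)
    }
}

Protect-LicenseFile -Path $LicenseFile -Group $AllowedGroup
Get-SmbSigningStatus
```

Get-SmbSigningStatus only reports the local host; the site server that receives the file must require signing as well, so run the same check there or enforce it through Group Policy. Protect-LicenseFile needs to run as a user who can change the file's ACL (an administrator or the file owner).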

Privacy information
Asset Intelligence extends the inventory capabilities of Configuration Manager to provide a higher level of asset
visibility. Asset Intelligence information collection isn't automatically enabled. You can modify the type of
information collected by enabling hardware inventory reporting classes. For more information, see Configure
Asset Intelligence.
Configuration Manager stores Asset Intelligence information in the site database the same as inventory
information. When clients connect to management points by using HTTPS, the data is always encrypted during
transfer to the management point. When clients connect by using HTTP, configure the inventory data transfer to
be signed and encrypted. Inventory data isn't stored in an encrypted format in the database. Information is kept
in the database until the site maintenance task Delete Aged Inventory History deletes it every 90 days by
default. You can configure the deletion interval.
Asset Intelligence doesn't send information about users, computers, or license usage to Microsoft. You can
choose to send System Center Online requests for categorization. For these requests, you tag one or more
uncategorized software titles and send them to Microsoft for research and categorization. After you upload a
software title, Microsoft researchers identify and categorize the software. They then make that information
available to all customers who use the online service.
When you submit information to System Center Online, understand the following privacy implications:
Upload applies only to generic software title information that you choose to send to Microsoft. For
example, software name and publisher. Inventory information isn't sent to Microsoft.
Upload never occurs automatically, and the system isn't designed for this task to be automated. Manually
select and approve the upload of each software title.
Before the upload process starts, the Configuration Manager console shows you exactly what data it will
upload.
License information isn't sent to Microsoft. Configuration Manager stores the license information in a
separate area of the site database, and it can't be sent to Microsoft.
Any software title that you upload becomes public. The knowledge of that software and its categorization
become part of the online Asset Intelligence catalog. Other customers can then download the catalog
updates.
The source of the software title isn't recorded in the Asset Intelligence catalog, and it isn't made available
to other customers. Still verify that you don't include any application titles that contain any private
information.
You can't recall uploaded data.
Example validation state transitions for Asset Intelligence
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Asset Intelligence validation states in Configuration Manager are not static; they change as a result of
administrative actions that you take on the data stored in the Asset Intelligence catalog. This topic provides
examples of possible validation state transitions.

Uncategorized catalog item is categorized by the administrative user


State transition | State transition description

Uncategorized | An inventoried software title that has not been previously categorized by System Center Online or that the administrative user has entered into the Asset Intelligence catalog.

Uncategorized to User Defined | The uncategorized item is categorized by the administrative user.

Categorized catalog item is recategorized by the administrative user


State transition | State transition description

Validated | Catalog item has been defined by System Center Online researchers and is present in the Asset Intelligence catalog.

Validated to User Defined | The validated catalog item is re-categorized by the administrative user.

NOTE
Because categorization information obtained from System Center Online is stored in the database and cannot be deleted,
the administrative user can revert back to the System Center Online categorization later.

User-defined catalog item is recategorized by System Center Online


State transition | State transition description

Uncategorized | An inventoried software title is entered into the Asset Intelligence catalog that has not been previously categorized by System Center Online or the administrative user.

User Defined | The uncategorized item is categorized by the administrative user.

User Defined to Updateable | A user-defined catalog item has been categorized differently by System Center Online during subsequent manual bulk updates of the Asset Intelligence catalog. The administrative user can use the Software Details Conflict Resolution dialog box to decide whether to use the new categorization information or the previous user-defined value.

Updateable to Validated | The administrative user uses the Software Details Conflict Resolution dialog box to use the new categorization information received from System Center Online during the previous catalog update.

or

Updateable to User Defined | The administrative user uses the Software Details Conflict Resolution dialog box to use the previous user-defined value.

NOTE
Because categorization information obtained from System Center Online is stored in the database and cannot be deleted,
the administrative user can revert back to the System Center Online categorization later.

Uncategorized catalog item is submitted to System Center Online for categorization

State transition | State transition description

Uncategorized | An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by System Center Online or the administrative user.

Uncategorized to Pending | The uncategorized item is submitted to System Center Online for categorization by the administrative user.

Pending to Validated | The item is categorized by System Center Online. The administrative user imports the item into the Asset Intelligence catalog by using a bulk catalog update or Asset Intelligence catalog synchronization. Both are available by using the Asset Intelligence synchronization point site system role.

User-defined catalog item is submitted to System Center Online for categorization

State transition | State transition description

Uncategorized | An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by an administrative user or System Center Online.

User Defined | You categorized the uncategorized item.

User Defined to Pending | You submit the user-defined item to System Center Online for categorization.

Pending to Updateable | A user-defined catalog item has been categorized differently by System Center Online during subsequent catalog synchronization. You can use the Resolve Conflict action to decide whether to use the new categorization information or the previous user-defined value. For more information about resolving conflicts, see Resolve software details conflicts.

Updateable to Validated | You use the Resolve Conflict action and select the new categorization information received from System Center Online during the previous catalog update. For more information about resolving conflicts, see Resolve software details conflicts.

or

Updateable to User Defined | You use the Resolve Conflict action and select to use the previous user-defined value. For more information about resolving conflicts, see Resolve software details conflicts.

NOTE
Because categorization information obtained from System Center Online is stored in the database and cannot be deleted,
you can revert back to the System Center Online categorization later.
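The tables in this topic describe one state machine from several angles. The following added example (not part of the Configuration Manager documentation or product) collects those rows into a single transition table and walks a planned sequence of console actions through it, so an administrator can see which state a title will end up in, and which actions are not available from a given state, before touching the catalog. The action names (Categorize, Submit, Revert, SyncDiffers, ResolveKeepLocal, and so on) are labels chosen for this example; the state names are the ones the topic uses, with the tables' spelling Updateable.

```powershell
# Added example (not from the Configuration Manager docs): a model of the validation-state
# transitions listed in this topic's tables. Action names are this example's own labels
# for the console operations; states are the topic's.
$AiTransitions = @{
    'Uncategorized' = @{
        Categorize       = 'User Defined'    # admin assigns category/family/vendor
        Submit           = 'Pending'         # Request Catalog Update
    }
    'Validated'     = @{
        Categorize       = 'User Defined'    # admin overrides the System Center Online value
    }
    'User Defined'  = @{
        Revert           = 'Validated'       # Revert, title exists in the catalog
        RevertNotInCatalog = 'Uncategorized' # Revert, title is not in the catalog
        SyncDiffers      = 'Updateable'      # later sync/bulk update disagrees with the admin
        Submit           = 'Pending'         # per the last table in this topic
    }
    'Pending'       = @{
        SyncCategorized  = 'Validated'       # researchers categorized it; catalog updated
        SyncDiffers      = 'Updateable'      # downloaded value conflicts with the admin's value
    }
    'Updateable'    = @{
        ResolveKeepLocal = 'User Defined'    # "Do not change the locally edited ... value"
        ResolveOverwrite = 'Validated'       # "Overwrite ... with the downloaded ... value"
    }
}

function Get-AiNextState {
    # Returns the state reached by applying one action, or throws if the action
    # is not valid from the current state (listing the actions that are).
    param(
        [Parameter(Mandatory)][string]$State,
        [Parameter(Mandatory)][string]$Action
    )
    if (-not $AiTransitions.ContainsKey($State)) {
        throw "Unknown validation state '$State'"
    }
    $allowed = $AiTransitions[$State]
    if (-not $allowed.ContainsKey($Action)) {
        throw "Action '$Action' is not valid from state '$State'; valid actions: $($allowed.Keys -join ', ')"
    }
    return $allowed[$Action]
}

function Trace-AiActions {
    # Walks a sequence of actions from a starting state and emits one row per step.
    param(
        [string]$Start = 'Uncategorized',
        [Parameter(Mandatory)][string[]]$Actions
    )
    $state = $Start
    foreach ($action in $Actions) {
        $next = Get-AiNextState -State $state -Action $action
        [pscustomobject]@{ From = $state; Action = $action; To = $next }
        $state = $next
    }
}

# Scenario: admin categorizes a title, a later sync disagrees, admin keeps the local
# value, then reverts to the System Center Online categorization.
Trace-AiActions -Actions Categorize, SyncDiffers, ResolveKeepLocal, Revert | Format-Table

# A Revert from Validated is not in the tables, so this step is rejected with the list of valid actions.
try { Get-AiNextState -State 'Validated' -Action 'Revert' } catch { Write-Warning $_ }
```

Note that the Request a catalog update procedure earlier in this page says a user-defined title must be reverted to Uncategorized before it can be submitted, while the last table above lists User Defined to Pending directly; the model follows the table, so adjust the 'User Defined' entry if your site enforces the revert first.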
Example Asset Intelligence general license import file in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The example information in this topic can be used to create a sample general software license file to import
software licenses into the Asset Intelligence catalog by using the Import Software License Wizard. You can copy
and paste the following table into a new Microsoft Excel spreadsheet and save it with a .csv file name extension
to be used as an example general software license import file for testing purposes. When creating the license
import file, all header fields are required while only Name, Publisher, Version, and EffectiveQuantity data values
are required in the spreadsheet. For more information about importing software licenses to the Asset
Intelligence catalog, see Configuring Asset Intelligence.

Name | Publisher | Version | Language | EffectiveQuantity | PONumber | ResellerName | DateOfPurchase | SupportPurchased | SupportExpirationDate | Comments
Software Title 1 | Software publisher | 1.01 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 2 | Software publisher | 1.02 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 3 | Software publisher | 1.03 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 4 | Software publisher | 1.04 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 5 | Software publisher | 1.05 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 6 | Software publisher | 1.06 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 7 | Software publisher | 1.07 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 8 | Software publisher | 1.08 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 9 | Software publisher | 1.09 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
Software title 10 | Software publisher | 1.10 | English | 1 | Purchase number | Reseller name | 10/10/2010 | 0 | 10/10/2012 | Comment
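The following script is an added example, not part of the Configuration Manager documentation: it generates the sample general license import file from the table above as CSV text and checks a file against the two rules the article states (every header field must be present; Name, Publisher, Version and EffectiveQuantity must have values). The extra checks on EffectiveQuantity and the date columns are this example's own assumptions about sensible input, not rules of the Import Software License Wizard.

```python
"""Build and validate an Asset Intelligence general license import file.

Added example (not Microsoft's code). The column names come from the sample
table in the article; the validation rules beyond "headers required, four
values required" are assumptions made here for the sake of the example.
"""
import csv
import io
from datetime import datetime

# Header fields of the example file; the article says all of them are required.
HEADER = [
    "Name", "Publisher", "Version", "Language", "EffectiveQuantity",
    "PONumber", "ResellerName", "DateOfPurchase", "SupportPurchased",
    "SupportExpirationDate", "Comments",
]

# The only columns that must carry a value in every data row.
REQUIRED_VALUES = ["Name", "Publisher", "Version", "EffectiveQuantity"]


def sample_rows(count: int = 10) -> list[dict[str, str]]:
    """Constructed data that mirrors the ten sample rows of the article's table."""
    rows = []
    for i in range(1, count + 1):
        rows.append({
            "Name": f"Software title {i}",
            "Publisher": "Software publisher",
            "Version": f"1.{i:02d}",          # 1.01 ... 1.10 as in the table
            "Language": "English",
            "EffectiveQuantity": "1",
            "PONumber": "Purchase number",
            "ResellerName": "Reseller name",
            "DateOfPurchase": "10/10/2010",
            "SupportPurchased": "0",
            "SupportExpirationDate": "10/10/2012",
            "Comments": "Comment",
        })
    return rows


def write_license_csv(rows) -> str:
    """Serialise rows as CSV text with the full header line first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADER, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _is_date(value: str) -> bool:
    # The sample table writes dates as 10/10/2010, read here as MM/DD/YYYY (assumption).
    try:
        datetime.strptime(value, "%m/%d/%Y")
        return True
    except ValueError:
        return False


def validate_license_csv(text: str) -> list[str]:
    """Return a list of problems found in the CSV text; an empty list means it passes."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    fieldnames = reader.fieldnames or []
    missing = [h for h in HEADER if h not in fieldnames]
    if missing:
        problems.append(f"missing header field(s): {', '.join(missing)}")
        return problems  # row checks are meaningless without the full header
    extra = [h for h in fieldnames if h not in HEADER]
    if extra:
        problems.append(f"unexpected header field(s): {', '.join(extra)}")
    # Data rows start on line 2 of the file (line 1 is the header).
    for line_no, row in enumerate(reader, start=2):
        for col in REQUIRED_VALUES:
            if not (row.get(col) or "").strip():
                problems.append(f"line {line_no}: {col} is empty")
        qty = (row.get("EffectiveQuantity") or "").strip()
        if qty and not qty.isdigit():
            problems.append(f"line {line_no}: EffectiveQuantity {qty!r} is not a whole number")
        for col in ("DateOfPurchase", "SupportExpirationDate"):
            val = (row.get(col) or "").strip()
            if val and not _is_date(val):
                problems.append(f"line {line_no}: {col} {val!r} is not MM/DD/YYYY")
    return problems


if __name__ == "__main__":
    text = write_license_csv(sample_rows())
    print(text)
    print("problems:", validate_license_csv(text) or "none")
```

Save the printed text with a .csv extension to get a file shaped like the article's example; running the validator on a hand-edited copy reports the line and column of any empty required value before the wizard is involved.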
Manage Microsoft Lifecycle Policy with Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Use the Configuration Manager product lifecycle dashboard to view the Microsoft Lifecycle Policy. The
dashboard shows the state of the Microsoft Lifecycle Policy for Microsoft products installed on devices managed
with Configuration Manager. It also provides you with information about Microsoft products in your
environment, supportability state, and support end dates. Use the dashboard to understand the availability of
support for each product. This information helps you plan for when to update the Microsoft products you use
before their current end of support is reached.
For more information, see the Microsoft Lifecycle Policy.

Prerequisites
To see data in the product lifecycle dashboard, the following components are required:
Install Internet Explorer 9 or later on the computer that runs the Configuration Manager console.
To get updates for the data on this dashboard, the service connection point must be online. If the service
connection point is in offline mode, synchronize it regularly. For more information, see About the service
connection point.
Configure and synchronize the asset intelligence synchronization point. The dashboard uses the asset
intelligence catalog as metadata for product titles. Configuration Manager compares this metadata
against inventory data in your hierarchy. For more information, see Configure asset intelligence in
Configuration Manager.
If you're configuring the asset intelligence service point for the first time, make sure to enable
asset intelligence hardware inventory classes. The lifecycle dashboard depends on those asset
intelligence hardware inventory classes. The dashboard won't display data until clients scan for
and return hardware inventory.
In version 2006 and earlier, to view information about Extended Security Updates (ESU) in this
dashboard, enable the hardware inventory class Software Licensing Product - Asset
Intelligence (SoftwareLicensingProduct) . For more information, see Enable asset intelligence
hardware inventory classes. In version 2010 and later, the dashboard uses an attribute in the client
discovery data.

Use the product lifecycle dashboard


To access the lifecycle dashboard in the Configuration Manager console, go to the Assets and Compliance
workspace, expand Asset Intelligence , and select the Product Lifecycle node.
Based on inventory data the site collects from managed devices, the dashboard displays information about all
current products. However, the information displayed for operating systems and SQL Server is limited to the
following versions:
Windows Server 2008 and later
Windows XP and later
SQL Server 2008 and later

NOTE
The data in the dashboard is based on the site the Configuration Manager console connects to. If the console connects to
your top-tier site, you see data for the entire hierarchy. When connected to a child primary site, only data from that site
displays.

Product lifecycle dashboard

Change the view by selecting one of the following options from the Product category list:
All : View all products together
Windows Client : View Windows client OS versions
Windows Server : View Windows server OS versions
Database : View SQL Server versions
Configuration Manager : View Configuration Manager versions
Microsoft Office : View information for installed versions of Office 2003 through Office 2016
The dashboard has the following tiles:
Top 5 products past end-of-support : This tile is a consolidated data view of products found in your
environment past their end-of-support. The graph shows installed software that's expired when
compared against the support lifecycle for operating systems and SQL Server products.
Top 5 products nearing end-of-support : This tile is a consolidated data view of products found in
your environment that are nearing end-of-support in the next 18 months. The graph shows installed
software that's within 18 months of end-of-support when compared against the support lifecycle for
operating systems and SQL Server products.
Starting in version 2103, use the time slider to control the timeframe for this tile. The default is 18
months, but you can adjust it from 1 to 36 months.
Lifecycle data for installed products : This tile gives you a general idea of when a product transitions
from supported to the expired state. The chart provides a breakdown of the number of clients where the
product is installed, the support availability state, and a link to learn more about the next steps to take.
The following information is included in the chart:
Support time remaining
Number in environment
Mainstream support end date
Extended support end date
Next steps
Starting in version 2103, the dashboard also has a subnode, All Product Lifecycle Data . You can sort and
filter the product lifecycle information, which gives you multiple ways to view it. When you select a product, you
can View devices for that product. From the list of devices, you can create a direct membership collection. Use
this action to deploy the latest software versions to these collections so that the devices are kept current.

IMPORTANT
The information shown in this dashboard is provided for your convenience and only for use internally within your
company. You should not solely rely on this information to confirm compliance. Be sure to verify the accuracy of the
information provided to you, along with availability of support information by visiting the Microsoft Lifecycle Policy.

Reporting
Other reports are available as well. In the Configuration Manager console, go to the Monitoring workspace,
expand Reporting , and expand Reports . The following reports are added under the category Asset
Intelligence :
Lifecycle 01A - Computers with a specific software product : View a list of computers on which a
specified product is detected.
Lifecycle 02A - List of machines with expired products in the organization : View computers
that have expired products on them. You can filter this report by product name.
Lifecycle 03A - List of expired products found in the organization : View details for products in
your environment that have expired lifecycle dates.
Lifecycle 04A - General Product Lifecycle overview : View a list of product lifecycles. Filter the list
by product name and days to expiration.
Lifecycle 05A - Product lifecycle dashboard : This report includes similar information as the
in-console dashboard. Select a category to view the count of products in your environment, and the days of
support remaining.
For more information, see List of reports.
Introduction to remote control in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Use remote control to remotely administer, provide assistance, or view any client computer in the hierarchy. You
can use remote control to troubleshoot hardware and software configuration problems on client computers and
to provide support. Configuration Manager supports the remote control of all workgroup computers and
domain-joined computers that run supported operating systems for the Configuration Manager client. For more
information, see Supported operating systems for clients and devices for Configuration Manager.
Configuration Manager also lets you configure client settings to run Windows Remote Desktop and Remote
Assistance from the Configuration Manager console.

NOTE
You cannot establish a Remote Assistance session from the Configuration Manager console to a client computer that is in
a workgroup.

You can start a remote control session in the Configuration Manager console from Assets and Compliance >
Devices , from any device collection, from the Windows Command Prompt window, or from the Windows Start
menu.
Prerequisites for remote control in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Remote control in Configuration Manager has external dependencies and dependencies in the product.

Dependencies external to Configuration Manager


To help improve performance, install the most up-to-date video driver on client devices.
You can't use Configuration Manager remote control to remotely administer client computers that run versions
of the Configuration Manager client earlier than current branch.

NOTE
No Windows services are required as an external dependency for remote control.

Supported operating systems for the remote control viewer


The remote control viewer is supported on all operating systems that are supported for the Configuration
Manager console. For information, see Supported configurations for Configuration Manager consoles.
The following OS versions don't support the remote control viewer, but they do support the remote control
client:
Windows Embedded
Windows Embedded for Point of Service (POS)
Windows Fundamentals for Legacy PCs

Configuration Manager dependencies


Enable remote control
By default, remote control isn't enabled when you install Configuration Manager. For more information about
how to enable and configure remote control, see Configure remote control.
Reporting
Before you can run reports for remote control, install the reporting services point site system role. For more
information, see Introduction to reporting.
Security permissions
To access collection resources and to start a remote control session from the Configuration Manager
console, your account needs the Read , Read Resource , and Remote Control permissions for the
Collection object.
The Remote Tools Operator security role includes the permissions that are required to manage remote
control in Configuration Manager.
Permitted viewers must be given permission to use remote control by adding these users to the
Permitted viewers of Remote Control and Remote Assistance list in the Remote Tools client
settings.
For more information, see Configure role-based administration.
Remote clients
Remote tools aren't supported for clients that are connected remotely. For example, you can't remote control a
client that communicates with the site through a cloud management gateway (CMG). For more information
about the network ports required for remote tools, see Ports used in Configuration Manager.

TIP
For tenant-attached devices, remote tools are available in the Microsoft Endpoint Manager admin center. For more
information, see Support for remote tools.

Next steps
Configure remote control
Configuring remote control in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This procedure describes configuring the default client settings for remote control. These settings apply to all
computers in your hierarchy. If you want these settings to apply to only some computers, assign a custom
device client setting to a collection that contains those computers. For more information, see How to configure
client settings.
To use Remote Assistance or Remote Desktop, it must be installed and configured on the computer that runs the
Configuration Manager console. For more information about how to install and configure Remote Assistance or
Remote Desktop, see your Windows documentation.
To enable remote control and configure client settings
1. In the Configuration Manager console, choose Administration > Client Settings > Default Client
Settings .
2. On the Home tab, in the Properties group, choose Properties .
3. In the Default dialog box, choose Remote Tools .
4. Configure the remote control, Remote Assistance and Remote Desktop client settings. For a list of remote
tools client settings that you can configure, see Remote Tools.
You can change the company name that appears in the ConfigMgr Remote Control dialog box by
configuring a value for Organization name displayed in Software Center in the Computer Agent
client settings.
Client computers are configured with these settings the next time they download client policy. To initiate
policy retrieval for a single client, see How to manage clients.
Enable keyboard translation
By default, Configuration Manager transmits the key position from the viewer's location to the sharer's location.
This can present a problem for keyboard configurations that differ from viewer to sharer. For example, a viewer
with an English keyboard would type an "A", but the sharer's French keyboard would provide a "Q". You now
have the option of configuring remote control so that the character itself is transmitted from the viewer's
keyboard to the sharer, and what the viewer intends to type arrives at the sharer.
To turn on keyboard translation, in Configuration Manager Remote Control , choose Action , and then choose
Enable keyboard translation to transmit key position.

NOTE
Special keys, such as ~!#@$%, will not be translated correctly.

Keyboard shortcuts for the remote control viewer


Keyboard shortcut: Description

Alt+Page Up: Switches between running programs from left to right.

Alt+Page Down: Switches between running programs from right to left.

Alt+Insert: Cycles through running programs in the order that they were opened.

Alt+Home: Displays the Start menu.

Ctrl+Alt+End: Displays the Windows Security dialog box (Ctrl+Alt+Del).

Alt+Delete: Displays the Windows menu.

Ctrl+Alt+Minus Sign (on the numeric keypad): Copies the active window of the local computer to the remote
computer Clipboard.

Ctrl+Alt+Plus Sign (on the numeric keypad): Copies the entire local computer's window area to the remote
computer Clipboard.
How to remotely administer a Windows client computer by using Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Configuration Manager allows you to connect to client computers using Configuration Manager Remote
Control . Before you begin to use remote control, ensure that you review the information in the following
articles:
Prerequisites for remote control
Configuring remote control
Here are three ways to start the remote control viewer:
In the Configuration Manager console.
In a Windows command prompt.
From the Windows Start menu, on a computer that runs the Configuration Manager console, in the
Microsoft Endpoint Manager program group.

NOTE
The above Start menu path is for versions from November 2019 (version 1910) or later. In earlier versions, the
folder name is Microsoft System Center .

To remotely administer a client computer from the Configuration Manager console
1. In the Configuration Manager console, choose Assets and Compliance > Devices or Device
Collections .
2. Select the computer that you want to remotely administer and then, in the Home tab, in the Device
group, choose Start > Remote Control .

IMPORTANT
If the client setting Prompt user for Remote Control permission is set to True , the connection does not
initiate until the user at the remote computer agrees to the remote control prompt. For more information, see
Configuring remote control.

3. After the Configuration Manager Remote Control window opens, you can remotely administer the
client computer. Use the following options to configure the connection.

NOTE
If the computer that you connect to has multiple monitors, the display from all the monitors is shown in the
remote control window.
File
Connect - Connect to another computer. This option is unavailable when a remote control
session is active.
Disconnect - Disconnects the active remote control session but doesn't close the
Configuration Manager Remote Control window.
Exit - Disconnects the active remote control session and closes the Configuration Manager
Remote Control window.

NOTE
When you disconnect a remote control session, the contents of the Windows Clipboard on the computer
that you are viewing is deleted.

View
Color depth - Choose either 16 bits or 32 bits per pixel.
Full Screen - Maximizes the Configuration Manager Remote Control window. To exit full
screen mode, press Ctrl+Alt+Break.
Optimize for low bandwidth connection - Choose this option if the connection is low
bandwidth.
Display:
All Screens - If the computer that you connect to has multiple monitors, the display
from all the monitors is shown in the remote control window.
First Screen - The first screen is at the top and far left as shown in Windows display
settings. You can't select a specific screen. When you switch the configuration of the
viewer, reconnect the remote session. The viewer saves your preference for future
connections.
Scale to Fit - Scales the display of the remote computer to fit the size of the
Configuration Manager Remote Control window.
Status Bar - Toggles the display of the Configuration Manager Remote Control
window status bar.

NOTE
The viewer saves your preference for future connections.

Action
Send Ctrl+Alt+Del Key - Sends a Ctrl+Alt+Del key combination to the remote computer.
Enable Clipboard Sharing - Lets you copy and paste items to and from the remote
computer. If you change this value, you must restart the remote control session for the change
to take effect.
If you don't want clipboard sharing to be enabled in the Configuration Manager console,
on the computer running the console, set the value of the registry key
HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\Remote Control\Clipboard Sharing to 0 .
Enable Keyboard Translation - Translates the keyboard layout of the computer running the
console to the connected device's layout.
Lock Remote Keyboard and Mouse - Locks the remote keyboard and mouse to prevent the
user from operating the remote computer.
Help
About Remote Control - Displays the current version of the viewer.
4. Users at the remote computer can view more information about the remote control session when they
click the Configuration Manager Remote Control icon. The icon is in the Windows notification area or
the icon on the remote control session bar.

To start the remote control viewer from the Windows command line
At the Windows command prompt, type <Configuration Manager Installation Folder>\AdminConsole\Bin\i386\CmRcViewer.exe
CmRcViewer.exe supports the following command-line options:
Address - Specifies the NetBIOS name, the fully qualified domain name (FQDN), or the IP address of the
client computer that you want to connect to.
Site Server Name - Specifies the name of the Configuration Manager site server to which you want to send
status messages that are related to the remote control session.
/? - Displays the command-line options for the remote control viewer.

Example: CmRcViewer.exe <Address> <\\Site Server Name>

NOTE
The remote control viewer is supported on all operating systems that are supported for the Configuration Manager
console. For more information, see Supported configurations for Configuration Manager consoles and Prerequisites for
remote control.

Next steps
Audit remote control usage
How to audit remote control usage in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can use Configuration Manager reports to view audit information for remote control.
For more information about how to configure reporting in Configuration Manager, see Introduction to
reporting.
The following two reports are available with the category Status Messages - Audit :
Remote Control - All computers remote controlled by a specific user - Displays a summary of
remote control activity that a specific user initiated.
Remote Control - All remote control information - Displays a summary of status messages about
remote control of client computers.
To run the report Remote Control - All computers remote controlled by a specific user
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, expand Reporting , and then click Reports .
3. In the Reports node, click the Category column to sort the reports so that you can more easily find the
reports in the category Status Messages - Audit .
4. Select the report Remote Control - All computers remote controlled by a specific user , and then,
on the Home tab, in the Report Group , click Run .
5. In the User Name list of the Remote Control - All computers remote controlled by a specific
user , specify the user that you want to report audit information for, and then click View Report .
6. When you have finished viewing the data in the report, close the report window.
To run the report Remote Control - All remote control information
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, expand Reporting , and then click Reports .
3. In the Reports node, click the Category column to sort the reports so that you can more easily find the
reports in the category Status Messages - Audit .
4. Select the report Remote Control - All remote control information , and then, on the Home tab, in
the Report Group , click Run to open the Remote Control - All remote control information
window.
5. When you have finished viewing data in the report, close the report window.
Security and privacy for remote control in Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


This topic contains security and privacy information for remote control in Configuration Manager.

Security best practices for remote control


Use the following security best practices when you manage client computers by using remote control.

Security best practice: When you connect to a remote computer, do not continue if NTLM instead of Kerberos
authentication is used.
More information: When Configuration Manager detects that the remote control session is authenticated by using
NTLM instead of Kerberos, you see a prompt that warns you that the identity of the remote computer cannot be
verified. Do not continue with the remote control session. NTLM authentication is a weaker authentication
protocol than Kerberos and is vulnerable to replay and impersonation.

Security best practice: Do not enable Clipboard sharing in the remote control viewer.
More information: The Clipboard supports objects such as executable files and text and could be used by the user
on the host computer during the remote control session to run a program on the originating computer.

Security best practice: Do not enter passwords for privileged accounts when remotely administering a computer.
More information: Software that observes keyboard input could capture the password. Or, if the program that is
being run on the client computer is not the program that the remote control user assumes, the program might be
capturing the password. When accounts and passwords are required, the end user should enter them.

Security best practice: Lock the keyboard and mouse during a remote control session.
More information: If Configuration Manager detects that the remote control connection is terminated,
Configuration Manager automatically locks the keyboard and mouse so that a user cannot take control of the open
remote control session. However, this detection might not occur immediately and does not occur if the remote
control service is terminated.
Select the action Lock Remote Keyboard and Mouse in the ConfigMgr Remote Control window.

Security best practice: Do not let users configure remote control settings in Software Center.
More information: Do not enable the client setting Users can change policy or notification settings in
Software Center to help prevent users from being spied on. If one user changes it, it can allow a different
user on the same machine to be viewed remotely.
This setting is for the computer, not for the logged-on user.

Security best practice: Enable the Domain Windows Firewall profile.
More information: Enable the client setting Enable remote control on clients Firewall exception profiles and
then select the Domain Windows Firewall for intranet computers.

Security best practice: If you log off during a remote control session and log on as a different user, ensure
that you log off before you disconnect the remote control session.
More information: If you do not log off in this scenario, the session remains open.

Security best practice: Do not give users local administrator rights.
More information: When you give users local administrator rights, they might be able to take over your remote
control session or compromise your credentials.

Security best practice: Use either Group Policy or Configuration Manager to configure Remote Assistance
settings, but not both.
More information: You can use Configuration Manager and Group Policy to make configuration changes to the
Remote Assistance settings. When Group Policy is refreshed on the client, by default, it optimizes the process
by changing only the policies that have changed on the server. Configuration Manager changes the settings in
the local security policy, which might not be overwritten unless the Group Policy update is forced.
Setting policy in both places might lead to inconsistent results. Choose one of these methods to configure
your Remote Assistance settings.

Security best practice: Enable the client setting Prompt user for Remote Control permission .
More information: Although there are ways around this client setting that prompts a user to confirm a remote
control session, enable this setting to reduce the chance of users being spied upon while working on
confidential tasks.
In addition, educate users to verify the account name that is displayed during the remote control session and
disconnect the session if they suspect that the account is unauthorized.

Security best practice: Limit the Permitted Viewers list.
More information: Local administrator rights are not required for a user to be able to use remote control.

Security issues for remote control


Managing client computers by using remote control has the following security issues:
Do not consider remote control audit messages to be reliable.
If you start a remote control session and then log on by using alternative credentials, the original account
sends the audit messages, not the account that used the alternative credentials.
Audit messages are not sent if you copy the binary files for remote control rather than install the
Configuration Manager console, and then run remote control at the command prompt.

Privacy information for remote control


Remote control lets you view active sessions on Configuration Manager client computers and potentially view
any information stored on those computers. By default, remote control is not enabled.
Although you can configure remote control to provide prominent notice and get consent from a user before a
remote control session begins, it can also monitor users without their permission or awareness. You can
configure View Only access level so that nothing can be changed on the remote control, or Full Control. The
account of the connecting administrator is displayed in the remote control session, to help users identify who is
connecting to their computer.
By default, Configuration Manager grants the local Administrators group Remote Control permissions.
Before you configure remote control, consider your privacy requirements.
Introduction to power management in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Power Management in Configuration Manager addresses the need that many organizations have to monitor
and reduce the power consumption of their computers. The feature takes advantage of the power management
features built into Windows to apply relevant and consistent settings to computers in the organization. You can
apply different power settings to computers during business hours and nonbusiness hours. For example, you
might want to apply a more restrictive power plan to computers during nonbusiness hours. In cases where
computers must always remain turned on, you can prevent power management settings from being applied.
Power management in Configuration Manager includes several reports to help you analyze power consumption
and computer power settings in your organization. You can also use the reports to help you troubleshoot
problems with power management.
For a detailed workflow about how to configure and use power management, see Administrator checklist for
power management.

IMPORTANT
Configuration Manager power management is not supported on virtual machines. You cannot apply power plans to
virtual machines, nor can you report power data from them.

The power management workflow


Use the following three phases to plan and implement power management in Configuration Manager.
Monitoring and planning phase
Power Management uses Configuration Manager hardware inventory to collect data about computer usage and
power settings for computers in the site. There are a number of reports that you can use to analyze this data and
determine the optimal power management settings for computers. For example, during the monitoring and
planning phase of the power management workflow, you can create collections that are based on the data that
is included in the Power Capabilities report and use that data to identify the computers that are not capable of
power management. Then, you can exclude those computers from power management.

IMPORTANT
Do not apply power plans to computers in your site until you collect and analyze the power data from client computers. If
you apply new power management settings to computers without first examining the existing settings, you might
experience an increase in power consumption.

Enforcement phase
Power management lets you create power plans that you can apply to collections of computers in your site.
These power plans configure Windows power management settings on computers. You can use the power plans
that are included with Configuration Manager, or you can configure your own custom power plans. You can use
the power data that is collected during the monitoring and planning phase as a baseline to help you evaluate
power savings after you apply a power plan to computers. For more information, see Administrator checklist for
power management.
Compliance phase
In the compliance phase, you can run reports that help you to evaluate power usage and power cost savings in
your organization. You can also run reports that describe the improvements in the amount of CO2 generated by
computers. Reports are also available that help you validate that power settings were correctly applied to
computers and that help you troubleshoot problems with the power management feature.
Prerequisites for power management in Configuration Manager
2/16/2022 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


Power management in Configuration Manager has external dependencies and dependencies within the product.

Dependencies external to Configuration Manager


The following table lists the dependencies external to Configuration Manager for using power management.

Dependency: Client computers must be able to support the required power states.
More information: To use all features of power management, client computers must be able to support the sleep, hibernate, wake from sleep, and wake from hibernate actions. You can use the Power Capabilities report to determine if computers can support these actions. For more information, see Power Capabilities report in the topic How to monitor and plan for power management.

Configuration Manager dependencies


The following table lists the dependencies within Configuration Manager for using power management.

Dependency: Power management must be enabled before you can create and monitor power plans.
More information: For information about how to enable and configure power management, see Configuring power management.

Dependency: Reporting services point.
More information: You must configure a reporting services point before you can view power management reports. For more information, see Introduction to reporting.
Recommendations for power management in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use the following recommendations for power management in Configuration Manager.

Monitor at a representative time


The monitoring phase of power management provides you with the following information from computers in
your organization:
Power consumption
Activity
Power management capabilities
Environmental impact
Choose a representative time to monitor the devices. For example, monitoring during a public holiday doesn't
provide a realistic report on computer power usage.

Create a control collection


Create two collections of computers to help you monitor the effects of applying power plans to computers. The
first collection should contain the majority of the computers to which you want to apply power settings. The
control collection should contain the remaining computers. Apply the required power management plan to the
first collection. Then run reports to compare the impact between the two collections.

Run reports before you apply a plan


Before you apply a power management plan to a collection of computers, run the Power Settings report. Use
this report to help you understand the power management settings that are already configured on computers in
the collection. If you apply new power management settings to computers without first examining the existing
settings, it might increase their power consumption.

Exclude servers
Power management for computers that run Windows Server isn't supported. Add servers to a collection and
exclude it from power management.

NOTE
Although Configuration Manager doesn't support power management of Windows Server, it still collects power usage
data for analysis and reporting.

Exclude other computers


If you have computers that you don't want to manage with power management, add these computers to an
exclusion collection.
You might want to exclude from power management the following types of computers:
Computers that must remain turned on.
Computers that users need to connect to remotely.
Computers that can't use power management.
Computers that have the distribution point site system role.
Public computers such as kiosk computers, information displays, or monitoring consoles where the
computer and the monitor must always be turned on.
For more information, see Configuring power management.

Apply power plans to a test collection


Always test the effect of applying a power management plan on a test collection of computers before you apply
the power plan to a larger collection of computers.
When you exclude a computer from power management, all power settings revert to their original values. You
can't revert individual power settings to their original values.

Apply power plan settings individually


Monitor the effect of applying each power setting before you apply the next one. This process makes sure that
each setting has the required effect. For more information about power plan settings, see Available power
management plan settings.

Regularly monitor computers for multiple power plans


Power management includes a report that displays computers that have more than one power plan applied:
Computers with Multiple Power Plans.
If a computer is a member of multiple collections, each applying different power plans, then the following
behaviors apply:
Power plan: If you apply multiple values for power settings to a computer, it uses the least restrictive
value.
Wakeup time: If you apply multiple wakeup times to a desktop computer, it uses the time closest to
midnight.
For more information, see Computers with multiple power plans.

Save or export power management information


When you run reports during the monitoring and compliance phases, save or export the results. Keep the data
for later comparison in case Configuration Manager later removes the data.
Configuration Manager keeps in the site database the following power management information:
Power management information used by daily reports: 31 days
Power management information used by monthly reports: 13 months
Administrator checklist for power management in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


This administrator checklist provides the recommended steps for using Configuration Manager power
management in your organization.

Configuring power management


Use these steps to help you configure your hierarchy to collect power management information from client
computers.

IMPORTANT
Do not apply power plans to computers in your hierarchy until you have collected and analyzed power data from client
computers. If you apply new power management settings to computers without first examining the existing settings, this
might lead to an increase in power consumption.

Task: Review the power management concepts in the Configuration Manager documentation library.
Details: See Introduction to power management.

Task: Review the power management prerequisites in the Configuration Manager documentation library.
Details: See Prerequisites for power management.

Task: Review the best practices information for power management.
Details: See Best practices for power management.

Task: Configure your collections to manage power consumption from computers within your environment.
Details: Use the Collection for reporting of baseline data, Collection of computers incapable of power management, Collections of computers to which power plans will be applied, and Collections of computers that are running Windows Server to help you manage power settings for computers in your hierarchy. You can create multiple collections and apply different power plans to each collection.

Task: Enable power management.
Details: Before you can begin to use power management, you must enable it and configure the required client settings. For more information, see Configuring power management.

Task: Collect power management information from client computers.
Details: Power management data is reported by clients through Configuration Manager hardware inventory. Depending on the hardware inventory schedule that you have configured, it might take some time to retrieve inventory from all client computers.
Monitoring and planning phase
Task: Run the report Computer Activity.
Details: The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Computer Activity Details report, which displays the sleep and wake capabilities of computers in the specified collection. For more information, see How to monitor and plan for power management.

Task: Run the report Energy Consumption or Energy Consumption by Day.
Details: The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt-hours (kWh) for a specified collection over a specified time period. For more information, see How to monitor and plan for power management.

Task: Run the report Environmental Impact or Environmental Impact by Day.
Details: The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For more information, see How to monitor and plan for power management.

Task: Run the report Energy Cost or Energy Cost by Day.
Details: The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more information, see How to monitor and plan for power management.

Task: Run the report Power Capabilities.
Details: The Power Capabilities report displays the power management capabilities of computers in the specified collection. For more information, see How to monitor and plan for power management.

Task: Run the report Power Settings.
Details: The Power Settings report displays an aggregated list of the current power settings used by computers in a specified collection. For more information, see How to monitor and plan for power management.

Task: Exclude any required collections of computers from power management.
Details: See Configuring power management.

IMPORTANT
Ensure that you save the information from power management reports generated during the monitoring and planning
phase. You can compare this data to power management information generated during the enforcement and compliance
phases to help you evaluate the power usage, power cost, and environmental impact savings from applying a power plan
to computers in your hierarchy.

Enforcement phase
Task: Select existing power plans or create new power plans for collections of computers in your organization.
Details: See How to create and apply power plans.

Task: Apply these power plans to computers.
Details: See How to create and apply power plans.

Compliance phase
Task: Run the report Computer Activity.
Details: The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Power Computer Activity Details report, which displays the sleep and wake capabilities of computers in the specified collection. For more information, see How to monitor and plan for power management.

Task: Run the report Energy Consumption or Energy Consumption by Day.
Details: The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt-hours (kWh) for a specified collection over a specified time period. For more information, see How to monitor and plan for power management.

Task: Run the report Environmental Impact or Environmental Impact by Day.
Details: The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For more information, see How to monitor and plan for power management.

Task: Run the report Energy Cost or Energy Cost by Day.
Details: The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more information, see How to monitor and plan for power management.

Troubleshooting
Task: If computers in your hierarchy have not entered sleep or hibernate, run the report Insomnia Report to display possible causes.
Details: The Insomnia Report displays a list of common causes that prevented computers from entering sleep or hibernate and the number of computers affected by each cause for a specified time period. For more information, see How to monitor and plan for power management.

Task: If multiple power plans are applied to one computer, then the least restrictive power plan is applied. Run the report Computers with Multiple Power Plans to see computers with multiple power plans applied.
Details: See Computers with Multiple Power Plans in How to monitor and plan for power management.
Configure power management in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


This article explains how to set up power management in Configuration Manager.

Enable and configure client settings


This procedure configures the default client settings for power management. It applies to all the computers in
your hierarchy.
If you want to apply these settings to only some computers, create a custom device client setting. Then assign it
to a collection that contains the computers for power management. For more information, see How to configure
client settings.
1. In the Configuration Manager console, go to the Administration workspace, select the Client Settings
node, and select Default Client Settings.
2. On the Home tab of the ribbon, in the Properties group, select Properties.
3. Select the Power Management group.
4. Enable the client setting to Allow power management of devices.
5. Configure the additional client settings that you require. For more information, see About client settings -
Power Management.
Clients configure these settings when they next download client policy. To initiate policy retrieval for a single
client, see How to manage clients.

Exclude computers
You can prevent collections of computers from receiving power management settings. If a computer is a
member of any collection that you exclude from power management settings, that computer doesn't apply
power management settings. This behavior applies even if it's a member of another collection that does apply
power management settings.
You might want to exclude computers from power management for the following reasons:
You have a business requirement for computers to be turned on at all times.
You have a control collection of computers on which you don't want to apply power management
settings.
Some of your computers are incapable of applying power management settings.
You want to exclude computers that run Windows Server from power management.
NOTE
If you configure the client setting to Allow users to exclude their device from power management , users can
exclude their own computers from power management by using Software Center.

To find out which computers are excluded from power management, run the report Computers Excluded . For
more information about this report see How to monitor and plan for power management.

IMPORTANT
Excluding a computer from power management causes all power settings to be reverted to their original values. You
cannot revert individual power settings to their original values.

How to exclude a collection of computers from power management


1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Device Collections node.
2. Select the collection that you want to exclude from power management. In the Home tab of the ribbon, in
the Properties group, select Properties.
3. Switch to the Power Management tab, and select Never apply power management settings to
computers in this collection.

Next steps
How to create and apply power plans
How to monitor and plan for power management
How to create and apply power plans in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Power management in Configuration Manager enables you to apply power plans to collections of computers in
your hierarchy. Configuration Manager defines several power plans, or you can create your own custom power
plans.
You can only apply Configuration Manager power plans to device collections. If a computer is a member of
multiple collections, each with different power plans, then the following actions happen:
Power plan: If policy applies multiple values for power settings on a computer, it uses the least restrictive
value.
Wakeup time: If policy applies multiple wakeup times to a desktop computer, it uses the time closest to
midnight.
To display all computers that have multiple power plans applied to them, use the Computers with Multiple
Power Plans report. This report can help you discover computers that have power conflicts. For more
information about power management reports, see How to monitor and plan for power management.
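The conflict rules above (least restrictive setting value, desktop wakeup time closest to midnight), together with the rule in the exclusion section that membership in any excluded collection overrides every other collection, can be modelled to predict what a device will actually apply. The following is an added example, not Configuration Manager's own resolution code; it assumes the action ordering Do nothing < Sleep < Hibernate < Shut down (least to most restrictive), that "closest to midnight" is measured on either side of 00:00, and that a setting a plan leaves unconfigured does not take part in the merge, as the settings table states.

```python
"""Predict the effective power settings for one device that belongs to several
Configuration Manager collections, using the rules stated in the docs."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minute-based settings: 0 means "never", which is the least restrictive value.
MINUTE_SETTINGS = {
    "Turn off display after", "Sleep after",
    "Turn off hard disk after", "Hibernate after",
}
# Action settings, ordered from least to most restrictive (assumption).
ACTION_ORDER = ("Do nothing", "Sleep", "Hibernate", "Shut down")
ACTION_SETTINGS = {
    "Power button action", "Sleep button action", "Lid close action",
    "Low battery action", "Critical battery action",
}


@dataclass
class PowerPlan:
    name: str
    settings: Dict[str, object]   # only the settings this plan configures


@dataclass
class CollectionPolicy:
    """Power Management tab of one collection (constructed model)."""
    collection: str
    excluded: bool = False              # "Never apply power management settings"
    plan: Optional[PowerPlan] = None    # the peak or non-peak plan being evaluated
    wakeup_time: Optional[str] = None   # "HH:MM", desktops only


def least_restrictive(setting: str, values: List[object]) -> object:
    """Pick the least restrictive of several values for one setting."""
    if setting in MINUTE_SETTINGS:
        return 0 if 0 in values else max(values)
    if setting in ACTION_SETTINGS:
        return min(values, key=ACTION_ORDER.index)
    raise ValueError(f"no resolution rule known for {setting!r}")


def minutes_from_midnight(hhmm: str) -> int:
    """Distance of a wakeup time from 00:00, measured on either side."""
    hours, minutes = (int(p) for p in hhmm.split(":"))
    m = hours * 60 + minutes
    return min(m, 24 * 60 - m)


def resolve(memberships: List[CollectionPolicy], is_desktop: bool = True) -> dict:
    """Effective settings, chosen wakeup time, and the per-setting conflicts."""
    result = {"excluded": False, "settings": {}, "wakeup_time": None,
              "plans": [], "conflicts": {}}
    if any(m.excluded for m in memberships):
        result["excluded"] = True      # exclusion wins over every other collection
        return result
    applied = [m for m in memberships if m.plan is not None]
    result["plans"] = [m.plan.name for m in applied]
    by_setting: Dict[str, List[object]] = {}
    for m in applied:
        for setting, value in m.plan.settings.items():
            by_setting.setdefault(setting, []).append(value)
    for setting, values in by_setting.items():
        if len(set(values)) > 1:       # what Computers with Multiple Power Plans surfaces
            result["conflicts"][setting] = values
        result["settings"][setting] = least_restrictive(setting, values)
    if is_desktop:                     # wakeup times are never applied to portables
        times = [m.wakeup_time for m in memberships if m.wakeup_time]
        if times:
            result["wakeup_time"] = min(times, key=minutes_from_midnight)
    return result


def has_multiple_plans(result: dict) -> bool:
    return len(result["plans"]) > 1


if __name__ == "__main__":
    # Constructed plans and collections for a desktop in two collections.
    office = PowerPlan("Office peak (constructed)",
                       {"Sleep after": 15, "Turn off display after": 5,
                        "Power button action": "Sleep"})
    lab = PowerPlan("Lab peak (constructed)",
                    {"Sleep after": 0, "Turn off display after": 10,
                     "Power button action": "Shut down", "Lid close action": "Hibernate"})
    print(resolve([CollectionPolicy("Office", plan=office, wakeup_time="23:30"),
                   CollectionPolicy("Lab", plan=lab, wakeup_time="01:00")]))
```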
Make sure to review any power settings that you apply from group policy. Power settings configured by using
group policy will override settings configured by Configuration Manager power management.

IMPORTANT
Systems that you enable for Modern Standby (S0) won't apply Configuration Manager power policies. You'll see a
message similar to the following in the PwrProvider.log:
The "Required idleness to sleep" setting (<738eddaa-52e2-467f-b453-821ef2884d47>) is not supported on
this operating system. This setting will be ignored.
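Because the only visible symptom on a Modern Standby device is that PwrProvider.log message, a quick way to find such devices is to scan collected client logs for it. The following is an added example, not part of the documentation or the product; it assumes the common CMTrace record layout for the log and uses constructed log lines and device names.

```python
"""Scan PwrProvider.log text (CMTrace format) for the message the docs associate
with Modern Standby (S0) devices, where Configuration Manager power policies
are not applied. Sample records below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# GUID of the "Required idleness to sleep" setting, as quoted in the docs.
REQUIRED_IDLENESS_GUID = "738eddaa-52e2-467f-b453-821ef2884d47"

# One CMTrace record (layout assumed from the common client log format):
# <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
CMTRACE_RECORD = re.compile(
    r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!>"
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<comp>[^"]*)"'
    r'[^>]*?type="(?P<type>\d)"',
    re.DOTALL,
)
# The unsupported-setting message, with the setting GUID captured.
UNSUPPORTED_SETTING = re.compile(
    r"\(<(?P<guid>[0-9a-fA-F-]{36})>\) is not supported on this operating system"
)


@dataclass
class LogRecord:
    date: str
    time: str
    component: str
    severity: int      # CMTrace type: 1 info, 2 warning, 3 error
    message: str


def parse_cmtrace(text: str) -> List[LogRecord]:
    """Parse every CMTrace record found in a log file's text."""
    return [
        LogRecord(m["date"], m["time"], m["comp"], int(m["type"]), m["msg"])
        for m in CMTRACE_RECORD.finditer(text)
    ]


def ignored_setting_guids(records: List[LogRecord]) -> List[str]:
    """GUIDs of power settings the client logged as unsupported (and so ignored)."""
    guids = []
    for rec in records:
        m = UNSUPPORTED_SETTING.search(rec.message)
        if m:
            guids.append(m["guid"].lower())
    return guids


def modern_standby_suspected(records: List[LogRecord]) -> bool:
    """True when 'Required idleness to sleep' was reported unsupported."""
    return REQUIRED_IDLENESS_GUID in ignored_setting_guids(records)


def triage(logs: Dict[str, str]) -> Dict[str, bool]:
    """Map a device name to whether its PwrProvider.log shows the S0 symptom."""
    return {name: modern_standby_suspected(parse_cmtrace(text))
            for name, text in logs.items()}


# Constructed sample logs for two hypothetical devices.
SAMPLE_LOGS = {
    "DESKTOP-A1": (
        '<![LOG[Constructed sample record: policy evaluation started.]LOG]!>'
        '<time="09:14:58.101+000" date="02-16-2022" component="PwrProvider" '
        'context="" type="1" thread="4120" file="pwrprovider.cpp:42">\n'
        '<![LOG[The "Required idleness to sleep" setting '
        '(<738EDDAA-52E2-467F-B453-821EF2884D47>) is not supported on this '
        'operating system. This setting will be ignored.]LOG]!>'
        '<time="09:15:02.331+000" date="02-16-2022" component="PwrProvider" '
        'context="" type="2" thread="4120" file="pwrprovider.cpp:210">\n'
    ),
    "LAPTOP-B2": (
        '<![LOG[Constructed sample record: policy evaluation started.]LOG]!>'
        '<time="09:20:11.004+000" date="02-16-2022" component="PwrProvider" '
        'context="" type="1" thread="3360" file="pwrprovider.cpp:42">\n'
    ),
}

if __name__ == "__main__":
    for name, flagged in triage(SAMPLE_LOGS).items():
        print(f"{name}: {'power policies ignored (S0 suspected)' if flagged else 'ok'}")
```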

Create and apply a power plan


1. In the Configuration Manager console, go to the Assets and Compliance workspace.
2. In the Assets and Compliance workspace, select the Device Collections node.
3. In the Device Collections list, choose the collection to which you want to apply power management
settings. In the Home tab of the ribbon, in the Properties group, select Properties.
4. Switch to the Power Management tab of the collection, and select Specify power management
settings for this collection.

NOTE
You can also select Browse, and copy the power management settings from another collection to this collection.

5. Specify the Start and End time for peak (or business) hours.
6. To specify a time when a desktop computer wakes from sleep or hibernate, Enable Wakeup time
(desktop computers). When the client wakes up, it can install scheduled software updates or other
deployments.

IMPORTANT
Power management uses the internal Windows wakeup time feature to wake computers from sleep or hibernate.
Wakeup time settings aren't applied to portable computers to prevent scenarios in which they might wake when
not plugged in. The wake up time is randomized and computers will be woken over a one hour period from the
specified wakeup time.

7. If you want to configure a custom power plan for business hours, select Customized Peak
(ConfigMgr) from the Peak plan list, and then select Edit. If you want to configure a power plan for
non-business hours, select Customized Non-Peak (ConfigMgr) from the Non-peak plan list, and
then select Edit.

NOTE
You can use the Computer Activity report to help you decide the schedules to use for peak and non-peak
hours when you apply power plans to collections of computers. For more information, see How to monitor and
plan for power management.

You can also select from the built-in power plans: Balanced (ConfigMgr), High Performance
(ConfigMgr), and Power Saver (ConfigMgr). Select View to display the properties of each power
plan.

NOTE
You can't modify the built-in power plans.

8. For the power plan properties, configure the following settings:
Name: Specify a name for this power plan or use the supplied default value.
Description: Specify an optional description to further describe the plan in the console.
Specify the properties for this power plan: Configure the power plan properties. For more
information, see Available power management plan settings.

IMPORTANT
When the Configuration Manager client applies the power plan to the device, it applies the enabled
settings. If you unselect a power setting in the policy, the value on the client computer doesn't change
when it applies the power plan. This action also doesn't restore the power setting to its previous value
before a power plan was applied.

9. Select OK to save and close the power plan properties.


10. Select OK to save and close the collection properties, and to apply the power plan.

Available power plan settings


The following table lists the power management settings available in Configuration Manager. You can configure
separate settings for when the computer is plugged in or running on battery power. Depending on the version
of Windows you use, some settings might not be configurable.
NOTE
Power settings that you don't configure keep their current value on client computers.

Turn off display after (minutes): Specifies the length of time, in minutes, that the computer must be inactive before the display is turned off. If you don't want power management to turn off the display, specify a value of 0.

Sleep after (minutes): Specifies the length of time, in minutes, that the computer must be inactive before it enters sleep. If you don't want the device to sleep, specify a value of 0.

Require a password on wakeup: Yes specifies that a user has to unlock the computer when it wakes up.

Power button action: Specifies the action when you press the computer's power button: Do nothing, Sleep, Hibernate, or Shut down.

Start menu power button: Specifies the action when you press the computer's Start menu power button: Sleep, Hibernate, or Shut down.

Sleep button action: Specifies the action when you press the computer's Sleep button: Do nothing, Sleep, Hibernate, or Shut down.

Lid close action: Specifies the action when the user closes the lid of a portable computer: Do nothing, Sleep, Hibernate, or Shut down.

Turn off hard disk after (minutes): Specifies the length of time, in minutes, that the computer's hard disk must be inactive before it's turned off. If you don't want power management to turn off the computer's hard disk, specify a value of 0.

Hibernate after (minutes): Specifies the length of time, in minutes, that the computer must be inactive before it hibernates. If you don't want the device to hibernate, specify a value of 0.

Low battery action: Specifies the action when the computer's battery reaches the specified low battery notification level: Do nothing, Sleep, Hibernate, or Shut down.

Critical battery action: Specifies the action when the computer's battery reaches the specified critical battery notification level. When it's on battery: Sleep, Hibernate, or Shut down. When it's plugged in: Do nothing, Sleep, Hibernate, or Shut down.

Allow hybrid sleep: On specifies that Windows saves a hibernation file when it enters sleep. If there's a power loss while it's asleep, Windows uses this file to restore the computer's state. Hybrid sleep is designed for desktop computers. By default, it's not enabled on portable computers. Enabling hybrid sleep disables the hibernate functionality.

Allow standby state when sleeping action: On enables the computer to be on standby. This state still consumes some power, but enables the computer to wake faster. If this setting is Off, the computer can only hibernate or turn off.

Required idleness to sleep (%): Specifies the percentage of processor idle time required for the computer to enter sleep. For computers running Windows 7 and later, this value is always 0.

Enable Windows wake up timer for desktop computers: Set Enable to enable the built-in Windows timer to wake a desktop computer. When this timer wakes a desktop computer, it stays awake for 10 minutes by default. This time period allows the client to install any updates or to receive policy. Wakeup timers aren't supported on portable computers. This behavior prevents scenarios where they might wake when they're on limited battery power.
How to monitor and plan for power management in Configuration Manager
2/16/2022

Applies to: Configuration Manager (current branch)


Use the following information to help you monitor and plan for power management in Configuration Manager.

How to use reports for power management


Power management in Configuration Manager includes several reports to help you analyze power consumption
and computer power settings in your organization. The reports can also be used to help you troubleshoot
problems.
Before you can use the power management reports, you must configure reporting for your hierarchy. For more
information about reporting in Configuration Manager, see Introduction to reporting.

NOTE
Power management information used by daily reports is retained in the Configuration Manager site database for 31 days.
Power management information used by monthly reports is retained in the Configuration Manager site database for 13
months.
When you run reports during the monitoring and planning and compliance phases of power management, save or export
the results from any reports for which you want to retain the data for later comparison in case they are later removed by
Configuration Manager.

List of power management reports


The following lists details the power management reports that are available in Configuration Manager.

NOTE
Power management reports display the number of physical computers and the number of virtual computers in a selected
collection. However, only power management information from physical computers is displayed in power management
reports.

Computer Activity report


The Computer Activity report displays a graph showing the following activity for a specified collection over a
specified period:
Computer On – The computer has been turned on.
Monitor On – The monitor has been turned on.
User Active – Activity has been detected from the computer mouse, computer keyboard, or from a Remote Desktop connection to the computer.
This report is used during the monitoring and planning and enforcement stages to help you understand the alignment between computer activity, monitor activity, and user activity over a 24-hour period. If you run the report over a number of days, then the data is aggregated over this period. This report can help you to determine typical business (peak) and nonbusiness (non-peak) hours for a selected collection to help you decide when to apply configured power management plans.
The graph shows time periods where a computer might be turned on, but there is no user activity. Consider applying more restrictive power settings during these times to save on the power costs of computers that are turned on, but are not being used. A computer is counted as being active if there has been computer, user, or monitor activity for one minute or more for a displayed hour on the graph. If a computer is not reporting power management data, it will not be included in the Computer Activity report.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Start date: From the drop-down list, select the start date for this report.

End date (Optional): From the drop-down list, select an optional end date for this report.

Collection name: From the drop-down list, select a collection to use for this report.

Device type: From the drop-down list, select the type of computer for which you want a report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only).

Hidden report parameters


This report has no hidden parameters that you can set.
Report links
If a value for End date (optional) is not specified, this report contains a link to the following report which
provides further information.

Computer Activity Details: Click the Click for detailed information link to see a list of active, inactive, and non-reporting computers for the specified date. For more information, see Computer Activity Details Report in this topic.

Computer Activity by Computer report


The Computer Activity by Computer report displays a graph showing the following activity for a specified
computer on a specified date:
Computer On – The computer has been turned on.
Monitor On – The monitor has been turned on.
User Active – Activity has been detected from the computer mouse, computer keyboard, or from a
Remote Desktop connection to the computer.
This report can be run independently or called by the Computer Activity Details report.
NOTE
Information about computer activity is collected from client computers during hardware inventory. Depending on the
time at which hardware inventory runs, activity during an applied peak or non-peak power plan might be collected.

Use the following parameters to configure this report.


Required report parameters
The following parameters must be specified to run this report.

Report date: From the drop-down list, select a date for this report.

Computer name: Enter a computer name for which you want a report.

Hidden report parameters


This report has no hidden parameters that you can set.
Report links
This report contains links to the following report which provides further information about the selected item.

Computer Details: Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer.

Computer Activity Details report


The Computer Activity Details report displays a list of active or inactive computers with their sleep and wake
capabilities. This report is called by the Computer Activity Report and is not designed to be run directly by the
site administrator.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Collection name: From the drop-down list, select a collection to use for this report.

Report date: From the drop-down list, select a date to use for this report.

Report hour: From the drop-down list, select an hour from the specified date for which to run this report. Valid values are between 12am and 11pm.

Computer state: From the drop-down list, select the computer state for which to run this report. Valid values are All (computers that were turned on or off), On (computers that were turned on), and Off (computers that were turned off, in sleep, or in hibernate). These values are only returned for the chosen reporting period.

Device type: From the drop-down list, select the type of computer for which you want a report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Sleep capable: From the drop-down list, select if you want to display computers capable of sleep in the report. Valid values are All (both computers capable and incapable of sleep), No (computers that are incapable of sleep), and Yes (computers that are capable of sleep).

Wake from sleep capable: From the drop-down list, select if you want to display computers capable of wake from sleep in the report. Valid values are All (both computers capable and incapable of wake from sleep), No (computers that are incapable of wake from sleep), and Yes (computers that are capable of wake from sleep).

Power plan: From the drop-down list, select the power plan types you want to display in the report. Valid values are All (computers that do not have any power management plans applied; computers that have a power management plan applied; computers excluded from power management), Not specified (computers that do not have a power management plan applied), Defined (computers that have a power management plan applied), and Excluded (computers that have been excluded from power management).

Operating system: From the drop-down list, select the computer operating systems that you want to display in the report or select All to display all operating systems.

Hidden report parameters


This report has no hidden parameters that you can set.
Report links
This report contains links to the following report which provides further information about the selected item.

REP O RT N A M E DETA IL S

Computer Activity by Computer Click a computer name to see specific activity for that
computer over a chosen reporting period. These activities
include Computer on (has the computer been turned on?),
Monitor on (has the monitor been turned on?), and User
Active (activity has been detected from the computer's
mouse, keyboard, or a remote desktop connection).

For more information, see Computer Activity by Computer


Report in this topic.

Computer Details report
The Computer Details report displays detailed information about the power capabilities, power settings, and
power plans applied to a specified computer. This report is called by the Computer Activity by Computer
report, the Computers with Multiple Power Plans report, the Power Capabilities report and the Power
Settings Details report. It is not designed to be run directly by the site administrator.

Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Computer name               Enter a computer name for which you want a report.
Power mode                  From the drop-down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power.

Hidden report parameters
This report has no hidden parameters you can set.

Report links
This report does not link to any other power management reports.
Computer Not Reporting Details report
The Computer Not Reporting Details report displays a list of computers in a specified collection that have
not reported any power activity on a specified date and time. This report is called by the Computer Activity
Report and is not designed to be run directly by the site administrator.

NOTE
Computers report power management information as part of their hardware inventory schedule. Before you consider a
computer to not be reporting, ensure it has reported hardware inventory.

Use the following parameters to configure this report.

Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection name             From the drop-down list, select a collection to use for this report.
Report date                 From the drop-down list, select a date for this report.
Report hour                 From the drop-down list, select an hour from the specified date for which to run this report. Valid values are between 12am and 11pm.
Device type                 From the drop-down list, select the type of computer for which you want a report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters
This report has no hidden parameters that you can set.

Report links
This report does not link to any other power management reports.
Computers Excluded
The Computers Excluded report displays a list of computers in a specified collection that have been excluded
from Configuration Manager power management.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection                  From the drop-down list, select a collection for this report.
Reason                      From the drop-down list, select the reason why the computers were excluded from power management. You can display All (all excluded computers), Excluded by administrator (only computers that were excluded by an administrative user), and Excluded by user (only computers that were excluded by a user of Software Center).

Hidden report parameters
This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information about the selected item.

Report name                     Details
Power Computer Details          Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Computers with Multiple Power Plans
The Computers with Multiple Power Plans report displays a list of computers that are members of multiple
collections, each applying different power plans. For each computer with potentially conflicting power settings,
the report displays the computer name and the power plans being applied for each collection that the computer
is a member of.

IMPORTANT
If a computer is a member of multiple collections, where each collection has different power plans, then the least
restrictive power plan will be applied.
If a computer is a member of multiple collections, where each collection has different wakeup times, then the time closest
to midnight will be used.

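The two rules in the note above can be expressed as a small resolver. The following is an added example and is not part of the Configuration Manager documentation or the product's own plan-merging code: it applies the wake-up rule exactly as stated (the time closest to midnight wins, measured to the nearest midnight on a 24-hour clock), and it models "least restrictive" as an assumption for timeout-style settings only, with the longest timeout winning and a value of "never" (represented as None) counting as least restrictive of all. It also lists the settings on which the collections' plans disagree, which is the situation the Computers with Multiple Power Plans report surfaces. The collection names, setting names and plan values are constructed.

```python
"""Added example: resolve conflicting power plans the way the note describes.
Not Configuration Manager code; the "least restrictive" handling is an assumption."""
from datetime import time
from typing import Dict, Iterable, List, Optional

Minutes = Optional[int]   # None means "never" (the timeout is disabled)


def minutes_from_midnight(t: time) -> int:
    """Distance in minutes to the nearest midnight, so 23:30 and 00:30 are both 30."""
    m = t.hour * 60 + t.minute
    return min(m, 24 * 60 - m)


def resolve_wakeup_time(times: Iterable[Optional[time]]) -> Optional[time]:
    """Wake-up time closest to midnight; a tie keeps the earlier clock time (assumed)."""
    candidates = [t for t in times if t is not None]
    if not candidates:
        return None
    return min(candidates, key=lambda t: (minutes_from_midnight(t), t))


def resolve_timeout(values: Iterable[Minutes]) -> Minutes:
    """Least restrictive timeout (assumption): "never" beats any number, else the longest."""
    vals = list(values)
    if any(v is None for v in vals):
        return None
    return max(vals)


def resolve_power_plans(plans: List[dict]) -> dict:
    """plans: one dict per collection the computer belongs to, shaped as
    {"collection": str, "timeouts": {setting_name: Minutes}, "wakeup": time or None}.
    Returns the effective timeouts and wake-up time for that computer."""
    setting_names = sorted({name for p in plans for name in p["timeouts"]})
    effective = {
        name: resolve_timeout(p["timeouts"][name] for p in plans if name in p["timeouts"])
        for name in setting_names
    }
    return {"timeouts": effective,
            "wakeup": resolve_wakeup_time(p.get("wakeup") for p in plans)}


def conflicting_settings(plans: List[dict]) -> List[str]:
    """Settings on which the collections' plans disagree, i.e. what the report highlights."""
    values: Dict[str, set] = {}
    for p in plans:
        for name, v in p["timeouts"].items():
            values.setdefault(name, set()).add(v)
        if p.get("wakeup") is not None:
            values.setdefault("wakeup", set()).add(p["wakeup"])
    return sorted(name for name, vs in values.items() if len(vs) > 1)


# Constructed sample: one computer that is a member of three collections.
SAMPLE_PLANS = [
    {"collection": "Finance workstations",
     "timeouts": {"sleep_after": 30, "monitor_off_after": 10}, "wakeup": time(2, 0)},
    {"collection": "All desktops",
     "timeouts": {"sleep_after": 60, "monitor_off_after": 15}, "wakeup": time(23, 30)},
    {"collection": "Kiosk PCs",
     "timeouts": {"sleep_after": None}, "wakeup": time(3, 0)},
]

if __name__ == "__main__":
    print("conflicts:", conflicting_settings(SAMPLE_PLANS))
    print("effective:", resolve_power_plans(SAMPLE_PLANS))
```

With the sample plans the computer never sleeps (the Kiosk PCs plan disables the timeout), its monitor turns off after 15 minutes, and it wakes at 23:30, because 30 minutes before midnight is closer to midnight than 02:00 or 03:00 after it.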
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection name             From the drop-down list, select a collection for this report.

Hidden report parameters
This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information about the selected item.

Report name                     Details
Power Computer Details          Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Energy Consumption report
The Energy Consumption report displays the following information:
- A graph showing the total monthly power consumption of computers in kiloWatt per hour (kWh) in the
  specified collection for the specified time period.
- A graph showing the average power consumption in kiloWatt per hour (kWh) of each computer in the
  specified collection for the specified time period.
- A table showing the total monthly power consumption in kiloWatt per hour (kWh) and the average power
  consumption of computers in the specified collection for the specified time period.
This information can be used to help you to understand power consumption trends in your environment.
After applying a power plan to computers in the selected collection, the power consumption of
computers should decrease.

NOTE
If you add or remove members to the collection after you have applied a power plan, this will affect the results shown by
the Energy Consumption report and might make it more difficult to compare the results from the monitoring and
planning phase and the enforcement phase.

Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Start date                  From the drop-down list, select a start date for this report.
End date                    From the drop-down list, select an end date for this report.
Collection name             From the drop-down list, select a collection for this report.
Device type                 From the drop-down list, select the type of computer for which you want a report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name              Description
Desktop computer on         Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.
Laptop computer on          Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.
Desktop computer sleep      Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
Laptop computer sleep       Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.
Desktop computer off        Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.
Laptop computer off         Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.
Desktop monitor on          Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.
Laptop monitor on           Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Report links
This report does not link to any other power management reports.
Energy Consumption by Day report
The Energy Consumption by Day report displays the following information:
- A graph showing the total daily power consumption of computers in kiloWatt per hour (kWh) in the
  specified collection for the last 31 days.
- A graph showing the average daily power consumption in kiloWatt per hour (kWh) of each computer in
  the specified collection for the last 31 days.
- A table showing the total daily power consumption in kiloWatt per hour (kWh) and the average daily
  power consumption of computers in the specified collection for the last 31 days.
This information can be used to help you to understand power consumption trends in your environment.
After applying a power plan to computers in the selected collection, the power consumption of
computers should decrease.

NOTE
If you add or remove members to the collection after you have applied a power plan, this will affect the results shown by
the Energy Consumption report and might make it more difficult to compare the results from the monitoring and
planning phase and the enforcement phase.

Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection                  From the drop-down list, select a collection for this report.
Device Type                 From the drop-down list, select the type of computer for which you want to report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name              Description
Desktop computer on         Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.
Laptop computer on          Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.
Desktop computer sleep      Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
Laptop computer sleep       Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.
Desktop computer off        Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.
Laptop computer off         Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.
Desktop monitor on          Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.
Laptop monitor on           Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Report links
This report does not link to any other power management reports.
Energy Cost report
The Energy Cost report displays the following information:
- A graph showing the total monthly power cost for computers in the specified collection for the specified
  time period.
- A graph showing the average monthly power cost for each computer in the specified collection for the
  specified time period.
- A table showing the total monthly power cost and the average monthly power cost for computers in the
  specified collection for the last 31 days.
This information can be used to help you to understand power cost trends in your environment. After
applying a power plan to computers in the selected collection, the power cost for computers should
decrease.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Start date                  From the drop-down list, select a start date for this report.
End date                    From the drop-down list, select an end date for this report.
Cost of KwH                 Specify the cost per kWh of electricity. The default value is 0.09. You can modify the unit of currency used by this report in the hidden parameters section.
Collection name             From the drop-down list, select a collection to use for this report.
Device type                 From the drop-down list, select the type of computer for which you want to report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name              Description
Desktop computer on         Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.
Laptop computer on          Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.
Desktop computer sleep      Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
Laptop computer sleep       Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.
Desktop computer off        Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.
Laptop computer off         Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.
Desktop monitor on          Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.
Laptop monitor on           Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.
Currency                    Specify the currency label to use for this report. The default value is USD ($).

Report links
This report does not link to any other power management reports.
Energy Cost by Day report
The Energy Cost by Day report displays the following information:
- A graph showing the total daily power cost for computers in the specified collection for the last 31 days.
- A graph showing the average daily power cost for each computer in the specified collection for the last
  31 days.
- A table showing the total daily power cost and the average daily power cost for computers in the
  specified collection for the last 31 days.
This information can be used to help you to understand power cost trends in your environment. After
applying a power plan to computers in the selected collection, the power cost for computers should
decrease.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection name             From the drop-down list, select a collection to use for this report.
Device type                 From the drop-down list, select the type of computer you want to report about. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.
Cost of KwH                 Specify the cost per kWh of electricity. The default value is 0.09. You can modify the unit of currency used by this report in the hidden parameters section.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name              Description
Desktop computer on         Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.
Laptop computer on          Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.
Desktop computer sleep      Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
Laptop computer sleep       Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.
Desktop computer off        Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.
Laptop computer off         Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.
Desktop monitor on          Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.
Laptop monitor on           Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.
Currency                    Specify the currency label to use for this report. The default value is USD ($).

Report links
This report does not link to any other power management reports.
Environmental Impact report
The Environmental Impact report displays the following information:
- A graph showing the total monthly CO2 generated (in tons) for computers in the specified collection for
  the specified time period.
- A graph showing the average monthly CO2 generated (in tons) for each computer in the specified
  collection for the specified time period.
- A table showing the total monthly CO2 generated and the average monthly CO2 generated for
  computers in the specified collection for the specified time period.
The Environmental Impact report calculates the amount of CO2 generated (in tons) by using the time
that a computer or monitor was turned on in a 24 hour period.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name                      Description
Report start date                   From the drop-down list, select a start date for this report.
Report end date                     From the drop-down list, select an end date for this report.
Collection name                     From the drop-down list, select a collection for this report.
Device type                         From the drop-down list, select the type of computer for which you want a report. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name                      Description
Desktop computer on                 Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour.
Laptop computer on                  Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour.
Desktop computer sleep              Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
Laptop computer sleep               Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour.
Desktop computer off                Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour.
Laptop computer off                 Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour.
Desktop monitor on                  Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour.
Laptop monitor on                   Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.
Carbon Factor (tons/kWh) (CO2Mix)   Specify the value for carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Report links
This report does not link to any other power management reports.
Environmental Impact by Day report
The Environmental Impact by Day report displays the following information:
- A graph showing the total daily CO2 generated (in tons) for computers in the specified collection for the
  last 31 days.
- A graph showing the average daily CO2 generated (in tons) for each computer in the specified collection
  for the last 31 days.
- A table showing the total daily CO2 generated and the average daily CO2 generated for computers in the
  specified collection for the last 31 days.
The Environmental Impact by Day report calculates the amount of CO2 generated (in tons) by using
the time that a computer or monitor was turned on in a 24 hour period.
Required report parameters
The following parameters must be specified to run this report.

Parameter name                      Description
Collection name                     From the drop-down list, select a collection for this report.
Device type                         From the drop-down list, select the type of computer you want to report about. Valid values are All (both desktop and portable computers), Desktop (desktop computers only), and Laptop (portable computers only). These values are only returned for the chosen reporting period.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name                      Description
Desktop computer on                 Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kWh.
Laptop computer on                  Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kWh.
Desktop computer off                Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kWh.
Laptop computer off                 Specify the power consumption of a portable computer when it is turned off. The default value is 0 kWh.
Desktop computer sleep              Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kWh.
Laptop computer sleep               Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kWh.
Desktop monitor on                  Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kWh.
Laptop monitor on                   Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kWh.
Carbon Factor (tons/kWh) (CO2Mix)   Specify a value for the carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Report links
This report does not link to any other power management reports.
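
The Energy Consumption, Energy Cost and Environmental Impact reports above (and their "by Day" variants) all share the same set of hidden parameters, and the three figures they chart can be read as one computation. The following is an added example and is not part of the Configuration Manager documentation or the product's own report definitions, whose SQL is not shown on this page: it takes the hours a computer spent in each state, multiplies them by the kW figure from the corresponding hidden parameter, sums to kWh, then scales by the Cost of KwH value and by the Carbon Factor. The arithmetic, the state names and the per-day activity records are assumptions for illustration; the numeric defaults are the ones documented above, and the sample activity is constructed. Changing a hidden parameter (for example, setting the monitor figure to 0) shows directly how much of a collection's total depends on that single assumption.

```python
"""Added example: a simplified model of the energy, cost and CO2 figures
the power management reports chart. Not Configuration Manager code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Default values of the hidden report parameters, as documented on the page.
DEFAULT_RATES_KW: Dict[Tuple[str, str], float] = {
    ("desktop", "on"): 0.07,
    ("laptop", "on"): 0.02,
    ("desktop", "sleep"): 0.003,
    ("laptop", "sleep"): 0.001,
    ("desktop", "off"): 0.0,
    ("laptop", "off"): 0.0,
    ("desktop", "monitor_on"): 0.028,
    ("laptop", "monitor_on"): 0.0,
}
DEFAULT_COST_PER_KWH = 0.09      # "Cost of KwH" default; currency label defaults to USD ($)
DEFAULT_CARBON_FACTOR = 0.0015   # "Carbon Factor (tons/kWh)" default


@dataclass(frozen=True)
class DayActivity:
    """Hours one computer spent in each state during a 24-hour period.
    Hypothetical input shape: the reports derive these hours from the
    clients' reported power activity, which this example does not read."""
    name: str
    device_type: str        # "desktop" or "laptop"
    hours_on: float
    hours_sleep: float
    hours_monitor_on: float

    @property
    def hours_off(self) -> float:
        return 24.0 - self.hours_on - self.hours_sleep

    def validate(self) -> None:
        if self.device_type not in ("desktop", "laptop"):
            raise ValueError(f"{self.name}: unknown device type {self.device_type!r}")
        if min(self.hours_on, self.hours_sleep, self.hours_monitor_on) < 0:
            raise ValueError(f"{self.name}: negative hours")
        if self.hours_on + self.hours_sleep > 24.0:
            raise ValueError(f"{self.name}: more than 24 hours of activity")
        if self.hours_monitor_on > self.hours_on:
            raise ValueError(f"{self.name}: monitor on longer than the computer was on")


def daily_kwh(day: DayActivity, rates=DEFAULT_RATES_KW) -> float:
    """Energy for one computer-day: the sum over states of hours * kW."""
    day.validate()
    t = day.device_type
    return (day.hours_on * rates[(t, "on")]
            + day.hours_sleep * rates[(t, "sleep")]
            + day.hours_off * rates[(t, "off")]
            + day.hours_monitor_on * rates[(t, "monitor_on")])


def collection_summary(days: Iterable[DayActivity],
                       cost_per_kwh: float = DEFAULT_COST_PER_KWH,
                       carbon_factor: float = DEFAULT_CARBON_FACTOR,
                       rates=DEFAULT_RATES_KW) -> dict:
    """Totals and per-computer averages for a collection over the supplied
    days: kWh (Energy Consumption), cost (Energy Cost) and CO2 in tons
    (Environmental Impact)."""
    per_computer: Dict[str, float] = {}
    for d in days:
        per_computer[d.name] = per_computer.get(d.name, 0.0) + daily_kwh(d, rates)
    if not per_computer:
        raise ValueError("no activity data for the collection")
    total_kwh = sum(per_computer.values())
    n = len(per_computer)
    return {
        "computers": n,
        "total_kwh": round(total_kwh, 4),
        "average_kwh": round(total_kwh / n, 4),
        "total_cost": round(total_kwh * cost_per_kwh, 4),
        "total_co2_tons": round(total_kwh * carbon_factor, 6),
    }


# Constructed sample: one day of activity for two computers in a collection.
SAMPLE_DAYS = [
    DayActivity("DESKTOP01", "desktop", hours_on=10, hours_sleep=8, hours_monitor_on=9),
    DayActivity("LAPTOP01", "laptop", hours_on=6, hours_sleep=12, hours_monitor_on=6),
]

if __name__ == "__main__":
    for d in SAMPLE_DAYS:
        print(f"{d.name}: {daily_kwh(d):.3f} kWh")
    print(collection_summary(SAMPLE_DAYS))
```

For the sample day the desktop accounts for 0.976 kWh (0.7 on, 0.024 asleep, 0.252 for the monitor) and the laptop for 0.132 kWh, so the collection total is 1.108 kWh, which at the default rate costs 0.0997 and corresponds to 0.001662 tons of CO2. The validation step rejects records whose hours do not fit in a day or whose monitor time exceeds the time the computer was on, the kind of inconsistency that would otherwise silently skew a comparison between the monitoring phase and the enforcement phase.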
Insomnia Computer Details report
The Insomnia Computer Details report displays a list of computers that did not sleep or hibernate for a
specific reason within a specified time period. This report is called by the Insomnia Report and is not designed
to be run directly by the site administrator.
The Insomnia Report displays computers as Not sleep capable when they are not capable of sleep and have
been turned on during the entire specified report interval. The report displays computers as Not hibernate
capable when they are not capable of hibernate and have been turned on during the entire specified report
interval.

NOTE
Power management can only collect causes that prevented computers from entering sleep or hibernate from computers
running Windows 7 or Windows Server 2008 R2.

Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection name             From the drop-down list, select a collection to use for this report.
Report interval (days)      Specify the number of days to report. The default value is 7 days.
Cause of Insomnia           From the drop-down list, select one of the causes that can prevent computers from entering sleep or hibernate.

Hidden report parameters
This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information about the selected item.

Report name                     Details
Computer Details                Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.
Insomnia report
The Insomnia Report displays a list of common causes that prevented computers from entering sleep or
hibernate and the number of computers affected by each cause for a specified time period. There are a number
of causes that might prevent a computer from entering sleep or hibernate such as a process running on the
computer, an open Remote Desktop session, or that the computer is incapable of sleep or hibernate. From this
report, you can open the Insomnia Computer Details report which displays a list of computers affected by
each cause of computers not sleeping or hibernating.
The Power Insomnia report displays computers as Not sleep capable when they are not capable of sleep and
have been turned on during the entire specified report interval. The report displays computers as Not
hibernate capable when they are not capable of hibernate and have been turned on during the entire
specified report interval.

NOTE
Power management can only collect causes that prevented computers from entering sleep or hibernate from computers
running Windows 7 or Windows Server 2008 R2.

Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection name             From the drop-down list, select a collection to use for this report.
Report interval (days)      Specify the number of days to report. The default value is 7 days. The maximum value is 365 days. Specify 0 to run the report for today.

Hidden report parameters
This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information about the selected item.

Report name                     Details
Insomnia Computer Details       Click a number in the Affected Computers column to see a list of computers that could not sleep or hibernate because of the selected cause. For more information, see Insomnia Computer Details Report in this topic.
Power Capabilities report
The Power Capabilities report displays the power management hardware capabilities of computers in the
specified collection. This report is typically used in the monitoring phase of power management to determine
the power management capabilities of computers in your organization. The information displayed in the report
can then be used to create collections of computers to apply power plans to, or to exclude from power
management. The power management capabilities displayed by this report are:
- Sleep Capable: Indicates whether the computer has the capability to enter sleep if it is configured to do so.
- Hibernate Capable: Indicates whether the computer can enter hibernate if it is configured to do so.
- Wake from Sleep: Indicates whether the computer can wake from sleep if it is configured to do so.
- Wake from Hibernate: Indicates whether the computer can wake from hibernate if it is configured to do so.
The values reported by the Power Capabilities report indicate the sleep and hibernate capabilities of
computers as reported by Windows. However, the reported values do not reflect cases where Windows
or BIOS settings prevent these functions from working.
Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection                  From the drop-down list, select a collection for this report.
Display Filter              From the drop-down list, select Not Supported to display only computers in the specified collection that are incapable of sleep, hibernate, wake from sleep, or wake from hibernate. Select Show All to display all computers in the specified collection.

Hidden report parameters
This report has no hidden parameters that you can set.

Report links
This report contains links to the following report which provides further information about the selected item.

Report name                     Details
Computer Details                Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.
Power Settings report
The Power Settings report displays an aggregated list of power settings used by computers in the specified
collection. For each power setting, the possible power modes, values, and units are displayed, together with a
count of the number of computers that use those values. This report can be used during the monitoring phase
of power management to help the administrator understand the existing power settings used by computers in
the site and to help plan optimal power settings to be applied by using a power management plan. The report is
also useful when troubleshooting to validate that power settings were correctly applied.

NOTE
The settings displayed are collected from client computers during hardware inventory. Depending on the time at which
hardware inventory runs, settings from applied peak or non-peak power plans might be collected.

Use the following parameters to configure this report.
Required report parameters
The following parameters must be specified to run this report.

Parameter name              Description
Collection name             From the drop-down list, select a collection for this report.

Hidden report parameters
The following hidden parameters can optionally be specified to change the behavior of this report.

Parameter name              Description
numberOfLocalizations       Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

Report links
This report contains links to the following report which provides further information about the selected item.

Report name                     Details
Power Settings Details          Click the number of computers in the Computers column to see a list of all computers that use the power settings in that row. For more information, see Power Settings Details Report in this topic.
Power Settings Details report
The Power Settings Details report displays further information about computers selected in the Power
Settings report. This report is called by the Power Settings report and is not designed to be run directly by
the site administrator.
Required report parameters
The following parameters must be specified to run this report.

PARAMETER NAME       DESCRIPTION

Collection           From the drop-down list, select a collection to use for this report.

Power Setting GUID   From the drop-down list, select the power setting GUID on which you want to report. For a list
                     of all power settings and their uses, see Available power management plan settings in the topic
                     How to create and apply power plans.

Power Mode           From the drop-down list, select the type of power settings you want to display in the report
                     results. Select Plugged In to view the power settings configured for when the computer is
                     plugged in and On Battery to view the power settings configured for when the computer is
                     running on battery power.

Setting Index        From the drop-down list, select the value for the selected power setting name on which you
                     want to report. For example, if you want to display all computers with the turn off hard disk
                     after setting set to 10 minutes, select turn off hard disk after for Power Setting Name and
                     10 for Setting Index.

Hidden report parameters


The following hidden parameters can optionally be specified to change the behavior of this report.

PARAMETER NAME         DESCRIPTION

numberOfLocalizations  Specify the number of languages in which you want to view power setting names reported by
                       client computers. If you only want to view the most popular language, leave this setting at
                       the default of 1. To view all languages, set this value to 0.

Report links
This report contains links to the following report which provides further information about the selected item.

REPORT NAME        DETAILS

Computer Details   Click a computer name to see the power capabilities, power settings, and applied power plans for
                   the selected computer.

                   For more information, see Computer Details Report in this topic.
Security and privacy for power management in
Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


This section contains security and privacy information for power management in Configuration Manager.

Security best practices for power management


There are no security-related best practices for power management.

Privacy information for power management


Power management uses features that are built into Windows to monitor power usage and to apply power
settings to computers during business hours and nonbusiness hours. Configuration Manager collects power
usage information from computers, which includes data about when a user is using a computer. Although
Configuration Manager monitors power usage for a collection rather than for each computer, a collection can
contain just one computer. Power management is not enabled by default and must be configured by an
administrator.
The power usage information is stored in the Configuration Manager database and is not sent to Microsoft.
Detailed information is retained in the database for 31 days and summarized information is retained for 13
months. You cannot configure the deletion interval.
Before you configure power management, consider your privacy requirements.
Upgrade clients in Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can use different methods to upgrade the Configuration Manager client software on Windows computers
and Mac computers. Here are the advantages and disadvantages of each method.

TIP
If you are upgrading your server infrastructure from System Center 2012 Configuration Manager, before upgrading the
Configuration Manager clients, complete the server upgrades including installing all current branch updates. This process
makes sure that you'll have the most recent version of the client software.

Group Policy installation


Supported client platform: Windows
Advantages:
Doesn't require computers to be discovered before the client can be upgraded.
Can be used for new client installations or for upgrades.
Computers can read client installation properties that have been published to Active Directory Domain
Services.
Doesn't require you to configure and maintain an installation account for the intended client computer.
Disadvantages:
Can cause high network traffic if you're upgrading many clients.
If you don't extend the Active Directory schema for Configuration Manager, use Group Policy settings.
These settings add client installation properties to computers in your site.

Logon script installation


Supported client platform: Windows
Advantages:
Doesn't require computers to be discovered before the client can be installed.
Can be used for new client installations or for upgrades.
Supports using command-line properties for CCMSetup.
Disadvantages:
Can cause high network traffic if you're upgrading many clients in a short time.
Can take a long time to upgrade all client computers if users don't frequently sign in to the network.
For more information, see How to install clients by using logon scripts.
Manual installation
Supported client platform: Windows , macOS
Advantages:
Doesn't require computers to be discovered before the client can be upgraded.
Can be useful for testing purposes.
Supports using command-line properties for CCMSetup.
Disadvantages:
No automation, so can be time consuming.
For more information, see the following articles:
How to install clients manually
How to upgrade clients on Mac computers

Upgrade installation (application management)


Supported client platform: Windows
Advantages:
Supports using command-line properties for CCMSetup.
Disadvantages:
Can cause high network traffic if you distribute the client to large collections.
Can only be used to upgrade the client software on computers that have been discovered and assigned to
the site.
For more information, see How to install clients by using a package and program.

Automatic client upgrade


Supported client platform: Windows
Advantages:
Because of the randomization over the specified period, only auto-upgrade is suitable for large-scale
client upgrades. Other methods are either too slow on large scale, or don't have randomization.

NOTE
Client piloting isn't good for large scale as it doesn't randomize at all.

Can be used to automatically keep clients in your site at the latest version.
Requires minimal administration.
Disadvantages:
Can only be used to upgrade the client software and can't be used to install a new client.
Applies to all clients in the hierarchy that are assigned to a site. Can't be scoped by collection.
Limited scheduling options.
For more information, see How to upgrade clients for Windows computers.

Client testing
Supported client platform: Windows
Advantages:
Can be used to test new client versions in a smaller pre-production collection.
When testing is complete, clients in pre-production are promoted to production and automatically
upgraded across the Configuration Manager site.
Disadvantages:
Can only be used to upgrade the client software and can't be used to install a new client.
For more information, see How to test client upgrades in a pre-production collection.

Next steps
How to test client upgrades in a pre-production collection
How to exclude clients from upgrade
How to upgrade clients for Windows computers
How to test client upgrades in a pre-production
collection
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


You can test a new Configuration Manager client version in a pre-production collection before upgrading the
rest of the site with it. When you do this process, the site only updates devices that are part of the test collection.
Once you've had a chance to test the client, you can promote the client. Client promotion makes the new version
of the client software available to the rest of the site.

NOTE
Only a user with the Full Administrator security role and the All security scope can promote a test client to production.
For more information, see Fundamentals of role-based administration. This action is only available when connected to the
central administration site (CAS) or a standalone primary site.

There are three steps to test clients in pre-production:


1. Configure automatic client upgrades to use a pre-production collection.
2. Install a Configuration Manager update that includes a new version of the client.
3. Promote the new client to production.

Configure automatic client upgrades to use a pre-production collection

IMPORTANT
Pre-production client deployment isn't supported for workgroup computers. They can't use the authentication required
for the distribution point to access the pre-production client package. They'll receive the latest client when it's promoted
to be the production client.

1. Set up a collection that contains the computers to which you want to deploy the pre-production client.
2. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node. In the ribbon, select Hierarchy Settings .
3. Switch to the Client Upgrade tab, and configure the following settings:
Select Upgrade all clients in the pre-production collection automatically using pre-
production client .
Select a collection to use as the Pre-production collection .
NOTE
Only a user with the Full Administrator security role and the All security scope can change these settings.

Configure client upgrades during site update


1. In the Configuration Manager console, go to the Administration workspace, and select the Updates
and Servicing node. Select an available update, and then in the ribbon select Install Update Pack .
For more information on installing updates, see Updates for Configuration Manager.
2. During installation of the update, on the Client Options page of the wizard, select Test in pre-
production collection .
3. Complete the rest of the wizard and install the update pack.
After the wizard completes, clients in the pre-production collection will begin to deploy the updated client. You
can monitor the deployment of upgraded clients in the console. Go to the Monitoring workspace, expand
Client Status , and select the Pre-production Client Deployment node. For more information, see How to
monitor client deployment status.

NOTE
For computers in a pre-production collection that also host site system roles, their deployment status may report as Not
compliant . This state may show even when the client was successfully updated. When you promote the client to
production, the deployment status reports correctly.

Promote a new client to production


1. In the Configuration Manager console, go to the Administration workspace, and select the Updates
and Servicing node. In the ribbon, select Promote Pre-production Client .
TIP
The Promote Pre-production Client action is also available when you monitor client deployments in the
console at Monitoring > Client Status > Pre-production Client Deployment .

2. Review the client versions in production and pre-production, and make sure the correct pre-production
collection is specified. When ready, select Promote , and then select Yes to confirm.
The updated client version now replaces the client version in use in your hierarchy. You can then upgrade the
clients for your whole site. For more information, see How to upgrade clients for Windows computers.

NOTE
To enable the pre-production client, or to promote a pre-production client to a production client, your account must be a
member of a security role that has Read and Modify permissions for the Update Packages object.
Client upgrades honor any Configuration Manager maintenance windows you have configured.

Next steps
How to exclude clients from upgrade
How to upgrade clients for Windows computers
How to exclude clients from upgrade in
Configuration Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


You can exclude a collection of clients from automatically installing updated client versions. Use this exclusion
for a collection of computers that need greater care when upgrading the client. A client that's in an excluded
collection ignores requests to install updated client software.
This exclusion applies to the following methods:
Automatic upgrade
Software update-based upgrade
Logon scripts
Group policy

NOTE
Although the user interface states that clients won't upgrade via any method, there are two methods you can use to
override these settings. Use client push or manual client installation to override this configuration. For more information,
see How to upgrade an excluded client.

Configure exclusion
1. In the Configuration Manager console, go to the Administration workspace. Expand Site
Configuration , select the Sites node, and then select Hierarchy Settings in the ribbon.
2. Switch to the Client Upgrade tab.
3. Select the option to Exclude specified clients from upgrade . Then select the Exclusion collection
you want to exclude. You can only select a single collection for exclusion.
4. Select OK to close and save the configuration.
After clients in the excluded collection update policy, they don't automatically install client updates. For more
information, see How to upgrade clients for Windows computers.

NOTE
Excluded clients still download and run Ccmsetup, but don't upgrade.

When you remove a client from the exclude collection, it doesn't automatically upgrade until the next auto-
upgrade cycle.

How to upgrade an excluded client


If a device is a member of a collection that you excluded from upgrade, you can still upgrade the client using one
of the following methods:
Client push installation : Ccmsetup allows client push installation because it's your direct intent. This
method lets you upgrade a client without removing it from the collection, or removing the entire
collection from exclusion.
Manual client installation : Manually upgrade an excluded client by using the following Ccmsetup
command-line parameter: /IgnoreSkipUpgrade
If you attempt to manually upgrade a client that's a member of the excluded collection, and don't use this
parameter, the client doesn't upgrade. For more information, see How to install Configuration Manager
clients manually.

Next steps
How to upgrade clients for Windows computers
Extended interoperability client
How to upgrade clients for Windows computers in
Configuration Manager
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Upgrade the Configuration Manager client on Windows computers using client installation methods or the
automatic client upgrade feature. The following client installation methods are valid ways to upgrade client
software on Windows computers:
Group policy installation
Logon script installation
Manual installation
Upgrade installation
For more information, see How to deploy clients to Windows computers.
Exclude clients from upgrade by specifying an exclusion collection. For more information, see How to exclude
clients from upgrade. Excluded clients still download and run CCMSETUP, but won't upgrade.

TIP
If you upgrade your server infrastructure from a previous version of Configuration Manager, complete the server upgrades
before upgrading the Configuration Manager clients. This process includes installing all current branch updates. The latest
current branch update contains the latest version of the client. Upgrade clients after you have installed all of the
Configuration Manager updates.

NOTE
If you plan to reassign the site for the clients during upgrade, specify the new site using the SMSSITECODE client.msi
property. If you use the value of AUTO for the SMSSITECODE , also specify SITEREASSIGN=TRUE . This property allows for
automatic site reassignment during upgrade. For more information, see Client installation properties - SMSSITECODE.
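The manual upgrade path for an excluded client (the /IgnoreSkipUpgrade parameter described under How to upgrade an excluded client) and the site-reassignment properties in the note above can be driven from one script. The following PowerShell is an added example, not code from the Configuration Manager documentation or product: it builds the ccmsetup.exe command line, waits for the ccmsetup service to finish, and then reads the installed client version back from the client's own WMI namespace. The ccmsetup.exe path, the management point FQDN and the site code are placeholders you supply; everything else uses only the switches and properties named in this article.

```powershell
# Added example (not from the Configuration Manager documentation): manually upgrade a
# client that belongs to the exclusion collection, optionally reassigning it to a new site.
# Assumed: runs elevated on the client; ccmsetup.exe was copied locally; the path,
# management point and site code below are placeholders.
param(
    [string]$CcmSetupPath    = 'C:\Temp\ccmsetup.exe',    # placeholder: copy from the site's Client folder
    [string]$ManagementPoint = 'mp01.contoso.local',      # placeholder management point FQDN
    [string]$NewSiteCode     = '',                        # placeholder; leave empty to keep the current site
    [switch]$Excluded                                     # set when the device is in the exclusion collection
)

function Get-CMClientVersion {
    # The installed client publishes its version in root\ccm:SMS_Client.
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
    if ($client) { return $client.ClientVersion }
    return $null
}

function New-CcmSetupArgumentList {
    param([string]$Mp, [string]$SiteCode, [bool]$IgnoreSkipUpgrade)
    # ccmsetup switches (/name) come first, client.msi properties (NAME=value) after them.
    $argList = @("/mp:$Mp")
    if ($IgnoreSkipUpgrade) {
        # Without this switch an excluded client still runs ccmsetup but does not upgrade.
        $argList += '/IgnoreSkipUpgrade'
    }
    if ($SiteCode) {
        # SMSSITECODE names the target site; SITEREASSIGN=TRUE allows an already-assigned
        # client to move during the upgrade (see the note on site reassignment).
        $argList += "SMSSITECODE=$SiteCode"
        $argList += 'SITEREASSIGN=TRUE'
    }
    return $argList
}

$before = Get-CMClientVersion
Write-Host "Client version before upgrade: $before"

$ccmArgs = New-CcmSetupArgumentList -Mp $ManagementPoint -SiteCode $NewSiteCode -IgnoreSkipUpgrade $Excluded.IsPresent
Write-Host "Running: $CcmSetupPath $($ccmArgs -join ' ')"
Start-Process -FilePath $CcmSetupPath -ArgumentList $ccmArgs -Wait

# The ccmsetup.exe you launch hands off to the ccmsetup service and exits almost at once,
# so the real result is only known once that service is no longer running.
do {
    Start-Sleep -Seconds 30
    $svc = Get-Service -Name 'ccmsetup' -ErrorAction SilentlyContinue
} while ($svc -and $svc.Status -eq 'Running')

$after = Get-CMClientVersion
if ($after -and $after -ne $before) {
    Write-Host "Client upgraded: $before -> $after"
} else {
    Write-Warning "Client version is still '$after'. Review C:\Windows\ccmsetup\Logs\ccmsetup.log; an excluded client run without /IgnoreSkipUpgrade logs the run but leaves the client unchanged."
}
```

Run it with -Excluded for a device in the exclusion collection, and add -NewSiteCode only when the upgrade is also meant to move the client; the version check at the end is what tells you whether the exclusion was actually bypassed rather than silently honored.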

About automatic client upgrade


Configure the site to automatically upgrade clients to the latest Configuration Manager version. When
Configuration Manager identifies an assigned client's version is earlier than the hierarchy version, it
automatically upgrades the client. This scenario includes upgrading the client to the latest version when it
attempts to assign to a Configuration Manager site.
A client can automatically upgrade in the following scenarios:
The client version is earlier than the version used in the hierarchy.
The client on the central administration site (CAS) has a language pack installed and the existing client
doesn't.
A client prerequisite in the hierarchy is a different version than the one installed on the client.
One or more of the client installation files are a different version.

NOTE
To identify the different versions of the Configuration Manager client in your hierarchy, use the report Count of
Configuration Manager clients by client versions in the report folder Site - Client Information .
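The same version breakdown that the Count of Configuration Manager clients by client versions report gives you can be pulled ad hoc from the SMS Provider. The following PowerShell is an added example and not part of the Configuration Manager documentation: it queries SMS_R_System for resources that have a client, groups them by ClientVersion, and flags versions older than the production client. The site code, SMS Provider server and production version are placeholders; read the real production version from Hierarchy Settings > Client Upgrade in the console.

```powershell
# Added example (not from the Configuration Manager documentation): summarize installed
# client versions through the SMS Provider. Assumed placeholders: site code PS1, SMS
# Provider cm01.contoso.local, and a production client version; run as an account with
# read access to the site's WMI namespace.
param(
    [string]$SiteCode          = 'PS1',                # placeholder
    [string]$SmsProvider       = 'cm01.contoso.local', # placeholder
    [string]$ProductionVersion = '5.00.0000.1000'      # placeholder; take the real value from Hierarchy Settings
)

function Get-CMClientVersionSummary {
    param([string]$SiteCode, [string]$SmsProvider)
    $ns = "root\SMS\site_$SiteCode"
    # SMS_R_System holds discovery data; Client = 1 marks resources with an installed client.
    $resources = Get-CimInstance -ComputerName $SmsProvider -Namespace $ns `
        -ClassName 'SMS_R_System' -Filter 'Client = 1'
    $resources |
        Group-Object -Property ClientVersion |
        Sort-Object -Property Name |
        ForEach-Object {
            [pscustomobject]@{
                ClientVersion = $_.Name
                Count         = $_.Count
                # A few device names per version help when choosing a pilot or exclusion collection.
                Examples      = ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', '
            }
        }
}

$summary = Get-CMClientVersionSummary -SiteCode $SiteCode -SmsProvider $SmsProvider
$summary | Format-Table -AutoSize

# Versions behind production are the ones automatic client upgrade will pick up.
$target = [version]$ProductionVersion
$behind = $summary | Where-Object { $_.ClientVersion -and ([version]$_.ClientVersion) -lt $target }
if ($behind) {
    Write-Warning ("Versions behind production {0}: {1}" -f $target, ($behind.ClientVersion -join ', '))
} else {
    Write-Host "All clients are at or above production version $target."
}
```

Because SMS_R_System reflects the last discovery and inventory cycle, a device that upgraded minutes ago may still show its old version; treat the output as a planning view, not a real-time one.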

Configuration Manager creates an upgrade package by default. It automatically sends the package to all
distribution points in the hierarchy. If you make changes to the client package on the CAS, Configuration
Manager automatically updates the package, and redistributes it. An example change is when you add a client
language pack. If you enable automatic client upgrade, every client automatically installs the new client
language package.
Enable automatic client upgrade across your hierarchy. This configuration keeps your clients up to date with less
effort.
If you also manage your Configuration Manager site systems as clients, determine whether to include them as
part of the automatic upgrade process. You can exclude all servers, or a specific collection from client upgrade.
Some Configuration Manager site roles share the client framework. For example, the management point and
pull distribution point. These roles upgrade when you update the site, so the client version on these servers
updates at the same time.

Configure automatic client upgrade


Use the following procedure to configure automatic client upgrade at the CAS. This configuration applies to all
clients in your hierarchy.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and then select the Sites node.
2. On the Home tab of the ribbon, in the Sites group, select Hierarchy Settings .
3. Switch to the Client Upgrade tab. Review the version and date of the production client. Make sure it's
the version you want to use to upgrade your clients. If it's not the client version you expect, you may need
to promote the pre-production client to production. For more information, see How to test client
upgrades in a pre-production collection.
4. Select Upgrade all clients in the hierarchy using the production client . Select OK to confirm.
5. If you don't want client upgrades to apply to servers, select Do not upgrade servers .
6. Specify the number of days in which devices must upgrade the client. After the device receives policy, it
upgrades the client at a random interval within this number of days. This behavior prevents a large
number of clients simultaneously upgrading.

NOTE
A computer must be running to upgrade the client. If a computer isn't running when it's scheduled to receive the
upgrade, the upgrade doesn't occur. When the computer turns on, and it receives policy, it schedules the upgrade
for a random time within the allowed number of days. If this occurs after the number of days to upgrade has
expired, it schedules the upgrade at a random time within 24 hours after the computer was turned on.
Because of this behavior, computers that are routinely shut down may take longer to upgrade than expected if the
randomly scheduled upgrade time isn't within the normal working hours.

7. To exclude clients from upgrade, select Exclude specified clients from upgrade , and specify the
collection to exclude. For more information, see Exclude clients from upgrade.
8. If you want the site to copy the client installation package to distribution points that you've enabled for
prestaged content, select the option to Automatically distribute client installation package to
distribution points that are enabled for prestaged content .
9. Select OK to save the settings and close Hierarchy Settings Properties.
Clients receive these settings when they next download policy.

NOTE
Client upgrades honor any Configuration Manager maintenance windows you've configured. The ClientServicing thread
only runs the client setup bootstrap program (ccmsetup.exe) during a maintenance window. If the device runs an edition
of Windows with a write filter, ccmsetup tries to download and install at the same time. Otherwise, ccmsetup randomizes
a time to download content. After it downloads content and compiles the local policy, ClientServicing schedules the client
upgrade during the next maintenance window.

Next steps
For alternative methods to upgrade clients, see How to deploy clients to Windows computers.
Exclude specific clients from automatic upgrade. For more information, see How to exclude clients from
upgrade.
How to upgrade clients on Mac computers in
Configuration Manager
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)

IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.

Follow the high-level steps in this article to upgrade the client for Mac computers by using a Configuration
Manager application. You can also download the Mac client installation file, copy it to a shared network location
or a local folder on the Mac computer, and then instruct users to manually run the installation.

NOTE
Before you do these steps, make sure that your Mac computer meets the prerequisites. For more information, see
Supported operating systems for Mac computers.

Download the latest Mac client


The Mac client for Configuration Manager isn't supplied on the Configuration Manager installation media. The
Mac client installation files are contained in a Windows Installer file named ConfigmgrMacClient.msi .

NOTE
The macOS client installation package isn't available for new deployments, but existing deployments are supported until
December 31, 2022.

Create the Mac client installation file


On a computer that runs Windows, run ConfigmgrMacClient.msi . This installer unpacks the Mac client
installation file, named Macclient.dmg . By default, you can find this file in the following folder: C:\Program
Files\Microsoft\System Center Configuration Manager for Mac client .

Extract the client installation files


Copy Macclient.dmg to a Mac computer. Mount the Macclient.dmg file in macOS, and then copy the contents
to a folder on the Mac computer.

Create a .cmmac file


1. Open the Tools folder of the Mac client installation files. Use the CMAppUtil tool to create a .cmmac file
from the client installation package. You'll use this file to create the Configuration Manager application.
2. Copy the new CMClient.pkg.cmmac file to a network location that's available to the computer running
the Configuration Manager console.
For more information, see the Supplemental procedures to create and deploy applications for Mac
computers.

Create and deploy the app


1. In the Configuration Manager console, create an application from the CMClient.pkg.cmmac file.
2. Deploy this application to Mac computers in your hierarchy.

Install the updated client


The existing Configuration Manager client on Mac computers will prompt the user that an update is available to
install. After users install the client, they must restart their Mac computer.
After the computer restarts, the Computer Enrollment wizard automatically runs to request a new user
certificate.
If you don't use Configuration Manager enrollment, but install the client certificate independently from
Configuration Manager, see Configure clients to use an existing certificate.

Configure clients to use an existing certificate


Use this procedure to prevent the Computer Enrollment Wizard from running, and to configure the upgraded
client to use an existing client certificate.
1. In the Configuration Manager console, create a configuration item of the type Mac OS X .
2. Add a setting to this configuration item with the setting type Script .
3. Add the following script to the setting:

#!/bin/sh
# Imports a root certificate and a client certificate that were issued outside Configuration Manager,
# then points the Mac client at the management point so the Computer Enrollment wizard does not run.
# The folder, the .pfx passwords (ROOT, MAC), the management point URL and the subject name are the
# values shown in this article; replace them with your own.
echo "Starting script"
echo "Changing directory to MAC Client"
cd /Users/Administrator/Desktop/'MAC Client'/ || exit 1
echo "Import root cert"
/usr/bin/sudo /usr/bin/security import /Users/Administrator/Desktop/'MAC Client'/Root.pfx -A -k \
    /Library/Keychains/System.Keychain -P ROOT
echo "Using openssl to convert pfx to a crt"
/usr/bin/sudo openssl pkcs12 -in /Users/Administrator/Desktop/'MAC Client'/Root.pfx -out Root1.crt \
    -nokeys -clcerts -passin pass:ROOT
echo "Adding trust to root cert"
/usr/bin/sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k \
    /Library/Keychains/System.Keychain Root1.crt
echo "Import client cert"
/usr/bin/sudo /usr/bin/security import /Users/Administrator/Desktop/'MAC Client'/MacClient.pfx -A -k \
    /Library/Keychains/System.Keychain -P MAC
echo "Executing ccmclient with MP"
sudo ./ccmsetup -MP https://SCCM34387.SCCM34387DOM.NET/omadm/cimhandler.ashx
echo "Editing Plist file"
# PlistBuddy expects a space between the command and the key path: "Add :Key type value".
sudo /usr/libexec/PlistBuddy -c 'Add :SubjectName string CMMAC003L' \
    /Library/'Application Support'/Microsoft/CCM/ccmclient.plist
echo "Changing directory to CCM"
cd /Library/'Application Support'/Microsoft/CCM/ || exit 1
echo "Making connection to the server"
sudo open ./CCMClient
echo "Ending Script"
exit 0

4. Add the configuration item to a configuration baseline. Then deploy the configuration baseline to all Mac
computers that install a certificate independently from Configuration Manager.
Manage clients over the internet with Configuration
Manager
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


Typically in Configuration Manager, most of the managed computers and servers are physically on the same
internal network as the site system servers that perform management functions. However, you can manage
clients outside your internal network when they are connected to the internet. This ability doesn't require the
clients to connect via VPN to reach the site system servers.
Configuration Manager provides two ways to manage internet-connected clients:
Cloud management gateway
Internet-based client management

NOTE
You can have a combination of both services for a single site. If a device gets policy from the site for both IBCM and CMG,
then it randomizes between them for communication. The only mechanism available to control communication is client
authentication. For example, if an Azure AD-joined client doesn't trust the server authentication certificate of the internet-
based management point, it can only use the CMG. If a domain-joined client doesn't trust the server authentication
certificate of the CMG, it can only use the internet-based management point.

Cloud management gateway


The cloud management gateway provides management of internet-based clients. It uses a combination of a
Microsoft Azure cloud service, and an on-premises site system role that communicates with that service.
Internet-based clients use the cloud service to communicate with the on-premises Configuration Manager.
CMG advantages
No additional on-premises infrastructure investment required.
Does not expose on-premises infrastructure to the internet.
Cloud virtual machines that run the service are fully managed by Azure and require no maintenance.
Easily set up and configured in the Configuration Manager console.
CMG disadvantages
Cloud subscription cost.
Management data sent through cloud service.

Internet-based client management


This method relies on internet-facing site system servers to which clients directly communicate for management
purposes. It requires clients and site system servers to be configured for internet-based client management
(IBCM).
IBCM advantages
No cloud service dependency.
No additional cost associated with a cloud subscription.
Full control of servers and roles providing the service.
IBCM disadvantages
Require additional infrastructure investment.
Overhead and operational cost of additional infrastructure.
Infrastructure must be exposed to the internet.

Next steps
Overview of cloud management gateway
Plan for internet-based client management
Cloud management gateway overview
2/16/2022 • 2 minutes to read

Applies to: Configuration Manager (current branch)


The cloud management gateway (CMG) provides a simple way to manage Configuration Manager clients over
the internet. You deploy CMG as a cloud service in Microsoft Azure. Then without more on-premises
infrastructure, you can manage clients that roam on the internet or are in branch offices across the WAN. You
also don't need to expose your on-premises infrastructure to the internet.

After establishing the prerequisites, creating the CMG consists of the following three steps in the Configuration
Manager console:
1. Deploy the CMG cloud service to Azure.
2. Add the CMG connection point role.
3. Configure the site and site roles for the service.
Once deployed and configured, clients seamlessly access on-premises site roles whether they're on the intranet
or internet.
This article provides the foundational knowledge to learn about the CMG and the scenarios where you can use
it.

Scenarios
There are several scenarios for which a CMG is beneficial. The following scenarios are some of the more
common:
Manage traditional Windows clients with Active Directory domain-joined identity. These clients include
any supported version of Windows. It uses PKI certificates to secure the communication channel.
Management activities include:
Software updates and endpoint protection
Inventory and client status
Compliance settings
Software distribution to the device
Windows in-place upgrade task sequence
Manage traditional Windows 10 or later clients with modern identity, either hybrid or pure cloud domain-
joined with Azure Active Directory (Azure AD). Clients use Azure AD to authenticate rather than PKI
certificates. Using Azure AD is simpler to set up, configure and maintain than more complex PKI systems.
Management activities are the same as the first scenario plus:
Software distribution to the user
Install the Configuration Manager client on Windows 10 or later devices over the internet. Using Azure
AD allows the device to authenticate to the CMG for client registration and assignment. You can install the
client manually, or using another software distribution method, such as Microsoft Intune.
New device provisioning with co-management. When auto-enrolling existing clients, CMG isn't required
for co-management. It's required for new devices involving Windows Autopilot, Azure AD, Microsoft
Intune, and Configuration Manager. For more information, see Paths to co-management.
Specific use cases
Across these scenarios, the following specific device use cases may apply:
Roaming devices such as laptops
Remote/branch office devices that are less expensive and more efficient to manage over the internet than
across a WAN or through a VPN.
Mergers and acquisitions, where it may be easiest to join devices to Azure AD and manage through a
CMG.
Workgroup clients. These devices may require other configurations, such as certificates.
To help with management of remote workgroup clients, use Configuration Manager token-based
authentication. For more information, see Token-based authentication for CMG.

IMPORTANT
By default all clients receive policy for a CMG, and start using it when they become internet-based. Depending upon the
scenario and use case that applies to your organization, you may need to scope usage of the CMG. For more information,
see the Enable clients to use a cloud management gateway client setting.

Next steps
Develop your design and plan for implementing a CMG in your environment:
Plan for the CMG
Plan for the CMG in Configuration Manager
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


To simplify management of internet-based clients, first develop a plan for the cloud management gateway
(CMG). Design how it fits in your environment and prepare for your implementation.
For more foundational knowledge of CMG scenarios and use cases, see Overview of CMG.

NOTE
Some sections that were previously in this article have moved:
Hierarchy design : CMG hierarchy design
Performance and scale : CMG performance and scale

Planning checklist
The overall CMG planning process is divided into the following parts:
Components and requirements: This article summarizes the components that make up the CMG system.
It also lists the system requirements.
Client authentication: Determine which authentication method you'll use for clients from potentially
untrusted networks.
Hierarchy design: Plan where to place the CMG in your environment.
Supported configurations: Understand which Configuration Manager features you can support on
internet-based clients that connect to the CMG.
Performance and scale: Decide how many service components you'll need to best support your number
of clients.
Cost: Understand the cost of the Azure-based components.

CMG components
Deployment and operation of the CMG includes the following components:
The CMG cloud service in Azure authenticates and forwards Configuration Manager client requests over the internet to the on-premises CMG connection point.
The CMG connection point site system role enables a consistent and high-performance connection
from the on-premises network to the CMG service in Azure. It also publishes settings to the CMG
including connection information and security settings. The CMG connection point forwards client
requests from the CMG to on-premises roles according to URL mappings. For example, the management
point and software update point.
The service connection point site system role runs the cloud service manager component, which handles all CMG deployment tasks. Additionally, it monitors and reports service health and logging information from Azure Active Directory (Azure AD). Make sure your service connection point is in online mode.
The management point and software update point site system roles service client requests per
normal.
The CMG uses a certificate-based HTTPS web service to help secure network communication with clients.
Internet-based clients connect to the CMG to access on-premises Configuration Manager components.
There are multiple options for client identity and authentication:
Azure AD
PKI certificates
Configuration Manager site-issued tokens
For more information, see Plan for CMG client authentication.
The CMG creates an Azure storage account, which it uses for its standard operations. By default, the CMG is also content-enabled to provide deployment content to internet-based clients. This storage account doesn't support customizations, such as virtual network restrictions.

NOTE
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP
instances. To provide content to internet-based devices, enable the CMG to distribute content.

Azure Resource Manager


You create the CMG using an Azure Resource Manager deployment. Azure Resource Manager is a modern platform for managing all solution resources as a single entity, called a resource group. When you deploy a CMG with Azure Resource Manager, the site uses Azure Active Directory (Azure AD) to authenticate and create the necessary cloud resources.

NOTE
CMG deployments with the cloud service (classic) method don't support subscriptions for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see Azure services available in the Azure CSP program. In version 2006 and earlier, this deployment method is the only option.
The option to deploy a CMG as a cloud service (classic) is deprecated. All CMG deployments should use a virtual machine scale set. For more information, see Removed and deprecated features.

Virtual machine scale sets


NOTE
This feature was first introduced in version 2010 as a pre-release feature. Starting in version 2107, it's no longer a pre-release feature.

Starting in version 2010, customers with a Cloud Solution Provider (CSP) subscription can deploy the CMG with a virtual machine scale set in Azure. This support is only if they don't currently have a CMG deployed using classic cloud services to another subscription.
Starting in version 2107, all customers can deploy a CMG with a virtual machine scale set. If you have an existing CMG deployed with the classic cloud service, convert the CMG to use a virtual machine scale set.
With a few exceptions, the configuration, operation, and functionality of the CMG remains the same. The exceptions are:
Other Azure resource providers in your Azure subscription.
Different deployment names, for example, GraniteFalls.EastUS.CloudApp.Azure.Com for a
deployment in the East US Azure region. This name change can affect how you create and manage the
CMG server authentication certificate.
The CMG connection point only communicates with the virtual machine scale set in Azure over HTTPS. It
doesn't require TCP-TLS ports.
Limitations for a CMG with a virtual machine scale set
Limitations with versions 2107 and later

NOTE
Starting in version 2111, CMG deployments with a virtual machine scale set support Azure US Government cloud
environments.

Users may experience a delay of up to three seconds for actions in Software Center.
You can't approve/deny application requests through the CMG.
Version 2107 doesn't support Azure US Government cloud environments.
Limitations with versions 2010 and 2103
If you require more than one CMG instance, they all have to use the same deployment method.
The supported number of concurrent client connections is 2,000 per VM instance. For more information, see
CMG performance and scale.
It's only supported with a standalone primary site.
It doesn't support Azure US Government cloud environments.
Users may experience a delay of up to three seconds for actions in Software Center.
Configuration Manager currently creates the Azure storage container based on the name of the resource
group. Azure has different naming requirements for resource groups and storage containers. Make sure the
name of the resource group for this service only has lowercase letters, numbers, and hyphens. If you have an
existing resource group that doesn't work, rename it in the Azure portal, or create a new resource group.
If you have more than one HTTPS management point, then you can't install the Configuration Manager client on devices over the internet. If you need to install off-premises clients using a CMG, then you can only have one HTTPS management point. You also need to enable the CMG for content.
You can't approve/deny application requests through the CMG.

Requirements
TIP
To clarify some Azure terminology:
The Azure AD tenant is the directory of user accounts and app registrations. One tenant can have multiple
subscriptions.
An Azure subscription separates billing, resources, and services. It's associated with a single tenant.
For more information, see Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings.

An Azure subscription to host the CMG. This subscription can be in one of the following environments:
Global Azure cloud
Azure US Government cloud
Customers with a Cloud Service Provider (CSP) subscription need to use version 2010 or later with a virtual machine scale set deployment.
Integrate the site with Azure AD to deploy the service with Azure Resource Manager. For more
information, see Configure Azure AD for CMG.
When you onboard the site to Azure AD, you can optionally enable Azure AD user discovery. It isn't required to create the CMG, but required if you plan to use Azure AD authentication with hybrid identities. For more information, see Install clients using Azure AD and see About Azure AD user discovery.
An Azure administrator needs to participate in the initial creation of certain components. This persona
can be the same as the Configuration Manager administrator, or separate. If separate, they don't require
permissions in Configuration Manager.
When you integrate the site with Azure AD for deploying the CMG using Azure Resource Manager, you need a Global Administrator.
When you create the CMG, you need an account that is an Azure Subscription Owner and an Azure AD Global Administrator.
Your user account needs to be a Full administrator or Infrastructure administrator in Configuration
Manager.
At least one on-premises Windows server to host the CMG connection point . You can colocate this role
with other Configuration Manager site system roles.
The service connection point must be in online mode.
Configure the management point to allow traffic from the CMG. It also needs to require HTTPS, or
configure the site for Enhanced HTTP.
A server authentication certificate for the CMG.
Other certificates may be required, depending upon your client OS version and authentication model.
For more information, see Configure client authentication.
Clients must use IPv4.
Make sure the following client settings in the Cloud services group are enabled for devices that will use the CMG:
Enable clients to use a cloud management gateway
Allow access to cloud distribution point

NOTE
If you enable the client setting to Download delta content when available, the content for third-party updates
won't download to clients.

Next steps
Next, determine how clients will authenticate with the CMG:
Plan for CMG client authentication
CMG client authentication
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Clients that connect to a cloud management gateway (CMG) are potentially on the untrusted public internet. Because of their origin, these clients have a higher authentication requirement. There are three options for identity and authentication with a CMG:
Azure AD
PKI certificates
Configuration Manager site-issued tokens
The following table summarizes the key factors for each method:

                        AZURE AD              PKI CERTIFICATE     SITE TOKEN
ConfigMgr version       All supported         All supported       All supported
Windows client version  Windows 10 or later   All supported       All supported
Scenario support        User and device       Device-only         Device-only
Management point        E-HTTP or HTTPS       E-HTTP or HTTPS     E-HTTP or HTTPS

Microsoft recommends joining devices to Azure AD. Internet-based devices can use Azure AD modern
authentication with Configuration Manager. It also enables both device and user scenarios whether the device is
on the internet or connected to the internal network.
You can use one or more methods. Not all clients have to use the same method.
Whichever method you choose, you may also need to reconfigure one or more management points. For more information, see Configure client authentication for CMG.

Azure AD
If your internet-based devices are running Windows 10 or later, consider using Azure AD modern authentication
with the CMG. This authentication method is the only one that enables user-centric scenarios. For example,
deploying apps to a user collection.
First, the devices need to be either cloud domain-joined or hybrid Azure AD-joined, and the user also needs an Azure AD identity. If your organization is already using Azure AD identities, then you should be set with this prerequisite. If not, talk with your Azure administrator to plan for cloud-based identities. For more information, see Azure AD device identity. Until that process is complete, consider token-based authentication for internet-based clients with your CMG.
There are a few other requirements, depending upon your environment:
Enable user discovery methods for hybrid identities
Enable ASP.NET 4.5 on the management point
Configure client settings
For more information on these prerequisites, see Install clients using Azure AD.

NOTE
If your devices are in an Azure AD tenant that's separate from the tenant with a subscription for the CMG compute
resources, starting in version 2010 you can disable authentication for tenants not associated with users and devices. For
more information, see Configure Azure services.

PKI certificate
If you have a public key infrastructure (PKI) that can issue client authentication certificates to devices, then
consider this authentication method for internet-based devices with your CMG. It doesn't support user-centric
scenarios, but supports devices running any supported version of Windows.

TIP
Windows devices that are hybrid or cloud domain-joined don't require this certificate because they use Azure AD to
authenticate.

This certificate may also be required on the CMG connection point.

Site token
If you can't join devices to Azure AD or use PKI client authentication certificates, then use Configuration Manager
token-based authentication. Site-issued client authentication tokens work on all supported client OS versions,
but only support device scenarios.
If clients occasionally connect to your internal network, they're automatically issued a token. They need to
communicate directly with an on-premises management point to register with the site and get this client token.
If you can't register clients on the internal network, you can create and deploy a bulk registration token. The bulk
registration token enables the client to initially install and communicate with the site. This initial communication
is long enough for the site to issue the client its own, unique client authentication token. The client then uses its
authentication token for all communication with the site while it's on the internet.

Next steps
Next, design how to use a CMG in your hierarchy:
CMG hierarchy design
CMG hierarchy design
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


Whether you have a central administration site (CAS), a standalone primary site, or a small test lab, design the
cloud management gateway (CMG) for that environment. This article provides the information to help you
decide how to position the CMG in your environment.
Create the CMG at the top-tier site of your hierarchy. If that's a CAS, then create CMG connection points at child
primary sites. The cloud service manager component is on the service connection point, which is also on the
CAS. This design can share the service across different primary sites if needed.
You can create multiple CMG services in Azure, and you can create multiple CMG connection points. Multiple
CMG connection points provide load balancing of client traffic from the CMG to the on-premises roles.
Other factors, such as the number of clients to manage, also affect your CMG design. For more information, see
Performance and scale.

Design examples
Example 1: Standalone primary site
Contoso has a standalone primary site in an on-premises datacenter at their headquarters in New York City.
They create a CMG in the East US Azure region to reduce network latency.
They create two CMG connection points, both linked to the single CMG service.
As clients roam onto the internet, they communicate with the CMG in the East US Azure region. The CMG
forwards this communication through both of the CMG connection points.
Example 2: Hierarchy
Fourth Coffee has a CAS in an on-premises datacenter at their headquarters in Seattle. One primary site is in the
same datacenter, and the other primary site is in their main European office in Paris.
On the CAS, they create a CMG service in the West US Azure region. They scale the number of VMs for the
expected load of roaming clients in the entire hierarchy.
On the Seattle-based primary site, they create a CMG connection point linked to the single CMG.
On the Paris-based primary site, they create a CMG connection point linked to the single CMG.
As clients roam onto the internet, they communicate with the CMG in the West US Azure region. The CMG
forwards this communication to the CMG connection point in the client's assigned primary site.

TIP
You don't need to deploy more than one CMG for the purposes of geolocation. The Configuration Manager client is
mostly unaffected by the slight latency that can occur with the cloud service, even when geographically distant.

Test environments
Many organizations have separate environments for production, test, development, or quality assurance. When
you plan your CMG deployment, consider the following questions:
How many Azure AD tenants does your organization have?
Is there a separate tenant for testing?
Are user and device identities in the same tenant?
How many subscriptions are in each tenant?
Are there subscriptions that are specific for testing?
Configuration Manager's Azure service for Cloud management supports multiple tenants. Multiple
Configuration Manager sites can connect to the same tenant. A single site can deploy multiple CMG services
into different subscriptions. Multiple sites can deploy CMG services into the same subscription. Configuration
Manager provides flexibility depending upon your environment and business requirements.
For more information, see the following FAQ: Do the user accounts have to be in the same Azure AD tenant as
the tenant associated with the subscription that hosts the CMG cloud service?

Boundary groups
You can associate a CMG with a boundary group. This configuration allows clients to default or fall back to the
CMG for client communication according to boundary group relationships. This behavior is especially useful in
branch office and VPN scenarios. You can direct client traffic away from expensive and slow WAN links to
instead use faster services in Microsoft Azure.
Starting in version 2006, intranet clients can access a CMG-enabled software update point when it's assigned to
a boundary group. For more information, see Configure boundary groups.
Internet-based clients don't rely on boundary groups. They only use internet-facing or cloud content sources. If
you're only using content-enabled CMGs for these types of clients, then you don't need to include them in
boundary groups.
If you want clients on your internal network to get content from a CMG, then it needs to be in the same
boundary group as the clients. By default, clients prioritize cloud-based sources last in their list of content
sources. This behavior is because there's a cost associated with downloading content from Azure. Cloud-based
sources are typically used as a fallback source for intranet-based clients. If you want a cloud-first design, then
design your boundary groups to meet this business requirement. For more information, see Configure
boundary groups. For more information on content location priority and when intranet-based clients use a
cloud-based content source, see Content source priority.
Even though you install the CMG in a specific region of Azure, clients aren't aware of the Azure regions. They
randomly select an available CMG as a content source. If you have CMGs in multiple regions, and a client
receives more than one in the content location list, it may not download content from the same Azure region.

Next steps
Next, review the features and configurations that the CMG supports:
Supported configurations for CMG
Supported configurations for cloud management gateway
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Use this article as a reference for the features and configurations that are supported by the Configuration
Manager cloud management gateway (CMG).

Specifications
All Windows versions listed in Supported operating systems for clients and devices are supported for
CMG.
CMG only supports the management point and software update point roles.
CMG doesn't support clients that only communicate with IPv6 addresses.
Software update points using a network load balancer don't work with CMG.
CMG deployments with the cloud service (classic) method don't support subscriptions for Azure Cloud Service Providers (CSP). The CMG deployment with Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information, see Azure services available in the Azure CSP program. In version 2006 and earlier, this deployment method is the only option.
Starting in version 2010, customers with a Cloud Solution Provider (CSP) subscription can deploy the CMG with a virtual machine scale set in Azure. For more information, see Topology design: Virtual machine scale sets.

Support for Configuration Manager features


The following table lists CMG support for Configuration Manager features:

FEATURE                                                                      SUPPORT

Software updates
Endpoint protection                                                          Note 1
Hardware and software inventory
Client status and notifications
Run scripts
CMPivot
Compliance settings
Automatic client upgrade
Client install (with Azure AD integration)
Client install (with token authentication)
Software distribution (device-targeted)
Software distribution (user-targeted, required)                              (with Azure AD integration)
Software distribution (user-targeted, available)                             (all requirements)
BitLocker Management                                                         (2010)
Pull distribution point source
Windows in-place upgrade task sequence                                       Note 2
Task sequence without a boot image, deployed with the option to
Download all content locally before starting task sequence                   Note 2
Task sequence without a boot image, deployed with either download option     Note 2
Task sequence with a boot image, started from Software Center                (2006) Note 2
Task sequence with a boot image, started from bootable media                 (2010) Note 2
Any other task sequence scenario                                             Note 2
Content for PXE or multicast-enabled deployments
Client push
Automatic site assignment
Software approval requests
Configuration Manager console
Remote tools                                                                 Note 3
Reporting website
Wake on LAN
macOS clients
Peer cache
On-premises MDM
Alternate content providers                                                  Note 4
Content for App-V streaming applications
Content for Microsoft 365 Apps updates
Prestage content

KEY

[supported icon] = This feature is supported with CMG by all supported versions of Configuration Manager

(YYMM) = This feature is supported with CMG starting with version YYMM of Configuration Manager

[not supported icon] = This feature isn't supported with CMG

Support notes
Note 1: Support for endpoint protection
Starting in version 2006, clients that communicate via a CMG can immediately apply endpoint protection
policies without an active connection to Active Directory.
In version 2002 and earlier, for domain-joined devices to apply endpoint protection policy, they require access to
the domain. Devices with infrequent access to the internal network may experience delays in applying endpoint
protection policy. If you require that devices immediately apply endpoint protection policy after they receive it,
consider one of the following options:
Update the site and clients to version 2006.
Use co-management and switch the Endpoint Protection workload to Intune, and manage Microsoft
Defender Antivirus from the cloud.
Use configuration items instead of the native antimalware policies feature to apply endpoint protection policy.
Note 2: Support for task sequences
For more information about support for deploying a task sequence to a client via the CMG, see Deploy a task
sequence over the internet.
Note 3: Support for remote tools
As announced at Microsoft Ignite 2021, a public preview of the new remote assistance solution is now available
in the Microsoft Endpoint Manager admin center. This cloud-based tool can help you more securely support
users of Windows devices.
For more information, see the following resources:
Remote help: a new remote assistance tool from Microsoft (blog post)
Enable remote help scenarios with Microsoft Endpoint Manager (demo video)
Use remote help with Intune and Microsoft Endpoint Manager
Note 4: Support for alternate content providers
Alternate content providers aren't supported to get content from a content-enabled CMG. You can still use them
on a client that communicates with a CMG and gets content from other supported content locations.

Next steps
Next, plan how to design the CMG for the best performance at the appropriate scale:
CMG performance and scale
CMG performance and scale
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


The supported scale and performance of the cloud management gateway (CMG) is based on the number of
devices that you expect to simultaneously connect to the service. Use the information in this article to determine
how many of the following components you need in your environment for the best performance at the
appropriate scale:
CMG cloud service
Virtual machine instances for each CMG
CMG connection point site system on your internal network

NOTE
Sizing guidance for management points and software update points doesn't change whether they service on-premises or
internet-based clients. For more information, see Size and scale numbers.

Size and scale for CMG


Unless otherwise noted, this guidance is the same for all deployment models and VM sizes.
You can install multiple instances of the cloud management gateway (CMG) at primary sites, or the
central administration site (CAS).

TIP
In a hierarchy, create the CMG at the CAS.

One CMG supports up to 16 virtual machine (VM) instances in the Azure cloud service.
Simultaneous client connections per each CMG VM instance depend upon the deployment model and
VM size:
Cloud service (classic): 6,000
Virtual machine scale set (version 2010 and 2103 for Cloud Service Provider (CSP) subscriptions): 2,000
Virtual machine scale set (version 2107 or later):
Lab (B2s): 10
Standard (A2_v2): 6,000
Large (A4_v2): 10,000
IMPORTANT
The Lab (B2s) size VM is only intended for lab testing and small proof-of-concept environments. It isn't intended for production use with the CMG. The B2s VMs are low cost and low performing. The Configuration Manager technical preview branch only supports 10 clients, which is why this size supports that number of clients.

When the CMG is under high load with more than the supported number of clients, it still handles
requests but there may be delay.

Size and scale for CMG connection point


This guidance is the same for all deployment models and VM sizes.
You can install multiple instances of the CMG connection point at primary sites.
One CMG connection point can support a CMG with up to four VM instances. If the CMG has more than
four VM instances, add a second CMG connection point for load balancing. A CMG with 16 VM instances
should be linked with four CMG connection points.

NOTE
When considering hardware requirements for the CMG connection point, see Recommended hardware for remote site
system servers.

Improve performance
The following recommendations can help you improve CMG performance:
The connection between the Configuration Manager client and the CMG isn't region-aware. Client
communication is largely unaffected by latency and geographic separation. It's generally not necessary to
deploy multiple CMG for the purposes of geo-proximity. Deploy the CMG at the top-level site in your
hierarchy. To increase scale, add VM instances.
For high availability of the service, create a CMG with at least two VM instances and two CMG connection
points per site.
Scale the CMG to support more clients by adding more VM instances. The Azure load balancer controls
client connections to the service.
Create more CMG connection points to distribute the load among them. The CMG distributes the traffic
to its connecting CMG connection points in a round-robin fashion.

NOTE
The CMG connection point creates a TCP connection to the management point for each client. While Configuration
Manager has no hard limit on the number of clients for a CMG connection point, Windows Server has a default maximum
TCP dynamic port range of 16,384. If a Configuration Manager site manages more than 16,384 clients with a single CMG
connection point, add another site system or increase the Windows Server limit. All clients maintain a channel for client
notifications, which holds a port open on the CMG connection point. For more information on how to increase this limit,
see Microsoft Support article 929851.

Content performance
As with any distribution point design, consider the following factors for a content-enabled CMG:
Number of concurrent client connections
The size of the content that clients download
The length of time allowed to meet your business requirements
Depending upon your design, if clients have the option of more than one CMG for any given content, then they
naturally randomize across those cloud sources. If you only distribute a certain piece of content to a single CMG,
and a large number of clients try to download this content at the same time, it puts higher load on that single
CMG. Adding another CMG includes a separate Azure storage service. For more information on how the client
communicates with the CMG components and downloads content, see Data flow.

NOTE
The Azure storage service supports 500 requests per second for a single file. Performance testing of a single cloud-based
content source supported distribution of a single 100-MB file to 50,000 clients in 24 hours.

Next steps
Next, understand the costs associated with operating an Azure service for the CMG:
Cost of CMG
Cost of CMG
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


The cloud management gateway (CMG) in Configuration Manager uses several components in Microsoft Azure.
These components incur charges to the Azure subscription account. Some costs are fixed, but some vary
depending upon usage.

IMPORTANT
The following cost information is for estimating purposes only. Your environment may have other variables that affect the
overall cost of using CMG.

To help determine potential costs, use the following Azure resources:


Azure pricing calculator

NOTE
Virtual machine costs vary by region.

Azure bandwidth pricing details

NOTE
Pricing for data transfer is tiered. The more you use, the less you pay per gigabyte.

Compute costs
CMG uses Azure platform as a service (PaaS), which uses virtual machines (VMs). These VMs incur compute
costs. The specific type to use when estimating costs depends upon which deployment method you use.
Virtual machine scale set
If you deploy the CMG as a virtual machine scale set, use this section.
In version 2103 and earlier, CMG uses a Standard A2_v2 VM. The VM size isn't configurable.
In version 2107 and later, you can configure the VM size, which will affect this cost.
Lab (B2s)
Standard (A2_v2)
Large (A4_v2)

IMPORTANT
The Lab (B2s) size VM is only intended for lab testing and small proof-of-concept environments. It isn't intended
for production use with the CMG. The B2s VMs are low cost and low performing.

You can't change the VM size after you deploy the CMG. To change the VM size, you need to redeploy the service.
You select how many VM instances support the CMG. One is the default, and 16 is the maximum. This
number is set when you create the CMG, but you can change it afterwards to scale the service as needed.
For more information on how many VMs you need to support your clients, see CMG performance and
scale.
Virtual machine
If you deploy the CMG as a classic cloud service, this deployment method replaces the virtual machine scale set
when estimating cost. The specific details are otherwise the same. With this deployment method, it uses a
Standard A2_v2 VM. The VM size isn't configurable.
The cost difference between a virtual machine and a virtual machine scale set should be negligible, but may
vary by Azure region.

Outbound data transfer


Charges are based on data flowing out of Azure, otherwise referred to as egress or download.
CMG data flows out of Azure include policy to the client, client notifications, and client responses that the
CMG forwards to the site. These responses include inventory reports, status messages, and compliance
status.
Even without any clients communicating with a CMG, some background communication causes network
traffic between the CMG and the on-premises site.
View the Outbound data transfer (GB) in the Configuration Manager console. For more information,
see Monitor clients on CMG.
For estimating purposes only, expect approximately 100-300 MB per client per month for internet-based
clients. The lower estimate is for a default client configuration. The upper estimate is for a more
aggressive client configuration. Your actual usage may vary depending upon how you configure client
settings.

NOTE
Other administrative actions can increase the amount of outbound data transfer from Azure. For example,
deployments for software updates or applications.

Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't
distribute update packages with Microsoft update content to a content-enabled CMG. If you do distribute
software update packages to your cloud content sources, you may incur storage and data egress costs.
Misconfiguration of the CMG option to Verify client certificate revocation can cause more traffic
from clients to the CMG. This extra traffic increases the Azure egress data, which can increase your
Azure costs. For more information, see Publish the certificate revocation list.

TIP
Any data flows into Azure are free. These flows are otherwise referred to as ingress or upload. When you distribute
content from the site to the content-enabled CMG, you're uploading the content to Azure.

Content storage
Internet-based clients get Microsoft software update content from Windows Update at no charge. Don't
distribute update packages with Microsoft update content to a content-enabled CMG. If you do distribute
software update packages to your cloud content sources, you may incur storage and data egress costs.

NOTE
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To
provide content to internet-based devices, enable the CMG to distribute content.

CMG uses Azure locally redundant storage (LRS). For more information, see Locally redundant storage.
For any other necessary content, distribute it to a content-enabled CMG. This other content includes
applications or third-party software updates.

NOTE
If you enable the client setting to Download delta content when available, the content for third-party updates
won't download to clients.

Other costs
Each distinct CMG has one Basic (ARM) dynamic IP address. If you add other VMs to a CMG, it doesn't increase
the number of these IP addresses. For more information, see IP addresses pricing.
If you deploy the CMG as a virtual machine scale set, it uses Azure Key Vault. The CMG usage of Key Vault is
low, significantly less than 10,000 operations per month. For more information, see Key Vault pricing.
If you get a CMG server authentication certificate from a public provider, there's generally a cost associated with
this certificate. For more information, see CMG server authentication certificate.

Control and monitor


Configuration Manager includes the following options to help control costs and monitor data access:
Control and monitor the amount of content that you store in a cloud service.
Configure Configuration Manager to alert you when thresholds for client downloads meet or exceed
monthly limits.
For more information, see Monitor CMG.
To help reduce the number of data transfers from cloud-based sources by clients, use one of the following peer
caching technologies:
Configuration Manager peer cache
Windows Delivery Optimization
Windows BranchCache

NOTE
To enable a content-enabled CMG to use Windows BranchCache, install the BranchCache feature on the site
server. For more information, see Set up CMG: BranchCache.

For more information, see Fundamental concepts for content management.


Next steps
Now that you have your CMG design and understand the supported configurations and cost, you're ready to set up
the CMG:
Set up checklist for cloud management gateway
Set up checklist for CMG
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Before you deploy a cloud management gateway (CMG), use this article to understand the setup process. Also
make sure you have all of the prerequisites ready to get started.
First, develop your design and plan for implementing a CMG in your environment. For more information, see
Plan for cloud management gateway. Use that set of articles to determine your CMG design.
The overall CMG setup process is divided into the following five main parts:
1. Get the CMG server authentication certificate: The CMG uses HTTPS for secure client communication over
the public internet. You can get a certificate from a public provider, or issue one from your public key
infrastructure (PKI).
2. Configure Azure Active Directory (Azure AD): Configuration Manager requires app registrations in Azure
AD. You can let Configuration Manager create them, or an Azure administrator can pre-create the
registrations.
3. Configure client authentication: Because clients communicate across the internet, Configuration Manager
requires more security for this channel. You can use Azure Active Directory (Azure AD), PKI certificates, or
token-based authentication from the site server.
4. Set up the CMG: This step also includes configuring the site, and adding the CMG connection point site
system role.
5. Configure clients to use the CMG.
The other articles in this section step through each part of the process.

Terminology
The following terms are used in the context of setting up a CMG. They're defined here for clarity.
Azure AD tenant: The directory of user accounts and app registrations. One tenant can have multiple
subscriptions.
Azure subscription: A subscription separates billing, resources, and services. It's associated with a single
tenant.

TIP
For more information, see Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings.

Azure resource group: A container that holds related resources for an Azure solution. The resource group
includes those resources that you want to manage as a group. You decide which resources belong in a
resource group based on what makes the most sense for your organization. For more information, see
Resource groups.
CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the
CMG connection point site system role communicate with this service name. For example,
GraniteFalls.Contoso.Com or GraniteFalls.WestUS.CloudApp.Azure.Com.
CMG deployment name: The first part of the service name plus the Azure location for the cloud service
deployment. The cloud service manager component of the service connection point uses this name when
it deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location
depends upon the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net

Checklist
Use the following checklist to make sure you have the necessary information and prerequisites to create a CMG:
The Azure environment to use. For example, the Azure Public Cloud or the Azure US Government Cloud.
The Azure region for this CMG deployment.
How many VM instances you need for scale and redundancy.
An Azure global administrator role to register apps in Azure AD.
An Azure subscription owner role for when you create the CMG in Azure.
At least one existing site system server on which you plan to add the CMG connection point role.
You'll set up other prerequisite components during the next steps in the process.

Automate with PowerShell


Optionally, you can automate aspects of the CMG setup using PowerShell. While some cmdlets were available in
earlier versions, version 2010 includes new cmdlets and significant improvements to existing cmdlets.
For example, an Azure administrator first creates the two required apps in Azure Active Directory (Azure AD).
Then you write a script that uses the following cmdlets to deploy a CMG:
1. Import-CMAADServerApplication: Create the Azure AD server app definition in Configuration Manager.
2. Import-CMAADClientApplication: Create the Azure AD client app definition in Configuration Manager.
3. Use Get-CMAADApplication to get the app objects, and then pass them to
New-CMCloudManagementAzureService to create the Azure service connection in Configuration Manager.
4. New-CMCloudManagementGateway: Create the CMG service in Azure.
5. Add-CMCloudManagementGatewayConnectionPoint: Create the CMG connection point site system.
You can use these cmdlets to automate the creation, configuration, and management of the CMG service and
Azure Active Directory (Azure AD) requirements.
Azure AD app definitions in Configuration Manager:
Get-CMAADApplication
Import-CMAADClientApplication
Import-CMAADServerApplication
The Cloud Management Azure service in Configuration Manager:
New-CMCloudManagementAzureService
Set-CMCloudManagementAzureService
Get-CMAzureService
Remove-CMAzureService
The cloud management gateway service in Configuration Manager:
Get-CMCloudManagementGateway
New-CMCloudManagementGateway
Remove-CMCloudManagementGateway
Set-CMCloudManagementGateway
Start-CMCloudManagementGateway
Stop-CMCloudManagementGateway
The CMG connection point site system role:
Add-CMCloudManagementGatewayConnectionPoint
Get-CMCloudManagementGatewayConnectionPoint
Remove-CMCloudManagementGatewayConnectionPoint
Set-CMCloudManagementGatewayConnectionPoint

Next steps
Get started with your CMG setup by getting a server authentication certificate:
CMG server authentication certificate
CMG server authentication certificate
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


The first step when you set up a cloud management gateway (CMG) is to get the server authentication
certificate. The CMG creates an HTTPS service to which internet-based clients connect. The server requires a
server authentication certificate to build the secure channel. You can acquire a certificate for this purpose from a
public provider, or issue it from your public key infrastructure (PKI).
When you create the CMG in the Configuration Manager console, you provide this certificate. The common
name (CN) of this certificate defines the service name of the CMG.

NOTE
You may need additional certificates for clients and management points. These certificates are covered in the third step of
the CMG setup process, Configure client authentication.

A reminder of some CMG terminology that's used in this article:


Service name: The common name (CN) of the CMG server authentication certificate. Clients and the
CMG connection point site system role communicate with this service name. For example,
GraniteFalls.contoso.com or GraniteFalls.WestUS.CloudApp.Azure.Com.

Deployment name: The first part of the service name plus the Azure location for the cloud service
deployment. The cloud service manager component of the service connection point uses this name when
it deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location
depends upon the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net

IMPORTANT
This article uses examples with a virtual machine scale set as the recommended deployment method in version
2107 and later. If you use a classic deployment, note the difference as you read this article and prepare the server
authentication certificate.

Choose the certificate type


First, decide where you want to get the certificate. There are several factors to consider.
Clients must trust the CMG server authentication certificate to establish the HTTPS channel with the CMG
service. There are two methods to accomplish this trust:
1. Use a certificate from a public and globally trusted certificate provider.
Windows clients include trusted root certificate authorities (CAs) from these providers. By using a
certificate issued by one of these providers, your clients automatically trust it.
There's a cost associated with this certificate, which is specific to the provider.
2. Use a certificate issued by an enterprise CA from your public key infrastructure (PKI).
Most enterprise PKI implementations add the trusted root CAs to Windows clients. For example, if
you use Active Directory Certificate Services with group policy. If you issue the CMG server
authentication certificate from a CA that your clients don't automatically trust, add the CA trusted
root certificate to internet-based clients.
If you plan to install the Configuration Manager client from Intune, you can also use Intune
certificate profiles to provision certificates on clients. For more information, see Configure a
certificate profile.
Your organization may have an internal cost to issue certificates, but there are generally no
external costs associated with this certificate.

IMPORTANT
Before you get this certificate, make sure the service name is globally unique for the cloud service and storage account.
Also make sure the name uses supported characters. For more information, see Globally unique name.

Summary comparison of certificate types


                       Public provider                 Enterprise PKI
Client trust           Trusted in Windows by default   Automatic with some implementations, otherwise need to deploy
Cost                   Yes                             Not typical
Service name example   GraniteFalls.contoso.com        GraniteFalls.contoso.com or GraniteFalls.WestUS.CloudApp.Azure.Com
DNS CNAME required     Yes                             No for Azure domain service name (GraniteFalls.WestUS.CloudApp.Azure.Com)

NOTE
The CMG server authentication certificate supports wildcards. Some certificate authorities issue certificates using a
wildcard character for the service name prefix. For example, *.contoso.com. Some organizations use wildcard certificates
to simplify their PKI and reduce maintenance costs.
For more information on how to use a wildcard certificate with a CMG, see Set up a CMG.

Globally unique name


This certificate requires a globally unique name to identify the service in Azure. Before you request a certificate,
confirm that the Azure deployment name you want is unique. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com.

Virtual machine scale set


1. Sign in to the Azure portal.
2. From the Azure portal home page, select Create a resource under Azure services.
3. Search for Virtual machine scale set. Select Create.
4. Select the Subscription and Resource group that you'll use for the CMG.
5. In the Virtual machine scale set name field, type the prefix that you want. For example, GraniteFalls.
6. Select the Region that you'll use for the CMG. For example, (US) West US.
The interface reflects whether the domain name is available or already in use by another service.

IMPORTANT
Don't create the service in the portal, just use this process to check the name availability.

Content-enabled CMG storage account


If you also enable the CMG for content, confirm that it's also a unique Azure storage account name. If the CMG
deployment name is unique, but the storage account isn't, Configuration Manager fails to provision the service
in Azure. Repeat the above process in the Azure portal with the following changes:
Search for Storage account.
Test your name in the Storage account name field.

IMPORTANT
The DNS name prefix should be 3 to 24 characters long, and contain numbers and lowercase letters only. Don't use special
characters, like a dash (-). For example: granitefalls.

Issue the certificate


The CMG server authentication certificate supports the following configurations:
2048-bit or 4096-bit key length
This certificate supports key storage providers for certificate private keys (v3). For more information, see
CNG v3 certificates overview.
Use a public provider certificate
A third-party certificate provider can't create a certificate for an Azure domain like cloudapp.azure.com, because
Microsoft owns those domains. You can only get a certificate issued for a domain you own. The main reason for
acquiring a certificate from a third-party provider is that your clients already trust that provider's root certificate.
The specific process to get this certificate varies by provider. For more information, contact your third-party
certificate provider.
For the web server certificate common name (CN):
You've made sure the deployment name is globally unique in Azure for the cloud service and storage
account. For example, GraniteFalls.WestUS.CloudApp.Azure.Com.
To determine the service name, append the deployment name prefix (GraniteFalls) to your
organization's domain name (contoso.com).
Use this service name for the certificate common name (CN). For example, GraniteFalls.contoso.com.
Next, you need to create a DNS CNAME alias.
Use an enterprise PKI certificate
Issuing a web server certificate from your organization's PKI varies by product. The instructions for Deploying
the service certificate for cloud-based distribution points are for Active Directory Certificate Services. This
process generally applies for the CMG server authentication certificate.
For the web server certificate common name (CN):
You've made sure the deployment name is globally unique in Azure for the cloud service and storage
account. For example, GraniteFalls.WestUS.CloudApp.Azure.Com.
To determine the service name, you have two options:
Use your domain name (recommended). Append the deployment name prefix (GraniteFalls) to
your organization's domain name (contoso.com). For example, GraniteFalls.contoso.com. For this
option, you also need to create a DNS CNAME alias.
Use the Azure deployment name. This option doesn't require a DNS CNAME alias. For example:
For the Azure public cloud: GraniteFalls.WestUS.CloudApp.Azure.Com.
For the Azure US Government cloud: GraniteFalls.usgovcloudapp.net.

NOTE
If the Azure deployment name changes, you'll need to redeploy the service to change this service name.
For example, if your service name is in the cloudapp.net domain, you can't convert the classic cloud
service CMG to a virtual machine scale set. If you use your domain name for the CMG service name, then
you can update the DNS CNAME for the new deployment name.

Use this service name for the certificate common name (CN).

Create a DNS CNAME alias


If the CMG service name uses your organization's domain name (GraniteFalls.contoso.com), you need to create
a DNS canonical name record (CNAME). This alias maps the service name to the deployment name.
Create a CNAME record in your organization's public DNS. The CMG service in Azure and all clients that use it
need to resolve the service name. For example:
Contoso names their CMG GraniteFalls.
The deployment name in Azure is GraniteFalls.WestUS.CloudApp.Azure.Com.
In Contoso's public DNS contoso.com namespace, the DNS administrator creates a new CNAME record
for the service name GraniteFalls.contoso.com to the Azure deployment name,
GraniteFalls.WestUS.CloudApp.Azure.Com.

When you create the CMG, while the certificate has GraniteFalls.contoso.com as the CN, Configuration
Manager only extracts the service name prefix, for example: GraniteFalls. It appends this prefix to the Azure
service domain (cloudapp.azure.com) with the region (westus) to create the deployment name. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com. The CNAME alias in the DNS namespace for your domain
(contoso.com) maps together these two FQDNs.

The Configuration Manager client policy includes the CMG service name, GraniteFalls.contoso.com. The client
resolves the service name via the CNAME alias to the deployment name,
GraniteFalls.WestUS.CloudApp.Azure.Com. It can then resolve the IP address of the deployment name to
communicate with the service in Azure.
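The naming and DNS rules above can be checked from a workstation once the CMG is deployed. The following PowerShell is an added example, not part of the Configuration Manager documentation: it derives the expected deployment and storage account names from the certificate CN the way the text describes, confirms the public CNAME points at the deployment name, and inspects the TLS certificate the service presents (name match, 2048/4096-bit key, trusted chain). The service name GraniteFalls.contoso.com, the westus region and port 443 are assumed values; Resolve-DnsName comes from the Windows DnsClient module.

```powershell
# Added example (not from the Configuration Manager docs): verify CMG service naming,
# the DNS CNAME alias and the server authentication certificate. Names are assumptions.

function Get-CmgExpectedNames {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # certificate CN, e.g. GraniteFalls.contoso.com
        [Parameter(Mandatory)] [string] $Region         # Azure region label, e.g. westus
    )
    # Configuration Manager keeps only the first label of the CN as the service name prefix.
    $prefix = $ServiceName.Split('.')[0]
    # Storage account rule from the article: 3-24 characters, lowercase letters and digits only.
    $storageAccount = $prefix.ToLowerInvariant()
    if ($storageAccount -notmatch '^[a-z0-9]{3,24}$') {
        throw "Prefix '$prefix' can't be used as a storage account name (3-24 lowercase letters or digits)."
    }
    [pscustomobject]@{
        ServiceName    = $ServiceName
        Prefix         = $prefix
        DeploymentName = "$prefix.$Region.cloudapp.azure.com"   # virtual machine scale set form
        StorageAccount = $storageAccount
    }
}

function Test-CmgCname {
    param([Parameter(Mandatory)] [string] $ServiceName,
          [Parameter(Mandatory)] [string] $DeploymentName)
    try {
        # Ask only for the CNAME so an A record answer can't mask a missing alias.
        $target = Resolve-DnsName -Name $ServiceName -Type CNAME -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'CNAME' } |
                  Select-Object -First 1 -ExpandProperty NameHost
    } catch { $target = $null }
    if (-not $target) { return [pscustomobject]@{ Pass = $false; Detail = 'No CNAME record found' } }
    # DNS names are case-insensitive; some resolvers return the target with a trailing dot.
    [pscustomobject]@{ Pass = ($target.TrimEnd('.') -ieq $DeploymentName); Detail = "CNAME -> $target" }
}

function Test-CmgServerCertificate {
    param([Parameter(Mandatory)] [string] $ServiceName, [int] $Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($ServiceName, $Port)
    try {
        # Accept any certificate during the handshake; the checks below do the real validation.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ServiceName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }

    # Name match against the SAN dNSName entries (and CN), allowing a *.domain wildcard as the article notes.
    $nameOk = @($cert.DnsNameList.Unicode) | Where-Object {
        ($_ -ieq $ServiceName) -or
        ($_.StartsWith('*.') -and $ServiceName -imatch ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
    } | Select-Object -First 1

    # The CMG server authentication certificate supports 2048-bit or 4096-bit keys.
    $keySize = $cert.GetRSAPublicKey().KeySize

    # Clients must trust the issuer: build the chain against this machine's root store.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        NameMatch   = [bool]$nameOk
        KeySizeOk   = $keySize -in @(2048, 4096)
        Trusted     = $trusted
        ChainStatus = ($chain.ChainStatus | ForEach-Object Status) -join ', '
        NotAfter    = $cert.NotAfter
    }
}

# Assumed values taken from the article's Contoso example.
$expected = Get-CmgExpectedNames -ServiceName 'GraniteFalls.contoso.com' -Region 'westus'
$expected
Test-CmgCname -ServiceName $expected.ServiceName -DeploymentName $expected.DeploymentName
Test-CmgServerCertificate -ServiceName $expected.ServiceName
```

A NameMatch of false with a CNAME that passes usually means the certificate was issued for the deployment name rather than the service name, or the reverse; the certificate CN and the client policy service name must agree.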

Next steps
Continue your CMG setup by configuring Azure Active Directory (Azure AD):
Configure Azure AD
Configure Azure Active Directory for CMG
2/16/2022 • 6 minutes to read

Applies to: Configuration Manager (current branch)


The second primary step to set up a cloud management gateway (CMG) is to integrate the Configuration
Manager site with your Azure Active Directory (Azure AD) tenant. This integration allows the site to authenticate
with Azure AD, which it uses to deploy and monitor the CMG service. If you choose the Azure AD authentication
method for clients in the next step, then this integration is a prerequisite for that authentication method.

TIP
This article provides prescriptive guidance to integrate the site specifically for the cloud management gateway. For more
information on this process and other uses of the Azure Services node in the Configuration Manager console, see
Configure Azure services.

When you integrate the site, you create app registrations in Azure AD. The CMG requires two app registrations:
Web app (also referred to as a server app in Configuration Manager)
Native app (also referred to as a client app in Configuration Manager)
There are two methods to create these apps, both of which require a global administrator role in Azure AD:
Use Configuration Manager to automate the creation of the apps when you integrate the site.
Manually create the apps in advance, and then import them when you integrate the site.
This article primarily follows the first method. For more information on the other method, see Manually register
Azure AD apps for CMG.
Before you start, make sure you have an Azure AD global administrator available.

NOTE
If you plan to import precreated app registrations, you first need to create them in Azure AD. Start with the article to
Manually register Azure AD apps for CMG. Then return to this article to run the Azure Services wizard and import the
apps to Configuration Manager.

Start the Azure Services wizard


1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select the Azure Services node.
2. On the Home tab of the ribbon, in the Azure Services group, select Configure Azure Services.
3. On the Azure Services page of the Azure Services Wizard:
a. Specify a Name for the object in Configuration Manager. This name is only to identify the
connection in Configuration Manager.
b. Specify an optional Description to further identify this service connection.
c. Select the Cloud Management service.
4. On the App page of the Azure Services Wizard, select the Azure environment for your tenant:
AzurePublicCloud: Your tenant is in the global Azure cloud.
AzureUSGovernmentCloud: Your tenant is in the Azure US Government cloud.

Create the web (server) app registration


1. On the App page of the Azure Services Wizard window, for the Web app , select Browse .
2. In the Server App window, select Create to use Configuration Manager to automate the creation of the
app.
3. In the Create Server Application window, specify the following information:
Application name: A friendly name for the app.
HomePage URL: This value isn't used by Configuration Manager, but required by Azure AD. By
default this value is https://ConfigMgrService.
App ID URI: This value needs to be unique in your Azure AD tenant. It's in the access token used
by the Configuration Manager client to request access to the service. By default this value is
https://ConfigMgrService. Change the default to one of the following recommended formats:
api://{tenantId}/{string}, for example, api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
https://{verifiedCustomerDomain}/{string}, for example, https://contoso.onmicrosoft.com/ConfigMgrService
Secret key validity period: choose either 1 year or 2 years from the drop-down list. One year
is the default value.
Azure AD admin account: Select Sign in to authenticate to Azure AD as a global administrator.
Configuration Manager doesn't save these credentials. This persona doesn't require permissions in
Configuration Manager, and doesn't need to be the same account that runs the Azure Services
Wizard. After successfully authenticating to Azure, the page shows the Azure AD tenant name
for reference.
4. Select OK to create the web app in Azure AD and close the Create Server Application window.
5. In the Server App window, make sure your new app is selected, then select OK to save and close the
window.

Create the native (client) app registration


1. On the App page of the Azure Services Wizard window, for the Native Client app, select Browse.
2. In the Client App window, select Create to use Configuration Manager to automate the creation of the
app.
3. In the Create Client Application window, specify the following information:
Application name: A friendly name for the app.
Azure AD admin account: Select Sign in to authenticate to Azure AD as a global administrator.
Configuration Manager doesn't save these credentials. This persona doesn't require permissions in
Configuration Manager, and doesn't need to be the same account that runs the Azure Services
Wizard. After successfully authenticating to Azure, the page shows the Azure AD tenant name
for reference.
4. Select OK to create the native app in Azure AD and close the Create Client Application window.
5. In the Client App window, make sure your new app is selected, then select OK to save and close the
window.

Complete the Azure Services wizard


1. In the Azure Services Wizard, confirm both the Web app and Native Client app values are complete.
Select Next to continue.
2. The Discovery page of the wizard is only necessary in some scenarios. It's optional when you onboard the
site to Azure AD, and not required to create the CMG. If you need it to support specific functionality in
your environment, you can enable it later.
For more information on the CMG scenarios that may require Azure AD user discovery, see Configure
client authentication: Azure AD and Install clients using Azure AD.
For more information on this discovery method, see Configure Azure AD user discovery.
3. Review the settings and complete the wizard.
When the wizard closes, you'll see the new connection in the Azure Services node. You can also view the
tenant and app registrations in the Azure Active Directory Tenants node of the Configuration Manager
console.
Disable Azure AD authentication for non-device or user tenants
If your devices are in an Azure AD tenant that's separate from the tenant with a subscription for the CMG
compute resources, starting in version 2010 you can disable authentication for tenants not associated with
users and devices.
1. Open the properties of the Cloud Management service.
2. Switch to the Applications tab.
3. Select the option to Disable Azure Active Directory authentication for this tenant.
For more information, see Configure Azure services.

Configure Azure resource providers


The CMG service requires that you register specific resource providers in your Azure subscription. The providers
vary depending upon how you deploy the CMG:
Starting in version 2010, if you'll deploy the CMG to a virtual machine scale set, register the following resource
providers:
Microsoft.KeyVault
Microsoft.Storage
Microsoft.Network
Microsoft.Compute
If you'll deploy the CMG using a classic cloud service, your Azure subscription requires the following two
resource providers:
Microsoft.ClassicCompute
Microsoft.Storage
Your Azure AD account needs permission to do the /register/action operation for the resource provider. By
default, the Contributor and Owner roles include this permission.
The following steps summarize the process to register a resource provider. For more information, see Azure
resource providers and types.
1. Sign in to the Azure portal.
2. On the Azure portal menu, search for Subscriptions. Select it from the available options.
3. Select the subscription you want to view.
4. On the left menu, under Settings, select Resource providers.
5. Find the resource provider you want to register, and select Register. To maintain least privileges in your
subscription, only register those resource providers that you're ready to use.
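The same registration can be scripted so that only the providers for the chosen deployment method are touched, which keeps the subscription at the least-privilege footprint the step above asks for. This is an added example, not part of the Configuration Manager documentation; it assumes the Az.Resources module and an existing Connect-AzAccount session with /register/action permission on the target subscription.

```powershell
# Added example (not from the Configuration Manager docs): register only the Azure resource
# providers the selected CMG deployment method needs, skipping ones already registered.

function Register-CmgResourceProviders {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('VirtualMachineScaleSet', 'ClassicCloudService')]
        [string] $DeploymentMethod
    )
    # Provider lists from the article, keyed by deployment method.
    $required = @{
        VirtualMachineScaleSet = @('Microsoft.KeyVault', 'Microsoft.Storage', 'Microsoft.Network', 'Microsoft.Compute')
        ClassicCloudService    = @('Microsoft.ClassicCompute', 'Microsoft.Storage')
    }

    foreach ($namespace in $required[$DeploymentMethod]) {
        # Get-AzResourceProvider returns one object per resource type; the state is the same on each.
        $state = (Get-AzResourceProvider -ProviderNamespace $namespace).RegistrationState | Select-Object -First 1
        if ($state -eq 'Registered') {
            [pscustomobject]@{ Provider = $namespace; Action = 'AlreadyRegistered' }
            continue
        }
        # Registration is asynchronous: the state moves from Registering to Registered.
        Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null
        [pscustomobject]@{ Provider = $namespace; Action = 'RegistrationRequested' }
    }
}

function Wait-CmgResourceProviders {
    param(
        [Parameter(Mandatory)] [string[]] $Namespaces,
        [int] $TimeoutSeconds = 300
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = @($Namespaces | Where-Object {
            ((Get-AzResourceProvider -ProviderNamespace $_).RegistrationState | Select-Object -First 1) -ne 'Registered'
        })
        if ($pending.Count -eq 0) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Not registered after $TimeoutSeconds s: $($pending -join ', ')"
    return $false
}

# Assumed choice: the virtual machine scale set method recommended for version 2107 and later.
$results = Register-CmgResourceProviders -DeploymentMethod 'VirtualMachineScaleSet'
$results | Format-Table -AutoSize
Wait-CmgResourceProviders -Namespaces $results.Provider
```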

Automate with PowerShell


Starting in version 2010, you can optionally automate aspects of these configurations using PowerShell.
1. Use the Import-CMAADServerApplication cmdlet to define the Azure AD web/server app in
Configuration Manager.
2. Use the Import-CMAADClientApplication cmdlet to define the Azure AD native/client app in
Configuration Manager.
3. Use the Get-CMAADApplication cmdlet to get the imported app objects.
4. Then pass the app objects to the New-CMCloudManagementAzureService cmdlet to create the Azure
service for Cloud Management in Configuration Manager.
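Steps 1 to 4 above, and the matching steps in the earlier Automate with PowerShell section of the setup checklist, can be combined into one script. The following is an added example, not part of the Configuration Manager documentation: it imports two app registrations an Azure administrator already created and then creates the Cloud Management Azure service. Parameter names follow the cmdlet help; the site code, tenant ID, client IDs, app names and App ID URI are placeholders, and the Azure environment selection is left at its default (public cloud).

```powershell
# Added example (not from the Configuration Manager docs): wire up pre-created Azure AD
# app registrations to the site with the four cmdlets named in this section.

# Load the Configuration Manager module from the console install and switch to the site drive.
$siteCode = 'PS1'   # placeholder site code
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "${siteCode}:"

$tenantName    = 'Contoso'
$tenantId      = '00000000-0000-0000-0000-000000000000'   # placeholder Azure AD tenant ID
$serverAppName = 'ConfigMgr CMG Server App'
$clientAppName = 'ConfigMgr CMG Client App'

# Don't hard-code the server app secret: read it from your secret store or prompt for it.
$secret = Read-Host -Prompt 'Server (web) app secret key'

# Step 1: import the server (web) app. The App ID URI must match the registration in Azure AD,
# and the expiry must match the secret's validity period chosen there (1 or 2 years).
Import-CMAADServerApplication -TenantName $tenantName -TenantId $tenantId `
    -AppName $serverAppName -ClientId '11111111-1111-1111-1111-111111111111' `
    -AppIdUri 'https://contoso.onmicrosoft.com/ConfigMgrService' `
    -SecretKey $secret -SecretKeyExpiry (Get-Date).AddYears(1)

# Step 3 (part 1): fetch the server app object; the client app import is linked to it.
$serverApp = Get-CMAADApplication -TenantName $tenantName -AppType ServerApplication -AppName $serverAppName
if (-not $serverApp) { throw "Server app '$serverAppName' was not imported." }

# Step 2: import the native (client) app, tied to the server app it is allowed to call.
Import-CMAADClientApplication -TenantName $tenantName -AppName $clientAppName `
    -ClientId '22222222-2222-2222-2222-222222222222' -InputObject $serverApp

# Step 3 (part 2): fetch both app objects and create the Cloud Management Azure service.
$clientApp = Get-CMAADApplication -TenantName $tenantName -AppType ClientApplication -AppName $clientAppName
if (-not $clientApp) { throw "Client app '$clientAppName' was not imported." }

New-CMCloudManagementAzureService -Name 'Cloud Management (Contoso)' `
    -Description 'Azure service connection for the CMG' `
    -ServerApp $serverApp -ClientApp $clientApp

# Steps 4 and 5 of the checklist (New-CMCloudManagementGateway and
# Add-CMCloudManagementGatewayConnectionPoint) take deployment-specific parameters
# such as the server authentication certificate and region, and aren't shown here.
```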

Next steps
Continue your CMG setup by deciding which type of client authentication to use:
Configure client authentication
Configure client authentication for cloud
management gateway
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


The next step in the setup of a cloud management gateway (CMG) is to configure how clients authenticate.
Because these clients are potentially connecting to the service from the untrusted public internet, they have a
higher authentication requirement. There are three options:
Azure Active Directory (Azure AD)
PKI certificates
Configuration Manager site-issued tokens
This article describes how to configure each of these options. For more foundational information, see Plan for
CMG client authentication methods.

Azure AD
If your internet-based devices are running Windows 10 or later, use Azure AD modern authentication with the
CMG. This authentication method is the only one that enables user-centric scenarios.
This authentication method requires the following configurations:
The devices need to be either cloud domain-joined or hybrid Azure AD-joined, and the user also needs an
Azure AD identity.

TIP
To check if a device is cloud-joined, run dsregcmd.exe /status in a command prompt. If the device is Azure AD-
joined or hybrid-joined, the AzureAdjoined field in the results shows YES. For more information, see dsregcmd
command - device state.

One of the primary requirements for using Azure AD authentication for internet-based clients with a
CMG is to integrate the site with Azure AD. You already completed that action in the prior step.
There are a few other requirements, depending upon your environment:
Enable user discovery methods for hybrid identities
Enable ASP.NET 4.5 on the management point
Configure client settings
For more information on these prerequisites, see Install clients using Azure AD.

PKI certificate
Use these steps if you have a public key infrastructure (PKI) that can issue client authentication certificates to
devices.
This certificate may be required on the CMG connection point. For more information, see CMG connection point.
Issue the certificate
Create and issue this certificate from your PKI, which is outside of the context of Configuration Manager. For
example, you can use Active Directory Certificate Services and group policy to automatically issue client
authentication certificates to domain-joined devices. For more information, see Example deployment of PKI
certificates: Deploy the client certificate.
The CMG client authentication certificate supports the following configurations:
2048-bit or 4096-bit key length
This certificate supports key storage providers for certificate private keys (v3). For more information, see
CNG v3 certificates overview.
Export the client certificate's trusted root
The CMG has to trust the client authentication certificates to establish the HTTPS channel with clients. To
accomplish this trust, export the trusted root certificate chain. Then supply these certificates when you create the
CMG in the Configuration Manager console.
Make sure to export all certificates in the trust chain. For example, if the client authentication certificate is issued
by an intermediate CA, export both the intermediate and root CA certificates.

NOTE
Export this certificate when any client uses PKI certificates for authentication. When all clients use either Azure AD or
tokens for authentication, this certificate isn't required.

After you issue a client authentication certificate to a computer, use this process on that computer to export the
trusted root certificate.
1. Open the Start menu. Type "run" to open the Run window. Open mmc.
2. From the File menu, choose Add/Remove Snap-in....
3. In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.
a. In the Certificates snap-in dialog box, select Computer account, then select Next.
b. In the Select Computer dialog box, select Local computer, then select Finish.
c. In the Add or Remove Snap-ins dialog box, select OK.
4. Expand Certificates, expand Personal, and select Certificates.
5. Select a certificate whose Intended Purpose is Client Authentication.
a. From the Action menu, select Open.
b. Go to the Certification Path tab.
c. Select the next certificate up the chain, and select View Certificate.
6. On this new Certificate dialog box, go to the Details tab. Select Copy to File....
7. Complete the Certificate Export Wizard using the default certificate format, DER encoded binary X.509 (.CER). Make note of the name and location of the exported certificate.
8. Export all of the certificates in the certification path of the original client authentication certificate. Make note of which exported certificates are intermediate CAs, and which ones are trusted root CAs.
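The MMC procedure above can be scripted. The following PowerShell is an added example (not part of the Configuration Manager docs): run elevated on a device that already holds a client authentication certificate, it selects that certificate by its client authentication EKU, builds the same chain the Certification Path tab shows, and writes every issuing CA certificate as a DER-encoded .cer file, labelled intermediate or root. The output folder under %TEMP% is an assumption; change it to suit.

```powershell
# Added example: export the trusted root chain of this computer's client
# authentication certificate for the CMG wizard. Not from the Configuration Manager docs.

$clientAuthEku = '1.3.6.1.5.5.7.3.2'             # id-kp-clientAuth
$outDir = Join-Path $env:TEMP 'cmg-trust-chain'  # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Pick a currently valid client authentication certificate with a private key
# from the computer's Personal store (Cert:\LocalMachine\My).
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw 'No valid client authentication certificate found in Cert:\LocalMachine\My' }

# Build the chain. Revocation is skipped here because we only want the issuer
# certificates; the CMG performs its own CRL check against clients later.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    # Build still populates ChainElements; surface why this host does not trust it.
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) - $($_.StatusInformation)" }
}

# Element 0 is the leaf. Every element above it is what the CMG wizard's
# Certificates list needs (intermediates and the root).
$exported = @()
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $ca = $chain.ChainElements[$i].Certificate
    $role = if ($ca.Subject -eq $ca.Issuer) { 'root' } else { 'intermediate' }
    $cn = $ca.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -replace '[^\w.-]', '_'
    $path = Join-Path $outDir "$role-$cn-$($ca.Thumbprint.Substring(0, 8)).cer"
    # X509ContentType.Cert is the DER encoded binary X.509 format the wizard default uses.
    [System.IO.File]::WriteAllBytes($path, $ca.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $exported += [pscustomobject]@{ Role = $role; Subject = $ca.Subject; Thumbprint = $ca.Thumbprint; File = $path }
}

if (-not ($exported | Where-Object Role -eq 'root')) {
    Write-Warning 'Chain did not terminate in a self-signed root; add the root CA manually or the CMG will not trust these clients.'
}
$exported | Format-Table Role, Subject, File -AutoSize
```

Upload every file the script writes when you reach the Certificates step of the Create Cloud Management Gateway wizard; if the leaf is issued directly by the root, only one file is produced.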
CMG connection point
To securely forward client requests, the CMG connection point requires a secure connection with the
management point. If you're using PKI client authentication, and the internet-enabled management point is
HTTPS, issue a client authentication certificate to the site system server with the CMG connection point role.

NOTE
The CMG connection point doesn't require a client authentication certificate in the following scenarios:
Clients use Azure AD authentication.
Clients use Configuration Manager token-based authentication.
The site uses Enhanced HTTP.

For more information, see Enable management point for HTTPS.

Site token
If you can't join devices to Azure AD or use PKI client authentication certificates, then use Configuration Manager
token-based authentication. For more information, or to create a bulk registration token, see Token-based
authentication for cloud management gateway.

Enable management point for HTTPS


Depending upon how you configure the site, and which client authentication method you choose, you may need
to reconfigure your internet-enabled management points. There are two options:
Configure the site for Enhanced HTTP, and configure the management point for HTTP
Configure the management point for HTTPS
Configure the site for Enhanced HTTP
When you use the site option to Use Configuration Manager-generated certificates for HTTP site systems, you can configure the management point for HTTP. When you enable Enhanced HTTP, the site server generates a self-signed certificate named SMS Role SSL Certificate. This certificate is issued by the root SMS Issuing certificate. The management point adds this certificate to the IIS Default Web site bound to port 443.
With this option, internal clients can continue to communicate with the management point using HTTP. Internet-
based clients using Azure AD or a client authentication certificate can securely communicate through the CMG
with this management point over HTTPS.
For more information, see Enhanced HTTP.
Configure the management point for HTTPS
To configure a management point for HTTPS, first issue it a web server certificate. Then enable the role for
HTTPS.
1. Create and issue a web server certificate from your PKI or a third-party provider, which are outside of the
context of Configuration Manager. For example, use Active Directory Certificate Services and group policy
to issue a web server certificate to the site system server with the management point role. For more
information, see the following articles:
PKI certificate requirements
Example deployment of PKI certificates: Deploy the web server certificate for site systems that run IIS
2. On the properties of the management point role, set the client connections to HTTPS .
TIP
After you set up the CMG, you'll configure other settings for this management point.

If your environment has multiple management points, you don't have to HTTPS-enable them all for CMG.
Configure the CMG-enabled management points as Internet only . Then your on-premises clients don't try to
use them.
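Whichever of the two options you choose, you can confirm from any host what a management point is actually presenting on port 443. The following PowerShell is an added example (not part of the Configuration Manager docs): it opens a TLS 1.2 connection, reads the server certificate, and reports whether it is the site-issued SMS Role SSL Certificate (Enhanced HTTP) or a PKI web server certificate, plus whether the certificate chains to a root this host trusts. The management point name is an assumed placeholder.

```powershell
# Added example: inspect the certificate a management point serves on 443.
# Not from the Configuration Manager documentation.

function Get-MpTlsEndpointInfo {
    param(
        [Parameter(Mandatory)][string]$MpFqdn,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($MpFqdn, $Port)
        # Accept any server certificate for the handshake: we are inspecting, not trusting.
        $noValidation = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noValidation)
        try {
            # Offer TLS 1.2 only; a failure here means the endpoint does not support it.
            $ssl.AuthenticateAsClient($MpFqdn, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            # Enhanced HTTP issues "SMS Role SSL Certificate" from the site's "SMS Issuing"
            # root (names as given on this page); anything else is treated as PKI.
            $mode = if ($cert.Subject -like '*SMS Role SSL Certificate*' -or $cert.Issuer -like '*SMS Issuing*') {
                'Enhanced HTTP (site-issued certificate)'
            } else {
                'PKI web server certificate'
            }

            # Chain the certificate from this host's trust store, as a client on this
            # host would. An E-HTTP certificate is expected NOT to chain on a normal client.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $trusted = $chain.Build($cert)

            [pscustomobject]@{
                ManagementPoint   = $MpFqdn
                Mode              = $mode
                Subject           = $cert.Subject
                Issuer            = $cert.Issuer
                NotAfter          = $cert.NotAfter
                Protocol          = $ssl.SslProtocol
                TrustedByThisHost = $trusted
                ChainStatus       = ($chain.ChainStatus.Status -join ', ')
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

# Assumed management point FQDN; replace with yours.
Get-MpTlsEndpointInfo -MpFqdn 'mp01.contoso.com' | Format-List
```

A Mode of "PKI web server certificate" with TrustedByThisHost = False on a domain-joined client usually means the web server certificate's issuing chain is not in the client's Trusted Root store, which will break HTTPS clients even though the management point itself is configured correctly.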
Management point client connection mode summary
These tables summarize whether the management point requires HTTP or HTTPS, depending upon the type of
client. They use the following terms:
Workgroup: The device isn't joined to a domain or Azure AD, but has a client authentication certificate.
AD domain-joined: You join the device to an on-premises Active Directory domain.
Azure AD-joined: Also known as cloud domain-joined, you join the device to an Azure AD tenant. For more
information, see Azure AD joined devices.
Hybrid-joined: You join the device to your on-premises Active Directory and register it with your Azure AD.
For more information, see Hybrid Azure AD joined devices.
HTTP: On the management point properties, you set the client connections to HTTP .
HTTPS: On the management point properties, you set the client connections to HTTPS.
E-HTTP: On the site properties, Communication Security tab, you set the site system settings to HTTPS or HTTP, and you enable the option to Use Configuration Manager-generated certificates for HTTP site systems. You configure the management point for HTTP, and the HTTP management point is ready for both HTTP and HTTPS communication.

IMPORTANT
Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure
the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

For internet-based clients communicating with the CMG

Configure an on-premises management point to allow connections from the CMG with the following client connection mode:

Internet-based client          Management point
Workgroup (Note 1)             E-HTTP, HTTPS
AD domain-joined (Note 1)      E-HTTP, HTTPS
Azure AD-joined                E-HTTP, HTTPS
Hybrid-joined                  E-HTTP, HTTPS

NOTE
Note 1 : This configuration requires the client has a client authentication certificate, and only supports device-centric
scenarios.

For on-premises clients communicating with the on-premises management point

Configure an on-premises management point with the following client connection mode:

On-premises client             Management point
Workgroup                      HTTP, HTTPS
AD domain-joined               HTTP, HTTPS
Azure AD-joined                HTTPS
Hybrid-joined                  HTTP, HTTPS

NOTE
On-premises AD domain-joined clients support both device- and user-centric scenarios communicating with an HTTP or
HTTPS management point.
On-premises Azure AD-joined and hybrid-joined clients can communicate via HTTP for device-centric scenarios, but need
E-HTTP or HTTPS to enable user-centric scenarios. Otherwise they behave the same as workgroup clients.

Next steps
You're now ready to create the CMG in Configuration Manager:
Set up CMG
Set up CMG for Configuration Manager
2/16/2022 • 9 minutes to read

Applies to: Configuration Manager (current branch)


Once you have the prerequisites in place, you can start the process to set up a cloud management gateway
(CMG). Before you start this process, make sure you have the necessary information and prerequisites to create
a CMG. For more information, see Set up checklist for CMG.
This step of the overall process includes the following actions:
Use the Configuration Manager console to create the CMG service in Azure.
Configure the primary site for client certificate authentication.
Add the CMG connection point site system role.
Configure the management point and software update point for CMG traffic.
Configure boundary groups.

Set up a CMG
TIP
Deploying a CMG with a virtual machine scale set in Azure was first introduced in version 2010 as a pre-release feature. Beginning with version 2107, it's no longer a pre-release feature.

Do this procedure on the top-level site. That site is either a standalone primary site, or the central administration
site (CAS).
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select Cloud Management Gateway.
2. Select Create Cloud Management Gateway in the ribbon.
3. On the General page of the wizard, first specify the Azure environment for this CMG:
AzurePublicCloud : Create the service in the global Azure cloud.
AzureUSGovernmentCloud : Create the service in the Azure US Government cloud.
4. Next choose how you want to deploy the CMG in Azure:

NOTE
In version 2006 and earlier, you don't have this choice. All deployments use the cloud service (classic) method.

Virtual machine scale set


Starting in version 2107, this option is the recommended deployment method. Even if you
have an existing CMG deployed with the cloud service (classic) method, deploy new CMG
instances as a virtual machine scale set.
In versions 2010 and 2103, you have to enable this pre-release feature to see it. In these
releases, it's only intended for customers with a Cloud Solution Provider (CSP) subscription.
If you already deployed a CMG with the cloud service (classic) method, this option is unavailable. For more information, see Plan for CMG: Virtual machine scale sets.
Cloud service (classic)
In versions 2010 and 2103, most customers should use this deployment method. Use this
option.
In version 2107 and later, only use this option if you can't deploy with a virtual machine
scale set because of one of the limitations.

IMPORTANT
The option to deploy a CMG as a cloud service (classic) is deprecated. All CMG deployments should use a virtual machine scale set. For more information, see Removed and deprecated features.

5. Select Sign in . Authenticate with an Azure Subscription Owner account. The wizard automatically
populates the remaining fields from the information stored during the Azure AD integration prerequisite.
If you own multiple subscriptions, select the Subscription ID of the subscription you want to use.
Select Next , and wait as the site tests the connection to Azure.
6. On the Settings page of the wizard, first Browse to the .PFX file for the CMG server authentication certificate (Certificate file). The common name from this certificate is used to populate the Service name and Deployment name fields.
If you use a wildcard certificate, replace the asterisk (*) in the Service name field with the globally unique deployment name prefix for your CMG.
a. Optionally specify a Description to further identify this CMG in the Configuration Manager
console.
b. Select an Azure Region for this CMG. The list of available regions may vary based on the selected
subscription.
c. Select a Resource Group option:
If you choose Use existing , then select an existing resource group from the list. This
resource group needs to already exist in the same region you selected for the CMG. If you
select an existing resource group, and it's in a different region than the previously selected
region, the CMG will fail to deploy.
If you choose Create new , then enter the new resource group name.
d. By default, the VM Size is Standard (A2_V2) . Select another option as your design specifies. For
example, Large (A4_v2) for increased client capacity per VM, or Lab (B2s) in a small test
environment.

IMPORTANT
The Lab (B2s) size VM is only intended for lab testing and small proof-of-concept environments. For
example, with the Configuration Manager technical preview branch. The B2s VMs aren't intended for
production use with the CMG. They are low cost and low performing.

e. In the VM Instance field, enter the number of VMs for this service. The default is one, but you can
scale up to 16 VMs per CMG.
f. If you're using client authentication certificates, select Certificates to add trusted root certificates. Add all of the certificates in the trust chain.
NOTE
A trusted root certificate isn't required when using Azure Active Directory (Azure AD) or site-issued tokens
for client authentication.

g. By default, the wizard enables the option to Verify Client Certificate Revocation. A certificate revocation list (CRL) must be publicly published for this verification to work. For more information, see Publish the certificate revocation list.
h. By default, the wizard enables the option to Enforce TLS 1.2 . This setting requires the Azure VM
to use the TLS 1.2 encryption protocol. It doesn't apply to any on-premises Configuration Manager
site servers or clients. Starting in version 2107 with the update rollup, this setting also applies to
the CMG storage account. For more information, see How to enable TLS 1.2.
i. By default, the wizard enables the option to Allow CMG to function as a cloud distribution point and serve content from Azure storage. If you plan on targeting deployments with content to clients, you need to configure the CMG to serve content.
7. Next is the Alerts page of the wizard. To monitor CMG traffic with a 14-day threshold, enable the threshold alert. Then specify the threshold, and the percentage at which to raise the different alert levels. You can also enable a storage alert threshold. Choose Next when you're done.
8. Review the settings, and complete the wizard.
Configuration Manager starts to set up the service. The amount of time it takes to completely provision the
service in Azure is dependent upon the settings that you specified. To determine when the service is ready, view
the Status column for the new CMG.
To troubleshoot CMG deployments, use CloudMgr.log and CMGSetup.log . For more information, see Monitor
CMG.

TIP
Starting in version 2010, you can also use the PowerShell cmdlet New-CMCloudManagementGateway for this
process. Optionally use this cmdlet to create the CMG service. While it was available in earlier versions, version 2010
includes significant improvements to this cmdlet. For more information, see New-CMCloudManagementGateway.

Configure primary site for client certificate authentication


If you're using client authentication certificates for clients to authenticate with the CMG, follow this procedure to
configure each primary site.
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select Sites.
2. Select the primary site to which your internet-based clients are assigned, and choose Properties.
3. Switch to the Communication Security tab, and select Use PKI client certificate (client authentication) when available.
4. If you don't publish a CRL, disable the following option: Clients check the certificate revocation list (CRL) for site systems.

Add the CMG connection point


The CMG connection point is the site system role that's required for communication from your on-premises
Configuration Manager deployment to the cloud-based CMG. Before you start this process, you should have
already developed a plan for the role, and identified at least one existing site system server. For more
information, see Plan for the CMG.
To add the CMG connection point, the following steps summarize the instructions to install site system roles:
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node.
2. Select an existing site server to which you want to add this role. In the ribbon, on the Home tab, select
Add Site System Roles .
3. On the System Role Selection screen, choose Cloud management gateway connection point , and
then select Next . Choose the Cloud management gateway name to which this server connects. The
wizard will show the region for the selected CMG.

IMPORTANT
If you're using client authentication certificates, the CMG connection point needs this certificate. For more information,
see client authentication certificate.

To troubleshoot CMG service health, use CMGService.log and SMS_Cloud_ProxyConnector.log. For more information, see Log files.

TIP
Optionally, you can also use the PowerShell cmdlet Add-CMCloudManagementGatewayConnectionPoint to add
the CMG connection point role to a site system server.
For more information, see Add-CMCloudManagementGatewayConnectionPoint.

Configure client-facing roles for CMG traffic


Configure the management point and software update point site systems to accept CMG traffic. Do this
procedure on the primary site, for all management points and software update points that service internet-
based clients.
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. On the Home tab of the ribbon, in the View group, select Servers with Role. Then select Management point from the list.
2. Select the site system server you want to configure for CMG traffic. Select the Management point role in the details pane, and then in the Site Role group of the ribbon, select Properties.
3. In the Management point properties sheet, under Client Connections select Allow Configuration Manager cloud management gateway traffic.
Depending upon your CMG design and Configuration Manager version, you may need to enable the
HTTPS option. For more information, see Enable management point for HTTPS.
4. Select OK to close the management point properties window.
Repeat these steps for other management points as needed, and for any software update points.

Configure boundary groups


You can associate a CMG with a boundary group. This configuration allows clients to use the CMG for client
communication according to boundary group relationships. This configuration is beneficial for VPN or branch
office clients where it might be better to manage them via a CMG than over the VPN or WAN connection. If you
enable the option to Prefer cloud-based sources over on-premises sources then clients will prefer the
CMG for both policy and content.
For more information on boundary groups, see Configure boundary groups.
When you create or configure a boundary group, on the References tab, add a cloud management gateway.
This action associates the CMG with this boundary group.

BranchCache
To enable a content-enabled CMG to use Windows BranchCache, install the BranchCache feature on the site
server.
If the site server has an on-premises distribution point site system role, configure the option in that role's
properties to Enable and configure BranchCache . For more information, see Configure a distribution
point.
If the site server doesn't have a distribution point role, install the BranchCache feature in Windows. For
more information, see Install the BranchCache feature.
If you've already distributed content to a CMG, and then decide to enable BranchCache, first install the feature.
Then redistribute the content to the CMG.

Distribute and manage content


Distribute content to the content-enabled CMG the same as any other distribution point. The management point
doesn't include the CMG in the list of content locations unless it has the content that clients request. For more
information, see Distribute and manage content.
Manage content on a CMG the same as any other distribution point. These actions include assigning it to a
distribution point group and managing content packages. For more information, see Install and configure
distribution points.

Next steps
Continue your CMG setup by configuring clients for CMG:
Configure clients for CMG
Configure clients for cloud management gateway
2/16/2022 • 3 minutes to read

Applies to: Configuration Manager (current branch)


Once the cloud management gateway (CMG) and the supporting site system roles are operational, you may
need to make configuration changes on Configuration Manager clients.
Clients that can communicate with the management point automatically get the location of the CMG service on
the next location request. The polling cycle for location requests is every 24 hours. If you don't want to wait for
the normally scheduled location request, you can force the request. To force the request, restart the SMS Agent
Host service (ccmexec.exe) on the computer.
For devices that aren't connected to the internal network, there are several options to configure them with a
CMG location. For more information, see Install off-premises clients using a CMG.

NOTE
By default all clients receive CMG policy. Control this behavior with the client setting, Enable clients to use a cloud
management gateway . For more information, see About client settings.

Client location
The Configuration Manager client automatically determines whether it's on the intranet or the internet. If the
client can contact a domain controller or an on-premises management point, it sets its connection type to
Currently intranet . Otherwise, it switches to Currently Internet , and uses the location of the CMG service to
communicate with the site.

NOTE
You can force the client to always use the CMG regardless of whether it's on the intranet or internet. This configuration is
useful for testing purposes, or for clients that you want to force to always use the CMG. Set the following registry key on
the client:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\Security, ClientAlwaysOnInternet = 1

You can also specify this setting during client installation using the CCMALWAYSINF property.
This setting will always apply, even if the client roams into a location where boundary group configurations would
otherwise leverage local resources.

To verify that clients have the policy specifying the CMG, open a Windows PowerShell command prompt as an
administrator on the client computer, and run the following command:

Get-WmiObject -Namespace Root\Ccm\LocationServices -Class SMS_ActiveMPCandidate | Where-Object {$_.Type -eq "Internet"}

This command displays any internet-based management points the client knows about. While the CMG isn't
technically an internet-based management point, clients view it as one.
NOTE
To troubleshoot CMG client traffic, use CMGService.log and SMS_Cloud_ProxyConnector.log. For more information, see Log files.

Install off-premises clients using a CMG


There are two methods to install the Configuration Manager client on devices that aren't currently connected to
your intranet. Both require a local administrator account on the target system.
The first method is to use a bulk registration token to install the client on a device. For more information
on this method, see Create a bulk registration token.
For the second method, when you run ccmsetup.exe , use the /mp parameter to specify the CMG's URL.
For more information, see About client installation parameters and properties. This method requires one
of the following conditions:
The Configuration Manager site is properly configured to use PKI certificates for client
authentication. Additionally, the client systems each have a valid, unique, and trusted client
authentication certificate previously issued to them.
The systems are Azure Active Directory (Azure AD) domain-joined or hybrid Azure AD domain-
joined.

Configure off-premises clients for CMG


You can connect devices to a recently configured CMG where the following conditions are true:
They already have the Configuration Manager client installed.
They aren't connected and can't be connected to your intranet.
They meet one of the following conditions:
A valid, unique, and trusted client authentication certificate previously issued to it.
Azure AD domain-joined
Hybrid Azure AD domain-joined
You don't want to or can't completely reinstall the existing client.
You have a method to change a machine registry value and restart the SMS Agent Host service using a
local administrator account.
To force the connection on these devices, create the REG_SZ registry entry CMGFQDNs in the key
HKLM\Software\Microsoft\CCM . Set its value to the URL of the CMG, for example,
https://GraniteFalls.contoso.com . Then restart the SMS Agent Host Windows service on the device.

If the Configuration Manager client doesn't have a current CMG or internet-facing management point set in the
registry, it automatically checks the CMGFQDNs registry value. This check occurs every 25 hours, when the SMS
Agent Host service starts, or when it detects a network change. When the client connects to the site and learns
of a CMG, it automatically updates this value.
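The registry procedure above, together with the ClientAlwaysOnInternet override and the SMS_ActiveMPCandidate check from earlier in this article, scripted as one added example (not part of the Configuration Manager docs). Run it elevated on the client. The CMG URL is the page's own example value and is assumed; the REG_DWORD type for ClientAlwaysOnInternet is an assumption, since the page gives only the name and value.

```powershell
# Added example: point an installed client at a CMG and verify it picked it up.
# Not from the Configuration Manager documentation.

function Set-CmgClientLocation {
    param(
        [Parameter(Mandatory)][string]$CmgUrl,   # e.g. https://GraniteFalls.contoso.com
        [switch]$AlwaysOnInternet                # also set ClientAlwaysOnInternet = 1
    )
    # CMGFQDNs is read as a URL, so reject anything that is not https://host[/path].
    if ($CmgUrl -notmatch '^https://[A-Za-z0-9.-]+(/.*)?$') {
        throw "CMGFQDNs must be an https:// URL, got '$CmgUrl'"
    }
    $ccm = 'HKLM:\SOFTWARE\Microsoft\CCM'
    if (-not (Test-Path $ccm)) { throw 'The Configuration Manager client is not installed on this device' }

    # REG_SZ value the client checks when it has no current CMG or internet MP.
    New-ItemProperty -Path $ccm -Name CMGFQDNs -PropertyType String -Value $CmgUrl -Force | Out-Null

    if ($AlwaysOnInternet) {
        # Forces "Currently Internet" even when a DC or on-premises MP is reachable.
        # DWORD type is an assumption; the page specifies only ClientAlwaysOnInternet = 1.
        $sec = Join-Path $ccm 'Security'
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
        New-ItemProperty -Path $sec -Name ClientAlwaysOnInternet -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # The client re-reads CMGFQDNs when the SMS Agent Host (ccmexec) starts.
    Restart-Service -Name CcmExec -Force
}

function Get-CmgClientState {
    # Internet-facing management points the client knows about. The CMG is not
    # technically a management point, but the client lists it here as one.
    $internetMps = @(Get-CimInstance -Namespace root\ccm\LocationServices -ClassName SMS_ActiveMPCandidate |
        Where-Object Type -eq 'Internet')
    [pscustomobject]@{
        CMGFQDNs      = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CMGFQDNs -ErrorAction SilentlyContinue).CMGFQDNs
        InternetMPs   = $internetMps
        HasCmgPolicy  = ($internetMps.Count -gt 0)
    }
}

# Assumed CMG URL (the page's example name); replace with your CMG's service FQDN.
Set-CmgClientLocation -CmgUrl 'https://GraniteFalls.contoso.com'
Start-Sleep -Seconds 60            # give ccmexec time to request location
Get-CmgClientState | Format-List
```

HasCmgPolicy stays False until the client has completed a location request through the CMG, so if it remains False after a few minutes check that the device meets one of the authentication conditions listed above and review CMGService.log and SMS_Cloud_ProxyConnector.log on the CMG connection point.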

Next steps
Your CMG is now set up and functional with clients communicating to the site. Next, understand how to monitor
the CMG service and clients:
Monitor CMG
Monitor the CMG
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


After the cloud management gateway (CMG) is running and clients are connecting through it, you can monitor
clients and network traffic. Monitor the service to make sure its performance is optimal.

Monitor clients
Clients connected through the CMG appear in the Configuration Manager console the same way on-premises
clients do. For more information, see how to monitor clients.

Monitor traffic in the console


Monitor traffic on the CMG using the Configuration Manager console:
1. Go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.
2. Select the CMG in the list pane.
3. View the traffic information in the details pane for the CMG connection point and the site system roles it
connects to. These statistics show the client requests coming into these roles. The requests include policy,
location, registration, content, inventory, and client notifications.

Monitor content
Monitor content that you distribute to a CMG the same as with any other distribution point. For more
information, see Monitor content.
When you view the list of CMGs in the console, you can add more columns to the list. For example, the Storage
egress (GB) column shows the amount of data that clients downloaded from the service in the last 30 days.

Monitor logs
The following table lists the log files that contain information related to the cloud management gateway.

Log name: CloudMgr.log
Description: Records details about deploying the cloud management gateway service, ongoing service status, and use data associated with the service. To configure the logging level, edit the Logging level value in the following registry key: HKLM\SOFTWARE\Microsoft\SMS\COMPONENTS\SMS_CLOUD_SERVICES_MANAGER
Computer with log file: The installdir folder on the primary site server or CAS.

Log name: CMGSetup.log (Note 1)
Description: Records details about the second phase of the cloud management gateway deployment (local deployment in Azure). To configure the logging level, use the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

Log name: CMGService.log (Note 1)
Description: Records details about the cloud management gateway service core component in Azure. To configure the logging level, use the setting Trace level (Information (Default), Verbose, Error) on the Azure portal\Cloud services configuration tab.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

Log name: SMS_Cloud_ProxyConnector.log
Description: Records details about setting up connections between the cloud management gateway service and the cloud management gateway connection point.
Computer with log file: Site system server.

Log name: CMGContentService.log (Note 1)
Description: When you enable a CMG to also serve content from Azure storage, this log records the details of that service.
Computer with log file: The %approot%\logs folder on your Azure server, or the SMS/Logs folder on the site system server.

For troubleshooting deployments, use CloudMgr.log and CMGSetup.log.
For troubleshooting service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.
For troubleshooting client traffic, use CMGService.log and SMS_Cloud_ProxyConnector.log.
Note 1: Logs synchronized from Azure
These are local Configuration Manager log files that cloud service manager syncs from Azure storage every five
minutes. The cloud management gateway pushes logs to Azure storage every five minutes. So the maximum
delay is 10 minutes. Verbose switches affect both local and remote logs. The actual file names include the
service name and role instance identifier. For example, CMG-ServiceName-RoleInstanceID-CMGSetup.log. These
log files are synced, so you don't need to RDP to the cloud management gateway to obtain them, and that
option isn't supported.

Cloud management dashboard


The cloud management dashboard provides a centralized view for CMG usage. It also displays data about cloud
users and devices.
In the Configuration Manager console, go to the Monitoring workspace. Select the Cloud Management node,
and view the dashboard tiles.
The following screenshot shows the section of the cloud management dashboard specific for the CMG:
Connection analyzer
To aid troubleshooting, use the CMG connection analyzer for real-time verification. The in-console utility checks
the current status of the service, and the communication channel through the CMG connection point to any
management points that allow CMG traffic.
1. In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services and select the Cloud management gateway node.
2. Select the target CMG instance, and then select Connection analyzer in the ribbon.
3. In the CMG connection analyzer window, select one of the following options to authenticate with the
service:
a. Azure AD user: Use this option to simulate communication the same as a cloud-based user identity signed in to an Azure AD-joined Windows device. Select Sign In to securely enter the credentials for an Azure AD user account.
b. Client certificate: Use this option to simulate communication the same as a Configuration Manager client with a client authentication certificate.
4. Select Start to start the analysis. The analyzer window displays the results. Select an entry to see more
details in the Description field.
Set up outbound traffic alerts
Outbound traffic alerts help you know when network traffic approaches a 14-day threshold level. When you
create the CMG, you can set up traffic alerts. If you skipped that part, you can still set up the alerts after the
service is running. Adjust the alert settings at any time.
You can also configure thresholds for the amount of data that you want to store on the CMG and that clients
download. Use alerts for these thresholds to help you decide when to stop or delete the cloud service, adjust the
content that you store on the CMG, or modify which clients can use the service.
1. Go to the Administration workspace, expand Cloud Services, and select the Cloud Management Gateway node.
2. Select the CMG in the list pane, and then select Properties in the ribbon.
3. Go to the Alerts tab to enable the threshold and alerts:
Specify the 14-day data threshold for outbound data transfer in gigabytes (GB). This
threshold helps you to monitor the amount of data that transfers from the CMG to clients every
two weeks. By default, this threshold is 10 GB. The site raises warning and critical alerts when
transfers reach values that you define. By default, these alerts occur at 50% and 90% of the
threshold.
If the CMG is content-enabled, also specify a storage alert threshold. This threshold sets an
upper limit on the amount of content to store on the CMG. By default, this threshold is 2 GB.
Configuration Manager generates warning and critical alerts when the remaining free space
reaches the levels that you specify. By default, these alerts occur at 50% and 90% of the threshold.
NOTE
Alerts for the CMG depend on usage statistics from Azure, which can take up to 24 hours to become available. For more
information about Storage Analytics for Azure, see Storage Analytics.
In an hourly cycle, the primary site that monitors the CMG downloads transaction data from Azure. It stores this
transaction data in the CloudDP-<ServiceName>.log file on the site server. Configuration Manager then evaluates this
information against the storage and transfer quotas for each CMG. When the transfer of data reaches or exceeds the
specified volume for either warnings or critical alerts, Configuration Manager generates the appropriate alert.
Because the site downloads information about data transfers from Azure every hour, the usage might exceed a warning
or critical threshold before Configuration Manager can access the data and raise an alert.

Stop CMG when it exceeds threshold


Configuration Manager can stop a CMG service when the total data transfer goes over your limit. Use alerts to
trigger notifications when the usage reaches warning or critical levels. To help reduce any unexpected Azure
costs because of a spike in usage, this option turns off the cloud service.

IMPORTANT
Even if the service isn't running, there are still costs associated with the cloud service. Stopping the service doesn't
eliminate all associated Azure costs. To remove all cost for the cloud service, delete the CMG.
When you stop the CMG service, internet-based clients can't communicate with Configuration Manager.

The total data transfer (egress) includes data from the cloud service and storage account. This data comes from
the following flows:
CMG to client
CMG to site, including CMG log files
If you enable CMG for content, storage account to client
For more information on these data flows, see CMG ports and data flow.
The storage alert threshold is separate. That alert monitors the capacity of your Azure storage instance.
When you select the CMG instance in the Cloud Management Gateway node in the console, you can see the
total data transfer in the details pane.
Configuration Manager checks the threshold value every six minutes. If there's a sudden spike in usage,
Configuration Manager can take up to six minutes to detect that it exceeded the threshold and then stop the
service.
Process to stop the cloud service when it exceeds threshold
1. Set up outbound traffic alerts.
2. On the Alerts tab of the CMG properties window, enable the option to Stop this service when the
critical threshold is exceeded.
To test this feature, temporarily reduce one of the following values:
14-day threshold for outbound data transfer (GB). The default value is 10000.
Percentage of threshold for raising Critical alert. The default value is 90.
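The alert evaluation described above (hourly usage polls compared against the 14-day egress threshold, warning and critical percentages, and the optional stop of the service) as an added Python model; this is not Configuration Manager's own code, and the hourly usage figures are constructed sample data. It also shows the caveat from the NOTE: because the site only evaluates when a poll arrives, usage can overshoot the critical line before the service is stopped.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class CmgAlertSettings:
    """Values from the Alerts tab of the CMG properties; defaults as the page states them."""
    threshold_gb: float = 10.0       # 14-day threshold for outbound data transfer (GB)
    warning_pct: int = 50            # percentage of threshold for raising a Warning alert
    critical_pct: int = 90           # percentage of threshold for raising a Critical alert
    stop_on_critical: bool = False   # "Stop this service when the critical threshold is exceeded"


@dataclass
class CmgAlertState:
    """Result of one hourly evaluation of the transaction data downloaded from Azure."""
    hour: int            # index of the hourly poll
    egress_gb: float     # cumulative 14-day egress after this poll
    level: str           # "none", "warning" or "critical"
    stopped: bool        # True once the site has stopped the cloud service
    overshoot_gb: float  # how far past the critical line usage got before detection


def alert_level(egress_gb: float, settings: CmgAlertSettings) -> str:
    """Map cumulative egress to the alert level the site would raise."""
    critical_at = settings.threshold_gb * settings.critical_pct / 100
    warning_at = settings.threshold_gb * settings.warning_pct / 100
    if egress_gb >= critical_at:
        return "critical"
    if egress_gb >= warning_at:
        return "warning"
    return "none"


def replay_hourly_polls(hourly_egress_gb: List[float],
                        settings: CmgAlertSettings) -> List[CmgAlertState]:
    """Replay hourly usage polls. Each entry is the egress (GB) Azure reports for one hour
    of the 14-day window. Evaluation happens only when a poll arrives, so usage can exceed
    the critical line by up to one hour of traffic before the site reacts."""
    critical_at = settings.threshold_gb * settings.critical_pct / 100
    states: List[CmgAlertState] = []
    total = 0.0
    stopped = False
    for hour, gb in enumerate(hourly_egress_gb):
        if stopped:
            break  # a stopped CMG serves no clients, so no further egress accrues
        total += gb
        level = alert_level(total, settings)
        if level == "critical" and settings.stop_on_critical:
            stopped = True
        overshoot = max(0.0, total - critical_at) if level == "critical" else 0.0
        states.append(CmgAlertState(hour, round(total, 3), level, stopped, round(overshoot, 3)))
    return states


# Constructed sample: six hourly usage reports (GB) for a CMG with the default 10 GB threshold.
SAMPLE_HOURLY_GB = [2.0, 2.0, 1.5, 3.0, 1.0, 1.0]

if __name__ == "__main__":
    settings = CmgAlertSettings(stop_on_critical=True)
    for state in replay_hourly_polls(SAMPLE_HOURLY_GB, settings):
        print(f"hour {state.hour}: {state.egress_gb:5.1f} GB  {state.level:8s}  "
              f"stopped={state.stopped}  overshoot={state.overshoot_gb} GB")
```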

Next steps
If you need to change the configuration, you can modify the CMG:
Modify a CMG
Modify a CMG
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


If you need to change the configuration, you can modify the cloud management gateway (CMG).

Configure properties
After you create a CMG, you can modify some of its settings. Select the CMG in the Configuration Manager
console and select Properties. Configure settings on the following tabs:
Settings tab
Certificate file: Change the server authentication certificate for the CMG. This option is useful when you
renew the certificate before it expires. When you get a new certificate, make sure its common name is the
same.

NOTE
When you renew the server authentication certificate for the CMG, the FQDN that you specify for the certificate's
common name (CN) is case-sensitive. For example, if the CN of the current certificate is
granitefalls.contoso.com, create the new certificate with the same lowercase CN. The wizard won't accept a
certificate with the CN GRANITEFALLS.CONTOSO.COM.
If you make significant changes to the certificate, you may need to Redeploy the service. For example, changing
the organization name on the certificate.

Description: Specify an optional description to further identify this CMG in the Configuration Manager
console.
VM Instance: Change the number of virtual machines that the service uses in Azure. This setting allows
you to dynamically scale the service up or down based on usage or cost considerations.
Certificates: Add or remove trusted root or intermediate CA certificates. This option is useful when
adding new CAs, or retiring expired certificates.
Verify Client Certificate Revocation: If you didn't originally enable this setting when you created the
CMG, you can enable it afterward, once you publish the CRL. For more information, see Publish the
certificate revocation list.
Enforce TLS 1.2: The CMG enables this option by default. It requires the CMG to use the TLS 1.2
protocol. Starting in version 2107 with the update rollup, this setting also applies to the CMG storage
account. For more information, see How to enable TLS 1.2.
Allow CMG to function as a cloud distribution point and serve content from Azure storage:
The CMG enables this option by default. If you plan on targeting deployments with content to clients, you
need to configure the CMG to serve content.
Alerts tab
Reconfigure the alerts at any time after you create the CMG. For more information, see Monitor the CMG: Set up
outbound traffic alerts.
Content tab
View the packages that are assigned to the cloud storage account for this CMG. See how much space each
package uses in the storage account. When you select a package, you can redistribute or remove the content
files.
To verify that the content files for a package are available on the content-enabled CMG, go to the Content
Status node in the Monitoring workspace. For more information, see Monitor content you distribute.

Convert
Starting in version 2107, if you have a CMG that uses the classic cloud service, convert it to use a virtual
machine scale set.

TIP
This process reuses the underlying storage account.

When you convert a CMG, you can't change all settings:

Setting | Convert
VM size
VM instances
Verify CRL
Require TLS
Serve content
Azure environment
Subscription
Azure AD app
Region
Resource group

To make changes that the conversion process doesn't support, you need to Redeploy the service.
IMPORTANT
If your CMG's service name is in the cloudapp.net domain, you can't convert it to a virtual machine scale set. For
example, you issued a server authentication certificate from your internal PKI with a common name of
GraniteFalls.cloudapp.net. Since Microsoft owns the cloudapp.net domain, you can't create a DNS CNAME to map
this service name to the new deployment name in the cloudapp.azure.com domain.
1. Issue a new server authentication certificate from your internal PKI with a new service name. Consider using your
domain name instead of a Microsoft domain. For more information, see Use an enterprise PKI certificate.
2. Deploy a new CMG as a virtual machine scale set with the new certificate.
3. Once clients refresh policy to get this new CMG, delete the old CMG.
For more information, see Replace a CMG with a new service name.

Process to convert a CMG to a virtual machine scale set


1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select the Cloud Management Gateway node.
2. Select a CMG instance whose Status is Ready. In the ribbon, select Convert. This action opens the
Convert CMG wizard.
3. On the General page, select Next. You can't change any of these settings.
4. On the Settings page, note the new Deployment name with the suffix for the virtual machine scale set.
5. Make other configuration changes as needed. Then select Next and complete the wizard.
Monitor the conversion process the same as a new deployment. For example, view the state in the console, and
review cloudmgr.log. For more information, see Monitor CMG.
Update or create a DNS CNAME
Since the deployment name changed, you need to update or create a DNS canonical name record (CNAME). This
alias maps the service name to the deployment name. For more information, see Create a DNS CNAME alias.
For example:
The CMG's service name is GraniteFalls.contoso.com.
For the deployment name:
Classic: GraniteFalls.cloudapp.net

Virtual machine scale set: GraniteFalls.EastUS.CloudApp.Azure.Com

Redeploy the service


More significant changes, such as the following configurations, require that you redeploy the service:
Subscription
Service name
Region
Resource group
Significant changes to the server authentication certificate
Always keep at least one active CMG for internet-based clients to receive updated policy. Internet-based clients
can't communicate with a removed CMG. Clients don't know about a new one until they refresh policy. When
you create a second CMG instance to delete the first, also create another CMG connection point.
Clients refresh policy by default every 24 hours. Before you delete the old CMG, wait at least one day after you
create a new one. If clients are turned off or without an internet connection, you may need to wait longer.
If you have an existing CMG from version 1810 or earlier, it uses the Azure Service Manager deployment
method. This method used an Azure management certificate. This method is deprecated, and support will be
removed in a later version of Configuration Manager. Redeploy a new CMG to use the Azure Resource Manager
deployment method.
The process to redeploy the service depends upon your service name and whether you want to reuse it.

NOTE
In version 2107 and later, you can have multiple CMGs that use different deployment methods. You can also convert a
cloud service (classic) CMG to a virtual machine scale set. For more information, see Convert.
In versions 2010 and 2103, if you already deployed a CMG with the cloud service (classic) method, you can't deploy
another CMG as a virtual machine scale set, and vice versa. First delete the existing CMG, and then create a new one
with the other deployment method. All CMG instances for the site need to use the same deployment method. For more
information, see Plan for CMG: Virtual machine scale sets.

Replace a CMG and reuse the same service name

IMPORTANT
This process assumes that you already have at least two CMG services, and are replacing one of them at a time. You need
to have at least one active CMG for internet-based clients.

1. Delete the old CMG.
2. Create a new CMG with the same server authentication certificate.
3. Reconfigure the CMG connection point to use the new CMG.
Replace a CMG with a new service name
1. Get a new server authentication certificate.
2. Create a new CMG.
3. Create a new CMG connection point and link it with the new CMG.
4. Wait at least one day for internet-based clients to receive policy about the new CMG. If clients are turned
off or without an internet connection, you may need to wait longer.
5. Delete the old CMG and associated CMG connection point.

Stop and start the service


Use the Configuration Manager console to stop and start the service if you need to.
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select the Cloud Management Gateway node.
2. Select the CMG instance.
3. In the ribbon, select one of the following actions:
To stop a running CMG, select Stop service.
To start a stopped CMG, select Start service.
Configuration Manager can stop a CMG service when the total data transfer goes over your limit. For more
information, see Stop CMG when it exceeds threshold.

IMPORTANT
Even if the service isn't running, there are still costs associated with the cloud service. Stopping the service doesn't
eliminate all associated Azure costs. To remove all cost for the cloud service, delete the CMG.
When you stop the CMG service, internet-based clients can't communicate with Configuration Manager.

You can also use PowerShell to stop and start a CMG:


Start-CMCloudManagementGateway
Stop-CMCloudManagementGateway

Determine deployment model


To determine the current deployment model of a CMG:
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select the Cloud Management Gateway node.
2. Select the CMG instance.
3. In the Details pane at the bottom of the window, look for the Deployment Model attribute.
Starting in version 2010, you'll see either Cloud service (classic) or Virtual machine scale set.
In version 2006 and earlier, for a Resource Manager deployment, this attribute is Azure Resource
Manager. The legacy deployment model with the Azure management certificate displays as Azure
Service Manager.

IMPORTANT
CMG deployments using Azure Service Manager are deprecated. Support will be removed in a later version of
Configuration Manager. Redeploy a new CMG to use the Azure Resource Manager deployment method.

You can also add the Deployment Model attribute as a column to the list view.

Modifications in the Azure portal


Only modify the CMG from the Configuration Manager console. Making modifications to the service or
underlying VMs directly in Azure isn't supported. Any changes may be lost without notice. As with any platform
as a service (PaaS), the service can rebuild the VMs at any time. These rebuilds can happen for backend
hardware maintenance, or to apply updates to the VM OS.

Renew Azure service secret key


When you first configure Azure Active Directory (Azure AD) for the CMG to create the Cloud Management
Azure service, you specify a secret key validity period on the web (server) app registration. By default, the secret
key is valid for one year, or you can specify two years. Before the secret key expires, make sure to renew it. For
more information, see Renew secret key.

Delete the service


If you need to delete the CMG, only do it from the Configuration Manager console. Manually removing any
components in Azure causes the system to be inconsistent. This state leaves orphaned information, and
unexpected behaviors may occur.
Manually register Azure AD apps for the CMG
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


The second primary step to set up a cloud management gateway (CMG) is to integrate the Configuration
Manager site with your Azure Active Directory (Azure AD) tenant. This integration allows the site to authenticate
with Azure AD, which it uses to deploy and monitor the CMG service. If you can't use Configuration Manager to
automate the creation of the apps during the Azure Service Wizard, you can use the wizard to import a
previously created app. For example, if your Azure administrators require that they manually create all Azure AD
app registrations, then use this process.

TIP
This article provides prescriptive guidance to integrate the site specifically for the cloud management gateway. For more
information on this process and other uses of the Azure Services node in the Configuration Manager console, see
Configure Azure services.

When you integrate the site, you create app registrations in Azure AD. The CMG requires two app registrations:
Web app (also referred to as a server app in Configuration Manager)
Native app (also referred to as a client app in Configuration Manager)
There are two methods to create these apps, both of which require a global administrator role in Azure AD:
Use Configuration Manager to automate the creation of the apps when you integrate the site.
Manually create the apps in advance, and then import them when you integrate the site.
This article provides the specific details for the second method. Pair these instructions with the procedures in the
Configure Azure AD for CMG article to complete the process.

Get tenant details


TIP
During this process, you'll need to note several values to use later. Open an app like Windows Notepad to paste in the
values that you'll copy from the Azure Portal.

First, you need to make note of the Azure AD tenant name and tenant ID. These values are the first two
pieces of information that you need to import the app registrations in Configuration Manager.
1. In the Azure portal, select Azure Active Directory.
2. In the Azure AD menu, select Custom domain names.
3. Note the tenant name. For example, contoso.onmicrosoft.com.
4. In the Azure AD menu, select Properties.
5. Copy the Tenant ID GUID value.

Register the web (server) app


1. In the Azure AD menu, select App registrations. Select New registration to create a new app.
2. In the Register an application pane, specify the following information:
Name: A friendly name for the app. For example, CMG-ServerApp.
Supported account types: Leave this setting as the default option, Accounts in this
organizational directory only.
Redirect URI: Leave this optional value blank.
3. Select Register to create the app.
4. In the properties of the new app, copy the following values:
Display name: This value is the friendly name for this app registration that you'll use later as the
application name.
Application (client) ID: You'll use this GUID value later as the client ID.
5. In the menu of the app properties, select Certificates & secrets, then select New client secret.
Description: You can use any name for the secret or leave it blank.
Expires: Select either 12 months or 24 months.
Select Add. Immediately copy the client secret string Value and Expires. If you leave this pane, you can't
retrieve the same secret again. You'll use these values later as the secret key and secret key expiry values.
6. If you're going to use Azure AD User Discovery in Configuration Manager, you need to adjust the
permissions on this app. In the menu of the app properties, select API permissions. By default it should
have the User.Read permission for the Microsoft Graph API, which needs to change.
a. Select Microsoft Graph to enumerate the list of available API permissions, then select
Application permissions.
b. Expand Directory, and then select Directory.Read.All.
c. Switch to Delegated permissions.
d. Expand User, and remove the User.Read permission.
e. Select Update permissions.
f. On the API permissions pane, select Grant admin consent for..., then select Yes.
7. In the menu of the app properties, select Expose an API.
a. For the Application ID URI, select Set. Specify a URI that's unique for the tenant. You'll use this
value later as the App ID URI. Use one of the following recommended formats:
api://{tenantId}/{string}, for example,
api://5e97358c-d99c-4558-af0c-de7774091dda/ConfigMgrService
https://{verifiedCustomerDomain}/{string}, for example,
https://contoso.onmicrosoft.com/ConfigMgrService
Select Save.
b. Select Add a scope, and specify the following required information:
Scope name: user_impersonation
Who can consent: Select Admins and users
Admin consent display name: Specify a meaningful name. For example,
Access CMG-ServerApp
Admin consent description: Specify a meaningful description. For example,
Allow the application to access CMG-ServerApp on behalf of the signed-in user.

c. Select Add scope to save.


8. In the menu of the app properties, select Manifest. Set the oauth2AllowIdTokenImplicitFlow entry to
true. For example:

"oauth2AllowIdTokenImplicitFlow": true,

Select Save.
The web (server) app for CMG is now registered in Azure AD.

Register the native (client) app


1. In the Azure AD menu, select App registrations. Select New registration to create a new app.
2. In the Register an application pane, specify the following information:
Name: A friendly name for the app. For example, CMG-ClientApp.
Supported account types: Leave this setting as the default option, Accounts in this
organizational directory only.
Redirect URI: Leave this optional value blank.
3. Select Register to create the app.
4. In the properties of the new app, copy the following values:
Display name: This value is the friendly name for this app registration that you'll use later as the
application name.
Application (client) ID: You'll use this GUID value later as the client ID.
5. In the menu of the app properties, select Authentication.
a. Under Platform configurations, select Add a platform.
   a. In the Configure platforms pane, select Mobile and desktop applications.
   b. In the Configure Desktop + devices pane, under Custom redirect URIs, specify
   ms-appx-web://Microsoft.AAD.BrokerPlugin/<ClientID>. Use the app's client ID GUID, for
   example: ms-appx-web://Microsoft.AAD.BrokerPlugin/2afe572e-d268-4c77-a22d-fdca617e2255.
   c. Select Configure.
b. Under Advanced settings, set Allow public client flows to Yes. Select Save.
6. If you're going to use Azure AD User Discovery in Configuration Manager, you need to adjust the
permissions on this app. In the menu of the app properties, select API permissions. By default it should
have the User.Read delegated permission for the Microsoft Graph API.
a. On the API permissions pane, select Add a permission.
b. Switch to the My APIs tab, and select your web (server) app. For example, CMG-ServerApp.
Select the user_impersonation permission, and then select Add permissions to save.
c. On the API permissions pane, select Grant admin consent for..., and then select Yes.
7. In the menu of the app properties, select Manifest. Set the oauth2AllowIdTokenImplicitFlow entry to
true. For example:

"oauth2AllowIdTokenImplicitFlow": true,

Select Save.
The native (client) app for CMG is now registered in Azure AD. This step also concludes the process in the Azure
portal. The role of the Azure global administrator is done.

Import the apps to Configuration Manager


After you manually register the two apps in the Azure portal, use the process in the article to Configure Azure
AD for CMG, but select the option to Import each of the apps.
These processes import metadata about the Azure AD apps into Configuration Manager. You don't require any
Azure AD permissions to import these apps.
Import web (server) app
When you select Import from the Server app window, it opens the Import apps window. Enter the following
information about the Azure AD web app that's already registered in the Azure portal:
Azure AD Tenant Name: The name of your Azure AD tenant.
Azure AD Tenant ID: The GUID of your Azure AD tenant.
Application Name: A friendly name for the app, the display name in the app registration.
Client ID: The Application (client) ID value of the app registration. The format is a standard GUID.
Secret Key: Copy the secret key when you register the app in Azure AD and create the secret key.
Secret Key Expiry: Specify the same date as from the Azure portal.
App ID URI: The value is the Application ID URI of the app registration entry in the Azure AD portal. The
format is similar to https://ConfigMgrService.

After entering the information, select Verify. Then select OK to close the Import apps window.

IMPORTANT
When you use an imported Azure AD app, you aren't notified of an upcoming expiration date from console notifications.

Import native (client) app


When you select Import from the Client app window, it opens the Import apps window. Enter the following
information about the Azure AD native app that's already registered in the Azure portal:
The wizard autopopulates the Azure AD tenant name and tenant ID based on the web (server) app that you
already specified.
Application Name: A friendly name for the app.
Client ID: The Application (client) ID value of the app registration. The format is a standard GUID.
After entering the information, select Verify. Then select OK to close the Import apps window.

Next steps
After you manually register the two apps in the Azure portal, use the process in the following article to import
the apps:
Configure Azure AD for CMG
Security and privacy for the cloud management
gateway
2/16/2022 • 4 minutes to read

Applies to: Configuration Manager (current branch)


This article includes security and privacy information for the Configuration Manager cloud management
gateway (CMG). For more information, see Overview of cloud management gateway.

Security details
The CMG accepts and manages connections from CMG connection points. It uses mutual authentication using
certificates and connection IDs.
The CMG accepts and forwards client requests using the following methods:
Pre-authenticates connections using mutual HTTPS with the PKI-based client authentication certificate or
Azure Active Directory (Azure AD).
IIS on the CMG VM instances verifies the certificate path based on the trusted root certificates that
you upload to the CMG.
If you enable certificate revocation, IIS on the VM instance also verifies client certificate revocation.
For more information, see Publish the certificate revocation list.
The certificate trust list (CTL) checks the root of the client authentication certificate. It also does the same
validation as the management point for the client. For more information, see Review entries in the site's
certificate trust list.
Validates and filters client requests (URLs) to check if any CMG connection point can service the request.
Checks content length for each publishing endpoint.
Uses round-robin behavior to load-balance CMG connection points in the same site.
The CMG connection point uses the following methods:
Builds consistent HTTPS/TCP connections to all VM instances of the CMG. It checks and maintains these
connections every minute.
Uses mutual authentication with the CMG using certificates.
Forwards client requests based on URL mappings.
Reports connection status to show service health status in the console.
Reports traffic per endpoint every five minutes.
Starting in version 2010, Configuration Manager rotates the storage account key for the CMG. This process
happens automatically every 180 days.
Configuration Manager client-facing roles
The management point and software update point host endpoints in IIS to service client requests. The CMG
doesn't expose all internal endpoints. Every endpoint published to the CMG has a URL mapping.
The external URL is the one the client uses to communicate with the CMG.
The internal URL is the CMG connection point used to forward requests to the internal server.
URL-mapping example
When you enable CMG traffic on a management point, Configuration Manager creates an internal set of URL
mappings for each management point server. For example: ccm_system, ccm_incoming, and sms_mp. The
external URL for the management point ccm_system endpoint might look like:
https://<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>/CCM_System
The URL is unique for each management point. The Configuration Manager client then puts the CMG-enabled
management point name into its internet management point list. This name looks like:
<CMG service name>/CCM_Proxy_MutualAuth/<MP Role ID>
The site automatically uploads all published external URLs to the CMG. This behavior allows the CMG to do URL
filtering. All URL mappings replicate to the CMG connection point. It then forwards the communication to
internal servers according to the external URL from the client request.
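The URL mapping, URL filtering, content-length check and round-robin selection of CMG connection points described in this section, as an added Python model; this is not Configuration Manager's own code. The external URL format is the one shown above; the internal URL form, the management point role ID, the server names and the body-size limit are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Management point endpoints the page names as examples of published URL mappings.
MP_ENDPOINTS = ("CCM_System", "CCM_Incoming", "SMS_MP")


def build_url_mappings(cmg_service_name: str, mp_role_id: str, mp_fqdn: str) -> Dict[str, str]:
    """Return {external URL: internal URL} for one CMG-enabled management point.
    The external form is from the page; the internal form (https://<MP FQDN>/<endpoint>)
    is an assumption made for this example."""
    return {
        f"https://{cmg_service_name}/CCM_Proxy_MutualAuth/{mp_role_id}/{endpoint}":
            f"https://{mp_fqdn}/{endpoint}"
        for endpoint in MP_ENDPOINTS
    }


@dataclass
class RoutedRequest:
    connection_point: str  # CMG connection point chosen by round-robin
    internal_url: str      # URL the connection point forwards to the on-premises role


class CmgUrlFilter:
    """Models the CMG edge: only published external URLs are forwarded, bodies over the
    endpoint limit are dropped, and connection points in the site are used in turn."""

    def __init__(self, mappings: Dict[str, str], connection_points: Iterable[str],
                 max_body_bytes: int):
        # Match case-insensitively, since IIS paths are not case-sensitive (assumption).
        self._mappings = {ext.lower(): (ext, internal) for ext, internal in mappings.items()}
        self._next_cp = cycle(list(connection_points))
        self._max_body = max_body_bytes

    def route(self, request_url: str, content_length: int = 0) -> Optional[RoutedRequest]:
        """Return the forwarding decision, or None when the request is filtered out."""
        parsed = urlparse(request_url)
        base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        base_lc = base.lower()
        for ext_lc, (ext, internal) in self._mappings.items():
            if base_lc == ext_lc or base_lc.startswith(ext_lc + "/"):
                if content_length > self._max_body:
                    return None  # content-length check for the publishing endpoint failed
                suffix = base[len(ext):]  # keep the client's path below the mapped endpoint
                query = f"?{parsed.query}" if parsed.query else ""
                return RoutedRequest(next(self._next_cp), internal + suffix + query)
        return None  # no CMG connection point can service an unpublished URL


# Constructed sample values (service name follows the page's GraniteFalls examples).
SERVICE_NAME = "granitefalls.contoso.com"
MP_ROLE_ID = "72057594037927936"                     # constructed management point role ID
MAPPINGS = build_url_mappings(SERVICE_NAME, MP_ROLE_ID, "mp01.contoso.local")  # constructed FQDN
CONNECTION_POINTS = ["cmgcp01.contoso.local", "cmgcp02.contoso.local"]          # constructed

if __name__ == "__main__":
    cmg = CmgUrlFilter(MAPPINGS, CONNECTION_POINTS, max_body_bytes=4 * 1024 * 1024)
    for url in (
        f"https://{SERVICE_NAME}/CCM_Proxy_MutualAuth/{MP_ROLE_ID}/CCM_System/request",
        f"https://{SERVICE_NAME}/CCM_Proxy_MutualAuth/{MP_ROLE_ID}/SMS_MP/.sms_aut?MPLIST",
        f"https://{SERVICE_NAME}/SMS_DP_SMSPKG$/PKG00001",  # not published: dropped
    ):
        print(url, "->", cmg.route(url))
```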

Security guidance
Publish the certificate revocation list
Publish your PKI's certificate revocation list (CRL) for internet-based clients to access. When deploying a CMG
using PKI, configure the service to Verify client certificate revocation on the Settings tab. This setting
configures the service to use a published CRL. For more information, see Plan for PKI certificate revocation.
This CMG option verifies the client authentication certificate.
If the client is using Azure AD or Configuration Manager token-based authentication, the CRL doesn't
matter.
If you use PKI, and externally publish the CRL, then enable this option (recommended).
If you use PKI, don't publish the CRL, then disable this option.
If you misconfigure this option, it can cause more traffic from clients to the CMG. This traffic can increase
the Azure egress data, which can increase your Azure costs.
Review entries in the site's certificate trust list
Each Configuration Manager site includes a list of trusted root certification authorities, the certificate trust list
(CTL). To view and modify the list, go to the Administration workspace, expand Site Configuration, and
select Sites. Select a site, and then select Properties in the ribbon. Switch to the Communication Security
tab, and then select Set under Trusted Root Certification Authorities.
Use a more restrictive CTL for a site with a CMG using PKI client authentication. Otherwise, clients with client
authentication certificates issued by any trusted root that already exists on the management point are
automatically accepted for client registration.
This subset provides administrators with more control over security. The CTL restricts the server to only accept
client certificates that are issued from the certification authorities in the CTL. For example, Windows ships with
certificates for many public and globally trusted certificate providers. By default, the computer running IIS trusts
certificates that chain to these well-known certificate authorities (CAs). Without configuring IIS with a CTL, any
computer that has a client certificate issued from these CAs is accepted as a valid Configuration Manager
client. If you configure IIS with a CTL that doesn't include these CAs, client connections are refused if the certificate
chains to these CAs.
Enforce TLS 1.2
Use the CMG setting to Enforce TLS 1.2. It only applies to the Azure cloud service VM. It doesn't apply to any
on-premises Configuration Manager site servers or clients.
Starting in version 2107 with the update rollup, this setting also applies to the CMG storage account.
For more information on TLS 1.2, see How to enable TLS 1.2.
Use token-based authentication
If you have devices that have one or more of the following conditions, consider using Configuration Manager
token-based authentication:
An internet-based device that doesn't often connect to the internal network
The device isn't able to join Azure AD
You don't have a method to install a PKI-issued certificate
With token-based authentication, the site automatically issues tokens for devices that register on the internal
network. You can create a bulk registration token for internet-based devices. For more information, see Token-
based authentication for CMG.
Data flow for CMG
2/16/2022 • 7 minutes to read

Applies to: Configuration Manager (current branch)


Use this article to understand how data flows between components of the cloud management gateway (CMG). It
requires specific network ports and internet endpoints to function. You don't need to open any inbound ports to
your on-premises network. The service connection point and CMG connection point site system roles start all
communication with Azure and the CMG. These two roles need to create outbound connections to the Microsoft
cloud. The service connection point deploys and monitors the service in Azure, so it needs to be online. The CMG
connection point connects to the CMG to manage communication between the CMG and on-premises site
system roles.

Data flow diagram


The following diagram is a basic, conceptual data flow for the CMG:

1. The service connection point connects to Azure over HTTPS port 443. It authenticates using Azure Active
Directory (Azure AD). The service connection point deploys the CMG in Azure. The CMG creates the
HTTPS service using the server authentication certificate.
2. The CMG connection point connects to the CMG in Azure. It holds the connection open, and builds the
channel for future two-way communication.
When you deploy the CMG as a virtual machine scale set, this flow is over HTTPS.
If you deploy the CMG as a classic cloud service, it first tries TCP-TLS. If that connection fails, it
switches to HTTPS.
For more information, see Note 2: CMG connection point HTTPS ports for one VM.
3. The client connects to the CMG over HTTPS port 443. It authenticates using Azure AD, the client
authentication certificate, or a site-issued token.

NOTE
If you enable the CMG to serve content, the client connects directly to Azure blob storage over HTTPS port 443.
For more information, see Content data flow.

4. The CMG forwards the client communication over the existing connection to the on-premises CMG
connection point. You don't need to open any inbound firewall ports.
5. The CMG connection point forwards the client communication to the on-premises management point
and software update point.
For more information when you integrate with Azure AD, see Configure Azure services: Cloud management data
flow.
Content data flow
When a client uses a CMG as a content location:
1. The management point gives the client an access token along with the list of content sources. This token
is valid for 24 hours, and gives the client access to the cloud-based content source.
2. The management point responds to the client's location request with the service name of the CMG. This
property is the same as the common name of the server authentication certificate.
If you're using your domain name, for example, WallaceFalls.contoso.com , then the client first tries to
resolve this FQDN. Clients use the CNAME alias in your domain's internet-facing DNS to resolve the
Azure deployment name.
3. The client next resolves the deployment name to a valid IP address. This response is handled by Azure's
DNS.
4. The client connects to the CMG. Azure load balances the connection to one of the VM instances. The client
authenticates itself using the access token.
5. The CMG authenticates the client's access token, and then gives the client the exact content location in
Azure storage.
6. If the client trusts the CMG's server authentication certificate, it connects to Azure storage to download
the content.

Required ports
This table lists the required network ports and protocols. The Client is the device that starts the connection,
requiring an outbound port. The Server is the device that accepts the connection, requiring an inbound port.

| Client | Protocol | Port | Server | Description |
| --- | --- | --- | --- | --- |
| Service connection point | HTTPS | 443 | Azure | CMG deployment |
| CMG connection point (virtual machine scale set) | HTTPS | 443 | CMG service | Protocol to build CMG channel to only one VM instance (Note 2) |
| CMG connection point (virtual machine scale set) | HTTPS | 10124-10139 | CMG service | Protocol to build CMG channel to two or more VM instances (Note 3) |
| CMG connection point (classic cloud service) | TCP-TLS | 10140-10155 | CMG service | Preferred protocol to build CMG channel (Note 1) |
| CMG connection point (classic cloud service) | HTTPS | 443 | CMG service | Fallback protocol to build CMG channel to only one VM instance (Note 2) |
| CMG connection point (classic cloud service) | HTTPS | 10124-10139 | CMG service | Fallback protocol to build CMG channel to two or more VM instances (Note 3) |
| Client | HTTPS | 443 | CMG | General client communication |
| Client | HTTPS | 443 | Blob storage | Download cloud-based content |
| CMG connection point | HTTPS or HTTP | 443 or 80 | Management point | On-premises traffic, port depends upon management point configuration |
| CMG connection point | HTTPS or HTTP | 443 or 80 / 8530 or 8531 | Software update point | On-premises traffic, port depends upon software update point configuration |

Notes on ports
Note 1: CMG connection point TCP-TLS ports
These ports only apply when you deploy the CMG as a cloud service (classic), which was the only method
available in version 2006 and earlier.
The CMG connection point first tries to establish a long-lived TCP-TLS connection with each CMG VM instance. It
connects to the first VM instance on port 10140. The second VM instance uses port 10141, up to the 16th on
port 10155. A TCP-TLS connection has the best performance, but it doesn't support an internet proxy. If the CMG
connection point can't connect via TCP-TLS, then it falls back to HTTPS (Note 2).
Note 2: CMG connection point HTTPS ports for one VM
If you deploy the CMG in a virtual machine scale set, the CMG connection point only communicates with the
service in Azure over HTTPS. It doesn't require TCP-TLS ports to build the CMG communication channel.
For a CMG deployed as a classic cloud service, it only uses this port if the TCP-TLS connection fails. If the CMG
connection point can't connect to the CMG via TCP-TLS (Note 1), it connects to the Azure network load balancer over
HTTPS 443. This behavior is only for one VM instance.
Note 3: CMG connection point HTTPS ports for two or more VMs
If there are two or more VM instances, the CMG connection point uses HTTPS 10124 to the first VM instance,
not HTTPS 443. It connects to the second VM instance on HTTPS 10125, up to the 16th on HTTPS port 10139.

Internet access requirements


If your organization restricts network communication with the internet using a firewall or proxy device, you
need to allow the CMG connection point and service connection point to access internet endpoints.
For more information, see Internet access requirements.
This section covers the following features:
Cloud management gateway (CMG)
Azure Active Directory (Azure AD) integration
Azure AD-based discovery
Cloud distribution point (CDP)
NOTE
The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP
instances. To provide content to internet-based devices, enable the CMG to distribute content.

The following sections list the endpoints by role. Some endpoints refer to a service by <prefix>, which is the
prefix name of the CMG. For example, if your CMG is GraniteFalls.WestUS.CloudApp.Azure.Com, then the actual
storage endpoint is GraniteFalls.blob.core.windows.net.

TIP
To clarify some terminology:
CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG
connection point site system role communicate with this service name. For example, GraniteFalls.contoso.com
or GraniteFalls.WestUS.CloudApp.Azure.Com .
CMG deployment name: The first part of the service name plus the Azure location for the cloud service
deployment. The cloud service manager component of the service connection point uses this name when it
deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location depends upon
the deployment method, for example:
Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
Classic deployment: GraniteFalls.CloudApp.Net
This article uses examples with a virtual machine scale set as the recommended deployment method in version 2107 and
later. If you use a classic deployment, note the difference as you read this article and configure internet access.

Service connection point for cloud services


For Configuration Manager to deploy the CMG service in Azure, the service connection point needs access to:
Specific Azure endpoints, which are different per environment depending upon the configuration.
Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments
table in SQL Server for the list of Azure endpoints.
Azure services:
management.azure.com (Azure public cloud)
management.usgovcloudapi.net (Azure US Government cloud)
For Azure AD user discovery: Microsoft Graph endpoint https://graph.microsoft.com/
CMG connection point for cloud services
The CMG connection point needs access to the following endpoints:

| Type | Azure public cloud | Azure US Government cloud |
| --- | --- | --- |
| Service name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net |
| Storage endpoint 1 | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net |
| Storage endpoint 2 | <prefix>.table.core.windows.net | <prefix>.table.core.usgovcloudapi.net |

The CMG connection point site system supports using a web proxy. For more information on configuring this
role for a proxy, see Proxy server support.
The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other
Azure endpoints.
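The following PowerShell is an added example, not part of the Configuration Manager documentation. It ties together the Required ports table with its three notes and the CMG connection point endpoint table above: given the CMG prefix, region, cloud and deployment type, it derives the service and storage hostnames, works out which channel ports the connection point will use for a given number of VM instances, and tests outbound TCP reachability with Test-NetConnection. The prefix GraniteFalls, the region westus and the instance count are placeholders; substitute your own values when you run it from the CMG connection point server.

```powershell
# Added example, not from the Configuration Manager documentation.
# Assumptions: 'GraniteFalls' and 'westus' are placeholders for your CMG prefix and Azure region.

function Get-CmgEndpointPlan {
    param(
        [Parameter(Mandatory)] [string] $Prefix,
        [string] $Region = 'westus',
        [ValidateSet('Public', 'USGov')] [string] $Cloud = 'Public',
        [ValidateSet('ScaleSet', 'Classic')] [string] $Deployment = 'ScaleSet',
        [ValidateRange(1, 16)] [int] $InstanceCount = 1
    )

    $p = $Prefix.ToLower()
    if ($Cloud -eq 'Public') {
        # Scale set deployments live under <region>.cloudapp.azure.com; classic ones under cloudapp.net.
        $service = if ($Deployment -eq 'ScaleSet') { "$p.$($Region.ToLower()).cloudapp.azure.com" }
                   else { "$p.cloudapp.net" }
        $storage = @("$p.blob.core.windows.net", "$p.table.core.windows.net")
    }
    else {
        $service = "$p.usgovcloudapp.net"
        $storage = @("$p.blob.core.usgovcloudapi.net", "$p.table.core.usgovcloudapi.net")
    }

    # HTTPS channel ports (Notes 2 and 3): a single instance is reached on 443 through the
    # load balancer; two or more instances use 10124 for the first, then one port per instance.
    $https = @(if ($InstanceCount -eq 1) { 443 } else { 10124..(10124 + $InstanceCount - 1) })

    # Classic deployments first try TCP-TLS on 10140 + n for instance n (Note 1),
    # and only fall back to the HTTPS ports above if that fails.
    $tcpTls = @(if ($Deployment -eq 'Classic') { 10140..(10140 + $InstanceCount - 1) })

    [pscustomobject]@{
        ServiceName = $service
        Storage     = $storage
        HttpsPorts  = $https
        TcpTlsPorts = $tcpTls
    }
}

function Test-CmgEgress {
    param([Parameter(Mandatory)] [pscustomobject] $Plan)

    $targets = @()
    foreach ($port in ($Plan.TcpTlsPorts + $Plan.HttpsPorts)) {
        $targets += [pscustomobject]@{ Host = $Plan.ServiceName; Port = $port }
    }
    foreach ($h in $Plan.Storage) {
        $targets += [pscustomobject]@{ Host = $h; Port = 443 }
    }

    foreach ($t in $targets) {
        # -InformationLevel Quiet returns a plain boolean instead of the verbose object.
        $open = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; TcpOpen = [bool]$open }
    }
}

$plan = Get-CmgEndpointPlan -Prefix 'GraniteFalls' -Region 'westus' -InstanceCount 3
$plan.HttpsPorts                                   # 10124, 10125, 10126 for three instances
Test-CmgEgress -Plan $plan | Format-Table -AutoSize
```

A closed port in the output is a firewall or proxy allow-list gap on the path from the connection point to Azure, not a CMG fault; a TCP-TLS port that is closed on a classic deployment only costs performance, because the connection point falls back to HTTPS, whereas a closed HTTPS port for a scale set deployment stops the channel from being built at all.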
Configuration Manager client for cloud services
Any Configuration Manager client that needs to communicate with a CMG needs access to the following
endpoints:

| Type | Azure public cloud | Azure US Government cloud |
| --- | --- | --- |
| Deployment name | <prefix>.<region>.cloudapp.azure.com | <prefix>.usgovcloudapp.net |
| Storage endpoint | <prefix>.blob.core.windows.net | <prefix>.blob.core.usgovcloudapi.net |
| Azure AD endpoint | login.microsoftonline.com | login.microsoftonline.us |

Configuration Manager console for cloud services


Any device with the Configuration Manager console needs access to the following endpoints:

| Type | Azure public cloud | Azure US Government cloud |
| --- | --- | --- |
| Azure AD endpoints | login.microsoftonline.com, aadcdn.msauth.net, aadcdn.msftauth.net | login.microsoftonline.us |

HTTP headers and verbs


Any networking device that manages communication between the client, the CMG, and the on-premises site
systems has to allow the following HTTP headers and verbs. If these items are blocked, it will affect client
communication through the CMG.
HTTP headers
Range:
CCMClientID:
CCMClientIDSignature:
CCMClientTimestamp:
CCMClientTimestampsSignature:
HTTP verbs
HEAD
CCM_POST
BITS_POST
GET
PROPFIND
Plan for internet-based client management in
Configuration Manager
2/16/2022 • 8 minutes to read

Applies to: Configuration Manager (current branch)


Use internet-based client management (IBCM) to manage Configuration Manager clients when they aren't
connected to your internal network. Advantages of using IBCM:
Full control of servers and roles providing the service
No cloud service dependency
May not require a virtual private network (VPN)
All costs are associated with the on-premises service
Because of the higher security requirements of managing client computers on a public network, IBCM requires
the use of PKI certificates. This configuration makes sure that both ends of a connection are authenticated by a
certificate authority you trust, and that data sent between IBCM clients and site systems is encrypted in transit.

Client communications
The following site system roles at primary sites support connections from clients that are in untrusted locations:

NOTE
While IBCM primarily focuses on the internet-based scenario, the same behaviors apply to clients in an untrusted Active
Directory forest. Secondary sites don't support client connections from untrusted locations.

Certificate registration point for the Configuration Manager policy module (NDES)
Distribution point
Content-enabled cloud management gateway (CMG)
Enrollment proxy point
Fallback status point
Management point
Software update point
About internet facing site systems
There's no requirement to have a trust between a client's forest and that of the site system server. However,
when the forest that contains an internet-facing site system trusts the forest that contains the user accounts, this
configuration supports user-based policies for devices on the internet when you enable the Client Policy client
setting Enable user policy requests from internet clients .
For example, the following configurations illustrate when IBCM supports user policies for devices on the
internet:
The internet-based management point is in the perimeter network. That network also has a read-only
domain controller to authenticate the user. A firewall between the perimeter and internal networks allows
Active Directory packets.
The user account is in the intranet-based forest. The internet-based management point is in the
perimeter-based forest. The perimeter forest trusts the internal forest. A firewall between the perimeter
and internal networks allows the authentication packets.
The user account and the internet-based management point are both in the intranet-based forest. You
publish the management point to the internet with a web proxy server.
Use a web proxy server
You can place internet-based site systems in the intranet when you publish them to the internet with a web
proxy server. Configure these site systems for client connections from the internet only, or client connections
from the internet and intranet. When you use a web proxy server, you can configure it for Secure Sockets Layer
(SSL) bridging to SSL or SSL tunneling. The documentation keeps the term SSL; in practice these connections use TLS.
SSL bridging to SSL
SSL bridging to SSL is the recommended and more secure configuration, because it uses SSL termination with
authentication. It authenticates client computers with computer authentication. Mobile devices that you enroll
with Configuration Manager don't support SSL bridging.
With SSL termination at the proxy, it inspects packets from the internet before it forwards them to the internal
network. The proxy authenticates the connection from the client, terminates it, and then opens a new
authenticated connection to the internet-based site systems. When Configuration Manager clients use a proxy,
the client securely contains its identity (GUID) in the packet payload. The management point doesn't consider the
proxy to be the client. Configuration Manager doesn't support bridging with HTTP to HTTPS, or from HTTPS to
HTTP.

NOTE
Configuration Manager doesn't support setting third-party SSL bridging configurations. For example, Citrix Netscaler or
F5 BIG-IP. Please work with your device vendor to configure it for use with Configuration Manager.

Tunneling
If your proxy web server can't support the requirements for SSL bridging, Configuration Manager also supports
SSL tunneling. You can also use SSL tunneling to support mobile devices that you enroll with Configuration
Manager. It's a less secure option because the proxy forwards the SSL packets from the internet to the site
systems without SSL termination. The proxy doesn't inspect the packets for malicious content. When you use
SSL tunneling, there are no certificate requirements for the proxy web server.

Plan for internet-based clients


Decide whether to configure your internet-based clients for management on both the intranet and the internet,
or for internet-only client management. You can only configure this management option during client
installation. To change it later, reinstall the client.

NOTE
If you configure a management point to support internet-based clients, clients that connect to this management point
will become internet-capable when they next refresh their list of available management points.
You don't have to restrict the configuration of internet-only client management to the internet. You can also use it on the
intranet.

Clients that you configure for internet-only management only communicate with the site systems that you
configure for client connections from the internet. Use this configuration in the following scenarios:
For computers that you know will never connect to your intranet. For example, point of sale computers in
remote locations.
To restrict client communication to HTTPS only. For example, to support firewall and restricted security
policies.
When you install internet-based site systems in a perimeter network, and you want to manage these servers
as Configuration Manager clients.

NOTE
When you want to manage workgroup clients on the internet, install them as internet-only.
When you configure a mobile device to use an internet-based management point, it automatically configures as internet-
only.

You can configure other clients for both internet and intranet client management. When they detect a change of
network, they automatically switch between IBCM and intranet client management. If these clients can find and
connect to a management point that supports client connections on the intranet, these clients are managed as
intranet clients. Intranet clients have full Configuration Manager functionality. If the clients can't find or connect
to a management point that supports client connections on the intranet, they attempt to connect to an internet-
based management point. If this action succeeds, these clients are then managed by the internet-based site
systems in their assigned site.
The benefit in automatic switching is that clients can use all features when they connect to the intranet, and
receive essential management when they're on the internet. Content download that begins on the internet can
seamlessly resume on the intranet, and the other way around.

Prerequisites
IBCM in Configuration Manager has the following dependencies:
Clients require an internet connection. Configuration Manager uses the device's existing internet
connection. Mobile devices must have a direct internet connection. Full client computers can have either a
direct internet connection or connect by using a proxy web server.
Site systems that support IBCM require an internet connection, and must be in an Active Directory
domain. The internet-based site systems don't require a trust relationship with the Active Directory forest
of the site server. However, when the internet-based management point can authenticate the user by
using Windows authentication, it supports user policies. If Windows authentication fails, it only supports
device policies.

NOTE
To support user policies, also enable the following client settings in the Client Policy group:
Enable user policy polling on clients
Enable user policy requests from Internet clients

A public key infrastructure (PKI) to deploy and manage the required certificates for internet-based clients
and site system servers. For more information, see PKI certificate requirements.
Register public DNS host entries for the internet fully qualified domain names (FQDN) of site systems
that support IBCM.
Enable the option to Use PKI client certificate (client authentication capability) when available
on the Communication Security tab of the site properties. Starting with the update rollup for version
2006, this option is required.
Client communication requirements
Intervening firewalls or proxy servers must allow the client communication for internet-based site systems:
Support HTTP 1.1
Allow HTTP content type of multipart MIME attachment (multipart/mixed and application/octet-stream)
Verbs
Allow the following verbs for the internet-based site system server roles:

| Role | Verbs |
| --- | --- |
| Management point | HEAD, CCM_POST, BITS_POST, GET, PROPFIND |
| Distribution point | HEAD, GET, PROPFIND |
| Fallback status point | POST |

HTTP headers
Allow the following HTTP headers for the internet-based site system server roles:

| Role | HTTP headers |
| --- | --- |
| Management point | Range:, CCMClientID:, CCMClientIDSignature:, CCMClientTimestamp:, CCMClientTimestampsSignature: |
| Distribution point | Range: |

For similar communication requirements when you use the software update point for client connections from
the internet, see the documentation for Windows Server Update Services (WSUS).

Unsupported features
Not all client management functionality is appropriate for the internet. Configuration Manager doesn't support
some features for clients on the internet. These unsupported features typically rely on Active Directory Domain
Services or aren't appropriate for a public network.
The following features aren't supported when you manage clients on the internet with IBCM:
Client deployment over the internet, such as client push and software update-based client deployment.
Use manual client installation.
Automatic site assignment
Wake-on-LAN
OS deployment. However, you can deploy task sequences that don't deploy an OS.
Remote control
Software deployment to users. This feature relied upon the application catalog, which is no longer
supported.
Client roaming. Roaming enables clients to always find the closest distribution points to download
content. Clients non-deterministically select one of the internet-based site systems, whatever the
bandwidth or physical location.
When you configure a software update point to accept connections from the internet, internet-based clients
always scan against this software update point to determine which software updates are required. When these
clients are on the internet, they first try to download the software updates from Microsoft Update, rather than
from an internet-based distribution point. If this behavior fails, they then try to download the required software
updates from an internet-based distribution point.

TIP
The Configuration Manager client automatically determines whether it's on the intranet or the internet. If the client can
contact a domain controller or an on-premises management point, it sets its connection type to "Currently intranet".
Otherwise, it switches to "Currently internet", and communicates with the site systems assigned to its site.
Install and assign Configuration Manager clients
using Azure AD for authentication
2/16/2022 • 4 minutes to read

To install the Configuration Manager client on Windows devices using Azure Active Directory (Azure AD)
authentication, integrate Configuration Manager with Azure AD. Clients can be on the intranet communicating
directly with an HTTPS-enabled management point or any management point in a site enabled for Enhanced
HTTP. They can also be internet-based communicating through the CMG or with an Internet-based management
point. This process uses Azure AD to authenticate clients to the Configuration Manager site. Azure AD replaces
the need to configure and use client authentication certificates.
Setting up Azure AD may be easier for some customers than setting up a public key infrastructure for
certificate-based authentication. There are features that require you onboard the site to Azure AD, but don't
necessarily require the clients to be Azure AD-joined. For more information, see the following articles:
Plan for Azure Active Directory
Use Azure AD for co-management

Before you begin


An Azure AD tenant is a prerequisite
Device requirements:
A supported version of Windows 10 or later
Joined to Azure AD, either pure cloud domain-joined, or hybrid Azure AD-joined
User requirements:
The signed in user must be an Azure AD identity.
If the user is a federated or synchronized identity, configure both Configuration Manager Active
Directory user discovery and Azure AD user discovery. For more information about hybrid
identities, see Define a hybrid identity adoption strategy.
In addition to the existing prerequisites for the management point site system role, also enable ASP.NET
4.5 on this server. Include any other options that are automatically selected when enabling ASP.NET 4.5.
Determine whether your management point needs HTTPS. For more information, see Enable
management point for HTTPS.
Optionally set up a cloud management gateway (CMG) to deploy internet-based clients. For on-premises
clients that authenticate with Azure AD, you don't need a CMG.

TIP
Configuration Manager extends its support for internet-based devices that don't often connect to the internal network,
aren't able to join Azure Active Directory (Azure AD), and don't have a method to install a PKI-issued certificate. For more
information, see Token-based authentication for CMG.

Configure Azure Services for Cloud Management


Connect your Configuration Manager site to Azure AD as the first step. For details of this process, see Configure
Azure services. Create a connection to the Cloud Management service.
Enable Azure AD User Discovery as part of onboarding to Cloud Management.
After you complete these actions, your Configuration Manager site is connected to Azure AD.

NOTE
If your devices are in an Azure AD tenant that's separate from the tenant with a subscription for the CMG compute
resources, starting in version 2010 you can disable authentication for tenants not associated with users and devices. For
more information, see Configure Azure services.

Configure client settings


These client settings help configure Windows devices to be hybrid-joined. They also enable internet-based
clients to use the CMG.
1. Configure the following client settings in the Cloud Services group. For more information, see How to
configure client settings.
Allow access to cloud distribution point : Enable this setting to help internet-based devices get
the required content to install the Configuration Manager client. Devices can get the content from
the CMG.
Automatically register new Windows 10 or later domain joined devices with Azure Active Directory: Set
to Yes or No. The default setting is Yes. This behavior is also the default in Windows.

TIP
Hybrid-joined devices are joined to an on-premises Active Directory domain and registered with Azure AD.
For more information, see Hybrid Azure AD joined devices.

Enable clients to use a cloud management gateway: Set to Yes (default), or No.


2. Deploy the client settings to the required collection of devices. Don't deploy these settings to user
collections.
To confirm the device is hybrid-joined, run dsregcmd.exe /status in a command prompt. If the device is Azure
AD-joined or hybrid-joined, the AzureAdJoined field in the Device State section shows YES; a hybrid-joined device
also shows DomainJoined as YES. For more information, see dsregcmd command - device state.
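The check above is easy to script when you need to validate a whole collection before deploying the client settings. The following PowerShell is an added example, not part of the Configuration Manager documentation: it parses the "Name : Value" lines that dsregcmd /status prints into a hashtable and classifies the device from the AzureAdJoined and DomainJoined fields. The sample output embedded in the block is constructed so the script runs offline; the last comment shows how to run it against the real tool.

```powershell
# Added example, not from the Configuration Manager documentation.
# The sample dsregcmd output below is constructed; only the field names are real.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints fields as "<spaces>Name : Value"; keep the first occurrence of each name.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$' -and -not $state.ContainsKey($matches[1])) {
            $state[$matches[1]] = $matches[2]
        }
    }
    $state
}

function Get-DeviceJoinState {
    param([Parameter(Mandatory)] [hashtable] $Status)
    $aad = $Status['AzureAdJoined'] -eq 'YES'
    $dom = $Status['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { 'HybridAzureAdJoined' }   # on-premises AD joined and registered with Azure AD
    elseif ($aad)       { 'AzureAdJoined' }         # cloud-only join
    elseif ($dom)       { 'DomainJoinedOnly' }      # not yet registered; client setting will not apply yet
    else                { 'NotJoined' }
}

# Constructed sample resembling the Device State section of dsregcmd /status.
$sampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@
$sampleLines = $sampleText -split "`r?`n"

$status = ConvertFrom-DsregcmdStatus -Lines $sampleLines
Get-DeviceJoinState -Status $status       # HybridAzureAdJoined

# On a real device, feed the tool's output in directly:
# Get-DeviceJoinState -Status (ConvertFrom-DsregcmdStatus -Lines (& "$env:SystemRoot\System32\dsregcmd.exe" /status))
```

Run it in the user's context as well as SYSTEM where you care about the user-state fields; the Device State fields used here are the same in both.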

Install and register the client using Azure AD identity


To manually install the client using Azure AD identity, first review the general process on How to install clients
manually.

NOTE
The device needs access to the internet to contact Azure AD, but doesn't need to be internet-based.

The following example shows the general structure of the command line:
ccmsetup.exe /mp:<source management point> CCMHOSTNAME=<internet-based management point> SMSSITECODE=<site code> SMSMP=<initial management point> AADTENANTID=<Azure AD tenant identifier> AADCLIENTAPPID=<Azure AD client app identifier> AADRESOURCEURI=<Azure AD server app identifier>

For more information, see Client installation properties.


The /mp parameter and CCMHOSTNAME property specify one of the following, depending upon the scenario:
On-premises management point. Only specify the /mp parameter. The CCMHOSTNAME property isn't
required.
Cloud management gateway
Internet-based management point
The SMSMP property specifies the on-premises management point. It's not required. It's recommended for
Azure AD-joined devices that roam onto the intranet, so they can find an on-premises management point.
This example uses a cloud management gateway. It replaces sample values:
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSITECODE=ABC SMSMP=https://mp1.contoso.com AADTENANTID=daf4a1c2-3a0c-401b-966f-0b855d3abd1a AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver

The site publishes additional Azure AD information to the cloud management gateway (CMG). An Azure AD-
joined client gets this information from the CMG during the ccmsetup process, using the same tenant to which
it's joined. This behavior further simplifies installing the client in an environment with more than one Azure AD
tenant. The only two required ccmsetup properties are CCMHOSTNAME and SMSSITECODE .
To automate the client install using Azure AD identity via Microsoft Intune, see How to prepare internet-based
devices for co-management.

Next steps
Once complete, you can continue to monitor and manage clients.
Token-based authentication for cloud management
gateway
2/16/2022 • 5 minutes to read

Applies to: Configuration Manager (current branch)


The cloud management gateway (CMG) supports many types of clients, but even with Enhanced HTTP, these
clients require a client authentication certificate. This certificate requirement can be challenging to provision on
internet-based clients that don't often connect to the internal network, aren't able to join Azure Active Directory
(Azure AD), and don't have a method to install a PKI-issued certificate.
To overcome these challenges, Configuration Manager extends its device support by issuing its own
authentication tokens to devices. To take full advantage of this feature, after you update the site, also update
clients to the latest version. The complete scenario isn't functional until the client version is also the latest. If
necessary, make sure you promote the new client version to production.
Clients initially register for these tokens using one of the following two methods:
Internal network
Bulk registration
The Configuration Manager client together with the management point manage this token, so there's no OS
version dependency. This feature is available for any supported client OS version.

NOTE
These methods only support device-centric management scenarios.
Microsoft recommends joining devices to Azure AD. Internet-based devices can use Azure AD to authenticate with
Configuration Manager. It also enables both device and user scenarios whether the device is on the internet or connected
to the internal network. For more information, see Install and register the client using Azure AD identity.

Make sure to Enable clients to use a cloud management gateway in the Cloud services group of client
settings. Even with a site token, clients can't communicate with a CMG if client settings don't allow it. For more
information, see About client settings: Cloud services.

Internal network registration


This method requires the client to first register with the management point on the internal network. Client
registration typically happens right after installation. The management point gives the client a unique token that
shows it's using a self-signed certificate. When the client roams onto the internet, to communicate with the CMG
it pairs its self-signed certificate with the management point-issued token.
The site enables this behavior by default.

NOTE
With an HTTPS management point, the client needs to first register regardless of internet/intranet management point.
The client needs to present a valid PKI-issued certificate, an Azure AD token, or a bulk registration token.

Bulk registration token


If you can't install and register clients on the internal network, create a bulk registration token. Use this token
when the client installs on an internet-based device, and registers through the CMG. The bulk registration token
has a short-validity period, and isn't stored on the client or the site. It allows the client to generate a unique
token, which paired with its self-signed certificate, lets it authenticate with the CMG.

NOTE
Don't confuse bulk registration tokens with those that Configuration Manager issues to individual clients. The bulk
registration token enables the client to initially install and communicate with the site. This initial communication is long
enough for the site to issue the client its own, unique client authentication token. The client then uses its authentication
token for all communication with the site while it's on the internet. Beyond the initial registration, the client doesn't use or
store the bulk registration token.

To create a bulk registration token for use during client installation on internet-based devices, complete the
following actions:
1. Sign in to the top-level site server in the hierarchy with local administrator privileges.
2. Open a command prompt as an administrator.
3. Run the tool from the \bin\X64 folder of the Configuration Manager installation directory on the site
server: BulkRegistrationTokenTool.exe . Create a new token with the /new parameter. For example,
BulkRegistrationTokenTool.exe /new . For more information, see Bulk registration token tool usage.

4. Copy the token and save it in a secure location.


5. Install the Configuration Manager client on an internet-based device. Include the client installation
parameter /regtoken. The following example command line includes the other required setup
parameters and properties:
ccmsetup.exe /mp:https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCod
/regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik9Tbzh2Tmd5VldRUjlDYVh5T2lacHFlMDlXNCJ9.eyJTQ0NNVG9rZW5DYXRlZ29yeSI6IlN7Q01QcmVBdXRoVG9rZW4iLCJBdXRob3JpdHkiOiJT
gvQQZiE5NSgJ63LCp5KtqFCZe8vlZxnOloErFIrebjFikxqAgwOO4i5ukJdl3KQ07YPRhwpuXmwxRf1vsiawXBvTMhy40SOeZ3mAyCRypQpQNa7NM3adCBwUtYKwHqiX3r1jQU0y57LvU_brBfLUL6JUpk3ri-LSpwPFarR
TIP
For more information on this command line, see Install and register the client using Azure AD identity. This
process is similar, just doesn't use the Azure AD properties.

To verify, review the following log file for a similar entry:

Rotating internet management point, new management point [1] is:


https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 (0) with capabilities: <Capabilities
SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>

To troubleshoot installation, review %WinDir%\ccmsetup\logs\ccmsetup.log on the client. After installation, review
%WinDir%\ccm\logs\ClientIDManagerStartup.log.
On the server, review the following logs:
CMG logs
Management point
CCM_STS.log
MP_RegistrationManager.log
ClientAuth.log
Bulk registration token tool usage
The BulkRegistrationTokenTool.exe tool is in the \bin\X64 folder of the Configuration Manager installation
directory on the site server. Sign in to the site server, and run it as an administrator. It supports the following
command-line parameters:
/?
/new
/lifetime

/?
Display this usage information.
Example: BulkRegistrationTokenTool.exe /?

/new
Create a new bulk registration token.
Example: BulkRegistrationTokenTool.exe /new

The tool displays the following information:


A GUID that the site uses to track issued tokens
The token validity period, which is three days by default.
The bulk registration token.
The token isn't stored on the client or the site. Make sure to copy the token from the command prompt, and
store it in a secure location.
/lifetime
Use with the /new parameter to specify the validity period of the token. Specify an integer value in minutes.
The default value is 4,320 (three days). The maximum value is 10,080 (seven days).
Example: BulkRegistrationTokenTool.exe /lifetime 4320
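The bulk registration token that the tool prints is a JSON Web Token: the sample command line above starts the token with eyJ0eXAiOiJKV1Qi, which is base64url for {"typ":"JWT", and its second segment decodes to a payload whose first claim is named SCCMTokenCategory. Because the site doesn't store the token, the practical way to tell how long a copied token remains usable before you paste it into a ccmsetup command line is to read its claims. The Python below is an added example, not code from this page or from Configuration Manager. It decodes the header and payload without verifying the signature (that is for reading claims only; the site is what validates the token), computes the validity window, and checks it against the 4,320-minute default and 10,080-minute maximum from the /lifetime description. The sample token is constructed with a placeholder signature and standard nbf/exp claims; that a real token carries those two claim names is an assumption, so treat the GUID and validity period printed by BulkRegistrationTokenTool.exe as the authoritative record.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME_MIN = 4320   # three days, the tool's default (from the page)
MAX_LIFETIME_MIN = 10080      # seven days, the tool's maximum (from the page)
SAMPLE_ISSUED = datetime(2022, 2, 16, 9, 0, tzinfo=timezone.utc)  # constructed issue time


def _b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWT WITHOUT checking the signature.
    Use it to read claims only; never to decide whether a token is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def inspect_bulk_token(token, now):
    """Summarise a bulk registration token: algorithm, category, validity window,
    minutes remaining at `now`, and whether the window is within the tool's
    documented bounds.  Assumes standard 'nbf'/'exp' epoch-second claims (an
    assumption; the page shows only the encoded token)."""
    header, payload = decode_jwt_unverified(token)
    not_before = datetime.fromtimestamp(payload["nbf"], tz=timezone.utc)
    expires = datetime.fromtimestamp(payload["exp"], tz=timezone.utc)
    lifetime_min = int((expires - not_before).total_seconds() // 60)
    remaining_min = int((expires - now).total_seconds() // 60)
    return {
        "alg": header.get("alg"),
        "category": payload.get("SCCMTokenCategory"),
        "not_before": not_before,
        "expires": expires,
        "lifetime_minutes": lifetime_min,
        "remaining_minutes": max(remaining_min, 0),
        "expired": now >= expires,
        "lifetime_within_bounds": 0 < lifetime_min <= MAX_LIFETIME_MIN,
    }


def make_sample_token(issued, lifetime_min=DEFAULT_LIFETIME_MIN):
    """Build a CONSTRUCTED token with the outward shape of the page's sample
    (RS256 header carrying an x5t thumbprint).  The signature is a placeholder,
    so a real site would reject this token; it exists only to exercise the decoder."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": "CONSTRUCTED-THUMBPRINT"}
    payload = {
        "SCCMTokenCategory": "SCCMPreAuthToken",           # claim name from the page's sample; value assumed
        "Authority": "https://placeholder.example/SCCM",   # constructed
        "nbf": int(issued.timestamp()),
        "exp": int((issued + timedelta(minutes=lifetime_min)).timestamp()),
    }
    return ".".join([_b64url_encode(_compact_json(header)),
                     _b64url_encode(_compact_json(payload)),
                     _b64url_encode(b"placeholder-signature")])


def demo():
    """Inspect one sample token an hour after issue, four days after issue, and a
    token whose requested lifetime exceeds the tool's maximum."""
    token = make_sample_token(SAMPLE_ISSUED)
    return {
        "fresh": inspect_bulk_token(token, SAMPLE_ISSUED + timedelta(hours=1)),
        "stale": inspect_bulk_token(token, SAMPLE_ISSUED + timedelta(days=4)),
        "over_max": inspect_bulk_token(make_sample_token(SAMPLE_ISSUED, 20000), SAMPLE_ISSUED),
    }


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: expired={info['expired']} remaining={info['remaining_minutes']} min "
              f"within_bounds={info['lifetime_within_bounds']}")
```

Run the block as a script to see the three cases; in a support script, pass the token you copied from the tool to inspect_bulk_token with the current UTC time to decide whether it is still worth distributing to an installer.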

Bulk registration token management


You can see previously created bulk registration tokens and their lifetimes in the Configuration Manager console
and block their usage if necessary. The site database doesn't, however, store bulk registration tokens.
Review a bulk registration token
1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Security, and select the Certificates node. The console lists all site-related certificates and bulk
registration tokens in the details pane.
3. Select the bulk registration token to review.
You can filter or sort on the Type column. Identify specific bulk registration tokens based on their GUID. When
you create a bulk registration token, the tool displays the GUID.
Block a bulk registration token
1. In the Configuration Manager console, go to the Administration workspace.
2. Expand Security, select the Certificates node, and select the bulk registration token to block.
3. On the Home tab of the ribbon bar or the right-click context menu, select Block. To unblock previously
blocked bulk registration tokens, select the Unblock action.

Token renewal
The client renews its unique, Configuration Manager-issued token once a month, and it's valid for 90 days. A
client doesn't need to connect to the internal network to renew its token. As long as the token is still valid,
connecting to the site using a CMG is sufficient. If the token isn't renewed within 90 days, the client must directly
connect to a management point on an internal network to receive a new token.
You can't renew a bulk registration token. Once a bulk registration token expires, generate a new one for
internet-based device registration using a CMG.
See also
Overview of cloud management gateway
Install and assign Configuration Manager clients using Azure AD for authentication
Azure AD authentication workflow
2/16/2022 • 9 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)


This article is a technical reference for the Configuration Manager client installation and registration process on
a Windows device that is joined to Azure Active Directory (Azure AD). It details the workflow process for the
device authentication.

NOTE
Windows clients get a workplace join (WPJ) certificate when they join an Azure AD tenant. If the certificate isn't found, the
Configuration Manager client can't request Azure AD tokens. Without a token, the client can't use the Configuration
Manager security token service (CCM_STS) communication channel for Azure AD authentication with Configuration
Manager site systems.

Client installation
In this workflow sample, you installed the Configuration Manager client on a Windows device over the internet
with the following ccmsetup command-line properties:
CCMHOSTNAME="CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500" SMSSITECODE="MEM"

1. Azure AD info request from ccmsetup


Clients installed from the internet need the Azure AD properties to use Azure AD authentication, but you don't
have to include those properties on the ccmsetup command line. When you don't specify them, ccmsetup
requests the AADCLIENTAPPID and AADRESOURCEURI properties from the cloud management gateway (CMG),
using the device's Azure AD TenantID as a reference. If you haven't onboarded the client's TenantID in
Configuration Manager, the CMG doesn't give ccmsetup the required properties, and client installation
doesn't continue.
The following entries are logged in ccmsetup.log of the client:

Getting AAD info from CMG 'CMG.CLOUDAPP.NET'


SMS CCM 5.0: Host=CMG.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/AADAuthInfo?TenantID=9aaf466a-3f40-4468-b3cd-
f0010f21f05a, Port=443, Protocol=https, CcmTokenAuth=0, Flags=0x1304, Options=0xe0
Created connection on port 443
Enabled SSL revocation check.

IMPORTANT
During ccmsetup, the device has to validate the CMG server authentication certificate. The root certificate authority (CA)
certificate for the CMG server authentication certificate needs to be available on the client for the chain validation. If you
use PKI, when the root CA isn't published on the internet, add the root CA certificate to the device's root CAs store.
If the root CA certificate revocation list (CRL) isn't published on internet, add the /nocrlcheck parameter in the ccmsetup
command line.

2. Azure AD token request


On a Windows device that is joined to Azure AD, ccmsetup uses the Azure AD properties to request an Azure AD
token by calling the ADALOperation provider. The following entries are logged in ccmsetup.log on the client:

Getting AAD (device) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl =


https://ConfigMgrService, AccountId = https://login.microsoftonline.com/common/oauth2/token

If the device token request fails, ccmsetup falls back to try requesting an Azure AD user token. If the device can't
get either an Azure AD device or user token, ccmsetup doesn't continue.

NOTE
If the device has a valid PKI client authentication certificate, ccmsetup always prefers the certificate. In this case, the client
installs as a PKI client and doesn't use Azure AD authentication.

WAM token request failed. Status 5, Details 'AAD WAM extension error'
Failed to get AAD token..
Unknown error (Error: D0090016; Source: Unknown)
Failed to get AAD token for 'S-1-5-18' from WAM API. Error 0xd0090016
Falling back to get user 'S-1-5-21-1527250992-855612568-2252598708-1604' token for system...
Getting AAD (user) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8, ResourceUrl =
https://ConfigMgrService, AccountId = 149FC29A-ECE3-123-A3C1-123456F035A6E
Retrieved AAD token for AAD user 'e8838041-db7a-42d5-b9ae-78813910e4cc'

3. Configuration Manager client token request


The client uses the Azure AD token to request the Configuration Manager client (CCM) token. Operational
communication between ccmsetup and the site then uses the CCM token as the authorization token (CcmTokenAuth=1).
3.1 Client sends CCM token request to CMG
The following entries are logged in ccmsetup.log on the client:

Getting CCM Token from STS server 'cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500'


Getting CCM Token from https://cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500/CCM_STS

3.2 CMG forwards to CMG connection point


The following entries are logged in CMGService.log on the CMG VM instance:
RequestUri: /CCM_PROXY_SERVERAUTH/72057594037937981/CCM_STS RequestCount: 1 RequestSize: 1974 Bytes
ResponseCount: 1 ResponseSize: 1566 Bytes AverageElapsedTime: 218 ms~~ $$<CMGService><06-24-2020
15:31:46.376+00><thread=4992 (0x1380)>

TIP
Configuration Manager synchronizes the CMGService.log to the site server logs folder every five minutes as
CMG-<CMGname>-ProxyService_IN_<%>-CMGService.log.

3.3 CMG connection point transforms CMG client request to management point client request
The following entries are logged in SMS_CLOUD_PROXYCONNECTOR.log (verbose mode) of the site system
that hosts the CMG connection point role:

SMS_CLOUD_PROXYCONNECTOR Switched to internal URL. Replaced


'https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500/CCM_STS' in
'https://CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500/CCM_STS' with
'https://MP.MYCORP.COM/CCM_STS' and got 'https:///MP.MYCORP.COM/CCM_STS~~

3.4 Management point verifies user token in site database


The following entries are logged in CCM_STS.log of the site system that hosts the management point that
handles the client request:

ProcessRequest - Start
Incoming request URL: https://MP.MYCORP.COM/CCM_STS
Validated AAD token. TokenType: UDA TenantId: 2ca9a796-a1a6-43ec-88f1-5935b32155c5 UserId: e8838041-db7a-
42d5-b9ae-78813910e4cc DeviceId: 8d2b4ff9-0172-4998-9851-b5324303385f OnPrem_UserSid: S-1-5-21-1527250992-
855612568-2252598708-1604 OnPrem_DeviceSid:
TokenType is UDA
Created SCCM token, token type: UDA, hierarchyId: 8ed3174b-e814-41b5-b51c-fb368f0d4003, userId: 23bbbba2-
702e-4db4-8fd9-3b4fe3a5175d, deviceId: GUID:13E80CEF-5698-4C63-9ED6-E58FBFF78C38
Issued token
Return token to client

4. Content location request


Once the client gets the CCM token, it caches and uses it to request site information and content location of
ccmsetup.cab. Once the device downloads the client content, it starts the installation. The following entries are
logged in ccmsetup.log on the client:
Cached encrypted token for 'S-1-5-18'. Will expire at '06/25/2020 08:29:35'
ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth7981/ccm_system_tokenauth/request, Port=443,
Protocol=https, CcmTokenAuth=1, Flags=0x4100, Options=0xe0
Created connection on port 443
Sending location request to 'cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500' with payload '<
Request >
Appending CCM Token to the header.
Received message '<SiteInfoReply SchemaVersion="1.00"> < reply > </SiteInfoReply>'
...
Checking the URL 'https://CMG.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500/CCM_Client/ccmsetup.cab
ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth/72057594037937995/CCM_Client
Appending CCM Token to the header.
Found a valid online MP 'https://CMG.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500
Searching for DP locations from MP(s)...
CCMSETUP bootstrap from Internet: 1
Sending message body '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1"> ...
The location 'https://CMG.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?pid=CS100001&cid=CS100001
...
Installing version 5.00.8968.1000 of the client with product code {66653948-0717-4D50-B0B9-ED66FDED2DDB}
Running installation package
Package: C:\WINDOWS\ccmsetup\{E6F27809-FF66-4BAA-B0FB-E4A154A6A388}\client.msi

NOTE
If the client finds the content from a content-enabled CMG, ccmsetup downloads the content from the cloud storage. If
the latest client version isn't available on the cloud, it downloads the content from the management point via a CMG
request.

Client registration

1. Configuration Manager client request registration


Once ccmsetup successfully installs the Configuration Manager client, registration initializes. The following
entries are logged in ClientIDManagerStartup.log of the client:
AADJoinStatusTask: Client hasn't been registered yet.
RegEndPoint: Event notification: CCM_RemoteClient_Reassigned
RegEndPoint: Received notification for site assignment change from '<none>' to 'MEM'.
...
[RegTask] - Starting registration, attempt 1.
[RegTask] - Client is not registered. Sending registration request for GUID:C66EE0FD-08E7-4B38-B282-
7E6954B71139 ...
Registering client using AAD auth.

2. Configuration Manager requests Azure AD token to register client


The client requests a new Azure AD token to register using Azure AD authentication. It prefers a device token,
but if it's not available, the client falls back to request an Azure AD user token. The following entries are logged
in ADALOperationProvider.log of the client:

Getting AAD (user) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8, ResourceUrl =


https://ConfigMgrService, AccountId = 9756a359-f76a-47d5-8662-9a837012fc35
Retrieved AAD token for AAD user 'e8838041-db7a-42d5-b9ae-78813910e4cc'

3. Registration request
The registration component on the management point handles the client registration process. The client sends a
registration message to the MP_ClientRegistration endpoint.
3.1 CMG forwards the client registration request to the management point
The following entries are logged in the MP_RegistrationManager.log of the site system that hosts the
management point that handles the client request:

Registering device using AAD auth: DeviceId='8d2b4ff9-0172-4998-9851-b5324303385f ', TenantId='c8c82542-


203c-4df9-9d86-cdd4dae67e0a'
Processing Registration request from Client 'GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139'

3.2 Configuration Manager client is registered


If registration succeeds, the client gets a confirmation message of registration with Approval 3 for Azure AD-
based registration. The following entries are logged in ClientIDManagerStartup.log of the client:

[RegTask] - Client is registered. Server assigned ClientID is GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139.


Approval status 3

4. Configuration Manager client token request


Once the server confirms the client registration, the client processes the reply message. The client then requests
and caches a new CCM token. The following entries are logged in ClientIDManagerStartup.log of the client:

Getting CCM Token from STS server 'MP.MYCORP.COM'


Getting CCM Token from https://MP.MYCORP.COM/CCM_STS
...
Cached encrypted token for 'S-1-5-18'. Will expire at '08/12/2020 18:55:40'

4.1 CMG gets and forwards CCM_Token request to CMG connection point
The following entries are logged in CMGService.log of the CMG VM and the site system that hosts the CMG
connection point role:

RequestUri: /CCM_PROXY_SERVERAUTH/72057594037937981/CCM_STS RequestCount: 769 RequestSize: 1081595 Bytes


ResponseCount: 769 ResponseSize: 36143 Bytes AverageElapsedTime: 3945 ms
4.2 CMG connection point transforms CMG client request to management point client request
The following entries are logged in SMS_CLOUD_PROXYCONNECTOR.log of the site system that hosts the
CMG connection point role:

MessageID: 3087bd34-b82c-4950-b972-e82bb0fb8385 RequestURI: https://MP.MYCORP.COM/CCM_STS EndpointName:


CCM_STS ResponseHeader: HTTP/1.1 200 OK ~~ ResponseBodySize: 0 ElapsedTime: 2 ms

4.3 Management point verifies user token in site database


The following entries are logged in CCM_STS.log of the site system that hosts the management point that
handles the client request:

ProcessRequest - Start
Incoming request URL: https://MP.MYCORP.COM/CCM_STS
Validated AAD token. TokenType: UDA TenantId: 2ca9a796-a1a6-43ec-88f1-5935b32155c5 UserId: e8838041-db7a-
42d5-b9ae-78813910e4cc DeviceId: 8d2b4ff9-0172-4998-9851-b5324303385f OnPrem_UserSid: S-1-5-21-1527250992-
855612568-2252598708-1604 OnPrem_DeviceSid:
TokenType is UDA
Created SCCM token, token type: UDA, hierarchyId: 8ed3174b-e814-41b5-b51c-fb368f0d4003, userId: 23bbbba2-
702e-4db4-8fd9-3b4fe3a5175d, deviceId: GUID:13E80CEF-5698-4C63-9ED6-E58FBFF78C38
Issued token
Return token to client

The server returns the CCM token to the client for the rest of client-to-site communication.

NOTE
During client registration, certificate validation always runs. This process happens even if you're using the Azure AD
authentication method to register the client. This behavior is a fallback option, in case Azure AD authentication doesn't
succeed.

CCM token renewal


The CCM token has a lifetime of eight hours. When the client detects the CCM token is expired or close to
expiration, it sends a new CCM token request. The CcmMessaging component handles this renewal process. The
following entries are logged in CcmMessaging.log of the client:

Sending remote sync message '{BD03DEED-D09A-4E63-ADAD-596376FFB0DA}' to host


'CMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500' endpoint 'MP_PolicyManager'. Flags 0x280, sender
account S-1-5-21-1721254763-462695806-1538882281-3289177
...
CCM Token for 'S-1-5-8-1721254763-462695806-1538882281-3289177' (12/23/2019 21:47:24) is already expired or
close to expire
Getting CCM Token from https://CMG.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72186325152220500/CCM_STS
Cached encrypted token for 'S-1-5-21-1721254763-462695806-1538882281-3289177'. Will expire at '01/10/2020
17:14:54'
...
ccmhttp: Host=CMG.CLOUDAPP.NET, Path=/CCM_Proxy_ServerAuth/72186325152220500/ccm_system_tokenauth/request,
Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4200, Options=0x1e0
Target URL scheme is HTTPS:
https://CMG.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72186325152220500/ccm_system_tokenauth/request
Appending CCM Token to the header.
...
Message '{BD03DEED-D09A-4E63-ADAD-596376FFB0DA}' got reply message '{36EE3A78-8F6E-425F-BF5C-8460E8E56C33}'
to endpoint 'dummy'
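The verification steps described on this page (the 'Rotating internet management point' entry after a bulk-token install, the 'Client is registered' and 'Approval status 3' entries in ClientIDManagerStartup.log, the device-to-user token fallback in ccmsetup.log, and the 'Will expire at' entries that drive CCM token renewal) are all checks on message text, so they can be automated. The Python below is an added example, not part of this page or of Configuration Manager; it scans client log message lines and summarises registration state, the registration method the client logged, where it fetched CCM tokens, and which cached CCM tokens have already expired at a given time. The sample lines are constructed from the entries quoted on this page with wrapped lines rejoined, and the patterns match only the message text, so they also work on CMTrace-format lines that carry extra metadata after the message. The 'close to expire' threshold the client applies isn't stated on the page, so the example reports only tokens that are already past their expiry.

```python
import re
from datetime import datetime

# Patterns derived from the log messages quoted on this page.  Real ccmsetup.log,
# ClientIDManagerStartup.log and CcmMessaging.log lines carry CMTrace metadata
# after the message text; these patterns match on the message text only.
_RE_INTERNET_MP = re.compile(
    r"Rotating internet management point, new management point \[\d+\] is:\s*(\S+)")
_RE_REGISTERED = re.compile(
    r"\[RegTask\] - Client is registered\. Server assigned ClientID is (GUID:[0-9A-Fa-f-]+)")
_RE_APPROVAL = re.compile(r"Approval status (\d+)")
_RE_CACHED_TOKEN = re.compile(r"Cached encrypted token for '([^']+)'\. Will expire at '([^']+)'")
_RE_STS = re.compile(r"Getting CCM Token from (https://\S+/CCM_STS)")
_RE_TOKEN_AUTH = re.compile(r"CcmTokenAuth=(\d)")
LOG_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"   # format of the 'Will expire at' values on the page


def parse_log_time(text):
    """Parse a timestamp in the format the client writes in 'Will expire at' entries."""
    return datetime.strptime(text, LOG_TIME_FORMAT)


def analyze_client_logs(lines, now):
    """Summarise registration and CCM-token state from client log message lines.

    The result tells a support engineer which internet management point was
    selected, whether registration completed (approval status 3 is the Azure
    AD-based approval shown on the page), which registration method the client
    logged, whether the Azure AD device-token request fell back to a user token,
    where the client fetched CCM tokens, and which cached tokens are already
    expired at `now`.  A later 'Cached encrypted token' entry for the same
    account supersedes an earlier one.
    """
    summary = {
        "internet_mp": None,
        "client_id": None,
        "registered": False,
        "approval_status": None,
        "auth_method": "unknown",
        "aad_user_fallback": False,
        "sts_endpoints": [],
        "token_auth_seen": False,
        "token_expiry": {},
        "expired_tokens": [],
    }
    for raw in lines:
        line = raw.strip()
        if m := _RE_INTERNET_MP.search(line):
            summary["internet_mp"] = m.group(1)
        elif m := _RE_REGISTERED.search(line):
            summary["registered"] = True
            summary["client_id"] = m.group(1)
        elif m := _RE_APPROVAL.search(line):
            summary["approval_status"] = int(m.group(1))
        elif m := _RE_CACHED_TOKEN.search(line):
            summary["token_expiry"][m.group(1)] = parse_log_time(m.group(2))
        elif m := _RE_STS.search(line):
            summary["sts_endpoints"].append(m.group(1))
        elif "Registering client using AAD auth" in line:
            summary["auth_method"] = "AAD"
        elif line.startswith("Falling back to get user"):
            summary["aad_user_fallback"] = True
        if (m := _RE_TOKEN_AUTH.search(line)) and m.group(1) == "1":
            summary["token_auth_seen"] = True
    summary["expired_tokens"] = sorted(
        account for account, expires in summary["token_expiry"].items() if expires <= now)
    return summary


# CONSTRUCTED sample assembled from entries quoted on this page (wrapped lines rejoined).
SAMPLE_LOG = """
Getting AAD (device) token with: ClientId = 0b7c8ab3-9ea1-4ffa-b2b9-8ffdd944bd8b, ResourceUrl = https://ConfigMgrService
WAM token request failed. Status 5, Details 'AAD WAM extension error'
Falling back to get user 'S-1-5-21-1527250992-855612568-2252598708-1604' token for system...
Retrieved AAD token for AAD user 'e8838041-db7a-42d5-b9ae-78813910e4cc'
Getting CCM Token from https://cmg.cloudapp.net/CCM_PROXY_MutualAuth/72186325152220500/CCM_STS
Cached encrypted token for 'S-1-5-18'. Will expire at '06/25/2020 08:29:35'
ccmsetup: Host=CMG.cloudapp.net, Path=/CCM_Proxy_ServerAuth/72057594037937995/CCM_Client, Port=443, Protocol=https, CcmTokenAuth=1, Flags=0x4100, Options=0xe0
Rotating internet management point, new management point [1] is: https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 (0) with capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>
Registering client using AAD auth.
[RegTask] - Client is registered. Server assigned ClientID is GUID:C66EE0FD-08E7-4B38-B282-7E6954B71139.
Approval status 3
Getting CCM Token from https://MP.MYCORP.COM/CCM_STS
Cached encrypted token for 'S-1-5-18'. Will expire at '08/12/2020 18:55:40'
""".strip().splitlines()


def demo(now_text="08/12/2020 12:00:00"):
    """Run the analysis over the sample at a chosen point in time."""
    return analyze_client_logs(SAMPLE_LOG, parse_log_time(now_text))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it on a real device, read the message column of the client's logs into a list and pass the current local time, since the 'Will expire at' values are written in the client's local time.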

Common issues
Root CA not present: Clients need the root CA certificate to validate the CMG server authentication
certificate.
CRL check is enabled: Publish the CRL on the internet. As an alternative, use the /NoCRLCheck
parameter for ccmsetup. You can also disable the following option: Clients check the certificate
revocation list (CRL) for site systems. Find this setting on the Communication Security tab of the
site properties.
The WPJ certificate isn't found: Make sure the device is Azure AD-joined. Use dsregcmd.exe: for example,
run dsregcmd /status and look at the Device State section.
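For the third item, here is an added Python helper (not from this page or from Microsoft) that reads the Device State section of dsregcmd /status output and reports whether the device is Azure AD-joined, so the check can run inside a support script rather than by eye. The sample output is constructed in the boxed-section, 'Key : Value' layout that dsregcmd prints; the exact set of fields in that section on a given Windows build is an assumption.

```python
import re

# CONSTRUCTED sample in the layout dsregcmd /status prints: boxed section
# headers followed by right-aligned 'Key : Value' lines.  Values are
# placeholders, not from any real device.
SAMPLE_DSREGCMD = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
"""

_SECTION = re.compile(r"^\|\s*(.+?)\s*\|$")                       # '| Device State |' header rows
_KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")  # 'AzureAdJoined : YES' rows


def parse_dsregcmd(text):
    """Return {section name: {key: value}} from dsregcmd /status output."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := _SECTION.match(line.strip()):
            current = m.group(1)
            sections.setdefault(current, {})
        elif current is not None and (m := _KEY_VALUE.match(line)):
            sections[current][m.group(1)] = m.group(2)
    return sections


def azure_ad_join_check(text):
    """Apply the page's check for the 'WPJ certificate isn't found' issue: the
    Device State section must report AzureAdJoined : YES, otherwise the client
    can't obtain Azure AD tokens.  Returns (passed, evidence)."""
    state = parse_dsregcmd(text).get("Device State", {})
    value = state.get("AzureAdJoined", "<missing>")
    return value.upper() == "YES", f"AzureAdJoined : {value}"


if __name__ == "__main__":
    print(azure_ad_join_check(SAMPLE_DSREGCMD))
```

On a real device, capture the output of dsregcmd /status to a string and pass it to azure_ad_join_check; the evidence string is the line to quote in a support ticket.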

TIP
Client communication via CMG, CMG connection point, and management point runs over HTTPS. If you configure the site
for enhanced HTTP, you can still configure the management point for HTTP.
Client verifies the CMG server authentication certificate:
PKI certificate: Client requires the root CA of the CMG certificate in its local store.
Third-party certificate: Clients automatically validate a certificate with its root CA published on the internet.
CMG, CMG connection point, and management point validate Azure AD and CCM tokens.
Communication between the CMG connection point and the management point is also secured at both ends:
The CMG connection point uses a client authentication certificate.
The MP uses a PKI certificate for HTTPS configuration, or a self-signed certificate for enhanced HTTP.
Use a cloud distribution point in Configuration Manager
2/16/2022 • 15 minutes to read

Applies to: Configuration Manager (current branch)

WARNING
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway by
enabling the option to Allow CMG to function as a cloud distribution point and serve content from Azure
storage. For more information, see Modify a CMG.
Starting in version 2107, you can't create a traditional cloud distribution point (CDP).

A cloud distribution point is a Configuration Manager distribution point that is hosted as Platform-as-a-Service
(PaaS) in Microsoft Azure. This service supports the following scenarios:
Provide software content to internet-based clients without additional on-premises infrastructure
Cloud-enable your content distribution system
Reduce the need for traditional distribution points
This article helps you learn about the cloud distribution point, plan for its use, and design your implementation.
It includes the following sections:
Features and benefits
Topology design
Requirements
Specifications
Cost
Performance and scale
Ports and data flow
Certificates
Frequently asked questions (FAQ)

Features and benefits


Features
The cloud distribution point supports several features that are also offered by on-premises distribution points:
Manage cloud distribution points individually or as members of distribution point groups
Use a cloud distribution point as a fallback content location
Supports both intranet and internet-based clients
Benefits
The cloud distribution point provides the following additional benefits:
The site encrypts the content before sending it to the cloud distribution point in Azure.
To meet changing demands for content requests by clients, manually scale the cloud service in Azure. This
action doesn't require that you install and provision additional distribution points in Configuration
Manager.
Supports content download from clients configured for other content technologies, such as Windows
BranchCache.
Use cloud distribution points as source locations for pull-distribution points.

Topology design
Deployment and operation of the cloud distribution point includes the following components:
A cloud service in Azure. The site distributes content to this service, which stores it in Azure cloud
storage. The management point provides this content location to clients in the list of available sources, as
appropriate.
A management point site system role services client requests as normal.
On-premises clients typically use an on-premises management point.
Internet-based clients either use a cloud management gateway, or an internet-based management
point.
The cloud distribution point uses a certificate-based HTTPS web service to help secure network
communication with clients. Clients must trust this certificate.
Azure Resource Manager
Create a cloud distribution point using an Azure Resource Manager deployment. Azure Resource Manager
is a modern platform for managing all solution resources as a single entity, called a resource group. When
deploying a cloud distribution point with Azure Resource Manager, the site uses Azure Active Directory (Azure
AD) to authenticate and create the necessary cloud resources.

NOTE
This feature doesn't enable support for Azure Cloud Service Providers (CSP). The cloud distribution point deployment with
Azure Resource Manager continues to use the classic cloud service, which the CSP doesn't support. For more information,
see available Azure services in Azure CSP.

Azure Resource Manager is the only deployment mechanism for new instances of the cloud distribution point.
Existing deployments continue to work.
Hierarchy design
Where you create the cloud distribution point depends upon which clients need to access the content.
Azure Resource Manager deployment: Create this type at a primary site or the central administration site.
The cloud management gateway (CMG) can also serve content to clients. This functionality reduces the
required certificates and cost of Azure VMs. For more information, see Overview of cloud management
gateway.
To determine whether to include cloud distribution points in boundary groups, consider the following behaviors:
Internet-based clients don't rely on boundary groups. They only use internet-facing distribution points or
cloud distribution points. If you're only using cloud distribution points to service these types of clients,
then you don't need to include them in boundary groups.
If you want clients on your internal network to use a cloud distribution point, then it needs to be in the
same boundary group as the clients. Clients prioritize cloud distribution points last in their list of content
sources, because there's a cost associated with downloading content out of Azure. So a cloud distribution
point is typically used as a fallback source for intranet-based clients. If you want a cloud-first design, then
design your boundary groups to meet this business requirement. For more information, see Configure
boundary groups.
Even though you install cloud distribution points in specific regions of Azure, clients aren't aware of the Azure
regions. They randomly select a cloud distribution point. If you install cloud distribution points in multiple
regions, and a client receives more than one in the content location list, the client might not use a cloud
distribution point from the same Azure region.
Backup and recovery
When you use a cloud distribution point in your hierarchy, use the following information to help you plan for
backup and recovery:
When you use the Backup Site Server maintenance task, Configuration Manager automatically
includes the configurations for the cloud distribution point.
Back up and save a copy of the server authentication certificate. When you restore the Configuration
Manager primary site to a different server, reimport the certificate.

Requirements
You need an Azure subscription to host the service.
An Azure administrator needs to participate in the initial creation of certain components,
depending upon your design. This persona doesn't require permissions in Configuration Manager.
The site server requires internet access to deploy and manage the cloud service.
When using the Azure Resource Manager deployment method, integrate Configuration Manager with
Azure AD for Cloud Management. Azure AD user discovery isn't required.
A server authentication certificate. For more information, see the Certificates section below.
To reduce complexity, use a public certificate provider for the server authentication certificate. When
doing so, you also need a DNS CNAME alias for clients to resolve the name of the cloud service.
Set the client setting, Allow access to cloud distribution points, to Yes in the Cloud Services
group. By default, this value is set to No.
Client devices require internet connectivity, and must use IPv4.

Specifications
The cloud distribution point supports all Windows versions listed in Supported operating systems for
clients and devices.
An administrator distributes the following types of supported software content:
Applications
Packages
OS upgrade packages
Third-party software updates
IMPORTANT
While the Configuration Manager console doesn't block the distribution of Microsoft software updates
to a cloud distribution point, you're paying Azure costs to store content that clients don't use. Internet-
based clients always get Microsoft software update content from the Microsoft Update cloud service.
Don't distribute Microsoft software updates to a cloud distribution point.
When using a CMG for content storage, the content for third-party updates won't download to clients
if the Download delta content when available client setting is enabled.

Configure a pull-distribution point to use a cloud distribution point as a source. For more information,
see About source distribution points.
Deployment settings
Download content locally when needed by the running task sequence. The task sequence engine
can download packages on-demand from a content-enabled CMG or a cloud distribution point. This
option provides additional flexibility with your Windows in-place upgrade deployments to internet-based
devices.
Download all content locally before starting task sequence. With this option, the Configuration
Manager client downloads the content from the cloud source before starting the task sequence.
A cloud distribution point doesn't support package deployments with the option to Run program from
distribution point. Use the deployment option to Download content from distribution point and
run locally.
Limitations
You can't use a cloud distribution point for PXE or multicast-enabled deployments.
A cloud distribution point doesn't support App-V streaming applications.
A cloud distribution point doesn't support content for Microsoft 365 Apps updates.
You can't prestage content on a cloud distribution point. The distribution manager of the primary site that
manages the cloud distribution point transfers all content.
You can't configure a cloud distribution point as a pull-distribution point.

Cost
IMPORTANT
The following cost information is for estimating purposes only. Your environment may have other variables that affect the
overall cost of using a cloud distribution point.

Configuration Manager includes the following options to help control costs and monitor data access:
Control and monitor the amount of content that you store in a cloud service. For more information, see
Monitor cloud distribution points.
Configure Configuration Manager to alert you when thresholds for client downloads meet or exceed
monthly limits. For more information, see Data transfer threshold alerts.
To help reduce the number of data transfers from cloud distribution points by clients, use one of the
following peer caching technologies:
Configuration Manager peer cache
Windows BranchCache
Windows Delivery Optimization
For more information, see Fundamental concepts for content management.
Components
A cloud distribution point uses the following Azure components, which incur charges to the Azure subscription
account:

TIP
The cloud management gateway can also serve content to clients. This functionality reduces the cost by consolidating the
Azure VMs. For more information, see Cost for cloud management gateway.

Virtual machine
The cloud distribution point uses Azure Cloud Services as platform as a service (PaaS). This service uses
virtual machines (VMs) that incur compute costs.
Each cloud distribution point service uses two Standard A0 VMs.
See the Azure pricing calculator to help determine potential costs.

NOTE
Virtual machine costs vary by region.

Outbound data transfer


Any dataflows into Azure are free (ingress or upload). Distributing content from the site to the cloud
distribution point is uploading to Azure.
Charges are based on data flowing out of Azure (egress or download). Cloud distribution point dataflows
out of Azure consist of the software content that clients download.
For more information, see Monitor cloud distribution points.
See the Azure bandwidth pricing details to help determine potential costs. Pricing for data transfer is
tiered. The more you use, the less you pay per gigabyte.
Content storage
Internet-based clients get Microsoft software update content from the Microsoft Update cloud service at
no charge. Don't distribute software update deployment packages with Microsoft software updates to a
cloud distribution point. Otherwise, you'll incur data storage costs for content that clients never use.
Cloud distribution points with an Azure Resource Manager deployment use Azure locally redundant
storage (LRS). For more information, see Locally redundant storage.
Other costs
Each cloud service has a dynamic IP address. Each distinct cloud distribution point uses a new dynamic IP
address. Adding additional VMs per cloud service doesn't increase these addresses.

Ports and data flow


There are two primary data flows for the cloud distribution point:
The site server connects to Azure to set up the cloud distribution point service
A client connects to the cloud distribution point to download content
Site server to Azure
You don't need to open any inbound ports to your on-premises network. The site server initiates all
communication with Azure and the cloud distribution point to deploy, update, and manage the cloud service.
The site server needs to create outbound connections to the Microsoft cloud. This action is equivalent to
installing the distribution point site system role on a specific site.
Client to cloud distribution point
You don't need to open any inbound ports to your on-premises network. Internet-based clients communicate
directly with the Azure service. Clients on your internal network that use a cloud distribution point need to
connect to the Microsoft cloud.
For more information on content location priority and when intranet-based clients use a cloud distribution point,
see Content source priority.
When a client uses a cloud distribution point as a content location:
1. The management point gives the client an access token along with the list of content sources. This token
is valid for 24 hours, and gives the client access to the cloud distribution point.
2. The management point responds to the client's location request with the Service FQDN of the cloud
distribution point. This property is the same as the common name of the server authentication certificate.
If you're using your domain name, for example, WallaceFalls.contoso.com, then the client first tries to
resolve this FQDN. You need a CNAME alias in your domain's internet-facing DNS for clients to resolve
the Azure service name, for example: WallaceFalls.cloudapp.net.
3. The client next resolves the Azure service name, for example, WallaceFalls.cloudapp.net, to a valid IP
address. This response should be handled by Azure's DNS.
4. The client connects to the cloud distribution point. Azure load balances the connection to one of the VM
instances. The client authenticates itself using the access token.
5. The cloud distribution point authenticates the client's access token, and then gives the client the exact
content location in Azure storage.
6. If the client trusts the cloud distribution point's server authentication certificate, it connects to Azure
storage to download the content.

Performance and scale


As with any distribution point design, consider the following factors:
Number of concurrent client connections
The size of the content that clients download
The length of time allowed to meet your business requirements
Depending upon your topology design, if clients have the option of more than one cloud distribution point for
any given content, then they naturally randomize across those cloud services. If you only distribute a certain
piece of content to a single cloud distribution point, and a large number of clients try to download this content
at the same time, this activity puts higher load on that single cloud distribution point. Adding an additional cloud
distribution point also includes a separate Azure storage service. For more information on how the client
communicates with the cloud distribution point components and downloads content, see Ports and data flow.
The cloud distribution point uses two Azure VMs as the front end to the Azure storage. This default deployment
meets most customers' needs. In some extreme circumstances, with a large number of concurrent client
connections (for example, 150,000 clients), the processing capacity of the Azure VMs can't keep up with the
client requests. You can't resize the Azure VMs used for the cloud distribution point. While you can't configure
the number of VM instances for the cloud distribution point in Configuration Manager, if necessary, reconfigure
the cloud service in the Azure portal. Either manually add more VM instances, or configure the service to
automatically scale.

IMPORTANT
When you update Configuration Manager, the site redeploys the cloud service. If you manually reconfigure the cloud
service in the Azure portal, the number of instances resets to the default of two.

The Azure storage service supports 500 requests per second for a single file. Performance testing of a single
cloud distribution point supported distribution of a single 100-MB file to 50,000 clients in 24 hours.

Certificates
Depending upon your cloud distribution point design, you need one or more digital certificates.
General information
Certificates for cloud distribution points support the following configurations:
4096-bit key length
Version 3 certificates. For more information, see CNG certificates overview.
When you configure Windows with the following policy: System cryptography: Use FIPS compliant
algorithms for encryption, hashing, and signing
Support for TLS 1.2. For more information, see Cryptographic controls technical reference.
Server authentication certificate
This certificate is required for all cloud distribution point deployments.
For more information, see CMG server authentication certificate, and the following subsections, as necessary:
CMG trusted root certificate to clients
Server authentication certificate issued by public provider
Server authentication certificate issued from enterprise PKI
The cloud distribution point uses this type of certificate in the same way as the cloud management gateway.
Clients also need to trust this certificate. To reduce complexity, Microsoft recommends using a certificate issued
by a public provider.
Unless you use a wildcard certificate, don't reuse the same certificate. Each instance of the cloud distribution
point and cloud management gateway requires a unique server authentication certificate.
For more information on creating this certificate from a PKI, see Deploy the service certificate for cloud
distribution points.

Frequently asked questions (FAQ)


Does a client need a certificate to download content from a cloud distribution point?
A client authentication certificate isn't required. The client does need to trust the server authentication certificate
used by the cloud distribution point. If this certificate is issued by a public certificate provider, then most
Windows devices already include trusted root certificates for these providers. If you issued a server
authentication certificate from your organization's PKI, then your clients need to trust the issuing certificates in
the entire chain. This chain includes the root certificate authority, and any intermediate certificate authorities.
Depending upon your PKI design, this certificate can introduce additional complexity to the deployment of the
cloud distribution point. To avoid this complexity, Microsoft recommends using a public certificate provider that
your clients already trust.
Can my on-premises clients use a cloud distribution point?
Yes. If you want clients on your internal network to use a cloud distribution point, then it needs to be in the same
boundary group as the clients. Clients prioritize cloud distribution points last in their list of content sources,
because there's a cost associated with downloading content out of Azure. Thus, a cloud distribution point is
typically used as a fallback source for intranet-based clients. If you want a cloud-first design, then design your
boundary groups accordingly. For more information, see Configure boundary groups.
Do I need Azure ExpressRoute?
Azure ExpressRoute lets you extend your on-premises network into the Microsoft cloud. ExpressRoute, or other
such virtual network connections aren't required for the Configuration Manager cloud distribution point.
If your organization uses ExpressRoute, isolate the Azure subscription for the cloud distribution point from the
subscription that uses ExpressRoute. This configuration ensures that the cloud distribution point isn't
accidentally connected in this manner.
Do I need to maintain the Azure virtual machines?
No maintenance is required. The design of the cloud distribution point uses Azure platform as a service (PaaS).
Using the subscription you provide, Configuration Manager creates the necessary VMs, storage, and
networking. Azure secures and updates the virtual machines. These VMs aren't a part of your on-premises
environment, as is the case with infrastructure as a service (IaaS). The cloud distribution point is a PaaS that
extends your Configuration Manager environment into the cloud. For more information, see Security
advantages of a PaaS cloud service model.
Does the cloud distribution point use Azure CDN?
The Azure Content Delivery Network (CDN) is a global solution for rapidly delivering high-bandwidth content
by caching the content at strategically placed physical nodes across the world. For more information, see What
is Azure CDN?.
The Configuration Manager cloud distribution point currently doesn't support Azure CDN.

Next steps
Install cloud distribution points
Install a cloud distribution point for Configuration Manager
2/16/2022 • 14 minutes to read

Applies to: Configuration Manager (current branch)

WARNING
The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway by
enabling the option to Allow CMG to function as a cloud distribution point and serve content from Azure
storage. For more information, see Modify a CMG.
Starting in version 2107, you can't create a traditional cloud distribution point (CDP).

This article details the steps to install a Configuration Manager cloud distribution point in Microsoft Azure. It
includes the following sections:
Before you begin
Set up
Configure DNS
Set up site server proxy
Distribute content and configure clients
Manage and monitor
Modify
Advanced troubleshooting

Before you begin


Start by reading the article Use a cloud distribution point. That article helps you plan and design your cloud
distribution points.
Use the following checklist to make sure you have the necessary information and prerequisites to create a cloud
distribution point:
The site server can connect to Azure. If your network uses a proxy, configure the site system role.
The Azure environment to use. For example, the Azure Public Cloud or the Azure US Government
Cloud.
Use the Azure Resource Manager deployment . It has the following requirements:
Integration with Azure Active Directory for Cloud Management . Azure AD user discovery isn't
required.
The Azure Subscription ID .
The Azure Resource Group .
A subscription admin account needs to sign in during the wizard.
A server authentication certificate, exported as a .PFX file.
A globally unique service name for the cloud distribution point.

TIP
Before requesting the server authentication certificate that uses this service name, confirm that the desired Azure
domain name is unique. For example, WallaceFalls.CloudApp.Net.
1. Sign in to the Azure portal.
2. Select All resources, and then select Add.
3. Search for Cloud service. Select Create.
4. In the DNS name field, type the prefix you want, for example WallaceFalls. The interface reflects whether the
domain name is available or already in use by another service.
Don't create the service in the portal; just use this process to check the name availability.

The Azure region for this deployment.


BranchCache
To enable a cloud distribution point to use Windows BranchCache, install the BranchCache feature on the site
server.
If the site server has an on-premises distribution point site system role, configure the option in that role's
properties to Enable and configure BranchCache . For more information, see Configure a distribution
point.
If the site server doesn't have a distribution point role, install the BranchCache feature in Windows. For
more information, see Install the BranchCache feature.
If you've already distributed content to a cloud distribution point, and then decide to enable BranchCache, first
install the feature. Then redistribute the content to the cloud distribution point.

Set up
WARNING
Starting in version 2107, this action isn't available. You can't create a traditional cloud distribution point (CDP). Use a
content-enabled cloud management gateway by enabling the option to Allow CMG to function as a cloud
distribution point and serve content from Azure storage. For more information, see Modify a CMG.

Perform this procedure on the site to host this cloud distribution point as determined by your design.
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services,
and select Cloud Distribution Points. In the ribbon, select Create Cloud Distribution Point.
2. On the General page of the Create Cloud Distribution Point Wizard, configure the following settings:
a. First specify the Azure environment .
b. Select Azure Resource Manager deployment as the deployment method. Select Sign in to
authenticate with an Azure subscription admin account. The wizard auto-populates the remaining
fields from the information stored during the Azure AD integration prerequisite. If you own
multiple subscriptions, select the Subscription ID of the desired subscription to use.
3. Select Next . Wait as the site tests the connection to Azure.
4. On the Settings page, specify the following settings, and then select Next :
Region : Select the Azure region where you want to create the cloud distribution point.
Resource Group (Azure Resource Manager deployment method only)
Use existing : Select an existing resource group from the drop-down list.
Create new : Enter the new resource group name to create in your Azure subscription.
Primary site: Select the primary site to distribute content to this distribution point.
Certificate file: Select Browse and select the .PFX file for this cloud distribution point's server
authentication certificate. The common name from this certificate populates the required Service
FQDN and Service name fields.

NOTE
The cloud distribution point server authentication certificate supports wildcards. If you use a wildcard
certificate, replace the asterisk ( * ) in the Service FQDN field with the desired hostname for the service.

5. On the Alerts page, set up storage quotas, transfer quotas, and at what percentage of these quotas you
want Configuration Manager to generate alerts. Then select Next .
6. Complete the wizard.
Monitor installation
The site starts to create a new hosted service for the cloud distribution point. After you close the wizard, monitor
the installation progress of the cloud distribution point in the Configuration Manager console. Also monitor the
CloudMgr.log file on the primary site server. If necessary, monitor the provisioning of the cloud service in the
Azure portal.

NOTE
It can take up to 30 minutes to provision a new distribution point in Azure. The CloudMgr.log file repeats the following
message until the storage account is provisioned:
Waiting for check if container exists. Will check again in 10 seconds
After it provisions the storage account, the service is created and configured.

Verify installation
Verify that the cloud distribution point installation is complete by using the following methods:
In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services,
and select the Cloud Distribution Points node. Find the new cloud distribution point in the list. The
Status column should be Ready .
In the Configuration Manager console, go to the Monitoring workspace. Expand System Status , and
select the Component Status node. Show all messages from the
SMS_CLOUD_SERVICES_MANAGER component, and look for status message ID 9409 .
If necessary, go to the Azure portal. The Deployment for the cloud distribution point displays a status of
Ready .

Configure DNS
Before clients can use the cloud distribution point, they must be able to resolve the name of the cloud
distribution point to an IP address that Azure manages. The management point gives them the Service FQDN
of the cloud distribution point. The cloud distribution point exists in Azure as the Service name. See these
values on the Settings tab of the cloud distribution point properties.
NOTE
The Cloud Distribution Points node in the console includes a column named Service Name, but actually shows the
Service FQDN value. To see both values, open Properties for the cloud distribution point and switch to the Settings
tab.

The server authentication certificate common name should include your domain name. This name is required
when you purchase a certificate from a public provider. It's recommended when issuing this certificate from
your PKI. For example, WallaceFalls.contoso.com . When you specify this certificate in the Create Cloud
Distribution Point Wizard, the common name populates the Service FQDN property
(WallaceFalls.contoso.com). The Service name takes the same hostname (WallaceFalls) and appends it to the
Azure domain name, cloudapp.net. In this scenario, clients need to resolve your domain's Service FQDN
(WallaceFalls.contoso.com) to the Azure Service name (WallaceFalls.cloudapp.net). Create a CNAME alias to
map these names.
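The following PowerShell function is an added example, not code from the Configuration Manager documentation. It inspects a server authentication .PFX against the configurations listed under Certificates above (version 3, key length, a CN that carries your domain name), and derives from the common name the Service FQDN, the Azure Service name and the CNAME record that the paragraph above describes. The function and parameter names, the 30-day expiry warning and the sample path in the usage comment are this example's own choices; WallaceFalls and cloudapp.net are the article's example names.

```powershell
# Added example (not from the Configuration Manager docs): pre-flight check of a
# cloud distribution point server authentication certificate. Function, parameter
# and property names are this example's own choices.
function Get-CloudDPCertificateInfo {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,         # exported .PFX that includes the private key
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $WildcardHostName,                              # hostname that replaces '*' for a wildcard CN
        [string] $AzureDomain = 'cloudapp.net'                   # Azure domain appended to the hostname
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    # SimpleName returns the subject CN, which the wizard turns into the Service FQDN.
    $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    # A wildcard CN (*.contoso.com) is supported, but the asterisk has to be replaced
    # by the hostname you want for the service before it can be a Service FQDN.
    $isWildcard = $cn.StartsWith('*.')
    if ($isWildcard) {
        if (-not $WildcardHostName) {
            throw "CN '$cn' is a wildcard; supply -WildcardHostName to replace the asterisk"
        }
        $serviceFqdn = "$WildcardHostName." + $cn.Substring(2)
    }
    else {
        $serviceFqdn = $cn
    }
    $labels           = $serviceFqdn.Split('.')
    $hostName         = $labels[0]                     # WallaceFalls from WallaceFalls.contoso.com
    $azureServiceName = "$hostName.$AzureDomain"       # WallaceFalls.cloudapp.net
    $keyBits          = if ($rsa) { $rsa.KeySize } else { $null }

    # Collect the problems the wizard or the clients would otherwise trip over later.
    $issues = New-Object System.Collections.Generic.List[string]
    if (-not $cert.HasPrivateKey) { $issues.Add('PFX does not contain the private key') }
    if ($cert.Version -ne 3)      { $issues.Add("certificate is version $($cert.Version); version 3 (CNG) is listed as supported") }
    if ($null -eq $rsa)           { $issues.Add('public key is not RSA') }
    elseif ($keyBits -gt 4096)    { $issues.Add("RSA key is $keyBits bits; 4096 bits is the largest length listed as supported") }
    if ($labels.Count -lt 2)      { $issues.Add("CN '$cn' has no domain suffix; the CN should include your domain name") }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        # 30 days is this example's own margin; renew with the same CN before expiry.
        $issues.Add("certificate expires on $($cert.NotAfter); clients stop trusting the service after that")
    }

    [pscustomobject]@{
        CommonName       = $cn
        IsWildcard       = $isWildcard
        ServiceFqdn      = $serviceFqdn
        AzureServiceName = $azureServiceName
        RequiredCname    = "$serviceFqdn  CNAME  $azureServiceName"
        KeyBits          = $keyBits
        NotAfter         = $cert.NotAfter
        Issues           = $issues.ToArray()
    }
}

# Usage (the path is a placeholder for your own file):
# $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
# Get-CloudDPCertificateInfo -PfxPath 'C:\certs\WallaceFalls.pfx' -Password $pfxPassword
# For a wildcard certificate (*.contoso.com), add: -WildcardHostName WallaceFalls
```

Run it against the .PFX before starting the Create Cloud Distribution Point Wizard; an empty Issues array and a RequiredCname value you can hand to whoever manages the public DNS zone are what you want to see.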
Create CNAME alias
Create a canonical name record (CNAME) in your organization's public, internet-facing DNS. This record creates
an alias for the cloud distribution point's Service FQDN property that clients receive, to the Azure Service
name. For example, create a new CNAME record for WallaceFalls.contoso.com to WallaceFalls.cloudapp.net.
Client name resolution process
The following process shows how a client resolves the name of the cloud distribution point:
1. The client gets the Service FQDN of the cloud distribution point in the list of content sources. For
example, WallaceFalls.contoso.com .
2. It queries DNS, which resolves the Service FQDN using the CNAME alias to the Azure Service name. For
example, WallaceFalls.cloudapp.net .
3. It queries DNS again, which resolves the Azure service name to the Azure public IP address.
4. The client uses this IP address to start communication with the cloud distribution point.
5. The cloud distribution point presents the server authentication certificate to the client. The client uses the
trust chain of the certificate to validate.
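As an added example that is not part of the Configuration Manager documentation, the following PowerShell functions walk the resolution and validation steps just listed from a Windows client's point of view: the CNAME lookup of the Service FQDN, the A lookup of the Azure Service name, and a TLS 1.2 handshake that reports whether this machine trusts the chain behind the server authentication certificate, which is the same check the client performs in step 5 and in the Client to cloud distribution point flow earlier in this article. The function names are this example's own; WallaceFalls.contoso.com is the article's example name.

```powershell
# Added example (not from the Configuration Manager docs): client-side check of
# cloud distribution point name resolution and certificate trust. Function names
# are this example's own choices.
function Test-CloudDPNameResolution {
    param(
        [Parameter(Mandatory)] [string] $ServiceFqdn,   # e.g. WallaceFalls.contoso.com
        [string] $AzureDomain = 'cloudapp.net'          # the CNAME target must sit under this domain
    )
    # Step 2: the public CNAME maps the Service FQDN to the Azure Service name.
    $cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) { throw "No CNAME record found for $ServiceFqdn; clients cannot reach the service" }
    $azureName = $cname.NameHost.TrimEnd('.')
    if ($azureName -notlike "*.$AzureDomain") {
        throw "CNAME for $ServiceFqdn points to '$azureName', which is not a $AzureDomain name"
    }
    # Step 3: Azure's DNS resolves the Service name to the service's public IP address.
    $a = Resolve-DnsName -Name $azureName -Type A -ErrorAction Stop |
         Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    [pscustomobject]@{
        ServiceFqdn      = $ServiceFqdn
        AzureServiceName = $azureName
        IPAddress        = $a.IPAddress
    }
}

function Test-CloudDPServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServiceFqdn,
        [int] $Port = 443
    )
    # Steps 4-5: open a TLS 1.2 session and capture the certificate the service presents,
    # together with the policy errors Windows reports for its chain and name.
    $state = @{ Cert = $null; Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $state.Errors = $sslPolicyErrors
        return $true   # finish the handshake so the outcome can be reported rather than acted on
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($ServiceFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ServiceFqdn, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert    = $state.Cert
        $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            KeyBits         = $keyBits
            DaysUntilExpiry = [int](($cert.NotAfter - (Get-Date)).TotalDays)
            Protocol        = $ssl.SslProtocol
            PolicyErrors    = $state.Errors
            # None means this machine trusts the whole chain and the name matches the FQDN,
            # which is exactly what a client needs before it downloads from Azure storage.
            TrustedByClient = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage from a client (replace the article's example name with your own Service FQDN):
# Test-CloudDPNameResolution   -ServiceFqdn 'WallaceFalls.contoso.com'
# Test-CloudDPServerCertificate -ServiceFqdn 'WallaceFalls.contoso.com'
```

A RemoteCertificateChainErrors value in PolicyErrors on an intranet client usually means the issuing CA or an intermediate from your PKI isn't in that client's store yet; RemoteCertificateNameMismatch means the CN of the certificate you supplied to the wizard doesn't match the Service FQDN the management point hands out.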

Set up site server proxy


The primary site server that manages the cloud distribution point needs to communicate with Azure. If your
organization uses a proxy server to control internet access, configure the primary site server to use this proxy.
For more information, see Proxy server support.

Distribute content and configure clients


Distribute content to the cloud distribution point the same as any other on-premises distribution point. The
management point doesn't include the cloud distribution point in the list of content locations unless it has the
content that clients request. For more information, see Distribute and manage content.
Manage a cloud distribution point the same as any other on-premises distribution point. These actions include
assigning it to a distribution point group, and managing content packages. For more information, see Install and
configure distribution points.
Default client settings automatically enable clients to use cloud distribution points. Control access to all cloud
distribution points in your hierarchy with the following client setting:
In the Cloud Settings group, modify the setting Allow access to cloud distribution points .
By default, this setting is set to Yes .
Modify and deploy this setting for both users and devices.

Manage and monitor


Monitor content that you distribute to a cloud distribution point the same as with any other on-premises
distribution points. For more information, see Monitor content.
When you view the list of cloud distribution points in the console, you can add additional columns to the list. For
example, the Data egress column shows the amount of data clients downloaded from the service in the last 30
days.
Alerts
Configuration Manager periodically checks the Azure service. If the service isn't active, or if there are
subscription or certificate issues, Configuration Manager raises an alert.
Configure thresholds for the amount of data that you want to store on the cloud distribution point, and for the
amount of data that clients download from the distribution point. Use alerts for these thresholds to help you
decide when to stop or delete the cloud service, adjust the content that you store on the cloud distribution point,
or modify which clients can use the service.
Storage alert threshold: The storage alert threshold sets an upper limit in GB on the amount of data or
content that you want store on the cloud distribution point. By default, this threshold is 2,000 GB.
Configuration Manager generates warning and critical alerts when the remaining free space reaches the
levels that you specify. By default, these alerts occur at 50% and 90% of the threshold.
Monthly transfer alert threshold: The monthly transfer alert threshold helps you to monitor the
amount of content that transfers from the distribution point to clients for a 30-day period. By default, this
threshold is 10,000 GB. The site raises warning and critical alerts when transfers reach values that you
define. By default, these alerts occur at 50% and 90% of the threshold.

IMPORTANT
Configuration Manager monitors the transfer of data, but does not stop the transfer of data beyond the specified
transfer alert threshold.

Specify thresholds for each cloud distribution point during installation, or use the Alerts tab of the cloud
distribution point properties.

NOTE
Alerts for a cloud distribution point depend on usage statistics from Azure, which can take up to 24 hours to become
available. For more information about Storage Analytics for Azure, see Storage Analytics.

In an hourly cycle, the primary site that monitors the cloud distribution point downloads transaction data from
Azure. It stores this transaction data in the CloudDP-<ServiceName>.log file on the site server. Configuration
Manager then evaluates this information against the storage and transfer quotas for each cloud distribution
point. When the transfer of data reaches or exceeds the specified volume for either warnings or critical alerts,
Configuration Manager generates the appropriate alert.
WARNING
Because the site downloads information about data transfers from Azure every hour, the usage might exceed a warning
or critical threshold before Configuration Manager can access the data and raise an alert.

Modify
View high-level information about the distribution point in the Cloud Distribution Points node under Cloud
Services in the Administration workspace of the Configuration Manager console. Select a distribution point
and select Properties to see more details.
When you edit the properties of a cloud distribution point, the following tabs include settings to edit:
Settings
Description
Certificate file: Before the server authentication certificate expires, issue a new certificate with the same
common name. Then add the new certificate here for the service to start using. If the certificate expires,
clients won't trust and use the service.
Alerts
Adjust the data thresholds for storage and monthly transfer alerts.
Content
Manage content the same as for an on-premises distribution point.
Redeploy the service
More significant changes, such as the following configurations, require redeploying the service:
Classic deployment method to Azure Resource Manager
Subscription
Service name
Private to public PKI
Azure region
If you have an existing cloud distribution point on the classic deployment method, in order to use the Azure
Resource Manager deployment method you need to deploy a new cloud distribution point. There are two
options:
If you want to reuse the same service name:
1. First delete the classic cloud distribution point. If there isn't another cloud distribution point, then
clients may not be able to get content.
2. Create a new cloud distribution point using a Resource Manager deployment. Reuse the same
server authentication certificate.
3. Distribute the necessary software package content to the new cloud distribution point.
If you want to use a new service name:
1. Create a new cloud distribution point using a Resource Manager deployment. Use a new server
authentication certificate.
2. Distribute the necessary software package content to the new cloud distribution point.
3. Delete the classic cloud distribution point.
TIP
To determine the current deployment model of a cloud distribution point:
1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the
Cloud Distribution Points node.
2. Add the Deployment Model attribute as a column to the list view. For a Resource Manager deployment, this
attribute is Azure Resource Manager .

Stop or start the cloud service on demand


Stop a cloud distribution point at any time in the Configuration Manager console. This action immediately
prevents clients from downloading additional content from the service. Restart the cloud service from the
Configuration Manager console to restore access for clients. For example, stop a cloud service when it reaches a
data threshold.
When you stop a cloud distribution point, the cloud service doesn't delete the content from the storage account.
It also doesn't prevent the site server from transferring additional content to the cloud distribution point. The
management point still returns the cloud distribution point to clients as a valid content source.
Use the following procedure to stop a cloud distribution point:
1. In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services,
and select the Cloud Distribution Points node.
2. Select the cloud distribution point. To stop the cloud service that runs in Azure, select Stop service in the
ribbon.
3. Select Start service to restart the cloud distribution point.
Delete a cloud distribution point
To uninstall a cloud distribution point, select the distribution point in the Configuration Manager console, and
then select Delete .
When you delete a cloud distribution point from a hierarchy, Configuration Manager removes the content from
the cloud service in Azure.
Manually removing any components in Azure causes the system to be inconsistent. This state leaves orphaned
information, and unexpected behaviors may occur.

Advanced troubleshooting
If you need to collect diagnostic logging from the Azure VMs to help troubleshoot problems with your cloud
distribution point, use the following PowerShell sample to enable the service diagnostic extension for the
subscription:
# Change these variables for your Azure environment. The current values are provided as examples. You can find the values for these from the Azure portal.
$storage_name="4780E3836835850223C071" # The name of the storage account that goes with the CloudDP
$key="3jSyvMssuTyAyj5jWHKtf2bV5JF^aDN%z%2g*RImGK8R4vcu3PE07!P7CKTbZhT1Sxd3l^t69R8Cpsdl1xhlhZtl" # The storage access key from the Storage Account view
$service_name="4780E3836835850223C071" # The name of the cloud service for the CloudDP, which for a Cloud DP is the same as the storage name
$azureSubscriptionName="8ba1cb83-84a2-457e-bd37-f78d2dd371ee" # The subscription name the tenant is using
$subscriptionId="8ba1cb83-84a2-457e-bd37-f78d2dd371ee" # The subscription ID the tenant is using

# This variable is the path to the config file on the local computer.
$public_config="F:\PowerShellDiagFile\diagnostics.wadcfgx"

# These variables are for the Azure management certificate. Install it in the Current User certificate store on the system running this script.
$thumbprint="dac9024f54d8f6df94935fb1732638ca6ad77c13" # The thumbprint of the Azure management certificate
$mycert = Get-Item cert:\CurrentUser\My\$thumbprint

# Register the subscription with the management certificate, then make it the current subscription.
Set-AzureSubscription -SubscriptionName $azureSubscriptionName -SubscriptionId $subscriptionId -Certificate $mycert

Select-AzureSubscription $azureSubscriptionName

# Enable the diagnostics extension on the production slot of the cloud service, writing to the CloudDP storage account.
Set-AzureServiceDiagnosticsExtension -StorageAccountName $storage_name -StorageAccountKey $key -DiagnosticsConfigurationPath $public_config -ServiceName $service_name -Slot 'Production' -Verbose

The following sample is an example diagnostics.wadcfgx file as referenced in the public_config variable in
the above PowerShell script. For more information, see Azure Diagnostics extension configuration schema.
<?xml version="1.0" encoding="utf-8"?>
<PublicConfig xmlns="http://schemas.microsoft.com/ServiceHosting/2010/10/DiagnosticsConfiguration">
  <WadCfg>
    <DiagnosticMonitorConfiguration overallQuotaInMB="4096">
      <Directories scheduledTransferPeriod="PT1M">
        <IISLogs containerName="wad-iis-logfiles" />
        <FailedRequestLogs containerName="wad-failedrequestlogs" />
      </Directories>
      <WindowsEventLog scheduledTransferPeriod="PT1M">
        <DataSource name="Application!*" />
      </WindowsEventLog>
      <Logs scheduledTransferPeriod="PT1M" scheduledTransferLogLevelFilter="Information" />
      <CrashDumps dumpType="Full">
        <CrashDumpConfiguration processName="WaAppAgent.exe" />
        <CrashDumpConfiguration processName="WaIISHost.exe" />
        <CrashDumpConfiguration processName="WindowsAzureGuestAgent.exe" />
        <CrashDumpConfiguration processName="WaWorkerHost.exe" />
        <CrashDumpConfiguration processName="DiagnosticsAgent.exe" />
        <CrashDumpConfiguration processName="w3wp.exe" />
      </CrashDumps>
      <PerformanceCounters scheduledTransferPeriod="PT1M">
        <PerformanceCounterConfiguration counterSpecifier="\Memory\Available MBytes" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Web Service(_Total)\ISAPI Extension Requests/sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Web Service(_Total)\Bytes Total/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET Applications(__Total__)\Requests/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET Applications(__Total__)\Errors Total/Sec" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET\Requests Queued" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\ASP.NET\Requests Rejected" sampleRate="PT3M" />
        <PerformanceCounterConfiguration counterSpecifier="\Processor(_Total)\% Processor Time" sampleRate="PT3M" />
      </PerformanceCounters>
    </DiagnosticMonitorConfiguration>
  </WadCfg>
</PublicConfig>
