Introduction to Client Deployment in Configuration Manager

 

Updated: September 8, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Client deployment refers to the planning, installation, and management of System Center 2012 Configuration Manager client computers and mobile devices in your enterprise. The types of devices that you have, your business requirements, and your preferences, determine the methods that you use to manage computers and mobile devices. This guide contains information about how to plan, configure, manage, and monitor client deployment in Configuration Manager to computers and mobile devices.

Use the following sections for more information about how to deploy and monitor client deployment for computers and mobile devices:

  • Deploying the Configuration Manager Client to Windows-Based Computers

    • Deploying the Configuration Manager Client to Windows Embedded Devices
  • Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI)

  • Deploying the Configuration Manager Client to Mac Computers

  • Deploying the Configuration Manager Client to Linux and UNIX Servers

  • Monitoring the Status of Client Computers in Configuration Manager

  • Managing Mobile Devices by Using Configuration Manager

Deploying the Configuration Manager Client to Windows-Based Computers

The following table lists the various methods that you can use to install the Configuration Manager client software on computers. For information about how to decide which client installation method to use, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. For more information about how to install the client, see How to Install Clients on Windows-Based Computers in Configuration Manager.

| Client installation method | Description |
| --- | --- |
| Client push installation | Automatically installs the client to assigned resources and manually installs the client to resources that are not assigned. |
| Software update point installation | Installs the client by using the Configuration Manager software updates feature. |
| Group Policy installation | Installs the client by using Windows Group Policy. |
| Logon script installation | Installs the client by using a logon script. |
| Manual installation | Manually installs the client software. |
| Upgrade installation by using application management | Upgrades clients to a newer version by using Configuration Manager application management. You can also use Configuration Manager 2007 software distribution to upgrade clients to System Center 2012 Configuration Manager. |
| Automatic client upgrade | For Configuration Manager with no service pack: Automatically upgrades Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are earlier than the version that you specify. For System Center 2012 Configuration Manager SP1 and later: Automatically upgrades Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are earlier than the version of their System Center 2012 Configuration Manager assigned site. For more information, see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. |
| Client imaging | Prestages the client installation in an operating system image. |

For information about how to install the Configuration Manager client on devices that run Windows Embedded operating systems, see the section Tasks for Managing Configuration Manager Clients on Windows Embedded Devices in the Configuration Manager 2007 Documentation Library.

After the client is installed successfully, it attempts to assign to a site and find a management point from which to download policy. For more information about site assignment, see How to Assign Clients to a Site in Configuration Manager.

Although the Configuration Manager console and reports provide some information about client installation and site assignment, you can use the fallback status point site system role to more closely track and monitor client installation and site assignment. For more information about the fallback status point, see Determine the Site System Roles for Client Deployment in Configuration Manager.

What’s New in Configuration Manager for Windows-Based Computers

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for client deployment since Configuration Manager 2007:

  • Clients are no longer configured for mixed mode or native mode, but instead use HTTPS together with public key infrastructure (PKI) certificates or HTTP together with self-signed certificates. Clients use HTTPS or HTTP according to the configuration of the site system roles that the clients connect to and whether they have a valid PKI certificate that performs client authentication.

    On the Configuration Manager client, in Properties, on the General tab, review the Client certificate value to determine the current client communication method. This value displays PKI certificate when the client communicates with a management point over HTTPS, and Self-signed when the client communicates with a management point over HTTP. Just as the Connection type client property value updates according to the current network status of the client, the Client certificate client property value updates according to which management point the client communicates with.

  • Because System Center 2012 Configuration Manager does not use mixed mode and native mode, the client installation property /native: [<native mode option>] is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you do not want a client to check the certificate revocation list (CRL) before it establishes an HTTPS communication.

  • The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.

  • When you reassign a client from a Microsoft System Center 2012 Configuration Manager hierarchy to another System Center 2012 Configuration Manager hierarchy, the client can automatically replace the trusted root key, if the new site is published to Active Directory Domain Services and the client can access that information from a global catalog server. For this scenario in Configuration Manager 2007, you had to remove the trusted root key, manually replace the trusted root key, or uninstall and reinstall the client.

  • The server locator point is no longer used for site assignment or to locate management points. This functionality is replaced by the management point. The CCMSetup Client.msi property SMSSLP remains supported, but only to specify the computer name of management points.

  • You no longer install International Client Packs when you want to support different languages on the client. Instead, select the client languages that you want during Setup. Then, during the client installation, Configuration Manager automatically installs support for those languages on the client, enabling the display of information in a language that matches the user’s language preferences. If a matching language is not available, the client displays information in the default of English. For more information, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic.

  • Decommissioned clients are no longer displayed in the Configuration Manager console, and they are automatically removed from the database by the Delete Aged Discovery Data task.

  • The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS, is no longer supported. This setting allowed the client to use Windows Internet Name Service (WINS) to find a management point without verifying the management point's self-signed certificate.

  • To support the new 64-bit client, the location of the CCM folder for client-related files (such as the client cache and log files) has changed from %windir%\system32 to %windir%. If you reference the CCM folder for your own script files, update these references for the new folder location for System Center 2012 Configuration Manager clients. System Center 2012 Configuration Manager does not support the CCM folder on paths that support redirection (such as Program Files and %windir%\system32) on 64-bit operating systems.

  • Automatic, site-wide client push now installs the Configuration Manager client on existing computer resources if the client is not installed, and not just on newly discovered computer resources.

  • Client push installation starts and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database, and client installation begins.

  • Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are below a version that you specify. For more information, see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager.
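The following added example, which is not part of the original documentation, reviews CCMSetup command lines (for instance, from existing logon scripts) against the property changes in the list above: /native, /UsePKICert, /NoCRLCheck, SMSSLP, and SMSDIRECTORYLOOKUP=WINSPROMISCUOUS. The function name Test-CcmSetupCommandLine, the site code ABC, and the sample command lines are constructed for illustration.

```powershell
# Added example: flag CCMSetup command lines that carry Configuration Manager 2007
# properties or that weaken certificate handling, using only the changes this
# section describes. The function name is hypothetical.
function Test-CcmSetupCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$CommandLine
    )
    process {
        $findings = @()

        # /native:[<native mode option>] is no longer used in System Center 2012.
        if ($CommandLine -match '(^|\s)/native(:|\s|$)') {
            $findings += '/native is no longer used; use /UsePKICert instead.'
        }

        # Without /UsePKICert the client never attempts to use a PKI certificate.
        if ($CommandLine -notmatch '(^|\s)/UsePKICert(\s|$)') {
            $findings += '/UsePKICert is not specified; the client communicates by using HTTP only.'
        }

        # /NoCRLCheck skips the certificate revocation list check before HTTPS.
        if ($CommandLine -match '(^|\s)/NoCRLCheck(\s|$)') {
            $findings += '/NoCRLCheck is present; the CRL is not checked before HTTPS communication.'
        }

        # This setting skipped verification of the management point certificate.
        if ($CommandLine -match 'SMSDIRECTORYLOOKUP\s*=\s*WINSPROMISCUOUS') {
            $findings += 'SMSDIRECTORYLOOKUP=WINSPROMISCUOUS is no longer supported.'
        }

        # SMSSLP is still accepted, but its meaning has changed.
        if ($CommandLine -match 'SMSSLP\s*=') {
            $findings += 'SMSSLP must now specify the computer name of a management point.'
        }

        [pscustomobject]@{
            CommandLine = $CommandLine
            Findings    = $findings
            Ok          = ($findings.Count -eq 0)
        }
    }
}

# Constructed sample command lines (not taken from a real environment).
$samples = @(
    'CCMSetup.exe /native SMSDIRECTORYLOOKUP=WINSPROMISCUOUS',
    'CCMSetup.exe /UsePKICert /NoCRLCheck SMSSITECODE=ABC',
    'CCMSetup.exe /UsePKICert SMSSITECODE=ABC'
)

$samples | Test-CcmSetupCommandLine | Format-List
```

Only the third sample returns Ok = True; the first also reports the missing /UsePKICert.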

What’s New in Configuration Manager SP1 for Windows-Based Computers

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for client deployment in Configuration Manager SP1:

  • Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the version of their assigned System Center 2012 Configuration Manager site. For more information, see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager.

  • You can now specify the following CCMSetup.exe properties as installation options when you use client push:

    • /forcereboot

    • /skipprereq

    • /logon

    • /BITSPriority

    • /downloadtimeout

    • /forceinstall

  • Configuration Manager SP1 clients now use Microsoft Silverlight 5 for the Application Catalog. Configuration Manager automatically installs this version of Silverlight on clients if it is not already installed, and by default, configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. For more information, see the Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog section in the Security and Privacy for Application Management in Configuration Manager topic.

  • There is a new value that is now the default for the Computer Agent client setting PowerShell execution policy: All Signed. This new value restricts the Configuration Manager client to running Windows PowerShell scripts only if they are signed by a trusted publisher, regardless of the current Windows PowerShell configuration on the client computer. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

  • The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

  • Client notification in Configuration Manager enables some client operations to be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can initiate some actions for Endpoint Protection, such as a malware scan of a client.

    By default, client notification communication uses TCP port 10123, which is configurable as a site property for a primary site. You might have to configure Windows Firewall on the management point, clients, and any intervening firewalls for this new port communication. However, client notification can fall back to using the established client-to-management point communication of HTTP or HTTPS. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace.

    Note

    Client notification does not support role-based administration. All users of the Configuration Manager console can see notifications in the Client Operations node in the Monitoring workspace.

    For more information, see How to Configure Client Communication Port Numbers in Configuration Manager and How to Manage Clients in Configuration Manager.

  • You can install the Configuration Manager client on computers that run Mac OS X. You can then manage this client by using compliance settings, deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Mac Computers in Configuration Manager.

  • You can install the Configuration Manager client on servers that run a supported version of Linux or UNIX. You can then manage this client by deploying software and by collecting hardware inventory. For more information, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

What’s New in System Center 2012 R2 Configuration Manager for Windows-Based Computers

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for client deployment in System Center 2012 R2 Configuration Manager:

  • You can now select Resultant Client Settings from the Configuration Manager console to view the effective client settings that will be applied to the selected device. The resultant client setting accounts for the prioritization or combination of attributes where multiple client settings have been deployed to the same device. For more information, see How to View Resultant Client Settings (System Center 2012 R2 Configuration Manager Only).

  • You can now reassign Configuration Manager clients, including managed mobile devices, to another primary site in the hierarchy. Clients can be reassigned individually or can be multi-selected and reassigned in bulk to a new site.

  • If you use wake-up proxy, you no longer have to manually configure Windows Firewall on clients to allow TCP/IP ping commands when you specify the Power Management client setting, Firewall exception for wake-up proxy.

  • A new property has been added for Ccmsetup.exe, /ExcludeFeatures:<feature>. This property prevents the specified feature from installing during the client installation. For this release, the only supported feature is ClientUI, which prevents the Software Center from installing on the client. For more information, see CCMSetup.exe Command-Line Properties.

Deploying the Configuration Manager Client to Windows Embedded Devices

If your Windows Embedded device does not include the Configuration Manager client, you can use any of the client installation methods if the device meets the required dependencies. If the embedded device supports write filters, you must disable these filters before you install the client, and then re-enable the filters after the client is installed and assigned to a site.

Note that when you disable the filters, you should not disable the filter drivers. Typically, these drivers are started automatically when the computer is started. Disabling the drivers will either prevent installation of the client or interfere with write filter orchestration, which will cause client operations to fail. These are the services associated with each write filter type that must remain running:

| Write filter type | Driver | Type | Description |
| --- | --- | --- | --- |
| EWF | ewf | Kernel | Implements sector-level I/O redirection on protected volumes. |
| FBWF | fbwf | File system | Implements file-level I/O redirection on protected volumes. |
| UWF | uwfreg | Kernel | UWF Registry Redirector |
| UWF | uwfs | File system | UWF File Redirector |
| UWF | uwfvol | Kernel | UWF Volume Manager |

Write filters control how the operating system on the embedded device is updated when you make changes, such as when you install software. When write filters are enabled, instead of making the changes directly to the operating system, these changes are redirected to a temporary overlay. If the changes are only written to the overlay, they are lost when the embedded device shuts down. However, if the write filters are temporarily disabled, the changes can be made permanent so that you do not have to make the changes again (or reinstall software) every time that the embedded device restarts. Temporarily disabling and then re-enabling the write filters requires one or more restarts, so you typically want to control when this happens by configuring maintenance windows so that restarts occur outside business hours.

When you install software on Windows Embedded devices with Configuration Manager with no service pack, you must always take additional steps to disable the write filters, install the software, and then re-enable the write filters. However, if the embedded client runs Configuration Manager SP1, you can configure options to automatically disable and re-enable the write filters when you deploy software such as applications, task sequences, software updates, and the Endpoint Protection client. The exception is for configuration baselines with configuration items that use automatic remediation. In this scenario, the remediation always occurs in the overlay so that it is available only until the device is restarted. The remediation is applied again at the next evaluation cycle, but only to the overlay, which is cleared at restart. To force Configuration Manager SP1 to commit the remediation changes, you can deploy the configuration baseline and then another software deployment that supports committing the change as soon as possible.

If the write filters are disabled, you can install software on Windows Embedded devices by using Software Center. However, if the write filters are enabled, the installation fails and Configuration Manager displays an error message that you have insufficient permissions to install the application.

Warning

Even if you do not select the Configuration Manager SP1 options to commit the changes, the changes might be committed if another software installation or change is made that commits changes. In this scenario, the original changes will be committed in addition to the new changes.

When Configuration Manager SP1 disables the write filters to make changes permanent, only users who have local administrative rights can log on and use the embedded device. During this period, low-rights users are locked out and see a message that the computer is unavailable because it is being serviced. This helps protect the device while it is in a state where changes can be permanently applied, and this servicing mode lockout behavior is another reason to configure a maintenance window for a time when users will not log on to these devices.

Configuration Manager supports managing the following types of write filters:

  • File-Based Write Filter (FBWF) – (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only). For more information, see File-Based Write Filter on MSDN.

  • Enhanced Write Filter (EWF) RAM – (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only). For more information, see Enhanced Write Filter on MSDN.

  • Unified Write Filter (UWF) – (System Center 2012 R2 Configuration Manager only). For more information, see Unified Write Filter on MSDN.

Configuration Manager does not support write filter operations when the Windows Embedded device is in EWF RAM Reg mode.

Important

If you have the choice, use File-Based Write Filters (FBWF) with Configuration Manager SP1 for increased efficiency and higher scalability.

For devices that use FBWF only: Configure the following exceptions to persist client state and inventory data between device restarts:

  • CCMINSTALLDIR\*.sdf

  • CCMINSTALLDIR\ServiceData

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

Devices that run Windows Embedded 8.0 and later do not support exclusions that contain wildcard characters. On these devices, you must configure the following exclusions individually:

  • All files in CCMINSTALLDIR with the extension .sdf, typically:

    • UserAffinityStore.sdf

    • InventoryStore.sdf

    • CcmStore.sdf

    • StateMessageStore.sdf

    • CertEnrollmentStore.sdf

  • CCMINSTALLDIR\ServiceData

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

For devices that use FBWF and UWF only: When clients in a workgroup use certificates for authentication to management points, you must also exclude the private key to ensure the client continues to communicate with the management point. On these devices, configure the following exceptions:

  • c:\Windows\System32\Microsoft\Protect

  • c:\ProgramData\Microsoft\Crypto

  • HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates
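The following added example, which is not part of the original documentation, builds the individual exclusion list described above for devices that cannot use wildcard characters, and optionally appends the private key locations for workgroup clients. The function name Get-CcmWriteFilterExclusion, its parameters, and the default of %windir%\CCM for CCMINSTALLDIR are assumptions; the script only lists the exclusions and does not change the write filter configuration.

```powershell
# Added example: expand CCMINSTALLDIR\*.sdf into one exclusion per file and list
# the other exclusions named in this section. Written to run on Windows
# PowerShell 2.0. Function and parameter names are hypothetical.
function Get-CcmWriteFilterExclusion {
    [CmdletBinding()]
    param(
        # Assumption: CCMINSTALLDIR is %windir%\CCM unless the client was installed elsewhere.
        [string]$CcmInstallDir = (Join-Path $env:windir 'CCM'),

        # Include the private key locations for workgroup clients that use certificates.
        [switch]$WorkgroupCertificate
    )

    # The .sdf files that this section names as typical.
    $typical = @('UserAffinityStore.sdf', 'InventoryStore.sdf', 'CcmStore.sdf',
                 'StateMessageStore.sdf', 'CertEnrollmentStore.sdf')

    # The .sdf files that are actually present on this device, if any.
    $found = @()
    if (Test-Path -LiteralPath $CcmInstallDir) {
        $found = @(Get-ChildItem -LiteralPath $CcmInstallDir -Filter '*.sdf' |
                   Where-Object { -not $_.PSIsContainer } |
                   ForEach-Object { $_.Name })
    }

    $rows = @()
    foreach ($name in @($typical + $found | Sort-Object -Unique)) {
        # A file outside the typical list still needs its own exclusion,
        # because the wildcard would have covered it.
        $note = ''
        if ($typical -notcontains $name) { $note = 'Present on device; not in the typical list' }
        elseif ($found -notcontains $name) { $note = 'Typical; not present on this device' }
        $rows += New-Object PSObject -Property @{
            Kind = 'File'; Path = (Join-Path $CcmInstallDir $name); Note = $note }
    }

    $rows += New-Object PSObject -Property @{
        Kind = 'Folder'; Path = (Join-Path $CcmInstallDir 'ServiceData'); Note = '' }
    $rows += New-Object PSObject -Property @{
        Kind = 'Registry'; Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem'; Note = '' }

    if ($WorkgroupCertificate) {
        # Paths exactly as listed in this section for FBWF and UWF devices.
        $rows += New-Object PSObject -Property @{
            Kind = 'Folder'; Path = 'c:\Windows\System32\Microsoft\Protect'; Note = 'Private key' }
        $rows += New-Object PSObject -Property @{
            Kind = 'Folder'; Path = 'c:\ProgramData\Microsoft\Crypto'; Note = 'Private key' }
        $rows += New-Object PSObject -Property @{
            Kind = 'Registry'
            Path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SMS\Certificates'
            Note = 'Private key' }
    }

    # Fix the column order for display.
    $rows | Select-Object Kind, Path, Note
}

Get-CcmWriteFilterExclusion -WorkgroupCertificate | Format-Table -AutoSize
```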

For an example scenario to deploy and manage write-filter-enabled Windows Embedded devices in Configuration Manager SP1, see Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices.

For more information about how to build images for Windows Embedded devices and configure write filters, see your Windows Embedded documentation, or contact your OEM.

Note

When you select the applicable platforms for software deployments and configuration items, these display the Windows Embedded families rather than specific versions. Use the following list to map the specific version of Windows Embedded to the options in the list box:

  • Embedded Operating Systems based on Windows XP (32-bit) includes the following:

    • Windows XP Embedded

    • Windows Embedded for Point of Service

    • Windows Embedded Standard 2009

    • Windows Embedded POSReady 2009

  • Embedded operating systems based on Windows 7 (32-bit) includes the following:

    • Windows Embedded Standard 7 (32-bit)

    • Windows Embedded POSReady 7 (32-bit)

    • Windows ThinPC

  • Embedded operating systems based on Windows 7 (64-bit) includes the following:

    • Windows Embedded Standard 7 (64-bit)

    • Windows Embedded POSReady 7 (64-bit)

What’s New in System Center 2012 R2 Configuration Manager for Windows Embedded Devices

The following items are new or have changed for Windows Embedded Devices in System Center 2012 R2 Configuration Manager:

  • Configuration Manager now supports the Unified Write Filter available in certain Windows Embedded operating systems.

Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI)

System Center 2012 Configuration Manager supports installing the Configuration Manager client on the following virtual desktop infrastructure (VDI) scenarios:

  • Personal virtual machines – Personal virtual machines are generally used when you want to make sure that user data and settings are maintained on the virtual machine between sessions.

  • Remote Desktop Services sessions – Remote Desktop Services enables a server to host multiple, concurrent client sessions. Users can connect to a session and then run applications on that server.

  • Pooled virtual machines – Pooled virtual machines are not persisted between sessions. When a session is closed, all data and settings are discarded. Pooled virtual machines are useful when Remote Desktop Services cannot be used because a required business application cannot run on the Windows Server that hosts the client sessions.

The following table lists considerations for managing the Configuration Manager client in a virtual desktop infrastructure.

Virtual machine type

More information

Personal virtual machines

  • Configuration Manager treats personal virtual machines identically to a physical computer. The Configuration Manager client can be preinstalled on the virtual machine image or deployed after the virtual machine is provisioned.

Remote Desktop Services

  • The Configuration Manager client is not installed for individual Remote Desktop sessions. Instead, the client is only installed one time on the Remote Desktop Services server. All Configuration Manager features can be used on the Remote Desktop Services server.

Pooled virtual machines

  • When a pooled virtual machine is decommissioned, any changes that you make by using Configuration Manager are lost.

  • Data returned from Configuration Manager features such as hardware inventory, software inventory and software metering might not be relevant to your needs as the virtual machine might only be operational for a short length of time. Consider excluding pooled virtual machines from inventory tasks.

Because virtualization supports running multiple Configuration Manager clients on the same physical computer, many client operations have a built-in randomized delay for scheduled actions such as hardware and software inventory, antimalware scans, software installations, and software update scans. This delay helps distribute the CPU processing and data transfer for a computer that has multiple virtual machines that run the Configuration Manager client.

Note

With the exception of Windows Embedded clients that are in servicing mode, Configuration Manager clients that are not running in virtualized environments also use this randomized delay. When you have many deployed clients, this behavior helps avoid peaks in network bandwidth and reduces the CPU processing requirement on the Configuration Manager site systems, such as the management point and site server. The delay interval varies according to the Configuration Manager capability.

In Configuration Manager with no service pack, this behavior is not configurable in the Configuration Manager console. For Configuration Manager SP1 only, the randomization delay is disabled by default for required software updates and required application deployments by using the following client setting: Computer Agent: Disable deadline randomization.

Deploying the Configuration Manager Client to Mac Computers

For System Center 2012 Configuration Manager SP1 and later:

You can install the Configuration Manager client on Mac computers that run the Mac OS X operating system and use the following management capabilities:

Capability

More Information

Hardware inventory

You can use Configuration Manager hardware inventory to collect information about the hardware and installed applications on Mac computers. This information can then be viewed in Resource Explorer in the Configuration Manager console and used to create collections, queries and reports. For more information, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

Configuration Manager collects the following hardware information from Mac computers:

  • Processor

  • Computer System

  • Disk Drive

  • Disk Partition

  • Network Adapter

  • Operating System

  • Service

  • Process

  • Installed Software

  • Computer System Product

  • USB Controller

  • USB Device

  • CDROM Drive

  • Video Controller

  • Desktop Monitor

  • Portable Battery

  • Physical Memory

  • Printer

Important

You cannot extend the hardware information that is collected from Mac computers during hardware inventory.

Compliance settings

You can use Configuration Manager compliance settings to view the compliance of and remediate Mac OS X preference (.plist) settings. For example, you could enforce settings for the home page in the Safari web browser or ensure that the Apple firewall is enabled. You can also use shell scripts to monitor and remediate settings in Mac OS X.

Application management

Configuration Manager can deploy software to Mac computers. You can deploy the following software formats to Mac computers:

  • Apple Disk Image (.DMG)

  • Meta Package File (.MPKG)

  • Mac OS X Installer Package (.PKG)

  • Mac OS X Application (.APP)

When you install the Configuration Manager client on Mac computers, you cannot use the following management capabilities that are supported by the Configuration Manager client on Windows-based computers:

  • Client push installation

  • Operating system deployment

  • Software updates

    Note

    You can use Configuration Manager application management to deploy required Mac OS X software updates to Mac computers. In addition, you can use compliance settings to make sure that computers have any required software updates.

  • Maintenance windows

  • Remote control

  • Power management

  • Client status client check and remediation

For more information about how to install and configure the Configuration Manager Mac client, see How to Install Clients on Mac Computers in Configuration Manager.

What’s New in System Center 2012 R2 Configuration Manager for Mac Computers

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for Mac computers in System Center 2012 R2 Configuration Manager:

  • You can now install the client certificate and enroll Mac computers by using the new enrollment wizard for the Mac client as an alternative to using the CMEnroll command-line tool.

  • You can now use the renew certificate wizard to renew the Mac client certificate.

Deploying the Configuration Manager Client to Linux and UNIX Servers

For System Center 2012 Configuration Manager SP1 and later:

You can install the Configuration Manager client on computers that run Linux or UNIX. This client is designed for servers that operate as a workgroup computer, and the client does not support interaction with logged-on users.

After you install the client software and the client establishes communication with the Configuration Manager site, you manage the client by using the Configuration Manager console and reports.

You can use the following management capabilities when you install the Configuration Manager client on Linux and UNIX computers:

| Functionality | More information |
| --- | --- |
| Collections, queries, and maintenance windows | See How to Manage Linux and UNIX Clients in Configuration Manager. |
| Hardware inventory | See Hardware Inventory for Linux and UNIX in Configuration Manager. |
| Software deployment | See Deploying Software to Linux and UNIX Servers in Configuration Manager. |
| Monitoring and reporting | See How to Monitor Linux and UNIX Clients in Configuration Manager. |

When you install the Configuration Manager client on Linux and UNIX computers, you cannot use the following management capabilities that are supported by the Configuration Manager client on Windows-based computers:

  • Client push installation

  • Operating system deployment

  • Application deployment; instead, deploy software by using packages and programs.

  • Software inventory

  • Software updates

  • Compliance settings

  • Remote control

  • Power management

  • Client status client check and remediation

  • Internet-based client management

For information about the supported Linux and UNIX distributions and the hardware required to support the client for Linux and UNIX, see the Client Requirements for Linux and UNIX Servers section in the Supported Configurations for Configuration Manager topic.

For more information about how to install and configure the Configuration Manager client for Linux and UNIX, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

What’s New in Cumulative Update 1 for the Client for Linux and UNIX

The following items are new or have changed for the client for Linux and UNIX with cumulative update 1:

Monitoring the Status of Client Computers in Configuration Manager

Use the Client Status node in the Monitoring workspace of the Configuration Manager console to monitor the health and activity of client computers in your hierarchy. Configuration Manager uses the following two methods to evaluate the overall status of client computers.

Client Activity: You can configure thresholds to determine whether a client is active, for example:

  • Whether the client requested policy during the last seven days.

  • Whether Heartbeat Discovery found the client during the last seven days.

  • Whether the client sent hardware inventory during the last seven days.

When all these thresholds are exceeded, the client is determined to be inactive.

Client Check: A client evaluation engine is installed with the Configuration Manager client, which periodically evaluates the health of the Configuration Manager client and its dependencies. This engine can check or remediate some problems with the Configuration Manager client.

On computers that run Windows 7, client check runs as a scheduled task. On later operating systems, client check runs automatically during the Windows maintenance window.

You can configure remediation not to run on specific computers, for example, a business-critical server. In addition, if there are additional items that you want to evaluate, you can use System Center 2012 Configuration Manager compliance settings to provide a comprehensive solution to monitor the overall health, activity, and compliance of computers in your organization. For more information about compliance settings, see Compliance Settings in Configuration Manager.

Client status uses the monitoring and reporting capabilities of Configuration Manager to provide information in the Configuration Manager console about the health and activity of the client. You can configure alerts to notify you when client check results or client activity drop below a specified percentage of clients in a collection or when remediation fails on a specified percentage of clients.

For information about how to configure client status, see How to Configure Client Status in Configuration Manager.

Checks and remediations made by client check

The following checks and remediations can be performed by client check.

| Client check | Remediation action | More information |
|---|---|---|
| Verify that client check has recently run | Run client check | Checks that client check has run at least one time in the past three days. |
| Verify that client prerequisites are installed | Install the client prerequisites | Checks that client prerequisites are installed. Reads the file ccmsetup.xml in the client installation folder to discover the prerequisites. |
| WMI repository integrity test | Reinstall the Configuration Manager client | Checks that Configuration Manager client entries are present in WMI. |
| Verify that the client service is running | Start the client (SMS Agent Host) service | No additional information |
| WMI Event Sink Test | Restart the client service | Check whether the Configuration Manager related WMI event sink is lost |
| Verify that the Windows Management Instrumentation (WMI) service exists | No remediation | No additional information |
| Verify that the client was installed correctly | Reinstall the client | No additional information |
| WMI repository read and write test | Reset the WMI repository and reinstall the Configuration Manager client | Remediation of this client check is only performed on computers that run Windows Server 2003, Windows XP (64-bit) or earlier versions. |
| Verify that the antimalware service startup type is automatic | Reset the service startup type to automatic | No additional information |
| Verify that the antimalware service is running | Start the antimalware service | No additional information |
| Verify that the Windows Update service startup type is automatic or manual | Reset the service startup type to automatic | No additional information |
| Verify that the client service (SMS Agent Host) startup type is automatic | Reset the service startup type to automatic | No additional information |
| Verify that the Windows Management Instrumentation (WMI) service is running | Start the Windows Management Instrumentation service | No additional information |
| Verify that the Microsoft SQL CE database is healthy | Reinstall the Configuration Manager client | No additional information |
| Microsoft Policy Platform WMI Integrity Test | Repair the Microsoft Policy Platform | No additional information |
| Verify that the Microsoft Policy Platform Service exists | Repair the Microsoft Policy Platform | No additional information |
| Verify that the Microsoft Policy Platform service startup type is manual | Reset the service startup type to manual | No additional information |
| Verify that the Background Intelligent Transfer Service exists | No remediation | No additional information |
| Verify that the Background Intelligent Transfer Service startup type is automatic or manual | Reset the service startup type to automatic | No additional information |
| Verify that the Network Inspection Service startup type is manual | Reset the service startup type to manual if installed | No additional information |
| Verify that the Windows Management Instrumentation (WMI) service startup type is automatic | Reset the service startup type to automatic | No additional information |
| Verify that the Windows Update service startup type on Windows 8 computers is automatic or manual | Reset the service startup type to manual | No additional information |
| Verify that the client (SMS Agent Host) service exists | No remediation | No additional information |
| Verify that the Configuration Manager Remote Control service startup type is automatic or manual | Reset the service startup type to automatic | No additional information |
| Verify that the Configuration Manager Remote Control service is running | Start the remote control service | No additional information |
| Verify that the client WMI provider is healthy | Restart the Windows Management Instrumentation service | Remediation of this client check is only performed on computers that run Windows Server 2003, Windows XP (64-bit) or earlier. |
| Verify that the wake-up proxy service (ConfigMgr Wake-up Proxy) is running | Start the ConfigMgr Wakeup Proxy service | For System Center 2012 Configuration Manager SP1 and later: This client check is made only if the Power Management: Enable wake-up proxy client setting is set to Yes on supported client operating systems. |
| Verify that the wake-up proxy service (ConfigMgr Wake-up Proxy) startup type is automatic | Reset the ConfigMgr Wakeup Proxy service startup type to automatic | For System Center 2012 Configuration Manager SP1 and later: This client check is made only if the Power Management: Enable wake-up proxy client setting is set to Yes on supported client operating systems. |
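
A read-only audit that mirrors several of the service checks in the table above (existence, startup type, running state) without performing any remediation. This is an added example, not Microsoft's client check code; the function name Test-ClientCheckService and the service short names (CcmExec, Winmgmt, wuauserv, BITS, CmRcService) are assumptions, because the page lists display names only.

```powershell
# Requires PowerShell 3.0 or later (Get-CimInstance).
# Expected state per service, taken from the client check table.
# Service short names are assumptions; the page gives display names only.
$Expected = @(
    [pscustomobject]@{ Check = 'Client (SMS Agent Host)';              Name = 'CcmExec';     StartMode = @('Auto');          MustRun = $true  }
    [pscustomobject]@{ Check = 'Windows Management Instrumentation';   Name = 'Winmgmt';     StartMode = @('Auto');          MustRun = $true  }
    [pscustomobject]@{ Check = 'Windows Update';                       Name = 'wuauserv';    StartMode = @('Auto','Manual'); MustRun = $false }
    [pscustomobject]@{ Check = 'Background Intelligent Transfer';      Name = 'BITS';        StartMode = @('Auto','Manual'); MustRun = $false }
    [pscustomobject]@{ Check = 'Configuration Manager Remote Control'; Name = 'CmRcService'; StartMode = @('Auto','Manual'); MustRun = $true  }
)

function Test-ClientCheckService {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        # Lookup is injectable so the logic can be exercised with constructed data.
        [scriptblock] $Lookup = {
            param($n)
            Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'" -ErrorAction SilentlyContinue
        }
    )
    foreach ($rule in $Rules) {
        $svc = & $Lookup $rule.Name
        $findings = @()
        if (-not $svc) {
            # A missing service is reported, matching the "service exists" checks.
            $findings += 'service does not exist'
        } else {
            if ($rule.StartMode -notcontains $svc.StartMode) {
                $findings += "startup type is $($svc.StartMode), expected $($rule.StartMode -join ' or ')"
            }
            if ($rule.MustRun -and $svc.State -ne 'Running') {
                $findings += "state is $($svc.State), expected Running"
            }
        }
        [pscustomobject]@{
            Check    = $rule.Check
            Service  = $rule.Name
            Healthy  = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample states (not real output): the client service is stopped
# and set to Manual, and two services are absent.
$sample = @{
    CcmExec  = [pscustomobject]@{ StartMode = 'Manual'; State = 'Stopped' }
    Winmgmt  = [pscustomobject]@{ StartMode = 'Auto';   State = 'Running' }
    wuauserv = [pscustomobject]@{ StartMode = 'Manual'; State = 'Stopped' }
}
Test-ClientCheckService -Rules $Expected -Lookup { param($n) $sample[$n] } |
    Format-Table -AutoSize -Wrap

# Against the local computer: Test-ClientCheckService -Rules $Expected
```

A stopped or reconfigured management or antimalware service that client check keeps having to remediate is worth investigating, not only repairing.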

What’s New in Configuration Manager for Client Status

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new or have changed for client status since Configuration Manager 2007:

  • Client check and client activity information is integrated into the Configuration Manager console.

  • Typical client problems that are detected are automatically remediated.

  • The Ping tool used by Configuration Manager 2007 R2 client status reporting is not used by System Center 2012 Configuration Manager.

Managing Mobile Devices by Using Configuration Manager

You can use the following solutions to manage mobile devices in Configuration Manager:

  • In Configuration Manager SP1, you can use the Microsoft Intune connector to enroll mobile devices that run Windows Phone 8, Windows RT, and iOS. This solution uses the built-in management client and does not install the Configuration Manager client, but does automatically install PKI certificates on the mobile devices. This solution does not require you to have your own PKI, but does require a Microsoft Intune subscription.

  • Configuration Manager can enroll mobile devices and deploy the Configuration Manager client on supported mobile operating systems when the mobile device and site system roles use PKI certificates. This solution automatically installs PKI certificates onto the mobile devices but requires you to run Active Directory Certificate Services and an enterprise certification authority.

  • When the mobile devices run Windows CE or Windows Mobile 6.0, you must install the mobile device legacy client by using a package and program. This solution also requires PKI certificates that must be installed independently from Configuration Manager.

  • If you cannot use the other mobile device management solutions, you can use the Configuration Manager Exchange Server connector to find and manage mobile devices that connect to Microsoft Exchange Server or Exchange Online. Because a management client is not installed, management is more limited for this solution than the others. For example, with the exception of Android devices that use the Microsoft Intune connector in Configuration Manager SP1, you cannot deploy applications to these mobile devices. However, you can retrieve some inventory information, define settings and access rules, and issue wipe commands for these mobile devices in Configuration Manager.

For more information about these mobile device management solutions, see Determine How to Manage Mobile Devices in Configuration Manager.

For more information about how to install the mobile device legacy client for Windows CE mobile devices, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.

What’s New in Configuration Manager for Mobile Devices

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new for mobile devices since Configuration Manager 2007:

  • Enrollment for mobile devices in Configuration Manager is now natively supported by using the two new enrollment site system roles (the enrollment point and the enrollment proxy point) and a Microsoft enterprise certification authority. For more information about how to configure and enroll mobile devices in Configuration Manager, see How to Install Clients on Windows Mobile and Nokia Symbian Devices Using Configuration Manager.

  • New in Configuration Manager, the Exchange Server connector lets you find and manage devices that connect to Exchange Server, on-premise or hosted, by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

  • If you have mobile devices that you managed with Configuration Manager 2007, and you cannot enroll them by using System Center 2012 Configuration Manager, you can continue to use them with System Center 2012 Configuration Manager. The installation for this mobile device client is still the same. However, whereas Configuration Manager 2007 did not require PKI certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile device and the management points and distribution points. File collection is no longer supported for these mobile device clients in Configuration Manager and, unlike the mobile devices that you can enroll with Configuration Manager or manage by using the Exchange Server connector, you cannot manage settings for these mobile devices. In addition, the mobile device management inventory extension tool (DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange Server connector.

What’s New in Configuration Manager SP1 for Mobile Devices

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new for mobile devices in Configuration Manager SP1:

  • The client settings group to configure mobile device enrollment settings is no longer named Mobile Devices and is now named Enrollment. This change and associated changes, such as the change from the client setting of Mobile device enrollment profile to Enrollment profile, reflect that the enrollment functionality is now extended to Mac computers.

    Important

    The client certificates for mobile devices and Mac computers have different requirements. Therefore, if you configure client settings enrollment for mobile devices and Mac computers, do not configure the certificate templates to use the same user accounts.

  • Mobile devices that are enrolled by Configuration Manager SP1 now use the client policy polling interval setting in the Client Policy client setting group and no longer use the polling interval in the renamed Enrollment client setting group. This change lets you configure different client policy intervals for mobile devices that are enrolled by Configuration Manager, by using custom device client settings. You cannot create custom device client settings for Enrollment.

  • You can enroll mobile devices that run Windows Phone 8, Windows RT, and iOS when you use the Microsoft Intune connector. For more information, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.

  • Users who have mobile devices that are enrolled by Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices.

  • The new Retire option for mobile devices in the Configuration Manager console is supported only for mobile devices that are enrolled by Microsoft Intune.

What’s New in System Center 2012 R2 Configuration Manager for Mobile Devices

Note

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

The following items are new for mobile device management in System Center 2012 R2 Configuration Manager:

  • Users can enroll Android devices by using the company portal app, which will be available on Google Play. The company portal app is supported on Android devices as of Android 4.0. When users download the company portal app, the installation includes the management agent. The management agent gives you the following management capabilities:

    • You can manage compliance settings, which include password, camera, and encryption settings.

    • When you deploy apps to Android devices, you now have the option to install the apps directly to the device.

    • Users are prompted to take required actions, such as app installations or updating device passcodes, by using Android notifications.

  • Users can enroll iOS devices by using the iOS company portal app, which will be available in the App Store. The company portal app can be installed on iOS devices as of iOS 6. The company portal app will allow users to perform the following actions:

    • Change or reset passwords.

    • Download and install company apps.

    • Enroll, unenroll, or wipe company content from their devices.

  • Devices that run Windows RT, iOS and Android now support a deployment purpose of Required. This allows you to deploy apps automatically to devices according to a configured schedule.

  • Wipe and retire functions now include the option to only remove company content from devices. See the table in Help protect your data with remote wipe, remote lock, or passcode reset using Configuration Manager for information about what company content is removed.

  • You can configure enrolled devices as company-owned or personal-owned. Company-owned allows you to get software inventory on all mobile devices. You can configure devices as personal-owned or company-owned by using the Change ownership action. Change ownership is only available for devices that are not domain-joined and do not have the Configuration Manager client installed. All mobile devices will report software inventory on company content when they are personal-owned or company-owned. iOS and Android will report a full software inventory on the device if they are set as Company-owned.

  • You can use Microsoft Intune to manage Windows 8.1 devices that are not joined to the domain and do not have the Configuration Manager client installed.