[Today's post is provided by Martin Li]

The Application Compatibility Toolkit Connector (ACT Connector) assists administrators with collecting the necessary computer and application compatibility information to help plan for a Windows deployment. A prerequisite for the ACT Connector is Microsoft Application Compatibility Toolkit 5.5 (ACT 5.5), which was replaced by a newer version, ACT 5.6, on June 7th.

Will ACT Connector work with ACT 5.6? The short answer is "Yes." One limitation is that ACT Connector cannot take advantage of the 64-bit compatibility support newly added in ACT 5.6.  Application compatibility data reported by the ACT Connector are always for 32-bit operating systems.

If you upgrade from ACT 5.5 to ACT 5.6 and update the ACT database following the configuration wizard, ACT Connector features will continue to work as before. After you upgrade to ACT 5.6 and run the ACT configuration wizard, select your existing ACT database in the "Configure Your ACT Database Settings" page. You will notice an "Update" button beside the Database name, as shown in the screenshot below. Click the "Update" button and follow the instructions in "Database Upgrade Options" dialog to update the ACT database.

Alternately, you may make a new installation of ACT 5.6 rather than upgrading from ACT 5.5. In this case, do not use "Configure ACT Server" under Application Compatibility Toolkit Connector/Application Compatibility Toolkit Server node to configure ACT 5.6 database. Instead, use the VB script (ActConfig.vbs) documented in the following blog post to configure ACT database: http://blogs.technet.com/b/configurationmgr/archive/2009/07/01/support-for-act-5-5-with-the-act-connector.aspx. Please note that if the ACT database is hosted in a SQL named instance, be sure to include the instance name in the ACT Server parameter you pass to ActConfig.vbs. For example, ActConfig.vbs <Site server> <Site code> <ACT Server>\<SQL named instance> <ACT database> <Machine Account>.

Configuring the ACT 5.6 database using "Configure Your ACT Server" provided by ACT Connector will result in an error message reporting a series of invalid column errors. This is because ACT Connector has a dependency on ACT database tables whose schema changed in ACT 5.6.  To avoid this issue, uninstall and then reinstall ACT 5.6 and create a new ACT database. You can then configure the ACT database using the ActConfig.vbs VB script described above.

In summary, if you upgrade an ACT 5.5 environment to ACT 5.6, the ACT Connector will continue to work provided you properly update the ACT database using the ACT Configuration wizard. If you create a fresh installation of ACT 5.6, do not configure ACT database using ACT Connector wizard but instead use the ActConfig.vbs script.

--Martin Li

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: June 1, 2010 at the top of the topic.

We have just a couple of changes this month to incorporate customer feedback. Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com.

What's New in the Configuration Manager Documentation Library for June 2010

The following information lists the topics that contain significant changes since the May 2010 update.

Determine Whether a Proxy Management Point is Needed at a Secondary Site

- Updated to clarify that proxy management points do retrieve client policy from the site database or a site replica. However, this still results in reduced network traffic because policy bodies are cached. Clients must access the default management point in the primary site for site assignment.

Step-by-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode: Windows Server 2008 Certification Authority

Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2008 Certification Authority

- Both of these step-by-steps have been updated to incorporate the new Select Certificate Enrollment Policy page in the wizard if your requesting member server is running Windows Server 2008 R2.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is provided by Yvette O'Meally]

We are announcing support changes for the following releases.  Please look for these changes to be reflected in the Supported Configuration pages within a few months.

Microsoft SQL Server 2008 R2 is now supported on Configuration Manager 2007 SP1 and SP2 and Configuration Manager 2007 R2

System Center Configuration Manager 2007 SP1 and SP2 now support Microsoft SQL Server 2008 R2 as a Configuration Manager 2007 site database.  System Center Configuration Manager 2007 R2 now supports Microsoft SQL Server 2008 R2 Reporting Services.

No software updates are required.

Microsoft Application Virtualization 4.5 Service Pack 2 is now supported on Configuration Manager 2007 R2 with Configuration Manager 2007 SP2

System Center Configuration Manager 2007 R2 with System Center Configuration Manager 2007 SP2 now supports Microsoft Application Virtualization 4.5 Service Pack 2.

No software updates are required.

Hyper-V Server 2008 R2 is now supported with Configuration Manager 2007 Service Pack 2.

System Center Configuration Manager 2007 SP2 now supports client installation and all site server roles in the Hyper-V Server 2008 R2 virtualization environment.

No software updates are required.

Microsoft Windows Embedded Standard 7 is now supported on Configuration Manager 2007 SP2

System Center Configuration Manager 2007 SP2 now supports Windows Embedded Standard 7 as a client platform.  General limitations for managing Windows Embedded devices can be found in this article, http://technet.microsoft.com/en-us/library/bb932123.aspx,

No software updates are required.

.NET Framework 4.0 is now supported with Configuration Manager 2007 SP1 and SP2.

System Center Configuration Manager 2007 SP1 and SP2 now support the .NET Framework 4.0 with the following limitations.

• Forcing the system to use only the .NET 4.0 CLR by enabling the following registry key is not supported.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR

• .NET Framework 2.0 is required to be installed on Windows XP and Windows 2003 in order for the Desired Configuration Management (DCM) feature to check compliance.

No software updates are required.

Application Compatibility Toolkit 5.6 is now supported with the Application Compatibility Toolkit Connector.

The Application Compatibility Toolkit (ACT) Connector now supports ACT 5.6.  Limitations and workarounds for upgrade issues from ACT 5.5 are documented in the following blog post:  http://blogs.technet.com/b/configmgrteam/archive/2010/06/20/act-connector-and-act-5-6.aspx

No software updates are required.

--Yvette O'Meally

This posting is provided "AS IS" with no warranties, and confers no rights.

Our team member Jason Lewis has recently finished his screencast series that covers desired configuration management (DCM) with Configuration Manager 2007.  The series on his blog consists of 12 screencasts that begin with an introduction of DCM and take you through the authoring experience for the different objects and setting types. 

You can see the screencast series here: http://blogs.technet.com/b/jasonlewis/archive/tags/screencasts/dcm/

You can also visit Jason's blog here: http://blogs.technet.com/b/jasonlewis/

--Yvette O'Meally

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's post is provided by Carol Bailey]

I've been seeing a steady increase in the number of questions that customers ask about Active Directory Domain Services in relation to Configuration Manager.  Tech-Ed North America was no exception, which prompted me to write up some of these frequently asked questions. 

Although this information is in the product documentation, I can understand why it's sometimes difficult to find the exact answer to a specific scenario, simply because there are so many possible variations.  One documentation topic that holds a lot of this information is Configuration Manager in Multiple Active Directory Forests.

If you have an Active Directory-related question about Configuration Manager, see if it's addressed in this blog post. If you don't see the question listed, email SMSDocs@Microsoft.com with your question or suggestion.

Question:  Can Configuration Manager manage clients when they are in a different domain to the site system servers?

Answer:  Yes.  The only potential gotcha here is when the site is in mixed mode, you must configure the management point with an FQDN for automatic approval to work.  Tip: Check that name resolution (NetBIOS and FQDN) is working between the two domains.

Question:  Do all my site system servers in a site have to be in the same domain?

Answer: No, site systems within the same site can be from different domains within the same forest, with the exception of the following:

• SMS Provider
• reporting point
• site database server

Question:  Do all my site system servers in a site have to be from the same forest?

Answer: Most of the time, yes.  There are a few exceptions:

• The System Health Validator point
• Internet-based site systems
• Server locator point (security best practice is to install this in the same forest)
• PXE service point (security best practice is to install this in the same forest)

Question: Can Configuration Manager manage clients when they are in a different forest from the site server?

Answer: Yes, and this configuration does not require any PKI certificates or that you install any site system servers into this other forest.  The most important thing to remember here is that these clients cannot access site information that is published by the site server to Active Directory Domain Services - even if there is a trust in place between the two forests.  This means that when you install these clients, they require a server locator point to complete site assignment.  Make sure that the server locator point is installed and that these clients can access it - and the easiest way to do this is to use the SMSSLP property when you install the client.  For more information, see How to Create a Server Locator Point in Configuration Manager and How to Specify the Server Locator Point for Configuration Manager Client Computers.

Additionally:

• Make sure that you have name resolution between the two forests - that the client can resolve the names of site system servers in the Configuration Manager site, and that the site system servers can resolve the name of the client computers.
• If there is no trust between the client domain and the site server's domain, you will need a network access account for these clients to access distribution points. For more information, see How to Configure the Network Access Account.
• If the site is in mixed mode and there is no trust between the client domain and the site server's domain, these clients will not be approved if the site is configured for the default option Automatically approve computers in trusted domains, and you must manually approve these clients.
• If the site is in native mode and the client will use intranet communication, the clients must be installed with the option that allows HTTP communication for roaming and site assignment. The easiest way to do this is to use the /native:fallback or /native:crlandfallback property when you install the client. For more information, see How to Configure HTTP Communication for Roaming and Site Assignment. Also ensure that your PKI solution is designed to span the two forests.
• If you want to discover these clients by using Active Directory discovery methods, there must be a full forest trust in place. However, only client push installation requires computers to be discovered. For more information about the other client installation methods and their dependencies, see Prerequisites for Configuration Manager Client Deployment.

Question: I need to support clients from another forest, so do I install the the server locator point in the same forest as these clients or in the site server's forest?

Answer:  Technically, you can install the server locator point in either forest. However, as a security best practice, install it in the site server's forest. If you have a firewall between the two forests, note that the server locator point requires unauthenticated client connections over HTTP.  If this is against your security policies, an alternative configuration is to configure these clients for Internet-only client management, which does require PKI certificates and that the site is in native mode.  This configuration does not require that these clients contact a server locator point.  For more information, see the question "Is it possible to manage clients from another forest by using HTTPS connections only?"

Question: Can I install clients in another forest without downloading the client installation source files from the management point?

Answer:  Yes.  Copy the client installation source files from the management point or site server onto a file server in the clients' forest.  Then use the CCMSetup property /source:<path> when you install the clients.  The client installation source files are located in the <InstallationPath>\Client folder on the Configuration Manager 2007 site server and management points.

Question: What ports need to be open on a firewall between my two forests for client communication?

Answer:  To install the clients, see Ports Used During Configuration Manager Client Deployment.  Note that client push installation is the least firewall-friendly installation method, because it requires SMB and RPC.  The ports that might be used after client installation will depend on the Configuration Manager features that you are using. For a list of operational ports, see Ports Used by Configuration Manager.

Question: Is it possible to manage clients from another forest by using HTTPS connections only?

Answer:  Yes, if your site is in native mode, configure the native mode site systems for Internet connections and install these clients for Internet-only client management. For more information about this configuration, see Tips and Tricks: Using Internet-Only Client Management on the Intranet.

Question:  Can I install a secondary site in another forest?

Answer:  No. When your primary site is in forest A, Configuration Manager does not support installing a secondary site in forest B.  In this scenario, you must install a primary site in forest B or use the primary site in forest A to manage clients in forest B.

Question: What additional configuration is required if I install a site in another forest?

Answer:  If you are using secure key exchange between the sites, use the hierarchy maintenance tool (Preinst.exe) to configure manual key exchange.  For more information, see How to Manually Exchange Public Keys Between Sites.

If there is no trust between the two forests trusts you must configure domain user accounts as site address accounts in the sender address properties of each site. If there is a full forest trust between the sites, you can use the site server computer accounts.

Question:  Can I install site systems on domain controllers?

Answer:  Yes.  There is no technical restriction that prevents you from installing any of the site system roles on domain controllers.  However, for security best practices, this is not recommended in a production environment.

Question:  Can I install site systems on stand-alone servers (not in an Active Directory forest)?

Answer:  No.  All site systems must belong to an Active Directory forest.  This includes branch distribution points and Internet-based site systems.

Question:  Does any Configuration Manager feature or operation require a specific domain or forest functional level?

Answer:  No.  The only exception is when a full forest trust is required, which itself requires a minimum forest level of Windows Server 2003.  A full forest trust is needed for the following:

• To discover computers in another forest
• The option Allow only site server initiated data transfers from this site system, which is a configuration option for Internet-based site systems that are installed in the perimeter network to ensure that connections are only initiated from the intranet.

Question:  Does Configuration Manager support all versions of Active Directory Domain Services, including Windows Server 2008 R2?

Answer:  Yes.  However, for supported versions of the operating systems on clients and site systems, always check the Supported Configurations documentation for the version of Configuration Manager that you are running.

Question:  Do I need to extend the schema again if I create new Configuration Manager sites or add computers from new domains?

Answer:  No.  Active Directory schema extensions are for the entire forest, so you need to extend the schema for Configuration Manager only once if your Configuration Manager hierarchy is contained within the forest. The only exception is if you create a new primary site in another forest, and you want this new site to publish to Active Directory Domain Services.  In this scenario, extend the schema in the new forest (and configure the security permissions for the System Management container).

Question:  Do I need to extend the schema again for Configuration Manager after upgrading to a later version of Configuration Manager (for example, Configuration Manager SP2) or after raising my Active Directory domain or forest functional level?

Answer:  No.  If you have extended the Active Directory schema for Configuration Manager, you do not need to extend it again for these scenarios.  However, if you're upgrading from SMS 2003 to Configuration Manager, then you should extend the schema for Configuration Manager to benefit from the new site changes that are published to Active Directory Domain Services. 

 --Carol Bailey

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: July 1, 2010 at the top of the topic.

This month's revisions incorporate customer feedback to include instructions that are specific to Windows Server 2008 R2 in How to Configure Windows Server 2008 for Site Systems and How to Configure Network Load Balancing for Configuration Manager Site Systems.

We've also updated several of the supported configurations topics to include the following:

• Added SQL Server 2008 R2 support for Configuration Manager 2007 SP1 and Configuration Manager 2007 SP2.
• Added Application Virtualization 4.5 Service Pack 2 support for Configuration Manager 2007 R2 when you use Configuration Manager 2007 SP2.
• Added Hyper-V Server 2008 R2 as a supported virtualization environment.
• Added Windows Embedded Standard 7 as a supported client operating system with Configuration Manager 2007 SP2.
• Clarified that Fast User Switching is not supported in Configuration Manager.
• Added software update points and their supported server operating system platforms to the supported configuration documents for Configuration Manager 2007 SP1 and Configuration Manager 2007 SP2.

Additionally, the Application Compatibility Toolkit Connector in Configuration Manager is updated to reflect the changes implemented to support operating systems other than Vista.  These changes were made to Application Compatibility Toolkit 5.5 and require Application Compatibility Toolkit Connector 2.  The toolkit now supports Windows XP, Windows Vista, and Windows 7.

With the help of our publishing partners, we've been able to correct a publishing problem that some customers reported to us about links not working in some topics and the "Note" icons not displaying correctly.  If you find other instances like this, let us know so that we can republish the topic and correct the problem.   

Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for July 2010

The following information lists the topics that contain significant changes since the June 2010 update.

Configuration Manager 2007 General Supported Configurations  
Configuration Manager 2007 Supported Configurations
Configuration Manager 2007 SP1 Supported Configurations 
Configuration Manager 2007 SP2 Supported Configurations
Configuration Manager 2007 R2 Supported Configurations   

- Updated with the latest support statements and clarifications.

 How to Configure Windows Server 2008 for Site Systems

- Updated to include information specific to Windows Server 2008 R2 and reformatted for easier reading.

How to Configure Network Load Balancing for Configuration Manager Site Systems

- Updated to include information specific to Windows Server 2008 R2 and reformatted for easier reading.

Decide If You Should Extend the Active Directory Schema

- Updated with the clarification that you do not need to extend the schema again for Configuration Manager if you upgrade the operating system on domain controllers or raise the functional level of the domain or forest.

Known Limitations in Configuration Manager Support for Windows Embedded

- Updated to clarify that operating system deployment for Windows Embedded is supported for stand-alone media only and that task sequences are supported for actions other than operating system deployment.

Setup Windows and ConfigMgr

- This task sequence image step documentation is updated to correct the explanation about when the alternate graphical identification and authentication (GINA) library is applied during the setup of deployed operating systems for computers running Windows XP and Windows Server 2003.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is contributed by Carol Bailey]

The ISA documentation How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management has been updated with the following information:

• The certificate requirements for clients that are members of the forest can use a certificate with a DNS SAN value, for example: DNS=computer1@contoso.com.  This means that you can deploy these certificates by using the standard Workstation Authentication certificate template and autoenrollment, which greatly simplifies client certificate deployment.  Previously, only a UPN SAN value was supported, which could not be deployed by using autoenrollment. Note that workstations that are not joined to the forest still require manual deployment and the UPN SAN value in their certificate.
• Security references are added that explain the differences between SAN attributes and SAN extensions, and security best practices for a production environment: How to Request a Certificate With a Custom Subject Alternative Name.
• Instructions are added for configuring ISA Server for the Internet-based software update point.  Separate instructions are required because WSUS does not support client certificates.
• Instructions are added for configuring the HTTP methods allowed for the Internet-based management point and distribution point, to help increase security. 

Note:  HTTP methods for the Internet-based software update point are not included because the HTTP verbs used by WSUS are not documented for the latest WSUS versions.  However, previous versions document these as GET, HEAD, and POST and our preliminary testing confirms that these verbs are still used.  If you want to increase security for the Internet-based software update point by restricting the HTTP verbs that are allowed, test this configuration yourself by using the instructions "To Modify the Web Publishing Rule to Enable the required HTTP Methods" and for the HTTP methods, substitute the following HTTP verbs: GET, HEAD and POST.

If you need to manually request certificates with a version of a Certification Authority (CA) that does not support Web enrollment for the computer store, see How to Request a Certificate With a Custom Subject Alternative Name for alternative certificate request methods.

This updated documentation has been published with the Community Content footer, so that you can share additional information about this scenario configuration with other customers. 

Our thanks to Jim Harrison (Program Manager for Forefront TMG), Jason Jones (Forefront MVP), and Rachel Aldam (Technical Writer, Identify and Security Division) for their help in updating this documentation for our customers.

- Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's post is from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web and the latest content on the Web has Updated: August 1, 2010 at the top of the topic.

This month, we've been focusing on the Configuration Manager 2007 R3 content and the only updates to the existing documentation set is to clarify a support statement around branch distribution points.  In May, we were contacted by a customer who noticed the following support statement in the status message ID 10035:  "...branch distribution points do not support advertisements that are configured to run directly from a distribution point" and found the same statement in the software distribution troubleshooting documentation but not in any of the planning documentation, or the topic About Standard and Branch Distribution Points. We updated the documentation accordingly for the May update, and included this revision in the blog monthly announcement.

A sharp-eyed customer on the Documentation forum commented that he had never seen this configuration causing any problems and asked us to verify it.  The result of the investigation was that the product group decided to overturn their original decision and support the option Run program from distribution point for branch distribution points, but failed to update the status message.

It's unlikely that the status message text will be changed at this point, but we could update the documentation.  So this month we removed the additional text we added in May (topics About Standard and Branch Distribution Points and Choose Between a Standard and Branch Distribution Point) and removed the troubleshooting entry in Troubleshooting Software Distribution Issues.

We've also been republishing topics that contain links that don't work and "Note" or "Important" icons that don't display correctly.  Republishing the topic allows us to correct this publishing problem and does not warrant the Updated date (no technical change).  Unfortunately, the problem seems to be very intermittent, which makes it difficult for us to find all the topics that have this problem.  If you come across topics like this, please let us know - and thank you to customers who have helped us to identify these topics so far.

Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

The Configuration Manager IX team is excited to announce the release of the new client installation and assignment SuperFlow.

This SuperFlow provides detailed steps on how to plan for, install, manage and monitor Configuration Manager 2007 clients. It also includes troubleshooting information and further resources that you can use to learn more about client installation and assignment.

You'll find this and all other SuperFlows at http://go.microsoft.com/fwlink/?LinkId=183297.

What is a SuperFlow?

The SuperFlow interactive content model provides a structured and interactive interface for viewing documentation. Each SuperFlow includes comprehensive information about a specific Configuration Manager 2007 dataflow, workflow, or process. Depending on the focus of the SuperFlow, you will find overview information, steps that include detailed information, procedures, sample log entries, best practices, real-world scenarios, troubleshooting information, security information, animations, or other information. Each SuperFlow also includes links to relevant resources, such as Web sites or local files that are copied to your computer when you install the SuperFlow.

Your feedback about the SuperFlows is hugely important to us as we improve and expand the range of available SuperFlows. Please use the link contained in the SuperFlow to let us know what you think and to give us suggestions for any new SuperFlows you'd like to see.

 -  Rob Stack

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web with updates from September and R3 content in October. Topics that were updated for September have Updated: September 1, 2010 at the top of the topic and topics that were updated or created for R3 have Updated: October 14, 2010 at the top of the topic.

There will be a new version of the help file available for download with the Help File Updater soon - stay tuned.

Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for September 2010

The following information lists the topics that contain significant changes since the August 2010 update.

Troubleshooting Management Point Communication

- Updated to include additional information about using the Management Point Troubleshooter from the System Center Configuration Manager 2007 Toolkit V2.

How to Set Security on the System Management Container in Active Directory Domain Services

- Updated to clarify that if you have a secondary site server, this computer's account also needs permissions to the System Management container.

How to Use Hard Links for User State Migration

- Updated to clarify the procedure for using hard links, a feature of User State Migration Tool (USMT) 4.0, as part of an operating system deployment. 

Setup Windows and ConfigMgr

- Updated to clarify that when group policy is applied to a newly deployed operating system will depend upon the operating system being deployed.

Log Files for Operating System Deployment

- Updated to correctly specify the location of the CreateTSMedia.log file in <ConfigMgrInstallationPath>\AdminUI\AdminUILog.

What's New in the Configuration Manager Documentation Library for October 2010

The following information lists the two main new topics for Configuration Manager 2007 R3. Use these topics to find additional topics that relate to R3.

What's New in the Configuration Manager Documentation Library for September 2010

- New topic that contains a list of updated topics since March 2010, and topics that relate to R3.

What's New in Configuration Manager 2007 R3

- New topic that lists the new features and functionality in Configuration Manager 2007 R3.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post has been provided by Fei Xia]

System Center Updates Publisher (SCUP) helps users to publish their private updates to Windows Server Update Services (WSUS) and synchronize the updates in Configuration Manager 2007. Typically users synchronize these updates with WSUS by clicking "Run Synchronization" in the Configuration Manager console. This manual synchronization process does not synchronize the "Expired" flag from WSUS to Configuration Manager, so when you want to expire an update by using SCUP and then run the manual synchronization, the log (SMS\logs\wsyncmgr.log) would read "No changes made to the SMS database" as follows:

This behavior occurs because the manual synchronization process does not synchronize the expired flag for an existing update, which is only performed by the scheduled synchronization process. Use the following workaround  to synchronize expired software updates by using a scheduled synchronization.   

WORKAROUND:

1. Open the SCUP console, and then select and expire the software update that you want to expire.

    

    

2. Set the "Publish" flag on the software updates, and then click Publish Update to re-publish it. The software update record in WSUS database is flagged as "Expired".

    

   Record in WSUS Database:

    

3. Open the Configuration Manager console, navigate to Site Management->[Site Code]->Component Configuration->Software Update Point, open the properties, and make sure the “Enable synchronization on a schedule” setting is checked.

   Note: Default is 7 days. You could also set a custom schedule for a quick check.

    

    

4. After the scheduled synchronization process completes, check the log (SMS\Logs\wsyncmgr.log). It should read "Removed 1 unreferenced updates"

    

    

5. Refresh your update list in the Configuration Manager console, and the software update should be flagged as "Expired". 

    

--Fei Xia

 This posting is provided "AS IS" with no warranties and confers no rights.

3/4/2011 - The SCUP Catalog Authoring Best Practice document has been updated. Language information has been added to the "Defining Metadata" section.

[Today's post is provided by Jason Lewis.  To view more of his posts visit his blog]

Over the past year I have received lots of questions on how to properly author SCUP catalogs.  Some of the most common questions have been ...

"When should I modify my existing update or create a new one?"
"When should I remove an update from my catalog (and/or SCUP)"?
"Should I use prerequisite rules?"

And many more... 

With all the questions I have decided to create a catalog authoring guide.  This guide provides best practices for anyone that is authoring catalogs.  My hope is to continually update this document as I receive more questions.  If you have authoring questions that are not answered in this document please send me your question here and I will attempt to answer it and later add it to this guide.

You can find the SCUP Catalog Authoring Best Practices guide attached below to this post.

--Jason Lewis

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's post is provided by Rob Stack]

The latest downloadable update for the Configuration Manager 2007 Documentation Library has been posted to the download center. The September 2010 version is the newest downloadable update available and contains new material and fixes to documentation problems reported by customers since the last update was published for the March 2010 version. This version also includes the new documentation for Configuration Manager 2007 R3.

To get the most recent downloadable Configuration Manager Documentation Library help, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=71816b0f-de06-40e0-bce7-ad4b1e4377bb&displaylang=en.

For more information about the Configuration Manager 2007 Help File Update Wizard, see this post: "Need the Latest Configuration Manager 2007 Help File?" at http://blogs.technet.com/configmgrteam/archive/2009/02/03/need-the-latest-configuration-manager-2007-help-file.aspx .

Please contact smsdocs@microsoft.com if you have any questions or comments about this downloadable update.

-- Rob Stack

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is provided by Harini Muralidharan]

We are announcing support changes for the following releases.  Please look for these changes to be reflected in the Supported Configuration pages within a few months.

Windows Storage Server 2008 R2 is now supported on Configuration Manger 2007 SP1 and SP2

System Center Configuration Manager 2007 SP1 and SP2 now support the Windows Storage Server 2008 R2 operating systems for client installation. The site system role of a standard distribution point and branch distribution point is supported. Installations of the administrator console or other site system roles are not supported.

No software updates are required.

Microsoft SQL Server 2008 SP2 is now supported on Configuration Manager 2007 SP1, SP2 and R2

System Center Configuration Manager 2007 SP1, SP2 and R2 now support Microsoft SQL Server 2008 SP2 as a Configuration Manager 2007 site database. The site system role of Reporting Services Point and the client status reporting feature of System Center Configuration Manager 2007 R2 are supported.

No software updates are required.

--Harini Muralidharan

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's post is provided by Yvette O'Meally]

On April 12^th, 2011 SMS 2.0 will reach the end of its extended support lifecycle.  At that time, the Security Update Inventory Tool (SUIT) or Extended Security Update Inventory Tool (ESUIT) for SMS 2.0 and SMS 2003 will be retired and will no longer be available for download.  Updated catalogs will not be provided after that date.

You are encouraged to begin planning your upgrade to Configuration Manager 2007 to deploy Software Updates.  For customers remaining on SMS 2003 SP3 the Inventory Tool for Microsoft Updates (ITMU) is also an option.

Why Upgrade?

The SMS 2.0 SUS Feature Pack and the SMS 2003 Scan Tools ship the Office Update Inventory Tool (OUIT) to scan for Office products.  The Office Detection Tool, the scan engine and catalog for OUIT, was deprecated on July 2009.  Without upgrading you cannot scan for Security Updates on Microsoft Office products.

In addition, the Security Update Inventory Tool (SUIT) that is based on the MBSA 1.2 scan engine and catalog, does not support Internet Explorer 7 or later.  The Extended Security Update Inventory Tool (ESUIT) is also affected.  These tools and their limited scope of application can cause a risk to an organization if they are utilized as a scanning and update validation resource.  Microsoft recommends a migration to more recent tools for your environment such as System Center Configuration Manager 2007 for Software Updates or the ITMU for SMS 2003 customers.  Note that SMS 2003 mainstream support ended in January 2010, and SMS 2003 is currently in extended support.

In summary, the SMS 2003 Scan Tools and the SMS 2.0 SUS Feature Pack do not support the following:

• SQL Server, MSDE, or Windows MSDE
• Internet Explorer 7 or later
• 64-bit Applications
• Windows Vista or later
• Microsoft Office

 Will You Lose any Scan Capabilities Upgrading to ITMU or Configuration Manager? 

The following products will not be supported using the latest software update tools because they are not published into Microsoft Update:

• BizTalk 2000 which reaches end of life on July 2011
• BizTalk 2002 which reaches end of life July 2012
• Commerce Server 2002 which reaches end of life July 2013

 Administrators deploying security updates to these products can continue to use the legacy catalogs until April 12^th, 2011, and then will need to deploy the hotfixes using Software Distribution.  Administrators should still upgrade to ITMU for deploying security updates to all other products.

Administrators who are considering upgrading to Configuration Manager 2007 should note that the legacy scan tools are not supported.  We recommend you use Software Distribution for the products above after upgrading.

How Can I Deploy Security Updates using Software Distribution?

Guidance can be found at http://technet.microsoft.com/en-us/library/cc917507.aspx.  This was written for SMS 2003 but the same steps will work for Configuration Manager 2007.

 -- Yvette O'Meally

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post is provided by Chaohao Xu.]

The Transfer Site Settings Wizard in Configuration Manager 2007 R3 provides two new options that are shown in the following picture: Power Management Agent and Enable Active Directory Delta Discovery and Delta Discovery Interval. To transfer these settings from one site to another, the source and destination sites must both be running Configuration Manager 2007 R3. 

The Power Management Agent setting allows you to transfer the configuration of the power management agent and supports two settings; enabled or disabled.

The Enable Active Directory Delta Discovery and Delta Discovery Interval setting deserves a little more attention and is discussed below.

 Enable Active Directory Delta Discovery and Delta Discovery Interval

 This option applies to the following types of discovery methods:

• Active Directory System Discovery
• Active Directory Security Group Discovery
• Active Directory System Group Discovery
• Active Directory User Discovery

 It is a best practice to select Polling schedule when you select Enable Active Directory Delta Discovery and Delta Discovery Interval. This ensures that all the settings related to the discovery schedule and delta discovery transfer together. This is important because with Configuration Manager 2007 R3, delta discovery can change how schedules are evaluated. Unless you transfer all the settings, it is possible the resulting schedule will not be as you expect.

When delta discovery is enabled on Configuration Manager 2007 R3, as shown in the following picture, the properties used by the discovery component are set as follows: 

• PROPERTY <Startup Schedule><0001170000500008><><0>
  The Startup Schedule value is when the discovery method is set to run. Before R3 this is set to the polling schedule you configure for the discovery method.  This can be a recurring schedule or a one-time event.  With R3 and delta discovery, the discovery method does not use the polling schedule for the Startup Schedule and instead uses the delta discovery interval you configure.
• PROPERTY <Enable Incremental Sync><><><1>
  The Enable Incremental Sync value is the delta discovery interval and is how frequently the site will run a delta discovery cycle for the discovery method.  Incremental synchronizations begin after an initial full discovery process has run.  This is only available on R3 sites.
• PROPERTY <Full Sync Schedule><0001170000500008><><0>
  The Full Sync Schedule value is how often a full discovery process runs. This is not a delta discovery cycle but a full discovery cycle with a schedule that is equivalent to that defined as the polling schedule.  This can be set to be a recurring action or a one-time event by configuring the discovery methods polling schedule. With R3, this is an initial full discovery cycle, and if recurring, includes subsequent full discovery cycles. 

With the configurations shown in the example, the Startup Schedule is set to the delta discovery interval of five minutes and the Full Sync Schedule is set to the polling schedule, which is daily at 12:00 am.  This configuration results in the discovery method initiating a full discovery cycle at midnight every day, and running a delta discovery cycle every five minutes. 

 When you disable delta discovery the schedule properties for the discovery component revert to pre-R3 behavior.  The Startup Schedule is set to be the polling schedule, there is no delta discovery process, and the Full Sync Schedule setting is ignored. This is shown in the following table.  What this means is the discovery method will run on the defined polling schedule. Because delta discovery (incremental sync) is not enabled, there are no supplemental discovery actions.

Transferring Settings between Sites

The Transfer Site Settings Wizard needs to handle these property changes, which result in transferring different properties based on the whether delta discovery is enabled or disabled on the source and destination site. The following tables illustrate the outcome for different scenarios, which apply to both online transfers and offline transfers (exporting settings to an XML file). 

R3 Site and Delta Discovery Enabled  -> R3 Site and Delta Discovery Enabled
Wizard Selection	Destination Site Property Change * represents property from source site
	Full Sync Schedule = Full Sync Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Startup Schedule = Startup Schedule*
	Full Sync Schedule = Full Sync Schedule* Enable Incremental Sync = Enable Incremental Sync* Startup Schedule = Startup Schedule*

R3 Site and Delta Discovery Enabled  -> R3 Site and Delta Discovery Disabled
Wizard Selection	Destination Site Property Change * represents property from source site
	Startup Schedule = Full Sync Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Full Sync Schedule = Startup Schedule Startup Schedule = Startup Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Startup Schedule = Startup Schedule* Full Sync Schedule = Full Sync Schedule*

R3 Site and Delta Discovery Disabled  -> R3 Site  and Delta Discovery Enabled
Wizard Selection	Destination Site Property Change * represents property from source site
	Full Sync Schedule = Startup Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Startup Schedule = Full Sync Schedule Full Sync Schedule = Full Sync Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Startup Schedule = Startup Schedule* Full Sync Schedule = Full Sync Schedule*

R3 Site Delta Discovery Disabled  -> R3 Site Delta Discovery Disabled
Wizard Selection	Destination Site Property Change * represents property from source site
	Startup Schedule = Startup Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Full Sync Schedule = Full Sync Schedule*
	Enable Incremental Sync = Enable Incremental Sync* Startup Schedule = Startup Schedule* Full Sync Schedule = Full Sync Schedule*

R3 Site Delta Discovery Disabled  -> SP2 Site
Wizard Selection	Destination Site Property Change * represents property from source site
	Startup Schedule = Startup Schedule*
	Nothing changes on target site
	Startup Schedule = Startup Schedule*

R3 Site  Delta Discovery Enabled  -> SP2 Site
Wizard Selection	Destination Site Property Change * represents property from source site
	Startup Schedule = Full Sync Schedule*
	Nothing changes on target site
	Startup Schedule = Full Sync Schedule*

Conclusion

When the destination site is running Configuration Manager 2007 R3, as a best practice, select the option Polling schedule when you select the Enable Active Directory Delta Discovery and Delta Discovery Interval option in the Transfer Site Settings Wizard. For all other scenarios, reference the tables above to confirm the outcome of your transferred settings.

--Chaohao Xu

This posting is provided "AS IS" with no warranties, and confers no rights.

[Martin Li has provided today's post]

The task sequence (TS) feature was introduced in Configuration Manger 2007 to enable Operating System deployment scenarios. As a good "side effect", it also provides a convenient mechanism for administrators to perform a series of arbitrary tasks on selected client computers, with reporting and logging support. Therefore, many administrators utilize TS to deploy massive applications, software updates, and other custom tasks that fulfill their specific business requirements.

When you work with a very large task sequence using the Admin Console TS editor, there might be high memory pressure on the WMI instance hosting the SMS provider. Depending on the size and complexity of the TS, you might encounter the following error while saving a task sequence:

You might also find the error 0x80041006 in theTaskSequenceProvider.log, which means: WBEM_E_OUT_OF_MEMORY.

The TS editor does not save the task sequence to the site database directly; instead, it initiates a WMI call to the SMS Provider, which will then write the data to the site database. For a very large and complex task sequence, the WMI call can cause the WMI process hosting the TaskSequenceProvider to exceed its memory quota. When this occurs, the out-of-memory error is returned to the TS editor which displays the above dialog.

One way to prevent this issue is to adjust the memory quota of the WMI Provider, namely the MemoryPerHost and MemoryAllHosts properties of the __ProviderHostQuotaConfiguration configuration class under the root namespace.

• MemoryPerHost defines the amount of private memory (in bytes) that can be held by each host process.
• MemoryAllHosts defines the combined amount of private memory (in bytes) that can be held by all host processes.

More information can be found in this blog article by Mark Ghazai on the definitions of these quotas and how to adjust them using wbemtest.exe.

On the Windows Server 2008 R2 site server in our lab, the default MemoryPerHost value is 536870912 (512MB) and MemoryAllHosts is 1073741824 (1GB). The default values might be different on your SMS Provider server.

How much you should increase the quota depends on your specific situation. For example, take into consideration the TS size and complexity, your existing WMI memory load excluding the SMS Provider, and the available physical memory on your server. As memory resources are limited on a given server system, the quota cannot be set infinitely high. You should only increase the quota when necessary.

You can use the Task Manager or Performance Monitor (perfmon) to measure the memory usage (private bytes) of WMI processes. There are usually multiple WMI provider host processes (WmiPrvSE.exe) running on each system. You can find out which WMI process hosts the TaskSequenceProvider by running "listdlls.exe -d TaskSequenceProvider.dll".

Besides adjusting the WMI provider quota, also consider reducing the size of the task sequence. There is a 4-Megabyte (MB) limit on the task sequence file size, documented in http://technet.microsoft.com/en-us/library/bb932192.aspx.

--Martin Li

This posting is provided "AS IS" with no warranties, and confers no rights.

[Today's post is from the Configuration Manager Writing Team] 

The Configuration Manager documentation library (http://technet.microsoft.com/en-us/library/bb680651.aspx) has been updated on the Web with updates for January. Topics that were updated have Updated: January 1, 2011 at the top of the topic.

You will see updates to the supported configuration information, including a statement to clarify Configuration Manager support for products that are beyond their current support lifecycle.  We also incorporated some customer feedback for the operating system deployment documentation.

Although we can't promise to make the docs perfect for everybody, we are committed to continual improvement.  So, keep that feedback coming, and feel free to contact us about anything related to the documentation by using our usual address of SMSDocs@Microsoft.com. 

What's New in the Configuration Manager Documentation Library for January 2011

The following information lists the topics that contain significant changes since the October 2010 update.

Configuration Manager 2007 Supported Configurations
- Updated to correct a conflicting statement about SQL Server upgrades.

Configuration Manager 2007 SP1 Supported Configurations and Configuration Manager 2007 SP2 Supported Configurations
- Updated to add support statements for SQL Server 2008 SP2, and support for Windows Storage Server R2.

Configuration Manager 2007 R3 Supported Configurations
- Updated to correct an incorrect statement that SQL Server 2008 requires an update to support the reporting services point for Configuration Manager 2007 R3.

Using a Remote SQL Server to Host the Site Database
- Updated to clarity that a SQL Server that hosts the site database must be in the same domain as the site server.

How to Configure an SPN for SQL Server Site Database Servers
- Updated to add information about how to configure the SPN for a clustered SQL Server and how to verify the SPN by using the SetSPN command.

Troubleshooting Configuration Manager Setup
- Updated to add a new error message that identifies when Setup fails when it installs the SMS Provider because of a problem with the SPN for the SQL Server.

Administrator Workflow: Create and Distribute Image for Operating System Deployment
- Updated to clarify how to manually create a .wim image.

How to Capture an Image from a Reference Computer by Using Capture Media
- Updated to specify that the .iso image must be burned to CD or DVD media by using a separate application.

How to Add Boot Images to Configuration Manager
- Updated to clarify how to add custom boot images for 32-bit and 64-bit computers.

Capture Windows Settings Task Sequence Action Variables
- Updated to correct the definition of the OSDTimeZone task sequence variable.

How to Add a New Computer to the Configuration Manager Database
- Updated to clarify that you can import only one MAC address per computer into the database.

Task Sequence Media Wizard - Select Media Type Page
- Updated to clarify that only USB flash drives are supported when you select the media type.

How to Advertise Task Sequences
- Updated to clarify that task sequences can only be advertised to computers, and not to users.

Log Files for Operating System Deployment
- Updated to correct the location of the CreateTSMedia.log log file.

-- The Configuration Manager Writing Team

This posting is provided "AS IS" with no warranties and confers no rights.

[March 18 Update]  Continued testing on a fix for this issue has revealed some additional changes that need to be made.  We are working through those and then will continue our verification.  I will have another update by the end of next week.  Thank you again for your patience.  -- Brian Huneycutt

[Today's post is from Brian Huneycutt]

The Configuration Manager Sustained Engineering and Customer Support and Services teams are investigating an issue where the Install Software Updates action will hang indefinitely on Windows 7 clients.

When this happens, the task sequence Installation Progress dialog displays "Downloading 1 of x Updates (0% complete) ..." with no change in the progress bar, as shown in the following picture.

If you look at the smsts.log file during this time, you'll see the following entries and the last entry repeats:

//
Installing all updates targetted for this computer
Installation of updates started
Waiting for installation job to complete
Waiting for job status notification ...
Waiting for job status notification ...
Waiting for job status notification ...
//

In addition, the other log files that are associated with the Install Software Updates task (CAS.log, UpdatesDeployment.log, UpdatesHandler.log, UpdatesStore.log) do not update during this time.

Note: The repeated "Waiting for job status notification" message can appear under normal circumstances when updates are being installed. However, if you see the repeated entry and the progress bar hangs at "Downloading 1 of x Updates" and the other components are no longer logging, it is likely that you're experiencing this issue under investigation.

In some scenarios, this issue can occur when a large number of software updates (more than 60) are applied via the Install Software Updates task for Windows 7, Office 2007, or Office 2010. A possible solution here is to use the Updates folder in the Office installation folder to reduce the number of updates to be installed during the Install Software Updates task. For additional information about how to use the Updates folder, see the following:

Office 2010
http://technet.microsoft.com/en-us/library/cc178995.aspx#BKMK_UpdatesFolder

Office 2007
http://technet.microsoft.com/en-us/library/cc178995(office.12).aspx#BKMK_UpdatesFolder

Some customers have reported that installing the latest Intel Mass Storage drivers as part of their deployment can also trigger this problem. If you experience this, a solution here is to remove the drivers from their deployment packages because base functionality is provided with the default Windows 7 drivers.

These are not necessarily the only triggers for this particular issue, but the two that have been observed by several customers. This blog entry will be updated as soon as we have more information.

Thank you for your patience as we work to find the best resolution for all our customers.

-- Brian Huneycutt

This posting is provided "AS IS" with no warranties and confers no rights.

[Today's post comes from Jason Lewis]

We made the announcement at MMS 2010 that starting with Adobe Acrobat and Reader X products, their updates will also include System Center Updates Publisher (SCUP) catalogs for easy enterprise deployment.  Today I am extremely happy to announce that Adobe has released these two new SCUP catalogs in conjunction with their first updates to the Acrobat and Reader X product lines.  With these new catalogs, enterprises will be able to stay up-to-date with both products in the same manner they do with Microsoft Updates when using System Center Updates Publisher with System Center Configuration Manager. 

The catalog links are below and will be added to our Partner Directory (inside SCUP) very soon.
http://armmf.adobe.com/arm-manifests/win/SCUP/Acrobat10_Catalog.cab
http://armmf.adobe.com/arm-manifests/win/SCUP/Reader10_Catalog.cab

To learn more about this great news visit Adobe Reader's Blog:
http://blogs.adobe.com/adobereader/2011/02/our-first-scup-catalog-for-acrobat-and-reader-x-is-here.html

-- Jason Lewis

This posting is provided "AS IS" with no warranties and confers no rights.