Everything posted by anyweb
-
In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, added roles and distributed the ConfigMgr Client to our computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies. In Part 6 we configured our SUP further to deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections. In Part 7 we used the Build and Capture process to create our Base Windows 7 X64 wim image. In Part 8 we created a USMT 4 package to migrate the user's data using hardlinking and then we imported the captured image into ConfigMgr and created a Deploy Windows 7 X64 task sequence. We created a Deploy Windows 7 X64 Collection and set some User Device Affinity collection variables. In Part 9 we created an Application, and created a deployment type for that application to only install if the Primary User was True for that device (User Device Affinity); we then copied our Task Sequence (duplicated it), deployed the new Task Sequence, added a computer to the new collection and then PXE booted the computer to the Deployment Menu. In Part 10 we monitored the Deployment process in a lot of detail to see how UDA sent state messages and we verified that our application installed on the user's Primary Device; in addition we modified our collection variables, and added a prestart command to our boot image to prompt for the SMSTSUdaUsers.
Now we will set up the Reporting Services Point Role and verify that reporting is working.

Reporting in Configuration Manager:-

The following reporting features are new or have changed in System Center 2012 Configuration Manager.

The reporting point has been deprecated: The Reporting Services point is the only site system role used for reporting in System Center 2012 Configuration Manager. For more information about the Reporting Services point, see the Reporting Services Point section later in this topic.

Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012 Configuration Manager has integrated the Reporting Services solution, added new functionality, and removed standard report management as a reporting solution. For more information about Reporting Services, see the SQL Server Reporting Services section later in this topic.

Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 SP1 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both Model and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time. For more information about Report Builder, see the Report Builder section later in this topic.

Subscription management: Report subscriptions in SQL Reporting Services enable you to configure the automatic delivery of specified reports by e-mail or to a file share at scheduled intervals.

Running reports: You can run System Center 2012 Configuration Manager reports in the Configuration Manager console by using Report Viewer or you can run reports from a browser by using Report Manager. Each method for running reports provides a similar experience.
Localized reporting: Reports in System Center 2012 Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale that SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.

Reporting in System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services and the rich authoring experience that Microsoft SQL Server 2008 with Service Pack 1 (SP1) Reporting Services Report Builder 2.0 provides. Reporting helps you to gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization. Reporting provides you with a number of predefined reports that you can use as is or that you can modify to meet your needs, or you can create custom reports.

The following topics on Technet help you to manage reporting in System Center 2012 Configuration Manager:

Introduction to Reporting in Configuration Manager
Planning for Reporting in Configuration Manager
Configuring Reporting in Configuration Manager
Operations and Maintenance for Reporting in Configuration Manager
Security and Privacy for Reporting in Configuration Manager
Technical Reference for Reporting in Configuration Manager

Step 1. Install the Reporting Services Point Role

Perform the following on your SCCM 2012 server as SMSadmin.
In the ConfigMgr console, click on Administration, Site Configuration, Servers and Site System Roles, right click on our server and choose Add Site System Roles.

When the Add site system roles wizard appears, click next and select Reporting Services Point from the list of available choices.

You'll be asked to specify some Reporting Services settings; click on Verify beside database name. If all goes well it will be listed as Successfully Verified.

Now we need to configure a Reporting Services Point Account, and we will use the Active Directory User (called ReportsUser) which we created in Part 1 of this series in Active Directory Users and Computers.

* ReportsUser, a domain user for reporting services.

So for User Name click on the Set drop down menu and select New Account. When prompted for Windows User Account, enter the credentials of your ReportsUser account; you can use Browse to easily find the user in Active Directory. The specified Windows user account and password is encrypted and stored in the Reporting Services database.

Note: Reporting Services retrieves the data for reports from the site database using this account and password.

Tip: When installing the Reporting Service Point role, you do not have the ability to 'verify' the Reports user you specify, so the user may not even exist in AD. Therefore, you should browse AD when searching for the user.

Click next to install Reporting Services, click next at the summary and review the completion screen.

Tip: you can verify that the role installs successfully by monitoring the SMS_SRS_REPORTING_POINT log in Component Status, Monitoring. Look for Message ID 1015 which indicates that the Reporting Services point was successfully installed.

In addition you can verify by checking the following log on your server, SRSRP.LOG, located in D:\Program Files\Microsoft Configuration Manager\Logs; look for a line which reads

You should also inspect the SRSRPSetup.log file for the following line: Installation was Successful.
Step 2. Configure Reporting

Perform the following on your SCCM 2012 server as SMSadmin.

Now that the Reporting Services Point role is installed we need to do some configuration before we can view reports. In the Monitoring Space of ConfigMgr console click on Reports; it will list 0 items.

On your ConfigMgr server, click on the start menu and right click on Internet Explorer, choose Run As Administrator, answer Yes to the UAC prompt.

Enter the following URL: http://sccm.server20...b.local/Reports (obviously replace your server FQDN in the URL).

Click on the Properties Tab followed by New Role Assignment.

In Group or Username enter Server2008R2\ReportsUser and give the user the permissions you want.

Now we can see that the ReportsUser has all reporting roles, and as this is a LAB we should verify that SMSadmin has the rights to do everything: select the SMSadmin user and choose Edit, click the Role checkbox so that we get all roles, and then click Apply.

After editing both users we want them to have all permissions for Reporting services.

Tip: This is a LAB so it's ok to configure Reporting this way, in production you would want to be more specific about what permissions users are granted.

Exit from Internet Explorer, and browse Reports within ConfigMgr again. The Reports are listed and ready to be used; note that they are sorted by Category (and also below Reports are Category Folders).

Step 3. Viewing some Reports

Perform the following on your SCCM 2012 server as SMSadmin.
In the ConfigMgr console, expand reports, select the All Collections report, right click it, choose Run.

A list of collections appears in the Report Viewer; you can drill down further into the report by clicking on All Systems.

On one of your Windows 7 Client Computers, login as ReportsUser and start Internet Explorer, browse to http://sccm.server2008r2.lab.local/reports and select a report from the ConfigMgr_P01 database.

Tip: if the ConfigMgr_P01 database doesn't appear, as a temporary measure you can add the ReportsUser to the Local Administrators group on your SCCM server; that's ok in a LAB, in production you'll want to configure your security accordingly and create Groups for Report Readers and Report Administrators.

That's it! Reporting Services Point is installed and in our next part we will look at our Endpoint Protection reports and monitor it real time both on the Server and Clients.
-
WDS, SCCM, PXE Issue
anyweb replied to borngunners's question in Troubleshooting, Tools, Hints and Tips
can you post the SMSPXE.log please
-
well what issues are you having specifically ? if you think in terms of refresh the only barrier is the encrypted drive, if you unlock the drive and suspend encryption on it then the rest of the refresh is as per normal (hardlinking and so on), the challenge is do you

1. disable the encryption in Windows (most people do this prior to rebooting into WinPE and doing the remaining tasks)
2. disable it if found in WinPE - this is where you have to get creative as the task sequence wants to write to the largest available NTFS drive at boot time... we did solve it though with some clever diskpart commands to reassign the drives followed by a reboot.
-
uninstall the DP role
uninstall WDS, reboot
do NOT install or Configure WDS
install the DP role, monitor the Distrmgr.log

does that help ?
-
In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, added roles and distributed the ConfigMgr Client to our computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies. In Part 6 we configured our SUP further to deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections. In Part 7 we used the Build and Capture process to create our Base Windows 7 X64 wim image. In Part 8 we created a USMT 4 package to migrate the user's data using hardlinking and then we imported the captured image into ConfigMgr and created a Deploy Windows 7 X64 task sequence. We created a Deploy Windows 7 X64 Collection and set some User Device Affinity collection variables. In Part 9 we created an Application, and created a deployment type for that application to only install if the Primary User was True for that device (User Device Affinity); we then copied our Task Sequence (duplicated it), deployed the new Task Sequence, added a computer to the new collection and then PXE booted the computer to the Deployment Menu.

Now we will monitor the Deployment process in a lot of detail to see what happens with UDA and more.

Step 1. Deploy Windows 7 X64 and monitor the progress

Perform the following on your SCCM 2012 server as SMSadmin.
Recap: After PXE booting our W72 virtual machine, we entered the PXE password and then we selected the Deploy Windows 7 X64 - New Computer and it formatted the disc and then started applying the Operating System. At this point I want you to pay close attention to the Deployment progress so that you can see when it sets the UDA relationship; if your image is already deployed don't worry, you can delete the computer in SCCM, reimport it to the Deploy collection and PXE boot again.

What we want to do here is to view the SMSTS.log file around the time that the Setup Windows and ConfigMgr step is running. To do this we will press F8 at the right time, so press F8 now during the Apply Operating System phase.

While the image is being applied to c:\ you may as well copy over our troubleshooting tool, CMtrace.exe, to the root of c:\

copy x:\sms\bin\i386\cmtrace.exe c:\

Tip: As the CMTrace tool is now embedded in our boot images, you can automate the above by adding a step to your Build and Capture Task Sequence (or even your Deploy Task Sequence) as long as it occurs before the Setup Windows and ConfigMgr step. The code is

xcopy "x:\sms\bin\x64\cmtrace.exe" "c:\" /E /C /I /Q /H /R /Y /S

Note: the path will change depending on what architecture boot image you are using !
After the image is applied the Virtual Machine wants to reboot, so type Exit in your console and the vm will reboot into Windows and then Setup is installing devices and applying system settings, followed by another reboot, and then Setup is preparing your computer for first use, and this is where you need to be awake if you want to witness this part of the process.

When you see the blue windows screen press F8 again, and it's now at the Setup Windows and ConfigMgr step.

Type c:\cmtrace.exe and answer yes to make it the default logging tool, then open the following file:

C:\_SMSTaskSequence\Logs\smsts.log

Meanwhile on your SCCM server, open the following log file in CMTrace.exe, D:\Program Files\SMS_CCM\Logs\MP_Status.log, and look for the following line:-

That is the UDA state message being sent.

Meanwhile on the client we can see the UDA actions in our SMSTS.log file (you may have to change the location of the SMSTS.log file to C:\Windows\CCM\Logs\SMSTSLog\smsts.log).

Meanwhile.. back in the ConfigMgr console, click on Assets and Devices, and select our Deploy Windows 7 X64 collection; in there you'll see our W72 computer, right click it and choose Edit Primary Users.

You should see the following: Affinity Type=OSD Defined.

Ok, now that you've seen what happens, close the CMtrace tool and the command prompt in your Deploy Windows 7 X64 session and let it finish its job (it'll jump to the login screen very quickly), so login and we can review some new logs !

Step 2. Review the Deployed Windows 7 X64 computer

Perform the following on your Windows 7 client as testuser.
Login to the desktop and start Internet Explorer and browse to the Application Catalog, review the My Devices tab, it should say:-

Next, using Windows Explorer, start up CMTrace.exe (located in C:\) and browse to C:\Windows\CCM\Logs, open the AppDiscovery.log file. As we can see it's logging about detecting whether Mozilla FireFox is installed or not, and it reports msi application not discovered.

Next open C:\Windows\CCM\Logs\AppEnforce.log; you should see it referencing whether or not a user is logged on (we are logged on now, but if we had waited 30 minutes or so and then logged on it would have reported things differently), and how it tries to Enforce installing the app.

Cool stuff indeed, oh and if we minimise CMTrace what do we see ? Yup, the Firefox icon on the desktop, installed using User Device Affinity variables and by configuring our Deployment Type rules, cool huh ?

Step 3. Modify the boot wim to include prestart and Extrafiles

Perform the following on your SCCM 2012 server as SMSadmin.

Now that we've proven that we can use UDA to install apps for our Primary User, let's edit the task sequence to prompt us for a Primary User instead of forcing it via a collection variable. To do this we need to edit our boot.wim files first of all.
We need a few files, so please download the following zip file Extrafiles.zip and uncompress it to D:\Sources\OS\Extrafiles

In the ConfigMgr console, locate our Boot image (X86) and right click it, choose Properties.

Click on the Customization tab and place a checkmark in Enable Prestart Command, place another checkmark in Include files for the prestart command.

Click browse and browse to the UNC path of our Extrafiles, eg: \\sccm\sources\os\Extrafiles

In the command line type the following:

cscript.exe get_SMSTSUdaUsers_via_Prestart.vbs

Click apply and answer yes when prompted about distribution point update required; it starts to inject the changes.

Tip: you can open the SMSProv.log to monitor the files being injected into your boot.wim files.

Step 4. Modify our Collection Variables

Perform the following on your SCCM 2012 server as SMSadmin.

In the ConfigMgr console, click on Assets and Compliance and locate our Deploy Windows 7 X64 collection, right click, choose properties, select the Collection Variables tab.

Remove the SMSTSUdaUsers variable we set earlier by highlighting it and clicking on the red X, answer yes when prompted.

Step 5. PXE boot and test the prestart command

Add a new virtual machine to our Deploy Windows 7 X64 collection (or delete the one we used previously, and then import it back again; verify it's in the collection after the import before PXE booting).

PXE boot and you'll get to the Task Sequence password screen.. press next and Voila, you get to see your Prestart command in action !

So enter the primary user name and click ok, and our SMSTSUdaUsers variable is now set via a Prestart command. In a later part of this series, we will see how we can set this via the task sequence itself and also look at setting the Task Sequence Deployment ID via a variable to override what's targeted to our computer.
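
A prestart script of the kind Steps 3 and 5 describe, as an added example: it is not the get_SMSTSUdaUsers_via_Prestart.vbs from Extrafiles.zip, whose contents the post does not show. It checks that the entry looks like DOMAIN\user (one or more, comma separated) before writing SMSTSUdaUsers, so a mistyped name is not stored as the device's primary user; the character rules in the pattern and the retry count are assumptions of this example.

```vbscript
' Added example (not the script shipped in Extrafiles.zip).
' Prompts for the primary user and sets SMSTSUdaUsers only if the input
' matches DOMAIN\user. SMSTSAssignUsersMode is left to the collection
' variable, which the post keeps set to Auto.
Option Explicit

Const MAX_TRIES = 3          ' assumption: give the technician three attempts
Const TITLE = "User Device Affinity"

Dim tsEnv, users, tries, accepted

' True when every comma-separated entry looks like DOMAIN\user.
' Assumed rules: domain of letters, digits, dot or hyphen; user name of
' 1-20 characters with none of the characters AD rejects in logon names.
Function IsValidUdaList(value)
    Dim re, part
    IsValidUdaList = False
    If Len(Trim(value)) = 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9][A-Za-z0-9.\-]{0,62}\\[^\\/\[\]:;|=,+*?<>""@\s]{1,20}$"
    For Each part In Split(value, ",")
        If Not re.Test(Trim(part)) Then Exit Function
    Next
    IsValidUdaList = True
End Function

' Removes stray spaces around each entry: "LAB\a , LAB\b" -> "LAB\a,LAB\b".
Function NormalizeUdaList(value)
    Dim part, result
    result = ""
    For Each part In Split(value, ",")
        If Len(result) > 0 Then result = result & ","
        result = result & Trim(part)
    Next
    NormalizeUdaList = result
End Function

' The task sequence environment object only exists inside WinPE/OSD.
On Error Resume Next
Set tsEnv = CreateObject("Microsoft.SMS.TSEnvironment")
If Err.Number <> 0 Then
    WScript.Echo "Microsoft.SMS.TSEnvironment is not available here."
    WScript.Quit 0
End If
On Error GoTo 0

accepted = False
For tries = 1 To MAX_TRIES
    users = InputBox("Primary user (DOMAIN\user):", TITLE)
    If IsValidUdaList(users) Then
        accepted = True
        Exit For
    End If
    MsgBox "Enter the user as DOMAIN\user.", vbExclamation, TITLE
Next

If accepted Then
    tsEnv("SMSTSUdaUsers") = NormalizeUdaList(users)
Else
    ' No valid input: leave SMSTSUdaUsers unset rather than store an
    ' unchecked value.
    WScript.Echo "No valid primary user entered; SMSTSUdaUsers not set."
End If
WScript.Quit 0
```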
-
This Post has been superseded by the following Configuration Manager 2012 RTM post.

In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, added roles and distributed the ConfigMgr Client to our computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies. In Part 6 we configured our SUP further to deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections. In Part 7 we used the Build and Capture process to create our Base Windows 7 X64 wim image. In Part 8 we created a USMT 4 package to migrate the user's data using hardlinking and then we imported the captured image into ConfigMgr and created a Deploy Windows 7 X64 task sequence. We created a Deploy Windows 7 X64 Collection and set some User Device Affinity collection variables.

In this part we will create an Application, and create a deployment type for that application to only install if the Primary User is True for that device (User Device Affinity); we will then copy our Task Sequence (duplicate it), deploy the new Task Sequence, add a computer to the new collection and then PXE boot the computer to the Deployment Menu.

Applications are new in System Center 2012 Configuration Manager and have the following characteristics:

Applications contain the files and information necessary to deploy a software package to a computer or a mobile device.
Applications contain multiple deployment types that contain the files and commands necessary to install the software. For example, an application could contain deployment types for a local installation of a software package, a virtual application package or a version of the application for mobile devices.

Requirement rules define conditions that specify how an application is deployed to client devices. For example, you can specify that the application should not be installed if the destination computer has less than 2GB RAM or you could specify that a virtual application deployment type is installed when the destination computer is not the primary device of the user.

Global conditions are similar to requirement rules but can be reused with any deployment type.

User device affinity allows you to associate a user with specified devices. This allows you to deploy software to a user rather than a device. For example, you could deploy an application so that it only installs on the primary device of the user. On devices that are not the primary device of the user, you could deploy a virtual application that is removed when the user logs out.

Deployments are used to distribute applications. A deployment can have an action which specifies whether to install or uninstall the application and a purpose which specifies whether the application must be installed or whether the user can choose to install it.

System Center 2012 Configuration Manager can use detection methods to determine if a deployment type has already been installed on a device by using product information, or a script.

Application management supports the new monitoring features in System Center 2012 Configuration Manager. The status of an application deployment can be monitored directly in the Configuration Manager console.

Packages and programs from Configuration Manager 2007 are supported in System Center 2012 Configuration Manager and can use some of the new deployment and monitoring features.
You can now deploy a task sequence on the Internet, as a method to deploy a script, for example, prior to installing a package and program. It is still not supported to deploy an operating system over the Internet.

Software Center is a new client interface that allows users to request and install applications, control some client functionality, and to access the Application Catalog, which contains details about all available applications.

Step 1. Create an Application

Perform the following on your SCCM 2012 server as SMSadmin.

Now we will create an application, in this case FireFox; you can download an MSI of it from here (The files contained in this MSI are the official binaries with no modifications). Save the application in your package sources share (I have shared a root folder on D:\ called Sources with sub folders within, one is called Apps). Copy the downloaded FireFox MSI to a subdirectory of your sources\apps\msi share just like I have done in the screenshot below.

In the ConfigMgr Console, click on Software Library, Applications, in the ribbon click on Create Application.

When the Create Application wizard appears click on browse then point it to the UNC of where the MSI is stored, eg: \\sccm\sources\apps\msi\firefox\Firefox-7.0.1-en-US.msi

Click next and you'll get to the Imported Information screen, click next again to enter General Information about this application, verify that the installation switches are ok and click next.

Click next at the summary through to completion.

Step 2. Edit the Deployment Type

Perform the following on your SCCM 2012 server as SMSadmin.
As we have selected the default values during the wizard, a Deployment Type has already been set up, but we want to edit it so that this application only installs if a primary user has been associated with the device (UDA), so right click on the Application and choose Properties.

The Application's properties are revealed, click on the Deployment Types Tab.

Select the Deployment type and click on Edit.

The Deployment Type properties are revealed, click on the Requirements Tab.

There are no requirements listed, click on Add.

On the Create Requirement screen, select the Category drop down menu and select User, verify that it's set as below (primary device equals true).

Click Apply and click ok, then click apply and ok again to exit from the Deployment Type menu.

Step 3. Create a Deployment for our Application

Perform the following on your SCCM 2012 server as SMSadmin.

Select the Firefox application and in the ribbon click on Deployment and select Deploy from the menu.

When the Deploy Software wizard appears, browse to All Users for collection.

For Content, click on Add and select our Distribution Point.

Next change the Purpose from Available to Required and place a checkmark in Deploy Automatically according to schedule whether or not a user is logged on.

For User Experience set it to hide in software center and all notifications.

Click next through the rest of the wizard to completion (no other changes).

Step 4. Copy our Task Sequence

Perform the following on your SCCM 2012 server as SMSadmin.
We want to be able to both Refresh our computers (reinstall and migrate data) and do a New Computer installation; to do this we need another task sequence, so let's copy (duplicate) the one we have, as we've already created one Deploy Windows 7 X64 task sequence. Select it, right click and choose Copy.

You'll be notified of the copy completion.

Rename the first task sequence to Deploy Windows 7 X64 - Refresh by right clicking on it, properties, edit the name.

Now we need to edit the second Task sequence, right click it and choose edit.

As this is a New Computer Task Sequence, we don't need to migrate data, so Disable the Capture Files and Settings group and the Restore User files and settings Group: click on the Options tab for each group and place a checkmark in Disable, click Apply.

Now we need to add a new step in the Install Operating system group just after the Restart in Windows PE step, so select that step and choose Add; from the drop down menu select Disks, Format and Partition Disk so that it looks like so.

Apply the changes and rename this task sequence to Deploy Windows 7 X64 - New Computer, so now we have two Deploy Task Sequences.

Step 5. Deploy our new Task Sequence to the Deploy Windows 7 X64 collection

Perform the following on your SCCM 2012 server as SMSadmin.

To make the task sequence available to computers we need to Deploy it. In Software Library, select our Deploy Windows 7 X64 - New Computer task sequence and choose Deploy, point the wizard collection to Deploy Windows 7 X64.

Change purpose to Available, place a checkmark in Make available to boot media and PXE.

Click next through to completion.

Step 6. Import a computer into the Deploy Windows 7 X64 collection

Perform the following on your SCCM 2012 server as SMSadmin.

We need a new Virtual Machine to be imported into ConfigMgr's database to add it to our Deploy Windows 7 X64 collection.
In the ConfigMgr console, click on Assets and Compliance, Devices, and in the Ribbon click on Import Computer Information. If you haven't already created a Virtual Machine do so now; we need one with 1 gig of Virtual Ram and we need to know its MAC address.

Choose import single computer, fill in the computername and mac address (if you want to import multiple computers using a file follow this guide).

Add it to our Deploy Windows 7 X64 collection.

Done.

Verify it's in the collection (right click and choose Update Membership) and after a few minutes there it is.

Step 7. PXE boot the New Computer

Perform the following on your SCCM 2012 server as SMSadmin.

PXE boot the new Virtual Machine, and you should get to the familiar password prompt, and two new task sequences are ready for us; select Deploy Windows 7 X64 - New Computer.

And there's that Format and Partition disk step in action, and our captured OS gets applied.

In the next part we will review how Firefox gets deployed automatically to this computer based on the UDA variables we set, and we will review the logs involved, and we'll edit our boot image to support prestart and add some extrafiles; these will be some VBS scripts to prompt for the UDA user instead of setting the variable on the collection, as we really don't want all computers that get deployed to have one user as the primary user.
-
In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality: Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, added roles and distributed the ConfigMgr Client to our computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies. In Part 6 we configured our SUP further to deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections. In Part 7 we used the Build and Capture process to create our Base Windows 7 X64 wim image.

In this part we'll use the captured image in our Deploy Windows 7 X64 task sequence and we'll set some User Device Affinity collection variables and use a USMT 4 package to migrate the user's data using hardlinking.

Step 1. Create the USMT 4 package

Perform the following on your SCCM 2012 server as SMSadmin.

If you want to migrate data in a Deploy Task Sequence you'll need to have the USMT 4 package ready, so let's create it now so that we can access the necessary migration files in our Deploy Windows 7 X64 task sequence.

On your SCCM server in Windows Explorer, browse to C:\Program Files\Windows AIK\Tools\

Right click on the USMT folder and choose Copy, select your sources folder (mine is on D:\) and paste the USMT folder in sources\os so that its path is sources\os\usmt

In the ConfigMgr Console, select Software Library, Application Management, Packages, right click and choose Create Package.
Fill in the details about the package, call it USMT version 4 and point to the UNC path of our newly copied files, \\sccm\sources\os\usmt

For Program Type select Do not create a program.

Complete the Wizard.

Step 2. Distribute the USMT package to our Distribution Points

Select the USMT package and click on Distribute Content in the Ribbon.

For Content Destination, click on Add, select Distribution point, select our DP, click through the rest of the wizard.

Step 3. Import the captured Windows 7 X64 wim file

Perform the following on your SCCM 2012 server as SMSadmin.

In the Software Library, Operating Systems section of the ConfigMgr console, click on Operating System Images; you'll note that it is empty because we haven't imported any images yet. Right click and choose Add Operating System Image.

Browse to the UNC of where we captured the image in Part 7 and select the captured wim file, eg: \\sccm\sources\os\captures\windows7x64.wim

Fill in some details about the image.

Click through the summary, progress to completion.

Step 4. Distribute the image to the Distribution points

Perform the following on your SCCM 2012 server as SMSadmin.

We now need to distribute our imported image to our distribution points. Select our Windows 7 Enterprise X64 image and in the ribbon above click on Home and then Distribute Content.

When the Distribute Content Wizard appears, click next to specify the destination, click on add and select distribution point.

Select our Distribution Point from the list.

The DP appears selected.

Click next through summary/progress to completion.

Step 5. Create the Deploy Task Sequence

Perform the following on your SCCM 2012 server as SMSadmin.

Now that we have added our captured operating system image to ConfigMgr, and distributed it to our DPs, we want to create a Deploy Task sequence to deploy the image. In Task Sequences, right click and choose Create Task Sequence.
Choose to Install an existing image package

Fill in some details about the image and click browse and select the X86 boot image, click next to proceed

Now select the Windows 7 image by clicking on browse and set an administrator password, uncheck Partition and format the target computer before installing the operating system if you want to use hardlinking for User state migration, otherwise files cannot be stored locally

For the Configure the Network step, we want to join the domain so click on browse beside join a domain

And now we need to specify the user that has permissions to join the domain, I use the DomJoin user just for this task (create the user and delegate them enough permissions to add computers to the domain)

I'm not specifying an OU in this step, you can, but don't select the Computers Container if you do...

For the Install the Configuration Manager client step click on browse and select the client package from definition we created in the last part

Click next and for State Migration, select our USMT 4 package

Change the setting to Save user settings Locally (this will mean we can use Hard Links)

For Include Updates select All Software Updates

And click next through to completion (we are not installing any applications at this point).

Step 6. Create a Deploy Windows 7 X64 collection

Perform the following on your SCCM 2012 server as SMSadmin.

In the ConfigMgr console, click on Assets and Compliance, select Device Collections, click on Create Device Collection in the Ribbon

Fill in the collection details, call it Deploy Windows 7 X64, limit it to All Systems

Click next through the wizard, we will not add any computers to it yet, and we will not create any queries.

Step 7. Create Collection variables

Perform the following on your SCCM 2012 server as SMSadmin.

We want to set UDA variables on our collection, so that a UDA user gets assigned as the primary user of computers deployed in this collection.
We are doing this to show you that you can set a primary user to a device based on Collection Variables. We could do this in other ways, for example using task sequence steps to set the variables or prestart commands or a frontend HTA, I will come back to this subject later, but for now, let's just see it in action by specifying the two variables below.

Right click on the Deploy Windows 7 X64 Collection and choose Properties

Click on the Collection Variables tab, click on the yellow starburst and add a new variable called SMSTSAssignUsersMode, set the value to Auto and remove the checkmark from Do not display this value in the Configuration Manager console

Do the same again for another variable called SMSTSUdaUsers, specify the user as domain\user

Step 8. Deploy our Task Sequence

Perform the following on your SCCM 2012 server as SMSadmin.

To make the task sequence available to computers we need to Deploy it. In Software Library, select our Deploy Windows 7 X64 task sequence and choose Deploy

Select our Deploy Windows 7 X64 collection and click ok to the warning

Change purpose to Available (this keeps it optional, Required is Mandatory ! and dangerous as a result), place a checkmark in Make available to boot media and PXE

Click next through the task sequence, until distribution points, by Default it will be set to Download content locally when needed by running task sequence, you can get this to change to Access content directly by editing each package referenced in the task sequence and setting the Data Access tab for each package, place a checkmark in Copy the content in this package to a package share on Distribution points

Click next through the wizard to completion.

In our next part we will create an Application, and create a deployment type for that application to only install if the Primary User is True for that device (User Device Affinity), we will then add a computer to the new collection, PXE boot it and watch the process from start to finish.
-
Can you post your SMSTS.log file please?
-
Here's a presentation I did at Best of MMS in Stockholm, Sweden called Reducing Complexity in OSD with Configuration Manager 2012, I'll attach the scripts used in the demos shortly.

Reducing Complexity in OSD with Configuration Manager 2012.pptx

Niall Brady

Niall Brady is an MVP in System Center Configuration Manager, Enfo Zipper. Niall Brady is an Irish man living in Sweden, he’s been working with computers since the early 90’s and is an MVP in System Center Configuration Manager. Niall has a strong passion for deploying Operating Systems and can be found online helping others on the Technet forums or blogging about his experiences at MyITForum. Niall runs a forum dedicated to ConfigMgr called windows-noob.com

Reducing Complexity in OSD with Configuration Manager 2012

Speaker: Niall Brady, System Center Configuration Manager MVP, Enfo Zipper.
Product: System Center Configuration Manager 2012

This session will focus on how OSD in Configuration Manager 2012 reduces your workload by reducing complexity and serviceability with user targeted applications, reducing vulnerabilities of the OS image and reducing deployment time with Offline servicing, and the simple things to make administrators' lives easy.
-
If you want to import multiple computers in SCCM 2012 using a file then it's easy to do so, just make sure that your file is in CSV format and looks like so

In the sample screenshot above I have three machines listed with the Computername first (name), followed by the SMSBIOS Guid and finally the MAC Address. You can get the SMSBIOS Guid and MAC Address simply by booting your chosen computer and monitoring the PXE boot process, look for the details below (press PAUSE on your keyboard to make note of the values or simply pause the VM by pressing the appropriate button as in the HyperV sample below).

You could also ask your Hardware Manufacturer to provide you this information in CSV format. Now that you have the values add them to your MAC Addresses.CSV file (a text file in notepad or Microsoft Excel)

Open the ConfigMgr Console and click on Assets and Compliance, click on Devices, in the ribbon above select Import Computer Information

Select the first option, Import computers using a file

Point to your CSV file by clicking on browse, open

If your CSV file has headings at the top of the file then place a check mark in This file has column headings and then click next

Look at the data preview, if anything looks incorrect you can go back or cancel, click next if it's all ok

Note: you can have GUID plus Name, or MAC plus Name, or a combination of all three but you must have at least two and one of the values must be Name.

Next you can select the target collection, I want to add mine to the Build and Capture Windows 7 X64 collection so I click on Browse and select that collection, choose the one you wish

Click next through to completion

You can then wait for normal discovery to pick up the new objects or force an update by choosing update membership on the chosen collection, answer yes when prompted

Refresh the collection and the computers appear (if you've just imported them, give it a couple of minutes before they appear)
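A pre-flight check for the import file described in the post above, as an added example that is not part of the original post. It applies the post's rule (Name plus at least one of GUID or MAC) and also flags identifiers that appear on more than one row, since a mistyped MAC or GUID would attach the wrong machine to the target collection. The function name, the accepted MAC notation and every sample row are assumptions made for this example.

```powershell
# Added example, not from the original post. Sample rows are constructed.
# Column order follows the post: Name, SMSBIOS GUID, MAC address.

function Test-ComputerImportFile {
    param(
        [string[]]$Lines,
        [switch]$HasHeadings   # same meaning as "This file has column headings"
    )

    $guidPattern = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
    # Assumed notation for this example: six hex octets separated by ':' or '-'.
    $macPattern  = '^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$'

    if ($HasHeadings) { $Lines = @($Lines | Select-Object -Skip 1) }
    $rows = @($Lines | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header Name, Guid, Mac)

    $seen = @{}        # identifier -> first data row that used it
    $rowNumber = 0
    foreach ($row in $rows) {
        $rowNumber++
        $name = "$($row.Name)".Trim()
        $guid = "$($row.Guid)".Trim()
        $mac  = "$($row.Mac)".Trim()
        $problems = @()

        # Rule from the post: Name is required, plus a GUID or a MAC address.
        if (-not $name) { $problems += 'Name is missing' }
        if (-not $guid -and -not $mac) {
            $problems += 'needs a GUID or a MAC address as well as Name'
        }
        if ($guid -and $guid -notmatch $guidPattern) {
            $problems += "GUID '$guid' is malformed"
        }
        if ($mac -and $mac -notmatch $macPattern) {
            $problems += "MAC '$mac' is malformed"
        }

        # The same identifier on two rows means two records for one machine.
        $keys = @()
        if ($name) { $keys += 'Name ' + $name.ToUpper() }
        if ($guid) { $keys += 'GUID ' + $guid.ToUpper() }
        if ($mac)  { $keys += 'MAC ' + ($mac -replace '[:-]', '').ToUpper() }
        foreach ($key in $keys) {
            if ($seen.ContainsKey($key)) {
                $problems += "$key is already used on row $($seen[$key])"
            } else {
                $seen[$key] = $rowNumber
            }
        }

        foreach ($p in $problems) {
            New-Object psobject -Property @{ Row = $rowNumber; Name = $name; Problem = $p }
        }
    }
}

# Constructed sample file: a heading line followed by seven data rows.
$sample = @(
    'Name,SMSBIOS GUID,MAC Address'
    'LAB-W7-01,4C4C4544-0042-3010-8051-B4C04F4D3253,00:15:5D:00:0A:01'
    'LAB-W7-02,,00:15:5D:00:0A:02'
    'LAB-W7-03,4C4C4544-0042-3010-8051-B4C04F4D3254,'
    'LAB-W7-04,,'
    ',,00:15:5D:00:0A:05'
    'LAB-W7-06,,00:15:5D:00:0A:02'
    'LAB-W7-07,not-a-guid,00:15:5D:00:0A:07'
)

Test-ComputerImportFile -Lines $sample -HasHeadings |
    Select-Object Row, Name, Problem |
    Format-Table -AutoSize
```

To check a real file, pass `(Get-Content <your file>)` as `-Lines`; row numbers count data rows, not the heading line.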
-
The latest version of MDT is now available on Connect (Join the MDT 2012 Beta 2 Connect program here!)

MDT 2012 Beta 2 offers new User-Driven Installation components and extensibility for Configuration Manager 2007 and Configuration Manager 2012 as well as integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for Lite Touch Installation remote control and diagnostics.

Key benefits include:

Full use of the capabilities provided by System Center Configuration Manager 2012 for OS deployment.
Improved Lite Touch user experience and functionality.
A smooth and simple upgrade process for all existing MDT users.

New features For System Center Configuration Manager customers:

Support for Configuration Manager 2012 (while still supporting Configuration Manager 2007)
New User-Driven Installation components for Configuration Manager 2007 and Configuration Manager 2012
Extensible wizard and designer, additional integration with Configuration Manager to deliver a more customized OS experience, support for more imaging scenarios, and an enhanced end-user deployment experience
Ability to migrate MDT 2012 task sequences from Configuration Manager 2007 to Configuration Manager 2012

New features For Lite Touch Installation:

Integration with the Microsoft Diagnostics and Recovery Toolkit (DaRT) for remote control and diagnostics
New monitoring capabilities to see the progress of currently running deployments
Support for deploying Windows to computers using UEFI
Ability to deploy Windows 7 so that the computer will start from a new VHD file, “Deploy to VHD”
Improved deployment wizard user experience

MDT 2012 Beta 2 will be available for beta download through to January 2012.

Already using the Microsoft Deployment Toolkit? The MDT team would like to hear about your experiences. Please send comments and suggestions to satfdbk@microsoft.com.
This post was contributed by Richard Smith, a Principal Consultant with Microsoft Services UK

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use

via http://blogs.technet.com/b/deploymentguys/archive/2011/11/11/mdt-2012-beta-2-released.aspx?utm_medium=windows-noob&utm_source=windows-noob.com
-
The CAS is NOT the same as today's Central site, for example, you cannot have a Management Point on a CAS, but you can on a Central site. If you want child sites in SCCM 2012 you can have one standalone primary with secondaries underneath but if you want more than one primary you'll need to install the CAS first, as you cannot install the CAS later, it's now or never.

For more info see the links below:-

Fundamentals of Configuration Manager - http://technet.micro...y/gg682106.aspx
Supported Configurations for Configuration Manager - http://technet.micro...y/gg682077.aspx
Planning for Configuration Manager Sites and Hierarchy - http://technet.micro...y/gg682075.aspx

As ConfigMgr 2012 is still in Release Candidate phase, please go ahead and test CAS with an attached primary/secondary to see how it all works together in your Lab (not in Production).
-
when searching for Software updates in SCCM 2012 release candidate you can add criteria for Title and enter X64, that gives you the desired result
-
using SCCM 2012 in a LAB - Part 2. Add SUP and WDS
anyweb replied to anyweb's topic in Configuration Manager 2012
Endpoint protection is covered in Part 5 of this series - http://www.windows-noob.com/forums/index.php?/topic/4466-using-sccm-2012-rc-in-a-lab-part-5-enable-the-endpoint-protection-role-and-configure-endpoint-protection-settings/ -
using SCCM 2012 in a LAB - Part 1. Installation
anyweb replied to anyweb's topic in Configuration Manager 2012
thanks, and updated -
In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies. In Part 6 we configured our SUP further to Deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections.

Now we will use the Build and Capture process to create our Base Windows 7 X64 wim image, we'll use this image in the next part to Deploy Windows 7.

What's new in Configuration Manager 2012 for Operating System Deployment ?

You can apply Windows Updates by using Component-Based Servicing (CBS) to update the Windows Imaging (.wim) file format images that are stored in the image node of the Software Library.

The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to prestaged media, bootable media, and stand-alone media.

You can configure the Task Sequence Media Wizard to suppress the Configuration Manager Boot Media wizard during operating system installation. This configuration enables you to deploy operating systems without end user intervention.

You can define a deployment in a prestart command that overrides existing deployments to the target computer.
Use the SMSTSPreferredAdvertID task sequence variable to configure the task sequence to use the specific Offer ID that defines the conditions for the deployment.

You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy.

The Capture User State task sequence action and the Restore User State task sequence action supports new features from the User State Migration Tool (USMT) version 4.

You can use the Install Application task sequence action to deploy applications from the Software Library when you deploy an operating system.

You can define user device affinity for a client computer during operating system deployment.

The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability.

Step 1. Enable PXE support for Clients

Perform the following on the SCCM server as SMSadmin

In the ConfigMgr console, click on Administration, Site Configuration, Servers and Site System Roles, and double click on the Distribution Point role listed, select the PXE tab and place a checkmark in Enable PXE support for Clients, answer Yes when prompted about firewall ports (UDP ports 67, 68, 69 and 4011).

Enable all options and click on the Drop down UDA option and set it to Allow User Device Affinity with Automatic Approval

Step 2. Add the Windows 7 X64 operating system image

Perform the following on the SCCM server as SMSadmin

In the ConfigMgr console, select Software Library and expand Operating Systems, click on Operating System Installers and choose add operating system installer from the ribbon (alternatively right click to get the same option)

Browse to the UNC path where you have previously copied the extracted contents of your Windows 7 X64 Enterprise ISO (I extracted mine and then copied it to \\sccm\sources\os\Windows 7x64 prior to starting this step).

Fill in some general info about the image and complete that wizard.

Step 3. Distribute the Operating System to our Distribution Points

Perform the following on the SCCM server as SMSadmin

Now that we've added the image, let's distribute it to our DP. Click on the image we just added and in the ribbon click on Distribute Content

The Distribute Content wizard appears

Click next, select Add, select Distribution Point, select our SCCM server then ok

Click next through the wizard until completion

Step 4. Customise our boot images and then Distribute the Boot images to DP's

Perform the following on the SCCM server as SMSadmin

Note: Even though Build and Capture of Windows 7 X64 only needs the X64 boot image, we will update both boot images as we'll need them to both have Command support enabled.

Select boot images in the left navigational pane, select the X86 boot image, right click choose properties

Click on the Customization tab, enable Command support

Click on the Data Source tab, place a checkmark in Deploy this boot image from the PXE service Point

Click apply, and answer No when prompted to update the Distribution Points now as we have to add our DP first before updating the boot image to the DP's..

Click Ok to close. Now we need to Distribute our Boot image to our Distribution Point, so select the image and choose Distribute Content from the ribbon

Add our Distribution Point and click through the wizard to completion

Tip: you can open the SMSProv.log file in CMTrace to review the progress of the boot image changes being made, in fact you can even see that the CMtrace tool itself is now being copied into our boot images by default ! excellent !!

Note: you must repeat the above process for the X64 Boot image

Step 5. Create and then Distribute the Configmgr Client Package to DP's

Perform the following on the SCCM server as SMSadmin

Currently there are two packages for Configuration Manager Client however neither are working in their current form, rather than use them let's create our own.
In Software Library, right click on Packages and choose Create Package from Definition, choose Configuration Manager Client Upgrade, click next

Choose Always obtain source files from a source folder

For source folder point to \\server\sms_xxx\client where xxx is your site code eg; P01

Click next through the wizard until it completes

Select our newly created package and add it to our Distribution Points (right click it, choose Distribute Content, go through the wizard).

Note: our Client package is the only one with version 5.0 so it's easy to see.

Step 6. Create the Build and Capture Task Sequence

Perform the following on the SCCM server as SMSadmin

In the Configmgr Console click on Task Sequences under Software Library, Operating System Deployment. In the Ribbon click on Create Task Sequence

Select the Build and Capture a reference operating system image option

Fill in some details about the Task Sequence and select the X64 boot image which you distributed to the DPs above

In the next screen we get to select our Operating System Installation source Image that we added above, in addition to this I'd recommend you DON'T enter the Product Key and that you DO enter an Administrator Password

Next we should join a workgroup to keep the build and capture image clean of any changes that can be made via domain join

Next we get to include the Configmgr client package, use the one we created earlier, select the Microsoft Configuration Manager Client Upgrade 5.0 All Package

Note: If you want Windows updates to be installed include SMSMP=sccm.server2008r2.lab.local in your Setup windows and configmgr step Installation Properties, the old switch SMSSLP is retired as is the Server Locator Point role.
Choose to install All Software Updates

Click next through the wizard through the application, sysprep and image info screens, for the Capture image settings screen fill in the capture account details and use a user that has rights to that UNC path (don't forget to create the \\server\sources\os\captures directory first..)

Make sure you type the capture account details correctly (otherwise you'll have a long wait until the next Build and Capture is done and you get to see if your capture actually succeeds or not due to a typo)

Close the wizard

Step 7. Import Computer Information

Perform the following on the SCCM server as SMSadmin

We need our Virtual Machine to be imported into ConfigMgr's database before we can add it to our Build and Capture Windows 7 X64 collection so let's do that. In the ConfigMgr console, click on Assets and Compliance, Devices, and in the Ribbon click on Import Computer Information.

If you haven't already created a Virtual Machine do so now, we need one with 1 gig of Virtual Ram and we need to know its MAC address.

Note: If you want to import multiple computers via a file then see my separate post here

We will import one computer into ConfigMgr's database so choose import single computer

Fill in the computername and mac address

Click next through data preview and for target collection choose our Build and Capture Windows 7 X64 collection we created in the previous part

Click next through the wizard to completion.

And it appears in our collection after a few minutes

Note: Do not continue with this part until the computer appears in the collection.

Step 8. Deploy the Build and Capture Task Sequence

Perform the following on the SCCM server as SMSadmin

In Software Library, select Task Sequences, select our Build and Capture Task sequence and right click, choose Deploy, if Deploy is greyed out are you sure you created a new package from Definition for the Configuration Manager Client ?
Point it to our build and capture collection

Change the purpose from Required to Available, and set make available to boot media and PXE

Click next through the options until you get to distribution point, make a note of the Network Access Account note !

Finish the wizard

Step 9. Enable the Network Access Account

Perform the following on the SCCM server as SMSadmin

In the ConfigMgr console, select Site Configuration, Sites and right click on our P01 site, choose Configure Site Components, Software Distribution (alternatively in the ribbon click on Settings, Configure Site Components, Software Distribution)

Click on the Network Access Account tab and specify your Network Access Account user, choose new user, input the details and test the connection (Note: this is New since Beta 2)

Click Apply and Ok.

Step 10. PXE boot our new Virtual Machine

Perform the following on the SCCM server as SMSadmin

Note: Before PXE booting the Virtual Machine, verify that the Windows Deployment Service is started, if not, start it, monitor the SMSPXE.log during the process and during the PXE boot.

Press F12 when prompted

Enter our PXE password

Click next and select our Build and Capture Windows 7 X64 task sequence

And pat yourself on the back for a job well done as it goes through the process of Build and Capture

If you get any errors about packages not being found then enable the following setting in Data Access for all packages in your task sequence including the boot image:- copy the contents in this package to a package share on distribution points

Note: once you have enabled the setting above your Deployment distribution settings gets a new drop down menu choice, access content directly from a distribution point when needed by the running task sequence

And then try again.. our client is being built

Setup windows and configmgr...

Followed by a System Restart

Followed by the usual windows setup routines..
And another restart later and it's setup windows and configmgr (in windows)

Followed by Install Updates

And after it's evaluated things, the updates will be downloaded and applied

Note: the updates will not be found unless you have SMSMP=sccm.server2008r2.lab.local in your Setup windows and configmgr step

After this there will be another restart followed by Sysprep, and then the moment you have been waiting for, Capture !

In the next part of this series, we will Deploy our captured WIM and continue learning about this fantastic product
-
In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, then in Part 5 we enabled the Endpoint Protection Role and configured Endpoint Protection settings and targeted a collection called All Windows 7 Computers with these settings and policies.

Now we will configure our SUP further to Deploy software updates to our All Windows 7 Computers and Build Windows 7 X64 collections.

Recommended Reading:-

Planning for Software Updates in Configuration Manager - http://technet.micro...y/gg712696.aspx
Prerequisites for Software Updates in Configuration Manager - http://technet.micro...y/hh237372.aspx
Configuring Software Updates in Configuration Manager - http://technet.micro...y/gg712312.aspx

Step 1. Configure the SUP Products to Sync and Perform a Sync

Perform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.

In the Products tab ensure that the product Windows 7 check box is selected.

Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates, answer Yes when prompted.

Monitor the Sync process using the Wsyncmgr.log file in CMTrace.
As we started the sync manually you should search for the following string "Performing Sync on local request", followed by the status of the sync and you know it's complete when you can see the following line "Sync Succeeded. Setting Sync alert to cancelled on Site P01."

Step 2. Specify Search Criteria for Software Updates

Perform the following on the SCCM server as SMSadmin

In the console, click Software Library, expand it and select All Software Updates then click on Add Criteria in the top right of the search field.

In the scrollable Add Criteria menu, select the following options

Bulletin ID
Expired
Superseded
Product

then define the criteria using the drop down menus beside each option so that they look as follows:-

Product = Windows 7
Bulletin ID = MS
Expired = No
Superseded = No

then click on Search, you'll get a list of results like so

Let's save our Search criteria and call it Windows 7 Updates search criteria, you can return to this search later by clicking on saved searches and selecting your search from the list.

Step 3. Create a Software Update Group that Contains the Software Updates

Perform the following on the SCCM server as SMSadmin

Note: Normally you'd want to look through all these updates and filter out (delete) the ones that are not applicable to you, such as Beta or Service Packs, Delete these from your list before continuing.
After we've trimmed down our updates we'll select the remaining updates by selecting all the updates found in our search criteria above by clicking on one update and then pressing CTRL + A, it should say 153 (or similar) items selected in the bottom left corner, make sure you are still in the Search Criteria as in the picture below

In the ribbon, click on Home and then in the Update click on Create Software Update Group, call it Windows 7 Updates and click on Create

Now you can click on Software Update Groups in the console and you'll see your newly created Software Update Group, right click on it and choose Show Members to see the updates in this group.

This lists the Software Updates contained in the Software Update Group

Step 4. Deploy the Software Update Group

Perform the following on the SCCM server as SMSadmin

We could download the Content for the Software Update Group to verify that it's available before distributing it to our Distribution Points, but we'll skip that step and go ahead and deploy our Updates to our previously created All Windows 7 Computers collection. Select the Windows 7 Updates Software Update Group and in the Ribbon click on Deploy.

Give it a name and point it to our All Windows 7 Computers collection.

Note: if you click on Select deployment Template, it will appear empty as you have not created any templates yet.
For Deployment Settings set the type of deployment to Required (mandatory) and State message level to Minimal (to reduce Configuration Manager server load via state messages)

For scheduling set the Time Based on to UTC

For User Experience we want the user to see they are being updated,

Set Alerts client compliance is below the following to 80%,

Set the Download Settings to download if a slow or unreliable connection detected, click next

When you get to Deployment Package, choose create a new deployment package,

Note: Make sure that \\sccm\sources\updates\windows7 (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won't exist

Select your Distribution Point and click next, then for Download Location select Download Software Updates from the Internet, select the English language and at the summary screen click on Save As Template, call the template Windows 7 updates Template

TIP: To review the progress of this task, while you are waiting for the wizard to complete you can browse the UNC on your server of your Deployment Package to see that it's actually filling up with updates, you should see something like this

And that's it, after you complete the wizard the software updates in the software update group are deployed to computers in the target collection

Finally, create a new collection called Build and Capture Windows 7 X64 and repeat the above Deployment for our Windows 7 Updates and target it to the Build and Capture Windows 7 X64 Collection as follows

In the next two parts we will start adding clients to these collections and we will verify that the above is really working.
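The log check from Step 1 of the post above, as an added example that is not part of the original post. Wsyncmgr.log accumulates entries from every sync run, so a success line is only meaningful if it was written after the most recent manual request; the function below makes that distinction. The function name, the state names and the sample lines are assumptions made for this example; only the two marker strings are quoted from the post.

```powershell
# Added example, not from the original post. The sample log lines are
# constructed; only the two marker strings are taken from the post.

function Get-ManualSyncState {
    param([string[]]$Lines)

    $requestMarker = 'Performing Sync on local request'
    $successMarker = 'Sync Succeeded. Setting Sync alert to cancelled on Site'

    # Index of the most recent manual sync request (-1 if none was logged).
    # -like compares case-insensitively, so differences in letter case
    # between the post and the log file do not matter.
    $lastRequest = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like "*$requestMarker*") { $lastRequest = $i }
    }
    if ($lastRequest -lt 0) { return 'NoManualSyncLogged' }

    # Only a success line written after that request belongs to it;
    # an earlier one is left over from a previous run.
    for ($i = $lastRequest + 1; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like "*$successMarker*") { return 'Succeeded' }
    }
    return 'NotYetSucceeded'
}

# Constructed sample: one completed run, then a second request that has
# not finished. The stale success line must not be reported for it.
$sample = @(
    'Performing Sync on local request'
    'Sync Succeeded. Setting Sync alert to cancelled on Site P01.'
    'Performing Sync on local request'
    '(constructed filler line standing in for sync progress entries)'
)

Get-ManualSyncState -Lines $sample
```

Against a live server, pass `(Get-Content <path to Wsyncmgr.log>)` as `-Lines` and re-run it until the state changes.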
-
In Part 1 of this series we got our AD and SCCM servers ready, and then we installed System Center 2012 Configuration Manager as a standalone Primary site. In Part 2 we configured the SCCM server further by adding some Windows Server roles necessary for the following Configuration Manager 2012 functionality, Software Update Point (SUP) and Operating System Deployment. In Part 3 we configured the server further by Enabling some Discovery methods and creating Boundaries and Boundary Groups. In Part 4 we configured Client Settings, Added roles and Distributed the Configmgr Client to our Computers within the LAB, now we will enable the Endpoint Protection Role and configure Endpoint Protection settings and we will target All Windows 7 Computers with these settings and policies.

Note: In Part 2 we selected Definition Updates in the Classifications screen to support Endpoint Protection as part of the SUP role setup, if you haven't completed that part then do so now before continuing.

Below is an Introduction to Endpoint Protection in Configuration Manager, for more info see the following on Technet - http://technet.micro...y/hh508781.aspx

When you use Endpoint Protection with Configuration Manager, you benefit from the following:

You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client, which is in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

Malware and Spyware detection and remediation.
Rootkit detection and remediation.
Critical vulnerability assessment and automatic definition and engine updates.
Integrated Windows Firewall management.
Network vulnerability detection via Network Inspection System.

Recommended Reading:-

Prerequisites for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508780.aspx
Best Practices for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh508771.aspx
Administrator Workflow for Endpoint Protection in Configuration Manager - http://technet.micro...y/hh526775.aspx

Step 1. Configure the Endpoint Protection Role

Perform the following on the SCCM server as SMSadmin

Note: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set EndPoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.

In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Servers and Site System Roles and click on Home in the Ribbon and click on Add Site System Roles.

When the wizard appears click next

Select the Endpoint Protection Point role and click next

Read and then accept the License Agreement terms

Next you get some choices about Microsoft Active Protection service, you can opt in, or opt out, let's select Basic Membership.

Click next at the summary and review the status on the completion screen.

Within a few minutes you'll see the Endpoint Protection client appear in the System Tray of your ConfigMgr Server (this is normal behaviour and is expected, you must have the SCEP client installed on your ConfigMgr Server hosting the Endpoint Protection role).

Note: you can review the EPSetup.log on the server to monitor role installation progress.

Step 2. Configure alerts for Endpoint Protection

Perform the following on the SCCM server as SMSadmin

Note: Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts can be displayed in the Configuration Manager console, through reports, or optionally can be emailed to specified users.

You can configure Endpoint Protection alerts in System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients.

Configure Email Notification (Optional)

If you have access to an SMTP server then you can optionally configure Email Notification Alerts. In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Email Notification.

Enter your desired settings for SMTP and click Apply. Note that you can test your SMTP settings also.

Configure Alerts for Collections

Next let's configure Alerts for a Collection, but first let's create a collection called All Windows 7 Computers (in a LAB this is fine for what we want to do, in Production you should create EndPoint Protection specific Collections).

Note:- You cannot configure alerts for User Collections.

Click on Assets and Compliance in the console, click on Device Collections and in the ribbon click on Create Device Collection.
Call the collection All Windows 7 Computers and limit it to All Systems.

Click next, choose Query Rule from the drop down menu and fill in a Query like so (edit query statement, criteria, show query language and replace the code with the below):

    select * from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

Set the schedule as follows (it's a LAB).

Click next through the wizard, the collection is now created.

In Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection (we have no computers in this collection yet but we will have soon) and choose properties.

Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard.

Click on Add and select all the options.

Click ok and leave the other Alert settings as they are.

Step 3. Configure the SUP Products to Sync and Perform a Sync

Perform the following on the SCCM server as SMSadmin

Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.

Change the Sync Schedule to 1 days.

Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates.

Answer Yes to the Sync.

At this point you can review the Wsyncmgr.log in CMTrace.

Step 4. Configure SUP to deliver Definition Updates using an Automatic Deployment Rule

Perform the following on the SCCM server as SMSadmin

In the Configuration Manager console, click Software Library, expand Software Updates and click on Automatic Deployment Rules.

In the Ribbon click on Create Automatic Deployment Rule and the wizard appears. Give the rule a suitable name like Automatic Deployment Rule for Endpoint Protection and point it to our previously created All Windows 7 Computers collection, then select add to an existing software update group.

On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next. This reduces the State Messages returned and thus reduces Configuration Manager server load.

On the Software Updates page select Date Released or Revised in the Search Criteria pane, click on Value to find and select Last 1 day.

In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.

For Evaluation Schedule, click on Customize and set it to run every 1 days.

Tip: notice that the Synchronization Schedule is listed below. Make sure that this occurs at least 2 hours before you evaluate for Forefront Endpoint Protection definition updates, there is no point checking for updates if we haven't synchronized yet.

For Deployment Schedule set Time based on: UTC (if you want all clients in the hierarchy to install the latest definitions at the same time. This setting is a recommended best practice.). For software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points, and select As soon as possible for the installation Deadline.
For the User Visual Experience select Hide from the drop down menu.

For Alerts enable the option to generate an alert.

For download settings, as the definition updates are important, let's download them even if on slow networks.

For Deployment Package we are creating a new one, so give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created folder.

Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists, otherwise the wizard will fail below when it tries to Download as the Network Path won't exist. In addition, every time this ADR runs it will want to create a new deployment package as specified above. We do not want this to happen, so after running the ADR once, retire it and create a new ADR, except this time point the deployment package to the package which is now created called Endpoint Protection Definition Updates.

Click your way through the rest of the Wizard till completion.

If you scroll to the right you'll see nothing has been downloaded, yet... (because our Automatic Deployment Rule hasn't run yet since the sync).

So let's force the Automatic Deployment Rule to run now, right click on our ADR and choose Run Now.

After a few minutes look at our Definition Updates again, notice the difference?

Step 5. Configure Custom Client Settings for Endpoint Protection

Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these applied to all computers in your hierarchy.

Below is an explanation of the Endpoint Protection settings available:-

In the Configuration Manager console, click Administration, click Client Settings and on the Home tab in the Create group, click Create Custom Client Device Settings.
Select Endpoint Protection and call it Custom Client Device Endpoint Protection Settings.

Click on Endpoint Protection and review the settings, change them to as follows:-

- Manage Endpoint Protection Client on Client Computers = True
- Install Endpoint Protection Client on Client Computers = True
- Automatically remove previously installed antimalware software before Endpoint Protection is installed = True
- Suppress any required computer restart after the Endpoint Protection client is installed = False
- Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) = 1
- Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers = True

Click ok when done, right click on the new custom settings and choose Deploy.

Select our All Windows 7 Computers collection and choose Ok.

Step 6. Configure Custom AntiMalware Policies

Perform the following on the SCCM server as SMSadmin

Note: Do not configure the default client Malware Policy unless you are sure that you want these applied to all computers in your hierarchy.

There are several pre-created AntiMalware Policies available, to review/use them click on Import.

We will create our own policy in this LAB, so in the Configuration Manager console, click Assets and Compliance, click Endpoint Protection, select Antimalware Policies.
In the ribbon select Create Antimalware Policy.

Give the policy a name like Custom Endpoint Protection Antimalware Policy.

For Scheduled scans change to Daily at 12 pm (default was Saturday, 2am) and set it to check for latest definition updates before the scan and to randomize the scan start time.

For Definition Updates set the check to 2 hours and click on set source, only select Updates distributed from Configuration Manager (deselect the other options).

Note: if your SCCM server has no internet access you can configure it to check for updates from UNC file shares.

Click Ok, Ok.

Right click our Custom Endpoint Protection Antimalware Policy and select Deploy, choose our All Windows 7 Computers Collection as we did for the Device settings above.

That's it, we are done! We have now created custom Client Device settings and a Custom Antimalware Policy for our All Windows 7 Computers collection. In further posts we will add some computers to that collection and verify our Endpoint Protection settings.

Note: If you are having issues with the client installing or getting the Endpoint Protection role installed please refer to the following Endpoint Protection log files.

- EndpointProtectionAgent.log - Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
- EPCtrlMgr.log - Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.
- EPMgr.log - Monitors the status of the Endpoint Protection site system role.
- EPSetup.log - Provides information about the installation of the Endpoint Protection site system role.
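When the client or the role fails to install, the log files listed above are where the evidence is. As an added example (not part of the original post), this PowerShell function pulls warnings and errors out of log lines in the two text layouts CMTrace reads; the function name Get-CMLogIssue, the constructed sample lines and the keyword rule for the layout without a severity field are assumptions made for illustration.

```powershell
# Added example, not from the original post. The sample lines are constructed.
$SampleLog = @'
<![LOG[Constructed sample: policy applied]LOG]!><time="10:15:02.114-120" date="05-14-2012" component="EndpointProtectionAgent" context="" type="1" thread="2412" file="sample.cpp:1">
<![LOG[Constructed sample: client install returned a non-zero exit code]LOG]!><time="10:15:09.870-120" date="05-14-2012" component="EndpointProtectionAgent" context="" type="3" thread="2412" file="sample.cpp:2">
Constructed sample: sync started  $$<SMS_WSUS_SYNC_MANAGER><05-14-2012 10:20:00.001-120><thread=3456 (0xD80)>
Constructed sample: sync failed, will retry  $$<SMS_WSUS_SYNC_MANAGER><05-14-2012 10:21:30.500-120><thread=3456 (0xD80)>
'@

function Get-CMLogIssue {
    param(
        [Parameter(Mandatory = $true)][string[]]$Line,
        [ValidateSet('Warning', 'Error')][string]$MinimumSeverity = 'Warning'
    )
    # Layout 1: <![LOG[text]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
    $tagged = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    # Layout 2: text  $$<COMPONENT><MM-dd-yyyy HH:mm:ss.fff+offset><thread=..>
    $plain = '^(?<msg>.*?)\s*\$\$<(?<comp>[^>]*)><(?<date>\d{2}-\d{2}-\d{4}) (?<time>[^>]+)><thread='
    $rank = @{ Info = 1; Warning = 2; Error = 3 }

    foreach ($entry in $Line) {
        if ($entry -match $tagged) {
            # Copy the fields out at once: the next successful -match replaces $Matches.
            $msg, $comp, $date, $time = $Matches.msg, $Matches.comp, $Matches.date, $Matches.time
            $severity = switch ($Matches.type) { '3' { 'Error' } '2' { 'Warning' } default { 'Info' } }
        }
        elseif ($entry -match $plain) {
            $msg, $comp, $date, $time = $Matches.msg, $Matches.comp, $Matches.date, $Matches.time
            # This layout has no severity field, so classify by keyword (an approximation).
            $severity = if ($msg -match '(?i)\b(error|fail)') { 'Error' } elseif ($msg -match '(?i)\bwarn') { 'Warning' } else { 'Info' }
        }
        else { continue }   # continuation of a multi-line entry, or an unknown layout

        if ($rank[$severity] -ge $rank[$MinimumSeverity]) {
            [pscustomobject]@{ Date = $date; Time = $time; Component = $comp; Severity = $severity; Message = $msg }
        }
    }
}

# Run against the constructed sample; for a real log pass the output of Get-Content instead.
Get-CMLogIssue -Line ($SampleLog -split '\r?\n') | Format-Table -AutoSize
```

Only single-line entries are parsed; lines that match neither layout are skipped, so a multi-line message shows up by its first line only.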