You are browsing the archive for 2007 August.

Configmgr 2007 Rtm’s / Configmgr 2009 Wishlist

8:11 am in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Hi all,

UPDATED: Removed DP Decommision, this was apparently fixed from what I can see in my lab, great job.

As you probably have read on several  blogs Configmgr 2007 has Rtm’ed in line with the always publicly announced Summer 2007 release date. So in contrast with most products now-a-days that have slipping release dates our Configmgr 2007 delivered right on time. Hey they are even about a month early, well done.

Bill, I assume this means the team can go on vacation till the 20th of september, right?

You can read the official announcement here:

I’ll leave it up to someone else to post about the importance of Microsoft using a blog to get the word of this release out.

You can download the evaluation version here:, and in contrast with previous versions the evaluation version will be fully upgradeable to the full version. General availability is expected early november.

Now that we have this Configmgr 2007 thingy out of the way, it is time to compile our Configmgr 2009 aka SMSV5 wishlists compiled. Since the product team is on vacation till the 20th of september we have about a month to get early feed back in. So I’ll get the bal rolling by publishing mine.


Site Infrastructure:

Multi-tenancy is on the top of my list here. The ability to host multiple customers on one single site. This requires a great deal of work, but would open up Configmgr 2007 to be used in a real hosting scenario. Stuff that probably needs to be taken care of, are “Site Wide Settings”. Easier way of limiting reports to certain collections. Easier way of handling security on sms objects, possibly by using folder security and inheritance.

A way to replicate between Configmgr Sites that does NOT require file sharing. Opening up the Firewall for filesharing usually creates big discussions with the security admins. Please give us an alternate way of connecting sites.

Admin UI:

Object backup & restore to aid in migrating.

Right-click option, to trigger client actions, central way to configure client settings (Client cache size is just one example).


Inventory network devices would be a welcome addition here.

An easier way to add additional information to the inventory of an existing device. EG: be able to add the warranty period by just adding it to resource explorer from with the Admin console.

Software distribution:

Staggering advertisements/ Trickle feed collections, whatever else you want to call this. It is a way to load balance software distributions in a less administration-intensive way.

Postpone software distribution end-user option. This should look closely like the options we have in ITMUv3 where users can postpone the installation of Updates.

Integrate with Vista’s Presentation settings to avoid pop-ups and reboots when users are giving presentations.


Some sort of discovery that can browse entire subnets to find devices without the device needing to have snmp enabled.

An easier way to add devices manually into the Configmgr database.


Allow Task sequences to run as local logged in user. Task sequences are invaluable for a lot of things, one of them being the ability to control which applications get installed in which order, they only have one limitation, they can only run as localsystem, this limitation has to go.


Windows Mobile 6.0 support needs to be added.


Either we change the acronym to be Desired Configuration Monitoring, or we start making work of this actually being Desired Configuration Management. Additional template manifests, to monitor SOx and other regulatory compliancy would be HUGE.

Agree with other Microsoft teams on which SDM/SML version should be used to make sure that these “Manifests” can be used in Configmgr/Opsmgr/Service Manager without any modifications.


Reporting needs to go the SQL Reporting Services route, for consistency with other Microsoft Products and for the added flexibility that SQL Reporting Services brings.

Software Metering:

Complete license management, which means at least the possibility to add the number of licenses you bought to the Config Mgr 2007 database. A way to store the License Keys in a secure fashion would be nice as well.


That’s it for now :-)




Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

Planning your CRL Distribution Point for Configmgr 2007 Native mode

1:25 pm in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Hi all,


Everyone that has ever done an sms roll-out should know that planning is critical to the success of the project. Now one planning part that might easily get overlooked is planning some portions of the PKI infrastructure. And an important part of planning your pki for Configmgr 2007 is planning the location of your Certificate Revocation List Distribution point.

Let me start by Sketching the problem. Configmgr 2007 Native mode relies on certificates to do the client authentication. Certificate authentication is a very strong authentication method, but it comes with some things you should know about it, to properly use it. One of the things that work different with certificate based authentication is how you disable a certain account from being able to authenticate in the future. This might be necessary because you don’t want the certificate of an end-of-life machine to be mis-used for communication purposes, or because the certificate was compromised. When you use user accounts you can just disable the account and your done. With certificates you need to revoke the certificate AND publish the certificate on the Certificate Revocation List.

If you use a default Windows 2003 PKI then the Certificate Revocation list is by default published in Active Directory and on The Certificate authority website, which is accessible to all authenticated users (Which includes computer accounts). Now, these defaults are fine for Internal clients, but are not accessible in some instances. Internet based clients for instance will not be able to access either of these Crl distribution points (CDP). And they are not the only ones, clients in untrusted forests, workgroups, or even clients that boot from a Configmgr 2007 Boot Image will not be able to access these CDP’s.

The reason why your CDP’s need to be carefully planned is because the list of CDP’s is actually part of the certificate. So once the certificate is rolled out, there is NO WAY to add another CDP on their in an easily automated way without redistributing all your certificates!!!

Clients that are not able to contact the CDP, will fail to communicate if CRL checking is enabled, and will throw an error in the logs called



Now, there are 2 fixes for this:

1) Disable Certificate Revocation List checking. You can do this from within the Configmgr 2007 Console, on the Site Properties Site Mode tab, by clearing the Check Certificate Revocation list checkbox.  (The checkbox is only visible if your site is in Native mode). This obviously is the easiest fix, but lowers your pki, client-certificate based security to an unacceptable level in my humble opinion, and by consequence is only fit for Labo and demonstration purposes.


2) Publish your CDP and make sure it is accessible to Workgroup, internet-based, and untrusted forest clients. This obviously is the proper way of handling this issue. Great, now how de we do that? Well, that could be food for another post. But since the folks over at already created an article about that, which continues into publishing the CDP with Isa Server 2004, I am not going to bother writing it up myself. I will just point you guys to this article




Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS

David, you’ll be missed.

11:31 am in personal by The WMI guy