Skip to main content

Configuring Group Policies for your ConfigMgr Servers

Disclaimer: Please test and validate this in your test environment, don’t take the information i provide for granted. This article describes a method to determine correct settings and doesn’t supply the answer to your specific environment !

When you are installing System Center Configuration Manager (ConfigMgr) in environments where group policies are used to control the User Rights Assignment and Security Options security settings of the Servers, you have to be extra carefull.

You can expect some strange behavior after the installation because when the companies policy is applied again, it removes some entries made by either the prerequisite installation (roles and features) and installation of ConfigMgr itself, and this can result in some interesting scenario’s. Therefore my advise would be:

If you know the environment in which you are going to install ConfigMgr in, has a lot of restricing group policies make sure you do the installation of ConfigMgr while the servers are member of an OU with minimal policies applied.

Read More

System Center 2012 R2 Configuration Manager prerequisite overview on Windows Server 2012 R2

Before you can start installing System Center 2012 R2 Configuration Manager in your environment you have to install the servers with an OS and configure its roles and features. While the Site System Installation Wizard now provides the option to configure some of the roles and features when not installed, I prefer to setup my environment upfront so that the Prerequisite Checker doesn’t give any Errors or Warnings to start with. My ex-collegue Tom Klaver already documenten the settings once for installing ConfigMgr 2012 RTM on Windows Server 2008 R2 – but since some things changed in the meantime i decided to update the spreadsheat to reflect installing System Center 2012 R2 Configuration manager on top of Windows Server 2012 R2. This information is coming from the following documentation on TechNet – Supported Configurations for Configuration Manager via: More

Some things to consider before installing the ConfigMgr database on a SQL cluster

Note: I’ve already posted this article a while ago, but since my ex-employer decided to whipe the whole website without asking me if I would like a backup it got lost. Therefore i decided to place it here again. Note that this is still valid for ConfigMgr 2012 installations, i’ve modified the article to reflect that.

The System Center Configuration Manager (ConfigMgr) database can be installed on a clustered SQL Server, some things work different though compared to installing ConfigMgr on a normal SQL server installation, and you should be aware of them before starting your installation.

To summarize in front, what you should take into account before starting your installation:

  1. Make sure that the SQL administrators are aware that during installation extra righs are needed and that after installation the Site server must stay local administrator on the cluster nodes
  2. Make sure that the SQL administrators are aware of the fact that ConfigMgr will install a service on the Cluster Nodes, which is used for creating the backup using VSS
  3. Make sure that each shared cluster disk contains a no_sms_on_drive.sms file on the disk
  4. Configure the Site Backup tasks, so that it is either configured to backup to an UNC path or a drive which is suitable for storing the backup files on both the site server and the cluster nodes using the “Different Paths for the Site Backup and Database backup” option

Read More

The self signed certificate could not be created successfully error in the Create Site System Server Wizard

Today, a customer contacted me with a very strange issue while installing a new Site System Server in his System Center 2012 R2 Configuration Manager environment. While adding a new Site System (in this case a distribution point) on the Distribution Point page of the Create Site System Server Wizard the customer got the following error on the Create a self-signed certificate or import a PKI client certificate part. Read More

Windows Management User Group Netherlands: Meeting on the 17th of September

wmug_logoOn Tuesday evening the 17th of September the Windows Management User Group Netherlands organizes its 3rd meeting. The announcement, which is in Dutch can be found here.

The subject of the evening is virtualization, and its hosted by PQR and we have three fantastic speakers for this evening, session summaries will be communicated soon:


  • 17:30 – 18:30 Registration and food
  • 18:30 – 19:30 Sessie 1, Ruben Spruijt
  • 19:45 – 20:45 Sessie 2, Henk Arts
  • 21:00 – 22:00 Sessie 3, James van den Berg

The sessions will be in Dutch, tickets can be reserved here at no additional costs.


How to create ConfigMgr 2012 boot images from scratch

Today, after installing a fresh System Center 2012 Configuration Manager Service Pack 1 environment, we experienced that the Boot images for both 32- and 64-bit were not created. The reason for this is already widely known, because it had to do with the virus scanner which was active at time of installation. There are already some articles describing what can go wrong during an upgrade to Service Pack 1 for example, as described in the following article: Updated System Center 2012 Configuration Manager Antivirus Exclusions with more details on OSD and Boot Images, etc… . So lesson one here: Please disable the virus scanner during installation and make sure the correct exclusions are in place after installing the ConfigMgr environment.

Read More

Introducing the Windows Management User Group Netherlands (WMUG NL)

Text below is in Dutch, together with Bob Cornelissen, Marnix Wolf and Peter Daalmans we created a new User Group called the Windows Management User Group Netherlands or in short WMUG.NL.

With the user group we want to provide a platform for and by people involved with managing the Microsoft Windows platform. Our first session will be held on the 22nd of May this year.

If you have any questions about the new user group, mail us at

Read More

Role Based Access Control in ConfigMgr 2012: Part 4 Outcome

In the first part of this series I outlined what Microsoft changed in ConfigMgr 2012 in order to introduce Role Based Access Control. In the second part I outlined a possible scenario and started building the scenario. In the third part we mapped the business roles to the ConfigMgr roles and configured them in the ConfigMgr console. In this part we are going to see, what the outcome of this mapping has become.

SSC Operations Administrator

The SSC Operations Administrator can manage the whole environment, except for the security. As you can see, when a SSC Operations Administrator opens the ConfigMgr Console, he isn’t able to modify the security under Administrative Users.

Read More

Role Based Access Control in ConfigMgr 2012: Part 3 Mapping OpCo roles to ConfigMgr roles

In the first part of this series I outlined what Microsoft changed in ConfigMgr 2012 in order to introduce Role Based Access Control. In the second part I outlined a possible scenario and started building the scenario up to the point where the OpCo roles will be mapped to the ConfigMgr roles, this post will discuss the steps taken.

For the purpose of mapping the Customer roles to the ConfigMgr roles I created a spreadsheet to help out. Make sure that you understand what each OpCo needs to be able to do, and try to map this using the default roles. If not create a custom role and integrate this role into the matrix. My matrix turned out something like this:

Read More

Role Based Access Control in ConfigMgr 2012: Part 2 Scenario

In the previous post I introduced Role Based Access Control in ConfigMgr 2012 as the new way to delegate administrative access to a ConfigMgr hierarchy. In this post I’m going to walk you through a scenario and show you how we can delegate the access in order to meet the requirements.

The Scenario:

The Customer is a very large company, which has a Shared Service Center responsible for the ConfigMgr environment. Each OpCo has its own IT department which manage their own servers and workstations. In the past each OpCo had their own Primary Site, and they should now be able to operate the environment in a similar way, while the Shared Service Center manages the environment. With operating you should think about:

  • Create Packages and Applications
  • Create Task Sequences
  • Specify their own Client Settings
  • Create Deployments
  • Install Distribution Points

The company wants to facilitate sharing between OpCo’s though, therefore objects created by OpCo’s should be able to be shared

Read More