System Center 2012 Configuration Manager Logo Certification for Windows Server 2008 R2
Updated: May 1, 2012
Applies To: System Center 2012 Configuration Manager
Microsoft System Center 2012 Configuration Manager is logo certified for Windows Server 2008 R2. Read the following sections in conjunction with the Windows Logo Program: Microsoft Certified for Windows Server 2008 R2 Application Test Framework.
Application installation failed on the multilingual environment
Requirement 1.5 - Execute appropriately in a multilingual environment
Expected Behavior:
Applications must run in a global environment. Unicode-compliant applications must support customers running in a multilingual environment; non-Unicode applications that support specific languages must support customers running in a supported language environment.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
This issue will be fixed in an upcoming release. Workarounds for RTM are:
Set the %TEMP% environment variable to a path that only contains ANSI characters.
Use an account that contains only ANSI characters in the account name.
Application installation generated Internal Consistency Evaluator Errors
TC 2.1.2 - ICE errors # 18, 24, 27, 34, 71 were generated while validating application installer
Expected Behavior:
Windows Installation packages must not receive any errors from the Internal Consistency Evaluators (ICEs).
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
ICE18
Adminconsole.msi – Admin Console
Client.msi – Client Agent
Portalweb.msi – SW Catalog Server Role
Srsrp.msi – Reporting Srvcs Server Role
These components do not allow you to add or remove individual features (that is, product configuration). We only allow full installation and full removal so the paths where the folder logic would end up in a bad state are not possible. This is expected to be resolved in a future release.
ICE27
- 32bitcompat.msi – 32-bit proxy dlls so that 3rd party 32bit extensions can work with our 64-bit clients
We do not define any dialogs, so the package always installs with the basic UI and these ‘missing’ dialogs have no functional impact. We have confirmed that install and uninstall work properly in both quiet and user-interactive modes.
ICE34
Adminconsole.msi – Admin Console
This is by design: to meet a privacy requirement, we do not want the CEIP opt-in dialog box to have a default selection. The controls are still accessible through hot keys and tab order.
Wimgapi.msi – this is an external component that we get from another team. That team does not have the resources to fix and retest the MSI unless there is a functionality issue caused by these errors. We are not aware of any functionality issues these errors cause, and given our deployment and servicing model for this MSI we do not expect to encounter any issues. This MSI was released for our last major release with these same ICE failures and we have not heard of any negative effects. It has two ICE errors reported:
ICE24 – the upgrade code contains lowercase letters. We believe this doesn’t cause any actual problems. Our servicing and upgrade model for this MSI is full uninstall/reinstall managed by an external bootstrapper. Therefore, we have no dependencies on the upgrade code and this will not cause any future issues for us or our customers.
ICE71 – media table starts with diskid4. Since there is only one entry in the media table, and all the files are packed in a cabinet file that is stored within the database as a separate stream, we believe this doesn’t cause any actual problems for MSI.
Client component installed by the application does not create ARP entry
TC 2.3.1 - Does the application uninstall cleanly?
Expected Behavior:
Applications must correctly and fully uninstall from the machine. This includes removing files, registry keys, GAC assemblies, database tables, metabase settings, active directory accounts, Services, and so on. Anything left on the system after uninstall, including system components installed by the application, must be documented and justified.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
The site server is registered in Add/Remove Programs, so it can be uninstalled by that method. However, there are many files and folders that are not removed as part of a site server uninstall. The following files and folders are not removed, and are to be automatically removed upon uninstall in a future release. They can be safely removed as desired:
All files and folders in the C:\SMSPKGSIG folder
All files and folders in the C:\SCCMContentLib folder
All files in the C:\SMSPKG folder
All files in the C:\SMSPKGC$ folder
All files in the C:\SMSSIG$ folder
A future release of System Center 2012 Configuration Manager will properly remove the above directories.
The following files are removed upon uninstall, unless they are in use during the uninstall process. If so, they should be removed after a system restart, unless still in use:
C:\Windows\System32\FrameworkServerPerf.dll
C:\Windows\SysWOW64\FrameworkServerPerf.dll
C:\Windows\inf\CcmFrameworkServer
C:\Windows\inf\CcmFrameworkServer\0009
C:\Windows\inf\CcmFrameworkServer\0009\CcmFrameworkServer.ini
C:\Windows\inf\CcmFrameworkServer\CcmFrameworkServer.h
The following files are not removed, and left for the administrator to validate and troubleshoot (if necessary) the uninstall process. They can be safely removed as desired:
C:\ConfigMgrSetup.log
C:\ConfigMgrAdminUISetup.log
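The three lists above can be checked on a server after uninstall. The following PowerShell is an added example, not part of the original document or of Configuration Manager; the helper name Get-UninstallLeftover is hypothetical, and the check of the Windows delayed-delete list assumes the uninstaller uses that standard mechanism for in-use files, which the document does not state.

```powershell
# Added example: read-only audit of what a site server uninstall left behind.
# All paths come from the lists in this document; nothing is deleted.
$safeToRemove = 'C:\SMSPKGSIG', 'C:\SCCMContentLib', 'C:\SMSPKG', 'C:\SMSPKGC$',
                'C:\SMSSIG$', 'C:\ConfigMgrSetup.log', 'C:\ConfigMgrAdminUISetup.log'
$goneUnlessInUse = 'C:\Windows\System32\FrameworkServerPerf.dll',
                   'C:\Windows\SysWOW64\FrameworkServerPerf.dll',
                   'C:\Windows\inf\CcmFrameworkServer'

# Assumption: files that were in use are queued in the standard Windows
# delayed-delete list, which is processed at the next restart.
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = @((Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations)

function Get-UninstallLeftover {   # hypothetical helper name
    param([string[]]$Path, [string]$Class)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Count files and total size under the path (or the file itself).
        $files = @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $bytes = [long]($files | Measure-Object -Property Length -Sum).Sum
        New-Object PSObject -Property @{
            Path           = $p
            Class          = $Class
            Files          = $files.Count
            SizeMB         = [math]::Round($bytes / 1MB, 1)
            PendingRemoval = [bool]($pending -like "*$p*")
        }
    }
}

$report  = @(Get-UninstallLeftover -Path $safeToRemove    -Class 'Documented leftover')
$report += @(Get-UninstallLeftover -Path $goneUnlessInUse -Class 'Should be gone after restart')
$report | Sort-Object Class, Path |
    Format-Table Path, Class, Files, SizeMB, PendingRemoval -AutoSize
```

A row in the second class with PendingRemoval set to False after a restart is a file that is still held open or was never scheduled for removal.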
Stop code errors were generated while installing the application with luapriv enabled in Application Verifier
TC 2.4.1 - Does the application attempt to write to or replace files under Windows Resource Protection?
Expected Behavior:
Applications should install without attempting to replace any files or registry settings protected by Windows Resource Protection.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
The errors about elevated permissions and privileges are expected. Our installers need to install and update some system-level components for our product to function properly, and they do not support running without administrative privileges, so these calls will always succeed.
Application does not install shared component to the correct location
TC 2.7.1 - Do shared components that are private to a single vendor install to correct location?
Expected Behavior:
Shared components that are private to a single software vendor must be installed in one of two places: the common files directory, or the publisher's directory under the Program Files folder. Do not store these files in the System directory.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
Files contained in the SMSPKGSIG folder are staged on the site server drive that has the most free disk space (no computer other than the site server will contain this folder), and are used for validating hash/signatures for files distributed to the distribution point. The files contained in the SMSPKGSIG folder are not installed on any client, including the server on which they are hosted. These files are created by the SMS Executive service and contain the content hash of the file, and are used for security validation. The site server’s SMS Executive maintains the original filename.
The files in the %windows%\ccmsetup folder are downloaded by client computers during the installation of the Configuration Manager client software. The %windows%\ccmsetup folder is our designated staging folder for the client installation files. We do not download or install them in the "Program Files" folder as we do not want users to 'find' the files, and subsequently delete them. These files are retained after installation of the Configuration Manager client agent in the event the client agent needs to be reinstalled - thus preventing the download of the files again over the network. The Configuration Manager 2012 client installs, by default, to the %windir%\Ccm folder.
All files copied to the "Windows\winsxs\Catalogs" folder are from the external components that Configuration Manager requires for successful install of both the Configuration Manager site server and the Configuration Manager client. An example of such a component is VCRedist. None of them are directly installed from our Configuration Manager 2012 site server or client components, rather they are installed.
Application binaries do not contain valid file version information
TC 2.8.2 - Do the application binaries have valid file version information?
Expected Behavior:
Application binaries must contain valid file version information, including Publisher, Product Name, and Product Version.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
The binaries Ccmsetup.exe and Scepinstall.exe, which are located in the SMSPKGSIG directory, are staged on the site server drive that has the most free disk space (no computer other than the site server will contain this folder), and are used for validating hash/signatures for files distributed to the distribution point. The files contained in the SMSPKGSIG folder are not installed on any client, including the server on which they are hosted. These files are created by the SMS Executive service and contain the content hash of the file, and are used for security validation. The site server’s SMS Executive maintains the original filename.
The following files in the same folder, without valid file version information, are external component files which Configuration Manager 2012 is dependent on but does not control:
dotnetfx40_client_x86_x64.exe
msrdcoob_x86.exe
silverlight.exe
vc50727_x86.exe
vcredist_x86.exe
wic_x86_enu.exe
windowsupdateagent30-x86.exe
msrdcoob_amd64.exe
vc50727_x64.exe
vcredist_x64.exe
wic_x64_enu.exe
windowsupdateagent30-x64.exe
Some of the executables installed by the application do not contain an embedded manifest and some run with higher privilege
TC 3.1.1 - Verify application launches with Least Privilege user token
Expected Behavior:
Every executable file installed by the application runs with Least Privilege.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
The files without a manifest fall into one of the following areas:
The following files with an “.exe” extension are not Win32 applications. These files are designed to run on other platforms (WinCE, Windows Mobile, ARM), and therefore adding a manifest would have no effect and could have a negative side effect.
dmclientsetup_arm.exe
dmclientsetup_x86.exe
dmclientxfer.exe
dmcommoninstaller.exe
enroll_arm.exe
enroll_x86.exe
The following files are designed to be installed as a service and run in the Local System context. These files cannot be launched interactively by the user so adding a manifest would not change how they are run.
sdkinst.exe
smsbkup.exe
smssqlbkup.exe
smstsvc.exe
CmRcService
The following files only support being programmatically called by our core services, such as site system installation or operating system deployment, or launched from the console to complete a task. Most of them cannot be run independently by a user so adding a manifest would not change how they are run.
bootstrp.exe
compmgr.exe
comregsetup.exe
CreateMedia.exe
dumpexcp.exe
OsdSetupHook.exe
perfsetup.exe
preinst.exe
rolesetup.exe
smsdpmon.exe
smswriter.exe
srvboot.exe
TsBootShell.exe
TsProgressUI.exe
tsprogressui.exe
Ccm32BitLauncher
CcmEval
VAppCollector
The following files are external redistributable components from another Microsoft team, and are required components for Configuration Manager client installation. We do not have control over these files; however, they all install software and require elevated permissions, so adding a manifest would not change how they are run.
msrdcoob_amd64.exe
msrdcoob_x86.exe
nlsdl.amd64.exe
silverlight.exe
sqlexpr_x64_enu.exe
vc50727_x64.exe
vc50727_x86.exe
wic_x64_enu.exe
wic_x86_enu.exe
windowsupdateagent30-x64.exe
windowsupdateagent30-x86.exe
The following file is already addressed in our waiver for supporting “User Account Control” for installation (2.9).
- ccmsetup.exe
The following files are intended to be run by an administrator, but do not require elevation. These files can be launched either as part of our console or manually by the administrator. Adding a manifest would change the context these run under so these are the crux of our waiver request.
CmRcViewer.exe
cmtrace.exe
setupdl.exe
In order to streamline future certification testing, we intend to add the appropriate manifest where applicable for our next release.
Some of the binaries installed by the application do not contain Authenticode signature
TC 3.8.1 - Are all executables installed by application signed?
Expected Behavior:
Ensure that all installers and executables installed by the application have a valid Authenticode signature.
Microsoft Corporation – Microsoft System Center 2012 Configuration Manager: Observed Behavior
Result: Issue
Resolution: Documentation
The binaries Ccmsetup.exe, Ccmsetup.cab, Client.msi, and Scepinstall.exe, which are located in the SMSPKGSIG directory, are staged on the site server drive that has the most free disk space (no computer other than the site server will contain this folder), and are used for validating hash/signatures for files distributed to the distribution point. The files contained in the SMSPKGSIG folder are not installed on any client, including the server on which they are hosted. These files are created by the SMS Executive service and contain the content hash of the file, and are used for security validation. The site server’s SMS Executive maintains the original filename.
The following files without valid signatures are third-party files which Configuration Manager 2012 is dependent on but does not control:
dotnetfx40_client_x86_x64.exe
microsoftpolicyplatformsetup.msi
msrdcoob_x86.exe
msxml6.msi
silverlight.exe
vc50727_x86.exe
vcredist_x86.exe
wic_x86_enu.exe
windowsfirewallconfigurationprovider.msi
windowsupdateagent30-x86.exe
wimgapi.msi
msrdcoob_amd64.exe
msxml6_x64.msi
vc50727_x64.exe
vcredist_x64.exe
wic_x64_enu.exe
windowsupdateagent30-x64.exe
Prepdrv.sys is the Configuration Manager software metering driver, and is installed as part of the Configuration Manager client, through the Client.msi file. In the default installation, this file is unsigned; however, we have provided a signed version of the file in the downloadable media in the \SMSSetup\Tools\WinQual folder. Instructions on how to install the signed software metering driver will be posted for public consumption at our general availability. In a future release of Configuration Manager 2012, the prepdrv.sys file, as part of default installation, will be a WHQL signed file.
The fact that the Prepdrv.sys driver is unsigned is covered by Waiver #356 “MSFT SCCM 2012 - TC1.3.1 - All drivers in the application must pass Windows Hardware Quality Labs (WHQL)”. This is expected to be resolved with either the signature being embedded into the driver, or the CAT file being pushed along with the driver.
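The exception lists for TC 2.8.2 (version information) and TC 3.8.1 (Authenticode) can be turned into an allowlist, so that only files outside the documented exceptions are flagged. The following PowerShell is an added example, not part of the original document or of Configuration Manager; the function name Get-StagedFileAudit is hypothetical and the default folder (%windir%\ccmsetup) is an assumption, so pass the folder you want to audit.

```powershell
# Added example: audit staged binaries for Authenticode signature and version
# resource, separating the exceptions this document lists from anything else.
function Get-StagedFileAudit {   # hypothetical helper name
    param([string]$Folder = (Join-Path $env:windir 'ccmsetup'))   # assumed default

    # External files the document lists as unsigned and without version information.
    $docExe = 'dotnetfx40_client_x86_x64.exe', 'msrdcoob_x86.exe', 'msrdcoob_amd64.exe',
              'silverlight.exe', 'vc50727_x86.exe', 'vc50727_x64.exe',
              'vcredist_x86.exe', 'vcredist_x64.exe', 'wic_x86_enu.exe',
              'wic_x64_enu.exe', 'windowsupdateagent30-x86.exe',
              'windowsupdateagent30-x64.exe'
    # Installer packages the document lists as unsigned.
    $docMsi = 'microsoftpolicyplatformsetup.msi', 'msxml6.msi', 'msxml6_x64.msi',
              'windowsfirewallconfigurationprovider.msi', 'wimgapi.msi'

    Get-ChildItem -LiteralPath $Folder -Recurse -Force |
      Where-Object { -not $_.PSIsContainer -and
                     $_.Extension -match '^\.(exe|dll|sys|msi|cab)$' } |
      ForEach-Object {
        $name   = $_.Name.ToLowerInvariant()
        $status = (Get-AuthenticodeSignature -FilePath $_.FullName).Status

        # Version resources exist only in PE files, so skip the check for MSI and CAB.
        $versionOk = $true
        if ($_.Extension -match '^\.(exe|dll|sys)$') {
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            $versionOk = -not ([string]::IsNullOrEmpty($vi.CompanyName) -or
                               [string]::IsNullOrEmpty($vi.ProductName) -or
                               [string]::IsNullOrEmpty($vi.ProductVersion))
        }

        # Only NotSigned can be a documented exception. HashMismatch or NotTrusted
        # means a signature is present but does not verify, so it always needs review.
        $sigOk = ($status -eq 'Valid') -or
                 (($status -eq 'NotSigned') -and (($docExe + $docMsi) -contains $name))
        $verOk = $versionOk -or ($docExe -contains $name)
        $finding = if ($status -eq 'Valid' -and $versionOk) { 'OK' }
                   elseif ($sigOk -and $verOk) { 'Documented exception' }
                   else { 'Review' }

        New-Object PSObject -Property @{
            Name = $_.Name; Signature = $status; VersionInfo = $versionOk; Finding = $finding
        }
      }
}

Get-StagedFileAudit | Sort-Object Finding, Name |
    Format-Table Name, Signature, VersionInfo, Finding -AutoSize
```

Rows marked Review are files that fail a check without being named in the lists above, or whose signature is present but does not verify.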