Deployment Guide
Copyright
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement
from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
General Disclaimer
The contents of this document are subject to change without notice; therefore, the information presented
herein shall not be construed as a commitment or warranty. Microsoft shall not be liable for any technical or
editorial errors or omissions contained herein or for incidental or consequential damages resulting from the
performance, furnishing, reliance on, or use of this material.
Patents
Certain software described in this document is protected by issued and pending U.S. and foreign patents.
Microsoft, The SoftGrid Desktop, SoftGrid, SystemGuard, Virtual Application Services, Virtual Application
Server, Application Management Lifecycle, Application Management for the Always-On Enterprise, and Take
Control of Your Software are registered trademarks or trademarks of Microsoft Corporation. Other company,
brand and product names are the property of their respective owners.
Contents
Diagnostics and Recovery Toolset 6.0 ............................................................................................................ 5
Diagnostics and Recovery Toolset 6.0 Deployment Guide (for Windows Vista and Windows Server 2008)............... 5
Asset Inventory Service ..................................................................................................................................... 8
Asset Inventory Service Overview ............................................................................................................................................. 8
Activating AIS with Microsoft Volume License Services ................................................................................................ 10
Home Workspace .......................................................................................................................................................................... 12
Reports Workspace ...................................................................................................................................................................... 15
Software Categories ..................................................................................................................................................................... 19
Software Workspace .................................................................................................................................................................... 25
Licenses Workspace ..................................................................................................................................................................... 27
Computers Workspace................................................................................................................................................................ 30
Management and Support Workspace ................................................................................................................................ 32
Client Deployment ........................................................................................................................................................................ 33
Install the AIS Client Software .................................................................................................................................................. 34
Verify AIS Client Software Deployment ................................................................................................................................ 43
Client Configuration Settings in the AIS Administrative Template File ................................................................... 44
Remove the AIS Client Software ............................................................................................................................................. 48
Update the AIS Client Software ............................................................................................................................................... 52
User Management ........................................................................................................................................................................ 55
Account Management ................................................................................................................................................................. 56
Troubleshooting and Support.................................................................................................................................................. 56
Microsoft Advanced Group Policy Management 3.0 ................................................................................. 57
Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0 ..................................................... 57
AGPM Scenario Overview .......................................................................................................................................................... 57
Requirements.................................................................................................................................................................................. 58
Steps for Installing and Configuring AGPM ....................................................................................................................... 60
Steps for Managing GPOs ......................................................................................................................................................... 64
®
Microsoft System Center Desktop Error Monitoring (DEM) ..................................................................... 72
Introduction..................................................................................................................................................................................... 72
System Requirements .................................................................................................................................................................. 73
Installing the Desktop Error Monitoring Management Server ................................................................................... 74
Installing the Desktop Error Monitoring Reporting Server .......................................................................................... 80
The System Center Operations Manager Operations Console ................................................................................... 83
Configuring Client Monitoring ................................................................................................................................................ 85
Accessing Agentless Exception Monitoring Views .......................................................................................................... 89
Accessing Agentless Exception Monitoring Reports ...................................................................................................... 90
Customizing Client Monitoring Data Collection and Solution Response URLs for Error Groups ................ 91
Microsoft Application Virtualization Version 4.5 ....................................................................................... 92
Introduction..................................................................................................................................................................................... 92
System Requirements .................................................................................................................................................................. 94
Installing Microsoft System Center Application Virtualization Management Server ......................................... 96
Installing Microsoft Application Virtualization for Desktops .................................................................................... 108
Testing the Default Application ............................................................................................................................................ 112
Microsoft Application Virtualization for Terminal Servers ......................................................................................... 117
Installing Microsoft Application Virtualization Sequencer ........................................................................................ 117
Sequencer Files ........................................................................................................................................................................... 120
Sequencing Word Viewer 2003 ............................................................................................................................................ 121
Sequencing Silverlight 1.0 for Internet Explorer ............................................................................................................ 130
Microsoft System Center Application Virtualization Streaming Server ................................................................ 132
Offline Deployment Using the Sequencer-Generated .msi File ............................................................................... 135
Setting up Application Virtualization for Secure Connections................................................................................. 139
Troubleshooting ......................................................................................................................................................................... 146
Accessing the Microsoft Support Knowledge Base ...................................................................................................... 147
Contacting Microsoft Training .............................................................................................................................................. 147
Diagnostics and Recovery Toolset 6.0
Diagnostics and Recovery Toolset 6.0 Deployment Guide
(for Windows Vista and Windows Server 2008)
In the following sections, common tasks in preparation of using the ERD Commander are listed. The handson labs provide many of the same tasks, plus look at using the ERD Commander to successfully diagnose
and recover unusable systems. In order to use the ERD Commander in the virtual environment copy the ISO
and mount it instead of burning a CD.
CREATING THE CD
You will need the following items to successfully create a bootable CD from the ISO image that the ERD
Commander Boot Media Wizard creates:

A CD-R or CD-RW drive.

Vista DVD or ISO image.

A recordable CD (supported by your recordable drive).

CD burning software that supports your recordable drive and supports burning an ISO image
directly to CD.
Note: You should test the CD that you create on all systems that you intend to support because
some systems are not capable of starting from all types of recordable CDs.
Note: At this time there is no support for creating and ERD Commander installation on a removable
USB flash drive.
When you run the ERD Commander Boot Media Wizard, you should be prepared to provide the
following information:

Vista DVD: You will be asked to provide the location of a valid Vista DVD that the Windows Recovery
Environment (WinRE) environment can be built from.

Debugging Tools for Windows. You will be asked to provide the location of the Debugging Tools for
Windows. For more information, see How to Add the Debugging Tools for Windows.

Original Equipment Manufacturer (OEM) Drivers. You will be asked if you want to add OEM drivers
for storage and network devices to the ISO image. For more information, see Original Equipment
Manufacturer Drivers.
Diagnostics and Recovery Toolset 6.0
5

Additional Files. You can add files to the ISO image that you might need to help diagnose problems.
For more information, see How to Add Files to the CD.

ISO Image Location. You will be asked to specify where the ISO image should be located. For more
information, see How to Select an Image Location.

CD Drive. You will be asked to specify the CD drive that should be used to burn the CD. For more
information, see How to Burn the CD.
Note: The ISO image can range in size from 130 MB to 230 MB depending on the tools that you
select when you run the Boot Media Wizard.
TO START THE ERD COMMANDER BOOT MEDIA WIZARD
Click Start, point to Microsoft Diagnostics and Recovery Toolset, and then click ERD Commander Boot Media
Wizard. Complete the wizard selecting the tools and adding any drivers or files to the Boot Media.
1. Click Start | All Programs | Microsoft Diagnostics and Recovery Toolset | ERD Commander Boot
Media Wizard.
2. On the Welcome page click Next.
3. On the Boot Image Selection page Browse to a location with a valid Vista DVD, click open, and Next.
4. On the Preparing Files page, click Next.
5. On the Tool Selection page, scroll through the list of included tools.
6. Click Next.
7. On the Crash Analyzer Wizard page, note the available options. (You can choose to either use the
debugging tools on the current system, or choose to use the debugging tools on the system that the
ERD commander is inserted) Note: If the second option is selected and the debugging tools aren’t
available on the target system, crash analyzer won’t be able to analyze crashes.
8. Leave the default selection and click Next.
9. On the Standalone System Sweeper Definition Download, choose No, manually download
definitions later, click Next.
10. On the Additional Files page, click Next.
11. On the Create Startup Image page, click Browse.
12. Accept the default file name and click Save.
13. Click Next.
14. On the Burn to a recordable CD page, note the available options.
Diagnostics and Recovery Toolset 6.0
6
15. Click Next.
16. Click Explore. Minimize Windows Explorer.
17. Click Finish.
HOW TO CREATE A BOOTABLE CD THAT HAS A TIME LIMIT
You can also create a bootable CD that can only be used for a certain number of days after it is generated.
You must run the ERD Commander Boot Media Wizard from a Command Prompt window to create the
bootable CD that has a time limit. The following syntax is used to create a time-limited CD:
ERDC/e NumberOfDays
NumberOfDays is a positive integer that represents the number of days that the bootable CD will be usable.
1. Open a Command Prompt window.
2. Change the directory to the location of the Erdc.exe program.
3. Run the ERD Commander Boot Media Wizard with the /e parameter and specify the number of days that
the bootable CD can be used.
BOOTING INTO THE DART
1.
Insert the created ERD Commander bootable media, or alternatively on a virtual machine capture the
erd60.iso to the CD-ROM drive. This ISO is created during the ERD Creation Wizard process.
2. Start the machine and wait until presented with the selection screen for the keyboard layout, click Next.
3. On the System Recovery Options | Select Operating System page select the appropriate operating
system for troubleshooting or deselect all operating systems to run DaRT without being connected to an
installed Windows operating system, click Next.
4. On the System Recovery Options | Choose a recovery tool page select the appropriate WinRE tool or
click Microsoft Diagnostics and Recovery Toolset to open the DaRT tools.
5. Choose the appropriate tool for troubleshooting or Solution Wizard for guidance in choosing the
correct tool.
Diagnostics and Recovery Toolset 6.0
7
Asset Inventory Service
Asset Inventory Service Overview
Microsoft Asset Inventory Service (AIS) provides a comprehensive view of the software installed on client
computers in your enterprise. It helps reduce the total cost of managing software by providing a categorized
software inventory and by translating the inventory data into useful, actionable information.
AIS is a core component of the Microsoft Desktop Optimization Pack for Software Assurance, a suite of
advanced technologies to improve desktop manageability and security, and decrease total cost of
ownership (TCO).
AIS Consists of Two Parts
1. A Web-based service, onto which Desktop Optimization Pack subscribers can log to view inventories of
software installed on client computers in their enterprises.
2. Client software that communicates with the Web-based service and supplies it with an inventory of
programs that are installed on each client computer.
AIS WEB SITE OVERVIEW
The AIS user interface is composed of the following five pages, or workspaces:

Home—The Home workspace of the Asset Inventory Service displays notifications and status, the total
number of client computers participating in the inventory, a software summary that includes a quick view
of software manufacturers and types, and commands for viewing and organizing the inventory data.

Reports—The Reports workspace allows you to generate reports about software installed on client
computers. You can generate reports about all the software currently installed on client computers, or
about changes made to the number of installations of a program in a given period.

Licenses—The Licenses workspace allows you to generate license statements that reconcile your
organization’s Microsoft Software License Terms information with software inventory collected from your
computers. After license agreements are entered into AIS, AIS retrieves the entitlement information from
Microsoft Volume Licensing Services and compares the license information to your discovered Microsoft
software. You can then create license statements that allow you to see your organization’s level of
compliance with Microsoft Software License Terms. These statements are for your organization’s use only;
Microsoft cannot view your license statements.
Asset Inventory Service
8

Software—The Software workspace lists programs that are installed on all client computers participating
in the inventory, and it allows you to sort the inventory by software publisher, title, category, or computer
name. You can also search for specific software and run software reports.

Computers—The Computers workspace lists client computers participating in the inventory, and it allows
you to sort client computers by computer name, most recent user, group, most recent inventory, first
discovery date, and client software version. Commands are available in the Computers workspace for
retiring computers and running reports.

Management and Support—The Management and Support workspace includes areas for downloading
and deploying the AIS client software, managing user access to AIS, managing your enterprise’s account
information, and finding troubleshooting and support resources. Commands are available in the
Management and Support workspace for downloading client software, adding authorized users of the Web
service, editing your account information, and viewing notifications about the service.
For more information about workspaces, see the following topics:

Home Workspace

Reports Workspace

Licenses Workspace

Computers Workspace

Software Workspace

Management and Support Workspace
For more information about AIS, including troubleshooting and support information, see
Troubleshooting and Support.
AIS CLIENT SOFTWARE OVERVIEW
The AIS client software is a small program that is installed on all client computers in your enterprise for
which you want to view an inventory of installed programs.
You can install the AIS client software on any of the following Microsoft Windows operating systems.

Microsoft Windows 2000 Professional Service Pack 4 (SP4) (Subsequent service packs are also supported.)

Windows XP Professional

Windows Server 2003 operating systems

Windows Server 2008

Windows Vista Enterprise

Windows Vista Ultimate

Windows Vista Business
Asset Inventory Service
9
The AIS client software installation package is unique to your enterprise and contains account identifiers,
so you must download it from the AIS Web site after you have logged on with properly licensed
account credentials.
For more information about downloading and installing the AIS client software, see Client Deployment and
Install the AIS Client Software.
Activating AIS with Microsoft Volume License Services
When your organization purchases access to System Center Online Asset Inventory Service (AIS), or
whenever an agreement contact name is changed, Microsoft Volume License Services (MVLS) automatically
sends e-mail to the individual named in your AIS licensing agreement as the agreement contact. The mail
contains an invitation to register with MVLS.
HOW TO DETERMINE YOUR ONLINE SERVICES CONTACT
If you do not know the names of the individuals in your organization who are designated as contacts for
your AIS licensing agreement, you can find out by doing the following. You must know the Windows Live ID
account name and password associated with your AIS licensing agreement to complete the procedures in
this topic.
To determine your agreement contacts
1. Open the Microsoft Volume License Service Web site.
2. Log on to MVLS by using the Windows Live ID associated with your account.
3. Click the Agreements tab.
4. In the Agreement Summary window, select the agreement profile that applies to your organization’s
AIS license agreement.
5. Agreement contacts for the profile are displayed at the bottom of the Web page.
ACTIVATING YOUR ASSET INVENTORY SERVICE ACCOUNT
Use the following procedure to activate your AIS account after you have purchased licenses to use AIS. You
can complete this procedure more easily if you have your AIS license agreement number ready.
Asset Inventory Service
10
To activate your Asset Inventory Service account
1. Open the Microsoft Volume License Service Web site.
2. Log on to MVLS by using the Windows Live ID associated with your account.
3. In the hierarchy pane at left, click Online Services Administration.
4. On the Online Services Agreement / Public Customer Number List page, search for your AIS license
agreement number by entering the number into the Agreement Number field and then clicking Search.
If you don’t have the agreement number available, select All in each of the three search filter fields
(Agreement Program, Country, Agreement Status) and then click Search.
5. In the Search Results area, click the hyperlinked agreement number associated with your AIS activation.
6. In the Available for Activation list of the Online Services Summary page, click Asset Inventory
Service. The Status column for the Asset Inventory Service row should display Activate now.
7. In the Asset Inventory Service Activation area of the Activate Online Service page, select Yes if your
organization has already been using AIS and you would like AIS to use the same license agreement
number and Windows Live ID contact information. Select No if your organization has not used AIS
before or if you want a different agreement number or Windows Live ID information associated with
your AIS account.
8. Click Continue Activation.
9. If you selected Yes in the preceding step, go to the next step. If you selected No in the preceding step,
you must enter subscription contact details on the Activate Online Service page. You need to fill out all
required details, as indicated by asterisks. When you have finished, click Continue Activation.
10. If you have provided new contact or agreement information, review the information you provided on the
Review page, and then click Activate Service.
11. The subscription contact provided in the preceding steps receives e-mail confirmation that a request to
activate AIS has been made. The recipient must click the link provided in the confirmation e-mail to log
on to AIS for the first time.
Important: The confirmation e-mail contains important information and should be saved.
Check spam filters if the e-mail seems to be delayed by more than 24 hours.
Asset Inventory Service
11
Home Workspace
The Home workspace of the Asset Inventory Service (AIS) displays notifications and status, the total number
of client computers participating in the inventory, a software summary that includes a quick view of software
manufacturers and types, and commands for viewing and organizing the inventory data.
If this is the first time you have logged on to the Asset Inventory Service, the Notifications and Status box
advises you to download and deploy the AIS client software. For more information about downloading and
deploying the client software, see Install the AIS Client Software.
NOTIFICATIONS AND STATUS
You can find information about the current state of the Asset Inventory Service in the Notifications and
Status area in the Home workspace.
INVENTORY SUMMARY
The Inventory Summary area shows the total number of client computers participating in the inventory.
To display a complete and detailed list of computers participating in the inventory, click the
hyperlinked summary.
SOFTWARE SUMMARY
The Software Summary area includes a graphical view of the percentage of specific software manufacturers
in your inventory.
To display a complete and detailed list of software titles represented in your inventory, click View
software details.
ACTIONS AVAILABLE IN THE HOME WORKSPACE
You can perform the following actions in the Home workspace.
Update Inventory
AIS automatically updates your inventory once monthly. You can update inventory up to once weekly if you
want to see a more current software inventory of your client computers.
Asset Inventory Service
12
To update your inventory
1. On the Home page under Actions, click Update Inventory.
2. The Update Inventory dialog box opens, asking you to confirm that you want to update your
inventory now.
Note: You cannot manually update your inventory more than once in a seven-day period.
3.
Click Update.
The Computers workspace opens, showing the most current inventory. Inventory is updated within 24 hours.
Manage Users
You can add and delete users of AIS on the User Management page. These are not users of the client
computers in the inventory; they are the administrators who view and manage the inventory by using the
Web-based component of AIS.
Important: All users must have a Windows Live ID to work with AIS. To register for a Windows Live
account go to the Windows Live Web site at http://go.microsoft.com/fwlink/?LinkId=96631 and follow
the instructions to register for a new account.
Perform the following steps to add or delete AIS users.
To add a user
1. Navigate to the User Management area of the Management and Support workspace.
2. In the Actions pane, click Add.
3. In the Add User window, enter the name and e-mail address of the user and then click Add.
The new user’s name and type is displayed in the User Management pane.
To delete a user
1. Navigate to the User Management area of the Management and Support workspace.
2. Select the user you want to delete in the User Management pane. You can use the Search tool to find
the user.
3. In the Actions pane, click Delete.
4. Confirm that you want to delete the user by clicking OK.
Asset Inventory Service
13
Find a Computer
The Find a Computer command opens the Computers workspace, in which you can search for a
specific computer.
To search for a specific computer
1. Click Find a Computer.
2. On the All Computers page, place your cursor in the Search box.
3. Type the name of the computer, user, or group you want to find.
You can type a partial string in the Search box. For example, type the letter z to find all computers that
have one or more z characters in their names. All columns visible in the workspace are searched, so
matches found can be part of, for example, either the name, domain, or user of a computer.
4. Click the Search icon or press Enter.
Run a Report
The Run a Report command opens the Reports workspace, in which you can generate two different types
of reports:

View a Report of Your Programs—This command generates a report that summarizes all software titles
installed on your inventoried client computers. You can sort data in the report in alphanumeric order by
software title, publisher, category, version, language, or number of installed copies. You can also print
and export the report to other formats.

View a Change Report of Your Software Installations—This command generates a report that
summarizes all the changes in the installation count of inventoried programs during a period specified
by you. You can sort data in a change report in alphanumeric order by software title, publisher, software
category, version, language, number of copies installed as of the earliest date in your specified time
period, or number of copies installed as of the latest date in your specified time period. You can also
print and export the report to other formats.
For more information about running reports, see Reports Workspace.
Asset Inventory Service
14
Reports Workspace
The Reports workspace allows you to generate reports about software installed on client computers. You
can generate reports about all the software currently installed on client computers, or about changes made
to the number of installations of a program in a given period.
The Reports area provides commands that allow you to generate two different types of reports:

View a Report of your Programs—This command generates a report that summarizes all software titles
installed on your inventoried client computers. You can sort data in the report in alphanumeric order by
software title, publisher, category, version, language, or number of installed copies. You can also print
and export the report to other formats.

View a Change Report of your Software Installations—This command generates a report that
summarizes all the changes in the installation count of inventoried programs during a period specified
by you. You can sort data in a change report in alphanumeric order by software title, publisher, software
category, version, language, number of copies installed as of the earliest date in your specified time
period, or number of copies installed as of the latest date in your specified time period. You can also
print and export the report to other formats.
REPORT FORMATS
You can export reports to any of the following formats:
Important: If you are running Internet Explorer with Enhanced Security Configuration on the
computer you are using to run reports, you can export reports only to the XML format.

XML

Comma-separated values (CSV), comma-delimited text

Tagged Image File Format (TIFF)

Adobe Acrobat PDF

Web archive

Microsoft Office Excel
PROGRAM REPORTS
The View a Report of your Programs command generates a report containing a single entry for each unique
software title that is running on one or more of your inventoried client computers. You can sort data in the
report in alphanumeric order by software title, publisher, category, version, language, or number of installed
copies. You can also print and export the report to other formats, as described in Report formats.
Asset Inventory Service
15
Filtering program reports
You can apply one or more of the following filters to a program report. To modify a filter, click the icon to
the right of each filter.

Publisher: The company that manufactured or published the software (for example, Microsoft). This is a
required field; at least one publisher must be selected in the filter to generate a program report. By
default, all publishers are selected.

Asset group: The group or groups you have configured for your software. This is an optional field. By
default, all asset groups are selected in the filter. For more information about configuring asset groups
for your client computers, see Client Configuration Settings in the AIS Administrative Template File.

Asset category: The category to which the software belongs. See the Software Categories topic for an
explanation of software categories. This is a required field; at least one asset category must be selected
in the filter to generate a program report. By default, all asset categories are selected.

End date: The report lists all software installed on inventoried computers before the specified date. This
is an optional field. By default, the end date is the date you run the report.
Searching the report
To search the report for a specific text string, enter the string into the Find field and click either Find or
Next. Click Next to find the next instance of the text string in the report.
How to generate, print, and export a program report
Perform the following steps to generate a program report.
To generate a program report
1. In the Reports workspace, click View a Report of your Programs.
2. On the report form, apply any filters you want to your report.

To filter by publishers, click the icon to the right of the Publisher field, select one or more publishers,
and then click OK. At least one check box must be filled on this filter.

To filter by asset groups, click the icon to the right of the Asset Group field, select one or more asset
groups, and then click OK.

To filter by asset categories, click the icon to the right of the Categories field, select one or more
asset categories, and then click OK. At least one check box must be filled in on this filter.

To filter by software installed before a specific date, click the icon to the right of the End Date field
and then click the end date you want.
3. To generate the report with your new filters applied, click View Report.
Asset Inventory Service
16
4. Sort the data in the report as desired by software title, publisher, category, version, language, or number
of installed copies.
5. If you want to export the report to a different format, select a format from the Select a format
drop-down list. For more information about report formats, see Report formats.
6. To print the report, click Print. You can print the report either before or after exporting it to a
different format.
CHANGE REPORTS
The View a Change Report of your Software Installations command generates a report containing a
single entry for each unique software title that has been either installed on or removed from one or more
computers in your inventory during a specified period. You can sort data in a change report in alphanumeric
order by software title, publisher, software category, version, language, number of copies installed as of the
earliest date in your specified time period, or number of copies installed as of the latest date in your
specified time period. You can also print and export the report to other formats.
Filtering change reports
You can apply one or more of the following filters to a change report. To modify a filter, click the icon to the
right of each filter.

End date 1: The report lists all software that was installed on or removed from client computers on or
after the date specified in this filter.

End date 2: The report lists all software installed on or removed from inventoried computers on or
before the specified date. This is an optional field. By default, the end date is the date you run the report.

Publisher: The company that manufactured or published the software (for example, Microsoft). This is a
required field; at least one publisher must be selected in the filter to generate a change report. By
default, all publishers are selected.

Asset group: The group or groups you have configured for your software. This is an optional field. By
default, all asset groups are selected in the filter. For more information about configuring asset groups
for your client computers, see Client Configuration Settings in the AIS Administrative Template File.

Asset category: The category to which the software belongs. See the Software Categories topic for an
explanation of software categories. This is a required field; at least one asset category must be selected
in the filter to generate a program report. By default, all asset categories are selected.
Searching the report
To search the report for a specific text string, enter the string into the Find field and click either Find or
Next. Click Next to find the next instance of the text string in the report.
Asset Inventory Service
17
How to generate, print, and export a change report
Perform the following steps to generate a change report.
To generate a change report
1. In the Reports workspace, click View a Change Report of your Software Installations.
2. On the report form, apply any filters you want to your report.

To select a start date for the change report period, click the calendar icon to the right of the
End date 1 field and then select a date.

To select an end date for the change report period, click the calendar icon to the right of the
End date 2 field and then select a date.
Note: Because inventory is normally updated once a month to get the most usable change data
in your report, specify a change report period that is longer than one month.

To filter by publishers, click the icon to the right of the Publisher field, select one or more publishers,
and then click OK. At least one check box must be filled on this filter.

To filter by asset groups, click the icon to the right of the Asset Group field, select one or more asset
groups, and then click OK.

To filter by asset categories, click the icon to the right of the Categories field, select one or more
asset categories, and then click OK. At least one check box must be filled in on this filter.
3. To generate the report with your new filters applied, click View Report.
4. Sort the data in the report as desired by software title, publisher, category, version, language, number of
copies installed as of the earliest date in your specified time period, or number of copies installed as of
the latest date in your specified time period.
5. If you want to export the report to a different format, select a format from the Select a format
drop-down list. For more information about report formats, see Report formats.
6. To print the report, click Print. You can print the report either before or after exporting it to a
different format.
Asset Inventory Service
18
Software Categories
Asset Inventory Service (AIS) uses seven major categories and 40 minor categories to organize software
inventories. This classification system allows administrators to understand the different types of software
used in the enterprise, optimize software licensing, and plan the deployment of new versions of software and
software updates.
You can see how your software is categorized in the Category column of the Computers workspace. You can
also create software reports and sort the results by category.
The seven major categories are as follows:

Platform and management

Education and reference

Home and entertainment

Content and communications

Operations and professional

Product manufacturing and service delivery

Line of business
PLATFORM AND MANAGEMENT
Platform and management software includes desktop and network infrastructure and management software
that allows users to control the computer operating environment, hardware components and peripherals,
and infrastructure services and security.

Operating System and Components
The operating system software infrastructure, including updates, themes, screensavers, and fonts.

Frameworks and Support
Frameworks and runtime environments such as Microsoft .NET and Sun Microsystems Java.

System Utilities
Utilities to manage the operating system, such as file compression, CD or DVD recorders, and
desktop tools.

Device Drivers, Configuration Programs, and Utilities
Device drivers, configuration programs (for example, mouse or keyboard configuration utilities), and
manufacturer-supplied utilities for third-party devices.

OEM Applications
Applications from a computer or peripheral manufacturer, such as a laptop configuration application, or
a game from a printer manufacturer; typically branded by the hardware manufacturer.
Asset Inventory Service
19

Virtualization and Virtual Environment Software
Clustering software, virtual user interface software, or virtual computer software.

System and Network Management Applications
Applications for network management; including license management applications and internal help
desk utilities.

Networking Software
Networking connectivity for devices, client computers, and servers; desktop and server
remote-control software.

Storage, Archive, Backup, and Retrieval Applications
Applications to protect and recover data, including storage area network (SAN) software.

Application and Collaboration Servers
E-mail, collaboration, and Web servers; middleware; and unified messaging.

Security Applications
Applications that protect desktop or network security, including firewalls, antivirus and anti-spyware
programs, pop-up blockers, parental controls, and digital media signatures.

Security Threats
Applications that threaten desktop and network security, including adult content dialers, keyloggers,
browser hijackers, and malicious software.
EDUCATION AND REFERENCE
Education and reference includes educational software that does not contain resources, such as training or
help files for a specific application.

Education
Exam preparation, language learning, and other programs that can, but do not necessarily, support an
academic subject or program.

Reference
Dictionaries, encyclopedias, phone books, or maps, in either text or multimedia formats.

Data
Computer-readable information for a specific application type, such as geographic information system
(GIS) data or music samples, that can be either in a proprietary format or based on open-source code.
Asset Inventory Service
20
HOME AND ENTERTAINMENT
Applications designed primarily for use in or for the home, or for entertainment.

Personal
Applications that focus on individual self-improvement, lifestyle, and health, such as exercise routine
planning, smoking cessation, or diabetes monitoring.

Home and Home Improvement
Applications intended for home use; can be used by the resident or by contractors.

Game or Entertainment
An application intended purely for amusement or used primarily for its recreational value.
CONTENT AND COMMUNICATIONS
Content and communications applications include common applications for productivity, content creation,
and communications. These typically include office productivity suites, multimedia players, file viewers, Web
browsers, and collaboration tools.

Office Suites and Productivity
Applications in common use for producing general business documents, such as word processors,
spreadsheets, and desktop databases packaged with office productivity suites.

Multimedia and File Viewers
Desktop and client-computing applications for accessing multimedia files, such as audio or video players,
electronic photo albums, and music or video collection organizers with limited editing capabilities.

Browsers
Internet browsers and plug-ins; RSS feeders, news and podcast readers, and aggregators.

Document Publishing and Authoring
Applications to create and edit text-based documents, including layout and formatting applications, such
as those used for screenwriting.

Multimedia Publishing and Authoring
Applications to create and edit images, sounds, music, or video.

Web Design and Development
Applications to design, develop, and build Web pages and sites; including Web site copiers.

Content Management
Applications for the storage, retrieval, and organization of documents or other digital works; rights
management applications.
Asset Inventory Service
21

Translation and Globalization
Applications that automate or assist in language translation and other globalization tasks.

E-mail and Collaboration
Client e-mail and collaboration applications and add-ons; personal information and contact managers.

Instant Messaging and Conferencing
Instant messaging and video-conferencing or voice-conferencing applications.

Team Collaborative Applications
Applications that provide shared virtual workspaces.

Telephony Applications
Applications that use or replace telephony, such as fax or VOIP software.

Internet Utilities and Applications
Internet-based communications, such as communications using FTP, telnet, and P2P applications.

Internet Services
ISP connection software, ISP-specific applications, and Internet and mobile services.
OPERATIONS AND PROFESSIONAL
Used for specific job titles; contains applications designed for business uses such as enterprise resource
management, customer relations management, supply chain and manufacturing tasks, application
development, information management and access, and tasks performed by both business and
technical equipment.

Management
Applications used by project or line managers for tasks such as project management and business
process analysis.

Finance and Accounting
Financial applications for tasks such as accounting, tax preparation, and asset management.

Legal
Legal and contracts software.

Human Resources and Administration
Human resources software, including recruiting and workforce management applications, and
administrative applications such as for postal and light shipping work.

Purchasing
Procurement and order-management software.
Asset Inventory Service
22

Facilities and Security
Building and grounds facilities, maintenance, and security software.

Records Management
Software that manages employee or other related business records and files.

Sales and Marketing
Sales and marketing, account and lead management, advertising, and marketing research applications.

Customer Service
Customer service applications, including contact center applications.

Supply Chain Management
Applications that support business processes for bringing a product to market, including logistics,
production planning, and inventory management.

Services and Manufacturing Management
Applications that support business processes for managing services delivery and manufacturing.

Information and Data Management
Databases, database design and management tools, and data center applications.

Information Access and Delivery
Query and reporting tools, and database analysis tools.

Development Tools
Development environment applications, code and text editors, compilers, debuggers, configuration
management applications, and quality analysis applications.

Development Resources
Resources for the developer, such as software development kits (SDKs) and libraries.

Technical and Science Software
Computer-aided design and engineering (CAD or CAE) applications, and applications for GIS
management, mathematical and statistical analysis, laboratory equipment control and
analysis applications.

Technical Equipment
Applications that manage scientific and engineering equipment, such as microscopes and
laboratory equipment.

Business Equipment
Label makers, postage meters, bar-code readers, and other business-related equipment.
Asset Inventory Service
23
PRODUCT MANUFACTURING AND SERVICE DELIVERY
Product manufacturing and service delivery applications help users create products or deliver services in
specific industries. Categories in this section are used by the North American Industry Classification System
(NAICS).

Agriculture, Forestry, Fishing and Hunting

Mining, Quarrying, and Oil and Gas Extraction

Utilities

Construction

Manufacturing

Wholesale Trade

Retail Trade

Transportation and Warehousing

Information

Finance and Insurance

Real Estate and Rental and Leasing

Professional, Scientific, and Technical Services

Management of Companies and Enterprises

Administrative and Support and Waste Management and Remediation Services

Educational Services

Health Care and Social Assistance

Arts, Entertainment, and Recreation

Accommodation and Food Services

Public Administration

Other Services (except Public Administration)
Line of business

Line of Business
Internal and proprietary line-of-business applications.
Asset Inventory Service
24
Software Workspace
The Software workspace lists programs that are installed on all client computers participating in the
inventory, and it allows you to sort the inventory by software publisher, title, category, or computer name.
Each unique software title has its own entry in the list. You can also search for specific software and run
software reports.
To sort the data shown in the Software workspace, click the label of the column for which you want to sort.
SEARCHING FOR SPECIFIC SOFTWARE
To search for a specific software title in the Software workspace, perform the following steps.
To search for specific software
1. Open the Software workspace.
2. Place your cursor in the Search text box.
3. Type the name or partial name of a software title, publisher, or category, and then click the search icon
or press Enter.
DATA DISPLAYED BY A SOFTWARE REPORT
Software reports show the following information about a specific software title:

Publisher

Category (For more information about categories, see Software Categories.)

Version

Language

First Reported (the earliest date and time that AIS reported the title as being installed on one or more
client computers)

Last Reported (the most recent date and time that AIS reported the title as being installed on one or
more client computers)

Names of inventoried client computers on which the software is installed
Asset Inventory Service
25
RUNNING SOFTWARE REPORTS IN THE SOFTWARE WORKSPACE
A software report that is generated by clicking Run a report in the Software workspace does not show all
software installed on inventoried client computers. Instead, the report shows details about a single
software title.
To run a software report
1. Open the Software workspace.
2. In the All Software pane, select a software package.
3. In the Actions pane, click Run report.
A report page opens for the selected software title.
4. To filter by asset categories, click the icon to the right of the Categories field, select one or more asset
categories, and then click OK. At least one check box must be filled in on this filter.
5. To filter by software installed before a specific date, click the icon to the right of the End Date field, and
then click the end date you want.
6. To generate the report with your new filters applied, click View Report.
7. Sort the data in the report as desired by the names of the computers on which the software is installed.
8. If you want to export the report to a different format, select a format from the Select a format
drop-down list. For more information about report formats, see Reports Workspace.
9. To print the report, click Print. You can print the report either before or after exporting it to a
different format.
Asset Inventory Service
26
Licenses Workspace
The Licenses workspace of the Asset Inventory Service (AIS) allows you to upload your Microsoft Software
License Terms information to Microsoft Volume License Services (MVLS), verify that Microsoft software titles
in your inventory are properly licensed, and generate license statements that show your organization’s level
of compliance with Microsoft Software License Terms.
You can enter license agreements into AIS by providing one or more pairs of numbers for each agreement:
the authorization or agreement number, and the license or enrollment number. These numbers are supplied
by MVLS when licenses are purchased, upgraded, or renewed.
After license agreements are entered into AIS, AIS retrieves the entitlement information from MVLS and
compares the license information to your discovered Microsoft software. You can then create license
statements that allow you to see your organization’s level of compliance with Microsoft Software License
Terms. These statements are for your use only; Microsoft cannot view your license statements. For more
information, see the Microsoft privacy policy.
ACTIONS AVAILABLE IN THE LICENSES WORKSPACE
You can perform the following actions in the Licenses workspace.
Upload agreements
The Upload Agreements command displays a list of license agreements that have already been uploaded.
Each row shows an agreement’s name, agreement or authorization number, license or enrollment number,
and the specific license group to which the agreement belongs, if applicable. Commands in the Actions
pane allow you to add license agreements by using the Add Agreement Wizard, edit the names of existing
license agreements, or delete a license agreement you are no longer using. To edit an agreement name or
delete a license agreement, you must first select an agreement in the list.
Preparing to add agreements
To add new agreements to the Licenses workspace by using the Add Agreements Wizard, you must have
agreement number pairs available. The agreement or authorization numbers must be matched to the correct
license or enrollment numbers. Agreement number pairs are obtained from MVLS. For more information
about using MVLS and AIS, see Activating AIS with Microsoft Volume License Services.
If you have five or fewer license agreement number pairs, enter individual agreement pairs in the Add
Agreements wizard. If you have more than five agreement number pairs, prepare a comma-separated values
(CSV, also known as comma-delimited) text-only file.
Asset Inventory Service
27
Note: The CSV file must have a .csv file extension.
Save the file to a convenient location; the Add Agreements Wizard prompts you to browse for this file when
you are adding a new agreement. You can create this file by adding your agreement pairs to a new plain text
or Notepad document in one of the following formats, depending upon your organization type. Allow one
agreement number pair per line.

Open Value Customers: Agreement number, repeat agreement number

Open Customers: Authorization number, related license number

Select and Enterprise Customers: Agreement number, related enrollment number
Note: AIS allows you to upload a total maximum of 400 agreement pairs.
Create license groups
The Create License Groups command displays a list of existing license groups in its results pane. Commands
in the Actions pane allow you to open the License Group Wizard to add license groups into which you can
sort existing agreement pairs and assign computer groups to those pairs. You can also modify existing
license groups by adding or removing license agreement pairs or assigning them to different computer
groups. Other commands allow you to delete selected license groups or refresh entitlements. When you
refresh your entitlements in AIS for a selected license group, AIS connects to MVLS to obtain the most
current numbers of installations allowed for the software titles that are represented in the license group.
Note: AIS allows you to create a total maximum of 50 license groups.
View statements
A license statement is a four-page report that shows the results of a comparison between AIS-inventoried
software that is licensed under an MVLS agreement and the MVLS database for a selected license group. A
license statement should not be considered an exact calculation of software titles in use or proof of
compliance with agreements; the statement is a tool to help you make licensing decisions for your
enterprise. Some volume-licensable Microsoft products might not be detected by AIS in this release.
Asset Inventory Service
28
License statements show the following information.

Microsoft Volume Licensable Products—This section of the statement shows installed products for the
selected license group, and the results of reconciling volume-licensable products with the license
entitlements based on the Volume License agreements supplied.

Agreement Details—This section of the statement shows the license agreements included in the license
statement.

Important Notice—This section of the statement shows reconciliation limitations, terms and conditions,
legal disclaimers, and other important details.
The Microsoft Volume Licensable Products table is the core of your license statement; the columns of this
table are described in detail on the first page of each license statement.
Note: AIS allows you to store a total maximum of 50 license statements.
As with other reports in AIS, you can search statement reports for specific text strings, print statement
reports, or export them to other formats. For a list of available file types to which you can export reports,
see Report formats.
Asset Inventory Service
29
Computers Workspace
The Computers workspace lists client computers participating in the Asset Inventory Service (AIS) inventory,
and it allows you to sort client computers by computer name, most recent user, group, most recent
inventory, first discovery date, and client software version. Commands are available in the Computers
workspace for retiring computers and running reports.
SEARCHING FOR A SPECIFIC COMPUTER
To search for a specific computer in the Computers workspace, perform the following steps.
To search for a specific computer
1. Open the Computers workspace.
2. Place your cursor in the Search text box.
3. Type the name or partial name of a computer, user, or group, and then click the search icon or
press Enter.
DATA DISPLAYED BY A COMPUTER REPORT
Computer reports show the following information about a specific client computer participating in
the inventory:

Operating System Name

Service Pack

System Manufacturer

System Model

Operating System Language

Total Physical Memory

Total Storage

Free Space

First Reported (the earliest date and time that AIS reported the title as being installed on one or more
client computers)

Last Reported (the most recent date and time that AIS reported the title as being installed on one or
more client computers)

A table of all software titles installed on the inventoried computer
Asset Inventory Service
30
RUNNING COMPUTER REPORTS IN THE COMPUTERS WORKSPACE
A computer report that is generated by clicking Run a report in the Computers workspace does not show all
inventoried client computers. Instead, the report shows details about a selected computer.
To run a computer report
1. Open the Computers workspace.
2. In the All Computers pane, select a computer.
3. In the Actions pane, click Run report.
4. A report page opens for the selected computer.
On the report form, apply any filters you want to your report.

To filter by publishers, click the icon to the right of the Publisher field, select one or more publishers,
and then click OK. At least one check box must be filled on this filter.

To filter by asset categories, click the icon to the right of the Categories field, select one or more
asset categories, and then click OK. At least one check box must be filled in on this filter.

To filter by software installed before a specific date, click the icon to the right of the End Date field
and then click the end date you want.
5. To generate the report with your new filters applied, click View Report.
6. Sort the installed software titles as desired by title, publisher, category, version, or language.
7. If you want to export the report to a different format, select a format from the Select a format
drop-down list. For more information about report formats, see Reports Workspace.
8. To print the report, click Print. You can print the report either before or after exporting it to a
different format.
RETIRING COMPUTERS FROM THE INVENTORY
When you retire a computer, the computer is removed from the AIS inventory. Although the AIS client
software remains installed until it is removed by an administrator on the client computer, the client software
no longer communicates with the AIS Web-based service.
Note: Retiring a computer does not completely remove the computer’s inventory from the AIS
database. You can still view inventory for the computer in historical reports on your inventory.
As a security best practice, you should remove the AIS client software from any client computers that you
want to retire from the AIS inventory.
Asset Inventory Service
31
Note: To add a retired computer back to the AIS inventory, reinstall the AIS client software on the
retired computer. For more information about installing the AIS client software, see Install the AIS
Client Software.
To retire a computer
1. On the console, click Computers.
2. Select the computer you want to retire from the list in the All Computers pane.
3. Click Retire computer. A message box displays a warning and prompts you to retire the computer.
4. Click Yes. The computer is removed from the All Computers list.
Management and Support Workspace
The Management and Support workspace includes areas for downloading and deploying the System
Center Online Asset Inventory Service (AIS) client software, managing user access to AIS, managing your
enterprise’s account information, and finding troubleshooting and support resources. Commands are
available in the Management and Support workspace for downloading client software, adding authorized
users of the Web service, editing your account information, and viewing notifications about the service.
MANAGEMENT AND SUPPORT AREAS
The following sections describe the areas and functions of the Management and Support workspace.

The Client Deployment area allows you to download the AIS client software installation package and
review instructions for installing it on your computers. For more information, see Client Deployment.

The User Management area allows you to add, view, and delete users of the AIS Web-based service. For
more information, see User Management.

The Account Management area allows you to update your enterprise’s account details. For more
information, see Account Management.

The Troubleshooting and Support area contains links to several resources you can use to learn more
about AIS, join the community of AIS users, or troubleshoot issues with running AIS or the AIS client
software. For more information, see Troubleshooting and Support.
Asset Inventory Service
32
Client Deployment
You can download the Asset Inventory Service (AIS) client software from the Client Deployment page of the
Management and Support workspace.
DOWNLOAD THE AIS CLIENT SOFTWARE
To download the AIS client software, you must log on to the AIS Web site by using your subscription account
(Windows Live ID) and password.
The AIS client software installation package is unique to your enterprise and contains account identifiers,
so you must download it from the AIS Web site after you have logged on with properly licensed
account credentials.
To download the AIS client software installation package
1. After you have logged on to AIS, open the Management and Support workspace.
2. Click Download a Client to open the Client Deployment page.
3. On the Client Deployment page, click Download Client Here.
4. In the File Download dialog box, click Save.
5. Save the file to a secure location on a local hard drive.
Important: The installation file must be stored in a secure location on the hard drive. The package
contains your account-specific certificate and should be installed only on computers from which you
want inventory reports.
Deploy the client
For more information about deploying the AIS client software, see Install the AIS Client Software.
Asset Inventory Service
33
Install the AIS Client Software
The System Center Online Asset Inventory Service (AIS) Web service collects information about programs
installed on client computers in your enterprise that have the AIS client software installed. This topic
describes how to install the client software.
In this topic:

Requirements for Asset Inventory Service client software

AIS client software deployment scenarios

Configuring client computers that report to a proxy server
REQUIREMENTS FOR ASSET INVENTORY SERVICE CLIENT SOFTWARE
Before you begin installing the AIS client software on client computers in your enterprise, verify that your
enterprise can support the following requirements.
Permission requirements
You must be a member of the Administrators group on the computer on which you want to install the AIS
client software.
Operating system requirements
You can install the AIS client software on any of the following Microsoft Windows operating systems:

Microsoft Windows 2000 Professional Service Pack 4 (SP4) (Subsequent service packs are
also supported.)

Windows XP Professional

Windows Server 2003 operating systems

Windows Server 2008

Windows Vista Enterprise

Windows Vista Ultimate

Windows Vista Business
The AIS client software is supported on both 32-bit and 64-bit editions of the preceding operating systems,
when available. Except for Windows 2000 Professional, the AIS client software is supported on all service
packs for the preceding operating systems.
Asset Inventory Service
34
Hardware and memory requirements
To install the AIS client software, a computer must have the following:

133 MHz or higher Intel Pentium-compatible CPU

64 MB RAM

3 MB disk space
Client computer updates
You should verify that all client computers have the latest Windows updates and service packs installed
before installing the AIS client software.
AIS CLIENT SOFTWARE DEPLOYMENT SCENARIOS
This topic provides instructions for deploying the AIS client software by using one of the following four
methods or tools. You can also deploy the AIS client software by using other methods, such as
third-party tools.

Manual installation

System Center Essentials (SCE)

Systems Management Server (SMS)

Group Policy
Before you begin to deploy the AIS client software by using any of these methods, you must download the
client software package. To download the AIS client software, you must log on to the AIS Web site by using
your subscription account (Windows Live ID) and password. Follow the steps in Client Deployment to
download the AIS client software.
The AIS client software installation package is unique to your enterprise and contains account identifiers,
so you must download it from the AIS Web site after you have logged on with properly licensed
account credentials.
Manual installation
Perform the following steps to install the AIS client software onto individual client computers. Repeat this
procedure on every computer that you want to participate in the AIS inventory.
Asset Inventory Service
35
To install the AIS client software manually
1. On a client computer, download the AIS client software by following the procedure in
Client Deployment.
2. Open the folder into which you downloaded the client software.
3. Double-click the installer package SCOnlineClient.msi.
Installation completes in the background, and when it is complete, the installation window closes without
notification. To verify the client software installation, see Verify AIS Client Software Deployment.
System Center Essentials (SCE)
If you have installed System Center Essentials, you can use it to deploy the AIS client software. See
Software Deployment on the System Center Essentials TechCenter.
Systems Management Server (SMS)
To install the AIS client software on client computers by using SMS, create a software distribution package
and then advertise the AIS client software to the computers on which it should be installed. You can do this
by advertising it to a specified target collection. The advertisement contains the name of the program (AIS
Client), the name of the target collection, and the scheduling configuration (that is, when to run the
installation program).
Note: The site’s clients cannot receive advertised programs until you enable the software
distribution client agent on site clients (the Advertised Programs Client Agent on legacy clients, and
the Software Distribution Client Agent on advanced clients). This agent manages software
distribution tasks on SMS clients.
The following steps provide an overview of how to install the AIS client software by using SMS. For detailed
information about how to install software by using SMS, refer to the Distributing Software section of the
SMS 2003 Operations Guide.
Important: The AIS client software contains certificates that identify your account, and therefore
the installation file, must be stored in a secure location on the disk of the server running SMS. For
more information, see the Distributing Software section of the SMS 2003 Operations Guide.
Asset Inventory Service
36
To install the AIS client software by using SMS
1. Prepare the site for software distribution.
a. Create or modify the Advanced Client Network Access account.
b. Configure the Software Distribution Client Agents.
c.
Prepare client access points (CAPs), management points, and distribution points.
d. Prepare collections.
e. Prepare security.
2. Create packages.
3. Specify distribution points.
4. Create programs.
5. Create advertisements.
Group Policy
You can use Group Policy to install the AIS client software on the computers in your network. The tasks you
perform to install AIS client software by using Group Policy depend on whether the feature Group Policy
Management is installed on your server.
If Group Policy Management is not installed on your server, you can use the Active Directory Users and
Computers snap-in to deploy the AIS client software. If Group Policy Management is installed on your server,
you must use the Group Policy Editor to set up AIS client software deployment.

Installing AIS Client Software without Group Policy Management

Installing AIS Client Software with Group Policy Management
Note: When you are deploying the AIS client software to multiple computers by using SMS or
Group Policy, schedule installations for off-peak hours to reduce network traffic. It is recommended
that you deploy the client software to no more than 10,000 computers per package.
Installing AIS Client Software without Group Policy Management
If Group Policy Management is not installed on your server, perform the following tasks to deploy the AIS
client software by using Active Directory Users and Computers.
Note: These tasks can be completed only on a server that is an Active Directory Domain Services
domain controller.
Asset Inventory Service
37
TASK ONE: CREATE A DISTRIBUTION POINT
First, create a distribution point on a server.
To create a distribution point
1. Log on as an administrator to a server in your network.
2. Create a shared network folder for the installation file.
3. Set permissions on the share to allow access to the installation file.
Important: The SYSTEM account of each client computer on which you want to install the AIS
client software must have read access to the share. The path provided must be in the format
\\MyServer\MyFolder\SCOnlineClient.msi.
4. Download the AIS client installation software package as directed in Client Deployment, and save the file
to the shared network folder.
Important: The installation file must be stored in a secure location on the server’s hard disk.
TASK TWO: CREATE A GROUP POLICY OBJECT
Next, create a Group Policy object to distribute the AIS client software.
To create a Group Policy object
1. Start the Active Directory Users and Computers snap-in: click Start, point to Administrative Tools, and
then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Enter a name for the new Group Policy object, such as AIS Client Software Distribution, and then
press ENTER.
5. In the results pane, double-click the new Group Policy object to modify its properties, and then click the
Security tab.
6. Select Apply Group Policy for groups to which you want to deploy the AIS client software.
7. Clear the Apply Group Policy check box for groups to which you do not want to deploy the AIS
client software.
8. Click OK.
Asset Inventory Service
38
TASK THREE: ASSIGN THE AIS CLIENT SOFTWARE
Finally, assign the AIS client software to computers on your network that are running the operating systems
listed in Operating system requirements in this topic.
Important: Verify that all client computers have the latest Windows service pack installed before
installing the AIS client software.
To assign the AIS client software
1. Open the Active Directory Users and Computers snap-in: click Start, point to Administrative Tools,
and then click Active Directory Users and Computers.
2. In the console tree, right-click the site, the domain, or the organizational unit (OU) and then
click Properties.
3. Click the Group Policy tab.
4. Expand the site, domain, or OU in the hierarchy pane, and then select the Group Policy object (for
example, AIS Client Distribution).
5. In the Computer Configuration area, expand Software Settings. (On servers running Windows Server
2008, you must also expand Policies.)
6. Right-click Software installation, point to New, and then click Package.
7. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the installation file that
you downloaded in Task One, as shown in the following example:
\\<serverName>\<share>\SCOnlineClient.msi
Important: Do not click Browse to access the location. Type the UNC path directly into the
Open dialog box.
8. Click Open.
9. Click Assigned, and then click OK. The package is displayed in the results pane of the Group Policy
Editor window.
10. Close the Group Policy Editor snap-in, click OK, and then close Active Directory Users and Computers.
The AIS client software is installed automatically on all assigned computers the next time they are restarted.
Asset Inventory Service
39
Installing AIS Client Software with Group Policy Management
If Group Policy Management is installed on your server, perform the following tasks to deploy AIS client
software by using the Group Policy Editor snap-in.
Note: These tasks can be completed only on a server that is an Active Directory Domain Services
domain controller.
TASK ONE: CREATE A DISTRIBUTION POINT
First, create a distribution point on a server.
To create a distribution point
1. Log on as an administrator to a server in your network.
2. Create a shared network folder for the installation file.
3. Set permissions on the share to allow access to the installation file.
Important: The SYSTEM account of each client computer on which you want to install the AIS
client software must have read access to the share. The path provided must be in the format
\\MyServer\MyFolder\SCOnlineClient.msi.
4. Download the AIS client installation software package as directed in Client Deployment, and save the
file to the shared network folder.
Important: The installation file must be stored in a secure location on the server’s hard disk.
TASK TWO: CREATE A GROUP POLICY OBJECT
Next, create a Group Policy object to distribute the AIS client software.
To create a Group Policy object
1. Click Start, point to Administrative Tools, and then click Group Policy Management to open the
Group Policy Management snap-in.
2. In the console tree, right-click your domain, and then click Create and Link a GPO Here.
3. In the New GPO dialog box, enter a name for the new Group Policy object, such as AIS Client Software
Distribution, and then press ENTER.
4. In the console tree, right-click the new Group Policy object and then click Edit to open the Group Policy
Object Editor snap-in.
Asset Inventory Service
40
5. In the console tree of the Group Policy Object Editor snap-in, expand Computer Configuration, and
then expand Software Settings.
Note: On computers running Windows Server 2008, you must also expand Policies.
6. Right-click Software installation, click New, and then click Package.
7. Click OK.
TASK THREE: ASSIGN THE AIS CLIENT SOFTWARE
Finally, assign the AIS client software to computers on your network that are running the operating systems
listed in Operating system requirements in this guide.
Important: Verify that all client computers have the latest Windows updates and service packs
installed before installing the AIS client software.
To assign the AIS client software
1. Open the Active Directory Users and Computers snap-in, click Start, point to Administrative Tools,
and then click Active Directory Users and Computers.
2. In the console tree, right-click the site, the domain, or the organizational unit (OU) and then
click Properties.
3. Click the Group Policy tab.
4. Expand the site, domain, or OU in the hierarchy pane, and then select the Group Policy object (for
example, AIS Client Distribution).
5. In the Computer Configuration area, expand Software Settings. (On servers running Windows Server
2008, you must also expand Policies.)
6. Right-click Software installation, point to New, and then click Package.
7. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the installation file that you
downloaded in Task One, as shown in the following example: \\<serverName>\<share>\SCOnlineClient.msi
Important: Do not click Browse to access the location. Type the UNC path directly into the
Open dialog box.
8. Click Open.
9. In the Deploy Software dialog box, click Assigned, and then click OK. The next time the Group Policy
Object Editor console is refreshed, the package is displayed in the results pane.
If the package is not displayed, right-click Software Installation and then click Refresh.
Asset Inventory Service
41
To modify package installation settings, double-click the package in the Group Policy Object Editor
results pane. To cancel the installation and remove its Group Policy object, right-click the package, point
to All Tasks, and then click Remove.
10. Close the Group Policy Editor snap-in, click OK, and then close Group Policy Management.
The AIS client software is installed automatically on all assigned computers the next time they are restarted.
CONFIGURING CLIENT COMPUTERS THAT REPORT TO AN AUTHENTICATED PROXY SERVER
If you want client computers that report to an authenticated proxy server to participate in your inventory, you
must follow the steps in this section. These steps are required only if the proxy server requires authentication.
To inventory client computers that report to a proxy server, the proxy server must be configured to use
computer authentication. Verify that your proxy server is using correct authentication settings. The following
steps enable you to add computer authentication for each client computer when the proxy server to which
the computers report is running Microsoft ISA Server.
To add computers that report to a proxy server to your inventory
1. On the client computer, open a Command Prompt window by clicking Start, clicking Run, typing cmd in
the Open text box, and then pressing Enter.
2. Enter one of the following commands:
a. If the group served by the proxy server is a domain group, enter the following:
net group"Internet Authenicated Group Name" "Computer Name" /add
For example, net group"Internet Authenticated Users""win2k3$" /add
b. If the group served by the proxy server is a local group located on the ISA server, enter the following:
net localgroup "Internet Authenticated Group Name" "Computer Name" /add
For example, net localgroup "Internet users" domain\computername$ /ADD
3. Add an exception to the ISA server configuration to allow anonymous access to the SCO-AIS Service
URLs (https://sc.microsoft.com and any subdirectories).
4. Add the computer to the AIS inventory manually by running the SCOnline-Full task in Task Scheduler.
a. Open Task Scheduler by doing one of the following:
On a computer running Windows XP or Windows Server 2003, open Scheduled Tasks by clicking
Start, pointing to Control Panel, and then clicking Scheduled Tasks.
On a computer running Windows Vista, click Start, click Control Panel, click System and
Maintenance, click Administrative Tools, and then double-click Task Scheduler.
On a computer running Windows 2000, click Start, point to Settings, point to Control Panel, and
then click Scheduled Tasks.
b. In the Task Scheduler or Scheduled Tasks tree pane, open %windir%\Tasks.
c.
Right-click the task SCOnline-Full-{89C1481E-9333-4a66-9014-18C9F60CA82D}.
d. On the shortcut menu, click Run. (Allow 10 minutes for the client computer’s inventory to be uploaded to AIS.)
Asset Inventory Service
42
Verify AIS Client Software Deployment
VERIFY THAT AIS CLIENT SOFTWARE IS INSTALLED AND RUNNING
The client software automatically runs between five and 55 minutes after installation is complete. The Webbased service displays the client computer in its inventory within 15 minutes to one hour after client software
installation is complete.
To verify that the System Center Online Asset Inventory Service (AIS) client software was successfully
installed and is communicating with the Web service, perform the following steps.
To verify the installation of the AIS client software
1. Open the AIS Web site.
2. Log on to AIS by entering your Windows Live ID and password.
3. In the navigation pane, click Computers.
4. Scroll down the list of inventoried computers to find client computers that are communicating with AIS,
or search for a specific client computer by entering the computer name in the Search text box.
Allow up to one hour for a client computer to be displayed in the inventory following installation of the
client software.
Alternatively, you can also verify that AIS client software was successfully installed by doing the following:

Open Control Panel, and then open Add or Remove Programs. (In Windows Vista, open Control
Panel, click Programs, and then click Programs and Features.) An entry for Microsoft System Center
Online Client is displayed in the list of installed programs if client software installation succeeded.
On the Client Deployment page, the Deployment Status notification area shows the total number of client
computers participating in the inventory and how many of those have successfully uploaded data. Some
computers might take more time between enrolling in the inventory and completing the upload of their data.
Note: If more than 10,000 client computers are participating in your inventory, allow two to three
business days (that is, two to three days in which client computers are turned on) for AIS to display
your complete inventory.
Asset Inventory Service
43
WHAT TO DO IF INSTALLATION FAILS
If a client computer is not visible in the Web service inventory after one hour, and the client software does
not appear in Add or Remove Programs (or Programs and Features in Windows Vista), installation of the
client software most likely failed.
Refer to Asset Inventory Service Tips and Troubleshooting for help with specific errors.
Alternatively, click Troubleshooting and Support in the Management and Support workspace of the AIS
Web UI.
Client Configuration Settings in the AIS Administrative Template File
The System Center Online (SCO) administrative template file provides Asset Inventory Service (AIS) with three
Group Policy and Windows Registry settings that help you manage your AIS inventory.
INSTALLING THE SCO ADMINISTRATIVE TEMPLATE
The Group Policy administrative template sconline.adm is available for download on the Microsoft Web site.
Use the Group Policy Management Console to view and edit the SCO administrative template.
To install and view the SCO administrative template
1. Save the sconline.adm file to the %windir%\inf directory.
2. Open the Group Policy Editor, click Start, click Run, type gpedit.msc, and then press Enter.
3. In the console tree, expand Computer Configuration, and then select Administrative Templates.
4. On the Action menu, click Add/Remove Templates.
5. In the Add/Remove Templates dialog box, click Add.
6. In the Policy Templates dialog box, open the %windir%\inf directory and select sconline.adm, then
click Open.
System Center Online Client is displayed in Administrative Templates.
Asset Inventory Service
44
MODIFYING SETTINGS IN SCONLINE.ADM
Once the SCO administrative template file, sconline.adm, is installed on a client computer you want to
participate in your inventory, the following three Group Policy settings are available:
Important: You must be a member of the Administrators group on the client computers for which
you want to modify Group Policy settings.

Add the client to a group—This setting allows you to assign the computers in your inventory to a
computer group. For more information, see Adding computers to groups by using Group Policy.

Turn off fallback to Microsoft Update—This setting allows you to prevent or allow the AIS client
software from receiving updates from Microsoft Update by default. If this setting is enabled, when the
AIS client software requires updates, it does not fall back to Microsoft Update. For more information, see
Turning off fallback to Microsoft Update by using Group Policy.

Add additional proxies—This setting allows you to specify additional or backup proxy servers that
client computers can use to communicate their inventories with AIS. For more information, see Adding
additional or backup proxy servers by using Group Policy.
Adding computers to groups by using Group Policy
After the SCO administrative template is installed on a client computer, you can use a Group Policy setting to
organize the computer into an asset group.
Computer groups are visible on the AIS Computers workspace as a column in the All Computers table. You can
also filter on computer groups in reports. (For more information about filtering reports, see Reports Workspace.)
You can use one of two methods to assign the computers in your inventory to groups:

Distribute a Group Policy administrative template (*.adm) to inventoried client computers, and modify
the Enable client grouping setting.

Add a Windows Registry key to client computers.
To add computers to groups by using Group Policy
1. On an inventoried client computer, open the Group Policy Editor, click Start, click Run, type gpedit.msc,
and then press Enter.
2. In the console tree, expand Computer Configuration, and then expand Administrative Templates.
3. Select System Center Online Client.
4. In the results pane, double-click the Enable client grouping setting.
5. To enable client grouping, select Enabled.
6. In the Group name for this computer box, type a group name and click OK.
Asset Inventory Service
45
Note: A computer can belong to only one group.
Adding computers to groups in the registry
To add your computers to a group in AIS, you can set the value of the registry key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System Center Online\Client\ClientGroup on
client computers to the group name of which you want them to be members. To do this, open regedit and
create a folder called System Center Online under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\
if it does not already exist. Under the System Center Online folder create another folder called Client. Under
the Client folder, create a new string valued called ClientGroup (no space). Modify the ClientGroup value so
that the ―value data‖ field contains the name of the Client group that you would like it to belong to.
Important: Incorrectly editing the registry may severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
Turning off fallback to Microsoft Update by using Group Policy
If you want to force AIS client computers to search for updates only on approved update sites or servers (for
example, you want computers running the AIS client software to locate updates only on servers running
Windows Server Update Services), and you do not want them to find updates by using Microsoft Update,
you can enable this policy setting.
To turn off client fallback to Microsoft Update by using Group Policy
1. On an inventoried client computer, open the Group Policy Editor, click Start, click Run, type gpedit.msc,
and then press Enter.
2. In the console tree, expand Computer Configuration, and then expand Administrative Templates.
3. Select System Center Online Client.
4. In the results pane, double-click the Turn off fallback to Microsoft Update setting.
5. To enable the setting, and prevent client computers from finding updates on Microsoft Update by
default, select Enabled.
6. To allow client computers to find updates on Microsoft Update by default, disable or do not configure
the policy setting.
7. Click OK.
Asset Inventory Service
46
Adding additional or backup proxy servers by using Group Policy
It is recommended that you configure this policy setting if you want client computers that report to a proxy
server to participate in your inventory. Additional configuration steps are required for adding client
computers to your inventory that report to a proxy server. For more information about adding computers to
your inventory that report to a proxy server, see Install the AIS Client Software.
To add additional proxy servers by using Group Policy
1. On an inventoried client computer, open the Group Policy Editor, click Start, click Run, type gpedit.msc,
and then press Enter.
2. In the console tree, expand Computer Configuration, and then expand Administrative Templates.
3. Select System Center Online Client.
4. In the results pane, double-click Add additional proxies.
5. To instruct AIS to check additional proxy servers to locate this client computer if it cannot communicate
with the default proxy server, select Enable.
6. In the list box, specify additional proxy servers, either by entering their URLs or their IP addresses.
Separate proxies with a semicolon (;).
7. Click OK.
Asset Inventory Service
47
Remove the AIS Client Software
Removing the System Center Online Asset Inventory Service (AIS) client software from a computer also
retires, or deletes, the computer from the AIS inventory. If you want to retire a computer from the AIS
inventory, but do not want to remove the AIS client software, see Computers Workspace.
In this topic:

How to remove the AIS client software manually

How to remove the AIS client software by using System Center Essentials

How to remove the AIS client software by using Group Policy
HOW TO REMOVE THE AIS CLIENT SOFTWARE MANUALLY
The procedure you use to remove the AIS client software from computers participating in the AIS inventory
depends on the operating system that is running on the client computer.
If the client computer is running the following operating systems, see Removing the AIS client software by
using Add or Remove Programs.

Microsoft Windows 2000 Professional Service Pack 4 (SP4) (Subsequent service packs are
also supported.)

Windows XP Professional

Windows Server 2003 operating systems
If the client computer is running any of the following operating systems, see Removing the AIS client
software by using Uninstall a program.

Windows Server 2008

Windows Vista Enterprise

Windows Vista Ultimate

Windows Vista Business
Asset Inventory Service
48
Removing the AIS client software by using Add or Remove Programs
Perform the following steps to remove the AIS client software.
To remove the AIS client software by using Add or Remove Programs
1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. In the button pane, click Change or Remove Programs.
3. Select System Center Online Agent.
4. Click Remove.
5. When removal completes, close Add or Remove Programs.
Removing the AIS client software by using Uninstall a program
Perform the following steps to remove the AIS client software.
To remove the AIS client software by using Uninstall a program
1. Click Start, and then click Control Panel.
2. In the Programs area, click Uninstall a program.
3. In the Uninstall or change a program window, select System Center Online Agent.
4. Click Remove.
5. When removal completes, close the Uninstall or change a program window.
HOW TO REMOVE THE AIS CLIENT SOFTWARE BY USING SYSTEM CENTER ESSENTIALS
If you have installed System Center Essentials, you can use it to remove the AIS client software. See ―How to
Uninstall Deployed Software in System Center Essentials‖ in the System Center Essentials TechCenter.
HOW TO REMOVE THE AIS CLIENT SOFTWARE BY USING GROUP POLICY
If you installed AIS client software on multiple computers in a domain simultaneously, as a published or
assigned package in Group Policy, you can use Group Policy to remove the AIS client software from those
computers. The tasks you perform to remove the AIS client software by using Group Policy depend on
whether the feature Group Policy Management is installed on your server.
If Group Policy Management is not installed on your server, you can use the Active Directory Users and
Computers snap-in to remove the AIS client software. If Group Policy Management is installed on your
server, you must use the Group Policy Editor to remove AIS client software.
Asset Inventory Service
49

Removing AIS client software without Group Policy Management

Removing AIS client software with Group Policy Management
Removing AIS client software without Group Policy Management
If Group Policy Management is not installed on a domain controller, use the following procedure to remove
the AIS client software by using the Group Policy tab in Active Directory Users and Computers.
Note: These tasks can be completed only on a server that is an Active Directory Domain Services
domain controller.
To remove AIS client software without Group Policy Management
1. Open the Active Directory Users and Computers snap-in. To do this, click Start, point to Programs, point
to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click the domain you want, and then click Properties.
3. On the Group Policy tab, select the Group Policy object with which you deployed the package, and then
click Edit.
4. In the Group Policy Editor snap-in, expand the Software Settings container that contains the software
installation item with which you deployed the package.
Note: On computers running Windows Server 2008, you must also expand Policies.
5. Expand the software installation container that contains the package.
6. In the results pane, right-click the program, point to All Tasks, and then click Remove.
7. Do one of the following:

Click Immediately uninstall the software from users and computers, and then click OK.

Click Allow users to continue to use the software, but prevent new installations, and then
click OK.
8. Close the Group Policy Editor snap-in, click OK, and then close the Active Directory Users and Computers
snap-in.
Asset Inventory Service
50
Removing AIS client software with Group Policy Management
If Group Policy Management is installed on your domain controller, use the following procedure to remove
the AIS client software by using the Group Policy Editor snap-in.
Note: These tasks can be completed only on a server that is an Active Directory Domain Services
domain controller.
To remove the AIS client software with Group Policy Management
1. Click Start, point to Administrative Tools, and then click Group Policy Management to open the
Group Policy Management snap-in.
2. In the console tree, expand your domain, and then right-click the object that was created to distribute
the AIS client software package.
3. Click Edit to open the Group Policy Object Editor snap-in.
4. In the console tree of the Group Policy Object Editor snap-in, expand Computer Configuration, and
then expand Software Settings.
Note: On computers running Windows Server 2008, you must also expand Policies.
5. In the results pane, right-click the package you want to remove, point to All Tasks, and then
click Remove.
6. Do one of the following:

Click Immediately uninstall the software from users and computers, and then click OK.

Click Allow users to continue to use the software, but prevent new installations, and then
click OK.
7. Close the Group Policy Editor snap-in.
8. Click OK.
Asset Inventory Service
51
Update the AIS Client Software
This topic provides information about System Center Online Asset Inventory Service (AIS) client software
updates, and instructions for finding and installing updates.
TYPES OF UPDATES AVAILABLE FOR AIS CLIENT SOFTWARE
Updates for the AIS client software can be any of the following types, and are listed in the order of their
priority and importance.
1. Security updates are released in the event vulnerability is discovered in the client software. You should
not delay the installation of security updates.
2. Updates occasionally are released to improve functionality or fix bugs in the client software. These
updates are strongly recommended.
3. Updates that provide new functionality are optional, but recommended.
Note: Updating the AIS client software does not affect inventory collected in the past from a
specific computer.
FREQUENCY OF UPDATES
Updates to the AIS client software are expected to become available a maximum of twice per year.
UPDATE METHODS
The AIS client software can be updated by any of the following methods.
Automatic updates
The client software can be updated automatically either by Microsoft Update, or by self-initiating updates.
Updating the AIS client software by using Microsoft Update
You can turn on Microsoft Update to update the AIS client software automatically. If Microsoft Update is
turned on, and is configured to allow the Windows operating system that is running on a client computer to
download and install recommended and important updates, the AIS client software running on that
computer is updated depending on your settings (for example, depending upon whether you have selected
Install updates automatically or Download updates but let me choose whether to install them in the
Windows Update Change Settings dialog box). You can access Microsoft Update settings in Control Panel
on all AIS-supported Windows operating systems.
Asset Inventory Service
52
Self-initiated update
When Microsoft Update is not turned on, or when it is not configured to download recommended updates
automatically, AIS client software installed on that computer can still receive updates.
After each time the AIS client software checks in with Asset Inventory Service (once daily, if the computer on
which the AIS client software is turned on), a separate operation verifies that the client software is fully
updated. If updates are available, the computer on which the client software is running downloads and
installs the updates. Typically, restarting the computer is not required following the self-initiated updating of
the AIS client software.
If the Windows-based operating system that is running on the client computer is configured to receive
updates from a server in the enterprise that is running Windows Server Update Services (WSUS), updates are
received from WSUS first. The AIS client software that is running on a computer configured to receive
updates from WSUS does not check for updates elsewhere, unless the client computer is unable to connect
to WSUS. If connecting to WSUS to receive updates is unsuccessful, the client software connects to Microsoft
Update to receive updates.
By modifying the AIS administrative template, you can disable this fallback update behavior of the AIS client
software if you do not want client computers to connect to Microsoft Update, especially if the client
computers are outside of the corporate network. For example, you might not want a laptop computer that is
connecting to your enterprise’s network from a remote location to attempt a connection to Microsoft
Update if it cannot receive updates from WSUS. Microsoft recommends that you turn off the fallback
updating behavior only if your enterprise is running an update server such as WSUS, or if the computer is
running Windows Vista®, and Microsoft Update is enabled. If there is no update server available, the AIS
client software is not updated automatically if Microsoft Update is disabled. To download the administrative
template, see the Microsoft Web site. For more information about configuring the administrative template,
see Client Configuration Settings in the AIS Administrative Template File.
Manually controlled update
Important: Before you update the AIS client software manually, note the version number of the AIS
client software. The simplest method of verifying that updating the AIS client software was
successful is to compare the pre-update version number with the post-update version number.
If you do not want to update the AIS client software automatically in your enterprise, you can download the
most current version of the AIS client software from the AIS Web site. For more information about how to
download the AIS client software, see Client Deployment.
Asset Inventory Service
53
New computers
The AIS client software installation package that you download from the AIS Web site includes the updated
software and your account certificate. To add new computers to your AIS inventory, see
Install the AIS Client Software.
Computers that are already in your inventory
If a client computer is running an older version of the AIS client software, and is already reporting inventory
to AIS, you can configure the MSI package to perform an incremental installation to update the existing
client software, instead of reinstalling it entirely. AIS client software updates are minor, meaning that the
version displayed during installation by the MSI is not updated in whole numbers. For example, the AIS client
software version number might change from 1.0 to 1.5, but not to 2.0, if you run the MSI to update, but not
overwrite, your AIS client software. If you run the MSI installation package without specifying that you want
to update the AIS client software, the installation might fail if an existing copy of the AIS client software
already is located on the client computer.
To use the AIS client software MSI package to apply updates only, follow the steps provided in the MSDN
topic, Applying Small Updates by Reinstalling the Product.
Note: You cannot reinstall the AIS client software by using Add or Remove Programs because the
MSI package containing the updates must first be downloaded from the AIS Web site, and would
not be available in Add or Remove Programs.
VERIFYING THE INSTALLATION OF UPDATES
When updates to the AIS client software are installed successfully, inventory for updated computers is
reported to AIS, and inventory includes the updated version number of the AIS client software itself. After
updating your AIS client software, allow at least one hour for your inventory to be updated with the new AIS
client software version.
You can verify that your AIS client software updates are successful by checking either or both of
the following.

The version number for System Center Online Client that is visible in Add or Remove Programs or
Turn Windows features on or off is higher.

The AIS Web site shows the updated version number for the client software in the computer’s inventory.
Asset Inventory Service
54
User Management
You can add and delete users of the Asset Inventory Service (AIS) on the User Management page. These are
not users of the client computers in the inventory; they are the administrators who view and manage the
inventory by using the Web-based component of AIS.
Important: All users must have a Windows Live ID to work with AIS. To register for a Windows Live
account, open the Windows Live Web site at and follow the instructions to register for a new
account. A user can be associated with only one AIS account at a time.
Perform the following steps to add or delete AIS users.
To add a user
1. In the User Management area of the Management and Support workspace, click User Management.
2. In the Actions pane, click Add.
3. In the Add User dialog box, enter the name and e-mail address of the user and then click Add.
Note: The e-mail address must be associated with a Windows Live account.
The new user’s name and e-mail address is added to the list of users.
To delete a user
1. In the User Management area of the Management and Support workspace, click User Management.
2. Select the user you want to delete in the User Management pane.
3. In the Actions pane, click Delete.
4. In the Delete User window, confirm that you want to delete the user by clicking OK.
Asset Inventory Service
55
Account Management
The Account Management page of the Management and Support workspace displays the number of seat
licenses currently in use by your AIS account.
From the Account Management page, you can also visit Microsoft Volume License Services to edit your
account information and adjust the number of licenses your enterprise requires.
MICROSOFT VOLUME LICENSING SERVICES
Click Microsoft Volume Licensing Services Portal to visit the Microsoft Volume Licensing Services Web site.
Microsoft offers volume licensing solutions that scale to meet the needs of small, medium, and enterprise
businesses and organizations. Licensing programs provide volume pricing for purchases of five or more
software licenses and allow purchasers to manage multiple software licenses.
One seat license is required for each client computer that you want to participate in your inventory.
You can update or modify your AIS subscription contact information on the Microsoft Volume License
Services Portal Web site.
Troubleshooting and Support
You can use the Troubleshooting and Support area in the Management and Support workspace to find
more information about the Asset Inventory Service (AIS), get troubleshooting tips for common issues, join a
discussion forum, or contact Microsoft Support.
SUPPORT RESOURCES

To review and search frequently asked questions, see Asset Inventory Service Frequently Asked
Questions.

To review and search a collection of tips and troubleshooters, see Asset Inventory Service Tips and
Troubleshooting.

To discuss your experiences or questions about using AIS with other users, see the System Center Online
Services forums.

To get additional support, see System Center Online Services AIS Troubleshooting and Support.
Asset Inventory Service
56
Microsoft Advanced Group Policy Management 3.0
Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0
This step-by-step guide demonstrates advanced techniques for Group Policy management using the Group
Policy Management Console (GPMC) and Microsoft Advanced Group Policy Management (AGPM). AGPM
increases the capabilities of the GPMC, providing:

Standard roles for delegating permissions to manage Group Policy objects (GPOs) to multiple Group
Policy administrators, as well as the ability to delegate access to GPOs in the production environment.

An archive to enable Group Policy administrators to create and modify GPOs offline before deploying
them to a production environment.

The ability to roll back to any previous version of a GPO in the archive and to limit the number of
versions stored in the archive.

Check-in/check-out capability for GPOs to ensure that Group Policy administrators do not inadvertently
overwrite each other's work.
AGPM Scenario Overview
For this scenario, you will use a separate user account for each role in AGPM to demonstrate how Group
Policy can be managed in an environment with multiple Group Policy administrators who have different
levels of permissions. Specifically, you will perform the following tasks:

Using an account that is a member of the Domain Admins group, install AGPM Server and assign the
AGPM Administrator role to an account or group.

Using accounts to which you will assign AGPM roles, install AGPM Client.

Using an account with the AGPM Administrator role, configure AGPM and delegate access to GPOs by
assigning roles to other accounts.

Using an account with the Editor role, request the creation of a GPO, which you then approve using an
account with the Approver role. With the Editor account, check the GPO out of the archive, edit the GPO,
check the GPO into the archive, and request deployment.

Using an account with the Approver role, review the GPO and deploy it to your production environment.

Using an account with the Editor role, create a GPO template and use it as a starting point to create a new GPO.

Using an account with the Approver role, delete and restore a GPO.
Microsoft Advanced Group Policy Management 3.0
57
Requirements
Computers on which you want to install AGPM must meet the following requirements, and you must create
accounts for use in this scenario.
Note: If you have AGPM 2.5 installed and are upgrading from Windows Server® 2003 to Windows
Server 2008 or Windows Vista® with no service packs installed to Windows Vista with Service
Pack 1, you must upgrade the operating system before you can upgrade to AGPM 3.0.
Microsoft Advanced Group Policy Management 3.0
58
AGPM SERVER REQUIREMENTS
AGPM Server 3.0 requires Windows Server 2008 or Windows Vista with Service Pack 1 and the GPMC from
Remote Server Administration Tools (RSAT) installed. Both 32-bit and 64-bit versions are supported.
Before you install AGPM Server, you must be a member of the Domain Admins group and the following
Windows features must be present unless otherwise noted:


GPMC

Windows Server 2008: The GPMC is automatically installed by AGPM if not present.

Windows Vista: You must install the GPMC from RSAT before you install AGPM. For more
information, see http://go.microsoft.com/fwlink/?LinkID=116179.
.NET Framework 3.5
The following Windows features are required by AGPM Server and will be automatically installed if not present:

WCF Activation; Non-HTTP Activation

Windows Process Activation Service

Process Model

.NET Environment

Configuration APIs
AGPM CLIENT REQUIREMENTS
AGPM Client 3.0 requires Windows Server 2008 or Windows Vista with Service Pack 1 and the GPMC from
Remote Server Administration Tools (RSAT) installed. Both 32-bit and 64-bit versions are supported. AGPM
Client can be installed on a computer running AGPM Server.
The following Windows features are required by AGPM Client and will be automatically installed if not
present unless otherwise noted:


GPMC

Windows Server 2008: The GPMC is automatically installed by AGPM if not present.

Windows Vista: You must install the GPMC from RSAT before you install AGPM. For more
information, see http://go.microsoft.com/fwlink/?LinkID=116179.
.NET Framework 3.0
Microsoft Advanced Group Policy Management 3.0
59
SCENARIO REQUIREMENTS
Before you begin this scenario, create four user accounts. During the scenario, you will assign one of the
following AGPM roles to each of these accounts: AGPM Administrator (Full Control), Approver, Editor, and
Reviewer. These accounts must be able to send and receive e-mail messages. Assign Link GPOs permission
to the accounts with the AGPM Administrator, Approver, and (optionally) Editor roles.
Note: Link GPOs permission is assigned to members of Domain Administrators and Enterprise
Administrators by default. To assign Link GPOs permission to additional users or groups (such as
accounts with the roles of AGPM Administrator or Approver), click the node for the domain and
then click the Delegation tab, select Link GPOs, click Add, and select users or groups to which to
assign the permission.
Steps for Installing and Configuring AGPM
You must complete the following steps to install and configure AGPM.
Step 1: Install AGPM Server
Step 2: Install AGPM Client
Step 3: Configure an AGPM Server connection
Step 4: Configure e-mail notification
Step 5: Delegate access
STEP 1: INSTALL AGPM SERVER
In this step, you install AGPM Server on the member server or domain controller that will run the AGPM
Service, and you configure the archive. All AGPM operations are managed through this Windows service and
are executed with the service's credentials. The archive managed by an AGPM Server can be hosted on that
server or on another server in the same forest.
To install AGPM Server on the computer that will host the AGPM Service
1. Log on with an account that is a member of the Domain Admins group.
2. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select
Advanced Group Policy Management - Server.
3. In the Welcome dialog box, click Next.
4. In the Microsoft Software License Terms dialog box, accept the terms and click Next.
Microsoft Advanced Group Policy Management 3.0
60
5. In the Application Path dialog box, select a location in which to install AGPM Server. The computer on
which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.
6. In the Archive Path dialog box, select a location for the archive relative to the AGPM Server. The archive
path can point to a folder on the AGPM Server or elsewhere, but you should select a location with
sufficient space to store all GPOs and history data managed by this AGPM Server. Click Next.
7. In the AGPM Service Account dialog box, select a service account under which the AGPM Service will
run and then click Next.
8. In the Archive Owner dialog box, select an account or group to which to initially assign the AGPM
Administrator (Full Control) role. This AGPM Administrator can assign AGPM roles and permissions to
other Group Policy administrators (including the role of AGPM Administrator). For this scenario, select
the account to serve in the AGPM Administrator role. Click Next.
9. In the Port Configuration dialog box, type a port on which the AGPM Service should listen. Do not clear
the Add port exception to firewall check box unless you manually configure port exceptions or use
rules to configure port exceptions. Click Next.
10. In the Languages dialog box, select one or more display languages to install for AGPM Server.
11. Click Install, and then click Finish to exit the Setup Wizard.
Caution: Do not modify settings for the AGPM Service through Administrative Tools and Services
in the operating system. Doing so can prevent the AGPM Service from starting. For information on
how to modify settings for the service, see Help for Advanced Group Policy Management.
STEP 2: INSTALL AGPM CLIENT
Each Group Policy administrator—anyone who creates, edits, deploys, reviews, or deletes GPOs—must have
AGPM Client installed on computers that they use to manage GPOs. For this scenario, you install AGPM
Client on at least one computer. You do not need to install AGPM Client on the computers of end users who
do not perform Group Policy administration.
To install AGPM Client on the computer of a Group Policy administrator
1. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select
Advanced Group Policy Management - Client.
2. In the Welcome dialog box, click Next.
3. In the Microsoft Software License Terms dialog box, accept the terms and click Next.
4. In the Application Path dialog box, select a location in which to install AGPM Client. Click Next.
5. In the AGPM Server dialog box, type the fully-qualified computer name for the AGPM Server and the
port to which to connect. The default port for the AGPM Service is 4600. Do not clear the Allow
Microsoft Advanced Group Policy Management 3.0
61
Microsoft Management Console through the firewall check box unless you manually configure port
exceptions or use rules to configure port exceptions. Click Next.
6. In the Languages dialog box, select one or more display languages to install for AGPM Client.
7. Click Install, and then click Finish to exit the Setup Wizard.
STEP 3: CONFIGURE AN AGPM SERVER CONNECTION
AGPM stores all versions of each controlled Group Policy object (GPO)—a GPO for which AGPM provides
change control—in a central archive, so Group Policy administrators can view and modify GPOs offline
without immediately impacting the deployed version of each GPO.
In this step, you configure an AGPM Server connection and ensure that all Group Policy administrators
connect to the same AGPM Server. (For information about configuring multiple AGPM Servers, see Help for
Advanced Group Policy Management.)
To configure an AGPM Server connection for all Group Policy administrators
1. On a computer on which you have installed AGPM Client, log on with the user account that you selected
as the Archive Owner. This user has the role of AGPM Administrator (Full Control).
2. Click Start, point to Administrative Tools, and click Group Policy Management to open the GPMC.
3. Edit a GPO that is applied to all Group Policy administrators.
4. In the Group Policy Management Editor window, double-click User Configuration, Policies,
Administrative Templates, Windows Components, and AGPM.
5. In the details pane, double-click AGPM: Specify default AGPM Server (all domains).
6. In the Properties window, select Enabled and type the fully-qualified computer name and port (for
example, server.contoso.com:4600) for the server hosting the archive. By default, the AGPM Service
uses port 4600.
7. Click OK, and then close the Group Policy Management Editor window. When Group Policy is updated,
the AGPM Server connection is configured for each Group Policy administrator.
STEP 4: CONFIGURE E-MAIL NOTIFICATION
As an AGPM Administrator (Full Control), you designate the e-mail addresses of Approvers and AGPM
Administrators to whom an e-mail message containing a request is sent when an Editor attempts to create,
deploy, or delete a GPO. You also determine the alias from which these messages are sent.
To configure e-mail notification for AGPM
1. In the details pane, click the Domain Delegation tab.
2. In the From e-mail address field, type the e-mail alias for AGPM from which notifications should be sent.
Microsoft Advanced Group Policy Management 3.0
62
3. In the To e-mail address field, type the e-mail address for the user account to which you intend to
assign the Approver role.
4. In the SMTP server field, type a valid SMTP mail server.
5. In the User name and Password fields, type the credentials of a user with access to the SMTP service.
Click Apply.
STEP 5: DELEGATE ACCESS
As an AGPM Administrator (Full Control), you delegate domain-level access to GPOs, assigning roles to the
account of each Group Policy administrator.
Note: You can also delegate access at the GPO level rather than the domain level. For details, see
Help for Advanced Group Policy Management.
Important: You should restrict membership in the Group Policy Creator Owners group, so it cannot
be used to circumvent AGPM management of access to GPOs. (In the Group Policy Management
Console, click Group Policy Objects in the forest and domain in which you want to manage GPOs,
click Delegation, and then configure the settings to meet the needs of your organization.)
To delegate access to all GPOs throughout a domain
1. On the Domain Delegation tab, click the Add button, select the user account of the Group Policy
administrator to serve as Approver, and then click OK.
2. In the Add Group or User dialog box, select the Approver role to assign that role to the account, and
then click OK. (This role includes the Reviewer role.)
3. Click the Add button, select the user account of the Group Policy administrator to serve as Editor, and
then click OK.
4. In the Add Group or User dialog box, select the Editor role to assign that role to the account, and then
click OK. (This role includes the Reviewer role.)
5. Click the Add button, select the user account of the Group Policy administrator to serve as Reviewer, and
then click OK.
6. In the Add Group or User dialog box, select the Reviewer role to assign only that role to the account.
Microsoft Advanced Group Policy Management 3.0
63
Steps for Managing GPOs
You must complete the following steps to create, edit, review, and deploy GPOs using AGPM. Additionally,
you will create a template, delete a GPO, and restore a deleted GPO.
Step 1: Create a GPO
Step 2: Edit a GPO
Step 3: Review and deploy a GPO
Step 4: Use a template to create a GPO
Step 5: Delete and restore a GPO
STEP 1: CREATE A GPO
In an environment with multiple Group Policy administrators, those with the Editor role have the ability to
request the creation of new GPOs, but such a request must be approved by someone with the Approver role
because the creation of a new GPO impacts the production environment.
In this step, you use an account with the Editor role to request the creation of a new GPO. Using an account
with the Approver role, you approve this request and complete the creation of a GPO.
To request the creation of a new GPO managed through AGPM
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the Editor role in AGPM.
2. In the Group Policy Management Console tree, click Change Control in the forest and domain in
which you want to manage GPOs.
3. Right-click the Change Control node, and then click New Controlled GPO.
4. In the New Controlled GPO dialog box:
a. To receive a copy of the request, type your e-mail address in the Cc field.
b. Type MyGPO as the name for the new GPO.
c.
Type a comment for the new GPO.
d. Click Create live so the new GPO will be deployed to the production environment immediately upon
approval. Click Submit.
5. When the AGPM Progress window indicates that overall progress is complete, click Close. The new GPO
is displayed on the Pending tab.
Microsoft Advanced Group Policy Management 3.0
64
To approve the pending request to create a GPO
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the role of Approver in AGPM.
2. Open the e-mail inbox for the account, and note that you have received an e-mail message from the
AGPM alias with the Editor's request to create a GPO.
3. In the Group Policy Management Console tree, click Change Control in the forest and domain in
which you want to manage GPOs.
4. On the Contents tab, click the Pending tab to display the pending GPOs.
5. Right-click MyGPO, and then click Approve.
6. Click Yes to confirm approval of the creation of the GPO. The GPO is moved to the Controlled tab.
STEP 2: EDIT A GPO
You can use GPOs to configure computer or user settings and deploy them to many computers or users. In
this step, you use an account with the Editor role to check out a GPO from the archive, edit the GPO offline,
check the edited GPO into the archive, and request deployment of the GPO to the production environment.
For this scenario, you configure a setting in the GPO to require that the password be at least eight characters
in length.
To check the GPO out from the archive for editing
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the role of Editor in AGPM.
2. In the Group Policy Management Console tree, click Change Control in the forest and domain in
which you want to manage GPOs.
3. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.
4. Right-click MyGPO, and then click Check Out.
5. Type a comment to be displayed in the history of the GPO while it is checked out, and then click OK.
6. When the AGPM Progress window indicates that overall progress is complete, click Close. On the
Controlled tab, the state of the GPO is identified as Checked Out.
Microsoft Advanced Group Policy Management 3.0
65
To edit the GPO offline and configure the minimum password length
1. On the Controlled tab, right-click MyGPO, and then click Edit to open the Group Policy Management
Editor window and make changes to an offline copy of the GPO. For this scenario, configure the
minimum password length:
a. Under Computer Configuration, double-click Policies, Windows Settings, Security Settings,
Account Policies, and Password Policy.
b. In the details pane, double-click Minimum password length.
c.
In the properties window, select the Define this policy setting check box, set the number of
characters to 8, and then click OK.
2. Close the Group Policy Management Editor window.
To check the GPO into the archive
1. On the Controlled tab, right-click MyGPO and then click Check In.
2. Type a comment, and then click OK.
3. When the AGPM Progress window indicates that overall progress is complete, click Close. On the
Controlled tab, the state of the GPO is identified as Checked In.
To request the deployment of the GPO to the production environment
1. On the Controlled tab, right-click MyGPO and then click Deploy.
2. Because this account is not an Approver or AGPM Administrator, you must submit a request for
deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment
to be displayed in the history of the GPO, and then click Submit.
3. When the AGPM Progress window indicates that overall progress is complete, click Close. MyGPO is
displayed on the list of GPOs on the Pending tab.
STEP 3: REVIEW AND DEPLOY A GPO
In this step, you act as an Approver, creating reports and analyzing the settings and changes to settings in
the GPO to determine whether you should approve them. After evaluating the GPO, you deploy it to the
production environment and link it to a domain or an organizational unit (OU) so that it takes effect when
Group Policy is refreshed for computers in that domain or OU.
Microsoft Advanced Group Policy Management 3.0
66
To review settings in the GPO
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the role of Approver in AGPM. (Any Group Policy administrator with the Reviewer role, which is
included in all of the other roles, can review the settings in a GPO.)
2. Open the e-mail inbox for the account and note that you have received an e-mail message from the
AGPM alias with an Editor's request to deploy a GPO.
3. In the Group Policy Management Console tree, click Change Control in the forest and domain in
which you want to manage GPOs.
4. On the Contents tab in the details pane, click the Pending tab.
5. Double-click MyGPO to display its history.
6. Review the settings in the most recent version of MyGPO:
a. In the History window, right-click the GPO version with the most recent timestamp, click Settings,
and then click HTML Report to display a summary of the GPO's settings.
b. In the Web browser, click show all to display all of the settings in the GPO. Close the browser.
7. Compare the most recent version of MyGPO to the first version checked in to the archive:
a. In the History window, click the GPO version with the most recent time stamp. Press CTRL and click
the oldest GPO version for which the Computer Version is not *.
b. Click the Differences button. The Account Policies/Password Policy section is highlighted in green
and preceded by [+], indicating that this setting is configured only in the latter version of the GPO.
c.
Click Account Policies/Password Policy. The Minimum password length setting is also
highlighted in green and preceded by [+], indicating that it is configured only in the latter version of
the GPO.
d. Close the Web browser.
To deploy the GPO to the production environment
1. On the Pending tab, right-click MyGPO and then click Approve.
2. Type a comment to include in the history of the GPO.
3. Click Yes. When the AGPM Progress window indicates that overall progress is complete, click Close. The
GPO is deployed to the production environment.
To link the GPO to a domain or organizational unit
1. In the GPMC, right-click the domain or an OU to which to apply the GPO that you configured, and then
click Link an Existing GPO.
2. In the Select GPO dialog box, click MyGPO, and then click OK.
Microsoft Advanced Group Policy Management 3.0
67
STEP 4: USE A TEMPLATE TO CREATE A GPO
In this step, you use an account with the Editor role to create a template—an uneditable, static version of a
GPO for use as a starting point for creating new GPOs—and then create a new GPO based upon that
template. Templates are useful for quickly creating multiple GPOs that include many of the same settings.
To create a template based on an existing GPO
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the role of Editor in AGPM.
2. In the Group Policy Management Console tree, click Change Control in the forest and domain in
which you want to manage GPOs.
3. On the Contents tab in the details pane, click the Controlled tab.
4. Right-click MyGPO, and then click Save as Template to create a template incorporating all settings
currently in MyGPO.
5. Type MyTemplate as the name for the template and a comment, and then click OK.
6. When the AGPM Progress window indicates that overall progress is complete, click Close. The new
template appears on the Templates tab.
To request the creation of a new GPO managed through AGPM
1. Click the Controlled tab.
2. Right-click the Change Control node, and then click New Controlled GPO.
3. In the New Controlled GPO dialog box:
a. To receive a copy of the request, type your e-mail address in the Cc field.
b. Type MyOtherGPO as the name for the new GPO.
c.
Type a comment for the new GPO.
d. Click Create live, so the new GPO will be deployed to the production environment immediately
upon approval.
e. For From GPO template, select MyTemplate. Click Submit.
4. When the AGPM Progress window indicates that overall progress is complete, click Close. The new GPO
is displayed on the Pending tab.
Use an account that has been assigned the role of Approver to approve the pending request to create the
GPO as you did in Step 1: Create a GPO. MyTemplate incorporates all of the settings that you configured in
MyGPO. Because MyOtherGPO was created using MyTemplate, it initially contains all of the settings that
MyGPO contained at the time that MyTemplate was created. You can confirm this by generating a difference
report to compare MyOtherGPO to MyTemplate.
Microsoft Advanced Group Policy Management 3.0
68
To check the GPO out from the archive for editing
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the role of Editor in AGPM.
2. Right-click MyOtherGPO, and then click Check Out.
3. Type a comment to be displayed in the history of the GPO while it is checked out, and then click OK.
4. When the AGPM Progress window indicates that overall progress is complete, click Close. On the
Controlled tab, the state of the GPO is identified as Checked Out.
To edit the GPO offline and configure the account lockout duration
1. On the Controlled tab, right-click MyOtherGPO, and then click Edit to open the Group Policy
Management Editor window and make changes to an offline copy of the GPO. For this scenario,
configure the minimum password length:
a. Under Computer Configuration, double-click Policies, Windows Settings, Security Settings,
Account Policies, and Account Lockout Policy.
b. In the details pane, double-click Account lockout duration.
c.
In the properties window, check Define this policy setting, set the duration to 30 minutes, and then
click OK.
2. Close the Group Policy Management Editor window.
Check MyOtherGPO into the archive and request deployment as you did for MyGPO in Step 2: Edit a GPO.
You can compare MyOtherGPO to MyGPO or to MyTemplate using difference reports. Any account that
includes the Reviewer role (AGPM Administrator [Full Control], Approver, Editor, or Reviewer) can
generate reports.
To compare a GPO to another GPO and to a template
1. To compare MyGPO and MyOtherGPO:
a. On the Controlled tab, click MyGPO. Press CTRL and then click MyOtherGPO.
b. Right-click MyOtherGPO, point to Differences, and click HTML Report.
2. To compare MyOtherGPO and MyTemplate:
a. On the Controlled tab, click MyOtherGPO.
b. Right-click MyOtherGPO, point to Differences, and click Template.
b. Select MyTemplate and HTML Report, and then click OK.
Microsoft Advanced Group Policy Management 3.0
69
STEP 5: DELETE AND RESTORE A GPO
In this step, you act as an Approver to delete a GPO.
To delete a GPO
1. On a computer on which you have installed AGPM Client, log on with a user account that has been
assigned the role of Approver.
2. In the Group Policy Management Console tree, click Change Control in the forest and domain in
which you want to manage GPOs.
3. On the Contents tab, click the Controlled tab to display the controlled GPOs.
4. Right-click MyGPO, and then click Delete. Click Delete GPO from archive and production to delete
both the version in the archive as well as the deployed version of the GPO in the production
environment.
5. Type a comment to be displayed in the audit trail for the GPO, and then click OK.
6. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is
removed from the Controlled tab and is displayed on the Recycle Bin tab, where it can be restored
or destroyed.
Occasionally you may discover after deleting a GPO that it is still needed. In this step, you act as an Approver
to restore a GPO that has been deleted.
To restore a deleted GPO
1. On the Contents tab, click the Recycle Bin tab to display deleted GPOs.
2. Right-click MyGPO, and then click Restore.
3. Type a comment to be displayed in the history of the GPO, and then click OK.
4. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is
removed from the Recycle Bin tab and is displayed on the Controlled tab.
Note: Restoring a GPO to the archive does not automatically redeploy it to the production
environment. To return the GPO to the production environment, deploy the GPO as in Step 3:
Review and deploy a GPO.
After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a problem.
In this step, you act as an Approver to roll back to a previous version of the GPO. You can roll back to any
version in the history of the GPO. You can use comments and labels to identify known good versions and
when specific changes were made.
Microsoft Advanced Group Policy Management 3.0
70
To roll back to a previous version of a GPO
1. On the Contents tab, click the Controlled tab to display the controlled GPOs.
2. Double-click MyGPO to display its history.
3. Right-click the version to be deployed, click Deploy, and then click Yes.
4. When the Progress window indicates that overall progress is complete, click Close. In the History
window, click Close.
Note: To verify that the version that has been redeployed is the version intended, examine a
difference report for the two versions. In the History window for the GPO, select the two versions,
right-click them, point to Difference, and then click either HTML Report or XML Report.
Microsoft Advanced Group Policy Management 3.0
71
Microsoft® System Center Desktop Error Monitoring (DEM)
Introduction
Microsoft® System Center Desktop Error Monitoring is part of the Microsoft Desktop Optimization Pack for
Software Assurance (MDOP). It is built on Microsoft System Center Operations Manager 2007, and provides a
subset of the System Center Operations Manager features that enable you to collect information about
application and operating system failures that cause your client computers to hang or crash. You can manage
error reports created by the Windows Error Reporting (WER) client in Windows Vista® and the error-reporting
clients included in Windows® XP and Windows Server® 2003, in addition to other Microsoft programs.
If your error reporting clients are configured to work with Desktop Error Monitoring, error reports are
redirected to a secure Desktop Error Monitoring shared directory instead of being sent to Microsoft.
Important: Desktop Error Monitoring gives you access to the entire System Center Operations Manager
documentation set. However, not all of that documentation applies to Desktop Error Monitoring.
With Desktop Error Monitoring you can use one Desktop Error Monitoring Management Server to monitor
client computers without using agents; that is, agentless-managed computers. The management server and
error reporting clients should be in the same or in fully trusted domains.
OBTAINING THE DESKTOP ERROR MONITORING TOOL
To obtain System Center Desktop Error Monitoring, please download the Microsoft Desktop Optimization
Pack for Software Assurance, available at Microsoft Volume Licensing.
AUDIENCE FOR THIS GUIDE
This guide was written for Microsoft Windows system administrators. As an information technology (IT)
professional, you should have sufficient knowledge and experience to accomplish the following tasks:

Set up operating systems and computers.

Add computers to domains.

Posses a working knowledge of Active Directory® directory service and Microsoft Domain Name
System (DNS).
Hardware and software requirements are documented in the "System Requirements" section of this guide.
Microsoft® System Center Desktop Error Monitoring (DEM)
72
System Requirements
The supported configurations for System Center Desktop Error Monitoring are the same as for
System Center Operations Manager.
SYSTEM CENTER DESKTOP ERROR MONITORING MANAGEMENT SERVER
Hardware

Intel Pentium III 1 gigahertz (GHz) or greater CPU

2,048 megabytes (MB) or more RAM

10 gigabytes (GB) or more available hard disk space
Software

Windows Server 2003 with Service Pack 1 (SP1) or later

Microsoft Internet Information Services (IIS) 5.0 or later

Microsoft .NET Framework 2.0

Microsoft SQL Server® 2005 with SP1
WINDOWS DESKTOP
Hardware

Intel Pentium III 700 megahertz (MHz) or greater CPU

128 MB or more RAM

4 GB or more available hard disk space (includes space for cache)
Software

Microsoft Windows 2000; Windows XP Pro; or Windows Vista Business, Enterprise, or Ultimate editions
Microsoft® System Center Desktop Error Monitoring (DEM)
73
Installing the Desktop Error Monitoring Management Server
The section guides you, step-by-step, through the process of installing the System Center Desktop Error
Monitoring Management Server. In this guide we will install the database and management console on the
same computer.
BEFORE YOU BEGIN
The following items must be present on the server before installing the System Center Desktop Error
Monitoring Management Server:

Windows Server 2003 with SP1 or later

SQL Server 2005 with SP1

Active Directory

IIS 5.0 or later (must be installed prior to installing .NET Framework)

.NET Framework 2.0 and 3.0 components

ASP.NET 2.0

Windows PowerShell 1.0

Microsoft XML Core Services (MSXML) 6.0
Active Directory
Installing the management server on a primary or backup domain controller is not recommended.
The following accounts must be created in Active Directory:
For the Desktop Error Monitoring Management Server installation:

A Desktop Error Monitoring Administrators global security group

A Desktop Error Monitoring Administrator Account (add this user account to the Desktop Error
Monitoring Administrators security group)

A Management Server Action Account

An SDK and Config Service Account--the account must have local Administrator rights on the
Management Server.
Note: For the purposes of this guide we will be using the Local System account for the Management
Server Action Account and the SDK and Config Service Account. The Desktop Error Monitoring
Administrators group used will be the Domain Admins group.
Microsoft® System Center Desktop Error Monitoring (DEM)
74
For the Reporting Server installation:

Data Warehouse Write Account

Data Reader Account
If you have a domain password expiration Group Policy in place, remember to put these accounts in an
organizational unit (OU) that does not inherit the domain Group Policy object (GPO), unless you want to
change these service account passwords on the same schedule as all passwords.
A description of the accounts and their privileges is available on Microsoft TechNet.
.NET Framework
Make sure you have properly installed IIS 5.0 or later before you install the .NET Framework 2.0 and
3.0 components.
You can download the latest versions of these components from www.microsoft.com.
ASP.NET 2.0
To enable ASP.NET 2.0 in IIS:
1. In Administrative Tools, click Internet Information Services (IIS) Manager.
2. Expand Internet Information Services | {server_name}, and then click Web Service Extensions.
3. Right-click ASP.NET v2.0, and then click Allow, if necessary. If ASP.NET is not available, then.NET
Framework is installed but ASP.NET has not been installed. Perform the following steps:
a. In Control Panel, click Add or Remove Programs.
b. Click Add/Remove Windows Components.
c.
Click Application Server, and then click Details.
d. Select the ASP.NET check box, and then click OK.
e. Click Next.
f.
Click Finish.
Windows PowerShell 1.0
Windows PowerShell 1.0 can be downloaded from How to Download Windows PowerShell 1.0.
Microsoft® System Center Desktop Error Monitoring (DEM)
75
INSTALLING THE MANAGEMENT SERVER
The section guides you step-by-step through the process of installing the Desktop Error Monitoring
Management Server.
1. Insert the MDOP 2007 CD.
2. On the Microsoft Desktop Optimization Pack for Software Assurance page, click Microsoft System
Center Desktop Error Monitoring.
3. On the Microsoft System Center Desktop Error Monitoring page (Figure 1), click Install Microsoft
System Center Desktop Error Monitoring.
Figure 1. System Center Desktop Error Monitoring
If MSXML 6.0 is not installed, the MSXML 6.0 Parser Setup Wizard will run. Perform the following steps
to install the MSXML 6.0 Parser:
a. On the Welcome page, click Next.
b. On the License Agreement page, accept the terms of the license agreement, and then click Next.
c.
On the Registration Information page, type your Name and Company, and then click Next.
d. On the Ready to Install the Program page, click Install.
e. On the Completing the MSXML 6.0 Parser Setup page, click Finish.
Microsoft® System Center Desktop Error Monitoring (DEM)
76
4. On the Welcome to the System Center Operations Manager 2007 Setup Wizard page (Figure 2), click
Next. This wizard will install the System Center Operations Manager components that constitute the
Desktop Error Monitoring tool.
Figure 2. System Center Operations Manager Setup Wizard
5. On the End-User License Agreement page, accept the terms of the license agreement, and then click Next.
6. On Product Registration page, type a User Name and Organization, and then click Next.
7. On the Custom Setup page, review the components to be installed by the wizard, and then click Next.
Figure 3. Custom Setup
Microsoft® System Center Desktop Error Monitoring (DEM)
77
Note: If the prerequisite check passed with warnings or failures, click View Log to see them.
You cannot proceed with the installation until the system complies with all prerequisites.
8. On the Management Group Configuration page (Figure 4), type a Management Group name.
9. In the Configure MOM Administrators section, click Browse. Browse to a domain user group that you
want to set as an administrator, and then click OK.
Figure 4. Management Group Configuration
10. Click Next.
11. On the SQL Server Database Instance page, click the instance of the SQL Server database you want
Desktop Error Monitoring to use, and then click Next.
12. On the Database and Log File Options page, type a name and size (in megabytes) for the database.
(Note the recommended size for your database is 1,000 MB)
13. To change the default location for data files or log files, click Advanced.
14. Click Next.
15. On the Management Server Action Account page, click Local System, and then click Next.
16. On the SDK and Config Service Account page, click Local System, and then click Next.
17. On the Web Console Authentication Configuration page, leave Use Windows Authentication
selected, and then click Next.
18. On the Operations Manager Error Reports page, select the Do you want to send error reports to
Microsoft? check box, and then click Next.
Microsoft® System Center Desktop Error Monitoring (DEM)
78
Figure 5. Operations Manager Error Reports
19. On the Customer Experience Improvement Program page, click Join the Customer Experience
Improvement Program, and then click Next.
Figure 6. Customer Experience Improvement Program
20. On the Microsoft Update page, click Next.
21. On the Ready to Install the Program page, click Install.
22. On the Completing the System Center Operations Manager 2007 Setup Wizard page, clear the Start
the Console check box, and then click Finish.
Microsoft® System Center Desktop Error Monitoring (DEM)
79
Installing the Desktop Error Monitoring Reporting Server
The section guides you step-by-step through the process of installing the Desktop Error Monitoring
Reporting Server.
1. On the Welcome to Operations Manager 2007 Reporting Setup page, click Next.
Figure 7. Operations Manager 2007 Reporting Setup Wizard
2. On the End-User License Agreement page, accept the terms of the license agreement, and then
click Next.
3. On the Product Registration page, type a User Name and Organization, and then click Next.
4. On the Custom Setup page, review the components the wizard will install, and then click Next. To
change the location of the installation, click Browse.
Microsoft® System Center Desktop Error Monitoring (DEM)
80
Figure 8. Custom Setup
Note: If the prerequisite check passed with warnings or failures, click View Log to see them.
You cannot proceed with the installation until the system complies with all prerequisites.
5. On the Connect to the Root Management Server page, type the name of the Root Management
Server for Desktop Error Monitoring, and then click Next.
Figure 9. Root Management Server Connection
Microsoft® System Center Desktop Error Monitoring (DEM)
81
6. On the SQL Server Database Instance page, click the database instance you will use for reporting, and
then click Next.
7. On the Database and Log File Options page, type a name and size (in megabytes) for the
reporting database.
Note: The recommended size for your database is 1,000 MB.
8. To change the default location for data files or log files, click Advanced.
9. Click Next.
10. On the SQL Server Reporting Services Instance page, click the server instance on which SQL Server
Reporting Services runs, and then click Next.
11. On the Data Warehouse Write Account page, type the User Account name, Password, and Domain
or local computer name, and then click Next.
Note: Use user principal name (UPN) format (user@domain.com); do not use the
domain\user format.
12. On the Data Reader Account page, type the User Account name, Password, and Domain or local
computer name, and then click Next.
Note: Use user principal name (UPN) format (user@domain.com); do not use the
domain\user format.
13. On the Operational Data Reports page, click Yes, send operational data reports to Microsoft
(recommended), and then click Next.
14. On the Microsoft Update page, click Next.
15. On the Ready to Install the Program page, click Install.
16. Click Finish.
Microsoft® System Center Desktop Error Monitoring (DEM)
82
The System Center Operations Manager Operations Console
The Operations Console is the central management tool in System Center Operations Manager. It has a
consolidated interface that gives you immediate access to the Monitoring, Authoring, Reporting, and
Administrative views. You can control who has access to these areas by assigning user roles as appropriate
for your organization.
Desktop Error Monitoring gives you access to a limited set of System Center Operations Manager features;
therefore, you will not have access to all the components and features of System Center Operations
Manager.
For more information about using the Operations Console, see the System Center Operations Manager Help.
CLIENT MONITORING
Using System Center Desktop Error Monitoring you can use System Center Operations Manager
Management Server to monitor operating system and application failures that cause your client computers
to hang or crash. You can also participate in the Customer Experience Improvement Program (CEIP).
Desktop Error Monitoring consists of the following components:

Agentless Exception Monitoring (AEM)

Customer Experience Improvement Program (CEIP)
Agentless Exception Monitoring
AEM enables you to monitor operating systems and application failures that cause your client computers to
hang or crash. Error reporting clients are configured with Group Policy to redirect error reports to a System
Center Operations Manager Management Server, instead of directly to Microsoft. By staging error reports on
a Management Server, Desktop Error Monitoring provides detailed views and reports that aggregate error
data across your organization. The views and reports provide knowledge about failures and offer solutions,
as available, to help resolve the issues.
Important: The WER client is a feature of Windows XP and Windows Server 2003. For Microsoft
Windows 2000, the error reporting client is included in and reports errors for Microsoft programs,
such as Microsoft Office XP and Microsoft Office 2003 applications, Microsoft Visio® 2002, and
Microsoft Visual Studio® .NET.
Microsoft® System Center Desktop Error Monitoring (DEM)
83
Using Desktop Error Monitoring views and reports, you can determine how often an operating system or
application experiences an error and the number of affected computers and users. Using this information
you can direct your efforts to where they will have the greatest benefit to the organization.
When the error reports are anonymously synchronized with Microsoft, according to the Privacy Statement
for the Microsoft Error Reporting Service, any available solution responses for the respective errors are
provided. You can also use AEM to provide solutions for issues with internally developed applications.
Customer Experience Improvement Program
When you choose to participate in the CEIP, you configure clients using Group Policy to redirect CEIP reports
to a System Center Operations Manager Management Server, instead of directly to Microsoft. The
Management Server is configured to forward these reports to Microsoft, however.
Important: The CEIP reports do not contain contact information about you or your organization,
such as names or addresses.
The CEIP reports forwarded from your organization to Microsoft are combined with CEIP reports from other
organizations and individual customers to help Microsoft solve problems and improve the Microsoft
products and features customers use most often. For more information about the CEIP, see
Microsoft Customer Experience Improvement Program.
Microsoft® System Center Desktop Error Monitoring (DEM)
84
Configuring Client Monitoring
Use the following procedures to configure a Management Server for the server component of Desktop
Error Monitoring.
Important: If your server uses a proxy server to access the Internet and you plan to configure the
Management Server to forward error reports to Microsoft and receive links to available solutions for
those errors, or participate in the CEIP, you must first configure the Management Server's proxy
settings. For more information, see ―How to Configure Proxy Settings for an Operations Manager
2007 Management Server‖ in System Center Operations Manager online Help.
You will use the System Center Operations Manager Client Monitoring Configuration Wizard to configure
the Desktop Error Monitoring server component. The wizard will create a Group Policy template that will
then be deployed to configure error reporting on the client.
CONFIGURE THE MANAGEMENT SERVER FOR CLIENT MONITORING
The Management Server and error reporting clients must be in the same or in fully trusted domains.
1. Log on to the Management Server with an account that is a member of the System Center Operations
Manager Administrators role.
2. Open Windows Explorer and create a network share for the Group Policy template generated to be
copied to.
3. Click Start | All Programs | System Center Operations Manager 2007 | Operations Console.
4. In the Operations Console, click the Administration button.
When you run the Operations Console on a computer that is not a Management Server, the Connect To
Server dialog box appears. In the Server name text box, type the name of the Management Server that you
want the Operations Console to connect to.
5. In the Administration pane, expand Administration | Device Management, and then click
Management Servers.
6. In the Management Servers pane, right-click the server you want to configure, and then click Configure
Client Monitoring.
This will start the Client Monitoring Configuration Wizard. You can use the same procedure detailed in the
following steps to Disable Client Monitoring on the Management Server. If you disable client monitoring on
the Management Server, you must also disable it on client computers.
Microsoft® System Center Desktop Error Monitoring (DEM)
85
Note: The Configure Client Monitoring option will not be available if the selected computer is
a Gateway Server.
7. On the Introduction page, click Next.
8. On the Customer Experience Improvement Program page, click Yes, use the selected Management
Server to collect and forward CEIP data to Microsoft.
9. Leave the Use Secure Socket Layer (SSL) protocol check box selected.
Note: If you have installed a certificate on your Management Server, you can use Secure
Socket Layer (SSL) and Windows Authentication to have the client computers authenticate with
the Management Server. Otherwise clear the Use Secure Socket Layer (SSL) protocol
check box.
10. Leave the default Port value of 51907, and then click Next.
11. On the Configure Error Collection page, in the File Share Path, type C:\ErrorData.
We are using a local file share path to collect error reports, so the file share will be created at the local path
on the Management Server and shared, with the necessary permissions. If you are using a remote path,
System Center Operations Manager checks the sharing permissions. The file share path must be on an NTFS
file system partition and have at least 2 GB of free disk space. We recommend that the path be no longer
than 120 characters. The file share path can be a Universal Naming Convention (UNC) path; however, it must
not be mapped to a drive.
12. Click Collect application errors from Windows Vista or later computers.
13. Leave the Use Secure Socket Layer (SSL) protocol check box selected.
14. Leave the default Port value of 51906.
15. Type your organization name, using no more than 22 characters.
The custom Watson user interface (UI) will display the organization name on computers experiencing errors
and running Windows Server 2003 and earlier operating systems.
16. Click Next.
17. On the Configure Error Forwarding page, select the Automatically forward all collected errors to
Microsoft check box.
18. Click Detailed to help ensure Microsoft can provide a solution to the issue.
19. Click Next.
Microsoft® System Center Desktop Error Monitoring (DEM)
86
20. On the Create File Share page, click Other user account, type the User name and Password of an
account with rights to create the file share, click the Domain in the list, and then click Next.
Note: The account must have the necessary permissions to create a file share on the path provided
in step 11.
21. On the Create file Share: Task Status page, after the file share has been successfully created, click Next.
To modify the client monitoring settings on the Management Server, such as the file share, you must disable
and then re-enable client monitoring on the Management Server. You must also then modify the client
monitoring Group Policy settings on client computers.
22. On the Deploy Configuration Settings page, browse to the network share you created at which to save
the <ServerName>.ADM file, and then click Finish.
You will use the <ServerName>.ADM file to configure clients to redirect their client monitoring data to the
Management Server in Group Policy.
CONFIGURE CLIENTS FOR CLIENT MONITORING
1. Log on to the domain controller using a user account with Group Policy editing rights, and then start
Group Policy Management (gpmc.msc).
For information about Group Policy, see Windows Server 2003 Group Policy.
2. In the Group Policy Management console, right-click the Group Policy you want to administer using
agentless error monitoring, and then click Edit.
3. In the console tree, go to Computer Configuration | Administrative Templates | System | Internet
Communication Management, and then click Internet Communication settings.
4. In the details pane, double-click Turn off Windows Error Reporting, click Enable, and then click OK.
5. In the console tree, under Computer Configuration, right-click Administrative Templates, and then
click Add/Remove Templates.
6. Click Add, browse to and click the <ServerName>.ADM file created by the Client Monitoring
Configuration Wizard, and then click Open.
7. Click Close.
8. In the console tree, go to Computer Configuration | Administrative Templates | Microsoft
Applications | System Center Operations Manager (SCOM) (Figure.10).
Microsoft® System Center Desktop Error Monitoring (DEM)
87
Figure 10. Group Policy Object Editor
9. Enable the AEM policies that reflect the configuration of client monitoring for Desktop Error Monitoring.
10. Close the Group Policy Object Editor and the Group Policy Management Console.
Use this same procedure to disable the AEM policies, thereby disabling client monitoring on client
computers.
Microsoft® System Center Desktop Error Monitoring (DEM)
88
Accessing Agentless Exception Monitoring Views
Use the following procedure to access agentless exception monitoring views. AEM views help you determine
how often an operating system or application experiences an error and the number of affected computers
and users. This helps your organization direct its efforts to where they will have the greatest benefit.
1. Log on to the computer with an account that is a member of the Operations Manager Operators role for
the System Center Operations Manager Management Group.
2. Click Start | All Programs | System Center Operations Manager 2007 | Operations Console.
3. In the Operations Console, click Monitoring.
4. In the Monitoring pane, expand Monitoring, expand Agentless Exception Monitoring, and then click
a view (Figure 11).
Figure 11. Desktop Error Monitoring Overview
Microsoft® System Center Desktop Error Monitoring (DEM)
89
Accessing Agentless Exception Monitoring Reports
Reports for agentless exception monitoring appear in the System Center Operations Manager
Operations Console.
Available agentless exception monitoring reports include

Top Applications

Top Applications Growth And Resolution

Top Error Groups

Top Error Groups Grown And Resolution
Reporting data is available with virtually no latency. It is pre-aggregated, summarized, and indexed.
1. Log on to the computer with an account that is a member of the Operations Manager Operators role for
the System Center Operations Manager Management Group.
2. Click Start | All Programs | System Center Operations Manager 2007 | Operations Console.
3. In the Operations Console, click Reporting.
4. In the Reporting pane, expand Reporting, and then click Client Monitoring Views Library (Figure 12).
Figure 12. Client Monitoring Views Library Reports
Microsoft® System Center Desktop Error Monitoring (DEM)
90
5. The names of available reports appear in the Client Monitoring Views Library Reports pane.
6. To view a description of the report, click the report name. A description of the report appears in the
Report Details pane.
7. To view the report, right-click the report name, and then click Open.
8. The report opens in a window in which you can set the time period to be covered by the report and
other specifics. When you have the configured the settings you want, click Run.
Customizing Client Monitoring Data Collection and Solution Response URLs
for Error Groups
You can help decrease the time it takes to diagnose and resolve operating system and application failures
that cause client computers in your organization to hang or crash by customizing the data that is collected in
error reports and the solution response URL for an error group.
1. Log on to the computer with an account that is a member of the Operations Manager Operators role for
the System Center Operations Manager Management Group.
2. In the Operations Console, click Monitoring.
3. In the Monitoring pane, expand Monitoring | Agentless Exception Monitoring, and then click
Application Error Group View.
4. In the Error Group View, click an entry.
5. In the Actions pane, click Show or Edit Error Group Properties.
6. In the Error Group Responses dialog box, click Custom Collection, and then click Edit.
7. In the Diagnostic Data Collection Configuration dialog box, specify the Files, WMI Queries, and
Registry Keys you want to collect from the computers experiencing the error, and then click OK. A
computer will send the specified data in an error report to the Management Server on the next
occurrence of an error in the error group.
You can use variables, such as %ProgramFiles%, for file paths. For information about Windows
Management Instrumentation (WMI), see WMI Overview.
In the Error Bucket Responses dialog box, click Custom Solution link, type the URL for the custom error
information, such as http://server/errors/100.htm; click Test Link, and then click OK.
Microsoft® System Center Desktop Error Monitoring (DEM)
91
Microsoft Application Virtualization Version 4.5
Introduction
This is designed to help you quickly set up and evaluate a Microsoft® Application Virtualization (App-V)
environment. This guide outlines steps necessary to install Microsoft Application Virtualization server
components, both Microsoft System Center Application Virtualization Management Server and Microsoft
System Center Application Virtualization Streaming Server. You will install Microsoft Application
Virtualization for Desktops, publish the shortcuts of sequenced applications, and then stream and run these
virtual applications on App-V clients. You will learn to virtualize a select set of applications using Microsoft
System Center Application Virtualization Sequencer. You will also configure clients to run applications in a
standalone environment.
To help this process flow as smoothly as possible, we recommend that you read this guide before installing
the Microsoft App-V platform.
AUDIENCE FOR THIS GUIDE
This guide was written for Microsoft Windows® system administrators. As an information technology (IT)
professional, you should have sufficient knowledge and experience to accomplish the following tasks:

Set up operating systems and install applications.

Add computers to domains.

Set up and work comfortably with Active Directory® directory service and Microsoft Domain Name
System (DNS).
System requirements are documented in the System Requirements section of this guide.
OVERVIEW OF MICROSOFT APPLICATION VIRTUALIZATION
Microsoft Application Virtualization lets you deploy, update, and support applications as services in real time,
on an as-needed basis. When you use App-V, you transform individual applications from locally installed
products into centrally managed services. Applications become available everywhere they need to be—no
computer pre-configuration or changes to operating system settings are required. Microsoft Application
Virtualization consists of the following components.
Microsoft Application Virtualization Version 4.5
92
Microsoft System Center Application Virtualization Management Server
Microsoft System Center Application Virtualization Management Server delivers sequenced applications ondemand to Microsoft System Center Application Virtualization Client for Desktops. One or more App-V
servers can share a single SQL data store. The App-V Server authorizes and authenticates requests and
provides the security, metering, monitoring, and data gathering that you need. The server uses Active
Directory and supporting tools to manage users and applications.
Microsoft System Center Application Virtualization Management System
The App-V System includes the Microsoft System Center Application Virtualization Management Console
and Microsoft System Center Application Virtualization Management Service. Administrators use the App-V
Management Console (a Microsoft Management Console, or MMC, snap-in) to configure App-V
Management Servers. Using the App-V Management Console, administrators can add and remove
applications, change File Type Associations (FTAs), and assign access permissions and licenses to users and
groups. The App-V Management Service is the communication conduit between the App-V Management
Console and the SQL data store.
Microsoft Application Virtualization for Desktops
Microsoft Application Virtualization for Desktops automatically sets up and manages virtual environments
for App-V sequenced applications, publishes the applications to the user's desktop, and manages
connections to the App-V Server. The App-V Client stores user-specific virtual application settings in each
user's profile—for example, registry and file changes.
Microsoft Application Virtualization for Terminal Services
Microsoft Application Virtualization for Terminal Services automatically sets up and manages virtual
environments for App-V sequenced applications, publishes the applications to the Terminal Services virtual
desktop, and manages connections to the App-V Server. The App-V Client stores user-specific virtual
application settings in each user's profile—for example, registry and file changes.
Microsoft Application Virtualization Sequencer
Microsoft Application Virtualization Sequencer is a wizard-based tool administrators use to create App-V
sequenced applications. The Sequencer produces the application ―package,‖ which consists of several files.
These files include a sequenced application (.sft) file, one or more Open Software Description (.osd) "link" files,
one or more icon (.ico) files, a manifest xml file which can be used to distribute sequenced applications with
electronic software delivery (ESD) systems, and a project (.sprj) file. The .sft, .osd, and .ico files are stored on
MSCAV Server; these files are the keys that the App-V Client uses to access and run sequenced applications.
Microsoft Application Virtualization Version 4.5
93
Microsoft System Center Application Virtualization Streaming Server
This server has streaming capabilities including active/package upgrade without the Active Directory or SQL
Server requirements. However, it does not have a Desktop Configuration Service, licensing or metering
capabilities. This service relies on the manual or scripted addition of a manifest file for virtual application
configuration. The Desktop Configuration Service of the Microsoft System Center Application Virtualization
Management Server may also be used in conjunction with the Microsoft System Center Application
Virtualization Streaming Server so the Management Server configures the application, but the Streaming
Server delivers it.
System Requirements
For this evaluation, one computer will run Microsoft Internet Information Services (IIS), the Microsoft System
Center Application Virtualization Management Service, the Microsoft System Center Application
Virtualization Management Console, and the Microsoft System Center Application Virtualization Server. A
second computer will run Microsoft Application Virtualization for Desktops. You will need to set up a third
computer as a Windows domain controller with Windows DNS. You will also need an additional computer
for testing the Microsoft Application Virtualization Sequencer. All of the computers must be members of the
common domain (Figure 1). Note that you can use virtual machines on a single physical computer that
meets the system requirements.
Active Directory
DNS
Microsoft
Application
Virtualization
for Terminal
Services
Microsoft
Application
Virtualization
for Desktops
`
Microsoft System
Center Application
Virtualization Server
Microsoft
Application
Virtualization
Sequencer
Figure 1. System Center Application Virtualization in an isolated network
Microsoft Application Virtualization Version 4.5
94
We assume that you set up Microsoft Application Virtualization in a test lab, completely separate from your
production network. The purpose of this evaluation is for you to acquire basic experience with the App-V
platform. You can address any questions relating to integration into your production environment, such as
security concerns and enterprise-level design, later. Also, only basic platform functionality will be covered in
this guide, to simplify and focus on proof of concept. Microsoft Application Virtualization is covered in its
entirety by Microsoft training courses.
The following section lists the components used for this evaluation.
Windows Domain Controller

Windows Server 2008 domain with Microsoft DNS
Note: For users Setting up Application Virtualization for Secure Connections, Active Directory
Certificate Services will need to be configured.
Microsoft System Center Application Virtualization Management Server

Windows Server 2008 (32-bit or 64-bit)

IIS 7.0

Microsoft .NET Framework 2.0

Microsoft SQL Server 2005 Express Edition
Note: The computer host name of this server cannot begin with a number.
Microsoft System Center Application Virtualization Streaming Server

Windows Server 2008 (32-bit or 64-bit)

The Application Virtualization Management Console is only supported on 32-bit platforms.
Microsoft Application Virtualization for Terminal Services

Windows Server 2008 (32-bit only)
Microsoft Application Virtualization for Desktops

Windows Vista® Business, Enterprise, or Ultimate Editions
Microsoft Application Virtualization Sequencer
The requirements for Microsoft Application Virtualization Sequencer are identical to those of Microsoft
Application Virtualization Client for Desktops. Create a real partition or drive labeled "Q:" on the
Sequencer computer.
Microsoft Application Virtualization Version 4.5
95
Installing Microsoft System Center Application Virtualization Management Server
The section guides you through the step-by-step process of installing Microsoft System Center Application
Virtualization Management Server.
The following items must be configured on the domain controller computer:

Windows Server.2008

Active Directory Domain Services

Specified Active Directory objects
The following items must be present on the management server computer before installing Microsoft
System Center Application Virtualization Management Server:

Windows Server 2008

IIS 7.0 configured with ASP.NET (and required role features)

Microsoft SQL Server 2005 Express Edition
CONFIGURE THE WINDOWS SERVER 2008 DOMAIN CONTROLLER
Perform the following on the Windows Server 2008 domain controller:
Active Directory
Before you install the App-V Management Server, you must create the following objects in Active Directory:

Organizational Unit (OU): Create an OU in Active Directory for Microsoft Application Virtualizationspecific groups, and for the necessary Microsoft Application Virtualization domain account.

Microsoft Application Virtualization Administrative Group: Microsoft Application Virtualization
requires you to select an Active Directory group to use as an App-V administrators group for controlling
administrative access to the Management Console. Add to this group every user who needs to use the
Management Console. You cannot create this group directly from the Microsoft System Center
Application Virtualization Management Server installer.
Note: For the purposes of this guide, only a single-domain setup is supported in your test lab
environment. If you create groups, create them as global groups. Multi-domain and multi-forest
scenarios require a different setup and are covered in Microsoft training courses.

Microsoft Application Virtualization Users Group: Microsoft Application Virtualization requires that all
user accounts that access Microsoft Application Virtualization functions be a member of a provider policy
associated with a single group for general platform access. You can use an existing group (such as
Domain Users) or create a new group.
Microsoft Application Virtualization Version 4.5
96

Domain Test User Account: This account will be the user test account for Microsoft Application
Virtualization end-user functionality. Add your domain test user account to each of the groups discussed in
this list. If you do not, application shortcuts on the App-V Client will not display in your test user account.

Application Groups: Microsoft Application Virtualization associates the right to use an individual
application with a group. For the purposes of this guide, we will associate all test applications with the
Domain Users group, even though many other options exist for production use. If you decide to use
individual groups for application publishing, then the user will need to logout and log back into the
system to refresh their applications if a user has been added to a new application group. This is not
necessary if you are assigning a virtual application to an existing group which the user was already a
member of during the last logon.
CONFIGURE THE MICROSOFT APPLICATION VIRTUALIZATION MANAGEMENT SERVER
Perform the following on the machine to be the App-V Management Server:
Configuring IIS 7.0 for Windows Server 2008
Add the Web Server (IIS) role with the following role services enabled:

ASP.NET (and all required role services and features)

Windows Authentication

Management Tools
Install Microsoft SQL Server 2005 Express Edition SP2
Using SQL Server 2005 Express Edition is not a recommended configuration for a production environment of
Microsoft Application Virtualization. The Express Edition was chosen to facilitate the setup of this trail
environment only.
1. Download Microsoft SQL Server 2005 Express Edition SP2.
2. Run SQLEXPR32.EXE.
3. Read and accept the license agreement, and then click Next.
4. On the Installing Prerequisites page, click Install.
5. Click Next. The Microsoft SQL Server 2005 Setup wizard will launch.
6. On the Welcome page, click Next.
7. On the System Configuration Check page, verify that all checks were successful, and then click Next.
8. On the Registry Information page, enter a Name and Company, and then click Next.
9. On the Feature Selection page, click Client Components and select Entire feature will be installed on
local hard drive, and then click Next.
Microsoft Application Virtualization Version 4.5
97
10. On the Authentication Mode page, click Mixed Mode, and enter and confirm a sa password.
11. Click Next.
12. On the Configuration Options page, select the Add user to the SQL Server Administrator role check
box, and then click Next.
13. On the Error and Usage Report Settings page, click Next.
14. Click Install.
15. When setup is finished click Next.
16. On the Completing Microsoft SQL Server 2005 Setup page, click the Surface Area Configuration
tool link.
17. Click the Surface Area Configuration for Services and Connections link.
18. In the console tree, under Database Engine, click Remote Connections.
19. In the details pane, select Local and remote connections and click Apply.
20. In the alert dialog, click OK.
21. In the console tree, under Database Engine, click Service.
22. Click Stop, wait until the MSSQLSERVER service stops, and then click Start to restart the
MSSQLSERVER service.
23. In the console tree, click SQL Server Browser.
24. In the details pane, select Automatic from the Startup type list box.
25. Click Apply.
26. Click Start to start the SQLBrowser service.
27. Click OK.
28. Close the SQL Server 2005 Surface Area Configuration page.
29. Click Finish.
Note: Do not "lock down" these or any component of this server, or try to reuse your standard
server image. The purpose of this limited trial is to evaluate Microsoft Application Virtualization in a
test lab—not to determine whether Microsoft Application Virtualization will run in your production
environment.
Microsoft Application Virtualization Version 4.5
98
SERVER INSTALLATION
Perform the following on the machine to be the App-V Management Server:
Note: Before beginning the installation, verify that the SQL Server (SQLEXPRESS) service is started.
1. Extract and run the setup executable for Microsoft System Center Application Virtualization
Management Server.
2. On the Welcome page (Figure 2), click Next.
Figure 2. Welcome page
3. Read and accept the license agreement, and then click Next.
4. On the Microsoft Update page, click Next.
5. On the Registering Information page, type a Name and Organization in the corresponding boxes, and
then click Next.
6. On the Setup Type page, click Typical install, and then click Next.
7. On the Configuration Database page (Figure 3), point to the Server drop-down list, and then
click Next.
Microsoft Application Virtualization Version 4.5
99
Figure 3. Configuration Database page
8. On the Configuration Database page (Figure 4), click Create a new database, and then click Next.
Microsoft Application Virtualization Version 4.5
100
Figure 4. Configuration Database page
9. On the Connection Security Mode page (Figure 5), click Next.
Note: Configuring the management server for secure connections is covered in the Setting up
Application Virtualization for Secure Connections portion of this guide.
Microsoft Application Virtualization Version 4.5
101
Figure 5. Connection Security Mode page
10. On the TCP Port Configuration page (Figure 6), click Next.
Microsoft Application Virtualization Version 4.5
102
Figure 6. TCP Port Configuration page
11. On the Administrator Group page (Figure 7), type the name of the AppV Administrators group, and
then click Next.
Microsoft Application Virtualization Version 4.5
103
Figure 7. Administrator Group page
You can also type the first few letters of the group name, and then click Next, to display a list of groups
(Figure 8). Click the AppV Administrators group, and then click Next.
Microsoft Application Virtualization Version 4.5
104
Figure 8. Group Selection page
12. On the Default Provider Group page, type the name of the App-V Users group, and then click Next.
Note: This is the group to which all users must belong for access to Microsoft Application
Virtualization-enabled applications.
13. On the Content Path page (Figure 9), accept the default location of the Microsoft System Center
Application Virtualization Management Server content folder, and then click Next.
Microsoft Application Virtualization Version 4.5
105
Figure 9. Content Path page
14. The wizard now has all the information it needs to perform the installation. Click Install.
The wizard will copy the necessary files, install services, and create a database as specified in the preceding
steps. When the wizard finishes, the Microsoft System Center Application Virtualization Management
Console shortcut is displayed in the Administrative Tools group.
15. Once the installation wizard completes, click Yes to restart the server.
16. Once the server has restarted, click Start | Administrative Tools | Services, select the Application
Virtualization Management Server service and click Start.
Note: The App-V Management Server service fails to start on boot when running in a virtualized
environment. It will be necessary to start the service after any reboot to the Management Server.
17. Open Windows Explorer, go to C:\Program Files\Microsoft System Center App Virt Management
Server\App Virt Management Server\content and share the content folder. Ensure that Read access
to this folder is given to Everyone.
In this guide we will share the folder using Windows file-sharing settings. However, in a production
environment you might chose a different means of sharing the folder.
Microsoft Application Virtualization Version 4.5
106
CREATE A PROGRAM EXCEPTION IN WINDOWS FIREWALL
1. Click Start, type Firewall, and select Windows Firewall with Advanced Security.
2. In the management console, select Inbound Rules.
3. In the Actions pane, click New Rule….
4. On the Rule Type page, select Program and click Next.
5. On the Program page, select This program path and then click Browse.
6. Navigate to C:\PogramFiles\Microsoft System Center App Virt Management Server\App Virt
Management Server\bin and select sghwdsptr.exe.
7. Click Next.
8. On the Action page select Allow the connection and click Next.
9. On the Profiles page, accept the default values and click Next.
10. Enter a Name and Description for the rule and click Finish.
You now have installed Microsoft System Center Application Virtualization Management Server. If you
encountered any errors during the process, please refer to the Troubleshooting section at the end of
this guide.
Microsoft Application Virtualization Version 4.5
107
Installing Microsoft Application Virtualization for Desktops
The section guides you through the step-by-step process of installing Microsoft Application Virtualization for
Desktops on a Vista desktop.
Perform the following on the machine to be the App-V Client:
1. Extract and run the setup executable for Microsoft Application Virtualization for Desktops.
2. The setup wizard will scan for and prompt you to install Microsoft C++ and Microsoft Application
Error Reporting (Figure 10).
Figure 10. Installation requirements
3. In the InstallShield Wizard dialog box, click Install.
4. On the Welcome page (Figure 11), click Next.
Microsoft Application Virtualization Version 4.5
108
Figure 11. Welcome page
5. Read and accept the license agreement, and then click Next.
6. On the Microsoft Update Opt In page, click Next.
7. On the Setup Type page (Figure 12), click the Custom radio button, and then click Next.
Microsoft Application Virtualization Version 4.5
109
Figure 12. Setup Type
8. On the Destination Folder page, click Next.
9. On the Application Virtualization Data Location page, leave the default settings and click Next.
10. On the Cache Size Settings page, leave the default data storage setting and then click Next.
11. On the Runtime Package Policy Configuration page, leave the default settings and click Next.
12. On the Publishing Server page (Figure 13), select Set up a Publishing Server now.
Microsoft Application Virtualization Version 4.5
110
Figure 13. Desktop Configuration Server page
13. In the Display Name box and in the Host Name box, type the FQDN of the Application Virtualization
Management Server.
14. In the Type drop-down list, select Application Virtualization Server.
15. In the Port box, ensure that port 554 is selected.
16. Leave the Automatically contact this server to update settings when a user logs in check box
selected, and then click Next.
17. Click Install to begin the installation of the Microsoft Application Virtualization Desktop Client.
18. When the installation is complete, click Finish.
19. Log off of the client machine.
Microsoft Application Virtualization Version 4.5
111
Testing the Default Application
You are now ready to test the basic functionality of the platform by launching the Default Application on a
Microsoft Application Virtualization Client. The Default Application was automatically installed during
Microsoft Application Virtualization platform installation.
Perform the following on the App-V Management Server:
1. Click Start | Administrative Tools | Application Virtualization Management Console.
The App-V Management Console is installed on the App-V Server by default. In a production
environment, you can install the Management Console on any system capable of running MMC.
2. In the App-V Management Console, click Actions | Connect to Application Virtualization System.
3. In the Configure Connection dialog box (Figure 14), click to deselect the User Secure Connection
checkbox.
4. In the Web Service Host Name field, type the FQDN of your management server, and then click OK.
Note: You can also use ―localhost‖ for the Web Service Host Name.
Microsoft Application Virtualization Version 4.5
112
Figure 14. Configure Connection dialog
Note: The account you are using to log on to the App-V Management Server computer must be a
member of the App-V Administrators group in Active Directory.
5. In the console tree, expand [server name], and then click Applications (Figure 15).
Microsoft Application Virtualization Version 4.5
113
Figure 15. Application Virtualization Management Console
6. In the details pane, click Default Application and then, in the Actions pane, click Properties.
7. In the Properties dialog (Figure 16), next to the OSD Path box, click Browse.
8. In the Open dialog, type \\[server name]\content and press Enter.
9. Select the DefaultApp.osd file and click Open.
10. Perform the previous steps to configure the Icon Path.
11. Ensure that both the OSD Path and Icon Path are in UNC format
(ex. (\\[server name]\content\DefaultApp.ico).
Microsoft Application Virtualization Version 4.5
114
Figure 16. Default Application Properties page
12. Click the Access Permissions tab and confirm that the App-V Users group is granted access to
the application.
13. Click the Shortcuts tab, and then click Publish to User’s Desktop.
14. Click OK to accept the changes for the default application.
15. Open Windows Explorer and go to the content directory.
16. Double-click the DefaultApp.osd file and open it with Notepad.
17. Change the HREF to the following:
CODEBASEHREF=”RTSP://SERVER.mdopdemo.net:554/DefaultApp.sft”.
18. Close the DefaultApp.osd file and save changes.
Microsoft Application Virtualization Version 4.5
115
Perform the following on the App-V Client:
1. Log on as a user who is a member of the Application Virtualization Users group.
Note: In order to meet Microsoft security standards, Microsoft Application Virtualization has
implemented the Microsoft Windows version of Kerberos as the default security provider. This ticket
must be refreshed through logging in and out of the system in order to refresh the group
membership information in the Windows token. Once this occurs, the virtual applications will be
refreshed with the updated assignments.
2. On the desktop, double-click the Default Application Virtualization Application shortcut.
A status bar, displayed above the notification area, reports that the application is launching. If a "Launch
Failed" message displays, click the message to see more information about the error. After a successful
launch, the title screen for the Default Application displays (Figure 17).
Figure 17. Default Application dialog box
3. Click OK to close the dialog box.
The Microsoft Application Virtualization system is now running. If you have encountered any errors
performing these procedures, please refer to the ―Troubleshooting‖ section at the end of this guide.
Microsoft Application Virtualization Version 4.5
116
Microsoft Application Virtualization for Terminal Servers
The installation and operation of Microsoft Application Virtualization for Terminal Services Client is almost
identical to that of Microsoft Application Virtualization for Desktops.
TESTING APPLICATIONS
You can log on to the Terminal Server multiple times using Remote Desktop Protocol (RDP) and test the
various applications simultaneously.
Installing Microsoft Application Virtualization Sequencer
Microsoft Application Virtualization Sequencer packages the Microsoft Application Virtualization-enabled
applications that are streamed to Microsoft Application Virtualization Clients.
BEFORE YOU INSTALL MICROSOFT APPLICATION VIRTUALIZATION SEQUENCER
The Sequencer computer must meet the same minimum requirements as Microsoft Application Virtualization
for Desktops, but a fast workstation-class computer will significantly speed up the sequencing process. The
workstation should be set up with one or more hard disk drives with ample disk space.
There are two main methods for setting up the sequencer computer:
Option 1: Virtual Machine
Do a fresh install of a supported operating system to a virtual machine (VM). Do not use your "standard
desktop image" or install any other applications on this image at this time. Then, follow the product-specific
steps below.
Microsoft Virtual Server product: Add a second dynamically expanding virtual hard disk. Within the VM,
set the drive letter to "Q." Enable Undo disks and commit the existing configuration. After each time you
sequence an application, turn off the VM and discard the undo disk to this VM to get back to a "clean"
operating system.
Option 2: Local Image
Create at least two partitions on the hard disk. Make the first partition at least 4 GB in size for the operating
system. The second partition should consume the remainder of the hard disk space, preferably more than 10
GB in total size. Set the drive letter to "Q" for the second partition. Do a fresh install of a supported
operating system to the first partition. Do not use your "standard desktop image" or install any other
Microsoft Application Virtualization Version 4.5
117
applications on this image at this time. Using a utility like Symantec Ghost, store a disk image of the first
partition on the second partition. This method lets you rapidly restore the sequencing computer to a "clean"
installation of your operating system, after each time you sequence an application.
Why a Q Drive?
Why sequence to a Q drive? The purpose is for the core application installation path to remain constant
across all computers in the enterprise, which might not have constant system drives; for example, drive M for
terminal servers and drive C for desktop computers. This is accomplished using a real drive or partition on
the Microsoft Application Virtualization Sequencer computer and a virtual drive on Microsoft Application
Virtualization Clients. The virtual drive on Microsoft Application Virtualization Clients is created by
SystemGuard virtualization technology and not by a disk partitioning tool. The Q drive is the default drive
letter and can be changed if needed in a production roll out. Microsoft has a method to handle applications
that must be installed to a fixed drive; this is explained in Microsoft training courses.
Dynamic Suite Composition
Dynamic Suite Composition (DSC) provides a method for administrators to control which virtual applications
will be combined to create a unified, virtual working environment for an application set. DSC provides a way
for the admin to specify mandatory or optional dependencies between virtual applications. Once a virtual
application is run on the client, it will also launch the dependent virtual application’s environment, allowing
the combination of both virtual environments. DSC enables a ―one-to-many‖ scenario for middleware
applications. An example case for the use of DSC is applications that require the Java Runtime Environment
(JRE). The administrator would sequence the JRE into its own virtual application. The administrator would
then reset the sequencer, install the JRE locally and then sequence the dependent application. A dependency
would then be created between the single virtual JRE package and the different virtual dependent
applications. This ―one-to-many‖ scenario allows multiple virtual applications to share the same virtual JRE
package. DSC reduces the sequencing overhead as only one JRE needs to be sequenced instead of resequencing the JRE into each individual package. Updates are also simplified as the single JRE package
would be updated instead of multiple packages.
DSC is an important part of Microsoft Application Virtualization 4.5; however, for the sake of simplicity, this
guide does not include the process as part of the instructions. For more information on Dynamic Suite
Composition, please contact your Microsoft representative.
Microsoft Application Virtualization Version 4.5
118
Installing Microsoft Application Virtualization Sequencer
Perform the following on the machine to be the Microsoft Application Virtualization Sequencer:
Important: Do not install Microsoft Application Virtualization Sequencer on a computer that hosts
Microsoft System Center Application Virtualization Management Server or Microsoft Application
Virtualization for Desktops.
1. Run the setup executable for Microsoft Application Virtualization Sequencer.
2. The setup wizard will scan for and prompt to install Microsoft C++ (Figure 18).
Figure 18. Visual C++ installation
3. In the InstallShield Wizard dialog box, click Install.
4. On the Welcome page, click Next.
5. Read and accept the licensing agreement, and then click Next.
6. Accept the default installation path, and then click Next.
7. Click Install.
8. When the installation is complete, click Finish. Microsoft Application Virtualization Sequencer will start.
Microsoft Application Virtualization Version 4.5
119
Sequencer Files
To enable a Windows application for Microsoft Application Virtualization, the sequencer produces the
following files:
ICO – The .ico (icon) file specifies the icon that appears on the Microsoft Application Virtualization Client
desktop. When you double-click the icon, you are actually launching the shortcut to the corresponding .osd
file, described below, that begins the data streaming and application launch process. From the user
perspective, the experience of launching a Microsoft Application Virtualization-enabled application is
identical to launching a locally stored application.
OSD – The .osd (Open Software Description) file provides the information necessary to locate the .sft file for
the application and set up and launch the application. This information includes the application name, the
name and path to the executable file, the name and path to the .sft file, the suite name, the supported
operating systems, and general comments about the application.
SFT – The .sft file contains the asset files that include one or more Windows applications. Microsoft
Application Virtualization Sequencer, without altering the source code, packages these asset files into chunks
of data that can be streamed to the Microsoft Application Virtualization Client. The file is divided into two
distinct blocks. The first block, called Feature Block 1 (FB1), consists of the application’s most-used features,
as configured by the sequencing engineer. FB1 is streamed to the Microsoft Application Virtualization Client
the first time the user launches the application. The remainder of the application is in Feature Block 2 (FB2).
FB2 is streamed to the Microsoft Application Virtualization Client on demand. By default, the blocks are
divided into 32 KB "chunks" of data.
SPRJ – The .sprj (Sequencer project) file is generated when a project is saved. The .sprj file contains a list of
files, directories, and registry entries that are excluded by the Sequencer. Load this file in the Sequencer to
add, change, delete, or upgrade any of the applications in the suite. A common example of when you might
use the .sprj files is when you add service packs to an application.
Manifest File – The manifest file (xml based) can be used by ESDs to deploy applications using App-V
sftmime scripting
MSI – App-V Sequencer generated .msi files can be deployed to clients configured for stand-alone
operations.
Microsoft Application Virtualization Version 4.5
120
Sequencing Word Viewer 2003
This section walks through a simple sequencing process. You can use Word Viewer 2003 as a test case that
you can easily and quickly deploy using the Microsoft Application Virtualization platform.
Perform the following on the App-V Sequencer:
1. Download Word Viewer 2003 and then copy the installer to a temporary directory on the App-V
Sequencer computer.
2. Open Windows Explorer, go to the Q:\ drive and create a folder named wdviewer.2k3.
3. Create a directory on the sequencer desktop called WordViewer2003. You will save the output of the
sequencer to this directory.
4. Click Start | All Programs | Microsoft Application Virtualization | Microsoft Application
Virtualization Sequencer to open Microsoft Application Virtualization Sequencer (Figure 19).
Figure 19. Microsoft Application Virtualization Sequencer
Microsoft Application Virtualization Version 4.5
121
5. Click File | New Package. The Sequencing Wizard displays.
6. On the Package Information page (Figure 20), provide the following information:
a. Package Name: Word Viewer 2003. The package name is a common label for all of the applications
in the software suite. For example, the package Microsoft Office 2007 comprises Microsoft Word,
Microsoft PowerPoint, etc.
b. Comments: Use this field to record relevant information, such as the person who sequenced the
application, specific configuration, etc.
Figure 20. Package Information page
Microsoft Application Virtualization Sequencer–generated .msi files can be deployed to clients configured for
stand-alone operations. See the Offline Deployment section of this guide for more information on
configuring clients for offline operation and deploying Sequencer-generated .msi files.
7. Click Next.
8. On the Monitor Installation page (Figure 21), click Begin Monitoring.
Microsoft Application Virtualization Version 4.5
122
Figure 21. Monitor Installation page
9. In the Browse For Folder section, go to Q:\wdviewer.2k3, and then click OK.
10. Wait for the monitor to load the virtual environment and to display the status Monitoring started.
Please begin installation.
Note: Open instances of Windows Explorer and command prompts will not be monitored. In
the following steps you can install the application using Windows Explorer.
11. Run the Word Viewer 2003 installer.
12. Accept the terms of the license agreement, and then click Next.
13. Click Browse, go to Q:\wdviewer.2k3, click the New Folder button to create the Microsoft Office
folder, navigate to the Microsoft Office folder and then click OK.
14. On the Install Word Viewer to page (Figure 22), click Install.
Microsoft Application Virtualization Version 4.5
123
Figure 22. Install Word Viewer to page
15. In the Success dialog box, click OK.
16. In Windows Explorer, go to Q:\wdviewer.2k3\Microsoft Office\OFFICE11 and
double-click WORDVIEW.
17. Click Cancel and close Word Viewer.
18. Switch to the Sequencing Wizard, and click Stop Monitoring.
19. When the monitoring is finished, click Next.
20. On the Add Files to Virtual File System page, click Next.
21. On the Configure Applications page (Figure 23), click Applications.
Microsoft Application Virtualization Version 4.5
124
Figure 23. Configure Applications page
22. In the details pane, click Microsoft Office 2003 component, and then click Remove.
23. Click OK.
24. In the details pane, click Microsoft Office Word Viewer 2003, and then click Edit.
25. In the Edit Application dialog box, set the following .osd file properties (Figure 24), and then click Save.
a. Name: Word Viewer
b. Version: 2003
c.
OSD Filename: WordViewer2003.osd.
Microsoft Application Virtualization Version 4.5
125
Figure 24. Edit Application dialog box
26. Click Save.
27. Under Applications, expand Word Viewer.
28. Click File Type Associations to view the FTAs the sequencer has recorded.
29. Click Shortcuts to view where the shortcuts for this application will be located on the Microsoft
Application Virtualization Client desktop.
30. When you are done viewing this information, click Next.
31. On the Launch Applications page (Figure 25), click Word Viewer, and then click Launch.
Microsoft Application Virtualization Version 4.5
126
Figure 25. Launch Applications page
The Launch Applications page lets you launch the applications associated with the shortcuts Microsoft
Application Virtualization created. This will determine Feature Block 1 (FB1), which contains the portion of
the application required to launch the application on the Microsoft Application Virtualization Client.
32. In the Open dialog box, click Cancel.
33. In Word Viewer, click File | Exit.
34. Click Next.
35. On the Sequence Package page, when the sequencing is complete, click Finish.
36. On the Sequencer summary page, click the Deployment tab.
37. Set the following properties for the package (Figure 26):
a. Protocol: RTSP
b. Hostname: FQDN of Management Server
c.
Path: WordViewer2003
d. Generate Microsoft Windows Installer (MSI) Package: Enabled
e. Compression Algorithm: Compressed (ZLIB)
Microsoft Application Virtualization Version 4.5
127
Figure 26. Deployment Tab
38. Click File | Save, and then go to the folder WordViewer2003 that you created on the desktop and save
your work as WordViewer2003.sprj.
39. Close the Sequencer.
40. Copy the WordViewer2003 folder to the content share on the App-V Management Server.
The files produced by Microsoft Application Virtualization Sequencer (.ico, .osd, .sft, and .sprj) must be in the
shared content directory on the App-V Management Server (the default location is C:\Program
Files\Microsoft System Center App Virt Management Server\App Virt Management Server\content).
Microsoft Application Virtualization Version 4.5
128
Perform the following on the App-V Management Server:
1. In Administrative Tools, click Application Virtualization Management Console.
2. In the console tree, right-click [server name] and click System Options….
3. On the General tab, in the Default Content Path textbox, enter the UNC path to the content share on
the server, \\[server name]\content.
4. Click OK.
5. In the console tree, expand [server name], and then click Applications.
6. Right-click Applications, and then click Import Applications….
7. Navigate to \\[server name]\content, and open the WordViewer2003 folder.
8. Click the WordViewer2003.sprj file and click Open. The New Application Wizard will launch.
9. On the General Information page, verify that the OSD Path and Icon Path are in UNC format (for
example, \\server\content\WordViewer2003\WordViewer2003.osd) and that the Enabled checkbox
is selected.
10. Click Next.
11. On the Published Shortcuts page, click to select the appropriate shortcut location checkboxes and
click Next.
12. On the File Associations page, click Next.
13. On the Access Permissions page, click Add.
14. In the Add/Edit User Group dialog, navigate to the appropriate user group to access the application
(App-V Users) and click OK.
15. Click Next.
16. On the Summary page, review the configuration information and click Finish.
To access the newly published application, log off of the Microsoft Application Virtualization Desktop Client
machine and log on as a member of the user group to which the application is assigned. The application will
now be available to clients at the designated shortcut locations.
Microsoft Application Virtualization Version 4.5
129
Sequencing Silverlight 1.0 for Internet Explorer
This section walks you through creating a virtual environment for Windows Internet Explorer with the
Microsoft Silverlight plug-in. The web plug-in will appear only in a virtualized copy of Internet Explorer, and
will not be installed in the local Internet Explorer. Because Internet Explorer is part of the operating system,
we will point to the local Internet Explorer executable file on each Microsoft Application Virtualization Client,
and apply the changes within the virtual environment on top of the local environment.
Perform the following on the App-V Sequencer:
1. Open Windows Explorer and go to drive Q.
2. Create a directory named slvrlght.001.
3. Click Start | All Programs | Microsoft Application Virtualization | Microsoft Virtual Application
Sequencer.
4. Click File | New Package.
5. On the Package Information page, type the following information in the relevant boxes:
a. Package Name: Silverlight
b. Comments: Sequenced on Windows Vista using 4.5
6. Click Next.
7. On the Monitor Installation page, click Begin Monitoring.
8. In the Browse For Folder dialog, go to Q:\slvrlight.001 and click OK.
9. Wait a moment for the virtual environment to load and the status text to read ―Monitoring started.
Please begin installation.‖
10. Open Windows Explorer, go to C:\Lab Files\Silverlight, and then double-click Silverlight.exe.
11. Wait until the installation process completes.
12. Click Start | Internet.
13. Close Internet Explorer.
14. Switch to the Sequencer and click Stop Monitoring.
15. Click Next.
16. On the Add Files to the Virtual File System page, leave the default values, and click Next.
17. On the Configure Applications page, select Launch Internet Explorer and click Edit.
Microsoft Application Virtualization Version 4.5
130
18. Enter the following information in the relevant fields:
a. Name: IE with Silverlight
b. Version: 1.0
c.
OSD File Name: Silverlight.osd
19. Click Save.
20. Click Next.
21. On the Launch Applications page, click Next.
22. Click Yes.
23. On the Sequence Package page, click Finish.
24. On the Sequencer summary page, click the Deployment tab.
25. Enter the following information in the relevant fields:
a. Protocol: RTSP
b. Hostname: FQDN of the Management Server
c.
Path: Silverlight
d. Compression Algorithm: Compressed (ZLIB)
26. Click File | Save.
27. Go to the desktop and create a folder named Silverlight.
28. Open the Silverlight folder.
29. Change the File Name to Silverlight.
30. Click Save and close the Sequencer.
31. Copy the folder Silverlight to the content directory on the App-V Management Server.
32. Add the new application to the App-V Management Console, following instructions provided with the
pre-sequenced application.
33. On the App-V Desktop Client, log on and off to receive the newly published application. If needed,
follow the instructions in the section Testing the Default Application earlier in this guide.
Microsoft Application Virtualization Version 4.5
131
Microsoft System Center Application Virtualization Streaming Server
The Microsoft System Center Application Virtualization Streaming Server has streaming capabilities that
include active/package upgrade without the Active Directory or SQL Server requirements of the Microsoft
System Center Application Virtualization Management Server. However, it does not have a Desktop
Configuration Service, licensing, or metering capabilities. This service is intended to provide lightweight
virtual application delivery at branches without the additional management overhead of Active Directory or
Microsoft SQL Server in each branch. The Desktop Configuration Service of the Microsoft System Center
Application Virtualization Management Server can also be used in conjunction with the Microsoft System
Center Application Virtualization Streaming Server, so the Management Server centrally controls the virtual
application publishing, but the local Streaming Server dynamically delivers it from the local network. This
guide will show how these two capabilities can be used together.
CONFIGURE THE MICROSOFT APPLICATION VIRTUALIZATION STREAMING SERVER
Perform the following on the machine to be the App-V Streaming Server:
Installation
1. Launch the Streaming Server setup executable. The Microsoft Application Virtualization Streaming
Server installation wizard will appear.
2. On the Welcome page, click Next.
3. Accept the terms of the licensing agreement, and then click Next.
4. On the Microsoft Update Opt In page, click Next.
5. On the Customer Information page, enter a User Name and Organization, and then click Next.
6. On the Installation Path page, click Next.
7. On the Connection Security Mode page, click Next.
8. On the TCP Port Configuration page, click Next.
9. On the Content Root page, click Next.
10. On the Advanced Settings page (Figure 27), uncheck Enable User authentication.
11. Change the Package update (sec) to 10 sec.
Normally this setting is 30 minutes, but for the purposes of our demonstration we will change it to
10 seconds to speed up the process.
Microsoft Application Virtualization Version 4.5
132
Figure 27. Advanced Settings page
12. Click Next.
13. On the Ready to Install the Program page, click Install.
14. On the Completed page, click Finish.
15. Click Yes to restart the server.
16. In Windows Explorer, go to C:\Program Files\Microsoft System Center App Virt Streaming
Server\content, and share the content folder. Ensure that Read access to this folder is given
to Everyone.
17. Copy the WordViewer2003 folder, from the content share on the Management Server, into the content
share on the Streaming Server.
CLIENT CONFIGURATION
Perform the following on the Microsoft Application Virtualization client:
1. Click Start | Administrative Tools | Application Virtualization Client.
2. In the console tree, click Applications.
3. Right-click Word Viewer 2003 and click Delete.
4. Click Yes and close the Application Virtualization Client console.
5. Open the Registry Editor.
Microsoft Application Virtualization Version 4.5
133
6. In the Registry Editor, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration (Figure 28).
7. In the details pane, double-click AllowIndependantFileStreaming, enter a value of 1, and then click OK.
8. In the details pane, double-click ApplicationSourceRoot.
9. Enter the URL to the streaming server. For example, if your streaming server name is ―StreamingServer‖
then you would enter ―RTSP://StreamingServer:554‖ and then click OK.
Figure 28. Configuration
10. Close the Registry Editor.
11. In the system tray, right-click the Microsoft Application Virtualization icon and click
Refresh Applications.
12. On the desktop, double-click Word Viewer 2003. Word Viewer will load and stream from the
Streaming Server, and then launch an Open dialog box.
13. Click Cancel, and then close Word Viewer 2003.
14. In the Administrative Tools, click Application Virtualization Client.
15. In the console tree, click Applications.
16. Right-click Word Viewer 2003 and click Properties.
17. Click the Package tab and view the Package URL field.
You will notice that the package is now streaming from the Microsoft System Center Application
Virtualization Streaming Server content share.
Microsoft Application Virtualization Version 4.5
134
Offline Deployment Using the Sequencer-Generated .msi File
The Microsoft Application Virtualization Sequencer now has an option to create an .msi file that automates
the addition of the virtual application. The .msi contains metadata so an ESD system can recognize it and
control the virtualized applications. Stand-alone mode requires the client to go into stand-alone mode,
which only allows .msi-based updates of the virtual applications; streaming is not allowed while in standalone mode. This mode is meant for those rarely connected users that need the power of virtualized
applications, but do not have access to a server. Microsoft will be releasing a Group Policy administrative
template (.adm) to manage these settings centrally through group policy with the final General Availability
version of Microsoft Application Virtualization 4.5.
CONFIGURING THE CLIENT FOR STAND-ALONE MODE
Perform the following on the Microsoft Application Virtualization client:
1. Click Start | Administrative Tools | Application Virtualization Client.
2. In the console tree, click Applications.
3. Right-click Word Viewer 2003 and click Delete.
4. Click Yes to confirm and close the Application Virtualization Client.
5. Open the Registry Editor.
6. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration (Figure 29).
7. In the details pane, double-click RequireAuthorizationIfCached.
8. In the Value data field, type 0, and then click OK.
Microsoft Application Virtualization Version 4.5
135
Figure 29. Configuration
9. In the console tree, under Client, click Network (Figure 30).
10. In the details pane, double-click AllowDisconnectedOperation.
11. In the Value data field, ensure the setting is 1, and then click OK.
12. In the details pane, double-click Online.
13. In the Value data field, ensure the setting is 0, and then click OK.
Figure 30. Network
Microsoft Application Virtualization Version 4.5
136
14. In the console tree, under Client, click Permissions (Figure 31).
15. In the details pane, double-click ToggleOfflineMode.
16. In the Value data field, type 0, and then click OK.
Figure 31. Permissions
17. Close the Registry Editor.
18. Copy WordViewer2003.msi from the files sequenced earlier in the guide to the client computer.
19. In the Word Viewer 2003 wizard (Figure 32), on the Welcome page, click Next.
Microsoft Application Virtualization Version 4.5
137
Figure 32. Word Viewer 2003 Wizard Welcome page
20. On the Installation Complete page, click Close.
21. Click Start | Programs | Word Viewer 2003. The application will launch an Open dialog box.
22. Click Cancel, and then close Word Viewer.
Microsoft Application Virtualization Version 4.5
138
Setting up Application Virtualization for Secure Connections
The following role must be installed on the domain controller computer:

Active Directory Certificate Services
The following items must be configured on the management server computer:
Server Certificate
Perform the following on the Microsoft Application Virtualization Management Server:
To configure the App-V Management Server for secure connections a certificate has to be provisioned to the
server. The following requirements must be met for the App-V Management server to use a provisioned
certificate for secure configuration:

Certificate must be valid.

Certificate must contain the correct Enhanced Key Usage (EKU) – Server Authentication
(OID 1.3.6.1.5.5.7.3.1).

Certificate FQDN must match the server on which it is installed.

Client (and server) need to trust the root CA.

Certificate Private Key has to have permissions changed to allow App-V Service account access to the
certificate (see below).
Perform the following to issue a certificate to the Management Server and configure it for use with Microsoft
Application Virtualization:
1. Click Start, type mmc, and press Enter.
2. In the console, click File | Add/Remove Snap-in….
3. In the Available snap-ins list, select Certificates and click Add.
4. On the Certificates snap-in page, select Computer account and click Next.
5. On the Select Computer page, click Finish.
6. Click OK.
7. In the console tree, expand Certificates.
8. Right-click Personal and click All Tasks | Request New Certificate….
9. On the Certificate Enrollment page click Next.
10. Select the Computer check box and click Enroll.
Microsoft Application Virtualization Version 4.5
139
11. Click Finish.
12. In the console tree, expand Personal and click Certificates.
13. In the details pane, right-click the certificate issued to the computer and click All Tasks | Manage
Private Keys….
14. Click Add, type Network Service and press Enter.
15. Give the NETWORK SERVICE account Read permissions on the certificate.
16. Click OK.
17. Close the MMC console.
Configure IIS 7.0 to Allow Secure Connections:
Perform the following to secure connections to the Microsoft Application Virtualization management service.
1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand [server name] | Sites and click Default Web Site.
3. In the Actions pane, click Bindings….
4. In the Site Bindings dialog, click Add….
5. From the Type: drop-down select https, from the SSL certificate select the certificate issued to the server
from the CA, and then click OK.
6. Click Close.
Secure the Application Virtualization Management Console Connection to the Web Service
1. Click Start | Administrative Tools | Application Virtualization Management Console.
2. In the console tree, select [server name] and in the Actions pane click Configure Connection….
3. In the Configure Connection dialog (Figure 33), select the User Secure Connection checkbox.
Microsoft Application Virtualization Version 4.5
140
Figure 33. Configure Connection dialog
4. Click OK.
Configuring the Application Virtualization Management Console for RTSPS:
1. In the Application Virtualization Management Console, expand [server name] | Server Groups and click
Default Server Group.
2. In the details pane, right-click [server name] and click Properties.
3. In the server properties dialog, click the Ports tab.
4. On the Ports tab (Figure 34), under Enhanced Security, click Server Certificate….
Microsoft Application Virtualization Version 4.5
141
Figure 34. Ports tab
5. In the Certificate Wizard, on the Welcome page, click Next.
6. On the Available Certificates page (Figure 35), select the certificate you provisioned for use with AppV
and click Next.
Microsoft Application Virtualization Version 4.5
142
Figure 35. Available Certificates page
7. On the Certificate Summary page, click Finish.
8. In the server properties dialog (Figure 36), on the Ports tab, click to select the RTSPS port check box and
deselect the RTSP port checkbox.
Microsoft Application Virtualization Version 4.5
143
Figure 36. Ports tab
9. Click OK.
10. In the warning dialog, click OK.
11. Click Start | Administrative Tools | Services, select the Application Virtualization Management
Server service and click Restart.
12. Close Services.
13. Open Windows Explorer and go to the content directory.
14. Double-click the DefaultApp.osd file and open it with Notepad.
15. Change the HREF to the following:
Microsoft Application Virtualization Version 4.5
144
CODEBASEHREF=”RTSPS://SERVER.mdopdemo.net:322/DefaultApp.sft”.
16. Close the DefaultApp.osd file and save changes.
Configuring the Application Virtualization Client for RTSPS:
Perform the following on the Microsoft Application Virtualization Client:
1. Click Start | Administrative Tools | Application Virtualization Client.
2. In the console tree, click Publishing Servers.
3. In the details pane, right-click [server name] and click Properties.
4. In the server properties dialog (Figure 37), expand the Type drop-down and click Enhanced Security
Application Virtualization Server.
Figure 37. Server Properties dialog
Microsoft Application Virtualization Version 4.5
145
5. Click OK.
6. In the console tree, click Applications.
7. In the details pane, right-click DefaultApp and click Unload.
8. Close Application Virtualization Client.
9. On the desktop, double-click Default Application.
10. In the Microsoft Application Virtualization Default Application dialog, click OK.
Troubleshooting
This section addresses some of the most common pitfalls you might encounter when you install, configure,
and test the Microsoft Application Virtualization platform.
If you need additional help, search either the Microsoft Knowledge Base or the Application Virtualization
TechCenter.
COMMON ERRORS ON MICROSOFT APPLICATION VIRTUALIZATION CLIENT
The following sections list the most common errors encountered with Microsoft Application Virtualization
Desktops and the most common solutions to those errors.

When you attempt to refresh the server you get an error that says, "The client failed to download..." and
"The server could not authorize you to access the requested data..."

The application shortcut is not on the Microsoft Application Virtualization Client desktop.

The application did not stream to the Microsoft Application Virtualization Client. If the application fails to
stream you see the "Launch Failed" error message above the notification area.
POSSIBLE CAUSES

The user account used to log on to the Microsoft Application Virtualization Client is not a member of the
Microsoft Application Virtualization Users group or is not a domain user account.

The .sft, .ico, and/or .osd files are not in the Microsoft System Center Application Virtualization
Management Server ―content‖ folder. Copy these file to C:\Program Files\Microsoft Application
Virtualization\Microsoft System Center Application Virtualization Server\Application Virtualization
Server\content.

Mistyped .osd and .ico paths in the application record in Microsoft System Center Application
Virtualization Management Console.
Microsoft Application Virtualization Version 4.5
146

The Microsoft Application Virtualization client cannot access the ―content‖ directory on the Microsoft
System Center Application Virtualization Server. Check the permissions settings on the content share.

The Microsoft Application Virtualization client cannot access the Microsoft System Center Application
Virtualization Management Server. Check network settings and cabling.

The ―content‖ folder on the Microsoft System Center Application Virtualization Management Server is
not set to share or to be shared with everyone who has read access.

The Microsoft Application Virtualization client is not a member of the domain.

The user lacks necessary permissions to access the application. Reread and follow the procedure
regarding importing .osd files, paying close attention to setting the access group.

The operating system of the Microsoft Application Virtualization Client computer is not listed in the .osd
file of the application.
If none of the above appears to be the cause of the problem, check the Microsoft Application Virtualization
Client log (Sftlog.txt) in C:\Program Files\Microsoft Application Virtualization\Microsoft Application
Virtualization for Desktops for errors.
Accessing the Microsoft Support Knowledge Base
To access the Microsoft Support knowledge base and search for answers to the most frequently asked
questions, go to Microsoft Support.
Contacting Microsoft Training
To register for training courses, to obtain course descriptions, and to get information about Microsoft
certifications, go to Microsoft Training & Events.
Microsoft Application Virtualization Version 4.5
147
Download PDF