SCCM Interview Questions And Answers Latest

SCCM Interview Questions And Answers Latest. If you are looking for SCCM Interview Questions, here is the comprehensive list from basic to most advanced SCCM interview questions for 2+, 3+, 4+, 5+ years of experienced professionals. These system center configuration manager interview questions will help you to crack your SCCM job interview.

SCCM Interview Questions

  • The Configuration Manager Console and Collections
  • Sites and Hierarchies
  • Migration
  • Security and Role-Based Administration
  • Client Deployment and Operations
  • Mobile Devices
  • Remote Control
  • Software Deployment
  • Endpoint Protection

SCCM Interview Questions And Answers


The Configuration Manager Console and Collections Interview Questions

 The following frequently asked questions relate to the Configuration Manager console and collections.

A) Yes. The Configuration Manager console is a 32-bit program that can run on a 32-bit version of Windows and on a 64-bit version of Windows.

A) In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.

Q) Can I include or exclude the members of another collection from my collection?

A) Yes. System Center 2012 Configuration Manager includes two new collection rules, the Include Collections rule and the Exclude Collectionsrule that allow you to include or exclude the membership of specified collections.

A) No. Collections configured by using query rules that use certain classes do not support incremental updates.

A) The All Unknown Computers collection contains two objects that represent records in the Configuration Manager database so that you can deploy operating systems to computers that are not managed by Configuration Manager, and so are unknown to Configuration Manager.

These computers can include the following:

  • A computer where the Configuration Manager client is not installed
  • A computer that is not imported into Configuration Manager
  • A computer that is not discovered by Configuration Manager

Q) Why does Install Client from the ribbon install the client to the whole collection when I’ve selected a single computer but installs to the selected computer only if I right-click the computer and then select Install Client?

A) If you choose Install Client from the ribbon when the Collection ribbon tab is selected, the client installs to all computers in the collection rather than to just the selected computer.

To install the client to just the selected computer, click the Home tab on the ribbon before you click Install Client from the ribbon, or use the right-click option.

A) For System Center 2012 Configuration Manager SP1 and later:

Because an ID for each device type (for example Windows computers, Mac computers, or Linux computers) is stored in the Configuration Manager database, you can create a collection that contains a query rule to return only devices with a specified ID.

A) For System Center 2012 Configuration Manager SP1 and later:

Create a collection with a query-based rule. Query the attribute class System Resource and the attribute Connected Standby Capable = TRUEto return computers that are Always On Always Connected capable.

A) The Configuration Manager console uses HTTP to the Internet in two scenarios:

  • When you use the geographical view from the Site Hierarchy node in the Monitoring workspace, which uses Internet Explorer to access Bing Maps.
  • When you use the Configuration Manager help file and click a link to view or search for information on TechNet.

If you do not require these functions, your firewall can block HTTP connections from the console without additional loss of functionality to Configuration Manager.

Q) How can I increase the number of search results in the Configuration Manager console?

A) By default, the Configuration Manager console limits search results to 1,000 items. You can change this value by using the Search tab. In the Options group. click Search Settings and then change the Search Results value in the Search Settings dialog box.

A) By default, the Configuration Manager console limits searches to the current folder. You can change this behavior by first clicking in the Search box in the results pane.

Then, in the Search tab, in the Scope group. click All Subfolders. In the results pane, the search is extended to AND Path <Current Node + Subfolders>. Add criteria if required, and type your search text to search the current folder and its subfolders.

Sites and Hierarchies in SCCM Interview Question

 The following frequently asked questions relate to sites and hierarchies in Configuration Manager.

A) No. The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007.

If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1.

A) No. Unless you were in a prerelease program that was supported by Microsoft (such as the Technology Adoption Program or the Community Evaluation Program) there is no supported upgrade path for prerelease versions of System Center 2012 Configuration Manager.

A) No. SMS 2003 sites and SMS 2003 clients are not supported by System Center 2012 Configuration Manager. You have two choices to move these sites and clients to System Center 2012 Configuration Manager:

  • Upgrade SMS 2003 sites and clients to Configuration Manager 2007 SP2, and then migrate them to System Center 2012 Configuration Manager.
  • Uninstall SMS 2003 sites and clients and then install System Center 2012 Configuration Manager sites and clients.

A) Yes. If the evaluation version is not a prerelease version of System Center 2012 Configuration Manager, you can upgrade it to the full version.

Q) Have the site types changed from Configuration Manager 2007?

A) System Center 2012 Configuration Manager introduces changes to both primary and secondary sites while the central administration site is new site type.
The central administration site replaces the primary site referred to as a central site as the top-level site of a multi-primary site hierarchy.
This site does not directly manage clients but does coordinate a shared database across your hierarchy, and it is designed to provide centralized reporting and configurations for your entire hierarchy.

A) In System Center 2012 Configuration Manager with no service pack, you cannot change the parent relationship of an active site. You can only add a site as a child of another site at the time you install the new site.

Because the database is shared between all sites, joining a site that has already created default objects or that has custom configurations can result in conflicts with similar objects that already exist in the hierarchy.

However, in System Center 2012 Configuration Manager SP1, you can expand a stand-alone primary site into a hierarchy that includes a new central administration site.

A) With System Center 2012 Configuration Manager, primary sites have changed to support only secondary sites as child sites, and the new central administration site as a parent site.

Unlike Configuration Manager 2007, primary sites no longer provide a security or configuration boundary. Because of this, you should only need to install additional primary sites to increase the maximum number of clients your hierarchy can support, or to provide a local point of contact for administration.

A) In System Center 2012 Configuration Manager, secondary sites require either SQL Server, or SQL Server Express to support database replication with their parent primary site. When you install a secondary site, Setup automatically installs SQL Server Express if a local instance of SQL Server is not already installed.

A) Database replication uses SQL Server to quickly transfer data for settings and configurations to other sites in the Configuration Manager hierarchy. Changes that are made at one site merge with the information stored in the database at other sites.

Content for deployments, and other file-based data, still replicate by file-based replication between sites. Database replication configures automatically when you join a new site to an existing hierarchy.

A) Active Directory Forest discovery is a new discovery method in System Center 2012 Configuration Manager that allows you to discover network locations from multiple Active Directory forests.

This discovery method can also create boundaries in Configuration Manager for the discovered network locations and you can publish site data to another Active Directory forest to help support clients, sites, and site system servers in those locations.

A) Yes. System Center 2012 Configuration Manager applies a hierarchy-wide set of default client settings (formerly called client agent settings) that you can then modify on clients by using custom client settings that you assign to collections.

This creates a flexible method of delivering customized client settings to any client in your hierarchy, regardless of the site it is assigned to, or where it is located on your network.

A) Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust exists between the forests. Within a site, Configuration Manager supports placement of site system roles on computers in an untrusted forest.

Configuration Manager also supports clients that are in a different forest from their site’s site server when the site system role that they connect to is in the same forest as the client.

A) No. Because System Center 2012 Configuration Manager supports installing most site system roles in untrusted forests, there is no requirement to have a separate site for this scenario, unless you have exceeded the maximum number of supported clients for a site.

A) System Center 2012 Configuration Manager clients can find available management points by using the management point that you specify during client deployment, Active Directory Domain Services, DNS, and WINS.

Clients can connect to more than one management point in a site, always preferring communication that uses HTTPS, when this is possible because the client and management point uses PKI certificates.

There are some changes here since Configuration Manager 2007, which accommodate the change that clients can now communicate with more than one management point in site, and that you can have a mix of HTTPS and HTTP site system roles in the same site.

A) System Center 2012 Configuration Manager has replaced the native mode site configuration in Configuration Manager 2007 with individual site system role configurations that accept client communication over HTTPS or HTTP.

Because you can have site system roles that support HTTPS and HTTP in the same site, you have more flexibility in how you introduce PKI to secure the intranet client endpoints within the hierarchy. Clients over the Internet and mobile devices must use HTTPS connections.

Q) Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007?

A) Unlike Configuration Manager 2007, there are no design restrictions to support clients on the Internet, providing you meet the requirements in the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic.
Because of the following improvements, you can more easily support clients on the Internet to fit your existing infrastructure:
  • The whole site does not have to be using HTTPS client connections
  • Support for installing most site system roles in another forest
  • Support for multiple management points in a site

If you use multiple management points and dedicate one or more for client connections from the Internet, you might want to consider using database replicas for management points.

A) No. Although both configurations use the Internet, they are independent from each other. Clients on the intranet can use cloud-based distribution points and these clients do not require a PKI client certificate.

However, you still require PKI certificates if you want to use cloud-based distribution points; one for the Windows Azure management certificate that you install on the site system server that hosts the cloud-based distribution points, and one for the cloud-based distribution point service certificate that you import when you configure the cloud-based distribution point.

A) Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. When Configuration Manager does not support the installation of a site system role, it is not listed in the wizard.

For example, the Endpoint Protection point cannot be installed in a secondary site, or in a primary site if you have a central administration site. So if you have a central administration site, you will not see the Endpoint Protection point listed if you run the Add Site System Roles Wizard on a primary site.

Other examples include you cannot add a second management point to a secondary site, and you cannot add a management point or distribution point to a central administration site.

In addition, in Configuration Manager SP1, you do not see the Microsoft Intune connector listed as an available site system role until you have created the Microsoft Intune subscription.

Use the following procedure to configure the Network Access Account:

How to configure the Network Access Account for a site

  1. In the Administration workspace, expand Site Configuration, click Sites, and then select the site.

  2. On the Settings group, click Configure Site Components, and then click Software Distribution.

  3. Click the Network Access Account tab, configure the account, and then click OK.

A) Configuration Manager offers a number of high availability solutions.

SCCM Migration Interview Questions

The following frequently asked questions relate to migrating Configuration Manager 2007 to System Center 2012 Configuration Manager.

A) The version of System Center 2012 Configuration Manager that you use to run migration determines the versions of Configuration Manager 2007 or System Center 2012 Configuration Manager that are supported for migration:

  • When you use System Center 2012 Configuration Manager with no service pack, Configuration Manager 2007 sites with SP2 are supported for migration.
  • When you use System Center 2012 Configuration Manager with SP1, Configuration Manager 2007 sites with SP2 and System Center 2012 Configuration Manager sites with SP1 are supported for migration.

Configuration Manager hierarchies that have data you want to migrate are called source hierarchies. The Configuration Manager hierarchy you re migrating data into, is called the destination hierarchy.

Q) Can I use Configuration Manager SP1 to migrate my existing System Center 2012 Configuration Manager hierarchy with no service pack to a new Configuration Manager SP1 hierarchy?

A) No. The new functionality in Configuration Manager SP1 supports migration from an existing Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy, in addition to supporting migration from Configuration Manager 2007 SP2 to Configuration Manager SP1.

A) Several important changes introduced with System Center 2012 Configuration Manager prevent an in-place upgrade; however, System Center 2012 Configuration Manager does support migration from Configuration Manager 2007 with a side-by-side deployment.

For example, System Center 2012 Configuration Manager is native 64 bit application with a database that is optimized for Unicode and that is shared between all sites. Additionally, site types and site relationships have changed. These changes, and others, mean that many existing hierarchy structures cannot be upgraded.

A) Typically, you will migrate data from a Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy (the source hierarchy) over a period of time that you define.

During the period of migration, you can continue to use your source hierarchy to manage clients that have not migrated to your new System Center 2012 Configuration Manager hierarchy (the destination hierarchy).

Additionally if you update an object in the source hierarchy after you have migrated that object to your destination hierarchy, you can re-migrate that object again up until you decide to complete your migration.

A) When you migrate a Configuration Manager 2007 package to System Center 2012 Configuration Manager, it remains a package after migration.

If you want to deploy the software and packages that migrate from your Configuration Manager 2007 hierarchy by using the new application model, you can use Microsoft System Center Configuration Manager Package Conversion Manager to convert them into System Center 2012 Configuration Manager applications.

A) This type of information is easily recreated by an active client when it sends data to its new site in the destination hierarchy. Typically, it is only the current information from each client that provides useful information.
To retain access to historical inventory information you can keep a Configuration Manager 2007 or System Center 2012 Configuration Manager source site active until the historical data is no longer required.

A) When you assign a site in the destination hierarchy to own the content, you are selecting the site that maintains that content in the destination hierarchy. Because the site that owns the content is responsible for monitoring the source files for changes, plan to specify a site that is near to the source file location on the network.

When you migrate content between a source and destination hierarchy, you are really migrating the metadata about that content. The content itself might remain hosted on a shared distribution point during migration, or on a distribution point that you will upgrade or reassign to the destination hierarchy.

A) Shared distribution points are distribution points at sites in the source hierarchy that can be used by clients in the destination herarchy during the migration period.

A distribution point can be shared only when the source hierarchy that contains the distribution point remains the active source hierarchy and distribution point sharing is enabled for the source site that contains the distribution point. Sharing distribution points ends when you complete migration from the source hierarchy.

A) System Center 2012 Configuration Manager can upgrade supported distribution points from Configuration Manager 2007 source hierarchies, and reassign supported distribution points from System Center 2012 Configuration Manager source hierarchies.

When you upgrade or reassign a shared distribution point, the distribution point site system role and the distribution point computer are removed from the source hierarchy, and installed as a distribution point at a site you select in the destination hierarchy. This process allows you to maintain your existing distribution points with minimal effort or disruption to your network.

You can also use the prestage option for System Center 2012 Configuration Manager distribution points to reduce the transfer of large files across low-bandwidth network connections.

A) You can perform an in-place upgrade of a Configuration Manager 2007 distribution point that preserves all content during the upgrade. This includes an upgrade of a distribution point on a server share, a branch distributing point, or standard distribution point.

A) You can perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point. During the upgrade, all migrated content is preserved.

A) During the upgrade to a System Center 2012 Configuration Manager distribution point, all migrated content is copied and then converted to the single instance store.

When you migrate to a hierarchy that runs System Center 2012 Configuration Manager with no service pack, the original Configuration Manager 2007 content remains on the server until it is manually removed.

However, when you migrate to a hierarchy that runs System Center 2012 Configuration Manager SP1, the original Configuration Manager 2007 content is removed after the copy of the content is converted.

A) You can migrate data from more than one source hierarchy, and the source hierarchies do not need to be the same version as each other.

This means you can migrate from one or more Configuration Manager 2007 hierarches, one or more System Center 2012 Configuration Manager hierarchies, and from one or more hierarchies that each run a different version of Configuration Manager. However, you can only migrate from one hierarchy at a time.

You can migrate the hierarchies in any order. However, you cannot migrate data from multiple hierarchies that use the same site code. If you try to migrate data from a site that uses the same site code as a migrated site, or that uses the same site code as a site in your destination hierarchy, this corrupts the data in the System Center 2012 Configuration Manager database.

A) System Center 2012 Configuration Manager supports migrating a Configuration Manager 2007 environment that is at a minimum of Service Pack 2.

A) The list of objects you can migrate depends on the version of your source hierarchy. You can migrate most objects from Configuration Manager 2007 to System Center 2012 Configuration Manager, including the following:

  • Advertisements
  • Boundaries
  • Collections
  • Configuration baselines and configuration items
  • Operating system deployment boot images, driver packages, drivers, images, and packages
  • Software distribution packages
  • Software metering rules
  • Software update deployment packages and templates
  • Software update deployments
  • Software update lists
  • Task sequences
  • Virtual application packages

When you migrate between System Center 2012 Configuration Manager hierarchies, the list is similar, and includes objects that are only available in System Center 2012 Configuration Manager, such as Applications.

Q) Can I migrate maintenance windows?

A) Yes. When a collection migrates, Configuration Manager also migrates collection settings, which includes maintenance windows and collection variables. However, collection settings for AMT provisioning do not migrate.

Q) Will advertisements rerun after they are migrated?

A) No. Clients that you upgrade from Configuration Manager 2007 will not rerun advertisements that you migrate. System Center 2012 Configuration Manager retains the Configuration Manager 2007 Package ID for packages you migrate and clients that upgrade retain their advertisement history.

Security and Role-Based Administration Interview Questions in SCCM

 The following frequently asked questions relate to security and role-based administration in Configuration Manager.

A) Because role-based administration is integrated into the configuration of the hierarchy and management functions, there is no separate documentation section for role-based administration. Instead, information is integrated throughout the documentation library.

The Configuration Manager console lists the description of each role-based security role that is installed with Configuration Manager, and the minimum permissions and suitable security roles for each management function is included as a prerequisite in the relevant topic.

Q) What is the minimum I have to configure if I don’t want to use role-based administration while I’m testing System Center 2012 Configuration Manager?

 A) If you install System Center 2012 Configuration Manager, there is no additional configuration because the Active Directory user account used to install Configuration Manager is automatically assigned to the Full Administrator security role, assigned to All Scopes, and has access to the All Systems and All Users and User Groups collections.

However, if you want to provide full administrative permissions for other Active Directory users to access System Center 2012 Configuration Manager, create new administrative users in Configuration Manager using their Windows accounts and then assign them to the Full Administrator security role.

A) Unlike Configuration Manager 2007, sites no longer provide a security boundary. Instead, use role-based administration security roles to configure the permissions different administrative users have, and security scopes and collections to define the set of objects they can view and manage.

These settings can be configured at a central administration site or any primary site and are enforced at all sites throughout the hierarchy.

Q) Should I use security groups or user accounts to specify administrative users?

 A) As a best practice, specify a security group rather than user accounts when you configure administrative users for role-based administration.


Q) Can I deny access to objects and collections by using role-based administration?

A) Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users.

If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user.

Q) How do I find which object types can be assigned to security roles?

A) Run the report Security for a specific or multiple Configuration Manager objects to find the object types that can be assigned to security roles. Additionally you can view the list of objects for a security role by viewing the security roles Properties and selecting the Permissions tab.


Q) Can I use security scopes to restrict which distribution points are shown in the Distribution Status node in the Monitoring workspace?

 A) No, although you can configure role-based administration and security scopes so that administrative users can distribute content to selected distribution points only, Configuration Manager always displays all distribution points in the Monitoring workspace.
A) The following frequently asked questions relate to deploying and managing clients on computers and mobile devices in Configuration Manager.

Q) Does System Center 2012 Configuration Manager support the same client installation methods as Configuration Manager 2007?

A) Yes. System Center 2012 Configuration Manager supports the same client installation methods that Configuration Manager 2007 supports: client push, software update-based, group policy, manual, logon script, and image-based.

Q) What’s the minimum permission an administrative user requires for the Client Push Installation Wizard?

A) To install a Configuration Manager client by using the Client Push Installation Wizard, the administrative user must have at least the Modify resource permission.

Q) What’s the difference between upgrading clients by using the supplied package definition file and a package and program, and using automatic client upgrade that also uses a package and program?

A) When you create a package and program to upgrade Configuration Manager clients, this installation method is designed to upgrade existing System Center 2012 Configuration Manager clients.

You can control which distribution points hosts the package and the client computers that install the package. This installation method supports only System Center 2012 Configuration Manager clients and cannot upgrade Configuration Manager 2007 clients.

In comparison, the automatic client upgrade method automatically creates the client upgrade package and program and this installation method can be used with Configuration Manager 2007 clients as well as System Center 2012 Configuration Manager clients.

The package is automatically distributed to all distribution points in the hierarchy and the deployment is sent to all clients in the hierarchy for evaluation. This installation method supports System Center 2012 Configuration Manager clients and Configuration Manager 2007 clients that are assigned to a System Center 2012 Configuration Manager site.

Because you cannot restrict which distribution points are sent the upgrade package or which clients are sent the deployment, use automatic client upgrade with caution and do not use it as your main method to deploy the client software.

Q) Do references to “devices” in System Center 2012 Configuration Manager mean mobile devices?

A) The term “device” in System Center 2012 Configuration Manager applies to a computer or a mobile device such as a Windows Mobile Phone.
A) A client’s assigned site is the primary site that creates the client policy to manage the device. Clients are always assigned to primary sites, even if they roam into another primary site or reside within the boundaries of a secondary site.
The client’s installed site refers to the site that sent the client the client installation files to run CCMSetup.exe. For example, if you used the Client Push Installation Wizard, you can specify Install the client software from a specified site and select any site in the hierarchy.
The resident site refers to the site that owns the boundaries that the client currently resides in. For example, this might be a secondary site of the client’s primary site. Or, it might be another primary site if the client is roaming and temporarily connected to a network that belongs to another site in the hierarchy.

A) Yes, client status is new in System Center 2012 Configuration Manager and allows you to monitor the activity of clients and check and remediate various problems that can occur.

A) You can use compliance settings in Configuration Manager to check for additional items that you consider required for the health of your clients. For example, you might check for specific registry key entries, files, and permissions.

A) Configuration Manager contains many improvements since Configuration Manager 2007 to help you manage clients when they are on the Internet:

  • Configuration Manager supports a gradual transition to using PKI certificates, and not all clients and site systems have to use PKI certificates before you can manage clients on the Internet.
  • The certificate selection process that Configuration Manager uses is improved by using a certificate issuers list.
  • Although deploying an operating system is still not supported over the Internet, you can deploy generic task sequences for clients that are on the Internet.
  • If the Internet-based management point can authenticate the user, user polices are now supported when clients are on the Internet. This functionality supports user-centric management and user device affinity for when you deploy applications to users.
  • Configuration Manager Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

Q) What is the difference between Internet-based client management and DirectAccess?

A) DirectAccess is a Windows solution for managing domain computers when they move from the intranet to the Internet. This solution requires the minimum operating systems of Windows Server 2008 R2 and Windows 7 on clients.

Internet-based client management is specific to Configuration Manager, and it allows you to manage computers and mobile devices when they are on the Internet.

The Configuration Manager clients can be on workgroup computers and never connect to the intranet, and they can also be mobile devices. The Configuration Manager solution works for all operating system versions that are supported by Configuration Manager.

Unless you are using Windows Server 2012 with only Windows 8 clients for DirectAccess, both solutions require PKI certificates on clients and servers. However, DirectAccess requires a Microsoft enterprise certification authority, whereas Configuration Manager can use any PKI certificate that meets the requirements.

Not all Configuration Manager features are supported for Internet-based client management. In comparison, because a client that connects over DirectAccess behaves as if it is on the intranet, all features, with the exception of deploying an operating system, are supported by Configuration Manager.

A) Probably. You can reduce the disk space required to install the Configuration Manager client by using customized settings, such as excluding installation files that the client does not require and specifying the client cache to be smaller than the default size.

A) You can manage Intel vPro computers by using out of band management in System Center 2012 Configuration Manager.

A) AMT-based computers that were provisioned with Configuration Manager 2007 must have their provisioning data removed before you migrate them to System Center 2012 Configuration Manager, and then provisioned again by System Center 2012 Configuration Manager.

Because of functional changes between the versions, the security group, OU, and web server certificate template have different requirements:

  • If you used a security group in Configuration Manager 2007 for 802.1X authentication, you can continue to use this group if it is a universal security group. If it is not a universal group, you must convert it or create a new universal security group for System Center 2012 Configuration Manager. The security permissions of Read Members and Write Members for the site server computer account remain the same.
  • The OU can be used without modification. However, System Center 2012 Configuration Manager no longer requires Full Control to this object and all child objects. You can reduce these permissions to Create Computer Objects and Delete Computer Objects on this object only.
  • The web server certificate template from Configuration Manager 2007 cannot be used in System Center 2012 Configuration Manager without modification. This certificate template no longer uses Supply in the request and the site server computer account no longer requires Read and Enroll permissions.

Q) Is there a limit to the number of certificate templates that I can use with certificate profiles?

A) Yes, you are limited to three certificate templates per hierarchy and each of these certificate templates are restricted to the three key usages that the Network Device Enrollment Service supports: signing, encryption, and both signing and encryption. So, for example, you couldn’t use two certificate templates that supported both signing and encryption.


Although different servers running the Network Device Enrollment Service can be configured to use different certificate templates, Configuration Manager cannot support this configuration because you cannot assign clients to specific servers.

If you have multiple certificate registration point site system servers in the hierarchy that communicate with multiple servers running the Network Device Enrollment Service, Configuration Manager non-deterministically assigns clients to the available servers to automatically load balance the requests.

A) Do I really need Windows Server 2012 R2 to deploy certificate profiles?

A) Yes, although you do not need Windows Server 2012 R2 for the certificate registration point, you do need this operating system version (or later) to install the Configuration Manager Policy Module on the server that runs the Network Device Enrollment Service.

Before this version of the operating system, the Network Device Enrollment Service was designed for secured intranet environments only, to accept interactive computer certificate requests for network equipment such as routers.

Changes in Windows Server 2012 R2 now accommodate user certificates as well as computer certificates, and the new support for a policy module makes this solution scalable for an enterprise environment.

In addition, the increased security now supports running this service in a perimeter network (also known as a DMZ), which is important for devices that you manage on the Internet, such as iOS and Android devices.

Q) How can I tell which collections of computers have a power plan applied?

A) There is no report in System Center 2012 Configuration Manager that displays which collections of computers have a power plan applied. However, in the Device Collections list, you can select the Power Configurations column to display whether a collection has a power plan applied.

A) Yes. Wake-up proxy in Configuration Manager SP1 has its own client service named ConfigMgr Wake-up Proxy that runs separately from the SMS Agent Host (CCMExec.exe).

This service is installed when a client is configured for wake-up proxy and then new client checks make sure that this wake-up proxy service is running and that the startup type is automatic.

A) If you have enabled the wake-up proxy client setting on Configuration Manager SP1 clients, and then disable it, the ConfigMgr Wake-up Proxy service is removed from clients.

A) A manager computer for the sleeping computer’s subnet responds to the first connection attempt and wakes up the sleeping computer, which then contacts the network switch.

After the computer is awake and the network switch is updated, subsequent connection attempts will successfully connect to the destination computer. Most TCP connections automatically retry and you will not see that the first connection (and possibly additional connections) time out.

For Remote Desktop connections, however, you are more likely to see an initial failed connection and must manually retry. For computers that must come out of hibernation, you will probably experience a longer delay than for computers that are in other sleep states.

A) To better support virtual desktop infrastructure (VDI) environments and large-scale client deployments, System Center 2012 Configuration Manager has a randomization delay for scheduled activities.

This means that for scheduled activities, clients are unlikely to run the action at the exact time that you configure. In Configuration Manager SP1 only, you can use client settings to enable or disable the randomization delay for required software updates and required applications. By default, this setting is disabled.

Q) Where is the documentation for the Configuration Manager client for Mac Computers?

For System CenterA)  2012 Configuration Manager SP1 and later:

Because the management of computers that run the Mac OS X operating system is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Mac computers. Instead, information is integrated throughout the documentation library.

Mobile Devices – SCCM Interview Questions

The following frequently asked questions relate specifically to mobile devices in Configuration Manager.

Q) If I wipe a mobile device that is enrolled by Configuration Manager and discovered by the Exchange Server connector, will it be wiped twice?

A)  No. In this dual management scenario, Configuration Manager sends the wipe command in the client policy and by using the Exchange Server connector, and then monitors the wipe status for the mobile device.
As soon as Configuration Manager receives a wipe confirmation from the mobile device, it cancels the second and pending wipe command so that the mobile device is not wiped twice.

A) Yes, if you only want to find mobile devices and retrieve inventory data from them as a read-only mode of operation, you can do this by granting a subset of the cmdlets that the account uses to connect to the Exchange Client Access server. The required cmdlets for a read-only mode of operation are as follows:

  • Get-ActiveSyncDevice
  • Get-ActiveSyncDeviceStatistics
  • Get-ActiveSyncOrganizationSettings
  • Get-ActiveSyncMailboxPolicy
  • Get-ExchangeServer
  • Get-Recipient
  • Set-ADServerSettings

A) Yes. You must specify a work or school account before you can install the Microsoft Intune connector in Configuration Manager SP1.

A) Yes. You require specific application certificates before users can install applications on Windows RT, Windows Phone 8, and iOS. You do not require certificates to make applications available to mobile devices that run Android.

Q) Do I need a my own PKI to enroll mobile devices by using Microsoft Intune?

A) No. Although the Microsoft Intune connector uses PKI certificates, Microsoft Intune automatically requests and installs these certificates for you.

A) No. Windows RT and Windows Phone 8 includes a management client that Configuration Manager uses, and Configuration Manager manages mobile devices that run iOS by directly calling APIs.

A) No. Without the Microsoft Intune connector, you can manage these devices by collecting hardware inventory, configure settings such as passwords and roaming, and remotely wipe the device. However, if you want to make company apps available to Android devices, you must install the Microsoft Intune connector.

A) No. Mobile devices that are enrolled by Configuration Manager support only required apps, so users cannot choose company apps to install. Users who have mobile devices that are enrolled by Microsoft Intune install company apps from the company portal. However, if these apps require approval, users must first request approval from the Application Catalog.

Remote Control – SCCM Interview Questions

The following frequently asked questions relate to remote control in Configuration Manager.

A) By default, remote control is disabled on client computers. Enable remote control as a default client setting for the hierarchy, or by using custom client settings that you apply to selected collections.

A) TCP 2701 is the only port that System Center 2012 Configuration Manager uses for remote control. When you enable remote control as a client setting, you can select one of three firewall profiles that automatically configure this port on Configuration Manager clients: DomainPrivate, or Public.

A) The Permitted Viewers List grants an administrative user the Remote Control permission for a computer, and the role-based administration security role of Remote Tools Operator grants an administrative user the ability to connect a Configuration Manager console to a site so that audit messages are sent when they manage computers by using remote control.

Q) Can I send a CTRL+ALT+DEL command to a computer during a remote control session?

 A) Yes. In the Configuration Manager remote control window, click Action, and then click Send Ctrl+Alt+Del.

A) You can find this out by using the remote control reports: Remote Control – All computers remote controlled by a specific user and Remote Control – All remote control information.

Q) What happened to the Remote Control program in Control Panel on Configuration Manager clients?

A) The remote control settings for System Center 2012 Configuration Manager clients are now in Software Center, on the Options tab.

SCCM Software Deployment Interview Questions

The following frequently asked questions relate to content management, software updates, applications, packages and programs, scripts, and operating system deployment with supporting task sequences and device drivers in Configuration Manager.

A) No, site servers do not compress the content that it distributes to distribution points that are enabled for bandwidth control. Whereas site-to-site transfers potentially resend files that might already be present, only to be discarded by the destination site server, a site server sends only the files that a distribution point requires. With a lower volume of data to transfer, the disadvantages of high CPU processing to compress and decompress the data usually outweigh the advantages of compressing the data.

A) System Center 2012 Configuration Manager applications contain the administrative details and Application Catalog information necessary to deploy a software package or software update to a computer or mobile device.

A) A deployment type is contained within an application and specifies the installation files and method that Configuration Manager will use to install the software. The deployment type contains rules and settings that control if and how the software is installed on client computers.

A) The deployment purpose defines what the deployment should do and represents the administrator’s intent. For example, an administrative user might require the installation of software on client computers or might just make the software available for users to install themselves. A global condition can be set to check regularly that required applications are installed and to reinstall them if they have been removed.

A) Global conditions are conditions used by requirement rules. Requirement rules set a value for a deployment type for a global condition. For example, “operating system =” is a global condition; a requirement rule is “operating system = Win7.”

A) To make a deployment optional, configure the deployment purpose as Available in the applications deployment type. Available applications display in the Application Catalog where users can install them.

A) Yes. Users can browse a list of available software in the Application Catalog. Users can then request an application which, if approved, will be installed on their computer. To make a deployment optional, configure the deployment purpose as Available in the applications deployment type.

A) Some scenarios, such as the deployment of a script that runs on a client computer but that does not install software, are more suited to using a package and program rather than an application.

A) Yes. You can configure multiple deployment types for an application. Rules that specify which deployment type is run allows you to specify how the application is made available to the user.

A) Yes. Configuration Manager collects usage statistics from client devices that can be used to automatically define user device affinities or to help you manually create affinities.

A) No. you must create a new deployment that can include extra options that include scheduling and user experience.

A) In this case, the following rules apply:

  • If both deployments have a purpose of Available, the user deployment will be installed.
  • If both deployments have a purpose of Required, the deployment with the earliest deadline will be installed.
  • If one deployment has a purpose of Available and the other deployment has a purpose of Required, the deployment with the purpose of Required will be installed.

Q) Can I migrate my existing packages and programs from Configuration Manager 2007 to a System Center 2012 Configuration Manager hierarchy?

A) Yes. You can see migrated packages and programs in the Packages node in the Software Library workspace. You can also use the Import Package from Definition Wizard to import Configuration Manager 2007 package definition files into your site.

A) Yes. In System Center 2012 Configuration Manager, the term software includes software updates, applications, scripts, task sequences, device drivers, configuration items, and configuration baselines.

A) Depending on the deployment purpose you have specified in the deployment type of an application, System Center 2012 Configuration Manager periodically checks that the state of the application is the same as its purpose.

For example, if an application’s deployment type is specified as Required, Configuration Manager reinstalls the application if it has been removed. Only one deployment type can be created per application and collection pair.

A) No, you can continue to deploy packages and programs that have been migrated from your Configuration Manager 2007 site. However, packages and programs cannot use some of the new features of System Center 2012 Configuration Manager such as requirement rules, dependencies and supersedence.

A) Deployments to users or devices are summarized based on the worst result. For example, if a deployment is successful on one device and the application requirements were not met on another device then the deployment for the user is summarized as Requirements Not Met. If none of the user’s devices has received the application, the deployment is summarized as Unknown.

A) If you don’t require HTTPS connections (for example, users will not connect from the Internet), you can use the following the quick guide instructions:

  1. Make sure that you have all the prerequisites for the Application Catalog site roles.
  2. Install the following Application Catalog site system roles and select the default options:
    • Application Catalog web service point
    • Application Catalog website point
  3. Configure the following Computer Agent device client settings by editing the default client settings, or by creating and assigning custom client settings:
    • Default Application Catalog website pointAutomatically detect
    • Add default Application Catalog website to Internet Explorer trusted site zoneTrue
    • Install PermissionsAll users

Q) How often are application deployments summarized?

A) Although you can configure the application deployment summarization interval, by default, the following values apply:

  • Deployments that were modified in the last 30 days – 1 hour
  • Deployments that were modified in the last 31 to 90 days – 1 day
  • Deployments that were modified over 90 days ago – 1 week

You can modify the application deployment summarization intervals from the Status Summarizers dialog box. Click Status Summarizers from the Sites node in the Administration workspace to open this dialog box.

A) In most cases, a deployment with an action of Uninstall will always uninstall a deployment type if it is detected unless the client type is different. For example, if you deploy a mobile device application with an action of Uninstall to a desktop computer, the deployment will fail with a status of Requirements not met as it is impossible to enforce this uninstall.

A) Although you cannot deploy a simulated and a standard deployment of an application to the same collection, you can target a computer with both if you deploy them to different collections and the computer is a member of both collections. In this scenario, for both deployments, the computer reports the results of the standard deployment. This explains how you might see deployment states for a simulated deployment that you would usually only see for a standard deployment, such as

In this scenario, for both deployments, the computer reports the results of the standard deployment. This explains how you might see deployment states for a simulated deployment that you would usually only see for a standard deployment, such as In Progress and Error.

A) You can install applications only when the write filter on the Windows Embedded device is disabled. If you try to install an application on a Windows Embedded device that has write filters enabled, you see an error message that you have insufficient permissions to install the application and the installation fails.

A) In Configuration Manager 2007, you had to use collections to identify which devices should install software, such as applications, task sequences, and software updates. In System Center 2012 Configuration Manager, you must continue to use collections for task sequences, but for applications, you can now use requirement rules as a method to control which devices install the software.

For example, you could deploy an application to the All Desktop and Server Clients collection, but include a requirement rule that specifies that the application should be installed only on computers that run Windows 8. Software updates already have this requirements capability built in, so you do not need to configure this yourself.

Although defining the requirements within the application deployment usually requires more work initially, it has longer term benefits because it reduces the administrative overhead of maintaining, using, and searching many collections. Additionally, requirements are evaluated by the client at deployment time, whereas query-based collections are evaluated periodically and often depend on the results of hardware inventory collection that might run only once a week. Another consideration when you have many collections with complex query rules is that the collection evaluation can result in noticeable CPU processing on the site server.

Additionally, requirements are evaluated by the client at deployment time, whereas query-based collections are evaluated periodically and often depend on the results of hardware inventory collection that might run only once a week. Another consideration when you have many collections with complex query rules is that the collection evaluation can result in noticeable CPU processing on the site server.

Another consideration when you have many collections with complex query rules is that the collection evaluation can result in noticeable CPU processing on the site server.

In summary, we recommend that for most application deployments, you use requirement rules instead of collections. Continue to use collections for task sequences, package and programs, testing purposes, and one-off application deployments.

A) No. Software update groups are new in System Center 2012 Configuration Manager and replace update lists that were used in Configuration Manager 2007.

A) Software update groups provide a more effective method for you to organize software updates in your environment. You can manually add software updates to a software update group or software updates can be automatically added to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed.

You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed.

A) Yes. You can create automatic deployment rules to automatically approve and deploy software updates that meet specified search criteria.

A) In Configuration Manager 2007, superseded software updates are automatically expired during full software updates synchronization. In System Center 2012 Configuration Manager, you can choose to automatically expire superseded software updates during software updates synchronization just as it is in Configuration Manager 2007.

Or, you can specify a number of months before a superseded software update is expired. This allows you to deploy a superseded software update for the period of time while you validate and approve the superseding software update in your environment.

This allows you to deploy a superseded software update for the period of time while you validate and approve the superseding software update in your environment.

A) System Center 2012 Configuration Manager might automatically remove expired and superseded software updates. Consider the following scenarios:

  • Expired software updates that are not associated with a deployment are automatically removed up every 7 days by a site maintenance task.
  • Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task.
  • Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task.

You can remove expired software updates from all software update groups and software update deployments so that they are automatically removed. To do this, search for expired software updates, select the returned results, choose edit membership, and remove the expired software updates from any software update group for which they are members.

A) The software update group icons are different in the following scenarios:

  • When a software update group contains at least one expired software update, the icon for that software update group contains a black X.
  • When a software update group contains no expired software updates, but at least one superseded software update, the icon for that software update group contains a yellow star.
  • When a software update group has no expired or superseded software updates, the icon for that software update group contains a green arrow.

A) The compliance percentage (Compliance %) is calculated by taking the number of users or devices with a deployment state of Success added to the number of devices with a deployment state of Requirements Not Met and then dividing this total by the number of users or devices that the deployment was sent to.

A) The following reasons might cause the numbers shown in Completions Statistics and the View Status pane to differ:

  • The completion statistics are summarized and the View Status pane displays live data – Select the deployment in the Deployments node of the Monitoring workspace and then, in the Home tab, in the Deployment group, click Run Summarization. Refresh the display in the Configuration Manager console and after summarization completes, the updated completion statistics will display in the Configuration Manager console.
  • An application contains multiple deployment types. The completion statistics display one status for the application; the View Status pane displays status for each deployment type in the application.
  • The client encountered an error. It was able to report status for the application, but not for the deployment types contained in the application. You can use the report Application Infrastructure Errors to troubleshoot this scenario.

A) When a pull-distribution point downloads content from a source distribution point, that access is counted as a client access for the purpose of this report.

A) Yes. You can use media such as a CD, DVD set, or a USB flash drive to capture an operating system image and to deploy an operating system. Deployment media includes bootable media, prestaged media, and stand-alone media.

A) Yes. When you deploy an operating system you can add steps to your task sequence that capture and restore the user state. The captured data can be stored on a state migration point or on the computer where the operating system is deployed.

A) Yes. These types of computers are referred to as unknown computers. For more information about how to deploy operating systems to unknown computers.

A) Yes. Use multicast to simultaneously send data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection.

The following frequently asked questions relate to Endpoint Protection in Configuration Manager.

A) Endpoint Protection is fully integrated with System Center 2012 Configuration Manager and no longer requires a separate installation. In addition, there are a number of new features and enhancements in Endpoint Protection.

A) Yes, you can deploy Endpoint Protection definitions by using Configuration Manager software updates.

Q) Endpoint Protection than in Forefront Endpoint Protection 2010?

A) Yes, System Center 2012 Endpoint Protection uses Configuration Manager alerts to more quickly notify you when malware is detected on client computers.

2 thoughts on “SCCM Interview Questions And Answers Latest”

  1. Cheers, great stuff, I enjoying.


Leave a Comment