App Management
TIP
If you're already familiar with how to manage applications in Configuration Manager, skip this article. Move on to creating
a sample application: Create and deploy an application.
What is an application?
Although application or app is a widely used term in computing, in Configuration Manager, it means something
specific. Think of an application like a box. This box contains one or more sets of installation files for a software
package (known as a deployment type), plus instructions on how to deploy the software.
When you deploy the application to devices, requirements decide which deployment type Configuration
Manager installs on the device.
You can do many more things with an application. You'll learn about these things as you read this guide. The
following sections introduce some concepts you'll need to know before you start to dig deeper:
Deployment type
If the application is the box, then the deployment type is the set of contents in the box. An application needs at
least one deployment type, as it determines how to install the app. Use more than one deployment type to
configure different content and a different installation program for the same application.
For example, your company has a line-of-business application called Astoria. The application developers provide
the following ways of installing the app:
Windows Installer package for full functionality on Windows 10 devices
An App-V package for use in the terminal server farm
A web app for mobile users
You create a single application for Astoria in Configuration Manager. The application defines the high-level
metadata about the app that's common across all installation methods and platforms. You then create three
deployment types for the available installation methods, and deploy the application to all users. Based on the
requirements and other configurations on the deployment types, Configuration Manager determines the right
method in each use case.
For more information, see Create deployment types for the application.
Requirements
In previous versions of Configuration Manager, you would create a collection of devices to deploy an application
to. Although you can still create a collection, use requirements to specify more detailed criteria for an application
deployment.
For example, specify that an application can only install on devices that run Windows 10. When you deploy the
application to all of your devices, it only installs on devices that run Windows 10.
Configuration Manager evaluates requirements to determine whether it installs an application and any of its
deployment types. Then it determines the correct deployment type by which to install an application. Every
seven days, by default, the Configuration Manager client reevaluates requirement rules to determine compliance
according to the client setting Schedule re-evaluation for deployments.
For more information, see Create and deploy an application and Deployment type Requirements.
Global conditions
While you use requirements with a specific deployment type in a single application, you can also create global
conditions. These conditions are a library of predefined requirements that you can use with any application and
deployment type. Configuration Manager includes a set of built-in global conditions, or you can create your
own.
For more information, see Create global conditions.
Simulated deployment
A simulated deployment evaluates the requirements, detection method, and dependencies for an application. A
client reports the results without actually installing the application.
For more information, see Simulate application deployments.
Deployment action
A deployment action specifies whether you want to install or uninstall the application you're deploying. Not all
deployment types support the uninstall action.
For more information, see Deploy applications.
Deployment purpose
The deployment purpose specifies whether the deployment app is Required or Available:
The client automatically installs a required deployment according to the schedule that you set. If the
application isn't hidden, a user can track its deployment status. They can also use Software Center to
install the application before the deadline.
If you deploy the application to a user as available, they see it in Software Center, and can request it on
demand.
For more information, see Deploy applications.
Revisions
When you make revisions to an application or a deployment type, Configuration Manager creates a new version
of the application. Take the following actions in the Configuration Manager console:
Display the history of each application revision
View its properties
Restore a previous version of an application
Delete an old version
For more information, see Revise applications.
Detection method
Use detection methods to discover whether a device has already installed an application. If the detection method
indicates the application is installed, Configuration Manager doesn't attempt to install it again.
For more information, see Deployment type Detection Method options.
Dependencies
Dependencies define one or more deployment types from another application that the client must install before
it installs this deployment type.
For more information, see Deployment type Dependencies.
Supersedence
Configuration Manager lets you upgrade or replace existing applications by using a supersedence relationship.
When you supersede an application, you specify a new deployment type to replace the deployment type of the
superseded application. You can also decide whether to upgrade or uninstall the superseded application before
the client installs the superseding application.
For more information, see Application supersedence.
User-centric management
Configuration Manager applications support user-centric management, which lets you associate specific users
with specific devices. Instead of having to remember the name of a user's device, deploy apps to the user and to
the device. This functionality helps you make sure the most important apps are always available on each of the
user's devices. If a user acquires a new computer, Configuration Manager automatically installs their apps on the
device before they sign in.
For more information, see Link users and devices with user device affinity.
Application group
Create a group of applications that you can send to a user or device collection as a single deployment. The
metadata you specify about the app group is seen in Software Center as a single entity. You can order the apps
in the group so that the client installs them in a specific order.
For more information, see Create application groups.
Software Center
Software Center is a Windows application installed with the Configuration Manager client. Use it for the
following actions:
Browse for and request applications deployed to the device or the user
Install and schedule software installations
View installation status for applications, software updates, and operating systems
Configure remote control settings
Set up power management
For more information, see the following articles:
Plan for and configure application management
Plan for Software Center
Software Center user guide
Next steps
Now that you understand the basic concepts of application management in Configuration Manager, continue to
the following articles:
Create and deploy an example application
Plan for and configure application management
Create applications
Create and deploy an application with Configuration Manager
9/13/2022 • 7 minutes to read
TIP
The CMPivot standalone source file is in the Configuration Manager installation media or on the site server in the
CD.Latest folder. Find it in the following folder: \SMSSETUP\TOOLS\CMPivot\CMPivot.msi
This procedure is designed to give you an overview of how to create and deploy Configuration Manager
applications. However, it doesn't cover all the configuration options, or how to create and deploy applications for
other platforms.
For specific details that are relevant to each platform, see one of the following articles:
Create Windows applications
Create Windows Phone applications
Create Mac computer applications
Create Windows Embedded applications
If you're already familiar with Configuration Manager applications, you can skip this article. To learn about all the
options that are available when you create and deploy applications, see Create applications.
4. Choose Next. On the Import Information page, you'll see some information about the app and any
associated files that were imported to Configuration Manager. Once you're done, choose Next again.
5. On the General Information page, you can supply further information about the application to help
you sort and locate it in the Configuration Manager console.
The Installation program field lets you specify the full command line that will be used to install the
application on PCs. You can edit this field to add your own properties. For example, /q for an unattended
installation.
TIP
Some of the fields on this page of the wizard might have been filled in automatically when you imported the
application installation files.
You'll end up with a screen that looks similar to the following screenshot:
6. Choose Next. On the Summary page, you can confirm your application settings and then complete the
wizard.
You've finished creating the app. To find it, in the Software Library workspace, expand Application
Management, and then choose Applications. For this example, you'll see:
Add a requirement
Requirements specify conditions that must be met before an application is installed on a device. You can choose
from built-in requirements or you can create your own. In this example, you add a requirement that the
application will only get installed on devices that are running Windows 11.
1. On the deployment type properties page, switch to the Requirements tab.
2. Select Add to open the Create Requirement window. Specify the following information:
Category: Device
Condition: Operating system
Rule type: Value
Operator: One of
From the OS list, select All Windows 11 (64-bit).
You'll end up with a dialog box that looks like this:
3. Select OK to close each property page that you opened. Then return to the Applications list in the
Configuration Manager console.
TIP
Requirements can help reduce the number of Configuration Manager collections you need. Because you just specified that
the application can only get installed on devices that are running Windows 11, you can later deploy this to a collection
that contains PCs that run many different operating systems. But the application will only get installed on Windows 11
devices.
TIP
To find out more about distribution points and content management in Configuration Manager, see Manage content and
content infrastructure.
TIP
Remember that only Windows 11 computers will install the application because of the requirements that you selected
earlier.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. From the list of applications, select the application that you created earlier (CMPivot), and then, on the
Home tab in the Deployment group, choose Deploy.
3. On the General page of the Deploy Software Wizard, choose Browse to select the All Systems
device collection.
4. On the Content page, check that the distribution point from which you want PCs to install the application
is selected.
5. On the Deployment Settings page, make sure that the deployment action is set to Install, and the
deployment purpose is set to Required.
TIP
By setting the deployment purpose to Required, you make sure that the application is installed on PCs that meet
the requirements that you set. If you set this value to Available, then users can install the application on demand
from Software Center.
6. On the Scheduling page, you can configure when the application will be installed. For this example,
select As soon as possible after the available time.
7. On the User Experience page, choose Next to accept the default values.
8. Complete the wizard.
Use the information in the following Monitor the application section to see the status of your application
deployment.
TIP
There are a few ways you can monitor application deployments. For more information, see Monitor applications.
User experience
Users who have PCs that are managed by Configuration Manager and running Windows 11 see a message
telling them that they must install the CMPivot application. Once they accept the deployment, the application
gets installed.
Next steps
User notifications
Plan for and configure application management in Configuration Manager
9/13/2022 • 3 minutes to read
NOTE
If you have any tools or automation that used the ApplicationViewService.asmx SOAP endpoint on the application catalog
website point, you need to change it. Update the URL in your tool to use the management point user service endpoint.
For example, https://mp.contoso.com/CMUserService_WindowsAuth
Next steps
Plan for Software Center
Understand user notifications
Security and privacy for application management
Plan for Software Center
9/13/2022 • 4 minutes to read
Use client settings to configure the appearance and behaviors of Software Center. For more information, see
Software Center client settings. The following list is a summary of some of the configurations:
Change the branding of Software Center to include your organization's name, colors, and logo. For more
information, see Brand Software Center.
Configure which default tabs are visible, and add up to five custom tabs to Software Center.
In Configuration Manager 2103 and earlier, when single sign on with multifactor authentication is used,
you may not be able to sign into custom tabs that load a website that's subject to conditional access
policies.
You can configure co-managed devices to use the Company Portal for both Intune and Configuration
Manager apps. For more information, see Use the Company Portal app on co-managed devices.
You can allow users to indicate in Software Center whether they regularly use the computer for work. This option configures
an affinity between the user and device, which can affect some deployments. For more information, see Link
users and devices with user device affinity.
Be aware of the following settings for features that are no longer supported:
The client setting Use new Software Center in the Computer Agent group is enabled by default. The
previous version of Software Center is no longer supported.
The client setting Hide application catalog link in Software Center in the Software Center
Customizations is enabled by default. This link would appear on the Installation Status tab of
Software Center. The application catalog is no longer supported.
For more information, see Removed and deprecated features.
Software Center and user-available applications
When you deploy an app with the purpose Available to a user collection, users can see these available
applications in Software Center. This behavior provides a self-service capability for users to easily install
approved software, without requiring assistance from IT staff.
Software Center gets application deployment information in policy from the management point. It uses the
same management point from the assigned primary site as the Configuration Manager client. In a large
environment, you can scale client communication to management points by assigning them to boundary
groups.
Users can browse and install user-available applications on Azure Active Directory (Azure AD)-joined devices
and internet-based, domain-joined devices. For more information, see Prerequisites to deploy user-available
applications.
The site optimizes user-available deployments to reduce policy traffic between the server and clients. This
behavior allows a large number of applications to be available for the user without significantly affecting
performance of the overall infrastructure.
Support for enhanced HTTP
Starting in version 2107, Software Center can take advantage of enhanced HTTP when the management point is
configured for HTTP. This site configuration provides secure communication without the overhead of managing
PKI certificates. When you enable the site for enhanced HTTP, Software Center prefers secure communication
over HTTPS to get user-available applications from the management point.
TIP
On any version of Configuration Manager, when you configure the site or the management point to require HTTPS
communication, Software Center always uses HTTPS.
NOTE
To take full advantage of new Configuration Manager features, after you update the site, also update clients to the latest
version. The complete scenario isn't functional until the client version is also the latest.
For more information on how to configure the site, see enhanced HTTP.
Next steps
Software Center user guide
Plan for and configure application management
Use the Company Portal app on co-managed devices
NOTE
This article used to include more sections, which have moved to the following articles:
User notifications for required deployments
User notifications
9/13/2022 • 2 minutes to read
NOTE
By default, Windows 11 enables focus assist for the first hour after a user signs on for the first time. For more
information, see Reaching the Desktop and the Quiet Period.
Software Center notifications are currently suppressed during this time. For more information, see Turn Focus assist on or
off in Windows.
Required deployments
When users receive required software, and select the Snooze and remind me setting, they can choose from
the following options:
Later: Specifies that notifications are scheduled based on the notification settings configured in client
settings.
Fixed time: Specifies that the notification is scheduled to display again after the selected time. For
example, if you select 30 minutes, the notification displays again in 30 minutes.
The maximum snooze time is always based on the notification values configured in the client settings at every
time along the deployment timeline. For example:
You configure the Deployment deadline greater than 24 hours, remind users every (hours)
setting on the Computer Agent page for 10 hours.
The client displays the notification dialog more than 24 hours before the deployment deadline.
The dialog shows snooze options up to but never greater than 10 hours.
As the deployment deadline approaches, the dialog shows fewer options. These options are consistent
with the relevant client settings for each component of the deployment timeline.
For a high-risk deployment, such as a task sequence that deploys an OS, the user notification experience is more
intrusive. Instead of a transient taskbar notification, a dialog box like the following displays each time you're
notified that critical software maintenance is required:
Security guidance
Centrally specify user device affinity
Manually specify the user device affinity instead of letting users identify their primary device. Don't enable
usage-based configuration.
Don't consider information that's collected from users or from the device to be authoritative. If you deploy
software by using user device affinity that a trusted administrator doesn't specify, the software might be
installed on computers and to users who aren't authorized to receive that software.
Don't run deployments from distribution points
Always configure deployments to download content from distribution points rather than run from distribution
points. When you configure deployments to download content from a distribution point and run locally, the
Configuration Manager client verifies the package hash after it downloads the content. The client discards the
package if the hash doesn't match the hash in the policy.
If you configure the deployment to run directly from a distribution point, the Configuration Manager client
doesn't verify the package hash. This behavior means that the Configuration Manager client can install software
that's been tampered with.
If you must run deployments directly from distribution points, use NTFS least permissions on the packages on
the distribution points. Also use internet protocol security (IPsec) to secure the channel between the client and
the distribution points, and between the distribution points and the site server.
Don't let users interact with elevated processes
If you enable the options to Run with administrative rights or Install for system, don't let users interact
with those applications. When you configure an application, you can set the option to Allow users to view
and interact with the program installation. This setting allows users to respond to any required prompts in
the user interface. If you also configure the application to Run with administrative rights or Install for
system, an attacker at the computer that runs the program could use the user interface to escalate privileges on
the client computer.
Use programs that use Windows Installer for setup and per-user elevated privileges for software deployments
that require administrative credentials. Setup must be run in the context of a user who doesn't have
administrative credentials. Windows Installer per-user elevated privileges provide the most secure way to
deploy applications that have this requirement.
NOTE
When the user starts the application installation process from Software Center, the option to Allow users to view and
interact with the program installation can't control user interactions with any other processes created by the
application installer. Because of this behavior, even if you don't select this option, the user may still be able to interact with
an elevated process. To avoid this issue, don't deploy applications that create other processes with user interactions. If you
have to install this type of application, deploy it as Required and configure the user notification experience to Hide in
Software Center and all notifications.
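An added example (not part of the original documentation): a PowerShell audit that flags deployment types combining a system-context install with user interaction, the combination warned about above. The sample XML is constructed, the Arg names ExecutionContext and RequiresUserInteraction are assumed to match the digest stored in an application's SDMPackageXML property, and Get-ElevatedInteractiveDeploymentType is a hypothetical helper name.

```powershell
# CONSTRUCTED sample digest with three deployment types. The namespace URI is a
# placeholder; the queries below match on local names, so they do not depend on it.
$SampleDigest = @'
<AppMgmtDigest xmlns="urn:example:constructed-digest">
  <DeploymentType LogicalName="DeploymentType_sample-1">
    <Title>Astoria - system context, interactive</Title>
    <Installer Technology="MSI">
      <InstallAction>
        <Args>
          <Arg Name="InstallCommandLine" Type="String">msiexec /i "astoria.msi"</Arg>
          <Arg Name="ExecutionContext" Type="String">System</Arg>
          <Arg Name="RequiresUserInteraction" Type="Boolean">true</Arg>
        </Args>
      </InstallAction>
    </Installer>
  </DeploymentType>
  <DeploymentType LogicalName="DeploymentType_sample-2">
    <Title>Astoria - system context, silent</Title>
    <Installer Technology="MSI">
      <InstallAction>
        <Args>
          <Arg Name="InstallCommandLine" Type="String">msiexec /i "astoria.msi" /q</Arg>
          <Arg Name="ExecutionContext" Type="String">System</Arg>
          <Arg Name="RequiresUserInteraction" Type="Boolean">false</Arg>
        </Args>
      </InstallAction>
    </Installer>
  </DeploymentType>
  <DeploymentType LogicalName="DeploymentType_sample-3">
    <Title>Astoria - user context, interactive</Title>
    <Installer Technology="MSI">
      <InstallAction>
        <Args>
          <Arg Name="InstallCommandLine" Type="String">msiexec /i "astoria.msi"</Arg>
          <Arg Name="ExecutionContext" Type="String">User</Arg>
          <Arg Name="RequiresUserInteraction" Type="Boolean">true</Arg>
        </Args>
      </InstallAction>
    </Installer>
  </DeploymentType>
</AppMgmtDigest>
'@

function Get-ElevatedInteractiveDeploymentType {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DigestXml
    )
    process {
        $doc = New-Object System.Xml.XmlDocument
        $doc.LoadXml($DigestXml)

        # Only full definitions carry an Installer child; bare references to a
        # deployment type elsewhere in the digest are skipped.
        $dtPath  = "//*[local-name()='DeploymentType'][*[local-name()='Installer']]"
        $argPath = ".//*[local-name()='InstallAction']//*[local-name()='Arg']"

        foreach ($dt in $doc.SelectNodes($dtPath)) {
            # Collect the install action arguments as Name -> value.
            $installArgs = @{}
            foreach ($a in $dt.SelectNodes($argPath)) {
                $installArgs[$a.GetAttribute('Name')] = $a.InnerText.Trim()
            }

            $titleNode = $dt.SelectSingleNode("*[local-name()='Title']")
            $context   = $installArgs['ExecutionContext']
            $interact  = $installArgs['RequiresUserInteraction'] -eq 'true'

            # Fail closed: only an explicit 'User' context counts as unelevated,
            # so a missing or unexpected value is treated as elevated.
            $elevated = $context -ne 'User'

            [pscustomobject]@{
                DeploymentType   = if ($titleNode) { $titleNode.InnerText } else { $dt.GetAttribute('LogicalName') }
                ExecutionContext = if ($context) { $context } else { '(missing)' }
                UserInteraction  = $interact
                Flagged          = ($elevated -and $interact)
            }
        }
    }
}

# Show only the deployment types that need review (sample-1 in the data above).
$SampleDigest | Get-ElevatedInteractiveDeploymentType |
    Where-Object Flagged | Format-Table -AutoSize
```

Against a live site, pipe the SDMPackageXML property of an object returned by Get-CMApplication into the function instead of the sample string.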
Security issues
Low-rights users can change files that record software deployment history on the client computer.
Because the application history information isn't protected, a user can change files that report whether an
application is installed.
App-V packages aren't signed.
App-V packages in Configuration Manager don't support signing. Digital signatures verify the content is
from a trusted source and wasn't altered in transit. There's no mitigation for this security issue. Follow the
security best practice to download the content from a trusted source and from a secure location.
Published App-V applications can be installed by all users on the computer.
When an App-V application is published on a computer, all users who sign in to that computer can install
the application. You can't restrict the users who can install the application after it's published.
Privacy information
Application management lets you run any application, program, or script on any client in the hierarchy.
Configuration Manager has no control over the types of applications, programs, or scripts that you run or the
type of information that they transmit. During the application deployment process, Configuration Manager
might transmit information that identifies the device and sign-in accounts between clients and servers.
Configuration Manager maintains status information about the software deployment process. Unless the client
communicates by using HTTPS, software deployment status information isn't encrypted during transmission.
The status information isn't stored in encrypted form in the database.
The use of Configuration Manager application installation to remotely, interactively, or silently install software
on clients might be subject to software license terms for that software. This use is separate from the Software
License Terms for Configuration Manager. Always review and agree to the Software Licensing Terms before you
deploy software by using Configuration Manager.
Configuration Manager collects diagnostics and usage data about applications, which is used by Microsoft to
improve future releases. For more information, see Diagnostics and usage data.
Application deployment doesn't happen by default and requires several configuration steps.
The following features help efficient software deployment:
User device affinity maps a user to devices. A Configuration Manager administrator deploys software
to a user. The client automatically installs the software on one or more computers that the user uses most
often.
Software Center is installed automatically on a device when you install the Configuration Manager
client. Users change settings, browse for software, and install software from Software Center.
User device affinity privacy information
Configuration Manager might transmit information between clients and management point site systems.
The information might identify the computer, the sign-in account, and the summarized usage for sign-in
accounts.
Unless you configure the management point to require HTTPS communication, the information that's
transmitted between the client and server isn't encrypted.
The computer and sign-in account usage information is used to map a user to a device. Configuration
Manager stores this information on client computers, sends it to management points, and then stores it
in the site database. By default, the site deletes old information from the database after 90 days. The
deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance
task.
Configuration Manager maintains status information about user device affinity. Unless you configure
clients to communicate with management points by using HTTPS, they don't encrypt status information
during transmission. The site doesn't store status information in encrypted form in the database.
Computer and sign-in usage information that's used to establish user and device affinity is always
enabled. Users and administrative users can supply user device affinity information.
Software Center privacy information
Software Center lets the Configuration Manager administrator publish any application, program, or script
for users to run. Configuration Manager has no control over the types of programs or scripts that are
published in Software Center or the type of information that they transmit.
Configuration Manager might transmit information between clients and the management point. The
information might identify the computer and sign-in accounts. Unless you configure the management
point to require clients connect by using HTTPS, the information that's transmitted between the client and
servers isn't encrypted.
The information about the application approval request is stored in the Configuration Manager database.
For requests that are canceled or denied, the corresponding request history entries are deleted after 30
days by default. You can configure this deletion behavior with the Delete Aged Application Request Data
site maintenance task. The site never deletes application approval requests that are in approved and
pending states.
When you install the Configuration Manager client on a device, it automatically installs Software Center.
Prerequisites to deploy user-available apps
9/13/2022 • 2 minutes to read
NOTE
For a client detected as on the intranet, but communicating via the cloud management gateway (CMG), it uses
Azure Active Directory (Azure AD) identity for devices joined to Azure AD. These devices can be cloud-joined or
hybrid-joined.
NOTE
If you apply a software restriction policy to the device, it can block the authentication prompt in Windows. Review any
domain or local group policies that you apply to the device. Then remove any that might interfere with this Software
Center behavior.
Next steps
Deploy applications
Create applications in Configuration Manager
9/13/2022 • 31 minutes to read
Create an application
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select the Applications node.
2. On the Home tab of the ribbon, in the Create group, select Create Application.
Next, automatically detect or manually specify application information:
Automatically detect application information to create a basic application with a single deployment type.
For example, a Windows Installer file that has no dependencies or requirements. After you create an
application by using this procedure, edit it as needed. You can add or change deployment types, and add
detection methods, dependencies, or requirements.
Manually specify application information to create more complex applications. Define more than one
deployment type, dependencies, detection methods, or requirements.
Automatically detect application information
1. On the General page of the Create Application wizard, select Automatically detect information
about this application from installation files.
2. In the Type drop-down list, select the application installation file type that you want to use to detect
application information. For more information about the available installation types, see Deployment
types supported by Configuration Manager.
3. In the Location box, specify the application installation file that you want to use to detect application
information. This location is either a network path (\\server\share\filename) or a store link. You must
have access to the network path and any subfolders that include application content.
IMPORTANT
When you select Windows Installer (*.msi file) as an application type, the site imports all of the files in the
specified folder. It then sends these files to distribution points. Make sure that the specified folder contains only
the files that are necessary to install the application. Microsoft tests Configuration Manager to support up to
20,000 files in the application package. If your application has more files, consider creating multiple applications
with fewer files.
4. On the Import Information page of the Create Application wizard, review the information, and then
select Next. If necessary, select Previous to go back and fix any errors.
5. On the General Information page of the Create Application wizard, specify the following information:
NOTE
If Configuration Manager automatically detects this information from the application installation files, it's already
populated here. Additionally, the displayed options might be different depending on the application type that you
create.
General information about the application, like the application Name, Administrator
comments, Publisher, and Software version. To help you find the application in the
Configuration Manager console, specify an Optional reference, or select Administrative
categories.
Installation program: Specify the installation program and any required properties that are
needed to install the application deployment type.
TIP
If the installation program doesn't appear, choose Browse and browse to the installation program
location.
Install behavior: Select one of the three options for how Configuration Manager installs this
deployment type. For more information on these options, see User Experience.
Use an automatic VPN connection (if configured): If you've deployed a VPN profile to the
device on which the user launches the app, connect the VPN when the app starts. This option is
only for Windows 8.1 and Windows Phone 8.1. On Windows Phone 8.1 devices, if you deploy
more than one VPN profile to the device, automatic VPN connections aren't supported. For more
information, see VPN profiles.
Provision this application for all users on the device: Provision an application with a
Windows app package for all users on the device. For more information, see Create Windows
applications.
TIP
If you're modifying an existing application, this setting is on the User Experience tab of the Windows app
package deployment type properties.
6. Choose Next, review the application information on the Summary page, and then finish the Create
Application wizard.
The new application now appears in the Applications node of the Configuration Manager console. You've
finished creating an application.
To add more deployment types or configure other settings, see Create deployment types for the application.
Manually specify application information
1. On the General page of the Create Application wizard, select Manually specify the application
information, and then choose Next.
2. Specify General Information about the application:
The application Name is required and must be fewer than 256 characters.
Administrator comments, Publisher, and Software version are additional metadata to
further describe the application.
To help you find the application in the Configuration Manager console, specify an Optional
reference, or select Administrative categories.
Date published
Select users or groups who are responsible for this application as Owners and Support
contacts. By default, these values are set to your username.
3. On the Software Center page of the Create Application wizard, specify the following information:
Selected language: In the drop-down list, select the language version of the application that you
want to set up. Choose Add/Remove to set up more languages for this application.
Localized application name: Specify the application name in the selected language.
IMPORTANT
A localized application name is required for each language version that you set up.
User categories: Choose Edit to specify application categories in the selected language. Users of
Software Center use these categories to help filter and sort the applications.
NOTE
User categories for device-targeted application deployments show as filters in Software Center. These
deployments can be either available or required.
Renaming or deleting a category doesn't automatically apply to apps with this category. These changes apply
on the next revision of the app. To work around this issue for rename or delete:
First clear the checkbox for the category on any app that references it. Then apply that change, which
revises the app.
Instead of the rename action, next create a new category with the new name, and add the new
category to the relevant apps.
You can delete the category after you revise the apps.
User documentation: Specify the location of a file from which Software Center users can get
more information about this application. This location is a website address, or a network path and
file name. Make sure that users have access to this location.
Link text: Specify the text that appears in place of "Additional information" when user
documentation is specified.
Privacy URL: Specify a website address to the privacy statement for the application.
Localized description: Enter a description for this application in the selected language.
Keywords: Enter a list of keywords in the selected language. These keywords help Software
Center users search for the application.
Icon: Select Browse to select an icon for this application. If you don't specify an icon,
Configuration Manager uses a default icon. Icons can have pixel dimensions of up to 512x512.
4. On the Deployment Types page of the Create Application wizard, choose Add to create a new
deployment type. For more information, see Create deployment types for the application.
5. Choose Next, review the application information on the Summary page, and then finish the Create
Application wizard.
The new application now appears in the Applications node of the Configuration Manager console.
NOTE
When you view the properties of an existing deployment type, the following sections correspond to tabs of the
deployment type properties window:
Content
Task Sequence
Detection Method
User Experience
Requirements
Return Codes
Dependencies
For information on the Install Behavior tab on the properties of a deployment type, see Check for running executable
files.
Start the Create Deployment Type wizard
There are three ways to start the Create Deployment Type wizard:
In the Applications node: In the Configuration Manager console, go to the Software Library
workspace, expand Application Management, and select the Applications node. Select an application,
and then select Create Deployment Type in the ribbon.
When creating an application: When you Manually specify application information in the Create
Application wizard, select Add on the Deployment Types page.
From application properties: Select an existing application in the Applications node and select
Properties. Switch to the Deployment Types tab, and select Add.
Then use one of the following procedures to automatically identify or manually specify deployment type
information.
Automatically identify deployment type information
1. On the General page of the Create Deployment Type wizard:
a. Select the application installation file Type to detect the deployment type information.
b. Select Automatically identify information about this deployment type from installation
files.
c. In the Location box, specify the application installation file that you want to use to detect the
deployment type information. This location is either a network path (\\server\share\filename) or
a store link. You must have access to the network path and any subfolders that include application
content.
2. On the Import Information page of the Create Deployment Type wizard, review the information, and
then select Next. If necessary, select Previous to go back and fix any errors.
3. On the General Information page of the Create Deployment Type wizard, specify the following
information:
NOTE
Some of the deployment type information might already be present if it was read from the application installation
files. Additionally, the displayed options might differ, depending on the deployment type that you're creating.
NOTE
When you view the properties of an existing deployment type, some of these options appear on the Content tab and
some on the Programs tab.
Content location: Specify the location of the content for this deployment type, or select Browse to
choose the deployment type content folder.
IMPORTANT
The System account of the site server computer must have permissions to the specified content location.
Persist content in the client cache: The Configuration Manager client indefinitely keeps in its
cache the deployment type content. The client persists the content even if the app is already
installed. This option is useful with some deployments, like Windows Installer–based software.
Windows Installer needs a local copy of the source content for applying updates. This option
reduces the available cache space. If you select this option, it might cause a large deployment to
fail at a later point if the cache doesn't have sufficient available space.
TIP
This option persists the specific version of content that the client installs. If you update the content for this
app, the client doesn't automatically cache this content again. Once an action happens that requires the
new content, the client downloads the new content version.
Installation program: Specify the name of the installation program and any required installation
parameters.
Installation start in: Optionally specify the folder that has the installation program for the
deployment type. This folder can be an absolute path on the client or a path to the distribution point
folder that has the installation files.
Uninstall program: Optionally specify the name of the uninstall program and any required parameters.
Uninstall start in: Optionally specify the folder that has the uninstall program for the deployment
type. This folder can be an absolute path on the client. It can also be a relative path on a distribution
point of the folder with the package.
Repair program: For Windows Installer and Script Installer deployment types, optionally specify the
name of the repair program and any required parameters.
Repair start in: Optionally specify the folder that has the repair program for the deployment type.
This folder can be an absolute path on the client. It can also be a relative path on a distribution point of
the folder with the package.
Run installation and uninstall program as 32-bit process on 64-bit clients: Use the 32-bit file
and registry locations on Windows-based computers to run the installation program for the deployment
type.
Deployment type properties Content options
When you view the properties of a deployment type, the following options appear only on the Content tab:
Uninstall content settings:
Same as install content: If the install and uninstall content are the same, select this option. This
option is the default.
No uninstall content: If your application doesn't need content for uninstall, select this option.
Different from install content: If the uninstall content is different from the install content, select
this option.
Uninstall content location: Specify the network path to the content that's used to uninstall
the application.
Allow clients to use distribution points from the default site boundary group: Specify if clients
should download and install the software from a distribution point in the site default boundary group
when the content isn't available from a distribution point in the current or neighbor boundary groups.
Deployment options: Specify if clients should download the application when they use a distribution
point from a neighbor or the default site boundary groups.
NOTE
Windows BranchCache is always enabled on clients. If the distribution point supports BranchCache, clients use it. For
more information, see BranchCache.
TIP
If your task sequence doesn't appear in the list, double-check that it doesn't include any OS deployment or OS upgrade
steps. Also confirm that it isn't marked as a high-impact task sequence. For more information, review the prerequisites for
the Task sequence deployment type.
Key (Required): Specify the registry key to search in the above hive. For example,
SOFTWARE\Microsoft\Office.
Value (Optional): Enter a specific value to detect in the above key. If you want the client to
detect the (Default) value, enable the option to Use (Default) registry key value for
detection. When you enter a value or enable this option, you're required to select a Data
Type.
This registry key is associated with a 32-bit application on 64-bit systems: Select
this option to first check 32-bit registry locations for the specified registry key. If the
registry key isn't found, the client searches 64-bit locations.
Windows Installer: Detect whether a specified Windows Installer file exists on a client device.
This detection indicates that the application is installed. Specify the MSI Product code to detect
on the client. If you select Browse, choose the MSI file from which to read the product code.
3. At the bottom of the Detection Rule window, specify whether the item must exist or satisfy a rule. For
example, if you detect with a file, the following option is selected by default: The file system setting
must exist on the target system to indicate presence of this application. Select the other option
to create a rule for detection based on file or folder properties. These properties include Date Modified,
Date Created, Version, or Size. These rule criteria are different for each setting type.
4. Select OK to close the Detection Rule dialog box.
When you create more than one detection method for a deployment type, you can group clauses together to
create more complex logic.
Group detection clauses (optional)
1. Create three or more detection method clauses on a deployment type.
2. Select two or more consecutive clauses, and then select Group. You'll see the parentheses added to the
associated columns, which show where the group starts and ends.
Example:
Connector | ( | Clause | )
Or | ( | file1.text exists |
3. To remove the group, select the grouped clauses, and then select Ungroup.
Continue to the next section on using a custom script as a detection method. Or skip to the User Experience
options for the deployment type.
Use a custom script to check for the presence of a deployment type
1. On the Detection Method page, select the Use a custom script to detect the presence of this
deployment type box. Then select Edit.
2. In the Script Editor dialog box, select a Script type to detect the deployment type: PowerShell, VBScript,
or JScript.
NOTE
When a Windows PowerShell script runs as an app detection method, the Configuration Manager client calls
PowerShell with the -NoProfile parameter. This option starts PowerShell without profiles. A PowerShell profile is
a script that runs when PowerShell starts.
3. In the Script contents box, enter the script that you want to use, or paste in the contents of an existing
script. Choose Open to browse to an existing saved script. Select Clear to remove the text in the Script
contents field. If necessary, enable the option to Run script as 32-bit process on 64-bit clients.
NOTE
The maximum size for a script is 32 KB.
4. Select OK to save the script and close the Script Editor dialog box. Back on the Create Deployment Type
wizard, the Script Type and Script Length fields update with details about your script.
About custom script detection methods
Configuration Manager checks the results from the script. It reads the values written by the script to the
standard output (STDOUT) stream, the standard error (STDERR) stream, and the exit code. If the script exits with
a non-zero value, the script fails, and the application detection status is Unknown. If the exit code is zero, and
STDOUT has data, the application detection status is Installed.
TIP
When writing a detection script, if you return a zero exit code but don't return output (data in STDOUT), the application
will not be detected as installed. For more information, see the following examples.
Use the following tables to check whether an application is installed from the output from a script:
Zero exit code
STDOUT | STDERR | Script result | Application detection state
Non-zero exit code
STDOUT | STDERR | Script result | Application detection state
Examples
Use the following PowerShell/VBScript examples to write your own application detection scripts:
Example 1: The script returns an exit code that's not zero. This code indicates the script failed to run
successfully. In this case, the application detection state is unknown.
Exit 1
WScript.Quit(1)
Example 2: The script returns an exit code of zero, but the value of STDERR isn't empty. This result indicates the
script failed to run successfully. In this case, the application detection state is unknown.
Example 3: The script returns an exit code of zero, which indicates it ran successfully. However, the value for
STDOUT is empty, which indicates the application isn't installed.
Exit 0
WScript.Quit(0)
Example 4: The script returns an exit code of zero, which indicates it ran successfully. The value for STDOUT
isn't empty, which indicates the application is installed.
Example 5: The script returns an exit code of zero, which indicates it ran successfully. The values for STDOUT
and STDERR aren't empty, which indicates the application is installed.
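The rules above, applied in a complete PowerShell detection script. This is an added example, not code from the original article or from Microsoft; the application name Astoria, the minimum version, and the choice of the Uninstall registry keys as the evidence of installation are assumptions for illustration.

```powershell
# Added example: detection script for a hypothetical application named "Astoria".
# The display name and minimum version below are constructed sample values.
#
# Contract with the Configuration Manager client, as described above:
#   exit code 0 + data in STDOUT           -> Installed
#   exit code 0 + empty STDOUT and STDERR  -> not installed
#   exit code 0 + data in STDERR only      -> script failure, state Unknown
#   non-zero exit code                     -> script failure, state Unknown

# Turn cmdlet errors into catchable exceptions so they cannot leak to STDERR
# while the script still exits with 0.
$ErrorActionPreference = 'Stop'

$DisplayName = 'Astoria'          # assumption: DisplayName value in the Uninstall key
$MinVersion  = [version]'2.1.0'   # assumption: lowest version that counts as installed

function Get-InstalledVersion {
    param([Parameter(Mandatory = $true)][string]$Name)

    # When the script runs as a 64-bit process, these two roots cover
    # 64-bit and 32-bit installers respectively.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            try {
                $props = Get-ItemProperty -LiteralPath $key.PSPath
            }
            catch {
                # One unreadable key must not turn the whole result into Unknown.
                continue
            }

            if ($props.DisplayName -ne $Name) { continue }

            # Ignore entries whose DisplayVersion is missing or not a version string.
            $parsed = $null
            if ([version]::TryParse([string]$props.DisplayVersion, [ref]$parsed)) {
                $parsed   # emit every matching version; the caller picks the highest
            }
        }
    }
}

try {
    $best = Get-InstalledVersion -Name $DisplayName |
        Sort-Object -Descending |
        Select-Object -First 1

    if (($null -ne $best) -and ($best -ge $MinVersion)) {
        # Any data in STDOUT with exit code 0 reports the application as installed.
        Write-Output "Detected $DisplayName $best"
    }

    # Otherwise write nothing: empty STDOUT with exit code 0 means "not installed".
    exit 0
}
catch {
    # Genuine script failure. Keep STDOUT empty and exit non-zero so the state is
    # Unknown instead of a false "installed" or a false "not installed".
    [Console]::Error.WriteLine($_.Exception.Message)
    exit 1
}
```

To test it the way the client runs it, start it with powershell.exe -NoProfile -File and check the exit code and both output streams.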
Installation program visibility: Specify the mode in which the deployment type runs on client devices.
Select one of the following options:
Maximized: The deployment type runs maximized on client devices. Users see all installation
activity.
Normal: The deployment type runs in the normal mode based on system and program defaults.
This mode is the default.
Minimized: The deployment type runs minimized on client devices. Users might see the
installation activity in the notification area or taskbar.
Hidden: The deployment type runs hidden on client devices. Users see no installation activity.
Allow users to view and interact with the program installation: Specify whether a user can
interact with the deployment type installation to set up the installation options.
If you selected the Install for user option in the Installation behavior drop-down list, this option is
enabled by default.
IMPORTANT
When you select the Install for system behavior, this setting is optional. This change is primarily to allow an end
user to interact with the installation during a task sequence. For example, to run a setup process that prompts the
end user for various options. Some application installers can't have user prompts silenced, or the installation
process may require specific configuration values only known to the user.
Installing in system context and allowing users to interact with the installation isn't a secure configuration. For
more information, see security and privacy for application management.
Maximum allowed run time (minutes): Specify the maximum time in minutes that you expect the
deployment type to run on the client computer. Specify this setting as a whole number greater than zero.
The default value is 120 minutes (two hours).
Use this value for the following actions:
To monitor the results from the deployment type.
To check whether a deployment type is installed when you define maintenance windows on client
devices. When a maintenance window is in place, a deployment type only starts if enough time is
available in the maintenance window to accommodate the Maximum Allowed Run Time
setting.
IMPORTANT
A conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance
window. If the user sets the maximum run time to a period greater than the length of any available
maintenance window, that deployment type doesn't run.
Estimated installation time (minutes): Specify the estimated installation time of the deployment type.
Users see this time in Software Center.
Deployment type properties User Experience options
When you view the properties of a deployment type, the following options appear only on the User
Experience tab:
Enforce specific post-installation behavior. Select one of the following options:
Determine behavior based on return codes: Handle reboots based on the codes configured on the
Return Codes tab. Software Center displays Might Require a Reboot. If a user is signed in during the
install, they're prompted depending on the deployment's User Experience configuration.
No specific action: No reboot required after installation. Software Center reports that no reboot is
required.
The software install program might force a device restart: Configuration Manager doesn't control
or initiate a reboot, but the actual installation might do so without warning. Use this setting to prevent
Configuration Manager from reporting installation failure when the installer initiates a reboot. Software
Center displays Might Require a Reboot.
Configuration Manager client will force a mandatory device restart: Configuration Manager
forces a device reboot after successful installation. Software Center reports that a reboot is required. If a
user is signed in during the install, they're prompted depending on the deployment's User Experience
configuration.
Deployment type Requirements
Configuration Manager verifies these requirements on devices before installing the deployment type. Use
requirements to further refine and control the devices or users that receive this application. For example, if you
deploy the application to a user collection, specify the app's hardware requirements here.
1. On the Requirements page, select Add to open the Create Requirement dialog box.
2. In the Category drop-down list, select whether this requirement is for a Device or a User.
Select Custom to use a previously created global condition. When you select Custom, you can also
choose Create to create a new global condition. For more about global conditions, see How to create
global conditions.
IMPORTANT
If you deploy the application to a device collection, the client ignores any requirement of the category User and
the condition Primary Device.
3. In the Condition drop-down list, select the condition to assess whether the user or device meets the
installation requirements. The contents of this list vary depending on the selected category.
4. In the Operator drop-down list, select the operator to use. This operator compares the selected condition
to the specified value. It assesses whether the user or device meets the installation requirement. The
available operators vary depending on the selected condition. When you use the One Of operator, the
Values field validates that you enter one entry per row.
NOTE
The available requirements differ depending on the device type that the deployment type uses.
5. In the Value box, specify the values to use for comparison. These values, along with the selected
condition and operator, evaluate whether the user or device meets the installation requirements. The
available values vary depending on the selected condition and the selected operator.
6. Choose OK to save the requirement and close the Create Requirement dialog box.
Deployment type Dependencies
Dependencies define one or more deployment types from another application that the client must install before
it installs this deployment type.
IMPORTANT
In some cases, a deployment type is dependent on a deployment type that also has dependencies. The maximum number
of supported dependencies in the chain is five.
TIP
Select View to display the properties of the selected application or deployment type.
NOTE
You don't need to deploy a dependent application for the client to automatically install it.
7. If you add more than one dependency, use the Increase Priority and Decrease Priority buttons. These
actions change the order in which the client evaluates each dependency.
8. Select OK to close the Add Dependency window.
Deployment type Return Codes
NOTE
This page isn't in the Create Deployment Type wizard. It's only a tab on the properties of an existing deployment type.
Specify return codes to control behaviors after the deployment type completes. For example, signal that a restart
is required, or that the installation is complete.
1. On the Return Codes tab of the deployment type properties window, select Add.
2. In the Add Return Code window, specify the Return Code Value that you expect from this deployment
type. This value is any positive or negative integer between -2147483648 and 2147483647.
3. Select a Code Type from the drop-down list. This setting defines how Configuration Manager interprets
the specified return code from this deployment type. The available types vary based on the deployment
type technology.
Success (no reboot): The deployment type successfully installed, and no reboot is necessary.
Failure (no reboot): The deployment type failed to install.
Hard Reboot: The deployment type successfully installed, but requires the device to restart.
Nothing else can be installed until the device restarts.
Soft Reboot: The deployment type successfully installed, but requests the device to restart. Other
installations can occur before the device restarts.
Fast Retry: Another installation is already in progress on the device. The client retries every two
hours, for a total of 10 times.
4. Optionally, enter a Name and Description for this return code.
5. Select OK to close the Add Return Code window.
Example: non-zero success
You're deploying an application that returns an exit code of 1 when it successfully installs. By default,
Configuration Manager detects this non-zero return code as a failure. Specify the Return Code Value of 1, and
select the Code Type of Success (no reboot). Now Configuration Manager interprets that return code as a
success for this deployment type.
Default return codes
When you create some deployment types, Configuration Manager automatically adds the following return
codes that are common to that technology:
Windows Installer (*.msi file)
Value | Code type
Script Installer
Value | Code type
Value | Code type
Import an application
Use the following procedure to import an application into Configuration Manager:
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select the Applications node.
2. In the ribbon, on the Home tab and the Create group, select Import Application.
3. On the General page of the Import Application Wizard, specify the network path to the File to import.
For example, \\server\share\file.zip. This file is a valid compressed archive (ZIP format) of an exported
Configuration Manager application.
4. On the File Content page, select the action to take if this application is a duplicate of an existing
application. Create a new application, or ignore the duplicate and add a new revision to the existing
application.
5. On the Summary page, review the actions, and then finish the wizard.
The new application appears in the Applications node.
TIP
The Windows PowerShell cmdlet Import-CMApplication has the same function as this procedure. For more
information, see Import-CMApplication.
For more information about how to export an application, see Management tasks for applications.
Windows app package (*.appx, *.appxbundle, *.msix, *.msixbundle) | Windows app package files (.appx or .msix) or Windows app bundle packages (.appxbundle or .msixbundle).
Windows app package (in the Windows Store) | Specify a link to the app in the Windows Store, or browse the store to select the app. Note 1
Windows Phone app package (*.xap file) | A Windows Phone app package file.
Windows Phone app package (in the Windows Phone Store) | Specify a link to the app in the Windows Store.
Windows Installer through MDM (*.msi) | Create and deploy Windows Installer-based apps to Windows devices using on-premises mobile device management (MDM). For more information, see Deploy Windows Installer apps to MDM-enrolled Windows devices.
TIP
Some store links may cause the following error in the Create Application Wizard: "Invalid Application link". For example,
some store Featured Apps may cause this error. You can still select Next on the General page of the wizard.
Configuration Manager successfully creates the app, and you can successfully deploy it.
Next steps
After creating an application in Configuration Manager, the next step is to deploy the application.
Create a group of applications that you can send to a user or device collection as a single deployment. For more
information, see Create application groups.
For more information about creating applications on different OS platforms, see the following articles:
Create Windows applications
Create Mac applications
Create Windows Embedded applications
Create Mac computer applications with
Configuration Manager
9/13/2022
IMPORTANT
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.
Keep the following considerations in mind when you create and deploy applications for Mac computers.
IMPORTANT
The procedures in this topic cover information about deploying applications to Mac computers on which you installed the
Configuration Manager client. Mac computers that you enrolled with Microsoft Intune do not support application
deployment.
General considerations
You can use Configuration Manager to deploy applications to Mac computers that run the Configuration
Manager Mac client. The steps to deploy software to Mac computers are similar to the steps to deploy software
to Windows computers. However, before you create and deploy applications for Mac computers that are
managed by Configuration Manager, consider the following:
Before you can deploy Mac application packages to Mac computers, you must use the CMAppUtil tool
on a Mac computer to convert these applications into a format that can be read by Configuration
Manager.
Configuration Manager does not support the deployment of Mac applications to users. Instead, these
deployments must be made to a device. Similarly, for Mac application deployments, Configuration
Manager does not support the Pre-deploy software to the user's primary device option on the
Deployment Settings page of the Deploy Software Wizard.
Mac applications support simulated deployments.
You cannot deploy applications to Mac computers that have a purpose of Available.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
Mac computers do not support Background Intelligent Transfer Service (BITS) for downloading
application content. If an application download fails, it is restarted from the beginning.
Configuration Manager does not support global conditions when you create deployment types for Mac
computers.
Step 1: Prepare Mac applications for Configuration Manager | Before you can create Configuration Manager applications from Mac software packages, you must use the CMAppUtil tool on a Mac computer to convert the Mac software into a Configuration Manager .cmmac file.
Step 2: Create a Configuration Manager application that contains the Mac software | Use the Create Application Wizard to create an application for the Mac software.
Step 3: Create a deployment type for the Mac application | This step is required only if you did not automatically import this information from the application.
Step 4: Deploy the Mac application | Use the Deploy Software Wizard to deploy the application to Mac computers.
Step 5: Monitor the deployment of the Mac application | Monitor the success of application deployments to Mac computers.
NOTE
The application name can't be more than 128 characters.
To configure options for CMAppUtil, use the command-line properties in the following table:
Property | More information
4. Ensure that the .cmmac file has been created in the output folder that you specified.
Create a Configuration Manager application that contains the Mac software
Use the following procedure to help you create an application for Mac computers that are managed by
Configuration Manager.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. On the Home tab, in the Create group, choose Create Application.
3. On the General page of the Create Application Wizard, select Automatically detect information
about this application from installation files.
NOTE
If you want to specify information about the application yourself, select Manually specify the application
information. For more information about how to manually specify the information, see How to create
applications with Configuration Manager.
4. In the Type drop-down list, select Mac OS X.
5. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the Mac
application installation file (.cmmac file) that will detect application information. Alternatively, choose
Browse to browse to and specify the installation file location.
NOTE
You must have access to the UNC path that contains the application.
6. Choose Next.
7. On the Import Information page of the Create Application Wizard, review the information that was
imported. If necessary, you can choose Previous to go back and correct any errors. Choose Next to
proceed.
8. On the General Information page of the Create Application Wizard, specify information about the
application such as the application name, comments, version, and an optional reference to help you
reference the application in the Configuration Manager console.
NOTE
Some of the application information might already be on this page if it was previously obtained from the
application installation files.
9. Choose Next, review the application information on the Summary page, and then complete the Create
Application Wizard.
10. The new application is displayed in the Applications node of the Configuration Manager console.
Step 3: Create a deployment type for the Mac application
Use the following procedure to help you create a deployment type for Mac computers that are managed by
Configuration Manager.
NOTE
If you automatically imported information about the application in the Create Application Wizard, a deployment type
for the application might already have been created.
1. In the Configuration Manager console, choose Software Library > Application Management >
Applications.
2. Select an application. Then, on the Home tab, in the Application group, choose Create Deployment
Type to create a new deployment type for this application.
NOTE
You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the
Deployment Types tab of the <application name> Properties dialog box.
3. On the General page of the Create Deployment Type Wizard, in the Type drop-down list, select Mac
OS X.
4. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the
application installation file (.cmmac file). Alternatively, choose Browse to browse to and specify the
installation file location.
NOTE
You must have access to the UNC path that contains the application.
5. Choose Next.
6. On the Import Information page of the Create Deployment Type Wizard, review the information
that was imported. If necessary, choose Previous to go back and correct any errors. Choose Next to
continue.
7. On the General Information page of the Create Deployment Type Wizard, specify information
about the application such as the application name, comments, and the languages in which the
deployment type is available.
NOTE
Some of the deployment type information might already be on this page if it was previously obtained from the
application installation files.
8. Choose Next.
9. On the Requirements page of the Create Deployment Type Wizard, you can specify the conditions
that must be met before the deployment type can be installed on Mac computers.
10. Choose Add to open the Create Requirement dialog box and add a new requirement.
NOTE
You can also add new requirements on the Requirements tab of the <deployment type name> Properties
dialog box.
11. From the Category drop-down list, select that this requirement is for a device.
12. From the Condition drop-down list, select the condition that you want to use to assess whether the Mac
computer meets the installation requirements. The contents of this list vary depending on the category
that you select.
13. From the Operator drop-down list, choose the operator to use to compare the selected condition to the
specified value to assess whether the user or device meets the installation requirements. The available
operators vary depending on the selected condition.
14. In the Value field, specify the values to use with the selected condition and operator to assess whether
the user or device meets the installation requirement. The available values vary depending on the
condition and operator that you select.
15. Choose OK to save the requirement rule and exit the Create Requirement dialog box.
16. On the Requirements page of the Create Deployment Type Wizard, choose Next.
17. On the Summary page of the Create Deployment Type Wizard, review the actions for the wizard to
take. If necessary, choose Previous to go back and change deployment type settings. Choose Next to
create the deployment type.
18. After the Progress page finishes, review the actions that have been taken, and then choose Close to
complete the Create Deployment Type Wizard.
19. If you started this wizard from the Create Application Wizard, you will return to the Deployment
Types page.
Deploy the Mac application
The steps to deploy an application to Mac computers are the same as the steps to deploy an application to
Windows computers, except for the following differences:
The deployment of applications to users is not supported.
Deployments that have a purpose of Available are not supported.
The Pre-deploy software to the user's primary device option on the Deployment Settings page
of the Deploy Software Wizard is not supported.
Because Mac computers do not support Software Center, the setting User notifications on the User
Experience page of the Deploy Software Wizard is ignored.
The option to send wake-up packets when you deploy software is not supported for Mac computers.
NOTE
You can build a collection that contains only Mac computers. To do so, create a collection that uses a query rule and use
the example WQL query in the How to create queries topic.
General considerations
Configuration Manager supports the deployment of Windows app package (.appx) and app bundle
(.appxbundle) formats.
When you create an application in the Configuration Manager console, select the application installation file
Type as Windows app package (*.appx, *.appxbundle, *.msix, *.msixbundle). For more information on
creating apps in general, see Create applications. For more information on the MSIX format, see Support for
MSIX format.
NOTE
To take advantage of new Configuration Manager features, first update clients to the latest version. While new
functionality appears in the Configuration Manager console when you update the site and console, the complete scenario
isn't functional until the client version is also the latest.
IMPORTANT
Be careful with installing, provisioning, and updating different versions of the same Windows app package on a device,
which may cause unexpected results. This behavior may occur when using Configuration Manager to provision the app,
but then allowing users to update the app from the Microsoft Store. For more information, see the next step guidance
when you Manage apps from the Microsoft Store for Business.
When deploying offline apps to Windows devices with the Configuration Manager client, don't allow users to
update applications external to Configuration Manager deployments. Control of updates to offline apps is
especially important in multi-user environments such as classrooms. For more information, see Manage apps
from the Microsoft Store for Business and Education with Configuration Manager.
Configuration Manager supports app provisioning on all supported versions of Windows 10 and later.
To configure a Windows app deployment type for this feature, enable the option to Provision this application
for all users on the device. For more information, see Create applications.
NOTE
If you need to uninstall a provisioned application from devices to which users have already signed on, you need to create
two uninstall deployments. Target the first uninstall deployment to a device collection that contains the devices. Target the
second uninstall deployment to a user collection that contains the users who have already signed on to devices with the
provisioned application. When uninstalling a provisioned app on a device, Windows currently doesn't uninstall that app for
users as well.
NOTE
You need to be able to access the application's source content from the reference device.
The application's name can't have any special characters. Configuration Manager uses the app name as the name
of the output file.
Don't install this application on the reference device in advance.
You can install complex applications using task sequences via the application model. Add a task sequence
deployment type to an app either to install or uninstall the app. This deployment type provides the following
behaviors:
Display the app task sequence with an icon in Software Center. An icon makes it easier for users to find
and identify the app task sequence.
Define additional metadata for the app task sequence, including localized information
Starting in version 2010, deploy an app task sequence to a user collection
You can only add a non-OS deployment task sequence as a deployment type on an app. High-impact, OS
deployment, or OS upgrade task sequences aren't supported. A user-targeted deployment still runs in the
context of the local System account.
When you add this deployment type to an app, configure its properties on the Task Sequence page. For more
information, see Deployment type Task Sequence options.
Starting in version 2006, use the following Windows PowerShell cmdlets to add and configure a task sequence
deployment type:
Add-CMTaskSequenceDeploymentType
Set-CMTaskSequenceDeploymentType
NOTE
Consider the following scenario:
An application has a task sequence deployment type.
It's deployed as available.
A device has maintenance windows defined.
A user on the device runs the deployment in Software Center outside of a maintenance window.
Configuration Manager honors the user's intent to install the application, even though there's no available maintenance
window. In version 2107 and earlier, when the task sequence ran, the Restart Computer step would fail because of the
maintenance window.
Starting in version 2111, this step now ignores maintenance windows only when the task sequence is run as an app
deployment type.
If you don't configure this registry key, Configuration Manager automatically sets this value to 1 the first time
you deploy an app to the device. If you've set this value to 0, Configuration Manager can't automatically change
the value, and your line-of-business app deployment fails.
Digitally sign UWP line-of-business apps. Use a code-signing certificate that's trusted on each device to which
you deploy the app. Use certificates from your organization's PKI, or purchase a certificate from a third-party
provider whose public root certificate is already trusted by Windows.
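A pre-import check for the signing requirement above, as an added example that is not part of the original documentation: it reports whether a package's Authenticode signature is valid, whether the signer certificate lists the Code Signing usage, and whether its chain builds to a root trusted on the computer where it runs. The function name Test-AppPackageSignature is hypothetical, and the result reflects only the local trust store, so run it on a computer that has the same trusted roots as the target devices.

```powershell
# Added example (not from the documentation). Test-AppPackageSignature is a
# hypothetical helper name; it only reads the package and the local cert stores.
function Test-AppPackageSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $cert     = $sig.SignerCertificate

    # 1. Overall signature status (hash mismatch, unsigned, untrusted root, ...).
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        $findings.Add("Signature status is '$($sig.Status)': $($sig.StatusMessage)")
    }

    if ($null -eq $cert) {
        $findings.Add('Package carries no signer certificate.')
    }
    else {
        # 2. The certificate must be issued for code signing (EKU 1.3.6.1.5.5.7.3.3).
        $codeSigningOid = '1.3.6.1.5.5.7.3.3'
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $codeSigningOid) {
            $findings.Add('Signer certificate does not list the Code Signing enhanced key usage.')
        }

        # 3. Build the chain against the local stores, with online revocation checking.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        try {
            $chain.ChainPolicy.RevocationMode = 'Online'
            if (-not $chain.Build($cert)) {
                foreach ($status in $chain.ChainStatus) {
                    $findings.Add("Chain: $($status.Status) - $($status.StatusInformation.Trim())")
                }
            }
        }
        finally { $chain.Reset() }

        # 4. Without a timestamp the signature stops validating once the cert expires.
        if ($null -eq $sig.TimeStamperCertificate) {
            $findings.Add("Signature is not timestamped; certificate expires $($cert.NotAfter.ToString('u')).")
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage (the path is a placeholder in the UNC form used throughout this guide):
# Test-AppPackageSignature -Path '\\<server>\<share>\<filename>.msix' | Format-List
```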
To sign mobile app packages, use the following table to determine the type of code-signing certificate to use:
PACKAGE SYMANTEC NON-SYMANTEC
General considerations
When you deploy applications to Windows Embedded devices that are enabled for write filtering, you can
specify whether to disable the write filter on the device during the app deployment. You can then choose
to restart the write filter after the app deployment. If the write filter is not disabled, the software is
deployed to a temporary overlay. This means that unless another deployment forces changes to persist,
the software will no longer be installed when the device restarts.
When you deploy an application to a Windows Embedded device, make sure that the device is a member
of a collection that has a configured maintenance window. This lets you manage when the write filter is
disabled and enabled, and when the device restarts.
The setting that controls the write filter behavior is a check box named Commit changes at deadline
or during a maintenance window (requires restarts).
NOTE
You can edit global conditions only from the site where they were created.
NOTE
An assembly is a piece of code that can be shared between applications. Assemblies can have the .dll or
.exe file name extension. The Global Assembly Cache is a folder named %systemroot%\assembly on client
computers in which all shared assemblies are stored.
File system
Type – From the drop-down list, choose whether you want to search for a File or a Folder.
Path - Specify the path to the specified file or folder on client computers. You can specify
system environment variables and the %USERPROFILE% environment variable in the path.
NOTE
If you use the %USERPROFILE% environment variable in the Path or File or folder name fields,
all user profiles on the client computer will be searched. This could result in the discovery of
multiple instances of the file or folder.
File or folder name - Specify the name of the file or folder object that will be searched for.
You can specify system environment variables and the %USERPROFILE% environment
variable in the file or folder name. You can also use the * and ? wildcards in the file name.
NOTE
If you specify a file or folder name and use wildcards, this might produce a high number of results.
This could result in high resource use on the client computer and high network traffic when
reporting results to Configuration Manager.
Include subfolders – Enable this option if you also want to search any subfolders under
the specified path.
This file or folder is associated with a 64-bit application - Choose whether the 64-
bit system file location (%windir%\system32) should be searched in addition to the 32-bit
system file location (%windir%\syswow64) on Configuration Manager clients that run a 64-
bit version of Windows.
NOTE
If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-
bit computer, multiple files will be discovered by the global condition.
The File system setting type does not support specifying a UNC path to a network share in
the Path field.
IIS metabase
Metabase path - Specify a valid path to the IIS Metabase.
Property ID - Specify the numeric property of the IIS Metabase setting.
Registry key
Hive – From the drop-down list, choose the registry hive that you want to search in.
Key - Specify the registry key name that you want to search for. The format used should be
key\subkey.
This registry key is associated with a 64-bit application - Specifies whether the 64-
bit registry keys should be searched in addition to the 32-bit registry keys on clients that
run a 64-bit version of Windows.
NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit
computer, both registry keys will be discovered by the global condition.
Registry value
Hive - From the drop-down list, select the registry hive that you want to search in.
Key - Specify the registry key name that you want to search for. The format used should be
key\subkey.
Value – Specify the value that must be contained within the specified registry key.
This registry key is associated with a 64-bit application - Specifies whether the 64-
bit registry keys should be searched in addition to the 32-bit registry keys on clients that
run a 64-bit version of Windows.
NOTE
If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit
computer, both registry keys will be discovered by the global condition.
Script
Discovery script – Choose Add to enter, or browse to the script to use. You can use
Windows PowerShell, VBScript, or JScript scripts.
Run scripts by using the logged on user credentials – If you enable this option, the
script will run on client computers by using the credentials of the user who is signed in.
NOTE
The value returned by the script will be used to assess the compliance of the global condition. For
example, when you use VBScript, you could use the WScript.Echo Result command to return the
Result variable value to the global condition.
If your script returns multiple values, these values must be on a single line and separated with a
semi-colon. If each value is on a separate line, the evaluation will fail.
SQL query
SQL Server instance – Choose whether you want the SQL query to run on the default
instance, all instances, or a specified database instance name.
NOTE
The instance name must refer to a local instance of SQL Server. To refer to a SQL Server Always On
failover cluster instance or availability group, you should use a script setting.
Database - Specify the name of the Microsoft SQL Server database for which the SQL
query will be run.
Column - Specify the column name returned by the Transact-SQL statement to use to
assess the compliance of the global condition.
Transact-SQL statement – Specify the full SQL query to use for the global condition. You
can also choose Open to open an existing SQL query.
WQL query
Namespace - Specify the WMI namespace that will be used to build a WQL query that will
be assessed for compliance on client computers. The default value is Root\cimv2.
Class - Specifies the WMI class that will be used to build a WQL query that will be assessed
for compliance on client computers.
Property - Specifies the WMI property that will be used to build a WQL query that will be
assessed for compliance on client computers.
WQL query WHERE clause - You can use the WQL query WHERE clause item to
specify a WHERE clause to be applied to the specified namespace, class, and property on
client computers.
XPath query
Path - Specify the path to the XML file on client computers that will be used to assess
compliance. Configuration Manager supports the use of all Windows system environment
variables and the %USERPROFILE% user variable in the path name.
XML file name - Specify the file name that contains the XML query to use to assess
compliance on client computers.
Include subfolders - Enable this option if you also want to search any subfolders under
the specified path.
This file is associated with a 64-bit application - Choose whether the 64-bit system
file location (%windir%\system32) should be searched in addition to the 32-bit system file
location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version
of Windows.
XPath query - Specify a valid full XML path language (XPath) query to use to assess
compliance on client computers.
Namespaces - Opens the XML Namespaces dialog box to identify namespaces and
prefixes to use during the XPath query.
3. In the Data type drop-down list, choose the format in which data will be returned by the condition
before it is used to check requirements.
NOTE
The Data type drop-down list is not shown for all setting types.
4. Set up further details about this setting below the Setting type drop-down list. The items you can set up
will vary depending on the setting type you have selected.
5. Choose OK to save the rule and to close the Create Global Condition dialog box.
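The Script setting type and the 64-bit registry notes above, combined in an added example that is not part of the original documentation: a PowerShell discovery script that reads one registry value from both the 64-bit and the 32-bit registry view and returns every result on a single semicolon-separated line, as the note on multiple values requires. The key SOFTWARE\Contoso\Astoria and the value name Version are hypothetical placeholders.

```powershell
# Added example: discovery script for a global condition (setting type: Script).
# Assumptions (not from the documentation): the key path and value name below
# are hypothetical placeholders; replace them with the ones your app writes.
$SubKey    = 'SOFTWARE\Contoso\Astoria'   # format key\subkey, no hive prefix
$ValueName = 'Version'

function Get-RegistryValueFromAllViews {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$ValueName
    )

    # On 64-bit Windows the same key\subkey can exist in both registry views,
    # so open each view explicitly instead of relying on redirection.
    $views = @(
        [Microsoft.Win32.RegistryView]::Registry64,
        [Microsoft.Win32.RegistryView]::Registry32
    )

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($SubKey)     # read-only; $null when the key is missing
            if ($null -ne $key) {
                try {
                    $value = $key.GetValue($ValueName)
                    if ($null -ne $value) {
                        # Remove characters that would break the single-line,
                        # semicolon-separated format the condition expects.
                        ([string]$value) -replace '[;\r\n]', ' '
                    }
                }
                finally { $key.Dispose() }
            }
        }
        finally { $base.Dispose() }
    }
}

# Collapse identical values found in both views, then emit ONE line.
# Writing each value with its own output call would put them on separate
# lines, which the note above says makes the evaluation fail.
$results = @(Get-RegistryValueFromAllViews -SubKey $SubKey -ValueName $ValueName |
    Sort-Object -Unique)

if ($results.Count -gt 0) {
    Write-Output ($results -join ';')
}
```

The script reads only the local machine hive, so it does not depend on the option to run with the logged on user credentials.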
Set up an expression for the global condition
1. In the Condition Type drop-down list, choose Expression.
2. Choose Add Clause to open the Add Clause dialog box.
3. From the Select category drop-down list, select whether this expression is for a device or a user.
Alternatively, select Custom to use a previously configured global condition.
4. From the Select a condition drop-down list, select the condition to use to assess whether the user or
device meets the rule requirements. The contents of this list will vary depending on the selected category.
5. From the Choose operator drop-down list, choose the operator that will be used to compare the
selected condition to the specified value to assess whether the user or device meets the rule
requirements. The available operators will vary depending on the selected condition.
6. In the Value field, specify the values that will be used with the selected condition and operator to assess
whether the user or device meets the rule requirements. The available values will vary depending on the
selected condition and the selected operator.
7. Choose OK to save the expression and to close the Add Clause dialog box.
8. When you have finished adding clauses to the global condition, choose OK to close the Create Global
Condition dialog box and to save the global condition.
Create application groups
9/13/2022 • 3 minutes to read
TIP
This feature was first introduced in version 1906 as a pre-release feature. Beginning with version 2111, it's no longer a
pre-release feature.
This feature is optional in Configuration Manager, and enabled by default. For more information, see Enable optional
features from updates.
Process
1. In the Configuration Manager console, go to the Software Library workspace. Expand Application
Management and select the Application Group node.
2. In the Create group in the ribbon, select Create Application Group.
3. On the General Information page, specify information about the app group.
4. On the Software Center page, include information that shows in Software Center.
5. On the Application Group page, select Add. Select one or more apps for this group. Reorder them
using the Move Up and Move Down actions.
6. Complete the wizard.
TIP
To manage app groups, you need permissions on the Application Groups object. The permissions for most
administrative operations are the same as on applications.
Deploy
Deploy the app group using the same process as for an application. For more information, see Deploy
applications. You can deploy an app group to device or user collections. Starting in version 2111, when you
deploy an app group as required to a device or user collection, you can specify that it automatically uninstalls
when the resource is removed from the collection. For more information, see Implicit uninstall.
After you deploy the group:
If you add a new app to the group, you have to separately distribute the new app content to distribution
points.
If you modify an app in the app group, redistribute the content.
To troubleshoot an app group deployment, use the following log files on the client:
AppGroupHandler.log
AppEnforce.log
SettingsAgent.log
App approval
Starting in version 2111, you can use the following app approval behaviors:
Deploy an app group to a user collection and require approval.
A user can then request the app group in Software Center.
You can approve or deny the user's request for the app group.
Deploy an app group to a device collection and require approval. The deployment is suspended on the
device until you trigger installation via automation. For example, use the Approve-CMApprovalRequest
PowerShell cmdlet.
From the Configuration Manager console, when you select a device, there's a new action in the Device
group of the ribbon to Install Application Group. For more information, see Install applications for a
device.
When you enable tenant attach, you can view status and take actions on app groups from the Microsoft
Endpoint Manager admin center. For more information, see Install an application from the admin center.
Known issues
The following deployment options may not work: alerts, phased deployment, repair.
You can't use application groups with the Install Application task sequence step.
You can't export or import app groups.
In version 2103 and earlier, don't include in the group any apps that require restart, or the group deployment
may fail.
In version 2107 and earlier, if you delete an app that's a part of an app group, you'll see the following
warning when you next view the properties of the app group: "Unable to load information about all
applications in the group." Make a small change to the app group and save it. For example, add a space to the
Administrator comments. When you save the change, it removes the deleted app from the group. Starting
in version 2111, you can't delete an app that's part of an app group.
In most scenarios, user categories on the app group don't display as filters in Software Center. If the app
group is deployed as available to a user collection, the categories display.
PowerShell
You can create and deploy app groups using Windows PowerShell. For more information, see the following
cmdlet articles:
Get-CMApplicationGroup
New-CMApplicationGroup
Remove-CMApplicationGroup
Set-CMApplicationGroup
Get-CMApplicationGroupDeployment
New-CMApplicationGroupDeployment
Remove-CMApplicationGroupDeployment
Set-CMApplicationGroupDeployment
Next steps
Deploy applications
Packages and programs in Configuration Manager
9/13/2022 • 14 minutes to read
TIP
Consider using the Scripts feature in the Configuration Manager console. Scripts may be a better solution for some of the
preceding scenarios instead of using packages and programs.
When you migrate packages from an earlier version of Configuration Manager, you can deploy them in your
Configuration Manager hierarchy. After migration is complete, the packages appear in the Packages node in the
Software Library workspace.
You can modify and deploy these packages in the same way you did by using software distribution. The Import
Package from Definition Wizard remains in Configuration Manager to import legacy packages.
Advertisements are converted to deployments when you migrate from Configuration Manager 2007 to a
Configuration Manager hierarchy.
NOTE
Use Package Conversion Manager to convert packages and programs into Configuration Manager applications. Package
Conversion Manager is integrated with Configuration Manager. For more information, see Package Conversion Manager.
Packages can use some new features of Configuration Manager, including distribution point groups and
monitoring. You can't deploy Microsoft Application Virtualization (App-V) applications with packages and
programs in Configuration Manager. To distribute virtual applications, create them as Configuration Manager
applications. For more information, see Deploy App-V virtual applications.
NOTE
The computer account of the site server must have read access permissions to the source folder that you
specify.
Windows limits the source path to 256 characters or less. This limit applies to package source as well as
applications. For more information, see Naming Files, Paths, and Namespaces.
If you want to pre-cache content on a client, specify the Architecture and Language of the
package. For more information, see Configure pre-cache content.
4. On the Program Type page of the Create Package and Program Wizard, select the Standard
program type for computers. Or you can skip this step and create a program later.
TIP
To create a new program for an existing package, first select the package. Then, in the Home tab, in the Package
group, choose Create Program to open the Create Program Wizard.
The Program for device type is a legacy option that only applies to mobile devices, which aren't currently
managed by Configuration Manager.
NOTE
To take full advantage of new Configuration Manager features, after you update the site, also update clients to the latest
version. While new functionality appears in the Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.
Create a program
1. On the Program Type page of the Create Package and Program Wizard, choose Standard
Program, and then choose Next.
2. On the Standard Program page, specify the following information:
Name: Specify a name for the program with a maximum of 50 characters.
NOTE
The program name must be unique within a package. After you create a program, you can't modify its
name.
Command Line: Enter the command line to use to start this program, or choose Browse to
browse to the file location.
If you don't specify an extension for a file name, Configuration Manager attempts to use .com, .exe,
and .bat as possible extensions.
When the client runs the program, Configuration Manager searches for the file in the following
locations:
Within the package
The local Windows folder
The local %path%
If it can't find the file, the program fails.
Startup folder (optional): Specify the folder from which the program runs, up to 127 characters.
This folder can be an absolute path on the client. It can also be a path that's relative to the
distribution point folder that contains the package.
Run: Specify the mode in which the program runs on client computers. Select one of the following
options:
Normal: The program runs in the normal mode based on system and program defaults.
This mode is the default.
Minimized: The program runs minimized on client devices. Users might see installation
activity in the notification area or on the taskbar.
Maximized: The program runs maximized on client devices. Users see all installation
activity.
Hidden: The program runs hidden on client devices. Users don't see any installation activity.
Program can run: Specify whether the program runs only when a user is signed in, only when no
user is signed in, or regardless of whether a user is signed in to the client computer.
Run mode: Specify whether the program runs with administrative permissions or with the
permissions of the user who's currently signed in.
Allow users to view and interact with the program installation: Use this setting, if
available, to specify whether to allow users to interact with the program installation. This option is
only available if the following conditions are met:
Program can run setting is Only when a user is logged on or Whether or not a user is
logged on
Run mode setting is Run with administrative rights
Drive mode: Specify information about how this program runs on the network. Choose one of
the following options:
Runs with UNC name: Specify that the program runs with a Universal Naming
Convention (UNC) name. This setting is the default.
Requires drive letter: Specify that the program requires a drive letter to fully qualify its
location. For this setting, Configuration Manager can use any available drive letter on the
client. This setting requires the deployment to use the Deployment option Run program
from distribution point and the package's Data Access option enabled to Copy the
content in this package to a package share on distribution points.
Requires specific drive letter: Specify that the program requires a specific drive letter
that you specify to fully qualify its location. For example, Z:. If the client is already using the
specified drive letter, the program doesn't run. This setting requires the deployment to use
the Deployment option Run program from distribution point and the package's Data
Access option enabled to Copy the content in this package to a package share on
distribution points.
Reconnect to distribution point at log on: Indicate whether the client reconnects to the
distribution point when the user signs in. By default, the wizard doesn't enable this option.
3. On the Requirements page of the Create Package and Program Wizard, specify the following
information:
Run another program first: Identify a package and program that runs before this package and
program runs.
Platform requirements: Select This program can run on any platform or This program
can run only on specified platforms. Then choose the OS versions that clients must have to
install this package and program.
Estimated disk space: Specify the amount of disk space that the program requires to run on the
computer. The default setting is Unknown. If necessary, specify a whole number greater than or
equal to zero. If you set a value, also select units for the value.
Maximum allowed run time (minutes): Specify the maximum time that you expect the
program to run on the client computer. The default value is 120 minutes. Only use whole numbers
greater than zero.
IMPORTANT
If you use maintenance windows on the same collection to which you deploy this program, a conflict could
occur if the Maximum allowed run time is longer than the scheduled maintenance window. If you set
the maximum run time to Unknown, the program starts to run during the maintenance window. It then
continues to run as needed after the maintenance window is closed. If you set the maximum run time to a
specific period that's greater than the length of any available maintenance window, then the client doesn't
run the program.
If you set this value to Unknown, Configuration Manager sets the maximum allowed run time as
12 hours (720 minutes).
NOTE
If the program exceeds the maximum run time, Configuration Manager stops it if the following conditions
are met:
You enable the option to Run with administrative rights
You don't enable the option to Allow users to view and interact with the program installation
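The Command Line lookup described earlier in this procedure, as an added example that is not part of the original documentation: it resolves the program file of a command line through the three listed locations and reports whether the match comes from the package or from the Windows folder or %path%, which is worth confirming for a program that runs with administrative rights. The function name Resolve-ProgramCommand is hypothetical, and trying .com, .exe, and .bat in that order inside each location is an assumption; the result depends on the %path% of the computer where it runs.

```powershell
# Added example (not from the documentation). Resolve-ProgramCommand is a
# hypothetical helper that approximates the lookup the text describes.
function Resolve-ProgramCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [Parameter(Mandatory)][string]$PackageSource,   # absolute or UNC folder
        [string]$WindowsFolder = $env:windir,
        [string[]]$SearchPath  = @($env:Path -split ';')
    )

    # The program file is the first token; honor a quoted path that contains spaces.
    if ($CommandLine -match '^\s*"([^"]+)"' -or $CommandLine -match '^\s*(\S+)') {
        $file = $Matches[1]
    } else {
        throw 'Command line is empty.'
    }

    # No extension given: try the extensions the documentation lists.
    if ([System.IO.Path]::GetExtension($file)) {
        $names = @($file)
    } else {
        $names = @('.com', '.exe', '.bat' | ForEach-Object { "$file$_" })
    }

    # Search order from the documentation: package, Windows folder, %path%.
    $locations = [ordered]@{
        'Package'        = @($PackageSource)
        'Windows folder' = @($WindowsFolder)
        '%path%'         = @($SearchPath | Where-Object { $_ })
    }
    if ([System.IO.Path]::IsPathRooted($file)) {
        # An absolute path is not searched for; only the extensions are tried.
        $locations = [ordered]@{ 'Absolute path' = @([System.IO.Path]::GetDirectoryName($file)) }
        $names     = @($names | ForEach-Object { [System.IO.Path]::GetFileName($_) })
    }

    foreach ($location in $locations.GetEnumerator()) {
        foreach ($dir in $location.Value) {
            foreach ($name in $names) {
                $candidate = '{0}\{1}' -f $dir.TrimEnd('\'), $name
                # File.Exists returns $false instead of throwing on malformed paths.
                if ([System.IO.File]::Exists($candidate)) {
                    return [pscustomobject]@{
                        ProgramFile  = $file
                        ResolvedPath = $candidate
                        Location     = $location.Key
                        FromPackage  = ($location.Key -eq 'Package')
                    }
                }
            }
        }
    }

    # Nothing matched: per the documentation, the program fails on the client.
    [pscustomobject]@{
        ProgramFile  = $file
        ResolvedPath = $null
        Location     = 'Not found'
        FromPackage  = $false
    }
}

# Constructed demo: a temporary folder stands in for the package source folder.
$demo = Join-Path $env:TEMP ('pkg-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'setup.bat') -Value '@echo off'

Resolve-ProgramCommand -CommandLine 'setup /quiet' -PackageSource $demo
Resolve-ProgramCommand -CommandLine 'msiexec /i app.msi /qn' -PackageSource $demo

Remove-Item -LiteralPath $demo -Recurse -Force
```

A result with FromPackage set to False is expected for system tools such as msiexec; for anything else, review whether the file should ship inside the package.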
NOTE
If multiple users are signed into the device, package and task sequence deployments may not appear in
Software Center.
Send wake-up packets: If you set the deployment purpose to Required and select this option,
the site first sends a wake-up packet to computers at the installation deadline time. Before you can
use this option, configure computers for Wake On LAN. For more information, see How to
configure Wake on LAN.
Allow clients on a metered Internet connection to download content after the
installation deadline, which might incur additional costs
NOTE
When you deploy a package and program, the option to Pre-deploy software to the user's primary device
isn't available.
6. On the Scheduling page, configure when to deploy this package and program to client devices.
The options on this page vary depending on whether you set the deployment action to Available or
Required .
For Required deployments, configure the rerun behavior for the program from the Rerun behavior
drop-down menu. Choose from the following options:
Never rerun deployed program : The client won't rerun the program. This behavior happens even if the
program originally failed or if the program files are changed.
Always rerun program : The client always reruns the program when the deployment is scheduled. This
behavior happens even if the program has already successfully run. It's useful with recurring
deployments when you update the program.
Rerun if failed previous attempt : The client reruns the program when the deployment is scheduled,
only if it failed on the previous run attempt.
Rerun if succeeded on previous attempt : The client reruns the program only if it previously ran
successfully on the client. This behavior is useful with recurring deployments when you routinely
update the program, and each update requires the previous update to be successfully installed.
NOTE
When you deploy a package or program to a Windows Embedded device, make sure that the device is a
member of a collection that has a configured maintenance window. For more information about how
maintenance windows are used when you deploy packages and programs to Windows Embedded devices,
see Creating Windows Embedded applications.
IMPORTANT
If you configure the deployment option to Run program from distribution point , make sure to
enable the option to Copy the content in this package to a package share on distribution
points on the Data Access tab of the package properties. Otherwise the package is unavailable to run
from distribution points.
Allow clients to use distribution points from the default site boundary group : When this
content isn't available from any distribution point in the current or neighbor boundary groups,
enable this option to let them try distribution points in the site default boundary group.
9. Complete the wizard.
View the deployment in the Deployments node of the Monitoring workspace and in the details pane of the
package deployment tab when you select the deployment. For more information, see Monitor packages and
programs.
TIP
When you import an object in the Configuration Manager console, it imports to the current folder. In earlier versions,
Configuration Manager always put imported objects in the root node.
Next steps
Scripts
Package Conversion Manager
Package definition files
Package definition files
9/13/2022 • 6 minutes to read
MIFFileName : The name of the Management Information Format (MIF) file that contains the package
status, up to 50 characters.
MIFName : The name of the package for MIF matching, up to 50 characters.
MIFVersion : The version number of the package for MIF matching, up to 32 characters.
MIFPublisher : The software publisher of the package for MIF matching, up to 32 characters.
[Program]
Include a [Program] section for each program that you specify in the Programs entry in the [Package
Definition] section. This section defines each program. Each program section provides the following
information:
Name : The name of the program, up to 50 characters. This entry must be unique within a package.
Icon (optional): Specify the file that contains the icon to use for this program. This icon replaces the
default program icon in the Configuration Manager console. The client also displays this icon when you
deploy the program to a collection.
Comment (optional): A comment about the program, up to 127 characters.
CommandLine : Specify the command line for the program, up to 127 characters. The command is
relative to the package source folder.
StartIn : Specify the working folder for the program, up to 127 characters. This entry can be an absolute
path on the client computer or a path that's relative to the package source folder.
Run : Specify the program mode in which the program runs. You can specify Minimized , Maximized , or
Hidden . If you don't include this entry, the program runs in normal mode.
AfterRunning : Specify any special action that occurs after the program successfully completes. Options
available are SMSRestart , ProgramRestart , or SMSLogoff . If you don't include this entry, the program
doesn't run a special action.
EstimatedDiskSpace : Specify the amount of disk space that the software program requires to run on
the computer. The default value is Unknown . You can set the value as a whole number greater than or
equal to zero. If you specify a value, also include the units for the value.
Example:
EstimatedDiskSpace=38MB
EstimatedRunTime : Specify the estimated duration in minutes that you expect the program to run on
the client computer. The default value is 120 . You can set the value as a whole number greater than zero,
or Unknown .
Example:
EstimatedRunTime=25
SupportedClients : Specify the processors and operating systems on which this program runs. Separate
the platforms by commas. If you don't include this entry, the client doesn't check supported platforms for
this program.
SupportedClientMinVersionX , SupportedClientMaxVersionX : Specify the beginning-to-ending
range for version numbers for the operating systems that are specified in the SupportedClients entry.
Example:
SupportedClients=Win NT (I386),Win NT (IA64),Win NT (x64)
Win NT (I386) MinVersion1=5.00.2195.4
Win NT (I386) MaxVersion1=5.00.2195.4
Win NT (I386) MinVersion2=5.10.2600.2
Win NT (I386) MaxVersion2=5.10.2600.2
Win NT (I386) MinVersion3=5.20.0000.0
Win NT (I386) MaxVersion3=5.20.9999.9999
Win NT (I386) MinVersion4=5.20.3790.0
Win NT (I386) MaxVersion4=5.20.3790.2
Win NT (I386) MinVersion5=6.00.0000.0
Win NT (I386) MaxVersion5=6.00.9999.9999
Win NT (IA64) MinVersion1=5.20.0000.0
Win NT (IA64) MaxVersion1=5.20.9999.9999
Win NT (x64) MinVersion1=5.20.0000.0
Win NT (x64) MaxVersion1=5.20.9999.9999
Win NT (x64) MinVersion2=5.20.3790.0
Win NT (x64) MaxVersion2=5.20.9999.9999
Win NT (x64) MinVersion3=5.20.3790.0
Win NT (x64) MaxVersion3=5.20.3790.2
Win NT (x64) MinVersion4=6.00.0000.0
Win NT (x64) MaxVersion4=6.00.9999.9999
Assignment : Specify how the program is assigned to users. This value can be:
FirstUser : Only the first user who signs in to the client runs the program
EveryUser : Every user who signs in runs the program
When CanRunWhen isn't set to UserLoggedOn , this entry is set to FirstUser .
Disabled : Specify whether you can deploy this program to clients. Available values are True or False .
The default value is False .
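A package definition file decides what command line clients run, so it's worth linting before import. The following added example (not part of the original article or of Configuration Manager) checks program sections against the limits and values listed above; it assumes the file is INI-style and that each program section is named after an entry in Programs, and the sample file is constructed.

```python
import configparser
import re

# Length limits and allowed values as this page lists them (keys lower-cased).
MAX_LEN = {"name": 50, "comment": 127, "commandline": 127, "startin": 127}
ALLOWED = {
    "run": {"minimized", "maximized", "hidden"},
    "afterrunning": {"smsrestart", "programrestart", "smslogoff"},
    "assignment": {"firstuser", "everyuser"},
    "disabled": {"true", "false"},
}
VERSION_KEY = re.compile(r"^(?P<platform>.+) (?P<bound>min|max)version(?P<n>[0-9]+)$")

def _version(text):
    """'5.20.3790.2' -> (5, 20, 3790, 2); None when missing or malformed."""
    ok = re.fullmatch(r"[0-9]+(\.[0-9]+)*", text.strip())
    return tuple(int(part) for part in text.strip().split(".")) if ok else None

def check_program(section, entries):
    """Return findings for one program section; entries has lower-cased keys."""
    out = [f"[{section}] {key}: missing" for key in ("name", "commandline")
           if not entries.get(key, "").strip()]  # assumption: both are required
    for key, limit in MAX_LEN.items():
        if len(entries.get(key, "")) > limit:
            out.append(f"[{section}] {key}: longer than {limit} characters")
    for key, allowed in ALLOWED.items():
        if key in entries and entries[key].lower() not in allowed:
            out.append(f"[{section}] {key}: unexpected value {entries[key]!r}")
    disk = entries.get("estimateddiskspace", "Unknown")
    if disk.lower() != "unknown" and not re.fullmatch(r"[0-9]+\s*[A-Za-z]+", disk):
        out.append(f"[{section}] estimateddiskspace: need a whole number with units")
    runtime = entries.get("estimatedruntime", "120")
    if runtime.lower() != "unknown" and not re.fullmatch(r"0*[1-9][0-9]*", runtime):
        out.append(f"[{section}] estimatedruntime: need a whole number > 0 or Unknown")
    # Assignment is set to FirstUser unless CanRunWhen is UserLoggedOn.
    if (entries.get("assignment", "").lower() == "everyuser"
            and entries.get("canrunwhen", "").lower() != "userloggedon"):
        out.append(f"[{section}] assignment: EveryUser needs CanRunWhen=UserLoggedOn")
    # Group "<platform> MinVersionX" / "<platform> MaxVersionX" keys into ranges.
    platforms = {p.strip().lower() for p in entries.get("supportedclients", "").split(",")}
    ranges = {}
    for key, value in entries.items():
        match = VERSION_KEY.match(key)
        if match:
            ranges.setdefault((match["platform"], match["n"]), {})[match["bound"]] = value
    for (platform, n), bounds in sorted(ranges.items()):
        low, high = _version(bounds.get("min", "")), _version(bounds.get("max", ""))
        if platform not in platforms:
            out.append(f"[{section}] {platform} range {n}: platform not in SupportedClients")
        if low is None or high is None:
            out.append(f"[{section}] {platform} range {n}: bound missing or malformed")
        elif low > high:
            out.append(f"[{section}] {platform} range {n}: MinVersion above MaxVersion")
    return out

def validate_package_definition(text):
    """Parse an INI-style package definition and return all findings."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    out, seen = [], set()
    programs = parser.get("Package Definition", "Programs", fallback="")
    for section in (p.strip() for p in programs.split(",") if p.strip()):
        if not parser.has_section(section):
            out.append(f"[{section}] listed in Programs but has no section")
            continue
        entries = dict(parser.items(section))
        out += check_program(section, entries)
        name = entries.get("name", "").strip().lower()
        if name and name in seen:  # Name must be unique within a package
            out.append(f"[{section}] name: {entries['name']!r} already used")
        seen.add(name)
    return out

# Constructed sample: [Typical] is clean, [Repair] carries deliberate mistakes.
SAMPLE = """\
[Package Definition]
Programs=Typical,Repair
[Typical]
Name=Typical
CommandLine=setup.exe /quiet
EstimatedDiskSpace=38MB
EstimatedRunTime=25
SupportedClients=Win NT (x64)
Win NT (x64) MinVersion1=5.20.3790.0
Win NT (x64) MaxVersion1=5.20.9999.9999
[Repair]
Name=Typical
CommandLine=setup.exe /repair
Run=Silent
EstimatedDiskSpace=38
Assignment=EveryUser
SupportedClients=Win NT (x64)
Win NT (I386) MinVersion1=6.00.0000.0
Win NT (x64) MinVersion1=5.20.9999.9999
Win NT (x64) MaxVersion1=5.20.3790.0
"""
```

Calling validate_package_definition(SAMPLE) returns one finding per problem in [Repair] and none for [Typical].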
See also
Packages and programs
Deploy applications with Configuration Manager
9/13/2022 • 10 minutes to read
NOTE
You can only simulate the deployment of required applications, but not packages or software updates.
On-prem MDM-enrolled devices don't support simulated deployments, user experience, or scheduling settings.
Phased deployments allow you to orchestrate a coordinated, sequenced rollout of software based on
customizable criteria and groups. For example, deploy the application to a pilot collection, and then
automatically continue the rollout based on success criteria. For more information, see Create a phased
deployment.
General information
On the General page of the Deploy Software wizard, specify the following information:
Software : This value displays the application to deploy. Select Browse to choose a different application.
Collection : Select Browse to choose the target collection for this application deployment.
Use default distribution point groups associated to this collection : Store the application content
on the collection's default distribution point group. If you haven't associated the selected collection with a
distribution point group, this option is grayed out.
Automatically distribute content for dependencies : If any of the deployment types in the
application have dependencies, then the site also sends dependent application content to distribution
points.
NOTE
If you update the dependent application after deploying the primary application, the site doesn't automatically
distribute any new content for the dependency.
Content options
On the Content page, select Add to distribute the content for this application to a distribution point or a
distribution point group.
If you selected the option to Use default distribution points associated to this collection on the General
page, then this option is automatically populated. Only a member of the Application Administrator security
role can modify it.
If the application content is already distributed, then it appears here.
Deployment settings
On the Deployment Settings page, specify the following information:
Action : From the drop-down list, choose whether this deployment is to Install or Uninstall the
application.
NOTE
If you create a deployment to Install an app and another deployment to Uninstall the same app on the same
device, the Install deployment takes priority.
You can't change the action of a deployment after you create it.
Purpose : From the drop-down list, choose one of the following options:
Available : The user sees the application in Software Center. They can install it on demand.
NOTE
When you deploy apps as available to user collections, there are other requirements for some types of
clients. For more information, see Prerequisites to deploy user-available apps.
Required : The client automatically installs the app according to the schedule that you set. If the
application isn't hidden, a user can track its deployment status. They can also use Software Center
to install the application before the deadline.
NOTE
When you set the deployment action to Uninstall, the deployment purpose is automatically set to
Required . You can't change this behavior.
Allow end users to attempt to repair this application : If you created the application with a repair
command line, enable this option. Users see an option in Software Center to Repair the application.
Uninstall this application if the targeted object falls out of the collection : Starting in version
2107, when you remove the device from the target collection, Configuration Manager runs the uninstall
program on that device. For more information, see Implicit uninstall. This option is only available for
device-targeted deployments and when the deployment is Required .
Pre-deploy software to the user's primary device : If the deployment is to a user, select this option
to deploy the application to the user's primary device. This setting doesn't require the user to sign in
before the deployment runs. If the user must interact with the installation, don't select this option. This
option is only available when the deployment is Required .
Send wake-up packets : If the deployment is Required , Configuration Manager sends a wake-up
packet to computers before the client runs the deployment. This packet wakes the computers at the
installation deadline time. Before using this option, computers and networks must be configured for
Wake On LAN. For more information, see Plan how to wake up clients.
Allow clients on a metered Internet connection to download content after the installation
deadline, which might incur additional costs : This option is only available for deployments with a
purpose of Required .
Automatically upgrade any superseded versions of this application : The client upgrades any
superseded version of the application with the superseding application.
NOTE
This option works regardless of administrator approval. If an administrator already approved the superseded
version, they don't need to also approve the superseding version. Approval is only for new requests, not
superseding upgrades.
For Available install purpose, you can enable or disable this option.
Approval settings
The application approval behavior depends upon whether you enable the recommended optional feature,
Approve application requests for users per device .
An administrator must approve a request for this application on the device : If you enable the
optional feature, the administrator approves any user requests for the application before the user can
install it on the requested device. If the administrator approves the request, the user is only able to install
the application on that device. The user must submit another request to install the application on another
device. This option is grayed out when the deployment purpose is Required , or when you deploy the
application to a device collection.
Require administrator approval if users request this application : If you don't enable the optional
feature, the administrator approves any user requests for the application before the user can install it.
This option is grayed out when the deployment purpose is Required , or when you deploy the application
to a device collection.
For more information, see Approve applications.
Deployment properties: Deployment settings
When you view the properties of a deployment, if supported by the deployment type technology, the following
option appears on the Deployment Settings tab:
Automatically close any running executables you specified on the install behavior tab of the
deployment type properties dialog box . For more information, see check for running executable files
before installing an application.
Scheduling settings
On the Scheduling page, set the time when this application is deployed or available to client devices.
By default, Configuration Manager makes the deployment policy available to clients right away. If you want to
create the deployment, but not make it available to clients until a later date, configure the option to Schedule
the application to be available . Then select the date and time, including whether that's based on UTC or the
client's local time.
If the deployment is Required , also specify the Installation deadline . By default this deadline is as soon as
possible.
For example, you need to deploy a new line-of-business application. All users need to install it by a certain time,
but you want to give them the option to opt in early. You also need to make sure that the site has distributed the
content to all distribution points. You schedule the application to be available in five days from today. This
schedule gives you time to distribute the content and confirm its status. You then set the installation deadline for
one month from today. Users see the application in Software Center when it's available in five days. If they do
nothing, the client automatically installs the application at the installation deadline.
If the application you're deploying supersedes another application, set the installation deadline when users
receive the new application. Set the Installation Deadline to upgrade users with the superseded application.
Delay enforcement with a grace period
You might want to give users more time to install required applications beyond any deadlines you set. This
behavior is typically required when a computer is turned off for a long time, and needs to install many
applications. For example, when a user returns from vacation, they have to wait for a long time as the client
installs overdue deployments. To help solve this problem, define an enforcement grace period.
First, configure this grace period with the property Grace period for enforcement after deployment
deadline (hours) in client settings. For more information, see the Computer agent group. Specify a
value between 1 and 120 hours.
On the Scheduling page of a required application deployment, enable the option to Delay
enforcement of this deployment according to user preferences, up to the grace period
defined in client settings . The enforcement grace period applies to all deployments with this option
enabled and targeted to devices to which you also deployed the client setting.
After the deadline, the client installs the application in the first non-business window, which the user configured,
up to this grace period. However, the user can still open Software Center and install the application at any time.
Once the grace period expires, enforcement reverts to normal behavior for overdue deployments.
NOTE
Most of the time, this feature addresses the scenario when the device is powered off while the user is out of the office.
Technically, the grace period starts when the client gets policy after the deployment deadline. The same behavior happens
if you stop the Configuration Manager client service (CcmExec), and then restart it at some time after the deployment
deadline.
Alerts
On the Alerts page, configure how Configuration Manager generates alerts for this deployment. If you're also
using System Center Operations Manager, configure its alerts as well. You can only configure some alerts for
required deployments.
Next steps
Monitor applications
Disable and delete application deployments
Troubleshoot application deployments
Common error codes for app installation
Management tasks for applications
Software Center user guide
NOTE
This article used to include more sections, which have moved to the following articles:
Delete a deployment
User notifications for required deployments
Check for running executable files
Deploy user-available apps
Create phased deployments with Configuration Manager
9/13/2022 • 8 minutes to read
Prerequisites
Security scope
Deployments created by phased deployments aren't viewable to any administrative user that doesn't have the
All security scope. For more information, see Security scopes.
Distribute content
Before creating a phased deployment, distribute the associated content to a distribution point.
Application : Select the target application in the console and use the Distribute Content action in the
ribbon. For more information, see Deploy and manage content.
Task sequence : You have to create referenced objects like the OS upgrade package before creating the
task sequence. Distribute these objects before creating a deployment. Use the Distribute Content action
on each object, or the task sequence. To view status of all referenced content, select the task sequence,
and switch to the References tab in the details pane. For more information, see the specific object type in
Prepare for OS deployment.
Software update : create the deployment package and distribute it. Use the Download Software Updates
Wizard. For more information, see Download software updates.
Phase settings
These settings are unique to phased deployments. Configure these settings when creating or editing the phases
to control the scheduling and behavior of the phased deployment process.
Optionally, use the following Windows PowerShell cmdlets to manually configure phases for software update
and task sequence phased deployments:
New-CMSoftwareUpdatePhase
New-CMTaskSequencePhase
Criteria for success of the first phase
Deployment success percentage : Specify the percent of devices that need to successfully complete
the deployment for the first phase to succeed. By default, this value is 95%. In other words, the site
considers the first phase successful when the compliance state for 95% of the devices is Success for this
deployment. The site then continues to the second phase, and creates a deployment of the software to the
next collection.
Number of devices successfully deployed : Specify the number of devices that need to successfully
complete the deployment for the first phase to succeed. This option is useful when the size of the
collection is variable, and you have a specific number of devices to show success before moving to the
next phase.
Conditions for beginning second phase of deployment after success of the first phase
Automatically begin this phase after a deferral period (in days) : Choose the number of days to
wait before beginning the second phase after the success of the first. By default, this value is one day.
Manually begin the second phase of deployment : The site doesn't automatically begin the second
phase after the first phase succeeds. This option requires that you manually start the second phase. For
more information, see Move to the next phase.
NOTE
This option isn't available for phased deployments of applications.
Gradually make this software available over this period of time (in days)
Configure this setting for the rollout in each phase to happen gradually. This behavior helps mitigate the risk of
deployment issues, and decreases the load on the network that is caused by the distribution of content to clients.
The site gradually makes the software available depending on the configuration for each phase. Every client in a
phase has a deadline relative to the time the software is made available. The time window between the available
time and deadline is the same for all clients in a phase. The default value of this setting is zero, so by default the
deployment isn't throttled. Don't set the value higher than 30.
Configure the deadline behavior relative to when the software is made available
Installation is required as soon as possible : Set the deadline for installation on the device as soon
as the device is targeted.
Installation is required after this period of time : Set a deadline for installation a certain number of
days after the device is targeted. By default, this value is seven days.
IMPORTANT
The Create Phased Deployment wizard doesn't notify you if a deployment is potentially high-risk. For more
information, see Settings to manage high-risk deployments and the note when you Deploy a task sequence.
4. On the Settings page, choose one option for each of the scheduling settings. For more information, see
Phase settings. Select Next when complete.
5. On the Phases page, see the two phases that the wizard creates for the specified collections. Select Next .
These instructions cover the procedure to automatically create a default two-phase deployment. The
wizard lets you add, remove, reorder, edit, or view phases for a phased deployment. For more information
on these additional actions, see Create a phased deployment with manually configured phases.
6. Confirm your selections on the Summary tab, and then select Next to complete the wizard.
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager
product and documentation while the console is being updated.
Optionally, use the following Windows PowerShell cmdlets for this task:
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment
NOTE
You can't currently manually create phases for an application. The wizard automatically creates two phases for application
deployments.
1. Start the Create Phased Deployment wizard for either a task sequence or software updates.
2. On the General page of the Create Phased Deployment wizard, give the phased deployment a Name ,
Description (optional), and select Manually configure all phases .
3. From the Phases page of the Create Phased Deployment wizard, the following actions are available:
Filter the list of deployment phases. Enter a string of characters for a case-insensitive match of the
Order, Name, or Collection columns.
Add a new phase:
a. On the General page of the Add Phase Wizard, specify a Name for the phase, and then
browse to the target Phase Collection . The additional settings on this page are the same
as when normally deploying a task sequence or software updates.
b. On the Phase Settings page of the Add Phase Wizard, configure the scheduling settings,
and select Next when complete. For more information, see Settings.
NOTE
You can't edit the phase settings, Deployment success percentage or Number of devices
successfully deployed , on the first phase. These settings only apply to phases that have a
previous phase.
c. The settings on the User Experience and Distribution Points pages of the Add Phase
Wizard are the same as when normally deploying a task sequence or software updates.
d. Review the settings on the Summary page, and then complete the Add Phase Wizard.
Edit : This action opens the selected phase's Properties window, which has tabs the same as the
pages of the Add Phase Wizard.
Remove : This action deletes the selected phase.
WARNING
There is no confirmation, and no way to undo this action.
Move Up or Move Down : The wizard orders the phases by how you add them. The most recently
added phase is last in the list. To change the order, select a phase, and then use these buttons to
move the phase's location in the list.
IMPORTANT
Review the phase settings after changing the order. Make sure the following settings are still consistent
with your requirements for this phased deployment:
Criteria for success of the previous phase
Conditions for beginning this phase of deployment after success of the previous phase
4. Select Next . Review the settings on the Summary page, and then complete the Create Phased
Deployment wizard.
Optionally, use the following Windows PowerShell cmdlets for this task:
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequenceManualPhasedDeployment
After you create a phased deployment, open its properties to make changes:
Add additional phases to an existing phased deployment.
If a phase isn't active, you can Edit , Remove , or Move it up or down. You can't move it before an active
phase.
When a phase is active, it's read-only. You can't edit it, remove it, or move its location in the list. The only
option is to View the properties of the phase.
An application phased deployment is always read-only.
Next steps
Manage and monitor phased deployments:
Application
Software update
Task sequence
Approve applications in Configuration Manager
9/13/2022 • 8 minutes to read
NOTE
Starting in version 2111, you can also use most approval behaviors with application groups.
Approval settings
The application approval behavior depends upon whether you enable the recommended optional app approval
experience. One of the following approval settings appears on the Deployment Settings page of the
application deployment:
An administrator must approve a request for this application on the device
NOTE
Configuration Manager doesn't enable this feature by default. Before using it, enable the optional feature Approve
application requests for users per device . For more information, see Enable optional features from updates.
If you don't enable this feature, you see the prior experience.
The administrator approves any user requests for the application before the user can install it on the requested
device. If the administrator approves the request, the user is only able to install the application on that device.
The user must submit another request to install the application on another device. This option is grayed out
when the deployment purpose is Required , or when you deploy the application to a device collection.
NOTE
To take advantage of new Configuration Manager features, first update clients to the latest version. While new
functionality appears in the Configuration Manager console when you update the site and console, the complete scenario
isn't functional until the client version is also the latest.
View Application Requests under Application Management in the Software Library workspace of the
Configuration Manager console. There's a Device column in the list for each request. When you take action on
the request, the Application Request dialog also includes the device name from which the user submitted the
request.
If a request isn't approved within 30 days, it's removed. Reinstalling the client might cancel any pending
approval requests.
When you require approval on a deployment to a device collection, the app isn't displayed in Software Center. If
you require approval on a deployment to a user collection, the app is displayed in Software Center. You can still
hide it from users with the client setting, Hide unapproved applications in Software Center . For more
information, see Software Center client settings.
After you've approved an application for installation, you can Deny the request in the Configuration Manager
console. If users haven't already installed the application, this action stops them from installing new copies of
the application from Software Center. If an application was previously approved and installed, when you Deny
the request for the application, the client uninstalls the application from the user's device.
If you approve an app request in the console, and then deny it, you can approve it again. The app is reinstalled
on the client after you approve it.
Automate the approval process with the Approve-CMApprovalRequest PowerShell cmdlet. This cmdlet includes
the InstallActionBehavior parameter. Use this parameter to specify whether to install the application right
away or during non-business hours.
You can see which deployments require approval. Select an app in the Applications node. In the details pane,
switch to the Deployments tab. There's a column displayed by default, Requires Approval .
Retry the install of pre-approved applications
You can retry the installation of an app that you previously approved for a user or device. The approval option is
only for available deployments. If the user uninstalls the app, or if the initial install process fails, Configuration
Manager doesn't reevaluate its state and reinstall it. This feature allows a support technician to quickly retry the
app install for a user that calls for help.
1. Open the Configuration Manager console as a user that has the Approve permission on the Application
object. For example, the Application Administrator or Application Author built-in roles have this
permission.
2. Deploy an app that requires approval, and approve it.
TIP
Alternatively, install an application for a device. It creates an approved request for the app on the device.
If the application doesn't install successfully, or the user uninstalls the app, use the following process to retry:
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management , and select the Application Requests node.
2. Select the previously approved app. In the Approval Request group of the ribbon, select Retry install .
Other app approval resources
Application approval improvements in ConfigMgr 1810
Updates to the application approval process in Configuration Manager
Require administrator approval if users request this application
NOTE
This experience applies if you don't enable the recommended optional app approval experience.
The administrator approves any user requests for the application before the user can install it. This option is
grayed out when the deployment purpose is Required , or when you deploy the application to a device
collection.
Application approval requests are displayed in the Application Requests node, under Application
Management in the Software Library workspace. If a request isn't approved within 30 days, it's removed.
Reinstalling the client might cancel any pending approval requests.
After you've approved an application for installation, you can Deny the request in the Configuration Manager
console. This action doesn't cause the client to uninstall the application from any devices. It stops users from
installing new copies of the application from Software Center.
Email notifications
You can configure email notifications for application approval requests. When a user requests an application,
you receive an email. Click links in the email to approve or deny the request, without requiring the Configuration
Manager console.
You can define the email addresses of the users who can approve or deny the request while creating a new
deployment for the application. If you need to change the list of email addresses afterwards, go to the
Monitoring workspace, expand Alerts , and select the Subscriptions node. Select Properties from one of the
Approve application via email subscriptions that's related to your application deployment.
If there is more than one alert, you can determine which alert goes with which deployment. Open the alert
properties, and view the list of Selected aler ts on the General tab. The deployment is enabled as the alert for
this subscription.
Users can add a comment to the request from Software Center. This comment shows on the application request
in the Configuration Manager console. That comment also shows in the email. Including this comment in the
email helps the approvers make a better decision to approve or deny the request.
Prerequisites
To send email notifications and take action on internal network
With these prerequisites, recipients receive an email with notification of the request. If they are on the internal
network, they can also approve or deny the request from the email.
Enable the optional feature Approve application requests for users per device.
Configure email notification for alerts.
NOTE
The administrative user that deploys the application needs permission to create an alert and subscription. If this
user doesn't have these permissions, they'll see an error at the end of the Deploy Software Wizard: "You do not
have security rights to perform this operation."
NOTE
If you have multiple child primary sites in a hierarchy, configure these prerequisites for each primary site where you want
to enable this feature. The links in the email notification are for the administration service at the primary site.
NOTE
This scenario doesn't support CMG deployments with a virtual machine scale set until Configuration Manager
version 2207 or later is installed.
b. Replace <CMG FQDN> with the fully qualified domain name (FQDN) of your cloud
management gateway (CMG) service. For example, GraniteFalls.Contoso.com.
c. For Configuration Manager version 2111 and later, in the Implicit grant and hybrid
flows section, select the following options:
Access tokens (used for implicit flows)
ID tokens (used for implicit and hybrid flows)
d. Then select Save.
4. For Configuration Manager version 2107 and earlier, in the Manage menu, select Manifest.
a. In the Edit manifest pane, find the oauth2AllowImplicitFlow property.
b. Change its value to true. For example, the entire line should look like the following line:
"oauth2AllowImplicitFlow": true,
c. Select Save.
Configure email approval
1. In the Configuration Manager console, deploy an application as available to a user collection. On the
Deployment Settings page, enable it for approval. Then enter one or more email addresses to receive
notification. Separate email addresses with a semicolon (;).
NOTE
Anyone in your Azure AD organization who receives the email can approve the request. Don't forward the email
to others unless you want them to take action.
NOTE
The link to approve or deny is for one-time use. For example, you configure a group alias to receive notifications. Meg
approves the request. Now Bruce can't deny the request.
Maintenance
Configuration Manager stores the information about the application approval request in the site database. For
requests that are canceled or denied, the site deletes the request history after 30 days. You can configure this
deletion behavior with the Delete Aged Application Request Data site maintenance task. The site never
deletes any approved or pending application requests.
Next steps
Monitor applications from the Configuration Manager console
Install applications for a device
9/13/2022 • 2 minutes to read
From the Configuration Manager console you can install applications to a device in real time. This feature can
help reduce the need for separate collections for every application.
NOTE
Starting in version 2111, this behavior also supports application groups. When this article refers to an application, it also
applies to app groups.
Prerequisites
Enable the optional feature Approve application requests for users per device.
Deploy the application as Available to a device collection.
On the Deployment Settings page of the deployment wizard, select the following option: An
administrator must approve a request for this application on the device.
NOTE
With these deployment settings, no policy is sent to the client. The app isn't shown as available in Software
Center, and a user can't install the app with this deployment. After you use this action to install the app,
the user can run it, and see its installation status in Software Center.
TIP
In a hierarchy, wait for application and deployment information to replicate to the primary site to which the target client is
assigned.
Process
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Devices node. Select the target device, and then select the Install application action in the ribbon.
Starting in version 2111, select the Install Application Group action for an app group.
2. Select one or more applications from the list. The list only shows applications that you already deployed
with the prerequisite settings.
This action triggers the installation of the selected pre-deployed applications on the device.
To see the status of the approval request, in the Software Library workspace, expand Application Management,
and select the Application Requests node.
Monitor the app installation the same as usual in the Deployments node of the Monitoring workspace.
See also
Approve applications
Check for running executable files
9/13/2022 • 2 minutes to read
NOTE
If you configure an application to check for running executable files, and include it in the Install Application task sequence
step, the task sequence will fail to install it. If you don't configure this task sequence step to continue on error, then the
entire task sequence fails.
Next steps
Plan for user notifications when you deploy applications
Create deployment types for an application
Deploy applications
Share an application from Software Center
9/13/2022 • 2 minutes to read
TIP
To create a link in an Outlook email, press CTRL + K and then paste the URL.
Simulate application deployments with
Configuration Manager
9/13/2022 • 2 minutes to read
NOTE
You cannot use simulated deployments for collections of mobile devices.
You cannot deploy an application with a deployment purpose of Uninstall if a simulated deployment of the same
application is active.
LOCATION | USE
Create a deployment
Create a Microsoft Edge application using the built-in application experience, which makes Microsoft Edge easier
to manage:
1. In the console, under Software Library, there's a new node called Microsoft Edge Management.
2. Select Create Microsoft Edge Application from either the ribbon, or by right-clicking on the
Microsoft Edge Management node.
3. On the Application Settings page of the wizard, specify a name, description, and location for the
content for the app. Ensure the content location folder you specify is empty.
4. On the Microsoft Edge Settings page, select:
The channel to deploy
The version to deploy
If you want to Allow Microsoft Edge to automatically update the version of the client on the
end user's device (added in version 2002)
5. On the Deployment page, decide if you want to deploy the application. If you select Yes, you can specify
your deployment settings for the application. For more information about deployment settings, see
Deploy applications.
6. In Software Center on the client device, the user can see and install the application.
2. In the Software Library workspace, expand Microsoft Edge Management and click on the All
Microsoft Edge Updates node.
3. If needed, click Synchronize Software Updates in the ribbon to start a synchronization. For more
information, see Synchronize software updates.
4. Manage and deploy Microsoft Edge updates like any other update, such as adding them to your
automatic deployment rule. Some of the common updates tasks you can do from the All Microsoft
Edge Updates node include:
Create a phased deployment
Manually deploy software updates
Download software updates
Known issues
Hardware inventory may fail to process
Hardware inventory for devices might fail to process. Errors similar to the one below may be seen in the
Dataldr.log file:
Mitigation: To work around this issue, disable the collection of the Browser Usage (SMS_BrowerUsage)
hardware inventory class.
Next steps
Monitor applications
Monitor software updates
Manage and monitor phased deployments
Deploy App-V virtual applications with
Configuration Manager
9/13/2022 • 16 minutes to read
This method uses standard network protocols to stream package content from distribution points.
Program shortcuts for virtual applications invoke a connection to the distribution point, so the virtual application delivery is on demand.
This method works well for clients with high-bandwidth connections to the distribution points.
Updated virtual applications distributed throughout the enterprise are available as clients receive policy that informs them that the current version is superseded and they download only the changes from the previous version.
Access permissions are defined at the distribution point to prevent users from accessing unauthorized applications or packages.
Virtual applications are not streamed until the user runs the application for the first time. In this scenario, a user might receive program shortcuts for virtual applications and then disconnect from the network before running the virtual applications for the first time. If the user tries to run the virtual application while the client is offline, the user sees an error and can't run the virtualized application because a Configuration Manager distribution point is not available to stream the application. The application will be unavailable until the user reconnects to the network and runs the application.
To avoid this, you can use the local delivery method for virtual application delivery to clients, or you can enable the Internet-based client management for streaming delivery.
The standard distribution point functionality is used to download the package by using Background Intelligent Transfer Service (BITS).
Disk space that equals up to twice the size of the virtual application package is required on the client when the virtual application is persisted in the Configuration Manager cache.
STEP | MORE INFORMATION
Evaluate the users and devices to which the virtual applications will be deployed. | Create Configuration Manager collections to group together the users and devices to which you want to deploy the virtual applications. See Introduction to collections.
Migrate App-V 5 connection groups to Configuration Manager virtual environments. | See the Migrate App-V 5 connection groups to Configuration Manager virtual environments section in this topic.
STEP | MORE INFORMATION
Investigate to find out if any of your virtual applications exist as full applications in your Configuration Manager infrastructure. | For easier management, you can add the virtual application as a new deployment type to the existing full application. See Create applications.
Create applications to replace your existing App-V packages. | See Introduction to application management and Create applications.
Distribute the content to the appropriate distribution points to enable local delivery of applications. | See Manage content and content infrastructure.
Configuration Manager no longer supports using packages and programs that contain virtual applications. When you migrate from Configuration Manager 2007 to Configuration Manager current branch, Configuration Manager converts these packages into applications. | See Planning for the migration of objects to Configuration Manager current branch.
REPORT NAME | DESCRIPTION
App-V Virtual Environment Results | Shows information about a selected virtual environment that is in a specified state for a selected collection (App-V 5 only).
App-V Virtual Environment Results For Asset | Shows information about a selected virtual environment for a specified asset and any deployment types for the selected virtual environment (App-V 5 only).
App-V Virtual Environment Status | Shows compliance information for a selected virtual environment for a selected collection. The Retained column in this report shows the assets in which a virtual environment that was previously set up is no longer applicable, but it is retained to persist user settings in applications that run in the virtual environment (App-V 5 only).
Computers with a specific virtual application | Shows a summary of computers that have the specified App-V shortcut that the Application Virtualization Management Sequencer created (App-V 4.6 only).
Computers with a specific virtual application package | Shows a list of computers that have the specified App-V application package installed (App-V 4.6 only).
Count all instances of virtual application packages | Shows a count of all detected App-V application packages (App-V 4.6 only).
Count all instances of virtual applications | Shows a count of all detected App-V applications (App-V 4.6 only).
Log files
Configuration Manager records information about virtual application deployments in log files. For information
about the log files that virtual applications and Configuration Manager application management use, see Log
files.
For Windows 8.1, find logs for the App-V client in C:\ProgramData\Microsoft\Application Virtualization Client.
Disable and delete application deployments
9/13/2022 • 3 minutes to read
IMPORTANT
Neither of these actions by itself causes an instant change on the client. You can use client notifications or other
automation tools to quickly request that clients refresh policy. But that still doesn't guarantee that a client won't run a
deployment.
Make sure you carefully plan app deployments. Simulate more complex deployments. When you deploy to a query-based
collection, use query results preview to make sure you understand the scope of the query.
Disable
Starting in version 2103, you can disable application deployments. Other objects already have similar behaviors:
Software update deployments: Disable the deployment
Phased deployments: Suspend the phase
Package: Disable the program
Task sequence: Disable the task sequence
Configuration baseline: Disable the baseline
For device-based deployments, when you disable the deployment or object, use the client notification action to
Download Computer Policy. This action immediately tells the client to update its policy from the site. If the
deployment hasn't already started, the client receives the updated policy that the object is now disabled.
For user-based deployments, the user needs to sign out of Windows. Policy updates when they sign in to
Windows, or every 24 hours by default.
NOTE
You can't disable an available deployment of an application to a user collection. You can only disable required deployments
to user collections, or both types of deployments to device collections. The following table summarizes the supported
scenarios to disable app deployments:
Available Yes No
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select the Applications node.
2. Select an app that you've deployed. In the details pane, switch to the Deployment tab.
3. Select a deployment. In the ribbon, on the Deployment tab, select Disable.
4. For a device-based deployment, note the name of the collection in the Collection field of the deployment.
TIP
When you select the deployment, press CTRL + C. This keyboard shortcut copies the values of the current
columns for the selected deployment.
5. Switch to the Assets and Compliance workspace, select the Device Collections node, and locate the
target collection for the deployment. The quickest method is to search for the collection name as
previously noted. You may need to select the option in the ribbon to search All subfolders.
6. Select the target collection for the deployment. In the ribbon, in the Collection group, select Client
Notification and choose the Download Computer Policy action.
To enable the deployment, repeat this process but select the Enable action on the application deployment.
NOTE
When you select a deployment, you can use the Collection action to change to the Assets and Compliance
workspace. But the current collection view doesn't support client notification actions.
Delete
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select either the Applications or Application Groups node.
2. Select the application or application group that includes the deployment you want to delete.
3. Switch to the Deployments tab of the details pane, and select the deployment.
4. In the ribbon, on the Deployment tab in the Deployment group, select Delete.
When you delete an application deployment, any instances of the application that clients have already installed
aren't removed. To remove these applications, deploy the application to computers to Uninstall. If you delete an
application deployment, the application is no longer visible in Software Center. The same behavior happens
when you remove a resource from the target collection for the deployment.
When you delete a deployment, you remove the policy that deploys an application to a specific collection. This
action doesn't delete the collection, any deployment types, or the application itself.
Next steps
Revise and supersede applications
Uninstall applications
Monitor applications from the Configuration
Manager console
9/13/2022 • 4 minutes to read
The following two tabs in the details pane are populated for the selected deployment:
Summary: Displays general status information about an application deployment.
Deployment Types: Displays status for the application's deployment types.
Review deployment details
From the Deployments node, you can review deployment details for each compliance state and the resources
in that state. To review the deployment details, select View status on the Home tab of the ribbon. This action
opens the Deployment Status pane. Here you can review the assets in each compliance state. To display
Details list. Then select More Details on the right side of the window.
The maximum number of items that the Deployment Status pane can display is 20,000. If you need to
see more items, use Configuration Manager reports to review application status data.
The status of deployment types is aggregated in the Deployment Status pane. To display more detailed
information about the deployment types, use the Application Infrastructure Errors report.
Starting in version 2203, you can perform client notification actions, including Run Scripts, from the
Deployment Status view. Use the right-click menu on either a group of clients in a Category or a
single client in the Asset details pane to display the client notification actions.
Summarized data
The information on the Summary and Deployment Types tabs is summarized data. When you select View
Status, the console displays current data from the site database. If these data don't match, select Run
Summarization.
To configure the default application deployment summarization interval:
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration, and select the Sites node.
2. Select the site for which you want to configure the summarization interval. Then in the Settings group of
the ribbon, choose Status Summarizers.
3. Select Application Deployment Summarizer, and then select Edit.
4. Configure the summarization intervals:
Frequency of status updates for a deployment that was modified in the last 30 days: By
default, this value is 60 minutes.
Frequency of status updates for a deployment that was modified in the last 31 to 90 days:
By default, this value is 24 hours.
Frequency of status updates for a deployment that was last modified over 90 days ago: By
default, this value is 7 days.
NOTE
These values apply to application, task sequence, and package deployments.
The site calculates the period of time based on the deployment start time.
Next steps
Monitor phased deployments
Monitor app usage with software metering
Manage and monitor phased deployments
9/13/2022 • 4 minutes to read
This article describes how to manage and monitor phased deployments. Management tasks include manually
beginning the next phase, and suspending or resuming a phase.
First, you need to create a phased deployment:
Application
Software update
Task sequence
Optionally, use the following Windows PowerShell cmdlet for this task: Move-CMPhasedDeploymentToNext.
NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager
product and documentation while the console is being updated.
Optionally, use the following Windows PowerShell cmdlets for this task:
Suspend-CMPhasedDeployment
Resume-CMPhasedDeployment
Monitor
Phased deployments have their own dedicated monitoring node, making it easier to identify phased
deployments you have created and navigate to the phased deployment monitoring view. From the Monitoring
workspace, select Phased Deployments, then double-click one of the phased deployments to see the status.
This dashboard shows the following information for each phase in the deployment:
Total devices or Total resources: How many devices are targeted by this phase.
Status: The current status of this phase. Each phase can be in one of the following states:
Deployment created: The phased deployment created a deployment of the software to the
collection for this phase. Clients are actively targeted with this software.
Waiting: The previous phase hasn't yet reached the success criteria for the deployment to
continue to this phase.
Suspended: An administrator suspended the deployment.
Progress: The color-coded deployment states from clients. For example: Success, In Progress, Error,
Requirements Not Met, and Unknown.
Success criteria tile
Use the Select Phase drop-down list to change the display of the Success Criteria tile. This tile compares the
Phase Goal against the current compliance of the deployment. With the default settings, the phase goal is 95%.
This value means that the deployment needs a 95% compliance to move to the next phase.
In the example, the phase goal is 65%, and the current compliance is 66.7%. The phased deployment
automatically moved to the second phase, because the first phase met the success criteria.
The phase goal is the same as the Deployment success percentage on the Phase Settings for the next phase.
For the phased deployment to start the next phase, that second phase defines the criteria for success of the first
phase. To view this setting:
1. Go to the phased deployment object on the software, and open the Phased Deployment Properties.
2. Switch to the Phases tab. Select Phase 2 and click View.
3. In the phase Properties window, switch to the Phase Settings tab.
4. View the value for Deployment success percentage in the Criteria for success of the previous phase
group.
For example, the following properties are for the same phase as the success criteria tile shown above where the
criteria is 65%:
PowerShell
Use the following Windows PowerShell cmdlets to manage phased deployments:
Automatically create phased deployments
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment
Manually create phased deployments
New-CMSoftwareUpdatePhase
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequencePhase
New-CMTaskSequenceManualPhasedDeployment
Get existing phased deployment objects
Get-CMApplicationPhasedDeployment
Get-CMSoftwareUpdatePhasedDeployment
Get-CMTaskSequencePhasedDeployment
Get-CMPhase
Monitor phased deployment status
Get-CMPhasedDeploymentStatus
Manage existing phased deployments
Move-CMPhasedDeploymentToNext
Resume-CMPhasedDeployment
Suspend-CMPhasedDeployment
Modify existing phased deployments
Set-CMApplicationPhasedDeployment
Set-CMSoftwareUpdatePhase
Set-CMSoftwareUpdatePhasedDeployment
Set-CMTaskSequencePhase
Set-CMTaskSequencePhasedDeployment
Remove-CMApplicationPhasedDeployment
Remove-CMSoftwareUpdatePhasedDeployment
Remove-CMTaskSequencePhasedDeployment
Software metering in Configuration Manager
9/13/2022 • 9 minutes to read
IMPORTANT
Software metering is used to monitor Windows PC desktop apps with a filename ending in .exe. Software metering does
not monitor modern Windows apps (such as those used by Windows 8).
DEPENDENCY | MORE INFORMATION
Client settings for software metering. | To use software metering, the client setting Enable software metering on clients must be enabled and deployed to computers. You can deploy software metering settings to all computers in the hierarchy, or you can deploy custom settings to groups of computers. See Configure software metering in this topic.
The reporting services point. | You must configure a reporting services point before you can view software metering reports. For more information, see Introduction to reporting.
NOTE
Software metering rules can share the same name if the file name contained in the rules is different.
File Name - The name of the program file that you want to meter. You can click Browse to display
the Open dialog box, in which you can select the program file to use.
NOTE
If you type the executable file name in the File name box, no checks are carried out to determine whether
this file exists or whether it contains the necessary header information. When possible, click Browse and
select the executable file to be metered.
Wildcard characters are not permitted in the file name.
This box is optional if a value for Original file name is specified.
Original File Name - The name of the executable file that you want to meter. This name matches
information in the header of the file, not the file name itself so that it can be useful in cases where
the executable file has been renamed but you want to meter it by the original name.
NOTE
Wildcard characters are not permitted in the original file name.
This box is optional if a value for File Name is specified.
Version - The version of the executable file that you want to meter. You can use the wildcard
character (*) to represent any string of characters or the wildcard character (?) to represent any
single character. If you want to meter for all versions of an executable file, use the default value (*).
Language - The language of the executable file to meter. The default value is the current locale of
the operating system you are using. If you select an executable file to be metered by clicking the
Browse button, this box is automatically filled if language information is present in the header of
the file. To meter all language versions of a file, select Any in the drop-down list.
Description - An optional description for the software metering rule.
Apply this software metering rule to the following clients – Select whether you want to
apply the software metering rule to all clients in the hierarchy or to the clients that are assigned to
the site specified in the Site list.
4. To continue, click Next.
5. Review and confirm the settings and then complete the wizard to create the software metering rule. The
new software metering rule is displayed in the Software Metering node in the Assets and
Compliance workspace.
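The field rules above can be modelled in a few lines. The following is an added example, not Configuration Manager's own matching code; the class and function names, the sample rules and the sample executable are constructed. It assumes that names compare case-insensitively and that a match on either File Name or Original File Name is enough.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

WILDCARDS = ("*", "?")


@dataclass(frozen=True)
class ExeInfo:
    """One running program as a metering check would see it (constructed model)."""
    file_name: str                      # name on disk
    original_file_name: Optional[str]   # name recorded in the file header, if any
    version: str
    language: str


@dataclass(frozen=True)
class MeteringRule:
    """The rule fields described above: names take no wildcards, Version does."""
    name: str
    file_name: Optional[str] = None
    original_file_name: Optional[str] = None
    version: str = "*"        # default value: all versions
    language: str = "Any"     # Any: all language versions

    def __post_init__(self):
        # File Name is optional only if Original File Name is given, and vice versa.
        if not self.file_name and not self.original_file_name:
            raise ValueError("specify File Name or Original File Name")
        for label, value in (("File Name", self.file_name),
                             ("Original File Name", self.original_file_name)):
            if value and any(w in value for w in WILDCARDS):
                raise ValueError(f"wildcard characters are not permitted in {label}")


def version_pattern(spec: str) -> "re.Pattern[str]":
    """Translate a Version field: * is any string, ? is any single character."""
    parts = []
    for ch in spec.strip():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # dots and digits stay literal
    return re.compile("".join(parts))


def _same(a: Optional[str], b: Optional[str]) -> bool:
    return bool(a) and bool(b) and a.lower() == b.lower()


def rule_matches(rule: MeteringRule, exe: ExeInfo) -> bool:
    # Assumption (not stated on the page): either name matching is sufficient.
    name_hit = (_same(rule.file_name, exe.file_name)
                or _same(rule.original_file_name, exe.original_file_name))
    if not name_hit:
        return False
    if not version_pattern(rule.version).fullmatch(exe.version):
        return False
    return rule.language == "Any" or rule.language.lower() == exe.language.lower()


def matching_rules(rules: List[MeteringRule], exe: ExeInfo) -> List[str]:
    """Names of the rules that would meter this executable."""
    return [r.name for r in rules if rule_matches(r, exe)]


# Constructed sample data: two rules for the same program, one per name field.
SAMPLE_RULES = [
    MeteringRule("Astoria by file name", file_name="astoria.exe"),
    MeteringRule("Astoria by original name", original_file_name="astoria.exe",
                 version="4.?.*"),
]

if __name__ == "__main__":
    # A copy of the program renamed on disk; the header still carries the old name.
    renamed = ExeInfo("notes.exe", "astoria.exe", "4.2.1130", "English (United States)")
    print(matching_rules(SAMPLE_RULES, renamed))
```

In this model the renamed copy is still metered by the rule keyed on Original File Name, while the rule keyed on File Name alone misses it.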
NOTE
By default, software metering rules that are automatically created are disabled. Before you can begin to collect usage data
from these rules, you must enable them.
1. In the Configuration Manager console, click Assets and Compliance > Software Metering, and then,
in the Home tab, in the Settings group, click Software Metering Properties.
2. In the Software Metering Properties dialog box, configure the following:
Data retention (in days) - Specifies the amount of time that data generated by software
metering rules are kept in the site database. The default value is 90 days.
Enable the option Automatically create disabled metering rules from recent usage
inventory data.
Specify the percentage of computers in the hierarchy that must use a program before
a software metering rule is automatically created - The default value is 10 percent.
Specify the number of software metering rules that must be exceeded in the hierarchy
before the automatic creation of rules is disabled - The default value is 100 rules.
3. Click OK to close the Software Metering Properties dialog box.
MANAGEMENT TASK | DETAILS
IMPORTANT
Depending on the type of application or deployment type, some management options might not be available.
Manage applications
In the Software Library workspace, expand Application Management, and select the Applications node.
Select the application to manage, and then choose a management task in the ribbon.
Manage access accounts
Use this action to control access to the associated content on distribution points.
When you Add an account:
1. Specify one of the following account types:
User: Any account that Windows can authenticate.
Guest: An unauthenticated user.
Administrator: An account that Windows recognizes as an administrator.
Windows User: A specific user account. It can either be from a local machine or Active Directory.
2. Specify one of the following access rights:
No access: Explicitly block the specified account type from accessing the content associated with this
application.
Read
Change
Full control
By default, the Administrator type has Full control access, and the User type has Read access.
Create prestaged content file
Prestaged content files help you to manage the delivery of content to remote distribution points. When
scheduling and throttling options don't provide a valid solution for the remote distribution point, you can
prestage the content.
For more information, see Deploy and manage content.
Revision history
View and manage the revisions to this application. For more information, see How to revise and supersede
applications.
Update statistics
Updates the information that's displayed in the Deployments node of the Monitoring workspace about the
deployments of this application. For more information, see Monitor applications from the Configuration
Manager console.
Create deployment type
Add a new deployment type to the selected application. For more information, see Create deployment types for
the application.
Convert to .MSIX
Convert an existing Windows Installer (.msi) application to the MSIX format. For more information, see Support
for MSIX format.
Reinstate
If you previously retired an application, use this action to reinstate it. When you reinstate a retired app, you can
then deploy it again.
Retire
When you retire an application, it's no longer available for deployment. Configuration Manager doesn't delete
the application and any deployments. If the app was installed on clients, Configuration Manager doesn't remove
the app. Configuration Manager deletes any revisions to the app after 60 days in retirement.
Before you delete an application:
1. Retire the application.
2. Delete all deployments.
3. Remove references to the application by other deployments.
4. Delete all of the application's revisions.
For more information, see Revise and supersede applications.
Export
Export the selected applications to a .zip file that you can archive or import to another site. If you choose to
export application content, Configuration Manager creates a folder with the content.
You can export:
Application dependencies
Supersedence relationships and conditions
Content for the application and its dependencies
To automate this process, use the following Configuration Manager PowerShell cmdlets:
Export-CMApplication
Import-CMApplication
For more information, see Import and export applications.
Copy (application)
Duplicate the application to create a new one. This action is useful to test something or when you need to create
a similar application. The site creates a new application, and appends -copy to the name. While the site copies
most of the metadata to the new application, it doesn't copy any deployments.
Delete (application)
Delete the currently selected applications.
You can't delete an application if any of the following conditions are true:
Other applications are dependent on it
It has an active deployment
It has dependent task sequences
Before you delete an application, retire it.
Simulate deployment
Test the results of an application deployment to computers without installing or uninstalling it. For more
information, see Simulate application deployments.
Deploy
Deploy the selected application to a collection of computers. For more information, see Deploy applications.
Create phased deployment
Phased deployments automate a coordinated, sequenced rollout of software across multiple collections. For
example, deploy software to a pilot collection, and then automatically continue the rollout based on success
criteria. For more information, see Create phased deployments.
Distribute content
Copy the content for the selected application to distribution points. For more information, see Distribute content.
Move
Move the selected application to another folder in the Applications node.
Set security scopes
Select the security scopes for the selected application. For more information, see Security scopes.
Categorize
Administrative categories help you organize apps in the Configuration Manager console. You can add the
Administrative categories column to the Applications node.
With this action, you can:
Quickly add the selected app to an administrative category.
Clear all categories on the current app.
Select Manage categories to create, rename, or delete categories.
You can also manage categories on the application properties, General information tab.
TIP
To help users find apps by category in Software Center, define user categories for your apps. You can add these
categories on the application properties, Software Center tab.
View relationships
Show a graphical diagram of the relationships of the selected applications to other applications. Choose one of
the following relationship types:
Dependency: Shows applications that are dependent on the selected application and the applications
that the selected application depends on. For more information, see Deployment type Dependencies.
Supersedence: Shows applications that the selected application supersedes, and applications that the
selected application is superseded by. For more information, see Supersedence.
Global Conditions: Shows the global conditions that this application references. For more information,
see Create global conditions.
Properties
Display and edit the metadata for this application.
Next steps
Import and export applications
Revise and supersede applications
Uninstall applications
Link users and devices with user device affinity in
Configuration Manager
9/13/2022 • 6 minutes to read
NOTE
The Primary Users list shows users who are already primary users of this device, and the method by which each
user-device relationship was assigned.
NOTE
The Primary Devices list shows devices that are already set up as primary devices for this user, and the method
by which each user-device relationship was assigned.
Automatically create user device affinities (Windows PCs only)
Configuration Manager reads data about user logon events from the Windows event log. To automatically create
user device affinities, turn on these two options in the local security policy on client computers to store logon
events in the Windows event log:
Audit account logon events
Audit logon events
To configure these settings, use Windows Group Policy.
IMPORTANT
If an error causes the Windows event log to generate a high number of entries, it might create a new event log. If this
behavior occurs, existing logon events might not be available to Configuration Manager.
NOTE
Starting in Configuration Manager version 2010, the troubleshooting portal in Microsoft Endpoint Manager admin center
allows you to search for a user and view their associated devices. Tenant attached devices that are assigned user device
affinity automatically based on usage are returned when searching for a user. For more information, see Tenant attach:
ConfigMgr client details in the admin center.
Import user device affinities from a file
To create many relationships at one time, import a file that has the details for multiple user device affinities.
Make sure the target devices are already discovered by the site and exist as resources in the Configuration
Manager database.
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select either
the Users or Devices node.
2. On the Home tab in the ribbon, in the Create group, choose Import User Device Affinity.
3. In the Import User Device Affinity Wizard, on the Choose Mapping page, set this information:
File name. Specify a comma-separated values (CSV) file that has a list of users and devices
between which you want to create an affinity. In this file, each user-and-device pair must be on its
own row, with values separated by a comma. Use this format:
<domain>\<username>,<device NetBIOS name>
This file has column headings for reference purposes. If the .csv file has a top-row header,
select this option. The site ignores the header row during the import.
4. If the file you import has more than two items in each row, use Column and Assign to specify which
columns represent users and devices, and which columns to ignore during import.
5. Complete the wizard.
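A pre-import check for the two-column file format described in step 3, as an added example that is not part of the original article or of Configuration Manager. The function name Test-AffinityCsvLine, the CONTOSO sample rows, and the conservative NetBIOS character set are assumptions; a file with extra columns that you plan to map with Column and Assign will be flagged by this check.

```powershell
# Added example: validate <domain>\<username>,<device NetBIOS name> rows
# before running the Import User Device Affinity Wizard.
function Test-AffinityCsvLine {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line,
        [switch]$HasHeader
    )

    # Assumption: user is written as DOMAIN\name, device is a NetBIOS name
    # of 1-15 letters, digits or hyphens. \A and \z anchor the whole value.
    $userPattern   = '\A[^\\/,"\s]+\\[^\\/,"]+\z'
    $devicePattern = '\A[A-Za-z0-9-]{1,15}\z'

    $seen   = @{}
    $rowNum = 0
    foreach ($row in $Line) {
        $rowNum++
        # With the header option selected, the site ignores the first row.
        if ($HasHeader -and $rowNum -eq 1) { continue }

        $issues = @()
        $fields = @($row.Split(',') | ForEach-Object { $_.Trim() })
        if ($fields.Count -ne 2) {
            $issues += "expected 2 values, found $($fields.Count)"
        }
        else {
            if ($fields[0] -notmatch $userPattern) {
                $issues += 'user is not <domain>\<username>'
            }
            if ($fields[1] -notmatch $devicePattern) {
                $issues += 'device is not a valid NetBIOS name'
            }
            # Names are case-insensitive, so compare pairs in upper case.
            $key = ($fields[0] + ',' + $fields[1]).ToUpperInvariant()
            if ($seen.ContainsKey($key)) {
                $issues += "duplicate of row $($seen[$key])"
            }
            else {
                $seen[$key] = $rowNum
            }
        }

        [pscustomobject]@{
            Row    = $rowNum
            Text   = $row
            Valid  = ($issues.Count -eq 0)
            Issues = ($issues -join '; ')
        }
    }
}

# Constructed sample content; CONTOSO and the device names are placeholders.
$sample = @(
    'User,Device',
    'CONTOSO\alice,WS-FIN-0042',
    'alice@contoso.example,WS-FIN-0042',
    'CONTOSO\bob,THIS-NAME-IS-TOO-LONG-01',
    'CONTOSO\alice,ws-fin-0042',
    'CONTOSO\carol,WS-HR-0007,extra'
)

Test-AffinityCsvLine -Line $sample -HasHeader |
    Where-Object { -not $_.Valid } |
    Format-Table Row, Issues, Text -AutoSize
```

To check a real file, pass its rows with -Line (Get-Content <path to your .csv>) and review every row reported as invalid before importing.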
NOTE
If you modify the default client settings, the site deploys them to all computers in the hierarchy. For more
information, see Configure client settings.
2. In the User and Device Affinity group, enable the setting to Allow user to define their primary
devices.
Set up a user device affinity in Software Center
Users can use Software Center to set affinity.
1. In Software Center, go to the Options tab.
2. In the Work information section, select the option I regularly use this computer to do my work.
Next steps
You can also use Microsoft Intune to find the primary use of an enrolled device. For more information, see Find
the primary user of an Intune device in the Intune documentation.
Manage apps from the Microsoft Store for Business
and Education with Configuration Manager
9/13/2022 • 5 minutes to read
IMPORTANT
Starting in November 2021, this feature of Configuration Manager is deprecated. For more information, see Evolving the
Microsoft Store for Business and Education.
The Microsoft Store for Business and Education is where you find and acquire Windows apps for your
organization. When you connect the store to Configuration Manager, you then synchronize the list of apps
you've acquired. View these apps in the Configuration Manager console, and deploy them like you deploy any
other app.
Capability    Offline apps    Online apps
Set up synchronization
When you synchronize the list of Microsoft Store for Business and Education apps that your organization
acquired, you see these apps in the Configuration Manager console.
Connect your Configuration Manager site to Azure AD and the Microsoft Store for Business and Education. For
more information and details of this process, see Configure Azure services. Create a connection to the
Microsoft Store for Business service.
Make sure the service connection point and targeted devices can access the cloud service. For more information,
see Prerequisites for Microsoft Store for Business and Education - Proxy configuration.
Supplemental information and configuration
On the App page of the Azure Services Wizard, first configure the Azure environment and Web app. Then
read the More Information section at the bottom of the page. This information includes the following other
actions in the Microsoft Store for Business and Education portal:
Configure Configuration Manager as the store management tool. For more information, see Configure
management provider.
Enable support for offline licensed apps. For more information, see Distribute offline apps.
Acquire at least one app. For more information, see Find and acquire apps.
On the Configurations page of the Azure Services Wizard, specify the following information:
Path to Microsoft Store for Business app content storage: Specify a shared network path,
including a folder. For example, \\server\share\folder. When the site server syncs with the store, it
caches content in this location. When you create an application in Configuration Manager, the site server
copies the app content from this local cache to the site's content library.
Selected languages: Select the languages to sync from the store and display to users in Software
Center. For example, if the user configures Windows for German, then Software Center shows German
strings for the store app. This behavior requires that language to be synchronized, and to exist for the
specific application.
Default language: If the user's language is unavailable, select a default language to use.
NOTE
Configuration Manager doesn't synchronize the app icon from the store. If you need an icon to display for this app in
Software Center, manually add it in the app properties. For more information, see Manually specify application
information.
Next steps
Troubleshoot the Microsoft Store for Business and Education integration with Configuration Manager
Create App-V virtual environments in Configuration
Manager
9/13/2022 • 2 minutes to read
IMPORTANT
Do not rely on App-V virtual environments to provide security protection, such as from malware.
Use the following procedure to create an App-V virtual environment in Configuration Manager.
Export
1. In the Configuration Manager console, select the Applications node. In the Create group of the ribbon,
choose Export Application.
2. On the General screen, enter a path to a new ZIP file to export into. Optionally, specify whether to export
dependencies, supersedence relationships, conditions, and virtual environments, and content for the
selected applications and dependencies. Enter any necessary administrator comments, and select Next.
3. Verify the application and any dependencies are listed on the Related Objects page and select Next.
4. On the Summary page, select Next.
5. Once the process completes, it creates the ZIP file, and you can close the wizard.
IMPORTANT
If you're going to copy this application to another environment, take both the ZIP file and the folder that accompanies it.
The ZIP file must exist in the same directory as the created folder.
Import
NOTE
You can only import applications from UNC paths, you can't directly import from your local disk.
1. In the Configuration Manager console, select the Applications node. In the Create group of the ribbon,
choose Import Application.
2. Choose the ZIP file that you'd like to import and select Next.
3. The File Content window shows what happens when you import the application. Select Next.
4. Review the summary screen and select Next.
5. Close the wizard. The application is now available in the site.
TIP
Starting in version 2010, when you import an object in the Configuration Manager console, it now imports to the current
folder. Previously, Configuration Manager always put imported objects in the root node.
Automation
If you want to automate the import and export of applications, use the following PowerShell cmdlets:
Import-CMApplication
Export-CMApplication
Next steps
Deploy applications
Revise and supersede applications in Configuration
Manager
9/13/2022 • 5 minutes to read
Revisions
When you make revisions to an application or a deployment type, Configuration Manager creates a new
revision of the application. You can display the history of each application revision. You can also view its
properties, restore a previous revision of an application, or delete an old revision.
Display the history of application revisions
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select the Applications node. Then choose the application that you want.
2. On the Home tab of the ribbon, in the Application group, select Revision History. This action opens
the Application Revision History window.
View an application revision
1. In the Application Revision History window, select an application revision, and then select View.
2. In the Properties dialog box, examine the properties of the selected application.
NOTE
This view of application properties is read-only.
IMPORTANT
You can only delete the current application revision after you retire the application and it has no references.
Supersedence
Application management in Configuration Manager lets you upgrade or replace existing applications by using a
supersedence relationship. When you supersede an application, you specify a new deployment type to replace
the deployment type of the superseded application. You can also decide whether to upgrade or uninstall the
superseded application before the client installs the superseding application. It's best to limit supersedence
chains to five levels deep at a maximum.
IMPORTANT
When you choose the option to uninstall the superseded deployment type, a deployment type can't be superseded by a
deployment type that was deployed to a different type of collection. For example, a deployment type that was deployed
to a device collection can't be superseded by a deployment type that was deployed to a user collection.
7. If you want users to still see deployments for both applications in Software Center, select the option to
Allow users to see deployments for this application and all applications that it supersedes in
Software Center. With this option, you give users the choice to still install an older version of the app if
needed. By default, this option isn't selected, so only the superseding application displays in Software
Center. This option is only for available deployments to user collections.
8. Select OK to save your changes and close the windows.
Display applications that supersede the current application
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select the Applications node. Then choose the application that you want.
2. On the Home tab of the ribbon, in the Properties group, select Properties.
3. Switch to the References tab.
4. For the Relationship type, choose Applications that supersede this application.
View supersedence relationships
1. In the Configuration Manager console, go to the Software Library workspace, expand Application
Management, and select the Applications node. Then choose the application that you want.
2. On the Home tab of the ribbon, in the Relationships group, select View relationships, and then select
Supersedence.
This action shows a graphical diagram of the relationships of the selected application to other applications. For
the supersedence relationships, it shows applications that the selected application supersedes, and applications
that the selected application is superseded by.
Manage supersedence with PowerShell
You can add, view, and remove supersedence relationships using the following PowerShell cmdlets:
Get-CMDeploymentTypeSupersedence
Set-CMApplicationSupersedence
Next steps
Uninstall applications
Uninstall applications with Configuration Manager
9/13/2022 • 5 minutes to read
TIP
Version 2107 and later supports Implicit uninstall.
A deployment with the Uninstall action doesn't check requirement rules. If the application is installed on
the target device, Configuration Manager uninstalls it.
Process
When you create the application, select the option to Automatically identify information about this
deployment type from installation files. If the information is available in the installation files, the uninstall
command line is automatically added to the deployment type properties.
For an existing application, use the following steps to configure its uninstall properties:
1. In the Configuration Manager console, go to the Software Library workspace. Expand Application
Management and select the Applications node.
2. Select the application. In the details pane, switch to the Deployment Types tab.
3. Select the deployment type. Then in the ribbon, on the Deployment Type tab, select Properties.
4. Switch to the Content tab and configure the following settings:
Uninstall content settings: Select an option for where Configuration Manager gets the content
to uninstall the application:
Same as install content: The install and uninstall content are the same. This option is the
default.
No uninstall content: Your application doesn't need content for uninstall.
Different from install content: The uninstall content is different from the install content.
Uninstall content location: If you select the third option for content settings, specify the
network path to the content that's used to uninstall the application.
5. Switch to the Programs tab and configure the following settings:
Uninstall program: Specify the command line and any required parameters to uninstall the
application.
Uninstall start in: Optionally specify the folder that has the uninstall program for the
deployment type. This folder can be an absolute path on the client. It can also be a relative path on
a distribution point of the folder with the package.
Run installation and uninstall program as 32-bit process on 64-bit clients: Use the 32-bit
file and registry locations on Windows-based computers to run the uninstall program for the
deployment type.
Then deploy the application. On the Deployment Settings page of the wizard, select the deployment action to
Uninstall.
NOTE
When you select a deployment action of Uninstall, the deployment purpose is automatically configured as Required.
Implicit uninstall
Many customers have lots of collections because for every application they need at least two collections: one for
install and another for uninstall. This practice adds overhead of managing more collections, and can reduce site
performance for collection evaluation.
Starting in version 2107, you can enable an application deployment to support implicit uninstall. If a resource is
in a collection, the application installs. Then when you remove the resource from the collection, the application
uninstalls.
Starting in version 2111, this behavior also supports application groups. When this article refers to an
application, it also applies to app groups.
NOTE
In version 2111 and later, this behavior applies to deployments to device or user collections. In version 2107, this
behavior only applies to deployments to device collections.
Starting in version 2203, if you deploy an application or app group to a user collection that's based on a security
group, and you enable implicit uninstall, changes to the security group are now honored. When the site
discovers the change in group membership, Configuration Manager uninstalls the app for the user that you
removed from the security group.
Enable implicit uninstall
When you deploy the application to a collection, configure the following settings on the Deployment Settings
page:
Action : Install
Purpose : Required
Enable the following option: When a resource is no longer a member of the collection, uninstall
the application
TIP
In version 2107, this option is named: Uninstall this application if the targeted object falls out of the
collection
IMPORTANT
Be careful with enabling this option on deployments to large query-based collections. Especially queries to external
sources like Active Directory groups. An unexpected external change could automatically trigger a large number of devices
to uninstall the application.
NOTE
For this behavior, the site can process up to 1000 collection membership changes every 10 minutes.
If the uninstall doesn't occur, it's likely that there's a conflicting install deployment of the same application, application
group, or a different application group with the same apps. Configuration Manager always honors an install
deployment over an uninstall deployment.
Known issues
You configure an app's installation behavior to Install for system, and then deploy it to a user collection. A
device has multiple users who are both in the collection, and the app installs on the device. If you then remove
one user from the collection, the app is uninstalled from the device for all users.
Next steps
How to manage collections
Monitor applications from the Configuration Manager console
Log file reference
Create and run PowerShell scripts from the
Configuration Manager console
9/13/2022 • 13 minutes to read
NOTE
In version 2006 and earlier, Configuration Manager doesn't enable this optional feature by default. You must enable this
feature before using it. For more information, see Enable optional features from updates.
With this integration in Configuration Manager, you can use the Run Scripts functionality to do the following
things:
Create and edit scripts for use with Configuration Manager.
Manage script usage through roles and security scopes.
Run scripts on collections or individual on-premises managed Windows PCs.
Get rapid aggregated script results from client devices.
Monitor script execution and view reporting results from script output.
WARNING
Given the power of scripts, we remind you to be intentional and careful with their usage. We have built in additional
safeguards to assist you: segregated roles and scopes. Be sure to validate the accuracy of scripts before running them
and confirm they are from a trusted source, to prevent unintended script execution. Be mindful of extended characters
or other obfuscation, and educate yourself about securing scripts. Learn more about PowerShell script security.
Certain anti-malware software may inadvertently trigger events against the Configuration Manager Run Scripts or
CMPivot features. It is recommended to exclude %windir%\CCM\ScriptStore so that the anti-malware software permits
those features to run without interference.
Prerequisites
To run PowerShell scripts, the client must be running PowerShell version 3.0 or later. However, if a script you
run contains functionality from a later version of PowerShell, the client on which you run the script must be
running that version of PowerShell.
Configuration Manager clients must be running the client from the 1706 release, or later in order to run
scripts.
To use scripts, you must be a member of the appropriate Configuration Manager security role.
To import and author scripts - Your account must have Create permissions for SMS Scripts.
To approve or deny scripts - Your account must have Approve permissions for SMS Scripts.
To run scripts - Your account must have Run Script permissions for Collections.
For more information about Configuration Manager security roles:
Security scopes for run scripts
Security roles for run scripts
Fundamentals of role-based administration.
Limitations
Run Scripts currently supports:
Scripting languages: PowerShell
Parameter types: integer, string, and list.
WARNING
Be aware that using parameters opens a surface area for potential PowerShell injection attacks. There are
various ways to mitigate and work around this risk, such as using regular expressions to validate parameter input or
using predefined parameters. A common best practice is not to include secrets in your PowerShell scripts (no
passwords, etc.). Learn more about PowerShell script security.
IMPORTANT
As a best practice, you shouldn't allow a script author to approve their own scripts. It should only be allowed in a lab
setting. Carefully consider the potential impact of changing this setting in a production environment.
Security scopes
Run Scripts uses security scopes, an existing feature of Configuration Manager, to control script authoring and
execution through assigning tags that represent user groups. For more information on using security scopes,
see Configure role-based administration for Configuration Manager.
Create a script
1. In the Configuration Manager console, click Software Library.
2. In the Software Library workspace, click Scripts.
3. On the Home tab, in the Create group, click Create Script.
4. On the Script page of the Create Script wizard, configure the following settings:
Script Name - Enter a name for the script. Although you can create multiple scripts with the same
name, using duplicate names makes it harder for you to find the script you need in the Configuration
Manager console.
Script language - Currently, only PowerShell scripts are supported.
Import - Import a PowerShell script into the console. The script is displayed in the Script field.
Clear - Removes the current script from the Script field.
Script - Displays the currently imported script. You can edit the script in this field as necessary.
5. Complete the wizard. The new script is displayed in the Script list with a status of Waiting for approval.
Before you can run this script on client devices, you must approve it.
IMPORTANT
Avoid scripting a device reboot or a restart of the Configuration Manager agent when using the Run Scripts feature.
Doing so could lead to a continuous rebooting state. If needed, there are enhancements to the client notification feature
that enable restarting devices. The pending restart column can help identify devices that need a restart.
Script parameters
Adding parameters to a script provides increased flexibility for your work. You can include up to 10 parameters.
The Run Scripts feature currently supports script parameters of the String and Integer data
types. Lists of preset values are also available. If your script has unsupported data types, you get a warning.
In the Create Script dialog, click Script Parameters under Script .
Each of your script's parameters has its own dialog for adding further details and validation. If there's a default
parameter in the script, it will be enumerated in the parameter UI and you can set it. Configuration Manager
won't overwrite the default value since it will never modify the script directly. You can think of this as
"pre-populated suggested values" being provided in the UI, while Configuration Manager doesn't provide access to
"default" values at run-time. This can be worked around by editing the script to have the correct defaults.
IMPORTANT
Parameter values can't contain a single quote.
There is a known issue where parameter values that include or are enclosed in single quotes don't get passed to the script
properly. When specifying default parameter values containing a space within a script, use double quotes instead. When
specifying default parameter values during creation or execution of a Script, surrounding the default value in either
double or single quotes is not necessary regardless of whether the value contains a space or not.
Parameter validation
Each parameter in your script has a Script Parameter Properties dialog for you to add validation for that
parameter. After adding validation, you should get errors if you're entering a value for a parameter that doesn't
meet its validation.
Example: FirstName
In this example, you're able to set the properties of the string parameter, FirstName.
The validation section of the Script Parameter Properties dialog contains the following fields for your use:
Minimum Length - minimum number of characters of the FirstName field.
Maximum Length - maximum number of characters of the FirstName field.
RegEx - short for Regular Expression. For more information on using the Regular Expression, see the next
section, Using Regular Expression validation.
Custom Error - useful for adding your own custom error message that supersedes any system validation
error messages.
Using Regular Expression validation
A regular expression is a compact form of programming for checking a string of characters against an encoded
validation. For example, you could check for the absence of a capital alphabetic character in the FirstName field
by placing [^A-Z] in the RegEx field.
The regular expression processing for this dialog is supported by the .NET Framework. For guidance on using
regular expressions, see .NET Regular Expression and Regular Expression Language.
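The two mitigations named in the warning under Limitations (regular expression validation and predefined parameter values), enforced inside the script itself so they hold no matter what value is entered in the console. This is an added example, not code from the original article; the parameter names, the RunScriptsDemo folder, and the service list are assumptions.

```powershell
# Added example (not from the original article). Parameter names, the
# RunScriptsDemo folder and the service allow-list are hypothetical.
[CmdletBinding()]
Param(
    # Anchored pattern. An unanchored .NET regex such as [A-Za-z0-9-]+
    # accepts any value that merely CONTAINS a match, so a value carrying
    # extra script text would still pass. \A and \z force the pattern to
    # cover the whole value.
    [Parameter(Mandatory = $true)]
    [ValidateLength(1, 32)]
    [ValidatePattern('\A[A-Za-z][A-Za-z0-9-]{0,31}\z')]
    [string]$FolderName,

    # Predefined values: only names on this list are accepted.
    [Parameter(Mandatory = $true)]
    [ValidateSet('Spooler', 'W32Time', 'BITS')]
    [string]$ServiceName
)

# Risky pattern, shown only as a comment: building a command string from a
# parameter and evaluating it turns the parameter value into code.
#   Invoke-Expression "New-Item -ItemType Directory -Path C:\Temp\$FolderName"

# Hardened: hand the value to a cmdlet parameter, so PowerShell treats it
# as data and never parses it as script text.
$root   = Join-Path -Path $env:TEMP -ChildPath 'RunScriptsDemo'
$target = Join-Path -Path $root -ChildPath $FolderName

# Defense in depth: confirm the resolved path is still below the root,
# in case the pattern above is loosened later.
$fullRoot   = [System.IO.Path]::GetFullPath($root)
$fullTarget = [System.IO.Path]::GetFullPath($target)
$prefix     = $fullRoot + [System.IO.Path]::DirectorySeparatorChar
if (-not $fullTarget.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing path outside ${fullRoot}: $fullTarget"
}

New-Item -ItemType Directory -Path $fullTarget -Force | Out-Null
$service = Get-Service -Name $ServiceName

# Return one small object. Output is serialized with ConvertTo-Json and
# truncated at 4 KB, and the enum is converted to a string so it displays
# properly in JSON.
[pscustomobject]@{
    Folder  = $fullTarget
    Service = $service.Name
    Status  = $service.Status.ToString()
}
```

PowerShell checks these validation attributes on the client when the script starts, so a value that fails validation stops the script before any of its statements run.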
Script examples
Here are a couple examples that illustrate scripts you might want to use with this capability.
Create a new folder and file
This script creates a new folder and a file within the folder, given your naming input.
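Param(
    [Parameter(Mandatory=$True)]
    [string]$FolderName,
    [Parameter(Mandatory=$True)]
    [string]$FileName
)
# Create the folder, then create the file inside it.
New-Item -Path $FolderName -ItemType Directory
New-Item -Path (Join-Path -Path $FolderName -ChildPath $FileName) -ItemType File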
Get OS Version
This script uses WMI to query the machine for its OS version.
TIP
Don't edit a script that's actively running on clients. They won't finish running the original script, and you may not get the
intended results from these clients.
Edit a script
1. Go to the Scripts node under the Software Library workspace.
2. Select the script to edit, then click Edit in the ribbon.
3. Change or reimport your script in the Script Details page.
4. Click Next to view the Summary, then Close when you're finished editing.
Copy a script
1. Go to the Scripts node under the Software Library workspace.
2. Select the script to copy, then click Copy in the ribbon.
3. Rename the script in the Script name field and make any additional edits you may need.
4. Click Next to view the Summary, then Close when you're finished editing.
Run a script
After a script is approved, it can be run against a single device or a collection. Once execution of your script
begins, it's launched quickly through a high priority system that times out in one hour. The results of the script
are then returned using a state message system.
To select a collection of targets for your script:
1. In the Configuration Manager console, click Assets and Compliance.
2. In the Assets and Compliance workspace, click Device Collections.
3. In the Device Collections list, click the collection of devices on which you want to run the script.
4. Select a collection of your choice, and then click Run Script.
5. On the Script page of the Run Script wizard, choose a script from the list. Only approved scripts are shown.
6. Click Next, and then complete the wizard.
IMPORTANT
If a script does not run, for example because a target device is turned off during the one hour time period, you must run
it again.
Script monitoring
After you have initiated running a script on a collection of devices, use the following procedure to monitor the
operation. You are able to monitor a script in real time as it executes, and later return to the status and results for
a given Run Script execution. Script status data is cleaned up as part of the Delete Aged Client Operations
maintenance task or deletion of the script.
1. In the Configuration Manager console, click Monitoring.
2. In the Monitoring workspace, click Script Status.
3. In the Script Status list, you view the results for each script you ran on client devices. A script exit code
of 0 generally indicates that the script ran successfully.
Script output
Clients return script output using JSON formatting by piping the script's results to the ConvertTo-Json cmdlet.
The JSON format consistently returns readable script output. For scripts that do not return objects as output, the
ConvertTo-Json cmdlet converts the output to a simple string that the client returns instead of JSON.
Scripts that get an unknown result, or where the client was offline, won't show in the charts or data set.
Avoid returning large script output since it's truncated to 4 KB.
Convert an enum object to a string value in scripts so they're properly displayed in JSON formatting.
You can view detailed script output in raw or structured JSON format. This formatting makes the output easier
to read and analyze. If the script returns valid JSON-formatted text or the output can be converted to JSON
using the ConvertTo-Json PowerShell cmdlet, then view the detailed output as either JSON Output or Raw
Output. Otherwise the only option is Script Output.
Example: Script output is convertible to valid JSON
Command: $PSVersionTable.PSVersion
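The output rules above (objects converted with ConvertTo-Json, enums returned as strings, output cut off at 4 KB) can be checked inside the script before it returns. The following PowerShell is an added example, not part of the original documentation; the function name Limit-ScriptOutput, the Total/Omitted/Items layout, and the reading of 4 KB as 4096 bytes of UTF-8 text are assumptions.

```powershell
# Added example (not from the Configuration Manager documentation).
# Assumption: the 4 KB limit is treated as 4096 bytes of UTF-8 JSON text.
$OutputLimitBytes = 4096

function Limit-ScriptOutput {
    # Hypothetical helper: returns an object whose JSON form fits the limit.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Rows,
        [int] $LimitBytes = $OutputLimitBytes
    )
    $kept = $Rows.Count
    while ($true) {
        $payload = [pscustomobject]@{
            Total   = $Rows.Count
            Omitted = $Rows.Count - $kept      # non-zero tells the reader that rows were dropped
            Items   = @($Rows | Select-Object -First $kept)
        }
        # Measure the pretty-printed form: it is the larger JSON layout,
        # so a payload that fits here also fits when compressed.
        $json = $payload | ConvertTo-Json -Depth 3
        $size = [System.Text.Encoding]::UTF8.GetByteCount($json)
        if ($size -le $LimitBytes -or $kept -eq 0) { return $payload }
        $kept--
    }
}

# Automatic services that are not running: a small, bounded answer
# instead of a dump of every service on the device.
$rows = @(
    Get-Service |
        Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                # Status and StartType are enums; ConvertTo-Json would emit their
                # numeric values, so convert them to strings first.
                Status    = $_.Status.ToString()
                StartType = $_.StartType.ToString()
            }
        }
)

# Emit the object itself; the client performs the JSON conversion.
Limit-ScriptOutput -Rows $rows
```

A non-zero Omitted value in the Script Status output shows that the device had more rows than the limit allowed, so a cut-off result is not mistaken for a complete one.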
Log files
On the client, by default in C:\Windows\CCM\logs:
Scripts.log
CcmMessaging.log
On the MP, by default in C:\SMS_CCM\Logs:
MP_RelayMsgMgr.log
On the site server, by default in C:\Program Files\Configuration Manager\Logs:
SMS_Message_Processing_Engine.log
Recommendations
Familiarize yourself with PowerShell security guidance using the various links referenced below.
Sign your scripts: Another method for keeping scripts secure is by having them vetted and then signed,
before importing them for usage.
Don't store secrets (such as passwords) in PowerShell scripts and learn more about how to handle secrets.
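A pre-import check that applies the two recommendations above (signed scripts, no embedded secrets) before a script is imported for Run Scripts. This is an added example, not part of the original documentation; the function name Test-ScriptReadyForImport, the thumbprint allow-list, and the secret patterns are assumptions.

```powershell
# Added example (not from the Configuration Manager documentation).
function Test-ScriptReadyForImport {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Assumption: thumbprints of the code-signing certificates your reviewers use.
        [Parameter(Mandatory)] [string[]] $ApprovedThumbprints
    )
    $findings = @()

    # 1. The signature must verify AND come from an approved signer. A status of
    #    'Valid' alone only shows that the file is intact and that the certificate
    #    chains to a trusted root, not that your reviewers signed it.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)'; expected 'Valid'."
    }
    elseif ($ApprovedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
        $findings += "Signer '$($sig.SignerCertificate.Subject)' is not an approved signer."
    }

    # 2. Assumed patterns for obvious plaintext credentials in the script body.
    $secretPatterns = @(
        '(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*=\s*["''][^"'']{4,}["'']',
        '(?i)ConvertTo-SecureString\b.*-AsPlainText'
    )
    foreach ($hit in Select-String -LiteralPath $Path -Pattern $secretPatterns) {
        $findings += "Line $($hit.LineNumber): possible embedded secret."
    }

    [pscustomobject]@{
        Path     = $Path
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample: an unsigned script that contains a hard-coded credential.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'runscript-sample.ps1'
Set-Content -LiteralPath $sample -Value @(
    '$password = "Example-Only-123"   # constructed value'
    'Get-Service | Select-Object Name, Status'
)

# The thumbprint below is a placeholder; replace it with your approved signers.
Test-ScriptReadyForImport -Path $sample -ApprovedThumbprints @('<APPROVED-SIGNER-THUMBPRINT>') |
    Format-List
```

For the constructed sample, Ready is False with two findings: the file is not signed, and line 1 assigns a literal to a variable named password.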
Environment recommendations
The following list includes general recommendations for PowerShell administrators:
Deploy the latest version of PowerShell, such as version 5 or later, which is built into Windows 10 or later. You
can also deploy the Windows Management Framework.
Enable and collect PowerShell logs, optionally including Protected Event Logging. Incorporate these logs into
your signatures, hunting, and incident response workflows.
Implement Just Enough Administration on high-value systems to eliminate or reduce unconstrained
administrative access to those systems.
Deploy Windows Defender Application Control policies to allow pre-approved administrative tasks to use the
full capability of the PowerShell language, while limiting interactive and unapproved use to a limited subset
of the PowerShell language.
Deploy Windows 10 or later to give your antivirus provider full access to all content (including content
generated or de-obfuscated at runtime) processed by Windows Scripting Hosts including PowerShell.
Package Conversion Manager
9/13/2022 • 5 minutes to read
IMPORTANT
If you previously installed an older version of Package Conversion Manager, first uninstall it before upgrading your site.
This integrated version doesn't require installation, but may conflict with existing versions.
This integrated version of Package Conversion Manager works on packages in the Configuration Manager
current branch site. It's not a standalone tool. If you have packages and programs in an older version of
Configuration Manager, first migrate the packages into your current branch site. For more information, see
Migrate data between hierarchies.
Planning
Before you start converting packages into applications, first develop a plan. The following process is an example
plan:
Define a detailed package conversion plan
Select and prepare packages for conversion
Select test packages
Analyze, investigate, and convert packages
Test and deploy the applications
Define a detailed package conversion plan
This section describes two sample package conversion plans:
A high-resource test environment: You have a test environment with the resources, permissions, and
architecture to fully replicate your production environment.
A limited-resource test environment: You don't have a test environment that fully replicates your
production environment.
Adjust these plans as necessary for other issues specific to your environment.
Sample plan for a high-resource test environment
Your test environment has the resources, permissions, and architecture similar to your production environment.
Use the test environment to efficiently analyze and convert all of your packages, and then test all of your
Configuration Manager applications. After completing that work, transfer it to the production environment.
Your package conversion plan may be similar to the following steps:
1. Select the packages you want to convert.
2. Migrate the packages for conversion into your test environment.
3. Prepare the packages for conversion.
4. Select test packages.
5. Analyze, investigate, and convert the test packages.
6. Test the converted applications.
7. Analyze and convert the remaining (non-test) packages.
8. Export the applications from the test environment. Import them into your production environment.
Sample plan for a limited-resource test environment
Your test environment doesn't have the resources, permissions, and architecture similar to your production
environment. You can't analyze, test, and convert all of your packages. In this scenario, only analyze, investigate,
convert, and test your test packages. Then migrate the remaining packages to the production environment to
analyze and convert.
Your package conversion plan may be similar to the following steps:
1. Select the packages you want to convert.
2. Select test packages.
3. Migrate the test packages into your test environment.
4. Prepare the test packages for conversion.
5. Analyze, investigate, and convert the test packages.
6. Test the converted applications.
7. Export the test applications from the test environment. Then import them into your production
environment.
8. Migrate the remaining packages into the production environment and prepare them for conversion.
9. Analyze, investigate, and convert the remaining packages in the production environment.
10. Release the remaining applications to the production environment.
Select and prepare packages for conversion
Select the packages that you want to convert
Not all packages are suitable to be converted into applications. Before you begin to convert packages, identify
the packages that won't be converted.
The best types of package for conversion to applications are those that contain user-facing software, for
example:
Windows Installer files (.msi and .msu)
Microsoft Application Virtualization (App-V) programs
Windows executable files (.exe)
The types of package that are best kept as packages and not converted to applications include:
System maintenance tools. For example, scripts or backup utilities.
Packages for software that are out of support.
TIP
After identifying packages that aren't appropriate for conversion into applications, move them to a separate folder in the
Configuration Manager console. To create a package folder in the Configuration Manager console:
Right-click the Packages node.
Select Folders, and then select Create Folder.
Enter the folder name, for example Not Converted.
Click OK.
NOTE
See the Package Conversion Status node in the Monitoring workspace. It displays summary information about the
analysis and conversion processes.
Recommendations
Use the Package Conversion Status node in the Monitoring workspace. It displays summary
information about the analysis and conversion processes.
Investigate the programs in your packages known as wrappers. Use the Package Conversion Manager
plug-in to convert their functions into the equivalent Configuration Manager functionality.
Ensure that you thoroughly test each converted application before you deploy it in a production
environment.
Next steps
How to analyze and convert packages
How to analyze and convert packages with Package
Conversion Manager
9/13/2022 • 4 minutes to read
TIP
Optionally, you can use the following PowerShell cmdlet to analyze a package: Invoke-CMAnalyzePackage.
NOTE
When you convert a package, the site records the date and time of the conversion as the UTC time.
4. Follow the instructions in the window. Select either View applications or Close.
TIP
Optionally, you can use the following PowerShell cmdlet to convert a package: Invoke-CMConvertPackage.
NOTE
If you haven't converted any of the listed dependent packages, first convert those packages. Then restart the
package conversion process.
If a dependency isn't required, delete it, or ignore it and continue the conversion process.
5. On the Deployment Type page, review the deployment types for the new application. Change their
priorities, or delete the deployment types.
6. If any of the new deployment types don't have an associated detection method, the Detection Method
column displays a warning icon. Complete the following actions:
a. Select Edit Detection Method.
b. Select Add.
c. In the Detection Rule dialog box, specify a Setting Type.
d. For the specified setting type, enter the additional information required for the detection rule.
e. Select OK. If necessary, repeat this process to add multiple detection methods to each deployment
type.
f. Select OK. Verify the Detection Method column displays an icon to confirm a correctly specified
detection method.
7. Select Next.
8. On the Requirements Selection page, review the deployment types of the new application. Select a
deployment type, and review the requirements for that deployment type.
NOTE
The wizard only displays the requirements that Package Conversion Manager converts. It doesn't convert all WQL
queries in device collections to requirements.
Monitor
Go to the Monitoring workspace of the Configuration Manager console, and select Package Conversion
Status. This dashboard shows the overall analysis and conversion state of packages in the site. A new
background task automatically summarizes the analysis data.
TIP
Package Conversion Manager integrated with Configuration Manager doesn't require you to schedule analysis of
packages. This action is handled by the integrated summarization task. Scheduled package analysis runs every seven days
by default.
Technical Reference for Application Deployment in
Configuration Manager
9/13/2022 • 2 minutes to read
SELECT APP.CI_ID [App CI ID], APP.CI_UniqueID [App Unique ID], APP.DisplayName [App Name],
DT.CI_UniqueID [DT Unique ID], DT.ContentId [DT Content ID],
CIA.Assignment_UniqueID [Assignment ID], CIA.CollectionID, CIA.CollectionName,
CASE CIA.OfferTypeID WHEN 0 THEN 'Required' WHEN 2 THEN 'Available' WHEN 3 THEN 'Simulate' ELSE 'Unknown'
END AS [Deployment Purpose],
CASE C.CollectionType WHEN 1 THEN 'User Collection' WHEN 2 THEN 'Device Collection' ELSE 'Unknown' END AS
[Collection Type],
DT.Technology, DT.DisplayName [DT Name]
FROM fn_ListApplicationCIs(1033) APP
JOIN fn_ListDeploymentTypeCIs(1033) DT ON DT.AppModelName = APP.ModelName AND DT.IsLatest = 1
LEFT JOIN v_CIAssignmentToCI CIACI ON CIACI.CI_ID = APP.CI_ID
LEFT JOIN v_CIAssignment CIA ON CIACI.AssignmentID = CIA.AssignmentID
LEFT JOIN v_Collection C ON C.CollectionID = CIA.CollectionID
WHERE APP.IsLatest = 1 AND APP.DisplayName = 'Application Name' -- Replace Application Name
IMPORTANT
When you execute this query, you must use the Application Name listed in the General Information tab of Application
Properties, instead of using the Localized application name listed in the Software Center tab of Application properties.
Next Steps
Application Deployment Policy
Application Deployment Policy
9/13/2022 • 2 minutes to read
Policy Creation
When you deploy an application, an instance of the SMS_ApplicationAssignment class is created, which represents
the assignment of an application to a collection. This activity can be tracked in SMSProv.log.
In the Configuration Manager database, this information is stored in the CI_CIAssignments table, where
AssignmentType 2 represents an application deployment. When the assignment is created, the SMS Database
Monitor component detects a change in the table and then notifies Object Replication Manager to process the CI
Assignment (CIA) policy. The Object Replication Manager component then creates the policy for the application
assignment in the database. The policy is stored in the Policy table, and the Policy ID is based on
the Application Unique ID. This activity can be tracked in objreplmgr.log by referencing the Assignment
Unique ID, which can be obtained from the SQL query referenced in the Before You Begin section.
The policy for the application assignment can be seen in the database using a SQL query similar to below.
Policy Targeting
After the policy is generated, the Policy Provider component assigns this policy to the resources in the collection
that's targeted by the application deployment. The policy targeting information is stored in the ResPolicyMap
table in the database. You can use the PADBID returned by the above query to track this activity in policypv.log.
However, the PADBID recorded in the log may not always match the PADBID returned by the above query if
multiple policies are getting processed simultaneously.
NOTE
ResPolicyMap table does not contain any targeting information for applications that are deployed as Available to User
collections. Software Center queries a list of these applications from the Management Point, and policy targeting
information for these applications is generated dynamically when a user requests an application from Software Center.
Next Steps
Application Deployment to Device Collections
Application Deployment to User Collections
Application Deployment for Device Collections
9/13/2022 • 2 minutes to read
TIP
All the information necessary to review the client logs can be obtained by running the SQL query referenced in the Before
you begin section.
Policy Download
After the policy for the application deployment is targeted to the client, the client would download the policy at
the next policy polling cycle. When the client downloads the policy, it downloads related policies in addition to
the deployment policy. These related policies include the policy for the application, deployment type, global
conditions, etc. Policy download activity can be tracked in the PolicyAgent.log on the client, using either the
Application or Assignment Unique ID.
After the policies are downloaded on the client, the Scheduler component creates schedules for deployment
activation and enforcement.
Deployment Activation
Application evaluation is initiated when the deployment is activated. Scheduler component creates a schedule to
activate the assignment at the Available Time configured in the deployment. This activity can be tracked in
Scheduler.log on the client using the Application Assignment Unique ID.
For Required deployments, the activation schedule is created, but has a delay of up to two hours to
avoid resource contention on Site Servers and Distribution Points. The delay helps avoid contention since
application content may be downloaded during evaluation if the application is applicable based on
defined Requirement Rules.
For Available deployments, the activation schedule is created to be fired off at the Available Time
configured in the Deployment.
SMSTrigger '1E4F8C4000080001' for scheduler 'Machine/{3AC57DFE-3F87-4C59-930B-B9F57CB41B91}' will
fire at 08/15/2019 01:13:33 PM without randomization.
When the schedule time arrives, Scheduler component sends the activation message to DCM Agent to perform
application evaluation.
DCM Agent receives the activation message, and creates a job to evaluate the application.
Deployment Enforcement
Application installation is initiated when the deployment is enforced.
For Required deployments, Scheduler creates a deadline schedule after policy is downloaded to enforce
the application at deployment deadline. The deadline schedule isn't randomized by default.
Randomization behavior for activation can be controlled by the Disable deadline randomization client
setting.
At the deadline, Scheduler component sends the deadline message to DCM Agent.
DCM Agent receives the deadline message, and creates a job to enforce the application.
NOTE
For deployments with deadline in the past, the application is activated and enforced immediately by the same
DCM Agent job which performs the evaluation, download and installation actions.
For Available deployments, there's no deadline schedule since the enforcement occurs when the
application installation is initiated by the user from Software Center. When the user starts an installation,
a DCM Agent job is created to perform application evaluation, download, and installation. This activity can
be tracked in DCMAgent.log on the client.
Next Steps
Understanding application deployment client components
Application Deployment Policy for Users
9/13/2022 • 2 minutes to read
TIP
All the information necessary to review the client logs can be obtained by running the SQL query referenced in the Before
you begin section.
Required Deployments
The policy for a required application deployment to a User collection is targeted to all the users in the collection
when the deployment is created. Client-side processing for these deployments is similar to a required
deployment to a Device collection. Deployment activation occurs at the defined Available Time, and enforcement
occurs at the defined Deadline time. For more information, see Application Deployment to Device Collections.
Available Deployments
Applications that are deployed to a user collection as Available behave differently. This behavior change allows
the Administrator to make applications available to the users without causing resource contention for policy.
When a user launches the Software Center, a list of applications that are available for the user is queried from
the Management Point in real time. This request is made to the CMUserService_WindowsAuth virtual directory on
the Management Point and can be seen in the SCClient_[UserName].log on the client.
When the Management Point receives this request, it queries the list of applications available to the user by
executing the usp_GetApplicationPropertyValuesFiltered stored procedure. This activity can be tracked in
UserService.log on the Management Point.
GetFilteredApplications, startItem = 0, max rows = 60, search text = '', filter = '', user =
CONTOSO\UserName, api = 4.0, source = UserService_WinAuth_SoftwareCenter, platform = <OSPlatform>
GetFilteredApplications: returned 1 rows out of 1 total
Software Center receives the list and displays the applications that the user can install. When the user clicks on
the application, additional information about the application is queried from the Management Point, which
involves execution of stored procedures such as usp_GetApplicationInfo,
usp_GetAppModelApplicationSupersedence, usp_GetDeploymentTypeForAnApp, etc.
The deployment is activated when the user selects the application and clicks on the Install button, and a DCM
Agent Job is created to evaluate the application. If the application is applicable, another DCM Agent Job is
created to download and enforce the application. This activity can be tracked in the DCMAgent.log on the
client.
Next Steps
Understanding application deployment client components
Understanding Application Deployment Client
Components
9/13/2022 • 3 minutes to read
DCM Agent
DCM Agent is the high-level client component responsible for evaluation of configuration items, which includes
applications. When a deployment is activated or enforced, a DCM Agent job is created which reads the
assignment policy and determines the actions that need to be performed. This activity can be tracked in the
DCMAgent.log on the client using the DCM Agent Job ID, which can be identified by looking for the Application
Unique ID.
Device Deployments
For Required deployments, DCMAgent.log would show the applicable actions. These actions may differ
depending on whether the deployment deadline has already passed.
For Available deployments, DCMAgent.log shows that the deployment is not mandatory. For these
deployments, application evaluation is done but enforcement is skipped unless the user initiated the
installation.
User Deployments
For Required deployments, DCMAgent.log would show the applicable actions. These actions may differ
depending on whether the deployment deadline has already passed.
# Evaluation Job example:
DCMAgentJob({65D9688D-1781-4DA3-B07A-193D481251C6}): CDCMAgentJob::PopulateCIsFromAssignment - CI
policy Id:ScopeId_C8F7EAE6-DBA8-4970-B3FF-47ED706868DE/RequiredApplication_6b39398b-fd20-47ca-bd68-
074274509f98 version:2 with actions: Evaluation, Content Download
For Available deployments, DCM Agent jobs are created for evaluation and enforcement when the
application installation is initiated by the user.
CI Agent
CI Agent is the client component responsible for evaluation and remediation of configuration items. DCM Agent
reads the assignment policy and creates a job for the CI Agent component to perform the requested actions.
DCMAgent.log records the CI Agent Job ID, which is useful for tracking the CI Agent activity in the
CIAgent.log on the client.
A typical CI Agent job goes through multiple phases, which can be identified by filtering CIAgent.log on the CI
Agent Job ID and then looking for TransitionState. Some of the key phases for an application deployment CI
Agent job are:
DownloadingCIs
During this phase, application metadata required to evaluate the application is downloaded. The
metadata includes detection method, requirement rules, global conditions, etc. This activity can be
tracked in CIDownloader.log and DataTransferService.log. For Available deployments, this
process occurs during the first evaluation of the application. For Required deployments however, this
process occurs immediately after the policy is downloaded.
InvokingSdmMethod
During this phase, the application detection method is used to check if the application is installed and
the desired state is determined. This activity can be tracked in AppDiscovery.log and
AppIntentEval.log. For more information about this phase, see Application Evaluation.
StateDownloadingContents
During this phase, application content is downloaded if necessary. This activity can be tracked in
CAS.log, ContentTransferManager.log, LocationServices.log, and DataTransferService.log.
For more information about this phase, see Application Download.
StateEnforcingCIs
During this phase, the application installation is initiated. This activity can be tracked in
AppEnforce.log. For more information about this phase, see Application Installation.
StateEnforcementReporting
During this phase, application installation state is recorded for reporting to the Management Point.
This activity can be tracked in StateMessage.log.
Although the CI Agent job goes through all the phases, it skips any phase that isn't required. As an example, for
Available deployments the StateDownloadingContents and StateEnforcingCIs phases are skipped until the user
attempts to install the application from Software Center. However, for Required deployments, the
StateDownloadingContents phase downloads application content (if necessary) when the assignment is
activated, but the StateEnforcingCIs phase is skipped if the deadline is in the future. This behavior can be
observed in the CIAgent.log by filtering on the CI Agent Job ID and looking for Skipping policy.
{57AF6FA1-3482-4469-9881-A63F41D18406} - Skipping policy CI <CI Unique ID> and all dependents for
ContentDownload task since CI action was not requested.
{57AF6FA1-3482-4469-9881-A63F41D18406} - Skipping policy CI <CI Unique ID> and all dependents for Enforce
task since CI action was not requested.
Next Steps
Application Evaluation
Application Download
Application Installation
Application Deployment Evaluation
9/13/2022 • 2 minutes to read
Performing detection of app deployment type ConfigMgr Toolkit - Windows Installer (*.msi file)
(ScopeId_B63CEBE7-8A69-4FBE-994F-5AD0A8488D27/DeploymentType_1d49ef88-cf3b-42fa-b198-388d220ccb44, revision
2) for system.
+++ Did not detect app deployment type ConfigMgr Toolkit - Windows Installer (*.msi file)(ScopeId_B63CEBE7-
8A69-4FBE-994F-5AD0A8488D27/DeploymentType_1d49ef88-cf3b-42fa-b198-388d220ccb44, revision 2) for system.
NOTE
Above example shows detection for an MSI application where the detection is done by checking if the MSI Product Code
is installed on the device. For applications using alternate detection methods, the appropriate detection method is used to
check if the application is installed.
Next, the client evaluates the desired state of the application based on the Deployment Purpose. This step also
involves detecting whether the application has any dependencies or supersedence rules that should be honored
for the application. This activity can be tracked in AppIntentEval.log using the Application and Deployment
Type Unique ID.
In the log entry above, Current State indicates whether the application is currently installed on the device.
Applicability indicates whether the application is applicable based on defined requirement rules.
ResolvedState indicates the desired state of the application based on the deployment purpose.
TIP
Use the Deployment Monitoring Tool to view the application state, applicability state and requirement violations.
Next Steps
Application Download
Application download in Configuration Manager
9/13/2022 • 3 minutes to read
Download initiation
Application content download is started by the CI Agent component on the client during the
StateDownloadingContents phase. This process is the same, regardless of whether the application is
deployed to a Device Collection or a User collection.
For Available deployments, application content is downloaded when the user starts the application
installation from Software Center.
For Required deployments, application content is downloaded when the assignment is activated and the
application is found Applicable after evaluation. To understand when the assignment is activated, see the
Application Deployment to Device Collections or Application Deployment to User Collections articles.
When CI Agent starts the content download, it creates a task that is handled by the CI Task Manager component.
CI Task Manager then starts the content download. This activity can be tracked in the CITaskMgr.log by using
the Deployment Type Unique ID.
IMPORTANT
Although Location Services component handles the location requests, it doesn't directly request locations from the
Management Point. All requests to the Management Point typically go through CCM Messaging component, which logs
to CcmMessaging.log.
Location reply XML contains the list of distribution points based on the client's boundary group. This list is
parsed and persisted in WMI on the client according to the Content Source Priority. This activity can be seen in
ContentTransferManager.log, by using the Content Unique ID and looking for Persisted location.
If the location reply XML doesn't contain any distribution points, ContentTransferManager.log would show
Received empty location update and the client may get stuck at 0% while downloading the application. This
reply can typically occur because of boundary group configuration issues. For more information, see Download
failures.
Content Download
Once the Distribution Point locations are obtained, Content Access component creates a Content Transfer job.
This activity can be tracked in CAS.log using the Content Unique ID.
Content Transfer Manager then creates a Data Transfer Service job to do the content download. This activity can
be tracked in ContentTransferManager.log on the client using the Content Unique ID.
NOTE
This log entry can be used to identify the CTM and DTS job IDs, which can be used to track the progress of the Content
Transfer in ContentTransferManager.log and DataTransferService.log respectively.
Data Transfer Service downloads the application content by creating a Background Intelligent Transfer Service
(BITS) job and waiting for the download to complete. This activity can be tracked in DataTransferService.log
on the client using the DTS Job ID obtained from ContentTransferService.log.
After the download is complete, Content Access component is notified. Content Access component then verifies
the downloaded content to ensure that the content wasn't altered during download. This activity can be tracked
in CAS.log using the Content Unique ID.
Finally, after content is verified, CI Agent receives the task complete notification and the CI Agent job moves to
the next phase.
CIAgentJob({2BF84225-C9E8-49A6-A308-A160C4B799D3}): CAgentJob::HandleEvent(Event=CITaskComplete,
CurrentState=StateDownloadingContents)
Next steps
Application Installation
Application Installation
9/13/2022 • 2 minutes to read
Enforcement Initiation
Application installation is initiated by the CI Agent component on the client during the StateEnforcingCIs
phase. This process is the same, regardless of whether the application is deployed to a Device Collection or a
User collection.
For Available deployments, the application is installed when the user initiates the application installation
from Software Center.
For Required deployments, the application is installed at deployment deadline. However, the user can initiate
the installation from Software Center before the deadline.
When CI Agent initiates the application installation, it creates a task that is handled by the CI Task Manager
component. CI Task Manager then initiates the installation. This activity can be tracked in the CITaskMgr.log by
using the Deployment Type Unique ID.
Application Enforcement
After the application enforcement is initiated, the client performs the application detection again to ensure the
application isn't already installed. Once it's determined that the application isn't installed, the application
installation is initiated. This activity can be tracked in the AppEnforce.log on the client using the Deployment
Type Unique ID.
+++ Starting Install enforcement for App DT "ConfigMgr Toolkit - Windows Installer (*.msi file)"
ApplicationDeliveryType - ScopeId_B63CEBE7-8A69-4FBE-994F-5AD0A8488D27/DeploymentType_1d49ef88-cf3b-42fa-
b198-388d220ccb44, Revision - 2, ContentPath - C:\WINDOWS\ccmcache\2, Execution Context - System
Executing Command line: "C:\WINDOWS\system32\msiexec.exe" /i "ConfigMgrTools.msi" /q /qn with user
context
Process 7292 terminated with exitcode: 0
Status is switching to Success
Installation Verification
After the application is installed, the application detection method is used again to ensure that the application
was detected as installed.
Performing detection of app deployment type ConfigMgr Toolkit - Windows Installer (*.msi file)
(ScopeId_B63CEBE7-8A69-4FBE-994F-5AD0A8488D27/DeploymentType_1d49ef88-cf3b-42fa-b198-388d220ccb44, revision
2) for system.
+++ Discovered MSI application [AppDT Id: ScopeId_B63CEBE7-8A69-4FBE-994F-
5AD0A8488D27/DeploymentType_1d49ef88-cf3b-42fa-b198-388d220ccb44, Revision: 2, MSI Product code: {4FFF7ECC-
CCF7-4530-B938-E7812BB91186}, MSI Product version: ]
++++++ App enforcement completed (3 seconds) for App DT "ConfigMgr Toolkit - Windows Installer (*.msi file)"
[ScopeId_B63CEBE7-8A69-4FBE-994F-5AD0A8488D27/DeploymentType_1d49ef88-cf3b-42fa-b198-388d220ccb44],
Revision: 2, User SID: ] ++++++
Finally, after enforcement is complete, CI Agent receives the task complete notification and the CI Agent job
moves to the next phase.
CIAgentJob({2BF84225-C9E8-49A6-A308-A160C4B799D3}): CAgentJob::HandleEvent(Event=CITaskComplete,
CurrentState=StateEnforcingCIs)
Next Steps
Troubleshoot application deployments
Common error codes for app installation
Application installation common error codes
reference
9/13/2022 • 21 minutes to read
Applications can be installed on clients by creating deployments from the Configuration Manager console or by
targeting applications to tenant attached devices from the Microsoft Endpoint Manager admin center. Use the
information in this article to assist with troubleshooting application installation errors.
You may also find that searching through multiple files for a specific string is useful. For instance, you might
want to search all the client .mof files for a specific class, or you might want to search logs for a specific ID.
Using a specific ID when searching can give you an understanding of how components are related to each other.
Use the Select-String cmdlet in those instances.
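One way to apply this with Select-String, as an added example that is not from the original article: it searches every log in a folder for one deployment type ID and orders the hits by timestamp, so the sequence across components is visible. The sample logs are constructed, the function name Find-LogEntriesById is hypothetical, and the CMTrace line layout is an assumption about how the client logs are written.

```powershell
# Constructed sample logs in CMTrace format, written to a temp folder so this runs offline.
# Message text and IDs follow the log excerpts on this page (abbreviated); timestamps,
# thread IDs, file= values and the log file chosen for each line are made up.
$scope  = 'ScopeId_B63CEBE7-8A69-4FBE-994F-5AD0A8488D27'
$dtId   = 'DeploymentType_1d49ef88-cf3b-42fa-b198-388d220ccb44'
$logDir = Join-Path ([System.IO.Path]::GetTempPath()) 'ccm-log-sample'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

$template = '<![LOG[{0}]LOG]!><time="{1}+000" date="09-13-2022" component="{2}" context="" type="1" thread="4242" file="sample.cpp:1">'
Set-Content -Path (Join-Path $logDir 'AppDiscovery.log') -Value @(
    $template -f "Performing detection of app deployment type ConfigMgr Toolkit - Windows Installer (*.msi file)($scope/$dtId, revision 2) for system.", '10:15:05.000', 'AppDiscovery'
    $template -f "+++ Discovered MSI application [AppDT Id: $scope/$dtId, Revision: 2]", '10:15:05.400', 'AppDiscovery'
)
Set-Content -Path (Join-Path $logDir 'AppEnforce.log') -Value @(
    $template -f 'Process 7292 terminated with exitcode: 0', '10:15:04.200', 'AppEnforce'
    $template -f "++++++ App enforcement completed (3 seconds) for App DT [$scope/$dtId], Revision: 2 ++++++", '10:15:05.900', 'AppEnforce'
)

# Assumed line layout: <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." ...>
$cmtrace = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>\d{2}:\d{2}:\d{2}\.\d{3})\d*[+-]\d+" date="(?<date>[\d-]+)" component="(?<comp>[^"]*)"'

function Find-LogEntriesById {
    param([string]$Path, [string]$Id)
    # -SimpleMatch treats the ID as literal text, not as a regular expression.
    Select-String -Path $Path -Pattern $Id -SimpleMatch | ForEach-Object {
        if ($_.Line -match $cmtrace) {
            [pscustomobject]@{
                When      = [datetime]::ParseExact("$($Matches['date']) $($Matches['time'])",
                                'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Log       = $_.Filename
                Line      = $_.LineNumber
                Component = $Matches['comp']
                Message   = $Matches['msg']
            }
        }
    } | Sort-Object When
}

# Lines that don't mention the ID (the "Process 7292" entry) are filtered out by the search.
Find-LogEntriesById -Path (Join-Path $logDir '*.log') -Id $dtId |
    Format-Table @{n='When'; e={$_.When.ToString('HH:mm:ss.fff')}}, Log, Line, Component, Message -Wrap
```

On a real client, point -Path at the client's log folder and pass the ID you're tracing. Log entries whose message spans several lines are matched line by line and aren't reassembled.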
MSI errors
ERROR CODE    ERROR SOURCE    ERROR MESSAGE
Windows errors
ERROR CODE    ERROR SOURCE    ERROR MESSAGE
692
Message: Debugger terminated process
Additional information for error resolution: Detach any debuggers attached to the process and retry the
application installation.
0x80000003
Message: One or more arguments are invalid
Additional information for error resolution: Review the Windows event logs around the time of the failure
in combination with the installation logs to determine the possible cause of the error.
0x80000007L
Message: Operation aborted
Additional information for error resolution: Use the installation logs and Configuration Manager
application logs to determine why installation stopped. Merge the logs so you can easily review what happened
before the 0x80000007L error. Use eventvwr.msc to review the Windows event logs for additional events that
occurred around the time of the installation failure.
0x80000009
Message: General access denied error
Additional information for error resolution: If the issue isn't clear from the logs, using eventvwr.msc to
review the Windows event logs and using Process Monitor can help identify problematic files or processes. If
needed, use the Windows user interface or icacls to modify permissions on the problematic file.
Additional tips for file permissions in Windows operating systems:
Deny permissions always take precedence over Allow permissions.
Explicit permissions take precedence over inherited permissions.
If NTFS permissions conflict, for example, if group and user permissions are contradictory, the most liberal permissions take precedence.
Permissions are cumulative.
0x80004005
Message: Unspecified error
Additional information for error resolution: Use the installation logs and Configuration Manager
application logs to determine why installation stopped. Merge the logs so you can easily review what happened
before the 0x80004005 error. Use eventvwr.msc to review the Windows event logs for additional events that
occurred around the time of the installation failure. Follow the application troubleshooting guide to help resolve
the error. Process Monitor can also help identify the failure.
0x8000FFFF
Message: Catastrophic failure
Additional information for error resolution: Review the Windows event logs around the time of the failure
in combination with the installation logs to determine the possible cause of the error.
0x80040154
Message: Class not registered
Additional information for error resolution: This is typically a configuration-related DCOM error. Review
DCOM configuration settings using dcomcnfg. If there's a problematic .dll file, you can use regsvr32 to register
the .dll file and try the install again. A large number of problematic files could be a sign of an underlying issue
that needs to be resolved before you can install the application.
0x80091007
Message: The hash value is not correct
Additional information for error resolution: The hash of a file isn't correct and the installation can't
complete. Typically you will see this error in CAS.log. Check to see if file contents for the application were
recently updated. There may be an issue with the package; in some cases you may need to rebuild and
redistribute it. This issue can also happen if there is a sharing violation on a file, such as a security application
scanning the file. Configuration Manager expects exclusive access to the file during a hash check. You can
identify the problematic process by running Process Monitor and adding a filter: if the Result contains
Sharing Violation, then Include the event.
0xC0000142
Message: Initialization of the dynamic link library failed. The process is terminating abnormally
Additional information for error resolution: If there is a problematic .dll file, you can use regsvr32 to
register the .dll file and try again. A large number of problematic files could be a sign of an underlying issue that
needs to be resolved before you can install the application.
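A scripted counterpart to the Process Monitor filter described for 0x80091007, added here and not part of the original article: it tries to open every file in a content folder with no sharing allowed and returns the files where that exclusive open fails. The function name Find-LockedContent and the sample folder and file are hypothetical, and the HRESULT values checked are the Windows ones.

```powershell
function Find-LockedContent {
    # Opens each file under $Folder for reading with FileShare.None (exclusive access)
    # and returns one object per file where the open fails.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $file = $_          # keep the file; inside catch, $_ becomes the error record
        try {
            $stream = [System.IO.File]::Open($file.FullName, [System.IO.FileMode]::Open,
                        [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
            $stream.Dispose()
        } catch {
            $ex   = $_.Exception.GetBaseException()
            $code = '0x{0:X8}' -f $ex.HResult
            # 0x80070020 = ERROR_SHARING_VIOLATION, 0x80070021 = ERROR_LOCK_VIOLATION
            $inUse = $code -in '0x80070020', '0x80070021'
            [pscustomobject]@{
                File    = $file.FullName
                HResult = $code
                Reason  = if ($inUse) { 'In use by another process' } else { $ex.GetType().Name }
            }
        }
    }
}

# Constructed demo: a placeholder file stands in for downloaded application content.
$folder = Join-Path ([System.IO.Path]::GetTempPath()) 'content-sample'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$sample = Join-Path $folder 'setup.msi'
Set-Content -Path $sample -Value 'constructed placeholder content'

# A second read handle stands in for a security application scanning the file.
$scanner = [System.IO.File]::Open($sample, [System.IO.FileMode]::Open,
             [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
try {
    $whileHeld = @(Find-LockedContent -Folder $folder)   # check while the handle is open
} finally {
    $scanner.Dispose()
}
$afterRelease = @(Find-LockedContent -Folder $folder)    # check again once it is closed

$whileHeld | Format-Table File, HResult, Reason -AutoSize
"Files blocked while held: $($whileHeld.Count); after release: $($afterRelease.Count)"
```

This is a point-in-time check, so a scanner that opens files only briefly can be missed; Process Monitor remains the way to name the process that holds the file.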
SMS Provider
Package Conversion Manager uses the SMS Provider. For more information, see Plan for the SMS Provider.
If the SMS Provider isn't working properly, the Configuration Manager console, including Package
Conversion Manager, doesn't work.
Package readiness
Before converting a package to an application, analyze the package using the Package Conversion Manager
Analyze function. After the analysis, add the Readiness column in the Packages node of the Configuration
Manager console. The list of packages displays one of the following readiness states of the analyzed package:
Automatic: The package can be directly converted using the Convert function.
NOTE
An automatic conversion doesn't convert WQL queries into application requirements. Use the Fix and Convert
process to convert these queries.
Manual: The package needs some additions or changes before you can convert it using the Fix and
Convert function.
Not Applicable: The package isn't suitable for conversion. Either correct any problems with the package,
or continue to deploy it as a package.
Error: The package contains errors. Manually correct these errors before you can analyze and convert it.
The details pane of the Packages node in the Configuration Manager console shows any readiness issues.
Select a package, and then select the Summary tab in the details pane.
Log files
Enable logging
When you enable logging for Package Conversion Manager, it logs all of its actions, exceptions, and errors.
To enable logging for this component in Configuration Manager, modify
Microsoft.ConfigurationManagement.exe.Config. By default, this configuration file is located in the
following path:
C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe.config
IMPORTANT
Starting in version 1910, this path changed to use the Microsoft Endpoint Manager folder. Make sure you don't use an
older version of the file that might exist in another folder.
Insert the following switches and trace XML elements in the system.diagnostics element after the last
sources element:
    </sources>
    <switches>
        <add name="PcmLogging" value="3"/>
    </switches>
    <trace autoflush="true" indentsize="4">
        <listeners>
            <add name="PcmTraceListener"
                 type="Microsoft.ConfigurationManagement.UserCentric.Logging.RolloverLogTraceListener, Microsoft.ConfigurationManagement.UserCentric.Logging"
                 initializeData="%UserProfile%\AppData\Local\Temp\PcmTrace.log"/>
        </listeners>
    </trace>
</system.diagnostics>
This sample uses the file PCMTrace.log. This log is on the computer running the Configuration Manager
console in the following path:
%UserProfile%\AppData\Local\Temp
To configure the level of detail, change the PcmLogging trace switch setting. Set this value to one of four
levels of detail, from least detailed (1) to most detailed (4).
SMSProv.log
In some situations, information relevant to troubleshooting the package conversion process is in the
SMSProv.log file. This file captures information from the Configuration Manager SMS Provider.
By default, this log file is located on the Configuration Manager site server at the following path:
C:\Program Files\Microsoft Configuration Manager\Logs
If you see one of the following error messages, the SMSProv.log file may contain relevant troubleshooting
information:
The SMS Provider reported an error
Generic Failure
These error messages typically indicate that an error occurred on the site server, and that the error information
wasn't sent to the Configuration Manager console.
For more information, see Technical reference for Package Conversion Manager error messages.
See also
Technical reference for Package Conversion Manager error messages
Technical reference for Package Conversion Manager error messages
9/13/2022 • 2 minutes to read