There has definitely been a lot of hoopla around Service Pack (SP) 1 for System Center 2012 Configuration Manager (ConfigMgr). From lots of failures actually caused by certain, over-zealous anti-virus/security products to the fact the SP1 adds a lot of new features. All in all SP1 is a massive upgrade that also includes many new features and subtle changes. It can go very badly if you don’t plan for it. Thus, here’s my comprehensive (at least as comprehensive as I think I can get) guide.

First, make sure you review the official KB and the documents linked there: 2801416.

The following steps are in a little bit of different order than listed in the KB but that’s because there is no hard dependency chain between some of them.


1. Read the release notes for SP1, read the What’s New page on TechNet, review the myITforum Issues and Resolutions page, and be aware of notable configuration changes such as:

2. Get your product key.

Yes, you will need to enter this during the upgrade. Secret Squirrel info: everyone in the whole wide world has the same key no matter how they licensed ConfigMgr. Shhh, don’t tell anyone, particularly those Martians because I think they may have a different key.

3. Download everything you need ahead of time and replicate it to all of your site servers and site systems that may need the files.

Nothing is worse than sitting and waiting for something to download at 1AM in the morning when you want to get on with the actual “fun”. Also, the ADK is pretty big – 2.5GB big – so it may take a while to download.

Here’s a list of things to download:

4. Download the ConfigMgr 2012 SP1 pre-requisite files using setupdl.exe from the install media and replicate these to all site servers also for use during setup.

5. Run the Pre-requisite checker on all site servers using the same account that you will use when performing the upgrade.

You’ll get lots of errors, like WMF missing, ADK missing, and site server version errors when running on child primary sites, but at this point, those are acceptable because they are expected and going to be corrected. What you are looking for at this point is any other issues like permissions errors, collation errors (which are usually indicative of permissions issues), or anything else that you are not expecting so you can fix them now. Of course, once you’ve corrected the issues, rinse and repeat this step.

6. Backup.

Note that with 2012, a normal SQL Server DB backup is sufficient for restoring a ConfigMgr site. The only major difference between a SQL Backup and the site maintenance task is the use of the afterbackup.bat process to initiate additional backup processing. If you haven’t customized this batch file, then there is no difference. Note that inboxes are discarded for both methods.

7. Put your site servers in Operations Manager maintenance mode.

You are monitoring them with OpsMgr/SCOM, aren’t you?

8. Upgrade SQL Server to the latest supported SP and Cumulative Update.

Note that there’s been a lot of discussion about supported CU versions for SQL Server lately and what’s listed on TechNet. This has been asked of the product group numerous times and word from Wally is that once they establish a minimum CU level for an SP, they never test or verify any subsequently released CUs but unless explicitly stated, those subsequently released CUs are fully supported for a specific SP.

9. Resolve any major issues identified in the site status or component status.

This will never be perfect of course because the SMS_CLIENT_CONFIGURATION_MANAGER will always (if you are using auto client push) have failures. There are a couple of other components that typically also have transient or ignorable conditions also.

10. Install the latest Windows stability and security updates.

No need for any comments here.

11. Backup.

In addition to your normal backup location, make an extra copy particularly if you are using the built-in task where it overwrites the backup every time. If you don’t and you have an issue, the backup task may overwrite the known good DB and you’ll be toast.

12. Restore a copy of the DB to a test server and test the DB upgrade process using the /TESTDBUPGRADE option.

Make sure the test SQL Server instance is the same version, SP and CU as your production and that it has enough available free space to mount the DB.

13. Review your Windows Update group policies and make sure you do not have the Windows Update Agent (WUA) disabled.

The exact setting is Configure Automatic Updates and it should not be set to disabled. If you don’t do this, none of your client will update to the latest WUA agent as there is no stand-alone installer available for it. See for complete details.

14. Install the WSUS hotfix: 2734608.

Note that this hotfix includes 2720211 so there’s no need to download it or install it separately.

15. Remove all of your boot images from your DPs.

None of them can be used without being upgraded to WinPE4.0 anyway so having them on the DPs will just cause issues. The two default boot images are supposed to get upgraded during the upgrade process, but if you’ve customized them, they probably won’t. After the upgrade, you can either rec-create your custom boot images based on WinPE 4.0 or simply re-distribute the default ones if you are using them and they were successfully upgraded – you can check their version in the console after the upgrade to see if they upgraded successfully – version will be 6.1.9200.16384

16. Uninstall WAIK and install the ADK.

No need for any comments here.

17. Put your site servers in Operations Manager maintenance mode.

18. Install WMF 3.0 (not needed if your site is hosted on Server 2012 but of course everything you do is unsupported if you were actually running ConfigMgr 2012 RTM on Server 2012 including upgrade it to SP1).

WMF 3.0 will break your RTM Management Point (MP), so plan on doing this shortly before the actual upgrade. Installing WMF 3.0 usually requires a reboot also.

19. Run the pre-requisite checker again on all site servers.

Everything should come up OK (except the site version on child primary sites). There is also a known issues when checking for permissions in AD so that one is probably ignorable but you should verify that AD publishing is OK before simply writing this one off. If there are any other issues, fix them and then rinse and repeat this step again.

20. Disable your anti-virus product.

This doesn’t mean turn it off, but actually stop the services and disable them, all of them. You may need to use task manager to kill the processes even, it depends on what product that you are using. Do whatever you have to do to “kill” them as this is the number one cause of upgrade failures (and even some post upgrade issues).

21. Disable the Delete Aged Client Operations site maintenance task on all sites.


1. Put your site servers in Operations Manager maintenance mode.

2. Restart the site servers.

You may have just done this for the WMF install, if so, skip it and press on. This is completely optional of course.

3. Run setup! Follow the wizard.

4. Watch the log.

Well, not an absolute must, but it’s nice to know progress is being made. It’s also makes for some comedy when you read log lines that say things like ignore all of the failed login attempts before this. Don’t get too uptight about warnings and errors in the log, many are expected and normal (like the login attempts at the beginning that may fail). Also remember that CMTrace highlights lines in red if it simply sees the word error, not just because the line is representative of an error. Thus, lines showing stored procedures that have “error” in their name will be colored red in CMTrace when they are upgraded.

5. Review the log.

Not really necessary if you are a gluten for punishment and did #4. But make sure the GUI and the log say complete successfully.


1. Perform your standard health checks like reviewing replication, site status, and component status.

Note that it may take a day or two for everything to return to normal. Many things were offline at the time of the upgrade so you will have some errors due to this. You should examine the status messages for every component reporting an error or warning and determine whether the issue was transient and/or expected or not.

2. Perform a backup.

Make sure you don’t overwrite any of the pervious backups made during the course of upgrading the sites – you may still need them.

3. Perform a functionality check.

Create a new deployment, run a deployment, try remote tools, run a report, run a query, update a collection, import a new computer, etc. Basically, anything that is critical in your environment. It may be worth having a whole separate checklist for this.

4. Update the Configuration Manager Client Package on the DPs.

This will ensure that the latest bits are available on the DPs for the client when they upgrade. I’m not totally sure whether this is supposed to happen automatically during the upgrade or not; I’ve got a bug files around it though.

5. Re-enable the Delete Aged Client Operations site maintenance task on all sites.

6. Recreate any necessary boot images using WinPE 4.0 and deploy to the DPs or simply redeploy the default boot images to your PXE enabled DPs if they were successfully updated.

This may be a bigger job than it sounds like depending upon the number of models you support because of drivers. In general, you should be injecting fewer drivers into your boot images though because they will hopefully already be built in. Also note of course that older systems (6+ years or so) are not Win8 (and thus not WinPE 4.0) compatible and neither are some ATOM processors because of the lack of some processor options. This goes for some versions of VMWare also. There is currently no supported fix or work-around for this – you have been warned.

7. Deploy the updated client agent.

You can do this in many ways, but the auto-upgrade process was completely re-designed in 2012 SP1 to handle this for any size organization (in fact, they used this at Microsoft to upgrade all 250,000+ clients to SP1).

8. Track ConfigMgr client and WUA upgrade process.

I’ll post a simple report later this week for this.

9. Re-enable your Anti-virus product (if you dare).

Make sure you have all of the recommended exclusions in place before doing this. If you are using SCEP, there are templates built-in. If you are running a third-party product, then you can use one of these:

10. Push the “That was Easy” button.


Thanks to both Ryan Boswell and Eric Morrison for contributing to this list.