Client Migration from Configuration Manager 2007 to Configuration Manager 2012

Hi, I am Naveen Kumar Akkugari and I work at Microsoft in the Management Platforms and Service Delivery (MPSD) organization. I work on the Configuration Manager Infrastructure team which provides services to roughly 300,000 client machines at Microsoft.  Below I share the process we followed to migrate client machines from Configuration Manager 2007 to Configuration Manager 2012. We currently have a little over 200,000 machines migrated to Configuration Manager 2012 from two different primary sites in Configuration Manager 2007.  In this blog post, I focus specifically on our client migration from one primary site (corporate headquarters) which has 120,000 client machines.

After reviewing multiple options for client migration and installation, we decided to continue using software update point (SUP) based client installation. We also based GPO assignment on security groups due to some unique scenarios in our infrastructure.


As we prepared to migrate our clients to Configuration Manager 2012, we had several goals for client migration, including:

  1. Migrate clients within project timeline (effectively and efficiently)
  2. Avoid any negative end-user impact for the existing services, such as patching and software distribution
  3. Validate Configuration Manager 2012 client installation options (SWD, CPI, SUP) to provide feedback to the product group
  4. Keep the client migration approach simple to test, implement, maintain, and troubleshoot
  5. Ensure migrated clients remain in the Configuration Manager 2012 hierarchy and do not move back to the Configuration Manager 2007 hierarchy
  6. Avoid any client side changes such as domain or OU change for machines as that would have AD and GPO implications


In Configuration Manager 2007, we had a single primary site supporting all corporate headquarters machines (120,000 client machines) in one domain with one AD site. As you know, that scenario is not supported due to exceeding the maximum number of clients per site. We wanted to fix this unsupported scenario in Configuration Manager 2012, so we configured two primary sites and used security groups to split clients between the two sites. We then targeted the Client install command line and Windows Server Update Services (WSUS) settings via Group Policy Objects (GPO).  Figure 1, below, shows the details of this approach.


Figure 1: Policy Process


In order to best manage the migration process and minimize any possible support impact, we decided to migrate systems in phases with approximately 5,000 machines in each phase. Once a phase had completed and we verified the clients were healthy, we would proceed to the next set of machines. This was the process we followed for each phase:


a)      Create GPO with client installation settings and WSUS settings, then assign to security group where we moved all machines

b)      Publish the client in WSUS (enable the WSUS client install option on site)

c)       Identify the list of machines to migrate

d)      Populate the machines in a new Security Group (SG)

e)      Create a collection on the ConfigMgr 2007 site based on the security group

f)       Wait until security group membership replicates across all Domain controllers

g)      Once the machines are added to the security group and the change has replicated to all Domain controllers, deploy packages to them to update the security group membership

h)      As the clients updated their local security group membership, they received the assigned GPOs to install the client with the correct install command line and WSUS settings

i)        As the Configuration Manager client is already published in WSUS, machines will now get the Configuration Manager 2012 client installed automatically


Figure 2 below shows the end-to-end process described above for Client Migration.



Figure 2: Client Process


The following tips may be useful to you as you plan your own client migrations.


a.       Use the following Criteria to identify the list of machines to migrate.

      • Machines should be in the targeted domain, and workstation OU
      • Heartbeat should be less than 7 days old

 b.      Populate the machines in the security group with this VBScript


We used the VBScript below to add the machines to the security group (set the domain name in strNetBIOSDomain first).


Option Explicit

Dim objFile, objGroup, objFSO, strFile, strGroup
Dim strNTName, objComputer, strNetBIOSDomain
Dim objLogFile, strLogFileName, strScriptFullName

' Set this to the NetBIOS name of your domain.
strNetBIOSDomain = "Domain Name"

Const ForReading = 1
Const ForAppending = 8

' The log file sits next to the script: AddMachinesToSG.vbs -> AddMachinesToSG.log
strScriptFullName = Wscript.ScriptFullName
strLogFileName = Left(strScriptFullName, Len(strScriptFullName) - 4) & ".log"

' Check for required arguments.
If (Wscript.Arguments.Count < 2) Then
    MsgBox "Required Argument(s) are missing" & vbCrLf & "Syntax:  cscript AddMachinestoSG.vbs MachineList.txt SecGroupName", vbExclamation
    Wscript.Quit
End If

strFile = Wscript.Arguments(0)
strGroup = Wscript.Arguments(1)

' Open the text file of machine names.
Set objFSO = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to open file " & strFile
    WriteToLog("Unable to open file " & strFile)
    Wscript.Quit
End If

' Open (or create) the log file for appending.
Set objLogFile = objFSO.OpenTextFile(strLogFileName, ForAppending, True)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to open Log file " & strLogFileName
    WriteToLog("Unable to open Log file " & strLogFileName)
    Wscript.Quit
End If

' Bind to the group object in Active Directory, using the WinNT provider.
On Error Resume Next
Set objGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strGroup & ",group")
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to bind to security group " & vbCrLf & strGroup
    WriteToLog("Unable to bind to security group " & vbCrLf & strGroup)
    Wscript.Quit
End If
On Error GoTo 0

' Read machine names from the text\CSV file, bind to the computers, and add them to the security group.
Do Until objFile.AtEndOfStream
    strNTName = Trim(objFile.ReadLine)
    If (strNTName <> "") Then
        On Error Resume Next
        ' Computer accounts carry a trailing "$" in their account name.
        Set objComputer = GetObject("WinNT://" & strNetBIOSDomain & "/" & strNTName & "$")
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo strNTName & ";" & "ERROR" & ";" & "Machine not found, please ensure the computer account exists"
            WriteToLog(strNTName & ";" & "ERROR" & ";" & "Machine not found, please ensure the computer account exists")
        Else
            If (objGroup.IsMember(objComputer.AdsPath) = False) Then
                ' Add the computer to the group.
                objGroup.Add(objComputer.AdsPath)
                If (Err.Number <> 0) Then
                    On Error GoTo 0
                    Wscript.Echo strNTName & ";" & "ERROR" & ";" & "Error adding machine to group " & strGroup
                    WriteToLog(strNTName & ";" & "ERROR" & ";" & "Error adding machine to group " & strGroup)
                Else
                    On Error GoTo 0
                    Wscript.Echo strNTName & ";" & "SUCCESS" & ";" & "Machine successfully added to " & strGroup
                    WriteToLog(strNTName & ";" & "SUCCESS" & ";" & "Machine successfully added to " & strGroup)
                End If
            Else
                On Error GoTo 0
                Wscript.Echo strNTName & ";" & "SUCCESS" & ";" & "Machine already in group " & strGroup
                WriteToLog(strNTName & ";" & "SUCCESS" & ";" & "Machine already in group " & strGroup)
            End If
        End If
    End If
Loop

' Clean up.
objFile.Close
objLogFile.Close

Sub WriteToLog(Message)
    ' Write a timestamped message to the log file, if the log file is open.
    On Error Resume Next
    If IsObject(objLogFile) Then
        objLogFile.WriteLine Now & ";" & Message
    End If
    On Error GoTo 0
End Sub 'WriteToLog()



 Here’s how we used the script to populate machines to a Security group:

a. Copy the files from the release folder to any location locally.

b. Create a text file, and populate with required system names (without any prefix/suffix like $) on each line.        

c. At command prompt, Run the following command from the location where script is copied.

c:\> cscript AddMachinesToSG.vbs <MachineList.txt> <Security_Group_Name>

ex: cscript AddMachinesToSG.vbs MachineList.txt DOG_Servicesd

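 d. Use the Klist utility via Software Distribution to purge the computer account's Kerberos tickets (logon session 0x3e7 is Local System) and then refresh Group Policy. The computer then picks up its new security group membership, and the GPOs assigned to that group, without waiting for a reboot, which minimizes client impact and expedites the deployment: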


    • klist.exe -li 0x3e7 purge 
    • gpupdate.exe /target:computer /force
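
One way to prepare MachineList.txt from the selection criteria above, as an added example that is not part of the original post: it filters an inventory export by domain, OU and heartbeat age, rejects any entry that is not a bare computer name before it reaches the script (which concatenates each line into an ADsPath), and writes one list per phase. The CSV columns, the domain and OU values, the sample rows, the output file names and the name pattern are assumptions; it requires PowerShell 5 or later.

```powershell
# Added example. Column names, domain/OU values and sample rows are constructed.
$TargetDomain  = 'CORP'                                   # assumption
$WorkstationOu = 'OU=Workstations,DC=corp,DC=example'     # assumption
$MaxHeartbeatAgeDays = 7      # criterion from the post
$PhaseSize = 5000             # approximate phase size from the post
$Now = [datetime]'2012-06-15' # fixed date so the sample is reproducible

$inventoryCsv = @'
Name,Domain,OU,LastHeartbeat
WS-0001,CORP,"OU=Workstations,DC=corp,DC=example",2012-06-14
ws-0001,CORP,"OU=Workstations,DC=corp,DC=example",2012-06-13
WS-0002$,CORP,"OU=Workstations,DC=corp,DC=example",2012-06-14
WS-0003,CORP,"OU=Workstations,DC=corp,DC=example",2012-05-01
SRV-0001,CORP,"OU=Servers,DC=corp,DC=example",2012-06-14
WS-0004,OTHER,"OU=Workstations,DC=corp,DC=example",2012-06-14
CORP\WS-0005,CORP,"OU=Workstations,DC=corp,DC=example",2012-06-14
WS-0006,CORP,"OU=Workstations,DC=corp,DC=example",2012-06-10
'@

function Select-MigrationCandidate {
    param([object[]]$Inventory)
    # Case-insensitive set: computer names are not case-sensitive.
    $seen = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($row in $Inventory) {
        $name   = $row.Name.Trim()
        $age    = ($Now - [datetime]$row.LastHeartbeat).TotalDays
        $reason = $null
        # Bare name only: no '$' suffix, no DOMAIN\ prefix, no ADsPath separators.
        if     ($name -notmatch '^[A-Za-z0-9-]{1,15}$') { $reason = 'not a bare computer name' }
        elseif ($row.Domain -ne $TargetDomain)          { $reason = 'outside target domain' }
        elseif ($row.OU -ne $WorkstationOu)             { $reason = 'outside workstation OU' }
        elseif ($age -ge $MaxHeartbeatAgeDays)          { $reason = 'heartbeat 7 or more days old' }
        elseif (-not $seen.Add($name))                  { $reason = 'duplicate entry' }
        [pscustomobject]@{ Name = $name; Accepted = ($null -eq $reason); Reason = $reason }
    }
}

$results  = Select-MigrationCandidate -Inventory ($inventoryCsv | ConvertFrom-Csv)
$accepted = @($results | Where-Object Accepted | ForEach-Object Name)
# Rejected rows are reported, not silently dropped, so they can be reviewed.
$results | Where-Object { -not $_.Accepted } | Format-Table Name, Reason -AutoSize

# One file per phase; ASCII because the script's OpenTextFile call reads ASCII by default.
for ($i = 0; $i -lt $accepted.Count; $i += $PhaseSize) {
    $last = [Math]::Min($i + $PhaseSize, $accepted.Count) - 1
    $path = 'MachineList_Phase{0:D2}.txt' -f ([int]($i / $PhaseSize) + 1)
    $accepted[$i..$last] | Set-Content -Path $path -Encoding ASCII
}
```

With the constructed rows, only WS-0001 and WS-0006 are accepted and written to MachineList_Phase01.txt; the other six rows are listed with the reason they were rejected.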


The graph in Figure 3 below shows the client deployment trend of a more recent site we migrated using this client deployment process. 



Figure 3. Client Deployment Trend


I hope you enjoy this blog entry about how we deployed clients in our environment.  Today we’re just past 200,000 clients on Configuration Manager 2012, and we’re looking forward to finishing our client migrations. If you have any questions on how we are migrating to Configuration Manager 2012, please just let us know.





Comments (11)

  1. Anoop C Nair says:

    Great Info Naveen.

    Even I've a PowerShell script to add computers to a security group.


  2. Anonymous says:

    Thanks for sharing the information

  3. Hi, Ram – Naveen's working on your request for post deployment configuration. Look for a post soon!

  4. Anonymous says:

    I want to know a good way to warm up IP addresses for SMTP services, I am willing to pay for a proven method?

    we Need experts on SMTPs anyone who can warm IP addresses we are willing to pay or someone who can provide to us some warmed up IP addresses. we have tried some services but they were not very good

  5. Abhishek Joshi says:

    Nice Blog Navin !!!

  6. Philip says:

    Nice one 🙂 Naveen

  7. Ram Neti says:

    Excellent information. Pl. share some insights experience and problem areas if any post configuration– especially within the first 180 days of deployment.

  8. Nsikak Attah says:

    Hi, I'm wondering if using software distribution using existing config manager 2007 with appropriate command line options would not have achieved same objective especially for sites that don't have the luxury of fast links to remote locations

  9. Binayak says:

    Can we install the client after client migration from 2007 to 2012? Not automatic upgrade, need manual upgrade from 2012.

  10. satish says:

    We have 6 site server for config manager 2007. Now we have deployed sccm2012 and created separate DP server for each site. How do I upgrade old sms site to config mgr 2012? I have tried push method in sccm2012 but not all the machine got upgraded.

    Pending servers to upgrade

    – RO domain controller (used to be site servers for config mgr 2007)

    – and core operating system (windows 2008)
