Installation account permissions
Nomad client is now part of the 1E Client. Please refer to 1E Client 5.1 for details of how to deploy the 1E Client with the Nomad client enabled.
The 1E Client should be installed on all Windows clients. You must use the correct installer according to the Windows architecture of the device:
Download GUI tool installer for optional installation on clients: NomadBranchGui.msi.
This is a troubleshooting, testing, and administrative tool only. It should not be installed generally on devices in your network.
ConfigMgr console extensions: NomadBranchAdminUIExt.msi
The installer should be run on all Windows workstations and servers that have Configuration Manager Console installed, including Site servers.
ConfigMgr OSD Tools: NomadBranchTools.msi
The installer copies the Nomad binaries to the ConfigMgr site installation folder .\OSD\bin\<Architecture> on the SMS Provider server. This enables the files to be injected into the OSD boot image allowing Nomad to be used during the WinPE deployment phase. The installer will also extend the ConfigMgr site WMI namespace to include definitions of the 1E Nomad built in task sequence steps.
The installer must be run on all Site Servers (except Secondary) and all SMS Provider servers. Specifically servers which Configuration Manager Consoles may connect to.
The zip for 1E Client for Windows is available for download from the 1E Support Portal .
Professional and Enterprise editions of Windows 10 are supported.
All versions are provided with 32-bit & 64-installers, and can be installed on physical and virtual computers.
This list is automatically updated to show only those OS versions in mainstream support by Microsoft, and therefore supported by 1E, and by 1E Client 5.1. However the following OS continue to be supported as exceptions to help customers during their migration to the latest OS:
Please refer to Constraints of Legacy OS regarding end of mainstream support.
For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.
Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for details of which Current Branch versions are supported by 1E products, and known issues regarding specific versions.
For installation guidance on Windows, please refer to 1E Client 5.1 - Deploying 1E Client on Windows.
For Windows Server 2016 Core Server installations:
Nomad and Nomad Multicast require MSXML6 to communicate with the Configuration Manager client. This is present in all the supported versions of Windows (with the required service packs).
Peer copy over HTTP or HTTPS is the recommended method of peer sharing content.
|There is no dependency on database servers.|
1E maintains a testing cycle for our products relative to the Current Branch release cycle. Please refer to https://1eportal.force.com/s/support-for-msft-rapid-release-cycle for latest information on future releases of CM Current Branch, and any advisories related to these releases.
When using CB 1910, be sure to apply Hotfix Rollup KB4537079 or later. Prior to this update there is an issue that prevents Alternate Content Providers downloading certain types of content referenced in Task Sequences.
Microsoft, and therefore 1E, no longer support CB1706. If you are running CB1706 and find that NomadAdminUI is not working as expected, we recommend you apply KB4036267 to address the issue.
For each Configuration Manager site server where you intend to administer task sequence packages to use Nomad as the alternate download provider, you need to ensure that:
If these conditions are not met, the Nomad settings for task sequences will not be created correctly. This is the case even if you install a remote Configuration Manager Admin Console with the Nomad Admin Console GUI extension, except for Nomad Branch Tools which are required to be installed on Configuration Manager Site Server only.
The Nomad Dashboard and dynamic pre-cache features require ActiveEfficiency to synchronize with the Configuration Manager database. For standalone primary site environments, permissions are assigned to the ActiveEfficiency service account automatically using the ConfigMgr_DViewAccess localgroup native to Configuration Manager. For a CAS, this group is not created natively therefore additional steps are required to allow access. Please refer to ActiveEfficiency Server 1.10 - Preparation: Granting access to the Configuration Manager site database.
If your set-up is across three distributed servers hosting the ActiveEfficiency service, the database and the Configuration Manager database and you plan to use the Nomad Dashboard or the Nomad pre-cache features (or if you get the
Nomad depends on the same core requirements as IIS that a Configuration Manager DP role depends on, such as (but not limited to) the following:
If IIS filtering is enabled, you may encounter problems during downloads if certain types of content are present in the download. Please refer to Post-installation tasks: IIS filtering.
.NET Framework is required for the Admin Console GUI extensions, the Download Monitor, and NomadBranch GUI. It is not a requirement for other features of Nomad.
.NET Framework 4.6 and 4.6.1 have associated Microsoft hotfixes. We recommend you ensure the following are applied before installing or using Admin Console GUI extensions, the Download Monitor, or NomadBranch GUI.
The following Nomad features require ActiveEfficiency:
If you will be using any of these features with Nomad 7.0 you must install ActiveEfficiency 1.10 with the latest accumulated hotfix available on the 1E Support Portal (https://1eportal.force.com/s/article/LatestHotfixes).
It is likely that Nomad performance will be impaired by antivirus programs. To mitigate this, we have detailed suggested antivirus exclusions you can implement. Please refer to Post-installation tasks: Anti-virus exceptions.
The following Nomad features require Tachyon Platform 5.1 or later with 1E Client (with Tachyon client enabled) deployed to all devices. A license for Tachyon and Nomad integration is also required.
Tachyon clients can optionally use Nomad (1E Client with Nomad client features enabled) to provide more efficient downloading of Tachyon content.
Nomad 7.0.200 includes support for a future version of VMware Workspace One to use Nomad to download and share VMWare content.
Constraints of Legacy OS
In this documentation, the following are referred to as legacy OS. Below are described some known issues for these OS.
1E does not provide support for 1E products on the following OS unless the OS is explicitly listed as being supported for a specific 1E product or product feature. This is because Microsoft has ended mainstream support for these OS or they are not significantly used by business organizations.
For Microsoft product lifecycle details, please refer to https://support.microsoft.com/en-us/lifecycle/search.
Certificate limitations - SHA2
Like most software vendors, 1E software requires the OS to support SHA2. If your organization has a PKI configured to use SHA2 256 or higher encryption, then your legacy OS may have already been updated to support it.
Windows XP and Server 2003 require an update as described in KB968730. Microsoft no longer provides this hotfix as a download. You must contact Microsoft Support if you need it.
Windows 7 and Server 2008 R2 require an update as described in KB3033929. This update is not available for Vista and Server 2008.
Windows 8, 8.1, Server 2012, Server 2012 R2 and later OS already support SHA2.
Certificate limitations - encrypted certificate requests
Windows XP and Server 2003 are unable to encrypt certificate requests, whereas later OS are able to support higher more secure RPC authentication levels. If you are using a Microsoft CA and expect these clients to request (enrol) certificates then the CA must have its IF_ENFORCEENCRYPTICERTREQUEST flag disabled. It is disabled by default on Windows 2003 and 2008 CA, but is enabled by default on Windows 2012 CA.
To determine which InterfaceFlags are set, execute the following command on the CA server:
certutil -getreg CA\InterfaceFlags
If the following is specified then it means the flag is enabled.
IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
To disable the encrypt certificate requests flag, execute the following commands on the CA server:
certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
sc stop certsvc
sc start certsvc
Certificate limitations - signing certificates missing
On Windows computers, the installation MSI files, and binary executable and DLL files of 1E software are digitally signed. The 1E code signing certificate uses a timestamping certificate as its countersignature. 1E occasionally changes its code signing certificate, and uses it for new releases and patches for older versions, as shown in the table(s) below.
Root Certificate Authorities are implicitly trusted to validate certificates, and their certificates must be correctly installed to do this. Your computers should already have the necessary root CA certificates installed, however this may have been prevented by your organization's security policies, or inability to connect to the Internet, or they are legacy OS. In general this is not an issue because by default Windows allows software to be installed and run without validation, although you may see a warning or experience a delay. However, you must have relevant CA certificates installed if you are using 1E Client (which self-validates its own files), or your organization has applied more secure polices (for example UAC, AppLocker or SmartScreen).
Typical reasons for issues with signing certificate are:
- If your organization has disabled Automatic Root Certificates Update then you must ensure the relevant root CA certificates are correctly installed on each computer
- If computers do not have access to the Internet then you must ensure the relevant root and issuing CA certificates are correctly installed on each computer, numbered in the table(s) below.
The signature algorithm of the 1E code signing certificate is SHA256RSA. In most cases, the file digest algorithm of an authenticode signature is SHA256, and the countersignature is a RFC3161 compliant timestamp. The exception is on legacy OS (Windows XP, Vista, Server 2003 and Server 2008) which require the file digest algorithm of an authenticode signature to be SHA1, and a legacy countersignature.
The table below applies to software and hotfixes released in 2020.
TIMESTAMP-SHA256-2019-10-15 and DigiCert Timestamp Responder
DigiCert EV Code Signing CA (SHA2)
DigiCert SHA2 Assured ID Timestamping CA
and DigiCert Assured ID CA-1
DigiCert High Assurance EV Root CA
DigiCert Assured ID Root CA
Certificate limitations - expired root certificates
Ensure that your Root CA Certificates are up-to-date on clients and servers. The Automatic Root Certificates Update feature is enabled by default, but its configuration may have been changed or restricted by Group Policy Turn off Automatic Root Certificates Update.
If this GPO is enabled, then you will see
DisableRootAutoUpdate = 1 (dword) in