Obtaining the Windows Servicing Suite

The 1E Windows Servicing Suite comprises a number of 1E software products. While these can each be downloaded and installed separately, the entire suite along with an install wizard that coordinates the installation of all the required components can be obtained from the 1E Support Portal in a single ZIP file (1E Windows Servicing Suite.zip).

  1. Download the 1E Windows Servicing Suite Installer.zip from the WSS downloads page on the Support Portal.
  2. Unzip the file to a location that is accessible to the user who will be running the installation wizard.
  3. Install the Windows Servicing Suite by following the installation instructions here.
  4. When using Configuration Manager CB 1906 and later, download and apply the latest Accumulated Hotfix for 1EClient.
    The following link takes you to the 1E Client hotfixes page: https://1eportal.force.com/s/1eclienttopicdetail?tabset-ef7d3=3 

Accounts and Active Directory groups required by the Windows Servicing Suite

The Windows Servicing Suite incorporates a number of components that each have service account and security group requirements. We recommend all service accounts are only granted the minimal security rights that are required for their specific functions. Any rights that are not needed, such as the Interactive Logon rights, should be removed. If Group Policy is used to manage the Log on as a service permission, you may need to add the Service accounts listed below to other groups according to Group Policy configuration.
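
One way to check this recommendation on an installed server, as an added example that is not 1E's own code: it parses a user-rights export and reports, for each service account, whether it holds Log on as a service and whether it is explicitly granted or denied interactive logon. The CONTOSO account names, SIDs and INF text are constructed sample data; on a real server the INF comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS`.

```powershell
# Added example. The INF text, account names and SIDs below are constructed sample data.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1106
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1106
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@
# Constructed account-to-SID map; on a real domain resolve the SIDs from Active Directory.
$serviceAccounts = @{
    'CONTOSO\svc-shopcentral' = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    'CONTOSO\svc-slaplatform' = 'S-1-5-21-1111111111-2222222222-3333333333-1106'
    'CONTOSO\svc-nwmconsole'  = 'S-1-5-21-1111111111-2222222222-3333333333-1107'
}

function Get-UserRightsTable {
    param([string]$InfText)
    $rights = @{}; $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2]
            # Entries are "*SID" or a plain account name; normalise by dropping the "*".
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-ServiceAccountRights {
    # Only explicit entries are checked; rights inherited through groups
    # (for example local Administrators, S-1-5-32-544) are not resolved here.
    param([hashtable]$Rights, [hashtable]$Accounts)
    foreach ($name in ($Accounts.Keys | Sort-Object)) {
        $ids = @($name, $Accounts[$name])   # match by account name or by SID
        $has = { param($right) [bool]($ids | Where-Object { $Rights[$right] -contains $_ }) }
        [pscustomobject]@{
            Account             = $name
            LogOnAsService      = (& $has 'SeServiceLogonRight')
            ExplicitInteractive = ((& $has 'SeInteractiveLogonRight') -or (& $has 'SeRemoteInteractiveLogonRight'))
            DenyLogOnLocally    = (& $has 'SeDenyInteractiveLogonRight')
        }
    }
}

Test-ServiceAccountRights -Rights (Get-UserRightsTable $sampleInf) -Accounts $serviceAccounts | Format-Table -AutoSize
```

An account with `ExplicitInteractive` set, or one missing `LogOnAsService` where Group Policy manages that right, is the case the paragraph above asks you to correct.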

Implementing the Self-service feature

The following service accounts are required if you are using the Self-service feature of the Windows Servicing Suite:

| Services | Notes | Security requirements |
|---|---|---|
| Shopping Central service | A domain user account for running the Shopping Central service | Local Administrator on the 1E application server. Must be a member of the Shopping Configuration Manager Database Access (SHOPPINGCONSOLESMSUSERS) group. If the user installing Shopping Central has permissions to add accounts to this group, then the installer will automatically add the account to the group during installation. |
| Shopping receiver service | A domain user account for running the Shopping Receiver service on the SCCM primary site servers. | |


The following Active Directory Groups are required if you are using the Self-service feature of the Windows Servicing Suite:

| Groups | Notes | Security requirements |
|---|---|---|
| Shopping Full Database Admin Access Group | This group is used to set permissions on the Shopping database and is granted full access to the Shopping database. The Shopping Administrators group is included in this group. | This group must have Write permissions to itself, the 1E Shopping Limited Database Admin Access Group and the 1E Shopping Configuration Manager Database Access Group. |
| Shopping Limited Database Admin Access Group | This group is used to manage permissions on the Shopping database. Members have limited access to objects according to the Node Security defined by administrators. Members: Managed by Shopping | The 1E Shopping Full Database Admin Access Group must have Write access on this group to allow its members to update the group as Shopping administrators are added or removed. |
| Shopping Configuration Manager Database Access Group | Members are granted read access to Configuration Manager (specifically, this group is added to the db_datareader role in Configuration Manager). Members: Managed by Shopping | The 1E Shopping Full Database Admin Access Group must have Write access on this group to allow its members to update the group as Shopping administrators are added or removed. |
| 1E Shopping Administrators Group | The Shopping Administrators group is used to manage Shopping and has access to the Administration tab on the web portal. This group is automatically added to the Shopping Full Database Admin access and Shopping Configuration Manager Database Access AD groups during installation. This allows the Shopping Administrator to add Shopping Admin Console users with the Node Security feature. Members: AD accounts that administer Shopping | None |
| 1E Shopping Report Managers Group | The Reporting account/group will have visibility of the Reporting tab on the Shopping web portal and will be able to run reports based on Shopping activity. Members: AD accounts that need to view Shopping reports | None |
| 1E Shopping License Managers Group | The License Manager account/group is notified via email where application license thresholds and maximum counts are exceeded. Members: AD accounts that manage license counts for applications | None |

The Shopping Receiver service manages the creation of Collections and Deployments in Configuration Manager and requires the following permissions in Configuration Manager. You can download the 1E Shopping Receivers Security Role.xml file referenced below and use this to import the Security Role in the Configuration Manager console, then assign the Shopping Receiver service account to the imported role to grant the account the necessary permissions.

The Receiver service account or group requires the following permissions in Configuration Manager.

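| Classes | Permissions |
|---|---|
| Application | Read |
| Distribution Point | Read |
| Distribution Point Group | Read |
| Package | Read |
| Site | Read |
| Status Messages | Read |
| Task Sequence Package | Read |
| Users | Read |
| Collection | All (Full) |
| Configuration Item | All (Full) |
| Folder Class (new in CB1906) | All (Full) |
| Global Condition | All (Full) |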

These permissions are defined in an XML file and can be imported using the Configuration Manager console to create a 1E Shopping Receivers security role. Each Receiver service account or the Receivers group can then be assigned to this role. This is a one-time only manual procedure prior to installation of the first Receiver. The permissions for the 1E Shopping Receivers role have changed in Shopping 5.6 to include support for client notification. You will need to import one of the following files, depending on your Configuration Manager version:

When a Receiver creates a collection for deploying an application it needs to specify its limiting collection. By default, that is either All Systems or All Users and User Groups. However, these defaults are configurable in the Receiver's config file. Other collections can be mapped if the Shopping RBAC feature is used. If these collections are known, specify them, otherwise select All instances of the objects that are related to the assigned security roles option in the Security Scopes tab. For more information see Role based access control in Shopping.

Implementing the Application Migration feature

Application Migration installation requires that the SLA Platform service account has the following role in SQL Server:

  • dbcreator on the SQL Server instance that hosts the SLA Platform databases

The following service accounts are required if you are using the Application Migration feature of the Windows Servicing Suite:

| Services | Notes | Security requirements |
|---|---|---|
| SLA Platform Service | A domain user account to run the SLA Platform services | Logon as a service (granted automatically by the installer) |
| Catalog Update Service | A domain user account to run the Catalog update service | Logon as a service (granted automatically by the installer) |

Implementing the Wake peers for content feature

The following service account is required if you are using the Wake peers for content feature of the Windows Servicing Suite. The NightWatchman Management Center (and therefore NightWatchman Console service account) is only required if Wake-on-LAN with the option to Wake peers for content (i.e. Nomad integration) is going to be used. For Wake-on-LAN without Nomad integration, the NightWatchman Management Center is not required and therefore the NightWatchman Console Service account is not required.

| Services | Notes | Security requirements |
|---|---|---|
| NightWatchman Console service | A domain user account for running the NightWatchman Console service | Logon as a service right (granted automatically by the installer process) |

The following Active Directory Groups are required to support the Wake peers for content feature.

| Groups | Notes | Security requirements |
|---|---|---|
| NightWatchman Management Console Admins | A group for allowing administrative access to the NightWatchman Management Center Console. Members: AD accounts that require access to the NightWatchman Management Center Console | None |

Implementing the Windows Servicing Suite in a Configuration Manager environment with a CAS

Normally, components of the Windows Servicing Suite rely on access to the Configuration Manager database that is granted on Primary Site servers through the ConfigMgr_DViewAccess local group. However, on a CAS, this group and the corresponding SQL permissions in the CAS database do not exist by default, so they must be created manually as follows.

  1. On the CAS server, create a local group called ConfigMgr_DViewAccess (this should already exist on a Primary site database server, but will not exist for a CAS or any Configuration Manager current branch site database servers).
  2. Execute the ConfigMgr_DViewAccess_permissions.SQL script on the Configuration Manager database – it creates a SQL login, if not already present, and grants execute rights on fnGetSiteNumber, exactly the same way as found natively on standalone Primaries.
  3. When you install the Windows Servicing Suite, your account will need local administrator rights on the server to update the ConfigMgr_DViewAccess local group.

Configuration Manager and application source shares

The 1E Windows Servicing Suite Installer wizard requires the path, in UNC format, to locations where it can create the various 1E client agent installation source folders. We recommend separate source locations for Configuration Manager Applications and Packages. For example:

\\CM01\Sources\Applications
\\CM01\Sources\Packages

The account used to execute the 1E Windows Servicing Suite Installer must have read and write permissions to the share and folders that are used.

Networking

When installing the Self-service feature (Shopping), a DNS alias (CNAME record) must be created to resolve your preferred host header for the self-service portal Web service to the server on which it is installed.

For example, if Shopping is installed on a server named 1eappserver.mydomain.com and your host header for Shopping is APPSTORE, you must create a CNAME record in the mydomain.com Forward Lookup Zone in DNS that resolves APPSTORE to 1eappserver.mydomain.com

Sizing and deployment considerations

The table below shows server sizing guidelines and recommended configurations for deploying the SLA platform, Catalog, Shopping and ActiveEfficiency for Nomad in production environments.


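| | Small[1] | Medium 1 | Medium 2 | Large 1 | Large 2 | Large 3 |
|---|---|---|---|---|---|---|
| Number of seats | Up to 5,000 | Up to 25,000 | Up to 50,000 | Up to 100,000 | Up to 200,000 | Up to 500,000 |
| Database server (SLA, Catalog, Shopping, ActiveEfficiency) | | | | | | |
| CPU cores | 10 | 5 | 9 | 10 | 14 | 20 |
| RAM | 20 GB | 12 GB | 20 GB | 29 GB | 39 GB | 84 GB |
| SQL Instance Max Memory | 4 GB | 8 GB | 16 GB | 25 GB | 35 GB | 78 GB |
| Disk space required for Databases | 17.5 GB | 36.5 GB | 44 GB | 62.5 GB | 103.5 GB | 508 GB |
| ActiveEfficiency server and Scout | | | | | | |
| CPU cores | | 4 | 5 | 7 | 9 | 14 |
| RAM | | 8 GB | 9 GB | 10 GB | 10 GB | 16 GB |
| Shopping Server | | | | | | |
| CPU cores | | 3 | 3 | 4 | 6 | 8 |
| RAM | | 4 GB | 4 GB | 6 GB | 8 GB | 16 GB |
| SLA server and the Catalog Web service | | | | | | |
| CPU cores | | 3 | 3 | 3 | 4 | 4 |
| RAM | | 8 GB | 12 GB | 12 GB | 12 GB | 12 GB |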

[1] Small Configuration for up to 5,000 seats is a single server configuration with all server and database components hosted on the same server