How to deploy clients to Windows computers in Configuration Manager. 25 minutes to read.In this articleApplies to: Configuration Manager (current branch)This article provides details on how to deploy the Configuration Manager client to Windows computers.
![]()
For more information on planning and preparing for client deployment, see these articles:.Client push installationThere are three main ways to use client push:.When you configure client push installation for a site, client installation automatically runs on computers that the site discovers. This method is scoped to the site's configured boundaries when those boundaries are configured as a boundary group.Start client push installation by running the Client Push Installation Wizard for a specific collection or resource within a collection.Use the Client Push Installation Wizard to install the Configuration Manager client, which you can use to the result. The installation will succeed only if one of the items returned by the query is the ResourceID attribute of the System Resource class.If the site server can't contact the client computer or start the setup process, it automatically retries the installation every hour. The server continues to retry for up to seven days.To help track the client installation process, install a fallback status point before you install the clients.
![]()
From the administration Pane-Site Hierarchy—Sites-Right click on site,you see client installation Settings—Client Push Installation. Move onto Accounts Tab and create New Account. If you have custom command properties to be used for the client installation like port used,cache size,FSP,provide them on installation properties. The client installation properties are used to install the client. These properties might be overwritten with new settings from its assigned site after the client is installed and has successfully been assigned to a Configuration Manager site.
When you install a fallback status point, it's automatically assigned to clients when they're installed by the client push installation method. To track client installation progress, view the client deployment and assignment reports.Client log files provide more detailed information for troubleshooting.
The log files don't require a fallback status point. For example, the CCM.log file on the site server records any problems that occur when the site server connects to the computer. The CCMSetup.log file on the client records the installation process. ImportantClient push only succeeds if all prerequisites are met. For more information, see. NoteWhen it uses client push to install the Configuration Manager client, the site server creates a remote connection to the client. Starting in version 1806, the site can require Kerberos mutual authentication by not allowing fallback to NTLM before establishing the connection.
This enhancement helps to secure the communication between the server and the client.Depending on your security policies, your environment might already prefer or require Kerberos over the older NTLM authentication. For more information on the security considerations of these authentication protocols, read about the.To use this feature, clients must be in a trusted Active Directory forest. Kerberos in Windows relies on Active Directory for mutual authentication.Select the system types to which Configuration Manager should push the client software. Select whether you want to install the client on domain controllers.On the Accounts tab, specify one or more accounts for Configuration Manager to use when it connects to the target computer. Select the Create icon, enter the User name and Password (no more than 38 characters), confirm the password, and then select OK.
Specify at least one client push installation account. This account must have local administrator rights on the target computer to install the client.
If you don't specify a client push installation account, Configuration Manager tries to use the site system computer account. Cross-domain client push fails when using the site system computer account. NoteTo use client push from a secondary site, specify the account at the secondary site that initiates the client push.For more information about the client push installation account, see the next procedure,.Specify any required installation properties on the Installation Properties tab.If you've extended the Active Directory schema for Configuration Manager, the site publishes the specified to Active Directory Domain Services. When CCMSetup runs without installation properties, it reads these properties from Active Directory. NoteIf you enable client push installation on a secondary site, set the SMSSITECODE property to the Configuration Manager site code of its parent primary site. NoteUse this wizard to install clients even if the site isn't configured for client push. Software update-based installationSoftware update-based client installation publishes the client to a software update point as a software update.
Use this method for a first-time installation or upgrade.If the Configuration Manager client is installed on a computer, the computer receives client policy from the site. This policy includes the software update-point server name and port from which to get software updates. ImportantFor software update-based installation, use the same Windows Server Update Services (WSUS) server for client installation and software updates. This server must be the active software update point in a primary site.
For more information, see.If the Configuration Manager client isn't installed on a computer, configure and assign a Group Policy Object. The Group Policy specifies the server name of the software update point.You can't add command-line properties to a software update-based client installation. If you've extended the Active Directory schema for Configuration Manager, the client installation automatically queries Active Directory Domain Services for the installation properties.If you haven't extended the Active Directory schema, use Group Policy to provision client installation settings. These settings are automatically applied to any software update-based client installation. For more information, see the section on and the article on.Use the following procedures to configure computers without a Configuration Manager client to use the software update point.
There's also a procedure for publishing the client software to the software update point. TipIf computers are in a pending restart state following a previous software installation, a software update-based client installation might cause the computer to restart. NoteIf you haven't already published the client software to the software update point, this dialog box is blank.The software update for the Configuration Manager client isn't automatically updated when there's a new version. When you update the site, repeat this procedure to update the client. Group Policy installationUse Group Policy in Active Directory Domain Services to publish or assign the Configuration Manager client.
The client installs when the computer starts. When you use Group Policy, the client appears in Add or Remove Programs in Control Panel.
The user can install it from there.Use the Windows Installer package CCMSetup.msi for Group Policy-based installations. This file is found in the bini386 folder on the site server. You can't add properties to this file to change installation behavior.
ImportantYou must have administrator permissions to access the client installation files.If you've extended the Active Directory schema for Configuration Manager, and you selected the domain on the Publishing tab of the Site Properties dialog box, client computers automatically search Active Directory Domain Services for installation properties. For more information, see.If you haven't extended the Active Directory schema, see the section on for information about storing installation properties in the Windows registry of computers. The client uses these installation properties when it installs.For more information, see. Manual installationManually install the client software on computers by using CCMSetup.exe.
You can find this program and its supporting files in the Client folder in the Configuration Manager installation folder on the site server. The site shares this folder to the network as:SMSClient is the primary site server name. Is the primary site code to which the client is assigned. To run CCMSetup.exe from the command line on the client, connect to this network location, and then run the command. ImportantYou must have administrator permissions to access the client installation files.CCMSetup.exe copies all necessary prerequisites to the client computer and calls the Windows Installer package (Client.msi) to install the client. You can't run Client.msi directly.To modify the behavior of the client installation, specify command-line options for both CCMSetup.exe and Client.msi. Make sure that you specify CCMSetup parameters that begin with / before you specify Client.msi properties.
TipFor the procedure to install the Configuration Manager client on a modern Windows 10 device by using Azure Active Directory (Azure AD) identity, see. That procedure is for clients on an intranet or the internet. Manual installation examplesThese examples are for Active Directory-joined clients on an intranet. NoteYou can't upgrade Configuration Manager 2007 clients by using this method.
Instead, use automatic client upgrade, which automatically creates and deploys a package that contains the latest version of the client. For more information, see.For more information about how to migrate from older versions of the Configuration Manager client, see. NoteThe computer on which the Configuration Manager deployment runs must have access to the specified network folder. Otherwise, the client installation fails.To change any of the client installation properties, modify the CCMSetup.exe command line on the General tab of the Configuration Manager agent silent upgrade Properties program dialog box. The default installation properties are /noservice SMSSITECODE=AUTO.Distribute the package to all distribution points that you want to host the client upgrade package.
Then deploy the package to device collections that contain clients that you want to upgrade.Intune MDM-managed Windows devicesDeploy the Configuration Manager client to devices that are enrolled with Microsoft Intune.This procedure is for a traditional client that's connected to an intranet. It uses traditional client authentication methods. To make sure the device remains in a managed state after it installs the client, it must be on the intranet and within a Configuration Manager site boundary.For the procedure to install the Configuration Manager client on a modern Windows 10 device by using Azure AD identity, see.After you install the Configuration Manager client, devices don't unenroll from Intune.
They can use the Configuration Manager client and MDM enrollment at the same time. For more information, see. NoteYou can use other client installation methods to install the Configuration Manager client on an Intune-managed device. For example, if an Intune-managed device is on the intranet, and joined to the Active Directory domain, you can use group policy to install the Configuration Manager client. Install the Configuration Manager client by using Intune.In Intune, that contains the Configuration Manager client installation file CCMSetup.msi. You can find this file in the bini386 folder of the Configuration Manager installation directory on the site server.In the Intune Software Publisher, enter command-line parameters.
For example, use this command with a traditional client on an intranet:CCMSETUPCMD='/MP: SMSMP= SMSSITECODE= DNSSUFFIX='. ImportantDon't specify a Configuration Manager site code for the client in the CCMSetup.exe command-line properties.At a command prompt, type net stop ccmexec to stop the SMS Agent Host service (CcmExec.exe) on the reference computer.Delete the SMSCFG.INI file from the Windows folder on the reference computer.Remove any certificates that are stored in the local computer store on the reference computer. For example, if you use PKI certificates, before you image the computer, remove the certificates in the Personal store for Computer and User.If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the reference computer, remove the trusted root key from the reference computer. NoteIf clients can't query Active Directory Domain Services to locate a management point, they use the trusted root key to determine trusted management points. If you deploy all imaged clients in the same hierarchy as that of the master computer, leave the trusted root key in place.If you deploy the clients in different hierarchies, remove the trusted root key. Also provision these clients with the new trusted root key. For more information, see.Use your imaging software to capture an image of the reference computer.Deploy the image to the destination computers.Workgroup computersConfiguration Manager supports client installation for computers in workgroups.
Install the client on workgroup computers by using the method specified in. Prerequisites.Manually install the client on each workgroup computer. During installation, the interactive user must have local administrator rights.To access resources in the Configuration Manager site server domain, configure the network access account for the site. Specify this account in the software distribution site component.
For more information, see.Limitations.Workgroup clients can't locate management points from Active Directory Domain Services. Instead, they use DNS, WINS, or another management point.Global roaming isn't supported.
Workgroup clients can't query Active Directory Domain Services for site information.Active Directory discovery methods can't discover computers in workgroups.You can't deploy software to users of workgroup computers.You can't use the client push installation method to install the client on workgroup computers.Workgroup clients can't use Kerberos for authentication, and they might require manual approval.You can't configure a workgroup client as a distribution point. Configuration Manager requires that distribution point computers be members of a domain.Install the client on workgroup computersCheck the prerequisites, and then follow the directions in the section. Workgroup example 1This example does the following actions:.
Installs the client for intranet client management. Specifies the site code.
Specifies the DNS suffix to locate a management pointCCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=constoso.com Workgroup example 2This example requires the client to be on a network location that's configured in a boundary group. If this requirement isn't met, automatic site assignment won't work. The command includes a fallback status point on server FSPSERVER.
This property helps to track client deployment and to identify any client communication issues.CCMSetup.exe FSP=fspserver.constoso.com Internet-based client management. NoteThis section doesn't apply to clients that use a. To install internet-based clients by using a cloud management gateway, see.When the Configuration Manager site supports for clients that are sometimes on an intranet and sometimes on the internet, you have two options when you install clients on the intranet:.Include the Client.msi property CCMHOSTNAME= when you install the client, by using manual installation or client push, for example. When you use this method, directly assign the client to the site. You can't use automatic site assignment. See the section, which provides an example of this configuration method.Install the client for intranet client management, and then assign an internet-based client management point to the client. Change the management point by using the client properties on the Configuration Manager page in Control Panel, or by using a script.
![]()
When you use this method, you can use automatic client assignment. For more information, see the section.To install clients that are on the internet, choose one of the following supported methods:.Provide a mechanism for these clients to temporarily connect to the intranet with a VPN. Then install the client by using any appropriate client installation method.Use an installation method that's independent of Configuration Manager. For example, package the client installation source files onto removable media and send the media to users. The client installation source files are located in the Client folder on the Configuration Manager site server. On the media, include a script to manually copy over the client folder. From this folder, install the client by using CCMSetup.exe and all the appropriate CCMSetup command-line properties.
NoteConfiguration Manager doesn't support installing a client directly from the internet-based management point or from the internet-based software update point.Clients that are managed over the internet must communicate with internet-based site systems. Ensure that these clients also have public key infrastructure (PKI) certificates before you install the client. Install these certificates independently from Configuration Manager. For more information, see. Install clients on the internet by specifying CCMSetup command-line properties.Follow the directions in the section. Always include the following options:.CCMSetup command-line parameter /source:.CCMSetup command-line parameter /UsePKICert.Client.msi property CCMHOSTNAME=.Client.msi property SMSSIGNCERT=.Client.msi property SMSSITECODE=.
NoteIf the site has more than one internet-based management point, it doesn't matter which one you specify for the CCMHOSTNAME property. When a Configuration Manager client connects to the specified internet-based management point, it sends the client a list of available internet-based management points in the site. The client randomly selects one from the list.If you don't want the client to check the certificate revocation list (CRL), specify the CCMSetup command-line parameter /NoCRLCheck.If you're using an internet-based fallback status point, specify the Client.msi property FSP=.If you're installing the client for internet-only client management, specify the Client.msi property CCMALWAYSINF=1.Determine whether you have to specify additional CCMSetup command-line parameters.
For example, if the client has more than one valid PKI certificate, you might have to specify a certificate selection criterion. NoteThe Internet tab is available only if the client has a client PKI certificate.If the client accesses the internet by using a proxy server, enter the proxy server settings.Configure clients for internet-based client management after client installation by using a script PowerShell.Open a PowerShell in-line editor, like PowerShell ISE or Visual Studio Code. You can also use a text editor, like Notepad.Copy and insert the following lines of code into the editor.
Replace 'mp.contoso.com' with the internet FQDN of your internet-based management point. $newInternetBasedManagementPointFQDN = 'mp.contoso.com'$client = New-Object -ComObject Microsoft.SMS.Client$client.SetInternetManagementPointFQDN($newInternetBasedManagementPointFQDN)Restart-Service CcmExec$client.GetInternetManagementPointFQDN. NoteThe last line is there only to verify the new internet management point value.To delete a specified internet-based management point, remove the server FQDN value inside the quotation marks. The line becomes $newInternetBasedManagementPointFQDN = '.Save the file with a.ps1 extension.Run the script with elevated rights on client computers. Use one of these methods:.Deploy the file to existing Configuration Manager clients by using a package and a program.Run the file locally on existing Configuration Manager clients by double-clicking the script file in File Explorer.You might have to restart the client for the changes to take effect. Provision client installation propertiesProvision client installation properties for group policy and software update-based client installations. Use Windows Group Policy to provision computers with Configuration Manager client installation properties.
These properties are stored in the registry of the computer. The client reads them when it installs. This procedure isn't normally required, but it might be needed for some client installation scenarios, such as:.You're using the group policy settings or software update-based client installation methods.
You haven't extended the Active Directory schema for Configuration Manager.You want to override client installation properties on specific computers. TipBy default, ConfigMgrInstallation.adm doesn't support strings larger than 255 characters. This configuration can impact adding multiple parameters or parameters with long values, such as CCMCERTISSUERS.To workaround this issue:.
Edit ConfigMgrInstallation.adm in Notepad. For the property VALUENAME SetupParameters, change the MAXLEN value to a larger integer. For example, MAXLEN 511.Configure and assign client installation properties by using a group policy object.Import the ConfigMgrInstallation.adm administrative template into a new or existing group policy object (GPO) by using an editor like Windows Group Policy Object Editor. You can find this file in the TOOLSConfigMgrADMTemplates folder on the Configuration Manager installation media.Open the properties of the imported setting Configure Client Deployment Settings.Select Enabled.In the CCMSetup box, enter the required CCMSetup command-line properties. For a list of all CCMSetup command-line properties and examples of their use, see.Assign the GPO to the computers that you want to provision with Configuration Manager client installation properties.Recommended Content.
You may want to perform a manual uninstall of the client.
1) In windows explorer naviagate to C:WindowsCCM and ensure you can browse in that folder.
2) Open an elevated CMD and change directory to C:WindowsCCM and type ccmsetup.exe /uninstall.
3) While that is uninstalling go to the SCCM console and delete that object from the CM database.
4) After the client has been rebooted remove the folders:
C:WindowsCCM
C:Windowsccmcache
C:ccmsetup
5: Ensure the computer name is in the correct OU in Active Directory so it inherits all the correct permissions it needs (usually people add the SCCM account used for software installs in a GPO to get added to the local admin group of the client PC).
6. Reinstall the client.
![]() Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2023
Categories |