CM Client Deployment Overview


CM Client Deployment Overview.. 1

Client Deployment Overview.. 1

Components. 2

Assignments, Registration and Approval 2

System Roles used during deployment 2

Some of the existing client deployment methods that still exist in SCCM 2007 include the following: 4

What is new in SCCM CCMSETUP.EXE. 6

Link with CCM Switches. 7

Checking for Site Compatibility to Complete Site Assignment. 7

Troubleshooting Client Push. 7

SCCM Client installations Methods PRO and CONS.. 10

Software update based client installation. 10

GPO based installation. 10

Client Push Installation (Wizard): 10

Logon Script Client installation. 11



There were multiple challenges associated with using client push installation in SMS 2003. These ranged from client side firewall ports being blocked, requirement to provision an account that had local administrator rights, multiple binaries used for client deployment each with their own set of switches, the fact that the client install was not bandwidth aware and the lack of visibility into the progress of client installation. One of the new areas in deploying the client is that the dependant components are installed on demand as part of the client installation process. Another interesting area is around how the client is assigned to a site using the SMSSITECODE field. In SCCM 2007, the site code is populated manually with the site code where the client push property is configured from. By defaulting to the site code of the site, site assignment can now be based on where the client push installation originated. While this can be changed, if you are upgrading from SMS 2003 and have configured the SMSSITECODE installation property with AUTO, it will remain AUTO.


Client Deployment Overview


There are a few deployment methods for clients listed below , those listed in bold are new to ConfigMgr 2007


  1. Software Update Point (Client installed via WSUS as mandatory update)
  2. Group Policy Installation (with ADM files used to configure client MP and other properties, it use only MSI)
  3. Client push installation (new feature site system computer account can be used for installation and the local SiteCode is default, uses remote WMI instead of remote registry)
  4. Logon installation (for users with administrative rights)  - no use for US
  5. Software distribution (existing client upgrades, only if Upgrade in Place is performed)
  6. Manual installation


Note: CM Client NEED active SCCM MP server in order to COMPEATE install, versa old SSM 2003 DID not NEED it doing install as client was periodically pool for assigned MP.




The new client now only have 2 binaries, ccmsetup.exe and ccmsetup.msi (msi installations). When installing the new clients , some components needed by the client is also installed if they don’t already exist. The components are listed below. The ccmsetup.exe is now also used for uninstallation. New to the client is that its bandwith aware thanks to BITS.

  • BITS (Background Intelligent Transfer Service) 2.0 , 2.5 and 3.0 ( 2000 platforms= BITS 2.0, XP/2003 platforms= BITS 2.5 and Vista/Longhorn platforms= BITS 3.0)

*Note BITS 2.0 requires a reboot and setup will not continue until machine has been rebooted.

  • Windows Installer 3.1 v2 (KB893803)
  • Windows Update agent (WUA)
  • Core XML services (MSXML6.msi)
  • MSRDC (Remote differential compression) This is used for branch office scenarios, and its not possible to install this on a w2k machine which means that w2k clients dont support branch office distribution points.
  • Wimgapi.msi (Used in OSD scenarios)
  • Client.msi ( For the Conf Mgr 2007 client package, no longer possible to run this manually)


Assignments, Registration and Approval

  • ConfigMgr 2007 clients cannot be assigned to SMS 2003 or prior sites, though its possible to manage SMS 2003 clients with a ConfigMgr 2007 site.
  • Clients also need to register to be able to send and retrieve data to site systems.
  • There are three different approval methods for clients in mixed mode; this is needed for the clients to be able to use the network access account.
    • No automatic approval, manual approval needed
    • Automatic approval for domain joined clients
    • Automatic approval for all clients.

Note: Clients in native environments are automatically approved.


System Roles used during deployment

  • Site Server - Used when you use the client push scenario
  • Management Point - Used for client and policy download
  • Server Locator Point - If you don’t extend your Active Directory you need SLP records for clients to work
  • Distribution Point - Used in OSD and software upgrade scenarios
  • Software Update Point - This is used when you deploy client with WSUS
  • Fallback Status Point (FSP) - If you want clients can send deployment status messaged to the FSP
  • PXE Boot - Can be used in OSD Bare metal scenarios
  • State Migration Point -Can be used in machine replacement scenarios



Some of the components that are used in the client deployment process include the following:


• CCMSetup.exe:

  • Used to Install
  • uninstall
  • upgrade

the SCCM 2007 client using client push installation or manual installation. It is low bandwidth aware and is the single way to launch client deployment.


·         You also do not need to use CCMClean to uninstall the client as the uninstall switch can be used instead.


• BITS: BITS 2.0 is required for Windows 2000 clients. BITS 2.5 is used for most of the Windows operating systems with the exception of Windows Vista which uses BITS 3.0.


Note: When installing BITS 2.0 on Windows 2000 SP4 machines, a restart is required. This means that if you do not have BITS 2.0, then ccmsetup will stop the install and wait until the next process of reboot before it starts the next process.


Microsoft Windows Installer v3.1 v2 (KB 893803): Update to all operating systems except Windows Server 2003 SP1 and later


Windows Update Agent (WUA) version 7.0.6000.363: Used on clients to support detection of applicable updates and deployment


MSXML6.msi - Windows installer script for installing the Core XML Services


MSRDC (Remote Differential Compression): Required for branch DP to support binary differential replication. For more information on binary differential replication, please visit .


Regarding windows 2000 clients, they don't support MSRDC, so Windows 2000 clients cannot be branch DP’s. Windows XP and later will install this utility and the associated windows server code will be used to install the bits.


Wimgapi.msi: Imaging API for custom tools for image management – For OSD


CCMSetup.msi: Windows installer package for deploying of the SCCM 2007 client using AD GPO. You cannot run CCMSetup.msi to install clients manually.


Some of the existing client deployment methods that still exist in SCCM 2007 include the following:


1. Client Push Installation: Client push installation can still be automated or via administrator control. One of the new features is that you can now use the site server computer account as the client push installation account. This will be used if all previous attempts have failed. In addition, the following options have also been changed:


  1. The default client push installation property is now SMSSITECODE=<the local site code>. In SMS 2003, the SMSSITECODE was set to AUTO.

NOTE: If you use AUTO, you lose the option of using AD published installation settings and must specify any other options via push installation properties or command line.

So in SCCM AUTO switch should not been used in our environment.



b. If AD is extended for SCCM 2007, the client push installation parameters are published to AD. This allows you to install the client by running ccmsetup.exe without any command line parameters. The client will then be pushed with the appropriate parameters that are set in the client push installation parameters (when installing manually).


c. The Remote Registry service is no longer used to target systems. Rather, remote WMI calls are made. This allows access to WMI in remote scenarios where the client versions need to be validated particularly for site assignment. à CHECK IF OUR SECURITY ALLOW THIS


2. Logon Installation ONLY for high rights (Local Admins) users. In SMS 2003, capinst.exe was used for low right users to create the client configuration request which in turn would ask the site server to help out with the installation. In SCCM 2007, there is no support for low rights installation.


3. Software Distribution. This option works great ONLY if you are doing an in place upgrade of your SMS 2003 clients.


4. Group Policy. In SMS 2003 it was possible to deploy the client however you couldn't use the command line parameters that were available with client.msi. In SCCM, there is now tighter integration to deploying the client. The installation properties are automatically published to AD and ccmsetup.msi is used for GP based software installation.


5. Manual Installation where ccmsetup.exe is launched off. The ccmsetup properties are published to AD and used automatically during the installation of the client.


Below are some of the new deployment methods in SCCM 2007:


  1. Software Update Point (SUP) Client deployment. With this deployment method, clients that have Microsoft Windows Update Agent (version 7.0.6000.363) on them but are not SCCM clients will scan through the WSUS catalogue and see ccmsetup as a mandatory application update. The SCCM 2007 client will then get installed as part of the patching process and pull the associated ccmsetup installation properties from AD if the schema has been extended or optionally from GPO via the ConfigMgr2007Installation.adm .
  2. Note: XME ITMU Scan Agent is : 7.0.6000.374 – so it is capable to deploy CM agent, but it have to be drive with WSUS instead current ITMU


This is great deployment option that will allow you to leverage your existing WSUS scanning process.


In addition, using local system to run the WSUS agent bypasses a lot of the challenges associated with getting the client installed (firewall, etc.). There are also no issues with low right users with this installation option. The only requirement is that the client must be configured to point to the SCCM Software Update Point along with the port number via the Windows Update setting “Specify Intranet Microsoft Update Service Location “. For more information on how to install the SCCM 2007 client using the Software Update Point installation method, please visit " target="this_is_a_new_window">


Note: Command line properties cannot be added in using this deployment method as clients will obtain the installation properties from AD when the client is installed provided the schema has been extended. If the schema has not been extended, then GPO policies can be used to specify the ccmsetup properties.


2. Group Policy Installation. With this deployment option, you can deploy ccmsetup.msi using the software installation feature of Group Policy as shown below:


o        In addition, ConfigMgr2007Installation.adm can be used to define the installation properties and ConfigMgr2007Assignment.adm can be used for assignment.


Directly related to deploying the client, is the registration and assignment process. Registration is used by the client to provide its identity to the site whereas assignment is a requirement in order for registration to complete. As stated earlier, Client Assignment can now be configured through GPO using the ConfigMgr2007Assignment.adm template located in x:\ConfigMgr2007_RTM_ENU_5931_Eval\Tools\ConfigMgrADMTemplates. The assignment process is a little different then it was in SMS 2003 because now a site compatibility check is done to ensure the client version is correct. More information on planning for site assignment changes in SCCM 2007 can be found at .


To continue, one of the purposes of providing the administrative templates noted above is to allow resources to be assigned based on business functionality as opposed to basing it solely on network configuration. This can also be useful in scenarios where the AD Schema has not been extended or where clients have installation properties that need to be uniquely set.


Furthermore, in order for the SCCM 2007 clients to receive or send data from a MP, the client must first be registered. Registration is an automatic process after assignment. Once the client locates its default MP it will issue a registration request to the site. This provides the client identity (self signed certificate). Until this process happens, the client will not be fully functioning nor will it be able to communicate properly. Related to the registration process is the mode of the site. If you are running in mixed mode, you need to evaluate which approval option you want to configure for your site. For more information, please see my article on Mixed Mode in SCCM 2007


In summary, there are a variety of deployment methods that are available to you when installing the client. Each has its advantages and disadvantages along with the need to meet specific business requirements. I would recommend that before the client deployment process begins, you consider the following:


• Identify an appropriate size for the cache. The default cache size is 5GB. While this is not pre-created, it is used to check on whether there is sufficient space to accommodate Operating System Images to the client machine.


Implement a Fallback Status Point (FSP) before you begin to deploy clients. Although it is not required, it is highly recommended in identifying issues up front that are related to installation and assignment of the client. The Ccmsetup.exe as part of its process will generate state messages. Clients will send state messages for the deployment to the FSP if the client is configured to use a FSP. The FSP can be configurable on how often status messages are processed from a client and how frequently they get sent to the site server as shown below:


Once processed, you should then be able to run Reports that indicate the success or failure of client deployments and provide identification on failures.


Pre-stage the client dependencies (BITS/MSXML6/Windows Installer 3.1 v2, etc.) to ensure a higher success rate with minimal impact to your existing SMS 2003 operations.


When upgrading SMS 2003 clients to SCCM 2007, leave the mixed mode option “This site contains only SCCM 2007 clients” unchecked until the entire environment has been upgraded to SCCM 2007.


What is new in SCCM CCMSETUP.EXE

In SMS 2003, client installation files were downloaded from an SMB share on the management point. In Configuration Manager 2007, the default behavior is to download these files using a HTTP connection in a mixed mode site, or HTTPS connection in a native mode site. You can still use an SMB share to download client installation files, but you must create this share yourself and specify the CCMSetup installation property /source.


The new executable has bandwidth awareness through BITS

New Switch in CCMSETUP.EXE:



Specify the download priority when client installation files are downloaded over an http connection. Possible values are as follows:

·                       FOREGROUND

·                       HIGH

·                       NORMAL

·                       LOW

The default value is NORMAL.

Example: CCMSetup.exe /BITSPriority:HIGH



Link with CCM Switches



·          Configuration Manager 2007 can automatically create a new client record for the duplicate record.

 This setting allows you to easily upgrade or deploy clients that might potentially have duplicate hardware IDs, without requiring manual intervention.



Checking for Site Compatibility to Complete Site Assignment

The improved functionality from SMS 2003 means that a Configuration Manager 2007 client will not work if it is assigned to a site running SMS 2003. To prevent this situation, site assignment in Configuration Manager 2007 now includes a version check to ensure compatibility between the client and its assigned site.

The Remote Registry service is no longer used to target systems. Rather, remote WMI calls are made. This allows access to WMI in remote scenarios where the client versions need to be validated particularly for site assignment.


Troubleshooting Client Push
Clients don't have to be approved to be listed as clients (Client = Yes) and function fine in the site.
Approval just lets clients use the Network Access Account.

a.      Do these clients have the firewall disabled?

a.      Do these clients have the f&p sharing exception enabled?

b.       Do these client push installation accounts have local admin rights on the client computer?


The error 80041003 is an Access Denied error from the WMI service.

Does the SMS admin account has admin rights on the box?

One way to test this is to use wbemtest.exe and try connecting to
\\yourmachine\root\cimv2 with that account (or other accounts) to find one
that works.
ou have used a FSP Fall back Status Point in your client deployment
you could look at the Client Deployment reports.
Have you configured a Fallback Status Point? And added FSP=thatservername to
your client push command?
You can use FSP reports to see better detail on failures.
New in SCCM is the ability to use the computer$ account for the install.
This means that you can now use the SMS server's computer account to do the install.  The best, and most secure way of doing this is to create a new global group, add the computer account, and then through group policy add that group to the local administrator group on the targeted clients. The KB320065 has details on how to accomplish this, in the past if you added an account to the local administrators group on domain computers it would overwrite, not append so make sure you test this process first.

How to Configure a Global Group to Be a Member of the Administrators Group on all Workstations
This article was previously published under Q320065
This article describes how to create a global group so that it is a member of the local administrators group on all workstations and member servers by using group policy restricted groups.
It may be useful to allow certain users to automatically become local administrators
on your Windows 2000-based workstations or member servers. To allow that type of
access to a controlled set of users and computers by using a group policy:
1. Start Active Directory Users and Computers from any domain controller.
2. Create an organizational unit, and then move all of the appropriate workstations
and member servers to that organizational unit.
3. Create a global group in that organizational unit, and then add the appropriate
users to that group.
IMPORTANT: Complete the remaining steps from a Windows 2000-based member server or a Windows 2000 Professional-based workstation with the Adminpak installed.
4. Start Active Directory Users and Computers, right-click the organizational unit,
and then click Properties.
5. Click the Group Policy tab, click NEW, and then name the policy.
6. Click the policy, and then click Edit.
7. Right-click Restricted Groups
(under Computer Configuration\Windows Settings\Security Settings\Restricted Groups),
and then click Add Group.
8. Click Browse. Focused on the local computer, click the group to which you want
your global group to be a member (in this case, the "Administrators" group),
click ADD, and then click OK. You are returned to the group policy
and you see the administrators group listed in the Restricted Groups window.
9. Right-click the group, and then click Security.
10. To the right side of the Members of this Group box, click ADD, and then click Browse.
11. Locate the group in the organizational unit that you want to place in the
administrators group, and then add it the group. After you do so, close the group policy.
12. At a command prompt, type secedit /refreshpolicy machine_policy /enforce,
and then press ENTER.
NOTE: From any of the workstations or member servers in that organizational unit, you can view the local groups and see that the global group is a member of the administrators local group. =================================================================================================
SCCM 2007 client agent deployment using Software updates
Client Push Installation (Wizard):

Great installation method but it has some requirements that could prove to be problematic in a real secure environment. It requires remote local admin privileges which is usually fine. But it also requires remote registry and access to the admin$ share.  

A secure environment should have file and print sharing disabled on desktops or laptops, or at the very least have them blocked by a personal firewall.

GPO based installation:

Nice installation method with very modest requirements on the machine to be installed, but it suffers from its own drawbacks.  

The main problem with GPO based installation is that it is end-user - computer driven.
GPO's software installation only happens at logon or after a restart.

Both events normally only happen after the end-user gave their user name and password or powered on the machine.

If you have pesky users that just close their laptop lid in the evening and open it back up the next morning then your out of luck with gpo's. With todays more stable os's like Windows XP It could take a pretty long time before the machine actually needs to be rebooted on.

Software update (WSUS) based client installation:

Superb installation method


That mixes the benefits of GPO based installation with those of software distribution based installation. In other words it has pretty low requirements on the target machine, even lower as software distribution  based installation as it does not require a software distribution solution in place and doesn't require the target machine to be in active directory.
(You'll need a different way than adm templates to set the registry keys though).
On top of that it offers a Schedule based installation which eliminates the end-user initiated drawback of gpo's. By the way if you install a newer version of the SCCM 2007 beta or install a Service pack after RTM you will be able to update your publication so that you can use this method to easily upgrade your existed install base to the new version.


How do you get this to work? Remarkably easy actually.


STEP 1 Configure the Windows Update agent GPO:
Open a GPO
Go to Computer configuration\Windows Components\Windows Update
Configure the Configure automatic updates option, Set it to auto download and shedule the install
Choose your own schedule
Configure the Specify intranet microsoft update service location
Configure both options with the value http://Wsusserver
STEP 2 Import the SCCM-2007 adm template:
Download the adm template to configure SCCM 2007 client installation command line parameters
Open a GPO
In Computer Configuration Right-click on Administrative templates
Browse to the SCCM-2007 and add the template.
Go to Computer configuration\Windows Components\SCCM 2007\Software Update point client installation
Configure the command line with the parameters you want.
STEP 3 Publish the SCCM 2007 client (As documented in the SCCM 2007 help file)
To publish the Configuration Manager 2007 client to the WSUS server:
In the Configuration Manager console,
navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Client Installation Methods.
Right-click Software Update Point Client Installation, and click Properties.
To enable client installation, select the Enable Software Update Point Client Installation check box.
If the client software on the Configuration Manager 2007 site server is newer
than that stored on the software update point, the Upgrade Client Package Version dialog box will open.  You should click Yes in this dialog box to publish the most recent version of the client software to the software update point.
To finish configuring the software update point client installation, click OK.


SCCM Client installations Methods PRO and CONS




Software update based client installation

·         Low requirements on the target machine

Need to configure the WUA GPO

Not sure how to automate the client auto client assignment

·         It does not require a software distribution



·         Doesn't require the target machine to be in AD.


But need a different way than adm templates to set the registry keys

·         Offers a Schedule based installation



GPO based installation


GPO's software installation only happens at logon or after a restart








Client Push Installation (Wizard):


It requires remote local admin privileges








Logon Script Client installation


Require Local Admin Right user

We can build in the automatic right elevations, but is not secure and need extra administrations








Sccm 2007 client agent deployment using Software updates