Details for obtaining 100% ConfigMgr Client Installation & Reach

  • Article

Requirements:

  • Windows Server Update Service (WSUS)
  • Configuration Manager Site with Software Update enabled
  • Organizational Unit or Security Group
  • 2 Configuration Manager ADM Templates
  • Active Directory Group Policy Object
  1. Windows Server Update Service (WSUS)
    1. Install the WSUS service on a Windows 2003 SP2 server
    2. Do not configure the WSUS service with the WSUS console at the completion of the WSUS installation.
  2. Configuration Manager Site with Software Update enabled
    1. Start your ConfigMgr installation or push a Software Update Point Role on to the WSUS server.
  3. Organizational Unit (OU) or Security Group (SG)
    1. Identify a OU or Security Group that will contain all systems expected to be managed by by your ConfigMgr site.
    2. Note: There can only be one OU or SG designated for 1 ConfigMgr site. You cannot have one OU or SG provisioning clients for multiple site codes.
  4. 2 Configuration Manager ADM Templates
    1. Obtain the ADM Templates that comes on the Configuration Manager 2007 CD, located: on the CD\TOOLS\ConfigMgrADMTemplates
    2. One ADM template is named: "ConfigMgr2007Assignment.adm" and the other is named: "ConfigMgr2007Installation.adm"
    3. The ADM template named "ConfigMgr2007Assignment.adm" is used to place the ConfigMgr site assignment settings in the clients registry
      1. Those settings are shown below:
        1. The "ConfigMgr2007Assignment.adm" template sets the following settings in the registry under: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client
          • GPRequestedSiteAssignmentCode = <your site code>
          • GPSiteAssignmentRetryDuration(Hour) = <Retry Duration (hours)>
          • GPSiteAssignmentRetryInterval(Min) = <Retry Interval>
          • The image below shows the settings for the ConfigMgr2007Assignment.adm template after its imported into the GPO.
          • image Click image to enlarge.
          • Description and uses of the above settings:
          • The "GPRequestedSiteAssignmentCode" is the site code your client should and will be assigned to. When the client is reassigned by any other method to a site code other than the site code specified in the GPO, these GPO policy settings will automatically reassign the client back to the site code you defined in the GPO policy.
          • The "GPSiteAssignmentRetryDuration(Hour) " is the amount of hours the client will keep attempting to reassign the client until successful or till reassigned to the site code specified in the GPO.
          • The "GPSiteAssignmentRetryInterval(Min) " is the interval the GPO policy will wake up and check to see if the client is assigned to the site code specified in the GPO.
        2. The "ConfigMgr2007Assignment.adm" template sets the following settings in the registry under:
        3. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ccmsetup in a Value Name: SetupParameters.
        4. The below settings is a string of the ccmsetup parameters that are to be set for the above setting, which is what the client will use when the installation starts.
          • /MP:msserver SMSSLP=smsslp.domain.com SMSSITECODE=XR2 FSP=smsfsp.domain.com CCMLOGMAXSIZE=100000 CCMENABLELOGGING=TRUE CCMLOGLEVEL=0 DISABLESITEOPT=TRUE DISABLECACHEOPT=TRUE CCMLOGMAXHISTORY=5 SMSCACHESIZE=9000
        5. NOTE: When a client installation starts, ccmsetup.exe will first look to the command-line first for the ccmsetup parameters. If it does not find ccmsetup command-line parameters, the ccmsetup.exe look to the registry for the ccmsetup.exe parameters, if the parameters are not found in the registry, the ccmsetup.exe will use Active Directory and assign the client based on ConfigMgr site boundaries. 
        6. The image below shows the settings for the ConfigMgr2007Installation.adm template after its imported into the GPO.
        7. image Click image to enlarge.
        8. This type of client assignment basically forces the clients to remain assigned to the site of choice.
    4. Import these ADM templates, into a Group Policy Object targeting your OU or SG of your clients to be managed.
    5. A additional setting you must add to this GPO is the Windows Update URL the clients will use to scan for required offered updates.
    6. This setting location can be found with the local GPO Mgr or GPO Management Console. You can find this location for this settings in the path below.
      1. Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update
      2. The image below shows the setting in a GPO object that allows you to set the WSUS/SUP server for clients to use to scan for updates.
      3.  image Click image to enlarge.
  5. A Got Cha: Watch Out! The policies that these ADM templates places in the clients registry cannot be un-done by removing the GPO from the OU or SG.
  6. If you ever want to reassign these clients that has been previously assigned and provisioned by the "Client Management GPO's" (I call this solution client management GPOs) You must either manually remove the settings by hand or script. Or you can drop the computer object in another OU or SG having different "Client Management GPOs applying these settings for another ConfigMgr site.
  7. The reason why these settings don't go away when a GPO is removed, is because these ADM templates are not set in the Policies Hive of the registry. And settings set in the registry out side of the Policies Hive can't be removed with a GPO, Only changed or modified.
  8. Active Directory Group Policy Object (GPO)
    1. Apply a Group Policy Object targeting the OU or SG with membership of all the systems you want assigned to a specific site.
  9. Remember: One Client Management GPO per site.
  10. Once the above setting and configuration are set, Publish the ConfigMgr client into WSUS.
  11. To publish the ConfigMgr client to WSUS, from within the ConfigMgr console Navigate to the Site Management node > Then to the Site Settings Node > Then the Client Installation Methods node, Right client on Software Update Point Client Installation and click Properties.
  12. At this point just simply enable the option "Enable Software Update Point Client Installation" shown below.
  13. clip_image002Click image to enlarge.
  14. Also, ensure that no other AD policies are configuring the WSUS URL via any other policies in your environment. If clients receive policies from other GPO's to also configure the WSUS URL, that client will generate AD Group Policy Conflict and fail scanning for ConfigMgr. To ConfigMgr the client would seem broken and not communicating with the Site/MP.

Disclaimer: P.S. When I say 100% I am, of course, referring to compatible online computers in the targeted OU.

Technorati Tags: ConfigMgr,SCCM,WSUS,Windows Server Update Service,Client Installation,ADM Template