Deploying Configuration Manager 2012 R2 Clients Using Group Policy

45537

Deploying Configuration Manager 2012 R2 Clients Using Group Policy In this post we will see the steps for Deploying Configuration Manager 2012 R2 Clients Using Group Policy. This is the post that I wanted to add to when I was working on SCCM 2012 SP1, however the same steps will still work if you want to deploy configuration manager clients using group policy using SCCM 2012 or SCCM 2012 SP1. In my previous post we saw the configuration manager 2012 R2 client installation using automatic site wide client push installation method and client push installation method. In this post we will see the steps for Deploying Configuration Manager 2012 R2 Clients Using Group Policy. At any point of time you can jump to configuration manager 2012 R2 step by step guide for my previous posts.

If you are planning to deploy SCCM 2012 R2 clients using group policy then you must make sure that in the client push installation properties, Enable Automatic site wide client push installation is not checked. If this is checked then the client would get installed on all the systems after its discovery. So first uncheck the option Enable Automatic site wide client push installation and proceed. In this post my domain controller is running on Windows Server 2012 R2 Datacenter edition, SCCM 2012 R2 running on Windows Server 2012 R2 Datacenter edition and the client machines are running windows 7 professional SP1 x64 and Windows 8.1.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

We will create a new policy first, click on Server Manager, click on Tools, click Group Policy Management. Right click on domain and create a new policy, we will name it as Deploying SCCM 2012 R2 Client. Right click on the policy that is created and click Edit.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

Expand Computer Configuration, Policies and right click on Administrative Templates and click on Add/Remove Templates.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

You can add the templates by clicking on ADD. The Configuration Manager templates can be found in SourceDVD\SMSSETUP\TOOLS\ConfigMgrADMTemplates or you can also add it from <Drive>:\Program Files\Microsoft Configuration Manager\tools\ConfigMgrADMTemplates. You need to add 2 templates ConfigMgrAssignment and ConfigMgrInstallation. Click on Close.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

Expand Administrative Templates, Classic Administrative Templates, Configuration Manager 2012, Configuration Manager 2012 Client. We see on the right pane that both the templates have been added but they not configured yet.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

Right click on Configure Configuration Manager 2012 Site Assignment template and click edit. Click Enabled to enable the policy, under Options specify Assigned Site code, Site Assignment Retry Interval to 5 minutes, Site Assignment Retry Duration to 1 hour (You can also choose to leave the options to default except site code). Click OK.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

Right click Configure Configuration Manager 2012 Client Deployment Settings and click on Enabled. Under options specify the installation properties for CCMSetup file. You can specify lots of installation properties for installation of configuration manager client, click the button below for knowing more on CCMSetup command line properties. In our case I have used following installation command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL

CCMSetup Command Line Properties

Click on OK.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

Under Computer Configuration expand Policies, Software Settings. Right click Software Installation and click New -> Package.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

The ccmsetup.msi can be found in SOURCEDVD\SMSSETUP\BIN\I386 (SourceDVD Is the SCCM 2012 .ISO file). Copy the ccmsetup.msi in a folder (Create a new folder on SCCM Server) and share it with permissions Read-only for Everyone. Browse the file ccmsetup.msi to the folder that you created and Select the deployment method as Assigned. Click OK.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

When you click on Software installation you should see the name of the Package, its Version, Deployment Status and Source. You can now close the GPMC.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

You can choose to apply this policy at domain level or at OU level. If you apply it at domain level then every computer in you domain will get the SCCM 2012 R2 client installation on next reboot. I have created a OU called Windows Systems which consists of client computers. To link the policy to this OU, right click on OU Windows Systems, click Link an existing GPO, choose the GPO Deploying SCCM 2012 R2 Client and click OK.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

You need to perform gpupdate on domain controller first and then on client machines. Reboot the client machine and after you login to client machine the configuration manager 2012 R2 client installation begins. You can see the cmmsetup.exe *32 on one the client machines in the below screenshot.

Deploying Configuration Manager 2012 R2 Clients Using Group Policy

  • steven.parein@gmail.com

    Can you give me any reason why I want to use Group Policy instead of Site-wide Push?

    • If you enable the site wide push then all the machines that are discovered will have SCCM client installed. Pushing client using group policy is one of the method to install SCCM clients on systems. I just showed the steps on how can you deploy SCCM clients using GPO.

  • Steven

    I discovered when reinstalling the OS on a existing machine which previously had a client installed, the client push doesn’t install.
    Any idea why?

    • Hi Steve, when you do a client push on the client machine do you see a folder named ccmsetup ?? The folder path is \windows\ccmsetup

  • Leo

    “command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=CCM.PRAJWAL.LOCAL” is this a typo on the MP? i have followed your guide and my test XP SP3 machine does not get the client installed. any ideas why? i have KB943729 installed on the test client

    • Yes, that was a typo and I have corrected it. On the test machine has the group policy been applied ? Check the rsop on client machine once.. You need to restart the windows XP machine once..

  • Leo

    I have this in the GPO settings CCMSetup.exe SMSSITECODE=ORG FSP=server.domain.com MP=server.domain.com .Do i need to add the /source at the end pointing to the ccmsetup.exe ?

    I can see the GPO is applied in gpresult /v but i can’t see anything in rsop.msc. notting in the administrative templates relating to SCCM

    • Nope, the command that you are using is the correct one. When you select the deployment method as “Assigned”, the software gets installed at the next logon. The source folder where ccmsetup.msi file is located, is it accessible from the XP machine ?

  • Leo

    Prajwal, Yes the location is accessible from the XP machine. i have given everyone read/write access

    • The client package is not getting copied from the source, do you see ccmsetup folder under \windows\ ?

  • Leo

    No i do not see that folder

    • That means the policy has not been applied and the client package is not copied to the system. You can delete the existing policy and create a new one and check …

  • Leo

    thanks for your help. I’ll create a fresh GPO and retest

  • Leo

    Its working now 🙂 i didn’t assign the GPO correctly. it was getting user setting but not computer setting. i added the test PC name to the “security filtering” on the GPO and it worked. Thank you for taking the time to help me and creating this helpful guide 🙂

  • Ed

    Will the /NoService tag work with this method? We are having an issue where without the noservice option the install fails.

    • Ideally it should work, but i have not tried this option yet. You need to check if the account with which the client installation happens must be configured with enough permissions so as to install the sccm client. I would recommend you to use an account which is a member of domain admins group for testing purpose.

  • Ren

    Hi Prajwal, am using active directory 2003; and sccm2012. i attempted adding the template but only one appeared (Client Deployment settings) under the templates. the other although added does not appear in the configuration manager 2012 folder under administrative template. Any reason why this is so?

    • Not really sure why the second template is not seen under administrative templates.. I haven’t tried this with AD 2003.. Is it that only the first template that you add is seen under administrative template ?

  • Ren

    Yes Prajwal, rightly so; the ConfigMgrInstallation.adm appears but the ConfigMgrAssignment.adm does not appear in the configuration manager 2012 folder under administrative template.

  • Leo

    This GPO is working for installs but can it be made silent? My users are seeing a install popup for about 1min prior to logging on with XP machines each time they sign in. I have this in the config line CCMSetup.exe SMSSITECODE=ORG FSP=server.domain.com MP=server.domain.com /logon

    • What kind of install popup ? Can you share more details.. The installation should happen in the background..

  • Leo

    i have tested it on an XP machine and it appears under the XP logo before you get to press CTRL ALT DEL where you normally see applying computer settings…

    It not a big deal since its not the popup i was told it was. I can live with it please ignore 🙂 thank you for the reply

  • James

    HI,
    I can not add the domanin machine to to SccM 2012 devices.. i need to deploy Endpoint Protection to my domain client machine.

    Thanks

    James

    • “I can not add the domanin machine to to SccM 2012 devices” – Are you trying to say that you are unable to add the computer to the device collection ?

  • Robert

    In the string of comments above Steven asked why the GPO would not work a second time after the machine was re-imaged with a new OS. I tested the GPO on my lab system and the first time it worked fine, but when I re-imaged with a clean image and tested a second time CCCMSetup.msi will not kick off from the GPO. Is there some kind of flag to reset? Thanks

    • Did you check the rsop on the client machine ? If the policy applied is seen in rsop then the client should be installed.

  • Robert

    I’ll check the rsop like you suggested, but I don’t understand why a GPO applies once on an OS, but if the machine name stays the same and the OS is reapplied the GPO fails to load. We are using MDT to re-image.

    Thanks for the response!!

  • Mohammed

    Hi Prajwal,

    Thanks for taking time in helping.

    Kindly suggest me, as I’m facing error while installing client on the machine’s also the same in AD, I belive its user account issue which logs says.
    I’ve created user in AD as ClientInstall and add the same to SCCM Server local admins group, given the same account in client install settings.
    Do we need to do any other settting for ClientInstall account in the machine where we’re installing it.

    Find the Log entries:

    —> Failed to connect to \\VM-AD\admin$ using machine account (5) $$
    —> ERROR: Failed to connect to the \\VM-AD\admin$ share using account ‘Machine Account’ $$
    —> Trying each entry in the SMS Client Remote Installation account list~ $$
    —> Attempting to connect to administrative share ‘\\192.168.2.21\admin$’ using account ‘MYLAB\ClientInstall’~ $$
    —> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account MYLAB\ClientInstall (00000005) $$
    —> Attempting to connect to administrative share ‘\\192.168.2.21\admin$’ using machine account.~ $$
    —> Failed to connect to \\192.168.2.21\admin$ using machine account (5) $$
    —> ERROR: Failed to connect to the \\192.168.2.21\admin$ share using account ‘Machine Account’ $$
    —> ERROR: Unable to access target machine for request: “2097152001”, machine name: “VM-AD”, access denied or invalid network path. $$
    Execute query exec [sp_CP_SetLastErrorCode] 2097152001, 5~ $$
    Stored request “2097152001”, machine name “VM-AD”, in queue “Retry”. $$
    Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097152001, 2~ $$
    Execute query exec [sp_CP_SetLatest] 2097152001, N’03/13/2014 02:55:01′, 11~ $$
    <======End request: "2097152001", machine name: "VM-AD". $$

    • The user account ClientInstall should have enough permissions to install client agent on the client machine, so the ClientInstall user account should be the member of local administrators group of the client machine.

  • Mohammed

    Thanks,

    for installing client in AD-Machine, Shall I add ClientInstall user to domain admins group ?

  • David

    First of all I want to say what a great Blog you have setup here. It is very informative and you do a fantastic job in explaining what can be somewhat hard to follow and cryptic instructions from Microsoft on the subject. Now for my question, I am trying to deploy the client using the GPO method and I can see in the Resultant Set of Policies that it is running against the client I am testing. The problem I see is that my client is running Windows Server 2008 R2 and although I can see the CCMSETUP *32 policy running, it never completes. I think this issue has been touched on a little already in previous comments, but what I really need to find out is if a registry edit would be needed to help define the install against 64 bit machines as opposed to 32 bit ones. Also, exactly what that registry edit would be if needed. I see many references to the WOW6432Node key location online, but I am hoping for a better explanation. Many thanks again for your site.

  • JueRgen

    Hi, i think there is still a typo in your GPO deployment.

    You write …

    ” In our case I have used following installation command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL”

    This seems not to work, ater reading some other Walkthroughs and the TechNet it should read.
    SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL
    You Need to remove the ccmsetup.exe from the command line.
    Jürgen

  • @JueRgen – I will test this in my lab once again and update the post.

  • RisingFlight

    Hello Mr prajwaldesai,

    Thanks alot for your support.
    I am having sms 2003 installed and recently i have decommisoned it.
    Now i am in the middle of installation of SCCM 2012 R2.
    still my windows 7 computers are having SMS Advanced Client installed on them.
    Do config mgr uninstalls SMS Advanced client.
    I have changed the site code in SCCM 2012 R2 for that i have deleted the System Management
    container in ActDir schema and came up with new sitecode. will it create any issue in removing sms advanced client.

  • No ConfigMgr does not uninstall the existing clients. There is no upgrade path from 2003 to 2012. What you can do is create a package in 2003 to uninstall and then install the 2012 client..

    Why did you delete the system management container ? You should have uninstalled the clients before you decommissioned SCCM server.

    • RisingFlight

      The purpose of deleting system management container is that i wanted to come up with a new site code. i though that config mgr wud uninstall sms 2003 advanced client.
      now i have sms advanced client installed on windows 7 computers, i am not bothered about it unless it creates any problem with configmgr2012 agent. i have changed the site code for configmgr2012. when i deploy configmgr with new site code, will it get deployed on windows 7 computers having sms advanced client.

      when deploying gpo i have given these settings /mp=sccm.mydomain.com /logon SMSSITECODE=COD /source:”\sccmccmsetup_configmgr”
      is this right approach.

  • Majid Taheri

    Hi dear
    thanks for your instruction.
    i have doing everything in this post but sccm client does not install on destination. please guide me.
    thanks

  • phil

    Hello Prajwal Desai

    I have an existing SCCM2007 Client installed across my production and I am Installing SCCM 2012, will this process overwrite the old Client version. My 2012 SCCM is running on a w2k8 server, and distributing to win7 platform. I have tried using the Client Push Installation and have found no joy with it I followed it to the letter. So I have chosen this method as it was what was used originaly.

    I have pondered over if I would need to run an uninstall first using the GPO then try running this process.

  • Ideally it should skip installing the clients if the computer has got client agents installed.

  • zia

    Hi Prajwal,

    I need a a bit of help. I want to deploy sccm clients to a domain with a power shell script running through Group policy. Can you please send detailed document for that including screen shots.

    Regards