Best Guide to Deploy SCCM Clients Using Group Policy
This article details the steps to deploy SCCM clients using group policy (GPO). You can also upgrade SCCM client agents using group policy.
You can use different methods to install the Configuration Manager client software. This article describes each method, so you can learn which one works best for your organization.
Listed below are all the methods to install the SCCM client agents:
- Group policy installation
- Logon script installation
- Manual installation
- Client Push installation
- Microsoft Intune MDM installation
Microsoft recommends using the client push installation method to deploy SCCM clients in the setup. That’s because it is easy and can be used to automatically install the client on all discovered computers.
However, some organizations prefer to deploy SCCM clients using group policy. A GPO works best when you have Windows computers joined to an Active Directory domain.
If you plan to deploy SCCM clients using group policy, you must uncheck the option “Enable Automatic site wide client push installation” under the client push installation properties.
If this option stays enabled, the SCCM client agent is installed automatically on every system as soon as it is discovered.
To disable Automatic site wide client push installation:
- Launch the Configuration Manager console
- Go to Administration\Overview\Site Configuration\Sites
- On the top bar, click Client Installation Settings and select Client Push Installation
- On the Client Push Installation properties, uncheck “Automatic site wide client push installation”.
- Click Apply and OK.
To create a GPO to deploy SCCM clients, you must have the necessary permissions. I recommend testing the GPO on a few test machines first. If the SCCM client agent deployment GPO works, expand it to a larger set of computers.
Deploy SCCM Clients Using Group Policy
Let’s see the steps to create a group policy to deploy SCCM clients. Log in to the domain controller or to a member server that has the Group Policy Management console installed.
Launch the Windows Server Manager, click on Tools and select Group Policy Management.
In the GPMC console, right-click your domain and select Create a new policy. Specify the name as deploy SCCM clients using Group Policy.
Now right-click the new policy that you just created and select Edit.
In the Group Policy Management Editor, expand Computer Configuration, Policies and right click on Administrative Templates and click on Add/Remove Templates.
You can add new SCCM client agent templates by clicking on ADD. The Configuration Manager templates can be found in SMSSETUP\TOOLS\ConfigMgrADMTemplates.
You can also add them from <Drive>:\Program Files\Microsoft Configuration Manager\tools\ConfigMgrADMTemplates. You need to add two templates: ConfigMgrAssignment and ConfigMgrInstallation.
After you add both the templates, click on Close.
Expand Administrative Templates, Classic Administrative Templates, Configuration Manager, Configuration Manager Client.
Now on the right panel, we see both the Configuration Manager templates have been added. The state of these templates shows it’s not configured.
The next steps will cover the configuration part of the Configuration Manager Templates.
Configure Configuration Manager Site Assignment
Right click on Configure Configuration Manager 2012 Site Assignment template and click edit. Click Enabled to enable the policy.
Under Options specify Assigned Site code, Site Assignment Retry Interval to 5 minutes, Site Assignment Retry Duration to 1 hour (You can also choose to leave the options to default except site code). Click OK.
Configure Configuration Manager Client Deployment Settings
Right click Configure Configuration Manager 2012 Client Deployment Settings and click on Enabled.
Under Options, specify the installation properties for CCMSetup. Any client installation parameters that you provide on the command line modify the installation behavior.
In this case, I have used the following installation command: CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL
Click on OK.
Create New Package to Deploy SCCM Client Agent via GPO
In this section, we will create a new software installation package to deploy SCCM client agent. Under Computer Configuration expand Policies, Software Settings. Right click Software Installation and click New > Package.
Use ccmsetup.msi as the package. The ccmsetup.msi installer can be found in ConfigMgr_Media\SMS\SETUP\BIN\I386. Copy ccmsetup.msi to a new folder on the SCCM server and share that folder with Read-only permission for Everyone.
Browse to ccmsetup.msi in the folder that you created and select Assigned as the deployment method. Click OK.
When you click on Software installation, you should see the following details about the Configuration Manager client. The details include Package, its Version, Deployment Status and Source.
The deployment status for ConfigMgr client package is Assigned. Close the Group Policy Management Editor.
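A computer-assigned package is installed by Windows Installer under the local system account at startup, so anyone who can replace ccmsetup.msi on the share controls what runs on every targeted computer. The PowerShell check below is an added example, not part of the original article; the share name SCCMClient, the folder D:\SCCMClient and the optional media path are assumed values.

```powershell
# Added example, not from the original article. Run elevated on the server
# that hosts the share. Share name and folder are assumed; replace them.
param(
    [string]$ShareName = 'SCCMClient',
    [string]$Folder    = 'D:\SCCMClient',
    # Optional: path to the untouched ccmsetup.msi on the installation media.
    [string]$MediaCopy = '',
    # Accounts allowed to change the package source (names are locale-dependent;
    # add your own admin group, for example 'CONTOSO\Domain Admins').
    [string[]]$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                                  'CREATOR OWNER')
)

$findings = @()
$msi = Join-Path $Folder 'ccmsetup.msi'

# 1. Share permissions: only trusted accounts may hold more than Read.
foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
    if ($entry.AccessControlType -eq 'Allow' -and
        $entry.AccessRight -ne 'Read' -and
        $entry.AccountName -notin $TrustedWriters) {
        $findings += "Share: $($entry.AccountName) has $($entry.AccessRight)"
    }
}

# 2. NTFS permissions on the folder and the MSI: flag any write-type right,
#    including the generic bits that Get-Acl can return as raw numbers.
$rights    = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

foreach ($path in $Folder, $msi) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $writeMask) -and
            $who -notin $TrustedWriters) {
            $findings += "NTFS: $who can modify $path ($($ace.FileSystemRights))"
        }
    }
}

# 3. Authenticode signature of the MSI that the clients will install.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    $findings += "Signature: $msi status is $($sig.Status)"
}

# 4. Optional: the shared file must be byte-identical to the media copy.
if ($MediaCopy) {
    $shared = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
    $media  = (Get-FileHash -Path $MediaCopy -Algorithm SHA256).Hash
    if ($shared -ne $media) { $findings += "Hash: $msi differs from $MediaCopy" }
}

if ($findings) { $findings; exit 1 }
"OK: no untrusted write access to $ShareName or $msi; signer: $($sig.SignerCertificate.Subject)"
```

A non-zero exit code means at least one finding was printed; the effective access a client gets is the more restrictive of the share and NTFS permissions, which is why both are checked.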
Apply the Group Policy to OU
In the above steps we created a group policy to deploy SCCM clients. We also configured the ConfigMgr templates. The next step is to apply the group policy to computers.
You can choose to apply this policy at domain level or at OU level. If you apply it at domain level then every computer in your domain will get the SCCM client installation on next reboot.
I have created an OU called Windows Systems, which contains the client computers. To link the policy to this OU, right click on the OU Windows Systems, click Link an existing GPO, choose the GPO Deploy SCCM clients using Group Policy and click OK.
You need to run gpupdate on the domain controller first and then on the client machines.
Testing the SCCM Client Agent Installation
The group policy to install SCCM clients is now applied to your computers. Reboot the client machine, and after you log in to the client machine the configuration manager client installation begins.
You can see the ccmsetup.exe *32 process running on the computer. This confirms the ConfigMgr client agent installation has begun.
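To confirm the result rather than only the start of the installation, the following PowerShell check can be run on a test client. It is an added example, not part of the original article; it assumes the article's site code IND and the default ccmsetup log location of Configuration Manager 2012 and later clients.

```powershell
# Added example, not from the original article. Run elevated on a client.
# 'IND' is the site code used in the article; the log path is the default
# location for Configuration Manager 2012 and later clients.
param([string]$ExpectedSite = 'IND')

$log    = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
$report = [ordered]@{
    SetupRunning = [bool](Get-Process -Name ccmsetup -ErrorAction SilentlyContinue)
    ExitCode     = $null      # stays $null until ccmsetup has finished once
    AgentService = 'Missing'
    AssignedSite = $null
}

# ccmsetup records its final result in a "return code" line of its log.
if (Test-Path $log) {
    $hit = Select-String -Path $log -Pattern 'CcmSetup is exiting with return code (\d+)' |
           Select-Object -Last 1
    if ($hit) { $report.ExitCode = [int]$hit.Matches[0].Groups[1].Value }
}

# CcmExec (SMS Agent Host) is the agent service that exists once setup succeeds.
$svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if ($svc) {
    $report.AgentService = [string]$svc.Status
    $site = Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client `
                -MethodName GetAssignedSite -ErrorAction SilentlyContinue
    if ($site) { $report.AssignedSite = $site.sSiteCode }
}

[pscustomobject]$report

if ($report.SetupRunning) {
    'ccmsetup is still running; check again in a few minutes.'
} elseif ($report.ExitCode -ne 0 -or $report.AgentService -ne 'Running') {
    "Client not healthy; read $log for the failing step."
} elseif ($report.AssignedSite -ne $ExpectedSite) {
    "Client is assigned to '$($report.AssignedSite)', expected '$ExpectedSite'."
} else {
    "Client installed and assigned to $ExpectedSite."
}
```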
This completes the steps to deploy SCCM clients using Group Policy. If you have any questions, let me know in the comments section.
When I am trying to install the SCCM client through Active Directory Group Policy, I found that the client could not install on the computer. It’s showing the following errors:
#. The latest version of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of these ADM files will be used.
#. Software Installation failed due to the error listed below: The installation source for this product is not available. Verify that the source exists and that you can access it.
I got this error on the client machine when I ran the command rsop.msc
Hello Prajwal,
How can I do MECM agent installation using the startup script via group policy?
Is there any way to configure this to only apply once and not every time the GPO forces an update? Thanks
Hi Nick
When I used to do a client push to a system that had the SCCM client, it would not push if it detected the SCCM client was installed. I think it should be the same behavior here.
Hi sir,
Can I do client installation to devices connected via CMG using this method?
I have so many devices with inactive clients, and they are connected via CMG,
and I have just two actions,
Machine Policy Retrieval and Evaluation Cycle
User Policy Retrieval and Evaluation Cycle
in Software Center.
Hi man,
I have a problem with Configure Configuration Manager 2012 Client Deployment Settings.
I don’t understand what I need to input for ccmsetup.exe, like you:
CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL
Pls help me?
SMSSITECODE=See your site code in SCCM server > Go to SCCM console > Administration > Site Configuration > Site > See Site code
FSP=FQDN of SCCM Server (run systeminfo in CMD see Host name+Domain i.e. SCCM1.domain.com)
MP=FQDN of SCCM Server (run systeminfo in CMD see Host name+Domain i.e. SCCM1.domain.com)
Hi Prajwal,
I have configured SCCM server 2012 R2 in my test lab with the help of your tutorial and it’s working fine, but in DP it is not showing my SCCM. Could you please help me to resolve this issue?
I’m pushing out clients for an existing SCCM 1710 installation. I have a few questions if you don’t mind.
Does this method work the same for 1710, or do I need to follow a different guide?
Why in the client settings do you have ccmsetup.exe listed when you’re pushing out the msi? Is it because the msi points to the exe?
Also, next to the “Configure Configuration Manager Site Assignment” setting, there is a down arrow. Any idea what this means or if it keeps the client from successfully being pushed out?
Hi,
Always appreciate reading your blog posts. Our client installation is configured as such by my predecessor. We’ve since migrated to the latest SCCM CB and so upgrades come at a much higher pace now. So the clients need to be updated more frequently as well.
I was wondering what needs to be done when a new client version needs to be distributed in such a scenario. I’m assuming that just replacing the msi on the shared folder does not suffice and we also need changes to the group policy. Recreating the ConfigMgr Client Setup Bootstrap installation package seems necessary since the MSI code changes, right? Can I use client.msi from the \\SITESERVER\sms_SITECODE\Client location instead of ccmsetup.msi from the installation media?
You can use auto client upgrade feature. To do this click on Administration > Site Configuration > Sites. Click on the Hierarchy Settings button on the top ribbon. Click Client Upgrade tab and check the box Upgrade all clients in the hierarchy using production client. Select the desired number of days you want your upgrade to be run and click OK. A schedule task will be created on the clients and run within the specified number of days.
I believe the computers have issues contacting the DC. Check the communication from client to DC.
I have also verified the DNS server details on each client and reviewed internet connectivity. All the computers joining the domain seem to be communicating fine.
I have followed the exact instructions but when I run gpupdate on my DC (running Server 2012 R2), it shows below error:
https://uploads.disquscdn.com/images/ae31f7c05a04d9a4789b1c3d420ab9c4823591d740f1f09290148db212e2dff8.jpg
Upon research on this issue on TechNet, I have tried changing the GP time to 30 sec, under Computer Configuration > Policies > Administrative Templates > System > Group Policy > Policy > Specify Startup policy processing wait time but this did not help.
Any suggestions on this?
Hi Prajwal,
I was testing this policy on 2 machines. I was fine on one but the second one was not taking it. It was giving an error of not excepting the group policy before logon sort of thing. How can I fix it?
Thanks
Hi Prajwal,
I need a bit of help. I want to deploy SCCM clients to a domain with a PowerShell script running through Group Policy. Can you please send a detailed document for that, including screenshots?
Regards
Hi Zia, i am working on another script. I will write a sccm client agent deployment script and will get back to you.
Hi Prajwal,
I have done this but I need help in deploying BitLocker, if you can please.
Ideally it should skip installing the clients if the computer has got client agents installed.
When I use the GPO method outlined here it works great…thank you. Once the client is installed, does the GPO skip devices that have the SCCM 2012 client installed or does it reinstall every time the GPO is applied?
Hello Prajwal Desai
I have an existing SCCM 2007 client installed across my production and I am installing SCCM 2012. Will this process overwrite the old client version? My 2012 SCCM is running on a W2K8 server and distributing to the Win7 platform. I have tried using the Client Push Installation and have found no joy with it; I followed it to the letter. So I have chosen this method, as it was what was used originally.
I have pondered over if I would need to run an uninstall first using the GPO then try running this process.
Hi dear
thanks for your instruction.
I have done everything in this post but the SCCM client does not install on the destination. Please guide me.
thanks
No, ConfigMgr does not uninstall the existing clients. There is no upgrade path from 2003 to 2012. What you can do is create a package in 2003 to uninstall and then install the 2012 client.
Why did you delete the system management container ? You should have uninstalled the clients before you decommissioned SCCM server.
The purpose of deleting the System Management container is that I wanted to come up with a new site code. I thought that ConfigMgr would uninstall the SMS 2003 Advanced Client.
Now I have the SMS Advanced Client installed on Windows 7 computers. I am not bothered about it unless it creates any problem with the ConfigMgr 2012 agent. I have changed the site code for ConfigMgr 2012. When I deploy ConfigMgr with the new site code, will it get deployed on Windows 7 computers that have the SMS Advanced Client?
when deploying gpo i have given these settings /mp=sccm.mydomain.com /logon SMSSITECODE=COD /source:”\sccmccmsetup_configmgr”
Is this the right approach?
Hello Mr prajwaldesai,
Thanks a lot for your support.
I have SMS 2003 installed and recently I have decommissioned it.
Now I am in the middle of the installation of SCCM 2012 R2.
My Windows 7 computers still have the SMS Advanced Client installed on them.
Does ConfigMgr uninstall the SMS Advanced Client?
I have changed the site code in SCCM 2012 R2; for that I have deleted the System Management container in the Active Directory schema and came up with a new site code. Will it create any issue in removing the SMS Advanced Client?
@JueRgen – I will test this in my lab once again and update the post.
Hi, I think there is still a typo in your GPO deployment.
You write …
” In our case I have used following installation command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL”
This seems not to work. After reading some other walkthroughs and TechNet, it should read:
SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL
You need to remove the ccmsetup.exe from the command line.
Jürgen
First of all I want to say what a great Blog you have setup here. It is very informative and you do a fantastic job in explaining what can be somewhat hard to follow and cryptic instructions from Microsoft on the subject. Now for my question, I am trying to deploy the client using the GPO method and I can see in the Resultant Set of Policies that it is running against the client I am testing. The problem I see is that my client is running Windows Server 2008 R2 and although I can see the CCMSETUP *32 policy running, it never completes. I think this issue has been touched on a little already in previous comments, but what I really need to find out is if a registry edit would be needed to help define the install against 64 bit machines as opposed to 32 bit ones. Also, exactly what that registry edit would be if needed. I see many references to the WOW6432Node key location online, but I am hoping for a better explanation. Many thanks again for your site.
Hi David did you check ccmsetup.log file ? can you post it here ? Else you can post it here :- https://www.prajwaldesai.com/support
Thanks,
for installing client in AD-Machine, Shall I add ClientInstall user to domain admins group ?
Yes that can be done.
Hi Prajwal,
Thanks for taking time in helping.
Kindly suggest, as I’m facing an error while installing the client on the machines, and the same in AD. I believe it’s a user account issue, which is what the logs say.
I’ve created a user in AD as ClientInstall, added the same to the SCCM Server local admins group, and given the same account in the client install settings.
Do we need to do any other setting for the ClientInstall account on the machine where we’re installing it?
Find the Log entries:
—> Failed to connect to \\VM-AD\admin$ using machine account (5) $$
—> ERROR: Failed to connect to the \\VM-AD\admin$ share using account ‘Machine Account’ $$
—> Trying each entry in the SMS Client Remote Installation account list~ $$
—> Attempting to connect to administrative share ‘\\192.168.2.21\admin$’ using account ‘MYLAB\ClientInstall’~ $$
—> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account MYLAB\ClientInstall (00000005) $$
—> Attempting to connect to administrative share ‘\\192.168.2.21\admin$’ using machine account.~ $$
—> Failed to connect to \\192.168.2.21\admin$ using machine account (5) $$
—> ERROR: Failed to connect to the \\192.168.2.21\admin$ share using account ‘Machine Account’ $$
—> ERROR: Unable to access target machine for request: “2097152001”, machine name: “VM-AD”, access denied or invalid network path. $$
Execute query exec [sp_CP_SetLastErrorCode] 2097152001, 5~ $$
Stored request “2097152001”, machine name “VM-AD”, in queue “Retry”. $$
Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097152001, 2~ $$
Execute query exec [sp_CP_SetLatest] 2097152001, N’03/13/2014 02:55:01′, 11~ $$
<======End request: "2097152001", machine name: "VM-AD". $$
The user account ClientInstall should have enough permissions to install client agent on the client machine, so the ClientInstall user account should be the member of local administrators group of the client machine.
I’ll check the rsop like you suggested, but I don’t understand why a GPO applies once on an OS, but if the machine name stays the same and the OS is reapplied the GPO fails to load. We are using MDT to re-image.
Thanks for the response!!
In the string of comments above, Steven asked why the GPO would not work a second time after the machine was re-imaged with a new OS. I tested the GPO on my lab system and the first time it worked fine, but when I re-imaged with a clean image and tested a second time, CCMSetup.msi would not kick off from the GPO. Is there some kind of flag to reset? Thanks
Did you check the rsop on the client machine ? If the policy applied is seen in rsop then the client should be installed.
HI,
I can not add the domain machine to SCCM 2012 devices. I need to deploy Endpoint Protection to my domain client machine.
Thanks
James
“I can not add the domain machine to SCCM 2012 devices” – Are you trying to say that you are unable to add the computer to the device collection?
I have tested it on an XP machine and it appears under the XP logo before you get to press CTRL ALT DEL, where you normally see applying computer settings…
It’s not a big deal since it’s not the popup I was told it was. I can live with it, please ignore 🙂 Thank you for the reply.
This GPO is working for installs but can it be made silent? My users are seeing an install popup for about 1 min prior to logging on with XP machines each time they sign in. I have this in the config line CCMSetup.exe SMSSITECODE=ORG FSP=server.domain.com MP=server.domain.com /logon
What kind of install popup ? Can you share more details.. The installation should happen in the background..
Yes Prajwal, rightly so; the ConfigMgrInstallation.adm appears but the ConfigMgrAssignment.adm does not appear in the configuration manager 2012 folder under administrative template.
Hi Prajwal, I am using Active Directory 2003 and SCCM 2012. I attempted adding the template but only one appeared (Client Deployment settings) under the templates. The other, although added, does not appear in the configuration manager 2012 folder under administrative template. Any reason why this is so?
Not really sure why the second template is not seen under administrative templates.. I haven’t tried this with AD 2003.. Is it that only the first template that you add is seen under administrative template ?
Will the /NoService tag work with this method? We are having an issue where without the noservice option the install fails.
Ideally it should work, but i have not tried this option yet. You need to check if the account with which the client installation happens must be configured with enough permissions so as to install the sccm client. I would recommend you to use an account which is a member of domain admins group for testing purpose.
It’s working now 🙂 I didn’t assign the GPO correctly. It was getting the user setting but not the computer setting. I added the test PC name to the “security filtering” on the GPO and it worked. Thank you for taking the time to help me and creating this helpful guide 🙂
No probs Leo..Thank you. 🙂
thanks for your help. I’ll create a fresh GPO and retest
No i do not see that folder
That means the policy has not been applied and the client package is not copied to the system. You can delete the existing policy and create a new one and check …
Prajwal, yes, the location is accessible from the XP machine. I have given everyone read/write access.
The client package is not getting copied from the source, do you see ccmsetup folder under \windows\ ?
I have this in the GPO settings: CCMSetup.exe SMSSITECODE=ORG FSP=server.domain.com MP=server.domain.com. Do I need to add the /source at the end pointing to the ccmsetup.exe?
I can see the GPO is applied in gpresult /v but I can’t see anything in rsop.msc. Nothing in the administrative templates relating to SCCM.
Nope, the command that you are using is the correct one. When you select the deployment method as “Assigned”, the software gets installed at the next logon. The source folder where ccmsetup.msi file is located, is it accessible from the XP machine ?
“command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=CCM.PRAJWAL.LOCAL” is this a typo on the MP? i have followed your guide and my test XP SP3 machine does not get the client installed. any ideas why? i have KB943729 installed on the test client
Yes, that was a typo and I have corrected it. On the test machine has the group policy been applied ? Check the rsop on client machine once.. You need to restart the windows XP machine once..
I discovered when reinstalling the OS on a existing machine which previously had a client installed, the client push doesn’t install.
Any idea why?
Hi Steve, when you do a client push on the client machine do you see a folder named ccmsetup ?? The folder path is \windows\ccmsetup
Can you give me any reason why I want to use Group Policy instead of Site-wide Push?
If you enable the site wide push then all the machines that are discovered will have the SCCM client installed. Pushing the client using group policy is one of the methods to install SCCM clients on systems. I just showed the steps on how you can deploy SCCM clients using GPO.