ConfigMgr 2007 Client Deployment: Software Update Point Based Installation

October 29, 2008

Today we will explore the new client deployment method offered in System Center Configuration Manager 2007 called Software Update Point Based Installation. This new method of client deployment has proven to be one of the easiest, most efficient, and reliable forms of client deployment. This topic has been covered by Richard Dixon, Sr. Systems Engineer at Microsoft, Details for obtaining 100% ConfigMgr Client Installation & Reach and by Kim Oppalfens, SMS MVP, Sccm 2007 client agent deployment using Software updates

Software update point based client installation publishes the Configuration Manager 2007 client to WSUS, in fact, the software update point in SCCM, as an additional mandatory software update. This method of client installation can be used to install the ConfigMgr 2007 client on computers that do not already have the client installed, or to upgrade existing ConfigMgr 2007 clients. In addition, if a client is uninstalled for any reason, the client will be reinstalled at the next Windows Update Agent scan. This ensures that your servers and workstations are always able to be managed by Configuration Manager.

To use software update point based installation, you must use the same WSUS server for both client installation and software updates. This server must be the active software update point in a primary site. For more info, check out How to Create and Configure an Active Software Update Point.

Requirements

• WSUS and a Software Update Point configured as an Active SUP
  This information is not covered in this post, however, here are some helpful links to assist you in getting your SCCM installation configured for Software Update Point client installation.
  • How to Install Windows Server Update Services 3.0
  • How to Add the Software Update Point Site Role to a Site System
  • How to Create and Configure an Active Software Update Point
• Group Policy Object to configure WSUS settings for clients
• Organizational Unit to link a Group Policy Object to
  • This OU will contain the computer objects you want to push the ConfigMgr clients to via the Software Update Point client installation
• Configuration Manager ADM Templates
  • Can be found on the ConfigMgr 2007 installation media in the "\TOOLS\ConfigMgrADMTemplates directory" (The latest ADM templates can be found in the same directory in extracted Service Pack installation directories)
  • These templates allow you to provision site assignment and client installation properties that will be located in the registry prior to the client being installed.

Overview

Here is a high level overview of what you must complete to deploy clients via Software Update Point Based Installation. It’s actually quite simple.

1. Configure the Windows Update GPO
2. Configure Client Assignment and Installation Properties GPO (this is optional, I’ll explain why later)
3. Publish the ConfigMgr 2007 client to the Software Update Point (WSUS)

Yes, that’s it! We’ll add one more step to this, but that is only to verify our configuration and test a deployment on a pilot machine.

Configure Windows Update Group Policy Object

This step will configure the WSUS URL that clients will use to contact the Software Update Point and install the ConfigMgr 2007 client. It is important that the WSUS server is the same WSUS server used as the Configuration Manager Software Update Point, and that the SUP is configured as the Active Software Update Point. View the links in the Requirements section above for more information on how to do this.

Ensure there are no other GPO’s that configure WSUS settings that are applied to the clients. If clients receive policies from multiple GPO’s that configure WSUS settings, the client will generate GPO Policy Conflicts and will not be able to install the client via Software Updates. This could adversely affect the application of Software Updates via Configuration Manager.

• Create a new GPO and link it to the OU that contains the computer objects you wish to deploy the ConfigMgr client to.
• Navigate to Computer Configuration > Windows Components >Windows Update
• Configure the following options
  • Specify intranet Microsoft update service location
  • Configure Automatic Updates (optional)
• Set the intranet update service for detecting updates notes
  • Use an FQDN if configured, if not, use the NetBIOS name
  • You will need to prepend http:// and append the port number that WSUS is configured to use (80 or 8530 in Configuration Manager deployments)
  • To verify the port number WSUS is running on, reference the IIS Admin console and look at the properties of the WSUS web site Example: http://WSUSServer.domain.com:80

  • Set the intranet statistics server to the same value unless the statistics server is located elsewhere. Use same format as above.

    

• OPTIONAL CONFIGURATION: Configure Automatic Updates
  • This is an optional configuration and is not required to install clients. By default, a scan will run at 3:00am everyday. To override this default option, configure the following:
  • Configure automatic updating: 4-Auto download and schedule the installation

  • Set the Schedule install day and Scheduled install time value

    

Verifying the settings on the client

• Remember this is a computer configuration GPO and will only apply to computer objects in the OU and child OU’s that the GPO is linked to.
• On the client, open up a command prompt and run the command gpupdate /force
• Open the Registry Editor (Start –> Run –> regedit.exe) and navigate to the following key:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  • Verify the following keys and values are created:
    

    Key	Value
    WUServer	<http://WSUSServer.domain.com:80&gt;
    WUStatusServer	<http://WSUSServer.domain.com:80&gt;

Configure Client Assignment and Installation settings via Group Policy

If you have not extended the Active Directory schema, or you wish to assign client installation properties via Group Policy to ensure that clients not able to query Active Directory for site assignment information, you can use Windows Group Policy to provision client installation settings to computers in your site. These settings will automatically be applied to any software update point based client installations.

Additionally, it is useful to use the Client Assignment Group Policy template as a method to ensure that your clients are always assigned to the appropriate site. If a client unexpectedly is assigned to another site, Group Policy will override this setting and assign the client to it’s correct site.

Importing the templates

• Locate the ADM Templates in the following directory of the ConfigMgr 2007 installation media: "\TOOLS\ConfigMgrADMTemplates” directory (The latest ADM templates can be found in the same directory in extracted Service Pack installation directories)
• Import the Templates in Group Policy by opening the Group Policy Object Editor, expanding Computer Configuration, right-clicking Administrative Templates and choosing Add/Remove Templates. Click Add and browse for the ConfigMgr 2007 ADM templates.
• The templates will be imported into Computer Configuration –> Administrative Templates –> Configuration Manager 2007 –> Configuration Manager 2007 Client

If you cannot see the properties of the imported administrative template, this might be because the filtering options for your Group Policy editor are preventing these from being displayed. Specify less restrictive filter options to display these properties. For instance, in the Filtering options dialog box of the Windows Group Policy Object Editor, clear the checkbox Only show policy settings that can be fully managed.

Configure Client Assignment

This policy configures site assignment for Configuration Manager 2007 clients. The Site Assignement Retry Interval (Mins) specifies how frequently the client attempts to assign to the site. The Site Assignment Retry Duration (Hours) specifies how long the client attempts to assign to the site before failing. Additional information can be found at How to Assign Configuration Manager Clients to a Site

• Open the Configure Configuration Manager 2007 Site Assignment Properties dialog.
• Click Enabled
• Type the site code you wish to assign in the Assigned Site text box
• Site Assignment Retry Interval: How often the Group Policy setting will activate and check site assignment

• Site Assignment Retry Duration: How long a client will attempt to reassign until successful or until it is reassigned to the site code specified in the GPO.

  

   

Verifying client settings

You can check the following settings in the registry on the client to verify the GPO applied successfully: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client. You may need to run the command gpupdate /force on the local client to see this policy take effect immediately.

• GPRequestedSiteAssignmentCode = <your site code>
• GPSiteAssignmentRetryDuration(Hour) = <Retry Duration (hours)
• GPSiteAssignmentRetryInterval(Min) = <Retry Interval>

Configure Client Installation Properties

Enabling this policy supercedes the client deployment properties configured in the Configuration Manager console under Client Push Installation and uses Group Policy to configure client deployment properties. For more information on assigning client properties using Group Policy, see How to Provision Configuration Manager Client Installation Properties using Group Policy.

For more information on client installation properties, please see About Configuration Manager Client Installation Properties.

• Open the Configure Configuration Manager 2007 Client Deployment Settings dialog.
• Click Enabled

• Type the Client Installation Properties that you want CCMSetup to use when installing the client.

  

When CCMSetup is run from the command line without any installation properties, it will query the registry for these settings first, then will attempt to query Active Directory.

Verifying client settings

You can check the following settings in the registry on the client to verify the GPO applied successfully: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ccmsetup. You may need to run the command gpupdate /force on the local client to see this policy take effect immediately.

• SetupParameters = <client installation properties>

Publish the Configuration Manager 2007 client to the WSUS server

• In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Client Installation Methods.
• Right-click Software Update Point Client Installation, and click Properties.
• To enable client installation, select the Enable Software Update Point Client Installation check box.

• If the client software on the Configuration Manager 2007 site server is a later version than the client version stored on the software update point, the Upgrade Client Package Version dialog box will open. Click Yes to publish the most recent version of the client software to the software update point.

  

Verifying publishing is successful to the Software Update Point

1. To verify the latest version of the ConfigMgr client has been published to WSUS, look for the following entry in the ConfigMgr log file called WCM.log (located in <SCCM install dir>\Logs\WCM.log)
   1. successfully published client with id <GUID> and version <Version of client>
   2. Example: successfully published client with id a331d4c8-8ba4-4791-a35f-9fa475a7a0d4 and version 4.00.6221.1000
   3. The version can be compared to the version that is listed in the Software Update Point Client Installation dialog in the ConfigMgr Console
   4. Client Versions: RTM – 4.00.5931, SP1 – 4.00.6221

Beginning Client Installation

Client installation will begin when the next scheduled scan starts on client machines. The default value is every day at 3:00AM, however, this may be different if you have configured the Configure Automatic Updates Group Policy setting covered in the Configure Windows Update Group Policy Object above. This section will help you force the Windows Update Agent scan and verify the install is successful. This is useful in a test installation or pilot deployment.

you can force the scan by running the following command on the client machine:

wuauclt.exe /detectnow

• To verify wuauclt.exe is running, view the process in Task Manager (Ctrl+Shift+Esc)
• If there are no preceding updates, the Configuration Manager install should start within several minutes.
• You can verify the install has started by viewing the Task Manager and looking for the running process ccmsetup.exe
• Also, the following directory is created when the ConfigMgr setup initiates: %windir%\System32\ccmsetup
• Event Viewer logs entries are written by the Windows Update agent

Source: Windows Update Agent Category: Installation Event ID: 18
Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Tuesday, October 28, 2008 at 5:05 PM: – Configuration Manager Client Installation

Source: Windows Update Agent Category: Installation Event ID: 19
Installation Successful: Windows successfully installed the following update: Configuration Manager Client Installation

Verifying a successful installation

• CCMSetup logs provide more details on the status of the client installation
• They can be viewed at %windir%\ccmsetup\ccmsetup.log
• Use a log parser like trace32.exe available in the Configuration Manager Toolkit or the SMS 2003 2 toolkit
• Look for the log entry called "Installation succeeded"
• You can view what installation properties were used for the install by looking for the log entry:
  • "MSI PROPERTIES are"
  • Example: MSI PROPERTIES are SMSSITECODE=<Site_Code> SMSSLP=<SMS_SLP> CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="0" CCMFIRSTCERT="0" INSTALL=ALL
• These installation properties are found by the client querying AD. If your machines aren’t able to query AD, or you want set these ahead of time, you can provision them by using GPO ADM templates covered in the section Configure Client Assignment and Installation settings via Group Policy above.
• It is important to note this installation method requires that Site Boundaries are created and that the client being installed fall within the site boundary entries. When a client queries AD, it uses Site Boundaries to determine which site to connect to. In order to bypass this requirement, provision client installation properties ahead of time using Group Policy.
• You can verify the client was successfully installed by opening the Configuration Manager applet in Control Panel and checking the settings. You will see the Assigned Site and Management Point the client is using.

On Windows XP machines, BITS 2.5 is a pre-requisite to install the ConfigMgr clients. If BITS 2.5 is not installed, it will be installed automatically during the ConfigMgr setup routine. This may reboot clients automatically, then start the ConfigMgr installation. If BITS 2.5 is pre-installed, the ConfigMgr installation will not require a reboot. If a restart for computers without BITS 2.5 is not desired, pre-deploy BITS 2.5 before the Configuration Manager client installation