SCCM Configmgr 2012: Manage Workgroup Computers for Deployment, Remote Tools, etc.


In my earlier post, we saw how to manage workgroup computers using SCCM Configmgr 2007: http://www.windows-noob.com/forums/index.php?/topic/2029-managing-workgroup-computers-in-sccm-sms-environment/

In this blog post, we are going to see how to manage workgroup/DMZ computers using SCCM Configmgr 2012. This procedure involves working with the lmhosts and hosts files on workgroup machines.

For some reason, I find that the TechNet library is not so clear on how to manage workgroup computers (http://technet.microsoft.com/en-us/library/bb680962.aspx). The TechNet document just illustrates the overall procedure, but not in detail.

Before we jump into the details of updating lmhosts and other files, let's have a look at workgroup limitations, site assignment, approval, etc.

There are some limitations when managing workgroup computers, listed below:

Limitations:

  • Workgroup clients cannot locate management points from AD and instead we must use DNS, WINS or another Management Point.

  • Global Roaming is not supported because clients cannot query AD for site information.

  • AD discovery cannot discover computers in workgroups.

  • You cannot deploy software to users of Workgroup computers.

  • You cannot use client push installation method to install client on workgroup computers.

  • Workgroup clients cannot use Kerberos for authentication so might require manual approval.

  • Workgroup client cannot be configured as a Distribution Point. SCCM 2012 requires that distribution point computer be members of a Domain.

 Site Assignment:

  • After you install the Client, it must join a configmgr primary site before it can be managed. The site that a client joined is referred to as its assigned site.

  • Clients cannot be assigned to CAS or secondary Site.

  • A client is considered to be unmanaged when it is installed but not assigned to a site or is assigned to a site but cannot communicate with a management Point.

Manual Vs. Auto assignment:

  • Auto assignment will not work for workgroup clients

  • To manually assign the workgroup clients SMSSITECODE installation property must be used

  • Ccmsetup.exe SMSSITECODE=PRI SMSMP=cm12pri.eskonr.com

  • Use SMSMP property to specify management point or use DNSSUFFIX for the clients to automatically locate MP from DNS.

  • Ccmsetup.exe SMSSITECODE=PRI DNSSUFFIX=eskonr.com

Client approval:

  • You can either choose to approve all automatically (not recommended) or manually approve each workgroup client from site setting properties.

Software/Application deployment to Workgroup clients:

  • Setup Network Access Account

  • If boundaries and boundary groups are configured properly clients can automatically locate Distribution Points.

  • If boundaries and boundary groups are not configured, you should set up the deployment option.

  • Package properties: Deployment option: download content from DP and run locally, which means all these clients will fall under SLOW.

Note: The above information is taken from a session by Taj Mohammed (Microsoft).

Before installing the SCCM client on workgroup machines, we need to do some configuration on the workgroup/DMZ computer.

If you have managed to get a workgroup computer working with SCCM 2007, you may find the steps in this blog post more or less the same.

Do the steps below on the workgroup machine.

Disable the firewall or, if you don't want to disable it, allow the required ports listed at http://technet.microsoft.com/en-us/library/hh427328.aspx (mainly the ccmhttp and WSUS ports, added to the inbound rules).

Work with the network team to get the required ports opened for communication between the client and the SCCM server (management point, which could be the primary MP or a secondary MP, and SUP), and the DP and FSP (if you are running them on a different server).

Go to Control Panel --> Network Connections --> Local Area Network.
Select Internet Protocol (TCP/IP) and click Properties, then click Advanced and go to the DNS tab.
Add the DNS suffix.

Next to the DNS tab, on the WINS tab, select 'Enable NetBIOS over TCP/IP'.

Next, go to C:\Windows\System32\drivers\etc.

Open the lmhosts file with admin rights using Notepad.

Copy the lines below into the lmhosts file:

192.168.1.10 SGCMCEN                        #PRE
192.168.1.10 "MP_PRI         \0x1A"      #PRE 

Where SGCMCEN is the SCCM primary site name and PRI is the site code.

Make sure you have 20 characters (including blank spaces) between the quotes.

Note: I am not adding SLP entries to the lmhosts file, since the SLP is integrated into the management point in CM12.

Save the file as "lmhosts" in C:\Windows\System32\drivers\etc.
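
The 20-character rule above, as an added example that is not part of the original post: the PowerShell functions below (hypothetical names) build the management point entry from a site code and check an existing lmhosts line, including whether it still points at the expected management point IP. The IP address and site code are the sample values used in this post.

```powershell
# Added example; function names are hypothetical, not part of ConfigMgr.
function New-LmhostsMpEntry {
    param(
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$SiteCode
    )
    $name = "MP_$SiteCode"
    if ($name.Length -gt 15) { throw "'$name' is longer than 15 characters" }
    # 15 padded name characters + the 5 characters of \0x1A = 20 between the quotes.
    $quoted = $name.PadRight(15) + '\0x1A'
    '{0} "{1}" #PRE' -f $IPAddress, $quoted
}

function Test-LmhostsMpEntry {
    param(
        [Parameter(Mandatory=$true)][string]$Line,
        [Parameter(Mandatory=$true)][string]$ExpectedIP
    )
    $problems = @()
    if ($Line -match '^\s*(?<ip>\S+)\s+"(?<name>[^"]*)"\s+#PRE\b') {
        $ip = $Matches['ip']
        $name = $Matches['name']
        if ($name.Length -ne 20) {
            $problems += "quoted name has $($name.Length) characters, expected 20"
        }
        if ($name -notmatch '\\0x1A$') {
            $problems += 'quoted name does not end in \0x1A'
        }
        if ($ip -ne $ExpectedIP) {
            $problems += "IP $ip is not the expected management point IP $ExpectedIP"
        }
    } else {
        $problems += 'not a quoted #PRE entry'
    }
    $problems   # empty when the line is well formed and points at the expected IP
}

# Sample values from the post: a generated entry passes the check.
$entry = New-LmhostsMpEntry -IPAddress '192.168.1.10' -SiteCode 'PRI'
Test-LmhostsMpEntry -Line $entry -ExpectedIP '192.168.1.10'

# Constructed bad line: one padding space short, so only 19 characters.
$short = '192.168.1.10 "' + 'MP_PRI'.PadRight(14) + '\0x1A" #PRE'
Test-LmhostsMpEntry -Line $short -ExpectedIP '192.168.1.10'
```

To audit a machine, pipe the quoted lines of its lmhosts file through Test-LmhostsMpEntry; an unexpected IP in a #PRE entry means the client would resolve the management point to a different host.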

Note: If you have name resolution issues, you need to add the management point and distribution point information to the hosts file. The entries look like the ones below:

10.64.152.53    sgcmcen     sgcmcen.cm12lab.com

10.64.144.146   sgcmdp1  sgcmdp1.cm12lab.com

Next, purge and preload the remote cache name table. To do this, open cmd with admin rights again and run the commands below:

nbtstat -R

nbtstat -c

You can see that the changes are loaded into the cache.

Next, make sure there is a local administrator account for remote control using SCCM 2012. If you do not have this account, remote control will not work.

Now we are done with the required changes for the client installation.

Copy the SCCM client installation files to a local drive on the workgroup machine.

Run the command prompt with local admin rights.

Use the command below to install the SCCM client on your workgroup computer:

ccmsetup.exe /source:C:\client SMSSITECODE=PRI SMSMP=sgcmcen.cm12lab.com DNSSUFFIX=cm12lab.com

Monitor ccmsetup.log in C:\Windows\ccmsetup\Logs.

Notice from ccmsetup.log that the installation has completed.

Let's look at the Configuration Manager applet in Control Panel.

Go to the Site tab and try to discover the site to see whether it works.

Look at the Actions tab to see whether all the agents are loaded.

Only 2 actions are loaded, because the client is not approved in SCCM yet. (By default, the site is set to approve clients in trusted domains.)

Go back to the Configuration Manager console, open Assets and Compliance, then Devices, search for the computer, and approve it.

Right-click the computer and approve it.

Go back to the client and check whether you now see more than 2 actions.

If the client has issues appearing in the console, check ClientIDManagerStartup.log, ClientLocation.log and LocationServices.log.

So far we have seen how the workgroup SCCM client is able to communicate with the MP, get policies, etc.

Now let's see whether application deployment, remote tools and other functions work.

Create a simple application or, if you already have one, deploy it to the workgroup computer.

Note: Make sure you have configured the Network Access Account so that the workgroup computer can access resources from the domain.

I deployed the 7zip application and it appears in Software Center.

Run the installation.

You can see that it ran successfully.

In the same way, you can also deploy software updates, packages and anything else you can.

What next? Remote control.

For this to work, you need to add the workgroup computer's IP address and hostname to the hosts file on your SCCM server (C:\windows\system32\drivers\etc\hosts).

After you do this, try to remote control the workgroup computer from the SCCM console. You get a prompt for authentication, since domain credentials won't work.

Enter workgroup hostname\administrator and the password.

Note: If your local administrator account is disabled for other reasons, use an account which has local admin rights on the workgroup computer.

Note: By default, on Windows 7 and later operating systems, the GPO setting is set to "Classic - local users authenticate as themselves".

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options-->Network access: Sharing and security model for local accounts

On the workgroup computer, you see a prompt asking for permission; you can change the client agent settings so that user permission is not requested.

Update: If you are trying to manage Windows XP workgroup computers, the GPO setting is not set to Classic by default, and you need to change it manually or via scripting; otherwise you keep getting prompted for a password that never works.
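
Checking and changing this setting by script, as an added example that is not part of the original post. It assumes the policy is backed by the ForceGuest value under the Lsa registry key (0 = Classic, 1 = Guest only); the function names are hypothetical.

```powershell
# Added example; function names are hypothetical.
# Assumption: "Network access: Sharing and security model for local accounts"
# is stored as the DWORD ForceGuest under this key (0 = Classic, 1 = Guest only).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LocalAccountSharingModel {
    $prop = Get-ItemProperty -Path $LsaKey -Name ForceGuest -ErrorAction SilentlyContinue
    $value = $prop.ForceGuest
    if ($null -eq $value) { 'NotConfigured' }   # value absent from the registry
    elseif ($value -eq 0) { 'Classic' }         # local users authenticate as themselves
    else                  { 'GuestOnly' }       # network logons are mapped to Guest
}

function Set-ClassicSharingModel {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    if ((Get-LocalAccountSharingModel) -eq 'Classic') {
        return 'Classic'                        # nothing to change
    }
    # -WhatIf shows the change without writing to the registry.
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set ForceGuest to 0 (Classic)')) {
        Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value 0 -Type DWord
    }
    Get-LocalAccountSharingModel                # report the resulting state
}

# Report the current model; run from an elevated prompt to change it.
Get-LocalAccountSharingModel
Set-ClassicSharingModel -WhatIf
```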

Thanks to Niall for finding the GPO setting on WinXP computers.

Hope it helps!

Reprinted from: http://eskonr.com/2013/08/sccm-configmgr-2012-manage-workgroup-computers-for-deploymentremote-tools-etc/
