SCCM 2012 part 3, client configuration.
In my previous post, we configured some server roles, created boundaries, imported users and computers, and we checked that the installed server roles actually worked
Now we are going to go trough the Client Policy settings, create a new dynamic collection for Windows 8, and distribute a client (Manually and via the console )
Remember that you can have multiple client settings, since we are going to create a new dynamic collection, we can click the button on the top menu called Create Custom Client Device Settings, in pop-up window that appears we have the option to choose what we want this new policy to include. So if we don’t choose for instance “Network Access Protection” , that client will then get the “Network Access Protection” info from the Default client settings.
But you can also see that the Default Client Settings has a priority of 10 000, so If I were to create a NAP policy which has the priority of 10, then that policy would override the default one.
So lets create that custom policy
Which will have these settings, (For best practices give it a unique name and give it a good description )
We can start by looking at the Client Policy, this is were you define how often the client should do a policy refresh against the site ( As you can see its 60 min by default, and on internet facing clients it is disabled until they are back on the lan ) Im going to tune that down to 15 min (Since this site will only have a few clients ) Remember that by lowering this will cause a large increase on data to your site so don’t overdo it!
Next we go to the Compliance Settings (Which basically just says if the clients so run baselines and return with a compliance (we will get back to that later) By default this is set to true so we will leave it at that,
Next is Computer Agent, most of the Client settings are put here. Here we define our Deployment deadlines, and we define the URL of the application catalog (Since this is already installed on the same server, I’ve just set that to automatically detect, and remember to set the “add default app…. to trusted sites” to True so you don’t encounter any issues regarding the portal. And If you want the users to have permission to install software we set that value to true.
Now next to computer restart, just leave that to the default.
And then Endpoint protection.
As you can see here, the options are greyed out… Why ?
Because we forgot to install the Endpoint protection rule, so we have to install that after, but lets finish the policy first.
(Then we will go back and alter the Endpoint policies ) Hardware inventory this is enabled by default, but we should double-check and se if we want it to report more or less. So push on the “Set classes” The list that you see here is what the ConfigMgr agent will report back to the site regarding hardware.
So if you want the Agent to report more regarding hardware just mark the class you want info on. In my case I want the agent to report back if it has a TPM (Trusted Platform Module) chip so I mark that and press OK.
Next we have power management, which basically does is enable power management on the client. And/Or allows your users to exclude their clients from power management.
We will get back to that later. So let this stay at the default, so we go into Remote Tools.
By default you have the option to activate Remote Desktop, Remote Assistance and something called
Remote Control (This only works when the clients are connected to the site, so it won’t work on
internet facing clients since it needs Kerberos, but if you are using Direct Access it will work)
But lets start with the first option, enabling Remote Control.
Next I add myself as a Remotr control and Remote Assitance viewer and change any other settings I wish.
Software inventory, enables the agent to collect information about software installed on the clients.
Here you decide which type of files the agent should get info about, I’m going to just include .exe files here
since this covers most of the applications that I want.
Software Metering, allows you to monitor the usage of specific application. Which is useful if you have
concurrent license usage. This option just enables software metering on clients.
Now that we have gone trough the policy settings, click OK and we get back to the Console.
We see that the policy has the priority of 1, but it needs to be deployed to a collection of
computers before it is actually used.
So now we can go to create the dynamic computer collection.
Since we want a collection that includes ONLY Windows 7 computers, go into Assets and Compliance ->
Device Collection -> there you have the option to create a new device collection.
So Give it a name and choose a limiting collection (This means that the query will run on the limiting collection and say “Hey windows 7 computers I want you to join my collection as well”)
Click next, and here is were we choose a query rule.
In the query rule , we can enter this query.
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from sms_r_system where OperatingSystemNameandVersion like ‘%Workstation 6%’
So now it looks like this
Tthis query will only include workstation computers that have version 6%. FYI you have tons of options regarding queries here. You can for instance, create a dynamic collection that checks if the client has Office installed, if it hasn’t it will join that collection you create and you can have office as a required software deployment for that collection, and when the application is installed and the next time the query is run the computer is going to be removed from that collection.
Now we can just finish the Query wizard, and create the collection. So now we turn to the client. We can install the client manually, group policy, push install via console. For this demo we are going to use the client push.
I just want to include that if you are going to install the client manually you have a lot of parameters available.
You can see all the switch parameters for the setup here –> http://technet.microsoft.com/en-us/library/cc181242.aspx
For instance if you haven’t expanded the AD schema with the SCCM update, you will need to add the parameter ccmsetup.exe /MP:10.0.0.0(IP) SMSSITECODE=TST (If you set the SMSSITECODE=AUTO) It will try to get the site code from AD.
So ill just add my Windows 7 computer to the domain, and the AD sync will automatically add it to the SITE. As you can see it appears in the collection.
It also says Site code = TST even thou I haven’t installed the client yet, why ?
Because this computer is part of the TST boundary. Now before we install we need to install the Endpoint protection role.
So go to the administration –> Servers and site system roles –> right click on your primary server and choose add site system role. Then we choose the Endpoint protection role. this time we can continue with the setup.
Basically just accept the terms, choose “Do not join MAPS” , next , next finish. We go back to the Client policy settings we created and alter the “Endpoint Protection settings.” Choose enable on the “Manage endpoint protection client” and leave the rest to default, and choose OK.
Now, go back to the collection, right click on the client and choose install client.
Mark the last part, next , next , finish.
But since it doesn’t have admin access on that computer we have to give it that.
After we done that, try installing the agent again.
Now when you’ve done that, open task manager and choose processes on the client.
You can now see that its trying to install the agent.
If you want to check the progress, there are some setup logs created in the C:\windows\ccmsetup folder.
ccmsetup.log and client.msi.log
When the installation is complete you will get a new application called Software center in your start menu.
And a new option in the control panel called, Configuration Manager Properties.
Since this just recently finished installing not all the configuration items are displaying yet (will cover that in my next post) But you can see that my agent is now connected to the MP Configmgr.test.local and assigned to the site TST.
And is now appearing in my ConfigrMgr console as active.
Posted on april 17, 2012, in Uncategorized and tagged client configuration sccm 2012, client install sccm 2012, configmgr2012, custom client policy settings, sccm. Bookmark the permalink. 4 kommentarer.