
Managing Workgroup (Non-Domain) Clients With Configuration Manager

If you’re using Configuration Manager to manage clients then chances are you have the Client Access Licenses (CALs) to join them to the domain.  However, for reasons that fall along the full spectrum of rational thought you may choose not to.  Whether or not Configuration Manager can manage workgroup devices is a question that comes up fairly often on the TechNet forums, Reddit, Slack, what-have-you.  For the most part, Configuration Manager just doesn’t care whether your device is domain joined or not.  Like all things, however, there are exceptions to that rule and I will attempt to explain them all here.  If I miss something, let me know and I’ll add it.

Network Access Accounts

Microsoft Doc:  Manage accounts to access content in System Center Configuration Manager

One of the critical differences between workgroup and domain clients is how they authenticate, particularly how they authenticate to the distribution points (DPs) when they need to download content.  Every client will first attempt to authenticate with its local computer account.  Since workgroup clients don’t have an Active Directory (AD) object, that will always fail.  The client then retries with the Network Access Account (NAA).  If you have DPs in multiple domains that don’t all trust each other you will need multiple NAAs.  The client will cycle through them until one of them successfully authenticates to the DP it is trying to reach.  To set up your NAAs refer to the Microsoft documentation linked above.

The Network Access Accounts are sent to the clients as part of their machine policy and are stored ‘encrypted’ in a WMI class.  There are two implications of this.  First, your NAAs should be true service accounts that are prevented from interactive logins to your domain devices.  Do not trust whatever ‘encryption’ Configuration Manager uses to safeguard the NAA credentials.  Second, you don’t really ever want to change the NAA’s password.  Such a change would be nearly instantaneous for the domain controllers (replication notwithstanding) but take hours for all your clients to receive once you’ve updated the account in the console.  During this time they’ll be attempting to authenticate with the old, invalid password and will quickly lock out the NAA.  If you need to change the password then simply create a whole new NAA, add it in Configuration Manager, and remove the original a day or two later.

When using Network Access Accounts you’ll eventually need to troubleshoot them.  The easiest thing I’ve found to do is to grab a content URL from LocationServices.log and try to reach it.  On a domain-joined device you should just be able to download without a problem.  On a workgroup device you will be prompted for credentials.  Use the NAA account and verify that you can download the package data.  If you can’t, figure out why using normal IIS troubleshooting steps for permission issues.
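The manual check described above, scripted, as an added example that is not part of the original post: it pulls every content URL out of LocationServices.log on the workgroup client and requests each one with the NAA, reporting the HTTP status so you can tell an IIS authentication failure from a missing-permission or missing-content problem. The log path is the default client log folder and the NAA is prompted for interactively; both are assumptions.

```powershell
# Added example (not from the original post): test Network Access Account
# access to every content URL a workgroup client has logged.
# Assumptions: default client log path; NAA entered as DOMAIN\user at the prompt.
param(
    [string]$LogPath = 'C:\Windows\CCM\Logs\LocationServices.log',
    [pscredential]$NetworkAccessAccount = (Get-Credential -Message 'Network Access Account (DOMAIN\user)')
)

# Content URLs in the log look like http://dp01.contoso.com/SMS_DP_SMSPKG$/ABC00001.
# The pattern is deliberately loose: anything http(s) up to a quote, bracket or space.
$urlPattern = [regex]'https?://[^\s''"\]<>]+'

function Get-ContentUrl {
    param([string]$Path)
    $urls = foreach ($line in Get-Content -Path $Path) {
        foreach ($m in $urlPattern.Matches($line)) { $m.Value }
    }
    $urls | Sort-Object -Unique
}

function Test-ContentUrl {
    param([string]$Url, [pscredential]$Credential)
    try {
        # A workgroup device has no machine account IIS will accept, so the
        # request is made with the NAA, exactly as the client itself falls back to.
        $r = Invoke-WebRequest -Uri $Url -Credential $Credential -UseBasicParsing -TimeoutSec 30
        [pscustomobject]@{ Url = $Url; Status = $r.StatusCode; Result = 'OK' }
    } catch {
        # 401: IIS rejected the NAA (wrong password, locked out, anonymous only)
        # 403: account accepted but no read permission on the package folder
        # 404: content was never distributed to this DP
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Url = $Url; Status = $code; Result = $_.Exception.Message }
    }
}

Get-ContentUrl -Path $LogPath |
    ForEach-Object { Test-ContentUrl -Url $_ -Credential $NetworkAccessAccount } |
    Format-Table -AutoSize
```

A run that shows 401 on every DP points at the account itself (the lockout scenario from the previous section), while 403 on a single DP is the usual NTFS or IIS permission problem on that server.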

Installing the Client

Microsoft Doc:  How to install clients on workgroup computers

Client installation is one of the places where workgroup devices are most limited.  All of the limitations are listed in the documentation linked above but here are the two key points of interest:

  • Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point.
  • You cannot use the client push installation method to install the client on workgroup computers.

What this basically means is that you are going to have to figure out some way of deploying the client outside of Configuration Manager.  So hopefully you have some existing deployment solution, otherwise you’re using sneakernet.  Also, clients are going to need help figuring out what Management Point to talk to in order to join your site.  There are a few ways to accomplish this but the two I recommend are DNS or command line parameters.

Locate Management Points via DNS

Microsoft Docs: How to configure client computers to find management points by using DNS publishing

The first option is to have your clients query DNS for their Management Points (see the documentation linked above).  For that to work you will of course need to actually publish that information to DNS, as that documentation describes.  Once that’s in place you can use the DNSSUFFIX install parameter to tell the client which suffix to search for Management Points:

CCMSetup.exe DNSSUFFIX=contoso.com

Specify Management Point via Installation Parameters

Microsoft Docs:  About client installation properties

My preferred method is to simply tell the installer what Management Point to contact using installation parameters.  There are two properties for Management Points, which can be confusing.  The first, simply /MP, tells the installer which Management Point to contact to locate the installation files.  The MP will provide a list of DPs and if the client fails to get the data from the DPs it will eventually fall back and download directly from the MP.  Multiple MPs can be listed here by separating them with semicolons.  You can skip this if you’ve included all of the source files as part of your installer package.  The second parameter, SMSMP, tells the newly installed client what MP to initially connect to.  It will reach out to this single MP and get the list of MPs available.  So your install command line will look a little like this:

CCMSetup.exe /mp:smsmp01.contoso.com SMSMP=smsmp01.contoso.com

Site Assignment

Once a client is installed and talking to a management point it must decide what site it will join.  Similar to Management Points, there are two ways to do this.

Automatic Site Assignment via Boundary Groups

Microsoft Docs:  How to assign clients to a site

The first option for assigning workgroup devices to a site is to use your boundary groups.  Since by definition workgroup devices aren’t joined to Active Directory Sites you’re going to have to use IP Subnet or Range boundaries for this.  When using automatic assignment the clients will install, discover the Management Point, and then assign themselves to the site defined for the Boundary Group they are a member of.  Remember, when using Boundary Groups for site assignment you may not overlap them.

Manually Assign Site via Installation Parameter

Call me a control freak, but again my preference is to simply assign the site as part of the client installation.  To do so you specify the three-character site code using the SMSSITECODE parameter, which looks a lot like this:

CCMSetup.exe SMSSITECODE=XZY

Putting It All Together: Installation Parameters

If you choose to go the installation parameter route you’ll end up with something like this:

CCMSetup.exe /mp:smsmp01.contoso.com SMSMP=smsmp01.contoso.com SMSSITECODE=XZY
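A wrapper for that command line, as an added example and not part of the original post: it runs the install with the parameters above, waits for CCMSetup to actually finish (the launcher process returns before the service does the work), reads the result from ccmsetup.log, and then asks the client’s own WMI which site and MP it ended up with, so a mis-typed site code or an unreachable MP fails loudly instead of leaving an unassigned client. The MP name and site code are the post’s placeholders, and the ccmsetup.exe path is wherever your deployment tool staged the files; both are assumptions.

```powershell
# Added example (not from the original post): install the client with the
# post's parameters and verify the resulting site assignment from the client side.
# Assumed values: smsmp01.contoso.com, site code XZY, staged installer path.
param(
    [string]$SetupPath = 'C:\Temp\Client\ccmsetup.exe',
    [string]$ManagementPoint = 'smsmp01.contoso.com',
    [string]$SiteCode = 'XZY'
)

# Same command line as the post: /mp for the installer's source, SMSMP for the
# installed client's first MP, SMSSITECODE to bypass automatic site assignment.
$arguments = "/mp:$ManagementPoint SMSMP=$ManagementPoint SMSSITECODE=$SiteCode"
Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait

# ccmsetup.exe hands off to the ccmsetup service and exits almost immediately,
# so poll until no ccmsetup process is left rather than trusting -Wait alone.
while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 15 }

function Get-CcmSetupResult {
    # ccmsetup.log ends with "CcmSetup is exiting with return code N";
    # 0 is success and 7 means a reboot is required to finish.
    $line = Get-Content 'C:\Windows\ccmsetup\Logs\ccmsetup.log' |
        Select-String 'CcmSetup is exiting with return code (\d+)' |
        Select-Object -Last 1
    if ($line) { [int]$line.Matches[0].Groups[1].Value } else { -1 }
}

function Get-ClientAssignment {
    # SMS_Client.GetAssignedSite and SMS_Authority are the client-side WMI
    # surfaces for "which site and MP did I end up with".
    $client = [wmiclass]'root\ccm:SMS_Client'
    $authority = Get-WmiObject -Namespace root\ccm -Class SMS_Authority
    [pscustomobject]@{
        AssignedSite    = $client.GetAssignedSite().sSiteCode
        ManagementPoint = $authority.CurrentManagementPoint
    }
}

$rc = Get-CcmSetupResult
$assignment = Get-ClientAssignment
if (($rc -ne 0 -and $rc -ne 7) -or $assignment.AssignedSite -ne $SiteCode) {
    throw "Client install or assignment failed: return code $rc, assigned site '$($assignment.AssignedSite)'"
}
$assignment
```

Because SMSSITECODE is passed explicitly, a successful run should always report the site code you supplied; if it reports nothing, the client installed but never registered with the MP, and ClientIDManagerStartup.log and LocationServices.log are the next places to look.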

Client Push: What If It Did Work?

Despite client push not being supported for workgroup devices, apparently you can work around it.  Remember though, you are in fully unsupported territory here, but it seems pretty harmless to me:

  • Only replace <USERNAME> in the string above, leave the COMPUTERNAME wildcard as-is.
  • Set the installation properties using the information above.

For full details see Peter van der Woude’s post:  Using Client Push Installation on WORKGROUP systems with ConfigMgr 2012 .

Approving the Client

Ok, so you’re like 15 minutes into reading this damn blog post and all we’ve managed to do is install the client and get it talking to your Configuration Manager site.  We’re ready to manage the heck out of these things … right?  Nope, not yet.  Devices that join a Configuration Manager site must be approved.  By default, devices in a domain that Configuration Manager has a trust with are automatically approved.  Workgroup devices aren’t in a domain at all, let alone a trusted one, so that’s not going to work.  As if it’s some sort of theme here … there are two ways to handle this.

Manually Approving Clients

Microsoft Doc: How to manage clients

If you select a client in the console you can approve it from the ribbon or the right-click context menu.  This is very manual and sounds extremely tedious if you have more than a small handful of one-off workgroup devices.

Automatically Approving All Computers

The second option is to simply change the default configuration and allow all computers to be automatically approved.  This setting is explicitly labeled as ‘not recommended’ right there in the console, so you may want to think long and hard before going this route.  I haven’t personally thought and argued my way through all the pitfalls here but one thing’s for sure: if you enable this then anyone can join any machine to your site.  I’m not quite sure why that’s bad … but let’s just assume that’s bad.  The biggest concern would seem to be the security of your service account credentials, since, as noted above, every approved client receives the Network Access Account in its machine policy.  So if you go down this road make sure the accounts you use are true service accounts that are prevented from interactive login.  In any case, if you are simply out of shits to give then you can configure this by going to Administration / Site Configuration / Sites / Hierarchy Settings and selecting this option.

Approve Devices via a Script

Ok, so I lied.  There’s another option here, which is to simply script the approval.  The only benefit I could conceive of here is that you could create your own rules for validating that a client should be allowed to join your site.  I’m lazy so I didn’t look that hard, but 10 seconds of searching returned a script by Peter van der Woude:  Approve, Block, Unapprove, or Unblock a Client in ConfigMgr 2012 via PowerShell .  That’s two links now to Peter’s stuff … must be a Dutch thing.
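What “your own rules” could look like, as an added example that is neither Peter’s script nor part of the original post: it lists clients that are still unapproved, applies a few checks (never touch blocked records, leave domain-joined machines to the site’s own trust-based approval, and require the name to match your workgroup naming standard or an explicit allow list), and approves only those that pass, reporting everything else. It assumes the Configuration Manager console is installed (for the ConfigurationManager PowerShell module), an SMS Provider host name, a naming pattern of your own, and that Get-CMDevice exposes Name, Domain, IsClient, IsApproved and IsBlocked; nothing changes unless you pass -Commit.

```powershell
# Added example (not from the original post or Peter van der Woude's script):
# rule-based approval of pending workgroup clients instead of "approve all".
# Assumptions: console installed, provider host, naming pattern and allow list below.
param(
    [string]$SiteCode = 'XZY',
    [string]$ProviderServer = 'cmprov01.contoso.com',      # assumed SMS Provider host
    [string]$NamePattern = '^WG-[A-Z]{3}-\d{4}$',          # assumed workgroup naming standard
    [string[]]$AllowList = @(),                             # explicit one-off exceptions
    [string[]]$WorkgroupNames = @('WORKGROUP'),             # what workgroup devices report as Domain
    [switch]$Commit                                         # report only unless set
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderServer | Out-Null
}
Set-Location "$SiteCode`:"

function Test-ApprovalRule {
    # Returns $null when the device may be approved, otherwise the reason to skip it.
    param($Device)
    if ($Device.IsBlocked) { return 'record is blocked' }
    if ($Device.Domain -and $WorkgroupNames -notcontains $Device.Domain) {
        return "domain-joined ($($Device.Domain)); leave to the site's trust-based approval"
    }
    if ($Device.Name -notmatch $NamePattern -and $AllowList -notcontains $Device.Name) {
        return 'name matches neither the naming standard nor the allow list'
    }
    return $null
}

# Only records that have a client and are not yet approved are candidates.
$pending = Get-CMDevice -CollectionName 'All Systems' |
    Where-Object { $_.IsClient -and -not $_.IsApproved }

foreach ($device in $pending) {
    $reason = Test-ApprovalRule -Device $device
    if ($reason) {
        Write-Output "SKIP    $($device.Name): $reason"
        continue
    }
    Write-Output "APPROVE $($device.Name)"
    if ($Commit) { Approve-CMDevice -InputObject $device }
}
```

Run it without -Commit first and read the SKIP lines; anything you expected to be approved but was not is either named outside the standard or is reporting a domain you did not list, and both are worth knowing before a scheduled run starts approving on its own.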

Upgrading the Client

Microsoft Doc: Upgrade clients in System Center Configuration Manager

As the documentation above states, there are a few different ways to upgrade the Configuration Manager clients.  Unless you have some crazy “I’m a special little snowflake” requirements you should be using the built-in automatic client upgrade process.  When doing so, the first thing you may choose to do is to test client upgrades in a pre-production collection to make sure the new client works as expected.  I mean, let’s be real here … not every release of Current Branch has been perfect and early adopters have most certainly been bitten.  Unfortunately, your workgroup clients must be kept out of the party.  It strikes me as an odd limitation since your workgroup devices have the Network Access Account but they are unable to download the pre-production client data.  If you try they will simply fail repeatedly and continually generate failure status messages.  Once you promote the pre-production client to be the production client your workgroup devices will automatically upgrade just fine.

Other Limitations

Ok, I’ve spent roughly 1,700 words and untold minutes of your life just to get a client installed and talking to your site.  It all sounds like, and truly is, a huge pain, but the good news is that we’re pretty much done here.  There are only a few more caveats to outline.  Again, if you know of something I’ve missed leave a comment and I’ll look into it.

Deploying Software To Users

Since you can’t sync local user accounts into Configuration Manager, software can only be targeted at Active Directory users.  That precludes workgroup devices from receiving user-based deployments.

Remote Control Viewers

Related to the software deployment limitation, workgroup computers will not be able to authenticate domain users that are configured as Remote Control viewers.  You can remotely control workgroup computers, you just need to define a local account to authenticate with.  When connecting to workgroup devices you must prefix the username with either the name of the device or simply ‘localhost’.  For example: ‘localhost\DGA’.  My recommendation is to create a shared local user that does not have rights to log in interactively … yet another theme here.  This allows for a widely shared set of credentials that don’t have any real rights to do anything.  You will still need the credentials of a local account to log in if the device is unattended.


10 Comments


March 3, 2021 at 5:43 pm

Well authored, clear and kinda entertaining. I wish all technical blog posts read like this. Thank you.


February 8, 2021 at 6:36 pm

Hi there, I have 10 workstations and 3 shared IP printers facing the internet using the free version of Desktop Central for updating, patching, software deployment, etc… I already have a local admin account on each workstation where all remaining user accounts will be standard. Will this allow me to manage users on each workstation from my computer allowing me to: add users, change/reset passwords for users, and possibly disable users? I don’t think I can justify adding the cost of an active directory server as a domain to our network and would prefer allocate what this would cost towards protecting our environment. Thanks in advance for any reply


February 8, 2021 at 6:44 pm

If you’re asking about ManageEngine’s Desktop Central I have no idea since I’ve never used or even seen that product in the wild.

You can certainly install the Configuration Manager client on them and manage the device that way. Though ConfigMgr has nothing built-in to allow for local-user management.

February 9, 2021 at 8:09 am

Thanks for the quick reply, I am looking for something that will allow me to create new users, change pw for a user, delete a user, and bonus if I can find something that can effectively disable an account.


September 18, 2020 at 5:08 am

Good explanation of what the problems are with non-domain clients, thanks.


June 19, 2019 at 5:29 am

How to deploy an application on a workgroup client machine??? I have tried to deploy in my environment but it’s not getting installed. I have checked the log files, in which I saw that content is not getting downloaded by the client machine.

June 19, 2019 at 8:58 am

Once you have the client installed and properly assigned to a site then being joined to a domain is entirely irrelevant for deployments. Everything’s happening over HTTP/HTTPS via IIS and normal troubleshooting processes apply.

June 20, 2019 at 2:58 am

Installed the clients successfully, and the site has been assigned correctly as well. But content is still not getting downloaded, as per CAS.log.


June 2, 2019 at 9:41 am

This is great, thanks!!!


March 26, 2019 at 12:12 am

very useful for the beginners like me…


© 2024 Dam Good Admin


ConfigMgr client automatic site assignment behavior in a multi site environment

I’m currently working on a project where we implement a new ConfigMgr 2012 hierarchy in a forest where several ConfigMgr 2007 hierarchies already exist. The new ConfigMgr 2012 environment will be installed in a new domain within that existing forest and we will not migrate any content from these ConfigMgr 2007 environments, but install every client using the OSD functionality of ConfigMgr 2012; other deployment methods could be necessary for special scenarios.

Even though this isn’t such a common scenario, I think the results of the test provide some insight on what you can expect in your own migration from ConfigMgr 2007 to ConfigMgr 2012, therefore I decided to share my findings. I hope it will be useful for someone reading this article.

Because one of the requirements for the implementation of ConfigMgr 2012 is that the impact on the existing environment should be as minimal as possible, we did some tests on what would happen if a ConfigMgr 2007 client assigned itself to a ConfigMgr 2012 environment, and on possible ways to prevent that:

  • Install a ConfigMgr 2007 client when conflicting boundaries are configured on both ConfigMgr 2007 and ConfigMgr 2012
  • Install a ConfigMgr 2007 client when there is only a boundary group with corresponding boundary defined in ConfigMgr 2012
  • Install a ConfigMgr 2007 client and see what happens when it assigns to the ConfigMgr 2012 site and automatic client upgrade is turned on
  • Install a ConfigMgr 2007 client and see what happens if only a boundary for Content Location in ConfigMgr 2012 is defined.

First there are some known and documented rules which we need to take into account:

A ConfigMgr 2012 client cannot attach itself to a ConfigMgr 2007 site. During Automatic Site Assignment, the ConfigMgr 2012 client will do a version check and when the site it tries to attach to isn’t at the correct level, it will fail to assign to that site.

In order to test the scenarios, we built the following test environment:

ConfigMgr 2007 Primary Site (pss1.nl.domain.local) in the NL child domain, with code N01

ConfigMgr 2012 Primary site (pss2.emea.domain.local) in the EMEA child domain, with site code E01  

Test 1: Conflicting boundaries configured on both the ConfigMgr 2007 and the ConfigMgr 2012 site

  • Configured an IP range boundary on the ConfigMgr 2007 site
  • Configured an IP range boundary on the ConfigMgr 2012 site, and created a boundary group containing this boundary serving as a boundary group for both site assignment and content location
  • Installed Windows 7 from its original ISO file in a VM
  • Joined the Windows 7 client to the NL domain
  • Started CCMSetup.exe from the \\<site server>\SMS_N01\Client folder.

Automatic Site Assignment process

LocationServices.log

<![LOG[A Fallback Status Point has not been specified.  Message with STATEID='500' will not be sent.]LOG]!><time="13:51:54.708+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="fspclientdeployassign.cpp:53">
<![LOG[Current AD site of machine is ADAM]LOG]!><time="13:51:54.708+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:457">
<![LOG[ This client might be within the boundaries of more than one site - AD SiteCode search matched 2 entries ]LOG]!><time="13:51:55.130+-120" date="06-26-2012" component="LocationServices" context="" type="2" thread="2064" file="lsad.cpp:1915">
<![LOG[ The client will be assigned to the first valid site ]LOG]!><time="13:51:55.130+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:1916">
<![LOG[LSGetAssignedSiteFromAD : Trying to Assign to the Site <N01>]LOG]!><time="13:51:55.130+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:1922">
<![LOG[LSVerifySiteVersion : Verifying Site Version for <N01>]LOG]!><time="13:51:55.130+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:5321">
<![LOG[LSGetSiteVersionFromAD : Successfully retrieved version '4.00.6487.0000' for site 'N01']LOG]!><time="13:51:55.145+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:5129">
<![LOG[LSVerifySiteVersion : Verified Client Version '4.00.6487.2000' is not greater than Site Version '4.00.6487.0000'. Client can be assigned to site <N01> .]LOG]!><time="13:51:55.145+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:5452">
<![LOG[ Current assigned site code for the client is 'N01' ]LOG]!><time="13:51:55.176+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:3589">

Even though the AD lookup returns 2 possible sites, the client assigns to the N01 site.

Automatic Site Assignment from the Control Panel fails.

New questions based on this result are:

1. Does it assign to the N01 site because that site is a member of the NL domain as well (meaning the computer account for the PSS for site 1 resides in the NL domain)?
2. Does it assign to the N01 site because maybe that’s the last site being returned from the query (N01 is the last in the array)?
3. What happens if a ConfigMgr 2007 client gets assigned and we turn on automatic client upgrade?

We repeated this scenario another time, to see whether the N01 site code match was random, but the client assigned to the N01 site again. This doesn’t prove anything though, because we would need to conduct several similar tests to be really sure. But for now our guess is that N01 is probably the last site returned from the query, and that is the one that gets used.

We also repeated this scenario, but instead of joining the client to the NL domain we joined the client to the EMEA domain. Same behavior though: the client still auto-assigned to the N01 site.

Test 2: Boundary configured on ConfigMgr 2012 site only

  • Removed the IP range boundary on the ConfigMgr 2007 site

Automatic Site Assignment process:

<![LOG[A Fallback Status Point has not been specified.  Message with STATEID='500' will not be sent.]LOG]!><time="15:03:56.034+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="fspclientdeployassign.cpp:53">
<![LOG[ Current AD site of machine is ADAM ]LOG]!><time="15:03:56.034+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:457">
<![LOG[LSGetAssignedSiteFromAD : Trying to Assign to the Site <E01>]LOG]!><time="15:03:56.440+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:1922">
<![LOG[LSVerifySiteVersion : Verifying Site Version for <E01>]LOG]!><time="15:03:56.440+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:5321">
<![LOG[LSGetSiteVersionFromAD : Successfully retrieved version '5.00.7711.0000' for site 'E01']LOG]!><time="15:03:56.456+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:5129">
<![LOG[LSVerifySiteVersion : Verified Client Version '4.00.6487.2000' is not greater than Site Version '5.00.7711.0000'. Client can be assigned to site <E01>.]LOG]!><time="15:03:56.456+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:5452">
<![LOG[Current assigned site code for the client is 'E01']LOG]!><time="15:03:56.487+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:3589">
<![LOG[A Fallback Status Point has not been specified.  Message with STATEID='700' will not be sent.]LOG]!><time="15:03:56.487+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="fspclientdeployassign.cpp:53">
<![LOG[Attempting to retrieve default management point from AD]LOG]!><time="15:03:56.487+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:2537">
<![LOG[ Retrieved Default Management Point from AD: PSS2.EMEA.DOMAIN.LOCAL ]LOG]!><time="15:03:56.487+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2292" file="lsad.cpp:2543">

The ConfigMgr 2007 client can assign successfully to the ConfigMgr 2012 site. After a while the Actions tab of the ConfigMgr 2007 client gets filled with all the available actions, and we see that hardware inventory is working, for example, because the Resource Explorer returns the version of the ConfigMgr 2007 client. Even an optional deployment of a Package to the computer turns up in the Run Advertised Programs control panel applet on the ConfigMgr 2007 client.
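The Test 1 and Test 2 logs above are the same few LocationServices.log messages with different outcomes, so they are worth reading by script rather than by eye when you have more than a handful of clients to check. The following is an added example, not part of the original post: it parses CMTrace-format entries, pulls out the AD match count, the site the client tried, the two versions compared by LSVerifySiteVersion, and the final assignment, and it flags any warning or error entries. The sample lines are constructed from the post’s Test 1 output (with straight quotes); point Read-CMTraceLog at a real log file to use it on a client.

```powershell
# Added example (not from the original post): summarise the automatic site
# assignment decision recorded in LocationServices.log.
# Assumption: standard CMTrace entry layout <![LOG[msg]LOG]!><time=".." date=".." component=".." ... type="n" ...>.
$cmTracePattern = '<!\[LOG\[(?<msg>.*?)\]\s*LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"'

function Read-CMTraceLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $cmTracePattern) {
            [pscustomobject]@{
                Date     = $Matches.date
                Time     = $Matches.time
                Severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message  = $Matches.msg.Trim()
            }
        }
    }
}

function Get-SiteAssignmentSummary {
    param([object[]]$Entries)
    $s = [ordered]@{
        AdMatches = $null; TriedSite = $null; ClientVersion = $null; SiteVersion = $null
        VersionCheckPasses = $null; AssignedSite = $null; Warnings = @()
    }
    foreach ($e in $Entries) {
        switch -Regex ($e.Message) {
            'AD SiteCode search matched (\d+) entries'                { $s.AdMatches = [int]$Matches[1] }
            'Trying to Assign to the Site <(\w+)>'                     { $s.TriedSite = $Matches[1] }
            "retrieved version '([\d.]+)' for site"                    { $s.SiteVersion = $Matches[1] }
            "Verified Client Version '([\d.]+)' is not greater than"   { $s.ClientVersion = $Matches[1] }
            "Current assigned site code for the client is '(\w+)'"     { $s.AssignedSite = $Matches[1] }
        }
        if ($e.Severity -ne 'Info') { $s.Warnings += $e.Message }
    }
    if ($s.ClientVersion -and $s.SiteVersion) {
        # The post's Test 1 log accepts client 4.00.6487.2000 against site
        # 4.00.6487.0000, so the client evidently compares major.minor.build only;
        # the revision field is ignored here for the same reason.
        $c = [version]$s.ClientVersion; $v = [version]$s.SiteVersion
        $s.VersionCheckPasses = [version]"$($c.Major).$($c.Minor).$($c.Build)" -le [version]"$($v.Major).$($v.Minor).$($v.Build)"
    }
    [pscustomobject]$s
}

# Constructed sample, condensed from the post's Test 1 log.
$sampleLog = @'
<![LOG[ This client might be within the boundaries of more than one site - AD SiteCode search matched 2 entries ]LOG]!><time="13:51:55.130+-120" date="06-26-2012" component="LocationServices" context="" type="2" thread="2064" file="lsad.cpp:1915">
<![LOG[LSGetAssignedSiteFromAD : Trying to Assign to the Site <N01>]LOG]!><time="13:51:55.130+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:1922">
<![LOG[LSGetSiteVersionFromAD : Successfully retrieved version '4.00.6487.0000' for site 'N01']LOG]!><time="13:51:55.145+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:5129">
<![LOG[LSVerifySiteVersion : Verified Client Version '4.00.6487.2000' is not greater than Site Version '4.00.6487.0000'. Client can be assigned to site <N01> .]LOG]!><time="13:51:55.145+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:5452">
<![LOG[ Current assigned site code for the client is 'N01' ]LOG]!><time="13:51:55.176+-120" date="06-26-2012" component="LocationServices" context="" type="1" thread="2064" file="lsad.cpp:3589">
'@ -split "`r?`n"

# Replace $sampleLog with (Get-Content 'C:\Windows\CCM\Logs\LocationServices.log') on a client.
Get-SiteAssignmentSummary -Entries (Read-CMTraceLog -Lines $sampleLog)
```

On the sample this reports AdMatches 2, TriedSite N01, VersionCheckPasses True, AssignedSite N01 and one warning (the "more than one site" entry), which is the fingerprint of the overlapping-boundary situation the post is testing; an AdMatches value above 1 on a production client is the thing to alert on.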

We do see though that there are a lot of logs with faults, like policyevaluator.log:

<![LOG[Failed to update policy CCM_Policy_Policy4.PolicyID="{542af439-2433-4bcc-987a-af641d17a67b}",PolicySource="SMS:E01",PolicyVersion="3.00"]LOG]!><time="15:34:57.665+-120" date="06-26-2012" component="PolicyAgent_PolicyEvaluator" context="" type="3" thread="1464" file="policyutil.cpp:6852">

Test 3: Automatic Client Upgrade options turned on

New in ConfigMgr 2012 is the option to automatically upgrade a client which is below a certain defined version. In the RTM version this is every client with a version lower than 5.0.7711.0. Peter Daalmans, a ConfigMgr MVP, has described its functionality in a blog post which can be found here: http://www.systemcenterblog.nl/2012/02/22/configuration-manager-2012-client-upgrade-settings/

Microsoft doesn’t recommend this method as your primary method to install your ConfigMgr 2012 clients though, so please keep this in mind and prefer any other available method. You can use this method in certain special scenarios. Furthermore, I hope that MS is going to make this method standard so we can centrally configure client upgrade after a patch is made available, for example, just like we do in SCOM.

  • Turned on Automatic Client Upgrade in the ConfigMgr 2012 Hierarchy settings.

We see the same behavior as in Test 2, only after a while we see in the task manager that a new CCMSetup.exe is started, which uninstalls the ConfigMgr 2007 client, and installs the ConfigMgr 2012 client. We don’t see any Automatic Site Assignment taking place though, which means that the ConfigMgr 2012 client uses the settings of the previously installed ConfigMgr 2007 client.

Test 4: No sites defined for client assignment

  • Configured an IP range boundary on the ConfigMgr 2012 site, and modified the boundary group containing this boundary serving as a boundary group for only content location
  • Started CCMSetup.exe from the \\<site server>\SMS_NL\Client folder.

Locationservices.log

<![LOG[A Fallback Status Point has not been specified. Message with STATEID='500' will not be sent.]LOG]!><time="14:09:15.299+-120" date="06-27-2012" component="LocationServices" context="" type="1" thread="2684" file="fspclientdeployassign.cpp:53">
<![LOG[Current AD site of machine is ADAM]LOG]!><time="14:09:15.299+-120" date="06-27-2012" component="LocationServices" context="" type="1" thread="2684" file="lsad.cpp:457">
<![LOG[Attempting to retrieve SLPs from AD]LOG]!><time="14:09:15.377+-120" date="06-27-2012" component="LocationServices" context="" type="1" thread="2684" file="lsad.cpp:2261">
<![LOG[Retrieved SLPs from AD]LOG]!><time="14:09:15.705+-120" date="06-27-2012" component="LocationServices" context="" type="1" thread="2684" file="lsad.cpp:2265">
<![LOG[Current AD site of machine is ADAM]LOG]!><time="14:09:15.721+-120" date="06-27-2012" component="LocationServices" context="" type="1" thread="2684" file="lsad.cpp:457">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
    DateTime = "20120627120915.830000+000";
    HostName = "PSS1";
    HRESULT = "0x00000000";
    ProcessID = 2712;
    StatusCode = 0;
    ThreadID = 2684;
]LOG]!><time="14:09:15.830+-120" date="06-27-2012" component="LocationServices" context="" type="1" thread="2684" file="event.cpp:525">
<![LOG[LSGetAssignedSiteFromSLP : No site code returned from SLP ]LOG]!><time="14:09:15.846+-120" date="06-27-2012" component="LocationServices" context="" type="3" thread="2684" file="lsad.cpp:2076">

The client fails to assign to a ConfigMgr site, which means that it is unmanaged; this is the expected behavior.

Overall Conclusion:

When you have a similar situation, and currently use automatic site assignment for your ConfigMgr 2007 environment, you have some challenges to overcome when you configure conflicting boundaries for your ConfigMgr 2012 clients. This is a common issue which you need to overcome when migrating clients, especially while the two systems are active at the same time for a while.

If automatic site assignment is used, you need to have insight into the boundaries used, and determine whether a client can possibly assign itself to the ConfigMgr 2012 environment when overlapping boundaries are present. If that is the case, you can’t use automatic site assignment on one of the sites. In our case this wasn’t a problem since we would use OSD to install the ConfigMgr client and therefore will not use Automatic Site Assignment, which would require a boundary group enabled for it.
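Getting that insight into the boundaries is mechanical once the ranges are in one list, and the same check answers the first post’s warning that site-assignment boundary groups may not overlap. The following is an added example, not part of either post: it converts IP range boundaries to numeric start and end addresses and reports every pair that overlaps, marking pairs that belong to different site codes, which is the case where a client can land in the wrong hierarchy. The sample set is constructed to mirror the N01/E01 lab above. The optional Get-AssignmentBoundary function reads real boundaries from one hierarchy’s SMS Provider and assumes the SMS_Boundary, SMS_BoundaryGroup and SMS_BoundaryGroupMembers classes, that BoundaryType 3 is an IP range stored as "start-end", and that a non-empty DefaultSiteCode marks a group used for site assignment; IP subnet boundaries are not handled because the provider stores them without a mask.

```powershell
# Added example (not from either post): find overlapping IP range boundaries
# among the boundaries used for site assignment.
# Assumptions: provider class and property names as described in the lead-in.

function ConvertTo-IPv4Number {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)            # wire order is big-endian; BitConverter wants little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function New-RangeBoundary {
    param([string]$Name, [string]$SiteCode, [string]$Value)
    $start, $end = $Value -split '-', 2
    [pscustomobject]@{
        Name = $Name; SiteCode = $SiteCode; Value = $Value
        Start = ConvertTo-IPv4Number $start.Trim()
        End   = ConvertTo-IPv4Number $end.Trim()
    }
}

function Find-OverlappingBoundary {
    param([object[]]$Boundaries)
    for ($i = 0; $i -lt $Boundaries.Count; $i++) {
        for ($j = $i + 1; $j -lt $Boundaries.Count; $j++) {
            $a = $Boundaries[$i]; $b = $Boundaries[$j]
            # Two inclusive ranges overlap when each one starts no later than the other ends.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{
                    First     = "$($a.Name) [$($a.SiteCode)] $($a.Value)"
                    Second    = "$($b.Name) [$($b.SiteCode)] $($b.Value)"
                    CrossSite = ($a.SiteCode -ne $b.SiteCode)
                }
            }
        }
    }
}

function Get-AssignmentBoundary {
    # Optional: collect the IP range boundaries of every site-assignment boundary
    # group from one hierarchy's SMS Provider. Run once per hierarchy and merge.
    param([string]$ProviderServer, [string]$SiteCode)
    $ns = "root\SMS\site_$SiteCode"
    $groups     = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_BoundaryGroup |
                  Where-Object { $_.DefaultSiteCode }          # only groups enabled for site assignment
    $members    = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_BoundaryGroupMembers
    $boundaries = Get-WmiObject -ComputerName $ProviderServer -Namespace $ns -Class SMS_Boundary
    foreach ($g in $groups) {
        $ids = @($members | Where-Object { $_.GroupID -eq $g.GroupID } | ForEach-Object { $_.BoundaryID })
        foreach ($b in $boundaries | Where-Object { $ids -contains $_.BoundaryID -and $_.BoundaryType -eq 3 }) {
            New-RangeBoundary -Name $b.DisplayName -SiteCode $g.DefaultSiteCode -Value $b.Value
        }
    }
}

# Constructed sample: one range per hierarchy overlapping on 10.10.1.100-150,
# plus a workgroup range that overlaps nothing.
$sample = @(
    New-RangeBoundary -Name 'NL office'     -SiteCode 'N01' -Value '10.10.1.1-10.10.1.150'
    New-RangeBoundary -Name 'EMEA office'   -SiteCode 'E01' -Value '10.10.1.100-10.10.1.254'
    New-RangeBoundary -Name 'Workgroup DMZ' -SiteCode 'E01' -Value '192.168.50.1-192.168.50.254'
)
Find-OverlappingBoundary -Boundaries $sample | Format-Table -AutoSize
```

On the sample the only hit is NL office against EMEA office with CrossSite True, which is the Test 1 situation. Overlaps within one site code are still worth fixing (the first post’s rule) but do not send a client to a foreign hierarchy.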

Site assignment during OSD works a little bit differently. Below is how assignment works in the ConfigMgr 2007 Setup Windows and ConfigMgr task sequence step.

Source : http://technet.microsoft.com/en-us/library/bb693951.aspx

The client should automatically be assigned to a site by the Config Windows and ConfigMgr action.  We do not allow you to specify what site the client joins because it needs to join a specific site for the task sequence to complete successfully:

1. If the task sequence is started from the Full OS on an existing client then the site assignment will be migrated.
2. If the task sequence is started from PXE it will be assigned to the PXE server’s site.
3. If the task sequence is started from media it will be assigned to the site the media was created on.

At time of writing the expected behavior for ConfigMgr 2012 clients isn’t documented yet. But we can expect this to work similar to ConfigMgr 2007. Except for option 3, since we now have 2 media options, one specific for a site, and one media which is hierarchy wide. I would expect this information to show up here:  http://technet.microsoft.com/en-us/library/hh846237.aspx

Microsoft has the following statement about this scenario, as stated in the Supported Configurations ( http://technet.microsoft.com/en-us/library/gg682077#BKMK_SupConfigSiteAssignment )

To prevent Configuration Manager 2007 clients from unintentionally assigning to a System Center 2012 Configuration Manager site when the two hierarchies have overlapping boundaries, configure Configuration Manager 2007 client installation parameters to assign clients to a specific site.

Best Guide to Deploy SCCM Clients Using Group Policy

Prajwal Desai

This article details the steps to deploy SCCM clients using group policy (GPO). You can also upgrade SCCM client agents using group policy.

You can use different methods to install the Configuration Manager client software. This article describes each method, so you can learn which one works best for your organization.

Listed below are all the methods to install the SCCM client agents:

  • Group policy installation
  • Logon script installation
  • Manual installation
  • Client Push installation
  • Microsoft Intune MDM installation

Microsoft recommends the client push installation method because it is easy and can install the client automatically on every discovered computer.

However, some organizations prefer to deploy SCCM clients using group policy. A GPO works best when your Windows computers are joined to an Active Directory domain.

If you plan to deploy SCCM clients using group policy, uncheck "Enable automatic site-wide client push installation" under the client push installation properties.

If that option stays enabled, the site will push the client to every discovered system on its own, and the two installation methods will compete.

To disable automatic site-wide client push installation:

  • Launch the Configuration Manager console
  • Go to Administration \ Overview \ Site Configuration \ Sites
  • On the ribbon, click Client Installation Settings and select Client Push Installation
  • In the Client Push Installation Properties, uncheck "Enable automatic site-wide client push installation"
  • Click Apply and OK

To create a GPO to deploy SCCM clients, you must have necessary permissions. I recommend testing the GPO on a few test machines first. If the SCCM client agent deployment GPO works, expand it to a larger set of computers.

Deploy SCCM Clients Using Group Policy

Let's see the steps to create a group policy to deploy SCCM clients. Log on to a domain controller or to a member server with the Group Policy Management Console installed.

Launch Server Manager, click Tools and select Group Policy Management.

In the GPMC console, right-click the Group Policy Objects container (or your domain) and create a new GPO. Name it Deploy SCCM clients using Group Policy.

Now right-click the new policy you just created and select Edit.

In the Group Policy Management Editor, expand Computer Configuration , Policies and right click on Administrative Templates and click on Add/Remove Templates .

You can add the SCCM client templates by clicking Add. The Configuration Manager templates are on the installation media under SMSSETUP\TOOLS\ConfigMgrADMTemplates.

You can also take them from the site server at <Drive>:\Program Files\Microsoft Configuration Manager\tools\ConfigMgrADMTemplates. You need to add two templates: ConfigMgrAssignment.adm and ConfigMgrInstallation.adm.

After you add both templates, click Close.

Expand Administrative Templates, Classic Administrative Templates, Configuration Manager, Configuration Manager Client.

In the right pane you can see both Configuration Manager settings. Their state is Not configured.

The next steps cover configuring these two settings.

Configure Configuration Manager Site Assignment

Right-click Configure Configuration Manager 2012 Site Assignment and click Edit. Select Enabled to enable the policy.

Under Options specify the Assigned Site code, set Site Assignment Retry Interval to 5 minutes and Site Assignment Retry Duration to 1 hour (you can also leave everything except the site code at its default). Click OK.

Configure Configuration Manager Client Deployment Settings

Right-click Configure Configuration Manager 2012 Client Deployment Settings and select Enabled.

Under Options specify the installation properties for CCMSetup. Client installation properties given here modify the installation behavior in the same way they would on the ccmsetup.exe command line.

In our case I used the following installation command: CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL

Click on OK.

Create New Package to Deploy SCCM Client Agent via GPO

In this section we create a software installation package that deploys the SCCM client agent. Under Computer Configuration expand Policies, Software Settings. Right-click Software Installation and click New > Package.

The package is ccmsetup.msi, which you can find on the ConfigMgr installation media under SMSSETUP\BIN\I386 (on the site server it is under the installation directory in bin\I386). Copy ccmsetup.msi into a new folder on the SCCM server and share it with Read permission only. Everyone works, but Authenticated Users or Domain Computers is tighter and still covers the computer accounts that will download it. Treat the write side of this share as seriously as you treat the site server itself: assigned software installation runs as SYSTEM on every targeted computer, so anybody who can overwrite that MSI can run code as SYSTEM on all of them. Keep write access to administrators only, at both the share and the NTFS level.

Browse to ccmsetup.msi through its UNC path (\\server\share\ccmsetup.msi, not a local drive letter, because the clients will read it over the network), select Assigned as the deployment method and click OK.

When you click Software Installation, you should see the following details about the Configuration Manager client package: its Name, Version, Deployment state and Source.

The deployment state of the ConfigMgr client package is Assigned. Close the Group Policy Management Editor.

Apply the Group Policy to OU

In the steps above we created a group policy to deploy SCCM clients and configured the ConfigMgr templates. The next step is to link the group policy to the computers that should get the client.

You can link this policy at the domain level or at the OU level. If you link it at the domain level, every computer in the domain (domain controllers included, unless you filter them out) will get the SCCM client installed at its next startup.

I have created an OU called Windows Systems which contains the client computers. To link the policy to this OU, right-click the OU Windows Systems, click Link an existing GPO, choose the GPO Deploy SCCM clients using Group Policy and click OK.

Run gpupdate /force on the client machines (or wait for the next policy refresh). Running gpupdate on the domain controller only refreshes the DC's own policy; what the clients need is for the new GPO to have replicated to the domain controller they talk to.
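The share that holds ccmsetup.msi is the one piece of this procedure an attacker would go after, because whatever sits in it runs as SYSTEM on every computer the GPO targets. As an added example (my code, not the article's), the PowerShell below creates the folder and share with read-only access for clients and administrator-only write access, then audits both the share ACL and the NTFS ACL for anything that can write. The site server path, share name and folder are assumptions; adjust them to your environment and run it on the SCCM server as an administrator.

```powershell
# Added example (not from the original article): publish ccmsetup.msi on a
# read-only share and audit who can write to it. Software installation policy
# runs as SYSTEM on every targeted computer, so write access to this folder
# equals code execution as SYSTEM on all of them. Paths and names below are
# assumptions; adjust them to your site server.

$SourceMsi = 'C:\Program Files\Microsoft Configuration Manager\bin\I386\ccmsetup.msi'
$SharePath = 'D:\Shares\ccmsetup_configmgr'
$ShareName = 'ccmsetup_configmgr'

function Publish-ClientSourceShare {
    param([string]$Msi, [string]$Path, [string]$Name)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Copy-Item -Path $Msi -Destination $Path -Force

    # NTFS: stop inheriting, then grant exactly what is needed. Clients read the
    # MSI as their computer account, which Authenticated Users covers.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($entry in @(
        @('BUILTIN\Administrators',           'FullControl'),
        @('NT AUTHORITY\SYSTEM',              'FullControl'),
        @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute')
    )) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $entry[0], $entry[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share: read-only for anyone who can authenticate, full control only for admins.
    New-SmbShare -Name $Name -Path $Path `
        -ReadAccess 'NT AUTHORITY\Authenticated Users' `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

function Test-ClientSourceShare {
    # Returns one line per principal that can change the package; empty means clean.
    param([string]$Path, [string]$Name)
    $findings = @()
    $admins = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

    # Share level: anything beyond Read for a non-admin principal is a finding.
    foreach ($ace in Get-SmbShareAccess -Name $Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and
            $admins -notcontains $ace.AccountName) {
            $findings += "Share '$Name': $($ace.AccountName) has $($ace.AccessRight)"
        }
    }
    # NTFS level: write-capable rights for a non-admin principal are a finding.
    # Inherited entries count too; a lax parent folder is the usual way this slips.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $rights -match 'Write|Modify|FullControl|CreateFiles|AppendData|Delete' -and
            $admins -notcontains $ace.IdentityReference.Value) {
            $findings += "NTFS '$Path': $($ace.IdentityReference.Value) has $rights"
        }
    }
    return $findings
}

Publish-ClientSourceShare -Msi $SourceMsi -Path $SharePath -Name $ShareName
$problems = Test-ClientSourceShare -Path $SharePath -Name $ShareName
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "\\$env:COMPUTERNAME\$ShareName grants no write access outside Administrators and SYSTEM" }
```

Test-ClientSourceShare is worth keeping as a scheduled check on its own: the share is only as safe as the last person who touched its permissions, and a "Change" entry added for convenience is indistinguishable from a backdoor until someone looks.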

Testing the SCCM Client Agent Installation

The group policy to install SCCM clients is now linked to your computers. Restart a client machine; assigned computer software is installed during startup policy processing, so by the time you log in the Configuration Manager client installation is already under way.

You can see the ccmsetup.exe *32 process running in Task Manager (the *32 is normal on 64-bit Windows, because the bootstrapper is a 32-bit executable). This confirms the ConfigMgr client agent installation has begun.

This completes the steps to deploy SCCM clients using Group Policy. If you have any questions, let me know in the comments section.
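Watching Task Manager tells you the bootstrapper started, not that it finished or that the client joined the site you put in the GPO. As an added example (my code, not the article's), the PowerShell below reads the outcome from ccmsetup.log, asks the client for its assigned site through the same COM object the client uses, and compares it with the site code you expect. The two sample log lines are constructed to show the parser without a client present, and the expected site code IND is taken from the article's own command line; everything else comes from the local machine.

```powershell
# Added example (not from the original article): confirm on a client that the
# GPO-driven install finished and that the client assigned itself to the
# expected site. The sample log lines are constructed; $ExpectedSiteCode is the
# value from the article's command line.

$ExpectedSiteCode = 'IND'
$CcmSetupLog = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'

function Get-CcmSetupExitCode {
    # ccmsetup.log is CMTrace-formatted; the last "CcmSetup is exiting with
    # return code N" line says how the bootstrap ended (0 = success,
    # 7 = success but a reboot is required). $null means it has not ended yet.
    param([Parameter(Mandatory)][string[]]$LogLine)
    $hit = $LogLine | Select-String -Pattern 'CcmSetup is exiting with return code (\d+)' |
           Select-Object -Last 1
    if (-not $hit) { return $null }
    return [int]$hit.Matches[0].Groups[1].Value
}

function Get-CMClientState {
    param([string]$ExpectedSite)
    $service = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $assigned = $null
    try {
        # Microsoft.SMS.Client is the client's own COM interface; GetAssignedSite
        # returns the code shown under "Site" in the Configuration Manager applet.
        $assigned = (New-Object -ComObject Microsoft.SMS.Client).GetAssignedSite()
    } catch { }
    $version = (Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue).ClientVersion
    $exit = if (Test-Path $CcmSetupLog) { Get-CcmSetupExitCode -LogLine (Get-Content $CcmSetupLog) } else { $null }

    [pscustomobject]@{
        ServiceStatus  = if ($service) { $service.Status } else { 'not installed' }
        ClientVersion  = $version
        AssignedSite   = $assigned
        SiteMatchesGPO = ($assigned -eq $ExpectedSite)
        CcmSetupExit   = $exit
    }
}

# Constructed sample of the tail of a successful ccmsetup.log, so the parser can
# be exercised on a machine with no client installed.
$sampleLog = @(
    '<![LOG[Installation succeeded.]LOG]!><time="10:02:11.123+000" date="01-15-2024" component="ccmsetup" context="" type="1" thread="1234" file="msiutil.cpp:1">',
    '<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="10:02:12.456+000" date="01-15-2024" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:1">'
)
Get-CcmSetupExitCode -LogLine $sampleLog

Get-CMClientState -ExpectedSite $ExpectedSiteCode | Format-List
```

Get-CcmSetupExitCode returns 0 for the constructed sample. On a real client, a SiteMatchesGPO of False with a populated AssignedSite is the symptom of the overlapping-boundary problem discussed earlier on this page: the client installed fine but automatic site assignment or a stale assignment won over the site code in your GPO.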

When I try to install the SCCM client through Active Directory Group Policy, I find that the client does not install on the computer. It shows the following errors:

1. The latest version of the ADM files below are not available. This can be due to insufficient permissions or unavailable network resources. The local copy of these ADM files will be used.

2. Software Installation failed due to the error listed below: The installation source for this product is not available. Verify that the source exists and that you can access it.

I got these errors on the client machine when I ran rsop.msc.

Hello Prajwal,

How can I do the MECM agent installation using a startup script via Group Policy?

Is there any way to configure this to apply only once and not every time the GPO forces an update? Thanks

When I used to do client push to a system that had the SCCM client, it would not push if it detected the SCCM client was installed. I think it should be the same behavior here.

Can I do client installation to devices connected via CMG using this method?

I have so many devices with inactive clients and they are connected via CMG,

and I have just two actions, Machine Policy Retrieval and Evaluation Cycle and User Policy Retrieval and Evaluation Cycle, in Software Center.

Hi man, I have a problem with Configure Configuration Manager 2012 Client Deployment Settings. I don't understand what I need to input for ccmsetup.exe, like your CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL. Please help me.

SMSSITECODE= your site code. See it on the SCCM server: go to SCCM console > Administration > Site Configuration > Sites > see Site code.
FSP= FQDN of the SCCM server (run systeminfo in CMD, see Host name + Domain, i.e. SCCM1.domain.com).
MP= FQDN of the SCCM server (run systeminfo in CMD, see Host name + Domain, i.e. SCCM1.domain.com).

Hi Prajwal,

I have configured SCCM Server 2012 R2 in my test lab with the help of your tutorial and it's working fine, but the DP is not showing in my SCCM. Could you please help me resolve this issue?

I’m pushing out clients for an existing SCCM 1710 installation. I have a few questions if you don’t mind.

Does this method work the same for 1710, or do I need to follow a different guide?

Why in the client settings do you have ccmsetup.exe listed when you’re pushing out the msi? Is it because the msi points to the exe?

Also, next to the “Configure Configuration Manager Site Assignment” setting, there is a down arrow. Any idea what this means or if it keeps the client from successfully being pushed out?

Always appreciate reading your blog posts. Our client installation is configured as such by my predecessor. We’ve since migrated to the latest SCCM CB and so upgrades come at a much higher pace now. So the clients need to be updated more frequently as well. I was wondering what needs to be done when a new client version needs to be distributed in such a scenario. I’m assuming that just replacing the msi on the shared folder does not suffice and we also need changes to the group policy. Recreating the ConfigMgr Client Setup Bootstrap installation package seems necessary since the MSI code changes, right? Can I use client.msi from the \\SITESERVER\sms_SITECODE\Client location instead of ccmsetup.msi from the installation media?

You can use the auto client upgrade feature. To do this click on Administration > Site Configuration > Sites. Click on the Hierarchy Settings button on the top ribbon. Click the Client Upgrade tab and check the box Upgrade all clients in the hierarchy using production client. Select the desired number of days you want your upgrade to run within and click OK. A scheduled task will be created on the clients and run within the specified number of days.

I believe the computers have issues contacting the DC. Check the communication from client to DC.

I have also verified the DNS server details on each client and reviewed internet connectivity. All the computers joined to the domain seem to be communicating fine.

I have followed the exact instructions but when I run gpupdate on my DC (running Server 2012 R2), it shows the error below: https://uploads.disquscdn.com/images/ae31f7c05a04d9a4789b1c3d420ab9c4823591d740f1f09290148db212e2dff8.jpg Upon researching this issue on TechNet, I have tried changing the GP time to 30 sec, under Computer Configuration > Policies > Administrative Templates > System > Group Policy > Policy > Specify Startup policy processing wait time, but this did not help.

Any suggestions on this?

I was testing this policy on 2 machines. It was fine on one but the second one was not taking it. It was giving an error of not accepting the group policy before logon, sort of thing. How can I fix it?

I need a bit of help. I want to deploy SCCM clients to a domain with a PowerShell script running through Group Policy. Can you please send a detailed document for that, including screenshots?

Hi Zia, I am working on another script. I will write an SCCM client agent deployment script and get back to you.

I have done this but I need help in deploying BitLocker, if you can please.

Ideally it should skip installing the clients if the computer has got client agents installed.

When I use the GPO method outlined here it works great…thank you. Once the client is installed, does the GPO skip devices that have the SCCM 2012 client installed or does it reinstall every time the GPO is applied.

Hello Prajwal Desai,

I have an existing SCCM 2007 client installed across my production environment and I am installing SCCM 2012. Will this process overwrite the old client version? My 2012 SCCM is running on a W2K8 server, and distributing to the Win7 platform. I have tried using the Client Push Installation and have found no joy with it; I followed it to the letter. So I have chosen this method as it was what was used originally.

I have pondered whether I would need to run an uninstall first using the GPO and then try running this process.

Hi, thanks for your instructions. I have done everything in this post but the SCCM client does not install on the destination. Please guide me. Thanks.

No, ConfigMgr does not uninstall the existing clients. There is no upgrade path from 2003 to 2012. What you can do is create a package in 2003 to uninstall and then install the 2012 client.

Why did you delete the System Management container? You should have uninstalled the clients before you decommissioned the SCCM server.

The purpose of deleting the System Management container is that I wanted to come up with a new site code. I thought that ConfigMgr would uninstall the SMS 2003 Advanced Client. Now I have the SMS Advanced Client installed on Windows 7 computers; I am not bothered about it unless it creates any problem with the ConfigMgr 2012 agent. I have changed the site code for ConfigMgr 2012. When I deploy ConfigMgr with the new site code, will it get deployed on Windows 7 computers having the SMS Advanced Client?

When deploying the GPO I have given these settings: /mp=sccm.mydomain.com /logon SMSSITECODE=COD /source:"\\sccm\ccmsetup_configmgr". Is this the right approach?

Hello Mr Prajwal Desai,

Thanks a lot for your support. I have SMS 2003 installed and recently I decommissioned it. Now I am in the middle of installing SCCM 2012 R2. My Windows 7 computers still have the SMS Advanced Client installed on them. Does ConfigMgr uninstall the SMS Advanced Client? I have changed the site code in SCCM 2012 R2; for that I deleted the System Management container in the AD schema and came up with a new site code. Will it create any issue in removing the SMS Advanced Client?

@JueRgen – I will test this in my lab once again and update the post.

Hi, I think there is still a typo in your GPO deployment.

You write...

"In our case I have used following installation command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL"

This seems not to work; after reading some other walkthroughs and the TechNet it should read: SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=SCCM.PRAJWAL.LOCAL. You need to remove the ccmsetup.exe from the command line. Jürgen

First of all I want to say what a great blog you have set up here. It is very informative and you do a fantastic job of explaining what can be somewhat hard-to-follow and cryptic instructions from Microsoft on the subject. Now for my question: I am trying to deploy the client using the GPO method and I can see in the Resultant Set of Policy that it is running against the client I am testing. The problem I see is that my client is running Windows Server 2008 R2 and although I can see the CCMSETUP *32 process running, it never completes. I think this issue has been touched on a little already in previous comments, but what I really need to find out is whether a registry edit would be needed to help define the install against 64-bit machines as opposed to 32-bit ones, and also exactly what that registry edit would be if needed. I see many references to the WOW6432Node key location online, but I am hoping for a better explanation. Many thanks again for your site.

Hi David, did you check the ccmsetup.log file? Can you post it here? Else you can post it here: https://www.prajwaldesai.com/support

For installing the client on an AD machine, shall I add the ClientInstall user to the Domain Admins group?

Yes that can be done.

Thanks for taking the time to help.

Kindly suggest, as I'm facing an error while installing the client on the machines, also the same in AD. I believe it's a user account issue, as the logs say. I've created a user in AD as ClientInstall and added it to the SCCM server local admins group, and given the same account in the client install settings. Do we need to do any other setting for the ClientInstall account on the machine where we're installing it?

Find the log entries:

---> Failed to connect to \\VM-AD\admin$ using machine account (5)
---> ERROR: Failed to connect to the \\VM-AD\admin$ share using account 'Machine Account'
---> Trying each entry in the SMS Client Remote Installation account list
---> Attempting to connect to administrative share '\\192.168.2.21\admin$' using account 'MYLAB\ClientInstall'
---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account MYLAB\ClientInstall (00000005)
---> Attempting to connect to administrative share '\\192.168.2.21\admin$' using machine account.
---> Failed to connect to \\192.168.2.21\admin$ using machine account (5)
---> ERROR: Failed to connect to the \\192.168.2.21\admin$ share using account 'Machine Account'
---> ERROR: Unable to access target machine for request: "2097152001", machine name: "VM-AD", access denied or invalid network path.
Execute query exec [sp_CP_SetLastErrorCode] 2097152001, 5
Stored request "2097152001", machine name "VM-AD", in queue "Retry".
Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097152001, 2
Execute query exec [sp_CP_SetLatest] 2097152001, N'03/13/2014 02:55:01', 11
<======End request: "2097152001", machine name: "VM-AD".

The user account ClientInstall should have enough permissions to install client agent on the client machine, so the ClientInstall user account should be the member of local administrators group of the client machine.

I'll check the RSOP like you suggested, but I don't understand why a GPO applies once on an OS, but if the machine name stays the same and the OS is reapplied the GPO fails to load. We are using MDT to re-image.

Thanks for the response!!

In the string of comments above Steven asked why the GPO would not work a second time after the machine was re-imaged with a new OS. I tested the GPO on my lab system and the first time it worked fine, but when I re-imaged with a clean image and tested a second time, ccmsetup.msi would not kick off from the GPO. Is there some kind of flag to reset? Thanks

Did you check the rsop on the client machine ? If the policy applied is seen in rsop then the client should be installed.

Hi, I cannot add the domain machine to SCCM 2012 devices. I need to deploy Endpoint Protection to my domain client machine.

"I cannot add the domain machine to SCCM 2012 devices": are you trying to say that you are unable to add the computer to the device collection?

I have tested it on an XP machine and it appears under the XP logo before you get to press CTRL+ALT+DEL, where you normally see "applying computer settings"...

It's not a big deal since it's not the popup I was told it was. I can live with it, please ignore :) thank you for the reply

This GPO is working for installs but can it be made silent? My users are seeing an install popup for about 1 min prior to logging on with XP machines each time they sign in. I have this in the config line: CCMSetup.exe SMSSITECODE=ORG FSP=server.domain.com MP=server.domain.com /logon

What kind of install popup? Can you share more details? The installation should happen in the background.

Yes Prajwal, rightly so; the ConfigMgrInstallation.adm appears but the ConfigMgrAssignment.adm does not appear in the Configuration Manager 2012 folder under Administrative Templates.

Hi Prajwal, I am using Active Directory 2003 and SCCM 2012. I attempted adding the templates but only one appeared (Client Deployment Settings) under the templates. The other, although added, does not appear in the Configuration Manager 2012 folder under Administrative Templates. Any reason why this is so?

Not really sure why the second template is not seen under Administrative Templates. I haven't tried this with AD 2003. Is it that only the first template that you add is seen under Administrative Templates?

Will the /NoService switch work with this method? We are having an issue where without the NoService option the install fails.

Ideally it should work, but I have not tried this option yet. You need to check that the account with which the client installation happens is configured with enough permissions to install the SCCM client. I would recommend using an account which is a member of the Domain Admins group for testing purposes.

It's working now :) I didn't assign the GPO correctly. It was getting user settings but not computer settings. I added the test PC name to the "security filtering" on the GPO and it worked. Thank you for taking the time to help me and for creating this helpful guide :)

No probs Leo. Thank you. :)

Thanks for your help. I'll create a fresh GPO and retest.

No, I do not see that folder.

That means the policy has not been applied and the client package is not copied to the system. You can delete the existing policy, create a new one and check...

Prajwal, yes the location is accessible from the XP machine. I have given Everyone read/write access.

The client package is not getting copied from the source. Do you see the ccmsetup folder under \Windows\?

I have this in the GPO settings: CCMSetup.exe SMSSITECODE=ORG FSP=server.domain.com MP=server.domain.com. Do I need to add the /source at the end pointing to the ccmsetup.exe?

I can see the GPO is applied in gpresult /v but I can't see anything in rsop.msc; nothing in the administrative templates relating to SCCM.

Nope, the command that you are using is the correct one. When you select the deployment method as "Assigned", the software gets installed at the next logon. The source folder where the ccmsetup.msi file is located, is it accessible from the XP machine?

"command CCMSetup.exe SMSSITECODE=IND FSP=SCCM.PRAJWAL.LOCAL MP=CCM.PRAJWAL.LOCAL", is this a typo on the MP? I have followed your guide and my test XP SP3 machine does not get the client installed. Any ideas why? I have KB943729 installed on the test client.

Yes, that was a typo and I have corrected it. On the test machine, has the group policy been applied? Check the RSOP on the client machine once. You need to restart the Windows XP machine once.

I discovered that when reinstalling the OS on an existing machine which previously had a client installed, the client push doesn't install. Any idea why?

Hi Steve, when you do a client push on the client machine, do you see a folder named ccmsetup? The folder path is \Windows\ccmsetup.

Can you give me any reason why I would want to use Group Policy instead of site-wide push?

If you enable the site-wide push then all the machines that are discovered will have the SCCM client installed. Pushing the client using Group Policy is one of the methods to install SCCM clients on systems. I just showed the steps for how you can deploy SCCM clients using GPO.

Boundary Management using SCCM Boundary Report

Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 8 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.

Benoit Lecours

Boundaries and boundary groups in Microsoft Endpoint Configuration Manager play an important role in site assignment, policy, content download and so on. Until boundaries and boundary groups are configured, clients cannot find a site to assign themselves to or a site system to get content from, so this is a basic piece of any SCCM implementation. Configured incorrectly, your clients may get content from the wrong site system, or from none at all.

We created a set of reports to ease your SCCM boundary management. If you’re used to SCCM boundary and their definitions, you can skip the article and jump to the SCCM Boundary Report section.

You can create boundaries of the following types:

  • IP subnet
  • Active Directory site name
  • IPv6 prefix
  • IP address range

For more information about boundaries and boundary groups, refer to the Microsoft documentation.

Starting with SCCM 1610, Microsoft introduced boundary group relationships with fallback options (management point fallback followed in 1802). Fallback lets clients expand their search to additional boundary groups to find an available site system.

Boundary references: (screenshot of the boundary group References tab)

Boundary group relationships: (screenshot of the boundary group Relationships tab)

With so many options for boundaries and boundary groups, validation of site systems, site assignments, fallback options can be a confusing and tedious process.

There are no built-in reports in SCCM for you to monitor the boundary configuration settings. We decided to develop a bundle of reports that help you to identify and monitor the boundary configurations of your SCCM site. This set of SCCM Boundary Report will help you :

  • Quickly identify specific boundary information with its assigned site, site systems and fallback options
  • Troubleshoot content downloads and site assignment issues
  • Track the fallback options for boundaries with its site system names

The bundle contains 2 reports:

  • Configuration Manager – Boundaries: lists all boundaries along with their site assignment and site systems. You can search for a specific site system, boundary type, site system count or boundary display name.

The report parameters are:

  • Site system: key in a site system name
  • Display Name: the display name of the boundary
  • Site system count: the number of site systems assigned to the boundary, e.g. a boundary configured with 2 site systems (MP/DP/SUP/SMP)

If you want to see the boundary group configurations for a specific boundary then, you can click on any boundary that you see in the report. This will open the second boundary report :

As you can see above, the selected boundary is configured with a site system, and fallback options are also configured for it.

The second report (Boundary groups) gives you a list of all boundary groups with their site system names and the fallback options configured (where applicable).
This report is a must if you have lots of boundaries and groups. If you're interested:

  • Download the report file (RDL) from our product page, in the Configuration Manager report section
  • Upload the report to your reporting point and change the data source
  • Run the report

SCCM Site Takeover via Automatic Client Push Installation

Chris Thompson

tl;dr: Require Extended Protection for MSSQL and SMB signing on site database servers. Install hotfix KB15599094 and disable NTLM for client push installation.

While reading SCCM Current Branch Unleashed and stepping through the site installation process, I found something interesting — the primary site server’s domain computer account is required to be a member of the local Administrators group on the site database server.

During site installation, this account is also added to the sysadmins group in the site database.

This means that if:

  1. automatic site assignment and automatic site-wide client push installation are enabled,
  2. fallback to NTLM authentication is enabled (the default),
  3. PKI certificates are not required for client authentication (the default),

and either:

  4a. MSSQL is reachable on the site database server, or
  4b. SMB is reachable and SMB signing isn't required on the site database server,

then SCCM site takeover is possible by coercing NTLM authentication from the site server's computer account, relaying it to the site database server, and using MSSQL statements to grant the Full Administrator SCCM role, giving the attacker complete control of every system in the site.

When I posted about coercing NTLM authentication from SCCM servers last year, I thought that the only way to take over an SCCM site via automatic client push installation was when the WebClient service was running on the site server. In this scenario, it is possible to coerce and relay HTTP NTLM authentication to LDAP to conduct RBCD, Shadow Credentials, or AD CS attacks. This service is not typically installed on Windows Server versions, so I thought it would be fairly uncommon to see in the wild.

However, the required configurations for site takeover may be more common than I previously thought.

By default, when client push installation occurs, the primary site server connects to the remote system over SMB and attempts to authenticate with each configured client push installation account, followed by its own computer account. Computer accounts are typically not members of the local Administrators group on other machines, which is what a useful SMB-to-SMB relay needs, so I didn't pay much attention to this SMB authentication being good for anything other than client takeover, until now.

Knowing that the primary site server’s computer account is a member of the local Administrators group on the site database server means that we can relay coerced SMB authentication for this computer account to SMB or MSSQL on the site database server and grant ourselves privileges over the site.

Not only does the primary site server computer account have to be a member of the local Administrators group on the site database server, but also on every site server hosting the “SMS Provider” role in the hierarchy. If there is a central administration site (CAS) or secondary sites, the site server’s computer account must be an administrator on the site servers and databases there as well. It is also the default account used to install SCCM roles on other servers (e.g., distribution points, software update points, etc.). This may present other opportunities for site or client takeover that I may dive into another time.

SCCM Site Takeover

Attack path diagram, lab configuration.

The attacker host and relay server can be the same system if you have administrator privileges, but for the sake of simplicity for this demonstration, we’re going to use a Linux system on the same network. If you’re using the same system for both the attack and relay, detailed instructions can be found here.

The following demo video depicts the full attack path, including all commands executed on each system. The lab machines are displayed in the same corners of the screen as in the diagram above.

Assumptions and Prerequisites

  • the three-character site code for the SCCM site (e.g., PS1)
  • the NetBIOS name, FQDN, or IP address of a site management point
  • the NetBIOS name, FQDN, or IP address of the site database server
  • that MSSQL is reachable on the site database server

Attack Step by Step

1. On the attacker host, use SharpSCCM to get the hex-formatted SID of the Active Directory user you’d like to grant the Full Administrator role in SCCM:

Update: the get user-sid command was changed to local user-sid since this blog post was published.

2. On the relay server, start ntlmrelayx with SOCKS enabled, targeting the MSSQL service at the IP address of the site database server:

3. On the attacker host, coerce automatic client push installation from the site server, targeting the relay server:

After a few seconds, you should receive an SMB connection on the relay server that is forwarded to the site database server to establish a SOCKS connection:

4. Configure /etc/proxychains4.conf to use port 1080, then proxy mssqlclient to the site database server, using the full name of the computer account displayed by ntlmrelayx and anything for the password:

5. Switch to the site database (named “CM_<site code>” by default):

6. Add the SID, name of the current user, and site code to the RBAC_Admins table:

7. Get the AdminID for the newly added record:

8. Add records to the RBAC_ExtendedPermissions table granting the AdminID the Full Administrator (SMS0001R) RoleID for the “All Objects” scope (SMS00ALL), the “All Systems” scope (SMS00001), and the “All Users and User Groups” scope (SMS00004):

9. Verify your new privileges by querying the WMI provider on the management point:

10. Conduct post-exploitation activities via SCCM with your new privileges (e.g., https://posts.specterops.io/relaying-ntlm-authentication-from-sccm-clients-7dccb8f92867).

Mitigation and Recommendations

  • Install this hotfix, then disable the “Allow connection fallback to NTLM” client push installation setting. These are the only actions needed to prevent the attack technique noted in this blog post. However, this does not prevent NTLM authentication coerced via other means (e.g., via RPC using Coercer by @podalirius_) from being relayed to the site database server, as pointed out by @gladiatx0r.
  • Require Extended Protection on the site database MSSQL service to prevent successful relay of coerced NTLM authentication to the MSSQL service.
  • Require SMB signing on site servers to prevent successful relay of coerced NTLM authentication to the SMB service.
  • Block MSSQL and SMB connections from unnecessary systems to site servers.
  • Use software update-based, group policy-based, or manual client installation instead of automatic site-wide client push installation.
  • Configure the site to require PKI certificates for client authentication. This prevents new client devices from being registered with a self-signed certificate or a PKI certificate that’s already associated with a client.
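The following is an added example, not code from this post or from SharpSCCM: a read-only PowerShell audit a site administrator can run against three of the settings the mitigations above address. It assumes the SMS Provider namespace is root\SMS\site_<code> and that its SMS_Admin class carries a Roles array of RoleIDs (so Full Administrator shows up as SMS0001R); that SMB signing enforcement is readable from Get-SmbServerConfiguration; and that SQL Server stores its Extended Protection setting under the instance's SuperSocketNetLib registry key (0 Off, 1 Allowed, 2 Required). The site code PS1 and the host names CM01 and CMDB01 are placeholders.

```powershell
# Added example (not from the post or SharpSCCM). Read-only audit of who holds
# Full Administrator, whether SMB signing is required, and whether SQL Server
# Extended Protection is required. All class, registry and host names are
# assumptions/placeholders as described in the lead-in; run with admin rights.

# 1. Who holds Full Administrator (RoleID SMS0001R)? Compare the result with the
#    list you expect. The post's step 6 writes only a SID, name and site code into
#    RBAC_Admins, so an entry with no CreatedBy/CreatedDate was not created
#    through the console (assumption: the console populates those columns).
function Get-CMFullAdministrator {
    param([string]$SiteCode = 'PS1', [string]$SmsProvider = 'CM01')
    $ns = "root\SMS\site_$SiteCode"
    Get-WmiObject -ComputerName $SmsProvider -Namespace $ns -Class SMS_Admin |
        ForEach-Object { $_.Get(); $_ } |                 # populate lazy properties
        Where-Object { $_.Roles -contains 'SMS0001R' } |
        Select-Object AdminID, LogonName, AdminSid, SourceSite, CreatedBy, CreatedDate
}

# 2. Is SMB signing required on a site server (here: the site database server)?
#    This is the "Microsoft network server: Digitally sign communications (always)"
#    policy setting, surfaced as RequireSecuritySignature.
function Test-SmbSigningRequired {
    param([string]$Computer = 'CMDB01')
    $cfg = Invoke-Command -ComputerName $Computer -ScriptBlock { Get-SmbServerConfiguration }
    return [bool]$cfg.RequireSecuritySignature
}

# 3. Is Extended Protection set to Required on every SQL Server instance?
function Get-SqlExtendedProtection {
    param([string]$Computer = 'CMDB01')
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        $base  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
        $names = Get-ItemProperty "$base\Instance Names\SQL"      # instance name -> instance ID
        foreach ($p in $names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $key = "$base\$($p.Value)\MSSQLServer\SuperSocketNetLib"
            $raw = (Get-ItemProperty $key -Name ExtendedProtection -ErrorAction SilentlyContinue).ExtendedProtection
            # A missing value behaves like Off, which is the SQL Server default.
            [pscustomobject]@{
                Instance           = $p.Name
                ExtendedProtection = @{ 0 = 'Off'; 1 = 'Allowed'; 2 = 'Required' }[[int]$raw]
            }
        }
    }
}

# Summary run; each finding maps to one bullet in the mitigation list above.
Get-CMFullAdministrator | Format-Table -AutoSize
"SMB signing required on CMDB01: $(Test-SmbSigningRequired)"
Get-SqlExtendedProtection | Format-Table -AutoSize
```

Anything other than Required for Extended Protection and True for SMB signing on the site database server leaves the relay paths in the post open; the Full Administrator list is worth diffing against a known-good copy on a schedule, since a record added straight into the database is exactly what the console view will not flag.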

Detection Guidance

Please refer to the Detection Guidance section at https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8260a .

I’m interested in hearing your experiences testing or administering SCCM environments! Please consider filling out this 10 question survey to assist with further research into SCCM security.

You can find me in the #SCCM channel in the BloodHoundGang Slack and I would love to chat with you. Hit me up there @Mayyhem or on Twitter (@_Mayyhem) with any questions or feedback! Thanks for reading!

Written by Chris Thompson

Adversary Simulation @SpecterOps

All about Microsoft Intune

Peter blogs about Microsoft Intune, Microsoft Intune Suite, Windows Autopilot, Configuration Manager and more

Overlapping Boundaries and ConfigMgr 2012

In ConfigMgr 2007 everybody’s first reaction about overlapping boundaries was “don’t do it!”, but is that the same in ConfigMgr 2012? Well, the answer differs per situation. In this post I will describe the three different situations/scenarios for overlapping boundaries and ConfigMgr 2012.

  • Scenario 1 – Overlapping boundaries for automatic site assignment: NOT supported! The site to which the client will assign is still unpredictable when there are multiple boundary groups that include the current network location of the client (and, of course, the boundary groups are assigned to different sites).
  • Scenario 2 – Overlapping boundaries for content locations: Supported! It enables the client to get a list of all the content locations that are connected with a boundary group that includes the current network location of the client, which creates a sort of fallback scenario.
  • Supported for ConfigMgr 2012 clients. ConfigMgr 2012 clients are able to check the version of the ConfigMgr site and they can’t assign to a ConfigMgr 2007 site.
  • Not supported for ConfigMgr 2007 clients. ConfigMgr 2007 clients are not able to check the version of the ConfigMgr site and they can incorrectly assign to a ConfigMgr 2012 site.

Besides that, it’s almost impossible to avoid overlapping boundaries between the different hierarchies… The only thing that can be done to stop the problems is to stop automatic site assignment for ConfigMgr 2007 clients. This prevents the ConfigMgr 2007 clients from automatically assigning to the wrong site, while the ConfigMgr 2012 clients keep assigning to their own site.

See for more information: http://technet.microsoft.com/en-us/library/gg712679.aspx
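As an added example (not part of Peter's post), here is a PowerShell check for Scenario 1 inside one ConfigMgr 2012 hierarchy: it reports any network location that more than one site-assignment boundary group covers with different sites, both when the same boundary object sits in several groups and when two distinct IP-range boundaries overlap. It assumes the SMS Provider classes SMS_BoundaryGroup (GroupID, Name, DefaultSiteCode, which is empty when the group is not used for site assignment), SMS_BoundaryGroupMembers (GroupID, BoundaryID) and SMS_Boundary (BoundaryID, DisplayName, BoundaryType, Value, where type 3 is an IP range written as "start-end"). The site code PS1 and the provider host CM01 are placeholders.

```powershell
# Added example (not from the post). Finds overlapping site-assignment coverage
# in one hierarchy. Class and property names are assumptions (see lead-in);
# PS1 and CM01 are placeholders.

function ConvertTo-UInt32Address ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip.Trim()).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> little-endian
    return [BitConverter]::ToUInt32($b, 0)
}

function Find-CMSiteAssignmentOverlap {
    param([string]$SiteCode = 'PS1', [string]$Provider = 'CM01')
    $ns      = "root\SMS\site_$SiteCode"
    $groups  = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_BoundaryGroup
    $members = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_BoundaryGroupMembers
    $bounds  = Get-WmiObject -ComputerName $Provider -Namespace $ns -Class SMS_Boundary

    # Only groups with a DefaultSiteCode take part in site assignment.
    $siteOfGroup = @{}
    foreach ($g in $groups) {
        if (-not [string]::IsNullOrEmpty($g.DefaultSiteCode)) { $siteOfGroup[$g.GroupID] = $g.DefaultSiteCode }
    }
    # boundary -> set of sites that would claim a client sitting in it
    $sitesOfBoundary = @{}
    foreach ($m in $members) {
        if (-not $siteOfGroup.ContainsKey($m.GroupID)) { continue }
        if (-not $sitesOfBoundary.ContainsKey($m.BoundaryID)) { $sitesOfBoundary[$m.BoundaryID] = @{} }
        $sitesOfBoundary[$m.BoundaryID][$siteOfGroup[$m.GroupID]] = $true
    }

    # Case A: the same boundary object is in assignment groups of different sites.
    foreach ($b in $bounds) {
        $sites = $sitesOfBoundary[$b.BoundaryID]
        if ($sites -and $sites.Count -gt 1) {
            [pscustomobject]@{ Kind = 'SameBoundary'; Boundaries = $b.DisplayName; Sites = ($sites.Keys -join ', ') }
        }
    }
    # Case B: two different IP-range boundaries overlap and assign to different sites.
    $ranges = @(foreach ($b in $bounds) {
        if ($b.BoundaryType -eq 3 -and $sitesOfBoundary.ContainsKey($b.BoundaryID)) {
            $lo, $hi = $b.Value -split '-'
            [pscustomobject]@{ B = $b; Lo = ConvertTo-UInt32Address $lo; Hi = ConvertTo-UInt32Address $hi }
        }
    })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $x = $ranges[$i]; $y = $ranges[$j]
            if ($x.Lo -le $y.Hi -and $y.Lo -le $x.Hi) {                 # ranges intersect
                $sx = @($sitesOfBoundary[$x.B.BoundaryID].Keys)
                $sy = @($sitesOfBoundary[$y.B.BoundaryID].Keys)
                if (Compare-Object $sx $sy) {                          # and sites differ
                    [pscustomobject]@{
                        Kind       = 'OverlappingRanges'
                        Boundaries = "$($x.B.DisplayName) / $($y.B.DisplayName)"
                        Sites      = (($sx + $sy | Sort-Object -Unique) -join ', ')
                    }
                }
            }
        }
    }
}

Find-CMSiteAssignmentOverlap | Format-Table -AutoSize
```

Overlap between IP subnet or AD site boundaries is not compared here; an empty result means no conflicting IP-range or shared-boundary assignment was found, not that every boundary type was checked. Overlaps between groups that assign to the same site are deliberately not reported, since that is the supported Scenario 2 situation.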

8 thoughts on “Overlapping Boundaries and ConfigMgr 2012”

Thank you for this article, lots of useful information. But I would like to ask a question if I may.

If I have a single boundary in a boundary group with a protected DP, have you ever seen the system not list that DP in the location.log? For some reason I have a few boundary groups that are doing this. This site was using a single boundary group for site assignment, but it also contained all the 2007 converted site servers in that group as content locations. This was causing my clients to pull packages from various corners of the state. Once those were removed and the groups were set to assign their own site settings, this issue started showing up.

Thanks in advance.

No I’ve not seen that specific behavior. Are you still seeing this issue?

We have an SCCM environment and two boundaries defined in it based on our two AD sites. I need to install another SCCM instance in the same domain, which will be used for testing purposes. I have two questions pertaining to this situation: 1. Is it OK to install another SCCM instance in the same domain? Could this new installation use the same “System Management” container (and we just grant the new SCCM server account permission to the existing container)? 2. We have boundaries defined in our existing SCCM based on our two AD sites. Could I define boundaries in the new SCCM environment based on the same AD sites?

We won’t be pushing agents from the new environment on to the machines which have agents reporting to the old environment.

If you’re only manually installing agents for that test environment, you don’t need to do anything with the AD as you can provide the required information during the client installation.

I’m going to do a side by side migration from 2012 to current branch. When I migrate the boundaries, I noticed on the 2012 the site assignment is not checked. I thought I had to uncheck it when I migrate the boundaries to CB to have the clients go to the new site when I upgrade them. Is there a best practice? I’m a noob and nervous.

Hi Anthony, The key is to not have overlapping site assignment configuration. When a boundary exists in both environments, only one should have site assignment configured. Peter

Thank you Peter for the response really helps to know guys like you were out there to help guys like me

So my plan is to migrate the boundaries, remove the site assignment from the old environment, enable it on the new, then upgrade the clients (it’s about 3000 or so) in phases. Does that sound OK?

Hi Anthony, That sounds fine. Site assignment is used during the installation of a client, so for installing clients in the old environment you can still specify the site information in the parameters. Regards, Peter

View, manage, and install add-ins for Excel, PowerPoint, and Word

When you enable an add-in, it adds custom commands and new features to Microsoft 365 programs that help increase your productivity. Because add-ins can be used by attackers to do harm to your computer, you can use add-in security settings to help protect yourself.

Note:  This article only applies to Microsoft 365 applications running on Windows.

View installed add-ins

Screenshot of the add-ins in Office from Home tab.

  1. You can directly install add-ins from this page or select More Add-ins to explore.
  2. In the Office Add-ins dialog, select the My Add-ins tab.
  3. Select an add-in you want to view the details for and right-click to select the Add-in details option.

Add-in categories explained

Active Application Add-ins: Add-ins registered and currently running on your Microsoft 365 program.

Inactive Application Add-ins: These are present on your computer but not currently loaded. For example, XML schemas are active when the document that refers to them is open. Another example is the COM add-in: if a COM add-in is selected, the add-in is active. If the check box is cleared, the add-in is inactive.

Document Related Add-ins: Template files referred to by open documents.

Disabled Application Add-ins: These add-ins are automatically disabled because they are causing Microsoft 365 programs to crash.

Add-in: The title of the add-in.

Publisher: The software developer or organization responsible for creating the add-in.

Compatibility: Look here for any compatibility issues.

Location: This file path indicates where the add-in is installed on your computer.

Description: This text explains the add-in function.

Note:  Microsoft Outlook has one add-in option in the Trust Center: Apply macro security settings to installed add-ins . InfoPath has no security settings for add-ins.

Permanently disable or remove an add-in

To disable or remove an add-in, follow these steps:

  1. Select File > Get Add-ins. Alternatively, you can select Home > Add-ins.
  2. In the Office Add-ins dialog, select the My Add-ins tab.
  3. Select an add-in you want to remove and right-click to select the Remove option.

View or change add-in settings

You can see and change add-in settings in the Trust Center, descriptions of which are in the following section. Add-in security settings may have been determined by your organization so not all options may be available to change.

  1. Select File > Get Add-ins.
  2. Select More Add-ins > Manage My Add-ins.
  3. Select Trust Center > Trust Center Settings > Add-ins.
  4. Check or uncheck the boxes you want.

Add-in settings explained

Require Application Add-ins to be signed by Trusted Publisher: Check this box to have the Trust Center check that the add-in uses a publisher's trusted signature. If the publisher's signature hasn’t been trusted, the Microsoft 365 program doesn’t load the add-in, and the Trust Bar displays a notification that the add-in has been disabled.

Disable notification for unsigned add-ins (code will remain disabled): When you check the Require Application Extensions to be signed by Trusted Publisher box, this option is no longer grayed out. Add-ins signed by a trusted publisher are enabled, but unsigned add-ins are disabled.

Disable all Application Add-ins (may impair functionality): Check this box if you don't trust any add-ins. All add-ins are disabled without any notification, and the other add-in boxes are grayed out.

Note:  This setting takes effect after you exit and restart your Microsoft 365 program.

While working with add-ins, you may need to learn more about digital signatures and certificates , which authenticate an add-in, and trusted publishers , the software developers who often create add-ins.

Manage and install add-ins

Use the following instruction to manage and install add-ins.

To install a new add-in:

  1. You can directly install popular add-ins on the page or go to More Add-ins to explore.
  2. Select the add-in and select Add. Or browse by selecting the Store tab in the Office add-in dialog to find other add-ins to install and select Add for that add-in.

To manage your add-ins:

  1. Select File > Get Add-ins and from the bottom, select More Add-ins. Or select Home > Add-ins > More add-ins.
  2. In the Office dialog, select the My Add-ins tab. If you are not able to see your add-ins, select Refresh to reload your add-ins.
  3. Select Manage My Add-in to manage, and select Upload to browse and add an add-in from your device.

How to cancel a purchased add-in

If you've subscribed to an add-in through the Microsoft 365 Store that you don't want to continue, you can cancel that subscription.

  1. Open the Microsoft 365 application and go to the Home tab of the ribbon.
  2. Select Add-ins and then select More Add-ins > My Add-ins tab to view your existing add-ins.
  3. Select the app you want to cancel and select Manage My Add-ins.
  4. Under the Payment and Billing section choose Cancel Subscription.
  5. Select OK and then Continue.

Once that's complete you should see a message that says "You have cancelled your app subscription" in the comments field of your apps list.

Why is my add-in crashing?

Some add-ins might not be compatible with your organization's IT department policies. If that is the case with add-ins recently installed on your Microsoft 365 program, Data Execution Prevention (DEP) will disable the add-in and the program might crash.

Taking linked notes

If you're looking for Help on linking notes in OneNote to a Word or PowerPoint document, see Take linked notes .

Excel Windows Add-ins

If you're looking for Help on specific Excel Add-ins, such as Solver or Inquire, see Help for Excel for Windows add-ins .

If you're looking for additional help with Excel add-ins using the COM Add-ins dialog box, see Add or remove add-ins in Excel .

How clients find site resources and services

Applies to: Configuration Manager (current branch)

Configuration Manager clients use a process called service location to locate site system servers. Clients can communicate with these servers and they provide services that clients can use. To better configure your sites to successfully support client tasks, you need to understand how and when clients use service location to find site resources. These configurations can require the site to interact with domain and network configurations like Active Directory Domain Services and DNS. They can also require you to configure more complex alternatives.

Some examples of site system roles that provide services include:

  • The core site system server for clients.
  • The management point.
  • Other site system servers that the client can communicate with, like distribution points and software update points.

Fundamentals of service location

When a client uses service location to find a management point to communicate with, it evaluates the following aspects:

  • Current network location
  • Communication protocol preference
  • Assigned site

Client communication with a management point

A client communicates with a management point (MP) to:

  • Download information about other management points for the site. It then builds a list of known management points for future service location cycles. This list is also known as the MP list.
  • Upload configuration details, like inventory and status.
  • Download a policy that sets configurations on the client, informs it of software to install, and other related tasks.
  • Request information about other site system roles that provide services that the client can use. For example, distribution points for software that the client can install, or a software update point for metadata about software updates.

Client service location requests

A Configuration Manager client makes a service location request:

  • Every 25 hours of continuous operation.
  • When the client detects a change in its network configuration or location.
  • When the ccmexec.exe service on the computer starts. This Windows service is the core client service.
  • When the client needs to locate a site system role that provides a required service.

Client requests for site system roles

When a client attempts to find servers that host roles, it uses service location. It tries to find a role that supports its communication protocol, either HTTP or HTTPS. By default, clients use the most secure method available to them.

To use HTTPS, you need a public key infrastructure (PKI) and install PKI certificates on clients and servers. For more information, see PKI certificate requirements for Configuration Manager.

For roles that use IIS and support client communication, you configure them for HTTP or HTTPS. If you use HTTP, also consider signing and encryption choices. For more information, see Planning for signing and encryption.

Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure the site for HTTPS or Enhanced HTTP. For more information, see Enable the site for HTTPS-only or enhanced HTTP.

Determine assigned management point

Primary sites support multiple management points. Each client independently identifies a management point as its default. When a client first assigns to a primary site, it selects its default management point. This default management point then becomes that client's assigned management point.

You can use client installation properties to set the assigned management point for a client. For more information, see Client installation properties.

A client selects a management point to communicate with based on the client's current network location and boundary group configurations. Even though it has an assigned management point, this server may not be the management point that the client uses.

A client always uses the assigned management point for registration messages and certain policy messages. This behavior happens even when other communications are sent to a proxy or local management point.

You can use preferred management points. Preferred management points are management points from a client's assigned site that are associated with a boundary group that the client uses to find site system servers. A preferred management point's association with a boundary group is similar to how distribution points or state migration points are associated with a boundary group. If you enable preferred management points for the hierarchy, when a client uses a management point from its assigned site, it tries to use a preferred management point before using other management points from its assigned site.

You can configure management point affinity with a registry key configuration on the client. Management point affinity overrides the default behavior for assigned management points and lets the client use one or more specific management points. For more information, see this blog post from a Microsoft Premier engineer.

Each time a client needs to contact a management point, it first checks the MP list . The client creates an initial MP list when it installs. The client then periodically updates the list with details about each management point in the hierarchy.

When the client can't find a valid management point in its MP list, it searches the service location sources. It uses the following sources in order, until it finds a management point that it can use:

  • Management point
  • Active Directory Domain Services (AD DS)

After a client successfully locates and contacts a management point, it downloads the current list of available management points. It then updates its own local MP list.

This process is the same for all clients. For example, when a Configuration Manager client that's on the internet connects to an internet-based management point, the management point sends that client a list of available internet-based management points. A client that's not on the internet only gets a list of internal management points.

The MP list

The MP list is the preferred service location source for a client. It's a prioritized list of management points that the client previously identified. The client sorts its MP list based on its current network location. It stores the list locally in WMI.

Build the initial MP list

During installation of the client, the client uses the following rules to build its initial MP list:

  1. Include management points specified during client installation. For example, when you use the SMSMP property or /mp parameter.
  2. Query AD DS for published management points. The client identifies management points from AD DS that are in its assigned site and the same product version.
  3. If it doesn't get any management points from the first two rules, the client checks DNS for published management points.

MP list categories

Clients organize their list of management points by using the following categories:

Proxy : A management point at a secondary site.

Local : Any management point that's associated with the client's current network location, as defined by site boundaries.

When a client belongs to more than one boundary group, it determines the list of local management points from the union of all boundaries that include the current network location of the client.

Local management points are typically a subset of a client's assigned management points, unless the client is in a network location that's associated with another site with management points servicing its boundary groups.

Assigned : Any management point that's in the client's assigned site.

You can use preferred management points. Management points at a site that aren't associated with a boundary group, or that aren't in a boundary group associated with a client's current network location, aren't considered preferred. The client uses these management points when it can't find an available preferred management point.

Select a management point to use

For typical communications, a client tries to use a management point in the following order, based on the client's network location: proxy, local, then assigned.

The client always uses the assigned management point for registration messages and certain policy messages. This behavior happens even when it sends other communication to a proxy or local management point.

Within each category, the client attempts to use a management point based on preferences, in the following order:

  • HTTPS-capable in a trusted or local forest
  • HTTPS-capable not in a trusted or local forest
  • HTTP-capable in a trusted or local forest
  • HTTP-capable not in a trusted or local forest

From the set of management points sorted by preference, the client attempts to use the first management point on the list. This sorted list of management points is otherwise randomized and can't be ordered any further. The order of the list can change each time the client updates its MP list.

When a client can't contact the first management point, it tries each successive management point on its list. It tries each preferred management point in the category before trying the non-preferred management points. If a client can't successfully communicate with any management point in the category, it attempts to contact a preferred management point from the next category, until it finds a management point to use.

After a client establishes communication with a management point, it continues to use that same management point until:

  • The client is unable to communicate with the management point for five attempts over a period of 10 minutes.

The client then randomly selects a new management point to use.
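The selection rules above compose several sort keys, which is easier to see in code. The following is an added example, not Microsoft's client code: a PowerShell model of the ordering run over a constructed MP list, plus the five-failures-in-ten-minutes failover test. It assumes the categories are tried proxy, local, then assigned, that within a category preferred management points come before non-preferred ones and the protocol/forest preference is applied after that, and that ties are random. The real client keeps its list in WMI (assumed namespace root\ccm\LocationServices), which this model does not read.

```powershell
# Added example (not Microsoft's code): model of the management point selection
# order, run over a constructed list. Ordering assumptions are stated in the
# lead-in; host names are made up.

$CategoryRank = @{ Proxy = 0; Local = 1; Assigned = 2 }

function Get-MPProtocolRank {
    param([pscustomobject]$Mp)
    # 0 HTTPS in trusted/local forest, 1 HTTPS elsewhere, 2 HTTP trusted/local, 3 HTTP elsewhere
    $rank = 0
    if ($Mp.Protocol -ne 'HTTPS') { $rank += 2 }
    if (-not $Mp.TrustedForest)  { $rank += 1 }
    return $rank
}

function Get-MPTryOrder {
    param([pscustomobject[]]$MpList)
    # Keys in priority order: category, preferred before non-preferred ($false sorts
    # first), protocol/forest preference, then a random key because the doc says
    # the remaining order is randomized and changes whenever the MP list is rebuilt.
    $MpList | Sort-Object `
        @{ Expression = { $CategoryRank[$_.Category] } },
        @{ Expression = { -not $_.Preferred } },
        @{ Expression = { Get-MPProtocolRank $_ } },
        @{ Expression = { Get-Random } }
}

function Test-MPFailover {
    param([datetime[]]$FailureTimes, [datetime]$Now = (Get-Date))
    # Five failed attempts inside a 10-minute window: the client drops the current
    # management point and selects a new one at random.
    $recent = @($FailureTimes | Where-Object { $_ -gt $Now.AddMinutes(-10) })
    return ($recent.Count -ge 5)
}

# Constructed sample list (not real hosts).
$sample = @(
    [pscustomobject]@{ Name = 'MP1.corp.example'; Category = 'Assigned'; Preferred = $true;  Protocol = 'HTTPS'; TrustedForest = $true  },
    [pscustomobject]@{ Name = 'MP2.corp.example'; Category = 'Local';    Preferred = $false; Protocol = 'HTTP';  TrustedForest = $true  },
    [pscustomobject]@{ Name = 'MP3.corp.example'; Category = 'Local';    Preferred = $true;  Protocol = 'HTTP';  TrustedForest = $true  },
    [pscustomobject]@{ Name = 'MP4.ext.example';  Category = 'Local';    Preferred = $true;  Protocol = 'HTTPS'; TrustedForest = $false },
    [pscustomobject]@{ Name = 'MP5.corp.example'; Category = 'Proxy';    Preferred = $false; Protocol = 'HTTPS'; TrustedForest = $true  }
)
Get-MPTryOrder $sample | Format-Table Name, Category, Preferred, Protocol, TrustedForest

# Four failures spread over 25 minutes do not trigger failover; five within 10 minutes do.
$now = Get-Date
Test-MPFailover -FailureTimes @($now.AddMinutes(-25), $now.AddMinutes(-8), $now.AddMinutes(-5), $now.AddMinutes(-1)) -Now $now
Test-MPFailover -FailureTimes @(0..4 | ForEach-Object { $now.AddMinutes(-$_) }) -Now $now
```

The point of the model is that a preferred HTTP-only management point in the client's boundary group still loses to a preferred HTTPS one in the same category, while any local management point beats the assigned one for ordinary traffic, which is why an HTTP-only site system left in a boundary group keeps receiving client connections.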

Active Directory

Domain-joined clients can use AD DS for service location. This behavior requires sites to publish data to Active Directory.

A client can use AD DS for service location when all the following conditions are true:

  • You extended the Active Directory schema.
  • You configured the Active Directory forest for publishing, and you configured the Configuration Manager site to publish.
  • The client computer is a member of an Active Directory domain and can access a global catalog server.

If a client can't find a management point to use for service location from AD DS, it attempts to use DNS.

Clients on the intranet can use DNS for service location. This behavior requires at least one site in a hierarchy to publish information about management points to DNS.

Consider using DNS for service location when any of the following conditions are true:

  • You haven't extended the AD DS schema to support Configuration Manager.
  • Clients on the intranet are in a forest that you haven't enabled for Configuration Manager publishing.
  • You have clients on workgroup computers, and you haven't configured those clients for internet-only client management. A workgroup client configured for the internet communicates only with internet-facing management points and won't use DNS for service location.

You can configure clients to find management points from DNS.

When a site publishes service location records for management points to DNS:

  • Publishing is applicable only to management points that accept client connections from the intranet.
  • Publishing adds a service location resource record (SRV RR) in the DNS zone of the management point server. That server needs a corresponding host entry in DNS.
  • By default, domain-joined clients search DNS for management point records from the client's local domain. You can configure a client installation property to specify another domain suffix.

For more information, see How to configure client computers to find management points by using DNS publishing.

Publish management points to DNS

To publish management points to DNS, the following two conditions must be true:

  • Your DNS servers support service location resource records, by using a version of BIND that's at least 8.1.2.
  • The specified intranet FQDNs for the management points in Configuration Manager have host entries (A records) in DNS.

Configuration Manager DNS publishing doesn't support a disjointed namespace. If you have a disjointed namespace, you can manually publish management points to DNS. You can also use one of the other service location methods.

DNS configuration scenarios

The DNS server supports automatic updates

You can configure Configuration Manager to automatically publish management points on the intranet to DNS, or you can manually publish these records to DNS. When Configuration Manager publishes management points to DNS, it adds their intranet FQDN and port number in the service location (SRV) record. You configure DNS publishing in the site's Management Point Component Properties. For more information, see Site components - Management point.

The DNS zone is set to "Secure only" for dynamic updates

With default permissions, only the first management point can successfully publish to DNS.

If only one management point can successfully publish and change its DNS record, clients can get the full MP list from that management point. As long as that one published management point is healthy, clients can then find their preferred management point.

The DNS server doesn't support automatic updates but supports service location records

In this scenario, manually publish management points to DNS. Manually configure the service location resource record (SRV RR). Configuration Manager supports RFC 2782 for service location records. These records have the following format: _Service._Protocol.Name TTL Class SRV Priority Weight Port Target

To publish a management point to Configuration Manager, specify the following values:

  • _Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz
  • _Protocol: _tcp
  • Name: Specify the DNS suffix of the management point, for example contoso.com
  • TTL: Use 14400 for four hours.
  • Class: Specify IN for RFC 1035.
  • Priority: Configuration Manager doesn't use this field.
  • Weight: Configuration Manager doesn't use this field.
  • Port: Specify the port number that the management point uses. For example, 443 by default for HTTPS.
  • Target: Specify the intranet FQDN of the site system server with the management point role.

Configure Windows Server DNS

If you use Windows Server DNS, use the following procedures to enter this DNS record for intranet management points.

Configure automatic publishing for a site

In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.

Select the site to configure publishing. In the ribbon, select Configure Site Components and choose Management Point.

Select the management points that you want to publish. This selection applies to publishing for AD DS and DNS.

Enable the option to Publish selected intranet management points in DNS.

Manually publish management points to DNS on Windows Server

In the DNS management console, select the DNS zone for the management point computer.

Verify that there's a host record (A or AAAA) for the intranet FQDN of the site system. If this record doesn't exist, create it.

Select New Other Records, choose Service Location (SRV), and then choose Create Record.

Specify the following information, and then select Done:

  • Domain: If necessary, enter the DNS suffix of the management point, for example contoso.com.
  • Service: _mssms_mp_<sitecode>. For example, _mssms_mp_xyz
  • Protocol: _tcp
  • Host offering this service: Specify the intranet FQDN of the site system server with the management point role.

Repeat these steps for each management point on the intranet that you want to publish to DNS.
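The following Python helper is an added example, not code from the Microsoft documentation reproduced above. It covers both the RFC 2782 field list and the manual Windows Server procedure: it builds the `_mssms_mp_<sitecode>._tcp.<suffix>` record from the fields the page lists, parses a zone-file line back into those fields (rejecting a wrong protocol, class, type or port), and runs the two pre-publication checks the page names, namely a well-formed SRV record and a host (A/AAAA) entry for the target. The site code `XYZ`, zone `contoso.com`, host names `mp01.contoso.com`/`mp02.contoso.com` and the address table are constructed sample values; the in-memory host table stands in for a real DNS lookup so the check runs offline.

```python
"""Build, parse and sanity-check the RFC 2782 SRV record that Configuration
Manager clients look for: _mssms_mp_<sitecode>._tcp.<suffix>."""
import re
from dataclasses import dataclass

# A hostname label per RFC 1035: alphanumerics and hyphens, no edge hyphens.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_SERVICE_PREFIX = "_mssms_mp_"


@dataclass(frozen=True)
class MpSrvRecord:
    """One management point service location record, field for field as listed above."""
    site_code: str     # ConfigMgr site code (three alphanumerics), e.g. "XYZ" (constructed)
    dns_suffix: str    # Name: DNS suffix of the management point, e.g. contoso.com
    target_fqdn: str   # Target: intranet FQDN of the site system with the MP role
    port: int = 443    # Port: 443 for HTTPS by default
    ttl: int = 14400   # TTL: four hours

    @property
    def owner_name(self) -> str:
        """_Service._Protocol.Name, the name clients query."""
        return f"{_SERVICE_PREFIX}{self.site_code.lower()}._tcp.{self.dns_suffix.lower()}"

    def zone_line(self) -> str:
        """Zone-file form. Priority and Weight are unused by ConfigMgr, so publish 0 0."""
        return (f"{self.owner_name}. {self.ttl} IN SRV 0 0 {self.port} "
                f"{self.target_fqdn.lower()}.")


def _normalize_fqdn(name: str) -> str:
    """Lower-case, drop the trailing dot, and reject names with a bad label."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid FQDN: {name!r}")
    return name


def parse_zone_line(line: str) -> MpSrvRecord:
    """Parse '_Service._Protocol.Name TTL Class SRV Priority Weight Port Target'
    and reject anything a Configuration Manager client would not look for."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError("expected 8 fields: owner TTL class SRV priority weight port target")
    owner, ttl, rr_class, rr_type, _priority, _weight, port, target = fields
    labels = owner.rstrip(".").lower().split(".")
    if len(labels) < 4 or not labels[0].startswith(_SERVICE_PREFIX) or labels[1] != "_tcp":
        raise ValueError(f"owner must be _mssms_mp_<sitecode>._tcp.<suffix>, got {owner!r}")
    site_code = labels[0][len(_SERVICE_PREFIX):]
    if len(site_code) != 3 or not site_code.isalnum():
        raise ValueError(f"site code must be three alphanumerics, got {site_code!r}")
    if rr_class.upper() != "IN" or rr_type.upper() != "SRV":
        raise ValueError(f"expected class IN and type SRV, got {rr_class} {rr_type}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return MpSrvRecord(site_code=site_code.upper(),
                       dns_suffix=_normalize_fqdn(".".join(labels[2:])),
                       target_fqdn=_normalize_fqdn(target),
                       port=port_num, ttl=int(ttl))


def check_publication(record: MpSrvRecord, host_records: dict) -> list:
    """Return the problems that would keep clients from using this record.

    host_records maps lower-case FQDNs to their A/AAAA addresses and stands in
    for a DNS lookup so the check runs offline. An empty list means the record
    is well formed and its target has the host entry the page requires."""
    findings = []
    try:
        parse_zone_line(record.zone_line())
    except ValueError as exc:
        findings.append(f"malformed record: {exc}")
    if not host_records.get(record.target_fqdn.lower()):
        findings.append(f"no A/AAAA record for target {record.target_fqdn}")
    if record.port not in (80, 443):
        findings.append(f"port {record.port} is not 80 or 443; confirm the MP listens there")
    return findings


if __name__ == "__main__":
    # Constructed sample: site XYZ, zone contoso.com, only mp01 has a host record.
    sample_hosts = {"mp01.contoso.com": ["10.0.0.5"]}
    for target in ("mp01.contoso.com", "mp02.contoso.com"):
        rec = MpSrvRecord("XYZ", "contoso.com", target)
        print(rec.zone_line())
        print("  findings:", check_publication(rec, sample_hosts) or "none")
```

Run it before creating the record in the DNS console: the printed zone line is the exact owner name, TTL, class, port and target to enter, and a non-empty findings list means the host entry from step two of the manual procedure is still missing. The parser is also handy for auditing records that were published earlier, since a record under `_udp` or with a wrong class is silently ignored by clients rather than reported.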
