Monday, August 4, 2008

SCCM 2007 client agent deployment using Software updates

SCCM 2007 has a new client deployment method called Software update point based client installation. The idea behind it is to publish the SCCM 2007 client as a critical update, which, as the name suggests, is then installed from the Software update point. Most of you will probably know that Software Update management in SCCM 2007 integrates with WSUS 3.0. SCCM 2007 relies on WSUS to synchronize the catalog and to scan clients, but that's food for another post.
Why?

Why does SCCM 2007 require a new installation method? What was wrong with the previous installation methods we had in SMS 2003? To be honest, not much, but they all had their drawbacks. Let's have a look at each of the installation methods and their drawbacks before we continue and see what Software update point based installation has in store for us.

Manual installation: This installation method lacks automation and requires the end-user to be a local administrator on the machine, which is obviously a big no-no security-wise.

Login script installation: Suffers from the same security issue as manual installation and is consequently a no-go.

Software Distribution based installation: Good installation method, but this is often a chicken-or-egg kind of problem: you already need to have a software distribution mechanism out there for this to work.

Client Push Installation (Wizard): Great installation method but it has some requirements that could prove to be problematic in a real secure environment. It requires remote local admin privileges which is usually fine. But it also requires remote registry and access to the admin$ share. A secure environment should have file and print sharing disabled on desktops or laptops, or at the very least have them blocked by a personal firewall.

GPO based installation: Nice installation method with very modest requirements on the machine to be installed, but it suffers from its own drawbacks. The main problem with GPO based installation is that it is end-user driven. GPO software installation only happens at logon or after a restart. Both events normally only happen after the end-user has given their user name and password or powered on the machine. If you have pesky users that just close their laptop lid in the evening and open it back up the next morning, then you're out of luck with GPOs. With today's more stable operating systems like Windows XP and Windows Vista, it could take a pretty long time before the machine actually needs to be rebooted on the LAN.

Software update based client installation: Superb installation method that mixes the benefits of GPO based installation with those of software distribution based installation. In other words, it has pretty low requirements on the target machine, even lower than software distribution based installation, as it does not require a software distribution solution in place and doesn't require the target machine to be in Active Directory. (You'll need a different way than adm templates to set the registry keys though.) On top of that, it offers a schedule based installation, which eliminates the end-user initiated drawback of GPOs. By the way, if you install a newer version of the SCCM 2007 beta or install a service pack after RTM, you will be able to update your publication so that you can use this method to easily upgrade your existing install base to the new version.


How?

How do you get this to work? Remarkably easy actually.

STEP 1 Configure the Windows Update agent GPO:

Open a GPO
Go to Computer configuration\Windows Components\Windows Update
Configure the "Configure automatic updates" option: set it to auto download and schedule the install
Choose your own schedule
Configure the "Specify intranet Microsoft update service location" option
Configure both options with the value http://Wsusserver

STEP 2 Import the SCCM-2007 adm template:

Download the adm template to configure SCCM 2007 client installation command line parameters: http://www.blogcastrepository.com/files/folders/documents/entry15469.aspx
Open a GPO
In Computer Configuration Right-click on Administrative templates
Browse to the SCCM-2007 and add the template.
Go to Computer configuration\Windows Components\SCCM 2007\Software Update point client installation
Configure the command line with the parameters you want.

STEP 3 Publish the SCCM 2007 client (As documented in the SCCM 2007 help file)


To publish the Configuration Manager 2007 client to the WSUS server:


1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / / Site Settings / Client Installation Methods.
2. Right-click Software Update Point Client Installation, and click Properties.
3. To enable client installation, select the Enable Software Update Point Client Installation check box.
4. If the client software on the Configuration Manager 2007 site server is newer than that stored on the software update point, the Upgrade Client Package Version dialog box will open. You should click Yes in this dialog box to publish the most recent version of the client software to the software update point.
5. To finish configuring the software update point client installation, click OK.
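
To confirm on a client that the Windows Update agent settings from STEP 1 actually arrived, the policy values can be audited from the registry. The following PowerShell is an added example, not part of the original post or of SCCM; it uses the standard Windows Update Agent policy value names, and the function names and the sample data are made up for illustration.

```powershell
# Added example: audit the Windows Update policy values that STEP 1 sets.
function Get-WUPolicy {
    # Read the live policy; returns $null when no Windows Update policy exists.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $wu)) { return $null }
    $base = Get-ItemProperty -Path $wu
    $au   = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    @{
        WUServer             = $base.WUServer
        WUStatusServer       = $base.WUStatusServer
        UseWUServer          = $au.UseWUServer
        AUOptions            = $au.AUOptions
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
    }
}

function Test-WUPolicy {
    # Compare a policy hashtable with the expected WSUS URL; returns a list of findings.
    param([hashtable]$Policy, [string]$ExpectedServer)
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($Policy[$name] -ne $ExpectedServer) {
            $findings += "$name is '$($Policy[$name])', expected '$ExpectedServer'"
        }
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the intranet server setting is ignored'
    }
    if ($Policy.AUOptions -ne 4) {
        $findings += "AUOptions is '$($Policy.AUOptions)'; 4 means auto download and schedule the install"
    } elseif ($null -eq $Policy.ScheduledInstallDay -or $null -eq $Policy.ScheduledInstallTime) {
        $findings += 'AUOptions is 4 but no install day/time is set'
    }
    if ("$($Policy.WUServer)" -like 'http://*') {
        $findings += 'WUServer uses plain HTTP; use an https:// URL if the WSUS server is configured for SSL'
    }
    return $findings
}

# Constructed sample: a client where the GPO applied only partially.
$sample = @{ WUServer = 'http://Wsusserver'; WUStatusServer = 'http://Wsussrv'
             UseWUServer = 1; AUOptions = 3 }
Test-WUPolicy -Policy $sample -ExpectedServer 'http://Wsusserver'

# On a real client, audit the live registry instead:
$live = Get-WUPolicy
if ($live) { Test-WUPolicy -Policy $live -ExpectedServer 'http://Wsusserver' }
```

An empty result means the values match STEP 1; for machines outside Active Directory, the same value names are the ones to set by other means.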

Happy Client Deployment
Paddy,
