{"id":216,"date":"2021-09-01T13:18:34","date_gmt":"2021-09-01T17:18:34","guid":{"rendered":"https:\/\/www.anthonyfontanez.com\/?p=216"},"modified":"2021-09-05T15:56:34","modified_gmt":"2021-09-05T19:56:34","slug":"configmgr-client-deployment-via-software-update","status":"publish","type":"post","link":"https:\/\/anthonyfontanez.com\/index.php\/2021\/09\/01\/configmgr-client-deployment-via-software-update\/","title":{"rendered":"ConfigMgr Client Deployment via Software Update"},"content":{"rendered":"\n

Hey folks, here with a quick post today in response to a question about ConfigMgr client deployment in the WinAdmins Community<\/a> the other day. The question was posed in regards to alternative ways to deploy the CM client without using Client Push, because Client Push is bad and no one should use it for various reasons. The common answer is to use some form of startup script, such as the ConfigMgr Client Health Script<\/a> by Anders R\u00f8dland, or the ConfigMgr Client Startup Script<\/a> by Jason Sandys. However, there’s another method that can be used in environments where using scripts like this is not desirable for one reason or another: software update based client deployment. Microsoft documents this use here<\/a>, however, I feel that their method could be made a bit more flexible.<\/p>\n\n\n\n

WARNING: This post will go over directly setting registry items that are normally configured via Group Policy administrative templates, which may or not be 100% supported. It works it theory and in practice, but be forewarned, your mileage may vary, etc.<\/em><\/p>\n\n\n\n

Prerequisites<\/h2>\n\n\n\n

<\/p>\n\n\n\n

  • At least one active Software Update Point in your ConfigMgr site<\/li>
  • Updates classification enabled in SUP configuration<\/li>
  • Software update based client installation option enabled<\/li>
  • ConfigMgr site published to Active Directory
    • Since software update based deployment does not support custom installation parameters, it must be able to discover the CM site information from AD<\/li><\/ul><\/li><\/ul>\n\n\n\n

      Configuration<\/h2>\n\n\n\n

      <\/p>\n\n\n\n

      Microsoft’s recommendation is to configure a Group Policy Object using the Windows Update admin template, similar to the following:<\/p>\n\n\n\n

      \"\"
      Specify intranet Microsoft update service location<\/figcaption><\/figure><\/div>\n\n\n\n

      This seems pretty simple, but now you need to think about where it is linked. This setting should not<\/strong> be configured via Group Policy on CM-managed clients, so we need a way for it to no longer apply once the client is installed. Aha, I’ll use a WMI filter!<\/p>\n\n\n\n

      select Name from Win32_service where Name = 'ccmexec'<\/pre><\/div>\n\n\n\n
      But that will filter on computers with the service, not without, and I don’t think it’s quick and easy to make a “not” version of that query. Welcome to the stage, Group Policy Preferences, and Item Level Targeting!<\/p>\n\n\n\n
      Instead of using the admin template, create 3 new computer registry preferences, as follows (replace “https:\/\/CM-SUP.ad.domain.tld:8531” with your top-level Software Update Point URL):<\/p>\n\n\n\n
      Hive:       HKLM\nKey Path:   SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\nValue Name: WUServer\nValue Type: String\nValue Data: https:\/\/CM-SUP.ad.domain.tld:8531\n\nHive:       HKLM\nKey Path:   SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\nValue Name: WUStatusServer\nValue Type: String\nValue Data: https:\/\/CM-SUP.ad.domain.tld:8531\n\nHive:       HKLM\nKey Path:   SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\nValue Name: UseWUServer\nValue Type: DWORD\nValue Data: 1<\/pre><\/div>\n\n\n\n
      \"\"
      Example configuration of WUServer value<\/figcaption><\/figure><\/div>\n\n\n\n
      Next, configure each of these preferences with Item Level Targeting:<\/p>\n\n\n\n
      Item Type:    Registry Match\nItem Options: Is Not\nMatch Type:   Key Exists\nHive:         HKEY_LOCAL_MACHINE\nKey Path:     SYSTEM\\CurrentControlSet\\Services\\CcmExec<\/pre><\/div>\n\n\n\n
      \"\"
      Targeting Editor<\/figcaption><\/figure><\/div>\n\n\n\n
      Once this GPO is configured, link it to an OU containing computer objects that you want to target, and when they next scan for updates, they will only be offered the ConfigMgr client, and become managed!<\/p>\n\n\n\n
      \"\"
      Windows Server 2022 Core host scanning against SUP to install the CM Client<\/figcaption><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"
      Hey folks, here with a quick post today in response to a question about ConfigMgr client deployment in the WinAdmins Community the other day. The<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8],"tags":[4],"class_list":["post-216","post","type-post","status-publish","format-standard","hentry","category-configmgr","tag-configmgr"],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/comments?post=216"}],"version-history":[{"count":13,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/216\/revisions"}],"predecessor-version":[{"id":242,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/216\/revisions\/242"}],"wp:attachment":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/media?parent=216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/categories?post=216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/tags?post=216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}