In my earlier post, we saw how to manage workgroup computers using SCCM (ConfigMgr) 2007: http://www.windows-noob.com/forums/index.php?/topic/2029-managing-workgroup-computers-in-sccm-sms-environment/
In this blog post, we are going to see how to manage workgroup/DMZ computers using SCCM (ConfigMgr) 2012. This procedure involves working with the lmhosts and hosts files on workgroup computers.
For some reason, I find that the TechNet documentation is not very clear on how to manage workgroup computers: http://technet.microsoft.com/en-us/library/bb680962.aspx. The TechNet document illustrates the overall procedure, but not in detail.
Before we jump into the details of updating the lmhosts and other files, let's have a look at workgroup limitations, site assignment, approval, etc.
There are some limitations when managing workgroup computers, listed below:
- Workgroup clients cannot locate management points from AD and instead we must use DNS, WINS or another Management Point.
- Global Roaming is not supported because clients cannot query AD for site information.
- AD discovery cannot discover computers in workgroups.
- You cannot deploy software to users of Workgroup computers.
- You cannot use client push installation method to install client on workgroup computers.
- Workgroup clients cannot use Kerberos for authentication so might require manual approval.
- A workgroup client cannot be configured as a Distribution Point. SCCM 2012 requires that distribution point computers be members of a domain.
- After you install the client, it must join a ConfigMgr primary site before it can be managed. The site that a client joins is referred to as its assigned site.
- Clients cannot be assigned to a CAS or a secondary site.
- A client is considered to be unmanaged when it is installed but not assigned to a site, or is assigned to a site but cannot communicate with a Management Point.
Manual vs. auto assignment:
- Auto assignment will not work for workgroup clients.
- To manually assign workgroup clients, the SMSSITECODE installation property must be used:
- Ccmsetup.exe SMSSITECODE=PRI SMSMP=cm12pri.eskonr.com
- Use the SMSMP property to specify the management point, or use DNSSUFFIX so that clients automatically locate the MP from DNS:
- Ccmsetup.exe SMSSITECODE=PRI DNSSUFFIX=eskonr.com
- You can either choose to approve all clients automatically (not recommended) or manually approve each workgroup client; this is set in the site settings properties.
Software/application deployment to workgroup clients:
- Set up a Network Access Account.
- If boundaries and boundary groups are configured properly, clients can automatically locate Distribution Points.
- If boundaries and boundary groups are not configured, you should set the deployment option:
- Package properties: Deployment option: download content from DP and run locally, which means all these clients will fall under SLOW.
Note: The above information is captured from Taj Mohammed's (Microsoft) session.
Before installing the SCCM client on workgroup machines, we need to do some configuration on the workgroup/DMZ computer.
If you have managed to get a workgroup computer working with SCCM 2007, you will find the steps in this blog post more or less the same.
Do the steps below on the workgroup machine.
Disable the firewall or, if you don't want to disable it, allow the required ports http://technet.microsoft.com/en-us/library/hh427328.aspx (mainly add the ccmhttp and WSUS ports to the inbound rules).
For workgroup clients to communicate with the SCCM server (MP, DP, SUP, etc.), you need to work with the network team to get the required ports opened between the client and the SCCM server.
By default, ccmhttp (port 80) and the WSUS port (8530) need to be open from the workgroup computer to the SCCM server (MP, DP, WSUS); if you have used custom ports, get those opened. (Run telnet servername port to test whether they are working.)
Log in to the DMZ/workgroup computer and perform the following steps.
Go to Control Panel --> Network Connections --> Local Area Network.
Go to Internet Protocol (TCP/IP). Click Properties --> click Advanced --> go to the DNS tab.
Add the DNS suffix of your domain.
Next to the DNS tab, select the WINS tab and select ‘Enable NetBIOS over TCP/IP’ (this is only applicable if you are using a static IP), then click OK to save the changes.
Open CMD as administrator, open Notepad, and open the lmhosts file from C:\Windows\System32\drivers\etc
Copy the lines below into the lmhosts file:
192.168.1.10 SGCMCEN #PRE
192.168.1.10 "MP_PRI         \0x1A" #PRE
where SGCMCEN is the SCCM primary site server name and PRI is the site code.
Make sure you have 20 characters (including blank spaces) between the quotes: the name padded with spaces to 15 characters, followed by the 5 characters \0x1A.
Note: I am not adding SLP entries to the lmhosts file, since the SLP is integrated into the Management Point in CM12 and later versions.
Save the changes as “lmhosts”, with no extension, in C:\Windows\System32\drivers\etc
Note: If you have name resolution issues, you need to add the Management Point and Distribution Point entries to the hosts file (in C:\windows\system32\drivers\etc). The entries look like this:
10.64.152.53 sgcmcen sgcmcen.cm12lab.com
10.64.144.146 sgcmdp1 sgcmdp1.cm12lab.com
Next, we need to purge and preload the remote cache table. To do this, open cmd with admin rights again and run the below commands.
You will see that the changes are loaded into the cache.
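As an added example (not part of the original post), the PowerShell below builds the two lmhosts lines with the padding done programmatically and checks the 20-character rule before the cache is reloaded. The function names are hypothetical, and the IP address, server name and site code are the sample values used above.

```powershell
# Added example: build and validate lmhosts entries for a ConfigMgr site.
# Function names are hypothetical; IP, server name and site code are the
# sample values from this post.

function New-LmhostsMpEntry {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][ValidateLength(3,3)][string]$SiteCode
    )
    # A NetBIOS name is 15 characters plus a 1-byte suffix. lmhosts writes
    # the suffix as \0xNN, so the quoted string is 15 + 5 = 20 characters.
    $name = ("MP_$SiteCode").PadRight(15)
    '{0} "{1}\0x1A" #PRE' -f $IPAddress, $name
}

function Test-LmhostsQuotedName {
    param([string]$Line)
    # Only lines with a quoted special name are subject to the 20-character rule.
    if ($Line -match '"([^"]*)"') { return $Matches[1].Length -eq 20 }
    return $true
}

$server = 'SGCMCEN'
$ip     = '192.168.1.10'
$entries = @(
    "$ip $server #PRE"
    New-LmhostsMpEntry -IPAddress $ip -SiteCode 'PRI'
)

# Show each generated line with its validation result.
$entries | ForEach-Object { '{0,-6} {1}' -f (Test-LmhostsQuotedName $_), $_ }

# Constructed bad input: padding collapsed to one space, as happens when the
# line is copied from a web page. The check returns False.
Test-LmhostsQuotedName '192.168.1.10 "MP_PRI \0x1A" #PRE'

# To apply on the workgroup machine (elevated prompt):
# Add-Content -Path "$env:SystemRoot\System32\drivers\etc\lmhosts" -Value $entries -Encoding Ascii
# nbtstat -R   # purge and reload the remote cache name table from lmhosts
# nbtstat -c   # list the cache; the #PRE names should now appear
# To audit an existing file for malformed quoted names:
# Get-Content "$env:SystemRoot\System32\drivers\etc\lmhosts" |
#     Where-Object { -not (Test-LmhostsQuotedName $_) }
```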
Next, you need a local administrator account for remote control using SCCM 2012. If you do not have this account, remote control will not work.
Now we are done with the required changes and are ready to install the ConfigMgr client.
Copy the SCCM client installation files to a local drive on the workgroup machine (C:\client).
Run the command prompt with local admin rights.
Use the command below to install the SCCM client on your workgroup computer:
ccmsetup.exe /source:C:\client SMSSITECODE=PRI SMSMP=sgcmcen.cm12lab.com DNSSUFFIX=cm12lab.com
Monitor ccmsetup.log in C:\Windows\ccmsetup\Logs; after a couple of minutes, you should see that CcmSetup is exiting with return code 0.
After the installation succeeds (per C:\windows\ccmsetup\logs\ccmsetup.log), check C:\Windows\CCM\Logs\ClientIDManagerStartup.log to see whether or not the client registered successfully with the Management Point. If the registration is not done, the client will not go on to get policies, and troubleshooting is required.
You should see something like the line below if the client is registered successfully:
[RegTask] - Client is registered. Server assigned ClientID is GUID:154B113F-DCDB-4327-B245-52CEA8A69036. Approval status 0
At the same time, you can also check the MP logs on the site server to see whether or not the client registration succeeded, for troubleshooting purposes. The log to look at is: <Drive Letter>:\SMS_CCM\Logs\MP_RegistrationManager.log
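An added example, not from the original post: this PowerShell pulls the ClientID and approval status out of ClientIDManagerStartup.log lines shaped like the one quoted above. The function name and sample lines are constructed, and treating status 0 as "waiting for approval" is an assumption based on the behaviour described in this post.

```powershell
# Added example: read the registration state from ClientIDManagerStartup.log.
# Get-CcmRegistrationState is a hypothetical helper, not a ConfigMgr cmdlet.
function Get-CcmRegistrationState {
    param([string[]]$LogLine)
    # Matches the "[RegTask] - Client is registered ..." message quoted in
    # this post, whether or not it sits inside the <![LOG[ ... ]LOG]!> wrapper.
    $pattern = 'Client is registered\. Server assigned ClientID is ' +
               '(GUID:[0-9A-Fa-f-]{36})\. Approval status (\d+)'
    foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            $status = [int]$Matches[2]
            [pscustomobject]@{
                ClientID       = $Matches[1]
                ApprovalStatus = $status
                # Assumption from this post: status 0 = not yet approved.
                NeedsApproval  = ($status -eq 0)
            }
        }
    }
}

# Constructed sample input: the line from this post, a noise line, and a
# later line with a non-zero status (value chosen only for illustration).
$sample = @(
    '[RegTask] - Client is registered. Server assigned ClientID is GUID:154B113F-DCDB-4327-B245-52CEA8A69036. Approval status 0'
    'constructed noise line that should be ignored'
    '[RegTask] - Client is registered. Server assigned ClientID is GUID:154B113F-DCDB-4327-B245-52CEA8A69036. Approval status 1'
)

# The last matching line reflects the most recent state.
$state = Get-CcmRegistrationState -LogLine $sample | Select-Object -Last 1
if (-not $state) {
    'Not registered yet: check the MP name, ports and name resolution.'
} elseif ($state.NeedsApproval) {
    "Registered as $($state.ClientID); waiting for approval in the console."
} else {
    "Registered as $($state.ClientID); approval status $($state.ApprovalStatus)."
}

# On a real client:
# Get-CcmRegistrationState -LogLine (Get-Content C:\Windows\CCM\Logs\ClientIDManagerStartup.log)
```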
Now, let's have a look at the Configuration Manager applet in Control Panel.
Go to the Site tab and try to discover the site to see whether it works or not.
Look at the Actions tab to see whether all the agents are loaded or not.
At this point there are only 2 actions loaded, and this is because the client is not approved in SCCM yet. (By default, the site is set to approve clients in trusted domains.)
After the client is registered, go to your Configuration Manager console, Devices, look for the client entry, right-click the client and select Approve. This allows the client to get its policies from ConfigMgr, so that you can manage it for deployments.
Go back to the client and see whether you now have more than 2 actions.
If the client does not appear in the console, check ClientIDManagerStartup.log, ClientLocation.log and LocationServices.log as part of troubleshooting.
So far, we have seen how to edit the lmhosts file, install the SCCM client, and approve the client so that it can communicate with the Management Point.
Now we will see whether application deployment, remote tools and other functions work or not.
Create a simple application or, if you already have one, deploy it to the workgroup computer.
Note: Make sure you have configured the Network Access Account so that the workgroup computer can access resources from the domain.
I deployed the 7zip application and it appears in Software Center.
Run the installation.
You can see that it ran successfully.
In the same way, you can deploy software updates, packages and whatever else you need.
What next? Remote control.
For this to work, you need to add the workgroup computer's IP address and hostname to the hosts file on your SCCM server (C:\windows\system32\drivers\etc\hosts).
After you do this, try to remote control the workgroup computer from the SCCM console; you get a prompt for authentication, since domain credentials won't work.
Enter workgroup hostname\administrator and the password.
Note: If your local administrator account is disabled for other reasons, use an account which has local admin rights on the workgroup computer.
Note: By default on Windows 7 and later operating systems, the following GPO setting is set to "Classic - local users authenticate as themselves":
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options --> Network access: Sharing and security model for local accounts
On the workgroup computer, you will see a prompt asking for permission; you can change the client agent settings so that the user is not asked for permission.
Update: If you are trying to manage Windows XP workgroup computers, the GPO setting is not set to Classic by default, and you need to change it manually or via scripting; otherwise you will keep being prompted for a password that never works.
Thanks to Niall for finding the GPO setting on WinXP computers.
Hope it helps!
Configure Windows defender in workgroup system and different domain joined system, It's possible to manage via SCCM. If it's possible kindly give the steps.
As long as the workgroup device is being managed through SCCM, you can push all sorts of deployments except task sequence limitations but defender updates, you should use. Never tested Defender but please give it a try and let me know how it works.
I followed the article, and I am successful till client installation. I added the machine to a collection and ran the machine policy cycle. The deployments are not in Software Center. Also, I ran the software update scan cycle and got an error.
Onsearchcomplete -failed to end search job Error =0x8024401c
0x8024401c translates to Same as HTTP status 408 - the server timed out waiting for the request. Check the windowsupdate.log and also ccmmessaging.log if your client is able to communicate to site server or not.
Can we also manage open internet workgroup clients with this method?
No, you need to use IBCM in SCCM 2012 or cloud management gateway in current branch.
Thanks for this beautiful article. I have followed all the points you mentioned here.
I just want to know how to add the network access account on a workgroup computer, or whether it isn't needed. Also, from the workgroup system we are not able to ping or access the share of our PSS.
Network access account should be defined in SCCM console and to access the content from workgroup to site ,NAA will be used to connect.
Follow the article to define NAA https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/manage-accounts-to-access-content
Thanks for a helpful article, and I noticed that it doesn't work on a workgroup computer until I added the SLP locator (although it is integrated with MP in CM 2012) to the LMHOSTS file as:
10.200.30.12 "SMS_SLP        \0x1A" #PRE
Then the client can find site successfully 🙂
SCCM is full of deep caves as you know .........
It did work for me without SLP, but anyhow, adding SLP solved your issue. That would help someone who reads the comments.
Thanks for sharing the information.
192.168.1.10 SGCMCEN #PRE
192.168.1.10 "MP_PRI         \0x1A" #PRE
Is SGCMCEN the host name of the SCCM machine or the site name? If it is the site name, where can I see my site name?
After adding this, nbtstat -c
shows no names in cache.
I am adding SGCMCEN as a host name.
Please help me.
Sgcmcen is sccm primary site name(hostname) that client can talk to register its guid.