Recently ,I worked on on a SCCM project and as initial step ,it was mandatory to bring all the desktops and servers (where ever it was missing) into SCCM with Client installed.
Though ,there are different client installation methods available to install SCCM Client , one of the most widely used client installation method is Client startup script deployed via group policy.
Jason Sandys (MVP) created nice Client Startup Script (group policy) that install configmgr client agent during the system initial boot up.
If you want to achieve good client success rate ,would strongly recommend to look into script and get it implemented .
You can download the script from his blog post https://home.configmgrftw.com/configmgr-client-startup-script/ .It has pdf document with all the instructions ,how to edit the xml file to make necessary changes.
In this blog post, I will show you, how to implement Jason Sandys client start script in your environment starting from creation of SCCM client folder ,creation of group policy ,deploying the group policy and tracking the results incase of any failures. Hope this blog can help to start with.
1. Login to your SCCM server ,create a folder called SCCMClient in D:drive( any other)
2. Copy the SCCM Client installation source files from your SCCM installed directory to above created folder (SCCMClient).
Copy the client installation files to SCCMClient folder
3.Create folder called hotfix in SCCMClient folder to place the hotfixes if at all any. (If you do not have any hotfixes to install ,you can simply ignore this step) .This step is needed to install the hotfixes along with SCCM client . If you are running on configmgr R2 SP1 CU3, then you need copy CU3 hotfix files into it.
4. Since am running on SCCM 2012 R2 SP1 CU3 (KB3135680) ,go to your hotfix folder (D:\Program Files\Microsoft Configuration Manager\hotfix\KB3135680\Client) ,identify the correct KB (latest cumulative update) ,client folder, copy the folder into hotfix folder.
Copy above 2 folders into hotfix folder
5. Now we need to share this folder so that ,it can be accessed during the client install at system boot up time.
Right click on the folder properties ,Go to sharing tab ,advance sharing
Client on Permissions ,give full control to every one
Click Ok ,Ok ,Ok
Note the share folder path which is need to input into the control file (xml) later.
6. Now ,we will create another folder inside the SCCMClient to store the error logs for the client that fail for some reason so we can investigate at later times.
Create a folder called Errorlogs
7. With this ,we have finished with folder creation and copied all necessary files . Now lets edit the start up script file and move onto group policy creation.
Go to the downloaded script folder ,edit ConfigMgrStartup.xml using notepad and make necessary changes as said in the PDF document .
This xml file is used supply the input parameters need for vbscript during the client installation.
You are required to make couple of changes as listed below (mandatory).
Parameters to edit are:
AgentVersion—Client with less than this version will initiate SCCM client install
ClientLocation—Client installation folder what we created above initiate ccmsetup from specified.
ErrorLocation –to store the error logs (computername.log) incase of any SCCM client failure
AutoHotfix –if you have any hotfix to install ,will added to the ccmsetup.exe command line else ,you can ignore this .
SMSMP---Management Point
For all the location paths, I would recommend to use FQDN instead of hostname.
My xml file looks like this:
<?xml version="1.0"?>
<Startup>
<Option Name="LocalAdmin" >eskonr/localadmin</Option>
<Option Name="SiteCode" >P01</Option>
<Option Name="CacheSize">10120</Option>
<Option Name="AgentVersion">5.00.8239.1403</Option>
<Option Name="MinimumInterval">0</Option>
<Option Name="ClientLocation">\\SGCM01.apac.eskonr.com\SCCMClient</Option>
<Option Name="MaxLogFile">2048</Option>
<Option Name="ErrorLocation">\\SGCM01.apac.eskonr.com\SCCMClient\Errorlogs</Option>
<Option Name="AutoHotfix">\\SGCM01.apac.eskonr.com\SCCMClient\Hotfix</Option>
<Option Name="Delay" >5</Option>
<InstallProperty Name="FSP">SGCM01.apac.eskonr.com</InstallProperty>
<InstallProperty Name="SMSMP">SGCM01.apac.eskonr.com</InstallProperty>
<CCMSetupParameter Name="BITSPriority">HIGH</CCMSetupParameter>
<CCMSetupParameter Name="noservice" />
<ServiceCheck Name="BITS" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="winmgmt" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="wuauserv" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="lanmanserver" State="Running" StartMode="Auto" Enforce="True" />
<ServiceCheck Name="RpcSs" State="Running" StartMode="Auto" Enforce="True" />
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="EnableDCOM" Expected="Y" Enforce="True" Type="REG_SZ"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="EnableRemoteConnect" Expected="Y" Enforce="False" Type="REG_SZ"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="LegacyAuthenticationLevel" Expected="2" Enforce="False" Type="REG_DWORD"/>
<RegistryValueCheck Key="HKLM\SOFTWARE\Microsoft\Ole" Value="LegacyImpersonationLevel" Expected="2" Enforce="False" Type="REG_DWORD"/>
</Startup>
save the xml file .
we are now ready to implement the client start up script using Group policy.
if you are not authorized/permission issues to create group policy ,take the below scripts and handover to Active Directory guy to create start up script for you.
8.Login to the domain controller ,Go to Group Policy Management console ,create new Group policy and called it ‘Install Configmgr Client 2012’
Right on the GPO you created above and click on edit
Drill down to Policies –windows settings –scripts (startup/ Shutdown) ,double click on startup
Click on Show files
Now we need to place the vbscript and xml file in the startup folder
If you have issues with access denied when trying to place the files, you may have to open the actual folder (C:\windows etc) on your domain controller to place the files.
Go back to the startup script properties and click add and browse to select vb script
select ConfigMgrStartup1.75.vbs
In the script parameters ,type in /Config:ConfigMgrStartup.xml
Click ok
Click ok and close the Group Policy Management Editor .
we are now ready to link the GPO to any OU that you want the computers receive Configmgr client during the system boot up.
For troubleshooting ,script will create log file with name Scriptfilename.log (ConfigMgrStartup1.75.vbs.log) in C:\windows\temp folder and for some reason ,the client did not install ,it will copy the log file to errorlog location with computer name as log file.
Hope it helps.
21 Comments
Hello, is this up to datefor Win11 and Win server 2023? The website doesn't exist anymore (https://home.configmgrftw.com/configmgr-client-startup-script/). Is
Hi,
The website is owned and maintained by Jason however the script should continue to work with ConfigMgr current branch (latest) and win11 as well.
Thanks,
Eswar
Good morning,
Thanks for setup documents. I have a couple of Questions
Does the shared location have to be on Console server?
Can I ask why the shared location has to have Full control to everyone? Can we just put the script on a local drive to test?
Does the script run under a System Account which you can specify in the XML file? This account then has access full control for everyone? Or is that required just for the initial script share?
Many Thanks for any response
Hi Ian,
The Configmgr files can be on the any shared location as you intend . As long as the you grant the permissions to the shared location, client can pick it up during the startup and perform the installation.
For the startup script to work, you will need to grant the permissions to everyone. I have not tested if it works just with domain computers only.
I followed the steps provided by the author of the script (Jason)
Thanks,
Eswar
Great thanks for the response and apologies for the duplication. I have a couple of new questions to ask on this, sorry.
Do you know what the script does if its finds the client up and running and intact when the startup script runs?
Plus the created permissions for this indicate that everyone needs Full Control access to the share. But then later it advises that if it is a startup script then only Domain computers need share and NTFS Read permissions for the Domain Computers group?
Thanks for any help on this, Ian
Hi Ian,
Sorry for the late response. The script does the version check and if it matches, script does nothing. if the installed version is older than the script version, it upgrade to latest one.
For the permissions, you can go for domain computers in NTFS where as security, everyone, and i dont see any harm in that.
thanks
eswar
Hi Eswar, Am testing this script on CB 2203 Config MGr. I have a couple of questions..
Can you share the Client files from any network location please? they reside on your CM server here.
I guess I can add my config to the XML file and then run locally as VBS script on device for testing?
Also, can I ask is there a way to avoid full control on the share permissions please. We have available read-only share which we were thinking of trying to use?
Thanks for mapping out solution to get into MECM
Thank you for sharing
Pingback: SCCM ConfigMgr Current Branch 2002 is available as in-console and baseline version | All about Microsoft Endpoint Manager
I'm having an issue where it wants to reinstall each time the system reboots (it's like it's not checking the AgentVersion against the installed version). Any ideas why?
hi,
If you have updated the configuration manager to latest build ,please make sure you update the xml file with your current version of configmgr client.
The client install detect the version based on the xml file you supplied.
Thanks,
Eswar
Hi Eswar,
I have changed the XML config as below, and re-created shares with everyone permissions, NTFS defaults.
client isn’t being installed and there is nothing in the error log file to say why. Please an you help?
BITS
server1.com\svc-install
auto
5120
5.00.8740.1012
0
\\Share1\SCCMClient, \\share2\sccm\client
2048
\\share1\SCCMClient\Error, \share2\sccm\client\error
\\Share1\SCCMClient\HotFix, \\share2\SCCM\HotFix
SCCM01.server.com
SCCM01.server.com
HIGH
Pingback: SCCM ConfigMgr Current Branch 1906 is available as in-console update | Eswar Koneti Blog
Hello Eswar, I have amended the xml file as my environment but not working.
do i need to have something changed in .vbs file
no, you dont need to change anything .Did you look at the logs on the client ccmsetup.log?
Thanks,
Eswar
I am getting the error "user is not a local admin" in some computers
Hi Densi,
This GPO script is startup and it doesnt need user admin rights to install unless the account that you configured in xml file is not member of local admin.
Did you configure the account that used to member of local admin on all computers as said in article.
Thanks,
Eswar
Hi Eswar, thank you for your post, the script has made it possible for us to migrate from one sccm site to another. However, have you experienced the script not running on computers that connect wirelessly to the network? Just wondering if you have seen this issue before or have heard of any one else experiencing this as well?
Hi Flavio,
if you want to migrate your clients from one site to other, you can use this script with enough changes to the xml file . Script simply perform the installation of sccm client by verify certain things before it runs.
So when computer start up ,script verify the installed client version and if that matches ,assume that client is installed ,check the client health status etc.
So if you want to migrate clients from one site to other,you can definitely use this script but make sure you have configured the boundaries ,boundary groups correctly on the new site .This will help clients to pick the right distribution point to download the client installation files and assign the client to new site.
Regards,
Eswar
Does this work in 1710 or 1802?
This script works on all environments like SCCM 2007,sccm 2012 and SCCM current branch and all older builds as well.
Regards,
Eswar