Client deployment in Microsoft System Center Configuration Manager 2007 introduces a number of changes and new features designed to improve the ease and security of client deployment, and to improve the identification of any problems using standard reports.
The following section details some of the new or improved features.
New Client Icon Named Configuration Manager
The Systems Management icon in the Windows Control Panel of Configuration Manager 2007 client computers has been renamed to Configuration Manager, and displays as follows:
The Configuration Manager client icon that replaces the Systems Management icon from SMS 2003.
Checking for Site Compatibility to Complete Site Assignment
The improved functionality from SMS 2003 means that a Configuration Manager 2007 client will not work if it is assigned to a site running SMS 2003. To prevent this situation, site assignment in Configuration Manager 2007 now includes a version check to ensure compatibility between the client and its assigned site.
For site assignment to complete in Configuration Manager 2007, you must either extend the Active Directory schema for Configuration Manager 2007 or clients must be able to communicate with a server locator point in the hierarchy. Additionally, if you have extended Active Directory but have clients from a separate forest, or clients from workgroups, you will need a server locator point.
If a Configuration Manager 2007 client cannot complete the check for site compatibility, site assignment will not succeed.
Client Prerequisite Checks
When CCMSetup installs the Configuration Manager 2007 client, it checks the destination computer for the prerequisites required by your Configuration Manager 2007 site. If any are missing, CCMSetup installs them before installing the client.
For more information, see Prerequisites for Configuration Manager Client Deployment.
Approval for Clients in Mixed Mode
A new procedure called approval helps to protect the security of a site in mixed mode. Only clients that are approved will be sent policies that might contain sensitive data. You should ensure that all client computers that you trust are approved with their assigned site.
The default site setting for approval in Configuration Manager 2007 is to automatically approve trusted computers. This means that in most circumstances you will not have to manually approve many computers, unless they are from a separate Active Directory forest or a workgroup. However, if your Configuration Manager 2007 spans multiple domains, ensure that the site's default management point (or NLB management point) is configured with an intranet fully qualified domain name (FQDN).
If a client computer is no longer trusted, the Configuration Manager administrator can block the client from the Configuration Manager infrastructure. Blocked clients are rejected by Configuration Manager so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages to the site. This action is especially useful for laptop computers or mobile devices that are lost or stolen, to help prevent attackers from using a trusted client to attack the Configuration Manager 2007 site or the network. However, it does not replace the use of certificate revocation checking if this is supported in a public key infrastructure (PKI) environment.
For more information, see Determine If You Need to Block Configuration Manager Clients and How to Block Configuration Manager Clients.
Fallback Status Point
The fallback status point is a new site system role in Configuration Manager 2007 that receives state messages from client computers during the installation process and when they cannot connect to a management point. This information is then displayed in reports to help you more easily identify computers that have failed to install the client software or that cannot communicate with their site.
The fallback status point is not published to Active Directory Domain Services as a site setting, so it must be assigned to clients during installation.
Group Policy Based Installation and Assignment
Configuration Manager 2007 supports using Windows Group Policy to install or assign the client software to computers in your enterprise. You can use this method to assign new or existing clients to a Configuration Manager 2007 site. An administrative template to perform site assignment is included on the Configuration Manager 2007 installation media.
For more information, see How to Install Configuration Manager Clients Using Group Policy and How to Assign Configuration Manager Clients to a Site.
Software Update Point Based Client Installation
Software update point based client installation is a new client deployment method introduced in Configuration Manager 2007 that allows the administrator to publish the latest version of the Configuration Manager 2007 client into the WSUS catalog. This allows the latest client software to be installed using standard software update deployment methods. One of the advantages of this installation method is that it does not require local administrative rights on the target computer.
Default Management Point Published to DNS
The most secure method for a client to find its default management point is through Active Directory Domain Services. However, if this is not possible, either because Active Directory is not extended or because clients are from a separate Active Directory forest or a workgroup, DNS publishing offers a recommended alternative.
This configuration requires an entry in DNS that is added either automatically or manually, and configuration on the client.
For more information, see Determine If You Need to Publish to DNS and Configuration Manager and Service Location (Site Information and Management Points).
Uninstalling the Configuration Manager Client Software
The ccmclean.exe utility provided with SMS 2003 Toolkit 2 cannot be used to uninstall the Configuration Manager 2007 client software. To successfully uninstall the Configuration Manager 2007 client software you must use the CCMSetup.exe executable together with the /uninstall property.
For more information, see How to Uninstall the Configuration Manager Client.
Client Network Access Account
The SMS 2003 client network access account is no longer used for client push installations in Configuration Manager 2007.
For more information, see How to Install Configuration Manager Clients Using Client Push.
Client Installation Properties Published in Active Directory
If you have extended the Active Directory schema for Configuration Manager 2007 and the site is configured to publish to Active Directory Domain Services, a number of client installation properties are published. These settings can remove the need to specify CCMSetup command line properties under certain circumstances, such as when you install the Configuration Manager 2007 client using software update point based installation or use Group Policy installation.
For more information, see About Configuration Manager Client Installation Properties Published to Active Directory Domain Services.
Provision Client Installation Properties Using Group Policy
You can use Windows Group Policy to provision client installation properties on computers prior to installing the Configuration Manager 2007 client. When the client is installed, these properties will be used if no other installation properties have been specified. An administrative template to provision client computers with installation properties is included on the Configuration Manager 2007 installation media.
For more information, see How to Provision Configuration Manager Client Installation Properties using Group Policy.
Low Rights Client Installation No Longer Supported
In SMS 2003, users without administrative rights to the computer could manually install the SMS advanced client. These computers would then submit a CCR to the site server, which would initiate the installation. In Configuration Manager 2007, this feature is no longer supported. You can install the Configuration Manager 2007 client on computers logged on with non-administrator rights using the following methods:
- Client push installation (if a valid client push installation account has been specified)
- Software update point based client installation
- Group Policy installation
For more information, see How to Install Configuration Manager Clients Using Client Push, How to Install Configuration Manager Clients Using Software Update Point Based Installation and How to Install Configuration Manager Clients Using Group Policy.
CAPINST.EXE is No Longer Supported
Capinst.exe is no longer used in Configuration Manager 2007 for logon script client installation. For information about how to install Configuration Manager 2007 clients using a logon script, see How to Install Configuration Manager Clients Using Logon Scripts.
Client Installation Files are Downloaded from the Management Point over HTTP (Mixed Mode) or HTTPS (Native Mode)
In SMS 2003, client installation files were downloaded from an SMB share on the management point. In Configuration Manager 2007, the default behavior is to download these files using an HTTP connection in a mixed mode site, or an HTTPS connection in a native mode site. You can still use an SMB share to download client installation files, but you must create this share yourself and specify the CCMSetup installation property /source.
For more information, see About Configuration Manager Client Installation Properties.
Managing Client Identity
Configuration Manager 2007 manages client identity to help eliminate duplicate GUIDs. For each client computer, Configuration Manager 2007 calculates a hardware ID using a proprietary algorithm to help ensure that each client is uniquely identified. If Configuration Manager 2007 detects a duplicate hardware ID, Configuration Manager 2007 can automatically create a new client record for the duplicate record. This setting allows you to easily upgrade or deploy clients that might potentially have duplicate hardware IDs, without requiring manual intervention.
However, with this setting, if you recover a computer and it maintains the original hardware ID, Configuration Manager 2007 will create a new record and you lose the historical continuity for reporting purposes. If you want to manually resolve conflicting records, you can change the setting on the Site Properties Advanced tab so that conflicting records will be displayed in the Conflicting Records node. If you enable manual conflict resolution for all sites in a hierarchy branch, then the administrator at the top of the branch can manually resolve conflicts for all child sites.
For more information, see How to Manage Conflicting Records for Configuration Manager Clients.