The following are general, detailed instructions on how to set up Windows Server Update Service client deployment and client remediation life cycle management.
Windows Server Update Service (WSUS)
WSUS must be set up and configured on the primary site server that clients will connect to when scanning for updates.
Configuration Manager Site with Software Update enabled
A SUP role must be set up and configured on the primary site server that clients will connect to when scanning for updates.
Organizational Unit or Security Group
An OU and Security Group must be set up to hold the machine accounts of the computers that will be managed by this solution.
2 Configuration Manager ADM Templates
There are 2 ADM templates required for this solution. You can obtain these ADM templates from the Configuration Manager installation CD/DVD.
Active Directory Group Policy Object
An Active Directory group policy object (GPO) is required for this solution. Ensure you have permissions to create AD group policies.
Setup and Configuration
Follow the step-by-step instructions below to set up and configure WSUS Client Deployment. These instructions assume you already have System Center Configuration Manager 2007 R3 installed. The following solution will help you obtain 99% client reach, discovery, remediation and deployment of the Configuration Manager client. This solution will automatically install and provision machines with the Configuration Manager client when the computer joins the domain and is a member of the specified OU or Security Group.
If for any reason the client is uninstalled or removed, this solution will automatically reinstall the client the next time the client machine scans for updates against the WSUS server on the primary site where this solution is configured.
Windows Server Update Service (WSUS)
Install the WSUS service on a Windows Server 200 R2 server.
Do not configure the WSUS service with the WSUS console at the completion of the WSUS installation.
Enable Software Update
Install / enable the Software Update Point role on the primary site server where WSUS is installed.
Ensure this will be the Active Software Update Point, meaning the SUP that clients actually connect to.
Organizational Unit (OU) or Security Group (SG)
Identify an Active Directory OU or Security Group that will contain all systems expected to be managed by your System Center Configuration Manager 2007 R3 site.
Note: There can be only one OU or Security Group designated per Configuration Manager site, meaning 1 site code per managed group. You cannot have an AD group provision clients for multiple site codes.
ADM Templates & GPO
2 Configuration Manager ADM Templates are required
Obtain the ADM templates from the Configuration Manager 2007 CD, located at CD\TOOLS\ConfigMgrADMTemplates.
ADM template names:
The "ConfigMgr2007Assignment.adm" is used to place the Configuration Manager site assignment settings in the clients registry
The "ConfigMgr2007Assignment.adm" template sets the following settings in the registry under: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client
- GPRequestedSiteAssignmentCode = <your site code>
- GPSiteAssignmentRetryDuration(Hour) = <Retry Duration (hours)>
- GPSiteAssignmentRetryInterval(Min) = <Retry Interval>
The image below shows the settings for the ConfigMgr2007Assignment.adm template after it’s imported into the GPO.
The "GPRequestedSiteAssignmentCode" is the site code your client should and will be assigned to. When the client is reassigned by any other method to a site code other than the site code specified in the GPO, these GPO policy settings will automatically reassign the client back to the site code you defined in the GPO policy.
The "GPSiteAssignmentRetryDuration(Hour)" is the amount of hours the client will keep attempting to reassign the client until successful or till reassigned to the site code specified in the GPO.
The "GPSiteAssignmentRetryInterval(Min)" is the interval the GPO policy will wake up and check to see if the client is assigned to the site code specified in the GPO.
The "ConfigMgr2007Assignment.adm" template sets the following settings in the registry under:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ccmsetup in a Value Name: SetupParameters.
The below settings is the CCMSETUP parameters that will to be set in the above location, which are the parameters the client will use when the installation starts.
/MP:msserver SMSSLP=smsslp.domain.com SMSSITECODE=XR2 FSP=smsfsp.domain.com CCMLOGMAXSIZE=100000 CCMENABLELOGGING=TRUE CCMLOGLEVEL=0 DISABLESITEOPT=TRUE DISABLECACHEOPT=TRUE CCMLOGMAXHISTORY=5 SMSCACHESIZE=9000
NOTE: When a client installation starts, ccmsetup.exe first looks to the command line for its parameters. If no command-line parameters are found, ccmsetup.exe looks to the registry; if the parameters are not found in the registry either, ccmsetup.exe uses Active Directory and assigns the client based on Configuration Manager site boundaries.
The image below shows the settings for the ConfigMgr2007Installation.adm template after it’s imported into the GPO.
This type of client assignment forces clients to remain assigned to the site of choice.
Import these ADM templates into a Group Policy Object targeting the OU or SG of clients to be managed.
An additional setting must be added to this GPO that sets the Windows Update URL the clients will use to connect and scan for required/offered updates.
This setting can be found in the Local Group Policy Editor or the Group Policy Management Console, at the path below.
- Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update
The image below shows the setting in a GPO object that allows you to set the WSUS/SUP server for clients to use to scan for updates.
Gotcha, watch out! The policy settings these ADM templates place in the client's registry cannot be undone by removing or disabling the applied GPO.
If you ever want to reassign clients that have been assigned and provisioned by the "Client Management GPOs" (I call this solution client management GPOs), you must either remove the settings manually by hand or by script, or drop the computer object into another OU or SG that has different "Client Management GPOs" applying these settings for another Configuration Manager site.
Note: The reason these settings don't go away when a GPO is removed is that these ADM templates do not write to the Policies hive of the registry. Settings written outside the Policies hive can't be removed by a GPO; they can only be changed or modified by a GPO.
Active Directory Group Policy Object (GPO)
Apply a Group Policy Object targeting the OU or SG with membership of the systems you want assigned to a specific site.
- Remember: One Client Management GPO per site.
Once the above settings and configurations are in place, publish the Configuration Manager client into WSUS.
To publish the Configuration Manager client to WSUS, from within the Configuration Manager console navigate to the Site Management node, then to the Site Settings node, then to the Client Installation Methods node; right-click Software Update Point Client Installation and click Properties.
At this point, simply enable the option "Enable Software Update Point Client Installation" shown below.
Warning: Also ensure that no other AD policies in your environment configure the WSUS URL. If clients also receive policies from other GPOs that configure the WSUS URL, the client will generate an AD Group Policy conflict and fail the WSUS scan. The Configuration Manager client will seem broken and will not communicate with the Site/MP.
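A PowerShell check for the registry state this solution produces, added here as an example (it is not part of the original post): it reads the site assignment values under SMS\Mobile Client, the SetupParameters value under Policies\Microsoft\ccmsetup and the WSUS URL policy, reports drift against the expected site code and SUP URL, and can remove the assignment values that unlinking the GPO leaves behind. The WUServer value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate is the standard Windows Update policy location rather than something named in the post, and the parameter values shown in comments are placeholders.

```powershell
# Added verification script (not from the original post); expected site code
# and SUP URL are passed in, so adjust them to your environment.
param(
    [Parameter(Mandatory)][string]$ExpectedSiteCode,  # e.g. XR2, as set in the GPO
    [Parameter(Mandatory)][string]$ExpectedWsusUrl,   # e.g. http://sup.domain.com:8530
    [switch]$RemoveAssignment                          # clear the values outside the Policies hive
)

# Registry locations written by the two ADM templates (from the post) and the
# standard Windows Update policy key that the WSUS URL setting writes to.
$assignKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client'
$setupKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\ccmsetup'
$wuKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}
$findings = @()

# 1. Site assignment written by ConfigMgr2007Assignment.adm
$code = Get-RegValue $assignKey 'GPRequestedSiteAssignmentCode'
if ($code -ne $ExpectedSiteCode) {
    $findings += "GPRequestedSiteAssignmentCode is '$code', expected '$ExpectedSiteCode'"
}

# 2. ccmsetup parameters written by ConfigMgr2007Installation.adm; when they
#    are missing, ccmsetup falls back to AD site boundaries.
$params = Get-RegValue $setupKey 'SetupParameters'
if (-not $params) {
    $findings += 'SetupParameters missing; ccmsetup will fall back to AD boundaries'
} elseif ($params -notmatch "SMSSITECODE=$ExpectedSiteCode\b") {
    $findings += "SetupParameters site code does not match: $params"
}

# 3. WSUS URL: a different value means another GPO is also setting it, which
#    is the policy conflict that makes the WSUS scan fail.
$wu = Get-RegValue $wuKey 'WUServer'
if ($wu -ne $ExpectedWsusUrl) {
    $findings += "WUServer is '$wu', expected '$ExpectedWsusUrl'"
}

# Optional cleanup: these values sit outside the Policies hive, so unlinking
# the GPO leaves them behind; remove them before moving the computer to
# another site's management OU.
if ($RemoveAssignment -and (Test-Path $assignKey)) {
    'GPRequestedSiteAssignmentCode','GPSiteAssignmentRetryDuration(Hour)','GPSiteAssignmentRetryInterval(Min)' |
        ForEach-Object { Remove-ItemProperty -Path $assignKey -Name $_ -ErrorAction SilentlyContinue }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Client management GPO settings look consistent.' }
```

Run it elevated on a managed client after Group Policy has applied; any warning it prints points at the registry location that disagrees with the GPO.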