IT Consultant Everyday Notes

Just some problems/solutions storage

Tag Archives: Workgroup

Install SCCM on a Workgroup machine(s) using PSEXEC

Sysinternals (now Microsoft) offers a tool for remote management called PSEXEC. It is a part of Microsoft PSTools and can be downloaded from here:

One of my Clients recently needed to install SCCM client on a number of Workgroup machines.

The tool can be used for that. I slightly modified scripts I found here and here is the result:

I am using my ConfigMgr where I logged on as SCCMADMIN for this purposes.

1. Be sure you can resolve your Workgroup Machine name either via DNS or WINS or (in my case, good for test – just a hosts file)


2. Be sure you have an account with Local Administrator permissions on the Workgroup Machine. Ideally you may have an account with the same name as your domain account (in my case SCCMADMIN) and the same password. In this case you do not need to provide it in PSEXEC options.


3. Firewall should allow File and Print Sharing and Windows Remote Administration on the Workgroup machine (we are going to connect to it remotely!)


4. Now we are ready for some scripting. We will need three files:

      a. SCCM_Clients.txt  – a list of Workgroup computers we are going install SCCM Client to

      b. Start.bat  command file – to read the list and initiate execution

rem =======================

for /F %%a IN (sccm_clients.txt) DO call data.bat %%a

rem =======================

       c. Finally data.bat execution file itself. There is some logic in the script – it checks if CCMSETUP folder is already on the machine to avoid multiple install. I added DNSSUFFIX parameter to ccmsetup command line and hardcoded SCCM MP location (since workgroup machine cannot get from AD). DNSSETUP should be enough to get it from DNS, but if the workgroup machine won’t go to AD DNS for some reasons it won’t find it. So I hardcoded it to be on safe side.

rem ===========================
IF NOT EXIST “\\%1\c$\” GOTO noaccess
IF EXIST “\\%1\c$\” GOTO found

Echo %1 is off>>results.txt

Echo Found on %1>>results.txt
psexec \\%1 cmd /c “md c:\ccmtemp”
xcopy /Y /s \\<SCCCM_SERVER_NAME>\SMS_TOR\Client \\%1\c$\ccmtemp
psexec \\%1 -s c:\ccmtemp\ccmsetup.exe /service /mp  <Sccm_Server_Name> SMSSITECODE=TOR

Echo Not on %1>>results.txt

rem ===========================

Note: DNSSUFFIX switch must be on the same line as ccmsetup commund

5. I started a command line (As Administrator) navigated to a folder where I put my scripts (assuming PSEXEC is available from that command line) and started Start.bat (as you can see I have Echo ON for debugging purposes, so the output a bit chatty:


6. As soon as the Client is installed and contacted MP I can see it my SCCM console. I need to Approve it (since I have Automatic Approval for Domain Clients only)


7. Now client can be managed. I can deploy Apps and use remote connection Tool Smile




P.S. On MMS 2013 one of presenters mentioned it is not necessary to use Boundaries Group for site assignments. In my case I needed to add Site assignment; otherwise the client could not read policies. So probably it is still necessary:


Another note: SCCM Client Source files are copied to a local drive before installation; you may decide to create an SCCM program to remove the folder as soon as the machine is manageable

SCCM 2012: How to manage servers in DMZ

(in progress…)

I decided to figure out how to get DMZ servers managed using SCCM 2012.

  • Draft design: MP, DP and SUP are on Internal network. We are panning to manage servers in DMZ. The server belongs to a different domain. I am planning to publish ports 443 and 80 (if necessary) on my reverse proxy and hope it will work.Smile. Update: it does not work via proxy since a Client Certificate is used and proxy (at least TMG) cannot pass it to the MP located on Intranet. So I need to either configure firewall to allow TCP 443 from the Server in DMZ to MP on Intranet or (less secure) create a server publishing rule on TMG (keeping the source IP unchanged) and create a static route on MP so the traffic back to DMZ server pass via TMG, not default gateway (if TMG is not dg of course). 
  • I added dedicated MP/DP to Intranet and configure both of them to answer to Intranet and Internet requests. Important: add Internet name during installation, there is no way to add it later.
  • The server name for Internet and Intranet are different, so I have to add SAN to certificates.
  • Certificates:
Site settings As per Microsoft document I need set my site to serve both HTT and HTTPS and add CA root certificate to the site (in Site Properties). I am using Two level CA in a different forest, so I added both Root CA and Issuing CA certificates.
MP certificate It must be certificate with “Client Authentication” EKU. I created a duplicate from “Workstation” template with exportable private key and issued a certificate for the server Internet name as CN and Intranet name as SAN
ConfigMgr Web certificate I created a duplicate of “Web Server” template with exportable private key and issued a certificate for Internet name as CN and Intranet name as SAN
DP certificate This is a “Client Authentication” certificate again, so I decided to try to use the same I used for MP
  • Firewall: open 80 and 443 from server in DMZ to SCCM servers
  • Add Internet names to a hosts file on managed nodes (for test, planning to move the manes to DMZ DNS in future)
  • Install SCCM Client on a managed machine using: ccmsetup /usePKICert /NOCRLCheck /mp: SMSSITECODE=TOR  (where is Internet name for my MP/DP designated for DMZ management)



1. It is better to install IIS and assign ConfigMgr WEB certificate to  default web site before MP and DP installation.

2. After I installed MP it should grab a proper certificate from Local Store. It did it, but for some reasons setup could not verify connection to this new MP. it failed with error: Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12175. I tried to restart SMS services, but it did not help. Reboot the new server fixed the issue.

3. Ideally you should have CRL available for clients. If this is not the case and you do not want to fix it – Disable CRL check


Finally the Client connected to SCCM:


4. Updates: Client should receive both update locations (Windows Updates site and SP).


BITS will try Microsoft site first – (it fails since I do not have Internet access from my DMZ systems):


CDTSJob::HandleErrors: DTS Job ‘{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}’ BITS Job ‘{AA69D14E-270B-4EF2-BA03-D91288D37D95}’ under user ‘S-1-5-18’ OldErrorCount 2440 NewErrorCount 2441 ErrorCode 0x80072EFD

CDTSJob::HandleErrors: DTS Job ID='{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}’ URL=’′ ProtType=1

and it switches to a Distribution point after that:

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} switched to location ‘:443/SMS_DP_SMSPKG">https://sccm.lab.<my domain here>:443/SMS_DP_SMSPKG$/0257c940-6d4b-4278-9b5e-a6d88c06e10f’.


DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘RetrievedData’.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} successfully completed download.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘NotifiedComplete’.

DTS job {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} has completed:
    Status : SUCCESS
    Start time : 08/28/2012 19:53:27
    Completion time : 08/30/2012 16:17:53
    Elapsed time : 92 seconds