Follow the steps in the next section to begin on-boarding clients into your ITSO subscription.

Remember: 

• An ITSO may proceed at its own pace.
• Clients may be onboarded in a phased approach.
• The IT Support Organization will be considered successfully on-boarded once 20% of its discovered devices have the client installed and appear in its "All [DeptCode] Clients" collection and any OS images it uses have the client pre-installed.

Basic Client On-boarding Steps

Ensure that the prerequisites to onboarding have been followed: Prerequisites to Onboarding

Recommended pre-check steps

• Ensure network connectivity exists between client and Configuration Manager.
  • If you already have a general communication allowance for the Campus Management Network (10.157.254.0/23), then this should allow required Configuration Manager traffic.
  • To specifically define communication rules for Configuration Manager traffic, explicitly allow 10.157.254.208 (aus-sccm.austin.utexas.edu)
  • Ports used for connections - Configuration Manager | Microsoft Docs for specific communication port requirements between clients and site systems. Most communication occurs over 443, but there are some other ports to consider.
  • Client Device authentication – This can take place with a PKI certificate obtained by GPO or InCommon certificate enrollment or possibly with an Azure AD access token. 

    • Use PowerShell to test the connection over port 443 from a client:  

      PS> Test-NetConnection -ComputerName aus-sccm.austin.utexas.edu -Port 443
      
      ComputerName     : aus-sccm.austin.utexas.edu
      RemoteAddress    : 10.157.254.208
      RemotePort       : 443
      InterfaceAlias   : ***********
      SourceAddress    : ***.***.***.***
      TcpTestSucceeded : True

• In the console under "Device Collections\[DeptCode]\" verify the computer account you plan to deploy to appears under "All [DeptCode] Non-Client Discovered Devices"
  • This is to verify Configuration Manager knows about the computer and is ready to immediately update details about it once the CM client is installed and checks in.
  • If the computer is not found, this may indicate a potential issue.  See the troubleshooting section at the bottom of this page.
    
    
• OU Location:  A clients' domain account must reside somewhere under a CSU-delegated OU under "OU=Departments,DC=austin,DC=utexas,DC=edu"
   

Client Installation

Install the Configuration Manager client with elevated credentials onto an existing computer or into a computer image. The preferred option for deploying the client to existing computers is to use your current software deployment mechanism to deploy a package that runs the installer with all required switches.

• For computers currently managed by Ivanti, you can create a scheduled deployment task using the "SCCM Client Installer" package found under "Distribution Packages\Public Packages\SCCM\"
• Individual computers may also be manually on-boarded on an ad-hoc basis by downloading the pre-made batch script and accompanying files from the client share, then running the batch file from an elevated user session
• If you are imaging new systems, be sure to include the client in that process.

Run the installer with all required switches:

\\aus-dp.austin.utexas.edu\sccmclient\CCMSETUP.EXE /UsePKICert /NoCRLCheck /MP:aus-sccm.austin.utexas.edu SMSSITECODE=AUS SMSMP=https://aus-sccm.austin.utexas.edu/ CCMFIRSTCERT=1 CCMHTTPPORT=80 CCMHTTPSPORT=443 DNSSUFFIX=austin.utexas.edu CCMLOGMAXSIZE=3145728 CCMLOGLEVEL=0 CCMLOGMAXHISTORY=2 CCMHTTPSSTATE=31 FSP=aus-sccm.austin.utexas.edu CCMHOSTNAME=aus-sccm.austin.utexas.edu SMSSLP=aus-sccm.austin.utexas.edu

Alternatively call the premade batch file that already references the installer and required switches:

\\aus-dp.austin.utexas.edu\sccmclient\Install AUS SCCM Client x64.bat

Verification

Verify successful deployment by viewing the client in the Configuration Manager console. Client initiation takes time both on the client itself and reporting initial inventory data to the site server.  

1. 1. In the console under "Device Collections\[DeptCode]\" folder check which ITSO level collection contains the computer account
   2. Once the installation succeeds and the client checks in, the computer account should move to the "All [DeptCode] Clients" collection from the "All [DeptCode] Non-Client Discovered Devices" after some time for the client to collect inventory and report into the server.
      You may experience delays of up to 1 hour (possibly longer) before clients are visibly seen as active in the console.
      
      

Client installation does not generally require an endpoint to reboot, however there may be some components that create this need if ccmsetup.exe determines these components are required during installation. If the last line of the client log (C:\Windows\ccmsetup\Logs\ccmsetup.log) says "CcmSetup is exiting with return code 7" then reboot the endpoint, and wait for the client to check in.

What to expect

• The client will not show up right away in your console. 

WSUS Policy

After most or all clients have been onboarded to Configuration Manager, any Group Policies that set the Windows Update Server must be removed in order for Configuration Manager to properly assume the duty of patching clients. The Configuration Manager client leverages the already existing Windows Update Agent binaries on endpoints to do update scanning and reporting. When the WUServer registry entry points to anything other than the site server the CM client can't properly report applicability and get a manifest of updates that need to be installed.

This step is recommended after the ITSO is happy with the progress of migration for a critical mass of clients.

Troubleshooting steps

If the computer does not show up in your ITSO Clients collection and your deployment mechanism reports installation success, you can check the status of the installation on the computer's log files.

1. Confirm the last line in the c:\Windows\ccmsetup\logs\ccmsetup.log is "CcmSetup is exiting with return code 0".
   
   1. If the last line of the client log (C:\Windows\ccmsetup\Logs\ccmsetup.log) says "CcmSetup is exiting with return code 7" then reboot the endpoint, and wait for the client to check in.
      
      
2. Confirm that the Configuration Manager control panel applet exists under System and Security and that its general tab shows.
   • "SMS:AUS" as the site code.
   • aus-sccm.austin.utexas.edu as the Assigned management point
   • and PKI as the Client certificate.
     
     

3. Verify connectivity between the client and CM server

   Testing Connectivity

   Test-NetConnection -ComputerName aus-sccm.austin.utexas.edu -Port 443

Active Directory System Discovery of computer objects only discovers objects that have logged into the domain in the last 180 days, in an effort to keep the abandoned objects from cluttering Configuration Manager.  If you find you have active, in use, devices that are not being discovered, investigate line of sight issue to domain controllers, and connect the VPN so the device can check in with the domain.

Related Information

• Page:
  MCM Preparing your environment (Endpoint Management)

  • onboarding
  • configmgr
• Page:
  MCM Introduction (Endpoint Management)

  • configmgr
  • onboarding
• Page:
  MCM Onboarding Clients (Endpoint Management)

  • onboarding
  • configmgr
• Page:
  MDE Onboarding and Deployment (Endpoint Management)

  • configmgr
  • mde
  • onboarding
• Page:
  Managing Defender Policies (Endpoint Management)

  • configmgr
  • mde
  • onboarding
  • unrestored-unknown-attachment
• Page:
  MCM Prerequisites for Onboarding (Endpoint Management)

  • onboarding
  • configmgr