SCCM client push installation account

Then deploy the package to device collections that contain clients that you want to upgrade. This procedure is for a traditional client that's connected to an intranet. It uses traditional client authentication methods. To make sure the device remains in a managed state after it installs the client, it must be on the intranet and within a Configuration Manager site boundary. After you install the Configuration Manager client, devices don't unenroll from Intune.

For more information, see Co-management overview. You can use other client installation methods to install the Configuration Manager client on an Intune-managed device.

For example, if an Intune-managed device is on the intranet, and joined to the Active Directory domain, you can use group policy to install the Configuration Manager client.

In the Intune Software Publisher, enter command-line parameters. For example, use this command with a traditional client on an intranet. For an example of a command to use with a Windows client using Azure AD authentication, see How to prepare internet-based devices for co-management.

Assign the app to a group of the enrolled Windows computers. Preinstall the Configuration Manager client on a reference computer that you use to create an OS image.

Manually install the Configuration Manager client software on the reference computer. For more information, see How to install Configuration Manager clients manually. Remove any certificates that are stored in the local computer store on the reference computer. For example, if you use PKI certificates, before you image the computer, remove the certificates in the Personal store for Computer and User.

If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the reference computer, remove the trusted root key from the reference computer.

If clients can't query Active Directory Domain Services to locate a management point, they use the trusted root key to determine trusted management points. If you deploy all imaged clients in the same hierarchy as that of the master computer, leave the trusted root key in place. If you deploy the clients in different hierarchies, remove the trusted root key. Also provision these clients with the new trusted root key. For more information, see Planning for the trusted root key.

Configuration Manager supports client installation for computers in workgroups. Install the client on workgroup computers by using the method specified in How to install Configuration Manager clients manually. Manually install the client on each workgroup computer.

During installation, the interactive user must have local administrator rights. To access resources in the Configuration Manager site server domain, configure the network access account for the site.

Specify this account in the software distribution site component. For more information, see Site components. Workgroup clients can't locate management points from Active Directory Domain Services. Instead, they use DNS or another management point. Global roaming isn't supported. Workgroup clients can't query Active Directory Domain Services for site information. You can't configure a workgroup client as a distribution point. Configuration Manager requires that distribution point computers be members of a domain.

Check the prerequisites, and then follow the directions in the section How to install Configuration Manager clients manually. This example requires the client to be on a network location that's configured in a boundary group. If this requirement isn't met, automatic site assignment won't work. This property helps to track client deployment and to identify any client communication issues. This section doesn't apply to clients that use a cloud management gateway.

To install internet-based clients by using a cloud management gateway, see Install and assign Configuration Manager clients using Azure AD for authentication. When the Configuration Manager site supports internet-based client management for clients that are sometimes on an intranet and sometimes on the internet, you have two options when you install clients on the intranet:

Include the Client. When you use this method, directly assign the client to the site. You can't use automatic site assignment. See the How to install Configuration Manager clients manually section, which provides an example of this configuration method. Install the client for intranet client management, and then assign an internet-based client management point to the client. Change the management point by using the client properties on the Configuration Manager page in Control Panel, or by using a script.

When you use this method, you can use automatic client assignment. For more information, see the How to configure clients for internet-based client management after client installation section.
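The "by using a script" route mentioned above, as an added example that is not from the original page or from Microsoft's documentation: it calls the SetInternetManagementPointFQDN method of the SMS_Client class in the client's root\ccm WMI namespace, which is the same setting the Configuration Manager applet in Control Panel exposes. The management point name is a placeholder; run it elevated on a client that already has the intranet-installed agent.

```powershell
# Added example (not from the original page). Assigns an internet-based
# management point to an installed Configuration Manager client through
# the SMS_Client WMI class. The FQDN passed in is a placeholder.

function Set-CMInternetManagementPoint {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9][A-Za-z0-9.-]+$')]   # hostname characters only
        [string]$InternetMPFQDN
    )

    # The root\ccm namespace only exists where the client is installed;
    # -ErrorAction Stop turns a missing client into a clear failure.
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop
    Write-Verbose "Configuration Manager client $($client.ClientVersion) found"

    # Static class method: the client stores the new FQDN and uses it the
    # next time it refreshes its management point location.
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
        -MethodName 'SetInternetManagementPointFQDN' `
        -Arguments @{ InternetManagementPointFQDN = $InternetMPFQDN } `
        -ErrorAction Stop | Out-Null

    Write-Output "Internet management point set to $InternetMPFQDN"
}

# Placeholder FQDN; replace with the internet-facing management point of the site.
Set-CMInternetManagementPoint -InternetMPFQDN 'internetmp.corp.example.com' -Verbose
```

Because the script only changes the internet management point, the client keeps the site assignment it received at install time, which is what lets automatic site assignment remain usable with this method. Confirm the result in the Network tab of the Configuration Manager applet in Control Panel.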

Provide a mechanism for these clients to temporarily connect to the intranet with a VPN. Then install the client by using any appropriate client installation method. Use an installation method that's independent of Configuration Manager.

For example, package the client installation source files onto removable media and send the media to users. On the media, include a script to manually copy over the client folder.

From this folder, install the client by using CCMSetup. Configuration Manager doesn't support installing a client directly from the internet-based management point or from the internet-based software update point. Clients that are managed over the internet must communicate with internet-based site systems.
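The removable-media procedure just described, as an added example that is not from the original page or from Microsoft: a script placed on the media next to a copy of the site's Client folder, which copies that folder to the local disk and runs CCMSetup from the copy with the /source: parameter and the SMSSITECODE and SMSMP installation properties. The site code, management point name, and local path are placeholders.

```powershell
# Added example (not from the original page). Installs the Configuration
# Manager client from a local copy of the Client folder, so CCMSetup never
# tries to fetch source files from an internet-based site system.
# Site code, management point, and local path are placeholders.

param(
    [string]$SiteCode        = 'PS1',                     # placeholder site code
    [string]$ManagementPoint = 'mp01.corp.example.com',   # placeholder intranet MP
    [string]$LocalSource     = 'C:\CMClientSource'
)

# The Client folder is expected next to this script on the media.
$mediaClient = Join-Path -Path $PSScriptRoot -ChildPath 'Client'
if (-not (Test-Path (Join-Path $mediaClient 'ccmsetup.exe'))) {
    throw "ccmsetup.exe not found under $mediaClient; copy the site's Client folder onto the media first."
}

# Mirror the folder to the local disk. robocopy exit codes below 8 mean success.
robocopy $mediaClient $LocalSource /E /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# /source:     read installation files from the local copy.
# SMSSITECODE= assign the client directly to the site (no automatic assignment).
# SMSMP=       the intranet management point used for the first policy request.
$setupArgs = @(
    "/source:$LocalSource",
    "SMSSITECODE=$SiteCode",
    "SMSMP=$ManagementPoint"
)
$setup = Join-Path -Path $LocalSource -ChildPath 'ccmsetup.exe'
$proc  = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru

# CCMSetup exit codes: 0 = completed or handed off successfully, 7 = restart required.
switch ($proc.ExitCode) {
    0       { Write-Output 'CCMSetup completed; follow progress in ccmsetup.log.' }
    7       { Write-Output 'Client installed; a restart is required.' }
    default { throw "ccmsetup.exe exited with code $($proc.ExitCode); see $env:windir\ccmsetup\Logs\ccmsetup.log" }
}
```

Once the client is installed this way it is assigned to the site but still has no internet management point; the SetInternetManagementPointFQDN step described in the internet-based client management section completes the configuration when the device later leaves the intranet.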

Ensure that these clients also have public key infrastructure (PKI) certificates before you install the client. Install these certificates independently from Configuration Manager.

For more information, see PKI certificate requirements. So why is this account so important? This account is used to connect to computers and install the Microsoft System Center Configuration Manager client software if you deploy clients using Client Push Installation. If the Client Push Installation account is not specified, the site server computer account is used to try to install the Configuration Manager client software. Note that the Client Push Installation account is not created automatically; the CM administrator needs to create it.

The administrator can create multiple Client Push Installation accounts or can use a single account across multiple sites. The Client Push Installation account must be in the local Administrators built-in group on the computers where the Configuration Manager client software is to be installed. To specify a client push installation account, launch the Configuration Manager console, click Administration, and under Site Configuration click Sites.
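The same configuration done from the Configuration Manager PowerShell module that ships with the console, as an added example that is not from the original page or from Microsoft: it registers a dedicated account at the site and attaches it to client push, with automatic push left off so the account is used only for pushes an administrator starts. The site code, site server, and account name are placeholders, and the cmdlet names and parameters are assumed to match the module version installed with the console.

```powershell
# Added example (not from the original page). Registers a client push
# installation account and attaches it to a site. Site code, site server
# and account name are placeholders; the account needs to be a member of
# the local Administrators group on the target computers, and nothing more.

param(
    [string]$SiteCode    = 'PS1',                        # placeholder
    [string]$SiteServer  = 'cm01.corp.example.com',      # placeholder
    [string]$PushAccount = 'CORP\svc-cm-clientpush'      # placeholder
)

# SMS_ADMIN_UI_PATH points at <console>\bin\i386; the module sits one level up.
$consoleBin = Split-Path -Path $env:SMS_ADMIN_UI_PATH -Parent
Import-Module (Join-Path $consoleBin 'ConfigurationManager.psd1') -ErrorAction Stop

# The CM cmdlets run from the site's PSDrive; create it if the console has
# not already done so on this machine.
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Ask for the password interactively rather than storing it in the script.
$cred = Get-Credential -UserName $PushAccount -Message 'Client push installation account password'

# Register the account at the site only if it is not already known there.
if (-not (Get-CMAccount -UserName $PushAccount -SiteCode $SiteCode)) {
    New-CMAccount -UserName $PushAccount -Password $cred.Password -SiteCode $SiteCode | Out-Null
}

# Attach the account to client push. Automatic push stays disabled so the
# site does not start using the credential on every newly discovered system.
Set-CMClientPushInstallation -SiteCode $SiteCode -AddAccount $PushAccount `
    -EnableAutomaticClientPushInstallation $false

Write-Output "Client push installation account $PushAccount configured for site $SiteCode"
```

The account is a local administrator on every computer the site pushes to, so treat it like any other broadly privileged credential: one account per site where practical, a long random password, and no interactive or remote desktop sign-in rights beyond what client push needs.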

When expanding a standalone site to include a central administration site, this account requires either Full Administrator or Infrastructure Administrator role-based administration rights at the standalone primary site.

The site server uses the Site system installation account to install, reinstall, uninstall, and set up site systems. If you set up the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system after it installs the site system and any roles. Each site system can have a different installation account, but you can set up only one installation account to manage all roles on that site system.

This account requires local administrative permissions on the target site systems. Additionally, this account must have Access this computer from the network in the security policy on the target site systems. If you have many domain controllers and these accounts are used across domains, before you set up the site system, check that Active Directory has replicated these accounts. When you specify a local account on each site system to be managed, this configuration is more secure than using domain accounts.

It limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage. Consider the trade-off between security and effective administration. The following site system roles use the Site system proxy server account to access the internet via a proxy server or firewall that requires authenticated access.
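A readiness check for the site system installation account requirements stated above (local administrator on the target, plus the "Access this computer from the network" right and no matching deny right), as an added example that is not from the original page or from Microsoft. It runs elevated on the target site system, exports the effective local security policy with secedit.exe, and reads the SeNetworkLogonRight and SeDenyNetworkLogonRight entries. The account name is a placeholder; a local account is given as COMPUTERNAME\name.

```powershell
# Added example (not from the original page). Verifies on a target site
# system that an installation account is a direct member of the local
# Administrators group and holds the network logon right. Account name is
# a placeholder. Requires an elevated session (secedit export).

function Test-SiteSystemInstallAccount {
    param([Parameter(Mandatory)][string]$Account)

    # Compare by SID so name formatting does not matter.
    $nt  = [System.Security.Principal.NTAccount]$Account
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Direct membership in BUILTIN\Administrators; nested groups are not expanded.
    $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $isAdmin = [bool]($admins | Where-Object { $_.SID.Value -eq $sid })

    # Export only the user-rights area of the effective local policy.
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -Force

    # Entries look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $getRight = {
        param([string]$Name)
        $line = $lines | Where-Object { $_ -match "^$Name\s*=" }
        if (-not $line) { return @() }
        (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $allow = & $getRight 'SeNetworkLogonRight'
    $deny  = & $getRight 'SeDenyNetworkLogonRight'

    # The right is usually granted to groups rather than accounts, so accept
    # the account SID or the well-known groups the account is implicitly in:
    # Administrators (if it is a member), Authenticated Users, Everyone.
    $implied = @($sid, 'S-1-5-11', 'S-1-1-0')
    if ($isAdmin) { $implied += 'S-1-5-32-544' }
    $granted = [bool]($allow | Where-Object { $implied -contains $_ })
    $denied  = [bool]($deny  | Where-Object { $implied -contains $_ })

    [pscustomobject]@{
        Account      = $Account
        SID          = $sid
        LocalAdmin   = $isAdmin
        NetworkLogon = $granted -and -not $denied
        Ready        = $isAdmin -and $granted -and -not $denied
    }
}

Test-SiteSystemInstallAccount -Account 'CORP\svc-cm-siteinstall'   # placeholder account
```

A Ready value of False before site system installation saves a failed install and the site component status messages that follow it; the most common cause is a hardening baseline that populates SeDenyNetworkLogonRight with a group the service account belongs to.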

Specify an account that has the least possible permissions for the required proxy server or firewall. For more information, see Proxy server support. For more information, see Configure alerts. The site server uses the Software update point connection account for the following two software update services.

The site system installation account can install components for software updates, but it can't do software update-specific functions on the software update point. If you can't use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the site system installation account.

This account must be a local administrator on the computer where you install WSUS. For more information, see Plan for software updates. This account requires Read permissions to site objects in the source site to gather data for migration jobs. If you have Configuration Manager distribution points or secondary sites with colocated distribution points, when you upgrade them to Configuration Manager current branch distribution points, this account must also have Delete permissions to the Site class.

This permission is to successfully remove the distribution point from the Configuration Manager site during the upgrade. Both the source site account and the source site database account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console. For more information, see Migrate data between hierarchies. The migration process uses the Source site database account to access the SQL Server database for the source site. If you use the Configuration Manager current branch computer account, make sure that all the following are true for this account.

Windows Setup uses the Task sequence domain join account to join a newly imaged computer to a domain. This account is required by the Join Domain or Workgroup task sequence step with the Join a domain option. This account can also be set up with the Apply Network Settings step, but it isn't required.

Create one domain user account with the minimal permissions to join the domain, and use it for all task sequences. The task sequence engine uses the Task sequence network folder connection account to connect to a shared folder on the network.

This account is required by the Connect to Network Folder task sequence step. This account requires permissions to access the specified shared folder. It must be a domain user account.

Create one domain user account with minimal permissions to access the required network resources, and use it for all task sequences. The task sequence engine uses the Task sequence run as account to run command lines or PowerShell scripts with credentials other than the Local System account. This account is required by the Run Command Line and Run PowerShell Script task sequence steps with the option Run this step as the following account chosen.

Set up the account to have the minimum permissions required to run the command line that you specify in the task sequence. The account requires interactive sign-in rights.

It usually requires the ability to install software and access network resources. For the Run PowerShell Script task, this account requires local administrator permissions. Never set up roaming profiles for this account. When the task sequence runs, it downloads the roaming profile for the account. This leaves the profile vulnerable to access on the local computer.

Limit the scope of the account. For example, create different task sequence run as accounts for each task sequence. Then if one account is compromised, only the client computers to which that account has access are compromised.

If the command line requires administrative access on the computer, consider creating a local administrator account solely for this account on all computers that run the task sequence.

Delete the account once you no longer need it. Configuration Manager automatically creates and maintains the following user objects in SQL. Modifying or removing these objects may cause drastic issues within a Configuration Manager environment. We recommend that you don't make any changes to these objects.
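An audit of task sequence run-as accounts against the guidance above (no roaming profile, membership limited to what the command line needs, accounts deleted once unused), as an added example that is not from the original page or from Microsoft. It uses the ActiveDirectory module to read each account's ProfilePath, its direct group memberships, and its last logon date. The account names are placeholders, and the 90-day staleness threshold is an assumption, not a figure from the page.

```powershell
# Added example (not from the original page). Reports task sequence
# run-as accounts that violate the guidance: roaming profile configured,
# membership in a built-in privileged group, or no sign-in for 90 days
# (threshold is an assumption). Account names are placeholders.

function Test-TaskSequenceRunAsAccount {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [int]$StaleDays = 90
    )

    # A run-as account should never sit in one of these groups; a compromise
    # of the account would then reach far beyond the task sequence's clients.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Server Operators'

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties ProfilePath, LastLogonDate

        # Direct memberships only; nested groups would need a recursive query.
        $groups = @((Get-ADPrincipalGroupMembership -Identity $user).Name)
        $badGroups = @($groups | Where-Object { $privileged -contains $_ })

        $findings = @(
            if ($user.ProfilePath) { 'roaming profile set; the profile would be downloaded to every client' }
            if ($badGroups.Count -gt 0) { "member of privileged group(s): $($badGroups -join ', ')" }
            if ($user.LastLogonDate -and $user.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
                "no sign-in for $StaleDays days; delete if the task sequence is retired"
            }
        )

        [pscustomobject]@{
            Account        = $user.SamAccountName
            Enabled        = $user.Enabled
            RoamingProfile = [bool]$user.ProfilePath
            PrivilegedGroups = $badGroups
            LastLogonDate  = $user.LastLogonDate
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings
        }
    }
}

# Placeholder account names; one run-as account per task sequence, as the text recommends.
Test-TaskSequenceRunAsAccount -SamAccountName 'svc-ts-runas-win11', 'svc-ts-runas-srv2022' |
    Format-List
```

Running the audit on a schedule keeps the "one account per task sequence" and "delete when no longer needed" advice from eroding as task sequences are retired, which is when these accounts are most often forgotten.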

This object is used to run queries under the read-only context. This object is used with several stored procedures. The following stored procedure is used with this function: spSRExecQuery.

Configuration Manager automatically creates and maintains the following role objects in SQL. These roles provide access to specific stored procedures, tables, views, and functions.

These roles either get or add data in the Configuration Manager database. Don't change these objects. The following list is for information purposes only. Configuration Manager grants this permission to administrative user accounts based on role-based access to import volume license information for Asset Intelligence. Configuration Manager grants the computer account that hosts the Asset Intelligence synchronization point account access to get Asset Intelligence proxy data and to view pending AI data for upload.

Configuration Manager grants permission to the computer account of the site system that supports the certificate registration point for Simple Certificate Enrollment Protocol (SCEP) support for certificate signing and renewal. Configuration Manager grants permission to the computer account of the site system that supports the certificate registration point configured for PFX support for signing and renewal.

Configuration Manager grants this permission to the computer account of a management point that has the option Allow mobile devices and Mac computers to use this management point enabled, to provide support for MDM-enrolled devices.

Configuration Manager grants this permission to the computer account that hosts the service connection point to retrieve and provide diagnostic data, manage cloud services, and retrieve service updates. Configuration Manager grants this permission to the computer account of the primary site servers on the CAS when the SQL Server distributed views option is selected in the replication link properties.

Configuration Manager grants this permission to the computer account that hosts the data warehouse role. Configuration Manager grants this permission to the computer account that hosts the enrollment point to allow for device enrollment via MDM. For the hierarchy manager service, Configuration Manager grants this account permissions to manage failover state messages and SQL Server Broker transactions between sites within a hierarchy.

Configuration Manager grants this permission to the computer account of the distribution point that supports multicast. Configuration Manager grants this permission to the computer account that hosts the management point role to provide support for the Configuration Manager clients.

Configuration Manager grants this permission to the computer account that hosts the management point that manages BitLocker for an environment. Configuration Manager grants this permission to the computer account that hosts the management point to support user-based application requests.
