SOLVED DEPLOYING CLIENT TO ALL NON SERVER DEVICES

soundmagus
Hi there,

We are trying to make sure that SCCM under NO circumstances deploys the CLIENT EVER (the client has been deployed to servers in error by someone at some point in the past) to ANY servers unless specifically stated. We only want it to deploy to laptops and desktops.

Can someone please point me to a method to accomplish this? The domain is cross-forest and a little "messy" in regards to the SCCM setup. What would be the best way to accomplish this?

Mark
 
There is No way to true accomplish this. SCCM NEVER installs the client on anything unless you tell it to.
 
> There is No way to true accomplish this. SCCM the NEVER install the client on anything unless you tell it to.

Thanks Garth, although I don't really understand what you're saying (your sentence is pretty confusing). Are you saying SCCM will only install to devices we tell it to? Or are you saying there is no way to tell SCCM NOT to install to certain devices ever? Namely ALL SERVERS?
 
Remove the "the" in the second sentence and add an "s" to install.

SCCM will only installs the client when you tell it install the client.
 
> Remove the "the" in the second sentence and add an "s" to install.
>
> SCCM will only installs the client when you tell it install the client.

So it looks like someone has manually installed the client to all the desktop and server client Device Collections.
Can you answer this question: if the client has been installed on a server and we remove it using the RCT uninstall, will it be reinstalled even though client push installation has "workstations only" selected?
The reason I ask is that when using RCT to uninstall, the CCMSETUP folder under C:\Windows remains, and inside it the ccmsetup.exe setup file and Logs folder are still there.
Will SCCM continue to try and install the client because it has already done so, or will it ignore it from now on?

thanks for your help,

Mark
 
As for the client getting re-pushed, your answer probably depends on how they got pushed to begin with, if someone:
  • manually pushed clients to them, well there you go, train those badmins not to monkey with stuff.
  • implemented it via GPO, it might reinstall upon the next policy update after removal (not sure, I don't use this) but generally that's a 15 minute wait to find out.
  • enabled software update-based installation, it'd probably re-push once it sees it's missing (again not something I use so not 100% on this) upon the next update check.
  • checked "Servers" on Client Push Installation Properties, you unchecking it will put an end to it.

As for the data leftover in the "%WinDir%\" it doesn't 100% clean up after itself, once the removal is complete (can verify via the log left) you can safely delete (may not see all of these):
  • CCM
  • ccmcache
  • ccmsetup
  • ccmtemp
I find your removal of the client sacrilegious though! Those poor servers, alone in the dark with no ccmexec to keep them safe. :(
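The check-then-clean-up sequence described above, as an added PowerShell example that is not from the thread or from Microsoft. It assumes the uninstall was started with "ccmsetup.exe /uninstall" (which writes %WinDir%\ccmsetup\Logs\ccmsetup.log), and it takes the line "CcmSetup is exiting with return code 0" as the success marker in that log; it only deletes the four leftover folders once the CcmExec service is gone, no ccmsetup.exe is running, and the last logged exit code was 0. Run it elevated on the server being cleaned.

```powershell
# Added example: confirm the ConfigMgr client is really gone, then remove the
# leftover folders the post lists. Not part of the original thread.
$leftoverNames = 'CCM', 'ccmcache', 'ccmsetup', 'ccmtemp'
$setupLog = Join-Path $env:WinDir 'ccmsetup\Logs\ccmsetup.log'

function Test-CcmClientRemoved {
    # 1. The CcmExec service must no longer be registered.
    $svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
    if ($svc) {
        Write-Warning "CcmExec service still present (status: $($svc.Status))"
        return $false
    }

    # 2. ccmsetup.exe must not be running (an uninstall, or a re-push, in progress).
    if (Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue) {
        Write-Warning 'ccmsetup.exe is running; wait for it to finish.'
        return $false
    }

    # 3. If the setup log exists, its last exit line must report code 0
    #    (assumed success marker: "CcmSetup is exiting with return code 0").
    if (Test-Path $setupLog) {
        $exitLine = Select-String -Path $setupLog -Pattern 'CcmSetup is exiting with return code (\d+)' |
                    Select-Object -Last 1
        if ($exitLine) {
            $code = $exitLine.Matches[0].Groups[1].Value
            if ($code -ne '0') {
                Write-Warning "Last ccmsetup run exited with code $code; check the log."
                return $false
            }
        }
    }
    return $true
}

function Remove-CcmLeftovers {
    param([switch]$WhatIf)
    if (-not (Test-CcmClientRemoved)) {
        throw 'Client removal not confirmed; nothing deleted.'
    }
    foreach ($name in $leftoverNames) {
        $path = Join-Path $env:WinDir $name
        if (Test-Path $path) {
            Write-Output "Removing $path"
            # This also removes ccmsetup.log, so read it (above) before deleting.
            Remove-Item -Path $path -Recurse -Force -WhatIf:$WhatIf
        } else {
            Write-Output "Not present: $path"
        }
    }
}

# Dry run first; drop -WhatIf once the output lists exactly what you expect.
Remove-CcmLeftovers -WhatIf
```

The three checks matter in that order: a registered CcmExec service means the uninstall never completed, a running ccmsetup.exe may be a push that has already started again, and a non-zero exit code in the log means ccmsetup itself reported a failure, so deleting the folders at that point would only hide the evidence.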
 
Come to think of it, while training is nice you could implement further measures to prevent this from reoccurring using GPO:
  1. Create a security group in AD containing all systems you don't want SCCM clients on (if you don't already have one).
  2. Create a GPO containing the following setting: Computer>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment: Deny access to this computer from the network
  3. Add any account listed in the Client Push Installation Accounts list.
  4. Modify the security filtering. Remove Authenticated Users (add it back in delegation with read), and add the group you created in step 1.
  5. Link the GPO at the highest level to apply to all systems with appropriate link order.
  6. Restart the systems if you had to create a new group in step 1 so they notice their changed membership.
This will stop it from happening via the CM site; to completely prevent people from logging on to a system with the necessary rights to browse to the share on the CM server and get the client, you'd need a GPO with firewall settings to block connections to/from the CM server outright. Getting a bit much though...
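Steps 1, 4 and 5 of the procedure above, scripted with the RSAT ActiveDirectory and GroupPolicy modules, as an added example that is not from the thread or from Microsoft. The domain DN (corp.example.com), the group name and the GPO name are assumed, and "server" is taken to mean any computer object whose OperatingSystem attribute contains "Server". Steps 2 and 3 (the "Deny access to this computer from the network" right and the Client Push Installation accounts) have no GroupPolicy cmdlet, so they are still set in the GPO editor once the script has created the policy; step 6 (the restart) is likewise left to you.

```powershell
# Added example: scaffold the deny-push GPO from the post (steps 1, 4, 5).
# Not part of the original thread. Requires RSAT and a domain admin session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = 'DC=corp,DC=example,DC=com'    # assumed domain
$groupName = 'No-ConfigMgr-Client'           # assumed group name
$gpoName   = 'Block ConfigMgr Client Push'   # assumed GPO name

# Step 1: security group containing every server computer object.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDn" `
        -Description 'Computers that must never receive the ConfigMgr client' -PassThru
}
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem
if ($servers) { Add-ADGroupMember -Identity $group -Members $servers }

# Create the GPO if needed. Steps 2 and 3 (User Rights Assignment:
# "Deny access to this computer from the network" listing each Client Push
# Installation account) are configured in the GPO editor after this runs.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Step 4: security filtering. Authenticated Users drops from Apply to Read
# (computers still need Read to process the policy); only the group applies it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 5: link at the domain root, first in link order so it is processed last and wins.
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -Order 1 | Out-Null

# Verify: who can apply the GPO, and which computers are in the group.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name) -join ', '
```

After the restart in step 6, confirm on one server that the push account is listed under "Deny access to this computer from the network" in the Resultant Set of Policy (gpresult /h) before relying on it; a server whose computer object was added to the group but has not yet refreshed its token will still accept the push.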
 
Thanks for the help guys, we wrote a script to remove the clients then made sure badmins no longer have access.

Much appreciated :)

Mark
 