Prerequisites for Windows Client Deployment in Configuration Manager

For Configuration Manager client computers with no service pack that will connect to the Application Catalog:

Configure Internet Explorer to exclude the ActiveX control Microsoft.ConfigurationManager.SoftwareCatalog.Website.ClientBridgeControl.dll from ActiveX filtering and allow it to run in the browser.

If you run Configuration Manager with no service pack, the Application Catalog website uses an ActiveX control for Internet Explorer, which coordinates application installation and approval requests with the Configuration Manager client. The ActiveX control file is named Microsoft.ConfigurationManager.SoftwareCatalog.Website.ClientBridgeControl.dll and is automatically installed on the client when the Configuration Manager client is installed.

You must configure Internet Explorer to exclude this ActiveX control from ActiveX filtering and allow it to run in the browser. You can manually configure Internet Explorer or use Group Policy settings. For more information, see your Windows documentation.

Install the hotfix described in KB2552033 on site servers that run Windows Server 2008 R2.

The hotfix described in KB2552033 must be installed on site servers that run Windows Server 2008 R2 when client push installation is enabled.

Microsoft Task Scheduler service

The Microsoft Task Scheduler service must be enabled on the client for the client installation to complete.

Windows Update Agent version 7.0.6000.363

Required by Windows to support update detection and deployment.

Microsoft Remote Differential Compression (RDC)

Required to optimize data transmission over the network.

Microsoft Visual C++ 2008 Redistributable version 9.0.30729.4148.

For Microsoft System Center 2012 Configuration Manager SP1 or earlier.

Required to support client operations.

Microsoft Visual C++ 2013 Redistributable version 12.0.21005.1

For Microsoft System Center 2012 Configuration Manager SP2 and System Center 2012 R2 Configuration Manager SP1.

Required to support client operations.

Microsoft Policy Platform 1.2.3514.0

Required to allow clients to evaluate compliance settings.

Microsoft Silverlight 5.1.10411.0

For Microsoft System Center 2012 Configuration Manager SP1.

Required to support the Application Catalog website user experience.

Microsoft Silverlight 5.1.30514.0

For Microsoft System Center 2012 Configuration Manager SP2 and System Center 2012 R2 Configuration Manager SP1.

Required to support the Application Catalog website user experience.

Microsoft SQL Server Compact 3.5 SP2 components

Required to store information related to client operations.

Management point

Although a management point is not required to deploy the System Center 2012 Configuration Manager client, you must have a management point to transfer information between client computers and System Center 2012 Configuration Manager servers. Without a management point, you cannot manage client computers.

Fallback status point

The fallback status point is an optional, but recommended site system role for client deployment. The fallback status point tracks client deployment and enables computers in the System Center 2012 Configuration Manager site to send state messages when they cannot communicate with a management point.

Client push installation

• Client push installation accounts are used to connect to computers to install the client and are specified on the Accounts tab of the Client Push Installation Properties dialog box. The account must be a member of the local administrators group on the destination computer.

  If you do not specify a client push installation account, the site server computer account will be used.

• The computer on which you are installing the client must have been discovered by at least one System Center 2012 Configuration Manager discovery method.

• The computer has an ADMIN$ share.

• Enable client push installation to assigned resources must be selected in the Client Push Installation Properties dialog box if you want to automatically push the System Center 2012 Configuration Manager client to discovered resources.

• The client computer must be able to contact a distribution point or a management point to download the supporting files.

You must have the following security permissions to install the Configuration Manager client by using client push:

• To configure the Client Push Installation account: Modify and Read permission for the Site object.

• To use client push to install the client to collections, devices and queries: Modify Resource and Read permission for the Collection object.

The Infrastructure Administrator security role includes the required permissions to manage client push installation.

For more information about how to configure the requirements in the Client Push Installation Properties dialog box, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

For more information about how to configure the discovery of computers, see Configuring Discovery in Configuration Manager.

Group Policy-based installation

• If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

• The client computer must be able to contact a management point in order to download supporting files.

Manual installation

• The client computer must be able to contact a distribution point or a management point in order to download supporting files unless, at the command prompt, you specified CCMSetup.exe with the command-line property ccmsetup /source.

Software distribution-based installation (for upgrades only)

• If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

• The client computer must be able to contact a distribution point or a management point to download the supporting files.

For the security permissions required to upgrade the Configuration Manager client using application management, see Prerequisites for Application Management in Configuration Manager.

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for mobile devices.

The issuing CA must automatically approve certificate requests from the mobile device users during the enrollment process.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

Optional but recommended: a DNS alias (CNAME record) named ConfigMgrEnroll that is configured for the site system server name on which you will install the enrollment proxy point.

This DNS alias is required to support automatic discovery for the enrollment service: If you do not configure this DNS record, users must manually specify the site system server name of the enrollment proxy point as part of the enrollment process.

Management point that is configured for HTTPS client connections and enabled for mobile devices

A management point is always required to install the System Center 2012 Configuration Manager client on mobile devices. In addition to the configuration requirements of HTTPS and enabled for mobile devices, the management point must be configured with an Internet FQDN and accept client connections from the Internet.

Client settings for mobile device enrollment

Configure client settings to allow users to enroll mobile devices and configure at least one enrollment profile.

To configure enrollment for mobile devices, you must have the following security permissions:

• To add, modify, and delete the enrollment site system roles: Modify permission for the Site object.

• To configure client settings for enrollment: Default client settings require Modify permission for the Site object, and custom client settings require Client agent permissions.

The Full Administrator security role includes the required permissions to configure the enrollment site system roles.

To manage enrolled mobile devices, you must have the following security permissions:

• To wipe or retire a mobile device: Delete resource for the Collection object.

• To cancel a wipe or retire command: Delete resource for the Collection object.

• To allow and block mobile devices: Modify resource for the Collection object.

• To remote lock, or reset the passcode on a mobile device: Modify resource for the Collection object.

The Operations Administrator security role includes the required permissions to manage mobile devices.

For more information about how to configure security permissions, see the Configure Role-Based Administration section in the Configuring Security for Configuration Manager topic.