Best Practices for Client Deployment in Configuration Manager

This client deployment method has the benefit of using existing Windows technologies, integrates with your Active Directory infrastructure, requires the least configuration in Configuration Manager, is the easiest to configure for firewalls, and is the most secure. By using security groups and WMI filtering for the Group Policy configuration, you also have a lot of flexibility to control which computers install the Configuration Manager client.

For more information about how to install clients by using software update-based installation, see the How to Install Configuration Manager Clients by Using Software Update-Based Installation section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

When you extend the Active Directory schema for Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment. Because this information is automatically generated, the risk of human error associated with manually entering installation properties is eliminated.

For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

Minimize the effect of the CPU processing requirements on the site server by planning a phased rollout of clients over a period of time. Deploy clients outside business hours so that critical business services have more available bandwidth during the day and users are not disrupted if their computer slows down or requires a restart to complete the installation.

Configuration Manager with no service pack only

Automatic client upgrades are useful when you want to upgrade a small number of client computers that might have been missed by your main client installation method. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade deployment. You then use this method to upgrade the client on these computers when they are next active.

For more information about client deployment method, the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

The SMSMP property specifies the initial management point for the client to communicate with and removes the dependency on service location solutions such as Active Directory Domain Services, DNS, and WINS.

Use the FSP property and install a fallback status point so that you can monitor client installation and assignment, and identify any communication problems.

For more information about these options, see About Client Installation Properties in Configuration Manager.

If you install client language packs on a site after you install clients, you must reinstall the clients before they can use the additional languages. For mobile device clients, this means you must wipe the mobile device and enroll it again.

For more information about how to add support for additional client languages, see Install Sites and Create a Hierarchy for Configuration Manager.

To manage devices on the Internet, enrolled mobile devices, and Mac computers, you must have PKI certificates on site systems (management points and distribution points) and the client devices. For many customers, this requires advanced planning and preparation, especially if you have a separate team who manages your PKI. On production networks, you might require change management approval to use new certificates, restart site system servers, or users might have to logoff and logon for new group membership. In addition, you might have to allow sufficient time for replication of security permissions and for any new certificate templates.

For more information about the PKI certificates that are required, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the certificates that is suitable for a test environment, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.

Although you can configure client settings and maintenance windows before or after clients are installed, configure any required settings before you install clients so that these settings are used as soon as the client is installed.

If users will enroll their own Mac computers and mobile devices by using Configuration Manager, plan and prepare the user experience. For example, you might script the installation and enrollment process by using a web page so users enter the minimum amount of information necessary, and you send them instructions with a link by email.

Embedded devices that use Enhanced Write Filters (EWF) are likely to experience state message resynchronizations. If you have just a few embedded devices that use Enhanced Write Filters, you might not notice this. However, when you have a lot of embedded devices that resynchronize their information, such as sending full inventory rather than delta inventory, this can generate a noticeable increase in network packets and higher CPU processing on the site server.

When you have a choice of which type of write filter to enable, choose File-Based Write Filters and configure exceptions to persist client state and inventory data between device restarts for network and CPU efficiency on the Configuration Manager SP1 client. For more information about write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic.

For more information about the maximum number of Windows Embedded clients that a primary site can support, see the Site and Site System Role Scalability section in the Supported Configurations for Configuration Manager topic.