How to Install SCCM Client on Workgroup Computers

This article demonstrates how to install SCCM client on workgroup computers. By installing the ConfigMgr agent on non-domain-joined devices, you manage them using the SCCM console.

Installing the SCCM client on domain-joined Windows computers is straightforward and easy. There are multiple methods that you can use to install SCCM client on Windows 11 PC. A ConfigMgr hierarchy can manage clients in more than one AD forest as well as workgroup clients.

If you want to install SCCM client on workgroup computers, you cannot use the client push install method because it’s not supported. Workgroup clients cannot access the information published in AD by the client installation properties defined on the Client tab in the Client Push Installation Properties dialog box.

PatchMyPC HorizontalAD
Patch My PC Sponsored AD

You may be interested in the following guides:

Limitations of SCCM Workgroup Computers

When you plan to manage Workgroup computers using SCCM, there are several limitations.

  • Workgroup computers cannot locate Management Point from AD domain services.
  • Network Discovery and Heartbeat discovery are the only discovery methods that can discover computers in workgroups. You cannot run Active Directory Discovery methods to discovery workgroup computers with SCCM.
  • You cannot use client push install method to install client on workgroup computers. The client agent has to be installed manually on workgroup computers.
  • Application deployments targeted to users don’t work for workgroup computers in SCCM.
  • To support computers in a workgroup, you must manually approve these computers if they use HTTP client connections to site system roles. That’s because Configuration Manager cannot authenticate these computers by using Kerberos.
  • Workgroup clients cannot be a distribution point. In other words, you cannot install SCCM Distribution Point role on workgroup computers.

Prerequisites for SCCM Client Installation on Workgroup Devices

Let’s go through some important prerequisites that must be in place before you install the ConfigMgr agent on workgroup computers.

Check Name Resolution for SCCM Workgroup Devices

The workgroup clients cannot access AD Domain services to locate Management Point information because they are not a part of the domain. Therefore, it is critical that SCCM workgroup computers be able to resolve the FQDN of management point and distribution point; otherwise, the client installation will fail. Adding DP and MP entries to the host file might be required in some cases where the computers don’t resolve the MP and DP names.

Also ensure the DNS service is up and running. In most cases, if the DNS service is down or non-functional, any client will not be able to resolve the names or IP address of other computers.

On the Workgroup computer, you can run two essential commands to check if the computer can contact management point server and resolve the MP name.

  1. Use the Ping command to determine if the workgroup client can communicate with the Management Point.
  2. Use the NSlookup command to check if the workgroup computer can resolve the MP name.

If you find that both of the commands above work and that the workgroup client can talk to other clients and figure out the MP and DP, you can move on to the next step.

In case the workgroup computer is unable to resolve the management point name, you can edit the hosts.txt file and manually add the MP server IP details. The hosts.txt file is located in the C:\Windows\System32\drivers\etc. You can edit it with Notepad and add the management point details and save it.

Name Resolution for SCCM Workgroup Devices
Name Resolution for SCCM Workgroup Devices

Configure the Network Access Account

If you haven’t configured the network access account in SCCM, you must do that prior to installing the ConfigMgr client on workgroup computers. Refer to the guide on how to configure SCCM network access account. I have published a video tutorial on configuring NAA in SCCM.

Firewall Ports for WorkGroup Client to SCCM Server Communication

When you install SCCM client on workgroup computers (Windows 10 or Windows 11), the required firewall ports must be open for the communication between the clients and SCCM server. If the ports are blocked by firewall, the client installation will fail, and you have to review the SCCM log files for further troubleshooting.

If there is a firewall between the site system servers and the workgroup computer, confirm whether the firewall permits traffic for the ports that are required for the client installation. For the SCCM client installation to work on workgroup joined Windows devices, the following ports must be opened or allowed on the firewall.

FromToTCP PortDescription
Workgroup ComputerManagement Point10123, 80, 443Client Notification, HTTP, HTTPS
Workgroup ComputerDistribution Point80, 443HTTP, HTTPS
Workgroup ComputerAD Domain3268, 3269LDAP, LDAP SSL
Workgroup ComputerSoftware Update Point8530 or 8531WSUS
Firewall Ports for WorkGroup Client to SCCM Server Communication

Install SCCM Client Agents on Workgroup Computers

We will now go through the steps to install SCCM client on workgroup computers. The procedure involves manually running the ccmsetup.exe command with additional parameters on the workgroup computer.

Step 1: Copy SCCM Client Install Files to Workgroup computer

Before you install SCCM client on workgroup computers, you’ll need the client source files for installation. The client source files should be copied to the workgroup computer first, then the client agent installation should be started, according to Microsoft.

You can connect an external device, such as a USB drive or HDD, to the workgroup computer and copy the client source files to the device. Alternately, you can copy the client installation files to a network-shared folder and access that folder to get the files.

The client source files can be copied from SCCM server from the following two locations:

  • <ConfigMgr_Installation>:\Program Files\Microsoft Configuration Manager\Client
  • <primary site server>\SMS_SiteCode\Client
Copy SCCM Client Install Files to Workgroup computer
Copy SCCM Client Install Files to Workgroup computer

The client installation files are now copied to the workgroup computer in C:\ drive.

Copy SCCM Client Install Files to Workgroup computer
Copy SCCM Client Install Files to Workgroup computer

Step 2: Manually Run SCCM Client installation on Workgroup Computer

On the workgroup machine, launch the command prompt as administrator. Change the path to the folder where the client install files are present. You can install the SCCM client on workgroup (non-domain joined) Windows computer using the following command line.

Command Syntax:

ccmsetup.exe /mp:<Management Point FQDN> SMSSITECODE=PPP SMSMP=<Management Point FQDN> DNSSUFFIX=<domain suffix>

Command Usage:

ccmsetup.exe /mp:tec.prajwal.local SMSSITECODE=TEC SMSMP=tpcm.prajwal.local DNSSUFFIX=prajwal.local

Note: The account that you are using to install the client should be a local administrator account or a member of local administrators group.

Install SCCM Client on Workgroup Computers
Install SCCM Client on Workgroup Computers

Step 3: Monitor Client Installation on Non Domain Joined Computers

After you install SCCM client on workgroup computers, you can monitor the installation using different methods. When you initiate the client install, the first thing that you see on the workgroup computer is the ccmsetup.exe process. This confirms that the SCCM client installation has been initiated on the computer.

Install SCCM Client on Workgroup Computers
Install SCCM Client on Workgroup Computers

Log files are the recommended method to monitor the client installation on workgroup computers. You can use tools such as CMTrace or ConfigMgr log file viewers to read the log files. On the workgroup computer, review the ccmsetup.log located in C:\Windows\ccmsetup\Logs to track the progress of client installation.

The following lines from the ccmsetup.log confirms that client installation is successful on SCCM workgroup computers.

Successfully deleted the ccmsetup service ccmsetup
CcmSetup is exiting with return code 0 ccmsetup
Install SCCM Client on Workgroup Computers
Install SCCM Client on Workgroup Computers

On the Configuration Manager Primary site server, you can review ClientLocation.log, LocationServices.log and ccm.log files to track the progress of client installation.

On the workgroup computer, launch the Configuration Manager applet from control panel. You can run the shortcut command “control smscfgrc” to launch the Configuration Manager Properties. Switch to the Actions tab, and now we see there are only 2 client actions listed. Take a look at the list of all the Configuration Manager client actions.

  • Machine Policy Retrieval & Evaluation Cycle
  • User Policy Retrieval & Evaluation Cycle

On the workgroup computer, we see only two action cycles listed because the client is still not approved in the SCCM console. Once you approve the workgroup computer in SCCM console, you’ll see all the action cycles in the Configuration Manager properties.

Monitor Client Installation on Workgroup Computers
Monitor Client Installation on Workgroup Computers

Step 4: Manually approve Workgroup Computers in SCCM console

After you install SCCM client on workgroup computers, you must manually approve them in the console. By default, the client approval method in Configuration Manager is set to Automatically approve computers in trusted domains. You can configure the client approval method under the site hierarchy settings.

Under the Hierarchy Settings properties, switch to Client Approval and Conflicting Records tab. Under the client approval method, you’ll notice three options:

  • Automatically approve computers in trusted domains (recommended)
  • Manually approve each computer
  • Automatically approve all computers (not recommended)

If you choose the option “Automatically approve all computers (not recommended)“, all the workgroup computers are automatically approved by SCCM. However, this is not a secure option and you must avoid using this.

Manually approve Workgroup Computers in SCCM console
Manually approve Workgroup Computers in SCCM console

The workgroup computer on which we installed the ConfigMgr agent should be now listed in the console with Not Approved status. Use the following steps to manually approve Workgroup computers in SCCM console:

  • Launch the Configuration Manager console.
  • Navigate to Assets and Compliance\Overview\Devices.
  • Right-click on workgroup computer and select Approve.
Manually approve Workgroup Computers in SCCM console
Manually approve Workgroup Computers in SCCM console

You see a message box with following message: You are about to approve computers to be managed by this Configuration Manager hierarchy. Approve computers only if you trust them. Are you sure you want to approve these computers? Click Yes to approve the SCCM workgroup computers.

After you initiate the above action, the status of the workgroup computer is changed from Not Approved to Approved.

Manually approve Workgroup Computers in SCCM console
Manually approve Workgroup Computers in SCCM console

After you have approved the workgroup computers in SCCM, launch the configuration manager properties by running control smscfgrc command. Switch to Actions tab and now see we see all the actions that a client should have. This confirms the client agent installation is successful on non-domain joined computers.

You can also launch the Software Center on the workgroup computer and install applications like you normally do on domain joined computers.

Install SCCM Client on Workgroup Computers
Install SCCM Client on Workgroup Computers

Leave a Reply

Your email address will not be published. Required fields are marked *

11 Comments

  1. when I’m installed application from software center on workgroup status stuck on 0%

    1. I have a guide published to troubleshoot the applications stuck at downloading. Please refer to that guide.

  2. Installtion failing when installing client in workgroup computer
    Failed (0x87d0027e) to send location request to ‘sccm.xyz’. StatusCode 403, StatusText ‘Forbidden’ ccmsetup 11/22/2021 11:36:50 AM 32 (0x0020)
    Failed to send location message to ‘sccm.xyz’. Status text ‘Forbidden’ ccmsetup 11/22/2021 11:36:50 AM 32 (0x0020)
    GetDPLocations failed with error 0x87d0027e ccmsetup 11/22/2021 11:36:50 AM 32 (0x0020)
    Failed to get DP locations as the expected version from MP ‘sccm.xyz.com’. Error 0x87d0027e ccmsetup 11/22/2021 11:36:50 AM 32 (0x0020)
    Failed to find DP locations from MP ‘sccm.xyz.com’ with error 0x87d0027e, status code 403. Check next MP. ccmsetup 11/22/2021 11:36:50 AM 32 (0x0020)
    Have already tried all MPs. Couldn’t find DP locations. ccmsetup 11/22/2021 11:36:50 AM 32 (0x0020)

  3. Hi Praj,
    Am I correct in thinking that once the client is installed, it will not receive future Client update versions automatically from the MP? We would need to install newer Client versions manually?

    Thanks!

  4. Thanks for this, I was wondering the implications of adding guest computers?
    We’re a University offering labs remotely using free software, but pre-configured. We would like to explore adding their personal computers to our SCCM, but in the most basic way possible. IE. Just grant a list of applications and packages for optional installs. I don’t want to manage any other aspect of their computers (no WSUS, inventories, etc.), nor do I want their computers somehow compromising our system either. Which makes me wonder why they ask “only if you trust them”.
    Is it hard to keep them separate from our fully managed computers within the console?
    Can you eject them from your SCCM after they graduate/leave?

  5. I am using PKI environment in SCCM 1802. i have deployed client certificate using GPO for all domain joined machine and the SCCM agent installation is also working for domain joined machine.

    But when i try to install agent manually in workgroup computer it fails. even i have created new certificate template in local CA to get certificate based on common name rather than DNS name and install client certificate in workgroup machine. Also install rootca in same machine to validate the certificate.

    i run following command from command prompt.

    ccmsetup.exe /mp:sccm-iraq.domain.local SMSSITECODE=001 SMSMP=sccm-iraq.domain.local DNSSUFFIX=domain.local

    Following full ccmsetup.log.

    <![LOG[Sending message header '{346D8B85-DA21-45AE-A9A3-5C62C4DC2B04}HUAWEI-CHECKmp:[http]MP_LocationManagerdirect:HUAWEI-CHECK:LS_ReplyLocations36005931sccm-iraq.domain.localMP_LocationManagerSynchttp2018-08-21T08:24:54Z’]LOG]!>

    <![LOG[Sending message body '

    ‘]LOG]!>
    <![LOG[Sending message header '{C59EE9D7-FC8D-485E-A0E8-7CD4897BFF50}HUAWEI-CHECKmp:[http]MP_LocationManagerdirect:HUAWEI-CHECK:LS_ReplyLocations36005931sccm-iraq.domain.localMP_LocationManagerSynchttp2018-08-21T08:24:54Z’]LOG]!>

  6. Hi i manage to deploy the agent onto win10 client but the client is unable to detect the windows update. May i please check what to configure for network access account

  7. I have quick question.
    Will sccm be able to apply monthly patch via software while machine is not domain join?