This article demonstrates how to install SCCM client on workgroup computers. By installing the ConfigMgr agent on non-domain-joined devices, you manage them using the SCCM console.
Installing the SCCM client on domain-joined Windows computers is straightforward and easy. There are multiple methods that you can use to install SCCM client on Windows 11 PC. A ConfigMgr hierarchy can manage clients in more than one AD forest as well as workgroup clients.
If you want to install SCCM client on workgroup computers, you cannot use the client push install method because it’s not supported. Workgroup clients cannot access the information published in AD by the client installation properties defined on the Client tab in the Client Push Installation Properties dialog box.
You may be interested in the following guides:
- Install SCCM Client on Windows Server 2022
- Reinstall SCCM Client Agent – Proven Method
- How to Install SCCM Client on Windows Server Core
- How to install SCCM client agent on Mac Computers
- Install SCCM Client Agent On Linux Computers
Limitations of SCCM Workgroup Computers
When you plan to manage Workgroup computers using SCCM, there are several limitations.
- Workgroup computers cannot locate Management Point from AD domain services.
- Network Discovery and Heartbeat discovery are the only discovery methods that can discover computers in workgroups. You cannot run Active Directory Discovery methods to discovery workgroup computers with SCCM.
- You cannot use client push install method to install client on workgroup computers. The client agent has to be installed manually on workgroup computers.
- Application deployments targeted to users don’t work for workgroup computers in SCCM.
- To support computers in a workgroup, you must manually approve these computers if they use HTTP client connections to site system roles. That’s because Configuration Manager cannot authenticate these computers by using Kerberos.
- Workgroup clients cannot be a distribution point. In other words, you cannot install SCCM Distribution Point role on workgroup computers.
Prerequisites for SCCM Client Installation on Workgroup Devices
Let’s go through some important prerequisites that must be in place before you install the ConfigMgr agent on workgroup computers.
Check Name Resolution for SCCM Workgroup Devices
The workgroup clients cannot access AD Domain services to locate Management Point information because they are not a part of the domain. Therefore, it is critical that SCCM workgroup computers be able to resolve the FQDN of management point and distribution point; otherwise, the client installation will fail. Adding DP and MP entries to the host file might be required in some cases where the computers don’t resolve the MP and DP names.
Also ensure the DNS service is up and running. In most cases, if the DNS service is down or non-functional, any client will not be able to resolve the names or IP address of other computers.
On the Workgroup computer, you can run two essential commands to check if the computer can contact management point server and resolve the MP name.
- Use the Ping command to determine if the workgroup client can communicate with the Management Point.
- Use the NSlookup command to check if the workgroup computer can resolve the MP name.
If you find that both of the commands above work and that the workgroup client can talk to other clients and figure out the MP and DP, you can move on to the next step.
In case the workgroup computer is unable to resolve the management point name, you can edit the hosts.txt file and manually add the MP server IP details. The hosts.txt file is located in the C:\Windows\System32\drivers\etc. You can edit it with Notepad and add the management point details and save it.
Configure the Network Access Account
If you haven’t configured the network access account in SCCM, you must do that prior to installing the ConfigMgr client on workgroup computers. Refer to the guide on how to configure SCCM network access account. I have published a video tutorial on configuring NAA in SCCM.
Firewall Ports for WorkGroup Client to SCCM Server Communication
When you install SCCM client on workgroup computers (Windows 10 or Windows 11), the required firewall ports must be open for the communication between the clients and SCCM server. If the ports are blocked by firewall, the client installation will fail, and you have to review the SCCM log files for further troubleshooting.
If there is a firewall between the site system servers and the workgroup computer, confirm whether the firewall permits traffic for the ports that are required for the client installation. For the SCCM client installation to work on workgroup joined Windows devices, the following ports must be opened or allowed on the firewall.
|Workgroup Computer||Management Point||10123, 80, 443||Client Notification, HTTP, HTTPS|
|Workgroup Computer||Distribution Point||80, 443||HTTP, HTTPS|
|Workgroup Computer||AD Domain||3268, 3269||LDAP, LDAP SSL|
|Workgroup Computer||Software Update Point||8530 or 8531||WSUS|
Install SCCM Client Agents on Workgroup Computers
We will now go through the steps to install SCCM client on workgroup computers. The procedure involves manually running the ccmsetup.exe command with additional parameters on the workgroup computer.
Step 1: Copy SCCM Client Install Files to Workgroup computer
Before you install SCCM client on workgroup computers, you’ll need the client source files for installation. The client source files should be copied to the workgroup computer first, then the client agent installation should be started, according to Microsoft.
You can connect an external device, such as a USB drive or HDD, to the workgroup computer and copy the client source files to the device. Alternately, you can copy the client installation files to a network-shared folder and access that folder to get the files.
The client source files can be copied from SCCM server from the following two locations:
- <ConfigMgr_Installation>:\Program Files\Microsoft Configuration Manager\Client
- <primary site server>\SMS_SiteCode\Client
The client installation files are now copied to the workgroup computer in C:\ drive.
Step 2: Manually Run SCCM Client installation on Workgroup Computer
On the workgroup machine, launch the command prompt as administrator. Change the path to the folder where the client install files are present. You can install the SCCM client on workgroup (non-domain joined) Windows computer using the following command line.
ccmsetup.exe /mp:<Management Point FQDN> SMSSITECODE=PPP SMSMP=<Management Point FQDN> DNSSUFFIX=<domain suffix>
ccmsetup.exe /mp:tec.prajwal.local SMSSITECODE=TEC SMSMP=tpcm.prajwal.local DNSSUFFIX=prajwal.local
Note: The account that you are using to install the client should be a local administrator account or a member of local administrators group.
Step 3: Monitor Client Installation on Non Domain Joined Computers
After you install SCCM client on workgroup computers, you can monitor the installation using different methods. When you initiate the client install, the first thing that you see on the workgroup computer is the ccmsetup.exe process. This confirms that the SCCM client installation has been initiated on the computer.
Log files are the recommended method to monitor the client installation on workgroup computers. You can use tools such as CMTrace or ConfigMgr log file viewers to read the log files. On the workgroup computer, review the ccmsetup.log located in C:\Windows\ccmsetup\Logs to track the progress of client installation.
The following lines from the ccmsetup.log confirms that client installation is successful on SCCM workgroup computers.
Successfully deleted the ccmsetup service ccmsetup
CcmSetup is exiting with return code 0 ccmsetup
On the Configuration Manager Primary site server, you can review ClientLocation.log, LocationServices.log and ccm.log files to track the progress of client installation.
On the workgroup computer, launch the Configuration Manager applet from control panel. You can run the shortcut command “control smscfgrc” to launch the Configuration Manager Properties. Switch to the Actions tab, and now we see there are only 2 client actions listed. Take a look at the list of all the Configuration Manager client actions.
- Machine Policy Retrieval & Evaluation Cycle
- User Policy Retrieval & Evaluation Cycle
On the workgroup computer, we see only two action cycles listed because the client is still not approved in the SCCM console. Once you approve the workgroup computer in SCCM console, you’ll see all the action cycles in the Configuration Manager properties.
Step 4: Manually approve Workgroup Computers in SCCM console
After you install SCCM client on workgroup computers, you must manually approve them in the console. By default, the client approval method in Configuration Manager is set to Automatically approve computers in trusted domains. You can configure the client approval method under the site hierarchy settings.
Under the Hierarchy Settings properties, switch to Client Approval and Conflicting Records tab. Under the client approval method, you’ll notice three options:
- Automatically approve computers in trusted domains (recommended)
- Manually approve each computer
- Automatically approve all computers (not recommended)
If you choose the option “Automatically approve all computers (not recommended)“, all the workgroup computers are automatically approved by SCCM. However, this is not a secure option and you must avoid using this.
The workgroup computer on which we installed the ConfigMgr agent should be now listed in the console with Not Approved status. Use the following steps to manually approve Workgroup computers in SCCM console:
- Launch the Configuration Manager console.
- Navigate to Assets and Compliance\Overview\Devices.
- Right-click on workgroup computer and select Approve.
You see a message box with following message: You are about to approve computers to be managed by this Configuration Manager hierarchy. Approve computers only if you trust them. Are you sure you want to approve these computers? Click Yes to approve the SCCM workgroup computers.
After you initiate the above action, the status of the workgroup computer is changed from Not Approved to Approved.
After you have approved the workgroup computers in SCCM, launch the configuration manager properties by running control smscfgrc command. Switch to Actions tab and now see we see all the actions that a client should have. This confirms the client agent installation is successful on non-domain joined computers.
You can also launch the Software Center on the workgroup computer and install applications like you normally do on domain joined computers.