Thursday, April 28, 2011

SCCM client install fix

I recently had to add the SCCM client to a bunch of machines from a non-trusted domain to manage them because the group previously tasked with those machines could no longer handle it.  The majority of the machines installed correctly but some did not.  This fix takes a couple of minutes but has fixed all of my client issues so far.

1. Check the CCMInstall\Logs\ folder.  Look in particular at the CcmExec, ClientIDManagerStartup, and LocationServices logs.  Also look in the ccmsetup folder for ccmsetup.log and client.msi.log.  These logs can help you pinpoint the reasons for the installation problems.

2. If you see errors like "Unable to retrieve AMP for site code" in CCMInstall\Logs\LocationServices.log, the install may be seeing more than one client certificate and be unable to pick one.  If your AD automatically enrolls the machines and issues a new cert, you can run mmc, add the Certificates snap-in for the computer account, and remove the client certificates under Personal.  If you can't delete those, add CCMFIRSTCERT=1 to the client install options.  There are also some other things you can do to make sure the correct certificates are available on the untrusted client.

3. Uninstall the SCCM client if it already exists but isn't working correctly.  Open a cmd window, change to the ccmsetup folder, and run ccmsetup.exe /uninstall.

4. (optional and I haven't seen any effects from not using it)  CCMClean does still work in SCCM 2007.  You can download the SMS2003ToolKit and copy just that one tool.  It helps remove registry links and orphaned files if any.

5. Open a cmd window and run "net stop winmgmt".  You may have to run this twice to get it to stop because sometimes the service will start again immediately.  As soon as it stops, rename the c:\windows\system32\wbem\repository folder to oldrepository.  This will reset WMI when the service restarts, which we will do with a reboot in a minute.

6. Delete the c:\windows\system32\ccm and ccmsetup folders on 32bit machines or the c:\windows\syswow64\ccm folder on 64bit machines.

7. Restart the machine.  You will then have a repaired WMI and be ready for a clean install of the SCCM client.
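
The steps above as a PowerShell script, added here as an example and not part of the original post.  The $CcmSetupDir parameter and its default, the five-attempt retry and the -WhatIf support are assumptions of this example; the step 2 check does not count a certificate that has no Enhanced Key Usage extension.

```powershell
# Added example: steps 2, 3, 5 and 6 of the post as one script.  Run it elevated;
# add -WhatIf first to list what it would change without touching the machine.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the post's 32-bit ccmsetup location; pass another path if yours differs.
    [string]$CcmSetupDir = "$env:windir\System32\ccmsetup"
)
$ErrorActionPreference = 'Stop'
# Step 2 check: list Client Authentication certificates in the computer's Personal store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
        ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }
})
$certs | Format-Table Thumbprint, NotAfter, Subject -AutoSize
if ($certs.Count -gt 1) { Write-Warning "$($certs.Count) client certificates found; see step 2." }

# Step 3: uninstall the existing client and wait until no ccmsetup process is left.
$setup = Join-Path $CcmSetupDir 'ccmsetup.exe'
if ((Test-Path $setup) -and $PSCmdlet.ShouldProcess($setup, 'run /uninstall')) {
    Start-Process -FilePath $setup -ArgumentList '/uninstall' -Wait
    while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 5 }
}

# Step 5: stop WMI and rename the repository at once; retry because the service can restart.
$wbem = "$env:windir\System32\wbem"
if ($PSCmdlet.ShouldProcess("$wbem\repository", 'stop winmgmt and rename to oldrepository')) {
    if (Test-Path "$wbem\oldrepository") { throw "$wbem\oldrepository already exists" }
    foreach ($attempt in 1..5) {
        try {
            Stop-Service -Name winmgmt -Force    # -Force also stops dependent services
            Rename-Item "$wbem\repository" 'oldrepository'
            break
        } catch {
            if ($attempt -eq 5) { throw }
            Write-Warning "Stop or rename failed on attempt $attempt; retrying."
        }
    }
}

# Step 6: delete the leftover client folders named in the post, whichever exist.
foreach ($dir in "$env:windir\System32\ccm", $CcmSetupDir, "$env:windir\SysWOW64\ccm") {
    if ((Test-Path $dir) -and $PSCmdlet.ShouldProcess($dir, 'delete folder')) {
        Remove-Item $dir -Recurse -Force
    }
}
Write-Host 'Restart the machine (step 7), then reinstall the client.'
```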

Friday, April 15, 2011

Change in how to apply Patch with SCCM Client push

There used to be a couple of articles online explaining how to add the PATCH=... command to the Client Push installation properties, but those articles have disappeared.  I also began seeing error 1635 on machines trying to install with that argument.

The new way to add a patch, such as http://support.microsoft.com/kb/977384, is this:

In the Client source folder (%installdir%\Microsoft Configuration Manager\Client) create a folder called ClientPatch.  Copy the .msp file into that folder.

So it looks like this:
E:\
    Microsoft Configuration Manager\
          Client\
                ClientPatch\
                        sccm2007ac-sp2-kb977384-x86-enu.msp

That's it.  SCCM will automatically try to install any .msp files you put in that folder when the Client is pushed to machines.  Once I changed to that and removed the PATCH argument, my client pushes started working again.

Wednesday, April 6, 2011

Windows Malicious Software Removal Tool and SCCM Software Updates

The MSRT was not designed to be pushed as a regular update through SCCM Software Updates.  If you put it in an SU deployment package, your machines will fail to install it and will notify the users repeatedly that it failed.  If you want to push this update each month, you can do so with Group Policy or as a Software Package in SCCM.  Here is the related TechNet article.

http://support.microsoft.com/?kbid=891716