CCMSETUP, /MP and SMSMP

There’s always a lot of confusion on exactly how to use CCMSETUP and the various switches and properties for it even though it’s fully documented on TechNet.

The first thing to note about CCMSETUP is that it is used for all client agent installation activity (except client agent installation from WSUS). Yes, even client push uses CCMSETUP. Basically, client push simply delivers CCMSETUP to target systems and starts it. What that ultimately means is that no matter how you install the client, it’s always the same process so there is no technical difference between any of the methods (except using WSUS as mentioned).

Next, it’s important to note that CCMSETUP is simply a bootstrapper that in turn initiates a handful of of other things including the following (this isn’t an exhaustive list, just the main relevant points for this discussion):

arrow_right_20Copies itself to C:\Windows\ccmsetup, installs itself as a service, starts that service, and then immediately exits. Why would it do this? Reboot resilience. Thus, if the system reboots for whatever reason without CCMSETUP actually finishing the entire installation process, it will restart after the reboot automatically. The main ramification to keep in mind here is that that service runs as the local System account. That means that if CCMSETUP needs access to anything else on the network, it will use the AD computer account of the system. If the system is not a member of a domain, it has no AD computer account to use (obviously) and thus won’t be able to authenticate as anything other than anonymous.

arrow_right_20Downloads prerequisites – like .Net Framework 4.0 client profile and Silverlight — and other files needed to install the client – like client.msi — and installs prerequisites not already installed on the system.

Where does it download these from? By default (in 2012), CCMSETUP locates an MP using normal MP location rules (AD, DNS, WINS) and then asks the MP for the closest DP. Then, using BITS, it downloads the files using BITS from the DP returned by the MP which follows normal content location rules which are purely based on boundaries within content distribution boundary groups. If for whatever reason, no valid DPs exist or are available for the target system based upon the boundaries, the files will be downloaded from the MP itself. Note that this BITS download will work fine for anonymous clients – like those in a workgroup or untrusted domain and does not require any special permissions or access.

arrow_right_20Finally, it installs the client agent from the locally downloaded files by initiating the install using client.msi.

That brings us to /mp and SMSMP. Both are valid on the CCMSETUP command-line, but both are completely different in multiple ways.

/mp

“Options” like /mp that are prefixed with a forward-slash are parameters for CCMSETUP itself. Thus, they control or affect the behavior of CCMSETUP and not the client agent. So, even though /mp contains the letters ‘m’ and ‘p’, this does not in any way mean that it sets the MP for the client agent. What /mp actually does is instruct CCMSETUP which MP to use to query for a DP (as mentioned above) thus bypassing the normal MP lookup.

Multiple MPs can be specified using /mp by separating them with a comma (this enables the lookup to try each MP in order if availability of the MPs is a concern):

ccmsetup.exe /mp:mp1.mydomain.local,mp2,mydomain.local

Additionally, if an MP requires HTTPS communication, you should specify the prefix in URL format including the protocol:

ccmsetup.exe /mp:https://securemp.mydomain.local

It is always a good practice to use the full FQDN and ensure that name resolution is working for this name on the target clients. If name resolution is not working, you’ve got bigger problems that CCMSETUP cannot magically solve. Note also that CCMSETUP setup parameters require a colon between the option name and the value specified for that option.

SMSMP

“Options” like SMSMP that are in all capital letters are public properties that are not processed or used in any way by CCMSETUP but are instead passed directly to client.msi when CCMSETUP executes it. Thus, these properties do directly affect the client agent and its configuration. Note that you don’t actually have to specify the properties in all capital letters on the command-line, but it is best to do this so that they clearly stand-out.

SMSMP specifies the initial MP that the client agent uses (“initial” because with 2012, we can have multiple MPs within a single primary site and this will rotate periodically on clients). Without SMSMP, the client agent relies on normal MP location processes (AD, DNS, WINS) just like CCMSETUP does to initially set the MP that the client agent will use.

As with /mp, you should use the full FQDN of the MP and if an MP uses HTTPS, you should also specify the name of the MP in URL format including the prefixed protocol:

ccmsetup.exe SMSMP=https://mp.mydomain.local

ccmsetup.exe SMSMP=https://securemp.mydomain.local

Unlike /mp, you can only specify a single MP with SMSMP. Also, public properties are not prefixed with a forward-slash and use an equals sign to set the value of the property.

One thing to make sure of is that you specify all CCMSETUP parameters on the command-line before you specify any public properties. This simply has to do with how CCMSETUP parses the command-line: it assumes that all parameters come first so as soon as it encounters a property, it stops looking for anymore parameters.

You can of course use both these options together which is common because the reason for using them is the same: you don’t want to (or can’t) rely on normal MP lookup. If MP lookup is working, then there’s no reason to use either. The only time to really expect any issues with MP lookup is when the target client is untrusted like when it’s in a workgroup. Remember that during a Build and Capture task sequence, the target/reference system should not be joined to a domain so specifying SMSMP in the Setup Windows and ConfigMgr task should be done – no need to specify /mp though because the source files needed by CCMSETUP are part of the client agent install package and thus already resident locally.

Although I haven’t tested explicitly and so I’m not sure of the exact ramifications, if a client is destined to be within a secondary site’s scope, you should still specify the MP for the primary site for both of these options instead of the MP at the secondary site. Remember, that clients always need to be able to communicate the MP in their primary site even if they are within the scope of a secondary.

Finally (yes finally), some of the behavior above can be overridden using the available parameters; e.g., use /noservice to prevent CCMSETUP from installing itself as a service (this changes the authentication discussion above because CCMSETUP is no longer running as the local System but is instead running as the user that initiated it so beware) and /source to explicitly specify a network UNC to download the necessary files from using SMB instead of a DP using BITS (this also changes the authentication discussion above because gaining access to an SMB share is not allowed by default to anonymous requestors). These additional parameters (and much more) is all detailed in the TechNet article I linked at the top. If you already have too many bookmarks, simply remember to search for “Configuration Manager 2012 ccmsetup”: it is always the first hit in real search engines (like Bing) and evil search search engines also.

email

Written by , Posted .