Information Technology
Welcome to UF
  • Current Students
  • Family & Visitors
  • Faculty & Staff

Onboarding First Steps

Preface

Currently this document only addresses on-domain/on-campus client installs. Information regarding off-campus and off-domain installs can be found here.

NOTE: the UFIT-SCCM-Client-Install-Health-Template GPO is not meant to be linked directly. It is intended to be a template that units can copy and build from. Likewise, the contents of the \\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation share are not meant to be used to deploy installs from. The contents of this folder is meant to be copied to a share that is hosted by the unit. Endpoints should read the health script and client install files from the unit-hosted share. Directly utilizing the UFIT provided GPO or share could cause problems for units after any SCCM updates, as these items may change.

Onboarding Steps

  1. Submit service request:
    • Submit a ticket in the category of End-Point Computing > End-Point Management > SCCM - Windows Platform Management. The UFEM team will provide a template to fill with all required info to get the onboarding process started
  2. Console Installation:
    • Files located here prefixed with UF2: \\ad.ufl.edu\ufad\SCCM\UF2-ConsoleInstallation. Run ConsoleSetup.exe
    • Site to connect: ufit-cm-p-01.ad.ufl.edu
    • Make sure to run the software as your admin account/account that has access to connect to the server
    • Grab the toolkit here (CMTrace in particular is invaluable in reading the log files)
  3. Client Installation:
    • Recommended method is to use the Client Health script:
      • Copy the contents of \\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation\ to a network share that your endpoints have read access to
      • Utilize the Group Policy template provided (UFIT-SCCM-Client-Install-Health-Template) for automated client installation. Copy this template and tweak the settings as needed for your unit. Be sure to replace all references to \\ad.ufl.edu\ufad\SCCM\UF2-ClientInstallation\ConfigMgrClientHealth-x.x.x with the UNC path to the location where you copied the install files to. This GPO schedules an automated task that runs every time a user logs in to the computer. This does NOT delay the user login process as it simply kicks it off and runs silently in the background when a user logs in
    • Deploy the Client Health Script yourself:
    • Note: Your devices will briefly disappear for ~10 minutes when the client is installed, this is normal and expected behavior due to the way the query builds the collection
  4. Share Creation:
    • SCCM requires a file share that you manage for Application Management, OSD, Driver Packages, and Software Updates. The following items need to be completed and/or added to the file share
    • ACL exception for inbound: 10.253.27.0/24
    • The security group UFAD\UFIT-CM-P-SMSProviders needs Full Control rights at both the NTFS level and the SMB Share level. In addition to setting the share-level permission, ensure that the NTFS permission is set at the top-most directory in the share and that these permissions propagate all the way down to the files in all sub directories
    • Create the following 3 folders and subfolders inside the share:
      • ApplicationManagement
        • Applications
        • Packages
      • DriverPackages
      • OSD
      • SoftwareUpdates
  5. Software Updates:
    • Enabling Clients for Software Updates:
      • Link the GPO UFIT-UFEM-SCUP-Client-Settings-Template to enable 3rd party patch support
      • Configure and deploy the Software Updates Client Settings under Administration >Client Settings
      • Ensure Automatic Updates are still enabled:
        • If you have automatic updates configured your windows update agent will automatically be upgraded when needed, but this will display windows update alerts in windows update and sccm
        • If you don’t enable automatic updates, you won’t see additional alerts, but you need to manually manage your windows agent updates
        • Manage Settings for Software Updates - Automatic Update Configuration
    • Setting Maintenance Windows:
      • Maintenance windows are critical to ensuring your computers are patched while minimizing user downtime
      • From Assets and Compliance > Device Collections determine how you want to split your computers and create the appropriate groups (prefixed by DEPT-). You can use direct membership rules or query rules to target OUs in AD (look at the properties of an exisiting computer in SCCM to get the parameters correct)
      • Right Click a Collection > Properties > Maintenance Windows and configure it according to your department's needs
    • Create Software Update groups/:
      • Software Update groups are essentially groups of updates that you package together for deployment. Each group cannot contain more than 1000 updates so it is recommended to break your groups out by OS version (Windows 7, 8, 10, etc.). As newer updates for Windows and Office 365 are bundled together this becomes less of a problem
      • In CM > Software Library > Software Updates > All Software Updates, select a group of updates you wish to add to a Software Update Group. It is recommended to use the search filters to specify an OS version/date range and to save those searches with the buttons at the top
      • Once you have the updates selected you can either Create Software Update Group to create a new group or Edit Membership to add them to an existing group. If creating a new group remember to name it DEPT-RelevantNameHere
      • Deployment Packages are the vehicle that CM uses to download the updates from the internet to your network share which then get copied to the Distribution Points. You can use one or multiple Deployment Package, there is no benefit to either method
      • Once a group is created you will need to download it to your file share so that it can be sent to the Distribution Points. Under Software Update Groups select the group and click Download, alternatively you can select Deploy which will walk through both the download and deployment of the updates
      • If the files exist already in a Deployment Package you will not need to specify a download location, otherwise you will need to create/add them to an existing deployment package. Give the package a name and:
        1. Point it at your Software Updates folder (or subfolder)
        2. Add the UF2 distribution point group
        3. Enable Automatic Download
        4. Select English (or other relevant languages)
      • The updates will download and be copied to the distribution points
      • You can then Deploy the updates to the appropriate collection by selecting the Software Update Group > Deploy. To make things easier once you have filled out the settings relevant to your department you can save it as a Deployment Template from within the wizard and then reuse that for existing deployments. Make sure to select the settings appropriate to your department
      • More detailed information can be found in Microsoft's documentation
    • Automatic Deployment Rules
      • This great video that Joe posted with a walkthrough of how to do this properly.
  6. Client Settings:
    • There are Default settings pushed out automatically but if you wish to customize these navigate to Administration > Client Settings
    • Click Create Custom Client Device Settings, name it DEPT-Default Settings, and customize it to your liking
    • Make sure to deploy it to a collection once finished
    • A few common settings to change:
      • Software Center > Specify your department name
      • Computer Agent > Organization name
      • Computer Restart > Software update restart settings
      • Software Updates > Enable updates on computers, including Office 365 updates

University of Florida
Gainesville, FL 32611
UF Operator: (352) 392-3261
Website text-only version

Resources

Campus

Website