Recently, at a client site, I was asked to install the SCCM client to manage workgroup servers in the DMZ with SCCM.

Following our a recent post on how to install a DP/MP/SUP in untrusted domain, I thought that documenting the process could be helpful.

In this post, we will detail how to install the SCCM client on workgroup computers.


  • The client must be able to resolve the FQDN of the management point.
    • Depending on network security, it might not actually ping. The important is that it can associate the FQDN to the IP of the management point.
    • Adding an entry to the Host file might be required.
  • Port
    • Client -> Management point : TCP 80 or 443
    • Client -> Software Update Point : TCP 8530 or 8531
    • More details on SCCM ports requirement, here
  • Manual installation of the SCCM client
    • There is no way to use the Client Push Installation for workgroup computers
    • Management Point must be provided in the install command line, as the client will not be able to find it in Active Directory
    • Site code must be provided in the install command line

SCCM Client Install Workgroup Computers

  • Copy the source of SCCM client locally on the computer

SCCM Client Install Workgroup Computers

  • Open a command prompt as Administrator

SCCM Client Install Workgroup Computers

  • Set the working directory and run the CCMsetup command line
    • ccmsetup.exe /mp:<Management Point FQDN> SMSSITECODE=001 SMSMP=<Management Point FQDN> DNSSUFFIX=<domain suffix>

SCCM Client Install Workgroup Computers

  • Validate Management Point configuration and communication
    • When a client can’t resolve the FQDN of the management point, it might show up empty

SCCM Client Install Workgroup Computers

  • Action are limited as the client is not yet approved to connect to the SCCM server.

  • Important logs at this point are
    • C:\Windows\CCM\Logs\ClientLocation.log
    • C:\Windows\CCM\Logs\LocationServices.log
    • Those logs provide details to the connection to the management point
    • If you see any error at this point, you are missing connection prerequisites of some sort.
  • Client show up in the SCCM console

SCCM Client Install Workgroup Computers

Approve Workgroup Computer Client in SCCM

In most environment, SCCM client approval method is set to Automatically approve computers in trusted domains.

This settings can be found under Administration / Site Configuration / Sites / Hierarchy Settings

When using this settings, workgroup computers will not be automatically approved for this SCCM site.

With this said, we need to approve clients once they show up in the SCCM console.

  • The ease management, we first create a Collection for Not Approved clients.
    • Be sure to set the limiting collection to All System, as the not approved clients don’t have much information to based query on.

[su_box title=”Collection Unapproved clients” style=”glass” title_color=”#F0F0F0″]


SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_CM_RES_COLL_SMS00001 on SMS_CM_RES_COLL_SMS00001.ResourceId = SMS_R_System.ResourceId where SMS_CM_RES_COLL_SMS00001.IsApproved= ‘0’


  • To validate the Not Approved status, simply add the column Approved

  • To approve a client, right-click on the client and select Approve

  • Confirmation of approval

  • The approved column will change to Approved

  • After a couple minutes, SCCM agent will have all is action available

  • Client will show online and will eventually start reporting inventory

For more details about the approval methods, click here 


Comments (8)


12.30.2019 AT 02:54 PM
I've gone through the setup to install the Client manually, but it's not adding the site code. I've verified that by opening up the UI from control panel. On the general tap for management point there is nothing. I've added the ConfigMgr Server IP and FQDN to the hosts file. The only log I see coming in to the CCM Logs folder to view from your document is the ClientLocation.log. I do no have the Locationservices.log. What could be stopping this from getting the site code?

Kevin downward

11.01.2019 AT 05:38 AM
HI Guys, I have a Windows 10 LTSC PC on a domain, I am trying to extract an image of it with SCCM, when i do this with the PC on the domain I get an SCCM error which advises to remove the PC from the domain. I have removed the PC from the domain and added it to a workgroup then logged in as local admin, now I cant see the package in Windows System Center to sysprep then extract the image. The PC is still showing as authorised in SCCM but last connection was when it was on the domain any advise?


07.17.2019 AT 04:31 AM
This worked well for me. Thank you. I installed using the command cmsetup / SMSSITECODE=RAN

Robert Ferguson

08.03.2018 AT 01:33 PM
What about the workstation certificates for the clients?


05.08.2018 AT 02:06 PM
Nice job here. I would change the command: ccmsetup.exe /mp: SMSSITECODE=001 SMSMP= DNSSUFFIX= TO: ccmsetup.exe /source:"C:\Temp\SCCMClient" SMSSITECODE=001 SMSMP= DNSSUFFIX= The /mp option tells the ccmsetup.exe to query the MP from a DP to download the client.msi and prereqs. Since you have all the installation and prereqs in your PC, you do not have to download it again. Regards

matthew moore

08.18.2017 AT 10:53 AM
I have done the same but unable to push any software to the workgroup computer. Is there any steps that i need to take that might be missing ? What logs do i look at to see the issue.

jakob jensen

07.27.2018 AT 02:03 AM
Hi Matthew - i am facing the same issue - did you manage to push out the software updates to workgroup clients?


08.03.2017 AT 05:57 AM
Hello Jonathan, Good tutorial, thank you. What aboyt updating LMHOSTS file on each client first in order to allow for name resolution, isn't this needed anymore ? Siteserver #PRE "SMS_SLP \0x1A" #PRE "SMS_MP \0x1A" #PRE "SMS_NLB \0x1A" #PRE (Only needed if the MP is load balanced) Also there must be 20 characters between the quotation marks for each entry.