Managing Workgroup Clients in SCCM

This details are from technet but always i had found it hard to find\search it out

To support workgroup clients, the following requirements must be met:

Ø During client installation, the logged-on user must possess local administrator rights on the workgroup system. The only account that Configuration Manager 2007 can use to perform activities that require local administrator privileges is the account of the user that is logged on to the computer.

Ø The Configuration Manager client must be installed from a local source on each client machine. This requirement ensures a local source for repair and client update application will be available for the client.

Ø Workgroup clients must be able to locate a server locator point for site assignment because they cannot query Active Directory Domain Services. The server locator point can be manually published in WINS, or it can be specified in the CCMSetup.exe installation command-line parameters.

Ø Workgroup clients use the Network Access Account, downloaded as part of their machine policy, to access package source files on distribution points.


Until a workgroup client has been approved in the Configuration Manager console, it will be unable to download machine policies containing the Network Access Account


Although workgroup computers can be Configuration Manager 2007 clients, there are inherent limitations in supporting workgroup computers:

ü Workgroup clients cannot reference Configuration Manager 2007 objects published to Active Directory Domain Services. For workgroup clients to locate their default management point computer, it must be registered and accessible to workgroup clients in either WINS or DNS.

ü Active Directory system, user, or user group discovery is not possible.

ü User targeted advertisements are not possible.

ü The client push installation method is not supported for workgroup client installation.

ü Using a workgroup client as a branch distribution point is not supported. Configuration Manager 2007 requires that branch distribution point computers be members of a domain.

If you have a ports opened on the firewall, Detail of ports need to be opened can be found on the following Microsoft Article: