Prerequisites for deploying clients to Windows computers in Configuration Manager

Applies to: Configuration Manager (current branch)

Deploying Configuration Manager clients in your environment has the following external dependencies and dependencies within the product. Additionally, each client deployment method has its own dependencies that must be met for client installations to be successful.

For more information on the minimum hardware and OS requirements for the Configuration Manager client, see Supported configurations.

Note

The software version numbers shown in this article only list the minimum version numbers required.

Prerequisites for Windows clients

Use the following information to determine the prerequisites for when you install the Configuration Manager client on Windows devices.

Dependencies external to Configuration Manager

Many of these components are services or features that Windows enables by default. Don't disable these components on Configuration Manager clients.

Component | Description
Windows Installer | Required to support the use of Windows Installer files for applications and software updates.
Microsoft Background Intelligent Transfer Service (BITS) | Required to allow throttled data transfers between the client computer and Configuration Manager site systems.
Microsoft Task Scheduler | Required for client operations, such as regularly evaluating the health of the Configuration Manager client.
Microsoft Remote Differential Compression (RDC) | Required to optimize data transmission over the network.
SHA-2 code signing support | Starting in version 1906, clients require support for the SHA-2 code signing algorithm. For more information, see SHA-2 code signing support.

SHA-2 code signing support

Because of weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft now only signs Configuration Manager binaries using the more secure SHA-2 algorithm. Legacy Windows OS versions require an update for SHA-2 code signing support. For more information, see 2019 SHA-2 code signing support requirement for Windows and WSUS.

If you don't update these OS versions, you can't install the Configuration Manager client version 1906. This behavior applies to either a new client install or updating it from a previous version.

If you need to manage a client on a version of Windows that's not updated, or older than the versions listed above, use the Configuration Manager extended interoperability client (EIC) version 1902. For more information, see Extended interoperability client.

Tip

If you don't use automatic client update, and update clients with another mechanism, make sure to update the version of ccmsetup. An older version of ccmsetup may not properly validate the new SHA-2 code signing certificate on the version 1906 client binaries. For example, if you copy ccmsetup.exe to a file share, or use ccmsetup.msi with group policy.

The following client update mechanisms shouldn't be affected:

  • Client push installation: It uses the client package from the site
  • Software update-based installation: The site update republishes to WSUS
  • Intune MDM-managed Windows devices: The supported version for this mechanism already supports SHA-2 code signing, but it's still important to use the latest ccmsetup.msi
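
The tip above concerns copies of ccmsetup that you distribute yourself. The following PowerShell is an added example, not part of the original article or of Configuration Manager: it compares each staged copy with a known-good reference copy and reports whether the file has a valid Authenticode signature whose signer certificate uses a SHA-2 algorithm. The function names and both path parameters are assumptions; supply your own locations.

```powershell
# Added example (not from the original article): audit self-distributed ccmsetup copies.
# $ReferencePath and $StagedPath are placeholders for locations in your environment.

function Get-FileVersionOrNull {
    param([Parameter(Mandatory)] [string] $Path)
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Files without a version resource (for example .msi packages) have no FileVersion.
    if (-not $info.FileVersion) { return $null }
    [version]::new($info.FileMajorPart, $info.FileMinorPart,
                   $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-CcmSetupCopy {
    [CmdletBinding()]
    param(
        # Known-good copy to compare against.
        [Parameter(Mandatory)] [string]   $ReferencePath,
        # Copies distributed by another mechanism (file share, group policy).
        [Parameter(Mandatory)] [string[]] $StagedPath
    )

    $referenceVersion = Get-FileVersionOrNull -Path $ReferencePath

    foreach ($path in $StagedPath) {
        $version   = Get-FileVersionOrNull -Path $path
        $signature = Get-AuthenticodeSignature -FilePath $path
        # Signature algorithm of the signer certificate, for example "sha256RSA".
        # Empty when the file is unsigned.
        $algorithm = $signature.SignerCertificate.SignatureAlgorithm.FriendlyName

        # Versions are only comparable when both files carry a version resource.
        $older = ($null -ne $version) -and ($null -ne $referenceVersion) -and
                 ($version -lt $referenceVersion)

        [pscustomobject]@{
            Path            = $path
            Version         = $version
            OlderThanRef    = $older
            SignatureStatus = $signature.Status
            CertAlgorithm   = $algorithm
            Sha2Signed      = ($signature.Status -eq 'Valid') -and
                              ($algorithm -match '^sha(256|384|512)')
        }
    }
}

# Example call with placeholder paths; lists only the copies that need attention:
# Test-CcmSetupCopy -ReferencePath '\\<site-server>\<client-package>\ccmsetup.exe' `
#                   -StagedPath '\\<file-server>\<share>\ccmsetup.exe' |
#     Where-Object { $_.OlderThanRef -or -not $_.Sha2Signed }
```

Run it from a computer that already has SHA-2 code signing support, because an OS without that support can't report these signatures as valid.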

Dependencies external to Configuration Manager and automatically downloaded during installation

The Configuration Manager client has external dependencies. These dependencies depend on the OS version and the installed software on the client computer.

If the client requires these dependencies to complete the installation, it automatically installs them.

Component | Description
Microsoft Core XML Services (MSXML) version 6.20.5002 or later (msxml6.msi) | Required to support the processing of XML documents in Windows.
Microsoft Visual C++ 2013 Redistributable version 12.0.40660.0 (vcredist_x*.exe) | Required to support client operations. When you install this update on client computers, it might require a restart to complete the installation.
Windows Imaging APIs 6.0.6001.18000 or later (wimgapi.msi) | Required to allow Configuration Manager to manage Windows image (.wim) files.
Microsoft Policy Platform 1.2.3514.0 or later (MicrosoftPolicyPlatformSetup.msi) | Required to allow clients to evaluate compliance settings.
Microsoft .NET Framework version 4.5.2 or later (NDP452-KB2901907-x86-x64-AllOS-ENU.exe) | Required to support client operations. Automatically installed on the client computer if it doesn't have Microsoft .NET Framework version 4.5 or later installed. For more information, see Additional details about Microsoft .NET Framework version 4.5.2.
Microsoft SQL Server Compact 4.0 SP1 components | Required to store information related to client operations.

Important

The application catalog's Silverlight user experience isn't supported as of current branch version 1806. Starting in version 1906, updated clients automatically use the management point for user-available application deployments. You also can't install new application catalog roles. Support ends for the application catalog roles with version 1910.

For more information, see the following articles:

If you're still using the application catalog website user experience, the client requires Microsoft Silverlight 5.1.41212.0. The client doesn't automatically install Silverlight. The primary functionality of the application catalog is now included in Software Center.

Additional details about Microsoft .NET Framework version 4.5.2

Note

.NET 4.0, 4.5, and 4.5.1 are no longer supported. For more information, see Microsoft .NET Framework Support Lifecycle Policy FAQ.

Microsoft .NET Framework version 4.5.2 may require a restart to complete the installation. The user sees a Restart required notification in the system tray. The following common scenarios require client computers to restart:

  • .NET applications or services are running on the computer.

  • One or more software updates required for .NET installation are missing.

  • The computer is pending a restart from prior installation of .NET framework software updates.

After .NET Framework 4.5.2 is installed, it may require additional updates. These later updates may require additional computer restarts.
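
The Windows components listed earlier and the .NET Framework requirement described in this section can be checked on a computer before you deploy the client. The following PowerShell is an added example, not part of the original article or of Configuration Manager: a read-only check that the Windows Installer, BITS and Task Scheduler services aren't disabled, that .NET Framework 4.5.2 or later is present, and that no restart is already pending. The function name is an assumption; the service names and registry locations are the standard Windows ones and don't come from the article.

```powershell
# Added example (not from the original article): read-only prerequisite check.
function Test-CmClientPrerequisite {
    [CmdletBinding()]
    param()

    # Windows Installer, BITS and Task Scheduler, by Windows service name.
    foreach ($name in 'msiserver', 'BITS', 'Schedule') {
        $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $detail  = 'Service not found'
        if ($service) { $detail = "StartMode=$($service.StartMode); State=$($service.State)" }

        [pscustomobject]@{
            Check  = "Service '$name' is not disabled"
            Passed = ($null -ne $service) -and ($service.StartMode -ne 'Disabled')
            Detail = $detail
        }
    }

    # .NET Framework 4.x records its version as a Release DWORD; 379893 identifies 4.5.2.
    $netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $netKey -ErrorAction SilentlyContinue).Release
    [pscustomobject]@{
        Check  = '.NET Framework 4.5.2 or later is installed'
        Passed = $release -ge 379893
        Detail = "Release=$release"
    }

    # Keys that Windows servicing and Windows Update create while a restart is pending.
    $pending = @(
        @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        ) | Where-Object { Test-Path -Path $_ }
    )
    $pendingDetail = 'none'
    if ($pending.Count -gt 0) { $pendingDetail = $pending -join '; ' }

    [pscustomobject]@{
        Check  = 'No restart is pending'
        Passed = $pending.Count -eq 0
        Detail = $pendingDetail
    }
}

# Show only the checks that failed:
# Test-CmClientPrerequisite | Where-Object { -not $_.Passed } | Format-Table -AutoSize
```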

Configuration Manager dependencies

For more information, see Determine the site system roles for clients.

Component | Description
Management point | To deploy the Configuration Manager client, you don't require a management point. Clients require a management point to transfer information with the site. Without a management point, you can't manage client computers.
Distribution point | The distribution point is an optional, but recommended site system role for client deployment and management. All distribution points host the client source files. Clients find the nearest distribution point from which to download the source files during client deployment or update. If the site doesn't have a distribution point, computers download the client source files from their management point.
Fallback status point | The fallback status point is an optional, but recommended site system role for client deployment. The fallback status point tracks client deployment and enables computers in the Configuration Manager site to send state messages when they can't communicate with a management point.
Reporting services point | The reporting services point is an optional, but recommended site system role. It displays reports related to client deployment and management. For more information, see Introduction to reporting.

Installation method dependencies

The following prerequisites are specific to the various methods of client installation.

Client push installation

  • The site uses client push installation accounts to connect to computers to install the client. Specify these accounts on the Accounts tab of the Client Push Installation Properties. The account must be a member of the local Administrators group on the destination computer.

    If you don't specify a client push installation account, the site server uses its computer account.

  • The site needs to discover the computer on which you're installing the client. At least one Configuration Manager discovery method is needed.

  • The computer has an ADMIN$ share.

  • To automatically push the Configuration Manager client to discovered resources, select the option to Enable client push installation to assigned resources in the Client Push Installation Properties.

  • The client computer needs to communicate with a distribution point or a management point to download the source files.

  • When you require Kerberos mutual authentication, clients must be in a trusted Active Directory forest. Kerberos in Windows relies upon Active Directory for mutual authentication.

To use client push, you need the following security permissions:

  • To configure the client push installation account: Modify and Read permission for the Site object.

  • To use client push to install the client to collections, devices and queries: Modify Resource and Read permission for the Collection object.

The Infrastructure Administrator default security role includes the required permissions to manage client push installations.

Software update point-based installation

  • If you haven't extended the Active Directory schema, or you're installing clients from another forest, use group policy to provision installation parameters for CCMSetup.exe. For more information, see How to provision client installation properties.

  • Publish the Configuration Manager client to the software update point.

  • To download the source files, the client computer needs to communicate with a distribution point or a management point.

For the security permissions required to manage Configuration Manager software updates, see Prerequisites for software updates.

Group policy-based installation

  • If you haven't extended the Active Directory schema, or you're installing clients from another forest, use group policy to provision installation parameters for CCMSetup.exe. For more information, see How to provision client installation properties.

  • To download the source files, the client computer needs to communicate with a distribution point or a management point.

Logon script-based installation

To download the source files, the client computer needs to communicate with a distribution point or a management point, unless you specified CCMSetup.exe with the following command-line parameter: ccmsetup /source

Manual installation

To download the source files, the client computer needs to communicate with a distribution point or a management point, unless you specified CCMSetup.exe with the following command-line parameter: ccmsetup /source

Microsoft Intune MDM installation

  • Requires a Microsoft Intune subscription and appropriate licenses.

  • Requires the device has internet access, even if it isn't internet-based.

  • Depending upon the use case, you may also require one or both of the following technologies:

    • Azure Active Directory

    • Cloud management gateway

Workgroup computer installation

To access resources in the Configuration Manager site server's domain, configure a network access account for the site.

For more information about how to configure the network access account, see the Fundamental concepts for content management.

Software distribution-based installation (for upgrades only)

  • If you haven't extended the Active Directory schema, or you're installing clients from another forest, use group policy to provision installation parameters for CCMSetup.exe. For more information, see How to provision client installation properties.

  • To download the source files, the client computer needs to communicate with a distribution point or a management point.

For the security permissions required to upgrade the Configuration Manager client using application management, see Security and privacy for application management.

Automatic client upgrades

You must be a member of the Full Administrator security role to configure automatic client upgrades.

Firewall requirements

If there's a firewall between the site system servers and the computers onto which you want to install the Configuration Manager client, see Windows Firewall and port settings for clients.

Prerequisites for mobile device clients

When you install the Configuration Manager client on mobile devices and enroll them, use this information to determine the prerequisites.

Dependencies external to Configuration Manager

  • A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for mobile devices.

    The issuing CA must automatically approve certificate requests from the mobile device users during the enrollment process.

    For more information about the certificate requirements, see Security and privacy for certificate profiles.

  • A security group that contains the users that can enroll their mobile devices.

    This security group is used to configure the certificate template that is used during mobile device enrollment.

  • Optional but recommended: a DNS alias (CNAME record) named ConfigMgrEnroll. Configure this alias for the server name of the enrollment proxy point.

    This DNS alias is required to support automatic discovery for the enrollment service. If you don't configure this DNS record, users must manually specify the name of the enrollment proxy point as part of the enrollment process.

  • Site system role dependencies for the computers that run the enrollment point and the enrollment proxy point site system roles.

    For more information, see Supported operating systems for site system servers.

Configuration Manager dependencies

For more information, see Determine the site system roles for clients.

  • Management point that's configured for HTTPS client connections and enabled for mobile devices

    A management point is always required to install the Configuration Manager client on mobile devices. In addition to the configuration requirements of HTTPS and enabled for mobile devices, the management point must be configured with an internet FQDN and accept client connections from the internet.

  • Enrollment point and enrollment proxy point

    An enrollment proxy point manages enrollment requests from mobile devices and the enrollment point completes the enrollment process. The enrollment point must be in the same Active Directory forest as the site server, but the enrollment proxy point can be in another forest.

  • Client settings for mobile device enrollment

    Configure client settings to allow users to enroll mobile devices and configure at least one enrollment profile.

  • Reporting services point

    The reporting services point is an optional, but recommended site system role that can display reports related to mobile device enrollment and client management.

    For more information, see Introduction to reporting.

  • To configure enrollment for mobile devices, you must have the following security permissions:

    • To add, modify, and delete the enrollment site system roles: Modify permission for the Site object.

    • To configure client settings for enrollment: Default client settings require Modify permission for the Site object, and custom client settings require Client agent permissions.

    The Full Administrator default security role includes the required permissions to configure the enrollment site system roles.

  • To manage enrolled mobile devices, you must have the following security permissions:

    • To wipe or retire a mobile device: Delete resource for the Collection object.

    • To cancel a wipe or retire command: Delete resource for the Collection object.

    • To allow and block mobile devices: Modify resource for the Collection object.

    • To remote lock, or reset the passcode on a mobile device: Modify resource for the Collection object.

    The Operations Administrator default security role includes the required permissions to manage mobile devices.

    For more information about how to configure security permissions, see Fundamentals of role-based administration and Configure role-based administration.

Firewall requirements

Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with mobile device enrollment:

  • Between mobile devices and the enrollment proxy point: HTTPS (by default, TCP 443)

  • Between the enrollment proxy point and the enrollment point: HTTPS (by default, TCP 443)

If you use a proxy web server, it must be configured for SSL tunneling. SSL bridging isn't supported for mobile devices.