SCCM 2012 R2 - Deploy Application from DFS

[JerichoJones]

Hello All,

I have been struggling with this for the last few days. I have been trying to deploy Applications from a DFS share but cannot get it to work. It appears that the MSI cannot be found when MSIEXEC is invoked (error 1619). I have checked the paths and permissions and there does not appear to be an issue there (both the Site Server and installation user account have permissions). Under the Deployment Type I have the following:
Content Tab - Empty
Programs Tab
Installation Program: msiexec /i "\\dfsroot\Software\Install\7zip\7z920x64.msi"
Installation start in: \\dfsroot\Software\Install\7zip
User Experience Tab
Installation behavior: Install for system
Logon requirement: Whether or not a user is logged on
Installation program visibility: Hidden

I checked the event log on the client and MSIEXEC is getting invoked under the SYSTEM account. That obviously won't work.

What am I missing?

[GarthMJ]

1. Why would you use DFS, instead of a DP? This complete defeats the purpose of what CM12 does.

2. This is going to be a permission issue. Why because the local system account does NOT have access to the DFS server and therefore get accessed denied to the MSI.

[JerichoJones]

Well pointing at the server directly fails as well. It does work if I give "Everyone" access. So something strange is going on with how the permissions are parsed (I guess). Does anyone have ideas or links on troubleshooting permissions parsing? I've never had to get that deep into it.

[Ath3na]

You need to grant everyone permission to the share as the local system account of the computer does the installation as already pointed out by GarthMJ

[JerichoJones]

1. Why would you use DFS, instead of a DP? This complete defeats the purpose of what CM12 does.

2. This is going to be a permission issue. Why because the local system account does NOT have access to the DFS server and therefore get accessed denied to the MSI.

Answer to #1 - So I do not have to redo how we install software or maintain multiple repositories. Maybe I'm missing something though.

 

Oddly I have a friend at another institution that uses DFS successfully (or so he claims). Others on the Interwebs indicate that they are using it as well. Unfortunately I have had no success in finding a document that covers how to set this up.

[GarthMJ]

Answer to #1 - So I do not have to redo how we install software or maintain multiple repositories. Maybe I'm missing something though.

 

Oddly I have a friend at another institution that uses DFS successfully (or so he claims). Others on the Interwebs indicate that they are using it as well. Unfortunately I have had no success in finding I document that covers how to set this up.

 

#1, yes I think you are missing the whole point of CM12. DP should always be "near" client, they use BITS to download content or use branch cache to reduce network traffic.

#2, I'm sure you can make it work but you will be compromising security to do it. Again you are not using the benefits of CM12, branch cache, etc.

[JerichoJones]

You need to grant everyone permission to the share as the local system account of the computer does the installation as already pointed out by GarthMJ

 

OK. Why does does deploying an EXE work but not an MSI? This really confuses me.

[JerichoJones]

 

#1, yes I think you are missing the whole point of CM12. DP should always be "near" client, they use BITS to download content or use branch cache to reduce network traffic.

#2, I'm sure you can make it work but you will be compromising security to do it. Again you are not using the benefits of CM12, branch cache, etc.

#1, It would seem then that I have to have the same software in multiple places due to what appears to be a restrictive design choice by MS. Is there a sensible reason why SCCM does not use a domain account to do the installation? I don't get it.

 

#2, Agreed. We cannot give Everyone access.

[GarthMJ]

#1, It would seem then that I have to have the same software in multiple places due to what appears to be a restrictive design choice by MS. Is there a sensible reason why SCCM does not use a domain account to do the installation? I don't get it.

 

#2, Agreed. We cannot give Everyone access.

#1 how is it multiple place? aka how exact would it be different than DFS with respect to multiple places?

#1 Yes there is a reason, it is less secure to use a domain account that using the local system account, Plus it will not allow you to manage workgroup PC, *nix, mac, and mobile phone and increase your support cost.

[JerichoJones]

#1 how is it multiple place? aka how exact would it be different than DFS with respect to multiple places?

#1 Yes there is a reason, it is less secure to use a domain account that using the local system account, Plus it will not allow you to manage workgroup PC, *nix, mac, and mobile phone and increase your support cost.

Technically correct however from a user perspective it is one place. They go to one place to get the software. I go to one place to update it. Simple.

 

Unix & Mac? Really? I can deploy software to those? Is that new? Last I heard it could only do inventory.

As for mobile we have something designed specifically for that. CM12 is not even close to being a robust solution yet.

 

In any event I can get around the issue for now by using Packages which do use the domain account (Thanks go to REDDIT for that tidbit). Strangely MS does not view that as a security concern.