3.3 Installing or Updating Agents on Remote Computers

Secure Configuration Manager enables you to install agents on remote computers and push service packs and hotfixes to existing Windows agents. This deployment process minimizes the time required to install and update agents in your environment. By using Deployment Agents you can also install and update agents in untrusted domains or highly secure networks.

NOTE: To use the deployment process for updating an existing Windows agent, the agent must be version 7.0 or later.

For more information about using the deployment feature, see Installing or Updating an Agent on Remote Computers.

3.3.1 Understanding the Deployment Agent

By default, the deployment process uses port 700 and TLS with Diffie-Hellman key exchange for communication between Core Services and the target computer. In addition, Secure Configuration Manager provides the Deployment Agent function to establish a more secure connection between Secure Configuration Manager components during agent installation and updates. When you initiate a deployment, Core Services passes instructions securely to the Deployment Agent over the designated ports, and the Deployment Agent then communicates with the target computer over port 700 using TLS with Diffie-Hellman key exchange. For more information about ports, see Understanding Port Requirements.

NOTE: If Secure Configuration Manager is in FIPS 140-2 mode, it uses TLS 1.1 for communication with the Windows agent. TLS 1.1 has since been deprecated (RFC 8996), so confirm that your endpoint and network hardening policies still permit it before relying on FIPS mode for deployment.

Any Windows agent registered with Core Services can be a Deployment Agent. By default, Secure Configuration Manager uses the agent installed on the Core Services computer as the Deployment Agent. However, you can select additional Windows agents to serve as the Deployment Agent by enabling the Is Deployment Agent option in the Agent Component Properties window. You must have a Deployment Agent in each domain where you want to install or update agents. You must also specify a fully qualified host name for the Windows endpoint that represents the Deployment Agent. Otherwise, Core Services cannot use the agent for deployment.

The Deployment Agent also reduces the need for specifying credentials when installing and updating agents on remote computers. During deployment, you must have appropriate permissions, such as Local or Domain Administrator permissions, to modify the target computer. You can use the credentials of the Windows agent service that serves as the Deployment Agent. If a particular Deployment Agent does not have proper permissions, you can specify a separate set of credentials for accessing the remote computers. For more information about permissions, see Permissions Requirements.
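The following PowerShell script is an added example, not part of Secure Configuration Manager. Run it on the Deployment Agent host before pushing an agent to remote targets: it checks the three prerequisites described above, namely that the Deployment Agent has a fully qualified host name, that each target accepts a TLS connection on port 700 and what protocol and key exchange it negotiates, and that the account used for deployment has local administrator rights on each target. The target host names, the ADMIN$ share test and the 5-second timeout are assumptions for illustration.

```powershell
# Added example (not product code): pre-deployment prerequisite check.
# Run on the Deployment Agent host, ideally under the Windows agent service
# account that deployment will use, or pass -Credential for a separate account.
[CmdletBinding()]
param(
    # Local host's DNS name; Core Services requires an FQDN for the Deployment Agent endpoint.
    [string]$DeploymentAgent = [System.Net.Dns]::GetHostEntry([Environment]::MachineName).HostName,
    [string[]]$Targets = @('web01.corp.example.com', 'db02.corp.example.com'),  # hypothetical targets
    [int]$Port = 700,                                           # default deployment port per the guide
    [System.Management.Automation.PSCredential]$Credential,     # optional separate deployment credentials
    [int]$TimeoutMs = 5000                                      # assumed connect timeout
)

# 1. Core Services ignores a Deployment Agent whose endpoint is not a fully qualified host name.
if ($DeploymentAgent -notmatch '^[^.\s]+\.[^.\s]+') {
    throw "Deployment Agent '$DeploymentAgent' is not a fully qualified host name; Core Services will not use it."
}

function Test-DeploymentTarget {
    param([string]$Target)
    $r = [ordered]@{ Target = $Target; PortOpen = $false; TlsProtocol = $null; KeyExchange = $null; LocalAdmin = $null }

    # 2. TCP reachability and TLS handshake on the deployment port.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $tcp.ConnectAsync($Target, $Port).Wait($TimeoutMs)) { throw "no TCP connect within $TimeoutMs ms" }
        $r.PortOpen = $true
        # Diagnostic only: accept any server certificate so we can read what the
        # listener negotiates. Do not reuse this callback in a production client.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        # Offer TLS 1.1 and 1.2 explicitly: the guide says FIPS 140-2 mode uses TLS 1.1,
        # which a hardened client OS may have disabled by default.
        $ssl.AuthenticateAsClient($Target, $null, [System.Security.Authentication.SslProtocols]'Tls11,Tls12', $false)
        $r.TlsProtocol = $ssl.SslProtocol.ToString()
        # 'DiffieHellman' for DH key exchange; ECDHE appears as a bare integer (44550) on older .NET Framework.
        $r.KeyExchange = $ssl.KeyExchangeAlgorithm.ToString()
        $ssl.Dispose()
    } catch {
        $msg = $_.Exception.Message
        if ($r.PortOpen) { $r.TlsProtocol = "handshake failed: $msg" } else { $r.TlsProtocol = "connect failed: $msg" }
    } finally {
        $tcp.Dispose()
    }

    # 3. Local administrator rights: mapping the ADMIN$ share succeeds only for administrators.
    $drive = @{ Name = 'scmchk'; PSProvider = 'FileSystem'; Root = "\\$Target\ADMIN$"; ErrorAction = 'Stop' }
    if ($Credential) { $drive.Credential = $Credential }
    try {
        New-PSDrive @drive | Out-Null
        $r.LocalAdmin = $true
        Remove-PSDrive -Name 'scmchk'
    } catch {
        $r.LocalAdmin = "denied: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

$Targets | ForEach-Object { Test-DeploymentTarget -Target $_ } | Format-Table -AutoSize
```

A target that reports PortOpen but a failed handshake usually indicates a firewall or proxy that terminates TCP without passing TLS, or a listener that requires a client certificate; a target with LocalAdmin denied means the Deployment Agent's service account lacks administrator rights there and you should supply the separate credentials the section describes. Run the script as the Windows agent service account (for example from a scheduled task running under that identity) to test exactly the permissions deployment will use.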

Secure Configuration Manager also uses the Deployment Agent to enable discovery of new systems in Active Directory. For more information about system and endpoint discovery, see the User’s Guide for Secure Configuration Manager.

3.3.2 Deploying to Untrusted or High-Security Domains

If you want to use the deployment process to install or update agents in a high-security network or domain, such as a demilitarized zone, you must locally install and register one agent in that network or domain. Secure Configuration Manager marks that first registered agent as the Deployment Agent for the network or domain. The deployment process then uses the secure connection between the Deployment Agent and Core Services to deploy packages to the target computers in the domain.