Internet based management of SCCM clients and management points?

We have an SCCM backend infrastructure which is used to manage what is in effect multiple external organizations over the internet. Currently each SCCM client is managed by the primary server directly over the internet.
Am I right that we could place a ConfigMgr management point on the internal networks, and have the clients talk to this server when connected to the company network instead of all clients getting patched across the internet connection? Meaning that just the MP would communicate with our backend infrastructure?

So your internal clients are now connecting over the internet to the local MP? What does this setup look like exactly? How were the clients installed (parameters)?
Torsten Meringer | http://www.mssccmfaq.de

Similar Messages

  • Internet based management point set automatically after upgrading to R2

    After upgrading the SCCM 2012 agent from SP1 to R2, the internet-based MP seems to be getting set on the agents automatically (even for machines that did not have it set before the R2 upgrade). Aside from the MSI parameter to set the internet MP, is there something in the Client Settings or elsewhere in the site configuration that sets this value on the machines?

    And even if manually removed afterwards, something in ccmeval.exe seems to be setting it back when it runs every day (as long as the machine has an intranet connection, and not internet; on an internet connection ccmeval doesn't seem to be setting it).
    In regard to your question, we are trying to keep the internet machines from receiving policies, as users might be on very slow connections when travelling, and it seems there's no way in SCCM to specify an "internet" connection as a slow connection, so we decided not to apply the Internet MP and to make it optional for users to set it.
    I wonder if anyone else is experiencing this or whether this is specific to our environment.

  • Internet based management point on workgroup computer

    Hi
    I have a question about an internet-based site system (MP and DP and maybe SUP). I already have a primary site and I want to install another site system with MP/DP/SUP for internet clients on a server in the DMZ which is not in Active Directory. It is in a regular workgroup.
    Is it possible, or does it have to be joined to a domain? For security reasons I would prefer if it wasn't in the domain.
    Thanks in advance.

    All site systems have to be domain-joined.
    Torsten Meringer | http://www.mssccmfaq.de

  • Need help with Internet Based Management

    I work at a small university that just deployed SCCM 2012 R2 recently. We are currently using it on our intranet in HTTP mode. We would like to set up internet-based management so that we can start managing and deploying software updates to laptops that wander off campus. At the moment we have a primary site server that manages all of our clients. It's my understanding that these are our options:
    1. Use some type of reverse proxy in a DMZ that will forward requests to our internal primary site server.
    2. Set up a second server in a DMZ that will serve as a management and distribution point. Since there is a requirement to have this DMZ server joined to a domain, we would poke holes in the firewall so this server can communicate with the primary site server and so it can be joined to our internal domain controller (obviously bad security practice).
    3. Set up a second server in a DMZ that will serve as a management and distribution point. Set up a domain controller in the DMZ unrelated to our internal domain, so the SCCM server can be joined to a domain. Poke holes in the firewall so this server can only communicate with the SQL server on the internal primary site server (more secure than option 2).
    4. Set up a DirectAccess server in the DMZ and have clients use DirectAccess to access the internal primary site SCCM server.
    Have I covered the main options here? I would love to implement option 4, but not all of my clients are using Windows 7 Enterprise. A lot of my clients are still on Windows 7 Pro. We are no longer deploying the Pro version, but we are stuck with the current ones for a while. The other issue is that we also have some Mac OS X clients that need to be managed as well. Unfortunately, I have to eliminate this option for now. Would the recommended solution be to use option 3, seeing that option 2 seems very insecure? This whole internet-based management seems very confusing to me. If anyone has any suggestions or can point me to a good step-by-step guide, that would be awesome. Thanks...

    It all depends on the (security) requirements. In most cases it indeed comes down to either scenario 3 or 4.
    For some more information about the configuration see:
    http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/
    http://www.systemcenterdudes.com/internet-based-client-management/
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Some questions about option 3. Is the domain controller in the DMZ just a dummy one? In other words, does it just exist because of the requirement that a site server must be a member of a domain? Are there any trust relationships between the DMZ domain and the internal domain? Also, what are the ramifications of joining the DMZ site server to the internal domain? My boss wants to cut back on the number of virtual machines to spin up. Would installing the DMZ site server and domain controller on the same virtual machine be an acceptable compromise?

  • Report All SCCM clients and Collections

    Hi all
    I'm trying to create a report: All SCCM clients and Collections.
    But I can't convert multiple rows (collections) into one row.
    I got:
    Name    Collection Name
    ps1     serverDP
    ps1     Adobe
    ps2     CRT
    ps2     Note
    I need:
    Name    Collection Name
    ps1     serverDP, Adobe
    ps2     CRT, Note
    I'm using the following query... but it doesn't work. Need help!!!
    -- One row per client; the correlated subquery concatenates every collection
    -- that client's ResourceID belongs to. The TYPE/.value() form keeps names
    -- containing & or < from being XML-escaped; STUFF strips the leading ", ".
    SELECT fcm.Name AS Name,
           CollName = STUFF((
               SELECT ', ' + c.Name
               FROM v_FullCollectionMembership m
               JOIN v_Collection c ON c.CollectionID = m.CollectionID
               WHERE m.ResourceID = fcm.ResourceID
               ORDER BY c.Name
               FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)'), 1, 2, '')
    FROM v_FullCollectionMembership fcm
    GROUP BY fcm.ResourceID, fcm.Name
    ORDER BY fcm.Name
    Gerkin

    Hi,
    I recommend you use Report Builder to create the report.
    Use a Matrix and LookupSet to merge the table:
    =join(LookupSet(Fields!Name.Value, Fields!Name.Value, Fields!CollName.Value, "DataSet_name"), ",")
    For more information, please review the link below:
    Adding a Matrix (Reporting Services)
    http://technet.microsoft.com/en-us/library/ms157334(v=SQL.100).aspx
    LookupSet Function (Report Builder and SSRS)
    http://msdn.microsoft.com/en-IN/library/ee240819.aspx

  • PXE boot OSD connects to Internet-only Management Point. A bug?

    So here is the deal: SCCM registers the Management Points to be used by the DP's PXE in a registry value, and it is written in alphabetical order (or install order), so all PXE boots will always connect to the first MP (Microsoft, WTF?). In my case, the first is an INTERNET-ONLY MP; why would a PXE-booted OSD connect to that? Brrr..
    The solution is to edit the registry, put the MPs in the right order, and then it works like a charm.. until some SCCM maintenance task overwrites it with the default MP list, including the internet-only MP as first.
    MPs don't respect boundaries and I cannot just block the ports (OSD will be slow: it first tries to connect to the internet MP, times out, then uses the next one).
    A) This behaviour is a bug. PXE boot should NEVER connect to an Internet-only MP (OSD is not supported for IBCM).
    B) Does anybody know what maintenance task overwrites the DP's registry key "ManagementPoints"?
    I cannot just use one MP. All external MPs are configured for internet only, internal MPs are configured for intranet only.
    Ideas?

    The distribution manager on the site server is the component that populates the MP list in the registry of the DP/PXE.
    Dist mgr currently writes all the MPs and does not filter out the internet-facing MPs.
    Even if you manually edit the registry on the DP, dist mgr will overwrite it the next time it updates the DP. You can try to put an ACL on the registry key which prevents the site server from updating it. However, the DP will then never get updated by the site for other things either.
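    A check for the DP side of this thread, as an added example that is not code from the thread: rather than fighting the distribution manager (which, as the reply says, rewrites the value), it reads the list as written on the PXE-enabled DP and fails when an MP you know is internet-only is at the top, so a scheduled task or monitoring check can raise it. Assumptions on my part: the value lives at HKLM\SOFTWARE\Microsoft\SMS\DP\ManagementPoints on the DP (the thread only names the value), each entry begins with the MP FQDN, and 'ibcm-mp.example.com' is a placeholder for your own internet-only MPs.

```powershell
<#
Added example, not code from the thread. Reports the MP order the
distribution manager wrote to this DP and exits non-zero when an
internet-only MP comes first. $RegPath is an assumed location; the MP
names are placeholders.
#>
param(
    [string[]]$InternetOnlyMps = @('ibcm-mp.example.com'),   # hypothetical internet-only MPs
    [string]$RegPath = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'     # assumed location of the value
)

function Get-DpMpOrder {
    param([string]$Path, [string[]]$InternetOnly)

    $raw = (Get-ItemProperty -Path $Path -Name ManagementPoints -ErrorAction Stop).ManagementPoints
    # Each entry is treated as "<fqdn>[separator ...]"; only the host name part is kept.
    $names = @($raw | ForEach-Object { ($_ -split '[,;\s]')[0] })
    # -contains is case-insensitive in PowerShell, so no normalisation is needed.
    $flags = @($names | ForEach-Object { $InternetOnly -contains $_ })

    [pscustomobject]@{
        Order             = $names
        First             = $names[0]
        InternetOnlyFirst = ($names.Count -gt 0 -and $flags[0])
        InternetOnlyAny   = ($flags -contains $true)
    }
}

$state = Get-DpMpOrder -Path $RegPath -InternetOnly $InternetOnlyMps
$i = 0
foreach ($mp in $state.Order) {
    $tag = if ($InternetOnlyMps -contains $mp) { 'internet-only' } else { 'intranet' }
    Write-Host ("{0}. {1} ({2})" -f (++$i), $mp, $tag)
}
if ($state.InternetOnlyFirst) {
    # Non-zero exit so a scheduled task or monitoring check can alert on the drift.
    Write-Warning "First MP offered to PXE clients is internet-only: $($state.First)"
    exit 2
}
```

Run it on the DP after each DP update (or on a schedule) and treat exit code 2 as the signal that the list has been rewritten. The ACL workaround in the reply blocks every other DP update from the site, which is why this only observes rather than locks the key.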

  • SCCM Client and SCEP Client Uninstall

    Hi, I have the questions below with regard to the SCCM client software and the SCEP client software.
    Does SCCM client uninstallation remove the SCEP client as well? If not, how does Endpoint Protection get updates after the SCCM client is removed? How do I remove/uninstall the SCEP client?
    If the SCCM client uninstallation removes the SCEP client as well (by running ccmsetup.exe /uninstall), how can I make it NOT uninstall the SCEP client?
    Thanks.
    NM

    Yes, your SCEP client should still be able to update.
    If you're installing the ConfigMgr client again, and have "manage SCEP client" enabled in the ConfigMgr client settings, it does more than just add the update source. It allows you to manage the SCEP client configuration (like scan settings, exclusions, etc.), perform remote actions (like initiating a scan) and report on them.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Rediscover SCCM Client And Rerun Deployment

    I deleted a client from the console and waited for it to be rediscovered. I then re-added it to its prior collections, some of which were targeted for deployments. The question is: should I expect that the client would rerun past deployments that already ran successfully? I'd guess that the rediscovered client would have a different resource ID, but I'm not sure if that would cause the deployments to rerun, as the run history would still be in the registry on that client unless I uninstalled it first, right?

    OK, I think I'm starting to understand. Can you validate the following statements and tell me if they are correct? I've read
    http://blogs.catapultsystems.com/jsandys/archive/2011/04/05/configmgr-program-rerun-behavior.aspx as well.
    The client is aware of the execution history via the registry/WMI. The server only knows of this from the information sent back to it by the client (status messages, state messages, etc.). So removing the registry value and restarting the SMS service would cause the client to rerun a deployment it has already run successfully, regardless of the deployment settings.
    If I successfully installed Office 2013, for example, by a mandatory deployment, then delete that client from the console, it is rediscovered when the client heartbeats and a DDR is created, and I re-add that client to the "Office 2013" collection: the deadline is in the past and it already ran successfully. The deployment is set to only rerun on failure. Will Office 2013 attempt a reinstall or not?

  • Clients and Access points?

    Hello everyone! I have a specific question.
    Can you configure the controller so that clients can only connect to certain access points? For example, we have 4 access points and 5 clients. Clients 1, 3, 4 can connect to APs 1, 3, but cannot connect to APs 2, 4. And clients 2, 5 can connect to APs 1, 2, 3, but cannot connect to AP 4.
    And is it possible to do the same with SSIDs? For example, SSID 1 is seen by clients 1, 2, but not by clients 3, 4, 5. And SSID 2 is seen by clients 3, 4, 5, but not by clients 1, 2.
    Or is that not practicable?

    Why this approach? What is the business need? You can broadcast different SSIDs on different APs via AP groups.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • SCCM 2012 Internet based client management

    I used the link below to get started. I'm testing now on my test client. The test client is showing Client Certificate: Self-signed. The connection type, however, is correct: Currently Internet. Also, under Internet-based management point the server name is correct. However, when looking at the client's ccmexec.log, it appears to be trying HTTP instead of HTTPS.
    http://www.systemcenterdudes.com/internet-based-client-management/
    Thoughts?

    If it shows a self-signed certificate the client won't be able to connect. The Internet-based management point could be there because you provided it during the installation of the client, or, if the client was on the intranet before, because it received it via client policy.
    If you just installed that client while not on the intranet, start with the ClientIDManagerStartup.log. If the client was working before on the intranet, start with the CcmMessaging.log.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • How to enable for Internet-Based Client Management existing "intranet" clients

    Hello,
    Step #1
    I have an existing "intranet-only" SCCM 2012 SP1 CU1 environment. It is made of HTTP intranet-only MPs.
    All clients are properly communicating with one of the intranet MPs.
    All clients are leveraging auto-enrollment from our AD PKI and have a working client certificate recognized by the SCCM client.
    Step #2
    I expanded the above infrastructure to support IBCM clients. Basically I want the existing intranet clients to still be managed when they are outside our network.
    I added MP, DP, SUP, FSP on dedicated DMZ servers. They have been published on the Internet, and properly declared in public DNS.
    The DMZ MP has been configured for HTTPS / Internet clients only.
    When I first tested this setup in my lab, it was working fine, and my "intranet" client moving to the Internet was properly detecting this configuration, and was starting to contact the "DMZ/Internet MP" without any problem.
    I did the same in my production environment, but this time my client moving to the "Internet" detects it is connected to the Internet but does not have any clue about the DMZ/Internet MP to contact. According to the log file, it is trying to check DNS, WINS, etc., but obviously it is already too late when on the Internet: this information is no longer available.
    I guess I did something in my lab environment to make it work, but I don't know what. Any idea how to tell existing clients they should use a new "Internet-only" MP when they are on the Internet?
    Regards.

    Basically I found my problem...
    In my lab, I manually configured the SCCM client option Internet-based management point (FQDN) to use the public DNS name of my Internet/DMZ MP.
    If I do the same for my production sample client, it works fine now.
    Question: how can I enforce this change on all my existing clients?
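    One way to push that same setting to existing clients, as an added example that is not code from the thread: the script below uses the client's Microsoft.SMS.Client COM object to read and set the value the Network tab exposes, then cross-checks the connection type and current MP in the client's WMI namespace. The FQDN it takes is whatever name your DMZ MP is published under in public DNS; 'ibcm.example.com' is a placeholder. Run it elevated on each client while it can still reach an intranet MP, for instance as a package/program targeted at the intranet clients, or remotely with Invoke-Command.

```powershell
<#
Added example, not code from the thread. Sets the Internet-based MP FQDN on
an existing ConfigMgr 2012 client and shows what the client sees afterwards.
'ibcm.example.com' is a hypothetical placeholder for your published MP name.
#>
param(
    [Parameter(Mandatory)][string]$InternetMpFqdn,   # hypothetical: 'ibcm.example.com'
    [switch]$RefreshPolicy                            # also request machine policy afterwards
)

# The setting is a bare FQDN (no scheme, port or path); a malformed value
# silently breaks internet management for the client, so reject it up front.
if ($InternetMpFqdn -notmatch '^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$') {
    throw "'$InternetMpFqdn' is not a bare FQDN"
}

# Microsoft.SMS.Client is the client's COM automation object; the Get/Set
# methods below are the same values the control panel applet reads and writes.
$client = New-Object -ComObject Microsoft.SMS.Client
$before = $client.GetInternetManagementPointFQDN()
Write-Host "Assigned site            : $($client.GetAssignedSite())"
Write-Host "Internet MP before       : '$before'"

if ($before -ne $InternetMpFqdn) {
    $client.SetInternetManagementPointFQDN($InternetMpFqdn)
    Write-Host "Internet MP set to       : '$($client.GetInternetManagementPointFQDN())'"
}

# Cross-check from WMI: whether the client thinks it is on the internet,
# and which MP it is currently talking to.
$info = Get-CimInstance -Namespace root\ccm -ClassName ClientInfo
$auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority
Write-Host "Currently on internet    : $($info.InInternet)"
Write-Host "Current management point : $($auth.CurrentManagementPoint)"

if ($RefreshPolicy) {
    # Machine Policy Retrieval & Evaluation Cycle; the client re-reads its MP list with it.
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000021}' } | Out-Null
}
```

Keep in mind that this value is also a client property the site can re-apply through policy and ccmeval (another post on this page describes exactly that happening after the R2 upgrade), so setting CCMHOSTNAME in the client push installation properties, as the later thread on this page does, is the durable form of the same change.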

  • Internet Based Client Communication can not be established

    Hi,
    I have one primary site server and a database server. It was only using HTTP connections before. By reading several articles I created a PKI environment and made SCCM communicate with a test client via HTTPS. I don't have a DMZ, so I want to use the existing site server for both internal and internet client communication.
    To test HTTPS communication, I installed MS Project while the Configuration Manager client's General properties showed Client Certificate=PKI and Connection Type=Intranet. So obviously it can communicate via HTTPS on the intranet.
    To test HTTPS communication on the internet side, I entered a public DNS server manually on the client computer and deleted the DNS records for that PC from DNS. I also edited the hosts file on the client, entering sccm.mydomain.com with the public IP address. I set the firewall to allow 443 on that public IP address.
    I checked and the Configuration Manager client's General properties show Certificate=PKI and Connection Type=Internet.
    First I entered the address https://sccm.mydomain.com from the test client and I see an IIS 8 web page. Then I tried to get a report which shows installed programs on a computer, and the report result was not reflecting the latest changes I made. So I am not sure whether HTTPS on the internet side is working or not.
    I noticed that in the Configuration Manager client properties, Network tab, Internet Based Management Point (FQDN) is blank. I guess there should be the SCCM server's internet address (sccm.mydomain.com). I installed the client manually with the command below, meaning I already entered the internet address for SCCM, but the IBMP FQDN is blank.
    ccmsetup.exe /usepkicert smsmp="sccm2012.mydomain.local" ccmhostname="sccm.mydomain.com" smssitecode="XYZ"
    Please advise.
    1. How can I test if HTTPS is working on the internet side?
    2. Is it normal to have Internet Based Management Point (FQDN) blank?
    3. Is there anything wrong with the design I am trying to implement above?
    Thanks a lot
    Yavuz Selim Atmaca

    Here's a guide I made (MP/DP in a DMZ) but it should work for your scenario.
    http://www.systemcenterdudes.com/?p=193
    Make sure that your certificate requirements are OK and that your server FQDN is publicly published and available.
    You must have an internet FQDN in your client properties. You can enter it manually, use a script, or use the CCMHOSTNAME property in your client installation (as you did).
    To test, I usually connect directly to the internet, bypassing the corporate network. It's the best test you can make.
    Your scenario and troubleshooting steps are fine; you're probably just missing a minor thing.
    Benoit Lecours | Blog: System Center Dudes
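    A concrete version of that outside-in test, as an added example that is not code from the thread or the linked guide: run from a machine that is off the corporate network, it checks what an internet client actually depends on (public DNS, the TLS certificate's name, Server Authentication EKU and chain) and then calls the MP's anonymous mplist endpoint, which an HTTPS MP answers without a client certificate, so "IIS default page is up" and "the MP role answers" are kept apart. 'sccm.mydomain.com' is the name from the question and stands in for whatever name you publish.

```powershell
<#
Added example, not code from the thread. Tests an internet-facing ConfigMgr
MP from outside the corporate network. 'sccm.mydomain.com' is the name from
the question and is a placeholder for your published MP name.
#>
param(
    [Parameter(Mandatory)][string]$MpFqdn,   # e.g. 'sccm.mydomain.com'
    [int]$Port = 443
)

# 1. Public DNS: the name must resolve to the published (NATed) address, not the internal one.
$addrs = [System.Net.Dns]::GetHostAddresses($MpFqdn) | ForEach-Object { $_.IPAddressToString }
Write-Host "Resolves to       : $($addrs -join ', ')"

# 2. TLS handshake. The callback accepts anything so the certificate can be inspected below;
#    this is for a diagnostic script only and must never be reused in production code.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($MpFqdn)
$proto = $ssl.SslProtocol
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 3. What an internet client checks: the name, the Server Authentication EKU, and a chain
#    that builds to a root this machine trusts (your PKI root must be on every client too).
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$san     = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ' '
$nameOk  = ($dnsName -eq $MpFqdn) -or ($san -match ('(^|\W)' + [regex]::Escape($MpFqdn) + '(\W|$)'))
$ekuOk   = [bool]($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$chainNote = if ($chainOk) { '' } else { '(' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') + ')' }

Write-Host "TLS protocol      : $proto"
Write-Host "Subject           : $($cert.Subject)"
Write-Host "Issuer            : $($cert.Issuer)"
Write-Host "Expires           : $($cert.NotAfter)"
Write-Host "Name matches      : $nameOk  (SAN: $san)"
Write-Host "Server Auth EKU   : $ekuOk"
Write-Host "Chain trusted     : $chainOk $chainNote"

# 4. The MP's anonymous list endpoint. Invoke-WebRequest validates the certificate
#    normally here, so an untrusted chain shows up as a failure, which is the point.
try {
    $r   = Invoke-WebRequest -Uri "https://${MpFqdn}:${Port}/sms_mp/.sms_aut?mplist" -UseBasicParsing -TimeoutSec 20
    $mps = @(([xml]$r.Content).MPList.MP | ForEach-Object { $_.FQDN })
    Write-Host "MPLIST            : HTTP $($r.StatusCode), MPs reported: $($mps -join ', ')"
} catch {
    Write-Warning "MPLIST request failed: $($_.Exception.Message)"
}
```

If step 4 fails while steps 1 to 3 pass, the MP role itself (or the firewall in front of it) is the problem; if step 3 reports a name mismatch, the certificate was issued for the internal name (sccm2012.mydomain.local in the question) and needs the public name in its subject alternative names.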

  • Internet based client activity

    I am setting up clients for internet-based client management. We already have PKI certs for all of our clients. The client shows the connection type as Currently Internet, but the client activity shows inactive in the console. Where would I start to troubleshoot this?

    The client indeed needs to have the Internet-based Management Point information. Normally the client should get that information as a policy when it's correctly communicating with a Management Point, or as a property during the client installation.
    Also, indirectly, it's at least one of the things that counts toward the InternetEnabled property.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • WMI issues in VMware based Machine Windows 2008 R2 Servers affecting SCCM Clients

    Dear Brothers,
    I came to an observation particularly in dealing with Windows 2008 R2 server VMware-based virtual machines with SCCM clients.
    Observation:
    1. Windows 2008 R2 virtual machine with VMware Tools installed (also depending on the entries in WMI, I suppose).
    When the SCCM server pushes the client to these servers, I found out that the SCCM client seems to be installed perfectly, but when I tried to perform a remote WMI query the response is as displayed below (The RPC Server is unavailable).
    Now, I know that this kind of issue has something to do with the DCOM configuration for remote access, right?
    Well, sad to say, the settings have been checked, triple-checked actually, to make sure they are correct with the required permissions, and proven correct up to the last setting.
    I even compared the settings to those on some Windows servers with working WMI remote access.
    =========
    What I have observed is that when we build a VMware system and install the VMware Tools (see picture below) first, before installing the SCCM client, the WMI remote access issue happens (The RPC Server is unavailable).
    I proved it by creating a new VM, then conducting the installation in this order: SCCM client first and then the VMware Tools; this way, so far, WMI remote access works perfectly.
    Now the question:
    Since we have at least 70 VM servers in production with this issue, and I have proven that the VMware Tools has something to do with this issue, I now need to resolve this in a logical manner.
    Can anyone guide me to resolve the issue without uninstalling the VMware Tools, fixing the WMI settings and letting the SCCM client work?
    Regards,

    We also have this issue, on nearly all of our terminal servers. I have to run a script to fix the issue and then reboot. It works, but only for a few days and then it starts all over again...
    ::to fix "not found" wmi error
    ::to fix .net calls to wmi repository
    ::to fix "initialization failure" error
    ::stop WMI and every service that depends on it (/y answers the dependency prompt);
    ::the ConfigMgr client is down until the reboot that follows this script
    net stop winmgmt /y
    c:
    cd c:\windows\system32\wbem
    ::deleting the repository discards every stored instance (including the ConfigMgr
    ::client's own data); the classes are rebuilt by the mofcomp calls below
    rd /S /Q repository
    regsvr32 /s %systemroot%\system32\scecli.dll
    regsvr32 /s %systemroot%\system32\userenv.dll
    mofcomp cimwin32.mof
    mofcomp cimwin32.mfl
    mofcomp rsop.mof
    mofcomp rsop.mfl
    ::re-register every provider DLL under wbem and recompile every MOF/MFL in this folder
    ::("delims=" keeps paths containing spaces from being split)
    for /f "delims=" %%s in ('dir /b /s *.dll') do regsvr32 /s "%%s"
    for /f "delims=" %%s in ('dir /b *.mof') do mofcomp "%%s"
    for /f "delims=" %%s in ('dir /b *.mfl') do mofcomp "%%s"
    ::Exchange-only MOFs; these fail harmlessly on servers without Exchange
    mofcomp exwmi.mof
    mofcomp -n:root\cimv2\applications\exchange wbemcons.mof
    mofcomp -n:root\cimv2\applications\exchange smtpcons.mof
    mofcomp exmgmt.mof
    ::reboot the server afterwards so WMI and its consumers start clean
    For the update on this case: Microsoft didn't find a direct connection of the WMI issue to any contributors; however, the clients from Microsoft and 3rd-party applications such as VMware are highly dependent on WMI for their total function.
    Things that we have learned:
    1. Your script is the primary solution, as recommended as well by Microsoft, but this is to restore WMI to its healthy state. Is the error gone? No, definitely not.
       Note: The WMIDiagnostic tool does not help to isolate at all; not even Microsoft is validating the credibility of the logs generated by this tool.
    2. You need to apply the hotfixes recommended by Microsoft to eliminate the WMI repository problem and increase its capacity, which otherwise contributes to the service stalling. Deliver the patches via SCCM or any other means of patch deployment.
    3. Don't forget to reboot the affected server after every hotfix installation; this seems to fix the issue. For 3 months now the systems that usually got the WMI issue are no longer encountering the WMI errors. So far this is the solution. What causes the issue? According to Microsoft, the cause is the absence of the patches.

  • SCCM Client deployment over VPN

    Hello Everyone,
    I have a client with a lot of very remote users who only connect via VPN very briefly, if at all, and I need to install the client on their PCs. The users do not have admin rights and they also do not have the PKI cert installed for internet-based management.
    I have a script to install the client and install the cert, but it requires admin rights to run, and we are telling the user in the script not to turn off the PC etc. so that the client has time to install.
    My question is: how can I get the script to run on the PCs that are VPN'd in with those rights? We will be notifying the users to connect via VPN and click a link or similar action on the corporate home page.
    I don't really want to put the SCCM install admin user we use for client push in a script in plain text for obvious reasons, so does anyone have an idea how to elevate the script privileges so that the client can install, or, if I put in the username & password to "run as", how to hide it or turn the whole thing into an admin-level installer?
    Here's the main script:
    'Install-SCCMClient.vbs
    'Installs or upgrades the ConfigMgr client from the primary site share and logs the result.
    Option Explicit
    Dim currentVer, wshShell, wshNetwork, objFileSystem, strComputerName

    'Minimum acceptable client version (the R2 build this site is on)
    currentVer = "5.00.7958.1000"

    'Initialize common objects
    Set wshShell = WScript.CreateObject("WScript.Shell")
    Set wshNetwork = WScript.CreateObject("WScript.Network")
    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    strComputerName = wshNetwork.ComputerName

    MsgBox "IT is installing software on your PC, please do not disconnect or shut down the PC"
    'Refresh group policy first so the PKI client certificate auto-enrolls before ccmsetup runs
    wshShell.Run "gpupdate /force", 0, True

    'Main flow: install when missing, upgrade when older than currentVer, otherwise stop
    If CheckSCCM = False Then
        InstallSCCMAgent
    ElseIf CompareVersion(CheckSCCMVersion, currentVer) < 0 Then
        InstallSCCMAgent
    Else
        MsgBox "SCCM Client " & CheckSCCMVersion & " is already installed"
        WScript.Quit 0
    End If

    'ccmsetup.exe returns as soon as the ccmsetup service takes over, so give the install time to finish
    WScript.Sleep 10*60*1000
    MsgBox "SCCM Client is installed, please restart the PC"
    WriteLog "\\servername\install.log", "SCCM Client Installed : " & strComputerName

    'Install the client from the primary site share
    Function InstallSCCMAgent
        Dim strRunString
        strRunString = "\\servername\Client\ccmsetup.exe /UsePKICert /BITSPriority:HIGH /mp:servername.com SMSSITECODE=abc FSP=servername.com SMSCACHESIZE=20000"
        wshShell.Run strRunString, 1, True
    End Function

    'True when the client is installed (or an install is already in progress)
    Function CheckSCCM
        Dim agentInstalled, strWinDir
        agentInstalled = True
        strWinDir = wshShell.ExpandEnvironmentStrings("%windir%")
        'ConfigMgr 2012 clients live in %windir%\CCM (not System32\CCM as older clients did)
        If Not objFileSystem.FileExists(strWinDir & "\CCM\CcmExec.exe") Then
            If Not objFileSystem.FileExists(strWinDir & "\ccmsetup\ccmsetup.exe") Then
                agentInstalled = False
            End If
        End If
        CheckSCCM = agentInstalled
    End Function

    'Highest installed CCM component version from WMI, or "0" when the root\ccm namespace is missing
    Function CheckSCCMVersion
        Dim objWMIService, colItems, objItem, maxVer
        maxVer = "0"
        On Error Resume Next
        Set objWMIService = GetObject("winmgmts:\\.\root\ccm")
        If Err.Number = 0 Then
            Set colItems = objWMIService.ExecQuery("Select * from CCM_InstalledComponent")
            For Each objItem In colItems
                If CompareVersion(objItem.Version, maxVer) > 0 Then maxVer = objItem.Version
            Next
        End If
        On Error GoTo 0
        CheckSCCMVersion = maxVer
    End Function

    'Compare two dotted version strings numerically (string comparison breaks once a part has more digits); returns -1, 0 or 1
    Function CompareVersion(a, b)
        Dim pa, pb, i, na, nb
        pa = Split(a, "."): pb = Split(b, ".")
        CompareVersion = 0
        For i = 0 To 3
            na = 0: nb = 0
            If i <= UBound(pa) Then na = CLng(pa(i))
            If i <= UBound(pb) Then nb = CLng(pb(i))
            If na < nb Then CompareVersion = -1: Exit Function
            If na > nb Then CompareVersion = 1: Exit Function
        Next
    End Function

    'Append one line to the install log on the primary site share
    Sub WriteLog(strPath, strLine)
        Dim oFile
        Set oFile = objFileSystem.OpenTextFile(strPath, 8, True)
        oFile.WriteLine strLine
        oFile.Close
    End Sub
    Would really appreciate some help on this one,
    thanks in advance
    many thanks

    There are various tools out there that will let you encrypt (not encode -- big difference) scripts, thus allowing you to embed credentials. A quick web search for vbscript encrypt will reveal a bunch of results. I don't think there's anything freely available though, so make sure you skip anyone who says they can freely do this, as in most/all cases they are simply encoding (which, as mentioned, is quite different and quite insecure).
    Jason | http://blog.configmgrftw.com | @jasonsandys
