Manage System Center Endpoint Protection (SCEP) policies for Internet-based clients

Hi,
I've recently changed my SCCM configuration in order to allow internet-based clients registered in our domain to communicate with our primary site server. The objectives were to let us manage the SCEP policies of these clients and receive alerts when they're infected even when they are on the road, so not connected to the local network.
Now, everything seems to be in place: PKI certificates for server and client, the DNS is configured, firewall route too... but I still cannot update the policies of my client when it's not connected to the local network.
I'm able to reach my primary site from my client when connected outside the network, but the policies won't update until I connect to the local network.
Is it actually possible to manage the policies and receive alerts from internet-based clients like I'm trying to do?
Thank you very much for your help

It's going to come down to log checking at this point to find where the failure is happening or the connection is not happening.
Initiate a machine policy refresh and watch the two logs noted above.
CAS.log may also be helpful as well as locationservices.log and clientlocation.log.
Try deploying an app as well and watch the logs.
Also, if the client is not properly getting policy, there's no way for it to know that you disabled client CRL checking on the site.
Jason | http://blog.configmgrftw.com
OK, so now I see an error in clientlocation.log that might be the cause of my problem.
[Domain joined client is in Internet]
[Rotating internet management point, new management point is : SERVER.DOMAIN.COM ...
[Unable to retrieve AD forest + domain membership] <- Pretty sure this is related to my issue
I guess it's because my AD schema is not extended, is that right?
EDIT: I thought this was the issue, but the AD schema seems to be extended already. Any idea of what could cause this error?
EDIT: Do I need to open ports in order for my client to be able to reach the AD or something? I thought that was the MP's job once we granted it full control access on the AD. Am I wrong?

Similar Messages

  • No System Center Endpoint Protection on my Windows 8.1 client?

    I'm trying to install the SCCM 2012 SP1 CU3 client on a test Windows 8.1 computer. The client install seems to go well, components install and enable, but I do not see the System Center Endpoint Protection tool in the tool tray on the 8.1 client like I see on Windows 7.
    How can I check to see if SCEP is installed and working?
    Thanks,
    FP

    Hi,
    In addition, you also need to install Endpoint Protection Point role to manage SCEP clients.
    Best Regards,
    Joyce

  • Remove system center endpoint protection (scep) from clients

    Hi,
    I enabled SCEP for my whole domain; now I would like to remove it from some clients on smaller servers which have less performance (a specific SCEP performance template policy didn't help either).
    I created a new client setting in which I enabled the scep for a specific collection only, the default has no scep enabled.
    However, SCEP is not uninstalled for clients which are not members of the specific collection.
    Please advise how to remove SCEP clients.
    S.
    SteveWonB

    One more thing, off the record: do you need to create auto deployment rules for SCEP? According to windows-noob.com you do.
    http://www.windows-noob.com/forums/index.php?/topic/4466-using-sccm-2012-rc-in-a-lab-part-5-enable-the-endpoint-protection-role-and-configure-endpoint-protection-settings
    Somewhere else I see that updates are done automatically (CBT Nuggets instruction video of SCEP install).
    These updates are slowing down my machines: although I selected "superseded: no" in updates, it downloads day-by-day definition updates and applies them, whereas I would think it downloads only the latest definition file...
    SteveWonB
    Hi,
    please note that the link above has been replaced with new content since Configuration Manager 2012 went RTM; to see the new version, review this post.
    Step by Step Configuration Manager Guides > 2012 Guides | 2007 Guides | I'm on Twitter > ncbrady

  • System Center Endpoint Protection updates not applying to DirectAccess clients

    Hi
    I have W2008R2 SP2 with SCCM2012R2 CU3 server.
    We started testing DirectAccess. All other updates (Windows, Skype, Adobe) are applying except SCEP.
    Initiating policies from the laptop did not help.
    DirectAccess subnet is in boundary list.
    Computer account is in correct collection. SCEP only updates when laptop is on LAN.
    Where to look to resolve this problem?

    Yes, the boundaries that you put in SCCM which specify your DirectAccess client computers must be the IP addresses they are using, which are the IPv6 addresses given to them via their DA transition technologies (6to4, Teredo, IP-HTTPS). Depending on how you set up DirectAccess, you may only have some of these available for the clients to utilize. If your DA server is sitting behind a NAT, or if you used the "Getting Started Wizard" to set up DA, then only IP-HTTPS is available to your DA clients and that is how they are all connecting. In that case you should only need to add the IP-HTTPS IPv6 prefix.
    You can use this info to calculate the prefixes, or you can check in the SCCM agent on the client machine, I believe in the section where it shows you the heartbeat it will also show you the current prefix that your client is utilizing:
    First Public IPv4=WW.XX.YY.ZZ (address on the DA server)
    2001:0:WWXX:YYZZ::/64 (Teredo)
    2002:WWXX:YYZZ:8100::/56 (IP-HTTPS)
    2002:WWXX:YYZZ:8000::/49 (organizational prefix)
    2002:WWXX:YYZZ:8000::/64 (ISATAP)
    2002:WWXX:YYZZ:8001::/96 (NAT64/DNS64)
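    As an added example (not from the thread), the prefix derivation above in Python: given the DA server's public IPv4 address it returns the IPv6 boundary prefixes the post lists (plus the enclosing 6to4 /48), and can report which transition technology a given client IPv6 address falls under, which is a quick way to verify a boundary before adding it in SCCM. The IPv4 address in the test is a constructed documentation-range value.

```python
from __future__ import annotations

import ipaddress


def _hextets(ipv4: str) -> tuple[str, str]:
    """Split a public IPv4 address WW.XX.YY.ZZ into the hex hextets WWXX and YYZZ."""
    packed = ipaddress.IPv4Address(ipv4).packed  # validates and yields 4 bytes
    return packed[0:2].hex(), packed[2:4].hex()


def directaccess_prefixes(public_ipv4: str) -> dict[str, ipaddress.IPv6Network]:
    """Derive the DirectAccess client prefixes from the DA server's public IPv4.

    The entries mirror the list in the post above; the 6to4 /48 is the standard
    2002:WWXX:YYZZ::/48 site prefix from which the 2002:... entries are carved.
    """
    wwxx, yyzz = _hextets(public_ipv4)
    six_to_four = f"2002:{wwxx}:{yyzz}"
    raw = {
        "6to4": f"{six_to_four}::/48",
        "Teredo": f"2001:0:{wwxx}:{yyzz}::/64",
        "IP-HTTPS": f"{six_to_four}:8100::/56",
        "organizational prefix": f"{six_to_four}:8000::/49",
        "ISATAP": f"{six_to_four}:8000::/64",
        "NAT64/DNS64": f"{six_to_four}:8001::/96",
    }
    # strict=True (the default) rejects any prefix whose host bits are not zero
    return {name: ipaddress.IPv6Network(p) for name, p in raw.items()}


def client_transition(public_ipv4: str, client_ipv6: str) -> str | None:
    """Return the most specific prefix name that contains client_ipv6, or None."""
    addr = ipaddress.IPv6Address(client_ipv6)
    prefixes = directaccess_prefixes(public_ipv4)
    # most specific (longest) prefix wins, e.g. ISATAP /64 before the org /49
    for name, net in sorted(prefixes.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return None


if __name__ == "__main__":
    # constructed example: 203.0.113.1 is a documentation-range address
    for name, net in directaccess_prefixes("203.0.113.1").items():
        print(f"{net}  ({name})")
    print(client_transition("203.0.113.1", "2002:cb00:7101:8100::1"))  # IP-HTTPS
```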

  • Windows 10 in SCCM 2012/SCEP (system center endpoint protection)

    I have been able to put my test machine into SCCM 2012 R2. But it seems that SCEP won't work, this is the message:
    System Center Endpoint Protection cannot be installed on your operating system. Windows Program Compatibility mode is not supported by this program.  <a>For information about supported operating systems, see the online Help</a>. Error code:0x8004FF71.
    Will we be able to test SCEP in any of the upcoming versions?

    I have the same situation during a pre-pilot phase in a customer environment, but still no solution.

  • System Center Endpoint Protection creates TEMP Folders / Reinstallation not possible

    Hi all,
    After I updated from SCCM 2012 RTM to SCCM 2012 R2 CU2 I have an issue on several servers which have System Center Endpoint Protection 2012 installed (provided through the SCCM agent).
    There are hourly Temp Folders created in C:\Windows\...:
    The Temp-Folders are including SCEP 2012 Content...
    These files are filling up my system drive C:\. I always have to delete those files.
    I think System Center Endpoint Protection is trying to reinstall or update itself, and fails...
    If I try to uninstall "System Center 2012 Endpoint Protection" manually from the server, I get the following popup (file not found):
    I cannot find the correct Version of this msi-File "fepclient.msi", so I click Cancel, and then I get the Error 0x8007064C (Cannot complete uninstall wizard).
    I have this Problem on 4 different Servers right now (FileServer, two Citrix Server, SCCM-Server).
    I tried several steps on the SCCM Server:
    - Manual Uninstall
    - Re-Installation with "scepinstall.exe" from the SCCM Client Source (same error)
    - Re-Installation from SCCM Console (Push)
    I am not getting rid of this error... I do not want to delete registry keys and test around because these are production servers... Any ideas how to resolve this one?
    If you Need more Details about the infrastructure / OS, just ask.
    Patrik

    Reinstalling the SCCM agent did not help to get any additional log information.
    But I did find a log file in C:\ProgramData\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.5.216.0_epp_install.log
    I find the following warnings / errors:
    TEMP Folder which is created in C:\Windows\...:
     MSI-Missing:
    But that does not really help me...

  • ISE and Microsoft System Center Endpoint Protection AV Posture Issues

    We are deploying an Enterprise ISE Infrastructure. The Customer has adopted Microsoft System Center Endpoint Protection ver 4.x as its approved AV. NAC Agent detects the AV. It however has issues detecting the Definition Files.
    See Log File below:
    7721: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_PROD_ENG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product Engine Version, Result: rcInternalError
    7722: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_VER: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product File Version, Result: rcInternalError
    7723: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_SIG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product Data File Sig, Result: rcNotSupported
    7724: XXXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_TIME: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAS - Product Data File Time, Result: rcInternalError
    7725: XXX-JOSE-W54: Aug 22 2014 11:03:00.624 UTC: %NACAGENT-6-OPSWAT_DEBUG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: OPSWAT AV/AS Retrieval Time(sec) Info for MicrosoftAS: total=0.0000, pid=0.0000, vendor=0.0000, desc=0.0000, vsn=0.0000, type=0.0000, engineVsn=0.0000, dataFileVsn=0.0000, sig=0.0000, dataFileTime=0.0000
    7726: XXXX-JOSE-W54: Aug 22 2014 11:03:00.640 UTC: %NACAGENT-6-OPSWAT_DAT_FILE_SIG: %[sev=info][prodtype=AV/AS][func=OpswatChecks::GetAllAVInfo]: ID: MicrosoftAV - Product Data File Sig, Result: rcNotImplemented"
    NAC Agent version is 4.9.4.3 and CM version 3.6.9186.2

    Hi,
    Yes you can install the Endpoint Protection Client in the image, the process for doing this is described here:
    http://technet.microsoft.com/en-us/library/dn236350.aspx You can configure it manually to use Windows Update as the source for definition updates before the imaging as well then you should
    be good to go.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • Unable to update System center Endpoint protection

    In System Center Endpoint Protection, virus and spyware definitions are out of date... When trying to update, it shows the error below.
    This issue persists for users in my company. We are using Windows 7 SP1 Enterprise, SCCM 2012.
    How to resolve this issue?

    Hi,
    0x80240038 WU_E_WINHTTP_INVALID_FILE The downloaded file has an unexpected content type.
    Please check WUAHandler.log and Windowsupdate.log on the client to see whether there are some helpful information.
    You could also check the following link.
    http://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/unable-to-install-definition-updates-for-mse-error/42891758-ef28-4554-a6df-e78598414411
    Best Regards,
    Joyce

  • Support for Internet based client Management - SCCM 2012

    Hi There,
    My company wants to go for Internet-based client management in SCCM 2012 SP1 R2 and here is the design I'm proposing. I'm getting a bit confused at one point and need suggestions...
    Everything would work on HTTPS ( PKI Certificate based )... LAN and Internet.
    1 Primary (with non-client-facing roles installed) on LAN with two site systems:
    - One site system configured for INTRANET support only with MP, DP and SUP -> to support LAN users (Allow Intranet-only connections)
    - One site system configured for INTERNET support only with MP, DP and SUP -> to support Internet users (Allow Internet-only connections)
    The INTERNET facing site system is in DMZ network connected to parent Primary via Firewall.
    We want internet clients to talk to ONLY DMZ SCCM Site System and no connection to corporate LAN. We cannot open any ports for internet based clients to LAN.
    If this is the supported scenario, then why do we need to put the Internet FQDN in the Primary server's Site System properties? This server would not be available on the internet. It should only be my DMZ SCCM server that clients connect to for MP, DP and SUP, and only this DMZ server should be accessible to clients over the internet.
    Also, what is the minimum set of ports that should be opened between:
    - Parent Primary and its internet facing site system kept in DMZ
    - DMZ Site system and internet clients.
    Thanks in advance for your suggestions.
    Sam

    The FQDN only has to be specified on the Internet-facing site system. You can leave this field blank on the primary site server.
    Ports to open:
    Internet --> DMZ Site Server:
    - TCP 443
    - TCP 80, if a Fallback Status Point is installed
    DMZ Site Server --> Primary Site:
    - TCP 135, 49152-65535
    - TCP 445
    - TCP 135, 24158 (fixed with http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx)
    - TCP 80, 443
    If you have some other roles installed, please consult this page:
    http://technet.microsoft.com/en-us/library/hh427328.aspx
    Cheers,
    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog

  • Quick recovery image for internet based clients

    Hello all,
    Imaging of internet-based clients is not supported with SCCM, but is there any other (Microsoft) way to quickly recover to a standard image for internet-based clients (we use MS Surface for our sales reps)? For example, putting a standard image on a separate partition with which you can instruct users by phone to redeploy their machine to an original configuration? I do not think that DaRT will solve my issue, by the way.

    I haven't implemented this myself. I just thought it was a cool idea. It's primarily designed to solve this problem with very small branch offices using Direct Access. You should contact 1E for more information
    eg the step: "Prestage content using Nomad".
    Where is the content coming from? Remember that this is designed for a small office so Nomad could be using peer-to-peer distribution here. Also, with Nomad, you could run that step outside the OSD task sequence so that the content will already be available (by downloading slowly over time) when and if required.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • System Center Endpoint Protection Licensing?

    Hi there,
    I want to implement System Center 2012 R2 Endpoint Protection in the business. We have a Silver membership, so we do have the license for System Center 2012 R2. What I don't get is if Endpoint protection is separate or not from a licensing point of view.
    Do we have to pay for subscriptions or not? And how much? It's just confusing because Microsoft doesn't make it clear. Sure I can install SCCM....but that is pointless if I can't use Endpoint Protection.
    Thx in advance

    Hi,
    About SCEP, it depends upon the client ML you purchased; it is either included or additional.
    You could find more information from the following link.
    Server and cloud pricing and licensing
    http://www.microsoft.com/en-us/server-cloud/pricing-and-licensing.aspx
    Best Regards,
    Joyce

  • System Center Endpoint Protection Antimalware client version - won't upgrade

    Hi
    Running SCCM 2012 SP1 CU4 on Server A. Endpoint Protection role on Server B. Both Servers 2008 R2. there is only one primary site server and no secondary sites in the hierarchy.
    All clients are Windows 7.
    The SCEP client is not upgrading on clients as I would have expected. After enabling the automatic client upgrade option in site hierarchy settings I found all the clients upgraded their SCCM agent. I was expecting the SCEP client to be upgraded also. Machines have been rebooted since the SCCM agent upgrade.
    How can I go about upgrading the SCEP agent on all computers?
    Many thanks

    Hi Daniel
    I can't find this file in %programfiles%\microsoft configuration manager\logs, or %programfiles%\sms_ccm\logs. Can you tell me where this log file is?
    I think I sorted the issue: some of the boundaries weren't in a boundary group. Now some of the SCEP agents are upgrading. There are still some issues but I guess I'll do some reinstalls and see if I can resolve it this way.
    Common installation issues I'm seeing are 0x8004FF91 or 0x8000ffff,
    for example. These are found in the c:\windows\ccm\logs\EndpointProtectionAgent.log on the clients.
    Thanks

  • System Center Endpoint Protection

    How can processes or files be excluded via a wildcard? In FEP you could simply type in a filename (i.e. blah.exe) and it would be excluded. SCCM 2012 doesn't seem to support excluding with just a name; it wants a full path. I tried %blah.exe%, however that doesn't seem to exclude it.

    More info:
    System Center 2012 Configuration Manager Antivirus Exclusions
    http://blogs.technet.com/b/systemcenterpfe/archive/2012/11/29/system-center-2012-configuration-manager-antivirus-exclusions.aspx

  • How to enable for Internet-Based Client Management existing "intranet" clients

    Hello,
    Step #1
    I have an existing "intranet-only" SCCM 2012 SP1 CU1 environment. It is made of HTTP Intranet-Only MP.
    All clients are properly communicating with one of the intranet MPs
    All clients are leveraging auto-enrollment of our AD PKI and have a working client certificate recognized by the SCCM client
    Step #2
    I expanded the above infrastructure to support IBCM clients. Basically I want the existing intranet clients to still be managed when they are outside our network.
    I added MP, DP, SUP, FSP on dedicated DMZ servers. It has been published on Internet, and properly declared with public DNS
    The DMZ MP has been configured for HTTPS / Internet client only
    When I tested this setup first in my lab, it was working fine, and my "intranet" client moving to the Internet was properly detecting this configuration and was starting to contact the "DMZ/Internet MP" without any problem.
    I did the same on my production environment but this time, my client moving to the "internet" detects it is connected on the Internet but does not have any clue about the DMZ/Internet MP to contact. According to the log file, it is trying to check on DNS, WINS, etc. but obviously it is already too late: when on the Internet, this information is no longer available.
    I guess I did something in my lab environment to make it work but I don't know what. Any idea how to tell existing clients they should use a new "Internet-Only" MP when they are on the Internet?
    Regards.

    Basically I found my problem...
    In my lab, I manually configured the SCCM client option Internet-based management point (FQDN) to use the public DNS address of my Internet/DMZ MP.
    If I do the same for my production sample client, it works fine now.
    Question: how can I enforce this change on all my existing clients ?

  • System Center Endpoint Protection Definition Updates

    Hi, can anyone advise: when deploying definitions via SCCM 2012 and selecting the source as "Updates distributed from Configuration Manager", does that mean each client will go to the Primary Site to get updates? Or, by using an ADR, will it ensure that definitions come via distribution points?
    Also another question: as SCCM 2012 is not rolled out to all sites yet, and we will be deploying unmanaged clients, when I deploy the SCEP client offline and unmanaged with a policy file, is there a way to later change the policy on the client by command line?

    You could configure updating SCEP in many ways, including:
    - Updates distributed from Configuration Manager: this method uses Configuration Manager software updates to deliver definition and engine updates to computers in your hierarchy.
    - Updates distributed from Windows Server Update Services (WSUS): this method uses your WSUS infrastructure to deliver definition and engine updates to computers.
    - Updates distributed from Microsoft Update: this method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.
    - Updates distributed from Microsoft Malware Protection Center: this method will download definition updates from the Microsoft Malware Protection Center.
    - Updates from UNC file shares: with this method, you can save the latest definition and engine updates to a share on the network. Clients can then access the network to install the updates.
    For more details, please refer to:
    http://technet.microsoft.com/en-us/library/jj822983.aspx
