Installation sccm client on workgroup client in DMZ

Similar Messages

• SCCM Task Sequence no longer installs SCCM Client

  I am using SCCM 2007 R3 with SP2 and MDT 2010
  My task sequences were all working fine until one of the other SCCM admins "Synced all sites" by transferring the site settings of one site to all the other sites.  How this broke OSD I don't know.
  At this point the best I can tell is that the SCCM client is not being installed in the Task Sequence and so when it reboots to the installed OS there is no longer any communication and the task sequence fails with an error of "Windows could not configure
  one or more system components. To install Windows, restart the computer and then restart the installation.
  I have run out of ideas to fix it so I am asking for the collective knowledge of the Interwebs for help.

  Please post the contents of C:\Windows\ccmsetup\logs\ccmsetup.log in order for us to help you further
  Blog: www.danielclasson.com/blog |
  LinkedIn:
  Daniel Classon | Twitter: @danielclasson

• MP/DP + SCCM clients in DMZ

  Hi,
  I have this MP/DP in DMZ. Firewall openings are documented inedeed here
  https://technet.microsoft.com/en-us/library/hh427328.aspx?f=255&MSPPError=-2147217396 but I'd need some extra info.
  The MP/DP: to which site server do you point the SCCM client on this server (to itself or to the "main" site server)
  => if to itself, this would also mean the clients in DMZ point to to the DMZ MP/DP and won't need any firewall openings, iow is there still communication needed from sccm clients to "main" site server or does everything go to MP/DP in DMZ?
  Please advise.
  J.
  Please see
  https://social.technet.microsoft.com/Forums/systemcenter/en-US/6cbc9ab0-3e4e-4f14-a14d-a7d3f1c17cfc/install-sccm-client-to-server-in-dmz-mp-does-not-exist?forum=configmanagergeneral for more backgroundinfo on this question.
  Note: firewall ports to open:
  *DP => MP: TCP 80 and 443
  *MP => SQL: TCp 1433
  *site server <=> certificate registration point (sccm "main" server?) TCP 445 and 135, UDP 135
  *SUP => Internet: TCP 80
  Jan Hoedt

  The MP/DP will need an sccm client.
  No. Wrong assumption. Not needed from a ConfigMgr point of view (but required if you want to patch those systems and get inventory etc)
  Torsten Meringer | http://www.mssccmfaq.de

• Problems with SCCM client instalaltion after upgrade to R2 version

  Hi,
  Few days ago, I have upgraded SCCM 2012 Sp1+CU3 to SCCM 2012 R2. I see now manyy issies in component manager with SMS_EXECUTIVE and SMS_MP_CONTROL_MANAGER. Reaon of this is automatically process of installation SCCM client in latest version. This same
  issue apppear when I trying install SCCM manually. In both cases I have got in ccmsetup.log this:
  CcmCreateEmbeddedClientState. Creates the client state file, which is needed for write filter handing.
  CcmCreateEmbeddedClientStateRollback. Rolls back the action of creating the client state file.
  RegisterExtensionInfo. Registering extension servers
  WriteRegistryValues. Writing system registry values
  Could not write value SMSCFGRC to key \SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.   Verify that you have sufficient access to that key, or contact your support personnel.
  Rollback. Rolling back action:
  Computer where I want install SCCM client, my adm account, Primary site server or NT SERVICE\TrustedInstaller has full right to this registry key but log file record is always this same. 
  AV and Firewall turned off. 
  What next?

  Hi Torsten,
  I have checked client.msi.log and there is this same:
  Note: 1: 1401 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls 3: 5 
  Product: Configuration Manager Client -- Error 1406. Could not write value SMSCFGRC to key \SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.  System error .  Verify that you have sufficient access to that key, or
  contact your support personnel.
  Error 1406. Could not write value SMSCFGRC to key \SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.  System error .  Verify that you have sufficient access to that key, or contact your support personnel.
  User policy value 'DisableRollback' is 0
  Machine policy value 'DisableRollback' is 0
  InstallFinalize. Return value 3.

• Manage SCCM 2012 clients in DMZ (OS Deploy, Windows updates) via DP/MP

  Hi,
  We ’d like to manage (=OS Deploy, Packages,Windows updates) Windows clients (Windows 2008/2012 R2 servers for now, about 20 of them) in a DMZ (= different domain).
  There is this article
  https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which explains what to do … in 2011. Since then lots of things are changed I guess
  Before I dive in, I’d need to have an overview + do some administrative tasks (like asking for firewall accesses).
  Current setup DMZ:
  Our SCCM 2012 R2 server is on a Windows 2008 R2 OS
  Client communication is done via HTTP (not HTTPS)
  An extra physical Distribution point is setup (only DP, nothing more) in our current domain
  A new Windows 2012 server is setup in the DMZ which should host the DP and probably management point (since it should manage the clients over there)
  There are clients in DMZ that are currenlty managed by SCCM 2007 but 
  this server will be phased out, these client have:
  Correct sccm functionality
  Correct DNS resolution
  My steps/questions, please comment:
  Add the DMZ ip range to SCCM 2012 boundary as “DMZ”
  Add the network access account to be able to deploy as well clients as distribution point in DMZ
  In the DMZ accesses on firewall for server VLAN have to be asked
  When we have a distribution point and communication is “HTTP only” then http (port 80) from DMZ to sccm server should suffice, correct? Or are
   extra firewall openings needed for management point access/packages and windows updates sync?
  Now the sccm clients will be deployed to the servers in DMZ: deploy SCCM clients to hosts in DMZ, how this should be done: we connect a console to the SCCM-server in the DMZ then deploy the discovered clients?
  OS Deploy should be made available, but no dhcp is available in DMZ and it is not an option either, therefore we would boot from an ISO then enter an ip (or pre-enter it so there is already filled in an ip?). So tasksequences/deployments
  for servers in DMZ, where are they configured/deployed then? Via console access on DMZ management point or can we deploy on our domain SCCM management point (not in DMZ) and it will be synced to the DMZ management point? Not clear
  Selective sync of software to this distribution point (howto? not sure), we don’t need any Windows 8 software/drivers to be synced.
  Thanks for your input!
  J.
  Jan Hoedt

  No comment;
  I think you mean the client push installation account and the site system installation account;
  More ports are required, see site server > distribution point and distribution point > management point from the provided link;
  The console will always be connected to your primary site server. The client will be pushed from the primary site server and it will provide the initial files. The other files will be downloaded from the local distribution point;
  The task sequence deployment will be just like a normal taks sequence deployment. The only difference is the location of the server;
  Only the content that's distributed to the distribution point in the DMZ will be available on that distribution point.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

  Hello everyone,
  I’m having issues with workgroup computers, not domain systems when I request a certificate.
  It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
  on windows 7 and it can’t see the certificate template.
  I have the following configuration:
  CA Enterprise
  I have created the SCCM Client Certificate
  I have created the SCCM Web Server Certificate
  I have created the SCCM Distribution Point Certificate
  GPO is configured
  SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
  Installed SCCM Client Certificate
  Installed SCCM Web Server Certificate
  Installed Distribution Point Certificate
  Deployed to a domain computer good on PKI
  Workgroup Computers:
  I’m having issues with deploying certificates
  Windows 7 –
  (ERROR) not successful
  Windows Server 2008 R2 –
  (ERROR) not successful
  Windows Server 2003 - successful
  Windows XP – successful
  How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
  http://www.ithierarchy.com/ITH/node/48
  I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
  Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
  Error --- Template not found.
  SCCMClientCertificate (this is my template)

  Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
  Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS Support
  working with me to resolve this issue since it was written by MSFT.
  http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
  and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
  http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

• SCCM Client Push Installation Wizard does not install the client. CCMSetup folder - not created

  Hello,
  I have tried running the Client Push wizard for a single computer or a pilot collection of 8 computers, the result is always
  the same - no SCCM client is installed on any computer.
  The computers are running 32-bit Windows XP SP2.
  The Windows firewall is disabled.
  The client push installation account is setup and have domain admin and local admin privileges. Client Push automatic method
  is not enabled.
  The domain is AD WIndows 2000.
  The SCCM server is running Windows 2003 R2 SP2 64bit Standard.
  The AD schema has been extended.
  MP, and SLP are installed and published. (MP is published in DNS as well.)
  FSP is installed.
  MP, SLP and FSP are running on the same server.
  SQL 2005 server is running locally.
  System management container is created and all rights and permissions delegated.
  With the Push installation account I can access C$ share on the client computer from the SCCM server.
  RPC, Remote registry, WMI services are running on the client machines.
  All prerequisites are installed from the client folder on SCCM server- latest BITS 2.5, Windows installer 3.1 and MSXML6.
  All computers are in the same IP subnet which is listed in the boundaries.
  Yet, the client is not being installed.
  No CCMSetup folder is created on the client machines in Windows\System32 folder, so it is really difficult to troubleshoot
  what the is the issue. I do not see anything helpful in the ccm.log on the server.
  I have tried running the CCMSetup.exe manually on one of the workstations and that was successful and reported back to the
  SCCM server / console.
  What else I should check / try? I really want to push agents via the wizard.
  Thank you,
  Peter

  Hi Wally,
  I have changed 2 things:
  1. Enabed automatic push installation (so I am not usign the wizard any more)
  2. Changed the IP subnet to IP ranges in the site boundairies.
  After runnignt the discovery, I was able to see some activities in the ccm.log. A ccmsetup folder is now created but the agent is still not instaleld. Here is the ccmsetup.log
  ==================================
  <![LOG[==========[ ccmsetup started in process 3140 ]==========]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:8853">
  <![LOG[Version: 4.0.5931.0000]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:1913">
  <![LOG[Command line parameters for ccmsetup have been specified.  No registry lookup for command line parameters is required.]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:3937">
  <![LOG[Command line: "C:\WINDOWS\system32\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:3946">
  <![LOG[CCMHTTPPORT:    80]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:7851">
  <![LOG[CCMHTTPSPORT:    443]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:7866">
  <![LOG[CCMHTTPSSTATE:    0]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:7884">
  <![LOG[CCMHTTPSCERTNAME:    ]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:7912">
  <![LOG[FSP:    HFXDBSSOM.CORP.EASTLINK.CA]LOG]!><time="09:45:07.045+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:7927">
  <![LOG[CCMFIRSTCERT:    0]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:7969">
  <![LOG[Config file:      C:\WINDOWS\system32\ccmsetup\MobileClient.tcf]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4341">
  <![LOG[Retry time:       10 minute(s)]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4342">
  <![LOG[MSI log file:     ]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4343">
  <![LOG[MSI properties:    INSTALL="ALL" SMSSITECODE="PHX" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="0" FSP="HFXDBSSOM.CORP.EASTLINK.CA" CCMFIRSTCERT="0"]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4344">
  <![LOG[Source List:]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4352">
  <![LOG[                  \\HFXDBSSOM.corp.eastlink.ca\SMSClient]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4359">
  <![LOG[                  \\HFXDBSSOM\SMSClient]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4368">
  <![LOG[MPs:]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4371">
  <![LOG[                  HFXDBSSOM.corp.eastlink.ca]LOG]!><time="09:45:07.061+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:4386">
  <![LOG[Updated security on object C:\WINDOWS\system32\ccmsetup\.]LOG]!><time="09:45:07.076+240" date="12-06-2007" component="ccmsetup" context="" type="0" thread="3108" file="ccmsetup.cpp:8692">
  <![LOG[Sending Fallback Status Point message, STATEID='100'.]LOG]!><time="09:45:07.076+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="3108" file="ccmsetup.cpp:9169">
  <![LOG[State message with TopicType 800 and TopicId {A450B407-619B-4777-B77E-C3352753B58A} has been sent to the FSP]LOG]!><time="09:45:07.326+240" date="12-06-2007" component="FSPStateMessage" context="" type="1" thread="3108" file="fsputillib.cpp:730">
  <![LOG[Running as user "SYSTEM"]LOG]!><time="09:45:07.326+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="2600" file="ccmsetup.cpp:2534">
  <![LOG[Detected 24292 MB free disk space on system drive.]LOG]!><time="09:45:07.326+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="2600" file="ccmsetup.cpp:465">
  <![LOG[DetectWindowsEmbeddedFBWF() Detecting OS Version]LOG]!><time="09:45:07.342+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="2600" file="ccmsetup.cpp:511">
  <![LOG[Client OS is not Windows XP Embedded]LOG]!><time="09:45:07.342+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="2600" file="ccmsetup.cpp:548">
  <![LOG[Successfully ran BITS check.]LOG]!><time="09:45:08.745+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="2600" file="ccmsetup.cpp:6948">
  <![LOG[Failed to successfully complete HTTP request. (StatusCode at WinHttpQueryHeaders: 401)]LOG]!><time="09:45:08.745+240" date="12-06-2007" component="ccmsetup" context="" type="3" thread="2600" file="ccmsetup.cpp:5813">
  <![LOG[Sending Fallback Status Point message, STATEID='308'.]LOG]!><time="09:45:08.760+240" date="12-06-2007" component="ccmsetup" context="" type="1" thread="2600" file="ccmsetup.cpp:9169">
  <![LOG[State message with TopicType 800 and TopicId {3BFABF82-FB74-43FB-8A4A-6DFDEAEAC25C} has been sent to the FSP]LOG]!><time="09:45:08.776+240" date="12-06-2007" component="FSPStateMessage" context="" type="1" thread="2600" file="fsputillib.cpp:730">
  ==============================================================
  There are two red errors I am concerned about:
  "Failed to successfully complete HTTP request. (StatusCode at WinHttpQueryHeaders: 401)
  and
  "Failed to download 'WindwosXP-KB923845-x86-ENU.exe' from http://HFXDBSSOM.corp.eastlink.ca/CCM_Client/i386/BITS25 with error code 0x80004005).
  What should I do to resolve these errors?
  Thanks,
  Peter

• Command line to run the SCCM client installation

  SCCM Client package have been distributed to all servers.  It will be available in \\servername\smspkgf$\GS2002B2
  Do we need a command line to run the SCCM client installation manually?

  More info:
  About Client Installation Properties in Configuration Manager
  http://technet.microsoft.com/en-us/library/gg699356.aspx
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Install SCCM client to server in DMZ: "MP does not exist"

  Hi,
  I’d need to put a management point/distribution point in a DMZ.
  Therefore I wanted to make sure this MP/DP works before I move it to this DMZ and I:
  *configured a Windows 2012 R2, (name: “DMZ01”) server with the prereqs*removed this server DMZ01 from the actual domain*added a DNS entry from DMZ to which I can connect successfully
  *added a network access account in order to push the sccm client
  *added correct boundary group
  Now when I try to deploy an SCCM client to it, I get a failure in the ccmsetup log saying MP does not exist:
  Failed to load mdmregistration.dll with error 0x8007007e          
  ccmsetup           
  27/04/2015 10:54:48       932 (0x03A4)
  Failed to load mdmregistration.dll. Continue deployment.        
  ccmsetup           
  27/04/2015 10:54:48       932 (0x03A4)
  An MP does not exist on this machine. ccmsetup           
  27/04/2015 10:54:48       932 (0x03A4)
  My questions:
  *should I use the management point affinity here to force finding the management point?
  *what about the domain certificate (that’s gone now since it isn’t domain joined anymore)? How to deal with this/revive this?
  Please advise.
  J.
  Jan Hoedt

  Ok, thanks.
  Note: there is no trust between the DMZ domain and the domain in which the "main" sccm server exists.
  What are the options there? F.e. could we use Mutual authentication just as with a Mac
  https://technet.microsoft.com/en-us/library/jj591553.aspx#BKMK_ManualCertifcateInstallation
  Jan Hoedt

• SCCM Client Installation Error and compmgr service issues

  Hi dudes,
  Hope you all are good. I am getting stuck in SCCM client installation. I have SCCM 2007 R3 setup. It's working perfect but recently getting errors in
  sccm client installation after facing some viruses issues in my environment.
  I search on that error but nothing found any relevant information related
  to the below error. I tried to manually installing the client but getting the error ccmsetup.exe is not a valid 32 bit application :(. Also while trying to start the configmgr service manager in tool box it gives the below snapshot error. Any help relevant
  to the below error very meaningful for me.
  Regards,
  Mohsin

  Hi Jason,
  Thank You for your response. Yes i tried it to manually start the service on client machine but it give the below error, 
  For component service manager, yes we are going forward to the restoration process using VM restore(as sccm is deployed on a VM and we take the full vm backup).
  Regards,
  Mohsin

• SCCM Client Installation - Options for "Retry" Setting

  Hey Guys - 
  I've got a fairly straightforward question for you.  When the SCCM Client is installed / deployed to a system, successfully downloads locally, but fails, it retries installation by default every 30 minutes.  When creating an Orchestrator runbook
  for Client Health, I'm needing ccmsetup to try only once.
  So basically, I'm trying to find out how to make ccmsetup.exe not retry installation and simply fail.  There is a "Retry" command line switch for ccmsetup (/retry:<Minutes>) where
  minutes may be specified, however, this does not pertain to the actual installation, but the initial download of the setup files.  It does not have an affect on the client installation, itself.
  Yes, a simple script could be created which could kill the process after X, but prefer a native (or at least better) solution.
  Any ideas?  Thanks!
  Ben K.

  Hey - Thanks for the reply...
  I totally understand what you are saying - but - the only reason I thought I'd ask is because it's being used in an Orchestrator Runbook as mentioned and processes which run after it won't start until it completes.  When it loops, it never completes.
  Basically, yes - I understand what you are saying and have done it 100 times, but in this case was wondering if there was a more "supported" method by chance.
  Thanks - 
  Ben K.

• Sccm client push installation problem

  in my company 22000 users and install sccm 2012(1 primary site in main dc  and 4 site system server in branch  )
  i enable automatic site-wide client push installation . only sccm client installed in 11000 computers during 7 month and  increment installation it very slowly 2-10 per month 
  how i install  svvm client in another computers automaticly
  please help me

  Yes. You can also manually create boundaries. Each client must fall under a boundary (eg IP Subnet, IP Range, AD site). You need to check that all are covered. Boundaries have to be added to boundary groups which are configured for site assignment.
  http://www.gerryhampsoncm.blogspot.ie/2013/02/sccm-2012-sp1-step-by-step-guide-part-6.html
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• Prevent SCCM Client Installation on the target computers

  I need a sure-fire way to prevent manual, automated, deployment, or push SCCM Client installs from specific computers (they are medical, and will violate FDA regulations if non-approved software is installed on them).  I'm aware of the Registry entry
  on the Site Server, but, am looking for something on the target computer side (RegHack, phoney file/folder, etc.).  Discovery of the computers, but inability to install the client is OK (we'll be removing them from the Discovery LDAP queries
  as needed).
  Our SCCM Hierarchy is in one Domain, and the clients all in other Domains, so, I could look at excluding the client install account, but, that won't stop a manual or automated install.
  Thanks.

  Did you see the following link?
  How to Prevent the Configuration Manager Client Software from Being Installed on Specific Computers
  Sabrina
  TechNet Community Support
  Hi Sabrina,
  i saw that this is for SCCM 2007 is it also working for SCCM 2012?
  I can't find the regsitry key for the 64 OS. Do i have to create it? Do you have any experience if ist working?

• Issue with sccm client installation

  hi,
  iam facing issue with sccm client 2007 installation on secondary site.please find the logs below,

  Refer for the above error : http://www.myitforum.com/forums/MSI-SMS-Advanced-Client-does-not-support-peruser-installations-m183336.aspx
  Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading
  the thread.

• SCCM Client Push installation comms/ports

  Hi all,
  I've done a bit of reading of articles/resources and I'm not quite clear on communication requirements. I read that ICMP ping is required in addition to various TCP ports for client push installation. Our setup is a hub and spoke design with firewalls which
  we don't administer between premises (convenient how 'site' is a key word in SCCM grrr) :)
  I thought we would be able to have Distribution Points/Management Points on remote premises and have the clients on those premises do all necessary communication with the local server in their same subnet in order to deploy the SCCM client and report status.
  Do I require ping etc through to the main server before it will use the local Distribution Point to deploy and report via the local Management Point?
  We have a few clients manually installed at a couple of remote premises which are reporting but can't push the client and we have many clients at our central premises which have had client push installation and reported back successfully - presumably because
  they are in the same subnet with no firewalls between.
  I also have a couple of manually installed clients at remote premises which are not reporting client activity but I'll look into that further once the main client push feature is working.
  Thanks for any clarification, I'm building my SCCM knowledge!
  R

  Hi Gerry,
  Thanks for your response and the resources on your blog.
  I have looked at the link but I'm still not clear on instances (if any) where direct communication is required between the client and the primary site server.
  Should clients be expected to be able to communicate only with their local distribution point/management point which is in the same subnet if they are firewalled from the primary site server as I have? How does SCCM know to have a remote distribution point
  do the communication to a client that is local to it without knowing the IP address? My servers have exceptions setup between them but the clients are fairly restricted to their own premises.
  My boundaries are configured per AD Site but unless SCCM checks DNS for IP address would it be able to determine the AD Site to have the nearest DP/MP handle all the client interaction?
  My query about ICMP was based on this link https://technet.microsoft.com/en-us/library/gg682180.aspx which says:
  "In addition to the ports listed in the following table, client push installation also uses Internet Control Message Protocol (ICMP) echo request messages from the site server to the client computer to confirm whether the client computer is available on
  the network."
  Edit: I see Jason has partly answered my question above - I spent too long typing this post :)
  Thanks