

rrasco


Everything posted by rrasco

  1. I found the certificates. I may be showing my greenness with certs (never could get my head wrapped around them) but I had to load the computer account certs in MMC. Running certmgr.msc only gives you user certs. My certs for SMS are indeed expired. Deleting them now and then I need to figure out how to repair the client.
  2. I am troubleshooting an issue where some client machines with the client agent are appearing in the device list as 'No' under the client column. Checking the ClientIDManagerSetup.log I see this: Researching this, possible causes are incorrectly configured boundaries or certificate issues. I tried scouring the logs on SCCM to find a specific error why the registration is being rejected, but I couldn't find anything related. I believe my boundaries are configured correctly, I have two in a boundary group, an AD boundary along with an IP range for my client machines. The next step in my process is to verify the certificates on the client machines. Looking at the cert manager on the client machines, I don't see an SMS folder or any certs related to SCCM. I do see this key with two entries in the registry though. My question is, how can I verify the certificates are correct and not expired for SCCM?
  3. Yesterday they kept showing up as a client after I uninstalled the client. It seems like it was pushing it back out to the clients, even after I disabled and restricted the discovery methods. It kept discovering them. Today, all those machines had the client again. I ran the uninstall again, deleted all the ccmsetup files (and CCM folder) from Windows directory and then removed them from SCCM console. It appears to have worked. For now.
  4. I did. I have a few updates, and in turn a few more questions... The SCEP client was pushed out to one of the two computers in my managed endpoint desktop device collection. This was the collection I deployed the client settings to, which included the SCEP installation. There are two devices in this collection, one is listed as a client, one is not (the one it didn't install on). Why would one machine be listed as a client and the other not? All of the machines discovered that were pushed the client, also say 'Yes' in the client column. The other one says 'No'. I was surprised to know that the configuration client was pushed out to all discovered devices automatically. I am attempting to remove the client from machines it was installed to, as I am not ready to deploy this just yet and wasn't aware the client was pushed upon discovery. I did not think ccmsetup would run until I applied client settings to a device collection; specifically the computer agent. These devices are not in a collection, just discovered. My current issue is after running ccmsetup /uninstall on the client machines, then deleting it from the device list in SCCM, it re-appears a little later. I'm assuming this is because the client is communicating with SCCM, thus it's rediscovered. I have modified my discovery methods to only discover 2 machines in a test OU. So, to summarize: 1. What are the criteria for a device to be a 'client' to SCCM? Specifically, showing a value of 'Yes' in the 'Client' column for devices? 2. How can I fully remove clients from SCCM (including uninstalling the client agent) once they have been discovered and pushed the client installation? Lastly, I REALLY appreciate all of you guys' help.
  5. I was able to successfully deploy the management client but it does not appear to be including the SCEP client. I see SCEPInstall.exe in the ccmsetup directory on the client machine, but it does not appear to have installed any EP client?
  6. Thanks for the guidance guys. There were only green checks in the Component Status console. Going off of Rocket Man's advice, I was looking for the Active Directory Forests status and discovered under the domain properties on the Publishing tab, there was an option 'Select the sites that will be published to this forest'. This is in addition to the check box on the Site properties dialog under the Publishing tab. Once I checked that box, the container immediately began populating. Now to see if I can get my endpoint clients pushed out.
  7. I'll review them. EDIT: Is that compmon.log or compsumm.log? I followed the guides, but I don't think the SCCM machine had control over the new container and the schema was not extended prior to SCCM installation.
  8. I know, I wasn't sure how much outside of the endpoint configuration I am actually doing by following your tutorials (thanks for those BTW). However, given your initial response to my question, I was able to work forward a little bit. I went ahead and extended the schema this afternoon, but I am still unable to get it to work. I'm waiting for SCCM to populate the System Management container, I have a feeling that is a major part of it now. Is there a way to do that manually, or do I just need to wait at this point? It's been a few hours. I've also tried rebooting the SCCM machine to kick it off, but to no avail.
  9. Does this mean I do need to extend the schema? I saw in another post of yours, which was in reference to SCCM 2007, that said four things were required for clients to query AD, which evidently my client install is trying to do. http://www.windows-n...tory/#entry2785
  10. I've also noticed that my System Management container in AD is empty. I was pretty sure I delegated control to the SCCM computer, but I did it to make sure. I also verified the site is set to publish to my domain, which it is. Is there any way to invoke SCCM to create the AD entries in the System Management container?
  11. I am really trying to do update-based client installations, but I was using the push as a test. After checking the ccm.log file, I could see there were no accounts set up for the client push, so I set one up. I also have this error below. File sharing and remote admin are enabled via GPO. And lastly this one: Once I set up the account, I tried an update-based installation, but am receiving this in the client's ccmsetup.log now: Reading a few other posts online, I heard some people say to set up boundaries and boundary groups, so I did that as well. I still get the same errors about failing to get assigned site from AD.
  12. I am having problems getting the endpoint protection client to push out to systems. I was curious, since I never extended my AD, does endpoint protection require the extended schema? I would have extended my schema, but I'm still testing and my only DC is in production and I wasn't sure if I even needed to extend the schema just for endpoint protection. That is all I am evaluating at this point. I have everything set up, Windows Update sees the client, but fails to install it. I just used the client push to install the client, which it says it did, but I still don't see endpoint on the client machine.