

wilbywilson

SCCM/SCEP Client Push Scenarios


We are in the process of migrating machines into a new domain, which already has SCCM 2012 configured. Shortly after migrating a machine, it will show up in the SCCM 2012 console (via AD System discovery). From that point, we can highlight it, and push down the SCCM 2012 client. Usually this happens quickly, but in a couple of cases it's taken some extra time. That potential/initial delay isn't that big of a deal in my opinion; the big issue is that the SCEP client does not always come down promptly after the main client installation. I configured SCEP according to Microsoft recommendations: it's not part of the default SCCM client settings, it's part of a separate/custom SCCM client setting. We have SCEP policies for laptops, desktops, VMs, servers, etc. Each of those policies is associated with an SCCM collection.

So, the issue is that when a machine gets the SCCM client, it then has to run software/hardware inventory, and report back to the MP. From there, it will join itself to the proper EndPoint collection, and subsequently get the SCEP client and correct SCEP policy. This is all working; it's just taking a while (a few hours, or sometimes the next day), and in the interim, clients have no anti-virus installed. (The machines previously had an anti-virus software called Vipre, and we are removing Vipre with a script right before we push down the SCCM client. Unfortunately, SCEP 2012 cannot automatically remove Vipre when it installs itself. So unless we want 2 anti-virus programs running at the same time, we need to remove Vipre beforehand.)

So, we are mostly worried about that interim period. Especially for laptop users that may leave the office with the SCCM client, but not necessarily with SCEP, if they haven't got the SCEP client/policy delivered to their machine yet. I guess that we could manually add each machine to the appropriate EndPoint collection (the SCEP client *does* come down very quickly if we do that), but that is a manual step, and we're trying to automate things as much as possible.

Does anyone have any suggestions on how we can make this as smooth as possible, without exposing the clients to that interim period where they have no anti-virus software?


You can force a machine policy on those machines at the end of OSD or via another method; this will speed things along as expected.

Here's a script Eswar created:

http://eskonr.com/2011/01/script-to-trigger-sccm-machine-policy-or-hardware-inventory-action-agent-on-sccm-clients/
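
As an added example (not part of the original posts and not Eswar's script), this PowerShell sketch triggers hardware inventory and machine policy retrieval/evaluation on a list of freshly migrated machines, then reports which of them still have no running antimalware service, so the unprotected interim period is visible. The input file name is hypothetical, the SCEP service name `MsMpSvc` is an assumption to verify in your environment, and it assumes PowerShell 3.0 or later with remote WMI access and local admin rights on the targets.

```powershell
param(
    # Hypothetical input file: one computer name per line.
    [string]$ComputerList = '.\migrated-machines.txt'
)

# Client action schedule IDs passed to SMS_Client.TriggerSchedule.
$Actions = [ordered]@{
    'Hardware Inventory'        = '{00000000-0000-0000-0000-000000000001}'
    'Machine Policy Retrieval'  = '{00000000-0000-0000-0000-000000000021}'
    'Machine Policy Evaluation' = '{00000000-0000-0000-0000-000000000022}'
}

function Invoke-ClientAction {
    param([string]$Computer, [string]$ScheduleId)
    # Calls the ConfigMgr client's WMI provider on the remote machine.
    Invoke-WmiMethod -ComputerName $Computer -Namespace 'root\ccm' `
        -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList $ScheduleId -ErrorAction Stop | Out-Null
}

$results = foreach ($computer in Get-Content -Path $ComputerList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }   # skip blank lines

    $row = [ordered]@{ Computer = $computer; Triggered = @(); AVService = 'unknown'; Error = $null }
    try {
        foreach ($name in $Actions.Keys) {
            Invoke-ClientAction -Computer $computer -ScheduleId $Actions[$name]
            $row.Triggered += $name
        }
        # Assumption: the SCEP antimalware service is registered as MsMpSvc.
        $svc = Get-WmiObject -ComputerName $computer -Class Win32_Service `
            -Filter "Name='MsMpSvc'" -ErrorAction Stop
        $row.AVService = if ($svc) { $svc.State } else { 'not installed' }
    }
    catch {
        # Unreachable host, missing ConfigMgr client, or access denied.
        $row.Error = $_.Exception.Message
    }
    $row.Triggered = $row.Triggered -join ', '
    [pscustomobject]$row
}

$results | Format-Table -AutoSize

# Machines still without a running antimalware service: keep these on the
# watch list (or hold laptops back) until SCEP has installed.
$results | Where-Object { $_.AVService -ne 'Running' } | Select-Object Computer, AVService, Error
```

Collection membership is evaluated on the site server, so policy retrieval may need to be triggered again once the machine has actually landed in its EndPoint collection.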
