Enterprise Software Thread, SCCM 2012 and FEP 2012 in Technical; Still not had any luck! We're using HTTP (eg. whatever is default out of the box).
Driving me mad now!...
24th July 2012, 02:17 PM #16
Still not had any luck! We're using HTTP (eg. whatever is default out of the box).
Driving me mad now!
24th July 2012, 03:04 PM #17
Your setup looked like it completed OK (according to your ccmsetup.log) but it doesn't reference scep at all, it just references the client.msi.
Can you confirm your site server has the endpoint protection role? is it ok in monitoring/system status/component status?
The ccmsetup.log should the following in this order but with loads of rubbish in between:
*Item 'SCEPInstall.exe' is applicable. Add to the list.
*Discovering whether item 'SCEPInstall.exe' exists.
*Item SCEPInstall.exe has not been installed yet. Put to pending install list.
*Adding file 'http://someserver:80/SMS_DP_SMSPKG$/sitecode00002/SCEPInstall.exe' to BITS job, saving as 'C:\Windows\ccmsetup\SCEPInstall.exe'.
*C:\Windows\ccmsetup\SCEPInstall.exe is Microsoft trusted.
In 2012 it downloads scep and dumps it in C:\windows\ccmsetup. On another machine, do an install and keep an eye in the windows\ccmsetup\ folder for the files are you tell it to install and keep an eye on the ccmseup.log. Does it copy over all the content? for instance it grabs silverlight, then scep, then windowsfirewallconfigurationprovider just after the client has downloaded.
Try doing a manual install by getting the files off the server (handy to have anyway), you have something you can compare logs with.
Last edited by Theblacksheep; 24th July 2012 at 03:08 PM.
Thanks to Theblacksheep from:
localzuk (26th July 2012)
24th July 2012, 03:27 PM #18
I can't remember how I told the EP client agent to install but I suspect that's because it happens automatically once you add the role. It happens automatically for me now on Windows 7 computers so try this... (this is a step towards production but I'm still halfway twixt XP and 7 so it's workable as a test environment still)
* Set up your discovery methods if you haven't already (ask if you're not sure but there are links about, search Google for windows-noob.com results for some good stuff)
* Set up a GPO that only applies to Windows 7 computers with a WMI filter:
- use this GPO to set your SCCm server as the WSUS server under Windows Update]
select * from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"
* In SCCM, under Administration, expand Site Configuration, click on Sites and click on Client Installation Settings in the ribbon abd choose Software Update-Based Client Installation. Tick the box and OK.
* Just below that, cick Servers and Site System Roles and make sure your server is set up as an Endpoint Protection Point (right click and Add Site System Roles if it's not listed at the bottom)
* After that it should all just... work. It does here, anyway, and I faffed about doing it the HTTPS way.
As @Theblacksheep says, you should see hints of it in ccmsetup.log that's in c:\windows\ccmsetup. It sometimes takes a while to download stuff using BITS but once you've set a computer running windows update (gpupdate /force, then wuauclt /reportnow then wuauclt/detectnow) it will just do it all quietly in the background, you'll just have to check the systray and look for the green shield to see if it's worked.
Further reading (including automatic approval & deployment of definition updates): using SCCM 2012 RC in a LAB - Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings - Configuration Manager 2012 - Release Candidate - www.windows-noob.com
EDIT: further check: has FEP installed on your SCCM server? It should do as part of setup, if it's not running on that server yet then it won't deploy to clients
Thanks to sonofsanta from:
localzuk (26th July 2012)
26th July 2012, 09:25 AM #19
Right. An update on this. I'm currently resolving some issues caused by the fact that we have a domain forest here, and the SCCM server was failing to publish to the AD as the permissions it had weren't good enough.
Also, there is an issue with our group policy somewhere as no registry settings are being applied for some reason. So, I'll work through those 2 issues and come back when it all works, with a description of exactly what caused all this!
26th July 2012, 10:36 AM #20
Aannddd.... Its working
I had to fix the AD publishing, and then add a Boundary Group.
I didn't at all do a fist pump or dance in the office...
26th July 2012, 01:42 PM #21
Originally Posted by localzuk
(I should add, as well, that the only reason I used the Windows 7 WMI filter earlier was because I'm rolling Win7 out at the moment and don't want to clog SCCM up with old XP clients that are about to die. It's not necessary)
26th July 2012, 01:58 PM #22
Indeed, I ignored it, as I don't care which machines get it. They'll all be Windows 7 by the end of next week.
Originally Posted by sonofsanta
Also found that something in our default domain policy was being weird too. Now fixed and all is as it should be. I shall reward myself with beer tonight!
26th July 2012, 02:14 PM #23
Glad you got it working.
Originally Posted by localzuk
The boundary group got me even after setting up. I had one range for testing and couldnt work out why a PC in new range (vlan) wasn't receiving the software. Low an behold SCCM2012 uses boundary groups to detect distribution groups and in turn content delivery. No boundary group, no content.
Last edited by Theblacksheep; 26th July 2012 at 02:21 PM.
By HMCTech in forum Enterprise Software
Last Post: 27th April 2012, 09:47 AM
By pete in forum Enterprise Software
Last Post: 7th June 2011, 01:17 PM
By earlyriser in forum Educational IT Jobs
Last Post: 23rd April 2011, 09:57 PM
By jj99 in forum O/S Deployment
Last Post: 30th March 2010, 03:33 PM
By azrael78 in forum O/S Deployment
Last Post: 3rd December 2009, 07:30 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)