mbkowns

As of now its possible without blocking to remove Endpoint Protection from the add remove programs wizard (I could block this as well). If I do this manually after deploying FEP through a client setting deployment it will not reinstall. I do full hw inventory and download machine policy but it never evaluates and installs again. I could build a package in SCCM with logic or based off a CI and baseline to do this but I am wondering how this is supposed to work without that. It appears that a client policy should refresh and detect if it is installed and perform a redeployment based on that. Let me know what you guys are doing to keep your FEP clients managed. Thanks

It appears that I needed to use the FQDN of the Internet name not the hostname of the machine. Once I used that it worked properly.

I am trying to validate HTTP using the link below but I receive the error Error 403.7 - Forbidden. I can go to https://hostname.fqdn.com/ and everything comes up fine, its only when I go to the test link. SCCM 2012 R2 on Server 2012(MP) with all windows patches. Server 2008 R2 (Primary) mpcontrol.log shows Completed validation of Certificate [Thumbprint ba0ace702cd3add1972a84b48e4eba876e23d9ec] issued to 'hostname.fqdn.com' SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70) Certificate doesn't have SAN2 extension. SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70) Using custom selection criteria based on the machine NetBIOS name. SMS_MP_CONTROL_MANAGER 10/28/2013 4:30:28 PM 3184 (0x0C70) Failed to retrieve client certificate. Error -2147467259 Call to HttpSendRequestSync failed for port 443 with -2147467259 error code. https://hostname.fqdn.com/SMS_MP/.sms_aut?MPLIST HTTP Error 403.7 - Forbidden The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes. Most likely causes: The page you are attempting to access requires an SSL client certificate. You are browsing to the page using HTTP. The client certificate has expired or the effective time has not been reached. The root certificate (the Certificate Authority certificate) of the client certificate issuing server is not installed on the Web server. Things you can try: Contact the site administrator to obtain a valid client certificate for the Web site. Try browsing to the page using HTTPS. If you have a client certificate installed, check if it has expired or if the effective time has not been reached. Verify that the root certificate is installed on the Web server.

The SITE is configured for HTTP/HTTPS so globally clients communicate on both ports. When I set a Management point to HTTPS it stops responding to clients through HTTP. Is there a way to keep communication to those clients without PKI certs?

bump

Domain A is untrusted by Domain B. Domain A has the working PKI enabled sccm infrastructure, with a operating certificate authority. I want to manage clients from Domain B. I see that I can add the domain forest in the console with an account for discovery that part is straight forward. Also ensuring local admin accounts for pushing the client are created in Domain B and populated in the SCCM infrastructure of Domain A. Again that part is straight forward, but how do I go about getting PKI to work. How do I configure functioning PKI from Domain A to work on Domain B without a domain trust? Do I need another certificate authoirty on Domain B, export the cert and add it to the SCCM infrastructure on Domain A? Is there a way to use a single certificate authority to manage the cross forest untrusted domain? The next question is how do I get auto enrollment to work with the cert on Domain B? thanks for your help!

Is there a way I could remove computers not found in AD from a collection membership? Using this to grab all systems select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemRole = "Workstation")