Configuring Microsoft Endpoint Configuration Manager (MECM) for Internet Based Clients

Tags sccm


Enable MECM management for computers that connect to UO remotely. This article is intended for IT Administrators who manage MECM. In order to complete this procedure you will need access to create, modify and link group policy in your OU as well as administrative access to Microsoft Endpoint Configuration Manager (MECM).


In addition to the existing MECM infrastructure, there is an additional server that hosts the Management Point, Software Update Point, and Distribution Point roles for Internet-based clients. It is important to be aware that any deployments made to a single distribution point will not reach both intranet and internet-based clients. It is advised to use the Distribution Point Group instead which includes both the internal and external Distribution Points.

Install Client Certificate

  • Create a client deployment GPO
    1. Computers > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
      1. Configuration Model: Enabled
      2. Select Renew expired Certificates, update pending certificates, and remove revoked certificates
      3. Update certificates that use certificate templates
    2. Link to the OU in Active Directory (AD) where you want clients to receive this certificate
      1. (optional) If you would like to expedite the application of this new policy run the following on your client: gpupdate /force
  • Confirm Auto-Enrollment is working for your clients by checking personal store on client.
    • The client should have a certificate issued by SubCA using the IS MECM Client Certificate template.
    • The client's certificate status is visible in MECM by adding the Client Certificate column when viewing devices.

Client Configuration and Testing

Once the certificate is installed, the client should automatically register the new management point eventually (less than 24 hours).

If expediency is required the following steps can be performed:

  1. Restart the SMS Agent Host service (ccmexec)
  2. In Control Panel, open Configuration Manager
    • Run the Machine Policy Retrieval & Evaluation Cycle
    • Wait, then close and reopen Configuration Manager settings.
    • The Client Certificate should read: PKI
  3. Deploy an application to the client.
    • It is recommended to deploy content to the Distribution Point Group rather than an individual Distribution Point. This ensure that all clients will receive the content regardless of how they connect to MECM.
  4. Deploy software updates to the client.
    • Internet clients will get the advertisement from MECM, but it will download the content from the internet (Microsoft's servers).
  5. Relevant Log Files
    • Check the clientlocation.log to see if the client picked up the new management point (MP).
    • Check the locationservices.log to see if client is communicating with the MP
    • Check the ClientIDManagerStartup.log to ensure that the agent validates the certificate and the client is set to use HTTPS when available.
    • Check the CAS.log to ensure that the client is configured to receive update advertisements from MECM and whether the client is able to locate deployed content.
    • Check the datatransferservice.log for the status of content downloads.

Additional Information

The official documentation related to managing clients on the internet from Microsoft can be found here:


Article ID: 107505
Tue 5/12/20 4:27 PM
Thu 2/16/23 4:32 PM

Related Articles (2)

Provides information on how to use Microsoft's Software Center to install applications, updates and Operating System Upgrades.
This article is designed to guide instructors to support documentation for various software services that can be used for remote instruction and collaboration.