Configuring Microsoft Endpoint Configuration Manager (SCCM) for Internet Based Clients

Overview

Enable SCCM management for computers that connect to UO remotely. This article is intended for IT Administrators who manage SCCM. In order to complete this procedure you will need access to create, modify and link group policy in your OU as well as administrative access to Microsoft Endpoint Configuration Manager (SCCM).

Architecture

In addition to the existing SCCM infrastructure, there is an additional server that hosts the Management Point, Software Update Point, and Distribution Point roles for Internet based clients. It is important to be aware that any deployments made to a single distribution point will not reach both intranet and internet based clients. It is advised to use the Distribution Point Group instead which includes both the internal and external Distribution Points.

Install Client Certificate

  • Create a client deployment GPO
    1. Computers > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
      1. Configuration Model: Enabled
      2. Select Renew expired Certificates, update pending certificates, and remove revoked certificates
      3. Update certificates that use certificate templates
    2. Link to OU in AD where you want clients to receive this certificate
      1. (optional) If you would like to expidite the application of this new policy run the following on your client: gpupdate /force
  • Confirm Auto-Enrollment is working for your clients by checking personal store on client.
    • The client should have a certificate issued by SubCA using the IS SCCM Client Certificate template.
    • The client's certificate status is visible in SCCM by adding the Client Certificate column when viewing devices.

Client Configuration and Testing

Once the certificate is installed, the client should automatically register the new management point eventually (less than 24 hours).

If expediency is required the following steps can be performed:

  1. Restart the SMS Agent Host service (CcmExec)
  2. In Control Panel, open Configuration Manager
    • Run the Machine Policy Retrieval & Evaluation Cycle
    • Wait (longer than you think it should take) and then close and reopen Configuration Manager settings.
    • The Client Certificate should read: PKI
  3. Deploy an application to the client.
    • It is recommended to deploy content to the Distribution Point Group rather than an individual Distribution Point. This ensure that all clients will receive the content regardless of how they connect to SCCM.
  4. Deploy software updats to the client.
    • Internet clients will get the advertisement from SCCM, but it will download the content from the internet (Microsoft's servers).
  5. Relevant Log Files
    • Check the clientlocation.log to see if the client picked up the new management point.
    • Check the locationservices.log to see if client is communicating with the MP
    • Check the ClientIDManagerStartup.log to ensure that the agent validates the certificate and the client is set to use HTTPS when available.
    • Check the CAS.log to ensure that the client is configured to receive update advertisements from SCCM and whether the client is able to locate deployed content.
    • Check the datatransferservice.log for the status of content downloads.

Additional Information

The official documentation related to managing clients on the internet from Microsoft can be found here:

Details

Article ID: 107505
Created
Tue 5/12/20 4:27 PM
Modified
Mon 6/1/20 1:25 PM

Related Articles (2)

Provides information on how to use Microsoft's Software Center to install applications, updates and Operating System Upgrades.
This article is designed to guide instructors to support documentation for various software services that can be used for remote instruction and collaboration.