SCCM Policies and SCEP Deployment Issues

I'm having several issues with SCCM 2012 R2.

I have inherited an existing SCCM 2012 R2 installation. The company does not want me to rebuild it from the ground up using best practices, so I'm doing what I can with it.

Issue #1: SCEP does not auto deploy to new systems;
Issue #2: Client policies do not update;
Issue #3: Anti-malware policies do not update.

Starting out, I guess I need to look at issue #2 before I look at the others.

The client is auto-deploying as far as I can tell.  I do not have any GPOs that push the software to the clients, so it appears that the system wide deployment of the client is working correctly.

As for the policies not being updated, I have created a new policy that is assigned to newly defined device collections. I have checked the membership of the collections and it is populating/selecting the assets correctly.

I have picked a handful of computers out of the collection to use for information gathering.  Looking at the log files, it shows that it is applying policies, but it does not identify which policy from the SCCM server.

With the new policies that I've created, I've enabled Endpoint Protection, Hardware Inventory, Power Management, Remote Tools, Software Deployment, Software Metering, and User and Device Affinity. After 13 days, the options within the policy have not taken effect, as I have checked the clients and the settings from the Remote Tools and Power Management haven't been applied. I waited this long since several of the settings were set at 7 days before re-evaluation.

I'm not sure where to go next on this issue.

On issues #1 & 3, the computers that did get the initial config push and SCEP install, before I came on, are operating and reporting back to the SCCM manager that they are in a managed state, which is fine, but they are not applying any newly defined policies. Checking the logs on the clients shows that they are applying the Default Client Settings and not any of the other policies that are set to deploy to All Systems or any other collection I've defined. Also checking the anti-malware policy logs on the clients, they are also still applying the Default Client Antimalware Policy, not any of the custom policies, just like the SCCM client issue. In the EndpointProtectionAgent.log, I have several lines showing "Deployment WMI is NOT ready." The same is in several of the other log files, so I've checked that all the WMI services are running and I have tested management with the PoshCat utility and all of the commands are working in there and the output reports all seem to be reporting correctly.

Any pointers or starting points would be greatly appreciated.

February 20th, 2015 2:08pm

Should be a really simple fix. How many client policies do you have deployed? Where are they deployed? Does inventory or software distribution function?
February 20th, 2015 3:37pm

For the 'Client Settings', I have 4 listed: Default Client Settings, EP Settings (existing that I have set to deploy to a group that only has 1 computer left in it), Server Policy, and Workstation Policy (applies to all clients that have 'workstation' in the version name).

For SCEP, just 2: Default Client and Custom SCEP.

The inventory and software distribution... let's look at the inventory function.  I have nothing showing in '\Assets and compliance\Overview\Asset Intelligence\Inventoried Software'.

As for software distribution, I am not sure how to check that -- I haven't set up any deployed software packages yet... but the SCEP and Windows Updates are the only things showing up.  SCEP is not deploying to any new workstations, but it appears all the Windows Updates are deploying correctly to all the workstations.
I just checked the SrcUpdateMgr.log on a client and I've found several lines of 'Instance of CCM_SourceUpdateClientConfig doesn't exist in WMI'

Checking the SoftwareCatalogUpdateEndpoint.log file, I have several lines that just repeat...
---
Software catalog update endpoint is starting
Logo event received
Logon user SID: [...]
Retrieving URL for software Catalog
Software Catalog update endpoint is loading
Received notification for client agent setting or portal information change
Retrieving URL for Softwware Catalog
Making call to determin whether catalog Url should be added to the trusted sites zone
Updating the registry for Software Catalog for user '[...]'
Notification system applicaton: C:\Windows\CCM\UpdateTrustedSites.exe
Started UpdateTrustedSites process
Making call to determine whether keys to enable Silverlight elevated trust should be added
Enable elevated trust is set to false. Setting the keys to 0
CSoftwareCatalogUpdateHandler::UpdateSilverlightRegistry: Successfully set elevated trust on this client for Silverlight
CSoftwareCatalogUpdateHandler::UpdateSilverlightRegistry: Successfully set elevated trust on this client for Silverlight
CSoftwareCatalogUpdateHandler::UpdateSilverlightRegistry: Successfully set elevated trust on this client for Silverlight
Received notification for client agent setting or portal information change
---

And it does show the Silverlight lines 3 times each time in the repeats. The repeat time stamps look like they alternate: 20 minutes, then 2 hours, then 20 minutes, then 2 hours, etc.

February 20th, 2015 4:31pm

In the Updates Deployment log, I have the following lines:

Software Updates client configuration policy has not been received.
Software updates functionality will not be enabled until the configuration policy has been received. If this issue persists please check client/server policy communication.
Software Updates feature is disabled.

February 20th, 2015 4:34pm

I have now found the following lines in CCMNotificationAgent.Log:

<![LOG[Bgb client agent is starting...]LOG]!><time="11:06:21.650+360" date="02-23-2015" component="BgbAgent" context="" type="1" thread="588" file="agentendpoint.cpp:238">
<![LOG[Bgb client agent is disabled]LOG]!><time="11:06:21.676+360" date="02-23-2015" component="BgbAgent" context="" type="2" thread="588" file="agentendpoint.cpp:242">
<![LOG[TCP Listener is disabled.]LOG]!><time="11:06:21.678+360" date="02-23-2015" component="BgbAgent" context="" type="2" thread="588" file="agentendpoint.cpp:247">
<![LOG[BgbController main thread is started with settings: {bgb enable = 0}, {tcp enabled = 0}, {tcp port = 0} and {http enabled = 0}.]LOG]!><time="11:06:21.681+360" date="02-23-2015" component="BgbAgent" context="" type="1" thread="588" file="bgbcontroller.cpp:126">

This is also found on all computers, the ones that have had an initial policy working, but that are no longer updating.

February 23rd, 2015 6:44pm
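
Added example, not part of any post in this thread: a parser for the CMTrace-style entries quoted above from CCMNotificationAgent.log. It converts each timestamp to UTC, lists the entries the client logged as warning or error, and reads the BgbController startup settings. Function names are hypothetical, and treating the "+360" suffix as a UTC bias in minutes is an assumption.

```python
import re
from datetime import datetime, timedelta

# The four CCMNotificationAgent.log lines quoted in the post above, verbatim.
SAMPLE = r'''<![LOG[Bgb client agent is starting...]LOG]!><time="11:06:21.650+360" date="02-23-2015" component="BgbAgent" context="" type="1" thread="588" file="agentendpoint.cpp:238">
<![LOG[Bgb client agent is disabled]LOG]!><time="11:06:21.676+360" date="02-23-2015" component="BgbAgent" context="" type="2" thread="588" file="agentendpoint.cpp:242">
<![LOG[TCP Listener is disabled.]LOG]!><time="11:06:21.678+360" date="02-23-2015" component="BgbAgent" context="" type="2" thread="588" file="agentendpoint.cpp:247">
<![LOG[BgbController main thread is started with settings: {bgb enable = 0}, {tcp enabled = 0}, {tcp port = 0} and {http enabled = 0}.]LOG]!><time="11:06:21.681+360" date="02-23-2015" component="BgbAgent" context="" type="1" thread="588" file="bgbcontroller.cpp:126">'''

ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR = re.compile(r'(\w+)="([^"]*)"')
CLOCK = re.compile(r'(\d+:\d+:\d+)\.(\d+)([+-]\d+)')
SETTING = re.compile(r'\{([^{}=]+?)\s*=\s*([^{}]*?)\}')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace type codes

def parse_cmtrace(text):
    """Return one dict per CMTrace-format entry, with the timestamp in UTC."""
    entries = []
    for m in ENTRY.finditer(text):
        a = dict(ATTR.findall(m.group("attrs")))
        hms, frac, bias = CLOCK.match(a["time"]).groups()
        local = datetime.strptime(f'{a["date"]} {hms}', "%m-%d-%Y %H:%M:%S")
        local += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
        entries.append({
            # Assumption: the suffix is the UTC bias in minutes (UTC = local + bias).
            "utc": local + timedelta(minutes=int(bias)),
            "severity": SEVERITY.get(a.get("type"), "unknown"),
            "component": a.get("component", ""),
            "source": a.get("file", ""),
            "message": m.group("msg"),
        })
    return entries

def flagged(entries):
    """Entries the client logged as warning or error."""
    return [e for e in entries if e["severity"] in ("warning", "error")]

def bgb_settings(entries):
    """Parse the {name = value} pairs from the BgbController startup line."""
    for e in entries:
        if e["message"].startswith("BgbController main thread"):
            return {k.strip(): int(v) for k, v in SETTING.findall(e["message"])}
    return {}

if __name__ == "__main__":
    log = parse_cmtrace(SAMPLE)
    for e in flagged(log):
        print(e["utc"].isoformat(), e["severity"], e["source"], e["message"])
    print(bgb_settings(log))
```

Normalising to UTC lets entries from clients in different time zones be lined up against the site server's own logs.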

Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?

June 13th, 2015 3:10pm

Hi Garth.  I have not received any information yet and have had no solution.
June 17th, 2015 9:37am

Since no one has answered this post, I recommend opening a support case with Microsoft Customer Support Services (CSS) as they can work with you to solve this problem.

June 17th, 2015 11:02am

This topic is archived. No further replies will be accepted.