Configuring SCCM to cease management of end clients.

  • The title may be a bit confusing, but consider the scenario at my new place of work.

    We have SCCM set up on Domain1 mainly for patching, which is largely working.

    There is a completely separate Domain2, in its own network, completely segregated.

    Stakeholders would like to extend the scope of the SCCM on Domain1 to also cover Domain2 for patching purposes only. In my mind, the following was necessary:

    1. Define Boundaries and Boundary Groups for Domain2 end clients in Domain1's SCCM.
    2. Configure Firewall and Routing so the minimal traffic needed for SCCM can flow between Domain1 and Domain2.
    3. Deploy SCCM Client to Domain2 via appropriate means.
    4. Patch Domain2 clients via Domain1 SCCM.

    That’s a high-level overview of the implementation plan. However, it turns out to the surprise of many that Domain2 already has a straightforward installation of SCCM! It’s not actively doing anything, but it has automatic Client Push configured and is actually managing all Domain2 clients.

    The plan remains the same, but I now have to take SCCM on Domain2 out of the picture:

    1. I disabled all Discovery Methods
    2. I disabled Automatic Client Push
    3. I deleted existing Boundary Groups

    Having performed 1-3 I thought the clients on Domain2 would eventually be in an orphaned state, but this is not the case. They're still pointing to SCCM on Domain2.

    I need some guidance on what I need to do to actively stop SCCM on Domain2 from managing the clients (without decommissioning the infrastructure at this stage). Is it the case that the minute I push out the client from Domain1’s SCCM the clients will automatically point to the new MPs? I’m wondering whether me disabling points 1-3 just prevented new clients from being pushed out and to prevent the end clients from flipping from the SCCM on Domain1 to Domain2 and vice versa.

    Wednesday, November 22, 2017 11:12 AM

All replies

  • > "I thought the clients on Domain2 would eventually be in an orphaned state"

    As you've discovered, none of those things that you've disabled in any way affect the actual managed state of current clients.

    > "Is it the case that the minute I push out the client from Domain1’s SCCM the clients will automatically point to the new MPs?"

    Yes, assuming that the communication path is truly open and there is no group policy in place forcing a client site code.

    > "I’m wondering whether me disabling points 1-3 just prevented new clients from being pushed out"

    #1 and #2 above did that. #3 has nothing to do with which systems are managed or not.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, November 22, 2017 12:46 PM
  • Thanks for your input, Jason. In that case, once I've ironed out the communication/network issues, I should be able to manage Domain2 via Domain1's SCCM fairly shortly. The key point is that there will no longer be a conflict between the two SCCM environments.


    Wednesday, November 22, 2017 3:08 PM
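
The two conditions named in the reply above (an open communication path and no Group Policy forcing a site code) can be checked locally on a Domain2 client before the Domain1 client is pushed. This is an added example, not code from the thread: the site code `D01` and the host `mp01.domain1.example` are placeholders, and ports 80/443 assume the ConfigMgr default client ports are in use.

```powershell
# Added example: pre-migration check, run locally on a Domain2 client.
# $NewSiteCode and $NewMP are placeholders; replace them with the Domain1 values.
param(
    [string]$NewSiteCode = 'D01',                   # placeholder Domain1 site code
    [string]$NewMP       = 'mp01.domain1.example',  # placeholder management point FQDN
    [int[]] $Ports       = @(80, 443)               # assumed default client ports
)

$result = [ordered]@{
    Computer         = $env:COMPUTERNAME
    AssignedSiteCode = $null
    CurrentMP        = $null
    GPForcedSiteCode = $null
    GPBlocksNewSite  = $false
}

# Current assignment as reported by the installed client (WMI namespace root\ccm).
try {
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop |
        Select-Object -First 1
    $result.AssignedSiteCode = $authority.Name -replace '^SMS:', ''
    $result.CurrentMP        = $authority.CurrentManagementPoint
} catch {
    $result.AssignedSiteCode = '(no ConfigMgr client found)'
}

# Site code forced by Group Policy (value written by the site-assignment policy template).
$key = 'HKLM:\SOFTWARE\Microsoft\SMS\Mobile Client'
$gp  = (Get-ItemProperty -Path $key -Name 'GPRequestedSiteAssignmentCode' `
            -ErrorAction SilentlyContinue).GPRequestedSiteAssignmentCode
if ($gp) {
    $result.GPForcedSiteCode = $gp
    # A forced code that differs from the new site keeps the client on the old site.
    $result.GPBlocksNewSite  = ($gp -ne $NewSiteCode)
}

# Communication path from this client to the new management point.
foreach ($port in $Ports) {
    $t = Test-NetConnection -ComputerName $NewMP -Port $port -WarningAction SilentlyContinue
    $result["Port$port"] = $t.TcpTestSucceeded
}

[pscustomobject]$result
```

A client is ready to be reassigned when `GPBlocksNewSite` is `False` and the port checks return `True`; `Test-NetConnection` requires Windows 8.1 / Server 2012 R2 or later.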