I have two questions to ask:
1- I have an SCCM server (CAS+PRI) with about 7000 clients, and 1500 clients are showing as un-managed in the SCCM console. I want to know the way to troubleshoot my deployed custom SCEP policy and how to turn un-managed clients into managed clients.
2- All of my clients currently receive definition updates from ConfigMgr (ADR) and a UNC share. I have one upstream/downstream WSUS servers. My question is: can I create an automatic rule on the WSUS server to provide an extra update source to my clients?
1. With an abundance of clients showing as unmanaged, one of the first things I would look for would be to make sure boundaries are correct. I would look at the logs on the clients located at c:\windows\ccmsetup to see if there are errors, and also look at c:\windows\ccm\logs and check LocationServices.log and clientlocation.log.
2. Yes, but there are some things to consider. If group policy sets a WSUS server, it will supersede the policy that SCCM makes if you are doing updates from SCCM. With that in mind, it will keep updates from SCCM from working correctly. If you decide to use WSUS when configuring your AntiMalware policies, just be sure WSUS is checked as a source for definition updates.
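The log check suggested in the reply above, as an added example that is not part of the original thread: it parses the CMTrace-style entry format used by the ConfigMgr client logs and lists warnings (type 2) and errors (type 3). The function name Get-CMLogProblem and the sample entries are constructed for illustration; the folders and log names are the ones mentioned in the reply.

```powershell
# Added example, not from the thread. Parses ConfigMgr client log entries
# (CMTrace format) and keeps warnings (type 2) and errors (type 3).
function Get-CMLogProblem {
    param([string]$Text, [string]$Source = 'inline')
    # (?s) lets a message span several lines, which these logs allow.
    $pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" ' +
               'date="(?<date>[^"]+)" component="(?<comp>[^"]*)" ' +
               'context="[^"]*" type="(?<type>\d)"'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $type = [int]$m.Groups['type'].Value
        if ($type -ge 2) {
            [pscustomobject]@{
                Source    = $Source
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['comp'].Value
                Severity  = if ($type -eq 3) { 'Error' } else { 'Warning' }
                Message   = $m.Groups['msg'].Value.Trim()
            }
        }
    }
}

# Constructed sample entries (not real log output) so the parser runs offline.
$sample = @'
<![LOG[Sample informational entry]LOG]!><time="09:15:01.120-60" date="08-30-2014" component="LocationServices" context="" type="1" thread="2040" file="example.cpp:1">
<![LOG[Sample error entry]LOG]!><time="09:15:02.480-60" date="08-30-2014" component="LocationServices" context="" type="3" thread="2040" file="example.cpp:2">
'@
Get-CMLogProblem -Text $sample -Source 'constructed sample' | Format-Table -AutoSize

# Folders and log names mentioned in the reply above; skipped if absent.
$logs = @()
$logs += Get-ChildItem 'C:\Windows\ccmsetup' -Filter '*.log' -Recurse -ErrorAction SilentlyContinue
$logs += Get-ChildItem 'C:\Windows\CCM\Logs' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(LocationServices|ClientLocation).*\.log$' }

$logs | ForEach-Object {
    Get-CMLogProblem -Text (Get-Content $_.FullName -Raw) -Source $_.Name
} | Format-Table -Wrap
```

Run it from an elevated prompt on an affected client; the first table comes from the constructed sample, the second from whatever logs exist on that machine.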
Thanks dear for your reply.
Boundaries are correct and I will re-check them, as my clients are distributed location-wise. Moreover, can you tell me about the logs for SCEP on the server side and client side? I usually check mpcmdrun and mpsig.....
2- Yes, GP is set, but I'm using the same WSUS server in the GPO as my SCCM servers. I just wanted to know: as I have created the ADR in SCCM to download SCEP updates automatically, can I create a rule in the WSUS server too?
If there is a GPO conflict it will tell you in the deployment monitoring of the ADR.
Like Peter says, make sure all the clients are in a collection with endpoint enabled in the client settings and make sure they have received policy.
I usually create a couple of collections for client state:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
where (SMS_R_System.Client is null or SMS_R_System.Client = 0) and SMS_R_System.Name != 'Unknown'

If these clients don't show in any of the two above collections, then as long as they are receiving the endpoint enabled settings and malware policy you should be ok.
- Edited by Richard.Knight Saturday, August 30, 2014 10:19 AM
I have checked my ConfigMgr boundaries, and definition updates via WSUS are working fine. Actually, I have issues with some clients showing as unmanaged: although they're healthy and receiving updates/policy, I see them as unmanaged in the console. Moreover, I am also seeing some false reporting on my console: the majority of my clients are reported as up to date, but their definition dates are older in the console. Is there any database-level issue which is causing this?