System Center 2012 R2 Configuration Manager – CcmSetup failed with error code 0x87d00280

Symptom: When installing the System Center 2012 R2 Configuration Manager client manually, the installation never seems to finish. The install log at C:\Windows\ccmsetup\Logs\ccmsetup.log shows the behavior in the excerpt below, which points mostly to client HTTPS/certificate errors.
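The warning and error entries in a ccmsetup.log like the one quoted on this page can be pulled out mechanically instead of read line by line. The following is an added example, not part of the original post or any Microsoft tooling: a Python parser for the `<![LOG[...]LOG]!><... type="N" ...>` entry format that keeps the type 2 and type 3 entries and summarises the certificate lookup. The function names and the embedded sample (abridged from this page's excerpt) are assumptions of the example.

```python
import re
from collections import Counter

# Attribute values are normally wrapped in ASCII double quotes. The excerpt on
# this page has typographic quotes instead, so both kinds are accepted.
_Q = '"\u201c\u201d\u2033'
ENTRY_RE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r"(\w+)=[{q}]([^{q}]*)[{q}]".format(q=_Q))
HRESULT_RE = re.compile(r"\b(?:0x)?(8[0-9a-fA-F]{7})\b")
SEVERITY = {2: "warning", 3: "error"}  # type values carried by the failing lines

# Abridged from the excerpt on this page: attributes trimmed, one multi-line
# entry shortened. Both quote styles are mixed on purpose.
SAMPLE_LOG = """
<![LOG[Found MP https://SCCM01.mydomain.local from AD]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6197″>
<![LOG[Sending message body '<ContentLocationRequest SchemaVersion="1.00">
<AssignedSite SiteCode="001"/>
</ContentLocationRequest>
']LOG]!><time="16:00:05.342+300" date="09-19-2014" component="ccmsetup" context="" type="0" thread="2624" file="siteinfo.cpp:96">
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time="16:00:05.389+300" date="09-19-2014" component="ccmsetup" context="" type="1" thread="2624" file="ccmcert.cpp:4409">
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time="16:00:05.436+300" date="09-19-2014" component="ccmsetup" context="" type="2" thread="2624" file="ccmcert.cpp:4702">
<![LOG[There are no certificates in the 'MY' store.]LOG]!><time="16:00:05.436+300" date="09-19-2014" component="ccmsetup" context="" type="1" thread="2624" file="ccmcert.cpp:4764">
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[GetDPLocations failed with error 0x87d00280]LOG]!><time="16:00:05.436+300" date="09-19-2014" component="ccmsetup" context="" type="3" thread="2624" file="siteinfo.cpp:532">
"""


def parse_entries(text):
    """Split raw log text into one dict per entry (messages may span lines)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        entries.append({
            "msg": m.group("msg").strip(),
            "time": attrs.get("time", ""),
            "component": attrs.get("component", ""),
            "type": int(attrs.get("type", "1")),
            "file": attrs.get("file", ""),
        })
    return entries


def triage(entries):
    """Summarise warning/error entries and the client-certificate lookup."""
    problems = [e for e in entries if e["type"] in SEVERITY]

    # Count each 8xxxxxxx result code mentioned on a warning or error line.
    codes = Counter()
    for e in problems:
        for code in HRESULT_RE.findall(e["msg"]):
            codes["0x" + code.lower()] += 1

    # Issuer names the site published as the allowed client-certificate roots.
    issuers = []
    for e in entries:
        m = re.match(r"Certificate Issuer \d+ \[(.*)\]$", e["msg"])
        if m and m.group(1) not in issuers:
            issuers.append(m.group(1))

    msgs = [e["msg"] for e in entries]
    return {
        "problems": [(SEVERITY[e["type"]], e["file"], e["msg"]) for e in problems],
        "codes": dict(codes),
        "required_issuers": issuers,
        "empty_my_store": any("no certificates in the 'MY' store" in m for m in msgs),
        "https_mp": sorted({u for m in msgs
                            for u in re.findall(r"Found MP (https://\S+) from AD", m)}),
    }


if __name__ == "__main__":
    summary = triage(parse_entries(SAMPLE_LOG))
    for severity, source, message in summary["problems"]:
        print(f"{severity:7} {source:20} {message}")
    print("result codes      :", summary["codes"])
    print("required issuers  :", summary["required_issuers"])
    print("'MY' store empty  :", summary["empty_my_store"])
    print("HTTPS MPs from AD :", summary["https_mp"])
```

On the sample, the summary shows the issuer-restricted lookup failing with 80092004 (CRYPT_E_NOT_FOUND), an empty 'MY' store on the local computer, and 0x87d00280 on the requests to the HTTPS management point.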

<![LOG[==========[ ccmsetup started in process 2576 ]==========]LOG]!><time=”16:00:01.707+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9437″>
<![LOG[Running on platform X64]LOG]!><time=”16:00:01.817+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”util.cpp:1837″>
<![LOG[Launch from folder \\SCCM01\Manual Client Install\]LOG]!><time=”16:00:01.817+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:721″>
<![LOG[CcmSetup version: 5.0.7958.1000]LOG]!><time=”16:00:01.817+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:727″>
<![LOG[Running on 'Microsoft Windows 7 Professional ' (6.1.7601). Service Pack (1.0). SuiteMask = 272. Product Type = 18]LOG]!><time=”16:00:01.895+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”util.cpp:1919″>
<![LOG[Ccmsetup command line: "\\SCCM01\Manual Client Install\ccmsetup.exe" ]LOG]!><time=”16:00:01.895+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:3590″>
<![LOG[Local Machine is joined to an AD domain]LOG]!><time=”16:00:01.895+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:714″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[DhcpGetOriginalSubnetMask entry point is supported.]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:117″>
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1095″>
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1172″>
<![LOG[Adapter {39CB0535-CE77-4ED9-9807-2DB558378C86} is DHCP enabled. Checking quarantine status.]LOG]!><time=”16:00:02.051+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:436″>
<![LOG[Current AD site of machine is SomewhereOverTheRainbow]LOG]!><time=”16:00:02.066+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:770″>
<![LOG[Attempting to query AD for assigned site code]LOG]!><time=”16:00:02.066+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:2071″>
<![LOG[Performing AD query: '(&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=3232279113)(MSSMSRangedIPHigh>=3232279113))))']LOG]!><time=”16:00:02.456+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[Performing AD query: '(&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=192.168.1.0)(mSSMSRoamingBoundaries=SomewhereOverTheRainbox)(mSSMSSiteCode=001)))']LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[LSIsSiteCompatible : Verifying Site Compatibility for <001>]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5419″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[LSGetSiteVersionFromAD : Attempting to query AD for MPs for site '001']LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:5248″>
<![LOG[Performing AD query: '(&(ObjectCategory=mSSMSManagementPoint)(mSSMSSiteCode=001))']LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[LSGetSiteVersionFromAD : Successfully retrieved version '5.00.7958.1000' for site '001']LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5317″>
<![LOG[LSIsSiteCompatible : Site Version = '5.00.7958.1000' Site Capabilities = <Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState" Value="63"/></Capabilities>]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:5474″>
<![LOG[LSIsSiteVersionCompatible : Site Version '5.00.7958.1000' is compatible.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5385″>
<![LOG[LSIsSiteCompatible : Site <001> Version '5.00.7958.1000' is compatible.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5486″>
<![LOG[LSGetAssignedSiteFromAD : Trying to Assign to the Site <001>]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:2192″>
<![LOG[Got site code '001' from AD.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:266″>
<![LOG[Performing AD query: '(&(ObjectCategory=mSSMSManagementPoint)(mSSMSDefaultMP=TRUE)(mSSMSSiteCode=001))']LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[OperationalXml '<ClientOperationalSettings><Version>5.00.7958.1000</Version><SecurityConfiguration><SecurityModeMask>63</SecurityModeMask><SecurityModeMaskEx>63</SecurityModeMaskEx><HTTPPort>80</HTTPPort><HTTPSPort>443</HTTPSPort><CertificateStoreName></CertificateStoreName><CertificateIssuers>CN=My Domain Root CA; OU=IT; O=My Domain; C=US</CertificateIssuers><CertificateSelectionCriteria></CertificateSelectionCriteria><CertificateSelectFirstFlag>1</CertificateSelectFirstFlag><SiteSigningCert>CertificateInfoRemoved</SiteSigningCert></SecurityConfiguration><RootSiteCode>001</RootSiteCode><CCM> <CommandLine>SMSSITECODE=001</CommandLine> </CCM><FSP> <FSPServer></FSPServer> </FSP><Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /><Property Name="SSLState" Value="63" /></Capabilities><Domain Value="mydomain.local" /><Forest Value="mydomain.local" /></ClientOperationalSettings>']LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsadcache.cpp:236″>
<![LOG[Unable to open Registry key Software\Microsoft\CCM. Return Code [80070002]. Client HTTPS state is Unknown.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmutillib.cpp:373″>
<![LOG[The MP name retrieved is 'SCCM01.mydomain.local' with version '7958' and capabilities '<Capabilities SchemaVersion="1.0"><Property Name="SSL" Version="1"/><Property Name="SSLState" Value="63"/></Capabilities>']LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsadcache.cpp:334″>
<![LOG[MP 'SCCM01.mydomain.local' is compatible]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsadcache.cpp:339″>
<![LOG[Retrieved 1 MP records from AD for site '001']LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsadcache.cpp:287″>
<![LOG[FromAD: command line = SMSSITECODE=001]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:288″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[CMPInfoFromADCache requests are throttled for 01:07:09]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsadcache.cpp:173″>
<![LOG[Found MP https://SCCM01.mydomain.local from AD]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6197″>
<![LOG[SslState value: 255]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:4425″>
<![LOG[Ccmsetup was run without any user parameters specified. Running without registering ccmsetup as a service.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4490″>
<![LOG[Detected sitecode '001' from AD.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4500″>
<![LOG[CCMHTTPPORT: 80]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8617″>
<![LOG[CCMHTTPSPORT: 443]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8632″>
<![LOG[CCMHTTPSSTATE: 255]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8650″>
<![LOG[CCMHTTPSCERTNAME: ]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8668″>
<![LOG[FSP: ]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8720″>
<![LOG[CCMCERTISSUERS: CN=My Domain Root CA; OU=IT; O=My Domain; C=US]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8746″>
<![LOG[CCMFIRSTCERT: 1]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8778″>
<![LOG[Config file: ]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4539″>
<![LOG[Retry time: 10 minute(s)]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4540″>
<![LOG[MSI log file: C:\Windows\ccmsetup\Logs\client.msi.log]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4541″>
<![LOG[MSI properties: SMSSITECODE="001" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="255" CCMCERTISSUERS="CN=My Domain Root CA; OU=IT; O=My Domain; C=US" CCMFIRSTCERT="1"]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4542″>
<![LOG[Source List:]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4550″>
<![LOG[MPs:]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4569″>
<![LOG[ https://SCCM01.mydomain.local]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4584″>
<![LOG[No version of the client is currently detected.]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2748″>
<![LOG[Folder 'Microsoft\Configuration Manager' not found. Task does not exist.]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”wintask.cpp:622″>
<![LOG[Updated security on object C:\Windows\ccmsetup\.]LOG]!><time=”16:00:03.033+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9281″>
<![LOG[A Fallback Status Point has not been specified. Message with STATEID='100' will not be sent.]LOG]!><time=”16:00:03.033+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9763″>
<![LOG[Downloading file \\SCCM01\Manual Client Install\ccmsetup.exe]LOG]!><time=”16:00:04.048+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:5685″>
<![LOG[Downloading \\SCCM01\Manual Client Install\ccmsetup.exe to C:\Windows\ccmsetup\ccmsetup.exe]LOG]!><time=”16:00:04.048+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:5769″>
<![LOG[File download 3% complete (61440 of 1614520 bytes).]LOG]!><time=”16:00:04.079+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 7% complete (122880 of 1614520 bytes).]LOG]!><time=”16:00:04.079+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 11% complete (184320 of 1614520 bytes).]LOG]!><time=”16:00:04.079+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 15% complete (245760 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 19% complete (307200 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 22% complete (368640 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 26% complete (430080 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 30% complete (491520 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 34% complete (552960 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 38% complete (614400 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 41% complete (675840 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 45% complete (737280 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 49% complete (798720 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 53% complete (860160 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 57% complete (921600 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 60% complete (983040 of 1614520 bytes).]LOG]!><time=”16:00:04.250+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 64% complete (1044480 of 1614520 bytes).]LOG]!><time=”16:00:04.250+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 68% complete (1105920 of 1614520 bytes).]LOG]!><time=”16:00:04.266+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 72% complete (1167360 of 1614520 bytes).]LOG]!><time=”16:00:04.266+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 76% complete (1228800 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 79% complete (1290240 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 83% complete (1351680 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 87% complete (1413120 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 91% complete (1474560 of 1614520 bytes).]LOG]!><time=”16:00:04.344+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 95% complete (1536000 of 1614520 bytes).]LOG]!><time=”16:00:04.344+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 98% complete (1597440 of 1614520 bytes).]LOG]!><time=”16:00:04.344+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 100% complete (1614520 of 1614520 bytes).]LOG]!><time=”16:00:04.391+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[Download complete.]LOG]!><time=”16:00:04.391+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:5867″>
<![LOG[Running as user "ej.admin"]LOG]!><time=”16:00:05.311+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:1995″>
<![LOG[Detected 223212 MB free disk space on system drive.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”util.cpp:628″>
<![LOG[Checking Write Filter Status.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2024″>
<![LOG[This is not a supported write filter device. We are not in a write filter maintenance mode.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2051″>
<![LOG[SiteCode: 001]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2076″>
<![LOG[SiteVersion: 5.00.7958.1000]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2077″>
<![LOG[Only one MP https://SCCM01.mydomain.local is specified. Use it.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:10080″>
<![LOG[Searching for DP locations from MP(s)...]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:11018″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[Current AD site of machine is SomewhereOverTheRainbow]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:770″>
<![LOG[DHCP entry points already initialized.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:75″>
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1095″>
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1172″>
<![LOG[Adapter {39CB0535-CE77-4ED9-9807-2DB558378C86} is DHCP enabled. Checking quarantine status.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:436″>
<![LOG[Sending message body '<ContentLocationRequest SchemaVersion="1.00">
<AssignedSite SiteCode="001"/>
<ClientPackage/>
<ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="0">
<ADSite Name="SomewhereOverTheRainbow"/>
<Forest Name="mydomain.local"/>
<Domain Name="mydomain.local"/>
<IPAddresses>
<IPAddress SubnetAddress="192.168.1.0" Address="192.168.1.73"/>
</IPAddresses>
</ClientLocationInfo>
</ContentLocationRequest>
']LOG]!><time=”16:00:05.342+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:96″>
<![LOG[Sending message header ‘<Msg SchemaVersion=”1.1″><ID>{F41949F6-9FCA-4C08-AB45-AD13397E03E4}</ID><SourceHost>MACHINENAME</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:MACHINENAME:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://SCCM01.mydomain.local</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2014-09-19T21:00:05Z</SentTime><Body Type=”ByteRange” Offset=”0″ Length=”1146″/><Hooks><Hook3 Name=”zlib-compress”/></Hooks><Payload Type=”inline”/></Msg>’]LOG]!><time=”16:00:05.342+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:177″>
<![LOG[CCM_POST 'https://SCCM01.mydomain.local/ccm_system/request']LOG]!><time=”16:00:05.342+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”httphelper.cpp:807″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.389+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time=”16:00:05.389+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4409″>
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4702″>
<![LOG[Locate client certificate bypassing Certificate Issuers restriction]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6121″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Begin to select client certificate]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4706″>
<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmcert.cpp:4742″>
<![LOG[There are no certificates in the 'MY' store.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4764″>
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[A Fallback Status Point has not been specified. Message with STATEID='315' will not be sent.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9763″>
<![LOG[GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'https://SCCM01.mydomain.local/ccm_system/request']LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:947″>
<![LOG[GetDPLocations failed with error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”siteinfo.cpp:532″>
<![LOG[Failed to get DP locations as the expected version from MP 'https://SCCM01.mydomain.local'. Error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmsetup.cpp:11261″>
<![LOG[A Fallback Status Point has not been specified. Message with STATEID='101' will not be sent.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9763″>
<![LOG[Next retry in 10 minute(s)...]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:8835″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:10:09.190+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:10:09.190+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[Current AD site of machine is SomewhereOverTheRainbow]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:770″>
<![LOG[DHCP entry points already initialized.]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:75″>
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1095″>
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1172″>
<![LOG[Adapter {39CB0535-CE77-4ED9-9807-2DB558378C86} is DHCP enabled. Checking quarantine status.]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:436″>
<![LOG[Sending message body '<ContentLocationRequest SchemaVersion="1.00">
<AssignedSite SiteCode="001"/>
<ClientPackage/>
<ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="0">
<ADSite Name="SomewhereOverTheRainbow"/>
<Forest Name="mydomain.local"/>
<Domain Name="mydomain.local"/>
<IPAddresses>
<IPAddress SubnetAddress="192.168.1.0" Address="192.168.170.73"/>
</IPAddresses>
</ClientLocationInfo>
</ContentLocationRequest>
']LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:96″>
<![LOG[Sending message header ‘<Msg SchemaVersion=”1.1″><ID>{6DCC55BE-D180-41DC-ACF9-2B909F186F1A}</ID><SourceHost>MACHINENAME</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:MACHINENAME:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://SCCM01.mydomain.local</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2014-09-19T21:10:09Z</SentTime><Body Type=”ByteRange” Offset=”0″ Length=”1146″/><Hooks><Hook3 Name=”zlib-compress”/></Hooks><Payload Type=”inline”/></Msg>’]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:177″>
<![LOG[CCM_POST 'https://SCCM01.mydomain.local/ccm_system/request']LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”httphelper.cpp:807″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4409″>
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4702″>
<![LOG[Locate client certificate bypassing Certificate Issuers restriction]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6121″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Begin to select client certificate]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4706″>
<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmcert.cpp:4742″>
<![LOG[There are no certificates in the 'MY' store.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4764″>
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'https://SCCM01.mydomain.local/ccm_system/request']LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:947″>
<![LOG[GetDPLocations failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”siteinfo.cpp:532″>
<![LOG[Failed to get DP locations as the expected version from MP 'https://SCCM01.mydomain.local'. Error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmsetup.cpp:11261″>
<![LOG[Failed to find DP locations from MP 'https://SCCM01.mydomain.local' with error 0x87d00280, status code 200. Check next MP.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmsetup.cpp:11117″>
<![LOG[Only one MP https://SCCM01.mydomain.local is specified. Use it.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:10080″>
<![LOG[Have already tried all MPs. Couldn't find DP locations.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:11146″>
<![LOG[GET 'https://SCCM01.mydomain.local/CCM_Client/ccmsetup.cab']LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”httphelper.cpp:807″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4409″>
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4702″>
<![LOG[Locate client certificate bypassing Certificate Issuers restriction]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6121″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Begin to select client certificate]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4706″>
<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmcert.cpp:4742″>
<![LOG[There are no certificates in the 'MY' store.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4764″>
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[GetHttpRequestObjects failed for verb: 'GET', url: 'https://SCCM01.mydomain.local/CCM_Client/ccmsetup.cab']LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:947″>
<![LOG[DownloadFileByWinHTTP failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:1081″>
<![LOG[CcmSetup failed with error code 0x87d00280]LOG]!><time=”16:10:09.331+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:10879″>

Resolution: This behavior is 100% caused by an invalid HTTPS configuration.  In this particular case, machines were not autoenrolling for machine-based certificates, so System Center could not authenticate the client and would not allow setup to complete.

Here are some things to try to point you in the general direction of where something may have gone wrong in your deployment:

  1. If you are not using HTTPS (do not have a PKI environment), make sure you have turned off HTTPS configurations for your site.
  2. Ensure your clients are properly configured for autoenrollment.
  3. Ensure your clients are actually receiving a machine certificate from autoenrollment.
  4. Ensure your certificate authority's certificate and CRLs are not expired.
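
One way to check items 2 to 4 on an affected client, as an added example that is not part of the original post: the script inspects the Local Computer 'MY' store that ccmsetup searches and reports, per certificate, whether it can be used for HTTPS client authentication. The function name `Get-ClientAuthCertReport` and the `$RootCaPattern` variable are hypothetical; the pattern value is taken from the "Certificate Issuer 1" line in the log above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the client that fails ccmsetup. Written for PowerShell 2.0 and later.

# Assumption: wildcard that matches the root CA named in the
# "Certificate Issuer 1" line of ccmsetup.log.
$RootCaPattern = '*CN=My Domain Root CA*'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCertReport {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',
        [string]$RootPattern = $RootCaPattern
    )

    $now = Get-Date
    foreach ($cert in @(Get-ChildItem -Path $StorePath)) {
        # Collect the EKU OIDs. A certificate with no EKU extension yields an
        # empty list and is reported as ClientAuth = False.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Build the chain in machine context with online revocation checking.
        # An expired CA certificate shows up as NotTimeValid; an expired or
        # unreachable CRL as RevocationStatusUnknown / OfflineRevocation.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk      = $chain.Build($cert)
        $chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $chainsToRoot = @($chain.ChainElements |
            Where-Object { $_.Certificate.Subject -like $RootPattern }).Count -gt 0

        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            ClientAuth   = ($ekuOids -contains $ClientAuthOid)
            PrivateKey   = $cert.HasPrivateKey
            InValidity   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ChainsToRoot = $chainsToRoot
            ChainValid   = $chainOk
            ChainStatus  = $chainStatus
        }
    }
}

$report = @(Get-ClientAuthCertReport)
if ($report.Count -eq 0) {
    # Same condition ccmsetup logs as "There are no certificates in the 'MY' store."
    Write-Warning "No certificates in the Local Computer 'MY' store: autoenrollment has not issued a machine certificate."
    Write-Host 'Refresh policy and trigger enrollment with: gpupdate /force, then certutil -pulse'
} else {
    $report | Format-List Subject, Thumbprint, NotAfter, ClientAuth, PrivateKey,
                          InValidity, ChainsToRoot, ChainValid, ChainStatus
    $usable = @($report | Where-Object {
        $_.ClientAuth -and $_.PrivateKey -and $_.InValidity -and $_.ChainsToRoot -and $_.ChainValid
    })
    if ($usable.Count -eq 0) {
        Write-Warning 'Certificates are present, but none passes every check. Review the False columns and ChainStatus above.'
    }
}
```

An empty report corresponds to item 3, a non-empty `ChainStatus` to item 4, and `ChainsToRoot = False` means the certificate came from a CA other than the one the site trusts.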

DirSync (Directory Synchronization) (Windows Azure Active Directory Sync Tool) attributes federated to Office 365

Here is a complete listing of the attributes that are federated to Office 365 by your on-premises Active Directory environment.

An official listing of these attributes can be found in the following TechNet article: http://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-windows-azure-active-directory-sync-tool.aspx

Synced Object Attribute User Group Contact (Src) Description
assistant Read - Read The name of the assistant for an account.
authOrig Read Read Read Relationship that indicates that the mailbox for the target object is authorized to send mail to the source object.
C - - Read Two-letter ISO 3166 [ISO3166] country code.
cn Read Read Read The common name of the object.
co Read - Read The country/region in which the person (user or contact) or company is located.
company Read - Read The person’s (user or contact) company name.
countryCode Read - Read The country code for person’s (user or contact) language of choice.
department Read - Read The name of the person’s (user or contact) department.
description Read Read Read Human-readable descriptive phrases about the object.
displayName Read Read Read The display name for an object, usually the combination of the person’s first name, middle initial, and last name.
dLMemRejectPerms Read Read Read Relationship that indicates that members of the target object are not authorized to send mail to the source object.
dLMemSubmitPerms Read Read Read Relationship that indicates that members of the target object are authorized to send mail to the source object.
ExtensionAttribute1 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute10 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute11 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute12 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute13 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute14 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute15 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute2 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute3 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute4 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute5 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute6 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute7 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute8 Read Read Read Custom attribute that is defined in the customer on-premises directory.
ExtensionAttribute9 Read Read Read Custom attribute that is defined in the customer on-premises directory.
facsimiletelephonenumber Read - Read Telephone numbers (and, optionally, the parameters) for facsimile terminals.
givenName Read - Read Name strings that are the part of a person’s (user or contact) name that is not their surname.
GroupType - Read - Flag attribute indicating the type of group (security, global, etc.)
hideDLMembership - Read - Hide the membership list on a distribution list from senders.
homephone Read - Read The person’s (user or contact) main home telephone number.
info Read Read Read “Notes” field on “Telephone” tab of ADUC.
Initials Read - Read Strings of initials of some or all of an individual’s names, except the surname(s).
ipPhone Read - Read The TCP/IP address for the telephone.
l Read - Read Names of a locality or place, such as a city, county, or other geographic region.
legacyExchangeDN Read Read Read
mail Read Read Read The list of email addresses for a person (user or contact).
mailnickname Read Read Read
managedBy - Read - Resource/owner relationship, where the source object (a group) is the resource, and the target object is the owner.
manager Read - Read Manager/direct report relationship between two individuals, where the source object is the direct report, and the target object is the manager.
member - Read - Membership of the target object (of class User, Contact, or Group) in the group that is identified as the source object.
middleName Read - Read Additional names for a person (user or contact), for example, middle name, patronymic, matronymic, or other names.
mobile Read - Read The primary mobile phone number for a person (user or contact).
msDS-HABSeniorityIndex Read Read Read
msDS-PhoneticDisplayName Read Read Read
MsExchArchiveGUID Read - -
MsExchArchiveName Read - -
msExchArchiveStatus Read/Write - - Created in the Exchange cloud for “write back” to on-premises when the customer has a cloud archive.
msExchAssistantName Read - Read The name of the assistant for an account.
msExchAuditAdmin Read - -
msExchAuditDelegate Read - -
msExchAuditDelegateAdmin Read - -
msExchAuditOwner Read - -
MsExchBlockedSendersHash Read/Write - Read Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises.
msExchBypassAudit Read - -
MsExchBypassModerationFromDLMembersLink Read Read Read
MsExchBypassModerationLink Read Read Read
msExchCoManagedByLink - Read -
msExchDelegateListLink Read - -
msExchELCExpirySuspensionEnd Read - -
msExchELCExpirySuspensionStart Read - -
msExchELCMailboxFlags Read - -
MsExchEnableModeration Read Read -
msExchExtensionCustomAttribute1 Read Read Read
msExchExtensionCustomAttribute2 Read Read Read
msExchExtensionCustomAttribute3 Read Read Read
msExchExtensionCustomAttribute4 Read Read Read
msExchExtensionCustomAttribute5 Read Read Read
MsExchGroupDepartRestriction - Read -
MsExchGroupJoinRestriction - Read -
msExchHideFromAddressLists Read Read Read Indicator to control the visibility of a mail recipient for name resolution.
MsExchImmutableID Read - -
msExchLitigationHoldDate Read Read Read
msExchLitigationHoldOwner Read Read Read
MsExchMailboxGuid Read - - The GUID of the user’s mailbox.
msExchMailboxAuditEnable Read - -
msExchMailboxAuditLogAgeLimit Read - -
MsExchModeratedByLink Read Read Read
MsExchModerationFlags Read Read Read
MsExchRecipientDisplayType Read Read Read
msExchRecipientTypeDetails Read Read Read
MsExchRemoteRecipientType Read - -
msExchRequireAuthToSendTo Read Read Read When enabled for a distribution list (DL), unauthenticated users are rejected.
MsExchResourceCapacity Read - -
MsExchResourceDisplay Read - -
MsExchResourceMetaData Read - -
MsExchResourceSearchProperties Read - -
msExchRetentionComment Read Read Read
msExchRetentionURL Read Read Read
MsExchSafeRecipientsHash Read/Write - Read Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on-premises.
MsExchSafeSendersHash Read/Write - Read Populated through an upgrade from Business Productivity Online Standard Suite. Not synced from on premises.
MsExchSenderHintTranslations Read Read Read
msExchTeamMailboxExpiration Read - -
msExchTeamMailboxOwners Read - -
msExchTeamMailboxSharePointLinkedBy Read - -
msExchTeamMailboxSharePointUrl Read - -
msExchUCVoiceMailSettings Read/Write - -
msExchUsageLocation Read - -
msExchUserHoldPolicies Read/Write - - Litigation Hold allows cloud services to determine which users are under Litigation Hold
msOrg-IsOrganizational - Read -
msRTCSIP-ApplicationOptions Read - -
msRTCSIP-DeploymentLocator Read - Read Fully qualified DNS name of the Microsoft Lync Server 2010 deployment, as specified in the authoritative (customer, on-premises) directory.
msRTCSIP-Line Read - Read The device ID (either the Session Initiation Protocol (SIP) uniform resource identifier (URI) or the TEL URI) of the telephone that the user controls.
msRTCSIP-OwnerUrn Read - -
msRTCSIP-PrimaryUserAddress Read - Read SIP URI for instant messaging, as specified in the authoritative (customer, on-premise) directory.
msRTCSIP-UserEnabled Read - Read Indicates whether the user is currently enabled for SIP instant messaging, as specified in the authoritative (customer, on-premises) directory.
msRTCSIP-OptionFlags Read - Read
objectGUID Read Read Read Key for the object: this key is immutable, even if the object moves from one context to another, for example, as a result of a company merge or split.
oOFReplyToOriginator - Read - Governs whether out-of-office notifications should be sent to a sender of a message to this distribution list (DL).
otherFacsimileTelephone Read - Read A list of alternative facsimile numbers.
otherHomePhone Read - Read A list of alternative home telephone numbers.
otherIpPhone Read - Read A list of alternative TCP/IP addresses for the telephone.
otherMobile Read - Read A list of alternative mobile phone numbers.
otherPager Read - Read A list of alternative pager numbers.
otherTelephone Read - Read A list of alternative office telephone numbers.
pager Read - Read The primary pager number.
photo Read - -
physicalDeliveryOfficeName Read - Read Names that a postal service uses to identify a post office.
postalCode Read - Read Codes that a postal service uses to identify postal service zones.
postOfficeBox Read - Read Postal box identifiers that a postal service uses when a customer arranges to receive mail at a box on the premises of the postal service.
PreferredLanguage Read - - The preferred written or spoken language for a user.
proxyAddresses Read/Write Read/Write Read/Write The address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system.
PublicDelegates Read/Write Read Read Cross-premises public delegation: allows users to specify delegates for their mailbox.
reportToOriginator - Read - Governs whether to send delivery reports to the message originator when a message that is sent to a group is not delivered. The delivery report lets the group owner know that the message was not delivered.
ReportToOwner - Read -
samAccountName Read - -
sn Read - Read Name strings for the family names of a person (user or contact).
st Read - Read The full names of states or provinces.
streetAddress Read - Read The person’s (user or contact) address.
targetAddress Read - Read The destination address for the person (user or contact).
TelephoneAssistant Read - Read
telephoneNumber Read - Read Telephone numbers that comply with the ITU Recommendation E.123.
thumbnailphoto Read - Read Person’s photo – 10kb maximum size limit
title Read - Read The title of a person (user or contact) in the person’s organizational context.
unauthOrig Read Read Read Relationship that indicates that the mailbox for the target object is not authorized to send mail to the source object.
url Read - Read The list of alternative web pages.
userAccountControl Read - - Flag attribute to indicate settings.
userCertificate Read Read - Contains certificates used as part of the Exchange SMIME feature set.
UserPrincipalName Read - - The user principal name (UPN) that is an Internet-style logon name for a user, as specified in RFC 822.
userSMIMECertificate Read Read - Contains certificates used as part of the Exchange SMIME feature set.
wWWHomePage Read - Read The primary web page.

Office 365 – Change the Alias attribute of an Exchange mailbox for a federated user

Scenario: A federated Office 365 user’s Alias is incorrect.  You wish to change it, but changing the proxyAddresses or mail attribute in Active Directory does not update the Alias.

Before this tutorial, you can see the Alias has a typo in it (the m and o are out of place):

Office 365 - User Mailbox - Alias - Typo

After completing this tutorial, the Alias will be updated to look correct:

Office 365 - User Mailbox - Alias - Typo Fixed

Solution: Complete the steps below to update the Alias

  1. Log in to one of your Domain Controllers and open up Active Directory Users and Computers
    Server Manager - Active Directory Users and Computers
  2. Find the user that owns the mailbox, right click on them, and select Properties
    Active Directory Users and Computers - User - Properties
  3. Select the Attribute Editor Tab and find the mailNickname attribute
    Active Directory Users and Computers - User - Properties - Attribute Editor - mailNickname

    1. Note: You will need to Enable Advanced Features on Active Directory Users and Computers to see this tab
      Active Directory Users and Computers - View - Advanced Features
  4. Type in the desired value you wish to show up in the Alias field on the Office 365 Exchange Portal and click OK
    Active Directory Users and Computers - User - Properties - Attribute Editor - mailNickname - String Attribute Editor
  5. Click Apply on the Active Directory Users and Computers dialog
    Active Directory Users and Computers - User - Properties - Attribute Editor - mailNickname - Apply
  6. Wait for the Office 365 Directory Synchronization tool to run and update the user online
    1. Note: Tutorial on how to do this can be found here: http://jackstromberg.com/2012/08/force-directory-synchronization-with-office-365/
  7. Ensure that the Alias field has updated in the Exchange Administrative portal
    Office 365 - User Mailbox - Alias - Typo Fixed

 

System Center 2012 R2 Configuration Manager – Configuration Manager console cannot connect to the Configuration Manager site database (SQL Server)

Symptom: When opening up the System Center 2012 R2 Configuration Manager console, you receive the following error message.

Configuration Manager cannot connect to the site (CODE – FQDN)

The Configuration Manager console cannot connect to the Configuration Manager site database. Verify the following:

• This computer has network connectivity to the SMS Provider computer.
• Your user account has Remote Activation permission on the Configuration Manager site server and the SMS Provider computer.
• The Configuration Manager console version is supported by the site server.
• You are assigned to at least one role-based administration security role.
• You have the following WMI permissions to the Root\SMS and Root\SMS\site_<site code> namespaces: Execute Methods, Provider Write, Enable Account, and Remote Enable.

System Center 2012 R2 Configuration Manager cannot connect to the site

Additionally, when you browse to INSTALLEDDRIVE:\Program Files\Microsoft Configuration Manager\AdminConsole\AdminUILog\SmsAdminUI.log, you see the following error:

[15, PID:11000][06/24/2014 08:20:34] :System.Management.ManagementException\r\nGeneric failure \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()\r\nManagementException details:
instance of SMS_ExtendedStatus
{
CauseInfo = “”;
Description = “Unable to get SQL connection.”;
ErrorCode = 3242263810;
File = “e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspobjectquery.cpp”;
Line = 2181;
Operation = “ExecQuery”;
ParameterInfo = “SELECT * FROM SMS_CombinedDeviceResources WHERE ((ClientType is null AND EASDeviceID is null) OR ClientType != 3)”;
ProviderName = “WinMgmt”;
SQLMessage = “[08001][-2146893022][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection”;
SQLSeverity = 0;
SQLStatus = 2148074274;
StatusCode = 2147749889;
};
\r\n
[15, PID:11000][06/24/2014 08:20:34] :Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryException\r\nThe SMS Provider reported an error connecting to the ConfigMgr site database server. Verify that the SQL Server is online and that ConfigMgr site server computer account is an administrator on the ConfigMgr site database server.\r\n at Microsoft.ConfigurationManagement.ManagementProvider.WqlQueryEngine.WqlQueryResultsObject.<GetEnumerator>d__0.MoveNext()
at Microsoft.ConfigurationManagement.AdminConsole.QueryAdapter.DoAction(DataQueryBase query, IList`1 dataSources, IDictionary`2 parameters, IList`1 inputs, String outputCollectionName)\r\nConfigMgr Error Object:
instance of SMS_ExtendedStatus
{
CauseInfo = “”;
Description = “Unable to get SQL connection.”;
ErrorCode = 3242263810;
File = “e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspobjectquery.cpp”;
Line = 2181;
Operation = “ExecQuery”;
ParameterInfo = “SELECT * FROM SMS_CombinedDeviceResources WHERE ((ClientType is null AND EASDeviceID is null) OR ClientType != 3)”;
ProviderName = “WinMgmt”;
SQLMessage = “[08001][-2146893022][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection”;
SQLSeverity = 0;
SQLStatus = 2148074274;
StatusCode = 2147749889;
};

Unable to get SQL connection.

SmsAdminUI_log - Unable to get SQL connection

Solution: During your installation you may have tried to change the default SSL certificate on the database.  Based on what documentation I could find, by design, System Center requires you to use the default SSL certificate that gets autogenerated during the installation process.  In this case, you need to ensure you have a separate SQL Server instance dedicated solely to the System Center installation and can use the dedicated System Center SSL certificate.

Notes: If you receive errors like [SQL Server Native Client 10.0] SSL provider: The target principal is incorrect or [SQL Server Native Client 10.0] Client unable to establish connection, you might need to install the Server 2008 Native SQL Client (which can be obtained from here).

Office 365 – Call us overprotective, but we need to verify your account again before opening this document.

Symptom:

When trying to open a document in Office 2013 ProPlus from Office 365’s SharePoint environment, you are periodically prompted for credentials to SharePoint Online, OneDrive, and Lync Online (using your email address and password).  Additionally, the affected users are those that have been synchronized from an on-premises Active Directory environment via ADFS.

Side Note: Not sure if this is relevant or not, but we noticed this started to happen after upgrading our ADFS Proxy Servers to Server 2012 R2 (ADFS v3).

You are prompted with the following Sign In box:

Call us overprotective, but we need to verify your account again before opening this document.
Sign In

Once you try signing in, you receive the following error:

We are unable to connect right now. Please check your network and try again later.

Sign In 2

Inside of the Lync 2013 client, you might see the following dialog as well:

Credentials are required

Lync needs your user name and password to connect for retrieving calendar data from Outlook

Sign In 3

Solution:

This error is caused by a variety of different issues.  Try all of the following.

If you have a single client having issues

  • Clearing cache of Internet Explorer
  • Running an online repair of Office 365 ProPlus
  • Switching Accounts inside of Outlook (File->Office Account->Switch Account)
  • Deactivating Office from Office 365 settings and reactivating

If this is a widespread issue on multiple machines in your environment

  • Verify all proxy servers are functioning
    • If you have multiple proxy servers, ensure your Network Load Balancer is functioning correctly
  • You might be hitting a known bug with the Office 2013 Suite.  See the following KB article on how to try a workaround (this was the fix for an environment I worked on using ADFS and Server 2012): http://support.microsoft.com/kb/2913639

System Center 2012 R2 – The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database

Symptom: When any user account, other than the individual who originally configured SCCM, tries to manage System Center Configuration Manager (SCCM), they are presented with the following error:

The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database.  The account must belong to a security role in Configuration Manager.  The account must also have the Windows Server Distributed Component Object Model (DCOM) Remote Activation permission for the computer running the Configuration Manager site server and the SMS Provider.

Configuration Manager cannot connect to the site - System Center 2012 R2 Configuration Manager

Solution: We need to provide a list of users/groups to have access to System Center through the configuration console.  Follow the steps below on how to grant access.

  1. Open up the System Center Configuration Manager Console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration
    System Center 2012 R2 Configuration Manager - Administration
  3. Expand Security, select Administrative Users, and select Add User or Group at the top
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group
  4. Click the Browse button to select the security group or user you wish to add for the User or group name
    1. Note about Domain Admins: the first group you might try to add is Domain Admins, however if you add that group you will notice that users in this group will still be unable to open the console.  This is due to the behavior of the logged-in user context.  If UAC is enabled on the machine, you won’t have access to SCCM when you log in to the machine with a domain admin account, unless you right click on the console and run it as Administrator.  If you want this to work as intended, you will need to create a new security group in Active Directory, add Domain Admins to it, and then specify that group in SCCM.
  5. Click the Add… button
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Add
  6. Check Full Administrator, and click OK
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Add - Add Security Role
  7. Click OK
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Group and Security Roles assigned
  8. The end result should now look like this.  At this point, any member or group inside of SCCM Admins should have access to manage SCCM now via the console.
    System Center 2012 R2 - Administration - Security - Administrative Users - Security Group and User

How to install .NET Framework 3.5 on Windows Server 2012 and Windows Server 2012 R2

Symptom: When trying to add the .NET Framework 3.5 feature through the Add Roles and Features Wizard in Server 2012 (R2), you receive the following error:

Do you need to specify an alternate source path?  One or more installation selections are missing source files on the destination server.  The server will try to get missing source files from Windows Update, or from a location that is specified by Group Policy.  You can also click the “Specify an alternate source path” link on this page to provide a valid location for the source files.

NET Framework 3-5 - Do you need to specify an alternate source path

Solution: Complete the steps below to manually install .NET Framework 3.5 from the Server 2012 (R2) installation media.  You can complete this task via command line or via the wizard.

  1. Option 1: Command Line
    1. Insert the Windows Server 2012 installation media
      Server 2012 - Installation Media
    2. Open up an elevated command prompt
      Elevated Command Prompt
    3. Execute the following command
      1. dism /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS\ /LimitAccess
        dism netfx3 from disk

        1. Here is a breakdown of the command above:
          /Online – Targets the running operating system.
          /Enable-Feature – Enables a specific feature in the image.
          /All – Enables all parent features of the specified feature.
          /LimitAccess – Prevents DISM from contacting WU/WSUS.
  2. Option 2: GUI
    1. Insert the Windows Server 2012 installation media
      Server 2012 - Installation Media
    2. On the Add Roles and Features wizard, click on Specify an alternate source path
      NET Framework 3-5 - Specify an alternate source path
    3. Enter D:\Sources\SxS\ to point to the Server 2012
      NET Framework 3-5 - Specify an alternate source path - Dialog

Once done installing through the GUI or command prompt, if you navigate back to the Add Roles and Features Wizard, you should see the feature has been successfully installed now.

Add Roles and Features Wizard - Server 2012 R2 - NET Framework 3

SYSVOL and Group Policy out of Sync on Server 2012 R2 DCs using DFSR

Recently while making changes to group policy, I noticed a slew of issues between clients not accepting the policy.  This eventually led me to the discovery that two of the DCs in this particular environment were not replicating properly and were resulting in inconsistent SYSVOL shares.

Symptoms

On the clients we were seeing the following errors when executing the gpupdate command:

gpupdate - processing of group policy failed - registry-based policy settings

Event Viewer Logs

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 7/25/2014 10:46:45 AM
Event ID: 1096
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: mymachine.mydomain.local
Description:
The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={CF25ED30-3895-4147-8EB7-38789553F6A0},cn=policies,cn=system,DC=mydomain,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

On the DCs we were seeing the following events inside of Event Viewer -> Applications and Service Logs -> DFS Replication

Log Name: DFS Replication
Source: DFSR
Date: 7/25/2014 1:04:30 PM
Event ID: 4612
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC02.mydomain.local
Description:
The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner DC01.mydomain.local. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 2276C68D-BC24-46BF-B492-067919163EDA
Replication Group Name: Domain System Volume
Replication Group ID: D50C64AE-0A01-4F97-B838-069F0BCBE369
Member ID: 7ADF2D7C-7947-412C-A619-C0C0D72F6A9C
Read-Only: 0


Log Name: DFS Replication
Source: DFSR
Date: 7/25/2014 1:04:30 PM
Event ID: 5002
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC02.mydomain.local
Description:
The DFS Replication service encountered an error communicating with partner DC01 for replication group Domain System Volume.

Partner DNS address: DC01.mydomain.local

Optional data if available:
Partner WINS Address: DC01
Partner IP Address: 192.168.1.5

The service will retry the connection periodically.

Additional Information:
Error: 1753 (There are no more endpoints available from the endpoint mapper.)
Connection ID: D50C64AE-0A01-4F97-B838-069F0BCBE369
Replication Group ID: 4DCE6A8E-6271-48B6-A0D0-5447718B8FAB
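
To find out how far the problem has spread before fixing it, the symptoms above can be checked on every DC at once. This is an added example, not part of the original post: it counts DFSR events 4612 and 5002 per DC and compares the GPO folders and GPT.INI versions in each DC's SYSVOL share. It assumes the ActiveDirectory PowerShell module is installed and that your account can read each SYSVOL share and query each DC's event log remotely; the function names are made up for the example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): survey every DC for the symptoms above.
# Assumptions: ActiveDirectory module available; the account can read each DC's
# SYSVOL share and query its event log remotely.
param([int]$Days = 7)   # how far back to look for DFSR errors

$domain = (Get-ADDomain).DNSRoot
$dcs    = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

function Get-SysvolInventory([string]$Dc) {
    # GPO GUID folder name -> Version value from that folder's GPT.INI on this DC.
    $inventory = @{}
    $folders = Get-ChildItem -Path "\\$Dc\SYSVOL\$domain\Policies" -Directory -Filter '{*}' -ErrorAction SilentlyContinue
    foreach ($folder in $folders) {
        $hit = Select-String -LiteralPath (Join-Path $folder.FullName 'GPT.INI') -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $inventory[$folder.Name] = if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'no GPT.INI' }
    }
    $inventory
}

function Get-DfsrErrorCount([string]$Dc) {
    # Events 4612 (waiting for initial replication) and 5002 (partner unreachable).
    @(Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'DFS Replication'; Id = 4612, 5002; StartTime = (Get-Date).AddDays(-$Days)
    }).Count
}

$inventories = @{}
foreach ($dc in $dcs) { $inventories[$dc] = Get-SysvolInventory $dc }
$allGuids = $inventories.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique

# A GPO has drifted when any DC lacks its folder or reports a different GPT.INI version.
$drift = foreach ($guid in $allGuids) {
    $perDc = foreach ($dc in $dcs) {
        $version = if ($inventories[$dc].ContainsKey($guid)) { $inventories[$dc][$guid] } else { 'absent' }
        [pscustomobject]@{ DC = $dc; Version = $version }
    }
    if (@($perDc.Version | Sort-Object -Unique).Count -gt 1) {
        [pscustomobject]@{
            Gpo   = $guid
            State = ($perDc | ForEach-Object { "$($_.DC)=$($_.Version)" }) -join '; '
        }
    }
}

# Per-DC summary: number of policy folders and recent DFSR errors.
$dcs | ForEach-Object {
    [pscustomobject]@{
        DC            = $_
        PolicyFolders = $inventories[$_].Count
        DfsrErrors    = Get-DfsrErrorCount $_
    }
} | Format-Table -AutoSize

if ($drift) {
    $drift | Format-Table -AutoSize -Wrap
} else {
    'SYSVOL Policies folders and GPT.INI versions match on all DCs.'
}
```

A DC that shows fewer policy folders or older versions than its partners, together with a non-zero error count, is the one whose SYSVOL copy is stale.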

Solution

We ended up having to manually perform an authoritative synchronization between the two DCs.  As you may know, DFSR no longer uses the same steps as FRS to do an authoritative sync.  Below are my notes and experiences on completing an authoritative DFSR sync.  You can find the official notes from Microsoft here: http://support.microsoft.com/kb/2218556/en-us

  1. Logon to your primary DC
  2. Stop the DFS Replication service
    1. Click on the Start menu, select Administrative Tools, and then click Services
    2. In the Name column, right-click DFS Replication or Netlogon, and then click Stop
  3. Open up ADSI Edit
    Server Manager - ADSI Edit
  4. Open up the Default naming context
    ADSI Edit - Connection Settings - Default naming context
  5. Navigate to the following
    1. CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name to replicate from>,OU=Domain Controllers,DC=<domain>
      ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume
  6. Change the following attributes to the following values
    1. msDFSR-Enabled=FALSE
      msDFSR-options=1
      ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - msDFSR-Enabled - False
      ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - msDFSR-Options - 1
      Both values applied
      ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - msDFSR-Options - msDFSR-Enabled

      1. Note: If you cannot see msDFSR-options, uncheck Show only attributes that have values
        ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - Show only attributes that have values
  7. On ALL other DCs, change the msDFSR-Enabled attribute to False
    ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - msDFSR-Enabled - False
  8. Force Active Directory replication throughout the domain (ensure all sync responses terminate with no errors).
    1. repadmin /syncall primary_dc_name /APed
      repadmin -syncall -aped

      1. NOTE: Here is a list of what the switches mean
        1. /A: Perform /SyncAll for all NC’s held by <Dest DSA> (ignores <Naming Context>)
        2. /P: Push changes outward from home server (default: pull changes)
        3. /e: Enterprise, cross sites (default: only home site)
        4. /d: ID servers by DN in messages (instead of GUID DNS)
  9. Start the DFSR service back up on the authoritative DC
    1. Click on the Start menu, select Administrative Tools, and then click Services
      Services
    2. In the Name column, right-click DFS Replication or Netlogon, and then click Start
  10. Open up event viewer and navigate to Applications and Services Logs -> DFS Replication.  Verify you see Event ID 4114.
    Event Viewer - Applications and Services Logs - DFS Replication - Event 4114
  11. Navigate back to the following in ADSI
      1. CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name to replicate from>,OU=Domain Controllers,DC=<domain>
        ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume
  12. Set the value of msDFSR-Enabled to TRUE
    ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - msDFSR-Enabled - True
  13. Execute the following via an elevated command prompt
    1. DFSRDIAG POLLAD
      1. NOTE: This is a utility that is part of the DFS Management Tools.  I completed the guide successfully without running this command, but Microsoft recommends you do run this command.
  14. Force Active Directory replication throughout the domain
    1. repadmin /syncall primary_dc_name /APed
      repadmin -syncall -aped
  15. Wait a few minutes and you should see Event ID 2002 and 4602
    Event Viewer - Applications and Services Logs - DFS Replication - Event 4602 - Event 2002
  16. Navigate back to each of your secondary DCs and change the value of msDFSR-Enabled to TRUE
    ADSI Edit - Default Naming Context - Domain Controllers - DC01 - DFSR-LocalSettings - Domain System Volume - msDFSR-Enabled - True
  17. Execute the following via an elevated command prompt
    1. DFSRDIAG POLLAD
      1. NOTE: This is a utility that is part of the DFS Management Tools. I completed the guide successfully without running this command, but Microsoft recommends you do run this command. Force Active Directory replication throughout the domain
  18. Verify you see Event ID 2002 and 4602 on each of the secondary DCs
    Event Viewer - Applications and Services Logs - DFS Replication - Event 4602 - Event 2002
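
The same procedure can be scripted instead of clicked through in ADSI Edit. The script below is an added example, not the author's or Microsoft's own code; it follows the step order above and uses the event IDs listed in those steps. It assumes it is run elevated on the authoritative DC with the ActiveDirectory module, repadmin and dfsrdiag installed, that repadmin prints its English "SyncAll terminated with no errors" message, and that all attribute changes are written on the primary DC and then pushed out; the function names are made up for the example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: the authoritative SYSVOL sync steps above as one script.
# Assumptions: run from an elevated prompt ON the authoritative DC, with the
# ActiveDirectory module, repadmin and dfsrdiag (DFS Management Tools) installed.
param(
    [Parameter(Mandatory)][string]$PrimaryDC,   # DC holding the good SYSVOL copy
    [int]$TimeoutSeconds = 600                  # how long to wait for each event
)
$ErrorActionPreference = 'Stop'
$started = Get-Date
$primary = (Get-ADDomainController -Identity $PrimaryDC).Name
$secondaries = @(Get-ADDomainController -Filter * -Server $primary |
    Where-Object { $_.Name -ne $primary } | Select-Object -ExpandProperty Name)

function Get-SysvolSubscriptionDn([string]$DcName) {
    # Same object the steps open in ADSI Edit, built from the DC's computer DN.
    $computerDn = (Get-ADDomainController -Identity $DcName -Server $primary).ComputerObjectDN
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$computerDn"
}

function Set-SysvolSubscription([string]$DcName, [hashtable]$Values) {
    # Written on the primary so repadmin /syncall pushes one consistent copy outward.
    Set-ADObject -Identity (Get-SysvolSubscriptionDn $DcName) -Replace $Values -Server $primary
}

function Sync-AllPartitions {
    # repadmin /syncall <primary> /APed, failing unless it reports a clean run
    # (assumes English repadmin output).
    $output = repadmin /syncall $primary /APed
    $output | Out-Host
    if (-not ($output -match 'SyncAll terminated with no errors')) {
        throw 'repadmin /syncall did not terminate cleanly; fix AD replication first.'
    }
}

function Wait-DfsrEvent([string]$DcName, [int[]]$Ids) {
    # Poll the DFS Replication log until every listed ID has appeared since $started.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $seen = Get-WinEvent -ComputerName $DcName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; Id = $Ids; StartTime = $started
        } | Select-Object -ExpandProperty Id -Unique
        $missing = $Ids | Where-Object { $_ -notin $seen }
        if (-not $missing) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    Write-Warning "$DcName : event ID(s) $($missing -join ', ') not logged within $TimeoutSeconds s"
    return $false
}

# Steps 2 and 5-7: stop DFSR here, mark this DC authoritative, disable all others.
Stop-Service -Name DFSR
Set-SysvolSubscription $primary @{ 'msDFSR-Enabled' = $false; 'msDFSR-options' = 1 }
foreach ($dc in $secondaries) { Set-SysvolSubscription $dc @{ 'msDFSR-Enabled' = $false } }

# Steps 8-10: replicate the change, restart DFSR, wait for event 4114.
Sync-AllPartitions
Start-Service -Name DFSR
if (-not (Wait-DfsrEvent $primary 4114)) {
    throw 'Event 4114 not seen on the primary; stopping before re-enabling replication.'
}

# Steps 11-15: re-enable the primary, poll AD, replicate, wait for events 2002 and 4602.
Set-SysvolSubscription $primary @{ 'msDFSR-Enabled' = $true }
dfsrdiag pollad | Out-Host
Sync-AllPartitions
[void](Wait-DfsrEvent $primary 2002, 4602)

# Steps 16-18: re-enable each secondary, replicate, poll AD and check its event log.
foreach ($dc in $secondaries) { Set-SysvolSubscription $dc @{ 'msDFSR-Enabled' = $true } }
Sync-AllPartitions
foreach ($dc in $secondaries) {
    dfsrdiag pollad "/member:$dc" | Out-Host
    [void](Wait-DfsrEvent $dc 2002, 4602)
}
```

The script stops before re-enabling anything if AD replication reports errors or event 4114 never appears, so a half-finished run leaves replication disabled rather than syncing from an unconfirmed source.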

At this point, try running a gpupdate on your client.  If all has gone well, each of the shared SYSVOL folders on your DCs should contain the same number of policies and your client should successfully pull down all policies.

gpupdate - success

System Center 2012 R2 Configuration Manager – Deploying Endpoint Protection

This guide is in continuation to my guide on deploying system center 2012 r2 configuration manager, as found here.

In this tutorial, we will cover basic deployment/configuration of Endpoint Protection to client workstations.  This tutorial is largely based on user anyweb’s guide on windows-noob.com.  Make sure to give him some credit over on his forum :) Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies

Definition

Per the following Technet article (http://technet.microsoft.com/en-us/library/hh508781.aspx) Endpoint Protection in System Center 2012 Configuration Manager provides security, antimalware, and Windows Firewall management for computers in your enterprise.

When you use Endpoint Protection with Configuration Manager, you have the following benefits:

  • You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Creating Endpoint Protection Hierarchy via Folders

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. On the Assets and Compliance pane, select Device Collections, and then right click and select Create Folder
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Device Collections - New Folder
  3. Enter Endpoint Protection for the folder name and click OK
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Device Collections - New Folder - Endpoint Protection
  4. Select your Endpoint Protection folder under Device Collections and create two more folders called Endpoint Protection Managed Clients and Endpoint Protection Managed Servers
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Device Collections - Endpoint Protection Managed Clients-Servers

Create Device Collections to categorize devices managed by SCCM

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. On the Assets and Compliance pane, select Device Collections, Endpoint Protection Managed Clients, and right click select Create Device Collection
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Endpoint Protection Managed Clients - Create Device Collection
  3. Enter Endpoint Protection Managed Desktops for the name and then a comment describing what the group will hold (Desktops in this example), and then click Browse…
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Managed Desktops
  4. Select All Systems and click OK
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Managed Desktops - Select Collection
  5. Click Next >
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Managed Desktops - All Systems
  6. Click Next >
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Membership Rules
  7. Click OK on the dialog box explaining we have set no rules
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Membership Rules - Dialog
  8. Click Next >
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Summary
  9. Click Close
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Create Device Collection - Completion
  10. Repeat steps 2-9 to create another group for Laptops
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Endpoint Protection Managed Clients - Desktops and Laptops
  11. Select Endpoint Protection Managed Servers and repeat steps 2-9 to create the following groups
    1. Note: This step is optional; it is more for organization.  If you don’t have all of these services/servers deployed in your environment, you don’t have to create these Collections.
      1. Endpoint Protection Managed Servers – Configuration Manager
      2. Endpoint Protection Managed Servers – DHCP
      3. Endpoint Protection Managed Servers – Domain Controller
      4. Endpoint Protection Managed Servers – Exchange
      5. Endpoint Protection Managed Servers – File Server
      6. Endpoint Protection Managed Servers – Hyper-V
      7. Endpoint Protection Managed Servers – IIS
      8. Endpoint Protection Managed Servers – Operations Manager
      9. Endpoint Protection Managed Servers – SharePoint
      10. Endpoint Protection Managed Servers – SQL Server
        System Center 2012 R2 Configuration Manager - Assets and Compliance - Assets and Compliance - Endpoint Protection Managed Servers

Enable the Endpoint Protection Role

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration, Site Configuration, Servers and Site System Roles, and right click on your Primary site and select Add Site System Roles
    System Center 2012 R2 Configuration Manager - Administration - Servers and Site System Roles - Add Site System Roles
  3. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - General
  4. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - Proxy
  5. Check Endpoint Protection point
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection point
  6. Click OK on the Configuration Manager dialog
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection point - Confirm
  7. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection point - Checked
  8. Check I accept the Endpoint Protection license terms and click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Endpoint Protection - Accept EULA
  9. Check Advanced membership and click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - System Role Selection - Microsoft Active Protection Service

    1. Note: MAPS can be joined with a basic or an advanced membership. Basic member reports contain the information described above. Advanced member reports are more comprehensive and may include additional details about the software Endpoint Protection detects, including the location of such software, file names, how the software operates, and how it has impacted your computer. These reports, along with reports from other Endpoint Protection users who are participating in MAPS, help Microsoft researchers discover new threats more rapidly. Malware definitions are then created for programs that meet the analysis criteria, and the updated definitions are made available to all users through Microsoft Update.  See http://technet.microsoft.com/library/hh508835.aspx for full details.
    2. My thoughts on this are to go with Advanced.  If you are using the AV product, may as well help contribute towards making the product detect anomalies more accurately (I’ll turn my Microsoft fan-boyness off now :))
  10. Click Next >
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - Summary
  11. Click Close
    System Center 2012 R2 Configuration Manager - Add Site System Roles Wizard - Completion

Configuring Endpoint Protection Alerting

  1. Email Alerting
  2. Device Collection Alerting

Configure SUP for Endpoint Protection

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration, Overview, Site Configuration, Sites and select Settings, Configure Site Components, Software Update Point
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Configure Site Components - SUP
  3. Select the Products tab and then check Forefront Endpoint Protection 2010 and click OK
    System Center 2012 R2 Configuration Manager - Software Update Point Components Properties - Forefront Endpoint Protection 2010
  4. Select Software Library, expand Software Updates and right click on All Software Updates and select Synchronize Software Updates
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - All Software Updates - Synchronize Software Updates
  5. Click Yes on the Run Synchronization dialog box
    System Center 2012 R2 Configuration Manager - Run Synchronization - check SMS_WSUS_SYNC_MANAGER for component status

Configure SUP to deliver Definition Updates using an Automatic Deployment Rule

  1. Create a new shared folder called EndpointProtection in your WSUS directory
    System Center 2012 R2 Configuration Manager - EndpointProtection Folder
  2. Share the folder with the Everyone group
    1. Right click on the folder and select Properties
      System Center 2012 R2 Configuration Manager - EndpointProtection Folder - Properties
    2. Select the Sharing tab and then click the Share… button
      System Center 2012 R2 Configuration Manager - EndpointProtection Folder - Properties - Sharing
    3. Type Everyone and then click Add.  Ensure the Permission level is Read and then click Share
      System Center 2012 R2 Configuration Manager - EndpointProtection Folder - Properties - Sharing - Everyone
  3. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  4. Select Software Library, Expand Overview, Software Updates, and select Automatic Deployment Rules.  Right click and select Create Automatic Deployment Rule
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - Automatic Deployment Rules - Create
  5. Enter in a Name and Description for your Automatic Deployment Rule and then click on the Browse… button
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - General
  6. Select one of the Device Collections we made earlier and then click OK
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - General - Select Collection
  7. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - General - Collection
  8. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Settings
  9. Check Date Released or Revised and Product, set Date Released or Revised to Last 1 day and Product to Forefront Endpoint Protection 2010 and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Software Updates
  10. Check Run the rule on a schedule, click the Customize… button, and then select 1 days at 12:00AM, and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Software Updates - Custom Schedule
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Evaluation Schedule
  11. Set Time based on UTC and set Installation deadline As soon as possible and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Schedule
  12. Check Servers on Device restart behavior (this will prevent a server from restarting from an update), and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - User Experience
  13. Check Generate an alert when the following conditions are met and click Next >
    1. NOTE: This is an optional step.  If you would like to set an alert to be triggered when X% of your clients do not have the latest virus definitions, use this option.  If you do not wish to be alerted, leave the box unchecked and click Next >.  In this particular example, we will receive an alert once 15% of the clients have out-of-date virus definitions.
      System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Alerts
  14. Check Download software updates from distribution point and install, check Download and install software updates from the fallback content source location, and click Next >
    1. Optionally, you can check If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Update, to always ensure your client has a source to download the latest virus definitions.
      System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Download Settings
  15. Enter Endpoint Protection Definition Updates for the Name, enter the following Description: "This new deployment package will contain our Endpoint Protection definition updates.  We will run this automatic deployment rule only once and then retire it.  We do this in order to create the Deployment Package.  In the next automatic deployment rule we will select this package instead of creating a new deployment package.", and type in the share path to your sccm folder (\\sccm\EndpointProtection).  Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package
  16. Click Add, Distribution Point
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package - Distribution Points
  17. Check your site and click OK
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package - Distribution Points - Add
  18. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Deployment Package - Distribution Points - Added
  19. Ensure Download software updates from the Internet is checked and click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Download Location
  20. Check the languages you want to support and then click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Language Selection
  21. Click Save As Template…, click Browse… and enter Endpoint Protection Managed Servers and click Save
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Summary
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Summary - Save as Template
  22. Click Next >
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Summary - Next
  23. Click Close
    System Center 2012 R2 Configuration Manager - Create Automatic Deployment Rule Wizard - Endpoint Protection - Completion
  24. Right click on your Endpoint Protection rule and select Disable
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - Automatic Deployment Rules - Endpoint Protection - Disable
  25. Repeat steps 3-23, using Endpoint Protection Managed Servers as a template in Step 4 for each of the Device Collection groups we created.
    System Center 2012 R2 Configuration Manager - Software Library - Software Updates - Automatic Deployment Rules - Endpoint Protection Rules

Configure custom antimalware policies

In this section we will configure how Endpoint Protection will function on the client machines.

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Assets and Compliance, Endpoint Protection, and then click the Create Antimalware Policy button
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Create
  3. Set a Name and Description for your Endpoint Protection Antimalware Policy, and then check each of the boxes for the options you wish to configure.  Go through each of the tabs and customize how you wish the agent to run.  Then click OK
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Create - General
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Create - Definition updates
  4. Right click on your custom policy and click Deploy
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Deploy
  5. Select the group you wish to target (in this case, configuration manager), and click OK
    System Center 2012 R2 Configuration Manager - Overview - Endpoint Protection - Antimalware Policies - Deploy - Select Collection

Configure Custom Device Settings

In this section we will configure the client policy to tell the machine it is managed by Endpoint Protection.

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration, Client Settings, and then click on Create Custom Client Device Settings
    System Center 2012 R2 Configuration Manager - Overview - Client Settings - Create Custom Client Device Settings
  3. Enter in a Name (Custom Client Device Settings – Endpoint Protection Managed Servers – Configuration Manager), Description (Custom client device settings for servers related to configuration manager), and check Endpoint Protection
    System Center 2012 R2 Configuration Manager - Overview - Client Settings - Create Custom Client Device Settings - General Tab
  4. On the Endpoint Protection tab use the following settings and then click OK
    1. Manage Endpoint Protection client on client computers: Yes
      Allow Endpoint Protection client installation and restarts outside maintenance windows.  Maintenance windows must be at least 30 minutes long for client installation: Yes
      System Center 2012 R2 Configuration Manager - Overview - Client Settings - Create Custom Client Device Settings - Endpoint Protection Tab
  5. Right click on your new Custom Client Device Settings policy and select Deploy
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Deploy Custom Client Device Settings
  6. Select the group of machines you want to deploy the agents to and select OK
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Deploy Custom Client Device Settings - Select Collection

Verify the client shows the policy

  1. Open the Endpoint Protection agent and select About
    System Center Endpoint Protection Client - About
  2. Verify you see your custom antimalware policy
    System Center Endpoint Protection Client - About - Custom Antimalware Policy

System Center 2012 R2 Configuration Manager – Client Web Service Point and Deploying the SCCM Agent

This guide is in continuation to my guide on deploying system center 2012 r2 configuration manager, as found here.

This guide will go over installing the Application Catalog to allow users to choose software they may wish to download and install (that you have already approved), configuring the SCCM client options, deploying the client, and verifying the client has been installed.

Configuring Application Catalog

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Click on Administration in the bottom left corner
    System Center 2012 R2 Configuration Manager - Administration
  3. Expand Site Configuration and select Sites and right click on your site and select Add Site System Roles
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles
  4. Click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - General
  5. Click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - Proxy
  6. Check Application Catalog Web Service Point, Application Catalog Website Point, and click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - System Role Selection - ACWSP
  7. Click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - System Role Selection - ACWSP - HTTP

    1. NOTE: If you have a PKI environment, go ahead and check HTTPS and hit Next > to encrypt your network traffic
  8. Click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - System Role Selection - ACWSP IIS
  9. Enter your Organization name, select a Website theme, and click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - System Role Selection - ACWP
  10. Click Next >
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - System Role Selection - Summary
  11. Click Close
    System Center 2012 R2 Configuration Manager - Administration - Site Configuration - Sites - Add Site System Roles Wizard - Completion
  12. Verify you can access the website from a remote machine (you will need Silverlight in order to browse the page)
    1. https://sccm.mydomain.com/cmapplicationcatalog
      System Center 2012 R2 Configuration Manager - cmapplicationcatalog

Configuring SCCM Agent Settings

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Click on Administration in the bottom left corner
    System Center 2012 R2 Configuration Manager - Administration
  3. Click Client Settings, right click on Default Client Settings, select Properties
    System Center 2012 R2 Configuration Manager - Administration - Client Settings
  4. Select Computer Agent and then click on the Set Website… button near Default Application Catalog website point
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Default Settings - Computer Agent
  5. Select the value that matches your intranet FQDN and click OK
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Default Settings - Computer Agent - Configure Client Settings
  6. Select Yes under Add default Application Catalog website to Internet Explorer trusted site zone
    System Center 2012 R2 Configuration Manager - Administration - Client Settings - Default Settings - Computer Agent - IE Trusted sites
  7. Click on Software Updates and schedule software updates to happen every 1 days
    1. NOTE: We want software updates to scan every day to deploy Endpoint Protection (antivirus) definitions to all of our clients.  If you will not be using Endpoint Protection, you may want to leave this at 7 days or however frequently you wish to push updates.
      System Center 2012 R2 Configuration Manager - Administration - Client Settings - Default Settings - Software Updates - Daily
  8. Click on User and Device Affinity and set Allow user to define their primary devices to Yes
    1. NOTE: What is User Device Affinity?  User device affinity in Microsoft System Center 2012 Configuration Manager is a method of associating a user with one or more specified devices. User device affinity can eliminate the need to know the names of a user’s devices in order to deploy an application to that user. Instead of deploying the application to all of the user’s devices, you deploy the application to the user. Then, user device affinity automatically ensures that the application installs on all devices that are associated with that user.  More info can be found here: http://technet.microsoft.com/en-us/library/gg699365.aspx
      System Center 2012 R2 Configuration Manager - Administration - Client Settings - Default Settings - User and Device Affinity - Yes
  9. Click OK

Preparing deployment credentials to install SCCM Agent to clients

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Click on Administration in the bottom left corner
    System Center 2012 R2 Configuration Manager - Administration
  3. Select Site Configuration, Sites, and then click Settings->Client Installation Settings->Client Push Installation
  4. Check Enable automatic site-wide client push installation and check all options under System types to cover all machines in your environment
    1. NOTE: This step is optional.  If you wish to manually deploy the SCCM client every time you add a machine to your environment, leave this option unchecked.
      System Center 2012 R2 Configuration Manager - Client Installation Settings - Client Push Installation Properties
  5. Select the Accounts tab and then click the yellow star and select New Account
    System Center 2012 R2 Configuration Manager - Client Installation Settings - Client Push Installation Properties - Accounts - New Account
  6. Enter in the SCCMCP user credentials (that have local admin privileges on the remote machines), click the Verify button, and type in the path to one of the shared folders on your machine.
    System Center 2012 R2 Configuration Manager - Client Installation Settings - Client Push Installation Properties - Accounts - New Account - Windows User Account
  7. Click Test Connection and hit OK on the Configuration Manager dialog
    1. NOTE: If this step fails, ensure your folders are being shared properly.  The sharing properties on this folder should have been configured automatically when WSUS was being installed.
      System Center 2012 R2 Configuration Manager - Client Installation Settings - Client Push Installation Properties - Accounts - New Account - Windows User Account - Verify
  8. Click OK

Deploy the SCCM Agent to clients

  1. Launch the System Center 2012 R2 Configuration Manager console
    System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Devices, right click on the client you wish to deploy the agent to and select Install Client
    System Center 2012 R2 Configuration Manager - Assets and Compliance - Devices - Client - Install Client
  3. Click Next >
    System Center 2012 R2 Configuration Manager - Install Configuration Manager Client Wizard - Before You Begin
  4. Check Always install the client software, optionally check the others, and click Next >
    1. Note: Since we only have one site, the Install the client software from a specific site option will default to your only site. In this case, since we aren’t installing the agent on a domain controller, the first checkbox won’t be applicable during installation.
      System Center 2012 R2 Configuration Manager - Install Configuration Manager Client Wizard - Installation Options
  5. Click Next >
    System Center 2012 R2 Configuration Manager - Install Configuration Manager Client Wizard - Summary
  6. Click Close
    System Center 2012 R2 Configuration Manager - Install Configuration Manager Client Wizard - Completion

After about 5 minutes or so, you should see an entry in your start menu called Software Center.  If you see this, you have successfully deployed the SCCM client! :)

Windows 8 - Start Menu - System Center 2012 R2 - Software Center
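
To confirm the result on a client without waiting for Software Center, you can read the installer's log directly. The PowerShell below is an added example, not part of the original post: it parses ccmsetup.log records in the layout shown at the top of this page and reports the last outcome. The function names and sample records are constructed for illustration, CcmExec is the client agent's service name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example; function names are hypothetical and the sample records are
# constructed in the ccmsetup.log layout shown at the top of this page.
function ConvertFrom-CcmSetupLog {
    param([string[]]$Line)
    # One record: <![LOG[message]LOG]!><time="..." date="..." ... type="N" ...>
    $rx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)".*?type="(?<type>\d)"'
    foreach ($l in $Line) {
        # Text pasted from web pages often carries typographic quotes.
        $clean = $l -replace '[\u201C\u201D\u2033]', '"'
        if ($clean -match $rx) {
            $sev = switch ($Matches['type']) { '2' { 'Warning' } '3' { 'Error' } default { 'Info' } }
            [pscustomobject]@{ Date = $Matches['date']; Time = $Matches['time']
                               Severity = $sev; Message = $Matches['msg'] }
        }
    }
}

function Get-CcmSetupOutcome {
    param([string[]]$Line)
    $records = @(ConvertFrom-CcmSetupLog -Line $Line)
    $status = 'InProgress'; $code = $null
    foreach ($r in $records) {
        # Later records win, so a retry that succeeds overrides an earlier failure.
        if ($r.Message -match 'CcmSetup is exiting with return code (\d+)') {
            $code = $Matches[1]
            $status = if ($code -eq '0') { 'Succeeded' } else { 'ExitedNonZero' }
        } elseif ($r.Message -match 'CcmSetup failed with error code (0x[0-9a-fA-F]+)') {
            $code = $Matches[1]; $status = 'Failed'
        }
    }
    [pscustomobject]@{ Status = $status; Code = $code
                       Problems = @($records | Where-Object { $_.Severity -ne 'Info' }) }
}

# Constructed sample records (timestamps and the error record are made up).
$fmt = '<![LOG[{0}]LOG]!><time="{1}+300" date="09-19-2014" component="ccmsetup" context="" type="{2}" thread="2624" file="ccmsetup.cpp:1">'
$sample = @(
    $fmt -f '==========[ ccmsetup started in process 2576 ]==========', '16:00:01.707', 1
    $fmt -f 'Constructed error record for illustration', '16:04:58.310', 3
    $fmt -f 'CcmSetup failed with error code 0x87d00280', '16:05:12.101', 1
)
Get-CcmSetupOutcome -Line $sample | Format-List

# On a real client: read the log path given at the top of this page.
$log = 'C:\Windows\ccmsetup\Logs\ccmsetup.log'
if (Test-Path $log) {
    Get-CcmSetupOutcome -Line (Get-Content $log) | Format-List
    Get-Service -Name CcmExec -ErrorAction SilentlyContinue | Format-List Name, Status
}
```

Records whose message spans several lines are skipped by this parser, so open the log itself when `Problems` looks incomplete.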