SCCM 2012, SCEP and Windows FW

Hi guys,
I’ve seen it a couple of times now and decided to put it on the blog.
A couple of my clients, where I’ve installed SCCM 2012, had the exact same problem – the installation of the SCCM client failed, something to do with the SCCM server not being able to access WMI on the remote machine.
In short – the problem was that the Windows FW was on, and it blocked the WMI access. I created a special FW rule using GPO to allow remote management from the SCCM server, and that solved the problem.
More in-depth explanation – SCEP checks whether the Windows FW is on during the installation of SCEP. If the FW is on, and the SCEP policy is configured to disable it, SCEP disables it. But if you enable the Windows FW using GPO (and by default, if you haven’t changed anything, it’s on), then Windows will simply turn the FW back on during the next GPO refresh cycle. SCEP does not check the FW again after the product installation, which means that the FW stays on.
I could simply disable the FW using GPO, but I decided to keep it on and simply add a rule that allows remote management from the SCCM server (Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Windows Firewall: Allow inbound remote administration exception).
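To confirm on a client that the firewall is on and that the remote administration exception is limited to the SCCM server, here is an added example (not part of the original post). The server address is a placeholder, and the registry path is the one I understand this policy to write under the legacy Windows Firewall policy key; `Get-NetFirewallProfile` needs Windows 8 / Server 2012 or later.

```powershell
# Placeholder value: replace with the address of your SCCM site server.
$SccmServer = '192.0.2.10'

# Effective firewall state per profile, i.e. what is enforced after GPO refresh.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled |
    Format-Table -AutoSize

# Assumed location of the "Allow inbound remote administration exception"
# policy values (Enabled, RemoteAddresses), one subkey per firewall profile.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

$report = foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $key      = Join-Path $base "$fwProfile\RemoteAdminSettings"
    $settings = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Split the comma-separated source list into trimmed, non-empty entries.
    $sources = @()
    if ($settings -and $settings.RemoteAddresses) {
        $sources = @($settings.RemoteAddresses -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
    }

    # Classify the exception. Matching is exact, so a subnet entry that
    # happens to cover the server is reported as ReviewScope for a manual look.
    $status =
        if (-not $settings)                   { 'NotConfigured' }
        elseif ($settings.Enabled -ne 1)      { 'Disabled' }
        elseif ($sources.Count -eq 0 -or
                $sources -contains '*')       { 'OpenToAnySource' }
        elseif ($sources -contains $SccmServer -and
                $sources.Count -eq 1)         { 'ScopedToSccmServer' }
        else                                  { 'ReviewScope' }

    [pscustomobject]@{
        Profile = $fwProfile
        Status  = $status
        Sources = $sources -join ', '
    }
}

$report | Format-Table -AutoSize
```

`OpenToAnySource` means any host that can reach the client gets the remote administration ports, not just the SCCM server, so set the policy's allowed-addresses field to the server's address.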
