What should the GPO's say so SCEP will pull from the SCCM site server?
Let me explain....
I'm not at all confused about the policies on the SCCM side. SCCM manages those policies for SUP/SCEP by assigning LOCAL policies on the machine. My concern is existing GPO's and how they can supersede the local policies that SCEP and SCCM will implement. If I have any GPO, it will be considered a 'higher authority' than the SCEP and SCCM policies, and any settings you define in the processes you linked to can be over written. Having said that... We can put in the GPOs you discuss for client installation, but they impact SCEP.
This documentation is great if you are in a lab or a clean environment, where you have no pre-existing GPO policies that can create a conflict. And in fact, I already scoured them and have used them (great work BTW). We tried the SUP settings listed in there fhat you used for Client installation thinking they would simply duplicate the local policies the SCCM server creates. Those are for client installation. I would think those would work fine, but our inherited GPOs seem to create problems for our SCEP. And in fact, so do these. Clients can still update from MS, and if I leave everything default in SCEP, the updates still flow, but they don't pull updates from our SCCM server. (Have you verified that your updates are pulling from your SCCM server in your lab if you have those GPOs in place and that those clients are NOT pulling SCEP updates from MS? I'm betting they update from MS.)
When we have GPO's configured as you describe, SCEP updates from our SCCM server fail for us. (We limit where they can pull updates in our SCEP policies so they don't pull from MS sources for testing, and when we do that we fail an update process with and error: ?0x8024402c, which means it can't hit MS for updates)
In these docs, you don't discuss GPOs at all with regards to SCEP because SCCM doesn't need or use them. But MS docs for Forefront EP imply that having those settings can screw up local policies and create problems for SCEP. So, what we end up with is a client that is updating from MS, but not from my managed site server.
I'm building a production environment where we are migrating from a previous WSUS infrastructure, and I need to figure out a way to migrate through existing policies without creating a conflict. Right now, creating a GPO filter or creating a mirrored OU structure for machines while we migrate is a procress that I'd like to avoid if I can. What I need to do is identify what GPO setting CAN we set, what SHOULD we set, and what should we NOT set so that SUP and SCEP will work right and not get conflicted or confused.
I've seen plenty of confusion on what you can and cannot put in the SUP/FEP/SCEP GPOs. Some documents imply that if i specify the server AT ALL, I confuse SCEP/FEP, and it wont work as designed (because when it sees the server in the GPO, it presumes somehow that WAU and not SCCM is going to handle the downloading or similar issues). I HOPE I can create some GPOs that will overwrite my corporate ones (existing GPOs link at a higher point on the OU structure,and I would like to create downstream ones to overwrite the inherited policies to ones that will work right). This will make sure that SUP and SCEP both hit my SCCM box for updates.
I'm pretty sure out systems are working fine when we put a machine in an OU that doesn't pull ANY GPOs that refer to WSUS settings.
<message edited by COnfignoobie on Monday, August 13, 2012 1:16 PM>
Yes, I've seen those Anyweb, but that doesn't really answer my question. Which is :