Group Policy required for Clients to communicate for SCCM tasks

This post is part of SCCM Current Branch Installation Guide series.
In this post we are going to create a Group Policy for clients that is mandatory for proper communication with Active Directory and the SCCM site server.

Why we require Group Policy

We require these policies for tasks such as Active Directory discovery, remote administration and WMI connectivity. There are 3 types of settings we require:

  • To ping client workstations (by default this communication is blocked if the Windows Firewall is enabled)
  • To connect to the clients' Admin$ share
  • To connect to the clients' WMI (SCCM relies heavily on the WMI repository to store all policies, deployments and other tasks)

Default behavior of a client (before creating the Group Policy)

a. By default, we cannot ping the client workstations if the firewall is enabled. Even though the machine is switched on and connected to the same network, we will not receive a ping response.

b. We are not able to connect to the Admin$ share of the client (i.e. the client's “c:\windows” directory). This is required for various tasks including SCCM client push installation, where the setup files are copied over the network into the client's c:\windows directory. Screenshot of the error we will get:

c. Inbound remote administration is disabled by default, which means we cannot connect to the client's WMI repository remotely. This is mandatory to install the SCCM client and to download and save the various SCCM policies, deployments and tasks. If we try connecting to the client's WMI using wbemtest (an inbuilt tool on Windows), we will get the error “0x800706ba” (The RPC server is unavailable).

Create Group Policy for Clients

We have 2 client workstations, “Win10-01” and “Win10-02”, which are part of the OU “Client”.

Log on to the Domain Controller “DC01” and open “Group Policy Management” by typing gpmc.msc in the Run dialog (Windows + R).
Navigate to Group Policy Management\Domains\MANBAN.COM\Client. Right click and select “Create a GPO in this domain, and Link it here…”.

Specify the policy name as “Client Policy”. Right click the policy and select Edit to make changes to the policy.
Navigate to Computer Configuration \ Policies \ Administrative Templates \ Network \ Network Connections \ Windows Firewall \ Domain Profile.
The following 3 policies are required to be set:

Edit “Windows Firewall: Allow inbound file and printer sharing exception” and enable the policy. This will allow us to connect to the clients' Admin$ share.

Edit “Windows Firewall: Allow ICMP exceptions”, enable the policy and make sure to check the box “Allow inbound echo request”.

Edit “Windows Firewall: Allow inbound remote administration exception” and enable the policy. This in turn allows connections to the client's WMI repository.

Verify the policy is working as expected

Once we have set all 3 required policies, we need to wait at the client end for the new policy to be received, or we can run “gpupdate /force” on the client to apply the policy immediately without waiting. Once done we can see:

  • We are able to ping the system now.
  • We are able to connect to the \\Win10-01\Admin$ share.
  • Try connecting to the client's WMI by opening wbemtest (Windows + R). Click on Connect, provide the string \\Win10-01\root and click on “Connect”.
  • Once connected, you will be able to see the namespace as “\\Win10-01\root”.
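As an added example (not from the original post), the following PowerShell runs the same three checks from DC01 or the site server against both clients and, for any check that fails, names the firewall policy from the list above that governs it. It assumes the current user is a domain account with local administrator rights on the clients.

```powershell
# Added example, not part of the original post. Checks the three
# client prerequisites (ping, Admin$ share, WMI over DCOM/RPC) and
# reports which Domain Profile firewall policy to fix when one fails.
function Test-SccmClientPrereq {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($c in $ComputerName) {
        # 1. ICMP echo request: "Windows Firewall: Allow ICMP exceptions"
        $ping = Test-Connection -ComputerName $c -Count 2 -Quiet

        # 2. Admin$ share over SMB: "Allow inbound file and printer sharing exception"
        $share = Test-Path -Path "\\$c\Admin$" -ErrorAction SilentlyContinue

        # 3. WMI over DCOM/RPC, the same path wbemtest uses:
        #    "Allow inbound remote administration exception"
        $wmi = $false
        $wmiError = $null
        try {
            $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $wmi = $true
        } catch {
            # 0x800706BA here means the client's RPC endpoint could not be reached
            $wmiError = $_.Exception.Message
        }

        [pscustomobject]@{
            ComputerName = $c
            Ping         = $ping
            AdminShare   = $share
            Wmi          = $wmi
            WmiError     = $wmiError
            Fix          = @(
                if (-not $ping)  { 'Allow ICMP exceptions (inbound echo request)' }
                if (-not $share) { 'Allow inbound file and printer sharing exception' }
                if (-not $wmi)   { 'Allow inbound remote administration exception' }
            ) -join '; '
        }
    }
}

# Run from DC01 or the site server after gpupdate /force on the clients.
Test-SccmClientPrereq -ComputerName 'Win10-01', 'Win10-02' | Format-Table -AutoSize
```

A client that passes all three checks shows an empty Fix column; any policy named there is the one still missing or not yet applied on that client.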
