Installing SCCM client on internet connected device

Skip B 91 Reputation points

I am working on upgrading the SCCM client on devices that either connect only to our IBCM server or are very rarely connected to our network via VPN.

I have noticed that when trying to do a manual install of the client on an internet connected device, the process fails. When I connect it to VPN, the install succeeds.

When connected via VPN, I see these lines in the ccmsetup.log:

Adding file '<primary site server>:80/SMS_DP_SMSPKG$/DOT00003/x64/WindowsFirewallConfigurationProvider.msi' to BITS job, saving as 'C:\windows\ccmsetup\WindowsFirewallConfigurationProvider.msi'.

Adding file '<primary site server>:80/SMS_DP_SMSPKG$/DOT00003/x64/client.msi' to BITS job, saving as 'C:\windows\ccmsetup\client.msi'.

Starting BITS download for client deployment files.
Download Update: 1120 out of 61009408 bytes transferred.
Successfully completed BITS download for client deployment files.

It looks like there are 2 files missing from the install package that I am manually running.

These files end up in the C:\windows\ccmsetup folder even though they already exist in the x64 folder.

The command line I use is:

ccmsetup.exe /UsePKICert /NoCRLCheck /mp:<site server> SMSMP="<site server>" CCMHOSTNAME="<IBCM server, external facing name>" SMSSITECODE="<site code>"

Do I have to specify something else?


Microsoft Configuration Manager

3 answers

  1. Youssef Saad 3,401 Reputation points

    You have to check the configuration of your boundaries and boundary group in order to specify which DP will be used for which IP Address range/subnet.



  2. Youssef Saad 3,401 Reputation points

    What do the ccmsetup.log and client.msi.log files say when you try the installation in the internet context?



  3. AllenLiu-MSFT 41,371 Reputation points Microsoft Vendor

    @Skip B
    Thank you for posting in Microsoft Q&A forum.
    When we use /mp, if the client connects to a management point using HTTPS, specify the FQDN not the computer name. The value must match the management point PKI certificate's Subject or Subject Alternative Name.

    When we use /source, the Windows user account for client installation needs Read permissions to the location.

    So when you use /source, it works now, right?

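
The name requirement in the last answer (the /mp value must match the management point certificate's Subject or Subject Alternative Name) can be checked from the client before running ccmsetup. The PowerShell below is an added example, not part of the thread or of Microsoft's documentation; the host name is a placeholder and port 443 is an assumed HTTPS port.

```powershell
# Added example: compares the FQDN you intend to pass to /mp with the names in
# the certificate the management point presents. Host name is a placeholder.
param(
    [string]$MpFqdn = 'mp01.corp.example.com',   # placeholder, not from the thread
    [int]$Port = 443                             # assumed HTTPS port
)

function Test-CertNameMatch {
    param([string]$HostName, [string]$CertName)
    if ($CertName -ieq $HostName) { return $true }
    # A wildcard covers exactly one left-most label: *.example.com
    if ($CertName.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0 -and $HostName.Substring($dot) -ieq $CertName.Substring(1))
    }
    return $false
}

$tcp = [System.Net.Sockets.TcpClient]::new($MpFqdn, $Port)
try {
    # Accept whatever is presented: this run inspects the certificate, it does not trust it.
    $inspectOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $inspectOnly)
    $ssl.AuthenticateAsClient($MpFqdn)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    $tcp.Dispose()
}

# Subject CN plus the DNS names PowerShell exposes through DnsNameList (SAN entries).
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
    Where-Object { $_ } | Sort-Object -Unique

$hit = $names | Where-Object { Test-CertNameMatch -HostName $MpFqdn -CertName $_ }

[pscustomobject]@{
    Requested = $MpFqdn
    Subject   = $cert.Subject
    CertNames = $names -join ', '
    NotAfter  = $cert.NotAfter
    NameMatch = [bool]$hit
}
```

A `NameMatch` of `False` means the value given to /mp does not appear in the certificate, so use one of the names listed under `CertNames` instead of a short computer name.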