常见sccm客户端无法部署问题

1.sms client config manage 提示客户端无法安装成功，1003，依存服务无法启动

客户端的BITS ,WMI 服务没有启动

2. 启动安装客户端的命令

客户端Remote Registry无法启动

3.如果windows firewall启用，一些端口需要设置例外

客户端请求安装
为了成功使用客户端请求来安装 Configuration Manager 2007 客户端，您必须将下列项目作为例外添加到Windows 防火墙：

文件和打印机共享 Windows 管理规范 (WMI)

客户端请求

为了使客户端计算机与 Configuration Manager 2007 站点系统通信，您必须将下列项目作为例外添加到Windows 防火墙：

TCP 端口 80（用于 HTTP 通信）

TCP 端口 443（用于 HTTPS 通信）

这些是默认端口号，可以在 Configuration Manager 2007 中更改。有关详细信息，请参阅如何为Configuration Manager 客户端配置请求端口。如果这些端口已更改，您还必须在 Windows防火墙上配置匹配的例外。

网络访问保护
为了使客户端计算机与系统健康验证程序点成功通信，您需要允许下列端口：

UDP 67 和 UDP 68，用于 DHCP

TCP 80/443，用于 IPSec

远程控制

为了使用 Configuration Manager 2007 的远程工具功能，您需要允许下列端口：

TCP 端口 2701

TCP 端口 2702

远程协助和远程桌面
要支持从 SMS管理员控制台启动远程协助，请将自定义程序 helpsvc.exe 和自定义端口 TCP 135 添加到客户端计算机上 Windows防火墙中的许可程序和服务列表中。此外，还必须配置 Windows防火墙以允许远程协助和远程桌面。如果用户从该计算机启动远程协助请求，Windows防火墙将自动配置为允许远程协助和远程桌面

Modifying the Ports and Programs Permitted by WindowsFirewall

To modify the ports and programs permitted by WindowsFirewall:

On the computer running Windows Firewall, open ControlPanel.
Right-click WindowsFirewall andclick Open.
Onthe Exceptions tabof the Windows FirewallSettings dialog box, selectenable any required exceptions in the list box, or Click AddProgram or Add Port to create custom programs or ports

Programs and Ports Required by Configuration Manager 2007

The following Configuration Manager 2007 features requireexceptions to be made on the Windows Firewall:

Queries

If you are running the Configuration Manager console on acomputer running Windows Firewall, queries will fail the first timethey are run.

After failing to run the first time, the operating systemdisplays a dialog box asking if you want to unblock statview.exe.If you unblock statview.exe, future queries will run withouterrors. You can also manually add statview.exe to the list ofprograms and services onthe Exceptions tabof the Windows Firewall prior to running a query.

Client Push Installation

In order to successfully use client push to install theConfiguration Manager 2007 client, you must add the following asexceptions to the Windows Firewall:

File and Printer Sharing
Windows Management Instrumentation (WMI)

Client Installation using Group Policy

In order to successfully use Group Policy to install theConfiguration Manager 2007 client, you mustadd File and PrinterSharing as an exception tothe Windows Firewall.

Client Requests

In order for client computers to communicate with ConfigurationManager 2007 site systems, you must add the following as exceptionsto the Windows Firewall:

TCPPort 80 (forHTTP communication)

TCPPort 443 (forHTTPS communication)

Network Access Protection

In order for client computers to successfully communicate withthe system health validator point, you need to allow the followingports:

UDP 67 andUDP 68 forDHCP
TCP 80/443 forIPsec

Remote Control

In order to use the remote tools features of ConfigurationManager 2007, you need to allow the following ports:

TCPport 2701
TCPport 2702
TCPport 135

Remote Assistance and Remote Desktop

To enable Remote Assistance to be initiated from the SMSAdministrator console, add both the customprogram helpsvc.exe andthe custom portTCP 135 tothe list of permitted programs and services in Windows Firewall onthe client computer. Also, Windows Firewall must be configured topermit RemoteAssistance and RemoteDesktop. If a user initiates a request for RemoteAssistance from that computer, Windows Firewall will automaticallybe configured to permit Remote Assistance and Remote Desktop.

Windows Event Viewer, Windows Performance Monitor and WindowsDiagnostics

To enable Windows event viewer, Windows performance monitor andWindows diagnostics to be accessed from the Configuration Managerconsole, you must enable Fileand Printer Sharing as anexception on the Windows Firewall.

============

客户端批准方式怎么选的, 自动批准全部还是自动批准信任域? 如果是只批准信任域,站点又是跨域的,需要在Management Point上设置信任域。如果有非域内的机器，需要手动批准。

http://technet.microsoft.com/en-us/library/bb694183.aspx

还有其他可能原因，例如：

1. GUID重复。可以在客户端运行CCMDelCert强制获得新的GUID。

http://support.microsoft.com/kb/828367

2. 客户端和MP在不同的林并而且为外部信任关系。MP对客户端的批准是要通过Kerberos验证的。Kerberos不能穿透林。

===================================

根据该错误信息，我建议您尝试以下步骤来解决该问题：

步骤1：请在一台有问题的客户端上检查，确保SCCM push installation帐户属于本地管理员组。

步骤2：在那台有问题的客户端，暂时关闭firewall，然后再次测试该问题。

步骤3：在那台有问题的客户端，打开命令行窗口，运行“net share”，确保admin$ share存在

步骤4：在那台有问题的客户端上，确保客户端不要启用SMB signing，检查以下注册表键值： Hkey_Local_Machine\System\CurrentControlSet\Services\LanManServer\Parameters EnableSecuritySignature -> make sure the value is set to 1 RequireSecuritySignature -> make sure the value is set to 0 Hkey_Local_Machine\System\CurrentControlSet\Services\LanManworkstation\Parameters EnableSecuritySignature -> make sure the value is set to 1 RequireSecuritySignature -> make sure the value is set to 0

如果更改了以上任何注册表键值，请重启该客户端，然后再次尝试从SCCM服务器端安装客户端。如果问题仍然存在，请帮我收集以下信息： SCCM server： <SCCM installation path>\logs\ 在那台有问题的客户端: %systemroot%\system32\ccmsetup

另外：

1. 该客户端的IP地址是被属于Site boundary中的。

2. 此外，我想知道您是如何定义source file的，即您在哪里存放client.msi文件和ccmsetup.exe文件，请告诉我您的share path。请确保该share path中没有空格。

3. 另外，请从一台好的客户端上导出%systemroot%\system32\ccmsetup上的日志文件，这样我可以做一个比较。

本站仅提供存储服务，所有内容均由用户发布，如发现有害或侵权内容，请点击举报。