Yea, I've been to the console place, the trouble is the date there for last
update is sometime in June, and the same policies applied in the Endpoint
Protection | Policies node all list 10/1 as the last update date.  I need
the two to match, I would think.  The registry is a good nugget, and it has
the policy as applying fine and last, but there's no date there, so because
I didn't change the name, only the contents of the policy, the registry
looks like it should I think.  

 

I guess my question is what mechanism delivers the policies?  CCM client
policy update?  Windows Update?  I mean I can use notifications to start
scans or download definitions, but how does it get updated policy?  And
where does it store the stuff in the policy, like definition update location
and/or the order?  Or are we not meant to see any of that for security
reasons?

 

 

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Niall Brady
Sent: Monday, October 7, 2013 12:06 PM
To: [email protected]
Subject: Re: [mssms] RE: SCEP 2012 policy reset/force download

 

you probably know this already but you can see what policies are applied to
the client in  the console here (policies applied)

or via the registry (last applied policy)







 

On Mon, Oct 7, 2013 at 6:21 PM, Lutz, Ken <[email protected]> wrote:

You can also run the ConfigSecurityPolicy.exe with the full path and name of
your xml policy file to apply a policy.  
But you may have already known that.

 

Thanks,

Ken .

 

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, October 07, 2013 9:15 AM
To: [email protected]
Subject: [mssms] RE: SCEP 2012 policy reset/force download

 

I wish I had an easier way. 

It wasn't a use case I got to test during the SP1 TAP though, maybe someone
else will respond.

 

Specifying the policy file, you can even install on machines without the
configmgr agent on them, you just can't manage it without the configmgr agent
being present.

 

Christopher Catlett

Consultant | Detroit



 

Sogeti USA

Office 248-876-9738 |Fax 877.406.9647 

26957 Northwestern Highway, Suite 130, Southfield, MI 48033-8456

www.us.sogeti.com

 

From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, October 07, 2013 11:53 AM
To: [email protected]
Subject: [mssms] RE: SCEP 2012 policy reset/force download

 

Yea, thought I would end up there, just didn't know if there was something
to be done as an in-between, like renaming a folder and restarting services
or something.

 

I hadn't considered applying the policy explicitly though, so thanks for
that.

 

Todd

 

From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, October 7, 2013 10:16 AM
To: [email protected]
Subject: [mssms] RE: SCEP 2012 policy reset/force download

 

Worst case you can uninstall scep and repush it.

 

I would export the policy you want it to have, then run the below, to
reinstall scep over itself.

 

SCEPInstall.exe /policy <policy_path_and_name>.xml

 

Christopher Catlett


 

From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, October 07, 2013 9:51 AM
To: [email protected]
Subject: [mssms] SCEP 2012 policy reset/force download

 

I have a client that is not getting/downloading a changed SCEP policy.  How
do you force it to redownload and apply the new one?  Everything else seems
to be working fine.  The clue that it's not getting the right one, because I
can't look to see the name of the policy anymore since SP1, is that the old
definition update location lists windows update erroneously, and
windowsupdate.log keeps trying to get to windows update to update
definitions.  This client was getting the wrong delivery location from the
policy that was applied to it, and I've fixed that, but now the client won't
get the new policy and still tries to get to windows update.  The client is
on RFC 1918 space and can't reach windows update.

 

How can I look at the combined policy or remove and initiate a new download?

 

Todd

 

 

 

 

 

 

 


