Rauno,

You can't install the MBAM web roles on the same server as your ConfigMgr web roles (MP/DP/AppCatalog). When you installed MBAM, it had you create a new SPN <http://technet.microsoft.com/en-us/library/dn645331.aspx> which is now causing Kerberos to fail for the ConfigMgr roles.

If you check the System event log on the unapproved client, you should see errors from Security-Kerberos with event ID 4. It is expecting the Management Point to authenticate with Kerberos as computerobject$, but when you install MBAM you change that identity to a domain user such as contoso\mbamapppooluser. When Kerberos fails, the domain/forest ends up not being validated. Because the default setting says to only automatically approve trusted domains, these clients show up as unapproved.

You'll need to move the MBAM web roles to a different small virtual server and fix the SPN for the ConfigMgr box.

I hope that helps,

Nash

Nash Pherson
Microsoft MVP, Enterprise Client Management
Senior Systems Consultant
Now Micro
[email protected]
Desk: 651-796-1168
Cell: 507-304-0946
<http://www.nowmicro.com/>

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Rauno Summanen
Sent: Wednesday, December 3, 2014 1:40 AM
To: [email protected]
Subject: [mssms] CM2012 R2 CU1 Clients assigned but not approved

Hi,

I have a CM 2012 R2 CU1 single site system. After the installation of MBAM 2.5 with SCCM integration I got this issue of CM clients assigning to the site correctly after the OS installation, but they are not approved automatically. I have "Automatically approve computers in trusted domains" checked for that site. And the clients are members of the same domain as the CM server. When I manually approve clients everything starts working smoothly.

I heard some rumours of MBAM 2.5 CM integration breaking the CM Application Catalog, but this is different... or is it?

Any hints to push me in the right direction?

/Rane
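
Added example, not part of the original thread: a PowerShell check, run on an unapproved domain-joined client, that shows which account holds the HTTP SPN for the Management Point and lists recent Security-Kerberos event ID 4 errors. The host name is a placeholder, and the HTTP service class and the helper name Get-SpnOwner are assumptions of this example.

```powershell
# Added example. Placeholder host name; replace with the Management Point FQDN.
param(
    [string]$ManagementPointFqdn = 'cm01.contoso.example',
    [int]$MaxEvents = 20
)

# Hypothetical helper: find every account in the current domain holding an SPN.
function Get-SpnOwner {
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('objectclass')
    foreach ($result in $searcher.FindAll()) {
        $classes = @($result.Properties['objectclass'])
        [pscustomobject]@{
            Spn        = $Spn
            Account    = [string]$result.Properties['samaccountname'][0]
            IsComputer = $classes -contains 'computer'
        }
    }
}

$shortName = $ManagementPointFqdn.Split('.')[0]

# Assumption: the SPN created for MBAM uses the HTTP service class.
$owners = foreach ($spn in "HTTP/$ManagementPointFqdn", "HTTP/$shortName") {
    Get-SpnOwner -Spn $spn
}

if (-not $owners) {
    # With no explicit HTTP SPN, the computer account's HOST SPN covers HTTP.
    Write-Output "No explicit HTTP SPN registered for $ManagementPointFqdn."
}
foreach ($owner in $owners) {
    if ($owner.IsComputer) {
        Write-Output "$($owner.Spn) is held by computer account $($owner.Account)."
    } else {
        # The condition described in the reply: a user account owns the SPN.
        Write-Warning "$($owner.Spn) is held by user account $($owner.Account)."
    }
}

# Recent Security-Kerberos event ID 4 entries that mention the Management Point.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 4
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($shortName) } |
    Select-Object TimeCreated, Message
```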

