How to identify SCCM Client installation blocked by Windows firewall on client side

Article
01/11/2016

When client push installation fails and If you see below lines in your primary site server CCM.log file about connection errors;

CCM.log

======>Begin Processing request: "2097152011", machine name: "WIN81" SMS_CLIENT_CONFIG_MANAGER 10/17/2014 6:59:58 PM 5628 (0x15FC)

Execute query exec [sp_IsMPAvailable] N'P01' SMS_CLIENT_CONFIG_MANAGER 10/17/2014 6:59:58 PM 5628 (0x15FC)

---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 10/17/2014 6:59:58 PM 5628 (0x15FC)

---> Attempting to connect to administrative share '\\WIN81\admin$' using account 'GBS\SCCMAdmin' SMS_CLIENT_CONFIG_MANAGER 10/17/2014 6:59:58 PM 5628 (0x15FC)

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account GBS\SCCMAdmin (00000035) SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:00:47 PM 5628 (0x15FC)

---> The device WIN81 does not exist on the network. Giving up SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:00:47 PM 5628 (0x15FC)

---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:00:47 PM 5628 (0x15FC)

---> Attempting to connect to administrative share '\\Win81.GBS.TR\admin$' using account 'GBS\SCCMAdmin' SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:00:47 PM 5628 (0x15FC)

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account GBS\SCCMAdmin (00000035) SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:01:42 PM 5628 (0x15FC)

---> The device Win81.GBS.TR does not exist on the network. Giving up SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:01:42 PM 5628 (0x15FC)

---> Trying each entry in the SMS Client Remote Installation account list SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:01:42 PM 5628 (0x15FC)

---> Attempting to connect to administrative share '\\WIN81\admin$' using account 'GBS\SCCMAdmin' SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:01:42 PM 5628 (0x15FC)

---> WNetAddConnection2 failed (LOGON32_LOGON_NEW_CREDENTIALS) using account GBS\SCCMAdmin (00000035) SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

---> The device WIN81 does not exist on the network. Giving up SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

---> ERROR: Unable to access target machine for request: "2097152011", machine name: "WIN81", access denied or invalid network path. SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

STATMSG: ID=3015 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_CLIENT_CONFIG_MANAGER" SYS=SCCM2012R2PRI.GBS.TR SITE=P01 PID=284 TID=5628 GMTDATE=Fri Oct 17 16:02:37.903 2014 ISTR0="WIN81" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

Execute query exec [sp_CP_SetLastErrorCode] 2097152011, 53 SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

Stored request "2097152011", machine name "WIN81", in queue "Retry". SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097152011, 2 SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

Execute query exec [sp_CP_SetLatest] 2097152011, N'10/17/2014 16:02:37', 1 SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

<======End request: "2097152011", machine name: "WIN81". SMS_CLIENT_CONFIG_MANAGER 10/17/2014 7:02:37 PM 5628 (0x15FC)

Check the Pfirewall.log from client side Filtered by primary site server IP 192.168.1.4.;

Pfirewall.log

2014-10-17 18:58:51 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 18:58:51 DROP UDP 192.168.1.4 224.0.0.252 62410 5355 50 - - - - - - - RECEIVE

2014-10-17 18:58:51 DROP UDP 192.168.1.4 224.0.0.252 50154 5355 50 - - - - - - - RECEIVE

2014-10-17 18:58:51 DROP UDP 192.168.1.4 224.0.0.252 62410 5355 50 - - - - - - - RECEIVE

2014-10-17 18:58:51 DROP UDP 192.168.1.4 224.0.0.252 50154 5355 50 - - - - - - - RECEIVE

2014-10-17 18:58:52 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 18:59:08 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 18:59:08 DROP UDP 192.168.1.4 224.0.0.252 65327 5355 50 - - - - - - - RECEIVE

2014-10-17 18:59:08 DROP UDP 192.168.1.4 224.0.0.252 54608 5355 50 - - - - - - - RECEIVE

2014-10-17 18:59:09 DROP UDP 192.168.1.4 224.0.0.252 65327 5355 50 - - - - - - - RECEIVE

2014-10-17 18:59:09 DROP UDP 192.168.1.4 224.0.0.252 54608 5355 50 - - - - - - - RECEIVE

2014-10-17 18:59:09 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 18:59:10 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 18:59:24 DROP UDP 192.168.1.4 192.168.1.255 138 138 229 - - - - - - - RECEIVE

2014-10-17 18:59:58 DROP TCP 192.168.1.4 192.168.1.182 54372 445 52 S 752622963 0 8192 - - - RECEIVE

2014-10-17 18:59:59 ALLOW UDP 192.168.1.182 192.168.1.4 137 137 0 - - - - - - - SEND

2014-10-17 18:59:59 DROP TCP 192.168.1.4 192.168.1.182 54373 139 52 S 2880472433 0 8192 - - - RECEIVE

2014-10-17 19:00:01 DROP TCP 192.168.1.4 192.168.1.182 54372 445 52 S 752622963 0 8192 - - - RECEIVE

2014-10-17 19:00:02 DROP TCP 192.168.1.4 192.168.1.182 54373 139 52 S 2880472433 0 8192 - - - RECEIVE

2014-10-17 19:00:07 DROP TCP 192.168.1.4 192.168.1.182 54372 445 48 S 752622963 0 8192 - - - RECEIVE

2014-10-17 19:00:08 DROP TCP 192.168.1.4 192.168.1.182 54373 139 48 S 2880472433 0 8192 - - - RECEIVE

2014-10-17 19:00:10 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:10 DROP UDP 192.168.1.4 224.0.0.252 52615 5355 50 - - - - - - - RECEIVE

2014-10-17 19:00:10 DROP UDP 192.168.1.4 224.0.0.252 59239 5355 50 - - - - - - - RECEIVE

2014-10-17 19:00:11 DROP UDP 192.168.1.4 224.0.0.252 52615 5355 50 - - - - - - - RECEIVE

2014-10-17 19:00:11 DROP UDP 192.168.1.4 224.0.0.252 59239 5355 50 - - - - - - - RECEIVE

2014-10-17 19:00:11 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:12 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:20 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:21 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:22 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:00:24 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:00:26 DROP TCP 192.168.1.4 192.168.1.182 54378 139 52 S 3514695956 0 8192 - - - RECEIVE

2014-10-17 19:00:28 ALLOW TCP 192.168.1.182 192.168.1.4 59721 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:28 ALLOW TCP 192.168.1.182 192.168.1.4 59722 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:28 ALLOW TCP 192.168.1.182 192.168.1.4 59723 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:29 DROP TCP 192.168.1.4 192.168.1.182 54378 139 52 S 3514695956 0 8192 - - - RECEIVE

2014-10-17 19:00:31 ALLOW TCP 192.168.1.182 192.168.1.4 59724 80 0 - 0 0 0 - - - SEND

2014-10-17 19:00:34 ALLOW TCP 192.168.1.182 192.168.1.4 59725 80 0 - 0 0 0 - - - SEND

2014-10-17 19:00:34 ALLOW TCP 192.168.1.182 192.168.1.4 59726 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:34 ALLOW TCP 192.168.1.182 192.168.1.4 59727 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:34 ALLOW TCP 192.168.1.182 192.168.1.4 59728 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:34 ALLOW TCP 192.168.1.182 192.168.1.4 59729 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:35 DROP TCP 192.168.1.4 192.168.1.182 54378 139 48 S 3514695956 0 8192 - - - RECEIVE

2014-10-17 19:00:36 ALLOW TCP 192.168.1.182 192.168.1.4 59730 80 0 - 0 0 0 - - - SEND

2014-10-17 19:00:36 ALLOW TCP 192.168.1.182 192.168.1.4 59731 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:36 ALLOW TCP 192.168.1.182 192.168.1.4 59732 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:43 ALLOW TCP 192.168.1.182 192.168.1.4 59733 445 0 - 0 0 0 - - - SEND

2014-10-17 19:00:47 DROP TCP 192.168.1.4 192.168.1.182 54381 445 52 S 4201564353 0 8192 - - - RECEIVE

2014-10-17 19:00:48 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:49 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:50 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:00:50 DROP TCP 192.168.1.4 192.168.1.182 54381 445 52 S 4201564353 0 8192 - - - RECEIVE

2014-10-17 19:00:50 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:00:52 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:00:54 DROP TCP 192.168.1.4 192.168.1.182 54382 139 52 S 3215771702 0 8192 - - - RECEIVE

2014-10-17 19:00:56 DROP TCP 192.168.1.4 192.168.1.182 54381 445 48 S 4201564353 0 8192 - - - RECEIVE

2014-10-17 19:00:57 DROP TCP 192.168.1.4 192.168.1.182 54382 139 52 S 3215771702 0 8192 - - - RECEIVE

2014-10-17 19:01:03 DROP TCP 192.168.1.4 192.168.1.182 54382 139 48 S 3215771702 0 8192 - - - RECEIVE

2014-10-17 19:01:15 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:01:16 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:01:17 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:01:19 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:01:21 DROP TCP 192.168.1.4 192.168.1.182 54383 139 52 S 3810785355 0 8192 - - - RECEIVE

2014-10-17 19:01:24 DROP TCP 192.168.1.4 192.168.1.182 54383 139 52 S 3810785355 0 8192 - - - RECEIVE

2014-10-17 19:01:30 DROP TCP 192.168.1.4 192.168.1.182 54383 139 48 S 3810785355 0 8192 - - - RECEIVE

2014-10-17 19:01:34 ALLOW TCP 192.168.1.182 192.168.1.4 59735 445 0 - 0 0 0 - - - SEND

2014-10-17 19:01:34 ALLOW TCP 192.168.1.182 192.168.1.4 59736 445 0 - 0 0 0 - - - SEND

2014-10-17 19:01:34 ALLOW TCP 192.168.1.182 192.168.1.4 59737 445 0 - 0 0 0 - - - SEND

2014-10-17 19:01:42 DROP TCP 192.168.1.4 192.168.1.182 54384 445 52 S 904320555 0 8192 - - - RECEIVE

2014-10-17 19:01:43 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:01:44 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:01:45 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:01:45 DROP TCP 192.168.1.4 192.168.1.182 54384 445 52 S 904320555 0 8192 - - - RECEIVE

2014-10-17 19:01:46 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:01:47 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:01:49 DROP TCP 192.168.1.4 192.168.1.182 54385 139 52 S 1549587116 0 8192 - - - RECEIVE

2014-10-17 19:01:51 DROP TCP 192.168.1.4 192.168.1.182 54384 445 48 S 904320555 0 8192 - - - RECEIVE

2014-10-17 19:01:52 DROP TCP 192.168.1.4 192.168.1.182 54385 139 52 S 1549587116 0 8192 - - - RECEIVE

2014-10-17 19:01:58 DROP TCP 192.168.1.4 192.168.1.182 54385 139 48 S 1549587116 0 8192 - - - RECEIVE

2014-10-17 19:02:10 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:02:11 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:02:12 DROP UDP 192.168.1.4 192.168.1.255 137 137 78 - - - - - - - RECEIVE

2014-10-17 19:02:13 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:02:14 DROP ICMP 192.168.1.4 192.168.1.182 - - 60 - - - - 8 0 - RECEIVE

2014-10-17 19:02:16 DROP TCP 192.168.1.4 192.168.1.182 54387 139 52 S 320556715 0 8192 - - - RECEIVE

2014-10-17 19:02:19 DROP TCP 192.168.1.4 192.168.1.182 54387 139 52 S 320556715 0 8192 - - - RECEIVE

2014-10-17 19:02:25 DROP TCP 192.168.1.4 192.168.1.182 54387 139 48 S 320556715 0 8192 - - - RECEIVE

As you see packages dropped on client side firewall. You need to define exceptions on client side Windows Firewall for ;

Outbound and inbound: File and Printer Sharing
Inbound: Windows Management Instrumentation (WMI)

https://technet.microsoft.com/en-us/library/gg682180.aspx

Dynamic port range for RPC defined in https://support.microsoft.com/en-us/kb/832017

Start port: 49152 -End port: 65536

Ozan Yilmaz

Support Engineer

How to identify SCCM Client installation blocked by Windows firewall on client side

Additional resources