Remotely Force SCCM Clients to Update Policy & Start SCEP Actions

Successfully Tested On: Microsoft System Center Configuration Manager versions 2012 R2 - 1906, Microsoft Endpoint Configuration Manager versions 1910 - 2203

System Center Configuration Manager has always relied on pull-based client communication for its regular interaction between servers and clients.  This type of technology has many benefits but can be frustrating when dealing with remote or time-sensitive environments.

Beginning with Configuration Manager 2012 SP1, a new infrastructure component was introduced called Client Notification.  Unlike the traditional policy channel, the client notification channel is push-based and provides an almost instant method of communication with clients.

Set Up Client Notification

By default, client notification communicates over TCP on port 10123.  This can be modified in the Configuration Manager Console under Administration > Site Configuration > Sites.  Right-click the appropriate site, select Properties, and go to the Ports tab:

[Screenshot: Client notification port setting on the site's Ports tab]

Ensure the host firewalls on the management point and on the clients, as well as any firewalls in between, allow traffic over the specified port.  Client notification can also fall back to HTTP and HTTPS if needed.
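To check the port and firewall prerequisites above from the command line, here is an added PowerShell example that is not part of the original post. It assumes the client opens the TCP connection to the management point on the notification port, and the management point name MP01.corp.example is a placeholder.

```powershell
# Added example, not from the original post. Assumes the client initiates
# the TCP connection to the management point (MP) on the notification port
# (10123 by default) and that the MP name used below is replaced with yours.

function Test-CMClientNotificationPort {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ManagementPoint,
        [int] $Port = 10123
    )
    # Run on a client: can it reach the MP on the notification port, and on
    # the HTTP/HTTPS ports used by the fallback channel?
    $probe = { param($p)
        (Test-NetConnection -ComputerName $ManagementPoint -Port $p `
            -WarningAction SilentlyContinue).TcpTestSucceeded }
    [pscustomobject]@{
        ManagementPoint = $ManagementPoint
        Port            = $Port
        TcpReachable    = & $probe $Port
        HttpReachable   = & $probe 80
        HttpsReachable  = & $probe 443
    }
}

function Get-CMNotificationFirewallRule {
    param([int] $Port = 10123)
    # Run on the MP: list enabled inbound Allow rules that cover TCP $Port,
    # so you can confirm Windows Firewall actually admits the channel.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" -or $_.LocalPort -contains 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile, Enabled
}

# Usage (replace the placeholder MP name with your management point):
Test-CMClientNotificationPort -ManagementPoint 'MP01.corp.example'
Get-CMNotificationFirewallRule
```

If TcpReachable is false but the HTTP/HTTPS probes succeed, clients will still receive notifications over the slower fallback channel, which usually points at a blocked port rather than a broken site.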

Notify Clients to Check for Policies

Once client notification is set up, forcing clients to check for policies is extremely easy.  In the Configuration Manager Console, right-click on a target device collection or device(s) within a collection and select to update either computer or user policies:

[Screenshot: Right-click client notification menu for updating computer or user policy]

NOTE: The client notification options are NOT available under the generic devices node.  You must select either a device collection or devices from within an existing collection in order for the options to appear.

Notify SCEP to Perform Actions

System Center Endpoint Protection can also be controlled remotely through the new client notification channel.  A full scan, quick scan, and definition updates can all be initiated as one-time operations from within the Configuration Manager Console.  These options are found below the regular client notification options in the same right-click contextual menu:

[Screenshot: Endpoint Protection actions in the client notification menu]

Client Notification Tasks Last One Hour

These push tasks have a validity period of one hour and expire after that.  For example, if a client is offline when a task is pushed, the initial push to that client will fail.  If the client comes online within one hour, the notification server will re-push the task to it.  If the client comes online after one hour, the task will not be pushed because it will have expired.

Monitor Client Operation Status

The client operation status can be monitored in the Configuration Manager Console under Monitoring > Client Operations.  If the task is successfully delivered to clients, it will be counted in the Success column.

2 comments

  1. Here’s the thing, I really love your articles. Will you write more about this? magnificent post, thanks a lot.


    1. Thank you, I’m glad it was helpful for you. I will try and make time to write more SCCM articles.

