Q. How can I enable the firewall exceptions for deploying the System Center Configuration Manager (SCCM) 2007 client using Group Policy?

A. To deploy the SCCM 2007 client by pushing the client from SCCM, you need the File and Printer Sharing and Windows Management Instrumentation (WMI) firewall exceptions on the clients. Additionally, clients need HTTP/HTTPS exceptions for communication to the SCCM site systems and TCP ports 2701, 2702, and 135 for remote control. Microsoft has a full list available.

The easiest way to create these exceptions is to define a Group Policy Object (GPO), as I'll describe here.

  1. Create a new GPO.
  2. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security, Inbound Rules.
  3. Select New Rule.
  4. Select Predefined then File and Printer Sharing and then click Next.
  5. Select all the rules and click Next.
  6. Select Allow the connection then click Finish.
  7. Repeat the above steps for WMI, World Wide Web Services (HTTP Traffic-In), and World Wide Web Services (HTTPS Traffic-In).
  8. For remote control, you need to create a Port rule specifying protocol type TCP and ports 2701, 2702, and 135.

Apply this GPO to your SCCM client computers. Once group policy has refreshed, you should be able to push the SCCM client (providing you've correctly configured SCCM).
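
To confirm on a client that the exceptions from the steps above are actually in effect after the policy refresh, a check like the following can be run in an elevated PowerShell session. This is an added example, not part of the original FAQ. It assumes the NetSecurity module (Windows 8 / Server 2012 or later), English rule names, and that "Windows Management Instrumentation (WMI)" is the predefined group behind the WMI step.

```powershell
# Added example: verify the effective (ActiveStore) inbound firewall policy on a client.
# Assumptions: NetSecurity module available, English display names, elevated session.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

# Predefined groups and rules named in steps 4 and 7.
$expected = [ordered]@{
    'File and Printer Sharing' = { $_.DisplayGroup -eq 'File and Printer Sharing' }
    'WMI'                      = { $_.DisplayGroup -eq 'Windows Management Instrumentation (WMI)' }
    'HTTP Traffic-In'          = { $_.DisplayName -eq 'World Wide Web Services (HTTP Traffic-In)' }
    'HTTPS Traffic-In'         = { $_.DisplayName -eq 'World Wide Web Services (HTTPS Traffic-In)' }
}

$report = @(foreach ($item in $expected.GetEnumerator()) {
    $hits = @($rules | Where-Object $item.Value)
    [pscustomobject]@{
        Check   = $item.Key
        Present = $hits.Count -gt 0
        Rules   = $hits.Count
        # GroupPolicy here means the rule came from the GPO rather than local policy.
        Source  = ($hits.PolicyStoreSourceType | Sort-Object -Unique) -join ','
    }
})

# Custom port rule from step 8: join TCP port filters back to their rules by InstanceID.
$allowIds = @($rules.InstanceID)
$tcp = Get-NetFirewallPortFilter -PolicyStore ActiveStore -Protocol TCP |
    Where-Object { $allowIds -contains $_.InstanceID }

$report += foreach ($port in '2701', '2702', '135') {
    # Exact port match only; ranges and keywords such as RPCEPMap are not expanded.
    $hits = @($tcp | Where-Object { $_.LocalPort -contains $port })
    $ids  = @($hits.InstanceID)
    $src  = @($rules | Where-Object { $ids -contains $_.InstanceID })
    [pscustomobject]@{
        Check   = "TCP $port"
        Present = $hits.Count -gt 0
        Rules   = $hits.Count
        Source  = ($src.PolicyStoreSourceType | Sort-Object -Unique) -join ','
    }
}

$report | Format-Table -AutoSize
```

A row with `Present` set to False points at a rule that did not arrive with the GPO, and a `Source` of Local rather than GroupPolicy means the exception exists but is not coming from the policy you created.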
