edwalt's - Things I Wish I'd known about SBS 2003....

SCE 2007 - Client Computers return "Not Yet Contacted".


This error can be triggered by several different issues:

1. The Client Firewall is enabled.

Ports needed:

TCP Ports: 8530, 8531, 5723, 51906, 135, 445, 139

UDP Ports: 137, 138

These ports are necessary for client installation and basic communication between SCE clients and the SCE server.

2. Automatic Updates Service is disabled on the clients.

3. WSUS URLs are set incorrectly in the registry on the clients.

 

The WindowsUpdate.log file is usually very helpful with WSUS connection issues. Do not confuse it with "Windows Update.log" (note the space between the words).

 

To verify the current client WSUS registry settings:

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate - verify that the following settings are there:
WUServer – https://<SCEServer>:8531
WUStatusServer – https://<SCEServer>:8531
AcceptTrustedPublisherCerts – “1”

If the registry values are incorrect, modify them.

You can force the client to contact the WSUS server by running "wuauclt -detectnow" on the client.
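
An added example (not from the original post) that checks causes 2 and 3 on a client from Windows PowerShell. The function name `Test-SceWsusClient` and the host name in the last line are hypothetical; the registry path, value names and port 8531 are the ones listed above, and `wuauserv` is the service name of Automatic Updates.

```powershell
# Added example: run locally on an affected client in Windows PowerShell.
# $SceServer is a value you supply; it is not taken from the original post.
function Test-SceWsusClient {
    param([Parameter(Mandatory = $true)][string]$SceServer)

    $key      = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
    $url      = "https://${SceServer}:8531"
    $expected = @{
        WUServer                    = $url
        WUStatusServer              = $url
        AcceptTrustedPublisherCerts = '1'
    }
    $findings = @()

    # Cause 3: compare each policy value with what the post says it should be.
    $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        # The value may be REG_SZ or REG_DWORD, so compare as strings;
        # ignore letter case and a trailing slash in the URL.
        $ok = ($null -ne $value) -and ("$value".TrimEnd('/') -ieq $expected[$name])
        if (-not $ok) {
            $findings += "Registry: $name is '$value', expected '$($expected[$name])'"
        }
    }

    # Cause 2: the Automatic Updates service must not be disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if (-not $svc) {
        $findings += 'Service: wuauserv not found'
    } elseif ($svc.StartMode -eq 'Disabled') {
        $findings += "Service: Automatic Updates is disabled (state: $($svc.State))"
    }

    if ($findings.Count -eq 0) {
        'OK: WSUS policy values and Automatic Updates start mode look correct'
    } else {
        $findings
    }
}

Test-SceWsusClient -SceServer 'sce01.example.local'   # constructed host name
```

A mismatch on `WUServer` or `WUStatusServer` also tells you the client is taking updates from a server other than the one you intended, which is worth confirming before simply overwriting the value.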

4. The SCE Group Policies are not linked to the Default Domain Policy.

    • Log on as a Domain Administrator on the Domain Controller server (Windows Server 2003 with Service Pack 1).
    • Go to Start > Administrative Tools > Active Directory Users and Computers.
    • To set the Group Policy for the whole domain, right-click the domain name and choose “Properties”. To apply the Group Policy only to certain Organizational Units, select the OU and follow the same steps.
    • Choose the Group Policy tab, select the Default Domain Policy and click “Edit”.
    • Group Policy Object Editor will open. Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Domain Profile.
    • In the Domain Profile settings, double-click “Windows Firewall: Allow remote administration exception”.
    • Under “Settings” choose the “Enabled” option and, in the “Allow unsolicited incoming messages from:” text box, enter the IP address or addresses of the Principal Management Server or Management Servers that will manage the agents in that domain or OU. Separate multiple Management Server IP addresses with commas. Once completed, click “OK”.
    • In the Domain Profile settings, double-click “Windows Firewall: Allow file and printer sharing exception”.
    • Under “Settings” choose the “Enabled” option and, in the “Allow unsolicited incoming messages from:” text box, enter the IP address or addresses of the Principal Management Server or Management Servers that will manage the agents in that domain or OU. Separate multiple Management Server IP addresses with commas. Once completed, click “OK”.
    • In the Domain Profile settings, double-click “Windows Firewall: Define port exceptions”.
    • Under “Setting” choose the “Enabled” option and click the “Show” button. Click “Add” in the “Show Contents” dialog and enter “6270:TCP:<IP address of principal management server>:enabled:SCEAgent”.

Note: By default Group Policy takes 90 minutes to push down the configuration to the server and client machines.

If you would like a computer to pull down the new Group Policy configuration, go to the server machine, open a command window (Start > Run, type cmd) and type gpupdate /force.

To verify that the Group Policy configuration has been applied to the server, go to Start > Run, type rsop.msc, scroll to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\ and check whether the IP address exceptions set for the remote administration exception and the file and printer sharing exception were applied to the local machine.

5. The clients are not members of the SCE_Managed_Computers security group.

By default, computers in the "Computers" container are added to this group automatically.  If computers are located in other containers they will need to be added to the group manually.

    • Open Active Directory Users and Computers <DSA.MSC>.
    • View the OU that contains one of the computers experiencing the issue.
    • Open the properties of the Computer.
    • Select the "Member Of" tab.
    • Add the computer to the SCE_Managed_Computers group.
    • Log the client off of the network, then log the client back on.
    • Restart the OpsMgr Health Service on the client.

6. File and Print sharing is not enabled on the client.

>edwalt

Comments
  • On step #4, can the GPO changes be made on the OU that has the SCE computers? I have a SCE GPO applied at the SCE_Computers_Group_ OU and have inheritance blocked. Will this work?
