Scanning from Client Push Install issue

[trevoralf]

Hi,  I'm having an odd issue where some clients appear 'invisible' to the scan on the Client Push Install page.  I have a number of clients within an IP range, all with the same firewall, policies etc.  If I scan (simple scan, no software detection) the range then most clients appear, except for a few that just don't appear in the 'Computers found' list for no obvious reason.

I can see from the live firewall logging (while connected to an affected client) that the request from the server is arriving at the machine and is not being blocked.  There is nothing i can find that's different between the majority of clients that are scannable and the odd few that are 'invisible'.  

Please could you let me know if you have any ideas what may be stopping this working?

Thanks.

[trevoralf]

I should also point out that the machines in question don;t have any MB software installed at the moment (hence me trying to scan them via Push-Install)

[djacobson]

Have all the prerequisites for deployment listed in your guide been completed?

Are the clients you are scanning for located on the same subnet/vlan as the server is or a different one?

[trevoralf]

Thanks for the reply Dyllon,  All the clients I've seen this issue on at the moment are on different subnets to the server.  However, plenty of other machines on the same subnet as the ones that's failing are scanning correctly.  I've checked network configs, pinging across the subnets works fine etc. but can't seen anything obvious.

Yesterday I manually installed the client package on one of these machines and it's communicating with the server with no problems, so i have a manual install as a fallback but it would be good to understand what's going on.

[djacobson]

The behavior you are seeing is a new issue, but is happening "by design". Check those machines for certain Windows update KB numbers. These recent updates have restricted using netbios across subnets (and within the same subnet if the server also has the update installed), so these machines will not show up. Our push tool uses netbios name services, the issue cannot be replicated by pinging the target machine and so ping is not a good test to confirm netbios connections.

The updates in question which block netbios across subnets are KB3161949, KB3163017 and KB3163018. There's four options available:

1. Modify (if existing) or create the registry key HKLM\SYSTEM\CurrentControlSet\Services\NetBT|AllowNBToInternet a 32 bit dword with a value of 1.
2. You can also bypass this with a GPO to allow an exception for netbios if you are using Windows Firewall:
3. Use an offline installer package created by the console in Policy -> Create Installation Package to install locally or through GPO/SCCM.
4. Remove the updates from the server and the endpoint temporarily.