Client Push requirements

Client Push is a feature that is responsible for fixing defective SCCM clients that are on the domain, but not reporting directly to its assigned site. Additionally, machines that have never received the SCCM client will have it installed.

There are several prerequisites to meet before you can successfully push a client to a remote computer:

One of the specified client push installation accounts must be a member of the local administrators group on the destination computer. Alternatively, you can grant the machine account of the SCCM server to as a local admin

The computer must have the ADMIN$ share enabled.
The computer must be found by the site server and vice versa, using DNS name resolution.
Client Push Installation Firewall Exceptions –
In order to successfully use client push to install client, you must add the following as exceptions to the Windows Firewall or any other firewall between the site server and the client machine:

 File and Printer Sharing
 Windows Management Instrumentation (WMI)

Ports:
UDP TCP
Server Message Block (SMB) between the site server and client computer. — 445

RPC endpoint mapper between the site server and the client computer. 135 135

RPC dynamic ports between the site server and the client computer. — DYNAMIC

Hypertext Transfer Protocol (HTTP) from the client computer to a mixed mode management point. — 80 (See note 1, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a native mode management point. — 443 (See note 1, Alternate Port Available)

In the client push installation method, the server makes an initial connection to the admin$ share on the prospective client computer using Windows file-sharing protocols. Administrative access to the client is required to connect to the admin$ share.

The site server uses these connections to copy the required setup files to the client and then installs and starts the ccmsetup service.