The new version of SCCM is out! You may know this version as SCCM vNext, SCCM 2016 or SCCM 1511. The product group explained on their blog that the new version will simply be called SCCM.
SCCM installation is not a walk in the park, and the product itself can be complex for inexperienced administrators. Our goal is to go a bit further than a click-through, explaining concepts and best practices rather than just guiding the user through the installation process.
If you're not familiar with SCCM features, you can visit this Technet article (for 2012) and this Technet article (for 1511), which cover them all.
If you're already running SCCM and plan to migrate, stop reading this guide. You do not need to do a complete installation; see our blog post on how to upgrade instead.
I hope this guide brings all the information you need and that you'll enjoy administering it.
Windows 10
Windows 10 servicing
Sideloading apps in Windows 10
Compliance settings for Windows 10
Infrastructure
Console
Mobile device management (MDM) feature parity between Intune stand-alone and Configuration Manager
Mobile Application Management
Data protection for mobile devices
On-premises mobile device management (MDM)
App deployment to Windows 10 devices with on-premises MDM
Certificate provisioning is supported for Windows 10 devices that you manage using on-premises mobile device management.
Improved workflow for creating mobile device configuration items
Bulk enrollment of Windows 10 devices with on-premises MDM
Wipe and retire for on-premises mobile device management
If you're not running any version of SCCM in your environment, keep reading: this guide is for you!
You can do an in-place upgrade instead of a complete installation if you're running one of the following SCCM versions (cumulative updates are not mandatory). Consult our SCCM 1511 upgrade guide to do so.
o SCCM 2012 SP1
o SCCM 2012 SP2
o SCCM 2012 R2
o SCCM 2012 R2 SP1
If you're running a Technical Preview on your lab server, completely uninstall it before doing a fresh install. An upgrade from a Technical Preview version is not supported.
If you're running SCCM 2007 SP2 or later, a side-by-side migration is still possible, but you must start with a fresh install on a separate server.
If you're running SMS 2003, you seriously need to upgrade your remaining XP computers!
In the first part of this guide about SCCM installation, we will cover hardware requirements, design recommendations and server prerequisites.
The hardware requirements for a Primary Site server depend largely on the features that are enabled and how each component is used. As the number of clients grows and changes, the server hardware requirements change accordingly.
For the initial deployment, hardware requirements can be estimated for each server by determining:
The overall need for each component (Will you do Operating System Deployment? How many daily software deployments? Are inventory and reporting important for your organisation? Will you manage Internet clients?)
The number of clients planned to be installed
The load on each installed SCCM component
In general, medium environments (a couple of thousand clients) should consider the following recommendations when planning hardware:
SCCM and SQL Server communicate constantly. We recommend that the site database and SQL Server be installed on the Primary site server. This is fully debatable and we understand that some organisations try to standardize their SQL distribution, but performance is simply better with a local installation when configured properly.
Neither the SCCM site nor the SQL database should share their disks with other applications.
Configure the SQL Server databases and logs to run on a different disk than the disk where the SCCM site files are located.
Another issue to consider when determining hardware requirements for a site server is the total amount of data that will be stored in the database. To estimate the required database size for a single site, an approximate figure of 5 MB to 10 MB per client is typically used.
In our setup, we will install a single Primary Site that has the roles of Management Point, Reporting Point, Distribution Point, PXE Service Point, State Migration Point, Fallback Status Point and Software Update Point. SQL Server Reporting Services will be used to provide consolidated reporting for the hierarchy. This role will also be installed on the SCCM server. Running reports can have an impact on server CPU and memory utilization, particularly if large, poorly structured queries are executed as part of the report generation.
Consider placing client-facing roles (Distribution Point, Reporting Point) on separate servers in order to reduce the load on your Primary server.
SCCM 1511
SCCM 2012
We strongly recommend that you understand SQL Server before installing SCCM. Talk to and keep a good relationship with your DBA if you have one in your organisation.
Make sure that your OS is supported; see the SCCM 2012 or SCCM 1511 Technet documentation.
For this guide, our servers run Windows Server 2012 R2 with the latest security patches.
Disk I/O is the most important factor in SCCM performance. We recommend configuring the disks following SQL Server best practice: split the load across different drives. When formatting the SQL drives, the NTFS allocation unit size (cluster size) must be 64 KB instead of the default 4 KB. See the previous recommended reading to achieve this.
Letter   Content
C:\      Windows
D:\      SCCM
E:\      SQL Database (64K)
F:\      SQL TempDB (64K)
G:\      SQL Transaction Logs and SQL TempDB Logs (64K)
Once your hardware is carefully planned, we can now prepare our environment and server before SCCM Installation.
You need to extend the Active Directory schema only if you haven't had a previous installation of SCCM in your domain. If you have already installed either 2007 or 2012 in your environment, you can skip this step as it's probably already done.
Log on to a server with an account that is a member of the Schema Admins security group and run extadsch.exe from the SMSSETUP\BIN\X64 folder of the installation media; the result is written to ExtADSch.log on the root of the system drive.
SCCM does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created once for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services.
Create the necessary accounts and groups before installation. You can use different names, but I'll refer to these names throughout the guide.
Description                                                     Type    Name
SQL Server service account                                      User    SCCM-SQLService
SCCM Network Access Account                                     User    SCCM-NAA
Domain user account used for SCCM client push installation      User    SCCM-ClientPush
Domain user account for use with Reporting Services             User    SCCM-SQLReporting
Domain account used to join machines to the domain during OSD   User    SCCM-DomainJoin
Domain group containing all SCCM admins                         Group   SCCM-Admins
Domain group containing all SCCM servers in the hierarchy       Group   SCCM-SiteServers
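The accounts in the table can be created in one pass with the ActiveDirectory PowerShell module. This is an added example, not a script from the original guide; the OU (OU=SCCM,DC=contoso,DC=com) and the prompt-for-password approach are assumptions. The accounts deserve a moment of thought: the Network Access Account is delivered to every client in its policy, so treat it as a credential that could be recovered from any compromised client and give it nothing beyond read access to distribution point content; the client push account is used by the site server to connect to clients as a local administrator, so it too should be a plain domain user, not a domain admin; and the SQL service account will carry an SPN, so give it a long random password and restrict it to AES Kerberos tickets.

```powershell
# Added example, not the guide's own script: create the SCCM service accounts
# and groups from the table above. The OU and the prompt-for-password are
# assumptions; keep every account a plain domain user with least privilege.
Import-Module ActiveDirectory

$ou = 'OU=SCCM,DC=contoso,DC=com'   # assumed: an OU dedicated to SCCM objects

$users = @(
    @{ Name = 'SCCM-SQLService';   Description = 'SQL Server service account (gets an SPN)' },
    @{ Name = 'SCCM-NAA';          Description = 'Network Access Account: read-only on DP content' },
    @{ Name = 'SCCM-ClientPush';   Description = 'Client push: local admin on clients only' },
    @{ Name = 'SCCM-SQLReporting'; Description = 'Reporting Services data source account' },
    @{ Name = 'SCCM-DomainJoin';   Description = 'OSD domain join account' }
)

foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Name)'") { continue }   # idempotent re-runs
    $pw = Read-Host -AsSecureString -Prompt "Password for $($u.Name)"
    New-ADUser -Name $u.Name -SamAccountName $u.Name -Path $ou -Description $u.Description `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType 'AES128,AES256'   # no RC4 service tickets for the SPN-bearing account
}

# Security groups for the administrators and for the site server computer accounts
foreach ($g in 'SCCM-Admins', 'SCCM-SiteServers') {
    if (Get-ADGroup -Filter "Name -eq '$g'") { continue }
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ou
}

# Check: list what was created and confirm none of the accounts sits in a privileged group
Get-ADUser -Filter 'SamAccountName -like "SCCM-*"' -Properties MemberOf |
    Select-Object SamAccountName, Enabled, @{ n = 'MemberOf'; e = { $_.MemberOf -join '; ' } }
```

The final query is the check worth keeping around: the MemberOf column for these accounts should stay empty (or list only SCCM-specific groups) for the life of the hierarchy.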
Make sure that the server has a fixed IP and that the internet connection is up.
Run this script in an elevated command prompt to open the ports needed for SCCM.
** If you are using custom ports, change the values before running the script. Only open what you actually use: SCCM itself does not need Analysis Services, so drop those two rules if SSAS is not installed. Note also that these rules accept connections from any remote address. **
@echo ========= SQL Server Ports ===================
@echo Enabling SQL Server default instance port 1433
netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
@echo Enabling Dedicated Admin Connection port 1434
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
@echo Enabling conventional SQL Server Service Broker port 4022
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
@echo Enabling Transact-SQL Debugger/RPC port 135
netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
@echo ========= Analysis Services Ports ==============
@echo Enabling SSAS default instance port 2383
netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
@echo Enabling SQL Server Browser redirector port for SSAS 2382
netsh advfirewall firewall add rule name="SQL Browser (SSAS)" dir=in action=allow protocol=TCP localport=2382
@echo ========= Misc Applications ==============
@echo Enabling HTTP port 80
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
@echo Enabling SSL port 443
netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
@echo Enabling SQL Server Browser Service port 1434 (UDP, used by the 'Browse' button and instance discovery)
netsh advfirewall firewall add rule name="SQL Browser (UDP)" dir=in action=allow protocol=UDP localport=1434
@echo Allowing Ping command
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
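The netsh rules above are the minimum to get setup through; they open every port to any address on every profile. As an added example that is not part of the original guide, the same rules done with the NetSecurity cmdlets, limited to the Domain profile and, for the SQL ports, to the hosts that actually need the database. Since SQL Server sits on the site server in this guide, the only things that need those ports from outside are remote site systems that talk to the database (a remote Application Catalog web service point or reporting point, for instance) and the subnet your consoles run from. The addresses are assumptions; replace them with yours.

```powershell
# Added example, not part of the original guide: the same inbound rules with
# PowerShell's NetSecurity cmdlets, limited to the Domain profile and, for the
# SQL ports, to the hosts that actually need the database. The addresses are
# assumptions; replace them with your site systems and admin subnet.
$dbClients = @('10.0.0.20', '10.0.0.21')   # assumed: remote site systems that query the site database
$adminNet  = '10.0.10.0/24'                # assumed: subnet of the SCCM administrators

$rules = @(
    @{ Name = 'SQL Server (TCP 1433)';         Proto = 'TCP'; Port = 1433; Remote = $dbClients + $adminNet },
    @{ Name = 'SQL DAC (TCP 1434)';            Proto = 'TCP'; Port = 1434; Remote = @($adminNet) },
    @{ Name = 'SQL Browser (UDP 1434)';        Proto = 'UDP'; Port = 1434; Remote = $dbClients + $adminNet },
    @{ Name = 'SQL Service Broker (TCP 4022)'; Proto = 'TCP'; Port = 4022; Remote = $dbClients },
    @{ Name = 'RPC endpoint mapper (TCP 135)'; Proto = 'TCP'; Port = 135;  Remote = $dbClients + $adminNet },
    @{ Name = 'HTTP (TCP 80)';                 Proto = 'TCP'; Port = 80;   Remote = @('Any') },   # clients
    @{ Name = 'HTTPS (TCP 443)';               Proto = 'TCP'; Port = 443;  Remote = @('Any') }    # clients
)

foreach ($r in $rules) {
    # idempotent: skip rules that already exist so re-running does not duplicate them
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
}

# ICMPv4 echo request, the equivalent of the last netsh line above
if (-not (Get-NetFirewallRule -DisplayName 'ICMPv4 echo request' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'ICMPv4 echo request' -Direction Inbound -Action Allow `
        -Profile Domain -Protocol ICMPv4 -IcmpType 8 | Out-Null
}

# Consoles reach the SMS Provider over WMI, which uses dynamic RPC ports beyond 135;
# the built-in WMI rule group covers them without opening a static range
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# Check: port and remote-address scope of every SQL rule just created
foreach ($rule in Get-NetFirewallRule -DisplayName 'SQL*') {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    '{0}: {1}/{2} from {3}' -f $rule.DisplayName, $port.Protocol, $port.LocalPort, ($addr.RemoteAddress -join ', ')
}
```

If you later move a role (say the reporting point) to another server, add its address to $dbClients and re-run; the existence check keeps the rule set from accumulating duplicates.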
Place a file named no_sms_on_drive.sms in the root of each drive you don't want SCCM to put content on.
On the Primary site server, the following components must be installed before the SCCM installation. We'll install them with PowerShell.
On the site server, open a PowerShell prompt as an administrator and run the following commands. This installs the required features without using the Windows Server 2012 GUI.
Import-Module ServerManager
Install-WindowsFeature -Name Web-Windows-Auth, Web-ISAPI-Ext, Web-Metabase, Web-WMI, BITS, RDC, NET-Framework-Features, Web-Asp-Net, Web-Asp-Net45, NET-HTTP-Activation, NET-Non-HTTP-Activ -Source \\yournetwork\yourshare\sxs
The -Source path points at a copy of the sources\sxs folder from the Windows installation media; it is only needed for .NET Framework 3.5 (NET-Framework-Features), whose payload is not staged locally on Windows Server 2012.
Ensure that every feature reports Success as its exit code. It's normal to see Windows Update warnings at this point.
If you're planning to use Windows 10 servicing, you need to consider applying this important WSUS update to your Windows Server. This hotfix is only available for Windows Server 2012; if you're running your Software Update Point on Windows Server 2008, consider moving your SUP to a Windows Server 2012 server.
Install the Windows ADK with the following components:
Deployment Tools
Windows Preinstallation Environment (Windows PE)
User State Migration Tool (USMT)
Add the computer account of all your site servers to the SCCM-SiteServers AD group.
Ensure that the group has Full Control on the System Management container (and all descendant objects) in Active Directory.
Add both the SCCM-Admins and SCCM-SiteServers groups to the local Administrators group on the site server.
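The container creation described in the schema section and the permission and group membership steps above are one task, shown here as an added example that is not part of the original guide. It assumes a single site server named SCCM01 and takes the domain DN from Get-ADDomain. The permission is deliberately granted on the System Management container only: that is all the site server needs to publish its objects, so there is no reason to widen it to the parent System container.

```powershell
# Added example, not from the original guide: create the System Management
# container, grant the SCCM-SiteServers group Full Control on it (inherited to
# child objects, which is what site server publishing needs), and add the site
# server computer accounts to the group. Server names are assumptions.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$systemDN    = "CN=System,$($domain.DistinguishedName)"
$containerDN = "CN=System Management,$systemDN"
$group       = 'SCCM-SiteServers'
$siteServers = @('SCCM01')   # assumed: one stand-alone primary site server

# The container is created once per domain; SCCM does not create it for you
if (-not (Get-ADObject -Identity $containerDN -ErrorAction SilentlyContinue)) {
    New-ADObject -Name 'System Management' -Type container -Path $systemDN
}

# Full Control (GA = generic all) for the group, inherited to this object and its sub-objects (/I:T)
$trustee = '{0}\{1}:GA' -f $domain.NetBIOSName, $group
dsacls $containerDN /G $trustee /I:T | Out-Null

# Site server computer accounts; the new membership is only in the server's
# logon token after a reboot, so restart the site server before running setup
foreach ($s in $siteServers) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $s)
}

# Check: the ACE for the group should show full control on the container, and
# the group should contain only computer objects
dsacls $containerDN | Select-String -Pattern $group
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```

The dsacls check matters after an upgrade too: if site publishing starts failing with access-denied messages in hman.log, this ACE is the first thing to look at.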
If applicable, uninstall any previous SCCM client and FEP present on the server before the installation. If the client is present, the SCCM Management Point installation could fail.
Run Windows Update and patch your server to the latest level.
Click the following link to see the SCCM 2012 and 1511 supported SQL versions. For our post, we will install SQL Server 2014 locally on the same server where the Primary Site will be installed.
When you configure SQL Server to use the Local System account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the Local System account is not in use, you must manually register the SPN for the SQL Server service account; without it, Kerberos authentication to SQL Server fails and connections silently fall back to NTLM.
Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server. It must be run with Domain Administrator credentials.
Run both setspn commands to create the SPNs, changing the server name and account name in each command.
To verify that the domain user's SPN is correctly registered, use the setspn -L command:
setspn -L yourdomain\SQLSA
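The SPN registration and the two checks a practitioner wants afterwards, as an added example that is not the guide's own commands. The host name SCCM01.contoso.com, the account CONTOSO\SCCM-SQLService (from the accounts table) and port 1433 are assumptions.

```powershell
# Added example, not the guide's own commands: register the SQL Server SPNs for
# the domain service account and verify that clients authenticate with Kerberos.
# Host name, account and port are assumptions matching the guide's layout.
$sqlFqdn    = 'SCCM01.contoso.com'       # assumed FQDN of the SQL Server host
$sqlNetBios = 'SCCM01'
$account    = 'CONTOSO\SCCM-SQLService'   # the service account from the table above
$port       = 1433                        # default instance; change for a static custom port

# setspn -S checks the forest for a duplicate before adding: a duplicated SPN
# breaks Kerberos silently, so never use -A here
setspn -S "MSSQLSvc/${sqlFqdn}:$port" $account
setspn -S "MSSQLSvc/$sqlFqdn" $account
setspn -S "MSSQLSvc/${sqlNetBios}:$port" $account

# Check 1: what is registered for the account, and any duplicate SPNs in the forest
setspn -L $account
setspn -X

# Check 2: run this from another domain-joined machine after restarting the SQL
# Server service so it picks up the SPN; the connection should report KERBEROS,
# not NTLM (a local shared-memory connection will not show Kerberos either way)
Import-Module SqlServer
Invoke-Sqlcmd -ServerInstance $sqlFqdn -Query @"
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
"@
```

If setspn -X reports a duplicate for MSSQLSvc, remove the stale one from the old account with setspn -D before expecting Kerberos to work.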
SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid the warning, we set the SQL Server memory limits to 8 GB minimum and 12 GB maximum (75% of the 16 GB of RAM on our server, leaving the rest for Windows and the site roles that share the box).
In SQL Server Management Studio, right-click the instance, select Properties and open the Memory page:
Minimum server memory (MB): 8192
Maximum server memory (MB): 12288
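The same setting from PowerShell, working the numbers out from installed RAM rather than hard-coding them, as an added example that is not from the original guide. It assumes the SqlServer module (for Invoke-Sqlcmd) and a local default instance; the 8 GB floor is the value SCCM setup checks for.

```powershell
# Added example (not from the original guide): derive SQL Server memory limits
# from installed RAM and apply them with sp_configure. Assumes the SqlServer
# module (Invoke-Sqlcmd) and a local default instance; the 8 GB floor is the
# value SCCM setup checks for.
Import-Module SqlServer

$instance = $env:COMPUTERNAME
$totalMB  = [int]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$minMB    = 8192
# Leave roughly a quarter of RAM for Windows and the site roles that share the server
$maxMB    = [math]::Floor($totalMB * 0.75)
if ($maxMB -lt $minMB) {
    throw "Only $totalMB MB installed; SCCM setup expects SQL Server to reserve 8 GB"
}

$tsql = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'min server memory (MB)', $minMB;
EXEC sp_configure 'max server memory (MB)', $maxMB;
RECONFIGURE;
-- check: value_in_use is what the engine is actually running with
SELECT name, value_in_use FROM sys.configurations WHERE name LIKE '%server memory%';
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $tsql | Format-Table -AutoSize
```

On a 16 GB server this lands at 8192/12225 MB, the same shape as the 8192/12288 the guide sets by hand; the point of computing it is that the script stays correct when the server is later resized.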
We always recommend creating the SCCM database before the setup. This is not mandatory, SCCM will create the database for you during setup, but it will not create it the optimal way. We strongly recommend watching The Top Ten Lessons Learned in Managing SQL session from MMS 2013, which covers it all.
We follow the guide made by MVP Kent Agerlund to estimate our DB sizing needs. Visit his blog post and download the provided Excel file. Input your values in the blue cells and keep it for the next part. We'll create the DB using those values with a script in the next section.
For this guide, we've created a database for 2000 clients, 2 processors, 2 cores and 16 GB of RAM.
To create the database, you can use Kent's script and input your values (as returned previously in the Excel file) OR use the following one, which is really simple:
The database name must be CM_<SiteCode>, where the three-character site code you enter during the SCCM installation replaces XXX. Be sure to select a site code that is unique in the hierarchy. Also make sure the SQL Server instance (and therefore this database) uses the SQL_Latin1_General_CP1_CI_AS collation that SCCM requires; setup's prerequisite check fails on any other collation.
**Change the values of FILENAME, SIZE, MAXSIZE and FILEGROWTH (all in MB). Change the location of the files to your SQL and log drives.**
USE master
GO
CREATE DATABASE CM_XXX
ON PRIMARY
( NAME = CM_XXX_1, FILENAME = 'E:\SCCMDB\CM_XXX_1.mdf', SIZE = 7560MB, MAXSIZE = UNLIMITED, FILEGROWTH = 2495MB ),
( NAME = CM_XXX_2, FILENAME = 'E:\SCCMDB\CM_XXX_2.ndf', SIZE = 7560MB, MAXSIZE = UNLIMITED, FILEGROWTH = 2495MB )
LOG ON
( NAME = CM_XXX_log, FILENAME = 'G:\SCCMLogs\CM_XXX_log.ldf', SIZE = 4990MB, MAXSIZE = 4990MB, FILEGROWTH = 512MB )
GO
Open SQL Server Management Studio and run the script. If you find out that you made an error, you can safely delete the database using SQL Server Management Studio and rerun the script.
Run the following script to size TempDB (using the values returned by the Excel file).
**Change the values of FILENAME, SIZE, MAXSIZE and FILEGROWTH (all in MB). Change the location of the files to your TempDB and log drives.**
USE master
GO
ALTER DATABASE tempdb MODIFY FILE (NAME = 'tempdev', FILENAME = 'F:\SCCMTempDB\tempdb.mdf', SIZE = 4536MB, MAXSIZE = UNLIMITED, FILEGROWTH = 512MB)
GO
ALTER DATABASE tempdb MODIFY FILE (NAME = 'templog', FILENAME = 'G:\SCCMLogs\templog.ldf', SIZE = 2268MB, MAXSIZE = UNLIMITED, FILEGROWTH = 512MB)
GO
Run it in SQL Server Management Studio. The new file locations only take effect after the SQL Server service is restarted (TempDB is recreated at startup), so restart the service and confirm the files were created on the F:\ and G:\ drives before going on.
To ensure proper SQL communication, verify that the TCP/IP protocol is configured as follows in SQL Server Configuration Manager, under SQL Server Network Configuration / Protocols:
Enabled: YES
Listen All: NO
In the IP Addresses tab, for the server's own IP address:
Active: YES
Enabled: YES
and for every other address (loopback and unused adapters):
Active: YES
Enabled: NO
Make sure the TCP Port of the enabled address is the static 1433 the firewall rules above allow, not a dynamic port.
We will now run the prerequisite checker and install a stand-alone Primary site. The installation screenshots are taken from SCCM 1511. The wizard has 3 more screens than 2012 but the rest is the same.
Before launching the installation, we recommend running the Prereqchk tool in order to verify that all components are configured correctly. The installation wizard also runs this check, but if you're missing a requirement, you'll have to go through the whole installation wizard again after fixing it. We prefer to use the stand-alone tool.
Browse to .\SMSSETUP\BIN\X64 on the installation media and run prereqchk.exe
Refer to this Technet article to see the list of all checks done by the tool.
If you have any warning or error, refer to the previous link in order to resolve it, or go through the prerequisites sections of this guide.
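Running the checker and pulling the failures out of its log, as an added example that is not from the original guide. The media path E:\ is an assumption; C:\ConfigMgrPrereq.log is where the tool writes by default.

```powershell
# Added example, not part of the original guide: run the stand-alone
# prerequisite checker against this server and list the checks that did not
# pass. $media is an assumption; ConfigMgrPrereq.log on C:\ is the default log.
$media     = 'E:\'
$prereqchk = Join-Path $media 'SMSSETUP\BIN\X64\prereqchk.exe'
$log       = 'C:\ConfigMgrPrereq.log'

# /LOCAL checks the computer you run it on; the window closes when it is done
Start-Process -FilePath $prereqchk -ArgumentList '/LOCAL' -Wait -NoNewWindow

# The log accumulates across runs; keep only the tail of this run and show the
# lines whose status is Warning or Error rather than Passed
$findings = Get-Content $log |
    Where-Object { $_ -match '\b(Error|Warning)\b' -and $_ -notmatch '\bPassed\b' } |
    Select-Object -Last 50

if ($findings) {
    'Prerequisite checks that need attention:'
    $findings
} else {
    'All prerequisite checks passed'
}
```

Keep the log after a clean run: when setup later complains, the timestamped entries in ConfigMgrPrereq.log tell you whether the server drifted between the check and the install.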
We are finally ready to launch the setup. First, reboot the server. This makes sure that the machine is not in a reboot pending state.
Open the SCCM ISO
Run Splash.hta
Select Install
On the Prerequisite Licenses screen, accept the License Terms and click Next
On the Prerequisite Downloads screen, specify a location to download the prerequisite files
1511 only
CMTrace will become your best friend when reading log files.
Browse to .\SMSSETUP\TOOLS and run CMTrace.exe
This toolkit contains fifteen downloadable tools to help you manage and troubleshoot Microsoft System Center 2012 R2 Configuration Manager. The toolkit also supports SCCM 1511.
System Center 2012 Configuration Manager Support Center helps you gather information about System Center 2012 Configuration Manager clients so that you can more easily address issues. We have tested this tool on SCCM 1511 and it's functional.
You can also refer to our blog post about useful resources to help you begin and learn SCCM.
This section will describe how to install the SCCM Application Catalog web service point and the Application Catalog website point.
The Application Catalog web service point provides software information to the Application Catalog website from the Software Library.
The Application Catalog website point provides users with a list of available software.
This is not a mandatory site system, but you need both the Application Catalog website point and the Application Catalog web service point if you want to provide your users with a self-service application catalog (web portal).
The Application Catalog web service point and the Application Catalog website point are hierarchy-wide options. It's supported to install those roles on a stand-alone Primary site or a child Primary site. It's not supported to install them on a Central Administration site or Secondary site. The Application Catalog web service point must reside in the same forest as the site database.
If you have fewer than 10,000 users in your company, co-locating the Application Catalog web service and Application Catalog website roles on the same server should be fine. The web service role connects directly to the SCCM SQL database, so ensure that the network connectivity between the SQL Server and the Application Catalog web service server is robust.
If you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness high and user satisfaction up. Use client settings to configure collections of computers to use different Application Catalog servers.
Read more on how to provide a great application catalog experience to your users in this Technet blog article.
If your clients need HTTPS connections, you must first deploy a web server certificate to the site system. If you need to allow Internet clients to access the application catalog, you also need to deploy a web server certificate to the Management Point configured to support Internet clients. When supporting Internet clients, Microsoft recommends that you install the Application Catalog website point in a perimeter network and the Application Catalog web service point on the intranet, so that only the user-facing website is exposed and the role that talks to the site database stays inside. For more information about certificates, see the following Technet article.
Using Windows Server 2012, the following features must be installed before the role installation:
Features:
Features:
For this section we will install both roles on our stand-alone Primary site using HTTP connections. If you split the roles between different machines, do the installation section twice: once on the first site system (selecting Application Catalog web service point during role selection) and a second time on the other site system (selecting Application Catalog website point during role selection).
Open the SCCM console
Status messages
Internet Explorer
It's possible to create a DNS entry to redirect it to something easier (ex: http://ApplicationCatalog)
Ensure that the client settings for your clients are set correctly to access the Application Catalog: go to Administration / Client Settings
The AISP is used to connect to Microsoft in order to download Asset Intelligence catalog information and upload uncategorized titles. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager.
This is not a mandatory site system, but we recommend installing the AISP if you are planning to use Asset Intelligence. Read our blog post on why you should use Asset Intelligence in SCCM 2012.
The AISP is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level site. Install it on your Central Administration Site or stand-alone Primary Site depending on your design.
Navigate to Administration / Site Configuration / Servers and Site System Roles
AIUSSetup.log – Information about the installation of the Asset Intelligence catalog synchronization point site system role. Verify in AIUSSetup.log that the installation is completed.
Navigate to Assets and Compliance / Overview / Asset Intelligence
In order to have inventory data, first ensure that Hardware Inventory is enabled in your Client Settings.
Navigate to Administration / Client Settings
On the Hardware Inventory tab, right-click Asset Intelligence and select Edit Inventory Classes
Select Enable only the selected Asset Intelligence reporting classes
Select SMS_InstalledSoftware, SMS_ConsoleUsage and SMS_SystemConsoleUser
This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in
the Asset Intelligence catalog.
This maintenance task provides the information that is displayed in the Assets and Compliance workspace. When the task
runs, Configuration Manager gathers a count for all inventoried software titles at the primary site.
This section will describe how to install the SCCM 2012 R2 Certificate Registration Point (CRP).
Using SCCM and Intune, the CRP communicates with a server that runs the Network Device Enrollment Service (NDES) to provision device certificate requests.
This is not a mandatory site system, but we recommend installing a CRP if you need to provision client certificates to your devices (for VPN or Wi-Fi, for example).
Before the CRP can be installed, dependencies outside SCCM are required. I won't cover the prerequisite configuration in detail as it is well documented in this Technet article and goes beyond SCCM. Here's an overview of what needs to be done:
On the machine that will receive the CRP role, install the following using Windows Server roles and features:
IIS
ASP.NET 3.5
ASP.NET 4.5
WCF HTTP Activation
If you are installing the CRP on a machine other than the site server, you will need to add the machine account of the site server to the local Administrators group on the CRP machine.
The Certificate Registration Point must not be installed on the same server that runs the Network Device Enrollment Service.
It's supported to install this role on a Central Administration Site, child Primary Site or stand-alone Primary Site, but it's not supported on a Secondary Site.
Navigate to Administration / Site Configuration / Servers and Site System Roles
Click on Add
Example: https://ndes.systemcenterdudes.com/certsrv/mscep/mscep.dll
Using a browser, verify that you can connect to the URL of the certificate registration point, for example https://crp.systemcenterdudes.com/CMCertificateRegistration
An HTTP 403 error is OK. If you get a 404 or 500 error, look at the log files before continuing.
After the CRP is installed, the system exports the certificate that will be used by the NDES plug-in to the inboxes\certmgr.box folder under the site installation directory. It may take up to 1 hour to appear.
Save this .cer file on the NDES server as we will need it in the next section.
Now that the Certificate Registration Point has been installed, we must install a plug-in on the NDES server to establish the connection with SCCM.
On the server that runs the Network Device Enrollment Service:
Copy the \SMSSETUP\POLICYMODULE\X64 folder from the Configuration Manager installation media to a temporary folder
From the temporary folder, run PolicyModuleSetup.exe
Click Next, accept the license terms and click Next
On the Installation Folder page, accept the default installation folder and click Next
On the Certificate Registration Point page, specify the URL of the Certificate Registration Point. This is the Virtual Application Name created during the SCCM role installation (Example: https://crp.systemcenterdudes.com/CMCertificateRegistration)
Accept the default port of 443 and click Next
On the Client Certificate for the Policy Module page, browse to and specify the client authentication certificate. This is the same certificate you used in the CRP installation wizard in SCCM
On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file (the one exported from \inboxes\certmgr.box)
Click Next and complete the wizard
Open the registry editor and browse to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
Make sure that the values of EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate match the names of the templates on your CA
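The two checks this section asks for, the URL test (where a 403 from the CRP virtual application is expected and a 404 or 500 is not) and the MSCEP template names, as an added example that is not from the original guide. The URLs are the guide's own examples; the expectation that the script runs on a machine that trusts the certificates on both sites is an assumption.

```powershell
# Added example, not from the original guide: check the CRP and NDES endpoints
# the way the text describes (403 from the CRP virtual application is expected;
# 404 or 500 is not) and read back the MSCEP template names on the NDES server.
# The URLs are the guide's examples; adjust them to your servers.
$crpUrl  = 'https://crp.systemcenterdudes.com/CMCertificateRegistration'
$ndesUrl = 'https://ndes.systemcenterdudes.com/certsrv/mscep/mscep.dll'

function Get-HttpStatus([string]$Url) {
    try {
        (Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15).StatusCode
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive as exceptions; the status code is on the response object.
        # A certificate trust failure has no response: fix the trust, do not disable validation.
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { throw }
    }
}

foreach ($u in $crpUrl, $ndesUrl) {
    $code = Get-HttpStatus $u
    $verdict = switch ($code) {
        { $_ -in 200, 403 } { 'OK' }
        404                 { 'virtual application missing: check the CRP/NDES setup logs' }
        500                 { 'application error: check the IIS and CRP logs' }
        default             { "unexpected HTTP $code" }
    }
    '{0} -> HTTP {1}: {2}' -f $u, $code, $verdict
}

# On the NDES server: the three template names must exist on the CA exactly as spelled here
$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$mscep | Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
```

Run the registry part on the NDES server itself; the URL part can run from any domain-joined admin workstation, which is also a better test than a browser on the server, since it exercises the same path devices will use.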
Technet Article
This section explains how to add a new distribution point to an existing SCCM infrastructure. This procedure is for a server operating system (2003, 2008 or 2012); a client OS (Windows 7/8) is also supported but does not support PXE and multicast.
Several distribution points can provide better access to available software, updates and operating systems. A local DP also prevents installations over the WAN for remote offices.
On the DP, add a group that contains your site server computer account to the local Administrators group.
I like to create an SCCM AD group that contains all my distribution points.
In Local Users and Groups, click on Groups and double-click on Administrators
Configuration Manager requires some roles and features to be installed on the server prior to the DP installation.
For Windows Server 2008, 2008 R2, 2012 and 2012 R2, WDS is installed and configured automatically when you configure a distribution point to support PXE or multicast. For Windows Server 2003, you must install and configure WDS manually.
11.4.4. BITS
With System Center 2012 Configuration Manager, the distribution point site system role does not require Background Intelligent Transfer Service (BITS). When BITS is configured on the distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS.
For Configuration Manager SP1+, vcredist_x64.exe is installed automatically when you configure a distribution point to support PXE.
11.4.7. Firewall
Ensure that your firewall is configured correctly. 2 ports need to be opened.
Reboot your server to avoid the case where your server is in a reboot pending state, which would result in an unexpected reboot during distribution point installation.
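Both here and before launching the primary site setup, the guide's advice is to reboot so the machine is not in a reboot pending state. As an added example that is not from the original guide, a function that checks the places Windows records a pending reboot, so you restart on purpose only when needed and can tell afterwards why the state was set.

```powershell
# Added example (not from the original guide): check the places Windows records
# a pending reboot before starting site setup or a role installation, so you
# reboot on purpose rather than have the installation fail or restart on its own.
function Test-PendingReboot {
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    $reasons = @()
    if (Test-Path $cbs) { $reasons += 'Component Based Servicing (a feature or update is half-installed)' }
    if (Test-Path $wu)  { $reasons += 'Windows Update' }

    # Files queued to be replaced at next boot (installers use this for locked files)
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro) { $reasons += 'PendingFileRenameOperations' }

    # A rename or domain join leaves the active and configured names different until reboot
    $active  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName' -Name ComputerName).ComputerName
    $pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName' -Name ComputerName).ComputerName
    if ($active -ne $pending) { $reasons += 'Computer rename or domain join' }

    [pscustomobject]@{ RebootPending = ($reasons.Count -gt 0); Reasons = $reasons }
}

$state = Test-PendingReboot
if ($state.RebootPending) {
    "Reboot pending ($($state.Reasons -join '; ')); restarting before continuing"
    Restart-Computer -Confirm
} else {
    'No reboot pending; safe to start the installation'
}
```

The reasons matter as much as the yes/no: a Component Based Servicing flag right after installing the Windows features from the prerequisites section is expected, whereas one that keeps coming back points at an update that is failing to complete.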
Now that the distribution point server is ready to receive a new role, we need to add the server to the site server list.
In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, and then right-click Servers and Site System Roles
Click Next
Do not specify a proxy server
Select HTTP
11.6.1. Logs
You can track the installation progress in 2 logs:
11.6.3. Console
Click on your DP
You can now replicate your content to your newly created DP. Replicate manually or add your DP to an existing DP group.
The Endpoint Protection Point provides the default settings for all antimalware policies and installs the Endpoint Protection client on the site system server to provide a data source from which the SCCM database resolves malware IDs to names. When you install this site system role, you must accept the license terms for System Center 2012 R2 Endpoint Protection.
This is not a mandatory site system, but you need to install an EPP if you're planning to use SCCM as your antivirus management solution (using Endpoint Protection).
This site system is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy. It's supported to install this role on a Central Administration Site or stand-alone Primary Site.
Before installing the EP role, you must have a Software Update Point installed and configured.
Navigate to Administration / Site Configuration / Servers and Site System Roles
Click Next
On the Summary tab, review your settings and click Next
Navigate to Administration / Site Configuration / Servers and Site System Roles
This section will describe how to install the Enrollment Point and Enrollment Proxy Point site system roles.
The Enrollment Point uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers and to provision Intel AMT-based computers.
The Enrollment Proxy Point manages Configuration Manager enrollment requests from mobile devices and Mac computers.
This is not a mandatory site system, but you need both the Enrollment Point and the Enrollment Proxy Point if you want to enroll legacy mobile devices and Mac computers and to provision Intel AMT-based computers. Since modern mobile devices are mostly managed using Windows Intune, this post will focus mainly on Mac computer enrollment.
The SCCM 2012 Enrollment Point and Enrollment Proxy Point are site-wide options. It's supported to install those roles on a stand-alone or child Primary site. It's not supported to install them on a Central Administration site or Secondary site.
You must install an SCCM Enrollment Point in the user's forest so that the user can be authenticated if a user enrolls mobile devices by using SCCM and their Active Directory account is in a forest that is untrusted by the site server's forest.
When you support mobile devices on the Internet, as a security best practice, install the Enrollment Proxy Point in a perimeter network and the Enrollment Point on the intranet, so that only the proxy is reachable from the Internet and the role that issues certificates stays inside.
Beginning with System Center 2012 Configuration Manager SP2, the computer that hosts the SCCM 2012 Enrollment Point or Enrollment Proxy Point site system role must have a minimum of 5% of the computer's available memory free to enable the site system role to process requests. When those site system roles are co-located with another site system role that has this same requirement, this memory requirement for the computer does not increase, but remains at a minimum of 5%.
Using Windows Server 2012, the following features must be installed before the role installation:
Enrollment Point
Features:
Features:
IIS Configuration:
For this section we will install both roles on a stand-alone Primary site using HTTPS connections. If you split the roles between different machines, do the installation section twice: once on the first site system (selecting Enrollment Point during role selection) and a second time on the other site system (selecting Enrollment Proxy Point during role selection).
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
In the IIS Website and Virtual application name fields, leave both at the default values
Logs
Follow this Technet Guide if you want to proceed to next steps for Mac computers enrollment.
The FSP helps monitor client installation and identify unmanaged clients that cannot communicate with their management
point.
This is not a mandatory Site System but we recommend to install a FSP for better client management and monitoring. This is
the Site System that receive State Message related to client installation, client site assignment, and clients unable to
communicate with their HTTPS Management Point.
If the FSP is not configured properly you’ll end up having A fallback status point has not been specified errors in your logs.
This Site System is a hierarchy-wide option. It’s supported to install this role on a child Primary Site or stand-alone Primary Site
but it’s not supported on a Central Administration site nor Secondary Site.
Navigate to Administration /
Site Configuration /
Servers and Site System
Roles
Fspmgr.log – Verify whether clients are successfully sending state messages to the FSP
You can also check if reports that depend on the FSP are populated with data. See the full list of reports that rely on
the FSP here.
Use the FSP client installation property to point your clients to your newly created FSP: navigate to Administration / Site Configuration / Sites, open the Client Push Installation properties and, on the Installation Properties tab, add FSP=<FSP server FQDN> to the ccmsetup properties.
Every SCCM hierarchy must have a Management Point to enable client communication. The Management Point is the primary point of contact between Configuration Manager clients and the site server. Management Points provide clients with installation prerequisites, configuration details, deployments and software distribution package source file locations. Additionally, Management Points receive inventory data, software metering information and state messages from clients.
Multiple Management Points are used to load-balance traffic and to let clients continue receiving policy after a Management Point failure. Read about SCCM high-availability options in this Technet article.
Prior to SCCM 2012 R2 SP1, it was not possible to assign clients directly to a specific Management Point. It is now possible using the Preferred Management Point feature. If you don't have SCCM 2012 R2 SP1 yet, be advised that adding a new Management Point in a remote office won't automatically make your clients communicate with that particular MP. Read about how clients choose their Management Point in this Technet article.
Since the MP hands out policy to every client, prefer HTTPS for it where your PKI allows: an HTTP Management Point lets clients register and retrieve policy without a PKI-issued client certificate.
The Management Point is a site-wide option. It's supported to install this role on a stand-alone Primary site, child Primary site or Secondary site. It's not supported to install a Management Point on a Central Administration site.
By default, when you install a Secondary site, a Management Point is installed on the Secondary site server. Secondary sites do not support more than one Management Point, and this Management Point cannot support mobile devices that are enrolled by Configuration Manager.
Features:
IIS Configuration:
Application Development
ISAPI Extensions
Security
Windows Authentication
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
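As an added example (not code from the guide), the following PowerShell installs and verifies the IIS items listed above on a Windows Server 2012 / 2012 R2 machine before the Management Point role is added. It covers only the IIS Configuration list; any Windows features from the role's Features list are added the same way. The feature identifiers are the Server Manager names for those items.

```powershell
# Added example: install and verify the IIS prerequisites listed above for a
# Management Point. Run in an elevated PowerShell on the future MP.
Import-Module ServerManager

$mpFeatures = @(
    'Web-Server',        # IIS itself
    'Web-ISAPI-Ext',     # Application Development > ISAPI Extensions
    'Web-Windows-Auth',  # Security > Windows Authentication
    'Web-Mgmt-Compat',   # IIS 6 Management Compatibility
    'Web-Metabase',      # IIS 6 Metabase Compatibility
    'Web-WMI'            # IIS 6 WMI Compatibility
)

# Install only what is missing; -IncludeManagementTools adds the IIS console.
$missing = Get-WindowsFeature -Name $mpFeatures | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Restart the server before adding the role.' }
}

# Verify: every feature must report Installed, otherwise the role setup fails
# or the MP stays unhealthy after installation.
$state = Get-WindowsFeature -Name $mpFeatures | Select-Object Name, Installed
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Installed }) {
    throw 'Management Point IIS prerequisites are incomplete.'
}
```

Run it once before adding the role and once more after any restart it asks for; the final check is what you want green before opening the Add Site System Roles wizard.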
Navigate to Administration / Site Configuration / Servers and Site System Roles
Click Next
This role can be installed on a remote machine, the process is the same but the logs location is different.
Before you can install the Reporting Services Point role you must configure SQL correctly.
We'll be using SQL 2012 in this post; the steps are the same on SQL 2014. We are assuming that SQL is already installed and that your SCCM site is up and healthy.
During the initial SQL installation, you must select Reporting Services.
If you have installed SQL Server, but have not installed Reporting Services follow the following steps. If Reporting Services is
already installed, skip to the Configure Reporting Services section.
At the Reporting Services Configuration page
Before configuring the Reporting Services Point, some configuration needs to be done on the SQL side: the SSRS instance must have its report server database and web service URL configured so that SCCM can connect to it and store its reports.
If you installed Reporting Services during the installation of the SQL Server instance, SSRS will be configured automatically for
you. If you install SSRS later, then you will have to go back and configure it as a subsequent step.
To configure, open Reporting Services Configuration Manager
Click Apply
Navigate to Administration / Site Configuration / Servers and Site System Roles
On the General tab, click Next
On the Proxy tab, click Next
Click Verify
Click Next
Using the simple recovery model improves performance and keeps the transaction log from growing large on the server's hard drive. The trade-off is that the log is truncated at each checkpoint, so point-in-time restore of that database is no longer possible; make sure your backup plan does not rely on log backups for it.
Click OK
Logs
Check the following logs for Reporting Services Point installation status. Both logs are under the SCCM logs location.
Srsrpsetup.log
Srsrpmsi.log
If your Reporting Services Point is installed on a remote server, look for the logs in:
Drive:\SMS\Logs\
SCCM Console
Web Browser
If everything went well, you’ll have a folder Config_SiteCode containing your reports
SQL
If you check your SQL instance, you'll see the two new databases created by the Reporting Services configuration (ReportServer and ReportServerTempDB by default).
The SUP integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients.
This is not a mandatory site system, but you need to install a SUP if you're planning to use SCCM as your patch management platform.
SCCM 2012 SP1 (and thus R2) integrates new features into the Software Update Point that are well documented in this Technet article.
This site system is a site-wide option. It's supported to install this role on a Central Administration Site, child Primary Site, stand-alone Primary Site and Secondary Site.
When your hierarchy contains a Central Administration Site, install a SUP and synchronize it with Windows Server Update Services (WSUS) before you install a SUP at any child Primary Site.
Perform the following on the server that will host the SUP role.
Open Server Manager / Add Roles and Features
Select WSUS Services and Database, click Next
Launch Windows Server Update Services from the Start Menu. You will be prompted with the following window:
On the DB instance, enter your server name
Change the database owner to sa. Owning SUSDB with the built-in sa login rather than the installing administrator avoids an orphaned owner later when that admin account is removed; it does not require the sa login to be enabled.
Navigate to Administration / Site Configuration / Servers and Site System Roles
On the Synchronization Schedule tab, check the Enable synchronization on a schedule check box and select your desired schedule. 1 day is usually enough, but it can be lowered if you're synchronizing Endpoint Protection definition files. Click Next
On the Supersedence Rules tab, select Immediately expire a superseded software update, click Next
Full description in this Microsoft Support article
On the Products tab, select the products that you want to manage using SCCM, click Next
ConfigMgrSetup\Logs\SUPSetup.log -Provides information about the software update point installation. When the
software update point installation completes, Installation was successful is written to this log file
ConfigMgrSetup\Logs\WCM.log – Provides information about the software update point configuration and
connecting to the WSUS server for subscribed update categories, classifications, and languages
ConfigMgrSetup\Logs\WSUSCtrl.log – Provides information about the configuration, database connectivity, and
health of the WSUS server for the site
ConfigMgrSetup\Logs\Wsyncmgr.log – Provides information about the software updates synchronization process
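The logs listed above (and the FSP's fspmgr.log, the Reporting Services Point's srsrpsetup.log and the other site logs) all share the CMTrace format. The following PowerShell is an added example, not from the guide, that parses that format and lists warnings and errors per component so that a failed SUP or FSP setup stands out without opening each file in CMTrace. The sample entries in the block are constructed for the example, and the log folder path in the usage line is an assumption about where the site is installed.

```powershell
# Added example: parse CMTrace-format site logs and list warnings/errors.
# Entry layout: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="X" context="" type="N" thread="T" file="F">
# type 1 = informational, 2 = warning, 3 = error
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = $Matches['time']
                Component = $Matches['comp']
                Severity  = $severity[$Matches['type']]
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-CMLogProblems {
    # Scan the named logs under the site's Logs folder and keep only warnings and errors.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$LogName = @('fspmgr.log', 'SUPSetup.log', 'WCM.log', 'WSUSCtrl.log', 'wsyncmgr.log')
    )
    Get-ChildItem -Path $Path -Include $LogName -Recurse |
        ForEach-Object { ConvertFrom-CMTraceLog -Line (Get-Content -Path $_.FullName) } |
        Where-Object { $_.Severity -ne 'Info' } |
        Sort-Object Date, Time
}

# Constructed sample entries (not real log output) showing one info, one error, one warning:
$sample = @(
    '<![LOG[Sync succeeded. Setting sync alert to canceled state on site MTL]LOG]!><time="02:10:05.123+300" date="01-15-2016" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4120" file="wsyncmgr.cpp:1220">',
    '<![LOG[Failed to set Subscriptions on the WSUS Server. Error:(-2147467259)]LOG]!><time="02:15:33.456+300" date="01-15-2016" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="3" thread="4120" file="wsuscategoryconfiguration.cpp:360">',
    '<![LOG[Remote configuration failed on WSUS Server.]LOG]!><time="02:15:33.789+300" date="01-15-2016" component="SMS_WSUS_CONFIGURATION_MANAGER" context="" type="2" thread="4120" file="wsusconfigmanager.cpp:1410">'
)
ConvertFrom-CMTraceLog -Line $sample |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Time, Component, Severity, Message -AutoSize

# Against a live site server (path is an assumption):
# Get-CMLogProblems -Path 'D:\Program Files\Microsoft Configuration Manager\Logs'
```

Run against the sample, the table shows the error and the warning from SMS_WSUS_CONFIGURATION_MANAGER and drops the informational sync line; pointed at a real Logs folder it gives you the same view across every log named in -LogName.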
Bonus link: I suggest that you read the excellent article written by Kent Agerlund on how to avoid what he calls the House of Cards.
This section will describe how to install a State Migration Point (SMP).
The State Migration Point stores user state data when a computer is migrated to a new operating system.
This is not a mandatory site system, but you need a State Migration Point if you plan to use the User State steps in your task sequence. These steps integrate with the User State Migration Tool (USMT) to back up your user data before applying a new operating system to a computer.
The State Migration Point is a site-wide option. It's supported to install this role on a child Primary Site, stand-alone Primary Site or Secondary Site. It's not supported to install it on a Central Administration site.
Beginning with SCCM 2012 R2, the State Migration Point can be installed on the site server computer or on a remote computer. It can be co-located on a server that has the Distribution Point role.
The captured state is a copy of users' profiles and documents, so treat the SMP's storage folder as sensitive data: keep it off Internet-facing servers and configure the role's deletion policy so captured state is removed once it has been restored.
Open the SCCM console
To store the user state data on a State Migration Point, you must create a package that contains the USMT source files. This
package is specified when you add the Capture User State step to your task sequence.
On your SCCM server where you installed the Windows Assessment and Deployment Kit (ADK), browse to: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool
Go to Software Library / Application Management / Packages
Click Next
On the Program Type tab, select Do not create a program and click Next
The State Migration Point and the USMT package are now ready for use in an OSD Task Sequence using the Capture User
State and Restore User State steps.
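The package creation above can also be scripted with the Configuration Manager PowerShell module that ships with the console. The block below is an added example, not the guide's own steps; the site code MTL, the share \\sccm01\Sources\USMT\8.1 and the distribution point name sccm01.corp.local are assumptions for the example.

```powershell
# Added example: create the USMT source package (no program) and distribute it.
# Assumptions: site code MTL, a package source share on sccm01, DP sccm01.corp.local,
# and ADK 8.1 installed on the machine running this script.
$siteCode   = 'MTL'
$sourcePath = '\\sccm01\Sources\USMT\8.1'   # UNC: the site server, not the console, reads it
$dpName     = 'sccm01.corp.local'
$adkUsmt    = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool'

# Copy the USMT binaries (amd64/x86 folders) from the ADK to the package source share.
if (-not (Test-Path -Path $sourcePath)) { New-Item -ItemType Directory -Path $sourcePath | Out-Null }
Copy-Item -Path (Join-Path $adkUsmt '*') -Destination $sourcePath -Recurse -Force

# Load the ConfigMgr module from the console install path and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($siteCode):"

# New-CMPackage creates the package without a program, which is exactly what the
# Capture User State / Restore User State steps expect (they only need the source files).
$pkg = Get-CMPackage -Name 'USMT 8.1' -ErrorAction SilentlyContinue
if (-not $pkg) {
    $pkg = New-CMPackage -Name 'USMT 8.1' -Path $sourcePath -Description 'User State Migration Tool (ADK 8.1)'
}

# Distribute it: the task sequence cannot use the package until it is on a DP.
Start-CMContentDistribution -PackageId $pkg.PackageID -DistributionPointName $dpName
Get-CMPackage -Id $pkg.PackageID | Select-Object Name, PackageID, PkgSourcePath
```

The share should be readable by the site server's computer account only; it is the source of binaries that will later run with SYSTEM rights inside the task sequence, so do not leave it writable to everyone.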
This section will describe how to install a System Health Validator Point (SHVP).
The System Health Validator Point validates Configuration Manager Network Access Protection (NAP) policies.
This is not a mandatory site system, but you need a System Health Validator Point if you plan to use NAP evaluation in your software update deployments. This site system integrates with an existing NAP server in your infrastructure. Note that NAP is deprecated in Windows Server 2012 R2 and the System Health Validator Point is removed from SCCM 1511, so only plan on it in a 2012 hierarchy.
The System Health Validator Point is a hierarchy-wide option. It's supported to install this role on a Central Administration site, stand-alone Primary site or child Primary site. It's not supported to install it on a Secondary site. The System Health Validator Point must be installed on a NAP health policy server.
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
In order to enable Network Access Protection on your clients, you must configure your client settings:
Open the SCCM console
Browse to Administration / Client Settings
In case you’re used to NAP in SCCM 2007 and looking for a Network Access Protection node in the console, the 2012 version
of NAP is slightly different.
From Technet : The New Policies Wizard is no longer available to create a NAP policy for software updates: The Network Access
Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center
2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP
Evaluation tab in software update properties.
This section will describe how to install the Windows Intune Connector (WIC) role. In SCCM 1511 this role has been replaced by the Service Connection Point.
The WIC is used to send settings and software deployment information to Microsoft Intune and to retrieve inventory messages from mobile devices. The Intune service acts as a gateway that communicates with mobile devices. This role is mandatory if you're planning to manage mobile devices using SCCM with Intune integration.
Important: Before you can add the WIC, you must create a Windows Intune subscription and add it to SCCM.
The WIC is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy, and only at the top-level site. Install it on your Central Administration Site or stand-alone Primary Site depending on your design.
Go to Administration / Site Configuration / Servers and Site System Roles
Sitecomp.log – Information about role installation and that the Windows Intune connector was created successfully
The Service Connection Point is a site system role that serves several important functions for the hierarchy.
Manage mobile devices with Microsoft Intune – This role replaces the Microsoft Intune connector used by previous versions of SCCM, and can be configured with your Intune subscription details.
Manage mobile devices with on-premises MDM – This role provides support for on-premises devices you manage that do not connect to the Internet.
Upload usage data from your Configuration Manager infrastructure – You can control the level or amount of detail you upload.
Download updates that apply to your Configuration Manager infrastructure – Only relevant updates for your infrastructure are made available, based on the usage data you upload.
The site system role can only be installed at the top-tier site of your hierarchy (a Central Administration Site or the stand-alone Primary Site). It is the one role that talks to Microsoft's cloud service, so plan its outbound access deliberately: it can run in online mode (direct or proxied HTTPS access) or in offline mode, where you transfer the usage data and updates manually with the service connection tool.
The SCCM installation wizard will ask to install the Service Connection Point. If you chose to skip the role installation, you can manually add it to SCCM using the following steps.
Go to Administration / Site Configuration / Servers and Site System Roles
ConnectorSetup.log – Information about role installation and that the Service Connection Point was created
successfully
Some accounts need to be entered in the console before installing clients and deploying operating systems. You can refer to section 5.4 where we created those accounts. Keep each of them to the least privilege its job requires: the client push installation account needs local administrator rights on the computers it installs to and nothing more, and the network access account only needs read access to distribution point content. Treat both as high-value credentials and do not reuse a domain admin account for them.
From Technet :
In System Center 2012 Configuration Manager, a boundary is a network location on the intranet that can contain one or more
devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range,
and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or
more boundary groups. Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find
an assigned site and locate content when they have to install software, such as applications, software updates, and operating
system images.
A boundary does not by itself enable clients to be managed at the network location. To manage a client, the boundary must be a member of a boundary group: boundaries on their own do nothing, they must be added to one or more boundary groups in order to work.
A boundary group is self-explanatory: it's a group of boundaries used for site assignment and for content location.
Beginning with SCCM 2012 R2 SP1, a boundary group can direct your clients to their Distribution Points for content, State Migration Point and Preferred Management Point. Prior to R2 SP1, content location is used by clients to identify available Distribution Points or State Migration Points based on the client network location.
To summarize: boundaries describe network locations, and boundary groups give them a purpose (site assignment, content location, or both).
If you're unsure of which type of boundary to use, you can read Jason Sandys' excellent post about why you shouldn't use IP subnet boundaries.
When designing your boundary strategy, we recommend you use boundaries that are based on Active Directory sites before using other boundary types. Where boundaries based on Active Directory sites are not an option, use IP subnet or IPv6 prefix boundaries. If none of these options are available to you, then leverage IP address range boundaries. This is because the site evaluates boundary members periodically, and the query required to assess members of an IP address range requires substantially more SQL Server resources than queries that assess members of other boundary types.
It's also recommended to split your Site Assignment and Content Location boundary groups. Site assignment boundaries must not overlap between primary sites: a client whose location falls in two site assignment groups with different site codes will be assigned unpredictably. Overlapping boundaries are fine, and usual, for content location.
When a client requests content and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all Distribution Points that have the content.
This behavior enables the client to select the nearest server from which to transfer the content or state migration information.
In our various SCCM installations, our clients are often confused about this topic. Let's use an example to help you understand: four locations (Montreal, New York, Chicago and Los Angeles), each represented by an Active Directory Site boundary named after the location, with the Primary Site in Montreal and a local Distribution Point at each of the four locations.
Go to Administration / Hierarchy Configuration / Boundaries
Now, we'll create a Site Assignment boundary group and add all those AD Site boundaries. That way, all clients at my 4 locations will be assigned to my Montreal Primary Site.
For content location, we want clients to get their content locally at their respective location. We will create 4 content boundary groups, add only their AD Site boundary and assign their local Distribution Point.
Go to Administration / Hierarchy Configuration / Boundary Groups
Right-click Boundary Groups and select Create Boundary Group
Click OK
Right-click Boundary Groups and select Create Boundary Group
Click Add
Click OK
Repeat the steps for the other sites (New York, Chicago, Los Angeles).
Once completed, our clients are assigned to their respective local site systems.
This is a simple but typical scenario. You can have multiple boundaries and site systems in your boundary groups if needed.
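The same four-location design, built with the Configuration Manager PowerShell module (2012 R2 SP1 / 1511 cmdlet names), as an added example that is not part of the guide. The site code MTL, the site server sccm01.corp.local, the distribution point names dp-<city>.corp.local and AD site names equal to the city names are assumptions.

```powershell
# Added example: one site assignment group for all locations, one content group per
# location. Assumptions: site code MTL, DP on the site server in Montreal, a DP named
# dp-<city>.corp.local elsewhere, and AD site names matching the city names.
$siteCode = 'MTL'
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($siteCode):"

$locations = @{
    'Montreal'    = 'sccm01.corp.local'        # DP role co-located on the site server
    'New York'    = 'dp-newyork.corp.local'
    'Chicago'     = 'dp-chicago.corp.local'
    'Los Angeles' = 'dp-losangeles.corp.local'
}

# 1. One AD Site boundary per location. A boundary alone does nothing until grouped.
foreach ($site in $locations.Keys) {
    if (-not (Get-CMBoundary -BoundaryName $site)) {
        New-CMBoundary -DisplayName $site -Type ADSite -Value $site | Out-Null
    }
}

# 2. A single site assignment group holding every boundary, with MTL as default site.
#    Site assignment boundaries must not overlap between primary sites.
$assignGroup = 'Site Assignment - All locations'
if (-not (Get-CMBoundaryGroup -Name $assignGroup)) { New-CMBoundaryGroup -Name $assignGroup | Out-Null }
Set-CMBoundaryGroup -Name $assignGroup -DefaultSiteCode $siteCode
foreach ($site in $locations.Keys) {
    Add-CMBoundaryToGroup -BoundaryName $site -BoundaryGroupName $assignGroup
}

# 3. One content location group per location: only its own boundary, only its local DP,
#    and no default site code so it never influences site assignment.
foreach ($site in $locations.Keys) {
    $contentGroup = "Content - $site"
    if (-not (Get-CMBoundaryGroup -Name $contentGroup)) { New-CMBoundaryGroup -Name $contentGroup | Out-Null }
    Add-CMBoundaryToGroup -BoundaryName $site -BoundaryGroupName $contentGroup
    Set-CMBoundaryGroup -Name $contentGroup -AddSiteSystemServerName $locations[$site]
}

# Verify: each content group should list one member boundary and one site system.
Get-CMBoundaryGroup -Name 'Content - *' | Select-Object Name, MemberCount, SiteSystemCount
```

Because the site assignment group is the only one with a default site code, a client in Chicago is assigned to MTL through that group and, for content, is offered only dp-chicago.corp.local through its content group; adding a second site code to any content group would reintroduce the overlap the text warns about.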
This section will explain SCCM discovery methods and how to configure them.
SCCM discovery methods identify computer and user resources that you can manage by using Configuration Manager. They can also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the Configuration Manager database.
When discovery of a resource is successful, discovery puts information about the resource in a file that is referred to as a discovery data record (DDR). DDRs are in turn processed by site servers and entered into the Configuration Manager database, where they are then replicated by database replication to all sites. The replication makes discovery data available at each site in the hierarchy, regardless of where it was discovered or processed.
You can use discovery information to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use client push installation to install the Configuration Manager client on devices.
In simple words, SCCM needs to discover devices before it can manage them. It's not mandatory to discover computers: if you manually install the client, it will appear in the console and can be managed. The problem is that with thousands of computers this is a tedious process. By using Active Directory System Discovery, all your computers will be shown in the console, and from there you can choose to install the client using the various SCCM methods. Of course, if you need information about your users and groups, you need to configure User and Group Discovery; it's the only way to bring this information into SCCM.
There are 6 types of discovery methods that can be configured. Each one targets a specific object type (computers, users, groups, Active Directory forests, or network devices):
Discovers computers in your organization from specified locations in Active Directory. In order to push the SCCM client to the computers, the resources must be discovered first. You can specify to discover only computers that have logged on to the domain in a given period of time. This option is useful to exclude obsolete computer accounts from Active Directory, and it also keeps client push from repeatedly presenting the client push account to machines that no longer exist. You also have the option to fetch custom Active Directory attributes. This is useful if your organisation stores custom information in AD.
Go to Administration / Hierarchy Configuration / Discovery Methods
Discovers groups from specified locations in Active Directory. The discovery process discovers local, global or universal security groups. When you configure Group Discovery, you have the option to discover the membership of distribution groups. With Active Directory Group Discovery you can also restrict discovery to computers that have logged on to the domain in a given period of time. Once discovered, you can use group information, for example, to create deployments based on Active Directory groups.
Be careful when configuring this method: if you discover a group that contains a computer object that is NOT within the scope of your Active Directory System Discovery, the computer will be discovered anyway. If automatic client push is enabled, this could lead to unwanted client installations on computers you never intended to manage.
Go to Administration / Hierarchy Configuration / Discovery Methods
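Before enabling System Discovery with client push, it is worth previewing what the configured scope and logon filter would return, and which members of a group to be discovered fall outside that scope (the caveat above). The PowerShell below is an added example, not from the guide; it runs the same kind of LDAP query the discovery methods run. The domain corp.local, the OU=Workstations search base, the 90-day filter and the group name are assumptions.

```powershell
# Added example: preview AD System Discovery scope and find group members outside it.
# Assumptions: domain corp.local, discovery scoped to OU=Workstations, 90-day logon filter.
Import-Module ActiveDirectory

function Get-DiscoveryPreview {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=corp,DC=local',
        [int]$LogonDays = 90
    )
    # lastLogonTimestamp is replicated (unlike lastLogon) but only refreshed every
    # 9-14 days, so the cut-off is approximate; discovery reads the same attribute.
    $cutoff = (Get-Date).AddDays(-$LogonDays).ToFileTime()
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties lastLogonTimestamp, operatingSystem |
        ForEach-Object {
            $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                Name       = $_.Name
                OS         = $_.operatingSystem
                Enabled    = $_.Enabled
                LastLogon  = $last
                # True = SCCM would create a DDR for it with the logon filter enabled
                Discovered = ($_.lastLogonTimestamp -ge $cutoff)
            }
        }
}

function Get-GroupMembersOutsideScope {
    # Computers in the group that System Discovery would not cover, but Group Discovery would.
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$SearchBase = 'OU=Workstations,DC=corp,DC=local'
    )
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'computer' -and $_.distinguishedName -notlike "*,$SearchBase" } |
        Select-Object name, distinguishedName
}

$preview = @(Get-DiscoveryPreview)
$preview | Sort-Object Discovered, LastLogon | Format-Table -AutoSize
$in  = @($preview | Where-Object { $_.Discovered }).Count
$out = $preview.Count - $in
"{0} of {1} computers would be discovered; {2} stale accounts excluded." -f $in, $preview.Count, $out

# Any computer listed here gets a DDR (and a client push attempt, if enabled) purely
# because of its group membership. Group name is an assumption.
Get-GroupMembersOutsideScope -Group 'SCCM Pilot Devices'
```

If the second list is not empty, either widen the System Discovery scope on purpose or remove those computers from the group before turning on automatic client push; that is cheaper than discovering, and pushing an agent to, a server nobody expected SCCM to touch.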
Go to Administration / Hierarchy Configuration / Discovery Methods
Right-click Active Directory User Discovery and select Properties
On the Polling Schedule tab, select the frequency at which you want the discovery to run.
Discovers Active Directory sites and subnets, and creates Configuration Manager boundaries for each site and subnet from the forests which have been configured for discovery. Using this discovery method you can automatically create the Active Directory site or IP subnet boundaries that are within the discovered Active Directory forests. This is very useful if you have multiple AD sites and subnets: instead of creating them manually, use this method to do the job for you.
Go to Administration / Hierarchy Configuration / Discovery Methods
Heartbeat Discovery runs on every client to update its discovery record in the database. The records (discovery data records) are sent to the Management Point at a specified interval. Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.
Go to Administration / Hierarchy Configuration / Discovery Methods
Network Discovery searches your network infrastructure for network devices that have an IP address. It can search domains, SNMP devices and DHCP servers to find the resources. It also discovers devices that might not be found by other discovery methods. This includes printers, routers, and bridges.
We won't go into detail on this discovery method as it's an old, deprecated method. We never saw any customer using it in production.
This section will explain how to create custom SCCM client settings and how to deploy them.
Client settings are used to configure your deployed agents. This is where you decide on configuration such as:
When you modify the Default Client Settings, the settings are applied to all clients in the hierarchy automatically. You do not need to deploy the Default Client Settings to apply them. By default they have a priority value of 10000 (the lowest priority). All other custom client settings can have a priority value of 1 to 9999, which will always override the Default Client Settings (the highest priority is 1).
We won’t explain each client settings and their descriptions. The Technet documentation is pretty clear and many of the client
settings are self-explanatory. We cannot make any recommendation either as each environment has its own needs and
limitations. If you have any questions concerning a specific setting, use the comment section and we’ll try to help you so you
can make the right decision for your organisation.
When you deploy custom client settings, they override the Default Client Settings.
Before you begin, ensure that you have created a collection that contains the devices that require these custom client settings.
For our guide, we will set the client policy polling interval to 15 minutes. The default is 60 minutes; a shorter interval means more frequent policy requests to the Management Point, so keep such settings scoped to the collection that needs them rather than applying them hierarchy-wide.
Go to Administration / Client Settings
When you create new client settings, they automatically take the next available priority (beginning with 1). Before deploying them, make sure that the priority is set correctly for your needs. A higher priority (1) will override any settings with a lower priority.
Now that your client settings are created, you need to deploy them to a collection. These new client settings will apply only to this
Client computers will apply your custom settings when they download their next client policy. You can trigger it manually to
To initiate client policy retrieval by using client notification (Configuration Manager SP1+ only)
It's possible to see which client settings are applied to a specific client. You must use the Resultant Client Settings function in