SCCM - INSTALLATION GUIDE

1. Introduction

2. SCCM 1511 New features

3. Upgrade path

4. Recommendations and requirements

4.1. Hardware Requirements

4.2. OS

4.3. Disks

5. Primary Site server prerequisites

5.1. Active directory schema extension

5.2. Create the System Management Container

5.3. Set security permission

5.4. SCCM Accounts

5.5. Network Configuration

5.6. Firewall Configuration

5.7. No_sms_on_drive.sms

5.8. Windows Server Features

5.9. Roles and features

5.10. Report Viewer

5.11. WSUS Hotfix

5.12. ADK for Windows 10

5.13. Active Directory

5.14. Local Admin accounts

5.15. SCCM Client

5.16. Windows Updates

6. SQL Installation and Configuration

6.1. SQL 2014 Installation

6.2. SPN Creation

6.3. SQL Configuration

6.4. Database Sizing

6.5. Create Database

6.6. Review the Site Database properties

6.7. TempDB sizing

6.8. Review the TempDB properties

6.9. SQL Communications

7. SCCM Installation

7.1. Prerequisite Check

7.2. SCCM Installation

7.3. Cumulative Updates

7.4. CMTrace

7.5. System Center 2012 R2 Configuration Manager Toolkit

7.6. System Center 2012 Configuration Manager Support Center

7.7. Extra

8. Application Catalog web service point

8.1. Role Description

8.2. Site System Role Placement in Hierarchy

8.3. Prerequisites

8.4. Installation

8.5. Verification and Logs files

8.6. URL Redirection

8.7. Client Settings

9. Asset Intelligence Synchronization Point

9.1. Role description

9.2. Site System Role Placement in Hierarchy

9.3. AISP Installation

9.4. Verification

9.5. Enable Inventory Reporting Classes

9.6. Maintenance Tasks

10. Certificate Registration Point

10.1. Role Description

10.2. Prerequisites

10.3. Site System Role Placement in Hierarchy

10.4. CRP Installation

10.5. Verification and Logs files

10.6. Configuration Manager Policy Module

10.7. References

11. Distribution Point

11.1. Pre-Requisites

11.2. Server Configuration

11.3. Local Administrator group

11.4. Roles and Features

11.4.1. Remote Differential Compression

11.4.2. IIS

11.4.3. Windows Deployment Service

11.4.4. BITS

11.4.5. Microsoft Visual C++ 2008 Redistributable

11.4.6. Powershell 3.0

11.4.7. Firewall

11.5. DP site server installation

11.6. Verification

11.6.1. Logs

11.6.2. Windows Explorer

11.6.3. Console

11.7. Replicate content

12. Endpoint Protection Point

12.1. Role Description

12.2. Site System Role Placement in Hierarchy

12.3. Requirements

12.4. Installation

12.5. Software Update Point Configuration

12.6. Verification

13. Enrollment Point and Enrollment Proxy Point

13.1. Role Description

13.2. Site System Role Placement in Hierarchy

13.3. Prerequisites

13.4. Installation

13.5. Verification and Logs files

14. Fallback Status Point

14.1. Role Description

14.2. Site System Role Placement in Hierarchy

14.3. Installation

14.4. Verification and Logs files

14.5. Configure clients

15. Management Point

15.1. Role Description

15.2. Site System Role Placement in Hierarchy

15.3. Prerequisites

15.4. Installation

15.5. Verification and Logs files

16. Reporting Point

16.1. Prerequisites

16.2. Configure Reporting Services

16.3. Installation

16.4. Recovery Model

16.5. Verification

17. Software Update Point

17.1. Role Description

17.2. Site System Role Placement in Hierarchy

17.3. WSUS Installation

17.4. SUP Installation

17.5. Verification

18. State Migration Point

18.1. Role Description

18.2. Site System Role Placement in Hierarchy

18.3. Installation

18.4. Verification and Logs files

18.5. Create the USMT Package

19. System Health Validator Point

19.1. Role Description

19.2. Site System Role Placement in Hierarchy

19.3. Installation

19.4. Verification and Logs files

19.5. Configure Client Settings

20. Windows Intune Connector (2012 only)

20.1. Role Description

20.2. Site System Role Placement in Hierarchy

20.3. Windows Intune Connector Installation

20.4. Verification and Logs files

21. Service Connection Point (1511 only)

21.1. Role Description

21.2. Site System Role Placement in Hierarchy

21.3. Service Connection Point Installation

21.1. Verification and Logs files

22. SCCM Configuration

22.1. Accounts

22.2. Boundaries

22.3. Planning for SCCM 2012 Boundaries and Boundary Groups

22.4. Overlapping Boundaries

22.5. Real World Scenario

22.6. Create Boundary Group

22.7. Create Site Assignement Boundary Group .................................................................................................................................................................... 141

22.8. Create Content Location Boundary Group .................................................................................................................................................................... 142

23. Discovery Methods ..................................................................................................................................................... 144

23.1. Active Directory System Discovery .................................................................................................................................................................................... 144

23.2. Active Directory Group Discovery...................................................................................................................................................................................... 147

23.3. Active Directory User Discovery ......................................................................................................................................................................................... 150


23.4. Active Directory Forest Discovery ...................................................................................................................................................................................... 152

23.5. HeartBeat Discovery ................................................................................................................................................................................................................ 153

23.6. Network Discovery ................................................................................................................................................................................................................... 154

24. Client Settings ............................................................................................................................................................... 154

24.1. How to Create Custom Client Device Settings ............................................................................................................................................................. 155

24.2. Set the Client Settings priority ............................................................................................................................................................................................ 157

24.3. How to deploy ........................................................................................................................................................................................................................... 158

24.4. How to apply .............................................................................................................................................................................................................................. 159

24.5. How to verify .............................................................................................................................................................................................................................. 160


This guide can be used to install SCCM 2012 or SCCM 1511 and later. The requirements and
installation process are practically identical. If a section applies to 1511 only, it will be clearly stated.

The new version of SCCM is out! You may know this version as SCCM Vnext, SCCM 2016 or SCCM 1511. The product group
explained on their blog that the new version will be simply called SCCM.

SCCM installation is not a walk in the park and the product itself can be complex for inexperienced administrators. Our goal is
to bring it a bit further, explaining concepts and best practices rather than just guiding the user through the installation process.

If you're not familiar with SCCM Features, you can visit this Technet article (for 2012) and this Technet article (for 1511) which
covers it all.

If you’re already running SCCM and plan to migrate, stop reading this guide. You do not need to do a complete installation;
see our blog post on how to upgrade instead.

I hope this guide brings all the information you need and that you'll appreciate administering it.

Windows 10

• Windows 10 servicing
• Sideloading apps in Windows 10
• Compliance settings for Windows 10

Infrastructure

• Preferred management points
• Support for Microsoft Azure virtual machines
• Diagnostics and Usage Data
• Service a server cluster
• Support for SQL Server AlwaysOn for highly available databases
• Integration with Windows Update for Business

Console

• Natively manage Office 365 desktop client update
• Deploy Windows Business Store applications
• Support for multiple Automatic Deployment Rules
• Client deployment status in console monitoring
• Schedule and run the WSUS clean up task from the Configuration Manager console
• Updates and servicing
• Client piloting to preproduction
• Software Center

Operating System Deployment

• Windows 10 in-place upgrade task sequence
• Windows PE Peer Cache

Mobile Device Management

• Mobile device management (MDM) feature parity between Intune stand-alone and Configuration Manager
• Mobile Application Management
• Data protection for mobile devices
• On-premises mobile device management (MDM)
• App deployment to Windows 10 devices with on-premises MDM
• Certificate provisioning is supported for Windows 10 devices that you manage using on-premises mobile device management.
• Improved workflow for creating mobile device configuration items
• Bulk enrollment of Windows 10 devices with on-premises MDM
• Wipe and retire for on-premises mobile device management

Depending on your current SCCM version, you have different options:

• If you're not running any version of SCCM in your environment, keep reading, this guide is for you!
• You can do an in-place upgrade instead of a complete installation if you're running one of the following SCCM
versions (Cumulative Updates are not mandatory). Consult our SCCM 1511 upgrade guide to do so.
    o SCCM 2012 SP1
    o SCCM 2012 SP2
    o SCCM 2012 R2
    o SCCM 2012 R2 SP1
• If you're running a Technical Preview on your lab server, completely uninstall it before doing a fresh install. An
upgrade is not supported from a Technical Preview version.
• If you're running SCCM 2007 SP2+, a side-by-side migration is still possible but you must first start with a fresh
install on a separate server.
• If you're running SMS 2003, you seriously need to upgrade your remaining XP computers!

In the first part of this guide about SCCM installation, we will cover hardware requirements, design recommendations and
server prerequisites.

The hardware requirements for a Primary Site server largely depend on the features that are enabled, and how each of the
components is utilized. When the number of clients grows and changes, the server hardware requirements change accordingly.
For the initial deployment, hardware requirements can be estimated for each server by determining:

• The overall need for each component (Will you do Operating System Deployment? How many daily software
deployments? Are inventory and reporting important for your organisation? Will you manage Internet clients?)
• The number of clients planned to be installed
• The load on each of the installed SCCM components

In general, medium environments (a couple of thousand clients) should consider the following recommendations when planning
hardware:

• SCCM and SQL Server communicate constantly. We recommend that the main database and SQL Server be installed
on the Primary site server. This is fully debatable and we understand that some organisations try to standardize their
SQL distribution. Performance is simply better using a local installation when configured properly.
• Neither the SCCM site nor the SQL database should share their disks with other applications.
• Configure the SQL Server databases and logs to run on a different disk than the disk where the SCCM database is
located.

Another issue to consider when determining hardware requirements for a site server is the total amount of data that will be
stored in the database. To estimate the required database size for a single site, an approximate figure of 5Mb to 10Mb per
client is typically used.

In our setup, we will install a single Primary Site that has the role of Management Point, Reporting Point, Distribution Point,
PXE Service Point, State Migration Point, Fallback Status Point and Software Update Point. SQL Reporting Services will be used
to provide consolidated reporting for the hierarchy. This role will also be installed on the SCCM Server. Running reports can
have an impact on server CPU and memory utilization, particularly if large poorly structured queries are executed as part of the
report generation.

Consider placing client-facing roles (Distribution Point, Reporting Point) on a separate server in order to reduce the load on your
Primary server.

Here's our recommended reading about hardware requirements:

SCCM 1511

• Design a hierarchy of sites
• Recommended hardware
• Supported configurations
• Plan for the site database
• Plan for site system servers and site system roles

SCCM 2012

• Planning for Hardware Configurations for Configuration Manager
• Planning for Sites and Hierarchies in Configuration Manager
• Supported Configurations for Configuration Manager
• Determine Whether to Install a Central Administration Site
• System Center 2012 Configuration Manager Hardware used for site roles in Microsoft IT
• Configuration Manager 2012 Sizing considerations

We strongly recommend that you understand SQL Server before installing SCCM. Talk to your DBA and keep a good relationship
with them if you have one in your organisation.

Here's our recommended reading about SQL:

• Storage Top 10 Best Practice
• SQL Server Best Practices Article
• Disk Partition Alignment Best Practices for SQL Server

Make sure that your OS is supported; see the SCCM 2012 or SCCM 1511 Technet Documentation.

For this guide, our servers run Windows 2012 R2 with the latest security patches.

Disk I/O is the most important aspect of SCCM performance. We recommend configuring the disks following SQL best
practices. Split the load across different drives. When formatting SQL drives, the cluster size (block size) in NTFS must be 64KB
instead of the default 4K. See the previous recommended reading to achieve this.

Letter    Content
C:\       Windows
D:\       SCCM
E:\       SQL Database (64K)
F:\       SQL TempDB (64K)
G:\       SQL Transaction Logs (64K), SQL TempDB Logs

Once your hardware is carefully planned, we can now prepare our environment and server before SCCM Installation.

You need to extend the Active Directory Schema only if you didn't have a previous installation of SCCM in your domain. If you
have already installed either 2007 or 2012 in your environment, you can skip this step as it’s probably already done.

Log on to a server with an account that is a member of the Schema Admins security group

From the SCCM ISO, run .\SMSSETUP\BIN\X64\extadsch.exe

Check the schema extension result: open Extadsch.log located in the root of the system drive

SCCM does not automatically create the System Management container in Active Directory Domain Services when the schema
is extended. The container must be created one time for each domain that includes a Configuration Manager primary site
server or secondary site server that publishes site information to Active Directory Domain Services.

Start ADSIEdit, go to the System container and create a new Object

Select Container

Enter System Management

Open the properties of the System Management container created previously

In the Security tab, add the site server computer account and grant the Full Control permissions

Click Advanced, select the site server’s computer account, and then click Edit

In the Applies to list, select This object and all descendant objects

Click OK and close the ADSIEdit console

Create the necessary accounts and groups before installation. You can use different names, but I'll refer to these names
throughout the guide.

Description                                                        Name
SQL server services account                                        SCCM-SQLService
SCCM Network Access Account                                        SCCM-NAA
Domain user account for use with SCCM client push install          SCCM-ClientPush
Domain user account for use with reporting services                SCCM-SQLReporting
Domain account used to join machine to the domain during OSD       SCCM-DomainJoin
Domain group containing all SCCM Admins                            SCCM-Admins
Domain group containing all SCCM servers in the hierarchy          SCCM-SiteServers

Make sure that the server has a fixed IP address and that the Internet connection is up.

Make sure the firewall service is ON.

Run this script in an elevated command prompt in order to open the ports needed for SCCM.

** If you are using custom ports, change the values before running the script. **
@echo ========= SQL Server Ports ===================
@echo Enabling SQLServer default instance port 1433
netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
@echo Enabling Dedicated Admin Connection port 1434
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
@echo Enabling conventional SQL Server Service Broker port 4022
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
@echo Enabling Transact-SQL Debugger/RPC port 135
netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
@echo ========= Analysis Services Ports ==============
@echo Enabling SSAS Default Instance port 2383
netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
@echo Enabling SQL Server Browser Service port 2382
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=TCP localport=2382
@echo ========= Misc Applications ==============
@echo Enabling HTTP port 80
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
@echo Enabling SSL port 443
netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
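@echo Enabling port for SQL Server Browser Service's 'Browse' Button
REM The SQL Server Browser service listens on UDP 1434 (TCP 1434 is already opened above for the Dedicated Admin Connection)
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434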
@echo Allowing Ping command
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
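
The netsh rules above accept traffic from any source address on every firewall profile. As an added example (not part of the original guide), the PowerShell below creates the same openings restricted to the Domain profile and to named source ranges, then lists inbound allow rules on the SQL ports that still accept any remote address. The subnet values and the split between client-facing and server/admin ports are assumptions for the single-server layout used in this guide; adjust them to your network.

```powershell
# Added example, not from the original guide. Requires the NetSecurity module
# (Windows Server 2012 and later) and an elevated PowerShell session.

# Assumptions: constructed placeholder ranges, replace with your own.
$ClientRanges = @('10.0.0.0/8')       # networks where managed clients live
$ServerRanges = @('10.10.50.0/24')    # other site systems and admin workstations

# Same ports as the netsh script, each tied to the sources allowed to reach it.
# SQL Server Browser is opened on UDP 1434, the port that service listens on.
$openings = @(
    @{ Name = 'SQL Server';           Protocol = 'TCP'; Port = 1433; From = $ServerRanges }
    @{ Name = 'SQL Admin Connection'; Protocol = 'TCP'; Port = 1434; From = $ServerRanges }
    @{ Name = 'SQL Service Broker';   Protocol = 'TCP'; Port = 4022; From = $ServerRanges }
    @{ Name = 'SQL Debugger/RPC';     Protocol = 'TCP'; Port = 135;  From = $ServerRanges }
    @{ Name = 'Analysis Services';    Protocol = 'TCP'; Port = 2383; From = $ServerRanges }
    @{ Name = 'SQL Browser (SSAS)';   Protocol = 'TCP'; Port = 2382; From = $ServerRanges }
    @{ Name = 'SQL Browser';          Protocol = 'UDP'; Port = 1434; From = $ServerRanges }
    @{ Name = 'HTTP';                 Protocol = 'TCP'; Port = 80;   From = $ClientRanges + $ServerRanges }
    @{ Name = 'SSL';                  Protocol = 'TCP'; Port = 443;  From = $ClientRanges + $ServerRanges }
)

foreach ($o in $openings) {
    New-NetFirewallRule -DisplayName "SCCM - $($o.Name)" -Direction Inbound -Action Allow `
        -Protocol $o.Protocol -LocalPort $o.Port -Profile Domain `
        -RemoteAddress $o.From | Out-Null
}

# Ping (ICMPv4 echo request), limited to the server/admin ranges.
New-NetFirewallRule -DisplayName 'SCCM - ICMPv4 echo request' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -Profile Domain -RemoteAddress $ServerRanges | Out-Null

# Audit: enabled inbound allow rules on the SQL ports that still accept any source.
$sqlPorts = '1433', '1434', '4022', '2382', '2383'
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    $hit  = @($port.LocalPort) | Where-Object { $sqlPorts -contains $_ }
    if ($hit -and (@($addr.RemoteAddress) -contains 'Any')) {
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Profile = $rule.Profile
            Ports   = $hit -join ','
        }
    }
}
```

If the netsh script was already run, its rules remain in place and the audit will report them; disable or remove them once the scoped rules are confirmed to work.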

Place a file named no_sms_on_drive.sms in the root of each drive you don’t want SCCM to put content on.

On the Primary site server, the following components must be installed before SCCM installation. We’ll install all these
components using a PowerShell script.

• .Net Framework 3.51 SP1
• .Net Framework 4
• IIS
• Remote Differential Compression
• BITS Server Extension
• Windows Server Update Services
• Report Viewer
• ADK for Windows 8.1 (For 2012)
• ADK for Windows 10 (For 1511)

On the Site Server computer, open a PowerShell command prompt as an administrator and type the following commands. This
will install the required features without having to use the Windows 2012 GUI.
Get-Module servermanager
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
Install-WindowsFeature BITS
Install-WindowsFeature RDC
Install-WindowsFeature NET-Framework-Features -source \\yournetwork\yourshare\sxs
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ

Ensure that all components are showing Success as an Exit Code. It’s normal to have Windows Update warnings at this point.
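
Rather than reading each exit code by eye, the prerequisites set up so far can be checked in one pass. The script below is an added example, not part of the original guide; it assumes the drive layout from the disk table earlier (E:, F: and G: for SQL with 64 KB clusters, D: for SCCM content) and that the no_sms_on_drive.sms marker was placed on every other drive.

```powershell
# Added example, not from the original guide. Run elevated on the site server.
Import-Module ServerManager

# Features installed by the Install-WindowsFeature commands above.
$features = 'Web-Windows-Auth', 'Web-ISAPI-Ext', 'Web-Metabase', 'Web-WMI', 'BITS', 'RDC',
            'NET-Framework-Features', 'Web-Asp-Net', 'Web-Asp-Net45',
            'NET-HTTP-Activation', 'NET-Non-HTTP-Activ'

# Assumptions taken from the guide's disk table; adjust to your layout.
$sqlDrives   = 'E:', 'F:', 'G:'          # must be NTFS with 64 KB clusters
$noSmsDrives = 'C:', 'E:', 'F:', 'G:'    # every drive except D: (SCCM content)

$results = @()

# 1. Windows features: every name must be known to the server and installed.
$found = @(Get-WindowsFeature -Name $features)
foreach ($name in $features) {
    $f = $found | Where-Object { $_.Name -eq $name }
    $state = 'not found'
    if ($f) { $state = "$($f.InstallState)" }
    $results += [pscustomobject]@{ Check = "Feature $name"; Ok = [bool]($f -and $f.Installed); Detail = $state }
}

# 2. NTFS allocation unit size on the SQL volumes (64 KB = 65536 bytes).
foreach ($d in $sqlDrives) {
    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$d'"
    $detail = 'volume not found'
    if ($vol) { $detail = "$($vol.FileSystem), $($vol.BlockSize) bytes" }
    $ok = [bool]($vol -and $vol.FileSystem -eq 'NTFS' -and $vol.BlockSize -eq 65536)
    $results += [pscustomobject]@{ Check = "64 KB clusters on $d"; Ok = $ok; Detail = $detail }
}

# 3. Marker file that keeps SCCM content off a drive.
foreach ($d in $noSmsDrives) {
    $marker = "$d\no_sms_on_drive.sms"
    $results += [pscustomobject]@{
        Check  = "no_sms_on_drive.sms on $d"
        Ok     = (Test-Path -LiteralPath $marker)
        Detail = $marker
    }
}

# 4. Windows Firewall service must be running.
$fw = Get-Service -Name MpsSvc
$results += [pscustomobject]@{ Check = 'Firewall service'; Ok = ($fw.Status -eq 'Running'); Detail = "$($fw.Status)" }

# Full report, then only the failures.
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```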

• Download and install – here

If you’re planning to use Windows 10 Servicing, you need to consider applying this important WSUS update to your
Windows Server. This hotfix is only available for Windows 2012, if you’re running your Software Update Point on
Windows 2008, consider moving your SUP to a Windows 2012 Server.

• ADK 8.1 for SCCM 2012 : Download and install – here
• ADK 10 for SCCM 1511 : Download and install - here

The documented version is ADK 10 but the process is the same for ADK 8.1

Select the default path

Do not join CEIP

Accept the License Agreement

Install the following components

• Deployment Tools
• Windows Pre-installation Environment
• User state Migration tool

• Add the computer account of all your site servers in the SCCM-SiteServers AD group
• Ensure that the group has Full Control on the SYSTEM Container in Active Directory

Add both SCCM computer account and the SCCM Admin account to the local administrator group on the site server.

• SCCM-Admins
• SCCM-SiteServers

If applicable, uninstall previous SCCM client and FEP if present on the server before the installation. If the client is present, the
SCCM Management Point installation could fail.

Run Windows Update and patch your server to the highest level.

Click the following link to see SCCM 2012 and 1511 supported SQL versions. For our post, we will install SQL 2014 locally on
the same server where the Primary Site will be installed.

Execute Setup.exe from the SQL installation media, select New Installation

Review and accept the licence Terms and click Next

Select Enter Product Key and skip the proposed updates

Check Use Microsoft Update to check for updates, click Next

Select SQL Server Feature Installation

Select the Database Engine, Reporting Services and Management Tools features and specify the SQL installation directory.
This is the directory for the program files and shared features

Select Default instance and ensure that your instance is created on the SQL Volume

Set all services to run as the SQL domain account that you created previously and set the services start up type to Automatic

On the Collation tab, set the Database Engine to use SQL_Latin1_General_CP1_CI_AS

In the Server Configuration tab, set the authentication mode to Windows Authentication and in the SQL Server Administrators
add your SCCM Admins group

In the Data Directories tab set your drive letters correctly for your SQL databases, Logs, TempDB, and backup

In Reporting Services Configuration, select Install only

Review your choices and click Install

Installation is in progress

Complete the installation by clicking Close

When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is
automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually
register the SPN for the SQL Server service account.
Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server.
It must use Domain Administrator credentials to run.

Run both commands to create the SPN. Change the server name and account name in each command.

• setspn -S MSSQLSvc/yourservername:1433 yourdomain\SQLSA
• setspn -S MSSQLSvc/yourserver.fullfqdn.com:1433 yourdomain\SQLSA

To verify the domain user SPN is correctly registered, use the Setspn -L command

• setspn -L yourdomain\SQLSA

SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid the warning, we'll
set the SQL Server memory limits to 8GB-12GB (80% of available RAM).

Open SQL Server Management Studio

Right click the top SQL Server instance node

Select Properties

In the Memory tab define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of your
server available RAM. In our case we have 16GB available.

Minimum 8192
Maximum 12288

We always recommend creating the SCCM database before the setup. This is not mandatory; SCCM will create the database
for you during setup but will not create it the optimal way. We strongly recommend watching the The Top Ten Lessons Learned
in Managing SQL session from MMS2013, which covers it all.

We follow the guide made by MVP Kent Agerlund to estimate our DB sizing needs. Visit his blog post and download the
provided Excel file. Input your values in the blue cells and keep it for the next part. We’ll create the DB with those values using
a script in the next section.

For this guide, we've created a Database for 2000 clients, 2 processors, 2 cores and 16GB RAM.

To create the database, you can use Kent's script and input your values (as returned previously in the Excel file) OR use the
following one which is really simple:

The Name value will become your Site Code during the SCCM installation. Be sure to select a unique Site Code.

**Replace all XXX value with your 3 character Site Code**

**Change the values of the Filename, Size, MaxSize and FileGrowth. Change the location of the file to your SQL and Logs
drives**

USE master
CREATE DATABASE CM_XXX
ON
( NAME = CM_XXX_1,FILENAME = 'E:\SCCMDB\CM_XXX_1.mdf',SIZE = 7560, MAXSIZE = Unlimited, FILEGROWTH = 2495)
LOG ON
( NAME = XXX_log, FILENAME = 'G:\SCCMLogs\CM_XXX.ldf', SIZE = 4990, MAXSIZE = 4990, FILEGROWTH = 512)
ALTER DATABASE CM_XXX
ADD FILE ( NAME = CM_XXX_2, FILENAME = 'E:\SCCMDB\CM_XXX_2.mdf', SIZE = 7560, MAXSIZE = Unlimited, FILEGROWTH = 2495)

Open SQL Management Studio

Right click your DB, select Properties

In the General tab, verify that the SQL collation name is SQL_Latin1_General_CP1_CI_AS

In the File tab, verify that your database files have been created with the script values

Verify that the file is located on your SQL Volume

Change the database owner to SA. By default the owner will be the account which created the database.

If you find out that you made an error, you can safely delete the Database using SQL Management Studio and rerun the script.

Open SQL Management Studio

Right click your DB, select Delete

Run the following scripts to size the TempDB. (using the value returned by the Excel file)

**Change the values of Filename, Size, MaxSize and FileGrowth. Change the location of the file to your TempDB drives**

use master
go
alter database tempdb modify file (name='tempdev', filename='F:\SCCMTempDB\tempDB.MDF', SIZE= 4536, MAXSIZE = Unlimited, FILEGROWTH = 512)
go
alter database tempdb modify file (name='templog', filename='G:\SCCMLogs\templog.LDF', SIZE= 2268, MAXSIZE = Unlimited, FILEGROWTH = 512)
go

Open SQL Management Studio

In System Database, Right click the TempDB, select Properties

In the File Tab, verify that your database files have been created with the script values

Ensure that the TempDB and log are on the TempDB volume

To ensure proper SQL communication, verify that settings are set accordingly in SQL Network configuration

Open SQL Server Configuration Manager

Go to SQL Server Network Configuration / Protocols for MSSQLServer

On the Right Pane, right-click TCP/IP and select Properties

In the Protocol tab

• Enable: YES
• Listen All : NO

In the IP Addresses tab

IP1 (which should have your Server IP)

• Active : YES
• Enabled : YES

All other IP and IP ALL

• Active : YES
• Enabled : NO

TCP Dynamic Ports : Blank value

TCP Port : 1433

Once modification has been made, restart the SQL Server Service.

We will now run the prerequisite checker and install a stand-alone Primary site. The installation screenshots are taken from
SCCM 1511. The wizard has 3 more screens than 2012 but the rest is the same.

Before launching the installation, we recommend launching the Prereqchk tool in order to verify that all components are
configured correctly. The installation wizard will also run this check but if you're missing a requirement, you'll have to go
through the whole installation wizard again after fixing it. We prefer to use the standalone tool.

To start the tool:

Open an Administrator command prompt

Browse to .\SMSSETUP\BIN\X64

Run the following command : prereqchk.exe /AdminUI

If you follow the guide correctly you'll have this result :

Refer to this Technet article to see the list of all checks done by the tool.

If you have any warning or error, refer to the previous link in order to resolve it, or go through the prerequisites sections of this
guide.

We are finally ready to launch the setup. First, reboot the server. This will make sure that the machine is not in a Reboot
pending state.

Open the SCCM ISO

Run Splash.hta

Select Install

On the first screen, click Next

On the Getting Started screen, select Install a Configuration Manager Primary Site and click Next

On the Product Key screen, enter it and click Next

On the Microsoft Software License Terms screen, accept the License Terms and click Next

On the Prerequisite Licences screen, accept the License Terms and click Next

On the Prerequisite Downloads screen, specify a location to download the prerequisite file.

This folder can be deleted after setup

On the Server Language Selection screen, select the language you want to display in the SCCM Console and Reports.

You can modify language later by running setup again and selecting the Site Maintenance option

On the Client Language Selection screen, select the Client language to support.

You can modify languages later by running setup again and selecting the Site Maintenance option

On the Site and Installation Settings screen, enter your Site Code.

Use the same Site Code as you specified when creating your Database

Note : Site codes cannot be used more than one time in a Configuration Manager hierarchy for a central administration site or
primary sites. If you reuse a site code, you run the risk of having object ID conflicts in your Configuration Manager hierarchy.
This applies also if you're doing a migration from an earlier version.

Enter your Site Name. This name will appear in the console so choose accordingly

On the Primary Site Installation screen, select Install the primary site as a stand-alone site.

If you have a Central Administration site, this is where you would join the Primary Site to the existing hierarchy
On the Database Information screen

Enter your SQL Server Name. In our case the SQL server is the same box as SCCM

Leave the Instance Blank

Enter your Database name. Once again, this must match the previously created Database in part 2

Leave the Service Broker Port to 4022

On the Database Information screen :

Enter the path to the SQL Server data file. Locate this on the SQL Volume

Enter the path to the SQL Server log file. Locate this on the SQL Logs Volume.

We like to use the same directory where we created our database and logs (E:\SCCMDB, G:\SCCMLogs)

On the SMS Provider Settings screen, leave the SMS Provider to the default value which is the local server. Refer to
the following Technet article to read about the SMS Provider.
On the Client Computer Communication Settings screen, select Configure the communication method on each
site system role. This is where you select to have HTTPS or not on your initial Management Point and Distribution Point. This
setting can be changed later

On the Site System Roles screen :

Check Install a Management Point

Check Install a Distribution Point

We will install both MP and DP on the same box so leave the FQDN as is

The Client connection drop-down is unavailable due to our previous selection
1511 only

On the Usage Data screen, click Next. This new screen basically tells you that you accept sending some telemetry data
to Microsoft

1511 only

On the Service Connection Point screen, click Next. This new role enables your deployment to download updates and new
features

On the Settings Summary screen, review your selection and click Next

Here's our Prerequisite Check screen again. You should have no error since you've run it before setup

The installation is in progress. You can count between 15 and 30 minutes depending on your server specifications.

You can follow the progress by clicking the View Log button or by opening the ConfigMgrSetup.log file on the C:\ drive

Wait until Core setup has completed and close the wizard

After the setup, we recommend installing the latest Cumulative Update.

• There are no cumulative updates for 1511
• For 2012 R2 SP1, the latest Cumulative Update is CU2. Follow our installation guide to apply it

CMTrace will become your best friend when reading log files.

Open the SCCM ISO

Browse to .\SMSSETUP\TOOLS

Click on CMTrace.exe

Click on YES to set it as your default log viewer

Additionally you can read our blog posts:

How to use CMTrace like a Pro Part 1

How to use CMTrace like a Pro Part 2

This toolkit contains fifteen downloadable tools to help you manage and troubleshoot Microsoft System Center 2012 R2
Configuration Manager. The toolkit also supports SCCM 1511.

Download and install it here

System Center 2012 Configuration Manager Support Center helps you to gather information about System Center 2012
Configuration Manager clients so that you can more easily address issues. We have tested this tool on SCCM 1511 and it’s
functional.

Download and install it here

You can also refer to our blog post about Useful Resources to help you begin and learn SCCM.

This section will describe how to install an SCCM Application Catalog web service point and the Application Catalog website
point.

The Application Catalog web service point provides software information to the Application Catalog website from the Software
Library.

The Application Catalog website point provides users with a list of available software.

This is not a mandatory site system but you need both the Application Catalog website point and the Application Catalog web
service point if you want to provide your user with a Self-Service application catalog (web portal).

The Application Catalog web service point and the Application Catalog website point are hierarchy-wide options. It's supported to install those roles on a stand-alone Primary site or child Primary site. It's not supported to install them on a Central Administration site or Secondary site. The Application Catalog web service point must reside in the same forest as the site database.

If you have fewer than 10,000 users in your company, co-locating the Application Catalog web service and Application Catalog website roles on the same server should be OK. The web service role connects directly to the SCCM SQL database, so ensure that the network connectivity between the SQL server and the Application Catalog web service servers is robust.

If you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness
high and user satisfaction up. Use client settings to configure collections of computers to use different Application Catalog
servers.

Read more on how to provide a great application catalog experience to your users in this Technet blog article.

If your clients need HTTPS connections, you must first deploy a web server certificate to the site system. If you need to allow Internet clients to access the application catalog, you also need to deploy a web server certificate to the Management Point configured to support Internet clients. When supporting Internet clients, Microsoft recommends that you install the Application Catalog website point in a perimeter network, and the Application Catalog web service point on the intranet. For more information about certificates, see the following Technet article.

Using Windows Server 2012, the following features must be installed before the role installation:

Application Catalog web service point

Features:

- .NET Framework 3.5 SP1 and 4.0
- WCF activation:
  - HTTP Activation
  - Non-HTTP Activation
- IIS Configuration:
  - ASP.NET (and automatically selected options)
  - IIS 6 Management Compatibility
  - IIS 6 Metabase Compatibility

Application Catalog website point

Features:

- .NET Framework 4.0
- IIS Configuration:
- Common HTTP Features
  - Static Content
  - Default Document
- Application Development
  - ASP.NET (and automatically selected options)
- Security
  - Windows Authentication
- IIS 6 Management Compatibility
  - IIS 6 Metabase Compatibility

For this section we will be installing both roles on our stand-alone Primary site using HTTP connections. If you split the roles between different machines, do the installation section twice, once for the first site system (selecting Application Catalog web service point during role selection) and a second time on the other site system (selecting Application Catalog website point during role selection).

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Right click your Site System and click Add Site System Roles

On the General tab, click Next

On the Proxy tab, click Next

On the Site System Role tab, select Application Catalog web service point and Application Catalog website point, click Next

On the Application Catalog Web Service Point

In the IIS Website and Web application name fields, leave both to the default values

This is just the name that you'll see in IIS after the installation (see next screenshot). It has nothing to do with your user facing portal

Enter the port and protocol that you want to use

On the Application Catalog WebSite Point

In the IIS Website keep the default value

In Web application name, enter the name that you want for your Application Catalog. This is the URL that will be published to your users

Enter the port and protocol that you want to use

On the Application Catalog Customizations tab, enter your organisation name and the desired color for your website

On the Summary tab, review your settings, click Next and complete the wizard

Logs

You can verify the role installation in the following logs:

- ConfigMgrInstallationPath\Logs\SMSAWEBSVCSetup.log and awebsvcMSI.log – Records details about the Application Catalog Web Service Point installation
- ConfigMgrInstallationPath\Logs\SMSPORTALWEBSetup.log and portlwebMSI.log – Records details about the Application Catalog Website Point installation

Status messages

- Open the SCCM Console
- Go to Monitoring / System Status / Component Status
- See status of the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER

Internet Explorer

Verify that the Application Catalog is accessible:

- Open Internet Explorer
- Browse to http://YourServerName/CMApplicationCatalog
- Replace YourServerName with the server name on which you installed the Application Catalog Website Point
- Replace CMApplicationCatalog with the name that you gave your Application Catalog (the default is CMApplicationCatalog)

If everything is set up correctly, you'll see a web page like this:

The default URL to access the Application Catalog is not really intuitive for your users.

It's possible to create a DNS entry to redirect it to something easier (ex: http://ApplicationCatalog)

The following Coretech article describes how to achieve that.

Ensure that the client settings for your clients are set correctly to access the Application Catalog

Open the SCCM Console

Go to Administration / Client Settings

Right-click your client settings and select Properties

On the left pane, select Computer Agent

Click the Set Website button and select your Application Catalog (the name will be automatically populated if your Application Catalog is installed)

Select Yes on both Add Default Application Catalog website to Internet Explorer trusted site zone and Allow Silverlight application to run in elevated trust mode

Enter your organisation name in Organisation name displayed in Software Center

This section will describe the Asset Intelligence Synchronization Point (AISP) installation.

The AISP is used to connect to Microsoft in order to download Asset Intelligence catalog information and upload uncategorized titles. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager.

This is not a mandatory Site System but we recommend installing the AISP if you are planning to use Asset Intelligence. Read our blog post on Why should you use Asset Intelligence in SCCM 2012.

The AISP is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level site. Install it on your Central Administration Site or stand-alone Primary Site depending on your design.

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Right click your Site System and click Add Site System Roles

On the General tab, click Next

On the Proxy tab, enter your Proxy server information if needed and click Next

On the Site System Role Selection tab, select Asset Intelligence Synchronization Point, click Next

On the Certificate page, click Next

By default, the Use this Asset Intelligence Synchronization Point setting is selected and cannot be configured on this page. System Center Online accepts network traffic only over TCP port 443, therefore the SSL port number setting cannot be configured on this page of the wizard

You can specify a path to the System Center Online authentication certificate (.pfx) file. Typically, you do not specify a path for the certificate because the connection certificate is automatically provisioned during site role installation

Specify the desired catalog Synchronization Schedule, click Next

On the Summary tab, review your settings and click Next

Wait for the setup to complete and close the wizard

Logs

AIUSSetup.log – Information about the installation of the Asset Intelligence catalog synchronization point site system role

AIUpdateSvc.log – Information about the Asset Intelligence catalog synchronization service

Aikbmgr.log – Information about the Asset Intelligence catalog manager service

Verify that the role installation is completed in AIUSSetup.log

Open the SCCM console

Navigate to Assets and Compliance / Overview / Asset Intelligence

Verify that the Sync is Enabled and Successful

In order to have inventory data, first ensure that Hardware Inventory is enabled in your Client Settings.

Navigate to Administration / Client Settings

Right-click your Client Settings and choose Properties

On the Hardware Inventory Tab

Ensure that your hardware inventory is Enabled

Once confirmed, enable inventory reporting classes:

Open the SCCM console

Navigate to Assets and Compliance / Asset Intelligence

Right-click Asset Intelligence and select Edit Inventory Classes

Select Enable only the selected Asset Intelligence reporting classes

Select SMS_InstalledSoftware, SMS_ConsoleUsage and SMS_SystemConsoleUser

See the following Technet article to see dependencies between hardware and reporting class

On the warning, click Yes

2 maintenance tasks are available for Asset Intelligence :

Check Application Title with Inventory Information

This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in
the Asset Intelligence catalog.

Summarize Installed Software Data

This maintenance task provides the information that is displayed in the Assets and Compliance workspace. When the task
runs, Configuration Manager gathers a count for all inventoried software titles at the primary site.

To set the maintenance tasks:

Navigate to Administration / Site Configuration / Sites

Select Site Maintenance on the top ribbon

Select the desired schedule for both tasks

This section will describe how to install SCCM R2 Certificate Registration Point (CRP).

Using SCCM and Intune, the CRP communicates with a server that runs the Network Device Enrollment Service (NDES) to
provision device certificate requests.

This is not a mandatory Site System but we recommend installing a CRP if you need to provision client certificates to your devices (like VPN or WIFI).

Before the CRP can be installed, dependencies outside SCCM are required. I won't cover the prerequisite configuration in detail as it is well documented in this Technet article and goes beyond SCCM. Here's an overview of what needs to be done:

- Install the NDES role on a Windows 2012 R2 Server
- Modify the security permissions for the certificate templates that the NDES is using
- Deploy a PKI certificate that supports client authentication
- Locate and export the Root CA certificate that the client authentication certificate chains to
- Increase the IIS default URL size limit
- Modify the request-filtering settings in IIS

On the machine that will receive the CRP role, install the following using Windows server roles and features:

- IIS
- ASP .NET 3.5
- ASP .NET 4.5
- WCF HTTP Activation

If you are installing CRP on a remote machine from the site server, you will need to add the machine account of the site server to the local administrators group on the CRP machine.

The Certificate Registration Point must not be installed on the same server that runs the Network Device Enrollment Service.
It’s supported to install this role on a Central Administration Site, child Primary Site or stand-alone Primary Site but it’s not
supported on a Secondary Site.

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Right click your Site System and click Add Site System Roles

On the General tab, click Next

On the Proxy tab, click Next

On the Site System Role tab, select Certificate Registration Point, click Next

On the Certificate Registration Point Properties, leave the default website name and virtual application name. Take note of your Virtual Application Name, you will need it later.

Click on Add

Enter the URL of your NDES server

This URL will be part of the profile sent to the devices. The devices will need to access this URL from the internet

Example: https://ndes.systemcenterdudes.com/certsrv/mscep/mscep.dll

Enter the path to your exported Root CA Certificate (.cer file)

Once completed, click on Next, review the Summary and close the wizard

- ConfigMgrInstallationPath\Logs\crpmsi.log – Detailed CRP Installation status

Using a browser, verify that you can connect to the URL of the certificate registration point, for example https://crp.systemcenterdudes.com/CMCertificateRegistration

HTTP Error 403 is ok. If you have a 404 error or 500 error, look at the log files before continuing

- After the CRP is installed, the system will export the certificate that will be used for the NDES plugin to the certmgr.box folder. It may take up to 1 hour to appear.
- Save this .cer file on the NDES server as we will need it in the next section.

Now that the Certificate Registration Point has been installed, we must install a plug-in on the NDES server to establish the connection with SCCM.

On the server that runs the Network Device Enrollment Service:

- Copy the \SMSSETUP\POLICYMODULE\X64 folder from the Configuration Manager installation media to a temporary folder
- From the temporary folder, run PolicyModuleSetup.exe
- Click Next, accept the license terms and click Next
- On the Installation Folder page, accept the default installation folder and click Next
- On the Certificate Registration Point page, specify the URL of the Certificate Registration Point. This is the Virtual Application Name created during the SCCM role installation (Example: https://crp.systemcenterdudes.com/CMCertificateRegistration)
- Accept the default port of 443, click Next
- On the Client Certificate for the Policy Module page, browse to and specify the client authentication certificate. This is the same certificate you used in the CRP Installation wizard in SCCM
- On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file (the one exported from \inboxes\certmgr.box)
- Click Next and complete the wizard
- Open the registry editor and browse to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
- Make sure that the values of EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate match the names of the template on your CA
- Open Internet Explorer on the NDES server and browse to https://ndes.systemcenterdudes.com/certsrv/mscep/mscep.dll. You will no longer see the web page; instead you should see an error 403, which is expected
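The two browser checks and the registry check above can be scripted so they are repeatable after every certificate or template change. This is an added example, not part of the original guide; the URLs and the template name are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example, not from the guide. URLs and template names are constructed placeholders.
$CrpUrl      = 'https://crp.example.com/CMCertificateRegistration'
$NdesUrl     = 'https://ndes.example.com/certsrv/mscep/mscep.dll'
$CaTemplates = @('ExampleNdesTemplate')   # template names as they exist on your CA

function Get-HttpStatus {
    # Returns the HTTP status code, including error codes such as 403.
    param([Parameter(Mandatory = $true)][uri]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        $errorResponse = $_.Exception.Response
        # No response object means DNS, TCP or TLS trust failed before HTTP was spoken;
        # surface that error instead of hiding it behind a status code.
        if ($null -eq $errorResponse) { throw }
        return [int]$errorResponse.StatusCode
    }
}

function Test-ExpectedForbidden {
    # Applies the guide's rule: 403 is the healthy answer, 404 and 500 mean "read the logs".
    param(
        [Parameter(Mandatory = $true)][uri]$Url,
        [string]$LogHint = 'the role installation logs'
    )
    $code = Get-HttpStatus -Url $Url
    $verdict = switch ($code) {
        403     { 'OK: 403 is the expected answer' }
        404     { "FAIL: 404, check $LogHint before continuing" }
        500     { "FAIL: 500, check $LogHint before continuing" }
        default { "REVIEW: unexpected status $code" }
    }
    [pscustomobject]@{ Url = $Url.AbsoluteUri; Status = $code; Verdict = $verdict }
}

function Test-NdesTemplateValue {
    # Run on the NDES server: compares the three MSCEP values with the CA's template names.
    param([Parameter(Mandatory = $true)][string[]]$CaTemplateName)
    $key    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $values = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($name in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
        [pscustomobject]@{
            Value      = $name
            Configured = $values.$name
            OnCa       = ($CaTemplateName -contains $values.$name)
        }
    }
}

Test-ExpectedForbidden -Url $CrpUrl -LogHint 'crpmsi.log'
Test-ExpectedForbidden -Url $NdesUrl
Test-NdesTemplateValue -CaTemplateName $CaTemplates
```

A status of 200 on the NDES URL is reported as REVIEW because, once the plug-in is active, the guide expects the enrollment page to be replaced by a 403.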

Once all the above has been configured and verified, you are ready to create your certificate profile in SCCM.

Here are my favorite articles covering the subject:

- Technet Article
- Configuration Team Blog article
- Pieter Wigleven's installation (Technical Solution Professional at Microsoft)
- Peter van der Woude's key configuration steps

This section explains how to add a new distribution point to an existing SCCM infrastructure. This procedure is for a server operating system (2003, 2008 or 2012). A client OS (7/8) is also supported, but it does not support PXE and Multicast.

Several distribution points can provide better access to available software, updates, and operating systems. A local DP also prevents installation through the WAN for remote offices.

- Functional SCCM 2012 hierarchy
- SCCM 2012 Admin console access
- RDP access on the DP server
- The required level of security in the SCCM console

To prevent packages from replicating to the wrong drive:

- Log on locally to the target machine with remote desktop
- Create an empty file called NO_SMS_ON_DRIVE.SMS on the root of each drive where SCCM should NOT write (if any)

On the DP, add a group that contains your site system computer account in the Administrators group.

I like to create an SCCM AD system group that contains all my distribution points.

Open Server Manager

Expand Local Users and Groups

Click on Groups

Double-click on Administrators

Add the security groups that contain the SCCM Primary Server computer account in the Administrators group

Configuration Manager requires some roles and features to be installed on the server prior to the DP installation.

11.4.1. Remote Differential Compression

Open Server Manager, on the Features node, start the Add Features Wizard

On the Select Features page, select Remote Differential Compression

11.4.2. IIS

IIS needs to be installed on the server but it will automatically be installed using the site installation wizard.

11.4.3. Windows Deployment Service

For Windows Server 2008, 2008 R2, 2012 and 2012R2, WDS is installed and configured automatically when you
configure a distribution point to support PXE or Multicast. For Windows Server 2003, you must install and configure
WDS manually.

11.4.4. BITS

With System Center 2012 Configuration Manager, the distribution point site system role does not require Background Intelligent Transfer Service (BITS). When BITS is configured on the distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS.

11.4.5. Microsoft Visual C++ 2008 Redistributable


You can run the Microsoft Visual C++ 2008 Redistributable Setup from the Configuration Manager installation at:
<ConfigMgrInstallationFolder>\Client\x64\vcredist_x64.exe

For Configuration Manager SP1+, vcredist_x64.exe is installed automatically when you configure a distribution point
to support PXE.

11.4.6. PowerShell 3.0

For Windows 2012 only, you need to enable PowerShell 3.0 (or later) before installing the distribution point.

11.4.7. Firewall

Ensure that your firewall is configured correctly. 2 ports need to be opened.

Description                   UDP   TCP
Server Message Block (SMB)    --    445
RPC Endpoint Mapper           135   135

Reboot your server to avoid the case where it is in a reboot pending state, which would result in an unexpected reboot during distribution point installation.
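The drive marker, firewall and pending-reboot preparation steps above can be checked with a short pre-flight script before the role is added. This is an added example, not part of the original guide; the server name is a constructed placeholder, the function names are hypothetical, and the registry locations are the commonly used pending-reboot indicators rather than a list of what SCCM itself inspects (an assumption).

```powershell
# Added example, not from the guide. 'dp01.example.com' is a constructed placeholder.

function Add-NoSmsMarker {
    # Run on the DP: creates the empty NO_SMS_ON_DRIVE.SMS marker on each listed drive.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$DriveLetter)
    foreach ($d in $DriveLetter) {
        $path = '{0}:\NO_SMS_ON_DRIVE.SMS' -f $d.TrimEnd(':', '\')
        if (Test-Path -LiteralPath $path) { continue }   # already protected
        if ($PSCmdlet.ShouldProcess($path, 'Create empty marker file')) {
            New-Item -Path $path -ItemType File | Out-Null
        }
    }
}

function Test-PendingReboot {
    # Run on the DP: returns the reasons a reboot is pending (empty result = none found).
    # These are common indicators; treating them as sufficient is an assumption.
    $reasons = @()
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing'
    }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update'
    }
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($null -ne $sessionManager) { $reasons += 'Pending file rename operations' }
    return $reasons
}

function Test-DpTcpPort {
    # Run from the site server: checks the TCP ports from the firewall table (SMB 445, RPC 135).
    # UDP 135 cannot be verified with a TCP connect and is not covered here.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int[]]$Port = @(445, 135),
        [int]$TimeoutMs = 3000
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $open = $client.ConnectAsync($ComputerName, $p).Wait($TimeoutMs)
        } catch {
            $open = $false   # refused, unreachable or name not resolved
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $p; Open = $open }
    }
}

# On the DP: protect the system drive (remove -WhatIf to create the file), then check reboot state.
Add-NoSmsMarker -DriveLetter 'C' -WhatIf
$pending = Test-PendingReboot
if ($pending) { Write-Warning ("Reboot before adding the DP role: " + ($pending -join ', ')) }

# From the site server: confirm the firewall lets SMB and the RPC endpoint mapper through.
Test-DpTcpPort -ComputerName 'dp01.example.com'
```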

Now that the Distribution point server is ready to receive a new role, we need to add the server to the site server list.

In the Configuration Manager console, click Administration

In the Administration workspace, expand Site Configuration, and then right click Servers and Site System Roles

Select Create Site System Server. The Create Site System Server Wizard opens

On the General page, specify the general settings for the site system server

Select the Site Code

Click Next

Do not specify a proxy server

Select Distribution point in the role selection screen

Check Install and configure IIS if required by Configuration Manager

Add a description if needed

Select HTTP

Select Create self-signed certificate

Set drive configuration to your needs

This is where the SCCMContentLib will be created. Select a drive with enough storage space.

We do not need our DP to be a Pull DP, so do not enable the check box

As we are not deploying this DP for OSD, do not enable PXE support

As we are not deploying this DP for OSD, do not enable multicast

Configure content validation to a schedule that fits your environment.

I suggest scheduling it during non-business hours, since this task can consume resources on your server.

Add the boundary group of the site you're deploying

Uncheck the Allow fallback source location for content

Review the summary page and complete the installation

WARNING: Your remote server may reboot if there's a missing requirement

At this point, the major part of installing a distribution point server is completed.

11.6.1. Logs

You can track the installation progress in 2 logs:

- Distmgr.log on the site server
- Smsdpprov.log on the distribution point (InstallationDrive\SMS_DP$\SMS\Logs)

11.6.2. Windows Explorer

Once the process starts, you will see the SCCM file structure created on the distribution point.

11.6.3. Console

You can also track the installation progress in the SCCM console under Monitoring / Distribution Status / Distribution Point Configuration Status

Click on your DP

Click the Detail tab on the bottom

Check for a green check mark on all components

Note: Error on the IIS Virtual directory is normal at the start of the process. SCCM checks whether IIS is installed at the start of the process, even if you tell SCCM to enable IIS for you. That results in errors, but be patient and the installation should succeed anyway.

Verify the status of your new DP in Administration / System Status / Site Status

You can now replicate your content to your newly created DP. Replicate manually or add your DP to an existing DP group.

Replicate a package or Application to your newly created site system

Verify that the content is well replicated in the SCCM Console

The Endpoint Protection Point provides the default settings for all antimalware policies and installs the Endpoint Protection
client on the Site System server to provide a data source from which the SCCM database resolves malware IDs to names. When
you install this Site System Role, you must accept the license terms for System Center 2012 R2 Endpoint Protection.

This is not a mandatory Site System but you need to install an EPP if you're planning to use SCCM as your anti-virus management solution (using Endpoint Protection).

This Site System is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy. It's supported to install this role on a Central Administration Site or stand-alone Primary Site.

Before installing the EP role, you must have a Software Update Point installed and configured.

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Right click your Site System and click Add Site System Roles

On the General tab, click Next

On the Proxy tab, click Next

On the Site System Role tab, select Endpoint Protection Point, click Next

Accept the License Terms and click Next

Select Do not join MAPS, click Next

On the Summary tab, review your settings and click Next

Wait for the setup to complete and click Close

After the installation, you must add Endpoint Protection definition files in your Software Update Point.

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Click the Configure Site Components button and select Software Update Point

On the Product tabs, check Forefront Endpoint Protection 2010 and click Ok

- ConfigMgrInstallationPath\Logs\EPSetup.log – Detailed EP Installation status
- ConfigMgrInstallationPath\Logs\Wsyncmgr.log – SUP Synchronization status

This section will describe how to install the Enrollment Point and Enrollment Proxy Point site system roles.

The Enrollment Point uses PKI certificates for Configuration Manager to enroll mobile devices, Mac computers and to provision
Intel AMT-based computers.

The Enrollment Proxy Point manages Configuration Manager enrollment requests from mobile devices and Mac computers.

This is not a mandatory site system but you need both Enrollment Point and Enrollment Proxy Point if you want to enroll
legacy mobile devices, Mac computers and to provision Intel AMT-based computers. Since modern mobile devices are
mostly managed using Windows Intune, this post will focus mainly on Mac computers enrollment.

The SCCM 2012 Enrollment Point and Enrollment Proxy Point are site-wide options. It's supported to install those roles on a stand-alone or child Primary site. It's not supported to install them on a Central Administration site or Secondary site.

You must install an SCCM Enrollment Point in the user's forest so that the user can be authenticated if a user enrolls mobile devices by using SCCM and their Active Directory account is in a forest that is untrusted by the site server's forest.

When you support mobile devices on the Internet, as a security best practice, install the Enrollment Proxy Point in a perimeter network and the Enrollment Point on the intranet.

Beginning with System Center 2012 Configuration Manager SP2, the computer that hosts the SCCM 2012 Enrollment Point or Enrollment Proxy Point site system role must have a minimum of 5% of the computer's available memory free to enable the site system role to process requests. When those site system roles are co-located with another site system role that has this same requirement, this memory requirement for the computer does not increase, but remains at a minimum of 5%.

Using Windows Server 2012, the following features must be installed before the role installation:

Enrollment Point

Features:

- .NET Framework 3.5
- .NET Framework 4.5
- HTTP Activation (and automatically selected options)
- ASP.NET 4.5
- Common HTTP Features
- Default Document
- Application Development
- ASP.NET 3.5 (and automatically selected options)
- .NET Extensibility 3.5
- ASP.NET 4.5 (and automatically selected options)
- .NET Extensibility 4.5
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility

Enrollment Proxy Point

Features:

- .NET Framework 3.5
- .NET Framework 4.5
- HTTP Activation (and automatically selected options)
- ASP.NET 4.5

IIS Configuration:

- Common HTTP Features
- Default Document
- Static Content
- Application Development
- ASP.NET 3.5 (and automatically selected options)
- ASP.NET 4.5 (and automatically selected options)
- .NET Extensibility 3.5
- .NET Extensibility 4.5
- Security
- Windows Authentication
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility

For this section we will be installing both roles on a stand-alone Primary site using HTTPS connections. If you split the roles between different machines, do the installation section twice, once for the first site system (selecting Enrollment Point during role selection) and a second time on the other site system (selecting Enrollment Proxy Point during role selection).

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Right click your Site System and click Add Site System Roles

On the General tab, click Next

On the Proxy tab, click Next

On the Site System Role tab, select Enrollment Point and Enrollment Proxy Point, click Next

On the Enrollment Point tab

In the IIS Website and Virtual application name fields, leave both to the default values

These are the names that you'll see in IIS after the installation

Enter the port number you want to use. The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the Enrollment Proxy Point and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

On the Enrollment Proxy Point tab,

The Enrollment point will be populated by default and can't be changed

Keep the Website name to its default value

Enter the port and protocol that you want to use

The Virtual application name can't be changed. This will be used for client installation (https://servername/EnrollmentServer)

On the Summary tab, review your settings, click Next and complete the wizard

Logs

You can verify the role installation in the following logs:

- ConfigMgrInstallationPath\Logs\enrollsrvMSI.log and enrollmentservice.log – Records details about the Enrollment Point installation
- ConfigMgrInstallationPath\Logs\enrollwebMSI.log – Records details about the Enrollment Proxy Point installation
- ConfigMgrInstallationPath\Logs\enrollmentweb.log – Records communication between mobile devices and the Enrollment Proxy Point

Follow this Technet Guide if you want to proceed to the next steps for Mac computer enrollment.

The FSP helps monitor client installation and identify unmanaged clients that cannot communicate with their management point.

This is not a mandatory Site System but we recommend installing an FSP for better client management and monitoring. This is the Site System that receives State Messages related to client installation, client site assignment, and clients unable to communicate with their HTTPS Management Point.

If the FSP is not configured properly you'll end up having "A fallback status point has not been specified" errors in your logs.

This Site System is a hierarchy-wide option. It's supported to install this role on a child Primary Site or stand-alone Primary Site but it's not supported on a Central Administration site or Secondary Site.

Open the SCCM console

Navigate to Administration / Site Configuration / Servers and Site System Roles

Right click your Site System and click Add Site System Roles

On the General tab, click Next

On the Proxy tab, click Next

On the Site System Role tab, select Fallback Status Point, click Next

On the Fallback Status Point tab, specify the number of state messages to process. We recommend leaving the default value, click Next

On the Summary tab, review your settings and click Next

Wait for the setup to complete and close the wizard

- Smsfspsetup.log – Detailed FSP Installation status
- Fspmgr.log – Verify whether clients are successfully sending state messages to the FSP
- You can also check if reports that depend on the FSP are populated with data. See the full list of reports that rely on the FSP here.

Use the FSP client properties to point your clients to your newly created FSP

Navigate to Administration / Site Configuration / Site

Click the Client Installation Setting icon on the ribbon

Select Client Push Installation

On the Installation Properties tab

Enter your server FQDN in the FSP properties
This section will describe how to install a Management Point (MP).

Every SCCM hierarchy must have a Management Point to enable client communication. The Management Point is the primary
point of contact between Configuration Manager clients and the site server. Management Points can provide clients with
installation prerequisites, configuration details, advertisements and software distribution package source file locations.
Additionally, Management Points receive inventory data, software metering information and state messages from clients.

Multiple Management Points are used for load-balancing traffic and for clients to continue receiving their policy after
Management Point failure. Read about SCCM High-Availability options in this Technet article.

Prior to SCCM 2012 R2 SP1, it was not possible to assign clients directly to a specific Management Point. It's now possible using the new Preferred Management Point feature. If you don't have SCCM 2012 R2 SP1 yet, be advised that adding a new Management Point in a remote office won't automatically make your clients communicate with this particular MP. Read about how clients choose their Management Point in this Technet article.

The Management Point is a site-wide option. It's supported to install this role on a stand-alone Primary site, child Primary site or Secondary site. It's not supported to install a Management Point on a Central Administration site.

Each primary site can support up to 10 Management Points.

By default, when you install a Secondary site, a Management Point is installed on the Secondary site server. Secondary sites do
not support more than one Management Point and this Management Point cannot support mobile devices that are enrolled by
Configuration Manager.

See the full Supported Configuration in the following Technet article.


On Windows 2012, the following features must be installed before the Management Point Installation:

Features:

- .NET Framework 4.5
- BITS Server Extensions or Background Intelligent Transfer Services (BITS)

IIS Configuration:

- Application Development
- ISAPI Extensions
- Security
- Windows Authentication
- IIS 6 Management Compatibility
- IIS 6 Metabase Compatibility
- IIS 6 WMI Compatibility
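The prerequisite lists in this guide (Application Catalog, Certificate Registration Point, distribution point, Enrollment Point and Proxy Point, Management Point) can be checked per role before opening the Add Site System Roles wizard. This is an added example, not part of the original guide; the mapping from the guide's display names to Windows Server 2012 feature identifiers is an assumption, and the function and variable names are hypothetical.

```powershell
# Added example, not from the guide. Feature names are Windows Server 2012 / 2012 R2
# identifiers; mapping the guide's display names to them is an assumption. Where the
# guide says "ASP.NET" without a version, ASP.NET 4.5 (Web-Asp-Net45) is assumed.
$iis6   = @('Web-Mgmt-Compat', 'Web-Metabase')
$enroll = @('NET-Framework-Core', 'NET-Framework-45-Core', 'NET-WCF-HTTP-Activation45',
            'NET-Framework-45-ASPNET', 'Web-Default-Doc', 'Web-Asp-Net', 'Web-Net-Ext',
            'Web-Asp-Net45', 'Web-Net-Ext45') + $iis6

$RolePrerequisites = @{
    AppCatalogWebService         = @('NET-Framework-Core', 'NET-Framework-45-Core',
                                     'NET-HTTP-Activation', 'NET-Non-HTTP-Activ',
                                     'Web-Asp-Net45') + $iis6
    AppCatalogWebsite            = @('NET-Framework-45-Core', 'Web-Static-Content',
                                     'Web-Default-Doc', 'Web-Asp-Net45',
                                     'Web-Windows-Auth') + $iis6
    CertificateRegistrationPoint = @('Web-Server', 'Web-Asp-Net', 'Web-Asp-Net45',
                                     'NET-WCF-HTTP-Activation45')
    DistributionPoint            = @('RDC')
    EnrollmentPoint              = $enroll
    EnrollmentProxyPoint         = $enroll + @('Web-Static-Content', 'Web-Windows-Auth')
    ManagementPoint              = @('NET-Framework-45-Core', 'BITS-IIS-Ext', 'Web-ISAPI-Ext',
                                     'Web-Windows-Auth', 'Web-WMI') + $iis6
}

function Get-MissingRoleFeature {
    # Lists the prerequisite features that are not installed for the given role(s).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$Role,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($r in $Role) {
        if (-not $RolePrerequisites.ContainsKey($r)) { throw "Unknown role '$r'" }
        $wanted = $RolePrerequisites[$r]
        $state  = @{}
        Get-WindowsFeature -Name $wanted -ComputerName $ComputerName |
            ForEach-Object { $state[$_.Name] = $_ }
        foreach ($name in $wanted) {
            if (-not $state.ContainsKey($name)) {
                # The feature name does not exist on this Windows version.
                [pscustomobject]@{ Role = $r; Feature = $name; State = 'NotOfferedByThisOS' }
            } elseif (-not $state[$name].Installed) {
                # InstallState is 'Available' or 'Removed'; 'Removed' needs -Source at install time.
                [pscustomobject]@{ Role = $r; Feature = $name; State = [string]$state[$name].InstallState }
            }
        }
    }
}

# Report what is missing for the roles planned on this server.
$missing = @(Get-MissingRoleFeature -Role ManagementPoint, DistributionPoint)
$missing | Format-Table -AutoSize

# Preview the installation; remove -WhatIf to apply it.
$installable = @($missing | Where-Object { $_.State -ne 'NotOfferedByThisOS' } |
                 Select-Object -ExpandProperty Feature -Unique)
if ($installable.Count -gt 0) {
    Install-WindowsFeature -Name $installable -WhatIf
}
```

Installing only the features a role needs, on the server that hosts it, keeps the IIS surface of each site system as small as the guide's lists allow.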

• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click your Site System and click Add Site System Roles
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select Management Point, click Next
• On the Management Point tab
• Select the desired client connection methods. HTTPS requires a valid PKI certificate for client authentication
• Click Next
• On the Management Point Database tab, specify if you want to use the site database or a database replica. Read about database replica here
• Specify if you want to use the computer account of the Management Point to connect to the database or a specified account
• On the Summary tab, review your settings, click Next and complete the wizard

You can verify the installation in the following logs:

• ConfigMgrInstallationPath\Logs\mpMSI.log – Records details about the management point installation
• ConfigMgrInstallationPath\Logs\MPSetup.log – Records the management point installation wrapper process

This section describes how to install a reporting services point.

This role can be installed on a remote machine; the process is the same but the log location is different.

Before you can install the reporting services point role you must configure SQL correctly.

We’ll be using SQL 2012 in this post; the steps are the same on SQL 2014. We are assuming that SQL is already installed and
that your SCCM site is up and healthy.

During the initial SQL installation, you must select Reporting Services.
If you have installed SQL Server but have not installed Reporting Services, follow the steps below. If Reporting Services is
already installed, skip to the Configure Reporting Services section.

• Launch the SQL Server 2012 installation from the media.
• Click the Installation link on the left to view the Installation options.
• Click the top link, New SQL Server stand-alone installation or add features to an existing installation.
• Follow the SQL Server Setup wizard until you get to the Installation Type screen.
• Select Add features to an existing instance of SQL Server 2012.
• Select Reporting Services – Native
• At the Reporting Services Configuration page
• Select Install Only
• Continue through the wizard and reboot the computer at the end of the installation if instructed to do so.

Before configuring the reporting point, some configuration needs to be made on the SQL side. The virtual instance needs to be
created for SCCM to connect and store its reports.

If you installed Reporting Services during the installation of the SQL Server instance, SSRS will be configured automatically for
you. If you install SSRS later, then you will have to go back and configure it as a subsequent step.
• To configure, open Reporting Services Configuration Manager
• Click Start / All Programs / Microsoft SQL Server 2012 / Configuration Tools / Reporting Services Configuration Manager
• Click Connect to connect to the SQL instance
• On the left-hand side of the Reporting Services Configuration Manager, click Database.
• Click the Change Database button
• Select Create a new report server database and click Next
• This wizard creates two databases: ReportServer, used to store report definitions and security, and ReportServerTempDB, which is used as scratch space when preparing reports.
• Click the Web Service URL tab
• Click Apply
• This step sets up the SSRS web service. The web service is the program that runs in the background that communicates between the web page, which you will set up next, and the databases.
• Select the Report Manager URL
• Accept the default settings and click Apply
• If the Apply button was already grayed out, this means the SSRS was already configured. This step sets up the Report Manager web site where you will publish reports
• Exit Reporting Service Configuration Manager.
• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click on your Site Server and click Add system Roles
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select Reporting Services Point, click Next
• On the Reporting Services setting tab
• Click Verify
• At the bottom, add an account to use for the reporting point. This account needs to have access to the SCCM DB
• Click Next
• Wait for the process to complete and close the wizard

Using the simple recovery model improves performance and saves space on your server hard drive by avoiding a possibly large transaction log file.

To change the Recovery Model of the ReportingDB to Simple:

• Open SQL Management Studio
• Right click on the ReportServer database and select Properties
• Go to the Options page
• Under Recovery model select Simple
• Click OK

Log

Check the following logs for reporting point installation status. Both logs are under the SCCM log file location.

• Srsrpsetup.log
• Srsrpmsi.log

If your reporting point is installed on a remote server, look for the logs in:

Drive:\SMS\Logs\

SCCM Console

Open the Monitoring / Reporting / Reports node. Verify that your reports are listed

Web Browser

Open Internet Explorer, navigate to http://yourservername/Reports

If everything went well, you’ll have a folder Config_SiteCode containing your reports

SQL

If you check your SQL instance, you’ll see the 2 new databases that were created by the installation.

• Open SQL Management Studio
• Locate ReportServer and ReportServerTempDB

This section will describe how to install a Software Update Point (SUP).

See the important prerequisite on section 5.11.

The SUP integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager
clients.

This is not a mandatory Site System but you need to install a SUP if you’re planning to use SCCM as your patch management
platform.

SCCM 2012 SP1 (and thus R2) integrates new features to the Software Update Point that are well documented in this Technet
Article.

This Site System is a site-wide option. It’s supported to install this role on a Central Administration Site, child Primary Site,
stand-alone Primary Site and Secondary Site.
• When your hierarchy contains a Central Administration Site, install a SUP and synchronize it with Windows Server Update Services (WSUS) before you install a SUP at any child Primary Site.
• When you install a SUP at a child Primary Site, configure it to synchronize with the SUP at the Central Administration Site.
• Consider installing a SUP in a Secondary Site when data transfer across the network is slow.

Perform the following on the server that will host the SUP role.

• Open Server Manager / Add Roles and Features
• Select the Windows Server Update Services Role, click Next
• Select WSUS Services and Database, click Next
• Launch Windows Server Update Services from the Start Menu. You will be prompted with the following window:
• On the DB instance, enter your server name
• On Content directory path, use a drive with enough drive space. This is where your WSUS will store updates
• When the WSUS Configuration Wizard starts, click Cancel
• Open SQL Management Studio
• Under Databases, right-click SUSDB, select Properties, and click Files
• Change Owner to SA
• Change the Autogrowth value to 512MB, click Ok and close SQL MS

• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click your Site System and click Add Site System Roles
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select Software Update Point, click Next
• On the Software Update Point tab, select WSUS is configured to use ports 8530 and 8531, click Next
• On the Proxy and Account Settings tab, specify your credentials if necessary, click Next
• On the Synchronization Source tab, specify if you want to synchronize from Microsoft Update or an upstream source. Refer to the Site System Placement section if you’re unsure. For a stand-alone Primary Site, select Synchronize from Microsoft Update, click Next
• On the Synchronization Schedule tab, check the Enable synchronization on a schedule check box and select your desired schedule. 1 day is usually enough but it can be lowered if you’re synchronizing Endpoint Protection definition files, click Next
• On the Supersedence Rules tab, select Immediately expire a superseded software update, click Next
• On the Classifications tab, select your organisation needs, click Next
• Full description on this Microsoft Support Article
• On the Products tab, select the products that you want to manage using SCCM, click Next
• On the Languages tab, select the desired Language, click Next
• On the Summary tab, review your settings, click Next, wait for the setup to complete and click Close

• ConfigMgrSetup\Logs\SUPSetup.log – Provides information about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file
• ConfigMgrSetup\Logs\WCM.log – Provides information about the software update point configuration and connecting to the WSUS server for subscribed update categories, classifications, and languages
• ConfigMgrSetup\Logs\WSUSCtrl.log – Provides information about the configuration, database connectivity, and health of the WSUS server for the site
• ConfigMgrSetup\Logs\Wsyncmgr.log – Provides information about the software updates synchronization process

Bonus link : I suggest that you read the excellent article written by Kent Agerlund on how to avoid what he calls the House
of Cards

This section will describe how to install a State Migration Point (SMP).

The State Migration Point stores user state data when a computer is migrated to a new operating system.

This is not a mandatory Site System but you need a State Migration Point if you plan to use the User State steps in your Task
Sequence. These steps integrate with User State Migration Tools (USMT) to back up your user data before applying a new
operating system to a computer.

The State Migration Point is a site-wide option. It’s supported to install this role on a child Primary Site, stand-alone Primary
Site or Secondary Site. It’s not supported to install it on a Central Administration site.

Beginning with SCCM 2012 R2, the State Migration Point can be installed on the site server computer or on a remote computer.
It can be co-located on a server that has the distribution point role.
• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click your Site System and click Add Site System Roles
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select State Migration Point, click Next
• On the State Migration Point tab
• Click the star icon, specify the folder where you want the data to be stored and how much space must be reserved on the drive
• Specify the Deletion Policy. This is the delay to keep the data after a successful restore.
• Enable Restore-Only mode if needed. Use this setting if you want your SMP to be in read-only mode. This is useful if you replace or decommission an existing SMP
• On the Boundary Groups tab, add the boundary group that can access the State Migration Point. If you add the role on a site system that already has the Distribution Point role, the boundary group of this DP will already be listed
• On the Summary tab, review your settings, click Next and complete the wizard

You can verify the installation in the following logs:

• ConfigMgrInstallationPath\Logs\Smssmpsetup.log – Detailed State Migration Point Installation status
• ConfigMgrInstallationPath\Logs\Smpmsi.log – Provides information about the State Migration Point

To store the user state data on a State Migration Point, you must create a package that contains the USMT source files. This
package is specified when you add the Capture User State step to your task sequence.
• On your SCCM Server where you installed Windows Deployment Toolkit, browse to : C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool
• If you don’t have this folder, it’s because you haven’t installed the USMT (included in Windows ADK) during your SCCM Installation
• Copy the folder content in your Content Library (In my example D:\Sources\OSD\USMT)
• Open the SCCM Console
• Go to Software Library / Application Management / Packages
• Right-click Packages and select Create a new package
• Enter the Name, Manufacturer, Language
• Check the This package contains source files check box and specify your source folder (D:\Sources\OSD\USMT)
• Click Next
• On the Program Type tab, select Do not create a program and click Next
• Complete the Create Package wizard

The State Migration Point and the USMT package are now ready for use in an OSD Task Sequence using the Capture User
State and Restore User State steps.

This section will describe how to install a System Health Validator Point (SHVP).

The System Health Validator Point validates Configuration Manager Network Access Protection (NAP) policies.

This is not a mandatory site system but you need a System Health Validator Point if you plan to use NAP evaluation in your
software update deployments. This site system integrates with an existing NAP server in your infrastructure.

The System Health Validator Point is a hierarchy-wide option. It’s supported to install this role on a Central Administration site,
stand-alone Primary site or child Primary site. It’s not supported to install it on a Secondary site. The System Health Validator
Point must be installed on a NAP health policy server.
• Open the SCCM console
• Navigate to Administration / Site Configuration / Servers and Site System Roles
• Right click your Site System and click Add Site System Roles
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select System Health Validator Point, click Next
• On the System Health Validator tab, click Next
• There are no properties to configure for this site system role
• On the Summary tab, review your settings, click Next and complete the wizard

You can verify the installation in the following logs:

• ConfigMgrInstallationPath\Logs\SMSSHVSetup.log – Detailed System Health Validator Point installation status

In order to enable Network Access Protection on your clients, you must configure your client settings :
• Open the SCCM console
• Browse to Administration / Client Settings
• Create a new client settings, select Network Access Protection on the left and choose Yes under Enable Network Access Protection on clients
• Select the desired NAP re-evaluation schedule and click Ok

In case you’re used to NAP in SCCM 2007 and looking for a Network Access Protection node in the console, the 2012 version
of NAP is slightly different.

From Technet : The New Policies Wizard is no longer available to create a NAP policy for software updates: The Network Access
Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center
2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP
Evaluation tab in software update properties.

This section will describe how to install the Windows Intune Connector (WIC) role. In SCCM 1511 this role has been replaced
by the Service Connection Point.

The WIC is used to send settings and software deployment information to Microsoft Intune and to retrieve inventory messages
from mobile devices. The Intune service acts as a gateway that communicates with mobile devices. This role is mandatory if
you’re planning to manage mobile devices using SCCM with Intune integration.

Important : Before you can add the WIC, you must create a Windows Intune subscription and add it to SCCM.

The WIC is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level
site. Install it on your Central Administration Site or stand-alone Primary Site depending on your design.
• Go to Administration / Site Configuration / Servers and Site System Roles
• Right click the Site System you wish to add the role
• Click Add Site System Role in the Ribbon
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select Windows Intune Connector and click Next
• On the Summary screen, wait for the setup to complete and close the wizard

• Sitecomp.log – Information about role installation and that the Windows Intune connector was created successfully

The service connection point is a site system role that serves several important functions for the hierarchy.

It might affect how you configure this site system role:

• Manage mobile devices with Microsoft Intune – This role replaces the Microsoft Intune connector used by previous versions of SCCM, and can be configured with your Intune subscription details.
• Manage mobile devices with on-premises MDM – This role provides support for on-premises devices you manage that do not connect to the Internet
• Upload usage data from your Configuration Manager infrastructure – You can control the level or amount of detail you upload
• Download updates that apply to your Configuration Manager infrastructure – Only relevant updates for your infrastructure are made available, based on usage data you upload.

Each hierarchy supports a single instance of this role.

The site system role can only be installed at the top-tier site of your hierarchy (A central administration site or the
stand-alone primary site).

The SCCM installation wizard will ask to install the Service Connection Point. If you select to skip the role installation, you can
manually add it to SCCM using the following steps.

• Go to Administration / Site Configuration / Servers and Site System Roles
• Right click the Site System you wish to add the role
• Click Add Site System Role in the Ribbon
• On the General tab, click Next
• On the Proxy tab, click Next
• On the Site System Role tab, select Service Connection Point and click Next
• On the Service Connection Mode, select the desired option and click Next
• On the Summary screen, wait for the setup to complete and close the wizard

• ConnectorSetup.log – Information about role installation and that the Service Connection Point was created successfully

In this part of the guide, we will configure various SCCM components.

Some accounts need to be entered in the console before installing clients and deploying operating systems. You can refer to
section 5.4 where we created those accounts.

Network Access Account

• In the SCCM console
• Go to Administration / Site Configuration / Sites
• On the top ribbon click Configure Site Components / Software Distribution
• In the Software Distribution Component Properties screen, enter your Network Access account that you will use for this component

Client Push Installation account

• In the SCCM console
• Go to Administration / Site Configuration / Sites
• On the top ribbon click Client Installation Settings / Client Push Installation
• In the Client Push Installation Properties, enter your client push account that you will use for this component

In this section we will configure SCCM boundaries.

First, let’s define what a boundary in SCCM is :

From Technet :

In System Center 2012 Configuration Manager, a boundary is a network location on the intranet that can contain one or more
devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range,
and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or
more boundary groups. Boundary groups are collections of boundaries. By using boundary groups, clients on the intranet can find
an assigned site and locate content when they have to install software, such as applications, software updates, and operating
system images.
A boundary does not enable clients to be managed at the network location. To manage a client, the boundary must be a member
of a boundary group. Simple boundaries on their own do nothing; they must be added to one or more boundary groups in order to work.

A boundary group is self-explanatory: it’s a group of boundaries used for site assignment and for content location.
Beginning with SCCM 2012 R2 SP1, a boundary group can direct your clients to their Distribution Points for content, State
Migration Point and Preferred Management Point. Prior to R2 SP1, content location is used by clients to identify available
Distribution Points or State Migration Points based on the client network location.

To summarize :

• A Site Assignment boundary group associates a resource with a site
• A Content Location boundary group is used by a resource to retrieve its deployment content (applications, packages, images, etc)

Before designing your strategy, choose wisely which boundary type to use.

If you’re unsure of which type of boundary to use you can read Jason Sandys’ excellent post about why you shouldn’t use IP
Subnet boundaries.

Microsoft recommends the following :

• When designing your boundary strategy, we recommend you use boundaries that are based on Active Directory sites before using other boundary types. Where boundaries based on Active Directory sites are not an option, then use IP subnet or IPv6 boundaries. If none of these options are available to you, then leverage IP address range boundaries. This is because the site evaluates boundary members periodically, and the query required to assess members of an IP address range requires a substantially larger use of SQL Server resources than queries that assess members of other boundary types
• It’s also recommended to split your Site Assignment and Content location group

SCCM 2012 supports overlapping boundary configurations for content location.

When a client requests content, and the client network location belongs to multiple boundary groups, Configuration Manager
sends the client a list of all Distribution Points that have the content.

This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

In our various SCCM installations, our clients are often confused about this topic. Let’s work through an example to help you
understand :

• Contoso has 1000 clients
• 1 Primary Site (Montreal)
• 3 remote offices with their local Distribution Point (New York, Chicago, Los Angeles)
• Active Directory Sites are based on their site subnets (MTL, NY, CHI, LA)

In that scenario, we need to create 4 boundaries, 1 for each office :

BOUNDARY   TYPE
MTL        Active Directory Site
NY         Active Directory Site
CHI        Active Directory Site
LA         Active Directory Site

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Boundary
• Right-click Boundaries and select Create Boundary
• Create the boundary
• In our example we’ll create 4 different boundaries for my 4 locations using their Active Directory Sites
• Tip : If you have multiple Active Directory Sites, IP Ranges or Subnets, you can enable Active Directory Forest Discovery which can create them automatically

Now, we’ll create a Site Assignment Boundary Group and add all those AD Sites. That way, all my clients for my 4 locations will be
assigned to my Montreal Primary Site.

For Content Location, we want clients to get their content locally at their respective location. We will create 4 Content Boundary
groups, add only their AD Site Boundary and assign their local Distribution Point.

NAME                     BOUNDARY   SITE SYSTEM
MTL - Content Location   MTL        DPMTL01
NY - Content Location    NY         DPNY01
CHI - Content Location   CHI        DPCHI01
LA - Content Location    LA         DPLA01

Here’s how to make this happen in SCCM :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Boundary Groups
• Right-click Boundary Groups and select Create Boundary Groups
• We’ll start by creating a group for Site Assignment : SA – MTL
• Click the Add button on the bottom
• On the Add Boundaries screen, select all boundaries.
• This will direct all my clients to the Primary Site located in Montreal for Site Assignment
• On the References tab, check the Use this boundary group for site assignment box
• Select your assigned site. In our case : MTL
• Click Ok
• Right-click Boundary Groups and select Create Boundary Groups
• We’ll name our group Content Location – MTL
• Click on Add
• Select only the MTL boundary
• The MTL boundary will be listed
• On the References tab, uncheck the Use this boundary group for site assignment box
• Click on Add at the bottom
• Select the Site System that hosts the Distribution Point role for the Montreal site.
• For our example DPMTL01
• Click Ok

Repeat the steps for the other sites (New York, Chicago, Los Angeles).

Once completed, our clients are assigned to their respective local Site Systems.

This is a simple but typical scenario. You can have multiple boundaries and Site Systems in your Boundary Groups if needed.
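
The Contoso layout above, scripted with the ConfigurationManager PowerShell module, as an added example that is not part of the original guide. It assumes the admin console (and therefore the module and the site drive) is installed, that the site code is MTL as in the walkthrough, and that the module uses its current parameter names (-Type, -DefaultSiteCode, -AddSiteSystemServerName); the contoso.local suffix is a constructed placeholder.

```powershell
# Added example (not from the original guide).
# Load the module that ships with the admin console; importing it creates the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')

$SiteCode  = 'MTL'               # site code used in the walkthrough
$DnsSuffix = 'contoso.local'     # constructed placeholder, replace with your domain
$Offices   = @(
    @{ AdSite = 'MTL'; DistributionPoint = 'DPMTL01' }
    @{ AdSite = 'NY';  DistributionPoint = 'DPNY01'  }
    @{ AdSite = 'CHI'; DistributionPoint = 'DPCHI01' }
    @{ AdSite = 'LA';  DistributionPoint = 'DPLA01'  }
)

Push-Location "$($SiteCode):"
try {
    # 1. One Active Directory Site boundary per office (skipped if it already exists).
    foreach ($office in $Offices) {
        if (-not (Get-CMBoundary -BoundaryName $office.AdSite)) {
            New-CMBoundary -Name $office.AdSite -Type ADSite -Value $office.AdSite | Out-Null
        }
    }

    # 2. A single Site Assignment group holding all four boundaries.
    #    -DefaultSiteCode is what makes the group assign clients to the site.
    $saGroup = "SA - $SiteCode"
    if (-not (Get-CMBoundaryGroup -Name $saGroup)) {
        New-CMBoundaryGroup -Name $saGroup -DefaultSiteCode $SiteCode | Out-Null
        foreach ($office in $Offices) {
            Add-CMBoundaryToGroup -BoundaryName $office.AdSite -BoundaryGroupName $saGroup
        }
    }

    # 3. One Content Location group per office: only its own boundary, only its local
    #    Distribution Point, and no site code (not used for site assignment).
    foreach ($office in $Offices) {
        $clGroup = "$($office.AdSite) - Content Location"
        if (-not (Get-CMBoundaryGroup -Name $clGroup)) {
            $dpFqdn = "$($office.DistributionPoint).$DnsSuffix"
            New-CMBoundaryGroup -Name $clGroup -AddSiteSystemServerName $dpFqdn | Out-Null
            Add-CMBoundaryToGroup -BoundaryName $office.AdSite -BoundaryGroupName $clGroup
        }
    }

    # 4. Review: exactly one group should carry a DefaultSiteCode, and each
    #    Content Location group should show one member and one site system.
    Get-CMBoundaryGroup |
        Sort-Object Name |
        Select-Object Name, DefaultSiteCode, MemberCount, SiteSystemCount |
        Format-Table -AutoSize
}
finally {
    Pop-Location
}
```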

This blog article will explain SCCM discovery methods and how to configure them.

Here's the official discovery methods definition from Technet :

SCCM discovery methods identifies computer and user resources that you can manage by using Configuration Manager. It can
also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered
object and stores this information in the Configuration Manager database.
When discovery of a resource is successful, discovery puts information about the resource in a file that is referred to as a discovery
data record (DDR). DDRs are in turn processed by site servers and entered into the Configuration Manager database where they
are then replicated by database-replication with all sites. The replication makes discovery data available at each site in the
hierarchy, regardless of where it was discovered or processed.
You can use discovery information to create custom queries and collections that logically group resources for management tasks
such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use
client push installation to install the Configuration Manager client on devices.

In simple words, it means that SCCM needs to discover devices before it can manage them. It's not mandatory to discover
computers: if you manually install the client, it will appear in the console and it can be managed. The problem is that if you
have thousands of computers, it can be a tedious process. By using Active Directory System Discovery, all your computers will be
shown in the console; from there you can choose to install the client using various SCCM methods. Of course, if you need
information about your users and groups, you need to configure User and Group discovery; it's the only way to bring this
information into SCCM.

There are 5 Types of Discovery Methods that can be configured. Each one targets a specific object type (Computers, Users,
Groups, Active Directory) :

Discovers computers in your organization from specified locations in Active Directory. In order to push the SCCM client to the
computers, the resources must be discovered first. You can specify to discover only computers that have logged on to the
domain in a given period of time. This option is useful to exclude obsolete computer accounts from Active Directory. You also
have the option to fetch custom Active Directory Attributes. This is useful if your organisation stores custom information in AD.

To discover resources using this method :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory System Discovery and select Properties
• On the General tab, you can enable the method by checking the Enable Active Directory System Discovery
• Click on the Star icon and select the Active Directory container that you want to include in the discovery process
• In the Active Directory Container screen, enter the path of the location you want to discover.
• On the bottom pane, you can specify a discovery account.
• On the Polling Schedule tab, select the frequency on which you want the discovery to happen.
• A 7 day cycle with a 5 minutes delta interval is usually fine in most environments.
• On the Active Directory Attribute tab, you can select custom attributes to include during discovery.
• This is useful if you have custom data in Active Directory that you want to use in SCCM.
• On the Options tab, you can select to discover only accounts that have logged on or updated their passwords within a specific number of days.
• This is useful if your Active Directory isn’t clean. Use this to discover only good records.

Discovers groups from specified locations in Active Directory. The discovery process discovers local, global or universal security
groups. When you configure the Group discovery you have the option to discover the membership of distribution groups. With
the Active Directory Group Discovery you can also discover the computers that have logged in to the domain in a given period
of time. Once discovered, you can use group information, for example, to create deployments based on Active Directory groups.
Be careful when configuring this method : If you discover a group that contains a computer object that is NOT discovered in
Active Directory System Discovery, the computer will be discovered. If automatic client push is enabled, this could lead to
the client being installed on unwanted computers.

To discover resources using this method :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory Group Discovery and select Properties
• On the General tab, you can enable the method by checking the Enable Active Directory Group Discovery
• Click on the Add button on the bottom to add a certain location or a specific group.
• Remember : If you discover a group that contains a computer object that is NOT discovered in Active Directory System Discovery, the computer will be discovered.
• In the Add Groups screen, enter the options you want to use.
• On the bottom pane, you can specify a discovery account.
• On the Polling Schedule tab, select the frequency on which you want the discovery to happen.
• A 7 day cycle with a 5 minutes delta interval is usually fine in most environments.
• On the Options tab, you can select to discover only accounts that have logged on or updated their passwords within a specific number of days.
• This is useful if your Active Directory isn’t clean. Use this to discover only good records.
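
One way to check for the Group Discovery side effect described above before enabling the method, as an added example that is not part of the original guide: it lists computer members of a group whose distinguished name falls outside the containers configured for Active Directory System Discovery. The function names, the sample members and the contoso.local containers are constructed; with the ActiveDirectory module the member list would come from Get-ADGroupMember -Recursive.

```powershell
# Added example (not from the original guide); names below are hypothetical.

# Return the parent container of a DN, honouring escaped commas such as "CN=Smith\, John".
function Get-ParentDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = $DistinguishedName -split '(?<!\\),', 2
    if ($parts.Count -eq 2) { $parts[1] } else { '' }
}

# True when the object sits in one of the containers, or below one when -Recursive is set
# (the equivalent of searching child containers in the discovery settings).
function Test-DnInScope {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string[]]$Container,
        [bool]$Recursive = $true
    )
    $parent = Get-ParentDn -DistinguishedName $DistinguishedName
    foreach ($c in $Container) {
        if ($parent -ieq $c) { return $true }
        if ($Recursive -and
            $parent.EndsWith(",$c", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Computer members that Group Discovery would add although System Discovery does not cover them.
function Find-UnscopedComputer {
    param(
        [Parameter(Mandatory)][object[]]$Member,
        [Parameter(Mandatory)][string[]]$SystemDiscoveryContainer,
        [bool]$Recursive = $true
    )
    $Member |
        Where-Object { $_.objectClass -eq 'computer' } |
        Where-Object {
            -not (Test-DnInScope -DistinguishedName $_.distinguishedName `
                                 -Container $SystemDiscoveryContainer `
                                 -Recursive $Recursive)
        } |
        Select-Object -ExpandProperty distinguishedName
}

# Constructed sample data. Against a live domain, use instead:
#   $members = Get-ADGroupMember -Identity '<group name>' -Recursive
$members = @(
    [pscustomobject]@{ objectClass = 'computer'; distinguishedName = 'CN=WS001,OU=Workstations,OU=MTL,DC=contoso,DC=local' }
    [pscustomobject]@{ objectClass = 'computer'; distinguishedName = 'CN=LAB-PC7,OU=Lab,DC=contoso,DC=local' }
    [pscustomobject]@{ objectClass = 'computer'; distinguishedName = 'CN=SRV01,ou=servers,ou=mtl,dc=contoso,dc=local' }
    [pscustomobject]@{ objectClass = 'user';     distinguishedName = 'CN=Smith\, John,OU=Users,OU=MTL,DC=contoso,DC=local' }
)

# Containers configured in Active Directory System Discovery, without the LDAP:// prefix.
$systemDiscoveryScope = @('OU=MTL,DC=contoso,DC=local')

# Lists the computers that would become newly discovered resources (and client push targets).
Find-UnscopedComputer -Member $members -SystemDiscoveryContainer $systemDiscoveryScope
```

An empty result means every computer in the group is already covered by System Discovery, so enabling Group Discovery for that group adds no new push targets.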

Discovery process discovers user accounts from specified locations in Active Directory. You also have the option to fetch
custom Active Directory Attributes. This is useful if your organisation stores custom information in AD about your users. Once
discovered, you can use group information, for example, to create user based deployments.

To discover resources using this method :

• Open the SCCM Console
• Go to Administration / Hierarchy Configuration / Discovery Methods
• Right-Click Active Directory User Discovery and select Properties
• On the General tab, you can enable the method by checking the Enable Active Directory User Discovery
• Click on the Star icon and select the Active Directory container that you want to include in the discovery process
• In the Active Directory Container screen, enter the path of the location you want to discover.
• On the bottom pane, you can specify a discovery account.
• On the Polling Schedule tab, select the frequency on which you want the discovery to happen.
• A 7 day cycle with a 5 minutes delta interval is usually fine in most environments.
• On the Active Directory Attribute tab, you can select custom attributes to include during discovery.
• This is useful if you have custom data in Active Directory that you want to use in SCCM.

Discovers Active Directory sites and subnets, and creates Configuration Manager boundaries for each site and subnet from the
forests which have been configured for discovery. Using this discovery method you can automatically create the Active
Directory or IP subnet boundaries that are within the discovered Active Directory Forests. This is very useful if you have
multiple AD Sites and Subnets: instead of creating them manually, use this method to do the job for you.

To discover resources using this method :

Open the SCCM Console

Go to Administration /
Hierarchy Configuration /
Discovery Methods

Right-Click Active Directory


Forest Discovery and select
Properties
On the General tab, you can
enable the method by
checking the Enable Active
Directory Forest Discovery

Select the desired options

Heartbeat Discovery runs on every client to update its discovery record in the database. The records (Discovery Data Records) are sent to the Management Point at a specified interval. Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.

Heartbeat Discovery is enabled by default and is scheduled to run every 7 days.

To discover resources using this method:

Open the SCCM Console

Go to Administration / Hierarchy Configuration / Discovery Methods

Right-click Heartbeat Discovery and select Properties

On the General tab, you can enable the method by checking Enable Heartbeat Discovery

Make sure that this setting is enabled and that the schedule runs less frequently than the Clear Install Flag maintenance task.

Network Discovery searches your network infrastructure for network devices that have an IP address. It can search domains, SNMP devices and DHCP servers to find resources. It also discovers devices that might not be found by other discovery methods. This includes printers, routers, and bridges.

We won’t go into detail on this discovery method as it’s an old and deprecated method. We never saw any customers using this method in production.

This section will explain how to create custom SCCM client settings and how to deploy them.

Client settings are used to configure your deployed agents. This is where you decide on configuration such as:

• Enabling the hardware inventory agent
• Enabling power settings options
• Setting scan schedules
• BITS throttling
• Etc.

In previous versions of SCCM, client settings were specific to the site. You had one set of client settings that applied to your whole hierarchy. In SCCM 2012+ you can specify client settings at the collection level. You can have different settings for specific collections; overlapping settings are resolved using a priority value.

When you modify the Default Client Settings, the settings are applied to all clients in the hierarchy automatically. You do not need to deploy the Default Client Settings to apply them. By default they have a priority value of 10000 (this is the lowest priority). All other custom client settings can have a priority value of 1 to 9999, which will always override the Default Client Settings (the highest priority is 1).

We won’t explain each client setting and its description. The Technet documentation is pretty clear and many of the client settings are self-explanatory. We cannot make any recommendation either, as each environment has its own needs and limitations. If you have any questions concerning a specific setting, use the comment section and we’ll try to help you so you can make the right decision for your organisation.

When you deploy custom client settings, they override the Default Client Settings.

Before you begin, ensure that you have created a collection that contains the devices that require these custom client settings.

For our guide, we will set the Client Policy polling interval to 15 minutes.

Open the SCCM console

Go to Administration / Client Settings

On the top ribbon, click Create Custom Client Device Settings

In the Create Custom Device Settings page, specify a name for the custom settings and description

Select one or more of the available settings.

We will select Client Policy

On the left pane, Client Policy will be displayed, click on it

We will set the Client Policy polling interval to 15 minutes

Click Ok

Your newly created setting will be displayed in the console

When you create new client settings, they automatically take the next available priority (beginning with 1). Before deploying them, make sure the priority is set correctly for your needs. A higher priority (1) will override any settings with a lower priority (9999). Don’t get confused: 1 is higher!

To change the priority number:

On the top ribbon, select your client settings and click Increase Priority or Decrease Priority

You can see each client settings priority, and whether they are deployed, in the same section

Now that your client settings are created, you need to deploy them to a collection. These new client settings will apply only to this collection and, depending on the priority, will override the settings.

Select the custom client settings that you have just created

On the top ribbon, click Deploy

In the Select Collection dialog box, select the collection that contains the devices to be configured with the custom settings, and then click Ok

You can verify the selected collection if you click the Deployments tab on the bottom of the console

Client computers will apply your custom settings when they download their next client policy. You can trigger it manually to speed up the process.

Manually on the client

In Control Panel, click on the Configuration Manager icon

In the Action tab, select Machine Policy Retrieval & Evaluation Cycle

Click Run now

Using the SCCM Console

To initiate client policy retrieval by using client notification (Configuration Manager SP1+ only)

In the SCCM console

Go to Assets and Compliance / Device Collections

Select the device collection containing the computers that you want to download policy

Right click a single device or the whole collection and select Client Notification and then Download Computer Policy

It’s possible to see which client settings are applied to a specific client. You must use the Resultant Client Settings function in the SCCM console. We already covered this in a previous blog post.
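
The procedure above (create the custom settings, set the 15-minute polling interval, review priorities, deploy to a collection, then trigger policy retrieval on a client) can also be scripted. This is an added example, not part of the original guide: it assumes a PowerShell session connected to the site with a ConfigurationManager module version that includes Set-CMClientSettingClientPolicy, and the function names, settings name and collection name are hypothetical placeholders.

```powershell
# Added example, not from the original guide. Names below are placeholders.
$ErrorActionPreference = 'Stop'

function Publish-PollingSetting {
    # Run on a machine with the SCCM console, from the site drive (e.g. XXX:\).
    param(
        [string]$SettingName    = 'Pilot - Client Policy 15 min',  # hypothetical
        [string]$CollectionName = 'Pilot Workstations'             # hypothetical, must exist
    )

    # The guide requires the target collection to exist before you begin.
    if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
        throw "Collection '$CollectionName' not found; create it first."
    }

    # Create the custom device settings only once, so the script can be re-run.
    if (-not (Get-CMClientSetting -Name $SettingName)) {
        New-CMClientSetting -Name $SettingName -Type Device `
            -Description 'Client Policy polling interval: 15 minutes' | Out-Null
    }

    # Client Policy group: polling interval of 15 minutes.
    Set-CMClientSettingClientPolicy -Name $SettingName -PolicyPollingMins 15

    # Review priorities before deploying: 1 is the highest priority,
    # the Default Client Settings sit at 10000.
    Get-CMClientSetting | Sort-Object Priority |
        Format-Table Name, Priority -AutoSize | Out-Host

    # Deploy the custom settings to the collection.
    Start-CMClientSettingDeployment -ClientSettingName $SettingName `
        -CollectionName $CollectionName
}

function Request-MachinePolicy {
    # Run elevated on a client. Scripted equivalent of
    # "Machine Policy Retrieval & Evaluation Cycle" > Run now.
    # ...021 = machine policy retrieval, ...022 = machine policy evaluation.
    foreach ($id in '{00000000-0000-0000-0000-000000000021}',
                    '{00000000-0000-0000-0000-000000000022}') {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

# Usage: Publish-PollingSetting on the site side, then Request-MachinePolicy on a client.
```

If the new settings do not take effect on a device, check the priority table first: another custom settings object with a lower priority number that is deployed to a collection containing the same device will win.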
