Complete SCCM Installation Guide and Configuration

This blog post is a complete revised Step-by-step SCCM Installation Guide. It covers every aspect of the SCCM Installation. ThisblogpostisacompleterevisedStep-by-stepSCCMInstallationGuide.ItcoverseveryaspectoftheSCCMInstallation.FromtheserverprerequisitestotheSQLinstallation,theSccminstallationitselfandallconfigurationandsiteserverinstallation.Followingthisguide,youshouldhaveafunctionalSCCMserverinacoupleofhours.WealreadydidaguideinthepastwhenSCCM1511wasreleasedbutit’swastimefora2020refresh.Sinceourfirstguide,morethan12SCCMversionhasbeenreleased…andtheproductevenchangeditsnametoMicrosoftEndpointManager.(MEMorMEMCM).SCCMinstallationhasneverbeenaneasyprocessandtheproductitselfcanbe complex forinexperiencedadministrators.Withthisblogpost,our goalistobringitabitfurther,explainingconceptsandbestpracticesratherthanjustguidetheuserthroughtheinstallationprocess.Ifyou’renotfamiliarwithSCCMCurrentBranchFeatures,youcanvisitthis MicrosoftDocsarticle whichcoversitall.Ifyou’restillrunningSCCM2012(!)andplanstomigrate,stopreadingthisguide.Youdonotneedtodoacompletenewinstallation.Seeourblogpostonhowtoupgrade toSCCMCurrentBranchinstead.Wehopethisguidebringsalltheinformationyouneedandthatyou’ll appreciateadministeringit.DownloadandownthisSCCMInstallationGuideinasinglePDFfile.ThePDFfileisa162pagesdocumentthatcontainsallinformationstoinstallandconfigureSCCMCurrentBranch.Useourproductspageorusethebuttonbelowtodownloadit.DownloadSCCMCurrentBranchInstallationandConfigurationGuide×ImportantInfoThispostisHUGE,usethistableofcontenttonavigateeasilythroughtheSCCMInstallationguidesections.Part1|DesignRecommendationandInstallationPrerequisitesPart2|SQLInstallationandConfigurationPart3|SCCMInstallationPart4|ApplicationCatalogWebServicePointInstallationPart5|ApplicationCatalogWebsitePointInstallationPart6|AssetIntelligenceSynchronizationPointInstallationPart7|CertificateRegistrationPointInstallationPart8|DistributionPointInstallationPart9|EndpointProtectionPointInstallationPart10|EnrollmentPointInstallationPart11|EnrollmentProxyPointInstallationPart12|FallbackStatusPointInstallationPart13|ManagementPointInstallationPart14|ReportingServicesPointInstallationPart15|SoftwareUpdatePointInstallationPart16|StateMigrationPointInstallationPart17|SystemHealthValidatorPointInstallationPart18|ServiceConnectionPointInstallationPart19|BoundariesConfigurationPart20|ClientSettingsConfigurationPart21|DiscoveryMethodsConfigurationPart22|MaintenanceTaskConfigurationPart23| BackupandRestorePart24|EnableCo-Management(externalpost)Part25|CloudDistributionPoint(externalpost)Part26|CloudManagementGateway(externalpost)Part27|Startyourmodernmanagementjourney(Co-managementandIntune)(externalpost)Part1–DesignRecommendationandInstallationPrerequisitesSCCMHardwareRequirementsInthefirstpart,wewillcoverSCCMinstallationprerequisites mostspecificallyhardwarerequirements,designrecommendations,andserverprerequisites.ThehardwarerequirementsforaPrimarySiteserverlargelydependsonthefeaturesthatareenabled,andhoweachofthecomponentsisutilized.When thenumberofclientsgrowsandchanges,theserverhardwarerequirementschangeaccordingly.Fortheinitialdeployment,hardwarerequirementscanbeestimatedforeachserverbydetermining:Theoverallneedforeachcomponent(WillyoudoOperatingSystemDeployment?Howmanydailysoftwaredeployments?IsInventoryand reportingisimportantforyourorganization?WillyoumanageInternetClient?)ThenumberofclientsplannedtobeinstalledTheloadoneachoftheinstalledSCCMcomponentsIngeneral,mediumenvironments(couplethousandclients)shouldconsiderthefollowingrecommendationswhenplanninghardware:SCCMandSQLServercommunicateconstantly.WerecommendthatthemaindatabaseandSQLServerbe installedonthePrimary siteserver.Thisisfullydebatableandweunderstandthatsomeorganization triestostandardizetheirSQLdistribution.PerformanceissimplybetterusingalocalinstallationwhenconfiguredproperlyNeithertheSCCMsitenortheSQL databaseshouldsharetheirdiskswithotherapplicationsConfiguretheSQLServerdatabasesandlogstorunonadifferentdiskthanthediskwheretheSCCM databaseislocated.Anotherissuetoconsiderwhendetermininghardwarerequirementsforasiteserversisthetotalamountofdatathatwillbestoredin the database.Toestimatetherequireddatabasesizeforasinglesite,anapproximatefigureof5Mbto10Mbperclientistypicallyused.Inoursetup,wewillinstallasinglePrimarySitethathastheroleof ManagementPoint,ReportingPoint,DistributionPoint,PXEServicePoint,StateMigrationPoint,FallbackStatusPointandSoftwareUpdatePoint.SQLReportingServiceswillbeusedtoprovideconsolidatedreportingforthehierarchy.ThisrolewillalsobeinstalledontheSCCMServer.RunningreportscanhaveanimpactonserverCPUandmemoryutilization,particularlyiflargepoorlystructuredqueriesareexecutedaspartofthereportgeneration.Considerplacingclient-facingrole(DistributionPoint,ReportingPoint)onaseparateserverinordertoreduceloadonyourPrimaryserver.Here’sourrecommendedreadingabouthardwarerequirements:SCCMInstallationGuideDesignahierarchyofsitesRecommendedhardwareSupportedconfigurationsPlanforthesitedatabasePlanforsitesystemserversandsitesystemrolesWestronglyrecommendthatyouunderstandSQLServerbeforeinstallingSCCM.TalkandhaveagoodrelationwithyourDBAifyouhaveoneinyour organization.Here’sourrecommendedreading aboutSQL:StorageTop10BestPracticeSQLServerBestPracticesArticleDiskPartitionAlignmentBestPracticesforSQLServerOperatingSystemForthispost, ourserversrunWindows2019withlatestsecuritypatchesMakesurethatyourOSissupported,seetheSCCMCurrentBranchTechnetDocumentationDisksDisksIOsarethemostimportantaspectofSCCMperformance.WerecommendconfiguringthedisksfollowingSQLBestpractice.Splittheloadonadifferentdrives.WhenformattingSQLdrives,theclustersize(blocksize)inNTFSmustbe64KBinsteadofthedefault4K.Seethepreviously recommendedreadingtoachievethis.LetterContentSize  C:\Windows100GBD:\SCCM200GBE:\SQLDatabase(64K)40GBF:\SQLTempDB(64K)40GBG:\SQLTransactionLogs(64K) SQLTempDBLogs40GBPrimarySiteserverprerequisitesOnceyourhardwareiscarefullyplanned,wecannowprepareourenvironmentandserverbeforeSCCMInstallation.ActiveDirectoryschemaextensionYouneedtoextendtheActiveDirectorySchemaonlyifyoudidn’thaveapreviousinstallationofSCCMinyourdomain.IfyouhaveSCCM2007already installedandplaningamigration,skipthisstep.LogontoaserverwithanaccountthatisamemberofSchemaAdminssecuritygroupFromSCCMISOrun.\SMSSETUP\BIN\X64\extadsch.exeCheckschemaextensionresult,openExtadsch.loglocatedintherootofthesystemdriveCreatetheSystemManagementContainerConfigurationManagerdoesnotautomaticallycreatetheSystemManagementcontainerinActiveDirectoryDomainServiceswhentheschemaisextended.ThecontainermustbecreatedonetimeforeachdomainthatincludesaConfigurationManagerprimarysiteserverorsecondarysiteserverthatpublishessiteinformationtoActiveDirectoryDomainServicesStartADSIEdit,gototheSystemcontainerandcreateanewObjectSelectContainerEnterSystemManagementSetsecuritypermissionOpenpropertiesofthecontainerSystemManagementcreatedpreviouslyIntheSecuritytab,addthesiteservercomputeraccountandGranttheFullControlpermissionsClickAdvanced,selectthesiteserver’scomputeraccount,andthenclickEditIntheAppliestolist,selectThisobjectandalldescendantobjectsClickOKandclosetheADSIEditconsoleSCCMAccountsCreatethenecessaryaccountsandgroupscreatedbeforeinstallation.YoucanuseadifferentnamebutI’llrefertothesenamesthroughouttheguide.SQLserverservicesaccount– SCCM-SQLServiceSCCMNetworkAccessAccount–SCCM-NAADomainuseraccountforuseSCCMclientpushinstall –SCCM-ClientPushDomainuseraccountforusewithreportingservicesUser– SCCM-SQLReportingDomainaccountusedtojoinmachinetothedomainduringOSD– SCCM-DomainJoinDomaingroupcontainingallSCCMAdminsGroup–SCCM-AdminsDomaingroupcontainingallSCCMserversinthehierarchyGroup–SCCM-SiteServersNetwork ConfigurationMakesurethattheserverhasafixedIPandthatinternetconnectionisupFirewallConfigurationMakesurethefirewallserviceisONRunthisscriptinanelevatedcommandpromptordertoopenthenecessaryportsneededforSCCM.**Ifyouareusingcustomports,changethevaluesbeforerunningthescript.**@echo=========SQLServerPorts=================== @echoEnablingSQLServerdefaultinstanceport1433 netshadvfirewallfirewalladdrulename="SQLServer"dir=inaction=allowprotocol=TCPlocalport=1433 @echoEnablingDedicatedAdminConnectionport1434 netshadvfirewallfirewalladdrulename="SQLAdminConnection"dir=inaction=allowprotocol=TCPlocalport=1434 @echoEnablingconventionalSQLServerServiceBrokerport4022 netshadvfirewallfirewalladdrulename="SQLServiceBroker"dir=inaction=allowprotocol=TCPlocalport=4022 @echoEnablingTransact-SQLDebugger/RPCport135 netshadvfirewallfirewalladdrulename="SQLDebugger/RPC"dir=inaction=allowprotocol=TCPlocalport=135 @echo=========AnalysisServicesPorts============== @echoEnablingSSASDefaultInstanceport2383 netshadvfirewallfirewalladdrulename="AnalysisServices"dir=inaction=allowprotocol=TCPlocalport=2383 @echoEnablingSQLServerBrowserServiceport2382 netshadvfirewallfirewalladdrulename="SQLBrowser"dir=inaction=allowprotocol=TCPlocalport=2382 @echo=========MiscApplications============== @echoEnablingHTTPport80 netshadvfirewallfirewalladdrulename="HTTP"dir=inaction=allowprotocol=TCPlocalport=80 @echoEnablingSSLport443 netshadvfirewallfirewalladdrulename="SSL"dir=inaction=allowprotocol=TCPlocalport=443 @echoEnablingportforSQLServerBrowserService's'Browse'Button netshadvfirewallfirewalladdrulename="SQLBrowser"dir=inaction=allowprotocol=TCPlocalport=1434 @echoAllowingPingcommand netshadvfirewallfirewalladdrulename="ICMPAllowincomingV4echorequest"protocol=icmpv4:8,anydir=inaction=allowNo_sms_on_drive.smsPlaceafilenameno_sms_on_drive.sms ontherootdriveofeachdriveyoudon’twantSCCMtoputcontenton.WindowsServerFeaturesOnthePrimarysiteserver,thefollowingcomponentsmustbeinstalledbeforeSCCMinstallation.We’llinstallallthesecomponentsusingaPowerShell script..NetFramework3.51SP1.NetFramework4IISRemoteDifferentialCompressionBITSServerExtensionWSUS3.0SP2ReportViewerADKforWindows8.1RolesandfeaturesOntheSiteSevercomputer,openaPowerShellcommandpromptasanadministratorandtypethefollowingcommands.Thiswillinstalltherequired featureswithouthavingtousetheWindows2012GUI.Get-Moduleservermanager Install-WindowsFeatureWeb-Windows-Auth Install-WindowsFeatureWeb-ISAPI-Ext Install-WindowsFeatureWeb-Metabase Install-WindowsFeatureWeb-WMI Install-WindowsFeatureBITS Install-WindowsFeatureRDC Install-WindowsFeatureNET-Framework-Features-source\\yournetwork\yourshare\sxs Install-WindowsFeatureWeb-Asp-Net Install-WindowsFeatureWeb-Asp-Net45 Install-WindowsFeatureNET-HTTP-Activation Install-WindowsFeatureNET-Non-HTTP-ActivEnsurethatallcomponentsareshowingasSUCCESSasanEXITCode.It’snormaltohaveWindowsUpdatewarningsatthispoint.ReportViewerDownloadandinstall–hereADKforWindows10Downloadandinstall–hereSelectthedefaultpathDonotjoinCEIPAccepttheLicenseAgreementInstallthefollowingcomponentsDeploymentToolsWindowsPre-installationEnvironmentUserstateMigrationtool ActiveDirectoryAddthecomputeraccountofall yoursiteserversintheSCCM-SiteServers ADgroupEnsurethatthegrouphasFullControlontheSYSTEMContainerinActiveDirectoryLocalAdminaccountsAddbothSCCMcomputeraccountandtheSCCMAdminaccounttothelocaladministratorgrouponthesiteserver.SCCM-AdminsSCCM-SiteServersSCCMClientIfapplicable,uninstallSCCM2007clientandFEPifpresentontheserverbeforetheinstallation.Iftheclientispresent,the2012SCCMManagementPoint installationwillfail.WindowsUpdatesRunwindowsupdateandpatchyourservertothehighestlevelYourserverisnowreadyfortheSQLinstallation.Part2–SCCMSQL2017InstallationWewillgothroughthecompleteSCCMSQL2017InstallGuidetoinstallandconfigureSQLbeforeinstallingSCCMCurrentBranch1806orhigher.ImportantInfoThispostisourupdatedversionofourSQLinstallguideforversion2017andhigher.IfyouareplanningoninstallinganolderversionofSQL,pleasefollowourpreviousposthereClickthefollowinglinktoseeallsupportedSQLversions.Forourpost,wewillinstallSQL2017locallyonthesameserverwherethePrimarySite willbeinstalled.ExecuteSetup.exefromtheSQLinstallationmedia,selectNewSQLserverstand-aloneinstallationProvidetheproductkeyandclickNextReviewandClickNextCheckUseMicrosoftUpdatetocheckforupdatesandclickNextSelectSQLServerFeatureInstallationImportantInfoNotethatsomestepsinthewizardareautomaticallyskippedwhennoactionisrequired.Forexample,ProductsUpdates,InstallsetupFilesandInstallRulesmightbeskipped.SelecttheDatabaseEnginefeatureandspecifytheSQLinstallationdirectory.Thisisthedirectory fortheprogramfilesandsharedfeaturesSelectDefaultinstanceandensurethatyourinstanceiscreatedontheSQLVolumeSetallservicestorunastheSQLdomainaccountthatyoucreatedpreviouslyandsettheservicesstartuptypetoAutomaticOntheCollation tab,settheDatabaseEnginetouseSQL_Latin1_General_CP1_CI_ASIntheServerConfigurationtab,settheauthenticationmodetoWindowsAuthenticationandintheSQLServerAdministratorsaddyourSCCMAdminsgroupIntheDataDirectoriestabsetyourdriveletterscorrectlyforyourSQLdatabases,Logs,TempDB,andbackupOntheTempDB,completethevariousinformationbasedontheDatabasesizingsectionbelow.ClickInstallCompletetheinstallationbyclickingCloseInstallSQLServerManagementStudio(SSMS)BackintheSQLServerInstallationCenter,clickonInstallSQLServerManagementtools.ThiswillredirectyoutotheDownloadpageofSQLServerManagementStudio.SSMSisnolongertiedtotheSQLserverinstallationintermsofversion.Adjusttheinstallationpathifneed,thenclickInstallInstallSQLReportingServicesBackintheSQLServerInstallationCenter,clickonInstallSQLReportingServices.TheSQLreportingservicesisjustliketheManagementconsole,itrequiresaseparatedownloadClickonInstallReportingServicesProvidetheProductkeyAcceptLicensetermsClickNextSelecttheinstallationpath,clickInstallArebootisrequiredaftertheinstallationApplySQL2017CU2orhigherAtthetimeofthiswriting,thelatestSQLCumulativeUpdateisCU17.WewillinstallitinordertohaveanupdatedSQLInstallation.NotethatCU2istheminimumrequirementDownloadandexecuteSQL2017CU17AcceptthelicensetermsandclickNextLeavedefaultvalues,clickNextWaitforCheckFileinUseandclickNextClickUpdateUpdatecompleted,mightrequirearebootSPNCreationWhenyouconfigureSQLServertousethelocalsystemaccount,aServicePrincipalName(SPN)fortheaccountisautomaticallycreatedinActiveDirectoryDomainServices.Whenthelocalsystemaccountisnotinuse,youmustmanuallyregistertheSPNfortheSQLServerserviceaccount.Sinceweareusingadomainaccount,wemustruntheSetspntoolonacomputerthatresidesinthedomainoftheSQLServer.ItmustuseDomainAdministratorcredentialstorun.RunbothcommandstocreatetheSPN,Change theservernameandaccountnameineachcommands.setspn-AMSSQLSvc/yourservername:1433yourdomain\SQLSAsetspn-AMSSQLSvc/yourserver.fullfqdn.com:1433yourdomain\SQLSAToverifythedomainuserSPNiscorrectlyregistered,usetheSetspn-Lcommandsetspn–Lyourdomain\SQLSASQLConfigurationSCCMsetup verifiesthatSQL Serverreservesaminimumof8 GBofmemoryfortheprimarysite.Toavoid,thewarning,we’llsetthe SQLServermemorylimitsto8GB-12GB(80%ofavailableRAM).OpenSQLServerManagementStudioRightclick thetopSQLServerinstancenodeSelect PropertiesIntheMemory tabdefinealimitfortheminimumandmaximumservermemory. Configureandlimitthememoryto80%of yourserveravailableRAM.InmycaseIhave16GBavailable. Minimum8192 Maximum12288 DatabaseSizingWe alwaysrecommendcreatingtheSCCMdatabasebeforethesetup.Thisisnotmandatory,SCCMwillcreatethedatabaseforyouduringsetupbutwillnotcreateittheoptimalway.Westronglyrecommendtowatch TheTopTenLessonsLearnedinManagingSQL sessionfromMMS2013whichcoveritall.We followtheguidemadebyMVP,KentAgerlund toestimatemyDBsizingneed.Visithisblog postanddownloadtheprovidedExcelfile.Inputyourvaluesinthebluecellsandkeepitforthenextpart. We’llcreatetheDBusingthose valuesusingascriptinthenextsection.Forthisblogpost,We’vecreatedaDatabasefor2000clients,2processors,2coresand16GBRAM.CreateDatabaseTocreatethedatabase,youcanuseKent’sscriptandinputyourvalues(asreturnedpreviouslyintheExcelfile)OR  usethefollowingonewhichisreallysimple:TheName valuewillbecomeyourSiteCodeduringtheSCCMinstallation.BesuretoselectauniqueSiteCode.**ReplaceallXXXvaluewithyour3characterSiteCode****Changethevaluesof theFilename,Size,MaxSizeandFileGrowth.ChangethelocationofthefiletoyourSQLandLogsdrives**USEmaster CREATEDATABASECM_XXX ON (NAME=CM_XXX_1,FILENAME='E:\SCCMDB\CM_XXX_1.mdf',SIZE=7560,MAXSIZE=Unlimited,FILEGROWTH=2495) LOGON (NAME=XXX_log,FILENAME='G:\SCCMLogs\CM_XXX.ldf',SIZE=4990,MAXSIZE=4990,FILEGROWTH=512) ALTERDATABASECM_XXX ADDFILE(NAME=CM_XXX_2,FILENAME='E:\SCCMDB\CM_XXX_2.mdf',SIZE=7560,MAXSIZE=Unlimited,FILEGROWTH=2495)ReviewtheSiteDatabase propertiesOpen SQL ManagementStudioRight-clickyourDB,SelectPropertiesIntheGeneraltab,verifythattheSQLcollationnameisSQL_Latin1_General_CP1_CI_ASIntheFiletab,verifythatyourdatabasefileshasbeencreatedwiththescriptvalueVerifythatthefileislocated onyourSQLVolumeChangethedatabaseownertoSA. Bydefaulttheownerwillbetheaccountthatcreatedthedatabase.Ifyoufindoutthatyoumadeanerror,youcansafelydeletetheDatabaseusingSQLManagementStudioandrerunthescript.Open SQL ManagementStudioRight-clickyourDB,Select DeleteTempDBsizingImportantInfoThissectionislefthereforreferencetohelpconfiguretheTempDBintheinstallationwizard.RunthefollowingscriptstosizetheTempDB. (usingthevaluereturnedbytheExcelfile)**ChangethevaluesofFilename,Size,MaxSizeandFileGrowth.ChangethelocationofthefiletoyourTempDBdrives**usemaster go alterdatabasetempdbmodifyfile(name='tempdev',filename='F:\SCCMTempDB\tempDB.MDF',SIZE=4536,MAXSIZE=Unlimited,FILEGROWTH=512) go alterdatabasetempdbmodifyfile(name='templog',filename='G:\SCCMLogs\templog.LDF',SIZE=2268,MAXSIZE=Unlimited,FILEGROWTH=512) goReviewtheTempDB propertiesOpen SQL ManagementStudioIn SystemDatabase, RightclicktheTempDB,selectPropertiesIntheFileTab, verifythatyourdatabasefileshasbeencreatedwiththescriptvalueEnsurethattheTempDBandlogareonthe TempDB volumeSQLCommunicationsToensureproperSQLcommunication,verify thatsettingsaresetaccordinglyinSQLNetworkconfigurationOpenSQLServerConfigurationManagerGotoSQLServerNetworkConfiguration/ Protocolsfor MSSQLServerOntheRightPane,right-click TCP/IPandselectPropertiesIntheProtocol tab Enable:YES ListenAll:NO IntheIPAddressestabIP1(whichshouldhaveyourServerIP) Active:YES Enabled:YES AllotherIPandIPALL Active:YES Enabled:NO TCPDynamicPorts:Blankvalue TCPPort:1433 Oncethemodificationhasbeenmade,restarttheSQLServerService.TheserverisnowreadyfortheSCCMinstallation.WewillnowruntheprerequisitecheckerandproceedtothecompleteSCCMInstallation.Wewillinstall astand-alonePrimarysite.Part3–SCCMCurrentBranchInstallationPrerequisiteCheckBeforelaunchingtheSCCMinstallation,we recommendlaunchingthePrereqchktoolinordertoverifyifallcomponentsareconfiguredcorrectly.TheSCCM installationwizardwillalsorunthis checkbutifyou’remissingarequirement,you’llhavetogothroughthewholeinstallationwizardagainafterfixingit. We prefertousethestandalonetoolbeforerunningthesetup.Tostarttheprerequisitechecktool:OpenanAdministratorcommandpromptBrowseto.\SMSSETUP\BIN\X64Runthefollowingcommand:Prereqchk.exe/AdminUIIfyoufollowtheprerequisiteguidecorrectlyyou’llhavethisresult:Referto thisTechnetarticletoseethelistof allchecksdonebythetool.Ifyouhaveanywarningorerrorrefertothis Technetarticle inorderto resolveit,orgothoughtpart1andpart2 ofthisguide.NewSCCMInstallationWe arefinallyreadytolaunchthesetup.First,reboottheserver.ThiswillmakesurethatthemachineisnotinaRebootpendingstate.MountandopentheSCCMISOthatwaspreviouslydownloadedfromthe MicrosoftVolumeLicensingSiteRunSplash.htaSelectInstallOnthefirstscreen,ClickNextOntheGettingStartedscreen,SelectInstallaConfigurationManagerPrimarySiteandclickNextOntheProductKey screen,enterit andclickNextOntheMicrosoftSoftwareLicenseTerms screen,acceptthetermsandclickNextOntheProductLicenseTermsscreen,accepttheLicenseTermsandclickNextOnthePrerequisiteDownloads screen,specifyalocationtodownloadtheprerequisitefile.ThisfoldercanbedeletedaftersetupOntheServerLanguageSelection screen,selectthelanguageyouwanttodisplayintheSCCMConsoleandReports. Youcanmodify languagelaterbyrunningsetupagainandselecttheSiteMaintenanceoptionOnthe Client LanguageSelection screen,selecttheClientlanguagetosupport. Youcanmodify languageslaterbyrunningsetupagainandselecttheSiteMaintenanceoptionOntheSiteandInstallationSettings screen,enteryourSiteCode.UsethesameSiteCodeasyouspecifiedwhencreatingyourDatabaseNote:SitecodescannotbeusedmorethanonetimeinaConfigurationManagerhierarchyforacentraladministrationsiteorprimarysites.Ifyoureuseasitecode,youruntheriskofhavingobjectIDconflictsinyourConfigurationManagerhierarchy.Thisappliesalsoifyou’redoingamigrationfromanearlierversion. EnteryourSiteName. ThisnamewillappearintheconsolesochooseaccordinglyOnthePrimarySiteInstallation screen,select Installtheprimarysiteasastand-alonesite. Ifyouhave aCentralAdministrationsite,thisiswhereyouwouldjointhePrimarySite totheexistinghierarchyOnthewarning,clickYesOntheDatabaseInformationscreenEnteryourSQLServerName.InourcasetheSQLserveristhesameboxasSCCMLeavetheInstanceBlankEnteryourDatabasename.Onceagain,thismustmatchthepreviouslycreatedDatabase inpart2LeavetheServiceBrokerPortto4022OntheDatabaseInformationscreen:EnterthepathtotheSQLServerdatafile.Locate thisontheSQLVolume EnterthepathtotheSQLServerlog file.Locate thisontheSQLLogsVolume.IliketousethesamedirectorywhereIcreatedmydatabaseandlogs(E:\SCCMDB,G:\SCCMLogs) OntheSMSProviderSettingsscreen,leavetheSMSProvidertothedefaultvaluewhichisthelocal server.RefertothefollowingTechnetarticletoreadabouttheSMSProvider.Onthe ClientComputerCommunicationSettingsscreen,selectConfigurethecommunicationmethodoneachsitesystemrole. ThisiswhereyouselecttohaveHTTPSornotonyourinitialManagementPointandDistributionPoint.ThissettingcanbechangedlaterOntheSiteSystemRoles screen:CheckInstallaManagementPointCheckInstallaDistributionPointWewillinstallbothMPandDPonthesameboxsoleavetheFQDNasisTheClientconnectiondrop-downisunavailableduetoourpreviousselection OntheUsageDatascreen,clickNext. ThisnewscreenbasicallytellsthatyouacceptthatyouwillsendsometelemetrydatatoMicrosoftOntheServiceConnectionPointscreen,clickNext. Thisnewrole enablesyourdeploymenttodownloadupdatesandnewfeaturesOntheSettingsSummaryScreen,reviewyouroptionsandclickNextOnthe PrerequisiteCheckscreen,youshouldhavenoerrorsinceyou’verunitbeforesetup,clickNextTheinstallationisinprogress.Youcancountbetween15and30minutesdependingofyourserverspecificationsYoucanfollowtheprogressbyclickingtheViewLogbuttonoropenthe ConfigMgrSetup.logfileontheC:driveWaitforCoresetuphascompletedandclosethewizardWe’restillnotdoneyet!BeforeopeningtheSCCMconsole,we suggesttoinstallthefollowingtools:CMTraceCMTracewillbecomeyourbestfriendwhenreadinglogfiles.OpentheSCCMISOBrowseto.SMSSETUPTOOLSClickonCMTrace.exeClickonYEStosetisasyourdefaultlogviewerAdditionally,youcanread ourblogpost :HowtouseCMTracelikeaProPart1HowtouseCMTracelikeaProPart2SystemCenter2012R2ConfigurationManagerToolkitTheSCCM2012R2toolkitiscompatiblewithSCCMCurrentBranchandcontainsfifteendownloadabletoolstohelpyoumanageandtroubleshootSCCM.DownloadandinstallithereSCCMCurrentBranchInstallationExtraInformationYoucanalsorefertoourblogpost aboutUsefulResources tohelpyoubeginwithSCCM.IfyouneedfurtherhelptounderstandandconfigurevariousSCCMsitecomponents,consultour Step-by-StepSCCM1511InstallationGuide blogseries.Itcoversallyouneedtoknow.SCCMCurrentBranchUpgradeThefirsttaskweliketodoafteranewSCCMinstallationistoupgradeittothelatestversion.Ifyou’renotfamiliarwiththis,MicrosoftreleasesaBaselineversionthatyoucaninstallfromscratchandthen,youmustupgradetothelatestversion.Wehaveabunchofguidesforeachversion.Forreference,atthetimeofthisblogpost,thebaselineis1902andthelatestversionisSCCM1910.Justfollowourlatestupgradeguideandyou’llbeatthelatestavailableversion.SCCMCurrentBranchConfigurationThenextsectionswillbeforconfiguringthevarioussiteserverrolesinyournewlyinstalledSCCMserver.Roleinstallationorderisnotimportant,youcaninstallrolesindependentlyofothers.Part4–ApplicationCatalogwebservicepointThispartwilldescribehowtoinstalltheSCCMApplicationCatalogwebservicepointandthe ApplicationCatalogwebsitepoint.Bothoftheserolesarenowunsupported.Wedonotrecommendaddingthisroletoyourhierarchy.Theapplicationcatalogue’sSilverlightuserexperienceisn’tsupportedasofcurrentbranchversion1806.Startinginversion1906,updatedclientsautomaticallyusethemanagementpointforuser-availableapplicationdeployments.Youalsocan’tinstallnewapplicationcatalogueroles.Supportendsfortheapplicationcatalogueroleswithversion1910.RoleDescriptionThe ApplicationCatalogwebservicepointprovidessoftwareinformationtotheApplicationCatalogwebsitefromtheSoftwareLibrary.The ApplicationCatalogwebsitepointprovidesuserswithalistofavailablesoftware.Thisisnotamandatorysitesystem butyouneedboththeApplicationCatalogwebsitepointandtheApplicationCatalogwebservicepointifyou wanttoprovideyouruserwitha Self-Serviceapplication catalog(webportal).SiteSystemRolePlacementinHierarchyTheApplicationCatalogwebservicepointandthe ApplicationCatalogwebsitepoint arehierarchy-wideoptions.It’ssupportedtoinstallthose rolesonastand-alonePrimarysite or childPrimarysite.It’snotsupportedtoinstallitonaCentralAdministrationsiteorSecondaysite.  TheApplicationCatalogwebservicepointmustresideinthesameforestasthesitedatabase.Ifyou’rehaving lessthan10,000usersinyourcompany,co-locatingtheApplicationCatalogwebserviceandApplicationCatalogwebsiterolesonthesameservershould beok.ThewebserviceroleconnectsdirectlytotheSCCMSQL databasesoensurethatthenetworkconnectivitybetweentheSQLserverandtheApplicationCatalogwebserviceserversisrobust.Ifyouhavemoregeographicallydistributedusers,considerdeployingadditionalapplicationcatalogstokeepresponsivenesshighandusersatisfactionup.UseclientsettingstoconfigurecollectionsofcomputerstousedifferentApplicationCatalogservers.Readmoreonhowtoprovidea greatapplicationcatalogexperiencetoyouruserinthisTechnetblogarticle.Ifyourclientneeds HTTPSconnections,youmustfirstdeployawebservercertificatetothesitesystem.IfyouneedtoallowInternetclientstoaccesstheapplicationcatalog,youalsoneedtodeployawebservercertificatetotheManagementPointconfiguredtosupportInternetclients.WhensupportingInternetclients,MicrosoftrecommendsthatyouinstalltheApplicationCatalogwebsitepointinaperimeternetwork,andtheApplicationCatalogwebservicepointontheintranet. FormoreinformationaboutcertificatesseethefollowingTechnetarticle.PrerequisitesUsing WindowsServer2012,thefollowingfeaturesmustbeinstalledbeforetheroleinstallation:ApplicationCatalogwebservicepointFeatures:.NETFramework3.5SP1and4.0WCFactivation:HTTPActivationNon-HTTPActivationIISConfiguration:ASP.NET(andautomaticallyselectedoptions)IIS6ManagementCompatibilityIIS6MetabaseCompatibility ApplicationCatalogwebsitepointFeatures:.NETFramework4.0IISConfiguration:CommonHTTPFeaturesStaticContentDefaultDocument ApplicationDevelopmentASP.NET(andautomaticallyselectedoptions) SecurityWindowsAuthentication IIS6ManagementCompatibilityIIS6MetabaseCompatibility SCCM ApplicationCatalogInstallationFor thispost,wewillbeinstallingbothrolesonourstand-alonePrimarysiteusingHTTPconnections.Ifyousplittherolesbetweendifferentmachines,dotheinstallation section twice,onceforthefirstsitesystem(selecting ApplicationCatalogwebservicepointduringroleselection)andasecondtimeontheothersitesystem(selecting ApplicationCatalogwebsitepointduringroleselection).OpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRight-clickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectApplicationCatalogwebservicepointand ApplicationCatalogwebsitepoint, clickNextOntheApplicationCatalogWebServicePointIn theIISWebsiteandWebapplicationname fields,leavebothtothedefaultvaluesThisisjustthenamethatyou’llseeinIISaftertheinstallation(seenextscreenshot).Ithasnothingtodowith youruserfacingportalEnterthe portandprotocolthatyouwanttouse OntheApplicationCatalogWebSite PointIn theIISWebsite keepthedefaultvalueInWebapplicationname, enterthenamethatyouwantforyourApplicationCatalog.ThisistheURLthatwillbepublishedtoyourusersEnterthe portandprotocolthatyouwanttouse OntheApplicationCatalogCustomizations tab,enteryourorganizationnameandthedesiredcolourforyourwebsiteOntheSummarytab,reviewyoursettings,clickNextandcompletethewizardVerificationandLogsfilesYoucanverifytheroleinstallationinthefollowinglogs:ConfigMgrInstallationPath\Logs\SMSAWEBSVCSetup.logand awebsvcMSI.log–RecordsdetailsofabouttheApplicationCatalogWebService PointinstallationConfigMgrInstallationPath\Logs\SMSPORTALWEBSetup.logandportlwebMSI.log – Recordsdetailsofabout theApplicationCatalogWebsitePointinstallationIntheconsole:OpentheSCCMConsoleGoto Monitoring/SystemStatus/ComponentStatusSeestatusof thecomponentsSMS_PORTALWEB_CONTROL_MANAGERandSMS_AWEBSVC_CONTROL_MANAGERWebbrowserVerifythattheApplicationCatalogisaccessible:OpenawebbrowserBrowseto http://YourServerName/CMApplicationCatalogReplaceYourServerNamewiththeservernameonwhichyouinstalledtheApplicationCatalogWebsitePointReplaceCMApplicationCatalogwiththenamethatyougiveyourApplicationCatalog.(DefaultisCMApplicationCatalog)Ifeverythingissetupcorrectly,you’llseeawebpagelikethis:URLRedirectionThedefaultURLtoaccesstheApplicationCatalogisnotreallyintuitiveforyourusers.It’spossibletocreateaDNSentrytoredirectittosomethingeasier(ex:http://ApplicationCatalog) ThefollowingCoretecharticledescribehowtoachievethat.ClientSettingsEnsurethattheclientsettingsforyourclientsaresetcorrectlytoaccesstheApplicationCatalogOpentheSCCMConsoleGoto Administration/ClientSettingsRight-click yourclientsettingsandselectPropertiesOntheleftpane,selectComputerAgentClicktheSetWebsitebuttonandselectyourApplicationCatalog(thenamewillbeautomaticallypopulatedifyourApplicationCatalogisinstalled)SelectYesonbothAddDefaultApplicationCatalogwebsitetoInternetExplorertrustedsitezoneandAllowSilverlightapplicationtoruninelevatedtrustmodeEnteryourorganisationnameinOrganisationnamedisplayedinSoftwareCenterThat’sit,you’veinstalledyourSCCMApplicationCatalog,publishthelinktoyouruserandstartpublishingyourapplications.Part6–AssetIntelligenceSynchronizationPointThispartwilldescribethe AssetIntelligenceSynchronizationPoint (AISP).RoledescriptionTheAISP isusedtoconnectstoMicrosoftinorderto downloadAssetIntelligencecataloginformationanduploaduncategorizedtitles.FormoreinformationaboutplanningforAssetIntelligence,seePrerequisitesforAssetIntelligenceinConfigurationManager.ThisisnotamandatorySiteSystembutwerecommendtoinstalltheAISPifyouareplanningtouseAssetIntelligence.Readourblogposton WhyshouldyouuseAssetIntelligenceinSCCM.SiteSystemRolePlacementinHierarchyThe AISPisahierarchy-wideoption.SCCM supportsasingleinstanceofthissitesystemroleinahierarchyandonlyatthetop-levelsite.Installitonyour CentralAdministrationSiteorstand-alone PrimarySitedependingofyourdesign.AISPInstallationOpentheSCCMconsoleNavigatetoAdministration/SiteConfiguration/ServersandsiteSystemRolesRight-clickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,enteryourProxyserverinformationifneededand clickNextOntheSiteSystemRoleSelectiontab,selectAssetIntelligenceSynchronizationPoint,clickNextOntheCertificatepage,clickNextBydefault,theUsethisAssetIntelligenceSynchronizationPointsettingisselectedandcannotbeconfiguredonthispage.SystemCenterOnlineacceptsnetworktrafficonlyoverTCPport443,thereforetheSSLportnumbersettingcannotbeconfiguredonthispageofthewizardYou canspecifyapathtotheSystemCenterOnlineauthenticationcertificate(.pfx)file.Typically,youdonotspecifyapathforthecertificatebecausetheconnectioncertificateisautomaticallyprovisionedduringsiteroleinstallation Specifythedesiredcatalog SynchronizationSchedule,clickNextOntheSummarytab,reviewyoursettingandclickNextWaitforthesetuptocompleteandclosethewizardAISPLogsAIUSSetup.log–InformationabouttheinstallationoftheAssetIntelligencecatalogsynchronizationpointsitesystemroleAIUpdateSvc.log–InformationabouttheAssetIntelligencecatalogsynchronizationserviceAikbmgr.log–InformationabouttheAssetIntelligencecatalogmanagerserviceVerificationVerifythattheroleinstallationiscompletedinAIUSSetup.logOpentheSCCMconsoleNavigateto AssetsandCompliance/Overview/AssetIntelligenceVerifythattheSyncisEnabledand SuccessfulEnableInventoryReportingClassesInordertohaveinventorydata,firstensurethatHardwareInventoryisenabledinyourClientSettings.NavigatetoAdministration/ClientSettingsRight-clickyourClientSettingsandchoosePropertiesOntheHardwareInventoryTabEnsurethatyourhardwareinventoryisEnabledOnceconfirmed,enableinventoryreportingclasses:OpentheSCCMconsoleNavigateto AssetsandCompliance/AssetIntelligenceRight-clickAssetIntelligenceandselectEditInventoryClassesSelectEnableonlytheselectedAssetIntelligencereportingclassesSelectSMS_InstalledSoftware,SMS_ConsoleUsageandSMS_SystemConsoleUserSeethefollowingTechnetarticletoseedependenciesbetweenhardwareand reportingclass Onthewarning,clickYesMaintenanceTasks2maintenancetasksareavailableforAssetIntelligence:CheckApplicationTitlewithInventoryInformationThismaintenancetaskchecksthatthesoftwaretitlethatisreportedinsoftwareinventoryisreconciledwiththesoftwaretitleintheAssetIntelligencecatalog. SummarizeInstalledSoftwareDataThismaintenancetaskprovidestheinformationthatisdisplayedintheAssetsandComplianceworkspace. Whenthetaskruns,ConfigurationManagergathersacountforallinventoriedsoftwaretitlesattheprimarysite. Tosetthemaintenancetasks:Navigateto Administration/SiteConfiguration/SitesSelectSiteMaintenanceonthetopribbonSelectthedesiredscheduleforbothtasksYou’renowdoneinstallingtheAISP.Part7–CertificateRegistrationPointWewilldescribehowtoinstallSCCMCertificateRegistrationPoint (CRP).RoleDescriptionUsingSCCMandIntune,theCRP communicateswithaserverthatrunstheNetworkDeviceEnrollmentService(NDES)toprovision devicecertificaterequests.ThisisnotamandatorySiteSystembutwerecommendtoinstallaCRPifyouneedtoprovisionclientcertificatestoyourdevices(likeVPNorWIFI).PrerequisitesBeforetheCRPcanbeinstalled,dependenciesoutsideSCCMisrequired.Iwon’tcovertheprerequisiteconfigurationindetailsastheyarewelldocumentedonthisTechnetarticleanditgoesbeyondSCCM.Here’sanoverviewofwhatneedstobedone:InstalltheNDESroleonaWindows2012R2ServerModifythesecuritypermissionsforthecertificatetemplatesthattheNDES isusingDeployaPKIcertificatethatsupportsclientauthenticationLocateandexporttheRootCAcertificatethattheclientauthenticationcertificatechainstoIncreasetheIISdefaultURLsizelimitModifytherequest-filteringsettingsinIISOnthemachinethatwillreceivetheCRProle,installthefollowingusingWindowsserverroleandfeatures:IISASP.NET3.5ASP.NET4.5WCFHTTPActivationIfyouareinstallingCRPon aremotemachinefromthesiteserver,youwillneedtoaddthemachineaccountofthesiteservertothelocaladministrator’sgroupontheCRPmachine.SiteSystemRolePlacementinHierarchyTheCertificateRegistrationPointmustnotbeinstalledonthesameserverthatrunstheNetworkDeviceEnrollmentService.It’ssupportedtoinstallthisrole onaCentralAdministrationSite,childPrimarySiteorstand-alonePrimarySitebutit’snotsupportedonaSecondarySite.CRP InstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRightclickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectCertificateRegistrationPoint,clickNextOntheCertificateRegistrationPointProperties,leavethedefaultwebsitenameandvirtualapplicationname.TakenoteofyourVirtualApplicationName,youwillneeditlater.ClickonAddEntertheURLofyourNDESserverThisURLwillbepartoftheprofilesendtothedevices.Thedevicewill needstoaccessthisURLfromtheinternetExemple:https://ndes.systemcenterdudes.com/certsrv/mscep/mscep.dll EnterthepathtoyourexportedRootCACertificate(.cerfile)Oncecompleted,clickonNext,reviewtheSummaryandclosethewizardVerificationandLogsfilesConfigMgrInstallationPath\Logs\crpmsi.log –Detailed CRP InstallationstatusUsingabrowser,verifythatyoucanconnecttotheURLofthecertificateregistrationpoint—forexample,https://crp.systemcenterdudes.com/CMCertificateRegistrationHTTPError403isok.Ifyouhavea404erroror500error,lookatthelogsfilebeforecontinuing AftertheCRPisinstalled,thesystemwillexportthecertificatethatwillbeusedforNDESplugintothecertmgr.boxfolder.Itmaytakeupto1hourtoappear.Savethis.cerfileontheNDESserveraswewillneeditinthenextsection.ConfigurationManagerPolicyModuleNowthattheCertificateRegistrationPointhasbeeninstalled,wemustinstallaplug-inontheNDESservertoestablishtheconnectionwithSCCM.OntheserverthatrunstheNetworkDeviceEnrollmentService:Copythe\SMSSETUP\POLICYMODULE\X64folderfromthetheConfigurationManagerinstallationmediatoatemporaryfolderFromthetemporaryfolder,runPolicyModuleSetup.exeClickNext,acceptthelicensetermsandclickNextOntheInstallationFolderpage,acceptthedefaultinstallationfolderclickNextOntheCertificateRegistrationPointpage,specifytheURLoftheCertificateRegistrationPoint.ThisistheVirtualApplicationNamecreatedduringtheSCCMroleinstallation(Example: https://crp.systemcenterdudes.com/CMCertificateRegistration)Acceptthedefaultportof443,clickNextOntheClientCertificateforthePolicyModulepage,browsetoandspecifytheclientauthenticationcertificate.ThisisthesamecertificateyouusedintheCRPInstallationwizardinSCCMOntheCertificateRegistrationPointCertificatepage,clickBrowsetoselecttheexportedcertificatefile(theoneexportedfrom \inboxes\certmgr.box)ClickNextandcompletethewizardOpentheregistryeditorandbrowsetoHKLM\SOFTWARE\Microsoft\Cryptography\MSCEPMakesurethatthevaluesofEncryptionTemplate,GeneralPurposeTemplateandSignatureTemplatematchthenamesofthetemplateonyourCAOpenInternetExplorerontheNDESserverandbrowsetohttps://ndes.systemcenterdudes.com/certsrv/mscep/mscep.dll,youwill nolongerseethewebpagebutinsteadyoushouldseeanerror 403,thisisexpectedOncealltheabovehasbeenconfiguredandverified,youarereadytocreateyourcertificateprofileinSCCM.ReferencesHerearemyfavouritesarticlescoveringthesubject:TechnetArticleConfigurationTeamBlogarticlePieterWigleven’sinstallation(TechnicalSolutionProfessionalatMicrosoft)PetervanderWoude’skeyconfigurationstepsPart8–DistributionPointInstallationInthispart,wewilldescribehowtoperform anSCCMdistributionpointinstallation.IsawalotofpostsrecentlyontheTechnetforumwhichleadsmetothinkthatthere’salackofdocumentationexplainingthis.IntroductionSeveraldistributionpointscanprovidebetteraccesstoavailablesoftware,updates,andoperationsystems.AlocalDistributionPointalsopreventstheinstallationthoughttheWAN.Pre-RequisitesFunctionalSCCMhierarchySCCMAdminconsoleaccessRDPaccessontheDistributionPoint serverTherequiredlevelofsecurityintheSCCMconsoleDistributionpointserverconfigurationPreventpackagefromreplicationonthewrongdriveLogonlocallyonthetargetmachinewithremotedesktopCreateanemptyfilecalledNO_SMS_ON_DRIVE.SMSontherootofeachdrivewhereSCCMshouldNOT write.(Ifany)LocalAdministratorgroupOntheDP,addagroupthatcontainsyoursitesystemcomputeraccountintheAdministratorsgroup.IliketocreateaSCCMsystemgroupsthatcontainallmydistributionpoints.OpenServerManagerExpandLocalUsersandGroupsClickonGroupsDouble-clickon“Administrators”AddthesecuritygroupsthatcontaintheSCCMcomputeraccountWindowsServerconfiguration–RolesandFeaturesConfigurationManagerrequiressomerolesandfeaturestobeinstalledontheserverpriortotheDPinstallationRemoteDifferentialCompressionOpenServerManager,onthe Features node,startsthe AddFeaturesWizard.Onthe SelectFeatures page,select RemoteDifferentialCompressionIISIISneedstobeinstalledontheserverbutitwillautomaticallybeinstalledusingthesiteinstallationwizard.Makesurethattheserolesareinstalledonyourserverpriortotheinstallation:IISWMICompatibilitytoolIISScriptingToolWindowsDeploymentServiceForWindows Server2012+,WDSisinstalledandconfiguredautomaticallywhenyouconfigureadistributionpointtosupportPXEorMulticast.ForWindows Server2003,youmustinstallandconfigureWDSmanually.BITSThedistributionpointsitesystemroledoesnotrequireBackgroundIntelligentTransferService(BITS).WhenBITSisconfiguredonthedistributionpointcomputer,BITSonthedistributionpointcomputerisnotusedtofacilitatethedownloadofcontentbyclientsthatuseBITSMicrosoftVisualC++ 2008RedistributableYoucanruntheMicrosoftVisualC++ 2008RedistributableSetupfromtheConfigurationManagerinstallationat:\Client\x64\vcredist_x64.exeForConfigurationManager SP1,vcredist_x64.exeisinstalledautomaticallywhenyouconfigureadistributionpointtosupportPXE.Powershell3.0ForWindows2012only,youneedtoenablePowershell3.0(orfurther)beforeinstallingthedistributionpoint.FirewallEnsurethatyourfirewallissetcorrectly.2portsneedtobeopened.DistributionPointsiteserverinstallationRebootyourservertoavoidthecasewhereyourserverisin“RebootpendingState”whichwillresultinunexpectedrebootduringdistributionpointinstallation.NowthattheDistributionpointserverisreadytoreceiveanewrole,weneedtoaddtheservertothesiteserverlistAddnewdistributionpointservertotheSCCMconsole–SiteSystemIntheConfigurationManagerconsole,clickAdministrationIntheAdministrationworkspace,expandSiteConfiguration,andthenrightclickServersandSiteSystemRoles.SelectCreateSiteSystemServer.TheCreateSiteSystemServerWizardopens.OntheGeneralpage,specifytheName forthesitesystemserverSelecttheSiteCodeandClickNextDonotspecifyaproxyserver,clickNextSelectDistributionpointintheroleselectionscreen,click NextCheckInstallandconfigureIISifrequiredbyCMAddadescriptionifneededSelectHTTPSelectCreateself-signedcertificate,click NextSetdriveconfigurationtoyourneeds.ThisiswheretheSCCMContentLibwillbecreatedsoselectadrivewithenoughstoragespace,click NextDonotconfigureapulldistributionpoint,click NextDonotconfigurePXEfornow,click NextDonotenablemulticastfornow,click NextEnable contentvalidationtooccurwhereitfitsyourenvironment,click NextAddtheboundarygroupthatneedstobeassociatedwiththisDPand UnchecktheAllowfallbacksourcelocationforcontent,click NextReviewthesummarypageandcompletetheinstallation,click NextWARNINGYourremoteservermayrebootifthere’samissingrequirementAtthispoint,themajorpartofinstallationadistributionpointserveriscompleted.VerificationLogsYoucantracktheinstallationprogressin2logs:Distmgr.logonthesiteserverSmsdpprov.logonthedistributionpoint.(InstallationDrive\SMS_DP$\SMS\Logs)WindowsExplorerAtthispoint,youwilltheSCCMfilestructurecreatedonthesiteserver.ConsoleYoucanalsotracktheinstallationprogressintheSCCMconsoleunderMonitoring/DistributionStatus/DistributionPointConfigurationStatusClickonyourDPClickthedetailtabonthebottomCheckforgreencheckmarkonallcomponentsNote:ErrorontheIISVirtualdirectoryisnormalatthestartoftheprocess.SCCMismakingacheckasifIISisinstalledatthestartoftheprocessevenifyoutellSCCMtoenableyouIISforyou.ThatresultsinerrorsbutbepatientandtheinstallationshouldsucceedanywayVerifythestatusofyournewDPinAdministration/SystemStatus/SiteStatusReplicatecontentYoucannowreplicateyourcontenttoyournewlycreatedDP.ReplicatemanuallyallyourcontentoraddyourDPinanexistingDPgroup.ReplicateapackageorApplicationtoyournewlycreatedsitesystemVerifythatthecontentiswellreplicatedintheSCCMConsole.(orcheckdistmgr.log)That’sit!You’redonecreatingyourDP.DistributionPointMonitoringIfyouhavemultipleDistributionPoints,Isuggestyoureadourposton 8waystomonitoryourdistributionpoints. ThispostexplainsindetailthevariousoptionstomakesurethatyourDPishealthy.YoucanalsocheckourcustomreportaboutDistributionPointMonitoring todisplayallyourDPstatususingasingleclick.Part9–EndpointprotectionpointInthispart,wewilldescribehowtoinstallSCCMEndpointProtectionPoint (EPP).RoleDescriptionTheEndpointProtectionPointprovidesthedefaultsettingsforallantimalwarepoliciesandinstallstheEndpointProtectionclientontheSiteSystem servertoprovideadatasourcefromwhichtheSCCM databaseresolvesmalwareIDstonames.WhenyouinstallthisSiteSystemRole,youmustacceptthelicensetermsforSystemCenter2012R2EndpointProtection.ThisisnotamandatorySiteSystembutyouneed toinstallaEPP ifyou’replanningtouseSCCMas youranti-virusmanagementsolution(usingEndpointProtection).SiteSystemRolePlacementinHierarchyThisSiteSystemisahierarchy-wideoption.SCCM supportsasingleinstanceofthissitesystemroleinahierarchyandonlyatthetop-levelsiteinthehierarchy. It’ssupportedtoinstallthisrole onaCentralAdministrationSiteorstand-alonePrimarySite.RequirementsBeforeinstallingthe EP role,youmusthaveaSoftwareUpdatePointinstalledandconfigured.EPP InstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRight-clickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectEndpointProtectionPoint,clickNextAccepttheLicenseTermsandclickNextSelectDonotjoinMAPS,clickNEXT•OntheSummarytab,reviewyoursettingsandclickNextWaitforthesetuptocompleteandclickCloseSUPConfigurationAftertheinstallation,youmustaddEndpointProtectiondefinitionfilesinyour SoftwareUpdatePoint.OpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesClicktheConfigureSiteComponentsbuttonandselectSoftwareUpdatePointOntheProducttabs,checkForefrontEndpointProtection2010andclickOkVerificationConfigMgrInstallationPath\Logs\EPSetup.log–Detailed EP InstallationstatusConfigMgrInstallationPath\Logs\Wsyncmgr.log–SUPSynchronizationstatusYouarenowreadytomanageEndPointProtectionusingSCCM.Wehaveacompleteguidetomanagingendpointprotection.Youcandownloaditfromourproductpage.Part10–EnrollmentPointInstallationWewilldescribehowtoinstallSCCMCurrentBranch EnrollmentPointandEnrollmentProxyPointsitesystemroles.RoleDescriptionTheEnrollmentPointusesPKIcertificatesforConfigurationManagertoenrollmobiledevices,MaccomputersandtoprovisionIntelAMT-basedcomputers.TheEnrollmentProxyPointmanagesConfigurationManagerenrollmentrequestsfrommobiledevicesandMaccomputers.Thisisnotamandatorysitesystem butyouneedbothEnrollmentPointandEnrollmentProxyPointifyou wantto enrolllegacymobiledevices,MaccomputersandtoprovisionIntelAMT-basedcomputers.Sincemodernmobiledevicesaremostly managedusingWindowsIntune,thispostwillfocusmainlyonMaccomputerenrollment.SiteSystemRolePlacementinHierarchyTheSCCMEnrollmentPointandEnrollmentProxyPointaresite-wideoptions.It’ssupportedtoinstallthose rolesonastand-aloneor childPrimarysite.It’snotsupportedtoinstallitonaCentralAdministrationsiteorSecondarysite.YoumustinstallanSCCMEnrollmentPointintheuser’sforestsothattheusercanbeauthenticatedifauserenrollsmobiledevicesbyusingSCCM andtheirActiveDirectoryaccountisinaforestthatisuntrustedbythesiteserver’sforest.WhenyousupportmobiledevicesontheInternet,asasecuritybestpractice,installtheEnrollmentProxyPointinaperimeternetworkandtheEnrollmentPointontheintranet.PrerequisitesBeginningwithSystem Center 2012Configuration Manager SP2,thecomputerthathoststheSCCMEnrollmentPointor EnrollmentProxyPoint sitesystemrolemusthaveaminimumof5%ofthecomputersavailablememoryfreetoenablethesitesystemroletoprocessrequests.Whenthose sitesystemroleareco-locatedwithanothersitesystemrolethathasthissamerequirement,thismemoryrequirementforthecomputerdoesnotincrease,butremainsataminimumof5%.Using WindowsServer2012,thefollowingfeaturesmustbeinstalledbeforetheroleinstallation:EnrollmentPointFeatures:.NETFramework3.5.NETFramework4.5HTTPActivation(andautomaticallyselectedoptions)ASP.NET4.5 CommonHTTPFeaturesDefaultDocumentApplicationDevelopmentASP.NET3.5(andautomaticallyselectedoptions).NETExtensibility3.5ASP.NET4.5(andautomaticallyselectedoptions).NETExtensibility4.5 IIS6ManagementCompatibilityIIS6MetabaseCompatibility EnrollmentProxyPointFeatures:.NETFramework3.5.NETFramework4.5HTTPActivation(andautomaticallyselectedoptions)ASP.NET4.5 IISConfiguration:CommonHTTPFeaturesDefaultDocumentStaticContent ApplicationDevelopmentASP.NET3.5(andautomaticallyselectedoptions)ASP.NET4.5(andautomaticallyselectedoptions).NETExtensibility3.5.NETExtensibility4.5 SecurityWindowsAuthentication IIS6ManagementCompatibilityIIS6MetabaseCompatibility SCCM EnrollmentPoint InstallationFor thispostwewillbeinstallingbothrolesona stand-alonePrimarysiteusingHTTPSconnections.Ifyousplittherolesbetweendifferentmachine,dotheinstallation section twice,onceforthefirstsitesystem(selecting EnrollmentPoint duringroleselection)andasecondtimeontheothersitesystem(selecting EnrollmentProxyPoint duringroleselection).OpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRightclickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectEnrollmentPointandEnrollmentProxyPoint, clickNextOntheEnrollmentPointtabIn theIISWebsiteandVirtual applicationname fields,leavebothtothedefaultvaluesThisisthenamesthatyou’llseeinIISaftertheinstallation Enterthe portnumberyouwanttouse.TheHTTPSsettingisautomaticallyselectedandrequiresaPKIcertificateontheserverforserverauthenticationtotheEnrollmentProxyPointandforencryptionofdataoverSSL.Formoreinformationaboutthecertificaterequirements,seePKICertificateRequirementsforConfigurationManager. OntheEnrollmentProxyPoint tab,TheEnrollmentpoint willbepopulatedbydefaultandcan’tbechangedKeeptheWebsitenametoit’sdefaultvalueEnterthe portandprotocolthatyouwanttouseTheVirtualapplicationnamecan’tbechanged.Thiswillbeusedforclientinstallation(https://servername/EnrollmentServer) OntheSummarytab,reviewyoursettings,clickNextandcompletethewizardVerificationandLogsfilesLogsYoucanverifytheroleinstallationinthefollowinglogs:ConfigMgrInstallationPath\Logs\enrollsrvMSI.log andenrollmentservice.log –Recordsdetailsofaboutthe Enrollment PointinstallationConfigMgrInstallationPath\Logs\enrollwebMSI.log – Recordsdetailsofabout theEnrollmentProxyPoint installationConfigMgrInstallationPath\Logs\enrollmentweb.log– RecordscommunicationbetweenmobiledevicesandtheEnrollmentProxyPointThat’sit,you’veinstalledyourSCCMEnrollmentPoint,followthisTechnetGuideifyouwanttoproceedtonextstepsforMaccomputersenrollmentPart12–FallbackStatusPointWewilldescribehowtoinstallSCCMFallbackStatusPoint (FSP).RoleDescriptionTheFSP helpsmonitorclientinstallationandidentifyunmanagedclientsthatcannotcommunicatewiththeirmanagementpoint.ThisisnotamandatorySiteSystembutwerecommendtoinstalla FSP forbetterclientmanagementandmonitoring.ThisistheSiteSystemthatreceiveStateMessagerelatedtoclientinstallation,clientsiteassignment,andclientsunabletocommunicatewiththeirHTTPSManagementPoint.IftheFSPisnotconfiguredproperlyyou’llenduphaving A fallbackstatuspointhasnotbeenspecifiederrorsinyourlogs.SiteSystemRolePlacementinHierarchyThisSiteSystemisahierarchy-wideoption.It’ssupportedtoinstallthisrole ona childPrimarySiteorstand-alonePrimarySitebutit’snotsupportedonaCentralAdministrationsitenorSecondarySite.FSPInstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRightclickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectFallbackStatusPoint,clickNextOntheFallbackStatusPointtab,specifythenumberofstatemessagestoprocess.Werecommendtoleavethedefaultvalue,clickNextOntheSummarytab,reviewyoursettingandclickNextWaitforthesetuptocompleteandclosethewizardVerificationandLogsfilesSmsfspsetup.log–DetailedFSPInstallationstatusFspmgr.log–VerifywhetherclientsaresuccessfullysendingstatemessagestotheFSPYoucanalsocheckifreportsthatdependontheFSP arepopulatedwithdata.SeethefulllistofreportsthatrelyontheFSP here.ConfigureclientsUsetheFSPclientpropertiestopointyourclientstoyournewlycreatedFSPNavigatetoAdministration /SiteConfiguration/SiteClicktheClientInstallationSettingiconontheribbonSelectClientPush InstallationOntheInstallationPropertiestabEnteryourserverFQDNintheFSPpropertiesPart13–ManagementPointInstallationWewilldescribehowtoinstallanSCCMManagementPoint (MP).RoleDescriptionEverySCCMhierarchy musthaveaManagementPointtoenableclientcommunication.TheManagementPointistheprimarypointofcontactbetweenConfigurationManagerclientsandthesiteserver.ManagementPointscanprovideclientswithinstallationprerequisites,configurationdetails,advertisementsandsoftwaredistributionpackagesourcefilelocations.Additionally,ManagementPointsreceiveinventorydata,softwaremeteringinformationandstatemessagesfromclients.MultipleManagementPointsare used for load-balancingtrafficandfor clientstocontinuereceivingtheirpolicyafterManagementPointfailure.ReadaboutSCCMHigh-AvailabilityoptionsinthisTechnetarticle.PriortoSCCM2012R2SP1,itwasnotpossibletoassignclientdirectlytoaspecificManagementPoint.It’snowpossibleusingthenewPreferredManagementPointfeature.ReadabouthowclientschoosetheirManagementPointinthisTechnetarticle.SiteSystemRolePlacementinHierarchyTheManagementPointisasite-wideoption.It’ssupportedtoinstallthisrole onastand-alonePrimarysite,childPrimarysiteorSecondaysite.It’snotsupportedtoinstallaManagementPoint onaCentralAdministration site.Eachprimarysitecansupportupto10ManagementPoints.Bydefault,whenyouinstallaSecondarysite,aManagementPointis installedontheSecondarysiteserver. SecondarysitesdonotsupportmorethanoneManagementPointandthisManagementPointcannotsupportmobiledevicesthatareenrolledbyConfigurationManager.SeethefullSupportedConfigurationinthefollowingTechnetarticle.PrerequisitesOnWindows2012,thefollowingfeaturesmustbeinstalledbeforetheManagementPointInstallation:Features:.NETFramework4.5BITSServerExtensions orBackgroundIntelligentTransferServices(BITS)IISConfiguration:ApplicationDevelopmentISAPIExtensions SecurityWindowsAuthentication IIS6ManagementCompatibilityIIS6MetabaseCompatibilityIIS6WMICompatibility SCCMManagementPointInstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRightclickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectManagementPoint,clickNextOntheManagementPointtabSelectthedesiredclientconnectionsmethods.HTTPSrequiredtohaveavalidPKIcertificateforclientauthenticationClickNextOnthe ManagementPointDatabase tab,specifyifyouwanttousethesitedatabaseoradatabasereplica.ReadaboutdatabasereplicahereSpecifyifyouwanttousethecomputeraccountoftheManagementPointtoconnecttothedatabaseoraspecifiedaccountOntheSummarytab,reviewyoursettings,clickNextandcompletethewizardVerificationandLogsfilesYoucanverifytheinstallationinthefollowinglogs:ConfigMgrInstallationPath\Logs\mpMSI.log –RecordsdetailsofaboutthemanagementpointinstallationConfigMgrInstallationPath\Logs\MPSetup.log.log– RecordsthemanagementpointinstallationwrapperprocessPart14–ReportingPointInstallationWewilldescribehowtoinstallaSCCMCurrentBranchreportingservicespoint.Thisrolecanbeinstalledonaremotemachine,theprocessisthesamebutthelocationofthelogsisdifferent.RequirementsBeforeyoucaninstallthereportingservicespointroleyoumustconfigureSQLcorrectly.We’llbeusingSQL2012onthispost.WeareassumingthatSQLisalreadyinstalledandthatyourSCCMsiteisupandhealthy.DuringtheinitialSQLinstallation,youmustselectReportingServices.IfyouhaveinstalledSQLServer,buthavenotinstalled ReportingServicesfollowthefollowingsteps.IfReportingServicesisalreadyinstalled,skiptothe“ConfigureReportingServices” section.Launch theSQLServer2012installationfromthemedia.ClicktheInstallationlinkonthelefttoviewtheInstallationoptions.Clickthetoplink,NewSQLServerstand-aloneinstallationoraddfeaturestoanexistinginstallation.FollowtheSQLServerSetupwizarduntilyougettotheInstallationTypescreen.SelectAddfeaturestoanexistinginstanceofSQLServer2012.ClickNexttomovetotheFeatureSelectionpage.SelectReportingServices–NativeAttheReportingServices ConfigurationpageSelectInstallOnlyContinuethroughthewizardandrebootthecomputerattheendoftheinstallationifinstructedtodoso.ConfigureReportingServicesBeforeconfiguringthereportingpoint,someconfigurationneedstobemadeontheSQLside.ThevirtualinstanceneedstobecreatedforSCCMtoconnectandstoreitsreports.IfyouinstalledReportingServicesduringtheinstallationoftheSQLServerinstance,SSRSwillbeconfiguredautomaticallyforyou.IfyouinstallSSRSlater,thenyouwillhavetogobackandconfigureitasasubsequentstep.Toconfigure,OpenReportingServicesConfigurationManagerClickStart>AllPrograms>MicrosoftSQLServer>ConfigurationTools>ReportingServicesConfigurationManagerClickConnect toconnecttotheSQLinstanceOntheleft-handsideoftheReportingServicesConfigurationManager,clickDatabase.ClicktheChangeDatabasebuttonSelectCreateanewreportserverdatabaseandclickNextThiswizardcreatestwodatabases:ReportServer,usedtostorereportdefinitionsandsecurity,and ReportServerTempDBwhichisusedasscratchspacewhenpreparingreports.ClicktheWebServiceURLtabClickApplyThisstepsetsuptheSSRSwebservice.Thewebserviceistheprogramthatrunsinthebackgroundthatcommunicatesbetweenthewebpage,whichyouwillsetupnext,andthedatabases.SelecttheReportManagerURLAcceptthedefaultsettingsandclickApply.IftheApplybuttonwasalreadygrayedout,thismeanstheSSRSwasalreadyconfigured.ThisstepsetsuptheReportManagerwebsitewhereyouwillpublishreportsExitReportingServiceConfigurationManager.AddReportingServicesPointroleinSCCMOpentheSCCMconsoleNavigatetoAdministration/Site/Configuration/ServersandSiteSystemRolesRight-clickonyourSiteServerandclickAddsystemRolesOntheGeneraltab, click NextOntheProxytab, ClickNextOntheSiteSystemRole,selectReportingServicesPoint,Click NextOnRetheportingServicessettingtabClickVerifyAtthebottom,Addanaccounttouseforthereportingpoint.ThisaccountneedstohaveaccesstotheSCCMDBClickNextWaitfortheprocesstocompleteandclosethewizardRecoveryModelUsingthesimplerecoverymodelimprovesperformanceandsavesyourserverharddriveandpossiblyalargetransactionlogfile.TochangetheRecoveryModeloftheReportingDBtoSimpleOpenSQLManagementStudioRight-clickontheReportServerdatabaseandselectPropertiesGototheOptionspageUnderRecoverymodelselect SimpleClickOKVerificationLogsCheckforthefollowinglogsforreportingpointinstallationstatus.BothlogsareundertheSCCMlogsfilelocations.Srspsetup.logSrsrpmsi.logIfyourreportingpointisinstalledonaremoteserverlookforthelogsin:Drive:\SMS\Logs\ConsoleOpenMonitor/Reporting/Reports node.VerifythatyourreportsarelistedWebBrowserOpenInternetExplorer,navigatetohttp://yourservername/ReportsIfeverythingwentwell,you’llhaveafolderConfig_SiteCodecontainingyourreportsSQLIfyoucheckyourSQLinstance,you’llseethe2newdatabasewhichwerecreatedbytheinstallation.OpenSQLManagementStudioLocateReportServerandReportServerTempDBHappyreporting!🙂Part15–SoftwareUpdatePointInstallationWewilldescribehowtoinstallSCCMCurrentBranch SoftwareUpdatePoint (SUP).RoleDescriptionTheSUP integrateswithWindowsServerUpdateServices(WSUS)toprovidesoftwareupdatestoConfigurationManagerclients.ThisisnotamandatorySiteSystembutyourneedtoinstallaSUPifyou’replanningtouseSCCMasyourpatchmanagementplatform.SiteSystemRolePlacementinHierarchyThisSiteSystemisasite-wideoption.It’ssupportedtoinstallthisrole onaCentralAdministrationSite,childPrimarySite,stand-alonePrimarySiteandSecondarySite.WhenyourhierarchycontainsaCentralAdministrationSite,installaSoftwareUpdatePoint and synchronizeswithWindowsServerUpdateServices(WSUS)beforeyouinstallaSUP atanychild’sPrimarySite.WhenyouinstallaSoftwareUpdatePoint atachildPrimarySite,configureittosynchronizewiththeSUP atthe CentralAdministrationSite.ConsiderinstallingaSUP inSecondarySite whendatatransferacrossthenetworkisslow.×RemoteWSUSWarningTheWSUSAdministrationConsoleisrequiredontheConfigurationManagersiteserverwhenthesoftwareupdatepointisonaremotesitesystemserverandWSUSisnotalreadyinstalledonthesiteserver. TheWSUSversiononthesiteservermustbethesameastheWSUSversionrunningonthesoftwareupdatepoints.WhenusingWSUS3.0(onserver2008,itwaspossibletoinstalltheconsoleonly).Thishaschangedwith2012and2016.OnewaytodoitistoaddtheWindowsSoftwareUpdateServices roleanddeselecting DatabaseandWIDDatabase. Theproblemisthatwill stillcausesometroublewiththepost-installtask.Therecommendedwaytodoit: StartPowerShellConsole(asAdministrator) Run: Install-WindowsFeature-NameUpdateServices-UiThiswillinstalltheconsoleonlyandnotrunapost-installtask.WSUS InstallationPerformthefollowingontheserverthatwillhosttheSUProle.OpenServerManager/AddRolesandFeaturesSelectthe WindowsServerUpdateServices Role,clickNextSelectWSUSServicesandDatabase, clickNextLaunchWindowsServerUpdateServices fromtheStartMenu.Youwillbepromptwith thefollowingwindow:OntheDBinstance,enter yourservernameOnContentdirectorypath,use adrivewithenoughdrivespace.ThisiswhereyourWSUSwillstoreupdatesWhentheWSUSConfigurationWizardstarts,clickCancelOpenSQLManagementStudioUnderDatabases,Right-clickSUSDB,selectPropertiesandclickFilesChangeOwnertoSAChangetheAutogrowth valueto512MB,clickOk andcloseSQLMSSoftwareUpdatePoint InstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRight-clickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectSoftwareUpdatePoint,clickNextOntheSoftwareUpdatePointtab,selectWSUSisconfiguredtouseports8530and8531, clickNextOntheProxyandAccountSettingstab,specifyyourcredentialsif necessary,clickNextOntheSynchronizationSourcetab,specifyifyouwanttosynchronizefromMicrosoftUpdateoranupstreamsource.RefertotheSiteSystemPlacementsectionifyou’reunsure.Forastand-alonePrimarySite,selectSynchronizefromMicrosoftUpdate, clickNextOntheSynchronizationScheduletab,checktheEnablesynchronizationonaschedule checkboxandselectyourdesiredschedule.1dayisusually enough butitcanbeloweredifyou’resynchronizingEndpointProtection definitionfiles,clickNextOntheSupersedenceRulestab,selectImmediatelyexpireasupersededsoftwareupdate, clickNextOntheClassificationstab,selectyourorganizationneeds,clickNextFulldescriptiononthisMicrosoftSupportArticleOntheProductstabs,selecttheproductsthatyouwanttomanageusingSCCM,clickNextOntheLanguagestab,selectthedesiredlanguage,clickNextOntheSummary tab, reviewyoursettings,clickNext, waitforthesetuptocompleteandclickCloseVerificationConfigMgrSetup\Logs\SUPSetup.log-Providesinformationaboutthesoftwareupdatepointinstallation.Whenthesoftwareupdatepointinstallationcompletes,InstallationwassuccessfuliswrittentothislogfileConfigMgrSetup\Logs\WCM.log– ProvidesinformationaboutthesoftwareupdatepointconfigurationandconnectingtotheWSUSserverforsubscribedupdatecategories,classifications,andlanguagesConfigMgrSetup\Logs\WSUSCtrl.log– Providesinformationabouttheconfiguration,databaseconnectivity,andhealthoftheWSUSserverforthesiteConfigMgrSetup\Logs\Wsyncmgr.log– ProvidesinformationaboutthesoftwareupdatessynchronizationprocessBonuslink:Isuggestthatyoureadtheexcellentarticlewrittenby KentAgerlundonhowtoavoidwhathecallsthe HouseofCardsPart16–StateMigrationPoint InstallationWewilldescribehowtoinstallSCCMCurrentBranch StateMigrationPoint(SMP).RoleDescriptionTheStateMigrationPoint storesuserstatedatawhenacomputerismigratedtoanewoperatingsystem.ThisisnotamandatorySiteSystem butyouneeda StateMigrationPoint ifyouplantousetheUserStatesteps inyourTaskSequence.ThesestepsintegratewithUserStateMigrationTools(USMT)tobackupyouruserdatabeforeapplyinganewoperatingsystemtoacomputer.SiteSystemRolePlacementinHierarchyTheStateMigrationPoint isasite-wideoption.It’ssupportedtoinstallthisrole ona childPrimarySite,stand-alonePrimarySiteorSecondaySite.It’snotsupportedtoinstallitonaCentralAdministrationsite.TheStateMigrationPointcanbeinstalledonthesiteservercomputeroronaremotecomputer.Itcanbeco-locatedonaserverthathasthe distributionpointrole.SCCMStateMigrationPoint InstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRight-clickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectStateMigration Point,clickNextOntheStateMigrationPointtabClickthestaricon,specifythefolderwhereyouwantthedatatobestoredandhowmuchspacemustbereservedonthedriveSpecifythe DeletionPolicy. Thisisthedelaytokeepthedataafterasuccessfulrestore.EnableRestore-Onlymodeifneeded.UsethissettingifyouwantyourSMPtobeinread-onlymode.ThisisusefulifyoureplaceordecommissionanexistingSMP OntheBoundaryGroupstab,addtheboundarygroupthatcanaccesstheStatemigrationPoint.IfyouaddtheroleonasitesystemthatalreadyhastheDistributionPointrole,theboundarygroupofthisDPwillalreadybelistedOntheSummarytab,reviewyoursettings,clickNextandcompletethewizardVerificationandLogsfilesYoucanverifytheinstallationinthefollowinglogs:ConfigMgrInstallationPath\Logs\Smssmpsetup.log–Detailed StateMigrationPoint InstallationstatusConfigMgrInstallationPath\Logs\Smpmsi.log–ProvidesinformationabouttheStateMigrationPointIfyouhaveanyerrorintheinstallationprocessrefertothispostthatexplainsthepermissionneededfortheSMPtoinstallcorrectly.CreatetheUSMTPackageTostoretheuserstatedataonaStateMigrationPoint,youmustcreateapackagethatcontainstheUSMTsourcefiles.ThispackageisspecifiedwhenyouaddtheCaptureUserStatesteptoyourtasksequence.OnyourSCCMServerwhereyouinstalledWindowsDeploymentToolkit,browseto:C:\ProgramFiles(x86)\WindowsKits\8.1\AssessmentandDeploymentKit\UserStateMigrationToolIfyoudon’thavethisfolder,it’sbecauseyouhaven’tinstalledtheUSMT (includedinWindowsADK)duringyourSCCMInstallation Copythefoldercontentin yourContentLibrary(InmyexampleD:\Sources\OSD\USMT)OpentheSCCMConsoleGotoSoftwareLibrary/ApplicationManagement/PackagesRight-clickPackagesandselectCreateanewpackageEntertheName,Manufacturer,LanguageChecktheThispackagecontainssourcefilescheck-boxandspecifyyoursourcefolder(D:\Sources\OSD\USMT)ClickNextOntheProgramTypetab,select Donotcreateaprogram andclick NextCompletetheCreatePackagewizardTheStateMigrationPointandtheUSMTpackagearenowreadyforuseinanOSDTaskSequenceusingtheCaptureUserState andRestoreUserState steps.Part17–SystemHealthValidatorPointWewilldescribehowtoinstallSCCMCurrentBranch SystemHealthValidatorPoint (SHVP).RoleDescriptionThe SystemHealthValidatorPoint validatesConfigurationManagerNetworkAccessProtection(NAP)policies.Thisisnotamandatorysitesystem butyouneedaSystemHealthValidatorPointifyouplantouseNAP evaluationinyoursoftwareupdatedeployments.Thissitesystem integrateswith anexistingNAPserverinyourinfrastructure.SiteSystemRolePlacementinHierarchyTheSystemHealthValidatorPointisahierarchy-wideoption.It’ssupportedtoinstallthisrole onaCentralAdministrationsite,stand-alonePrimarysite,childPrimarysite.It’snotsupportedtoinstallitonaSecondaysite. TheSystemHealthValidatorPoint mustbeinstalledonaNAPhealthpolicyserver.SCCMSystemHealthValidatorPointInstallationOpentheSCCMconsoleNavigatetoAdministration /SiteConfiguration/ServersandSiteSystemRolesRightclickyourSiteSystem andclickAddSiteSystemRolesOntheGeneraltab,clickNextOntheProxytab,clickNextOntheSiteSystemRoletab,selectSystemHealthValidatorPoint,clickNextOnthe SystemHealthValidatortab,clickNextTherearenopropertiestoconfigureforthissitesystemrole OntheSummarytab,reviewyoursettings,clickNextandcompletethewizardVerificationandLogsfilesYoucanverifytheinstallationinthefollowinglogs:ConfigMgrInstallationPath\Logs\SMSSHVSetup.log –Detailed SystemHealthValidatorPoint installationstatusConfigureClientSettingsInordertoenableNetworkAccessProtectiononyourclients,youmustconfigureyourclientsettings:OpentheSCCMconsoleBrowseto Administration/ClientSettingsCreateanewclientsettings,selectNetworkAccessProtectionontheleftandchooseYesunderEnableNetworkAccessProtectiononclientsSelectthedesiredNAPre-evaluationscheduleandclickOkIncaseyou’reusedtoNAPinSCCM2007andlookingforaNetworkAccessProtectionnodeintheconsole,the2012versionofNAPisslightlydifferent.FromTechnet:TheNewPoliciesWizardisnolongeravailabletocreateaNAPpolicyforsoftwareupdates:The NetworkAccessProtectionnodeintheConfigurationManagerconsoleandtheNewPoliciesWizardarenolongeravailableinSystemCenter2012ConfigurationManager.TocreateaNAPpolicyforsoftwareupdates,youmustselectEnableNAPevaluationontheNAPEvaluationtabinsoftwareupdateproperties.Part18–ServiceConnectionPointInstallationWewilldescribehowtoperformanSCCMServiceConnectionPointInstallation.TheServiceConnectionPointisanewsitesystemrolethatservesseveralimportantfunctionsfortheSCCMhierarchy.Itmightaffecthowyouconfigurethissitesystemrole:ManagemobiledeviceswithMicrosoftIntune–ThisrolereplacestheWindows IntuneconnectorusedbypreviousversionsofSCCM,andcanbeconfiguredwithyourIntunesubscriptiondetailsManagemobiledeviceswithon-premisesMDM–Thisroleprovidessupportforon-premisesdevicesyoumanagethatdonotconnecttotheInternetUploadusagedatafromyourConfigurationManagerinfrastructure–YoucancontroltheleveloramountofdetailyouuploadDownloadupdatesthatapplytoyourConfigurationManagerinfrastructure–Onlyrelevantupdatesforyourinfrastructurearemadeavailable,basedonusagedatayouuploadSiteSystemRolePlacementinHierarchyEachhierarchysupportsasingleinstanceofthisrole. Thesitesystemrolecanonlybeinstalledatthetop-tiersiteofyourhierarchy(OnaCentralAdministrationSiteora stand-alonePrimarySite).SCCMServiceConnectionPointInstallationTheSCCM1511 installationorupgrade wizardwillasktoinstalltheServiceConnectionPoint.Ifyouselecttoskiptheroleinstallation,youcanmanuallyaddittoSCCMusingthefollowingsteps.Goto Administration/ SiteConfiguration/ServersandSiteSystemRolesRight-clicktheSiteSystem youwishtoaddtheroleClick AddSiteSystemRole intheRibbonOnthe General tab,click NextOnthe Proxy tab,click NextOnthe SiteSystemRole tab,select ServiceConnectionPoint andclick NextOntheServiceConnectionMode,selectthedesiredoption:InOnlinemode,theServiceConnectionPointautomaticallydownloadsupdatesthatareavailableforyourcurrentinfrastructureandproductversion,makingthemavailableintheSCCM consoleInOfflinemode,theServiceConnectionPointdoesnotconnecttotheMicrosoftcloudserviceandyoumustmanuallyusetheserviceconnectiontoolwhenyourServiceConnectionPointisinOfflinemodetoimportavailableupdates Onthe Summary screen,waitforthesetuptocompleteandclosethewizardVerificationandLogsfilesConnectorSetup.log–Informationaboutroleinstallation and thattheServiceConnectionPointwascreatedsuccessfullyNowthatalloursiteserversareinstalled,wearenowreadytoconfigurethevariousaspectofSCCM.Part19–PlanandConfigureBoundariesWewillstartourconfigurationwiththeSCCMboundaries.First,let’sdefinewhataboundaryinSCCMis:FromTechnet :InMEMCM/SCCM,aboundaryisanetworklocationontheintranetthatcancontainoneormoredevicesthatyouwanttomanage.BoundariescanbeanIPsubnet,ActiveDirectorysitename,IPv6Prefix,oranIPaddressrange,andthehierarchycanincludeanycombinationoftheseboundarytypes.Touseaboundary,youmustaddtheboundarytooneormoreboundarygroups.Boundarygroupsarecollectionsofboundaries.Byusingboundarygroups,clientsontheintranetcanfindanassignedsiteandlocatecontentwhentheyhavetoinstallsoftware,suchasapplications,softwareupdates,andoperatingsystemimages.Aboundarydoesnotenableclientstobemanagedatthenetworklocation.Tomanageaclient,theboundarymustbeamemberofaboundarygroup.SimpleBoundariesondonothing,theymustbeaddedtooneormoreboundarygroupsinordertowork.Aboundarygroupisself-explanatory,it’sagroupofboundariesusedforsiteassignmentandforcontentlocation.BeginningwithSCCM2012R2SP1, a boundarygroupcandirectyourclientstotheirDistributionPointsforcontent,StateMigrationPoint,PreferredManagementPointandSoftwareUpdatePoint.PriortoR2SP1,ContentlocationisusedbyclienttoidentifyavailableDistributionPointsorStateMigrationPointbasedontheclientnetworklocation.Toresume:SiteAssignmentboundarygroupassociatearesourcetoasiteContentLocationboundarygroupisusedtoretrieveitsdeploymentcontent(applications,packages,images,etc)PlanningforSCCMBoundariesandBoundaryGroupsBeforedesigningyourstrategychoosewiselyonwhichboundarytypetouse.Ifyou’reunsureofwhichtypeofboundarytouseyoucanreadJasonSandys excellentpost aboutwhyyoushouldn’tuseIPSubnetboundaries.Microsoftrecommendsthefollowing:Whendesigningyourboundarystrategy,werecommendyouuseboundariesthatarebasedonActiveDirectorysitesbeforeusingotherboundarytypes.WhereboundariesbasedonActiveDirectorysitesarenotanoption,thenuseIPsubnetorIPv6boundaries.Ifnoneoftheseoptionsareavailabletoyou,thenleverageIPaddressrangeboundaries.Thisisbecausethesiteevaluatesboundarymembersperiodically,andthequeryrequiredtoassessmembersofanIPaddressrangerequiresasubstantiallylargeruseofSQLServerresourcesthanqueriesthatassessmembersofotherboundarytypesIt’salsorecommendedtosplityourSiteAssignmentandContentlocationgroupOverlappingBoundariesSCCMCurrentBranchsupportsoverlappingboundaryconfigurationsforcontentlocation.Whenaclientrequestscontent,andtheclientnetworklocationbelongstomultipleboundarygroups,ConfigurationManagersendstheclientalistofallDistributionPointsthathavethecontent.Thisbehaviorenablestheclienttoselectthenearestserverfromwhichtotransferthecontentorstatemigrationinformation.RealWorldScenarioInourvariousSCCMinstallations,ourclientsareoftenconfusedaboutthistopic.Let’smakeanexampletohelpyouunderstand:Contosohas1000clients1PrimarySite(Montreal)3remoteofficeswiththeirlocalDistributionPoint(NewYork,Chicago,LosAngeles)ActiveDirectorySitearebasedontheirsitesubnets(MTL,NY,CHI,LA)Inthatscenario,weneedtocreate4 Boundary,1foreachoffice:BoundaryTypeMTLActiveDirectorySiteNYActiveDirectorySiteCHIActiveDirectorySiteLAActiveDirectorySiteOpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/BoundaryRight-clickBoundariesandselect CreateBoundaryCreatetheboundary,inourexamplewe’llcreate4differentboundaryformy4locationsusingtheirActiveDirectorySitesTip:IfyouhavemultiplesActiveDirectorySites,IPRangesorSubnets,youcanenableActiveDirectoryForestDiscoverywhichcancreatethemautomatically Create BoundaryGroupNow,we’llcreateaSiteAssignmentBoundaryGroupandaddallthoseADSite.Thatway,allmyclientsformy4locationswillbeassignedtomyMontrealPrimarySite. ForContentLocation,wewantclientstogettheircontentlocallyattheirrespectivelocation.Wewill create4ContentBoundarygroups,addonlytheirADSiteBoundaryand assigntheirlocalDistributionPoint.NameBoundarySiteSystemMTL-ContentLocationMTLDPMTL01NY-ContentLocationNYDPNY01CHI-ContentLocationCHIDPCHI01LA-ContentLocationLADPLA01Here’showtomakethishappeninSCCM:OpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/BoundaryGroupsRight-clickBoundaryGroups andselect CreateBoundaryGroupsCreate SiteAssignement BoundaryGroupWe’llstartbycreatingagroupforSiteAssignment:SA–MTLClicktheAddboutononthebottomOntheAddBoundariesscreen,selectallboundaries.Thiswilldirectallmyclients tothePrimarySitelocatedinMontrealforSiteAssignmentOntheReferencestab,checktheUsethisboundarygroupforsiteassignmentboxSelectyourassignedsite.Inmycase:MTLClickOkCreateContentLocationBoundaryGroupRight-clickBoundaryGroups andselect CreateBoundaryGroupsWe’ll nameourgroupContentLocation–MTLClickonAddSelectonlytheMTLboundaryTheMTLboundarywillbelistedOntheReferencestab,unchecktheUsethisboundarygroupforsiteassignmentboxClickonAddatthebottomSelecttheSiteSystemthathosttheDistributionPointrolefortheMontrealsite.ForourexampleDPMTL01ClickOkRepeatthestepsfortheothersites(NewYork,Chicago,LosAngeles)OncecompletedourclientsareassignedtotheirlocalrespectiveSiteSystemsThisisasimplebuttypicalscenario.YoucanhavemultiplesboundariesandSiteSysteminyourBoundaryGroupsifneeded.Part20–ConfigureClientSettingsThispartwillexplainhowtocreateacustomSCCMclientsettingsandhowtodeployit.Clientsettingsareusedtoconfigureyourdeployedagents.Thisiswhereyoudecideanyconfigurationlike:EnablinghardwareinventoryagentEnablingpowersettingsoptionsEnablecloudservicesSetscanschedulesBITSthrottlingEct..InpreviousversionsofSCCM,clientsettingswerespecifictothesite.Youhad1clientsettingsthatappliedtoallyourhierarchy. InSCCMyoucanspecifyclientssettingatthecollectionlevel.Youcanhavedifferentsettingsforspecificcollections,overlappingsettingsaresetusing aprioritysetting.WhenyoumodifytheDefaultClientSettings,thesettingsareappliedtoallclientsinthehierarchyautomatically.YoudonotneedtodeploytheDefaultClientSettingstoapplyit.Bydefault,ithasa10000priorityvalue(Thisisthelowerpriority).Allothercustomclientsettingscanhaveapriorityvalue of1to9999whichwillalwaysoverridetheDefaultClientSettings.(ThehigherPriorityis1).Wewon’texplaineachclient’ssettingsandtheirdescriptions.TheTechnetdocumentationisprettyclearandmanyoftheclientsettingsareself-explanatory.Wecannotmakeanyrecommendationseitheraseachenvironmenthasitsownneedsandlimitations.Ifyouhaveanyquestionsconcerningaspecificsetting,usethecommentsectionand we’lltrytohelpyousoyoucanmaketherightdecisionforyourorganization.HowtoCreateCustomClientDeviceSettingsWhenyoudeployacustomclientsettings,theyoverridetheDefaultClientSettings.Beforeyoubegin,ensurethatyoucreatedacollection thatcontainsthedevicesthatrequirethesecustomclientsettings.Forourblogpost, wewillsettheClientPolicypollingintervalto15minutes.OpentheSCCMconsoleGotoAdministration / ClientSettingsOnthetopribbon,clickCreateCustomClientDeviceSettingsIntheCreateCustomDeviceSettingspage,specifyanameforthecustomsettingsanddescriptionSelectoneormoreoftheavailablesettings.WewillselectClientPolicyOntheleftpane,ClientPolicywillbedisplayed,clickonitWewillsettheClientPolicypollingintervalto15minutesClickOkYournewlycreatedsettingwillbedisplayedintheconsoleSettheClientSettingspriorityWhenyoucreateanewclientsetting,itautomaticallytakesthenextavailablepriority.(Beginningwith1)Beforedeployingit,makesurethatyourpriorityiswellsetforyourneeds.Ahigher priority(1)willoverrideanysettingswithalower priority.(9999).Don’tgetconfused1ishigher!Tochangetheprioritynumber:Onthetopribbon,selectyourclientsettingsandclickIncreasePriorityorDecreasePriorityYoucanseeeachclientsettings priorityandiftheyaredeployedinthesamesectionHowtodeployaclientsettingsNowthatyourclientsettingsarecreated,youneedtodeployittoacollection.Thisnewclientsettingswillapplytoonlythiscollectionanddependingonthepriority,willoverridethesettings.SelectthecustomclientsettingsthatyouhavejustcreatedOnthetopribbon,clickDeployIntheSelectCollectiondialogbox,selectthecollectionthatcontainsthedevices tobeconfiguredwiththecustomsettings,andthenclickOkYoucanverifytheselectedcollectionifyouclicktheDeploymentstabonthebottomoftheconsoleHowtoapplyClientcomputerswillapplyyourcustomsettingswhentheydownloadtheirnextclientpolicy.Youcantriggeritmanuallytospeeduptheprocess.ManuallyontheclientInControlPanel,clickon theConfigurationManagericonIntheActiontab,selectMachinePolicyRetrieval&EvaluationCycleClickRunnowUsing theSCCMConsoleToinitiateclientpolicyretrievalbyusingclientnotification(ConfigurationManagerSP1+only)IntheSCCM consoleGotoAssetsandCompliance/DeviceCollectionsSelectthedevicecollectioncontainingthecomputersthatyouwanttodownloadpolicyRight-clickasingledeviceorthewholecollectionandselect ClientNotification andthenDownloadComputerPolicyHowtoverifyyourClientSettingsIt’spossibletoseewhichclientsettingsareappliedtoaspecificclient. Youmustusethe ResultantClientSettings functionintheSCCMconsole.Wealreadycoverthisinapreviousarticle.Part21–ConfigureDiscoveryMethodsAfteryou completedyourSCCMinstallation,youcertainly wanttostartmanagingsomesystems.Theeffectivewaytoadd theminSCCM is toconfigureSCCMdiscoverymethods.Thisblogarticlewillexplainthevariousdiscoverymethodsandwilldescribehowtoconfigureit.WhatisSCCMDiscoveryMethodsHere’stheofficialdiscoverymethodsdefinitionfromTechnet:SCCMdiscoverymethodsidentifiescomputeranduserresourcesthatyoucanmanagebyusingConfigurationManager.Itcanalsodiscoverthenetworkinfrastructureinyourenvironment.Discoverycreatesadiscoverydatarecord(DDR)foreachdiscoveredobjectandstoresthisinformationintheConfigurationManagerdatabase. Whendiscoveryofaresourceissuccessful,discoveryputsinformationabouttheresourceinafilethatisreferredtoasadiscoverydatarecord(DDR).DDRsareinturnprocessedbysiteserversandenteredintotheConfigurationManagerdatabasewheretheyarethenreplicatedbydatabase-replicationwithallsites.Thereplicationmakesdiscoverydataavailableateachsiteinthehierarchy,regardlessofwhereitwasdiscoveredorprocessed. Youcanusediscoveryinformationtocreatecustomqueriesandcollectionsthatlogicallygroupresourcesformanagementtaskssuchastheassignmentofcustomclientsettingsandsoftwaredeployments.ComputersmustbediscoveredbeforeyoucanuseclientpushinstallationtoinstalltheConfigurationManagerclientondevices.Insimplewords,itmeansthatSCCMneedstodiscoveradevicebeforeitcanmanagethem.It’snotmandatorytodiscovercomputers,ifyoumanuallyinstalltheclient,itwillappearintheconsoleanditcanbemanaged.Theproblemisthatifyouhaveathousandcomputers,itcanbeafastidiousprocess.ByusingActiveDirectorySystemDiscovery,allyourcomputerswillbeshownontheconsole,fromthereyoucanchoosetoinstalltheclientusingvariousSCCMmethods.Ofcourse,ifyouneedinformationaboutyourusersandgroups,youneedtoconfigureUserandGroupdiscovery,it’stheonlywaytobringthisinformationinSCCM.Thereare5TypesofDiscoveryMethodsthatcanbeconfigured.Eachonetargetsaspecificobjecttype(Computers,Users,Groups,ActiveDirectory):ActiveDirectorySystemDiscoveryDiscoverscomputersinyourorganizationfromspecifiedlocationsinActiveDirectory.InordertopushtheSCCMclienttothecomputers,theresourcesmustbediscoveredfirst.Youcanspecifytodiscoveronlycomputersthathaveloggedontothedomaininagivenperiodoftime.ThisoptionisusefultoexcludeobsoletecomputeraccountsfromActiveDirectory.YoualsohavetheoptiontofetchcustomActiveDirectoryAttributes.ThisisusefulifyourorganizationstorecustominformationinAD.Youcanreadour blogpost concerning thistopic.OpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/DiscoveryMethodsRight-ClickActiveDirectorySystemDiscoveryandselectPropertiesOntheGeneraltab,youcanenablethemethodbycheckingEnableActiveDirectorySystemDiscoveryClickontheStariconandselecttheActiveDirectorycontainerthatyouwanttoincludeinthediscoveryprocessOnthePollingScheduletab,selectthefrequencyonwhichyouwantthediscoverytohappenA7-daycyclewitha5minutesdeltaintervalisusuallyfineinmostenvironmentOntheActiveDirectoryAttributetab,youcanselectcustomattributestoincludeduringdiscoveryThisisusefulifyouhavecustomdatainActiveDirectorythatyouwanttouseinSCCM OntheOptionstab,youcanselecttodiscoveronlyaccountsthathaveloggedorupdatedtheirpasswordssinceaspecificnumberofdaysThisisusefulifyourActiveDirectoryisn’tclean.Usethistodiscoveronlygoodrecords ActiveDirectoryGroupDiscoveryDiscoversgroupsfromspecifiedlocationsinActiveDirectory.Thediscoveryprocessdiscoverslocal,globaloruniversalsecuritygroups.WhenyouconfiguretheGroupdiscoveryyouhavetheoptiontodiscoverthemembershipofdistributiongroups.WiththeActiveDirectoryGroupDiscovery,youcanalsodiscoverthecomputersthathaveloggedintothedomaininagivenperiodoftime.Oncediscovered,youcanusegroupinformationforexampletocreatedeploymentbasedonActiveDirectorygroups.Becarefulwhenconfiguringthismethod:IfyoudiscoveragroupthatcontainsacomputerobjectthatisNOTdiscoveredinActiveDirectorySystemDiscovery,thecomputerwillbediscovered.Iftheautomaticclientpushisenabled,thiscouldleadtounwantedclients’computers.Todiscoverresourcesusingthismethod:OpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/DiscoveryMethodsRight-ClickActiveDirectoryGroupDiscoveryandselectPropertiesOntheGeneraltab,youcanenablethemethodbycheckingEnableActiveDirectoryGroupDiscoveryClickontheAddbuttononthebottomtoaddacertainlocationoraspecificgroup.Remember:IfyoudiscoveragroupthatcontainsacomputerobjectthatisNOTdiscoveredinActiveDirectorySystemDiscovery,thecomputerwillbediscovered.OnthePollingScheduletab,selectthefrequencyonwhichyouwantthediscoverytohappenA7-daycyclewitha5minutesdeltaintervalisusuallyfineinmostenvironmentOntheOptionstab,youcanselecttodiscoveronlyaccountsthathaveloggedorupdatedtheirpasswordssinceaspecificnumberofdaysThisisusefulifyourActiveDirectoryisn’tclean.Usethistodiscoveronlygoodrecords ActiveDirectoryUserDiscoveryThediscoveryprocessdiscoversuseraccountsfromspecifiedlocationsinActiveDirectory.YoualsohavetheoptiontofetchcustomActiveDirectoryAttributes.ThisisusefulifyourorganizationstorecustominformationinADaboutyourusers.Oncediscovered,youcanusegroupinformationforexampletocreateuser-baseddeployment.Todiscoverresourcesusingthismethod:OpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/DiscoveryMethodsRight-ClickActiveDirectoryUserDiscoveryandselectPropertiesOntheGeneraltab,youcanenablethemethodbycheckingEnableActiveDirectoryUserDiscoveryClickontheStariconandselecttheActiveDirectorycontainerthatyouwanttoincludeinthediscoveryprocessOnthePollingScheduletab,selectthefrequencyonwhichyouwantthediscoverytohappenA7-daycyclewitha5minutesdeltaintervalisusuallyfineinmostenvironment.OntheActiveDirectoryAttributetab,youcanselectcustomattributestoincludeduringdiscoveryThisisusefulifyouhavecustomdatainActiveDirectorythatyouwanttouseinSCCM ActiveDirectoryForestDiscoveryDiscoversActiveDirectorysitesandsubnets,andcreatesConfigurationManagerboundariesforeachsiteandsubnetfromtheforestswhichhavebeenconfiguredfordiscovery.UsingthisdiscoverymethodyoucanautomaticallycreatetheActiveDirectoryorIPsubnetboundariesthatarewithinthediscoveredActiveDirectoryForests.ThisisveryusefulifyouhavemultipleADSiteandSubnet,insteadofcreatingthemmanually,usethismethodtodothejobforyou.Todiscoverresourcesusingthismethod:OpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/DiscoveryMethodsRight-ClickActiveDirectoryForestDiscoveryandselectPropertiesOntheGeneraltab,youcanenablethemethodbycheckingEnableActiveDirectoryForestDiscoverySelectthedesiredoptionsHeartBeatDiscoveryHeartbeatDiscoveryrunsoneveryclientandtoupdatetheirdiscoveryrecordsinthedatabase.Therecords(DiscoveryDataRecords)aresenttotheManagementPointinaspecifieddurationoftime.HeartbeatDiscoverycanforcethediscoveryofacomputerasanewresourcerecord,orcanrepopulatethedatabaserecordofacomputerthatwasdeletedfromthedatabase.HeartBeatDiscoveryisenabledbydefaultandisscheduledtorunevery7days.Todiscoverresourcesusingthismethod:OpentheSCCMConsoleGotoAdministration/HierarchyConfiguration/DiscoveryMethodsRight-ClickHeartbeatDiscoveryandselectPropertiesOntheGeneraltab,youcanenablethemethodbycheckingEnableHeartbeatDiscoveryMakesurethatthissettingisenabledandthattheschedulerunlessfrequentlythantheClearInstallFlagmaintenancetask. NetworkDiscoveryTheNetworkDiscoverysearchesyournetworkinfrastructurefornetworkdevicesthathaveanIPaddress.Itcansearchthedomains,SNMPdevicesandDHCPserverstofindtheresources.Italsodiscoversdevicesthatmightnotbefoundbyotherdiscoverymethods.Thisincludesprinters,routers,andbridges.Wewon’tgointodetailofthisdiscoverymethodasit’soldanddepreciatedmethods.Weneversawanycustomersusingthismethodinproduction.Part22–ConfigureMaintenanceTasksEach ConfigurationManagersitesupportsmaintenancetasksthathelpmaintainthe operationalefficiencyofthesitedatabase.Bydefault,severalmaintenance tasksareenabledineachsite,andalltaskssupportindependentschedules. Maintenancetasksaresetupindividuallyforeachsiteandapplytothe databaseatthatsite.However,sometasks,like DeleteAgedDiscoveryData, affectinformationthatisavailableinallsitesinahierarchy.To setupmaintenancetasksforConfigurationManager:Goto Administration / SiteConfiguration /SitesOnthe Home tab,inthe Settings group,choose SiteMaintenanceTosetupthetask,choose Edit,ensurethe Enablethistask checkboxischeckedandsetupascheduleforwhenthetaskruns.Toenableordisablethetaskwithout editingthetaskproperties,choosethe Enable or Disable button. Thebuttonlabelchangesdependingonthecurrentconfigurationofthetask.Whenyouarefinishedconfiguringthe maintenancetasks,choose OK tofinishtheprocedure.Thistopiclists detailsforeachoftheSCCMsitemaintenancetasks:BackupSiteServer:Usethistasktopreparefortherecoveryofcriticaldata.YoucancreateabackupofyourcriticalinformationtorestoreasiteandtheConfigurationManagerdatabase.Formoreinformation,see ournextsectionthatcoversit.CheckApplicationTitlewithInventoryInformation:Usethistasktomaintainconsistencybetweensoftwaretitlesthat arereportedinthesoftwareinventoryandsoftwaretitlesintheAssetIntelligence catalog.Centraladministrationsite:EnabledClearInstallFlag:Usethistask toremovetheinstalledflagforclientsthatdon’tsubmitaHeartbeat Discoveryrecordduringthe ClientRediscovery period.Theinstalledflagpreventsautomaticclientpush installationtoacomputerthatmighthaveanactiveConfigurationManager client.DeleteAgedApplicationRequestData:Usethistasktodeleteagedapplicationrequestsfromthe database.DeleteAgedClientDownloadHistory:Usethistasktodeletehistoricaldataaboutthedownloadsource usedbyclients.DeleteAgedClientOperations: Usethistasktodeleteallageddataforclientoperationsfromthesite database.Forexample,thisincludesdataforagedorexpiredclient notifications(likedownloadrequestsformachineoruserpolicy),andfor EndpointProtection(likerequestsbyanadministrativeuserforclientstorun ascanordownloadupdateddefinitions).DeleteAgedClientPresenceHistory:Usethistasktodeletehistoryinformationabouttheonline statusofclients(recordedbyclientnotification)thatisolderthanthe specifiedtime.DeleteAgedCloudManagementGatewayTrafficData:Usethistasktodeleteallageddataaboutthetrafficthatpassesthroughthe cloudmanagementgateway fromthesitedatabase.Forexample,thisincludesdataaboutthenumberofrequests,totalrequestbytes,totalresponsebytes,numberoffailedrequests,andamaximumnumberofconcurrentrequests.DeleteAgedCollectedFiles:Use thistasktodeleteagedinformationaboutcollectedfilesfromthedatabase. Thistaskalsodeletesthecollectedfilesfromthesiteserverfolder structureattheselectedsite.Bydefault,thefivemost-recentcopiesof collectedfilesarestoredonthesiteserverinthe Inboxes\sinv.box\FileCol directory.DeleteAgedComputerAssociationData:UsethistasktodeleteagedOperatingSystemDeploymentcomputer associationdatafromthedatabase.Thisinformationisusedaspartof completinguserstaterestores.DeleteAgedDeleteDetectionData: Usethistasktodeleteageddatafromthedatabasethathasbeencreatedby ExtractionViews.Bydefault,ExtractionViewsaredisabled.Youonlyenable thembyusingtheConfigurationManagerSDK.UnlessExtractionViewsare enabled,thereisnodataforthistasktodelete.DeleteAgedDeviceWipeRecord: Usethistasktodeleteageddataaboutmobiledevicewipeactionsfromthe database.DeleteAgedDevicesManagedbytheExchangeServerConnector:Usethistasktodeleteageddataaboutmobiledevicesthatare managedbyusingtheExchangeServerconnector.Thisdataisdeletedaccording totheintervalthatisconfiguredforthe Ignoremobile devicesthatareinactiveformorethan(days) option onthe Discovery taboftheExchange Serverconnectorproperties.DeleteAgedDiscoveryData:Use thistasktodeleteageddiscoverydatafromthedatabase.Thisdatacan includerecordsthatresultfromheartbeatdiscovery,networkdiscovery,and ActiveDirectoryDomainServicesdiscoverymethods(System,User,andGroup). Thistaskwillalsoremoveageddevicesmarkedasdecommissioned.Whenthis taskrunsatasite,dataassociatedwiththatsiteisdeleted,andthosechanges replicatetoothersites.DeleteAgedDistributionPointUsageData:Usethistasktodeletefromthedatabaseageddatafor distributionpointsthathasbeenstoredlongerthanaspecifiedtime.DeleteAgedEndpointProtectionHealthStatusHistoryData:UsethistasktodeleteagedstatusinformationforEndpoint Protectionfromthedatabase.DeleteAgedEnrolledDevices: Beginningwiththeupdatefor1602,thistaskisdisabledbydefault.Youcan usethistasktodeletefromthesitedatabasetheageddataaboutmobile devicesthathaven’treportedanyinformationtothesiteforaspecifiedtime.DeleteAgedInventoryHistory: Usethistasktodeleteinventorydatathathasbeenstoredlongerthana specifiedtimefromthedatabase.DeleteAgedLogData:Usethis tasktodeleteagedlogdatathatisusedfortroubleshootingfromthe database.Thisdataisn’trelatedtoConfigurationManagercomponent operations.DeleteAgedNotificationTaskHistory:Usethistasktodeleteinformationaboutclientnotification tasksfromthesitedatabasewhenithasn’tbeenupdatedforaspecifiedtime.DeleteAgedReplicationSummaryData:Usethistasktodeleteagedreplicationsummarydatafromthe sitedatabasewhenithasn’tbeenupdatedforaspecifiedtime.DeleteAgedPasscodeRecords:Use thistaskatthetop-levelsiteofyourhierarchytodeleteagedPasscodeReset dataforAndroidandWindowsPhonedevices.PasscodeResetdataisencrypted, butdoesincludethePINfordevices.Bydefault,thistaskisenabledand deletesdatathatisolderthanoneday.DeleteAgedReplicationTrackingData:Usethistasktodeleteageddataaboutdatabasereplication betweenConfigurationManagersitesfromthedatabase.Whenyouchangethe configurationofthismaintenancetask,theconfigurationappliestoeachapplicable siteinthehierarchy.DeleteAgedSoftwareMeteringData:Usethistasktodeleteageddataforsoftwaremeteringthathas beenstoredlongerthanaspecifiedtimefromthedatabase.DeleteAgedSoftwareMeteringSummaryData:Usethistasktodeleteagedsummarydataforsoftwaremetering thathasbeenstoredlongerthanaspecifiedtimefromthedatabase.DeleteAgedStatusMessages:Use thistasktodeleteagedstatusmessagedataasconfiguredinstatusfilter rulesfromthedatabase.DeleteAgedThreatData:Usethis tasktodeleteagedEndpointProtectionthreatdatathathasbeenstoredlonger thanaspecifiedtimefromthedatabase.DeleteAgedUnknownComputers: Usethistasktodeleteinformationaboutunknowncomputersfromthesitedatabase whenithasn’tbeenupdatedforaspecifiedtime.DeleteAgedUserDeviceAffinityData:UsethistasktodeleteagedUserDeviceAffinitydatafromthedatabase.DeleteAgedCMPivotResults:UsethistasktodeletefromthesitedatabaseagedinformationfromclientsinCMPivotqueries.DeleteAgedCloudManagementGatewayTrafficData:Usethistasktodeletefromthesitedatabaseallageddataaboutthetrafficthatpassesthroughthe cloudmanagementgateway.Thisdataincludes:ThenumberofrequestsTotalrequestbytesTotalresponsebytesNumberoffailedrequestsMaximumnumberofconcurrentrequestsDeleteExpiredMDMBulkEnrollPackageRecords:UsethistasktodeleteoldBulkEnrollmentcertificatesand correspondingprofilesaftertheenrollmentcertificatehasexpired.DeleteInactiveClientDiscoveryData:Usethistasktodeletediscoverydataforinactiveclientsfrom thedatabase.Clientsaremarkedasinactivewhentheclientisflaggedas obsoleteandbyconfigurationsthataremadeforclientstatus.Thistaskoperatesonlyonresourcesthat areConfigurationManagerclients.It’sdifferentthanthe DeleteAged DiscoveryData task,whichdeletesany ageddiscoverydatarecord.Whenthistaskrunsatasite,itremovesthedata fromthedatabaseatallsitesinahierarchy.Whenit’senabled,configurethistaskto runatanintervalgreaterthanthe HeartbeatDiscovery schedule.ThisenablesactiveclientstosendaHeartbeatDiscovery recordtomarktheirclientrecordasactivesothistaskdoesn’tdeletethem.DeleteObsoleteAlerts:Usethis tasktodeleteexpiredalertsthathavebeenstoredlongerthanaspecified timefromthedatabase.DeleteObsoleteClientDiscoveryData:Usethistasktodeleteobsoleteclientrecordsfromthedatabase. Arecordthatismarkedasobsoletehasusuallybeenreplacedbyanewerrecord forthesameclient.Thenewerrecordbecomestheclient’scurrentrecord.DeleteObsoleteForestDiscoverySitesandSubnets:UsethistasktodeletedataaboutActiveDirectorysites, subnets,anddomainsthathaven’tbeendiscoveredbytheActiveDirectory ForestDiscoverymethodinthelast30days.Thisremovesthediscoverydata, butdoesn’taffectboundariesthatarecreatedfromthisdiscoverydataDeleteOrphanedClientDeploymentStateRecords:Usethistasktoperiodicallypurgethetablethatcontainsclient deploymentstateinformation.Thistaskwillcleanuprecordsassociatedwith obsoleteordecommissioneddevices.DeleteUnusedApplicationRevisions:Usethistasktodeleteapplicationrevisionsthatarenolonger referenced.EvaluateCollectionMembers:You configuretheCollectionMembershipEvaluationasasitecomponent.MonitorKeys:Usethistaskto monitortheintegrityoftheConfigurationManagerdatabaseprimarykeys.A primarykeyisacolumn(oracombinationofcolumns)thatuniquelyidentifies onerowanddistinguishesitfromanyotherrowinaMicrosoftSQLServer databasetable.RebuildIndexes:Usethistaskto rebuildtheConfigurationManagerdatabaseindexes.Anindexisadatabase structurethatiscreatedonadatabasetabletospeedupdataretrieval.For example,searchinganindexedcolumnisoftenmuchfasterthansearchinga columnthatisn’tindexed.SummarizeInstalledSoftwareData: Usethistasktosummarizethedataforinstalledsoftwarefrommultiple recordsintoonegeneralrecord.Datasummarizationcancompresstheamountof datathatisstoredintheConfigurationManagerdatabase.SummarizeSoftwareMeteringFileUsageData:Usethistasktosummarizethedatafrommultiplerecordsfor softwaremeteringfileusageintoonegeneralrecord.Datasummarizationcan compresstheamountofdatathatisstoredintheConfigurationManager database.SummarizeSoftwareMeteringMonthlyUsageData:Usethistasktosummarizethedatafrommultiplerecordsfor softwaremeteringmonthlyusageintoonegeneralrecord.Datasummarizationcan compresstheamountofdatathatisstoredintheConfigurationManager database.UpdateApplicationAvailableTargeting:UsethistasktohaveConfigurationManagerrecalculatethe mappingofpolicyandapplicationdeploymentstoresourcesincollections.When youdeploypolicyorapplicationstoacollection,ConfigurationManager createsaninitialmappingbetweentheobjectsthatyoudeployandthe collectionmembers.Thesemappingsarestoredinatablefor quickreference.Whenacollectionsmembershipchanges,thesestoredmappings areupdatedtoreflectthosechanges.However,it’spossibleforthesemappings tofalloutofsync.Forexample,ifthesitefailstoproperlyprocessa notificationfile,thatchangemightnotbereflectedinachangetothe mappings.Thistaskrefreshesthatmappingbasedoncurrentcollection membership.UpdateApplicationCatalogTables:UsethistasktosynchronizetheApplicationCatalogwebsitedatabasecachewiththelatestapplicationinformation.Whenyouchangetheconfigurationofthismaintenancetask,theconfigurationappliestoallprimarysitesinthehierarchy.Part23–BackupyourServerafterSCCMInstallationInthelastpartofthisSCCMInstallationGuide,wewillsetupautomationbackupforConfigurationManagersitesbyschedulingthepredefinedBackupSiteServermaintenancetask.Thistaskhasthefollowingfeatures:RunsonascheduleBacksupthesitedatabaseBacksupspecificregistrykeysBacksupspecificfoldersandfilesBacksupthe CD.LatestfolderPlantorunthedefaultsitebackuptaskat aminimumofeveryfivedays.ThisscheduleisbecauseConfigurationManager usesa SQLServerchangetrackingretentionperiod offivedays.Tosimplifythebackupprocess,youcan createan AfterBackup.bat file.This scriptautomaticallyrunspost-backupactionsafterthebackuptaskcompletes successfully.UsetheAfterBackup.batfiletoarchivethebackupsnapshottoa securelocation.YoucanalsousetheAfterBackup.batfiletocopyfilesto yourbackupfolder,ortostartotherbackuptasks.Sitebackupstatusinformationiswritten tothe Smsbkup.log file.Thisfile iscreatedinthedestinationfolderthatyouspecifyinthepropertiesofthe BackupSiteServermaintenancetask.ToenablethesitebackupmaintenancetaskGotothe Administration workspace,expand SiteConfigurationClick SiteMaintenanceTasks intheribbon.Selectthe BackupSiteServer task,andclick Edit.Selecttheoptionto Enablethistask.Click SetPaths tospecifythebackupdestination.Youhavethefollowingoptions:Localdriveonsiteserverforsitedataanddatabase:Specifiesthatthetaskstoresthebackupfilesforthesiteandsitedatabaseinthespecifiedpathonthelocaldiskdriveofthesiteserver.Createthelocalfolderbeforethebackuptaskruns.TheLocalSystemaccountonthesiteservermusthaveWrite NTFSfilepermissionstothelocalfolderforthesiteserverbackup.TheLocalSystemaccountonthecomputerthat’srunningSQLServermusthave Write NTFSpermissionstothefolderforthesitedatabasebackup.Networkpath(UNCname)forsitedataanddatabase:Specifiesthatthetaskstoresthebackupfilesforthesiteandsitedatabaseinthespecifiednetworkpath.Createthesharebeforethebackuptaskruns.Thecomputeraccountofthesiteservermusthave Write NTFSandsharepermissionstothesharednetworkfolder.IfSQLServerisinstalledonanothercomputer,thecomputeraccountoftheSQLServermusthavethesamepermissions.LocaldrivesonsiteserverandSQLServer:Specifiesthatthetaskstoresthebackupfilesforthesiteinthespecifiedpathonthelocaldriveofthesiteserver.Thetaskstoresthebackupfilesforthesitedatabaseinthespecifiedpathonthelocaldriveofthesitedatabaseserver.Createthelocalfoldersbeforethebackuptaskruns.Thecomputeraccountofthesiteservermusthave Write NTFSpermissionstothefolderthatyoucreateonthesiteserver.ThecomputeraccountoftheSQLServermusthave Write NTFSpermissionstothefolderthatyoucreateonthesitedatabaseserver.Thisoptionisavailableonlywhenthesitedatabaseisn’tinstalledonthesiteserver.VerifythattheBackupSiteServermaintenancetaskis runningCheckthetimestamponthefiles inthebackupdestinationfolderthatthetaskcreated.Verifythatthe timestampupdatestothetimewhenthetaskwaslastscheduledtorun.Gotothe Component Status nodeofthe Monitoring workspace.Reviewthestatusmessagesfor SMS_SITE_BACKUP.Whensitebackupcompletessuccessfully,youseemessageID 5035.Thismessageindicatesthatthesitebackupcompletedwithoutany errors.Whenyouconfigurethebackup tasktocreateanalertwhenitfails,lookforbackupfailurealertsin the Alerts nodeofthe Monitoring workspace.OpenWindowsExploreronthesiteserverandbrowseto \Logs.Review Smsbkup.log for warningsanderrors.Whensitebackupcompletessuccessfully,thelog shows Backup completed with messageID STATMSG:ID=5035.SQLBackupIt’salsopossibletobackupyourSCCMserverusingSQLMaintenancetask.Thebiggestadvantageofthismethodisthatitofferscompression.Pleasereadthisblogpostifyoupreferthismethod.Beawarethatthisbackupmethoddoesn’tbackuptheCD.Latestfolderwhichisimportant.Youcouldalsohavebothbackupmethodsenabledifneeded.MoreSCCMRessourcesSystemCenterDudesoffersnumerous configurationsguidesandcustomreportstoeaseyourConfigurationManager day-to-dayoperations.Consultourproductpagetoseethecompletelist.ThatconcludethisSCCMInstallationGuide,wehopethatitwashepful.Feelfreetoleaveyourcommentinthesectionbelow. 32Commentson“CompleteSCCMInstallationGuideandConfiguration” LogintoReplyThelinkfortheReportVieweristoaFrenchversionofapagethatnolongerexists.IwasabletofindReportViewerruntimesfor2012and2015–is2015thelatestversionavailable?AnddoesitworkwithSQL2019andcurrentbranchConfigMgr? LogintoReplyveryhelpful. ThankYou. LogintoReplyGoodafternoon,Ihaveaproblem,Iwanttoinstallmicrosoftupdates.butin“obligatory”itisnoted0,percentageconforms79…butitisnotcorrect.WhenIfinishmydeploymentpackage,theydonotdeploybecausenot“mandatory”.howcanisolvethisproblem? LogintoReplyWhyonthePrereqchkareyouusingAdminUI?Isn’tthatswitchonlyforcheckingifthecomputercanhavethemanagementconsoleinstalled?Shouldn’ttheLocalswitchbeusedtocheckthattheserverisreadytohaveMECMinstalled? LogintoReplyHi,theMicrosoftpagehttps://docs.microsoft.com/en-us/mem/configmgr/core/understand/product-and-licensing-faq#bkmk_sqlindicatesthatConfigManager“includesSQLServerTechnology”,meaningnolicenseandnoSQLServerCALsrequiredsolongasyoudon’tuseitforotherthings.Howarewesupposedtoinstallinthiscase—andwhatlicenseshouldwebeindicatingwhenwegettothedatabaseportionoftheinstallation? LogintoReplyHi,youcanusetheonefromyourvolumelicensing.Whenyou’llhaveatrueupwithMicrosoft,thatlicenseshouldbefreetousealongyourlicensingforSCCM.thanks Jonathan LogintoReplyHiItsquiteinformativesiteswithstepbystepguide.HoweverineedsomeguidanceonhowtoUninstallAzureInformationProtectionOldClient(AIP)viaSCCM.Anystepbystepguideorcommands?? LogintoReplyHelloall,Goodjobforthisguide!PersonallyIwouldhavemadeseveralpostsbytopic,becausetheguideisreallyverylong… SomeadditionsorarticleideaswouldbetomakeapostonhowtoswitchfromaSCCMR2versiontothecurrentbranchbyabackup/restore,whentheoperatingsystemisobsolete(sidebyside)oralso:WhichversionofWindowsServer201x,chooseforSCCMCB(semi-annualchannelornot)?Anothercoolarticlewouldbe:HowtomovetheSCCMdatabasetoaremoteSQLserver?Andfinally,whenshouldyouputseveralSMSprovidersdependingonthenumberofconsolesthatwillbeused?Thenotionof“Active/Passive”siteinSCCM…WelltheideaisnottoredotheMicrosoftsite,buthey…RegardsMitchawkes LogintoReplyIvehadthisissuebeforeonotherguides.WhenusingWindowsADK8.1,Igeterrorsonthepre-check.Windows8usuallyworkedbutitsnolongeravailable.Anytips? LogintoReplyHiMaelstrm,ADK8.1islonggoneforsupportunderConfigMgr. Seeourpostonhowtoupdateit. https://systemcenterdudes.com/how-to-update-windows-adk-on-a-sccm-server/thanks Jonathan LogintoReplyRe:TheEndpointProtectionsection,fortheProductstab,the“ForefrontEndpointProtection2010”isnolongerlistedinmorerecentbuildsofSCCM.IamjustsettingupEPPonanewinstallofSCCMandsee“SystemCenterEndpointProtection”isalreadychecked.Isthatallthatisneeded?Ifyouscrollthroughthelistofotherproducts,thereisalso“MicrosoftDefenderAntivirus”.Doesthatalsoneedtobeselected? LogintoReplyHiSir_timbit,thanksforpointingthis.I’llupdatethescreenshot. YesMicrosoftDefenderAntivirusshoulddoit.Jonathan LogintoReplyGuideisok,butIhaveseenbetterones.WhyarescreenshotsfromealierversionslikeSCCM2012areshownhere. Itisconfusing.Ialsoagreetosir_timbitcomment. LogintoReplyHiDaniel,thanksforyourcomment,we’lllookintoitforsomeoldscreenshots. LikelydisplayingSCCM2012,buteverythingelsehasn’tchangedJonathan LogintoReplyThanksforaverydetailedguide!Canyoupleaseclarifythedriveinstallationstepsthough.Atthebeginning,youlisted5recommendedpartitions: c:\forWindowsOS d:\forSCCM e:\forSQLDatabase f:\forSQLTempDB g:\forSQLtransactionlogsandSQLTempDBlogsButtheinstallstepsyouhavefurtherdownintheguidedon’tquitematchthatsetup?NotsureIunderstand.1)Under“FeatureSelection”,theinitialinstallofSQLdatabaseengineservicesgoestodriveD(SCCM)insteadofthedefaultC:\ProgramFiles…IsthatjusttokeepSQLinstall/programfilesseparatefromtheOS?2)Under“DatabaseEngineConfiguration”,shouldn’tthedatabaselogdirectorybesettoG:\andnotF:\?3)Under“DatabaseEngineConfiguration/TempDBtab”,theguideshowstheTempDBbeinginstalledatE:\SQL_databaseandlogsatf:\SQL-Logs.Shouldn’tthesebeatF:\SQL_databaseforthetempSQL-database,andG:\SQL_logsforthelogdirectory?Thanksagain, Sir_Timbit LogintoReplyHiGuys!Ireallylikethisguide.ButIamlookingforinfosabouthowtoaddnewserverormovetonewserveryoursccmenviroment.Anysuggestionwheretostartit? Ourcurrentversionis1902andhavetomoveon,butalsohavetoinstallthenewsystemonanewVM,theoldoneisveryjunkynow.Thanks,Arpad LogintoReplyHiRhytepadar, isthiswhatyouarelookingfor? https://systemcenterdudes.com/sccm-migration-to-new-operating-system-guide/thanks Jonathan LogintoReplyHi ihavedifferentdrivessetupassuggestedearlieronsiteserver: C:OS=150 E:SCCM=200GB F:SQLDatabase=100GB G:SQLTempDB=50GB H:SQLLogs=50GB Howcanisetup -rootandsharedfeaturedirectorieson“FeaturesSelection“Tab, -datadirectoriesandtempdbdirectorieson“DatabaseEngineConfiguration”Tab LogintoReplyArethereanyplanstoupdatethisfor2002takingSQLserver2019intoconsideration? LogintoReplyHiBo,yesweareworkingontheguideincludingSQLserver2019,sinceit’sbeenofficiallysupportedforlatestMEMCMthanks Jonathan Pingback:MicrosoftOSDeploymentLayers–TechMike Pingback:CompleteSCCMInstallationGuideandConfiguration LogintoReplyBrilliantGuide!Whatwouldyourecommend,settingMinimum&MaximumorOnlytheMaximumvalue?Let’ssay,Ihave18GBRAM Minimum0 Maximum10240 Iwillleave8GBfortheOSThoughts?Regards, jorgebatista LogintoReplyThanksforthedetailedinstallationguidewithimages.Ithelpsalot. LogintoReplythereportviewerandADKlinksaretoolderversions.Wasthatintentional? LogintoReplyExcellentguide!!Thankyou!!DoyouguyshaveaguideonmovingasingleserverSCCMconfigurationtonewhardware? LogintoReplyHiSideMory,Isthatwhatyouarelookingfor? https://systemcenterdudes.com/sccm-migration-to-new-operating-system-guide/#comment-1089627Jonathan LogintoReplyHieveryone,hereeverypersonissharingthesekindsofknow-how,thereforeit’snice toreadthiswebsite,andIusedtovisitthiswebsitedaily. LogintoReplyExcellentGuide,ilovehttps://systemcenterdudes.com/andibecameamemberofthissitebecauseofthisguide. LogintoReplyWhatifSCCMmustbeinstalledinitsowndedicatedSQLInstance?Makesitabitmoretricky LogintoReplyThanksfortheexcellentguide,FYIWSUSismissingfromthepowershellscriptinaddFeatures. LogintoReplyFantasticguide!Thankyouforcompilingallofthisinformationtogether. LeaveaReplyCancelreplyYoumustbeloggedintopostacomment.OnlineStoreWedevelopthebestSCCM/MEMCMGuides,Reports,andPowerBiDashboards.Checkthemout!PartnersTeamMembersLatestPostsStep-by-StepSCCM2203UpgradeGuidebyBenoitLecoursApril8,2022 HowtomoveSCCMMoveContentLibrarytoanotherdrivebyJonathanLefebvreApril5,2022 PopularSCCMTipsandTricksbyBenoitLecoursMarch31,2022 SCCMreportsubscriptionssrsdoesnotlistEmailinDropDownMenubyBenoitLecoursMarch28,2022 SCCMPowerShellScripttoDeleteUnusedCollectionbyBenoitLecoursMarch28,2022 TypeandPress“enter”toSearch Weusecookiestoensurethatwegiveyouthebestexperienceonourwebsite.Ifyoucontinuetousethissitewewillassumethatyouareacceptingit.AcceptPrivacypolicy