Complete SCCM Installation Guide and Configuration
This post is HUGE; use this table of contents to navigate easily through the SCCM installation guide sections.
Part 1 | Design Recommendation and Installation Prerequisites
Part 2 | SQL Installation and Configuration
Part 3 | SCCM Installation
Part 4 | Application Catalog Web Service Point Installation
Part 5 | Application Catalog Website Point Installation
Part 6 | Asset Intelligence Synchronization Point Installation
Part 7 | Certificate Registration Point Installation
Part 8 | Distribution Point Installation
Part 9 | Endpoint Protection Point Installation
Part 10 | Enrollment Point Installation
Part 11 | Enrollment Proxy Point Installation
Part 12 | Fallback Status Point Installation
Part 13 | Management Point Installation
Part 14 | Reporting Services Point Installation
Part 15 | Software Update Point Installation
Part 16 | State Migration Point Installation
Part 17 | System Health Validator Point Installation
Part 18 | Service Connection Point Installation
Part 19 | Boundaries Configuration
Part 20 | Client Settings Configuration
Part 21 | Discovery Methods Configuration
Part 22 | Maintenance Task Configuration
Part 23 | Backup and Restore
Part 24 | Enable Co-Management (external post)
Part 25 | Cloud Distribution Point (external post)
Part 26 | Cloud Management Gateway (external post)
Part 27 | Start your modern management journey (Co-management and Intune) (external post)
SCCM INSTALLATION GUIDE
Design a hierarchy of sites
Recommended hardware
Supported configurations
Plan for the site database
Plan for site system servers and site system roles
We strongly recommend that you understand SQL Server before installing SCCM. If you have a DBA in your organization, talk to
them and keep a good relationship.
Here’s our recommended reading about SQL:
Storage Top 10 Best Practice
SQL Server Best Practices Article
Disk Partition Alignment Best Practices for SQL Server
DISKS
Disk I/O is the most important aspect of SCCM performance. We recommend configuring the disks following SQL best
practices. Split the load across different drives. When formatting SQL drives, the cluster size (block size) in NTFS must be 64KB
instead of the default 4K. See the previously recommended reading to achieve this.
Letter | Content | Size
C:\ | Windows | 100GB
D:\ | SCCM | 200GB
E:\ | SQL Database (64K) | 40GB
F:\ | SQL TempDB (64K) | 40GB
G:\ | SQL Transaction Logs (64K), SQL TempDB Logs | 40GB
Select Container
In the Security tab, add the site server computer account and grant it Full Control permissions
Click Advanced, select the site server’s computer account, and then click Edit
In the Applies to list, select This object and all descendant objects
Click OK and close the ADSIEdit console
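One way to audit the result of the permission steps above (an added example, not part of the original guide): it confirms that the site server computer account holds Full Control applied to this object and all descendant objects, and lists any other principal with Full Control. The container is assumed to be the standard System Management container under CN=System, which the steps above do not name; the CONTOSO names, the allow-list and the sample ACEs are constructed.

```powershell
# Added example, not part of the original guide. Account names, the allow-list
# and the sample ACEs are constructed; adjust them to your domain.

function Test-SystemManagementAcl {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,        # entries from (Get-Acl).Access
        [Parameter(Mandatory)] [string]   $SiteServer, # site server computer account
        # Principals this example treats as expected Full Control holders (assumption).
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins')
    )

    # "Full Control" in the Security tab corresponds to an Allow ACE with GenericAll.
    $full = @($Ace | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.ActiveDirectoryRights)" -match '\bGenericAll\b'
    })

    # Full Control ACEs that belong to the site server computer account.
    $own = @($full | Where-Object { "$($_.IdentityReference)" -eq $SiteServer })

    # "This object and all descendant objects" is InheritanceType 'All'.
    $ownInherited = @($own | Where-Object { "$($_.InheritanceType)" -eq 'All' })

    # Anyone else with Full Control here can alter what the site publishes to AD.
    $others = @($full | ForEach-Object { "$($_.IdentityReference)" } |
        Where-Object { $_ -ne $SiteServer -and $Expected -notcontains $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        SiteServerHasFullControl = $own.Count -gt 0
        AppliesToDescendants     = $ownInherited.Count -gt 0
        UnexpectedFullControl    = $others
    }
}

# Live query (requires the ActiveDirectory module from RSAT):
#   Import-Module ActiveDirectory
#   $dn  = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"
#   $ace = (Get-Acl -Path "AD:\$dn").Access

# Constructed sample ACEs with the same property names Get-Acl returns.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\SCCM01$'
                       ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; InheritanceType = 'All' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'
                       ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; InheritanceType = 'None' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\helpdesk-tier1'
                       ActiveDirectoryRights = 'GenericAll'
                       AccessControlType = 'Allow'; InheritanceType = 'All' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
                       ActiveDirectoryRights = 'GenericRead'
                       AccessControlType = 'Allow'; InheritanceType = 'None' }
)

Test-SystemManagementAcl -Ace $sample -SiteServer 'CONTOSO\SCCM01$' | Format-List
```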
SCCM ACCOUNTS
Create the necessary accounts and groups before installation. You can use different names, but I’ll refer to these names
throughout the guide.
SQL server services account – SCCM-SQLService
SCCM Network Access Account – SCCM-NAA
Domain user account for use with SCCM client push install – SCCM-ClientPush
Domain user account for use with reporting services User – SCCM-SQLReporting
Domain account used to join machine to the domain during OSD – SCCM-DomainJoin
Domain group containing all SCCM Admins Group – SCCM-Admins
Domain group containing all SCCM servers in the hierarchy Group – SCCM-SiteServers
NETWORK CONFIGURATION
Make sure that the server has a fixed IP and that internet connection is up
FIREWALL CONFIGURATION
Make sure the firewall service is ON
Run this script in an elevated command prompt in order to open the necessary ports needed for SCCM.
** If you are using custom ports, change the values before running the script. **
NO_SMS_ON_DRIVE.SMS
Place a file named no_sms_on_drive.sms in the root of each drive on which you don’t want SCCM to put content.
WINDOWS SERVER FEATURES
On the Primary site server, the following components must be installed before SCCM installation. We’ll install all these
components using a PowerShell script.
.Net Framework 3.51 SP1
.Net Framework 4
IIS
Remote Differential Compression
BITS Server Extension
WSUS 3.0 SP2
Report Viewer
ADK for Windows 8.1
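# Load the Server Manager cmdlets that provide Install-WindowsFeature
Import-Module ServerManager
# IIS components required by the site system roles
Install-WindowsFeature Web-Windows-Auth
Install-WindowsFeature Web-ISAPI-Ext
Install-WindowsFeature Web-Metabase
Install-WindowsFeature Web-WMI
# BITS and Remote Differential Compression
Install-WindowsFeature BITS
Install-WindowsFeature RDC
# .NET 3.5 needs the side-by-side source files; replace the UNC path with your own share
Install-WindowsFeature NET-Framework-Features -Source \\yournetwork\yourshare\sxs
Install-WindowsFeature Web-Asp-Net
Install-WindowsFeature Web-Asp-Net45
# WCF activation
Install-WindowsFeature NET-HTTP-Activation
Install-WindowsFeature NET-Non-HTTP-Activ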
Ensure that every component shows Success as its exit code. It’s normal to have Windows Update warnings at this
point.
REPORT VIEWER
Download and install – here
ADK FOR WINDOWS
Download and install – here
10
Select the default path
Do not join CEIP
SCCM CLIENT
If applicable, uninstall SCCM 2007 client and FEP if present on the server before the installation. If the client is present, the
2012 SCCM Management Point installation will fail.
WINDOWS UPDATES
Run Windows Update and patch your server to the highest level
Your server is now ready for the SQL installation.
Click the following link to see all supported SQL versions. For our post, we will install SQL 2017 locally on the same server where
the Primary Site will be installed.
Execute Setup.exe from the SQL installation media, select New SQL server stand-alone installation
Provide the product key and click Next
Review and Click Next
Check Use Microsoft Update to check for updates and click Next
Select SQL Server Feature Installation
Important Info
Note that some steps in the wizard are automatically skipped when no action is required. For example, Products Updates, Install setup Files
and Install Rules might be skipped.
Select the Database Engine feature and specify the SQL installation directory. This is the directory for the program files and
shared features
Select Default instance and ensure that your instance is created on the SQL Volume
Set all services to run as the SQL domain account that you created previously and set the services startup type to
Automatic
On the Collation tab, set the Database Engine to use SQL_Latin1_General_CP1_CI_AS
In the Server Configuration tab, set the authentication mode to Windows Authentication and in the SQL Server
Administrators add your SCCM Admins group
In the Data Directories tab set your drive letters correctly for your SQL databases, Logs, TempDB, and backup
On the TempDB, complete the various information based on the Database sizing section below.
Click Install
Complete the installation by clicking Close
INSTALL SQL SERVER MANAGEMENT STUDIO (SSMS)
Back in the SQL Server Installation Center, click on Install SQL Server Management tools.
This will redirect you to the Download page of SQL Server Management Studio. SSMS is no longer tied to the SQL server
installation in terms of version.
SQL CONFIGURATION
SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid the warning, we’ll
set the SQL Server memory limits to 8GB-12GB (80% of available RAM).
Open SQL Server Management Studio
Right click the top SQL Server instance node
Select Properties
In the Memory tab define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of
your server available RAM. In my case I have 16GB available.
Minimum 8192
Maximum 12288
DATABASE SIZING
We always recommend creating the SCCM database before the setup. This is not mandatory: SCCM will create the database for
you during setup, but not in the optimal way. We strongly recommend watching The Top Ten Lessons Learned in
Managing SQL session from MMS2013, which covers it all.
We follow the guide made by MVP Kent Agerlund to estimate our DB sizing needs. Visit his blog post and download the provided
Excel file. Input your values in the blue cells and keep it for the next part. We’ll create the DB with those values using a script in
the next section.
For this blog post, we’ve created a database for 2000 clients, 2 processors, 2 cores and 16GB RAM.
CREATE DATABASE
To create the database, you can use Kent’s script and input your values (as returned previously in the Excel file) OR use the
following one which is really simple:
The Name value will become your Site Code during the SCCM installation. Be sure to select a unique Site Code.
**Replace all XXX values with your 3 character Site Code**
**Change the values of the Filename, Size, MaxSize and FileGrowth. Change the location of the file to your SQL and Logs
drives**
USE master
GO
-- First data file on the SQL database drive, transaction log on the logs drive
CREATE DATABASE CM_XXX
ON
( NAME = CM_XXX_1, FILENAME = 'E:\SCCMDB\CM_XXX_1.mdf', SIZE = 7560, MAXSIZE = UNLIMITED, FILEGROWTH = 2495)
LOG ON
( NAME = XXX_log, FILENAME = 'G:\SCCMLogs\CM_XXX.ldf', SIZE = 4990, MAXSIZE = 4990, FILEGROWTH = 512)
GO
-- Second data file on the SQL database drive
ALTER DATABASE CM_XXX
ADD FILE ( NAME = CM_XXX_2, FILENAME = 'E:\SCCMDB\CM_XXX_2.mdf', SIZE = 7560, MAXSIZE = UNLIMITED, FILEGROWTH = 2495)
GO
Run the following scripts to size the TempDB. (using the value returned by the Excel file)
**Change the values of Filename, Size, MaxSize and FileGrowth. Change the location of the file to your TempDB drives**
use master
go
-- TempDB data file on the TempDB drive
alter database tempdb modify file (name='tempdev', filename='F:\SCCMTempDB\tempDB.MDF', SIZE = 4536, MAXSIZE = UNLIMITED, FILEGROWTH = 512)
go
-- TempDB log file on the logs drive
alter database tempdb modify file (name='templog', filename='G:\SCCMLogs\templog.LDF', SIZE = 2268, MAXSIZE = UNLIMITED, FILEGROWTH = 512)
go
On the Primary Site Installation screen, select Install the primary site as a stand-alone site. If you have a Central
Administration site, this is where you would join the Primary Site to the existing hierarchy
On the warning, click Yes
On the Database Information screen
Enter your SQL Server Name. In our case the SQL server is the same box as SCCM
Leave the Instance Blank
Enter your Database name. Once again, this must match the previously created Database in part 2
Leave the Service Broker Port to 4022
On the Database Information screen :
Enter the path to the SQL Server data file. Locate this on the SQL Volume
Enter the path to the SQL Server log file. Locate this on the SQL Logs Volume.
I like to use the same directory where I created my database and logs (E:\SCCMDB, G:\SCCMLogs)
On the SMS Provider Settings screen, leave the SMS Provider to the default value which is the local server. Refer to the
following Technet article to read about the SMS Provider.
On the Client Computer Communication Settings screen, select Configure the communication method on each site system
role. This is where you select to have HTTPS or not on your initial Management Point and Distribution Point. This setting can
be changed later
On the Site System Roles screen :
Check Install a Management Point
Check Install a Distribution Point
We will install both MP and DP on the same box so leave the FQDN as is
The Client connection drop-down is unavailable due to our previous selection
On the Usage Data screen, click Next. This new screen basically tells that you accept that you will send some telemetry
data to Microsoft
On the Service Connection Point screen, click Next. This new role enables your deployment to download updates and new
features
On the Settings Summary Screen, review your options and click Next
On the Prerequisite Check screen, you should have no error since you’ve run it before setup, click Next
The installation is in progress. You can count between 15 and 30 minutes depending on your server specifications
You can follow the progress by clicking the View Log button or open the ConfigMgrSetup.log file on the C: drive
Wait until Core setup has completed and close the wizard
We’re not done yet! Before opening the SCCM console, we suggest installing the following tools:
CMTRACE
CMTrace will become your best friend when reading log files.
Open the SCCM ISO
Browse to .\SMSSETUP\TOOLS
Click on CMTrace.exe
Click on YES to set it as your default log viewer
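For servers where you want to triage the installation logs named throughout this guide from a script rather than in CMTrace, the following added example (not part of the original guide) parses the two line layouts found in Configuration Manager logs and keeps only warnings and errors. The sample log text is constructed, which log uses which layout is not asserted here, and the severity keywords used for the second layout are a heuristic of this example.

```powershell
# Added example, not part of the original guide. The sample log text is constructed.

$Severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

# Layout A: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
# (?s) lets a message span several physical lines.
$LayoutA = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[+-]?\d*" date="(?<date>[\d-]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

# Layout B: message  $$<component><MM-dd-yyyy HH:mm:ss.fff+offset><thread=N (0xHEX)>
$LayoutB = [regex]'(?m)^(?<msg>.*?)[ \t]*\$\$<(?<comp>[^>]+)><(?<date>[\d-]+) (?<time>[\d:.]+)[+-]?\d*><thread='

function Get-CmLogEntry {
    param([Parameter(Mandatory)] [string] $Text)

    foreach ($m in $LayoutA.Matches($Text)) {
        $sev = $Severity[$m.Groups['type'].Value]
        if (-not $sev) { $sev = 'Info' }          # unknown type values are treated as Info
        [pscustomobject]@{
            When      = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
            Component = $m.Groups['comp'].Value
            Severity  = $sev
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }

    foreach ($m in $LayoutB.Matches($Text)) {
        $msg = $m.Groups['msg'].Value.TrimEnd(' ', '~')
        # Layout B carries no type field, so severity is inferred from keywords (heuristic).
        $sev = 'Info'
        if ($msg -match '\bwarn')         { $sev = 'Warning' }
        if ($msg -match '\b(error|fail)') { $sev = 'Error' }
        [pscustomobject]@{
            When      = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
            Component = $m.Groups['comp'].Value
            Severity  = $sev
            Message   = $msg
        }
    }
}

# Constructed sample covering both layouts, including one multi-line entry.
$sampleLog = @'
<![LOG[Constructed sample: installation step started]LOG]!><time="10:15:20.123+300" date="03-14-2019" component="SampleSetup" context="" type="1" thread="4120" file="sample.cpp:10">
<![LOG[Constructed sample: prerequisite missing,
role was not installed]LOG]!><time="10:15:24.871+300" date="03-14-2019" component="SampleSetup" context="" type="3" thread="4120" file="sample.cpp:88">
Constructed sample: package queued for processing~  $$<SAMPLE_COMPONENT><03-14-2019 10:16:02.410+300><thread=5432 (0x1538)>
Constructed sample: failed to connect to remote server~  $$<SAMPLE_COMPONENT><03-14-2019 10:16:05.002+300><thread=5432 (0x1538)>
'@

Get-CmLogEntry -Text $sampleLog | Where-Object { $_.Severity -ne 'Info' } | Format-List

# Against a real file, for example the setup log this guide mentions:
#   Get-CmLogEntry -Text (Get-Content -Raw -Path 'C:\ConfigMgrSetup.log')
```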
ROLE DESCRIPTION
The Application Catalog web service point provides software information to the Application Catalog website from the Software
Library.
The Application Catalog website point provides users with a list of available software.
This is not a mandatory site system but you need both the Application Catalog website point and the Application Catalog web
service point if you want to provide your user with a Self-Service application catalog (web portal).
SITE SYSTEM ROLE PLACEMENT IN HIERARCHY
The Application Catalog web service point and the Application Catalog website point are hierarchy-wide options. It’s supported
to install those roles on a stand-alone Primary site or child Primary site. It’s not supported to install it on a Central Administration
site or Secondary site. The Application Catalog web service point must reside in the same forest as the site database.
If you have fewer than 10,000 users in your company, co-locating the Application Catalog web service and Application
Catalog website roles on the same server should be ok. The web service role connects directly to the SCCM SQL database so
ensure that the network connectivity between the SQL server and the Application Catalog web service servers is robust.
If you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness
high and user satisfaction up. Use client settings to configure collections of computers to use different Application Catalog
servers.
Read more on how to provide a great application catalog experience to your user in this Technet blog article.
If your client needs HTTPS connections, you must first deploy a web server certificate to the site system. If you need to allow
Internet clients to access the application catalog, you also need to deploy a web server certificate to the Management Point
configured to support Internet clients. When supporting Internet clients, Microsoft recommends that you install the Application
Catalog website point in a perimeter network, and the Application Catalog web service point on the intranet. For more
information about certificates see the following Technet article.
PREREQUISITES
Using Windows Server 2012, the following features must be installed before the role installation:
Application Catalog web service point
Features:
.NET Framework 3.5 SP1 and 4.0
WCF activation:
HTTP Activation
Non-HTTP Activation
IIS Configuration:
ASP.NET (and automatically selected options)
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
Application Catalog website point
Features:
.NET Framework 4.0
IIS Configuration:
Common HTTP Features
Static Content
Default Document
Application Development
ASP.NET (and automatically selected options)
Security
Windows Authentication
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
Web browser
Verify that the Application Catalog is accessible :
Open a web browser
Browse to http://YourServerName/CMApplicationCatalog
Replace YourServerName with the server name on which you installed the Application Catalog Website Point
Replace CMApplicationCatalog with the name that you give your Application Catalog. (Default is
CMApplicationCatalog)
If everything is set up correctly, you’ll see a web page like this :
URL REDIRECTION
The default URL to access the Application Catalog is not really intuitive for your users.
It’s possible to create a DNS entry to redirect it to something easier (ex: http://ApplicationCatalog). The following Coretech
article describes how to achieve that.
CLIENT SETTINGS
Ensure that the client settings for your clients are set correctly to access the Application Catalog
Open the SCCM Console
Go to Administration / Client Settings
Right-click your client settings and select Properties
On the left pane, select Computer Agent
Click the Set Website button and select your Application Catalog (the name will be automatically populated if your
Application Catalog is installed)
Select Yes on both Add Default Application Catalog website to Internet Explorer trusted site zone and Allow Silverlight
application to run in elevated trust mode
Enter your organisation name in Organisation name displayed in Software Center
That’s it, you’ve installed your SCCM Application Catalog. Publish the link to your users and start publishing your applications.
ROLE DESCRIPTION
The AISP is used to connect to Microsoft in order to download Asset Intelligence catalog information and upload
uncategorized titles. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in
Configuration Manager.
This is not a mandatory Site System but we recommend installing the AISP if you are planning to use Asset Intelligence. Read
our blog post on Why should you use Asset Intelligence in SCCM.
Site System Role Placement in Hierarchy
The AISP is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the
top-level site. Install it on your Central Administration Site or stand-alone Primary Site depending on your design.
AISP INSTALLATION
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and site System Roles
Right-click your Site System and click Add Site System Roles
VERIFICATION
Verify that the role installation is completed in AIUSSetup.log
Open the SCCM console
Navigate to Assets and Compliance / Overview / Asset Intelligence
Verify that the Sync is Enabled and Successful
ENABLE INVENTORY REPORTING CLASSES
In order to have inventory data, first ensure that Hardware Inventory is enabled in your Client Settings.
Navigate to Administration / Client Settings
Right-click your Client Settings and choose Properties
On the Hardware Inventory Tab
Ensure that your hardware inventory is Enabled
Once confirmed, enable inventory reporting classes :
Open the SCCM console
Navigate to Assets and Compliance / Asset Intelligence
Right-click Asset Intelligence and select Edit Inventory Classes
ROLE DESCRIPTION
Using SCCM and Intune, the CRP communicates with a server that runs the Network Device Enrollment Service (NDES) to
provision device certificate requests.
This is not a mandatory Site System but we recommend to install a CRP if you need to provision client certificates to your
devices (like VPN or WIFI).
PREREQUISITES
Before the CRP can be installed, dependencies outside SCCM are required. I won’t cover the prerequisite configuration in detail
as they are well documented in this Technet article and it goes beyond SCCM. Here’s an overview of what needs to be done:
Install the NDES role on a Windows 2012 R2 Server
Modify the security permissions for the certificate templates that the NDES is using
Deploy a PKI certificate that supports client authentication
Locate and export the Root CA certificate that the client authentication certificate chains to
Increase the IIS default URL size limit
Modify the request-filtering settings in IIS
On the machine that will receive the CRP role, install the following using Windows server role and features:
IIS
ASP .NET 3.5
ASP .NET 4.5
WCF HTTP Activation
If you are installing CRP on a remote machine from the site server, you will need to add the machine account of the site server
to the local administrator’s group on the CRP machine.
Save this .cer file on the NDES server as we will need it in the next section.
REFERENCES
Here are my favourite articles covering the subject:
Technet Article
Configuration Team Blog article
Pieter Wigleven’s installation (Technical Solution Professional at Microsoft)
Peter van der Woude’s key configuration steps
PART 8 – DISTRIBUTION POINT INSTALLATION
In this part, we will describe how to perform an SCCM distribution point installation.
I saw a lot of posts recently on the Technet forum which leads me to think that there’s a lack of documentation explaining this.
INTRODUCTION
Several distribution points can provide better access to available software, updates, and operating systems. A local Distribution
Point also prevents installation through the WAN.
PRE-REQUISITES
Functional SCCM hierarchy
SCCM Admin console access
RDP access on the Distribution Point server
The required level of security in the SCCM console
BITS
The distribution point site system role does not require Background Intelligent Transfer Service (BITS). When BITS is configured
on the distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by
clients that use BITS
FIREWALL
Ensure that your firewall is set correctly. 2 ports need to be opened.
VERIFICATION
LOGS
You can track the installation progress in 2 logs:
Distmgr.log on the site server
Smsdpprov.log on the distribution point. (InstallationDrive\SMS_DP$\SMS\Logs)
WINDOWS EXPLORER
At this point, you will see the SCCM file structure created on the site server.
CONSOLE
You can also track the installation progress in the SCCM console under Monitoring / Distribution Status / Distribution Point
Configuration Status
Click on your DP
Click the detail tab on the bottom
Check for green check mark on all components
Note: An error on the IIS Virtual directory is normal at the start of the process. SCCM checks whether IIS is installed at the
start of the process even if you tell SCCM to enable IIS for you. That results in errors, but be patient and the installation
should succeed anyway
Verify the status of your new DP in Administration / System Status / Site Status
REPLICATE CONTENT
You can now replicate your content to your newly created DP. Replicate manually all your content or add your DP in an existing
DP group.
Replicate a package or Application to your newly created site system
Verify that the content is well replicated in the SCCM Console. (or check distmgr.log)
That’s it ! You’re done creating your DP.
ROLE DESCRIPTION
The Endpoint Protection Point provides the default settings for all antimalware policies and installs the Endpoint Protection
client on the Site System server to provide a data source from which the SCCM database resolves malware IDs to names. When
you install this Site System Role, you must accept the license terms for System Center 2012 R2 Endpoint Protection.
This is not a mandatory Site System but you need to install an EPP if you’re planning to use SCCM as your anti-virus
management solution (using Endpoint Protection).
EPP INSTALLATION
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Right-click your Site System and click Add Site System Roles
On the General tab, click Next
On the Proxy tab, click Next
On the Site System Role tab, select Endpoint Protection Point, click Next
Accept the License Terms and click Next
Select Do not join MAPS, click NEXT
On the Summary tab, review your settings and click Next
Wait for the setup to complete and click Close
SUP CONFIGURATION
After the installation, you must add Endpoint Protection definition files in your Software Update Point.
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Click the Configure Site Components button and select Software Update Point
On the Products tab, check Forefront Endpoint Protection 2010 and click Ok
VERIFICATION
ConfigMgrInstallationPath\Logs\EPSetup.log – Detailed EP Installation status
ROLE DESCRIPTION
The Enrollment Point uses PKI certificates for Configuration Manager to enroll mobile devices, Mac computers and to provision
Intel AMT-based computers.
The Enrollment Proxy Point manages Configuration Manager enrollment requests from mobile devices and Mac computers.
This is not a mandatory site system but you need both Enrollment Point and Enrollment Proxy Point if you want to enroll legacy
mobile devices, Mac computers and to provision Intel AMT-based computers. Since modern mobile devices are
mostly managed using Windows Intune, this post will focus mainly on Mac computer enrollment.
SITE SYSTEM ROLE PLACEMENT IN HIERARCHY
The SCCM Enrollment Point and Enrollment Proxy Point are site-wide options. It’s supported to install those roles on a stand-
alone or child Primary site. It’s not supported to install it on a Central Administration site or Secondary site.
You must install an SCCM Enrollment Point in the user’s forest so that the user can be authenticated if a user enrolls mobile
devices by using SCCM and their Active Directory account is in a forest that is untrusted by the site server’s forest.
When you support mobile devices on the Internet, as a security best practice, install the Enrollment Proxy Point in a perimeter
network and the Enrollment Point on the intranet.
PREREQUISITES
Beginning with System Center 2012 Configuration Manager SP2, the computer that hosts the SCCM Enrollment Point
or Enrollment Proxy Point site system role must have a minimum of 5% of the computer’s available memory free to enable the
site system role to process requests. When those site system roles are co-located with another site system role that has this
same requirement, this memory requirement for the computer does not increase, but remains at a minimum of 5%.
Using Windows Server 2012, the following features must be installed before the role installation:
Enrollment Point
Features:
.NET Framework 3.5
.NET Framework 4.5
HTTP Activation (and automatically selected options)
ASP.NET 4.5
Common HTTP Features
Default Document
Application Development
ASP.NET 3.5 (and automatically selected options)
.NET Extensibility 3.5
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 4.5
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
Enrollment Proxy Point
Features:
.NET Framework 3.5
.NET Framework 4.5
HTTP Activation (and automatically selected options)
ASP.NET 4.5
IIS Configuration:
Common HTTP Features
Default Document
Static Content
Application Development
ASP.NET 3.5 (and automatically selected options)
ASP.NET 4.5 (and automatically selected options)
.NET Extensibility 3.5
.NET Extensibility 4.5
Security
Windows Authentication
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
SCCM ENROLLMENT POINT INSTALLATION
For this post we will be installing both roles on a stand-alone Primary site using HTTPS connections. If you split the roles
between different machines, do the installation section twice, once for the first site system (selecting Enrollment Point during
role selection) and a second time on the other site system (selecting Enrollment Proxy Point during role selection).
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Right click your Site System and click Add Site System Roles
On the General tab, click Next
On the Proxy tab, click Next
On the Site System Role tab, select Enrollment Point and Enrollment Proxy Point, click Next
On the Enrollment Point tab
In the IIS Website and Virtual application name fields, leave both to the default values
These are the names that you’ll see in IIS after the installation
Enter the port number you want to use. The HTTPS setting is automatically selected and requires a PKI certificate on the
server for server authentication to the Enrollment Proxy Point and for encryption of data over SSL. For more information
about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.
On the Enrollment Proxy Point tab,
The Enrollment point will be populated by default and can’t be changed
Keep the Website name to its default value
Enter the port and protocol that you want to use
The Virtual application name can’t be changed. This will be used for client installation
(https://servername/EnrollmentServer)
On the Summary tab, review your settings, click Next and complete the wizard
VERIFICATION AND LOG FILES
You can verify the role installation in the following logs:
ConfigMgrInstallationPath\Logs\enrollsrvMSI.log and enrollmentservice.log – Records details about
the Enrollment Point installation
ConfigMgrInstallationPath\Logs\enrollwebMSI.log – Records details about the Enrollment Proxy Point installation
ConfigMgrInstallationPath\Logs\enrollmentweb.log – Records communication between mobile devices and the Enrollment
Proxy Point
That’s it, you’ve installed your SCCM Enrollment Point, follow this Technet Guide if you want to proceed to next steps for Mac
computers enrollment
ROLE DESCRIPTION
The FSP helps monitor client installation and identify unmanaged clients that cannot communicate with their management
point.
This is not a mandatory Site System but we recommend installing an FSP for better client management and monitoring. This is
the Site System that receives State Messages related to client installation, client site assignment, and clients unable to
communicate with their HTTPS Management Point.
If the FSP is not configured properly you’ll end up having A fallback status point has not been specified errors in your logs.
FSP INSTALLATION
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Right click your Site System and click Add Site System Roles
On the General tab, click Next
On the Proxy tab, click Next
On the Site System Role tab, select Fallback Status Point, click Next
On the Fallback Status Point tab, specify the number of state messages to process. We recommend to leave the default
value, click Next
On the Summary tab, review your setting and click Next
Wait for the setup to complete and close the wizard
Fspmgr.log – Verify whether clients are successfully sending state messages to the FSP
You can also check if reports that depend on the FSP are populated with data. See the full list of reports that rely on the
FSP here.
CONFIGURE CLIENTS
Use the FSP client properties to point your clients to your newly created FSP
Navigate to Administration / Site Configuration / Site
Click the Client Installation Setting icon on the ribbon
Select Client Push Installation
On the Installation Properties tab
Enter your server FQDN in the FSP properties
ROLE DESCRIPTION
Every SCCM hierarchy must have a Management Point to enable client communication. The Management Point is the primary
point of contact between Configuration Manager clients and the site server. Management Points can provide clients with
installation prerequisites, configuration details, advertisements and software distribution package source file locations.
Additionally, Management Points receive inventory data, software metering information and state messages from clients.
Multiple Management Points are used for load-balancing traffic and for clients to continue receiving their policy after
Management Point failure. Read about SCCM High-Availability options in this Technet article.
Prior to SCCM 2012 R2 SP1, it was not possible to assign clients directly to a specific Management Point. It’s now possible using
the new Preferred Management Point feature. Read about how clients choose their Management Point in this Technet article.
PREREQUISITES
On Windows 2012, the following features must be installed before the Management Point Installation:
Features:
.NET Framework 4.5
BITS Server Extensions or Background Intelligent Transfer Services (BITS)
IIS Configuration:
Application Development
ISAPI Extensions
Security
Windows Authentication
IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
REQUIREMENTS
Before you can install the reporting services point role you must configure SQL correctly.
We’ll be using SQL 2012 on this post. We are assuming that SQL is already installed and that your SCCM site is up and healthy.
During the initial SQL installation, you must select Reporting Services.
If you have installed SQL Server, but have not installed Reporting Services, follow these steps. If Reporting Services is
already installed, skip to the “Configure Reporting Services” section.
Launch the SQL Server 2012 installation from the media.
Click the Installation link on the left to view the Installation options.
Click the top link, New SQL Server stand-alone installation or add features to an existing installation.
Follow the SQL Server Setup wizard until you get to the Installation Type screen.
Select Add features to an existing instance of SQL Server 2012.
Click Next to move to the Feature Selection page.
Continue through the wizard and reboot the computer at the end of the installation if instructed to do so.
CONFIGURE REPORTING SERVICES
Before configuring the reporting point, some configuration needs to be made on the SQL side. The virtual instance needs to be
created for SCCM to connect and store its reports.
If you installed Reporting Services during the installation of the SQL Server instance, SSRS will be configured automatically for
you. If you install SSRS later, then you will have to go back and configure it as a subsequent step.
To configure it, open Reporting Services Configuration Manager:
Click Start > All Programs > Microsoft SQL Server > Configuration Tools > Reporting Services Configuration Manager
This wizard creates two databases: ReportServer, used to store report definitions and security, and ReportServerTempDB
which is used as scratch space when preparing reports.
Click the Web Service URL tab
Click Apply
This step sets up the SSRS web service. The web service is the program that runs in the background that communicates
between the web page, which you will set up next, and the databases.
Select the Report Manager URL
Accept the default settings and click Apply.
If the Apply button was already grayed out, this means SSRS was already configured. This step sets up the Report Manager
web site where you will publish reports.
Exit Reporting Service Configuration Manager.
CONSOLE
Open the Monitor/Reporting/Reports node. Verify that your reports are listed.
WEB BROWSER
Open Internet Explorer, navigate to http://yourservername/Reports
If everything went well, you’ll have a folder Config_SiteCode containing your reports
SQL
If you check your SQL instance, you’ll see the 2 new databases that were created by the installation.
Open SQL Management Studio
Locate ReportServer and ReportServerTempDB
Happy reporting! 🙂
WSUS INSTALLATION
Perform the following on the server that will host the SUP role.
Open Server Manager / Add Roles and Features
Select the Windows Server Update Services Role, click Next
Select WSUS Services and Database, click Next
Launch Windows Server Update Services from the Start Menu. You will be prompted with the following window:
On the DB instance, enter your server name
On Content directory path, use a drive with enough free space. This is where WSUS will store updates
ROLE DESCRIPTION
The State Migration Point stores user state data when a computer is migrated to a new operating system.
This is not a mandatory Site System, but you need a State Migration Point if you plan to use the User State steps in your Task
Sequence. These steps integrate with User State Migration Tools (USMT) to back up your user data before applying a new
operating system to a computer.
SITE SYSTEM ROLE PLACEMENT IN HIERARCHY
The State Migration Point is a site-wide option. It’s supported to install this role on a child Primary Site, stand-alone Primary Site
or Secondary Site. It’s not supported to install it on a Central Administration Site.
The State Migration Point can be installed on the site server computer or on a remote computer. It can be co-located on a
server that has the distribution point role.
ROLE DESCRIPTION
The System Health Validator Point validates Configuration Manager Network Access Protection (NAP) policies.
This is not a mandatory site system but you need a System Health Validator Point if you plan to use NAP evaluation in your
software update deployments. This site system integrates with an existing NAP server in your infrastructure.
Create the boundaries. In our example, we’ll create 4 different boundaries for my 4 locations using their Active Directory Sites
Tip: If you have multiple Active Directory Sites, IP Ranges or Subnets, you can enable Active Directory Forest Discovery,
which can create them automatically
CREATE BOUNDARY GROUP
Now, we’ll create a Site Assignment Boundary Group and add all those AD Sites. That way, all my clients for my 4 locations will
be assigned to my Montreal Primary Site.
For Content Location, we want clients to get their content locally at their respective location. We will create 4 Content Boundary
groups, add only their AD Site Boundary and assign their local Distribution Point.
Name                      Boundary    Site System
MTL - Content Location    MTL         DPMTL01
NY - Content Location     NY          DPNY01
CHI - Content Location    CHI         DPCHI01
LA - Content Location     LA          DPLA01
Here’s how to make this happen in SCCM :
Open the SCCM Console
Go to Administration / Hierarchy Configuration / Boundary Groups
Right-click Boundary Groups and select Create Boundary Groups
CREATE SITE ASSIGNMENT BOUNDARY GROUP
We’ll start by creating a group for Site Assignment : SA – MTL
Click the Add button on the bottom
On the Add Boundaries screen, select all boundaries. This will direct all my clients to the Primary Site located in Montreal
for Site Assignment
On the References tab, check the Use this boundary group for site assignment box
Select your assigned site. In my case : MTL
Click Ok
CREATE CONTENT LOCATION BOUNDARY GROUP
Right-click Boundary Groups and select Create Boundary Groups
We’ll name our group Content Location – MTL
Click on Add
Select only the MTL boundary
You can see each client setting’s priority and whether they are deployed in the same section
HOW TO DEPLOY CLIENT SETTINGS
Now that your client settings are created, you need to deploy them to a collection. The new client settings will apply only to this
collection and, depending on the priority, will override the settings.
Select the custom client settings that you have just created
On the top ribbon, click Deploy
In the Select Collection dialog box, select the collection that contains the devices to be configured with the custom
settings, and then click Ok
You can verify the selected collection if you click the Deployments tab on the bottom of the console
HOW TO APPLY
Client computers will apply your custom settings when they download their next client policy. You can trigger it manually to
speed up the process.
On the Polling Schedule tab, select the frequency on which you want the discovery to happen
A 7-day cycle with a 5-minute delta interval is usually fine in most environments
On the Active Directory Attribute tab, you can select custom attributes to include during discovery
This is useful if you have custom data in Active Directory that you want to use in SCCM
On the Options tab, you can select to discover only accounts that have logged on or updated their passwords within a specific
number of days
This is useful if your Active Directory isn’t clean. Use this to discover only good records
ACTIVE DIRECTORY GROUP DISCOVERY
Discovers groups from specified locations in Active Directory. The discovery process discovers local, global or universal
security groups. When you configure Group Discovery, you have the option to discover the membership of distribution
groups. With Active Directory Group Discovery, you can also discover the computers that have logged in to the domain in a
given period of time. Once discovered, you can use group information, for example, to create deployments based on Active
Directory groups.
Be careful when configuring this method: if you discover a group that contains a computer object that is NOT discovered by
Active Directory System Discovery, the computer will be discovered. If automatic client push is enabled, this could install the
client on computers you did not intend to manage.
To discover resources using this method:
Open the SCCM Console
Go to Administration / Hierarchy Configuration / Discovery Methods
Right-Click Active Directory Group Discovery and select Properties
On the General tab, you can enable the method by checking Enable Active Directory Group Discovery
Click on the Add button on the bottom to add a certain location or a specific group.
Remember: If you discover a group that contains a computer object that is NOT discovered in Active Directory System
Discovery, the computer will be discovered.
On the Polling Schedule tab, select the frequency on which you want the discovery to happen
A 7-day cycle with a 5-minute delta interval is usually fine in most environments
On the Options tab, you can select to discover only accounts that have logged on or updated their passwords within a specific
number of days
This is useful if your Active Directory isn’t clean. Use this to discover only good records
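The warning above about Group Discovery pulling in computers outside System Discovery can be checked before enabling the method, which matters when automatic client push is on. This is an added example, not part of the original guide: the container list, group members and names are constructed sample data, and it assumes System Discovery searches its containers recursively.

```powershell
# Added example (not from the original guide). All sample values are constructed.
# Assumption: Active Directory System Discovery searches these containers
# recursively; replace them with the containers configured on your site.
$systemDiscoveryContainers = @(
    'OU=Workstations,DC=corp,DC=example'
    'OU=Servers,DC=corp,DC=example'
)

# Constructed stand-in for the output of
#   Get-ADGroupMember -Identity '<group>' -Recursive   (ActiveDirectory module)
# which returns objects exposing the same objectClass / distinguishedName properties.
$groupMembers = @(
    [pscustomobject]@{ name = 'WS-0142';  objectClass = 'computer'
        distinguishedName = 'CN=WS-0142,OU=Workstations,DC=corp,DC=example' }
    [pscustomobject]@{ name = 'KIOSK-07'; objectClass = 'computer'
        distinguishedName = 'CN=KIOSK-07,OU=Kiosks,OU=Workstations,DC=corp,DC=example' }
    [pscustomobject]@{ name = 'LAB-03';   objectClass = 'computer'
        distinguishedName = 'CN=LAB-03,OU=Lab Workstations,DC=corp,DC=example' }
    [pscustomobject]@{ name = 'OLD-PC';   objectClass = 'computer'
        distinguishedName = 'CN=OLD-PC,CN=Computers,DC=corp,DC=example' }
    [pscustomobject]@{ name = 'jdoe';     objectClass = 'user'
        distinguishedName = 'CN=jdoe,OU=Staff,DC=corp,DC=example' }
)

function Test-DnInScope {
    param([string]$DistinguishedName, [string[]]$Container)
    foreach ($c in $Container) {
        # The leading comma anchors the match on an RDN boundary, so
        # "OU=Lab Workstations" is not mistaken for "OU=Workstations".
        if ($DistinguishedName.EndsWith(",$c", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-OutOfScopeComputer {
    param(
        [Parameter(Mandatory)] [object[]]$Member,
        [Parameter(Mandatory)] [string[]]$SystemDiscoveryContainer
    )
    # Only computer objects matter here; users and nested groups are skipped.
    $Member | Where-Object {
        $_.objectClass -eq 'computer' -and
        -not (Test-DnInScope $_.distinguishedName $SystemDiscoveryContainer)
    }
}

# Computers that Group Discovery would add even though System Discovery
# does not cover them (LAB-03 and OLD-PC in the sample data).
Get-OutOfScopeComputer -Member $groupMembers `
    -SystemDiscoveryContainer $systemDiscoveryContainers |
    Select-Object name, distinguishedName
```

Review the returned computers before adding the group to Group Discovery; any machine listed would become a client push candidate.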
ACTIVE DIRECTORY USER DISCOVERY
The discovery process discovers user accounts from specified locations in Active Directory. You also have the option to fetch
custom Active Directory Attributes. This is useful if your organization stores custom information in AD about your users. Once
discovered, you can use group information, for example, to create user-based deployments.
To discover resources using this method:
Open the SCCM Console
Go to Administration / Hierarchy Configuration / Discovery Methods
Right-Click Active Directory User Discovery and select Properties
On the General tab, you can enable the method by checking Enable Active Directory User Discovery
Click on the Star icon and select the Active Directory container that you want to include in the discovery process
On the Polling Schedule tab, select the frequency on which you want the discovery to happen
A 7-day cycle with a 5-minute delta interval is usually fine in most environments.
On the Active Directory Attribute tab, you can select custom attributes to include during discovery
This is useful if you have custom data in Active Directory that you want to use in SCCM
ACTIVE DIRECTORY FOREST DISCOVERY
Discovers Active Directory sites and subnets, and creates Configuration Manager boundaries for each site and subnet from the
forests which have been configured for discovery. Using this discovery method, you can automatically create the Active
Directory or IP subnet boundaries that are within the discovered Active Directory Forests. This is very useful if you have multiple
AD Sites and Subnets: instead of creating them manually, use this method to do the job for you.
To discover resources using this method:
Open the SCCM Console
Go to Administration / Hierarchy Configuration / Discovery Methods
Right-Click Active Directory Forest Discovery and select Properties
On the General tab, you can enable the method by checking Enable Active Directory Forest Discovery
Select the desired options
HEARTBEAT DISCOVERY
Heartbeat Discovery runs on every client to update its discovery record in the database. The records (Discovery Data
Records) are sent to the Management Point at a specified interval. Heartbeat Discovery can force the discovery of a
computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database.
Heartbeat Discovery is enabled by default and is scheduled to run every 7 days.
To discover resources using this method:
Open the SCCM Console
Go to Administration / Hierarchy Configuration / Discovery Methods
Right-Click Heartbeat Discovery and select Properties
On the General tab, you can enable the method by checking Enable Heartbeat Discovery
Make sure that this setting is enabled and that the schedule runs less frequently than the Clear Install Flag maintenance
task.
NETWORK DISCOVERY
The Network Discovery searches your network infrastructure for network devices that have an IP address. It can search the
domains, SNMP devices and DHCP servers to find the resources. It also discovers devices that might not be found by other
discovery methods. This includes printers, routers, and bridges.
We won’t go into detail on this discovery method, as it’s an old and deprecated method. We never saw any customers using this
method in production.
SQL BACKUP
It’s also possible to back up your SCCM server using a SQL Maintenance task. The biggest advantage of this method is that it
offers compression. Please read this blog post if you prefer this method. Be aware that this backup method doesn’t back up the
CD.Latest folder, which is important. You could also have both backup methods enabled if needed.
MORE SCCM RESOURCES
System Center Dudes offers numerous configuration guides and custom reports to ease your Configuration Manager day-to-day
operations.
Consult our product page to see the complete list.
That concludes this SCCM Installation Guide. We hope that it was helpful. Feel free to leave your comment in the section below.
Fiernaq
10.08.2021 AT 8:28 AM
The link for the Report Viewer is to a French version of a page that no longer exists. I was able to find
Report Viewer runtimes for 2012 and 2015 – is 2015 the latest version available? And does it work with SQL
2019 and current branch ConfigMgr?
Chongmun
07.16.2021 AT 2:27 AM
Very helpful.
Thank You.
Annaei
05.31.2021 AT 4:26 AM
Good afternoon, I have a problem. I want to install Microsoft updates, but in “obligatory” it is noted 0,
percentage conforms 79 … but it is not correct. When I finish my deployment package, they do not deploy
because not “mandatory”. How can I solve this problem?
haverland389
05.27.2021 AT 7:37 AM
Why on the Prereqchk are you using AdminUI? Isn’t that switch only for checking if the computer can have
the management console installed? Shouldn’t the Local switch be used to check that the server is ready to
have MECM installed?
Alan_Peery
05.19.2021 AT 7:44 AM
Hi, the Microsoft page https://docs.microsoft.com/en-us/mem/configmgr/core/understand/product-and-licensing-faq#bkmk_sql
indicates that Config Manager “includes SQL Server Technology”, meaning no license
and no SQL Server CALs required so long as you don’t use it for other things.
How are we supposed to install in this case — and what license should we be indicating when we get to the
database portion of the installation?
Jonathan Lefebvre
05.26.2021 AT 2:32 PM
Hi,
you can use the one from your volume licensing. When you’ll have a true up with Microsoft, that license
should be free to use along your licensing for SCCM.
thanks
Jonathan
saad9837
04.22.2021 AT 2:29 AM
Hi
It’s quite an informative site with a step-by-step guide. However, I need some guidance on how to uninstall Azure
Information Protection Old Client (AIP) via SCCM. Any step-by-step guide or commands?
mitchawkes
01.26.2021 AT 12:14 PM
Hello all,
Good job for this guide! Personally I would have made several posts by topic, because the guide is really very
long …
Some additions or article ideas would be to make a post on how to switch from a SCCM R2 version to the
current branch by a backup / restore, when the operating system is obsolete (side by side) or also: Which
version of Windows Server 201x, choose for SCCM CB (semi-annual channel or not)? Another cool article
would be: How to move the SCCM database to a remote SQL server? And finally, when should you put several
SMS providers depending on the number of consoles that will be used? The notion of “Active / Passive” site in
SCCM … Well the idea is not to redo the Microsoft site, but hey …
Regards
Mitchawkes
maelstrm
12.02.2020 AT 4:26 PM
I’ve had this issue before on other guides. When using Windows ADK 8.1, I get errors on the pre-check.
Windows 8 usually worked but it’s no longer available. Any tips?
Jonathan Lefebvre
12.02.2020 AT 5:11 PM
Hi Maelstrm,
ADK 8.1 is long gone for support under ConfigMgr.
See our post on how to update it.
https://systemcenterdudes.com/how-to-update-windows-adk-on-a-sccm-server/
thanks
Jonathan
sir_timbit
10.16.2020 AT 10:42 AM
Re: The Endpoint Protection section, for the Products tab, the “Forefront Endpoint Protection 2010” is no
longer listed in more recent builds of SCCM. I am just setting up EPP on a new install of SCCM and see “System
Center Endpoint Protection” is already checked. Is that all that is needed? If you scroll through the list of other
products, there is also “Microsoft Defender Antivirus”. Does that also need to be selected?
Jonathan Lefebvre
11.02.2020 AT 9:05 AM
Hi Sir_timbit,
thanks for pointing this. I’ll update the screenshot.
Yes Microsoft Defender Antivirus should do it.
Jonathan
Daniel Schindler
10.02.2020 AT 4:09 PM
Guide is ok, but I have seen better ones. Why are screenshots from earlier versions like SCCM 2012
shown here?
It is confusing. I also agree with sir_timbit’s comment.
Jonathan Lefebvre
11.02.2020 AT 8:59 AM
Hi Daniel,
thanks for your comment, we’ll look into it for some old screenshots.
Likely displaying SCCM 2012, but everything else hasn’t changed
Jonathan
sir_timbit
09.22.2020 AT 5:44 PM
Thanks for a very detailed guide! Can you please clarify the drive installation steps though. At the
beginning, you listed 5 recommended partitions:
c:\ for Windows OS
d:\ for SCCM
e:\ for SQL Database
f:\ for SQL TempDB
g:\ for SQL transaction logs and SQL TempDB logs
But the install steps you have further down in the guide don’t quite match that setup? Not sure I understand.
1) Under “Feature Selection”, the initial install of SQL database engine services goes to drive D (SCCM) instead
of the default C:\Program Files… Is that just to keep SQL install/program files separate from the OS?
2) Under “Database Engine Configuration”, shouldn’t the database log directory be set to G:\ and not F:\ ?
3) Under “Database Engine Configuration / TempDB tab”, the guide shows the TempDB being installed at
E:\SQL_database and logs at f:\SQL-Logs. Shouldn’t these be at F:\SQL_database for the temp SQL-database,
and G:\SQL_logs for the log directory?
Thanks again,
Sir_Timbit
rhytepadar
09.02.2020 AT 7:06 AM
Hi Guys!
I really like this guide. But I am looking for info about how to add a new server or move your SCCM
environment to a new server. Any suggestion where to start?
Our current version is 1902 and have to move on, but also have to install the new system on a new VM, the old
one is very junky now.
Thanks, Arpad
Jonathan Lefebvre
09.15.2020 AT 4:59 PM
Hi Rhytepadar,
is this what you are looking for?
https://systemcenterdudes.com/sccm-migration-to-new-operating-system-guide/
thanks
Jonathan
rishibp
07.11.2020 AT 11:08 AM
Hi
I have different drives set up as suggested earlier on the site server:
C : OS = 150
E: SCCM = 200 GB
F: SQL Database =100 GB
G: SQL TempDB = 50 GB
H: SQL Logs = 50 GB
How can I set up
- root and shared feature directories on the “Features Selection” tab,
- data directories and temp db directories on the “Database Engine Configuration” tab
Bo
07.02.2020 AT 4:41 AM
Are there any plans to update this for 2002 taking SQL server 2019 into consideration?
Jonathan Lefebvre
11.02.2020 AT 8:49 AM
Hi Bo,
yes we are working on the guide including SQL server 2019, since it’s been officially supported for latest
MEMCM
thanks
Jonathan
jorgesbatista
05.10.2020 AT 10:05 AM
Brilliant Guide!
What would you recommend, setting Minimum & Maximum or Only the Maximum value?
Let’s say, I have 18GB RAM
Minimum 0
Maximum 10240
I will leave 8GB for the OS
Thoughts?
Regards,
jorge batista
situationistapp
04.25.2020 AT 11:34 AM
Thanks for the detailed installation guide with images. It helps a lot.
Joshua Shipman
04.23.2020 AT 2:33 PM
The report viewer and ADK links are to older versions. Was that intentional?
sidemory
04.06.2020 AT 8:31 AM
Excellent guide!! Thank you!! Do you guys have a guide on moving a single server SCCM configuration to
new hardware?
Jonathan Lefebvre
11.02.2020 AT 8:57 AM
Hi SideMory,
Is that what you are looking for?
https://systemcenterdudes.com/sccm-migration-to-new-operating-system-guide/#comment-1089627
Jonathan
Shanish
03.20.2020 AT 10:53 PM
Excellent Guide, I love https://systemcenterdudes.com/ and I became a member of this site because of this
guide.
Claus Wessel
03.15.2020 AT 3:01 PM
What if SCCM must be installed in its own dedicated SQL Instance? Makes it a bit more tricky
Chris
02.23.2020 AT 6:29 PM
Thanks for the excellent guide, FYI WSUS is missing from the PowerShell script in add Features.
Doug
02.10.2020 AT 2:14 PM
Fantastic guide! Thank you for compiling all of this information together.