Nazaudy, a spark in your curious mind

SCCM 2012

Microsoft System Center Configuration Manager (SCCM 2012) is a great tool to manage all kind of devices on your network, let's explore here how to install SCCM 2012, configure it and manage it

Note that SCCM

1. Installation of SCCM - DC modifications

Create a "System Management" container on your DC by visiting ADSI Edit, connect to the default naming context, right-click the CN=System and create a new object > container called "System Management"

SCCM 2012

Still on your DC, open Active Directory  > view Advanced Features > and delegate control to the System | System Management folder, add the server that will be running SCCM (appropriately for this article, I named this server "SCCM"). Choose "create a custom task to delegate" > leave default selection > then select 'General', 'Property-specific' and 'Creation/deletion of specific child objects', and finally select "Full Control"

SCCM Delegate control

One last step (to be done on youre Forest Root DC) is to update/extend its schema, so run on it the "extadsch.exe" found in the installation media of SCCM

SCCM Update AD Schema

 

2. Installation of SCCM - add roles to your SCCM server

Switch to your SCCM server and add these roles to it

  • Web Server (IIS)
    • All the components under ".NET Framework 3.5 Features"
    • All the components under ".NET Framework 4.5 Features"
    • All the components under "Background Intelligent Transfer Service (BITS)"
    • Remote Differential Compression (ensure is selected)
  • For the role services of IIS, select:
    • Security > Windows Authentication
    • Application Development > ASP.NET 3.5 (ensure also ISAPI Extensions is checked)
    • Management Tools > IIS 6 Management Compatibility > ensure all sub-items are selected
    • IIS Management Scripts and Tools (ensure is selected)

Download and install ADK Windows 10 tools , Assessment and Deployment Tools, you can download the offline version from here: https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-offline-install.  Install it using the default settings, that's fine

Add also the WSUS (Windows Service Update ) to your SSCM server, and choose:

Deselect "WID Database" and select "Database" instead, then connect to the SQL database that you'll install in the next step (meaning that you actually need to install the SQL first!)

3. Installation of SCCM - the SQL server

On a different server install a stand-alone version of SQL (I used 2012 SP3) and select

  • Database Engine Services
  • Reporting Services - Native
  • Management Tools (Basic), so that you get Management Studio

Choose "Default instance", ensure that the SQL "collation" is set to "SQL_Latin1_General_CP1_CI_AS"; ensure you do this installation with Domain Credentials! (not local admin account)

 SCCM Server Configuration

Use Windows Authentication, add the current user together with any domain admin user

Still on the SQL server, visit Computer Management > Local Users > Groups and add to the group Administrators the server (on my example is called SCCM) that will be running SCCM, basically the server needs to be an admin of the SQL!

Domain Admins

Do the same thing for hte SQL Server Browser service please

4. Installation of SCCM

Remember that you should have installed the WSUS service!!!

Run the "splash.htm" file on your SCCM server and choose to install a "Configuration Manager central administration site", so that you can pick you the SQL database to where SCCM will be installed. Pickup a local folder on your machine to download the installation files. Specify a 3-characters site code and a site name ("London" for example). Leave the database name as default, as well as the port 4022

5. Configuration of SCCM

Once you got everything installed, open Administration > Hierarchy Configuration >Boundaries and create a new IP Subnet boundary for the machines that you want to manage through SCCM. Also create a "Boundary Group" and associate it with the given IP Subnet

Then visit Discovery Methods and ensure that only 2 x discovery methods are enable, as follows:

  • Heartbeat Discovery
  • Active Directory System Discovery ; for this one add your domain or a specific OU if you'd like SCCM to manage the items on that OU only

To be able to push the client installation to the Windows computers of your network, you'd need to visit Administration > Site Configuration > Sites and edit the settings of your site and find the "Client Installation Setting", and configure it

 SCCM Client Installation

6. Certifications in SCCM

Visit Administraton > Site Configuration > Edit your site and on the section "Client Computer Communication" and ensure you set to use PKI client certificate when available. Your SCCM server should be a member of a domain, and that domain should have a root CA installed, right? well, visit it https://localhost/certsvr and download the CA certificate from there in the *.cer format, then import it into the Trusted Root CA section

SCCM Root CA

Visit Site Configuration > Servers and Site System Roles, and add these two roles to your server:

  • Software Update Point ;so it integrates with WSUS
  • Enrollment point ;so you can enroll iMac computers
  • Enrollment proxy point ;as above

Then edit the role "Management Point" and set it to HTTPS to allow the connection from mobile devices and iMac computers

Visit again the DC where you have the CA installed, and add the "Certificates" snap-in to a MMC console. Once you have added it, visit Personal > Certificates and export the root CA certificate (including the private key) in a *.pfx format.

Create a group in AD called "SSCM IIS Servers" and add the SCCM server as well as the server running IIS for SCCM, on my example both services are running on the same box. Once you have done that follow the steps on this link to create a certificate for your SCCM https://prajwaldesai.com/deploying-web-server-certificate-for-site-systems-that-run-iis/

 

7.Client Settings

Visit Administration > Site Settings > Client Settings and create a new Custom Client Settings for devices so that you override the default settings, add for example "enrollment" and "remote tools" settings so you can enable the RDP. Don't forget to deploy the custom setting to your collection of choice otherwise it won't work.

Edit the default client settings > enrollment and select both option to "YES" to allow the user to register iMacs and Mobile devices

 

To install SCCM on Mac Computers follow this great tutorial: https://prajwaldesai.com/how-to-deploy-client-certificate-for-mac-computers/ Ensure that the correct NTP server is configure on the iMacs, e.g. they should be pointing to your FRDC

This one is handy too: http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/

If you like this article, you might be interested in this other one too: https://www.nazaudy.com/setup-and-configure-a-public-key-infrastructure-pki