System Center Configuration Manager (SCCM) Installation Guide

Deploying software and patching systems was always a challenge for system administrators because of the lack of automation, control and reporting. WSUS solves some of these issues but, as you probably know, it has some limitations that make it a poor fit for medium to large environments. Of course, we can use scripting with WSUS to make it work even better, but what about advanced reporting and software deployment? To overcome all these limitations and improve the work of system administrators, Microsoft created Endpoint Configuration Manager (MECM), formerly System Center Configuration Manager, or SCCM for short. Using MECM we are not just deploying software and patching systems, but also creating baselines, deploying certificates on endpoint devices, installing Windows OSs and some other very useful and nice stuff.

In this article I am going to use the names SCCM and MECM interchangeably since they point to the same product, just with different branding, but SCCM is mostly used because of its popularity in the industry.

SCCM is a very complicated service when you deploy it in large environments since it has multiple parts, which I am going to cover in a future series of articles. Right now, let’s start small then expand. The first part of SCCM is the installation, which is not just clicking the Next button of the wizard but doing things like extending the Schema, creating entries in the Active Directory Configuration partition and some other security tasks that I am going to show in this article. Since there are a lot of software prerequisites for SCCM, I really like taking care of them one-by-one since the installation wizard shows us the ones that are missing/needed.

For this article we are going to deploy SCCM with a single Primary Site System role which is one server doing it all. There are multiple Site System server roles in SCCM and I am going to explain them in the series that will come up, since these are more like design things.

 

1. Installing the SCCM prerequisites

For this lab I have three machines: the Domain Controller, the SCCM (build 2002) machine with 6GB of RAM, two vCPUs and a second disk for hosting the software/patches. The third machine is a SQL Server 2019 VM with Reporting Services installed for the SCCM database, having 12 GB of RAM and two vCPUs. All the VMs are running Windows Server 2019 with the latest updates installed and are joined to an Active Directory domain. Again, you will have to size your machines accordingly once you go into production, and as an idea, you can take a look at this Technet article. When it comes to the firewall configuration, I am going to allow everything between the mentioned machines since this is a large subject and it requires its own topic.

When it comes to hardware requirements, it all depends on how large the SCCM infrastructure is and how many clients it will manage. Microsoft posted some recommendations which are huge, but I find SCCM working with way less. Depending on the number of endpoints you have in your infrastructure, you can start small and increase the resources as you go; virtualization makes it very easy.

SCCM has a lot of software requirements, and if we do one or two new deployments in a year, we are not going to remember them. A better approach that I like to use is to let SCCM tell me what prerequisites I should install, and this way I know that everything it needs is in the system and configured for the deployment.

 

1.1 Running the SCCM prerequisites checker

The first thing that I like to do in order to see what’s needed for the SCCM installation, is to launch the SCCM Prerequisites Checker from the installation ISO.

On the SCCM server, mount the downloaded SCCM ISO then open a command prompt and browse to Configuration Manager installation media > SMSSETUP > BIN > X64. Here, type the command line below to launch the Prerequisites Checker on the server so we can see what prerequisites are missing and what configurations we need to fix. Of course, you will need to replace the server names with your own, like the SQL server name and the SCCM one; and don’t freak out about the errors and warnings presented in the wizard, because remember… these are clean servers with nothing on them, so it is expected.

prereqchk.exe /pri /sql <SQL server FQDN> /sdk <SCCM (local server) FQDN> /mp <SCCM (local server) FQDN> /dp <SCCM (local server) FQDN>

Running the SCCM command line prerequisite checker

The operation will take a few minutes to complete, and once it is done, we will have all the missing software and misconfigurations in a nice colored list. The next thing is to go over all the prerequisites one-by-one until the list is empty on the next prerequisites check. The Prerequisites Checker also creates a log file on the root of the C drive if you want more details about what it finds.

Prerequisite checker window listing all the requirements for the SCCM installation

1.2 Extending the AD schema for SCCM

This is the first task in the list and it’s not mandatory, but it’s recommended so we can benefit from all the SCCM features. By extending the Active Directory schema we are simplifying the deployment and configuration of clients and also let them locate resources (content servers) more efficiently.

In order to extend the AD schema we need to mount the SCCM ISO on a domain controller, open the command prompt and browse to Configuration Manager installation media > SMSSETUP > BIN > X64. From this path just type extadsch.exe and press Enter. In a few seconds the process of schema extension will be done.

To extend the Schema, the account used will need to be part of the Schema Admins security group.

Extending the Active Directory schema for SCCM

The command also creates a log file (ExtADSch.log) on the root of the C drive if we want to see what classes and attributes it adds to the schema.

The log file after extending the Active Directory schema

1.3 Creating the System Management Container

Since we are on the domain controller, we will go a little bit out of order from the SCCM prerequisites check list so we don’t have to come back later on. What we are trying to resolve here is the Verify site server permissions to publish to Active Directory warning. This is also not mandatory, but highly recommended to do so Configuration Manager can publish data like Management Points (MP) and Boundary details in order for clients to select the best one possible.

On one of the domain controllers, open the ADSI Editor console, right-click the ADSI Edit node and choose Connect to.

Connecting to the default naming context using the ADSI Editor console for further configuration

On the Connection Settings window that pops-up, just leave the defaults and hit OK.

Connecting to the default naming context using the ADSI Editor console for further configuration

Expand the Default naming context then the domain name. Right-click CN=System and choose New > Object.

Opening the ADSI Create Object wizard

From the Create Object wizard that opens up, select container and click Next.

Choosing to create a new container in the naming context

In the Value box type System Management then continue the wizard.

Naming the new container

Click Finish to close the wizard.

Finishing the wizard and creating the container

Now that our container is created, we need to set up the proper security permissions so SCCM can publish the necessary data in it. Right-click the System Management container and choose Properties.

Opening the properties for our new container in order to set-up the proper permissions for SCCM

From the Security tab hit the Add button and search for the SCCM server.

Adding the SCCM server to the ACL of the container

Once the SCCM server is in the Access Control List (ACL) give it full permissions on the System Management container by clicking the Full control box.

Providing full permissions to the SCCM computer object on the container

Click the Advanced button. From the Advanced Security Settings window that opens up, select our SCCM server then hit Edit.

Opening the advanced permissions entries for the container

From the Applies to drop-down box select This object and all descendant objects. Click OK on all properties windows to close them and save the changes.

Providing full permissions to the SCCM computer object on the container and all contained objects

1.4 Creating the SQL Server service account

Still on the domain controller, open Active Directory Users and Computers (ADUC) and create a simple user account which later on we are going to use as a service account for our SQL Server instance. Make sure you set the password for the account to never expire.

Creating the user account in AD to be used as a SQL Server service

1.5 Configuring the SQL Server

SCCM supports a wide range of SQL Server versions, and since we are using SQL 2019 for this SCCM instance, we need to have at least CU5 installed on our SQL server. More details can be found in this Technet article.

SQL Server Version | Edition | Min Cumulative Update
--- | --- | ---
SQL Server 2019 | Standard, Enterprise | CU5
SQL Server 2017 | Standard, Enterprise | CU2
SQL Server 2016 SP2 | Standard, Enterprise | No CU Required
SQL Server 2016 | Standard, Enterprise | No CU Required
SQL Server 2014 SP3 | Standard, Enterprise | No CU Required
SQL Server 2012 SP3 | Standard, Enterprise | No CU Required

1.5.1 Adding the service account and SCCM host to the local Administrators group

Presuming you already have your SQL Server and the SQL Server Reporting Services installed, we can move forward with our SCCM setup by logging in to our SQL host and opening the Local Users and Groups console (lusrmgr.msc). Once the console opens, click the Groups folder, and open the Administrators group properties.

Opening the properties of the local Administrators group on the SQL server to add the service account to it

Click the Add button and search for the service account that we created in section 1.4.

Clicking the Add button on the Administrators group Properties window to search for the service account

Add the account to the Administrators group then click Apply to save the changes. Don’t close the Administrators Properties window yet!

Searching for the service account

Click the Add button again, and this time we need to add the SCCM computer account as a member of the local Administrators group on our SQL server. Click OK when done.

Searching for the SCCM computer object to be added to the local Administrators group

1.5.2 Configuring the SQL service running account

Now we need to set our SQL service to use the domain service account, and for that, we are going to use the SQL Server Configuration Manager console that can be found in the Start menu. Once the console opens and we click the SQL Server Services object, we can see on the right-hand side that our SQL service is running under a local account. To change that, right-click the SQL Server service and choose Properties.

Opening the properties of the SQL server service in order to change the account under which is running

From the Log On tab, click the Browse button.

Opening the search dialog box to search for the Active Directory account

Here we need to add our SQL service account created in section 1.4. To be able to add the account we need to select our domain using the Locations button then search for the account. Click OK when done.

Searching for the SQL service account to be added as log on account to the service

Back on the SQL Server service Properties window, we need to provide the service account password in the two password boxes then hit OK. Choose Yes on the warning that pops-up to restart the SQL service and apply the changes.

Restarting the SQL service for the changes to take effect

And there you have it, our SQL Server service is now running under a domain service account, which is what SCCM wants for us.

View of the SQL service running under a domain account

1.5.3 Setting up memory usage for the SQL instance

We still have one more to go on the SQL Server configuration side, and that is setting up a minimum and maximum memory for the instance to use. For this, we are going to use SQL Management Studio. Once we log in, we need to right-click the server name and choose Properties.

Opening the SQL server instance properties

On the Properties window, click the Memory page then on the right-hand side set a minimum value of 8GB of RAM (which is what SCCM requires) and as a maximum value set it close to what your SQL system has. Since I have 12 GB of RAM on this host, I will set the maximum value to 9 GB and leave something for the system. Click OK when done.

Setting up the minimum and maximum memory the SQL instance can use

1.6 Installing missing features on the SCCM server

The next prerequisite will be WSUS, which is also not mandatory but since we are deploying a single Primary Site which is also our Management Point and Distribution Point site, we need this role. Also, by opening the Add Roles and Features Wizard, it will be a good time to install the rest of the missing features and roles for SCCM not just WSUS.

On the SCCM server open Server Manager and click Manage > Add Roles and Features.

Opening the Add Roles and Features Wizard to install IIS, WSUS, .NET Framework roles

Once at the Select server roles screen, tick the Web Server (IIS) and Windows Server Update Services boxes then click Next.

Selecting IIS and WSUS roles for installation

On the next screen of the wizard select .NET Framework 3.5 Features and all sub-features, Background Intelligent Transfer Service (BITS), Remote Differential Compression and click Next.

Selecting .NET Framework 3.5 and all its roles features for installation

In the IIS Role Services page, scroll down to the bottom, expand Management Tools > IIS 6 Management Compatibility then tick the IIS 6 WMI Compatibility box.

Installing the IIS 6 WMI Compatibility role services for IIS

Since we already have a SQL server deployed, we can use it to store our WSUS database. On the WSUS Role services screen select the SQL Server Connectivity option and continue the Add Roles and Features Wizard.

Choosing the option to use a dedicated SQL server for the WSUS database

Here we tell WSUS where to store the updates. This is a bit misleading in this case since updates will be stored on the so-called SCCM Distribution Point, but we need to set this up so we can continue the wizard.

Providing the path for the WSUS updates store location

On the next screen of the wizard we configure the SQL server for our WSUS instance.

Providing the SQL server name where WSUS will create its database

One other thing that I like to do is to provide a custom path for the .NET Framework 3.5 source files. It is way faster than letting the wizard connect to Microsoft’s update site.

Mount the Windows Server 2019 ISO then click the Specify an alternate source path link at the bottom of the wizard.

Confirmation screen with all the roles and features waiting to be installed

In the Path box type <Windows Server installation media> > sources > sxs and click OK.

Providing a local source for the .NET Framework 3.5 installation files

Click the Install button and let the wizard install all the features and roles we selected. After a few minutes everything should be set up. One important thing is NOT to launch the post-installation tasks of WSUS. The role is configured from SCCM after we finish its installation, so just hit Close here.

Result screen showing that all our roles and features were successfully installed
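
The roles and features selected in the wizard above can also be installed in one pass with Install-WindowsFeature, which makes the step repeatable and easy to verify. This is an added example, not part of the original article; the drive letter D: for the mounted Windows Server 2019 ISO is an assumption, and the feature names are the Server Manager names for the items ticked in the wizard.

```powershell
# Added example (not from the original article).
# Assumption: the Windows Server 2019 ISO is mounted as D: on the SCCM server.
$SxsSource = 'D:\sources\sxs'   # placeholder path to the .NET Framework 3.5 source files

$features = @(
    'Web-Server',               # Web Server (IIS)
    'Web-WMI',                  # IIS 6 WMI Compatibility
    'UpdateServices-Services',  # WSUS services
    'UpdateServices-DB',        # WSUS "SQL Server Connectivity" (database on the SQL server)
    'NET-Framework-Features',   # .NET Framework 3.5 Features
    'NET-Framework-Core',       #   .NET Framework 3.5 (needs the sxs source)
    'NET-HTTP-Activation',      #   HTTP Activation
    'NET-Non-HTTP-Activ',       #   Non-HTTP Activation
    'BITS',                     # Background Intelligent Transfer Service
    'RDC'                       # Remote Differential Compression
)

if (-not (Test-Path -Path $SxsSource)) {
    throw "Source path '$SxsSource' not found. Mount the Windows Server ISO first."
}

# -IncludeManagementTools mirrors the wizard's "Include management tools" checkbox.
# Nothing here runs the WSUS post-installation tasks; SCCM configures WSUS later.
$result = Install-WindowsFeature -Name $features -Source $SxsSource -IncludeManagementTools

if (-not $result.Success) {
    throw 'Install-WindowsFeature reported a failure; review the output above.'
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before re-running the prerequisite checker.'
}

# Verification 1: every requested feature must be in the Installed state.
$missing = Get-WindowsFeature -Name $features | Where-Object { $_.InstallState -ne 'Installed' }
if ($missing) {
    Write-Warning ("Not installed: " + ($missing.Name -join ', '))
}

# Verification 2: the WID database option must not be present next to the SQL option.
$wid = Get-WindowsFeature -Name 'UpdateServices-WidDB'
if ($wid.Installed) {
    Write-Warning 'UpdateServices-WidDB is installed; WSUS was expected to use the remote SQL server.'
}
```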

1.7 Installing Windows ADK

Another SCCM prerequisite that we need to take care of, is the Windows Assessment and Deployment Kit (Windows ADK) which is mandatory as we can see in the prerequisites checker tool. Go and download the latest version of ADK from Microsoft’s website but make sure you download both components of ADK since the Windows PE add-on and ADK were separated starting with version 1809.

View of the ADK web-page showing which packages need to be downloaded

Once both packages are downloaded, let’s run the installation of ADK first by executing adksetup.exe. Right from the start we are given the option to change the installation path of the software, but most of the time the default one will work just fine. Click Next.

Choosing the installation location path of ADK

In the Select the features you want to install screen all we need are the Deployment Tools and the User State Migration Tool options. Select just the two then hit Install.

Selecting the ADK features to install

Now let’s go to our Windows PE ADK add-on and run adkwinpesetup.exe to start the installation wizard. The installer automatically finds where our ADK software was installed and it will set itself up to the same installation path with no possibility to change it. Click Next.

Choosing the installation location path of WinPE ADK

In the features screen, all we have is one option. Click the Install button to begin installing the ADK Windows PE add-on.

Selecting the WinPE ADK features to install

1.8 Installing the SQL Native client

This requirement is an easy and fast one. All we need to do is go and download the SQL Native client installer and run it.

Installing the SQL server native client

1.9 Re-run the Prerequisite Check

Now let’s take a look and see if we have any more warnings or errors in the prerequisite checker. If we click the Run Check button again, after a few minutes we should have a green check mark and a message saying that we have passed all the prerequisites. If you have some warnings or errors, I recommend you treat them first then continue with the deployment.

Re-running the SCCM prerequisite checker to verify for any missing prerequisites

2. Installing System Center Configuration Manager

After a long road of installing and configuring the prerequisites for our SCCM instance, we are finally at the point of deploying it. So go and download the installation media if you don’t have it already, mount the ISO then launch the installer. Once we launch the installer, all we have to do is click the Install button to open the SCCM installation wizard.

Opening the SCCM Setup Wizard

On the Before You Begin page just click the Next button since all the prerequisites are already set up.

The Before You Begin screen of the SCCM Setup Wizard informing us about some of the prerequisites needed

In the next wizard screen we have a few options to choose from on how we want to install SCCM, but since we are deploying just a single primary site, we will go with the default option Install a Configuration Manager primary site. Since I am not a fan of a typical installation, and because we have a dedicated SQL Server for this SCCM instance, we are NOT going to tick the box Use typical installation options for a stand-alone primary site. The second radio button, Install a Configuration Manager central administration site, is there in case we have a large environment with multiple primary sites. This way we centralize them with an administration site. Click Next to continue the wizard.

Selecting to install a Configuration Manager primary site using manual configuration and a dedicated SQL server

Type the product key and set the expiration of your software assurance then hit Next. If you want to evaluate the product just select the first radio button Install the evaluation edition of this product.

Providing the SCCM license key and the expiration of the license assurance

Accept the license agreements and continue the wizard.

Accepting the license terms

This is where the wizard needs to download some prerequisite files from Microsoft that are needed for the installation, but we also have the choice to use previously downloaded files. Since this is our first deployment, we don’t have those files and we need to download them, so select the option Download required files and then, by using the Browse button, provide a directory to store the files.

Folder path to download the SCCM prerequisite packages

In the Server Language Selection page we have the option to install additional languages for our SCCM server which will change the language on the console and reports.

Selecting the languages the SCCM server should run

This wizard screen is similar to the previous one, but this time the installed language(s) will apply to the SCCM clients/agents. Make your selection then click Next.

Selecting the languages the SCCM client should run

Here we have an important box, and that’s the site code box which uniquely identifies this Configuration Manager site in the hierarchy. That’s true, we don’t have much of a hierarchy right now with only one server, but the site code still needs to be present and unique. The site code can have only letters from A to Z and numbers from 0 (zero) to 9 and cannot use the following names since they are reserved for Configuration Manager: AUX, CON, NUL, PRN, SMS, ENV. Make sure you give some thought to what site code you want to type in because it cannot be changed after the installation is done. Type a three letter/number code then move to the Site name box and give this site a name (which will be displayed in the SCCM console).

Providing the SCCM site code and site name

Since this is our first site, and we also don’t have an administration site to join it to, we need to choose the second option Install the primary site as a stand-alone site then continue the wizard. Click Yes on the warning that pops up.

Selecting the option to install the site as a primary stand-alone.

We are now given the option to type in our remote SQL server name, instance and SCCM database. Type your values then click Next.

Providing the remote SQL server name and database name to be created

In the Database information screen we have the option to change the default SCCM database and log files location on the remote SQL server. If you have a dedicated volume for your databases on the SQL server, type the new path here.

Providing the path for the SQL server database and log files

All we have to do here is click Next since we want the SMS provider to be installed on the SCCM server.

Typing in the SCCM provider server, which in our case is the SCCM server

Because we want our clients/agents to be able to communicate with our primary site server, we need to choose the second option here, Configure the communication method on each site system role, and click Next. Going with HTTPS is a little bit complicated and involves deploying certificates to clients and changing some configurations in the SCCM site server(s) that are not always friendly. I will treat this subject in a future article of this SCCM series.

Selecting the communication method with the clients. For the first server this has to be HTTPS until a PKI environment is configured

In the Site System Roles screen we have the options to install the management and distribution points on this server or on a different one. Since we want to start small and grow as our infrastructure grows, we are going to install these two site roles on this server. These can be moved later on to a different site server if needed.

Providing a management point and distribution point which in this case is the SCCM server

In this wizard screen we have no option to configure so click Next to continue.

Diagnostic and Usage Data screen

In order to keep SCCM updated with the latest builds and features, we need to connect to the Microsoft cloud. We can do this here in the wizard or later on after the installation completes. For the sake of this example I will just leave the default option so the wizard can configure the connection.

Connecting to Microsoft’s cloud service in order to get new SCCM updates and releases

And here is a summary of all our configuration through the wizard. Click Next and let the wizard have another prerequisite check.

Summary screen of the SCCM Setup Wizard

Since we already installed and configured all of the prerequisites for this site system installation, we should have an empty list with no errors or warnings. If that’s not the case, please review and fix the errors/warnings before continuing. You can also ask for help in the comments area.

Click the Begin Install button to start the SCCM installation.

SCCM prerequisites checker passing all the prerequisites

Once the installation starts, the wizard will show all the steps that it is doing. We also have a log view button just in case we need more details about the deployment.

View of the SCCM installation progress

Depending on the system, the installation can take anywhere between 40 and 90 minutes and in the end we should have a nice success message. If everything is green, the installation was a success.

View of the SCCM installation completed successfully

And from the Start menu we can open the console and view our first SCCM Primary site system.

View of the SCCM console

 

Summary

In this article we have successfully installed our first SCCM Primary site, which was not that easy if you are just starting to learn the product. Besides the multitude of software prerequisites, we also had to do a lot of configuration. The thing that helps with all of this is the prerequisite checker, which I encourage you to use. Let me know in the comments area how your installation worked.
