Building an SCCM Technical Preview lab

In this modern age of desktop management the rate of change in the management tools is more frequent than ever before.

In order to stay ahead of the curve with SCCM I find it essential to always have an SCCM site stood up using the Technical Preview release, in order to test the new features that Microsoft releases on a regular basis.

In this post I am going to walk you through the process I follow whenever I need to stand up a new SCCM Technical Preview site.

Install SQL

Firstly I need to install SQL on the allocated server. The highest version currently supported by SCCM is SQL 2017, so this is what I will be installing, following the process below:

Mount the SQL ISO file and execute setup.exe

Select to install a new stand-alone installation

Choose to install SQL in Evaluation mode, or enter a product key if you wish to use this environment for more than 180 days

Review and accept the license terms if agreeable

Because I want to ensure we have the latest hotfixes and security updates, select to use Microsoft Update

I can see a warning telling me that the Windows firewall does not have the SQL ports enabled for remote access. In this scenario this is acceptable as all SQL traffic will be hosted on this single server

The only feature required for SCCM is ‘Database Engine Services’, so I select this

Leave the instance configuration as the default configuration

In the Server Configuration section I need to change the SQL Server Database Engine to run using the local SYSTEM account; all other options can be left as the default configuration (be aware that the SQL collation is a critical dependency for SCCM. In SQL 2017 the default collation is the required value of SQL_Latin1_General_CP1_CI_AS, but previous versions of SQL had a different default collation, so double check this and modify if appropriate)

Add any SQL Server Administrators that are required. I also like to change the default Data Directories to a drive other than C as this is SQL best practice, although in a small test environment this is probably not as important

I can now review the options I have chosen through the wizard and click Install

And eventually the installation will complete

Preparing the Server

I can now start to install and configure the various components that SCCM features rely upon for functionality. My preferred method for performing these tasks is the awesome ConfigMgr Prerequisites Tool written by Nickolaj Andersen and available for download at the Microsoft TechNet gallery https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd

Firstly launch the tool and select to install the prerequisites for a Primary site

Now, because I am going to be installing the Management Point and Distribution Point on the same server, we need to navigate to Roles, select Management Point and then Install

Then the same for the Distribution Point role

Now I need to install the Windows ADK. To do this navigate to ADK and click Load. This will query the Microsoft download servers and determine the latest version of the ADK available for download

As you can see Windows 10 1903 is the latest available at the time of writing. Select this and click Install

Then, because Microsoft has now split the main ADK and the WinPE components into two separate downloads, I will also need to select the option with ‘WinPE add-on’ and click Install

Now I need to install WSUS on the server so I can perform testing of the Software Updates component of SCCM, so I navigate to WSUS, leave the option as SQL Server and click

Now that the WSUS installation is complete I need to complete the post-installation options of WSUS. To do this navigate to Post-Install and click Configure. I will need to manually create the folder for WSUS content outside of the tool, and input ‘localhost’ for the server name

Now I need to change the SQL memory configuration. In order to do this I need to provide the tool with the location of the SQL instance where we will be installing SCCM: navigate to Settings, enter ‘localhost’ for the server name and click Connect

I can now navigate to SQL Server, leave the default database memory configuration of 8GB and click configure

I have now completed all of the prerequisites for SCCM, so I can now proceed to installing SCCM
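The two points above where the wizards can silently go wrong are the SQL collation (from the SQL install section) and the SQL memory / WSUS post-install steps that the prerequisites tool performs. The script below is an added example, not part of the original post or of the ConfigMgr Prerequisites Tool: it checks the collation and service account of the local SQL instance, applies the 8GB max server memory setting, and runs the WSUS post-install step with wsusutil.exe. It assumes SQL is the default instance on this server, that the account running it is a SQL sysadmin, and that WSUS is installed in the default location; $WsusContentDir is an assumed folder name.

```powershell
# Added example (not from the original post): post-install checks and tweaks for the
# local SQL instance and WSUS on a single-server SCCM lab. Assumptions: SQL is the
# default instance on this server, the account running the script is a SQL sysadmin,
# and WSUS is installed in the default location. Run elevated.

$SqlInstance    = 'localhost'
$WsusContentDir = 'D:\WSUS'          # assumed content folder; the post creates this by hand
$MaxMemoryMB    = 8192               # the 8GB default the prerequisites tool applies

function Invoke-LabSql {
    # Minimal helper around System.Data.SqlClient so no extra module is required.
    param([string]$Instance, [string]$Query)
    $cs   = "Server=$Instance;Database=master;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $row = @{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) { $row[$reader.GetName($i)] = $reader.GetValue($i) }
            $rows += [pscustomobject]$row
        }
        $reader.Close()
        return $rows
    } finally { $conn.Close() }
}

# 1. Collation and version: SCCM requires SQL_Latin1_General_CP1_CI_AS and setup will refuse anything else.
$props = Invoke-LabSql $SqlInstance @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))      AS Collation,
       CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS ProductVersion
"@
if ($props.Collation -ne 'SQL_Latin1_General_CP1_CI_AS') {
    throw "Collation is '$($props.Collation)'; SCCM requires SQL_Latin1_General_CP1_CI_AS. Reinstall SQL with the correct collation."
}
Write-Host "SQL $($props.ProductVersion) with collation $($props.Collation) - OK"

# 2. Service account: the post runs the Database Engine as the local SYSTEM account.
$svc = Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER'"
Write-Host "Database Engine runs as: $($svc.StartName)"

# 3. Max server memory, the same setting the prerequisites tool applies from its SQL Server page.
Invoke-LabSql $SqlInstance @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $MaxMemoryMB; RECONFIGURE;
"@ | Out-Null

# 4. WSUS post-install against the local SQL instance (the tool's Post-Install button does the same).
New-Item -ItemType Directory -Path $WsusContentDir -Force | Out-Null
$wsusutil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"
& $wsusutil postinstall CONTENT_DIR=$WsusContentDir SQL_INSTANCE_NAME=$SqlInstance
```

If the collation check fails there is no supported way to change it in place; the quickest fix in a lab is to rerun SQL setup with the correct collation before SCCM is installed.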

Installing SCCM

Firstly it is necessary to download the latest Technical Preview build from the Evaluation Center and extract the contents. At the time of writing the latest build available for download is 1907, which we will later upgrade to 1909 through the in-console upgrade process

https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview

After having extracted the files for the latest Technical Preview it is necessary to navigate to the following location, C:\SC_Configmgr_SCEP_TechPreview1907\SMSSETUP\BIN\X64, and run setup.exe

Leave the default to install a Configuration Manager primary site

Accept the three EULAs

Select a location to download the SCCM pre-requisite files

Select any additional languages for the server

And then select any additional languages for the client

Enter a three character site code, a site name and a location to install SCCM

Then modify any SQL settings as necessary (for the options we have chosen so far in this tutorial this is not necessary)

Modify the SQL file locations if necessary

And select the SMS provider server name

Select to only use HTTP for client-server communications

Leave the selection to install the Management Point and Distribution Point on this server

Accept to send usage data to Microsoft (this is not optional in Technical Preview)

Install the Service Connection Point on the local server

Review and confirm the options we have selected

The setup wizard now performs a pre-requisite check and I can see the following screen indicating that I am ready to click Begin Install

The installation will then commence and eventually will complete

This completes the initial installation of SCCM

Updating SCCM

Now that I have the SCCM Technical Preview site up and running, I want to upgrade it to the latest version so I can see all of the cool new features that Microsoft is working on.

To do this I first need to launch the SCCM console and navigate to Administration > Updates and Servicing, where I should see the latest Technical Preview version listed as ready to install. Click on Install Upgrade Pack in the ribbon bar

Note – It may take a while for the latest update to show in the console with the status Ready to Install. This is because the Service Connection Point may take some time to communicate with Microsoft and download the update. Clicking on the ‘Check for Updates’ button will force the process to initiate immediately

I can then see the types of updates that are included in the Upgrade Pack, click

Select any features I want to enable and click Next. I can always enable these features later if they are not selected now

I can then select if I want to upgrade my clients with or without validating on a test collection

Enabling TLS v1.2 support in SCCM

Hi All,

I have recently been working with a customer who had a requirement to disable TLS v1.0 and TLS v1.1, due to the two protocols going end of life and now being considered insecure for communication between servers. This therefore mandates the use of TLS v1.2 in their SCCM environment.

To be clear on our objectives before beginning: TLS is a security protocol for network communication between servers that is utilised by SQL. This particular customer has their SCCM SQL database hosted on a server remote from the SCCM Primary Site server, so it is necessary for TLS to be utilised for communication. If the SQL database was hosted on the same server as the SCCM Primary Site server then this process would not be necessary, as there would be no SQL traffic traversing the network and therefore TLS would not be required.

Note: The following testing was performed with SCCM 1802, Server 2016 and SQL 2016.

Confirm existing state

Firstly, I just want to demonstrate that the existing SCCM Primary site is communicating with the SQL server without any issues.

To verify this I can check the smsexec.log file on the Primary Site server and confirm there are no errors or warnings present.


Disabling TLS v1.0 and TLS v1.1

Now we have confirmed that the existing environment has no pre-existing issues, the first stage in our process will be to disable TLS 1.0 & 1.1 on our Primary Site Server and the SQL server. This will ensure that all communication will be forced to TLS 1.2.

To perform this we will RDP to each of our servers and open the registry editor to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols


We can see here that there are existing keys for SSL 2.0 and SSL 3.0 but not for TLS 1.0 or TLS 1.1, so we need to create them as shown below. In each of the new keys there should be a new DWORD value named ‘Enabled’ with the value set to 0 (i.e. disabling the protocol).

Note: I will not screenshot every registry setting for both servers as this would be repetitive, but trust me, I have created all of them on both servers!
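Creating the SCHANNEL keys by hand on several servers is error prone, so here is the same change as a script. This is an added example, not from the original post: it writes the protocol keys under the Protocols path quoted above and then reports the resulting state for every protocol. It uses the Server and Client subkeys with both Enabled and DisabledByDefault values, which is the standard SCHANNEL layout, whereas the post creates only the protocol key with Enabled=0; it also sets TLS 1.2 explicitly enabled so the intended protocol is not left to the OS default. Run it elevated on both the site server and the SQL server, then restart the affected services as the post describes.

```powershell
# Added example (not from the original post): disable TLS 1.0 and TLS 1.1 via the SCHANNEL
# registry keys on the site server and SQL server. Run elevated on each server, then restart
# the relevant services (the post restarts SMS_EXECUTIVE). The Server\Client subkey layout
# with Enabled and DisabledByDefault values is the standard SCHANNEL layout; the post
# creates only the protocol key with Enabled=0.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 stops SSPI callers opting in to it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelState {
    # One object per protocol/side with the Enabled value; $null means the key is absent and
    # the OS default applies, which is exactly the state the post found for TLS 1.0 and 1.1.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $p) $side
            $val = if (Test-Path $key) { (Get-ItemProperty $key).Enabled } else { $null }
            [pscustomobject]@{ Protocol = $p; Side = $side; Enabled = $val }
        }
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Get-SchannelState | Format-Table -AutoSize
```

Running Get-SchannelState before the change records the starting state, which is useful to keep alongside the change request if the customer later needs to roll back.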


I then restarted the SMS_EXECUTIVE service on the SCCM Primary Site server


And checking again in the smsexec.log file shows that the Primary Site server is now no longer able to communicate with the SQL server


This then verifies that TLS 1.0 and 1.1 are now disabled and that SCCM is not currently able to use TLS 1.2 to communicate with the SQL server. So let's go about fixing that…


Enabling TLS 1.2 support

The SCCM Primary Site does not communicate directly with the SQL server. It uses a locally installed SQL Native Client to perform this communication which is actually installed as a part of the SCCM Primary Site installation process when the SQL server is remotely hosted.

We can see in our log file above that the ‘SQL Server Native Client 11.0’ is the driver being called by SCCM and when checking the installed programs list on the Primary Site server we can see that there is a program named ‘Microsoft SQL Server 2012 Native Client’ and the version is 11.0.2100.60. This is the driver that SCCM is using to communicate with the SQL server despite our SQL server actually running SQL 2016.

Upon checking the following Microsoft article it is apparent that the currently installed version of the Native Client does not support TLS 1.2, and therefore we will need to upgrade the client.

https://support.microsoft.com/en-au/help/3135244/tls-1-2-support-for-microsoft-sql-server

Firstly we will uninstall the existing SQL Native Client using the standard Windows uninstall process.


We then need to install the latest version of the SQL Native Client. This can be downloaded from the following location. The file required is ‘sqlncli.msi’

https://www.microsoft.com/en-us/download/details.aspx?id=52676

I simply installed this MSI using all of the default options so I won’t screenshot each individual step, but we can see that once the installation is complete it still registers in Programs and Features as ‘Microsoft SQL Server 2012 Native Client’, but crucially now the version has been increased to 11.3.6518.0 which is above the minimum version required for TLS 1.2 support.
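Because the product name in Programs and Features does not change between the old and new builds, it is worth checking the version programmatically before restarting the service. The script below is an added example, not from the original post: it reads the installed Native Client version from the uninstall registry keys, compares it against a minimum, and only then restarts SMS_EXECUTIVE. It assumes the driver registers under the uninstall keys with the display name the post shows; $MinimumVersion is set to the build the post reports after upgrading (11.3.6518.0), so check KB3135244 for the exact minimum that applies to your release.

```powershell
# Added example (not from the original post): confirm the installed SQL Native Client build
# before restarting SMS_EXECUTIVE. Assumptions: the driver registers under the uninstall keys
# with the display name the post shows, and $MinimumVersion is the build the post reports
# after upgrading; check KB3135244 for the exact minimum for your release.

$MinimumVersion = [version]'11.3.6518.0'

function Get-SqlNativeClient {
    # Look in both the 64-bit and 32-bit uninstall hives; sqlncli.msi registers as
    # 'Microsoft SQL Server 2012 Native Client' regardless of the build installed.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft SQL Server * Native Client' } |
        Select-Object DisplayName, DisplayVersion
}

$client = Get-SqlNativeClient | Select-Object -First 1
if (-not $client) { throw 'SQL Native Client is not installed; install sqlncli.msi first.' }

$installed = [version]$client.DisplayVersion
if ($installed -lt $MinimumVersion) {
    throw "$($client.DisplayName) $installed is below $MinimumVersion and will not negotiate TLS 1.2."
}
Write-Host "$($client.DisplayName) $installed meets the minimum - restarting SMS_EXECUTIVE"
Restart-Service -Name SMS_EXECUTIVE
```

The version check is the part to keep: the same script run on a CAS or secondary site server tells you immediately whether that server still carries the 11.0.2100.60 build from the original site install.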


Again, another restart of the SMS_EXECUTIVE service will force SCCM to start using the new version of the client.


And we can see in the smsexec.log file that the Primary Site is now able to successfully communicate with the SQL server.


And launching the console, it successfully connects to the SCCM site


At this stage I am happy to say that we have successfully upgraded our SCCM site to be fully TLS 1.2 compliant.

Obviously this process has been performed on the Primary Site server only. If we had either a Central Administration Site or any Secondary Sites in the hierarchy, this process would need to be repeated for those sites too

Please feel free to leave me a comment below

Thank you for reading

Decommission SCCM Distribution Point

Hi all, as discussed in my previous blog post I have been tasked with replacing a client's Distribution Point servers. In that blog post I explained the process for commissioning the new DP servers, and in this post I will document the process for decommissioning the old DP servers.

Fortunately the process of decommissioning old Distribution Point servers is simple. All we need to do is remove the server from SCCM and then shut down the server, so let's go through the steps

  • Locate the server in SCCM console – Open the SCCM console and navigate to Administration -> Site Configuration -> Servers and Site System Roles. Left click on the server you want to delete and confirm in the Site System Roles pane that the system only has the Distribution Point and Site System roles (in this example we are going to be deleting the server sccmdp.testlab.com)

  • Delete the server from SCCM – Right click on the server to be removed and choose the ‘Delete’ option. You will then receive a confirmation dialogue; simply click Yes to confirm the deletion

  • Confirm deletion – You will now see that the old server no longer exists in the SCCM console

At this stage I would wait at least one hour before continuing. This will allow all downloads already in progress to complete, and clients should no longer receive this Distribution Point as an available location for downloading content

  • Shutdown Server – Simply shut down the Operating System by clicking on the Start button and choosing the option to shut down

Complete – it really is that simple!
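The same steps can be scripted with the ConfigurationManager PowerShell module that ships with the admin console, which is handy when there are several old DPs to retire. This is an added example, not from the original post: it confirms the server only holds the Distribution Point and Site System roles (the check the post does by eye in the Site System Roles pane), removes the role and then the site system server, verifies the server is gone, waits the hour the post recommends, and finally shuts the OS down. $SiteCode is a placeholder for your site code, the DP name is the one the post uses, and it assumes the console is installed so SMS_ADMIN_UI_PATH is set and the account has the rights to delete site systems.

```powershell
# Added example (not from the original post): decommission a DP with the ConfigurationManager
# module. Assumptions: $SiteCode is a placeholder for your site code, $OldDp is the DP's FQDN
# (the post uses sccmdp.testlab.com), and the admin console is installed on this machine.

$SiteCode = 'PS1'                     # placeholder site code
$OldDp    = 'sccmdp.testlab.com'
$Drain    = [TimeSpan]::FromHours(1)  # the wait the post recommends before shutdown

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# 1. Confirm the server exists and only holds the DP and site system roles before removing anything.
$server = Get-CMSiteSystemServer -SiteSystemServerName $OldDp -SiteCode $SiteCode
if (-not $server) { throw "$OldDp not found in site $SiteCode" }

$roles = Get-CMSiteRole -SiteSystemServerName $OldDp -SiteCode $SiteCode |
    Select-Object -ExpandProperty RoleName
$unexpected = $roles | Where-Object { $_ -notin 'SMS Distribution Point', 'SMS Site System' }
if ($unexpected) { throw "Refusing to delete: $OldDp also hosts $($unexpected -join ', ')" }

# 2. Remove the DP role and then the site system server (the console's Delete does both).
Remove-CMDistributionPoint -SiteSystemServerName $OldDp -SiteCode $SiteCode -Force
Remove-CMSiteSystemServer  -SiteSystemServerName $OldDp -SiteCode $SiteCode -Force

# 3. Confirm deletion.
if (Get-CMSiteSystemServer -SiteSystemServerName $OldDp -SiteCode $SiteCode) {
    throw "$OldDp is still present in site $SiteCode"
}
Write-Host "$OldDp removed from site $SiteCode; waiting $($Drain.TotalMinutes) minutes for in-progress downloads"

# 4. Let in-progress downloads finish, then shut the OS down.
Start-Sleep -Seconds $Drain.TotalSeconds
Stop-Computer -ComputerName $OldDp -Force
```

The role check is the safeguard worth keeping even if you prefer the console: a DP that has quietly picked up another role (a state migration point, say) should not be deleted with this one-line process.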

Commission new SCCM Distribution Point server

Hi all, in today’s post I am going to explain a task that one of my customers asked me to undertake on their behalf. They currently have multiple dedicated Distribution Points in their existing SCCM environment running Windows Server 2008 R2 and wish to migrate these servers to Windows Server 2016.

In this guide we will be using the latest version of SCCM; at the time of writing this is SCCM Current Branch, build 1610.

At a high level the steps we will be performing are:

  1. Preparing the server
  2. Adding the new server to the SCCM console
  3. Verify Installation
  4. Assign and obtain content from new Distribution Point

Note: It is possible to perform an in-place upgrade of the OS on a DP, but in this guide we will be standing up a new DP server. In a separate blog post I will explain the process for decommissioning the old DPs, which would need to be performed to complete my task.

1. Preparing the new server:

  1. Install the Operating System – In this guide we will be using Windows Server 2016, but the process will be the same for other Server OSs
  2. Ensure the new server is named appropriately – it is not possible to reuse the old host name, so make sure you give the new server a new name. Note: In this guide we will name our new server SCCMDP
  3. Assign a second disk to the server – This step isn’t essential, but it is considered good practice to keep the Windows installation and the SCCM Content Library on separate partitions at least, to avoid any possible conflicts. In this guide we will assign the new disk the letter D
  4. Domain join the new server – it is not essential for the server to be joined to the same domain as the SCCM site server, but if not there must be a trust relationship between the two domains. In this guide we will use the domain testlab.com
  5. Install latest updates on Server – As always, I would recommend taking this opportunity to ensure the new server is fully patched per your organization’s patching policy
  6. Install the Distribution Point pre-requisites – Using Server Manager, install the required Roles and Features for the Distribution Point role (as documented on Microsoft TechNet here)
  7. Add the SCCM site server to local admins – The SCCM site server account needs to be added to the local Administrators group on the new server; this can either be the account itself or a group containing the site server
  8. Create NO_SMS_ON_DRIVE.SMS file – Later in this guide we will provide a drive letter for SCCM to use to create the Content Library; however, if this drive then becomes full the library will start using available space on the server’s other drives. It is not desirable for the Content Library to spill onto the same drive as the Operating System, so to prevent this an empty file named NO_SMS_ON_DRIVE.SMS should be created in the root of C: (more information on this process can be found on the TechNet site here)
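Steps 6 to 8 above are the ones that are easy to get subtly wrong by hand (a missing IIS component, the wrong account in Administrators, a NO_SMS_ON_DRIVE.SMS file with content in it), so here they are as a script to run on the new server. This is an added example, not from the original post: it installs the Windows features, adds the site server's computer account to local Administrators, and creates the marker file on the system drive. It assumes the content disk is already online as D:, that $SiteServerAccount is a placeholder for the site server's computer account, and that the feature list is the commonly documented DP prerequisite set (IIS with ISAPI extensions, Windows authentication, IIS 6 metabase and WMI compatibility, plus RDC); the post only links to the list, so confirm it against the TechNet page before relying on it.

```powershell
# Added example (not from the original post): scripted server preparation for the new DP
# (Windows Server 2016). Assumptions: the content disk is already online as D:, the site
# server's computer account is the placeholder below, and the feature list is the commonly
# documented DP prerequisite set; confirm it against the TechNet page the post links.

$SiteServerAccount = 'TESTLAB\SCCMPRIMARY$'   # placeholder: the site server's computer account
$ContentDrive      = 'D:\'

# 1. Roles and features for the Distribution Point role.
$features = 'Web-Server', 'Web-ISAPI-Ext', 'Web-Windows-Auth', 'Web-Metabase', 'Web-WMI', 'RDC'
$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw 'Feature installation failed' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before adding the DP role' }

# 2. Site server account into the local Administrators group (idempotent: skip if already present).
$member = Get-LocalGroupMember -Group 'Administrators' -Member $SiteServerAccount -ErrorAction SilentlyContinue
if (-not $member) { Add-LocalGroupMember -Group 'Administrators' -Member $SiteServerAccount }

# 3. Content drive must exist, and the OS drive gets the empty NO_SMS_ON_DRIVE.SMS marker so the
#    content library never spills onto it when the primary location fills up.
if (-not (Test-Path $ContentDrive)) { throw "$ContentDrive is not available; attach the content disk first" }
$marker = Join-Path "$env:SystemDrive\" 'NO_SMS_ON_DRIVE.SMS'
New-Item -ItemType File -Path $marker -Force | Out-Null
if ((Get-Item $marker).Length -ne 0) { throw "$marker must be empty" }

Write-Host "Prerequisites installed, $SiteServerAccount is a local admin, marker created at $marker"
```

Reboot if Install-WindowsFeature reports a restart is needed; the site server's remote installation of the DP role will otherwise fail on IIS components that are not yet active.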

OK, so we have now prepared our server and are ready to add the SCCM Distribution Point role

2. Adding the new Distribution Point to SCCM console

  1. Open the SCCM console – Open the SCCM console from any server and ensure that you log on using an account that has permissions to create new site servers (‘Full Administrator’ will have this ability)
  2. Navigate to Servers and Site System Roles – Once in the SCCM console, navigate to Administration -> Site Configuration -> Servers and Site System Roles
  3. Create Site System Server – From the ribbon bar select ‘Create Site System Server’ and enter the FQDN of our new Distribution Point server. Also select the site in which the Distribution Point is to reside
  4. Specify Internet proxy server – Our Distribution Point server will not be contacting the Internet directly, so there is no need to specify a proxy server here
  5. Specify roles for this server – Here is where we specify the role we will be adding to our new server; obviously we want to choose Distribution Point
  6. Specify distribution point settings – On this page I recommend selecting the ‘Install and configure IIS if required by Configuration Manager’ option, as this will verify that IIS is configured correctly for the role. Configure any other settings as required in your environment
  7. Specify drive settings for this distribution point – On this page we need to change our ‘Primary content library location’ and ‘Primary package share location’ to the D drive; this ensures that both package types will be created on the D drive initially. Unfortunately it is not possible to disable the secondary locations, so SCCM will attempt to use another drive once the free space on the primary location drive drops below the 50MB specified, but the NO_SMS_ON_DRIVE.SMS file we created earlier stops this from consuming space on the C drive and filling the OS drive
  8. Specify settings to configure a pull distribution point – We will not be using a pull Distribution Point in this guide, so leave this option disabled
  9. Specify settings to install operating systems by using PXE boot – In this guide we will not be configuring PXE booting for our new Distribution Point. This can be configured later if required
  10. Specify multicast settings for operating system deployment – In this guide we will not be configuring multicast for our new Distribution Point. This can be configured later if required
  11. Specify the content validation settings – On this page we are going to enable the content validation feature but leave the default schedule of every Saturday at 12am. This will ensure that the content on the DP is validated on a regular basis
  12. Specify the boundary groups to associate with this site system – This page allows for assigning this new Distribution Point to a specific Boundary Group, meaning only clients in that Boundary Group can obtain content from the Distribution Point. If a Boundary Group is not specified then the content is available to all clients regardless of their Boundary Group. We will use the default Boundary Group
  13. Complete wizard – The summary and progress pages are then displayed. Simply skip through these

We have now completed the installation of our new Distribution Point, so we are in a position to proceed with verifying the installation and ensuring content can be assigned to it successfully

3. Verify Installation

Now that we have installed our new Distribution Point we need to ensure that the installation was successful and that content can be assigned

  1. Check Distribution Point Status – In the SCCM console browse to Monitoring -> Distribution Status -> Distribution Point Configuration Status. Our new Distribution Point should now show in the list and have a green tick

Note: In my lab the Distribution Point initially displayed with a red cross. This was because SCCM tries to distribute the 4 SCCM client packages to all DPs in the hierarchy. Unfortunately, the site server attempts this before the installation of the DP role is complete, so initially the packages failed. SCCM does automatically retry failed packages every 30 mins, and the client packages succeeded on the first retry

  2. Check file structure on the Distribution Point – On our new Distribution Point you should now see the content library folder structure created on the D drive

After performing these checks I am happy that the DP installation has been verified and it is ready for use


4. Assign and obtain content from new Distribution Point

Now that we have created the new Distribution Point we need to verify that clients can use it as a download location, to ensure it is operational. To do this we will assign an application to the DP and then check the download logs from a client to ensure it is using our new DP as the source location

  1. Assign content to Distribution Point – Using the SCCM console I am going to distribute the content of an existing Application to my new DP. To do this, navigate to Software Library -> Application Management -> Applications, select the desired application and click Distribute Content from the ribbon bar. You will then need to complete the wizard, ensuring you select the new Distribution Point on the ‘Specify the content destination’ page
  2. Verifying content distribution – I can first see that the content is being processed, as the pie chart shows yellow for my only Distribution Point
  3. Eventually the status will change to success and the pie chart will show as green; this may take some time for larger applications
  4. Verify using log file (optional) – I can also verify the successful distribution of the application source files from the distmgr.log file on the SCCM site server. This is not necessary if the distribution is successful, but if errors are encountered this is the log file that will assist with diagnosing the issue
  5. Download content from client – Now we know the content is available on our new Distribution Point, we can start a client download by manually executing the application on a workstation and checking the DataTransferService.log file to ensure the new DP is being used as the source location

This now proves that the new DP is serving content to clients successfully so we can continue to assign any additional content to the Distribution Point and be sure that clients will be able to access the content successfully.
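Reading DataTransferService.log in CMTrace is fine for one client, but when checking several workstations it helps to parse the log and pull out the source DP of each download. The script below is an added example, not from the original post: it parses CMTrace-format lines, extracts the host the client downloaded from, and reports whether the new DP appears. The three log lines are constructed samples in the CMTrace layout (the message wording is illustrative, not copied from a real log); the DP name SCCMDP.testlab.com is the one this guide uses, and $LogPath is an assumed location to point at the real file.

```powershell
# Added example (not from the original post): parse CMTrace-format DataTransferService.log
# lines and report which DP served each download. The sample lines are constructed for
# illustration; set $LogPath to a real client log to run it against live data.

$NewDp   = 'SCCMDP.testlab.com'
$LogPath = 'C:\Windows\CCM\Logs\DataTransferService.log'   # assumed default client log location

$SampleLog = @'
<![LOG[DTSJob {1A2B} created to download from 'http://OLDDP.testlab.com/SMS_DP_SMSPKG$/Content_1' to 'C:\Windows\ccmcache\1'.]LOG]!><time="10:01:02.000+000" date="01-01-2017" component="DataTransferService" context="" type="1" thread="100" file="dtsjob.cpp:100">
<![LOG[DTSJob {3C4D} created to download from 'http://SCCMDP.testlab.com/SMS_DP_SMSPKG$/Content_2' to 'C:\Windows\ccmcache\2'.]LOG]!><time="10:05:02.000+000" date="01-01-2017" component="DataTransferService" context="" type="1" thread="100" file="dtsjob.cpp:100">
<![LOG[DTSJob {3C4D} successfully completed download.]LOG]!><time="10:05:30.000+000" date="01-01-2017" component="DataTransferService" context="" type="1" thread="100" file="dtsjob.cpp:200">
'@

function ConvertFrom-CMTraceLine {
    # Splits one CMTrace line into message/time/date/component/type; returns nothing for other lines.
    param([string]$Line)
    if ($Line -match '<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"') {
        [pscustomobject]@{
            Date = $Matches.date; Time = $Matches.time; Component = $Matches.comp
            Type = [int]$Matches.type; Message = $Matches.msg
        }
    }
}

function Get-DownloadSources {
    # Returns one object per download job with the host name the client pulled content from.
    param([string[]]$Lines)
    foreach ($entry in ($Lines | ForEach-Object { ConvertFrom-CMTraceLine $_ })) {
        if ($entry.Message -match "download from 'https?://(?<host>[^/]+)/") {
            [pscustomobject]@{ Date = $entry.Date; Time = $entry.Time; SourceDp = $Matches.host; Message = $entry.Message }
        }
    }
}

# Use the real log when present, otherwise the constructed sample so the script runs anywhere.
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog -split "`r?`n" }

$sources = Get-DownloadSources -Lines $lines
$sources | Format-Table Date, Time, SourceDp -AutoSize
if ($sources.SourceDp -contains $NewDp) {
    Write-Host "Client has downloaded content from $NewDp"
} else {
    Write-Warning "No downloads from $NewDp found; check boundary group assignment and distribution status"
}
```

Against the sample data the table shows one download from OLDDP.testlab.com and one from SCCMDP.testlab.com, and the final check reports success. A client that keeps showing only the old DP after the new one is in its boundary group is the signal to recheck step 12 of the wizard.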