Part 7: Software Update Point & SCUP (With HTTPS)

If you’re looking to manage patches with SCCM, and let’s face it, why wouldn’t you be, then you’ll need to install the software update point role. In this post we’ll install and configure everything you need to get started, including System Center Updates Publisher (SCUP), which lets you publish non-Microsoft updates through SCCM.

In Part 3: Prep & Pre-reqs we installed WSUS, so let’s get to configuring everything.



Part 6: Upgrading SCCM Current Branch

Now that you have ConfigMgr set up it’s time to upgrade it to the latest version. This is a relatively straightforward process and applies to all versions of current branch from 1511 onward. In the last post I installed 1606 so that’s what we’ll be using.

NB: You must have the service connection point installed and configured to upgrade; it is what downloads the update packages into the console.

At a glance:

  1. Confirm no operational issues with SCCM sites
  2. Review the new version’s requirements; 1702, for example, removes support for Windows Server 2008 site systems, so you will need to upgrade those to 2012 or 2016 before upgrading the site.
  3. Patch, patch, patch!
  4. Uninstall any deprecated site system roles before upgrading
  5. Disable database replicas for management points on all primary sites (if you’re using them)
  6. Disable maintenance tasks
  7. Run Pre-req check for update
  8. Backup DBs (CAS and Primary)
  9. Test DB Backups
  10. Backup any custom .mof files
  11. Restart all Site Systems
  12. Upgrade
  13. Deploy new SCCM Admin Console
  14. Reconfigure DB Replicas
  15. Upgrade Clients
  16. Reconfigure clients
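Steps 8 to 10 of the checklist in PowerShell, as an added example that is not from the original post. It takes a copy-only, checksummed backup of the site database, verifies it with RESTORE VERIFYONLY (step 9 is the one that usually gets skipped) and keeps a copy of the hardware inventory configuration.mof. It assumes the default SQL instance on the primary site server, site code P01 from Part 5 (so database CM_P01), the SqlServer/SQLPS module that SSMS installs, and install and backup folder paths that are my choice for illustration rather than the post’s.

```powershell
# Added example (not from the original post). Assumptions: default SQL instance on this
# server, site code P01 -> database CM_P01, Invoke-Sqlcmd available (SqlServer/SQLPS module
# from SSMS); the install folder and backup folder below are chosen for illustration.
$siteCode   = 'P01'
$installDir = 'D:\Program Files\Microsoft Configuration Manager'   # assumption
$backupDir  = 'D:\Backup\PreUpgrade'                                # assumption
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Backup-CMDatabase {
    param([string]$SiteCode, [string]$Path)
    $bak = Join-Path $Path "CM_$SiteCode-$stamp.bak"
    # COPY_ONLY keeps this ad hoc backup out of the chain used by the scheduled site backup task;
    # CHECKSUM makes SQL validate each page as it is written rather than at restore time.
    Invoke-Sqlcmd -ServerInstance . -QueryTimeout 0 -ErrorAction Stop -Query @"
BACKUP DATABASE [CM_$SiteCode] TO DISK = N'$bak'
WITH COPY_ONLY, CHECKSUM, INIT, COMPRESSION, STATS = 10;
"@
    $bak
}

function Test-CMBackup {
    param([string]$BakFile)
    # RESTORE VERIFYONLY reads the whole backup and re-checks the page checksums; it throws if
    # the file is unreadable or corrupt, which is exactly what step 9 wants to know.
    try {
        Invoke-Sqlcmd -ServerInstance . -QueryTimeout 0 -ErrorAction Stop `
            -Query "RESTORE VERIFYONLY FROM DISK = N'$BakFile' WITH CHECKSUM;"
        $true
    } catch {
        Write-Warning "Backup failed verification: $($_.Exception.Message)"
        $false
    }
}

function Backup-CMCustomMof {
    param([string]$InstallDir, [string]$Path)
    # configuration.mof in the hinv inbox is where custom hardware inventory classes live;
    # setup can overwrite it, so keep a copy to diff and re-apply after the upgrade.
    $mof = Join-Path $InstallDir 'inboxes\clifiles.src\hinv\configuration.mof'
    Copy-Item -Path $mof -Destination (Join-Path $Path "configuration-$stamp.mof") -ErrorAction Stop
}

$bak = Backup-CMDatabase -SiteCode $siteCode -Path $backupDir
if (-not (Test-CMBackup -BakFile $bak)) { throw 'Do not upgrade on an unverified backup.' }
Backup-CMCustomMof -InstallDir $installDir -Path $backupDir
Get-ChildItem $backupDir | Select-Object Name, Length, LastWriteTime
```

In a hierarchy with a CAS, run the same thing against the CAS database as well; the script only knows about the stand-alone primary built in this series.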


Part 5: Installing SCCM 1606

So far in the series we’ve stood up all the infrastructure and configured the prerequisites for SCCM, so let’s set it up now.

  1. Download SCCM 1606 here.
  2. Run the prerequisite checker from the mounted media – M:\SMSSETUP\BIN\X64\Prereqchk.exe /AdminUI. Note that /AdminUI only checks the console prerequisites; the site server, SQL and SMS Provider checks run when you use the /PRI switch together with /SQL and /SDK, and the setup wizard repeats them at step 22 anyway.
  3. Run splash.hta
  4. Click Install
  5. Click Next
  6. Select Install a Configuration Manager Primary Site and click next.
  7. Enter a serial key if you have one otherwise select eval.
  8. Accept the terms and click next
  9. Select a download location and click next
  10. Select language and click next
  11. Select supported languages and click next, I like to check support for all languages on mobile devices.
  12. Set the site code, site name and installation folder, which should be the SCCM volume you created earlier.
    1. Site Code – P01
    2. Site name – Primary site 1
    3. Installation folder – D:\Program Files…..
  13. As this is the first primary site select install standalone primary site
  14. Define SQL server details, my SQL instance is local.
  15. Confirm locations are correct and click next
  16. Specify the FQDN and click next
  17. Select the option to configure the client communication method on each site system role manually; we’ll set up HTTPS communication later.
  18. Specify server name and click next.
  19. Review usage data and click next
  20. Choose to install the service connection point on this server and click next; the in-console upgrades in Part 6 depend on it.
  21. Review install summary and click next
  22. Confirm all pre-reqs have been met and click Begin install
  23. Confirm all features installed successfully
  24. You’re done for now!


Part 4: Installing SQL 2016

In the previous posts we’ve setup the lab and done the prep work for the SCCM Primary site. In my lab I’m installing SQL on the same server as the Primary Site server (SCCM-P01). There’s a fair bit of healthy debate as to whether it’s better to co-host or have a dedicated standalone SQL server. I’ve done both and can say that in my experience any performance improvement is negligible for the size environments I’ve seen it in.

So let’s get to it, jump on the server you’re going to install SQL on.

  1. Download SQL Server Standard, I’m using 2016. You can use any of the versions listed here.
  2. Run Setup.exe
  3. Click New Installation
  4. Enter product key details and click next.
  5. Accept license terms and click next
  6. Check Use Microsoft Update and click next
  7. Check all updates and click next
  8. Review pre-req check and click next
  9. Check Database Engine Services and Reporting Services and change the feature installation directory to the SQL directory, mine’s ‘E:\’
  10. Specify an instance, I’m using the default.
  11. Set the SQL Server Database Engine and SQL Server Agent services to run as the service account created for SQL earlier, ‘SA_SCCM_SQL’, with Automatic startup; the SQL Server Browser can stay as it is, since a default instance on a fixed port 1433 doesn’t need it.
  12. Select the Collation tab and set it to ‘SQL_Latin1_General_CP1_CI_AS’. This is critical: any other collation is unsupported by Microsoft, can fail the ConfigMgr installation and can block later ConfigMgr updates, and it cannot be changed without reinstalling the instance, so get it right here.
  13. Add SCCM Server Admins to the SQL Server administrators list (this grants sysadmin, so keep that group small).
  14. Under the Data Directories tab, point the user database directory at the SQL database volume (E:\) and the user database log directory at the log volume (G:\), the disks created in Part 3.
  15. Under the TempDB tab, change the TempDB data directory to your TempDB volume (F:\) and its log directory to the log volume (G:\).
  16. On Reporting Services select install only
  17. Click Install
  18. Confirm all components installed successfully
  19. Register the SPNs for the SQL service account by running the following commands as a domain admin (or an account delegated write access to servicePrincipalName on that user). -S checks that the SPN isn’t already registered on another account before adding it; a duplicate SPN is the classic reason Kerberos silently falls back to NTLM or fails outright:
    setspn -S MSSQLSvc/SCCM-P01:1433 LAB\SA_SCCM_SQL
    setspn -S MSSQLSvc/SCCM-P01.lab.local:1433 LAB\SA_SCCM_SQL


  20. SQL 2016 doesn’t install Management Studio as part of setup, so you need to download and install it manually. You can download it here.
  21. Click Install
  22. Click Close
  23. Configure Memory allocation
  24. Open SQL Server Management Studio (with an account that has admin rights to your SQL instance)
  25. Right click the server in object explorer and select properties
  26. Select Memory and change the minimum to 8192 and the maximum to 12288 MB. The maximum should be roughly 80% of the server’s RAM (those numbers assume a 16 GB VM), leaving the rest for the OS and the site server components. SQL will grow to that figure and hold it, so give this VM static memory in Hyper-V rather than the dynamic memory used for the other VMs.
  27. Open SQL Server Configuration Manager
  28. Browse SQL Server Network Configuration>Protocols for your instance, right click TCP/IP>Properties
  29. On the Protocol tab set Enabled to Yes (leave Listen All at Yes)
  30. Select the IP Addresses tab
  31. Under IP1, the server’s static address, set Enabled to Yes
  32. Leave the other IP entries and IPAll as they are apart from the port settings in the next step
  33. Under IPAll clear TCP Dynamic Ports and set TCP Port to 1433; ConfigMgr needs a static port, and 1433 is what the firewall rule from Part 3 and the SPNs above assume
  34. Restart the SQL Server service
  35. Ready for ConfigMgr!
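A post-install check for steps 11 to 34, as an added example that is not from the original post. It reads back the collation, sizes SQL’s memory from the actual RAM instead of hard-coding it, confirms which account the services run as, checks the two SPNs, and then does the test that actually proves the SPNs work: a TCP connection to the FQDN should report KERBEROS, not NTLM. It assumes the default instance on the local server, Windows authentication, the SCCM-P01.lab.local name and LAB\SA_SCCM_SQL account from the post, and Invoke-Sqlcmd from the SqlServer/SQLPS module that SSMS installs.

```powershell
# Added example (not from the original post). Assumptions: default instance on this server,
# Windows auth, names and service account as used in the post, Invoke-Sqlcmd available.
$sqlServer   = 'SCCM-P01'
$sqlFqdn     = 'SCCM-P01.lab.local'
$serviceAcct = 'LAB\SA_SCCM_SQL'

function Test-CMSqlCollation {
    # Step 12: anything other than SQL_Latin1_General_CP1_CI_AS means reinstalling the instance.
    $c = (Invoke-Sqlcmd -ServerInstance $sqlServer `
            -Query "SELECT CONVERT(sysname, SERVERPROPERTY('Collation')) AS Collation").Collation
    if ($c -ne 'SQL_Latin1_General_CP1_CI_AS') { Write-Warning "Unsupported collation: $c" }
    $c
}

function Set-CMSqlMemory {
    # Step 26: cap SQL at ~80% of physical RAM so the OS and site server keep the rest.
    # min is reset to 0 first so lowering max on a re-run cannot fail with min > max.
    $totalMB = [math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $maxMB   = [math]::Floor($totalMB * 0.8)
    $minMB   = [math]::Min(8192, $maxMB)
    Invoke-Sqlcmd -ServerInstance $sqlServer -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'min server memory (MB)', 0; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $maxMB; RECONFIGURE;
EXEC sp_configure 'min server memory (MB)', $minMB; RECONFIGURE;
"@
    [pscustomobject]@{ TotalMB = $totalMB; MinMB = $minMB; MaxMB = $maxMB }
}

function Get-CMSqlServiceAccounts {
    # Step 11: Engine and Agent should run as the domain service account; Browser need not be Automatic.
    Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT' OR Name='SQLBrowser'" |
        Select-Object Name, StartName, StartMode, State
}

function Test-CMSqlSpn {
    # Step 19: both SPNs must sit on the service account. setspn -X (not run here) finds duplicates forest-wide.
    $registered = setspn -L $serviceAcct
    foreach ($spn in "MSSQLSvc/${sqlServer}:1433", "MSSQLSvc/${sqlFqdn}:1433") {
        $present = [bool]($registered -match [regex]::Escape($spn))
        if (-not $present) { Write-Warning "Missing SPN, register with: setspn -S $spn $serviceAcct" }
        [pscustomobject]@{ SPN = $spn; Registered = $present }
    }
}

function Test-CMSqlPort {
    # Steps 28-33: static TCP 1433 reachable on the FQDN.
    (Test-NetConnection -ComputerName $sqlFqdn -Port 1433 -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Get-CMSqlAuthScheme {
    # The real test of the SPNs: a TCP connection to the FQDN should authenticate with KERBEROS.
    # NTLM here means the SPN is missing, duplicated, or on the wrong account.
    $scheme = (Invoke-Sqlcmd -ServerInstance "tcp:$sqlFqdn,1433" `
        -Query "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID").auth_scheme
    if ($scheme -ne 'KERBEROS') { Write-Warning "Connection used $scheme, not Kerberos" }
    $scheme
}

Test-CMSqlCollation
Set-CMSqlMemory
Get-CMSqlServiceAccounts
Test-CMSqlSpn
Test-CMSqlPort
Get-CMSqlAuthScheme
```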

Part 3: Prep & Pre-reqs

In this post I’m going to set up all the prerequisites for SCCM and SQL. I’ll cover the install of SQL and ConfigMgr in the following articles.

  1. Create a new Virtual Machine with the below
    • Name: SCCM-P01
    • Generation: 2
    • Startup Memory: 1024
    • Use Dynamic memory for this VM: Yes
    • Connection: vNet External
  2. I’ve allocated 8vCPUs to my SCCM VM.
  3. Add the following disks to the VM:
    • D:\ – SCCM (200GB)
    • E:\ – SQL Databases (50GB)
    • F:\ – SQL TempDB (50GB)
    • G:\ – SQL Logs (50GB)
  4. Install Windows Server 2016 Standard
  5. Set a static IP address, mines
  6. Give your server a name, mines SCCM-P01
  7. Join the lab domain
  8. Initialize all of the extra Hard Drives and format the SQL volumes with 64K allocation unit size
  9. Create the following service accounts. They are plain domain users with long random passwords set to never expire; none of them needs to be a Domain Admin, each gets only the rights its role requires later (SA_SCCM_SQL runs the SQL services in Part 4, the domain join account only needs rights to create computer objects in the target OU):
    • SA_SCCM_SQL
    • SA_SCCM_SQLReporting
    • SA_SCCM_NetworkAccess
    • SA_SCCM_Client
    • SA_SCCM_DomainJoin
  10. Create the following groups in AD
    • SCCM Server Admins
    • SCCM Servers
  11. Add your server to the newly created AD group ‘SCCM Servers’
  12. Delegate Full Control on the System container in Active Directory to the group ‘SCCM Servers’. Be aware that the site server only needs Full Control of the System Management container (created in step 17) and its descendants; Full Control of the whole System container is more than ConfigMgr needs, so outside a lab grant it on System Management only.
  13. Create a GPO for your SCCM server, mines in lab.local\Member Servers\SCCM
  14. Create the following inbound firewall rules in the GPO, Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Inbound. Scope them to the lab subnet rather than Any where you can; the two Analysis Services ports are not needed by this build because Part 4 installs only the Database Engine and Reporting Services.
    • Port (TCP) – 1433 (SQL Server)
    • Port (TCP) – 1434 (SQL dedicated admin connection, only if you enable remote DAC)
    • Port (TCP) – 4022 (SQL Service Broker, used between sites)
    • Port (TCP) – 135 (RPC endpoint mapper)
    • Port (TCP) – 2383 (SQL Analysis Services)
    • Port (TCP) – 2382 (SQL Analysis Services redirector)
    • Port (TCP) – 80 (HTTP site roles)
    • Port (TCP) – 443 (HTTPS site roles, once Part 7 moves to HTTPS)
    • Port (UDP) – 1434 (SQL Browser)
    WSUS, installed in step 19, listens on 8530/8531 by default; add those when the software update point is configured in Part 7.
  15. Create an empty file in SYSVOL called ‘no_sms_on_drive.sms’ and copy it to the root of C:\ using Group Policy Preferences in the SCCM GPO. ConfigMgr skips any drive containing this file when it chooses where to put the content library and distribution point content, which keeps that off the OS volume.
  16. Extend AD Schema on DC01
    1. Login with an account with Schema Admins rights.
    2. Mount ConfigMgr ISO on
    3. Open PowerShell as an administrator and run .\SMSSETUP\BIN\X64\extadsch.exe from the root of the mounted ISO
    4. Open C:\ExtADSch.log (written to the root of the system drive) and confirm the schema has been successfully extended.
  17. Create System Management Container.
    1. Open ADSI Edit
    2. Right Click System container>New>Object
    3. Select Container and click Next.
    4. Enter ‘System Management’ exactly and click next.
    5. Right click on System Management Container and select Properties and then select the Security tab.
    6. Add your primary SCCM server’s computer account and delegate Full Control.
    7. Click Advanced
    8. Select the site server and click Edit.
    9. Under applies to select This object and all descendant objects.
  18. On your SCCM primary site server open PowerShell as an administrator and run the following to install the prerequisite roles and features. The -Source share is only needed for .NET Framework 3.5, which isn’t in the default image; point it at the sources\sxs folder of your Server 2016 media.
    Install-WindowsFeature -Name Web-Windows-Auth, Web-ISAPI-Ext, Web-Metabase, Web-WMI, BITS, RDC, `
        NET-Framework-Features, Web-Asp-Net, Web-Asp-Net45, NET-HTTP-Activation, NET-Non-HTTP-Activ `
        -Source \\yournetwork\yourshare\sxs


  19. Install Windows Server Update Services (WSUS); Part 7 configures it as the software update point.
  20. Install Windows ADK
    1. Download ADK from here
    2. Run ADKsetup.exe
    3. Change installation directory to your SCCM volume and click next.
    4. Select the below features and click Install.
    5. Once completed restart your server.
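Steps 9 to 12 and 17 from PowerShell, as an added example that is not from the original post. Run it from a machine with the ActiveDirectory RSAT module as a domain admin. It creates the service accounts as ordinary users with AES-only Kerberos, creates the groups, creates the System Management container and grants the site server’s computer account Full Control on that container and its descendants only, then reads the ACL back so you can see what was actually granted. It assumes the domain the session is joined to, the site server name SCCM-P01 from the post, and the post’s account names plus SA_SCCM_SQL, which Part 4 expects to exist.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory module present,
# run as a domain admin in the lab domain, site server computer object SCCM-P01 already joined.
Import-Module ActiveDirectory
$domainDN   = (Get-ADDomain).DistinguishedName
$dnsRoot    = (Get-ADDomain).DNSRoot
$siteServer = 'SCCM-P01'

function New-CMServiceAccounts {
    param([string[]]$Names)
    foreach ($n in $Names) {
        if (Get-ADUser -Filter "SamAccountName -eq '$n'") { continue }
        # Plain users, no extra group membership. AES-only so the service tickets for these
        # accounts cannot be requested as RC4 (the easy Kerberoast case).
        New-ADUser -Name $n -SamAccountName $n -UserPrincipalName "$n@$dnsRoot" `
            -AccountPassword (Read-Host -AsSecureString "Password for $n") -Enabled $true `
            -PasswordNeverExpires $true -CannotChangePassword $true `
            -KerberosEncryptionType AES128, AES256
    }
}

function New-CMGroupsAndMembership {
    foreach ($g in 'SCCM Server Admins', 'SCCM Servers') {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
        }
    }
    Add-ADGroupMember -Identity 'SCCM Servers' -Members (Get-ADComputer $siteServer)
}

function New-CMSystemManagementContainer {
    # Step 17: the container, then Full Control for the site server on it and its descendants.
    # That is everything the site server needs to publish site data; nothing on CN=System itself.
    $systemDN = "CN=System,$domainDN"
    $smDN     = "CN=System Management,$systemDN"
    if (-not (Get-ADObject -Filter "Name -eq 'System Management'" -SearchBase $systemDN -SearchScope OneLevel)) {
        New-ADObject -Name 'System Management' -Type container -Path $systemDN
    }
    $acl = Get-Acl -Path "AD:\$smDN"
    $sid = (Get-ADComputer $siteServer).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$smDN" -AclObject $acl
    # Read it back: expect the computer account with GenericAll, InheritanceType All.
    (Get-Acl -Path "AD:\$smDN").Access |
        Where-Object { $_.IdentityReference -like "*\$siteServer$" } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

New-CMServiceAccounts -Names 'SA_SCCM_SQL', 'SA_SCCM_SQLReporting', 'SA_SCCM_NetworkAccess',
                             'SA_SCCM_Client', 'SA_SCCM_DomainJoin'
New-CMGroupsAndMembership
New-CMSystemManagementContainer
```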

Part 2: Certificate Authority (Server 2016)

The next step is to stand up a CA. This is optional; some reasons why you might want a CA for SCCM:

  • HTTPS – You need all SCCM communication to be encrypted
  • TDE – You need to encrypt your databases, MBAM for example
  • MDM – You want mobile devices to use certificates to authenticate instead of requiring credentials for company resources like mail and Wi-Fi.

In my lab I’m going to implement a two-tier Certificate Authority: an offline RootCA and a subordinate CA which will be co-hosted on my primary Domain Controller (DC01). That co-hosting is a lab shortcut only. An enterprise CA on a domain controller means a CA compromise is a domain compromise, and the CA can never be moved without demoting the DC, so in production put the issuing CA on its own member server. For some more details on planning production CA architecture see Securing PKI: Planning a CA Hierarchy.

  1. Create a new Virtual Machine with the below config:
    Name: RootCA
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
    Note: This server MUST NOT be joined to your domain, and in production it should not be on the network at all. The point of an offline root is that its key only ever signs the subordinate CA certificate and the occasional CRL, with files moved by removable media.
  3. Set a static IP address, mines
  1. Give your server a name, mine’s RootCA.
  2. In Server Manager click Manage>Add Roles and Features
  3. Under Server Roles tick Active Directory Certificate Services and click Next.
  4. Click Next until you get to Role Services.
  5. Select Certificate authority and click Next.
  6. Click Install
  7. Under Server Manager click the flag> Configure Active Directory Certificate Services.
  8. Make sure you’re using the administrator account.
  9. Select Certificate Authority and click Next.
  10. Select Standalone CA and click Next.
  11. Select RootCA and click Next.
  12. Select create a new private key and click next.
  13. Leave the default cryptography (RSA 2048 with SHA256 on Server 2016) and click next. Anything is fine as long as it isn’t SHA-1, which is no longer accepted for certificate signatures; for a root that will live 20 years a 4096-bit key is a reasonable step up.
  14. Change the common name, I’m using RootCA, and click next.
  15. Increase validity period to 20 years and click next.
  16. Leave the certificate database in the default location and click next.
  17. Click Configure
  18. Confirm configuration successful.
  19. Open Regedit and increase the REG_DWORD ‘ValidityPeriodUnits’ to ‘20’. This caps the lifetime of anything the root issues, which here means the subordinate CA’s certificate. It is located here:
  20. Open PowerShell and run the following commands. The root isn’t domain joined, so this tells it which AD paths to write into the certificates it issues; restart the CA service afterwards:
    certutil -setreg ca\DSConfigDN "CN=Configuration,DC=lab,DC=local"
    certutil -setreg ca\DSDomainDN "DC=lab,DC=local"
  21. Launch Certificate Authority from Server Manager
  22. Right Click RootCA>Properties
  23. Browse to the Extensions tab.
  24. Add a new CRL Distribution Point extension – http://DC01/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl and tick Include in the CDP extension of issued certificates. Plain HTTP is correct here: CRLs are signed, and an HTTPS CDP would need a certificate whose own revocation check points back at the CDP. DC01 only resolves inside the lab; in production use a DNS name every relying party can reach, never the offline root’s own name.
  25. Select ‘C:\Windows…’ CRL Distribution Point and select Publish CRLs to this location only.
  26. Under Select extension change to AIA.
  27. Add a new AIA – http://DC01/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt and tick Include in the AIA extension of issued certificates.
  28. In Certificate Authority right click Revoked Certificates>Properties
  29. Change the CRL publication interval to 20 years. That is normal for an offline root, which only comes online to re-sign its CRL, but it also means revoking the subordinate CA means bringing the root up and publishing a new CRL early.
  30. In Certificate Authority right click Revoked Certificates>All Tasks>Publish
  31. Click Next.
  32. Copy the files in C:\Windows\System32\CertSrv\CertEnroll (the root certificate and CRL) to \\DC01\C$\Windows\System32\CertSrv\CertEnroll, so the web enrollment site on DC01 serves them at the CDP and AIA URLs configured above.
  33. Now Jump on DC01 and install Certificate Authority
  34. Under Role Services, select Certificate Authority and Web Enrollment point.
  35. Install the roles and features.
  36. Under Server Manager click the flag> Configure Active Directory Certificate Services.
  37. Make sure you’re using an account with Enterprise Administrator rights and click Next.
  38. Select Certification Authority and Certification Authority Web Enrollment point and click next.
  39. Select Enterprise CA and click next.
  40. Select Subordinate CA and click next.
  41. Select create a new Private Key and click Next.
  42. Leave the default cryptography and click next.
  43. Give the subordinate CA a common name, mine’s SubCA.
  44. Save a certificate request to the local machine.
  45. Finish the Installation with the remaining defaults.
  46. Copy the certificate back to RootCA
  47. On RootCA open Certificate Authority and right click on RootCA>All Tasks>Submit new request.
  48. Browse to the req file.
  49. Select Pending requests and right click on the pending request>All tasks>Issue
  50. Select Issued Certificates and open the certificate just issued
  51. Click Copy file
  52. Select Cryptographic Message Syntax Standard and tick Include all certificates in the certification path if possible.
  53. Export file to C:\SubCA.p7b
  54. Copy the file back to Dc01
  55. On DC01 Open Certificate Authority>All Tasks Install CA Certificate and browse to the SubCA.p7b
  56. Click Ok to the warning.
  57. Start the CA service, you should get a green tick as per below.
  58. Export the RootCA certificate and deploy it to the Trusted Root Certification Authorities store on all domain members via Group Policy. The subordinate’s certificate is published to AD automatically when it installs as an enterprise CA; only the offline root needs distributing by hand.
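The registry settings from steps 19, 20 and 29 and the publishing and verification that step 58 implies, as an added example that is not from the original post. It has two parts, one run on RootCA and one on DC01 after the copy in step 32. The DC01 part publishes the root certificate and CRL into AD (an alternative to the Group Policy deployment in step 58), fetches the CDP and AIA URLs as an HTTP client would, and runs certutil -verify -urlfetch against the SubCA certificate, which is the check that catches a CDP name clients can’t resolve or a root CRL that never got copied. It assumes the names RootCA, SubCA, DC01 and lab.local from the post, and the default file names AD CS generates (<ServerDNSName>_<CaName>.crt and <CaName>.crl), which is an assumption.

```powershell
# Added example (not from the original post). Assumptions: CA names RootCA and SubCA, host DC01,
# domain lab.local, CertEnroll copied to DC01 in step 32, default AD CS file names.

# ---- Run on RootCA (stand-alone, not domain joined): steps 19, 20 and 29 ----
function Set-RootCAPolicy {
    # Maximum lifetime of certificates this root issues (i.e. the SubCA cert) and of its CRL.
    certutil -setreg ca\ValidityPeriodUnits 20
    certutil -setreg ca\ValidityPeriod 'Years'
    certutil -setreg ca\CRLPeriodUnits 20
    certutil -setreg ca\CRLPeriod 'Years'
    # No domain to look these up in, so tell the root what to write into issued certificates.
    certutil -setreg ca\DSConfigDN 'CN=Configuration,DC=lab,DC=local'
    certutil -setreg ca\DSDomainDN 'DC=lab,DC=local'
    Restart-Service certsvc
    certutil -crl    # republish the CRL with the new period (step 30)
}

# ---- Run on DC01 after the copy in step 32 ----
$certEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'

function Publish-RootCAToAD {
    # Root certificate into the AD trust stores and the root CRL into the CDP container, so
    # every domain member picks them up on its next autoenrollment pulse (an alternative to
    # pushing the certificate by Group Policy in step 58).
    $rootCert = Join-Path $certEnroll 'RootCA_RootCA.crt'   # <ServerDNSName>_<CaName>.crt
    $rootCrl  = Join-Path $certEnroll 'RootCA.crl'          # <CaName>.crl
    certutil -dspublish -f $rootCert RootCA
    certutil -dspublish -f $rootCrl RootCA
    certutil -pulse
}

function Test-CdpReachable {
    # The URLs from steps 24 and 27, fetched the way a client doing revocation checking would.
    foreach ($u in 'http://DC01/CertEnroll/RootCA.crl', 'http://DC01/CertEnroll/RootCA_RootCA.crt') {
        try   { $status = (Invoke-WebRequest -Uri $u -UseBasicParsing).StatusCode }
        catch { $status = $_.Exception.Message }
        [pscustomobject]@{ Url = $u; Status = $status }
    }
}

function Test-SubCAChain {
    # Walks the chain and fetches every CDP/AIA URL embedded in the SubCA certificate.
    # A non-zero exit or an ERROR line means clients will fail revocation checking too.
    $subCert = Get-ChildItem $certEnroll -Filter '*_SubCA.crt' | Select-Object -First 1
    $output  = certutil -verify -urlfetch $subCert.FullName
    $ok = ($LASTEXITCODE -eq 0) -and -not ($output -match 'Revocation check failed|ERROR:')
    [pscustomobject]@{ Certificate = $subCert.Name; ChainValid = $ok }
}

Publish-RootCAToAD
Test-CdpReachable
Test-SubCAChain
```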

Part 1: Hyper-V, Networks, DC, DNS

This post will really only be applicable where you are running this up at home or a lab. Please don’t use this as guidance on building a production domain…

Some details on my hypervisor spec –

CPU – Intel Xeon E5-1650 @ 3.5GHz
RAM – 64GB
C:\ – 256GB SSD
V:\ – 1TB SSD


  1. Install Windows Server 2016 Datacenter, media can be downloaded here.
  2. Set a static IP address, mines as it’s sitting on my home network.
  3. Give your server a name, mines HV01 as in hypervisor 1.
  4. Install Hyper-v, open PowerShell and run the below:
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart


  5. Open Hyper-V Manager
  6. Open Hyper-V Settings
  7. Change Virtual Hard Disks to ‘V:\Hyper-V\Virtual Hard Disks’
  8. Change Virtual Machines to ‘V:\Hyper-V\Virtual Machines’
  9. Open Virtual Switch Manager
  10. Select New virtual network switch, external and click Create Virtual Switch
  11. Give it a name and select external network.
  12. Install data deduplication, open PowerShell and run the below:
    Import-Module ServerManager
    Add-WindowsFeature -name FS-Data-Deduplication


  13. In Server Manager browse to File and Storage Services>Volumes
  14. Right click on the volume you’re storing your VM’s on, ‘V:’ in my case and select ‘Configure data deduplication’.
  15. Change Data Deduplication to Virtual Desktop Infrastructure and then click Set Deduplication Schedule.
  16. Configure an appropriate schedule, mines pretty aggressive because it’s a lab and I’m not fussed when it runs.
  17. Install all Windows Updates
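The host settings from steps 5 to 16 and a helper for the Gen 2, dynamic-memory VM build that steps 1 to 3 of every server in this series repeat (DC01 and DC02 below, RootCA in Part 2, SCCM-P01 with its four data disks in Part 3), as an added example that is not from the original post. It also includes the guest-side disk initialisation from Part 3 step 8. It assumes the V: volume and the switch name ‘vNet External’ from the post; the physical adapter name, OS disk size and ISO path are assumptions.

```powershell
# Added example (not from the original post). Assumptions: V: is the VM volume, the external
# switch is called 'vNet External', the host NIC is named 'Ethernet', OS disks are 80 GB.

# ---- Host: steps 5-16 ----
Set-VMHost -VirtualHardDiskPath 'V:\Hyper-V\Virtual Hard Disks' -VirtualMachinePath 'V:\Hyper-V\Virtual Machines'
New-VMSwitch -Name 'vNet External' -NetAdapterName 'Ethernet' -AllowManagementOS $true
Install-WindowsFeature FS-Data-Deduplication
Enable-DedupVolume -Volume 'V:' -UsageType HyperV    # the GUI's "Virtual Desktop Infrastructure" profile

function New-LabVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Cpu = 2,
        [string]$Switch = 'vNet External',
        [string]$IsoPath,                   # Windows Server 2016 media, if you want it attached
        [hashtable]$DataDisksGB = @{}       # e.g. @{ SCCM = 200; SQLDatabases = 50 }
    )
    $vhdRoot = (Get-VMHost).VirtualHardDiskPath
    $os = Join-Path $vhdRoot "$Name-OS.vhdx"
    $vm = New-VM -Name $Name -Generation 2 -MemoryStartupBytes 1GB -SwitchName $Switch `
                 -NewVHDPath $os -NewVHDSizeBytes 80GB
    Set-VMMemory -VMName $Name -DynamicMemoryEnabled $true
    Set-VMProcessor -VMName $Name -Count $Cpu
    if ($IsoPath) {
        Add-VMDvdDrive -VMName $Name -Path $IsoPath
        Set-VMFirmware -VMName $Name -FirstBootDevice (Get-VMDvdDrive -VMName $Name)
    }
    foreach ($d in $DataDisksGB.GetEnumerator()) {
        $path = Join-Path $vhdRoot "$Name-$($d.Key).vhdx"
        New-VHD -Path $path -SizeBytes ([int64]$d.Value * 1GB) -Dynamic | Out-Null
        Add-VMHardDiskDrive -VMName $Name -Path $path
    }
    $vm
}

function Initialize-LabDataDisks {
    # Run INSIDE the guest (Part 3 step 8): every raw disk becomes one GPT/NTFS volume with a
    # 64 KB allocation unit, which matches the 64 KB extents SQL Server reads and writes.
    param([char[]]$DriveLetters = @('D', 'E', 'F', 'G'))
    $raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Sort-Object Number)
    for ($i = 0; $i -lt $raw.Count -and $i -lt $DriveLetters.Count; $i++) {
        Initialize-Disk -Number $raw[$i].Number -PartitionStyle GPT -PassThru |
            New-Partition -UseMaximumSize -DriveLetter $DriveLetters[$i] |
            Format-Volume -FileSystem NTFS -AllocationUnitSize 65536 -Confirm:$false | Out-Null
    }
}

# The series' VMs: plain domain controllers and root CA, then the site server with its data disks.
New-LabVM -Name 'DC01'
New-LabVM -Name 'DC02'
New-LabVM -Name 'RootCA'
New-LabVM -Name 'SCCM-P01' -Cpu 8 -DataDisksGB @{ SCCM = 200; SQLDatabases = 50; SQLTempDB = 50; SQLLogs = 50 }
```

Because SCCM-P01 hosts SQL, switch it to static memory once it is built (Set-VMMemory -DynamicMemoryEnabled $false with a fixed -StartupBytes); SQL’s max server memory setting in Part 4 assumes the RAM it sees is really there.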

Domain Controller 1

  1. Create a new Virtual Machine with the below
    Name: DC01
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
  3. Set a static IP address, mines
  4. Give your server a name, mines DC01 as in Domain Controller 1
  5. Install Active Directory Domain Services, DNS, open PowerShell and run the below:
    Install-WindowsFeature AD-Domain-Services, DNS


  6. In Server Manager click on the flag and run Promote this server to a domain controller.
  7. Select Add a new forest and enter a domain name and click Next.
  8. Enter a password and click Next.
  9. Click Next.
  10. Set an NetBIOS name and click next.
  11. Configure locations, I’m using the defaults.
  12. Review options and click Next.
  13. Review pre-requisite check and click install.
  14. Server will be restarted
  15. Launch DNS from Server Manager
  16. Select DC01>Forwarders>Edit
  17. Enter Google or another external DNS server, I’m using then hit enter.
  18. Confirm you can resolve your new domain with nslookup.

Domain Controller 2

  1. Create a new Virtual Machine with the below
    Name: DC02
    Generation: 2
    Startup Memory: 1024
    Use Dynamic memory for this VM: Yes
    Connection: vNet External
  2. Install Windows Server 2016 Standard
  3. Set a static IP address, mines
  4. Give your server a name, mines DC02 as in Domain Controller 2
  5. Join the server to your newly created domain
  6. Install Active Directory Domain Services, DNS, open PowerShell and run the below:
    Install-WindowsFeature AD-Domain-Services, DNS


  7. In Server Manager click on the flag and run Promote this server to a domain controller.
  8. Select Add a domain controller to an existing domain, enter your domain name and click Next.
  9. Enter a password and click next.
  10. Click Next
  11. Click Next
  12. Set paths and click Next
  13. Review config and click next.
  14. Confirm pre-reqs are met and click install.
  15. Confirm you can resolve your new domain with nslookup.
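The DC01 forest build and the DC02 promotion from PowerShell, with the DNS check that both sections finish with, as an added example that is not from the original post. Instead of a bare nslookup it resolves the _ldap._tcp.dc._msdcs SRV records, which is what domain members actually use to find a DC, and confirms both DCs registered theirs. It assumes the domain name lab.local and NetBIOS name LAB used elsewhere in the series; the forwarder address is a placeholder for whichever resolver you use.

```powershell
# Added example (not from the original post). Each section runs on the machine named in its
# comment, at the point in the procedure where the post does the same step by hand.
# Assumptions: domain lab.local / LAB; 8.8.8.8 is a placeholder forwarder.

# ---- DC01: new forest (steps 5-17) ----
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSForest -DomainName 'lab.local' -DomainNetbiosName 'LAB' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# ...server reboots; then the forwarder:
Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru

# ---- DC02: join, then promote into the existing domain (steps 5-14) ----
Add-Computer -DomainName 'lab.local' -Credential (Get-Credential 'LAB\Administrator') -Restart
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController -DomainName 'lab.local' -InstallDns `
    -Credential (Get-Credential 'LAB\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# ---- Either DC: the check behind "confirm you can resolve your new domain" ----
function Test-DcRecords {
    param([string]$Domain = 'lab.local', [string[]]$Expected = @('DC01', 'DC02'))
    # Members locate DCs through these SRV records, so missing ones mean a DC that will not be used.
    $srv   = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $found = $srv | Where-Object Type -eq 'SRV' | ForEach-Object { ($_.NameTarget -split '\.')[0] }
    $missing = $Expected | Where-Object { $_ -notin $found }
    if ($missing) { Write-Warning "No DC SRV record for: $($missing -join ', ')" }
    [pscustomobject]@{ Domain = $Domain; Found = $found; AllPresent = (-not $missing) }
}

Test-DcRecords
```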

Windows Server 2012 Hyper-V Best Practices (In Easy Checklist Form)