Are there instructions for SCCM?

This article details SCCM instructions.

Table of Contents:

Installing the Admin Console

Adding the required Certificate to a managed endpoint

Turning on auto discovery/Adding Computers.

Installing the Client to an endpoint

Configure your User Application Catalog

Adding a Computer to a Collection

Special considerations when creating an application.

Deploying an MSI

Deploying an .EXE

Removing Inactive Clients

Running a Report

Subscribe to a Report

How to configure a State Migration Point

How to use the prerequisite checker

How to set up Automatic Deployment Rules

 

NOTE: Prior to managing your endpoints, you will need to apply the appropriate GPO to the OU your machines are in to ensure that the appropriate certificates are installed.

 

Installing the Admin Console

1.  Navigate to https://uofi.app.box.com/v/sccmcb and download the console folder.

2.  Double-click on "ConsoleSetup.exe" to start the installer

3.  Click "next"


4.  Enter the site-server name and click next.


5.  Select the path where you would like the client installed or click "next" to accept the default 


6.   Click "install" to start installation.


7.  Click "Finish" to complete installation.

Adding the required Certificate to a managed endpoint

In order to manage your endpoints with SCCM, they are required to have the appropriate certificate installed.  To automatically install the correct certificate, please link the GPO labeled "SCCM 2016 - Client Settings" to the OU where your client's computer object exists in Active Directory or configure an existing GPO to enable the setting that allows "Auto enrollment of certificates".

 

Turning on Auto Discovery/Adding Computers

NOTE:  The recommended way to add machines to SCCM is via autodiscovery.

1.  In the admin console, click on "Administration".


2.  Click on "Hierarchy Configuration" and then "Discovery Methods"


3.  Right-click on "Active Directory System Discovery" for your site and select "Properties".


4.  Check "Enable Active Directory System Discovery" and click "OK".  From this screen, you can also edit and add "Active Directory Containers".  This setting tells SCCM which OUs to get the endpoints from.  We will configure it initially for you, but you may edit this setting as you see fit.


5.  Click "OK". 

 

MANUAL ADDING:

1.  Right-Click on "Devices" and select "import Computer information"


2. Select "Import Single Computer" and click "Next"


NOTE:  Alternatively, you can choose to manually add multiple computers using a file.

3.  Enter the Computer Name and MAC Address of the machine and click "Next".


4.  If everything appears correct, click "next" on the "Data Preview" screen.


5.  Click next on the "Choose Target Collection" screen or click "Add" to add this machine to a collection.


6.  On the final screen, click "Next" to add the machine.


 

NOTE:  For PXEboot, import computers by name with the MAC Address. 

 

 

Installing the Client

1.  In the admin console, left-click on devices


2.  Right-click on the computer and select "Install Client"


 

Configure your User Application Catalog

1. In System Center Configuration Manager, click on "Administration".


2. Click on "Client Settings".


3.  Click on "Create Custom Client Device Settings".

NOTE: Alternatively, you can edit existing Custom Client Device Settings.  If creating new Custom Device Settings, be sure to enter a name and description.


4.  On the General Tab, check Computer Agent. The computer agent tab will then appear.


5.  Click on the Computer Agent Tab.


6.  On the computer agent tab, click the button that says "Set Website ...".


7.  In the value drop down box, select your primary site (for example, SCCM-PS05.ad.uic.edu (use internet FQDN)).


8.  Click "OK". 

9.  Click on the "Add default Application Catalog Website to Internet Explorer trusted site zones" dropdown and select "yes".


10.  Click "OK"

NOTE: You may add other settings to this policy if you would like.

11.  Deploy that policy to an OU that has a test machine in it. We recommend making a test collection with just that machine.

12.   Wait an hour or so for the client policy to get applied, or force it by using the control panel applet on the local machine.

13. Try to access the site by clicking on the “Open the Application Catalog website” link in the Software Center client.  If everything works correctly, then deploy to a non-test collection as needed.
 

 

 

 

Adding a Computer to a Collection

1.  Browse to the collection you need to add a client to.

2.  Right click the collection and select “Add Resources”.

 

 

 

3.  Make sure “System Resource” is selected as the Resource type (it should be by default).

4.  Type in the name (or part of the name) of the computer you want to add to this collection.  Click Search.

 


5.  Select the correct machine and click "Add".


 

6.  Click "OK". 

7.  Now, update the policy on your client to finish the deployment.

 

Adding multiple computers to a collection using PowerShell

PowerShell can be used to add multiple computers to a collection.  Below is a simple PowerShell script that adds every computer named in a text file to a collection and logs the names that could not be added.

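$collectionName = "<name of the target collection>"
$computers = Get-Content "<path to text file containing list of computer names>"
$errorLog = "<path to text file to write errors to>"

foreach ($computer in $computers) {
   try {
      # -ErrorAction Stop turns cmdlet errors into terminating errors so the catch block runs
      $device = Get-CMDevice -Name $computer -ErrorAction Stop
      # Get-CMDevice returns nothing for an unknown name; treat that as a failure too
      if (-not $device) { throw "No device record found" }
      Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collectionName -ResourceId $device.ResourceID -ErrorAction Stop
   }
   catch {
      "Invalid client or direct membership rule may already exist: $computer" | Out-File $errorLog -Append
   }
}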

Special considerations when creating an application.

Prior to deployment:

1.  Right-click the application.
2.  Select "Properties".
3.  Click the "Deployment Types" tab.
4.  Click on the deployment type (do this for every deployment type).
5.  Click "Edit".
6.  Click the "Content" tab.
7.  Check "allow client to use distribution points from the default site boundary group".
8.  For "Deployment options", select "Download content from distribution point and run locally".
9.  Click "OK".
 

 

Deploying an MSI

Overview

  1. Create a new Application
  2. Create a target Collection
  3. Create a Deployment
  4. Monitor the Deployment status

I will assume you can handle downloading and storing the installation file by yourself, so I will begin with creating the new Application in Configuration Manager. Let's dive in.

 

Create a new application

  1. Store the source .MSI package file in a folder which is shared over the network. (You can only select content for making an Application deployment if it can be accessed via a UNC path reference, so drive letters are not allowed.)

  2. In the Configuration Manager  Administrator Console (hereinafter referred to as the "Admin Console"), expand "Software Library" in the left-hand panel. Right-click on "Applications" and select "Create Application".

  3. Accept the default selection, and click the "Browse" button to locate and select the .MSI package file. Make sure you navigate to the source folder location using the UNC path, not by using a drive letter. Once selected, click Next. Click Next again on the confirmation page.

  4. On the "General Information" page, fill-in the form fields to describe the application as best as you can. The more information you provide, the more it can help with future tasks. Note that you do not need to append MSIEXEC user-interface options, such as "/q" or "/qn" since CM will do that automatically later in the process. In addition, the "Installation behavior" option allows you to target a User, a Device ("System") or a combination of the two; however, for this example I'm going to target a Device Collection, so I've chosen "System".

  5. On the confirmation page, click Next to continue. After the Application is created, click the Close button.

  6. Once the Application is created, click the "Deployment Types" tab at the bottom to see the results. Unlike a "Package" in CM 2007, an Application can have multiple Deployment Types, allowing you to configure actions relating to specific Operating Systems or Devices.

      

Staging the application content

The next step in the process is to make sure the Application content is placed where clients can access it when they're instructed to use it. This is referred to as "Distributing Content". Basically, the files associated with the Application are copied to selected Distribution Point servers, either explicitly, or by way of Distribution Point Groups. For this example, I will Distribute the content to a selected Distribution Point.

  1. Right-click on the Application you just created, and select "Distribute Content". This will allow you to stage the installation binaries and related files on your Distribution Point servers so that clients can access it when executing the installation requests.

  2. On the Content options page, accept the content confirmation and click Next to continue.

  3. On the Content Destination page, click the Add button to select the target Collection, Distribution Point server, or Distribution Point Groups, to stage the Application content. In this example, I've selected an individual Distribution Point server. Once you select all of the desired content locations, click OK and then click Next to continue.

  4. Check the boxes for each desired Distribution Point and click OK to continue.  

  5. On the Summary page, click Next to continue. After a few seconds a progress bar will show the content begin copying to the Distribution Point.
  6. When the content has finished distribution, you will see the Confirmation page. Click Close to finish. The next step is to target the Application to desired Users or Devices (computers, etc.).

Deploying the application

If you already have a target Collection created, you can skip this step, as I'm only showing this to illustrate that I have a Direct Membership Device collection for use in targeting the Application "Deployment" in the next step.

  1. In the "Software Library" section of the Admin Console, under Applications, right-click on your new Application once again, and this time select "Deploy".
  2. Since I am deploying to a Device Collection, select "Device Collections" at top-left, and then select the appropriate target Collection on the right, and click OK, then click Next. You can just as well target a User Collection or a Query-based User or Device Collection. This is only for demonstration. 
  3. Once you have selected the Software (Application) and the Collection, you now have the option of entering some comments to describe this particular Deployment if you desire. After this, click Next to continue.

  4. Confirm the Distribution Point selections, or click Add to select additional Distribution Points or Distribution Point Groups if desired, and click Next to continue. 
  5. On the Deployment Settings page, select "Install" for the Action, and for the Purpose select "Required". If you aren't familiar with "Available" and "Required", you can think of them as synonymous with "Published" and "Assigned" as it pertains to Group Policy software installations. The first option makes the package available for users to choose when to install it. The second option runs the installation without requesting any approval or interaction from the users. For this example, I'm leaving the three checkboxes alone. I recommend reading up on each of them and testing them yourself to see if they benefit you within the context of your environment.

  6. On the Scheduling options page, you can specify a date and time for the Deployment to begin, as well as setting a specific deadline date. For this example I chose "As soon as possible", and then click Next to continue.

  7. Since I am deploying this installation to computers, I don't want it to interrupt the users, nor do I want it to display any prompts during the process. For this reason, select "Hide in Software Center and All Notifications". If you have specific Maintenance Windows in place, you should carefully consider the remaining three options; however, for this example, I'm leaving them as shown, and then click Next.

  8. On the Alerts settings page, you should select the first two threshold options so that you can properly monitor the Deployment when it becomes active. The default values are usually sufficient, but you may want to adjust them to suit your needs. If you are using System Center Operations Manager 2012, you may want to use the last two options, but I've skipped them for this exercise.

  9. On the Summary page, click Next to continue.

  10. After the progress bar finishes, you should see a successful Confirmation. Click Close.
  11. Click on the Application once again, and this time select the "Deployments" tab at the bottom. This will show all of the current Deployment configurations you have created for this Application. At this point, there should only be one Deployment for this Application.

From this point, you should now have an active Deployment which clients will begin evaluating and executing, as long as they are members of the target Collection and they meet any optional Global Conditions you may have set on the Deployment.

Monitoring the deployment

Now that the Application is in Deployment, the next step is to monitor its progress. Click on the Monitoring section in the Admin Console, and select Deployments. From here you can view the current status of each Deployment and see successes and failures. You can also drill-down into each status indicator to view more detail if needed.


Deploying an .EXE

Basic process

  1. Create/Edit/Test the Installation Script
  2. Create a new Application
  3. Create a Deployment
  4. Monitor the Deployment status

I’m not going to spend time on step 1 since this is really about the deployment aspects, so let's dive in.

Create a new Application

  1. Store the source files in a folder which is shared over the network. (You can only select content for making an Application deployment if it can be accessed via a UNC path reference, so drive letters are not allowed.)

  2. In the SCCM 2012 Administrator Console (hereinafter referred to as the "Admin Console"), expand "Software Library" in the left-hand panel. Right-click on "Applications" and select "Create Application". You can also click the "Create" button at the top-left end of the ribbon menu, and click the "Application" sub-option.
  3. Select "Manually specify the application information", and click Next to continue.

  4. On the "General Information" page, fill-in the form fields to describe the application as best as you can. The more information you provide, the more it can help with future tasks. Note that this is not specifying the script itself, but rather it describes the application. When finished, click Next to continue.

  5. On the "Application Catalog" page, specify the language and localization options. If you have online documentation to refer your users to, you can enter the URL or UNC path for providing access to it. You can also provide additional information if desired, such as Localized description, and keywords for catalog searching. Click Next to continue.

  6. On the "Deployment Types" page, click "Add".
  7. On the "General Information" page of the Deployment Type, select "Script Installer" from the "Type" drop-down list, and click "Next". Enter the Name and (optionally) Administrator comments, as well as selecting the default Language options. Click Next to continue.
  8. Specify the UNC path for the "Content Location" field, then click "Browse" to locate and select the installation script file.

  9. On the “Content” page, click Browse and select the script file to use for the Deployment. If you have an “uninstall” script (and you really should), specify that as well. When finished, click Next to continue.
     
  10. On the "Detection Method" page, if you want to create a detection rule, click the "Add Clause" button, and specify the properties to tell Configuration Manager whether or not the application has already been installed on a given client. In this example, I want to check for the existence of the "hwinventory.accdb" file in the default folder path. This step is not mandatory, but it is usually a good idea to instruct Configuration Manager on how to detect custom application bundles so it can track inventory accurately. When finished, click "Next" to continue.

  11. On the "User Experience" page, specify how you wish to deploy this application (per user, per device or mixed). In the example, I chose to deploy to the Device (computer), and have it install regardless of whether a user is actively logged on or not. Click Next to continue.

  12. On the "Requirements" page, you can specify any hardware or operating system requirements, however in this example I have no such requirements. Click Next to continue.
  13. On the "Dependencies" page, I am specifying that the client needs to have Microsoft Access 2010 installed. This is so it can properly handle opening the Access database file which is the core component of this "application" bundle. I could also specify the Access 2010 Runtime client, or even the entire Microsoft Office 2010 suite, since there is an Excel spreadsheet included. When finished, click Next to continue.

  14. Click Next to accept the confirmations and summary, and then click the Close button after the Application is created.

  15. Once the Application is created, click on it and review its properties to verify everything is as you expect it to be.

Staging and deploying the content

The next step in the process is to make sure the installation files are placed where clients can access them when needed. 

The Deployment process is the same as with a .MSI or .EXE application. You can make the Deployment “available” or “required”, as well as having it install based upon a user logon or not.

From this point, you should now have an active Deployment which clients will begin evaluating and executing, as long as they are members of the target Collection and they meet any optional Global Conditions you may have set on the Deployment.

Monitoring the Deployment

Now that the Application is in Deployment, the next step is to monitor its progress. Click on the Monitoring section in the Admin Console, and select Deployments. From here you can view the current status of each Deployment and see successes and failures. You can also drill-down into each status indicator to view more detail if needed.

Removing Inactive Clients

NOTE: By default, a client is marked as inactive if it hasn’t completed one of the following within seven days:

  • Requested a policy update
  • Sent a hardware inventory
  • Sent a heartbeat message

1.  Locate the device in devices.


2. Right click on it and select "Delete"


 

Running a report

1.  Connect to your Primary Site in Configuration Manager (e.g. SCCM-PS01.ad.uic.edu)

2.  Click on monitoring


3.  Click on "reporting"


4.  Click on "reports"


5.  Click on the folder for the type of report you want to run.

NOTE:  "Installed Applications" gets scanned by hardware inventory, not software inventory. Software inventory is for specific file types.


6.  Right-click on the report and select "run"


7.  Enter requested information and click "view report"


NOTE:  If you click on "values" you may be presented with a list of acceptable parameters.

 

Creating a Subscription to Run a Report on a Schedule

You can "subscribe" to a report to have it run regularly and automatically emailed to you.

1.  Connect to your Primary Site in Configuration Manager (e.g. SCCM-PS01.ad.uic.edu)

2.  Click on monitoring


3.  Click on "reporting"


4.  Click on "reports"


5.  Click on the folder for the type of report you want to run.


6. Right-click on the report and select "create subscription"


7. Enter the following information:

      Report delivered by: E-mail

      To:  <yournetID>@uic.edu

      Cc:  Can be left blank.  Otherwise enter the email address of the person you want to receive a copy.

      Bcc: Can be left blank.

      Reply-to:  Can be left blank.

      Subject: Enter a subject for the email.

      Priority: Normal

      Include Report:  Check

      Render Format: XML File with report Data (or whichever format is convenient for you)


8.  Click "next"

9.  Click "Create new Schedule"

10.  Enter the desired time to receive the report


11.  Click "next"

12.  Enter requested parameters.

NOTE:  You may be able to click on "values" to see a list of possible parameters.


13.  Click "next"

14.  Click "next"

15.  Click "close"

NOTE: The email should come in from noreply@uic.edu

 

How to configure a State Migration point

NOTE: Prior to adding a state migration point role, run through the following pre-req steps:

a.  Windows Server roles and features

  • .NET Framework 3.5 (or later)

  • .NET Framework 4.5.2, 4.6.1, 4.6.2, 4.7, 4.7.1, or 4.7.2:

    When this site system role installs, Configuration Manager automatically installs the .NET Framework 4.5.2. This installation can place the server into a reboot pending state. If a reboot is pending for the .NET Framework, .NET applications might fail until after the server reboots and the installation finishes.

    • HTTP Activation (and automatically selected options)

    • ASP.NET 4.5

IIS configuration

  • Common HTTP Features:

    • Default Document
  • Application Development:

    • ASP.NET 3.5 (and automatically selected options)

    • .NET Extensibility 3.5

    • ASP.NET 4.5 (and automatically selected options)

    • .NET Extensibility 4.5

  • IIS 6 Management Compatibility:

    • IIS 6 Metabase Compatibility

 

b. Run through the pre-requisite checker (\\sccm-storage01.ad.uic.edu\UIC EPM File Share\Prerequisite Checker)

How to run the pre-requisite checker

 

1. Navigate to Administration -> Site Configuration ->  Sites -> Servers and Site System  Roles



 

2.  Right-click on your Distribution Point


3.  Select "Add Site System Roles"


4. Click "Next".

5. Click "Next".

6. Select "State Migration Point".


7.  Click "Next"

8.  Click the New button.


9.  Enter a storage folder path.


NOTE:   Do not create the folder prior to this step. 

NOTE:  You may also need to alter the maximum number of clients.

10.  Click "Next".

NOTE: Make sure your boundary group and the default site boundary group are shown.

11.  Click "Next".

12.  Click "Close".

How to Run the Pre-Requisite Checker

1.  Click on "roles"


2. Select the system role.


 

3.  Select the system to run the checker on (e.g. local or remote).


4.  Click "install".


 

How to set up Automatic Deployment Rules

  1. If you don't already have a collection to hold your devices you want to deploy updates to, create a new collection. 

    1. Recommended: Query Rule by update target. 

  2. Navigate to Software Library > Software Updates and click Create Automatic Deployment Rule. 

  3. Right-click on Automatic Deployment Rules. 

    1. Give the ADR a unique name starting with your department's acronym. (ex: ACCC-Windows 10 CB Updates) 

    2. Select the collection you want to use. 

    3. For each time the rule runs, you have two options: 

      1. Add to an existing Software Update Group - an update group is created on first run of the rule and is reused each time the rule runs. 

      2. Create a new Software Update Group - a new update group is created each time the rule is evaluated. 

      3. Recommended: Create a new Software Update Group. 

    4. Make sure "Enable the deployment after this rule is run" is checked. 

    5. Click Next. 

    6. Choose how much Detail level you'd like clients to report back. Recommended: Only success and error messages. 

    7. Choose "Automatically deploy all software updates found by this rule, and approve any license agreements". 

    8. Click Next. 

    9. Select the Updates you'd like to include. 

      1. Recommendations: 

        1. Make a new rule for each product you'd like to keep updated. 

          1. Each rule should have its own file share source and package. 

        2. Example: One rule for Office, one rule for Windows 10, one rule for defender, one rule for Windows 7, etc. 

    10. Click Next. 

    11. Set the evaluation schedule. This will depend on how frequently you want the ADR to run. 

      1. Recommendations:  

        1. Windows/Office updates, every 3-7 days. 

        2. Defender Definitions, run after any software update point synchronization. (Synchronization starts at 12 am, 8 am, and 4 pm every day and finishes within an hour or two after. If these times don't work, feel free to set a different time schedule for your environment. Every 8 hours is a Microsoft recommendation for this product, as many definitions are released daily.) 

    12. Click Next. 

    13. Set the deployment schedule. 

      1. Recommendations: 

        1. For available, set "As soon as possible." 

      2. For deadline, set how long it's okay for users to delay updating their machines. 

    14. Click Next. 

    15. Set what users should experience when an update is made available to them.  

    16. Click Next. 

    17. Set alert settings as desired. 

    18. Click next. 

    19. Download Settings: 

      1. Select Download software updates from distribution point and install (needed for off-campus download/install) 

      2. Select Download and install software updates from the fallback content source location. (also required for off-campus download/install) 

      3. The rest of the settings are up to your environment. 

        1. Recommended: 

          1. Don't check the box for "If software updates are not available on preferred distribution point or remote distribution point, download content from Microsoft Updates" 

    20. Click Next. 

    21. Deployment Package. 

      1. Here you can create a deployment package, or use a premade one. 

      2. Make sure your package source is different for each update deployment package and that the folders are not nested. 

        1. Example file structure: 

          1. Updates - no deployment package 

            1. Windows 10 - linked deployment package 

            2. Office - linked deployment package 

            3. Windows 7 - linked deployment package 

            4. Defender - linked deployment package 

        2. Example of what you can't do: 

          1. Windows 10 OS updates - linked deployment package 

            1. Windows 10 office updates - linked deployment package 

            2. Windows 10 defender updates - linked deployment package 

              1. Anything in these nested package source folders will get overwritten by the parent package source folder. 

    22. Click Next. 

    23. Click Close. 
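
One way to check the package source rule from step 21 before creating deployment packages, as an added example that is not part of the original article or of Configuration Manager itself. The function names, package names and UNC paths are hypothetical, and the input is a table mapping each deployment package name to its source folder.

```powershell
# Added example: flag deployment package source folders that are nested inside,
# or identical to, another package's source folder.
# All package names and UNC paths below are constructed sample values.

function ConvertTo-ComparablePath {
    param([Parameter(Mandatory)][string]$Path)
    # One separator style, no trailing separator, lower case for comparison.
    return $Path.Replace('/', '\').TrimEnd('\').ToLowerInvariant()
}

function Find-PackageSourceConflict {
    param(
        # Maps deployment package name -> package source folder.
        [Parameter(Mandatory)][System.Collections.IDictionary]$PackageSources
    )

    $entries = @(foreach ($name in $PackageSources.Keys) {
        [pscustomobject]@{
            Name = $name
            Path = ConvertTo-ComparablePath -Path $PackageSources[$name]
        }
    })

    for ($i = 0; $i -lt $entries.Count; $i++) {
        for ($j = 0; $j -lt $entries.Count; $j++) {
            if ($i -eq $j) { continue }
            $parent = $entries[$i]
            $child  = $entries[$j]

            if ($child.Path -eq $parent.Path) {
                # Same folder used by two packages: report the pair once.
                if ($i -lt $j) {
                    [pscustomobject]@{
                        Issue = 'Duplicate'; Package = $parent.Name
                        ConflictsWith = $child.Name; Path = $child.Path
                    }
                }
            }
            elseif ($child.Path.StartsWith($parent.Path + '\', [System.StringComparison]::Ordinal)) {
                # Appending the separator keeps a sibling such as
                # "...\Windows10-Servicing" from matching "...\Windows10".
                [pscustomobject]@{
                    Issue = 'Nested'; Package = $child.Name
                    ConflictsWith = $parent.Name; Path = $child.Path
                }
            }
        }
    }
}

# Constructed sample mirroring the "what you can't do" layout above:
# Office and Defender sources sit inside the Windows 10 package source.
$sample = [ordered]@{
    'ACCC-Windows 10 Updates'   = '\\fileserver.example\Updates\Windows10'
    'ACCC-Office Updates'       = '\\fileserver.example\Updates\Windows10\Office'
    'ACCC-Defender Definitions' = '\\fileserver.example\Updates\Windows10\Defender\'
    'ACCC-Windows 10 Servicing' = '\\fileserver.example\Updates\Windows10-Servicing'  # sibling, not nested
    'ACCC-Windows 7 Updates'    = '\\FILESERVER.example\updates\Windows7'             # sibling, different case
}

Find-PackageSourceConflict -PackageSources $sample | Format-Table -AutoSize
```

On a site server, the same table can be filled from the Name and PkgSourcePath properties of the objects returned by Get-CMSoftwareUpdateDeploymentPackage.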

 

Troubleshooting: 

 

  1. Go to Monitoring/Deployments and add filters to narrow down the results. 

  2. Monitor the ruleengine.log on your primary site \\sccm-psXX\sms_pXX\logs 

  3. Email endpointmgmt@uic.edu for further assistance with troubleshooting any issues. 

 

 

Additional information can be found here:  

https://www.prajwaldesai.com/create-automatic-deployment-rule-in-sccm-2012-r2/ 

 

Sample Query for a collection to add all computers that are running Windows 10 CB Enterprise: 

 

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM
    on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.Caption = "Microsoft Windows 10 Enterprise"
order by SMS_R_System.Name




Keywords: gpo, epm, endpoint, management, deploy
Doc ID: 91314
Owner: Teresa B.
Group: University of Illinois at Chicago ACCC
Created: 2019-04-25 08:59 CDT
Updated: 2019-08-22 10:17 CDT
Sites: University of Illinois at Chicago ACCC