Microsoft System center configuration manager 2012 step by ......MICROSOFT SYSTEM CENTER CONFIGURATION MANAGER 2012 STEP BY STEP ... (Enterprise Administrator Windows 2008), MCITP

Author

Mai Ali, MCSE Private Cloud

MICROSOFT SYSTEM CENTER

CONFIGURATION MANAGER

2012 STEP BY STEP

Abstract This document include step by step guide for Installing SCCM components including

Software distribution, Software updates and reporting.

Microsoft System center configuration manager 2012 step by step

1 | P a g e

Table of Contents Chapter 1 ..................................................................................................................................................... 5

Installing System Center Configuration Manager Server 2012 ............................................................. 5

Environmental Prerequisites for SCCM Server 2012 ......................................................................... 5

System Center Configuration Manager Server 2012 Prerequisites ................................................... 5

Active Directory Preparation for SCCM Server 2012 ......................................................................... 7

Extend the Active Directory schema for System Center Configuration Manager.......................... 11

Installing System Center Configuration Manager 2012 .................................................................... 11

Chapter 2 ................................................................................................................................................... 18

Configure System Center Configuration Manager 2012 ....................................................................... 18

Configure SCCM site boundary and boundary Group ..................................................................... 18

Configure SCCM Discovery Method .................................................................................................. 22

Configure SCCM Client Installation................................................................................................... 25

Configure System Center Configuration Manager Roles ................................................................. 28

Configure Client Agent Settings .......................................................................................................... 32

Chapter 3 ................................................................................................................................................... 36

Reporting in System Center Configuration Manager ........................................................................... 36

Configure Reporting Services Role in SCCM .................................................................................... 36

Configure Reporting in SCCM ............................................................................................................ 39

Chapter 4 ................................................................................................................................................... 42

Application Management in System Center Configuration Manager ................................................. 42

Deploy MSI Application using SCCM 2012 ....................................................................................... 42

Deploy EXE Application using SCCM 2012 ....................................................................................... 52

Chapter 5 ................................................................................................................................................... 65

Software Updates in System Center Configuration Manager .............................................................. 65

Install WSUS and WDS ........................................................................................................................ 65

Configure Software Update Point Role ............................................................................................... 69

Distribute software updates Using SCCM .......................................................................................... 76

Chapter 6 ................................................................................................................................................... 86

Operating System Deployment in System Center Configuration Manager ........................................ 86

Distribute Boot images to the Distribution Point ............................................................................... 88

Import captured Windows 7 WIM file ............................................................................................... 91

Distribute O.S image to the Distribution points ................................................................................. 93

Create Task Sequence ........................................................................................................................... 96


2 | P a g e

Create new collection for Deploy Windows 7 ................................................................................... 101

Import Computer Information .......................................................................................................... 103

Deploy Task Sequence ........................................................................................................................ 106

APPEDIX ................................................................................................................................................. 111

Firewall Ports for Configuration Manager .......................................................................................... 111

Ports Used by Configuration Manager Clients and Site Systems ................................................... 111

Asset Intelligence Synchronization Point -- > Microsoft ............................................................. 111

Asset Intelligence Synchronization Point -- > SQL Server.......................................................... 111

Application Catalog Web Service Point -- > SQL Server ............................................................ 111

Application Catalog Website Point -- > Application Catalog Web Service Point ..................... 111

Client -- > Application Catalog Website Point ............................................................................. 111

Client -- > Fallback Status Point .................................................................................................... 112

Client -- > Global Catalog Domain Controller ............................................................................. 113

Client -- > Management Point ........................................................................................................ 113

Client -- > Software Update Point ................................................................................................. 113

Client -- > State Migration Point ................................................................................................... 113

Client -- > System Health Validator .............................................................................................. 113

Configuration Manager Console -- > Client ................................................................................. 113

Configuration Manager Console -- > Internet ............................................................................. 114

Configuration Manager Console -- > Reporting Services Point ................................................. 114

Configuration Manager Console -- > Site Server ......................................................................... 114

Configuration Manager Console -- > SMS Provider ................................................................... 114

Configuration Manager Policy Module (Network Device Enrollment Service) -- > Certificate

Registration Point ........................................................................................................................... 114

Distribution Point -- > Management Point ................................................................................... 114

Endpoint Protection Point -- > Internet ........................................................................................ 114

Endpoint Protection Point -- > SQL Server .................................................................................. 115

Enrollment Proxy Point -- > Enrollment Point ............................................................................ 115

Enrollment Point -- > SQL Server ................................................................................................. 115

Exchange Server Connector -- > Exchange Online ...................................................................... 115

Exchange Server Connector -- > On Premises Exchange Server ............................................... 115

Mac Computer -- > Enrollment Proxy Point ................................................................................ 115

Management Point -- > Domain Controller .................................................................................. 115

Management Point < -- > Site Server ............................................................................................ 115

Management Point -- > SQL Server .............................................................................................. 116


3 | P a g e

Mobile Device -- > Enrollment Proxy Point .................................................................................. 116

Mobile Device -- > Windows Intune .............................................................................................. 116

Out of Band Service Point --> Enrollment Point ......................................................................... 116

Out of Band Service Point --> AMT Management Controller ................................................... 116

Out of Band Management Console --> AMT Management Controller ..................................... 116

Reporting Services Point -- > SQL Server .................................................................................... 116

Site Server < -- > Application Catalog Web Service Point .......................................................... 116

Site Server < -- > Application Catalog Website Point .................................................................. 116

Site Server < -- > Asset Intelligence Synchronization Point ........................................................ 117

Site Server -- > Client ..................................................................................................................... 117

Site Server -- > Cloud-Based Distribution Point .......................................................................... 117

Site Server -- > Distribution Point ................................................................................................. 117

Site Server -- > Domain Controller ............................................................................................... 117

Site Server < -- > Certificate Registration Point .......................................................................... 117

Site Server < -- > Endpoint Protection Point ................................................................................ 117

Site Server < -- > Enrollment Point ............................................................................................... 118

Site Server < -- > Enrollment Proxy Point .................................................................................... 118

Site Server < -- > Fallback Status Point ........................................................................................ 118

Site Server -- > Internet .................................................................................................................. 118

Site Server < -- > Issuing Certification Authority (CA) .............................................................. 118

Site Server < -- > Reporting Services Point .................................................................................. 118

Site Server < -- > Site Server .......................................................................................................... 119

Site Server -- > SQL Server ............................................................................................................ 119

Site Server -- > SMS Provider ........................................................................................................ 119

Site Server < -- > Software Update Point ...................................................................................... 119

Site Server < -- > State Migration Point ........................................................................................ 119

Site Server < -- > System Health Validator................................................................................... 120

SMS Provider -- > SQL Server ...................................................................................................... 120

Software Update Point -- > Internet .............................................................................................. 120

Software Update Point -- > Upstream WSUS Server .................................................................. 120

SQL Server --> SQL Server ........................................................................................................... 120

State Migration Point -- > SQL Server ......................................................................................... 120

Windows Intune Connector -- > Windows Intune ....................................................................... 120

Reference ................................................................................................................................................. 123


4 | P a g e

Mai Ali is a Senior Infrastructure Consultant, with a strong

focus in Microsoft, virtualization, Management solution

and Unified Communications area. Over 5 years' study

and hands on experience delivering small to large-scale

projects for different industries, mainly based on

Microsoft and other leading edge technologies, systems

applications and operations running on top of them. She

has Broad and mixed technical background in

infrastructure and communications field, systems

integration, Systems Management, security, as well as an

in-depth understanding of the business of computing

and networking. Currently her main tasks are Architectural design and delivery of Microsoft

environments, with specific focus on multi-vendor UC solutions, based on Microsoft System

Center 2007, Microsoft System Center 2012, Microsoft Lync 2013 with Enterprise Voice,

Office 365, Exchange Unified Messaging, migrations from Lync 2010 and OCS 2007, load

balancers, reverse proxy, firewall, Exchange UM.

Mai Ali has various Technology Certifications and Awards: Microsoft Certified Solutions

Expert (Communications, Server Infrastructure, Private Cloud, and Messaging), MCITP

(Office 365 Administrator), MCITP (Enterprise Administrator Windows 2008), MCITP

(Enterprise Messaging Administrator), MCITP (Lync Server 2010 Administrator), Microsoft

Certified Systems Engineer (Security, Messaging) Windows 2003, MCSA Windows 2012,

MCSA Windows 2008, MCSA (Security) Windows 2003, Citrix Certified Enterprise

Engineer, Cisco Certified Network Professional, Red Hat Certified Engineer, STS

Symantec Enterprise Vault 10.0 for Exchange and Symantec Certified Professional

Program Data Protection.

Mai Ali has been very involved with Windows Server based virtualization, communication

and Management solutions including Microsoft System Center, Microsoft Lync and Office

365. She is currently a prolific blogger at http://expertslab.wordpress.com and has done

many Scripts for automatic configuration on Microsoft TechNet Gallery. Mai likes giving

back via community forums: She has contributed thousands of posts to Microsoft System

Center, Microsoft Lync and Experts-Exchange community forums over the years.

Mai Ali’s Blog: http://expertslab.wordpress.com

http://expertslab.wordpress.com/technology-certifications-and-awards/

http://expertslab.wordpress.com/



5 | P a g e

Chapter 1

Installing System Center Configuration Manager

Server 2012 Posted on July 6, 2014 by Mai Ali

NOTE: Remember Configuration Manager Server 2012 Preview is not meant for live/production

environments {It’s for Lab and Show concepts and configuration}.

Setup System Center Configuration Manager Server 2012 on Windows Server 2012R2 step

by step. Here is an outline of what we will do:

1. Environmental Prerequisites for Configuration Manager Server 2012

2. Configuration Manager 2012 Prerequisites

3. Install Configuration Manager Server 2012

1. Prepare Active Directory.

2. Extend the Active Directory schema for Configuration Manager

3. Install Configuration Manager 2012

Environmental Prerequisites for SCCM Server 2012

1. Active Directory Services

2. DNS

3. SQL Server 2012 SP1 {for Details: http://expertslab.wordpress.com/2014/06/28/how-to-

install-sql-server-2012-standard-edition/}.

System Center Configuration Manager Server 2012 Prerequisites

On CCM Server– Install the Deployment Tools, Windows PE, and the User State

Migration tool from the Windows 8

ADK: http://www.microsoft.com/enus/download/details.aspx?id=30652

https://expertslab.wordpress.com/?p=701



http://expertslab.wordpress.com/author/maifawzy85/

http://expertslab.wordpress.com/2014/06/28/how-to-install-sql-server-2012-standard-edition/

http://expertslab.wordpress.com/2014/06/28/how-to-install-sql-server-2012-standard-edition/

http://www.microsoft.com/enus/download/details.aspx?id=30652


6 | P a g e

Open PowerShell as an Administrator and run the following cmdlet:

Import-Module ServerManager

Add-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-

WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-

Activation,NET-Non-HTTP-Activ,Web-Static-Content,Web-Default-Doc,Web-Dir-

Browsing,Web-Http-Errors,Web-Http-Redirect,Web-App-Dev,Web-Net-Ext,Web-Net-

Ext45,Web-ISAPI-Filter,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-

Monitor,Web-HTTP-Tracing,Web-Security,Web-Filtering,Web-Performance,Web-Stat-

Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Mgmt-Compat –Source

D:\sources\sxs

https://expertslab.files.wordpress.com/2014/07/57.jpg



7 | P a g e

Active Directory Preparation for SCCM Server 2012

To create the System container for SCCM to publish its settings in the active directory,

follow the below steps:

1. Open the Adsiedit.msc.

2. Select the System container, click New, and select container.

3. In the value, Type System Management, click Next.




8 | P a g e

4. In the create object page, click Next then Finish

To Delegate the security permissions for SCCM server, open the Active

Directory Users and Computers.

1. Right click on the System Management object, and select delegate control.

2. In the welcome to delegation wizard, click Next.





9 | P a g e

3. In the object, set the object to computer, select the <CCM>, click Next.

4. In the task to delegate, select custom task.

5. In the delegate control of, select this folder and create new objects for the folder, click

Next.




10 | P a g e

6. In the permissions page, select full control, and click Next.

7. In the Delegation of Control page, click Finish.





11 | P a g e

Extend the Active Directory schema for System Center Configuration

Manager

Follow the below steps to extend active directory schema for SCCM:

1. Run the Command Prompt as Administrator, Run “cd D:\SMSSETUP\BIN\X64″ screen,

click Enter.

2. Run extadsh.exe, click Enter

Installing System Center Configuration Manager 2012

Follow the below steps to install SCCM primary site:

1. Run the setup.exe from the SCCM installation media.

2. In the Welcome screen, click Next.





12 | P a g e

3. In Getting Started Screen, select Install a Configuration Manager Primary Site then click

Next

4. In the license term page, Select Accept the license then click Next

5. Create a folder on C:\ Downloads and then specify the path to download the updates






13 | P a g e

6. In Server Language Selection screen, Click Next

7. In Client Language Selection Screen, Click Next

8. Enter site code “001″, site Name “HQ” and Installation Settings, install the site on

“C:\Program Files\Microsoft Configuration Manager”






14 | P a g e

9. In Primary Site Installation, Select Standalone site. Then click yes on information

window

10. In Database Information, Type SQL Server Name <CCM.lab.local>

11. In SMS provider settings, Click Next






15 | P a g e

12. In Client computer communication settings, select Configure the Communication method

on each site system role

13. In site system roles, Click Next

14. Click Next at the CEIP Screen then review Settings Summary





16 | P a g e

15. Click on Begin Install

16. After few minutes, The installation finish, click Close

17. Congratulations, you’ve installed System Center 2012 Configuration Manager SP1, Start

the Configmgr console






17 | P a g e



18 | P a g e

Chapter 2

Configure System Center Configuration Manager 2012

Configure SCCM site boundary and boundary Group

Posted on July 5, 2014 by Mai Ali

To configure SCCM site Boundary, Follow below steps

1. In the Administration section, select Boundaries, Click Create Boundary

2. In Type select Active Directory Site ,and In Active Directory site name, Select Browse

“Default-First-Site-Name”

http://expertslab.wordpress.com/?p=1023





19 | P a g e

3. Click OK, The boundary is created.

To configure SCCM site Boundary Group, Follow below steps

1. Right click on Boundary Groups and choose Create Boundary Group

2. Give the Boundary Group a HQ Boundary Group, click on Add.

3. In the Add Boundaries window, place a check mark in “Default-First-Site-Name”

Boundary





20 | P a g e

4. click OK, It now appears in list of Boundaries which are a member of this Boundary

Group, click on References

5. Select “Use this Boundary Group for site assignment” then click on Add




21 | P a g e

6. Select site system “\\CCM.Lab.local” then click OK

7. click Apply




22 | P a g e

8. Now we have defined which site our clients can get assigned to via the Boundary Group,

and we have defined their content location

Configure SCCM Discovery Method


To allow SCCM to discover system, users and network resources and discovery method has

to be configured to discover those resources, follow the below steps to configure SCCM

Discovery Method:

1. Click on the Administration workspace, expand Overview, Hierarchy Configuration and

select Discovery Methods, you will find that Heartbeat Discovery is the only Method

Enabled by Default.






23 | P a g e

2. Enable the following discovery methods

a) Active Directory Forest Discovery

b) Active Directory System Discovery

c) Active Directory Group Discovery

d) Active Directory User Discovery

2. Right click on Active Directory Forest Discovery and choose Properties

3. Select “Enable Active Directory Forest Discovery” with two below options





24 | P a g e

4. Click Apply and Select yes to run Full Discovery question

5. Configure Active Directory System Discovery , Right click it and select Properties, the

properties page will show, Select Enable Active Directory System Discovery

6. Click on the Yellow StarBurst, then click Browse and select default Active Directory

Container

7. Select the options, Check two options “Only discover computers” and press OK






25 | P a g e

8. Same Previous Steps, to enable Active Directory User Discovery and Active Directory

Group Discovery.

Configure SCCM Client Installation


Follow the below steps to configure the SCCM client installation methods:

1. In Administration, click on Site Configuration, Sites, select our site, In the ribbon above

click on Settings, select Client Installation Settings then select Client Push Installation

2. On the general screen, Select “Enable Automatic site-wide client push installation”






26 | P a g e

3. Click on the Accounts tab, and select the yellow star, choose New Account

4. Type “Domain\username” the Client Push account, use Client Install account which we

created in Active Directory<Lab\CMAdmin>





27 | P a g e

5. Click on Verify and type in Network Path “\\CCM\Sources” to check.

6. Click Ok.

7. Click on Assets and Compliance and expand Devices, All Systems, Select Exchange

Server, Right click on “EX13″ and click Install Client.

8. Set Installation Options as exist in below screen





28 | P a g e

9. After some minutes the client is installed and refresh the view, you’ll notice is says

Client=Yes on “EX13″ which deploy agent on it.

Configure System Center Configuration Manager Roles


By default SCCM doesn’t install Application Catalog features which responsible to deploy

Applications, use the following steps to install Application Catalog features:

1. In Administration, click on Servers and Site System Roles and right click on Site Server,

choose Add Site System Roles.








29 | P a g e

2. In General and proxy screen, Click next.

3. Select both”Application Catalog website point” and “Application Catalog web service

point” roles.

4. In Application Catalog Web service point, click Next.





30 | P a g e

5. In Application Catalog Website Point settings, click Next.

6. Enter Organization name <Lab HQ> and pick a Color scheme for the Application

Catalog!




31 | P a g e

7. Confirm the settings, click next on summary screen.

8. Configuration roles finish now successfully.




32 | P a g e

Configure Client Agent Settings


Follow the below steps to configure the SCCM client setting:

1. In the Administration section click on Client Settings in the left pane, and select the

Default Client Settings listed, click Properties

2. Click on Client Policy and Set client policy polling interval to every 5 minutes as it’s a

LAB (the Default setting is 60 minutes), this means that every 5 minutes Client will

contact it’s Management Point for any new policy






33 | P a g e

3. Select Computer Agent and configure it as below

a) Click on Set Website for Default Application Catalog Website and set it to select

“use intranet FQDN”

b) Set Add default Application Catalog website to Internet Explorer trusted zone to

yes




34 | P a g e

c) Set the Organization Name Displayed in Software Center to “My Lab”

4. Set Software updates Scan schedule and deployment re-evaluation from 7 days to 1 day

5. Select User and Device Affinity and change Allow users to define their primary device to

Yes






35 | P a g e

6. Click Ok to save the Client Agent Settings.



36 | P a g e

Chapter 3

Reporting in System Center Configuration Manager

Microsoft System Center Configuration Manager 2012 reporting helps you to gather, organize,

and present information about users, hardware and software inventory, software updates, site

status, and other Configuration Manager operations in your organization. Reporting provides you

with a number of predefined reports that you can use as is or that you can modify to meet your

needs, or custom reports and dashboards can be created to meet your needs. To configure

Reporting in Configuration Manager, Here is an outline of what we will do:

1. Configure Reporting Services Role

2. Configure Reporting

Configure Reporting Services Role in SCCM


By default SCCM doesn’t install Reporting Services features which responsible to run

Reports, use the following steps to install Reporting Services features:

1. In the ConfigMgr console, click on Administration, Site Configuration, Servers and Site

System Roles, right click on our server and choose Add Site System Roles.

2. When Add site system roles wizard appears, click Next



http://expertslab.files.wordpress.com/2014/07/661.jpg


37 | P a g e

3. Select Reporting Services Point, click next.

4. Specify some Reporting Services settings, click on Verify beside Database name

<CM_001>.





38 | P a g e

5. For User Name click on the Set drop down menu and select New Account, when

prompted for Windows User Account, enter the credentials of ReportsUser account Click

OK.

6. In Specify Reporting Services setting, click next.

7. Confirm the settings, click next on summary screen.





39 | P a g e

8. Reporting Services role is installed successfully.

Configure Reporting in SCCM


Now that the Reporting Services Point role is installed we need to do some configuration

before we can view reports.

1. In the Monitoring Space of ConfigMgr console click on Reports it will list 0 items.

2. In the Monitoring Space of ConfigMgr console click on Reporting, Click on link

http://CCM/Reports below Report Manager.


https://expertslab.wordpress.com/author/maifawzy85/

http://ccm/Reports




40 | P a g e

3. Click Folder Settings

4. Click New Role Assignment

5. In Group or Username Enter ReportsUser <lab\administrator> and give the user

permissions you want






41 | P a g e

6. Now we can see that the ReportsUser has all reporting roles

7. In the ConfigMgr console, expand reports, Select the All Collections report, right click it,

and choose Run.

8. A list of collections appears in the Report Viewer, you can drill down further into the

report by clicking on All Systems






42 | P a g e

Chapter 4

Application Management in System Center Configuration

Manager

Application management in Microsoft System Center 2012 Configuration Manager provides a

set of tools and resources that can help you to create, manage, deploy, and monitor applications

in the enterprise. Use the topics in the following section for detailed information about

application management in Configuration Manager. There are two type of deployment

Application:

1. Deploy MSI Application

2. Deploy EXE Application

Deploy MSI Application using SCCM 2012


To create a custom package for installing Xml Note, you will have to use the msi file to

create a package and program to distribute the package to the clients.

1. Copy the Xmlnotepad.msi to the folder <\\CCM\Sources\ Xmlnotepad.msi>

2. In the Configmgr Console, click on Software Library, Applications, in the ribbon click

on Create Application

3. When the Create Application wizard appears click on browse then point it to the UNC of

where the MSI is stored <\\CCM\Sources\ Xmlnotepad.msi>





43 | P a g e

4. Click next and you’ll get to the Imported Information screen

5. Click Next again to enter General Information about this application, verify that the

installation switches and click Next




44 | P a g e

6. In confirm the setting for this Application, click Next

7. Now Create Application finish Successfully





45 | P a g e

8. Now that we’ve created our first application, let’s distribute it to DP, select listed

application and in the ribbon above, and click on Distribute Content

9. The distribute content wizard appears, click Next

10. Review the content to distribute, click Next

11. In Specify the Content destination, Click Add





46 | P a g e

12. Select Distribution Point<CCM.Lab.local> and click OK

13. Click Next




47 | P a g e

14. Review the summary and click Next

15. Click close




48 | P a g e

16. Select Xml Notepad 2007 and in the ribbon, click on Deploy

17. When the wizard appears click on browse beside Collection, and choose Device

Collections <Temp>, Click OK

18. Click Next






49 | P a g e

19. In Deployment Settings, Action choose Install and Purpose chose Required for automatic

installation

20. In scheduling screen, Select “As soon as possible after the available time” then click Next




50 | P a g e

21. In User Experience Screen, Click Next

22. In Alert Screen, Click Next




51 | P a g e

23. Review the summary then proceed to the completion screen, click close

24. After few minutes, Application deploy successfully on the client






52 | P a g e

Deploy EXE Application using SCCM 2012


To create a custom package for installing WINRAR, you will have to use the EXE file to

create a package and program to distribute the package to the clients.

1. Copy the WINRAR.exe to the folder <\\CCM\Sources\ wrar390.exe>

2. In the ConfigMgr Console, click on Software Library, Applications, in the ribbon click

on Create Application

3. Choose “Manually specify the application information”, Click Next

4. Enter a name <Winrar> and click Next

5. In Application Catalog Screen, click Next






53 | P a g e

6. In Deployment Types, Click Add

7. In Content Screen, Enter the share location for the application source files on content

location “\\ccm\sources”, enter command to execute the installation, in this instance

wrar390.exe /s, Click Next




54 | P a g e

8. Add in a detection clause for the application, Click Next

9. Choose Installation behavior and click Next





55 | P a g e

10. Click Next all the way to the end of Create Deployment Type wizard

11. In Deployment Types Screen, Click Next





56 | P a g e

12. Confirm the settings of the application in summary screen

13. Click Close





57 | P a g e

14. Now that we’ve created our first application, let’s distribute it to DP, select listed

application and in the ribbon above, and click on Distribute Content

15. The distribute content wizard appears, click Next

16. Review the content to distribute, click Next

17. In Specify the Content destination, Click Add





58 | P a g e

18. Select Distribution Point<CCM.Lab.local> and click OK

19. Click Next




59 | P a g e

20. Review the summary and click Next

21. Click close




60 | P a g e

22. Select Winrar and in the ribbon, click on Deploy

23. When the wizard appears click on browse beside Collection, and choose Device

Collections <Temp>, Click OK

24. Click Next





61 | P a g e

25. In Deployment Settings, Action choose Install and Purpose chose Required for automatic

installation

26. In scheduling screen, Select “As soon as possible after the available time” then click Next




62 | P a g e

27. In User Experience Screen, Click Next

28. In Alert Screen, Click Next




63 | P a g e

29. Review the summary then proceed to the completion screen, click close

30. After few minutes, Application deploy successfully on the client.





64 | P a g e




65 | P a g e

Chapter 5

Software Updates in System Center Configuration Manager

Software updates in System Center 2012 Configuration Manager provides a set of tools and

resources that can help manage the complex task of tracking and applying software updates to

client computers in the enterprise. An effective software update management process is

necessary to maintain operational efficiency, overcome security issues, and maintain the stability

of the network infrastructure. However, because of the changing nature of technology and the

continual appearance of new security threats, effective software update management requires

consistent and continual attention.

To Configure Software Updates in Configuration Manager, Here is an outline of what we

will do:

1. Install Windows Server Update Services and Windows Deployment Services Role

2. Configure Software Update Point Role

3. Distribute software updates

Install WSUS and WDS


To install WSUS and WDS, follow the below steps

1. From Server Manager, click Add Roles and Features

2. On the Before you begin page, click Next.On Installation Type Screen and Screen

Selection, Click Next





66 | P a g e

3. On the Add Roles Wizard, Select Windows Server Update Services and Windows

Deployment Services

4. Click Next on the Windows Server Update Services page

5. Confirm in Role services of WSUS, Select ” WID Database, WSUS Services”, Click

Next





67 | P a g e

6. On content Screen, Enter path to download updates “c:\wsus” and Share this folder

7. Click Next on the Windows Deployment Services page

8. Confirm in Role services of WDS, Select ” Deployment Server, Transport Server”, Click

Next





68 | P a g e

9. Click Install on confirmation Page

10. Installation Role finish Successfully

11. Click on WSUS from start menu to finish installation





69 | P a g e

12. On WSUS configuration Screen Click Cancel

Configure Software Update Point Role


To configure Software Update Point Role, follow below steps

1. From the Configuration Manager console, click Administration, expand Site

Configuration and click Servers and Site System Roles, Right click the primary server

and click Add Site System Roles.

2. On the General page, click next and on proxy page, click next.






70 | P a g e

3. On the System Role Selection page, check Software update point

4. On the Software Update Point page, Select “WSUS is configured to use ports 8530 and

8531 for client communication”, click Next




71 | P a g e

5. Specify proxy settings if needed to connect to the internet to synchronize and download

content.

6. On the Synchronization source page, select to Synchronize from Microsoft Update. This

option is only available for stand-alone primary servers and for CAS servers. Secondary

servers and primary servers within a hierarchy are automatically configured to upstream

through their parent site.

7. Under WSUS reporting events, keep the default selection since Configuration Manager

doesn’t interpret WSUS reporting events.




72 | P a g e

8. On the Synchronization Schedule page, check to Enable synchronization on a schedule

and check to Alert when synchronization fails on any site in the hierarchy

9. On the Supersedence Rules page, if you click to immediately expire a superseded

software update, you will be able to see the expired updates in the Configuration

Manager console for a period of 7 days. Following that, expired updates that are not

associated with any deployment will be tomb-stoned.

10. You can select some time if you would need to wait before a superseded software update

is expired




73 | P a g e

11. On the Classifications page, select the classification you want to synchronize

12. On the Products page, select the products you want to synchronize




74 | P a g e

13. On the Languages page, select the language you want to synchronize

14. On the Summary page, click Next




75 | P a g e

15. On the Completion page, click Finish

16. From the Configuration Manager console and from the Administration tab, click All

Software Updates and click Synchronize Software Updates

17. Click Yes on the informational box





76 | P a g e

18. You can monitor the synchronization progress by checking wsyncmgr.log

19. Windows update download Successfully

Distribute software updates Using SCCM


Before starting distributing updates, WSUS needs to synchronize the list of updates from

the Microsoft updates catalog, then updates could be distributed to windows clients, to

distribute the updates follow the below steps:

1. In the ribbon, Select Software Library, Select on “All Software Updates” and then Click

on “Create Software Update Group”








77 | P a g e

2. Name “Windows 7 Updates” and click on Create

3. Click on Software Update Groups in the console, In ribbon, click Show Members to see

the updates in this group.

4. This lists the Software Updates contained in the Software Update Group

5. Select Windows 7 Updates Software Update Group and in the Ribbon click on Deploy.






78 | P a g e

6. Give it a name. On collection, select Browse and select “windows 7″ collection

7. Click Next

8. For Deployment Settings, set the type of deployment to Required and Detail level “Only

Success and error messages”.






79 | P a g e

9. For scheduling set the Time Based on to “Client local time”

10. For User Experience, Select “Software update Installation” and “System Restart”




80 | P a g e

11. Set Alerts client compliance is below the following to 95%

12. Set the Download Settings to “Download a Software Update from distribution point and

install”, click next




81 | P a g e

13. In Deployment Package page, Select create a new deployment package, and Set Package

Source Path “CCM\WSUS\Windows 7 updates”

14. On Distribution Point, Click Add




82 | P a g e

15. Select Distribution Point “CCM.Lab.local” from the list

16. On Distribution Point screen, click Next




83 | P a g e

17. For Download Location select Download Software Updates from the Internet, click Next

18. Select the English language and click Next




84 | P a g e

19. At the summary screen, click Next

20. The Deploy Software Update Wizard completed successfully




85 | P a g e

21. Finally, Downloaded and Deployed is “Yes”





86 | P a g e

Chapter 6

Operating System Deployment in System Center

Configuration Manager Posted on July 7, 2014 by Mai Ali

Below are the step by step instructions to Deploy Operating System using configuration

Manager Server 2012. Here is an outline of what we will do:

1. Add a WDS role on Configuration Manager server

2. Add a DHCP scope on Domain Controller

3. Configure Option 66 and 67 on DHCP {Option 66: FQDN OF SCCM Server,

Option 67: smsboot\x86\wdsnbp.com}

4. Enabled a PXE service point on Distribution Point under Configuration Manager 2012

site systems

5. Enabled Unknown computer support






87 | P a g e

6. Distributed both x86 and x64 Boot images to the Distribution Point

7. In Boot file properties, under Data Source tab checked the option : “Deploy this boot

image from the PXE service point “

8. Import Capture OS Image for Windows 7

9. Distributed O.S image to the distribution point

10. Created a task sequence to deploy the O.S image

11. Create Collection to deploy O.S image

12. For new clients, Import Computer Information

13. Assigned the task sequence to a Collection, under device collections.

14. Power on Client PC to Start O.S Deployment




88 | P a g e

Distribute Boot images to the Distribution Point


To distribute Boot image {both x86 and x64} to the distribution Points, follow below steps

1. Select Boot image (X86). In the ribbon above click on Distribute Content

2. When the Distribute Content Wizard appears, click Next

3. To specify the destination, click on Add



https://expertslab.files.wordpress.com/2014/07/sccm-client.png




89 | P a g e


5. On content destination screen, click Next




90 | P a g e

6. In summary page, click Next

7. The Distribution content complete successfully




91 | P a g e

Import captured Windows 7 WIM file


To import captured Windows 7 WIM file, follow below steps

1. In the Software Library, Operating Systems section of the ConfigMgr console, click

on Operating System Images, in ribbon, click Add Operating System Image

2. Browse to the UNC of of captured the image and select the captured wim

file<\\CCM\Sources\windows 7.wim>






92 | P a g e

3. Fill in some details about the image

4. click through the summary, progress to completion




93 | P a g e

5. Import finish Successfully

Distribute O.S image to the Distribution points


To distribute O.S image to the distribution Points, follow below steps

1. Select Windows 7 image. In the ribbon above click on Distribute Content






94 | P a g e

2. When the Distribute Content Wizard appears, click Next

3. To specify the destination, click on Add






95 | P a g e

5. On content destination screen, click Next

6. In summary page, click Next




96 | P a g e

7. The Distribution content complete successfully

Create Task Sequence


To create Task Sequence, follow below steps

1. In Task Sequences, right click and choose Create Task Sequence.






97 | P a g e

2. Select “Install an existing image package”, click Next.

3. Fill in some details about the image and Click browse and select the X86 boot image,

click next to proceed.






98 | P a g e

4. Select the Windows 7 image by clicking on browse and set an administrator password,

unchecked “Partition and format the target computer before installing the operating

system”.

5. For the Configure the Network, select join the domain so click on browse beside join a

domain, specify the user <lab\administrator> that has permissions to join the domain.

6. In Install the Configuration Manager client Screen click on browse, Select “Configuration

Manager client package”, and click Next




99 | P a g e

7. For Configure State Migration, select “Microsoft Corporation USMT” package, Select

“user settings Locally” and click Next.

8. For Include Updates select All Software Updates.




100 | P a g e

9. In Install Applications Screen, Click Next

10. In Summary Page, Click Next




101 | P a g e

11. The Create Task Sequence Wizard completed Successfully

Create new collection for Deploy Windows 7


To create new collection for deploy windows7, follow below steps

1. In the ConfigMgr console, click on Assets and Compliance, select Device Collections,

and click on Create Device Collection in the Ribbon.






102 | P a g e

2. Fill in the collection details, Name “Windows 7″, limit it to All Systems

3. Membership Rules page, will not create any queries or any computers and Click Next.

4. In Summary page, click Next





103 | P a g e

5. The create Device collection wizard completed successfully

Import Computer Information


To import computer information for new PC, follow below steps

1. In Assets and Compliance, Select Devices. In Ribbon, Select “Import Computer

Information”






104 | P a g e

2. On Select Source page, Select “Import Single Computer”, and Click Next

3. Specify the information to import computer, Enter Computer Name “Client” and Mac

Address of Machine “00:0C:29:2C:B5:98″ that you want to import it

4. In Data Preview, Click Next





105 | P a g e

5. Choose Target Collection, Select “Add computer to the following Collection”, Click

Browse and select “Windows 7″

6. In Summary Page, Click Next




106 | P a g e

7. The Import Computer Information Wizard completed successfully

Deploy Task Sequence


To Deploy Task Sequence, follow below steps

1. In Assets and Compliance, Select “Windows 7″ collection. In Ribbon, Select Deploy, and

Click Task sequence






107 | P a g e

2. On General Page, Select collection “Windows 7″ and Click Next

3. In Deployment Settings, Change purpose to Available, and in Make available to

following select “configuration Manager clients, media and PXE”

4. In Scheduling Screen, Rerun behavior “Rerun if failed previous attempt”





108 | P a g e

5. In User Experience Page, Click Next

6. In Alerts Page, Click Next






109 | P a g e

7. In Distribution Points, Click Next

8. In Summary Screen, Click Next

9. The Deploy Software Wizard completely successfully




110 | P a g e



111 | P a g e

APPEDIX

Firewall Ports for Configuration Manager

Ports Used by Configuration Manager Clients and Site Systems

The following sections detail the ports used for communication in Configuration Manager. The

arrows in the section title, between the computers, represent the direction of the communication:

-- > indicates one computer initiates communication and the other computer always

responds

< -- > indicates that either computer can initiate communication

Asset Intelligence Synchronization Point -- > Microsoft

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS) -- 443

Asset Intelligence Synchronization Point -- > SQL Server

Description UDP TCP

SQL over TCP -- 1433 (See note 2, Alternate Port Available)

Application Catalog Web Service Point -- > SQL Server

Description UDP TCP


Application Catalog Website Point -- > Application Catalog Web Service Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)

Client -- > Application Catalog Website Point

Description UDP TCP



Client -- > Client


112 | P a g e

In addition to the ports listed in the following table, wake-up proxy also uses Internet Control

Message Protocol (ICMP) echo request messages from one client to another client when they are

configured for wake-up proxy. This communication is used to confirm whether the other client

computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands.

ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following

table. However, any host-based firewalls on these client computers or intervening network

devices within the subnet must permit ICMP traffic for wake-up proxy communication to

succeed.

Description UDP TCP

Wake on LAN 9 (See note 2, Alternate Port Available) --

Wake-up proxy 25536 (See note 2, Alternate Port Available) --

Client -- > Configuration Manager Policy Module (Network Device Enrollment Service)

Description UDP TCP

Hypertext Transfer Protocol (HTTP) 80


Client -- > Cloud-Based Distribution Point

Description UDP TCP


Client -- > Distribution Point

Description UDP TCP



Client -- > Distribution Point Configured for Multicast

Description UDP TCP

Server Message Block (SMB) -- 445

Multicast Protocol 63000-64000 --

Client -- > Distribution Point Configured for PXE

Description UDP TCP

Dynamic Host Configuration Protocol (DHCP) 67 and 68 --

Trivial File Transfer Protocol (TFTP) 69 (See note 4 Trivial FTP (TFTP) Daemon) --

Boot Information Negotiation Layer (BINL) 4011 --

Client -- > Fallback Status Point

Description UDP TCP


113 | P a g e


Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup

computer or when it is configured for Internet-only communication.

Description UDP TCP

Global Catalog LDAP -- 3268

Global Catalog LDAP SSL -- 3269

Client -- > Management Point

Description UDP TCP

Client notification (default communication before falling

back to HTTP or HTTPS)

-- 10123 (See note 2, Alternate

Port Available)

Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port

Available)

Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port

Available)

Client -- > Software Update Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 3, Windows Server Update

Services)

Secure Hypertext Transfer Protocol

(HTTPS)

-- 443 or 8531 (See note 3, Windows Server Update

Services)

Client -- > State Migration Point

Description UDP TCP




Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client,

which is dependent upon the enforcement client being used. For example, DHCP enforcement

will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health

Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for

the IPsec filters. For more information, see the Windows Network Access Protection

documentation.

Configuration Manager Console -- > Client

Description UDP TCP


114 | P a g e

Remote Control (control) -- 2701

Remote Assistance (RDP and RTC) -- 3389

Configuration Manager Console -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP) -- 80

Configuration Manager Console -- > Reporting Services Point

Description UDP TCP



Configuration Manager Console -- > Site Server

Description UDP TCP

RPC (initial connection to WMI to locate provider system) -- 135

Configuration Manager Console -- > SMS Provider

Description UDP TCP

RPC Endpoint Mapper 135 135

RPC -- DYNAMIC (See note 6, Dynamic ports)

Configuration Manager Policy Module (Network Device Enrollment Service) -- > Certificate

Registration Point

Description UDP TCP


Distribution Point -- > Management Point

A distribution point communicates to the management point in the following scenarios:

To report status of prestaged content

To report usage summary data

To report content validation

A pull distribution point reports package download status

Description UDP TCP



Endpoint Protection Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP) -- 80


115 | P a g e

Endpoint Protection Point -- > SQL Server

Description UDP TCP


Enrollment Proxy Point -- > Enrollment Point

Description UDP TCP


Enrollment Point -- > SQL Server

Description UDP TCP


Exchange Server Connector -- > Exchange Online

Description UDP TCP

Windows Remote Management over HTTPS -- 5986

Exchange Server Connector -- > On Premises Exchange Server

Description UDP TCP

Windows Remote Management over HTTP -- 5985

Mac Computer -- > Enrollment Proxy Point

Description UDP TCP


Management Point -- > Domain Controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) -- 389

LDAP (Secure Sockets Layer [SSL] connection) 636 636





Management Point < -- > Site Server

(See note 5, Communication between the site server and site systems)

Description UDP TCP

RPC Endpoint mapper -- 135




116 | P a g e

Management Point -- > SQL Server

Description UDP TCP


Mobile Device -- > Enrollment Proxy Point

Description UDP TCP


Mobile Device -- > Windows Intune

Description UDP TCP


Out of Band Service Point --> Enrollment Point

Description UDP TCP


Out of Band Service Point --> AMT Management Controller

Description UDP TCP

Power control, provisioning, and discovery -- 16993

Out of Band Management Console --> AMT Management Controller

Description UDP TCP

General management tasks -- 16993

Serial over LAN and IDE redirection -- 16995

Reporting Services Point -- > SQL Server

Description UDP TCP


Site Server < -- > Application Catalog Web Service Point

Description UDP TCP




Site Server < -- > Application Catalog Website Point

Description UDP TCP





117 | P a g e

Site Server < -- > Asset Intelligence Synchronization Point

Description UDP TCP




Site Server -- > Client

Description UDP TCP

Wake on LAN 9 (See note 2, Alternate Port Available) --

Site Server -- > Cloud-Based Distribution Point

Description UDP TCP


Site Server -- > Distribution Point


Description UDP TCP




Site Server -- > Domain Controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) -- 389

LDAP (Secure Sockets Layer [SSL] connection) 636 636





Site Server < -- > Certificate Registration Point

Description UDP TCP




Site Server < -- > Endpoint Protection Point

Description UDP TCP





118 | P a g e

Site Server < -- > Enrollment Point

Description UDP TCP




Site Server < -- > Enrollment Proxy Point

Description UDP TCP




Site Server < -- > Fallback Status Point


Description UDP TCP




Site Server -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP) -- 80 (See note 1, Proxy Server port)

Site Server < -- > Issuing Certification Authority (CA)

This communication is used when you deploy certificate profiles by using the certificate

registration point. The communication is not used for every site server in the hierarchy; it is used

only for the site server at the top of the hierarchy.

Description UDP TCP


RPC (DCOM) -- DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Reporting Services Point


Description UDP TCP




119 | P a g e


Site Server < -- > Site Server

Description UDP TCP


Site Server -- > SQL Server

Description UDP TCP


During the installation of a site that will use a remote SQL Server to host the site database, you must open

the following ports between the site server and the SQL Server:

Description UDP TCP




Site Server -- > SMS Provider

Description UDP TCP




Site Server < -- > Software Update Point


Description UDP TCP



Services)


(HTTPS)


Services)

Site Server < -- > State Migration Point


Description UDP TCP




120 | P a g e

Site Server < -- > System Health Validator


Description UDP TCP




SMS Provider -- > SQL Server

Description UDP TCP


Software Update Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP) -- 80 (See note 1, Proxy Server port)

Software Update Point -- > Upstream WSUS Server

Description UDP TCP


Services)


(HTTPS)


Services)

SQL Server --> SQL Server

Intersite database replication requires the SQL Server at one site to communicate directly with

the SQL Server of its parent or child site.

Description UDP TCP

SQL Server Service -- 1433 (See note 2, Alternate Port Available)

SQL Server Service Broker -- 4022 (See note 2, Alternate Port Available)

Tip

Configuration Manager does not require the SQL Server Browser, which uses port UDP 1434.

State Migration Point -- > SQL Server

Description UDP TCP


Windows Intune Connector -- > Windows Intune

Description UDP TCP



121 | P a g e

Notes for Ports Used by Configuration Manager Clients and Site Systems

1. Proxy Server port: This port cannot be configured but can be routed through a

configured proxy server.

2. Alternate Port Available: An alternate port can be defined within Configuration

Manager for this value. If a custom port has been defined, substitute that custom port

when defining the IP filter information for IPsec policies or for configuring firewalls.

3. Windows Server Update Services: WSUS can be installed either on the default Web

site (port 80) or a custom Web site (port 8530).

After installation, the port can be changed. You do not have to use the same port number

throughout the site hierarchy.

o If the HTTP port is 80, the HTTPS port must be 443.

o If the HTTP port is anything else, the HTTPS port must be 1 higher—for

example, 8530 and 8531.

4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not

require a user name or password and is an integral part of the Windows Deployment

Services (WDS). The Trivial FTP Daemon service implements support for the TFTP

protocol defined by the following RFCs:

o RFC 350—TFTP

o RFC 2347—Option extension

o RFC 2348—Block size option

o RFC 2349—Time-out interval, and transfer size options

Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP

Daemons listen on UDP port 69 but respond from a dynamically allocated high port.

Therefore, enabling this port will allow the TFTP service to receive incoming TFTP

requests but will not allow the selected server to respond to those requests. Allowing the

selected server to respond to inbound TFTP requests cannot be accomplished unless the

TFTP server is configured to respond from port 69.

5. Communication between the site server and site systems: By default, communication

between the site server and site systems is bi-directional. The site server initiates

communication to configure the site system, and then most site systems connect back to

the site server to send status information. Reporting service points and distribution points

do not send status information. If you select Require the site server to initiate

connections to this site system on the site system properties, after the site system is

installed, it will not initiate communication to the site server. Instead, the site server


122 | P a g e

initiates the connections and uses the Site System Installation Account for authentication

to the site system server.

6. Dynamic ports: Dynamic ports (also known as ephemeral ports) use a range of port

numbers, which is defined by the operating system version.


123 | P a g e

Reference TechNet Microsoft

http://technet.microsoft.com/en-us/evalcenter/dn205297.aspx

http://technet.microsoft.com/en-us/library/gg682129.aspx

http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-

configuration-manager/default.aspx#fbid=QM1QXL1UEfx

Other articles This eBook is part of a series of articles dedicated to Configuration and Troubleshooting System

Center Family.

They are actually written and hosted on Mai Ali’s Blog http://expertslab.wordpress.com

How to Install Operation Manager 2012R2 using PowerShell

Monitoring Lync Server using Operations Manager

Enable Proxy Agent for all SCOM Agents

Install and Import Management Pack from Disk

Error 25211″Failed to install performance counters”

Fix Agent not Monitored or Gray state

http://technet.microsoft.com/en-us/evalcenter/dn205297.aspx

http://technet.microsoft.com/en-us/library/gg682129.aspx

http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager/default.aspx#fbid=QM1QXL1UEfx

http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager/default.aspx#fbid=QM1QXL1UEfx


http://expertslab.wordpress.com/2014/06/28/how-to-install-operation-manager-2012r2-using-powershell/

http://expertslab.wordpress.com/2014/07/04/monitoring-lync-server-using-operations-manager/

http://expertslab.wordpress.com/2014/07/04/enable-proxy-agent-for-all-scom-agents/

http://expertslab.wordpress.com/2014/07/04/install-and-import-management-pack/

http://expertslab.wordpress.com/2014/07/02/error-25211failed-to-install-performance-counters/

http://expertslab.wordpress.com/2014/07/02/fix-agent-not-monitored-or-gray-state/

Documents

Microsoft System center configuration manager 2012 step by ......MICROSOFT SYSTEM CENTER CONFIGURATION MANAGER 2012 STEP BY STEP ... (Enterprise Administrator Windows 2008), MCITP