Microsoft SCCM

The SCCM plugin enables the creation of services that simplify creating, removing, and deploying computers and software in your organization, in a standardized and automated way that hides much of the complexity.

Installation and Configuration

  • Verify that the frontend account has read permissions in the Organizational Unit where the Deployment groups are created in Active Directory.
  • Verify that the backend account has read and write permissions in the Organizational Unit where the Deployment groups are created in Active Directory.
  • Local group membership on the SCCM Server (frontend and backend account)
    • Local Group Name: Remote Management Users
    • Description: Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
    • Local Group Name: SMS Admins
    • Description: Members have access to the SMS Provider.
  • Permissions in SCCM (frontend account)
    • Permission Name: Read-only Analyst
    • Description: Grants permissions to view all Configuration Manager objects.
  • Permissions in SCCM (backend account)
    • Permission Name: Application Administrator
    • Description: Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments.
    • Permission Name: Operating System Deployment Manager
    • Description: Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.
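
The following script is an added example, not part of the plugin or its documentation, that audits the local group memberships and SCCM security roles listed above and flags roles beyond them. The account names are placeholders, `P01` is the example site code used later on this page, and reading roles from the SMS Provider's `SMS_Admin` class is one possible way to perform the check.

```powershell
# Added example: audit the prerequisite memberships and roles listed above.
# Run on the SCCM server. Account names are placeholders; 'P01' is the page's example site code.
$SiteCode = 'P01'
$Expected = @(
    @{ Account     = 'DOMAIN\svc-frontend'   # placeholder account name
       LocalGroups = 'Remote Management Users', 'SMS Admins'
       SccmRoles   = @('Read-only Analyst') },
    @{ Account     = 'DOMAIN\svc-backend'    # placeholder account name
       LocalGroups = 'Remote Management Users', 'SMS Admins'
       SccmRoles   = 'Application Administrator', 'Operating System Deployment Manager' }
)

function New-Finding ($Account, $Check, $Result) {
    [pscustomobject]@{ Account = $Account; Check = $Check; Result = $Result }
}

function Test-PluginAccount {
    param([Parameter(Mandatory)] [hashtable] $Entry,
          [Parameter(Mandatory)] [string] $SiteCode)

    # Local groups: only direct members are returned, nested domain groups are not expanded.
    foreach ($group in $Entry.LocalGroups) {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop).Name
        $result  = if ($members -contains $Entry.Account) { 'OK' } else { 'MISSING' }
        New-Finding $Entry.Account "Local group: $group" $result
    }

    # SCCM security roles as recorded by the SMS Provider (SMS_Admin.RoleNames).
    $logon  = $Entry.Account.Replace('\', '\\')   # WQL string literals need doubled backslashes
    $admin  = Get-CimInstance -Namespace "root\sms\site_$SiteCode" -ClassName SMS_Admin `
                  -Filter "LogonName='$logon'"
    $actual = @($admin.RoleNames | Where-Object { $_ })

    foreach ($role in $Entry.SccmRoles) {
        $result = if ($actual -contains $role) { 'OK' } else { 'MISSING' }
        New-Finding $Entry.Account "SCCM role: $role" $result
    }
    # Roles beyond the ones this page lists are more privilege than the plugin is documented to need.
    foreach ($role in ($actual | Where-Object { $_ -notin $Entry.SccmRoles })) {
        New-Finding $Entry.Account "SCCM role: $role" 'EXTRA'
    }
}

$Expected | ForEach-Object { Test-PluginAccount -Entry $_ -SiteCode $SiteCode } |
    Format-Table -AutoSize
```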

Start the 'Windows PowerShell Console' on the SCCM server, once as the frontend account and once as the backend account, and choose to trust the Microsoft-published files associated with SCCM:

Do you want to run software from this untrusted publisher?
File C:\Program Files (x86)\Microsoft Configuration
Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.PowerShell.Types.ps1xml is published by CN=Microsoft
Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system. Only
run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"): A

Recommendations

For this service to work, SCCM needs to have the discovery methods "Active Directory User Discovery" and "Active Directory Group Discovery" activated with a recurring polling schedule.

We recommend keeping a standardized set of collections of target systems to use as limiting collections when creating new collections for package deployment, because the "All Systems" collection will cause performance issues in larger environments.

To deploy the application to a computer, the computer needs to be a member of the created Install AD group. We recommend that it also be a member of the Uninstall group. Because the Uninstall query requires that the machine is not a member of the Install group before uninstalling any application, this leaves just one group to administer (the Install AD group) when uninstalling from computers.

It also makes it easy to install and uninstall applications through membership in the "Install" AD group alone.

Update Provider Config

ProvisioningSystem

Update the provider config with the settings applicable for your environment

sccm.provisioningsystem.providers.xml

| Key | Example Value | Description |
| --- | --- | --- |
| SCCMServer | SCCM01.domain.local | Target SCCM Server FQDN |
| SiteCode | P01 | Site code to use |
| DomainController | DC01.domain.local | Preferred domain controller FQDN |
| Protocol | Wsman | Protocol to use (Wsman or DCOM) |
| UICulture | en-US | Language to display state messages in (en-US or sv-SE) |

ClientWebService

Update the provider config with the settings applicable for your environment

sccm.clientwebservice.provider.xml

| Key | Example Value | Description |
| --- | --- | --- |
| SCCMServer | SCCM01.domain.local | Target SCCM Server FQDN |
| SiteCode | P01 | Site code to use |
| DomainController | DC01.domain.local | Preferred domain controller FQDN |
| Protocol | Wsman | Protocol to use (Wsman or DCOM) |
| UICulture | en-US | Language to display state messages in (en-US or sv-SE) |

Dependencies

  • Install SCCM 2012 R2 SDK on the Zervicepoint server running ProvisioningSystem/ClientWebService