SCCM 2012 Part 1. Installation


Update: This post has been superseded since the release of the RTM version of Configuration Manager 2012. To see the new post please click here.
If you’ve been following my previous series of guides on System Center Configuration Manager 2012 Beta 1 and Beta 2, then you’ll know where this is going, we are going to install System Center Configuration Manager 2012 Release Candidate from scratch and configure it, use it, test it, learn it. This is Part 1 of a series, to see the entire list please see this index.
Technet Recommended Reading:-
Release Notes for the System Center 2012 Configuration Manager Release Candidate – http://technet.micro…y/hh508784.aspx
Fundamentals of Configuration Managerhttp://technet.micro…y/gg682106.aspx Supported Configurations for Configuration Managerhttp://technet.micro…y/gg682077.aspx Planning for Configuration Manager Sites and Hierarchyhttp://technet.micro…y/gg682075.aspx
Getting Started with Configuration Manager 2012 – http://technet.micro…y/gg682144.aspx What’s New in Configuration Manager – http://technet.micro…y/gg699359.aspx Planning for Site Systems in Configuration Manager – http://technet.micro…y/gg712282.aspx Install Sites and Create a Hierarchy for Configuration Manager – http://technet.micro…y/gg712320.aspx Technical Reference for Site Communications in Configuration Manager – http://technet.micro…y/gg712990.aspx Migrating from Configuration Manager 2007 to Configuration Manager 2012 – http://technet.micro…y/gg682006.aspx Frequently Asked Questions for Configuration Manager – http://technet.micro…y/gg682088.aspx
Site Types
Configuration Manager 2012 introduces the central administration site and some changes to primary and secondary sites. The following tables summaries these sites and how they compare to sites in Configuration Manager 2007.
Central administration site The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.Although this is the site at the top of the hierarchy in Configuration Manager 2012, it has the following differences from a central site in Configuration Manager 2007:

  • Does not process client data.
  • Does not accept client assignments.
  • Does not support all site system roles.
  • Participates in database replication

Primary site Manages clients in well-connected networks. Primary sites in Configuration Manager 2012 have the following differences from primary sites in Configuration Manager 2007:

  • Additional primary sites allow the hierarchy to support more clients.
  • Cannot be tiered below other primary sites.
  • No longer used as a boundary for client agent settings or security.
  • Participates in database replication.

Secondary site Controls content distribution for clients in remote locations across links that have limited network bandwidth.Secondary sites in Configuration Manager 2012 have the following differences from secondary sites in Configuration Manager 2007:

  • SQL Server is required and SQL Server Express will be installed during site installation if required.
  • A proxy management point and distribution point are automatically deployed during the site installation.
  • Secondary sites can be tiered to support content distribution to remote locations.
  • Participates in database replication.

Hardware Requirements Note: The following page on Technet describes the recommended hardware requirements for a stand-alone Primary Server.
Stand-alone primary site (SQL Server installed Locally)

  • Up to 100,000 clients
  • SQL Server is installed on the site server computer

The following hardware requirements are recommended for a stand-alone Primary server.

  • 8 cores (Intel Xeon E5504 or comparable CPU)
  • 32 GB of RAM
  • 550 GB hard disk space for the operating system, SQL Server, and all database files

Step 1. Create the Lab Environment
We are going to create a Standalone Primary Site in our LAB (creating a CAS and then another Primary is a bit more work, I may write up that process in the future), so let’s get started, and to start off with I re-used/recycled my lab from Beta 2 by applying the day 1 snapshots effectively giving me a blank activated AD and blank SCCM 2012 server with the Operating System ready and activated.
This is a huge advantage of doing labs in a virtual environment.
The SCCM 2012 RC server for this lab has a C: partition (OS) and 150GB D: partition (DATA). The Domain Controller (AD1) is running Server 2008 R2, and is hosting the DHCP server and DNS roles.
I chose to install Windows Server 2008 R2 standard as the server OS for SCCM 2012 RC. Once done I joined it to my domain (SERVER2008R2), verified DNS was working correctly via nslookup and was ready to begin the steps below.
Create AD users: Note: Perform the following on the Active Directory Domain Controller server as Local Administrator
In addition I created some accounts in AD, namely:
* SMSadmin, a domain user * Testuser, a domain user * Testuser2, a domain user * Testuser3, a domain user * DomJoin, a domain user,(for joining computers to the domain) * ReportsUser, a domain user for reporting services. * ClientInstall, a domain user used when installing the Configuration Manager Client for Client Push. This user must  be a local administrator on computers you want to install the Configuration Manager Client. * SCCMNAA, a domain user, (Network Access Account) used during OSD
Create Local Administrator accounts:
Note: Perform the following on the SCCM 2012 server as Local Administrator
On the SCCM server add the SMSadmin user to the Local Administrators group (you can add the ClientInstall account also).
local admin.png
Step 2. Download SCCM 2012 Release Candidate
you can download it from Microsoft here. System requirements
Supported Operating Systems: Windows Server 2003 R2 x64 editions, Windows Server 2008, Windows Server 2008 R2
Site System Requirements

  • Site servers and site roles require 64-bit OS (distribution points are an exception)

Branch Distribution Points

  • Branch distribution points have been deprecated and replaced with standard distribution points that can be hosted on Configuration Manager 2012 client operating system platforms, with the exception of Windows XP Professional Service Pack 3 and Windows XP Tablet PC SP3
  • Standard DPs can run on Windows Server 32-bit but will not support advanced functionality

Server Operating System Requirements

  • Windows Server 2008 (64-bit) and Windows Server 2008 R2
  • Distribution points can run on Windows Server 2003

Client Operating System Requirements

  • Windows XP professional SP3 – x86 and Windows XP SP2 pro for 64 bit systems
  • Windows Vista SP2 (x86,x64)
  • Windows Server 2003 R2 SP2 (x86,x64)
  • Windows Server 2008 (x86,x64)
  • Windows Server 2008 R2 (x86,x64)
  • Windows 7 (x86,x64)

Database Requirements

  • SQL Server 2008 SP2 with CU 7
  • SQL Server 2008 R2 with SP1 and Cumulative Update 4
  • SQL Server Express 2008 r2 WITH SP1 and CU 3 is supported only on secondary sites
  • SQL Reporting Services is ONLY reporting solution

For Supported Configurations information, visit

Step 3. Create The System ManageMent Container
Note: Perform the following on the Active Directory Domain Controller as a Domain Administrator
Open ADSI Edit, click on Action, Connect To and click Ok, Double Click on Default Naming Context and the DC= that appears below it. Click on the + and scroll down to CN=System.
Right Click on CN=System and choose New, Object
new object.png
Choose Container from the options, click Next and enter System Management as the value. Click Next and Finish. Press F5 to refresh ADSI Edit and you should now see the new System Management Container. Close ADSI Edit.
Step 4. Delegate Permission to the System Management Container.
Note: Perform the following on the Active Directory Domain Controller as a Domain Administrator
Open Active Directory Users and Computers. Click on view, select Advanced Features.
Select the System Management Container, and right click it, choose All Tasks and Delegate Control.
delegate control.png
When the Welcome to Delegation of Control Wizard appears click next, then click Add. click on Object Types, select Computers. Type in your SCCM server name and click on Check Names, it should resolve.
Click Ok, then Next. Choose Create a Custom Task to Delegate, click next, make sure This folder, existing objects in this folder and creation of new objects in this folder is selected.
delegation of control wizard.png
click next, select the 3 permissions General, Property-Specific and Creation-deletion of specific child objects are selected then place a check mark in FULL CONTROL, and click next then Finish.
full control.png
Failure to do the above will mean that the System Management Container in AD will NOT POPULATE with ConfigMgr site info needed by the Clients and you will see many errors in your site status warning you of same.
Note: Repeat the above for Each site server that you install in a Hierarchy.
Step 5. Extend the Active Directory schema for Configuration Manager
Note: Perform the following on the Active Directory Domain Controller as a Domain Administrator
The Active Directory schema extensions for Configuration Manager 2012 are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for Configuration Manager 2012.
Perform the below on your Active Directory server, simply browse the network to your sccm server \\sccm\d$ and locate the folder where you uncompressed SCCM 2012 and find \SMSSetup\Bin\x64\Extadsch.exe, right click and choose Run As Administrator.
A command prompt window will appear briefly as the schema is extended, check in c:\ for a log file called ExtADSch.log it should look similar to this


< 10-27-2011 07:31:43> Modifying Active Directory Schema – with SMS extensions. <10-27-2011 07:31:43> DS Root:CN=Schema,CN=Configuration,DC=server2008r2,DC=lab,DC=local <10-27-2011 07:31:45> Defined attribute cn=MS-SMS-Site-Code. <10-27-2011 07:31:45> Defined attribute cn=mS-SMS-Assignment-Site-Code. <10-27-2011 07:31:45> Defined attribute cn=MS-SMS-Site-Boundaries. <10-27-2011 07:31:45> Defined attribute cn=MS-SMS-Roaming-Boundaries. <10-27-2011 07:31:45> Defined attribute cn=MS-SMS-Default-MP. <10-27-2011 07:31:46> Defined attribute cn=mS-SMS-Device-Management-Point. <10-27-2011 07:31:46> Defined attribute cn=MS-SMS-MP-Name. <10-27-2011 07:31:46> Defined attribute cn=MS-SMS-MP-Address. <10-27-2011 07:31:46> Defined attribute cn=mS-SMS-Health-State. <10-27-2011 07:31:46> Defined attribute cn=mS-SMS-Source-Forest. <10-27-2011 07:31:46> Defined attribute cn=MS-SMS-Ranged-IP-Low. <10-27-2011 07:31:46> Defined attribute cn=MS-SMS-Ranged-IP-High. <10-27-2011 07:31:46> Defined attribute cn=mS-SMS-Version. <10-27-2011 07:31:46> Defined attribute cn=mS-SMS-Capabilities. <10-27-2011 07:31:47> Defined class cn=MS-SMS-Management-Point. <10-27-2011 07:31:48> Defined class cn=MS-SMS-Server-Locator-Point. <10-27-2011 07:31:48> Defined class cn=MS-SMS-Site. <10-27-2011 07:31:48> Defined class cn=MS-SMS-Roaming-Boundary-Range. <10-27-2011 07:31:48> Successfully extended the Active Directory schema.
<10-27-2011 07:31:48> Please refer to the ConfigMgr documentation for instructions on the manual <10-27-2011 07:31:48> configuration of access rights in active directory which may still <10-27-2011 07:31:48> need to be performed.  (Although the AD schema has now be extended, <10-27-2011 07:31:48> AD must be configured to allow each ConfigMgr Site security rights to <10-27-2011 07:31:48> publish in each of their domains.)

Step 6. Open TCP port 1433 and 4022 for SQL replication
Note: Perform the following on the Active Directory Domain Controller as a Domain Administrator
If you are setting up a hierarchy (CAS/Primary/etc) then on your AD server do the following, start Group Policy Management tool and create a new GPO,
Select Computer Configuration, Policies, Windows Settings, Windows Firewall with Advanced Security and select Inbound Rules, choose New and follow the wizard for opening up TCP port 1433 as per this guide on Technet. Once done, repeat the above for Port 4022.
Step 7. Install .NET 3.5.1 and WCF Activation
Note: Perform the following on the SCCM 2012 server as SMSadmin
In Server Manager select Features, Add Features, Select .NET Framework 3.5.1, also select WCF Activation and when prompted answer Add Required Role Services click next and next again
add roles and features.png
Verify the following IIS componentsare installed in addition to the ones preselected by the wizard.


Common HTTP Features Static Content Default Document Directory Browsing HTTP Errors HTTP Redirection
Application Development ASP.NET .NET Extensibility ASP ISAPI Extensions ISAPI Filters
Health and Diagnostics HTTP logging Logging tools Request Monitor Tracing
Security Basic Authentication Windows Authentication URL Authorization Request Filtering IP and Domain Restrictions
Performance Static Content Compression
Management Tools IIS Management Console IIS Management Scripts and Tools Management Service IIS 6 Management Compatibilty IIS 6 Metabase Compatibility IIS 6 WMI Compatibility IIS 6 Scripting Tools IIS 6 Management Console

answer yes to any additional prompts, then Click Next and Install and close when done.
Step 8. Download and install .NET 4
Note: Perform the following on the SCCM 2012 server as SMSadmin
Download .NET 4 from here (webinstall) or here (Standalone). Double click the file, After a while it will complete, Click Finish when done
.net finished.png
restart when prompted
Note: In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command:%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe –i –enable
Step 9. Add BITS and Remote Differential Compression
Note: Perform the following on the SCCM 2012 server as SMSadmin
Finally, in Server Manager click on Add Features, place a selection mark in BITS and RDC.
bits and rdc.png
Step 10. Download Microsoft SQL Server 2008 SP2 CU7 (if you plan on using SQL Server 2008 R2 see 10.b below)
Note: Perform the following on the SCCM 2012 server as SMSadmin The supported versions of SQL Server 2008 and SQL Server 2008 R2 are listed here on Technet:- http://technet.micro…nfigSQLDBconfig
At the time of writing this guide I chose to use SQL Server 2008 SP2, CU6 with the hotfix mentioned below, that is fine for Release Candidate 1. If you are using RC2, then use CU7 instead of CU6 and the hotfix, or use SQL Server 2008 R2 SP1 CU4 as described in 10.b below). Be aware that If you use SQL Server Standard, your CAS will only be able to support 50k clients.
Download SQL Server 2008 Standard (x86, x64) – DVD (English) from your provider (MSDN or Technet) the one I used was
File Name: en_sql_server_2008_standard_x86_x64_dvd_x14-89155.iso
Note: You can download the Trial version (180 days) from here.
While you are at it download SQL Server 2008 SP2 from here – File Name: SQLServer2008SP2-KB2285068-x64-ENU.exe
Next download CU7 , you can download CU7 from here.
Next Download the CU6 from here
Finally, you also need to Download 2603910
Step 10.b
This step if you decide to use SQL Server 2008 R2. If you want to use this version then the supported version is SQL Server 2008 R2 SP1 CU4.
Download the following from Technet:- File Name: en_sql_server_2008_r2_standard_x86_x64_ia64_dvd_521546.iso (4177 MB)

Download Microsoft® SQL Server® 2008 R2 Service Pack 1
Download Cumulative update package 4 for SQL Server 2008 R2 Service Pack 1
Step 11. Install SQL Server 2008
Note: Perform the following on the SCCM 2012 server as SMSadmin
For SQL Collation note that you must use (It is required whether you have a hierarchy of sites or a single site and regardless of the OS languages.):- SQL_Latin1_General_CP1_CI_AS
To Install SQL server you can follow this guide but please install SQL on D:\Program Files… and when running setup.exe right click and choose Run as Administrator. After you install SQL Server 2008, you must install SP2 and then CU6 and finally install KB2603910.
So install it in this order:
SQL Server 2008 >> SQL Server 2008 SP2 >> SQL Server 2008 Cumulative Update 6 >> KB2603910
Note: CU7 is available and it’s supposed to contain the above hotfix, however i have not tested it yet.
Step 12. Install Configuration Manager 2012 Release Candidate.
Note: Perform the following on the SCCM 2012 server as SMSadmin
TIP: you can open C:\ConfigMgrSetup.log with Configuration Manager Trace Tool available in the extracted media to and review the contents of the file, it will inform you of any issues during installation.
Uncompress the EXE by running it, then browse to where you uncompressed it and click on Splash.hta
when the wizard appears, click on Install, click next at the warning and then select Install a Configuration Manager Primary Site
install a configuration manager primary site.png
at the EULA click accept
Create a folder on D:\ called RC_Updates and then specify the path to download the updates
If you don’t have internet on your SCCM server then you can download the required updates on another computer by doing like so:-

  • Open a command prompt with administrative permissions
  • Navigate to .\Configuration Manager 2012 Install source\smssetup\bin\X64
  • Run SetupDL.exe target dir (in my example SetupDL.exe D:\RC_Updates)


Click next at the Server Language screen
and at the Client Language Screen
client language.png
enter your Site and Installation Settings, install the site on D:\ as per below screenshot
site and installation settings.png
select Standalone as the site type
install standalone.png
take note of the warning (ie: if will not be able to join it to an existing site heirarchy later)
review the Database Information
db info.png
review the SMS provider settings
sms provider.png
review the Client computer communication settings, select Configure the Communication method on each site system role
client computer.png
review the site system roles
site system roles.png
click next at the CEIP screen then review the summary
take note of any warnings, if like mine (WSUS and SQL memory, we can fix them later, no problem)
click on Begin Install
now is a good time to look at the C:\ConfigMgrSetup.log with CMtrace, watch it for errors
cmtrace on log.png
after a long install you should see the installer finish, click on Close
installation done.png
reboot the SCCM server and then login again as SMSadmin
start the Configmgr console
congratulations, you’ve installed System Center 2012 Configuration Manager Release Candidate
sccm20120 rc done.png
Note: This is Part 1 of a series of step-by-step Guides for Configuration Manager 2012. To view the entire list please see this index. This guide and all guides here are ©, no reproduction allowed without previous written permission.

Using SCCM 2012 RC in a LAB – Part 2. Add SUP and WDS.

Step 1. Add the WSUS Update Services 3.0 SP2 role
Perform the following on the SCCM server as SMSadmin
Before starting this step
create a folder on D:\ called sources and share it as sources, give Everyone Read access.
sources share.png
We’ll need the WSUS role installed as part of the Software Update Point role installation in the next step, so start Server Manager and click on Roles, Add Roles. Select Windows Server Update Services and a window will pop up asking to add role services required for Windows Server Update Services (IIS Dynamic Content compression), click Add Required Role Services
add wsus role.png
click next through the wizard, you’ll see the Select Role Services window appear, click next again, at the confirmation click Install, the WSUS role will be downloaded (so you’ll need a network connection to the Internet) .

after a while you’ll see the Welcome to Windows Server Update Services 3.0 SP2 setup wizard appear click next (which is probably hidden behind the active window, so in your system tray find it and click on it to show the wizard otherwise you’ll be twiddling your thumbs for a long time wondering whats going on)
wsus setup.png
Accept the Eula and click next
for Select Update Source, choose where to store the updates locally, select D:\sources\WSUS
d wsus.png
for database options choose Use an existing database server on this computer, click next
existing db on server.png
it will connect to your SCCM SQL server instance, click next
sql db.png
accept the web site preference, Use an existing Default website
iis website.png
at the ready to install WSUS, click next
read to install.png
click Finish when done.
followed by cancelling the WSUS configuration Wizard.
and close the Roles Wizard
wsus done.png
Step 2. Add Windows Deployment Services.
Perform the following on the SCCM server as SMSadmin
Update:- You no longer need to install the Windows Deployment Services Role because when you enable PXE support on the Distribution Point, the WDS Service will get installed (and configured) by ConfigMgr, so  please skip this step. You can review this via the Distrmgr.log.
In Server Manager, click Add roles select Windows Deployment Services and click next
windows deployment services role.png
click Next, Next, and Install and click Close when done. Close Server Manager.
Step 3. Add the SUP role
Perform the following on the SCCM server as SMSadmin
Note: In a Multi Hierarchy setup (CAS+Primaries+…) you must install a Top Level SUP on your CAS, and your Primaries and optionally on your Secondary site servers. In a standalone setup (such as we have here) we need to install the SUP on our Standalone Primary. In a multi Hierarchy the CAS SUP is the only SUP to sync directly with Microsoft Update to get the update catalog, all the SUPs on the Primaries sync with the CAS SUP. The Primary sites SUP is the only SUP which clients use to scan for Updates Compliance.
Start up the ConfigMgr console, click on Administration in the Wunderbar, click on Site Configuration, and select Servers and Site System Roles, Right click on your server and choose Add Site System Role
add site role.png
click next at the Add Site System Roles Wizard
add site systems role wizard.png
Select Software Update Point and click Next
software update point role selected.png
if you need to input proxy information, do it here
proxy info.png
next select Use this server as the Active Software Update Point and the wizard screen will expand as a result, leave the ports as they are (we didn’t change them from the Default when we installed WSUS)
use this server as the active software update point.png
to Specify Synchronization Settings, select Synchronize from Microsoft Update
synchronise from microsoft update.png
next we configure the Schedule and Alert settings, please enable both.
enable sync on a schedule and alert when sync fails on any site in the heirarchy.png
leave the supersedence rules as they are, note the note about Service packs and Endpoint Protection updates.
Supersedence rules.png
As we will be configuring System Center Endpoint Protection (SCEP) later in this series, let’s add Definition Updates in the Classifications choice
definition updates.png
Remove the checkmarks from Office and Windows in the Products list, we will revisit this list after our first Sync.
remove office and windows products.png
On the Languages screen, remove all checkmarks in all languages except English (well if you want other languages add them, but for me it’s just English)
english selected.png
click next at the summary and progress, review the completion message and click Close.
sup done.png

Using SCCM 2012 RC in a LAB – Part 3. Configuring Discovery and Boundaries.

Configuring Discovery Methods.
Active Directory Discovery Methods Configuration Manager 2012 Active Directory discovery methods can discover Active Directory sites, subnets, users, and computers that are stored in Active Directory Domain Services. To discover information from Active Directory, Configuration Manager requires access to the Active Directory locations that you specify and will use the computer account of the site server that runs the Active Directory discovery method. Or, you can specify a Windows account to run any Active Directory discovery method.
For information on Planning Discovery methods for SCCM 2012, please refer to these pages on Technet:-

Decide Which Discovery Methods to Use

To discover possible Configuration Manager client computers or user resources, you must enable the appropriate discovery methods. You can use different combinations of discovery methods to locate different resources and to discover additional information about those resources. The discovery methods that you use determine the type of resources that are discovered and which Configuration Manager services and agents are used in the discovery process. They also determine the type of information about resources that you can discover.
Discover Computers When you want to discover computers, you can use Active Directory System Discovery or Network Discovery. As an example, if you want to discover resources that can install the Configuration Manager client before you use Client Push Installation, you might run Active Directory System Discovery. Alternately you could run Network Discovery and use its options to discover the operating system of resources (required to later use push client installation). However, by using Active Directory System Discovery, you not only discover the resource, but discover basic information and can discover extended information about it from Active Directory Domain Services. This information might be useful in building complex queries and collections to use for the assignment of client settings or content deployment. Network Discovery, on the other hand, provides you information about your network topology that you are not able to acquire with other discovery methods, but Network Discovery does not provide you any information about your Active Directory environment. It is also possible to use only Heartbeat Discovery to force the discovery of clients that you installed by methods other than client push installation. However, unlike other discovery methods, Heartbeat Discovery cannot discover computers that do not have an active Configuration Manager client, and returns a limited set of information. It is intended to maintain an existing database record and not to be the basis of that record. Information submitted by Heartbeat Discovery might not be sufficient to build complex queries or collections. If you use Active Directory Group Discovery to discover the membership of a specified group, you can discover limited system or computer information. This does not replace a full discovery of computers but can provide basic information. This basic information is insufficient for client push installation.
Discover Users When you want to discover information about users, you can use Active Directory User Discovery. Similar to Active Directory System Discovery, this method discovers users from Active Directory and includes basic information in addition to extended Active Directory information. You can use this information to build complex queries and collections similar to those for computers.
Discover Group Information When you want to discover information about groups and group memberships, use Active Directory Group Discovery. This discovery method creates resource records for security groups. You can use this method to search a specific Active Directory group to identify the members of that group in addition to any nested groups within that group. You can also use this method to search an Active Directory location for groups, and recursively search each child container of that location in Active Directory Domain Services. This discovery method can also search the membership of distribution groups. This can identify the group relationships of both users and computers. When you discover a group, you can also discover limited information about its members. This does not replace Active Directory System or User Discovery and is usually insufficient to build complex queries and collections or serve as the bases of a client push installation.
Discover Infrastructure There are two methods that you can use to discover infrastructure, Active Directory Forest Discovery and Network Discovery. You can use Active Directory Forest Discovery to search an Active Directory forest for information about subnets and Active Directory site configurations. These configurations can then be automatically entered into Configuration Manager as boundary locations. When you want to discover your network topology, use Network Discovery. While other discovery methods return information related to Active Directory Domain Services and can identify the current network location of a client, they do not provide infrastructure information based on the subnets and router topology of your network.
Step 1. Enable Discovery Methods
Perform the following on the SCCM server as SMSadmin
Note:- Site Hierarchy and Site Operations have been renamed from Beta 2 to Hierarchy Configuration and Site Configuration.
Click on the Administration workspace, expand Overview, Hierarchy Configuration and select Discovery Methods, you can see that Heartbeat Discovery is the only Method Enabled by Default.
Discovery Methods.png
We want our LAB to discovery All Computers and Users so we will enable the following discovery methods

  • Active Directory Forest Discovery
  • Active Directory Group Discovery
  • Active Directory System Discovery
  • Active Directory User Discovery

Right click on Active Directory Forest Discovery and choose Properties,

active directory forest discovery properties.png
place a checkmark in the three available options
enable forest discovery.png
click Apply and answer yes to the Full Discovery question
Do you want to run a full discovery as soon as possible.png
Now we will Enable Active Directory Group Discovery, so as before, right click on it, choose Properties
when the properties screen appears, place a checkmark to Enable the discovery Method,
enable adgd.png
Click on Add, select Location
add location.png
click on Browse
browse group location.png
Select your Active Directory Container and click ok
select active directory container.png
click ok, Give the Name a descriptive name like All My AD Groups
all my ad  groups.png
click ok, and it will now appear in the list of Discovery Scopes
all my ad groups enabled.png
Click on the Polling Schedule Tab, note that Delta Discovery is enabled already, now click on the Option tab (this is new since Beta 2)
polling schedule.png
Note:- There are three new options available in the interestingly named Option tab, select them if you wish, basically they allow us to NOT discovery stale objects in AD (no DDR will be created when they are detected), this is good as not all AD people remove stale accounts and this will help to improve our SLA’s with more accurate information about what systems are live or not in our organisation.
option tab.png
Next we will configure Active Directory System Discovery, so right click it and select Properties, the properties page will show, place a checkmark to Enable Active Directory System Discovery

click on the Yellow StarBurst, then click on Browse and select your default Active Directory Container
ad system discovery.png
so it appears like so
active directory system discovery containers.png
you can review the other tabs, including the new Option tab, select the options within there also.
active directory system discovery option tab.png
and finally we’ll enable Active Directory User Discovery, right click on it, choose Properties, and enable it as below
enable active directory user discovery.png
add the Active directory container discovery by clicking on the yellow starburst and adding the default container
adud container.png
Once done you can click on Assets and Compliance to verify that your Users, Groups and Systems are being Discovered (in the screenshot below I’m showing users and user groups).
assets and compliance.png
Step 2. Configure Boundaries
Perform the following on the SCCM server as SMSadmin
In Configuration Manager 2012, a boundary is a network location that can contain one or more devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range, and it can include any combination of these elements. To use a boundary you must add the boundary to one or more boundary groups. Boundary groups are collections of boundaries and they allow clients to find an assigned site and to locate content when they need to install software, such as applications, software updates, and operating system images.
Boundaries are no longer site-specific. Instead, you define them one time only for the hierarchy and they are available for all sites in the hierarchy. Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site or locate content on a distribution point. Each boundary represents a network location in Configuration Manager 2012 and it is available from every site in your hierarchy. A boundary does not enable you to manage clients at the network location. To manage a client, the boundary must be a member of a boundary group.
Content Location
You can associate one or more distribution points with each boundary group. You can also associate a distribution point with multiple boundary groups. When a client requests content for a deployment, Configuration Manager sends the client a list of distribution points that have the content and that are associated with a boundary group that includes the current network location of the client.
Configuration Manager 2012 supports overlapping boundary configurations for content location. When a client requests content and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all distribution points that have the content. This behavior enables the client to select the nearest server from which to download the content.
You can configure the network connection speed of each distribution point in a boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. The network connection speed and the deployment configuration determine whether a client can download content from a distribution point when the client is on an associated boundary.
In the Administration section, select Boundaries, our previosly discovery Active Directory Site is listed.
default first site name.png
right click on Boundary Groups and choose Create Boundary Group
create boundary group.png
give the Boundary Group a name (and a description if you wish), click on Add
add boundary group.png
In the Add Boundaries window, place a checkmark in our Default-First-Site-Name Boundary.
add boundaries.png
click ok, It now appears in our list of Boundaries which are a member of this Boundary Group, click on References
place a checkmark in Use this Boundary Group for site assignment then click on Add
add content location.png
select our site system then click ok
add site system.png
click Apply
boundary group site assignment and content location.png
Now we have defined which site our clients can get assigned to via the Boundary Group, and we have defined their content location
my boundary groups.png
In the next Part we will configure some more Site roles and configure Client Settings.

Part 4. Configuring Client Settings and adding roles

Step 1. Add the Application Catalog Web Site Roles
Perform the following on the Configuration Manager server as SMSadmin
In Administration, click on Servers and Site System Roles and right click on our Site Server, choose Add Site System Roles.
Note: If you are using a multi-site hierarchy setup (CAS + Primaries), you need to perform the following on your Primary site(s) as the roles listed below won’t be available for CAS. For a Standalone setup perform the following on your standalone primary.
add site system roles.png
click next at the wizard general screen
Select both of the Application Catalog roles
application catalog roles.png
confirm your Application Catalog Web service point selections
application catalog web service point.png
and the Application Catalog Website Point settings
application catalog website point.png
enter your Organisation name and pick a Color scheme for the Application Catalog ! (New since Beta 2) !
application catalog customizations.png
click next through the summary and progress screens, verify everything at the completion screen.
summary screen.png
Step 2. Configure Client Agent Settings
Perform the following on the SCCM server as SMSadmin
Note: You can configure custom client settings applicable for each site in your hierarchy by creating custom client settings on that Primary site, or if you want settings applied to all your computers in your hierarchy you can edit the Default Client Settings (on your CAS site).
In the Administration section click on Client Settings in the left pane, and select the Default Client Settings listed, right click choose Properties
client settings properties.png
Click on Client Policy and we’ll set this to every 15 minutes as it’s a LAB (the Default setting is 60 minutes), this means that once every 15 minutes the Client will contact it’s Management Point for any new policy.
client policy.png
now choose Computer Agent and configure it as follows:-
Click on Set Website for Default Application Catalog Website and set it to select the FQDN one that is listed
Set Add default Application Catalog website to Internet Explorer trusted zone to True
Set the Organization Name Displayed in Software Center to My Organization (change that to suit your organization)
so your Computer Agent settings should look like this
computer agent settigns.png
Set the Software updates schedule from 7 days to 1 day, this will be because we want to synchronize Endpoint Protection definition updates on a daily basis.
1 day.png
Select User and Device Affinity and change Allow users to define their primary device to True.
define uda.png
click Ok to save the Client Agent Settings.
Step 3. Deploying the Client Agent
Perform the following on the SCCM server as SMSadmin
Note: In a Multi-site Hierarchy (CAS+Primaries) you will need to configure client installation settings on the primaries as CAS does not manage clients and the options will therefore be greyed out on the CAS.
Now that we have made changes to the Default Client settings, we want to deploy the ConfigMgr Client to our computers in the LAB. Before doing so we need to decide what method is appropriate for installing the client on our computers.
The following methods are available
Client Installation Method Description

  • Client push installation – Automatically installs the client to assigned resources and manually installs the client to resources that are not assigned.
  • Software update point installation – Installs the client by using the Configuration Manager 2012 software updates feature.
  • Group Policy installation – Installs the client by using Windows Group Policy.
  • Logon script installation – Installs the client by using a logon script.
  • Manual installation – Manually installs the client software.
  • Upgrade installation – Upgrades clients to a newer version by using Configuration Manager 2012 application management. You can also use Configuration Manager 2007 software distribution to upgrade clients to Configuration Manager 2012.
  • Client Imaging – Prestages the client installation in an operating system image.

Please refer to Technet to Determine the Client Installation Method to Use in Configuration Manager 2012.
For the purposes of this LAB we will select Client Push Installation. Make sure to review the Client deployment Prerequisites on Technet, in particular pay attention to the Firewall Ports used during client push installation.
firewall ports.png
Note: we will use the ClientInstall account to install the configmgr client on our computers, make sure that this account is a local administrator on your target computers.
In Administration, click on Site Configuration, Sites, select our site, in the ribbon above click on Settings, it will open a new menu, from that menu select Client Installation Settings and from there select Client Push Installation.
client push installation.png
On the general screen, place a checkmark in Enable Automatic site-wide client push installation
general tab client push.png
Click on the Accounts tab, and select the yellow star, choose New Account
type in (or browse to select the AD user) the Client Push account, use our ClientInstall account which we created in Active Directory in Part 1.
Note the Verify button, this is new since Beta 2 and allows you to verify that the credentials can connect to your network resources, if you get your password wrong it will tell you !
Click on Verify and type in a Unc path to check.
successfully verified.png
Click Ok.
Click on Assets and Compliance and expand Devices, All Systems, you should see that our SCCM server has a client installed but our Domain Controller does not.
Note: If the site server cannot contact the client computer or start the setup process, it automatically repeats the installation attempt every hour for up to 7 days until it succeeds.
You can wait until Client push installs the client or manually install it right now by Right clicking on the Domain Controller and choose Install Client.
install client.png
set the Installation Options
installation options.png
click next through the wizard, close. Meanwhile, on the DC (AD1-Domain Controller) check task manager, and you’ll see ccmsetup starting…success
after some minutes the client is installed and you can refresh the view, you’ll notice is says Client=Yes on both our systems in the Lab and there are new tabs to look at since beta 2 on the bottom of the screen. We’ll get to them in a later post.
ad has client.png
On your AD computer you can start Software Center
software center.png
click on Find applications from the application catalog
and your Application Catalog will pop up in Green !
application catalog green.png

Part 5. Enable the Endpoint Protection Role and configure Endpoint Protection settings.

When you use Endpoint Protection with Configuration Manager, you benefit from the following:

  • You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client, which is in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

  • Malware and Spyware detection and remediation.
  • Rootkit detection and remediation.
  • Critical vulnerability assessment and automatic definition and engine updates.
  • Integrated Windows Firewall management.
  • Network vulnerability detection via Network Inspection System.

Recommended Reading:-

Prerequisites for Endpoint Protection in Configuration Manager – http://technet.micro…y/hh508780.aspx Best Practices for Endpoint Protection in Configuration Manager – http://technet.micro…y/hh508771.aspx Administrator Workflow for Endpoint Protection in Configuration Manager – http://technet.micro…y/hh526775.aspx
Step 1. Configure the Endpoint Protection Role
Perform the following on the SCCM server as SMSadmin
Note: The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can set EndPoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site.
In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Servers and Site System Roles and click on Home in the Ribbon and click on Add Site System Roles.
home in the ribbon.png
when the wizard appears click next
wizard next.png
Select the Endpoint Protection Point role and click next
select endpoint protection role.png
Read and then accept the License Agreement terms
eula for endpoint.png
Next you get some choices about Microsoft Active Protection service, you can opt in, or opt out, let’s select Basic Membership.
microsoft active protection service.png
click next at the summary and review the status on the completion screen.
ep role added.png
within a few minutes you’ll see the Endpoint Protection client appear in the System Tray of your ConfigMgr Server (this is normal behaviour and is expected, you must have the SCEP client installed on your ConfigMgr Server hosting the Endpoint Protection role).
ep client in systray.png
Note: you can review the EPSetup.log on the server to monitor role installation progress.

Step 2. Configure alerts for Endpoint Protection
Perform the following on the SCCM server as SMSadmin
Note: Alerts inform the administrator when specific events have occurred, such as a malware infection. Alerts can be displayed in the Configuration Manager console, through reports, or optionally can be emailed to specified users. You can configure Endpoint Protection alerts in System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients.
Configure Email Notification (Optional)
If you have access to an SMTP server then you can optionally configure Email Notification Alerts. In the configmgr console, click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Email Notification.
email notification.png
enter your desired settings for SMTP and click Apply. Note that you can test your SMTP settings also.
test smtp connection.png
Configure Alerts for Collections
Next let’s configure Alerts for a Collection, but first let’s create a collection called All Windows 7 Computers (in a LAB this is fine for what we want to do, in Production you should create EndPoint Protection specific Collections).
Note:- You cannot configure alerts for User Collections.Click on Assets and Complicance in the console,click on Device Collections and in the ribbon click on Create Device Collection.
create device collection.png
Call the collection All Windows 7 Computers and limit it to All Systems
create device collection wizard.png
click next, choose Query Rule from the drop down menu and fill in a Query like so (edit query statement, criteria, show query language and replace the code with the below)

select *  from  SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

query rule properties.png
set the schedule as follows (it’s a LAB)
custom schedule.png
click next through the wizard, the collection is now created.
collection created.png
Assets and Compliance select Devices and choose Device Collections, select the All Windows 7 Computers collection (we have no computers in this collection yet but we will have soon), choose properties
properties of collection.png
Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard
alerts tab.png
click on Add and select all the options
alerts options.png
click ok and leave the other Alert settings as they are
alerts tab configured.png

Step 3. Configure the SUP Products to Sync and Perform a Sync
Perform the following on the SCCM server as SMSadmin
Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.
software update point components.png
In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected.
forefront endpoint protection.png
change the Sync Schedule to 1 days
1 day sync.png
Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates
sync now.png
answer Yes to the Sync
yes to sync.png
at this point you can review the Wsyncmgr.log in CMtrace
done syncing.png

Step 4. Configure SUP to deliver Definition Updates using an Automatic Deployment Rule
Perform the following on the SCCM server as SMSadmin
In the Configuration Manager console, click Software Library, expand Software Updates and click on Automatic Deployment Rules
Automatic Deployment Rules.png
in the Ribbon click on Create Automatic Deployment Rule and the wizard appears, give the rule a suitable name like Automatic Deployment Rule for Endpoint Protection and point it to our previously created All Windows 7 Computers collection, select add to an exisiting software update group
add to an existing software update group.png
On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next this reduces State Messages returned and thus reduces Configuration Manager server load
detail level minimum.png
on the Software Updates page select Date Released or Revised
value to find.png
in the Search Criteria pane, click on Value to find and select Last 1 day
last 1 day.png
In the Products tab ensure that the product Forefront Endpoint Protection 2010 check box is selected. product = forefront endpoint protection 2010.png
for Evaluation Schedule, click on Customize and set it to run every 1 days,
Tip: notice that the Synchronization Schedule is listed below, make sure that this occurs at least 2 hours before you evaluate for Forefront Endpoint Protection definition updates, there is no point checking for updates if we haven’t synchronized yet.
every 1 days.png
for Deployment Schedule set Time based on: UTC (if you want all clients in the hierarchy to install the latest definitions at the same time. This setting is a recommended best practice.), for software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points and select As soon as possible for the installation Deadline.
adr deployment schedule.png
for the User Visual Experience select Hide from the drop down menu
hide user visual experience.png
for Alerts enable the option to generate an alert
generate an alert.png
for download settings as the definition updates are important let’s download them even if on slow networks
download settings.png
For Deployment Package we are creating a new one so give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created folder
Note: Make sure that \\sccm\sources\updates\Endpoint (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won’t exist. In addition Everytime this ADR runs it will want to create a new deployment package as specified above, we do not want this to happen so after running the ADR once, retire it and create a new ADR except this time point the deployment package to the packaged which is now created called Endpoint Protection Definition Updates.
create a new deployment package.png
click your way through the rest of the Wizard till completion
adr done.png
if you scroll to the right you’ll see nothing has been downloaded, yet…(because our Automatic Deployment Rule hasn’t run yet since the sync)
not downloaded.png
so let’s force the Automatic Deployment Rule to run now, right click on our ADR and choose Run Now
automatic deployment rules run now.png
and after a few minutes look at our Definition Updates again, notice the difference ?
downloaded yes.png
Step 5. Configure Custom Client Settings for Endpoint Protection
Perform the following on the SCCM server as SMSadmin
Note: Do not configure the default Endpoint Protection client settings unless you are sure that you want these applied to all computers in your hierarchy.
Below is an explanation of the EndPoint Protection settingsavailable:-


Manage Endpoint Protection client on client computers

  • Select True if you want to manage existing Endpoint Protection clients on computers in your hierarchy.
  • Select this option if you have already installed the Endpoint Protection client and want to manage it with Configuration Manager.
  • You should also select this option if you want to create a script to uninstall an existing antimalware solution, install the Endpoint Protection client and deploy this script using a Configuration Manager application or package and program.

Install Endpoint Protection client on client computers

  • Select True to install and enable the Endpoint Protection client on client computers where it is not already installed.

Automatically remove previously installed antimalware software before Endpoint Protection is installed

  • Select True to uninstall existing antimalware software.

Posted ImageNote Endpoint Protection uninstalls the following antimalware software only:

All current Microsoft antimalware products except for Windows InTune and Microsoft Security Essentials Symantec AntiVirus Corporate Edition version 10 Symantec Endpoint Protection version 11 Symantec Endpoint Protection Small Business Edition version 12 Mcafee VirusScan Enterprise version 8 Trend Micro OfficeScan
Suppress any required computer restart after the Endpoint Protection client installed

  • Select True to suppress a computer restart if it is required after the Endpoint Protection client installs.

Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)

  • Specify the number of hours that users can postpone a computer restart if this is required after the Endpoint Protection client installs.

Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers

  • Select True if you want to allow only Configuration Manager to install the initial definition update on client computers. This setting can be helpful to avoid unnecessary network connections and reduce network bandwidth during the initial installation of the definition update.

In the Configuration Manager console, click Administration, click Client Settings and on the Home tab in the Create group, click Create Custom Client Device Settings.
create customclient device settings.png
Select Endpoint Protection and call it Custom Client Device Endpoint Protection Settings
custom client device endpoint protection settings.png
click on Endpoint Protectionand review the settings, change them to as follows:-

  • Manage Endpoint Protection Client on Client Computers = True
  • Install Endpoint Protection Client on Client Computers = True
  • Automatically remove previously installed antimalware software before Endpoint Protection is installed   = True
  • Suppress any required computer restart after the Endpoint Protection client installed  = False
  • Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours)  = 1
  • Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers   = True

endpoint protection manage clients.png
click ok when done, right click on the new
custom settings and choose Deploy
deploy custom client settings.png
select our All Windows 7 Computers collection and choose Ok.
deploy to all windows 7 computers.png

Step 6. Configure Custom AntiMalware Policies
Perform the following on the SCCM server as SMSadmin
Note: Do not configure the default client Malware Policy unless you are sure that you want these applied to all computers in your hierarchy.
There are several pre-created AntiMalware Policies available, to review/use them click on Import. (see screenshot below)
import antimalware policies.png
We will create our own policy in this LAB so in the Configuration Manager console, click Assets and Compliance, click Endpoint Protection, select Antimalware Policies. In the ribbon select Create Antimalware Policy
create antimalware policy.png
give the policy a name like Custom Endpoint Protection Antimalware Policy
custom endpoint protection antimalware policy.png
for Scheduled scans change to Daily at 12 pm (default was Saturday, 2am) and set it to check for latest definition updates before the scan and to randomize the scan start time
scheduled scans.png
for Definition Updates set the check to 2 hours and click on set source, only select Updates distributed from Configuration Manager (deselet the other options)
Note: if your SCCM server has no internet access you can configure it to check for updates from UNC file shares
updates distributed from Configuration Manager.png
Click Ok, Ok.
Right click our Custom Endpoint Protection Antimalware Policy and select Deploy, choose our All Windows 7 Computers Collection as we did for the Device settings above.
deploy custom antimalware policy.png
that’s it we are done !
we have now created custom Client Device settings and a Custom Antimalware Policy for our All Windows 7 Computers collection, in further posts we will add some computers to that collection and verify our Endpoint Protection settings.
Note: If you are having issues with the client installing or getting the Endpoint Protection role installed please refer to the following Endpoint Protection Log files.

  • EndpointProtectionAgent.log – Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
  • EPCtrlMgr.log – Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.
  • EPMgr.log – Monitors the status of the Endpoint Protection site system role.
  • EPSetup.log – Provides information about the installation of the Endpoint Protection site system role

Part 6. Deploying Software Updates.

Step 1. Configure the SUP Products to Sync and Perform a Sync
Perform the following on the SCCM server as SMSadmin
Click on Administration, expand Overview and expand Site Configuration, select Sites and click on Settings in the ribbon and click on Configure Site Components and select Software Update Point.
configure sup.png
In the Products tab ensure that the product Windows 7 check box is selected.
windows 7 product in products.png
Click on Software Library, Software Updates, right click on All Software Updates and choose Synchronize Software Updates, answer Yes when prompted.
sync software updates.png
Monitor the Sync process using the Wsyncmgr.log file in CMTrace.
As we started the sync manually you should search for the following string “Performing Sync on local request“, followed by the status of the sync and you know it’s complete when you can see the following line “Sync Succeeded. Setting Sync alert to cancelled on Site P01.
sync succeeded.png

Step 2. Specify Search Criteria for Software Updates
Perform the following on the SCCM server as SMSadmin
In the console, click Software Library, expand it and select All Software Updates then click on Add Criteria in the top right of the search field. In the scrollable Add Criteriamenu, select the following options

  • Bulletin ID
  • Expired
  • Superseded
  • Product

add criteria.png

then define the criteria using the drop down menus beside each option
windows 7 product.png
so that they look as follows:-

  • Product = Windows 7
  • Bulletin ID =MS
  • Expired = No
  • Superseded = No

then click on Search, you’ll get a list of results like so

153 items shown.png
let’s save our Search criteria and call it Windows 7 Updates search criteria, you can return to this search later by clicking on saved searches and selecting your search from the list.
windows 7 updates search criteria.png
Step 3. Create a Software Update Group that Contains the Software Updates
Perform the following on the SCCM server as SMSadmin
Note: Normally you’d want to look through all these updates and filter out (delete) the ones that are not applicable to you, such as Beta or Service Packs, Delete these from your list before continuing.
After we’ve trimmed down out updates we’ll select the remaining updates by selecting all the updates found in our search criteria above by clicking on one update and then pressing CTRL + A, it should say 153 (or similar) items selected in the bottom left corner, make sure you are still in the Search Criteria as in the picture below
153 items selected.png
In the ribbon, click on Home and then in the Update click on Create Software Update Group, call it Windows 7 Updates and click on Create
create software update group.png
Now you can click on Software Update Groups in the console and you’ll see your newly created Software Update Group, right click on it and choose Show Members to see the updates in this group.
show members.png
this lists the Sotware Updates contained in the Software Update Group

Step 4. Deploy the Software Update Group
Perform the following on the SCCM server as SMSadmin
We could Posted Imagedownload the Content for the Software Update Group to verify that it’s available before distributing it to our Distribution Points, but we’ll skip that step and go ahead and deploy our Updates to our previously created All Windows 7 Computers collection. Select the Windows 7 Updates Software Update Group and in the Ribbon click on Deploy.
deploy windows 7 updates.png
give it a name and point it to our All Windows 7 Computers collection.
deploy to windows 7 collection.png
Note: if you click on Select deployment Template, it will appear empty as you have no created any templates yet.
for Deployment Settings set the type of deployment to Required (mandatory) and State message level to Minimal (to reduce Configuration Manager server load via state messages)
minimal state messages.png
For scheduling set the Time Based on to UTC
for User Experience we want the user to see they are being updated,
user experience.png
set Alerts client compliance is below the following to 80%,
Set the Download Settings to download if a slow or unreliable connection detected, click next
download settings for bac deployment.png
when you get to Deployment Package, choose create a new deployment package,
Note: Make sure that \\sccm\sources\updates\windows7 (or whatever path you choose) exists otherwise the wizard will fail below when it tries to Download as the Network Path won’t exist
create a new deployment package windows 7 updates.png
select your Distribution Point and click next, then for Download Location select Download Software Updates from the Internet, select the English language and at the summary screen click on Save As Template, call the template Windows 7 updates Template
save as template.png
TIP: To review the progress of this task, while you are waiting for the wizard to complete you can browse the UNC on your server of your Deployment Package to see that it’s actually filling up with updates, you should see something like this
unc working.png
And that’s it, after you complete the wizard the software updates in the software update group are deployed to computers in the target collection
deploy software updates wizard completed.png
Finally, create a new collection called Build and Capture Windows 7 X64 and repeat the above Deployment for our Windows 7 Updates and target it to the Build and Capture Windows 7 X64 Collection as follows

3 thoughts on “SCCM 2012 Part 1. Installation”

  1. Really good.provide the part 2 link

  2. rajasekar said:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s