SCCM 2012: Part V – System Configuration – Security and Roles

Here in Part V we’ll be performing more configuration of our SCCM 2012 environment. We’ll pick back up where we left off in Part IV, on the Administration tab of the SCCM console.

Before we continue with the configuration of the site and adding new roles, we need to configure the Security section. By default, just like with System Center Virtual Machine Manager, only the user who ran the installation can log in to the console and has permissions, so we need to change this. Navigate to Security, right-click on Administrative Users and select Add User or Group. You will be prompted with the wizard. Click Browse… I am going to select the Domain Admins group and click OK. Then click Add…, select Full Administrator and click OK. Then select All instances of the objects that are related to the assigned security roles and click OK.

The wizard will close and you will see the group added to the list. This will ensure that all Domain Administrators will have full access to your SCCM environment now. Add any other users/groups with permissions as may be necessary to your environment and then proceed.

image

image

image

Next, click on Security Roles. Here you will see all 14 of the built-in roles available in SCCM. Next, click on Security Scopes. There are two scopes defined by default, the All and Default scopes. You can also create custom security scopes. By default, Full Administrators are in the All scope, which means that they have the permissions of their role for every object in the Configuration Manager environment. Custom scopes are another way of assigning granular permissions if you would like to protect particular applications and packages. At this point in the installation, and in most cases, leaving the default is fine here.
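The Administrative Users list is the first place to look when reviewing who controls the site, and it is worth re-checking after the Domain Admins grant above. The script below is an added example, not code from the original post or from Microsoft: it reads the SMS_Admin class from the SMS Provider over WMI and flags any group that holds Full Administrator in the All scope and is broader than an admin group. It assumes it is run on the site server (or a console host with WMI access to the provider), that SMS_Admin exposes the LogonName, RoleNames, CategoryNames and IsGroup properties, and that the site code 'ABC' is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): audit Configuration Manager
# administrative users and flag broad groups holding Full Administrator.
# Assumptions: WMI access to the SMS Provider; SMS_Admin exposes LogonName,
# RoleNames, CategoryNames (security scopes) and IsGroup; 'ABC' is a
# placeholder site code.
function Get-CMAdminAudit {
    param(
        [string]$SiteCode = 'ABC',            # replace with your site code
        [string]$ProviderHost = 'localhost'    # SMS Provider location (Site Properties > General)
    )

    # Groups that would hand full rights to far more accounts than intended.
    # Domain Admins is added deliberately in the walkthrough, so it is not listed here.
    $broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

    $admins = Get-WmiObject -ComputerName $ProviderHost `
        -Namespace "root\SMS\site_$SiteCode" -Class SMS_Admin

    foreach ($a in $admins) {
        $isFull   = @($a.RoleNames) -contains 'Full Administrator'
        $allScope = @($a.CategoryNames) -contains 'All'
        $flag = ''
        if ($isFull -and $allScope -and $a.IsGroup) {
            # LogonName is DOMAIN\name; compare only the group name
            $name = ($a.LogonName -split '\\')[-1]
            if ($broadGroups -contains $name) {
                $flag = 'REVIEW: broad group holds Full Administrator in the All scope'
            }
        }
        [pscustomobject]@{
            Logon   = $a.LogonName
            IsGroup = [bool]$a.IsGroup
            Roles   = (@($a.RoleNames) -join ', ')
            Scopes  = (@($a.CategoryNames) -join ', ')
            Flag    = $flag
        }
    }
}

# Usage: list every administrative user with roles and scopes, flags first
Get-CMAdminAudit -SiteCode 'ABC' | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Querying SMS_Admin directly works on SCCM 2012 RTM as well as later releases that ship the ConfigurationManager PowerShell module; if you have that module, Get-CMAdministrativeUser returns the same information.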

We will not be addressing the Accounts and Certificates sections at this point. We’ll be moving on to the Site Configuration, where the first thing we will do is configure a security related item, the SCCM Agent account.

Navigate to Site Configuration > Sites. Right-click on the name of your site and select Client Installation Settings > Client Push Installation. On the General tab leave the defaults.

I highly recommend that you do not enable the “Enable automatic site-wide client push installation” checkbox.

The reason for this is that if you set certain properties in the Client Settings section, covered later in this guide, you could cause reboots of all of your production servers once the agent is pushed (or pulled via Group Policy, depending on your configuration). In almost every case, you will be integrating SCCM into your existing production environment, not vice-versa. Therefore we want to avoid any unintended consequences of this option. We System Administrators like our jobs and want to keep them, right?

image

Click on the Accounts tab. Click the starburst and select New user account. Here you will enter the AD user account domain\sccm.agent that we created in Part I. It should be a Domain Admin or a user account with local admin permissions on all servers where the SCCM agent will be installed. It is a good idea to use the Verify test option to confirm your username/password combination and permissions. Click Apply and close the Client Push Installation Properties.
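The Verify button tests one server at a time; before a wider push it helps to confirm the agent account actually sits in the local Administrators group on every target. The script below is an added example, not code from the original post: it enumerates the local Administrators group on each server through the WinNT ADSI provider and reports whether the push account is a direct member, and separately whether Domain Admins is present (the WinNT provider does not expand nested domain groups, so membership through Domain Admins has to be inferred). It assumes the servers accept SMB/RPC from the host you run it on, that the caller may read local group membership there, and that the server names are constructed placeholders.

```powershell
# Added example (not from the original post): confirm the client push account
# is a local administrator on each target server before pushing the agent.
# Assumptions: WinNT ADSI access to each server (SMB/RPC open); the caller can
# read local groups; server names are constructed placeholders.
function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/name; normalise to DOMAIN\name
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-PushAccountAdmin {
    param(
        [string]$PushAccount = 'domain\sccm.agent',
        [string[]]$Servers = @('server01', 'server02')   # constructed placeholders
    )
    $domain = ($PushAccount -split '\\')[0]
    foreach ($s in $Servers) {
        try {
            $members = @(Get-LocalAdminMembers -Computer $s)
            [pscustomobject]@{
                Server              = $s
                DirectAdmin         = ($members -contains $PushAccount)        # case-insensitive
                DomainAdminsPresent = ($members -contains "$domain\Domain Admins")
                Members             = ($members -join '; ')
            }
        } catch {
            # Unreachable host or access denied: surface it instead of silently skipping
            [pscustomobject]@{
                Server              = $s
                DirectAdmin         = $null
                DomainAdminsPresent = $null
                Members             = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: rows with DirectAdmin false and DomainAdminsPresent false will fail the push
Test-PushAccountAdmin -PushAccount 'domain\sccm.agent' -Servers @('server01', 'server02') |
    Format-Table Server, DirectAdmin, DomainAdminsPresent -AutoSize
```

Of the two options the post allows, a dedicated account granted local admin only on the managed servers keeps the exposure smaller than a Domain Admin account, since the password is stored by the site and used on every push.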

image

As a reminder, I highly recommend you have this password documented in a secure place. For enterprise secret management, I use Secret Server by Thycotic. It is a great product worth checking out, and they’ll enjoy some free product placement for me I suppose!

http://www.thycotic.com/products_secretserver_onlinestarted.html

For personal or small business use, you cannot go wrong with KeePass password management. I use this every day:

http://keepass.info/

Next, right-click on your site again and click Properties.


We will not be changing anything here, but here is a breakdown of the options, as you may or may not need to make some updates here depending on your configuration:

- General tab – Most of the important information about your Site. It includes the Type (Primary), the Parent site (if you are running a multi-site configuration), Version of SCCM, Build number, the Site Server name, the Installation directory for SCCM, the SQL Server Computer and the SMS Provider location.

- Wake On Lan tab – Here is where you can enable the WoL feature for your site.

- Ports tab – Here is where you can set custom ports for your HTTP, HTTPS, and WoL services. By default, 80, 443, and 9 are defined respectively.

- Sender tab – This is a feature of multiple sites.

- Publishing tab – Here is where, if you have multiple domains in your forest, you can choose which domains you will and will not Publish to.

- Client Computer Configuration tab – On this page you configure any SCCM site IIS server communications with clients, HTTPS only, or HTTPS and HTTP. Further, you can change the Trusted Root Certification Authority (or add another RootCA) and set advanced features on SCCM client certificates and toggle CRL checks on and off.

- Alerts tab – You can generate an alert when free disk space on the DB server is low. I have monitoring outside of SCCM that is already doing this. You may want to enable this if you do not have a similar service in place.

- Security tab – This is where we can see a list of Administrative users. By default, the only user added to SCCM is the user who installed the site server, and that is the only user who can log in. You’ll also see the Domain Admins group we added earlier if you are following along.

- Signing and Encryption tab – Here you configure signing and encryption requirements for clients. You can require signing, Require SHA-256, and Use encryption (3DES to encrypt inventory information sent to SCCM server). By default, none of these are checked and I will not be enabling these options. Depending on your environment, you may need to enable one or more of these options. Consult your IT Security Department if this is outside of your scope.

Before we configure the roles, there is one other item we need to address. Navigate to the Distribution Points object. Right-click on your SCCM server in the list and click Properties. You will need to select the Import certificate radio button. We exported this certificate in Part II. Browse to the cert and select it and enter the password and click Apply. Now our Distribution Point has the proper certificate associated within SCCM.

Next we’ll move on to Servers and Site System Roles. Here you will see both your SCCM and SQL servers. Before we begin this section, I’d like to reference the TechNet documentation on SCCM 2012 Roles. You can find what roles are allowed in any scenario:

http://technet.microsoft.com/en-us/library/gg712282.aspx

At this point, by default, your SCCM Primary Standalone configured server will have the following roles:

- Component Server
- Distribution Point
- Management Point
- Site Server
- Site System

Your SQL server will have the following roles:

- Component Server
- Site Database Server
- Site System

We will be adding more roles to each of these servers.

To the SCCM server we will be adding the following roles, for a total of 11 roles:

- Application Catalog Web Service Point
- Application Catalog Website Point
- Asset Intelligence Synchronization Point
- Endpoint Protection Point
- Fallback Status Point
- Software Update Point

To the SQL server we will be adding just the Reporting Services Point, for a total of 4 roles.

Let’s start with adding the roles to the SCCM server. First we will need to remove Configuration Manager from the Antimalware Policy Sources (otherwise this will be flagged during the Endpoint Protection Role installation). Navigate to the Assets and Compliance tab, then navigate to Endpoint Protection > Antimalware Policies. Right-click on the Default Client Antimalware Policy, and click Properties. Select Definition Updates section and then click the Set Source button, and then uncheck the Updates distributed from Configuration Manager option. We will change this later, but for now we only want to pull Endpoint Protection Updates from WSUS, MS Update, and MS MPC.

image

Head back over to Administration > Site Configuration > Servers and Site System Roles. Right-click on the SCCM server under the Servers and Site System Roles section and click Add Site System Roles. You’ll be prompted with the Add roles wizard:

Select the roles we discussed above for installation.
image

Leave default here.
image

Click the checkbox here, as this will be the active software update point. Also select the second radio button, as WSUS is on a custom site.
image

Synchronize from Microsoft, default.
image

Enable synchronization, every day.
image

Immediately expire superseded updates, default.
image

Make sure to select Definition Updates, if you are installing Endpoint Protection Manager.
image

Select the Products you need here.
image

Choose languages.
image

Leave default for FSP settings.
image

Leave defaults for Asset Intelligence.
image

Enter Proxy, if applicable.
image

Specify how often Asset Intelligence synchronization occurs.
image

Select HTTPS radio button, and leave other defaults as Application Catalog website will run under the default site.
image

Leave the defaults here; ensure your site server is selected, the NetBIOS name is the hostname of your SCCM server, and that HTTPS is selected.
image

Name your catalog and select a color.
image

Endpoint Protection, Accept the license agreement.
image

Choose your Microsoft Active Protection Service Membership.
image

Review the Summary and click Next for the installation of the roles to begin.
image

It should complete successfully.
image

Now if you right-click on the SCCM server and click Refresh, you will see all 11 roles installed. Next we will move on to installing the Reporting Services Point role on the SQL server.

Before we add the Reporting Services Point to our SQL server, we’ll need to configure the Report Services on our SQL server. RDP to the SQL Server, and click Start > Microsoft SQL Server 2008 R2 > Configuration Tools > Reporting Services Configuration Manager. At the Reporting Services Configuration Connection page click Connect.

image

Select the Service Account tab and enter the domain\sccm.service user account we created in Part I. Click Apply.
image

Then click the Web Service URL option, and set it like this:
image

Click the Database tab, and Change Database:
image

I changed the Report Server, but the default is fine.
image

Make sure to use the sccm.service account here.
image

Confirm all settings and finish out the wizard.
image

Now you’ll be back at the Database tab with your Report Database configured.
image

Confirm settings for Report Manager URL.
image

Set the SMTP settings.
image

Set the account settings as the sccm.service in the Execution Account tab. Apply the changes, go up to the top tab and STOP and then START the Report server. Then close Reporting Services Configuration Manager.

Now head back over to your SCCM server and we can install the Reporting Services Point for our SQL server. Go to the Administration tab, then navigate to Site Configuration > Servers and Site System Roles and then right-click the SQL Server and select Add Roles.

On the Add Site System Roles Wizard, select Reporting Services Point. It should auto-fill everything you need; click Verify, and once that completes, click the Set… button to set a user to connect to the Report Server. Use the domain\sccm.service account for this connection.

Once that is complete, navigate to the Monitoring tab. Then navigate to Overview > Reporting > Reports. After you click Reports wait for a bit as all the report templates are populated in the console:

image

At this point we have all of the roles that we need for our Configuration Manager environment installed. In the next part we will configure a few remaining pieces of the site, the SC Endpoint Protection Policy, and the SC Agent Policy.

Thanks for reading, hopefully you find this information helpful as you deploy your Configuration Manager environment.


  • Paul Drummond

    Gabe I have followed your instructions line by line word for word. I am trying to install SCCM 2012 Configuration Manager. I just can’t get SCCM to push the client to the computers.

    • Gabriel

      Hi Paul, I hope the guide has been helpful to this point. The first place I would check is on the target client. In the %WINDIR%/ccmsetup folder there is a log text file that may have your answer. Let me know what, if any error code is there. Further, if you don’t have a ccmsetup folder on the target, verify your communication between SCCM and the target, specifically firewall rules on host and any firewalls between. You can also try calling the SCCM install from the target server via file share to SCCM server or command line installation with parameters. Reply back with some info and I’ll do what I can to help.


      Gabe

      • Paul Drummond

        >
        <![LOG[Sending message header '{242208CB-AFFD-44AC-BF53-CACFA08C8C17}OSCARmp:[http]MP_LocationManagerdirect:OSCAR:LS_ReplyLocations36005931HTTPS://oscar.josimars.localMP_LocationManagerSynchttp2012-12-28T00:32:26Z’]LOG]!>

        >> Client selected the PKI Certificate [Thumbprint B12B1E49329F38BD797A8E4A8396D4D28D920C16] issued to ‘OSCAR.josimars.local’]LOG]!>

        Okay here is the ccmsetup.log from the SCCM server. I have the SCCM server and the database on the same machine. Is that a problem? This is how I had it in SCCM 07 and it worked fine. This is in the lab. We are testing it in the lab before we bring it in production. I turned off the firewall and at least I am getting it to identify the site code, however I can’t get it to push the client.

  • Paul Drummond

    As I indicated it was a firewall problem. Also there a few pointers that you missed in your article. Overall it was a fine article though

    • Gabriel

      Hi Paul, apologies for the delay. I’ve been on holiday and had some sickness at home, so I’ve been unable to look until now. Very glad that you were able to figure out your issue. You mention that there are some things missing, I’d love to have your feedback and I will update the article as necessary. Perhaps your experience and an update to the article may help others. Best of luck in your SCCM 2012 testing!

  • MarioTunes

    Hello Gabriel,

    I am going to install Reporting to the separate new SQL server. When I config new SQL using your instruction I can’t see “ConfigMgr SQL Server Identification Certificate”, but this certificate exist on my main SQL server.
    Should I export this certificate or it will be created automatically?

    Thank you

    • MarioTunes

      When I am trying to add new DB I got error “The specified database is not a Configuration manager database”

      • MarioTunes

        I have successfully installed Reporting Services on the new SQL server, but can’t see “Reports” under “Monitoring”.
        Thank you

        • Gabriel

          Hi Mario, recently I ran through the installation for SCCM 2012 SP1. It took a while for the reports to show up in the console. One thing you can check is go to http://server/Reports and see if you see the ConfigMgr_(SiteCodeHere) folder. If you do have any trouble and this does not show up for you, look for the srsrp.log file on your SQL server or check the component in the SCCM monitoring section. Good luck.


          Gabe
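Both of the log files Gabe points to in this thread, ccmsetup.log on the client (under %WINDIR%\ccmsetup) and srsrp.log on the reporting services point, use the CMTrace framing: each entry is `<![LOG[message]LOG]!>` followed by a tag carrying the time, date, component, severity type (1 info, 2 warning, 3 error) and thread. The script below is an added example, not code from the post, Microsoft or either commenter. It parses that framing, pulls out error entries and any HRESULT-style code in the message, and runs over a constructed sample in the same shape as the lines Paul pasted (the sample is not a real capture). It assumes the log follows the standard CMTrace tag order; the file path is supplied by the caller.

```powershell
# Added example (not from the original post): parse CMTrace-format logs such
# as ccmsetup.log or srsrp.log and surface error entries and HRESULT codes.
# Assumption: entries use the standard <![LOG[...]LOG]!><time=... date=...
# component=... context=... type=... thread=... file=...> framing.
function Get-CMTraceEntry {
    param([Parameter(Mandatory)][string]$Text)
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!>' +
               '<time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+' +
               'component="(?<comp>[^"]*)"\s+context="[^"]*"\s+' +
               'type="(?<type>\d)"\s+thread="(?<thread>\d+)"\s+file="(?<file>[^"]*)">'
    # Singleline: messages may span lines, so "." must match newlines too
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    foreach ($m in [regex]::Matches($Text, $pattern, $opts)) {
        $msg = $m.Groups['msg'].Value
        # HRESULT failure codes in these logs look like 0x8xxxxxxx
        $hr  = [regex]::Match($msg, '0x8[0-9A-Fa-f]{7}')
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Thread    = $m.Groups['thread'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            HResult   = if ($hr.Success) { $hr.Value } else { $null }
            Message   = $msg
        }
    }
}

function Get-CMTraceError {
    # Read a whole log file and keep only error entries or entries carrying an HRESULT
    param([Parameter(Mandatory)][string]$Path)
    Get-CMTraceEntry -Text (Get-Content -Path $Path -Raw) |
        Where-Object { $_.Severity -eq 'Error' -or $_.HResult }
}

# Constructed sample in the same framing as a real ccmsetup.log (not a real capture)
$sample = @'
<![LOG[Retrieved 1 MP records from AD for site 'ABC']LOG]!><time="00:32:26.100+000" date="12-28-2012" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:100">
<![LOG[Failed to download client files. Error 0x80072EE7]LOG]!><time="00:32:40.500+000" date="12-28-2012" component="ccmsetup" context="" type="3" thread="1234" file="ccmsetup.cpp:200">
'@

# Usage on the sample; for a real file: Get-CMTraceError -Path "$env:WINDIR\ccmsetup\ccmsetup.log"
Get-CMTraceEntry -Text $sample |
    Where-Object { $_.Severity -eq 'Error' -or $_.HResult } |
    Format-Table Date, Time, Component, Severity, HResult, Message -AutoSize
```

The same function reads srsrp.log unchanged, so the reporting-point troubleshooting Gabe describes (checking the component after the ConfigMgr_ folder fails to appear) can start from the error rows rather than the whole file.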

  • kate

    Hello there, I wanted to know if I can set my client agent push daily? If yes, how? thank you

    • Gabriel

      Hi, can you elaborate on the use case for this a bit? Your machines should all be checking in with SCCM at regular intervals for policy updates. You should enable automatic site-wide agent deployment if you are wanting to catch new builds.


      Gabe

      • kate

        Thank you Gabe for answering quickly.

        The first time I’ve run the client installation settings on my network, clients are successfully discovered. My client push installation setting is not enabled for automatic site-wide client push install… However, rather than automatic site-wide installation, I wanted to schedule it daily. Is it possible? Because I can’t find any setting for that in SCCM 2012. I hope you understand where I am going with this.

        Or is it okay to enable the automatic site-wide install?

        • Gabriel

          No problem Kate :)

          My understanding is that this is the intent of the Automatic Site-Wide installation. Just as I did in my deployment, just ensure you’ve got all your existing machines setup and in SCCM first. Then enable this to catch all new machines in AD. Preferably during an off hours time, just in case, though if you’ve done due diligence you are fine. I never check the include domain controllers box, I always want to manually push to DCs. Personal preference. Hope this helps.


          Gabe

          • kate

            Great! You are correct, I also don’t want to push client settings to DCs.

            Now my question is, how to set automatic site-wide installation on my specific time only, for example, during off hours only? Is it in the Client Settings? I’m sorry for these questions.

            Thank you so much, you are clearing my mind :)

          • Gabriel

            I believe this is tied to your Discovery of new computers. My discovery runs once daily at 12AM. I believe once a new computer is detected by SCCM, SCCM will initialize the attempt to push install the agent. So setting the discovery job would be the key here I believe.


            Gabe

  • James

    I have reporting set up (separate SQL box) and everything was working fine on my console installed on my Primary Site server. I could navigate to the web server for reporting using IE and within the console I could also display the list of reports. I moved along to the next step and installed a remote console on my laptop. Everything seemed to be fine until I went to look at the list of reports under the Monitoring tab. When I did there were no reports listed. I went into the Report Options and picked my SQL box from the drop-down but get an error that says there was a problem connecting to the specified reporting server. In our domain we have Windows Firewall turned off so it should not be a port issue. I am not sure where to go next with troubleshooting, help please?

    • Gabriel

      Hi James, apologies for some delay here. Hopefully you’ve been able to resolve this by now, if not…

      Triple-check that your Reporting instance is up and running and that the reports are accessible from the web interface locally and on your desktop as well. If not, perhaps restart the Reporting service on the SQL server and try again. Since you say there are no local firewalls enabled, that should not be an issue; however, I’d look again just to be sure. Make sure that the account you are using to connect to the Reporting service is not expired or locked out by chance. Take a look at the health of all your SCCM objects, Monitoring > System Status > Site Status. See if the Reporting Services Point is in a “Critical” state. Take a look at recent errors for clues. Also try to initiate the connection to the SQL reports again, then take a look at the local event log for the SQL server for any clues. Good luck, let me know how you get on.


      Gabe

  • Hamid

    Hi Gabe,
    I have SCCM 2012 and SQL 2012 everything the same as your instruction install site status all are green no error, but I don’t have ConfigMgr_SIT folder on my report server page and no items found on my Reports console.
    Also I could not find spsrp.log on my SQL server. please advise me.
    Hamid

    • Gabe

      Hi Hamid, to confirm you successfully installed the Reporting Services role on your remote SQL server? If so, did you configure reporting services on the remote SQL server? This is much more rare, but on your remote SQL instance, do you happen to be using SCOM on that instance? SCCM cannot share an instance with SCOM.

      I’d be interested in seeing your SQL server’s reporting configuration as that is most likely where your issue is from the info I have here.

      Thanks,

      Gabe

  • Hamid

    Reporting Services configuration installed as you can see in the screen shot, but the instance name maybe, because it is SCCM2K12.