It is assumed that the environment has a DC running and that you have a domain-joined Server 2016 machine on which the SCCM server will be installed.
Make sure the servers are fully patched.
A tool is available which automates the prereq installs; it is linked at the end of this page.
Have access to the Server 2016 setup files.
Logon to the server with a domain admin account.
Create 7 drives and attach to VM in Hyper-V – This can be done while the VM is running:
D: – SCCM_Install – 50GB
E: – SCCM_SQL_MDF – 75GB
F: – SCCM_SQL_LDF – 25GB
G: – SQL_TempDB – 25GB
H: – SQL_WSUS_Database – 25GB
I: – SCCM_Application_Sources – 500GB
J: – SCCM_ContentLibrary – 500GB
Once attached go to disk manager on the VM > Set all to Online and Initialise > Format and set drive letters.
Copy the file ‘no_sms_on_drive.sms’ to all drives, including C:, except the ContentLibrary drive J:
On D: drive create folder called: Microsoft Configuration Manager
On the 4x DB Drives create a folder called Database
On the ContentLibrary drive create a folder called: WSUS
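The drive preparation above can also be scripted. This is an added example, not part of the original guide; it assumes the seven new disks are the only uninitialised (RAW) disks on the VM, that they were attached in the order listed, that letters D to J are free, and that the marker file is an empty file.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell session.
# Assumptions: the 7 new disks are the only RAW disks, attached in this order; D-J are unused.
$layout = [ordered]@{
    D = 'SCCM_Install'
    E = 'SCCM_SQL_MDF'
    F = 'SCCM_SQL_LDF'
    G = 'SQL_TempDB'
    H = 'SQL_WSUS_Database'
    I = 'SCCM_Application_Sources'
    J = 'SCCM_ContentLibrary'
}

$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Sort-Object Number)
if ($raw.Count -ne $layout.Count) {
    # Refuse to guess which disk is which: stop before touching anything
    throw "Expected $($layout.Count) uninitialised disks, found $($raw.Count). Nothing was changed."
}

$i = 0
foreach ($letter in $layout.Keys) {
    $disk = $raw[$i++]
    if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline  $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $disk.Number -DriveLetter $letter -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $layout[$letter] -Confirm:$false |
        Out-Null
}

# Folders used later in the guide
New-Item -ItemType Directory -Path 'D:\Microsoft Configuration Manager' -Force | Out-Null
'E', 'F', 'G', 'H' | ForEach-Object {
    New-Item -ItemType Directory -Path "$($_):\Database" -Force | Out-Null
}
New-Item -ItemType Directory -Path 'J:\WSUS' -Force | Out-Null

# Marker file on every drive including C:, but not on the ContentLibrary drive J:
'C', 'D', 'E', 'F', 'G', 'H', 'I' | ForEach-Object {
    New-Item -ItemType File -Path "$($_):\no_sms_on_drive.sms" -Force | Out-Null
}

# Review the result
Get-Volume | Where-Object DriveLetter | Sort-Object DriveLetter |
    Select-Object DriveLetter, FileSystemLabel, Size
```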
Unpack Config Manager Package: SC_Configmgr_SCEP_1802
It has happened to me a few times that prereqs have not installed properly, which then causes problems right at the end of the installation. To avoid this I run the prereq checker first, as recommended by Microsoft, then again later before the final SCCM install to make sure all prereqs are installed properly.
Run SCCM Prerequisite checker first. This can take a while to load but it’s worth it. This is also a good way of checking exactly what needs to be installed on the server you are installing on.
Open CMD Admin > Browse to SCCM 1802 Setup Files\SC_Configmgr_SCEP_1802\SMSSETUP\BIN\X64\ > prereqchk.exe /local
Once the prereq window finishes loading you can review the warnings and missing components.
Browse in cmd to this path: SC_Configmgr_SCEP_1802\SMSSETUP\TOOLS
Copy cmtrace.exe from the above path to the root of C:\ – run cmd: copy cmtrace.exe c:\
Now you can open the ConfigMgrPrereq log file from the root of C:\, refer back to what needs to be installed and compare it to the prereq check later on.
Open CMTrace.exe on C drive and open the ConfigMgrPrereq log file. You should see missing components and warnings highlighted in red and yellow.
On the DC > Open ADSI Edit > click action > connect to > click ok to open the current domain > browse to CN=System > right click new object > select container > Enter name: System Management > click finish > right click properties of the container > security tab > advanced > add > select principal > object types > computers > type in sccm (name of sccm server) > ok > set dropdowns to Allow and This object and all descendant objects > tick box full control > click ok > apply, ok, ok.
Run the following PS cmdlet to install IIS, BITS and RDC (set source to server 2016 disc drive):
Install-WindowsFeature -Source z:\sources\sxs Web-Static-Content,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Redirect,Web-Net-Ext,Web-ISAPI-Ext,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,BITS,RDC
Install SQL Server 2017
Create domain service account for SQL in AD. In Managed Service Accounts > Create account SCCM_SQL and set password.
Create a SQL Admins Group in AD: SCCM_SQL_FullAdmins
Add SCCM_SQL account to the above group.
It is best practice to install and run SQL Server under a domain service account.
Create a service principal name within Active Directory for the service account that this service is going to run under.
Type cmd in search > Shift right click > run as different user – use domain admin login to run cmd
Enter the following:
setspn -A MSSQLSvc/SCCM:1433 VMLAB\SCCM_SQL
setspn -A MSSQLSvc/SCCM.vmlab.local:1433 VMLAB\SCCM_SQL
Add Firewall Rules > Open Firewall > New Inbound Rule > Ports > Specific ports > 1433, 4022 > allow > select domain only > Name: SQL > finish
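The SPN registration and firewall rule above, scripted with verification. This is an added example, not part of the original guide; it uses setspn -S (which registers the SPN like -A but first checks that no other account already holds it), and it assumes the ActiveDirectory module is installed and that the rule is for TCP, which the guide does not state.

```powershell
# Added example (not from the original guide).
# Run in an elevated session as a domain admin on the SCCM server.
Import-Module ActiveDirectory   # assumption: RSAT AD PowerShell module is installed

$account = 'VMLAB\SCCM_SQL'
$spns    = 'MSSQLSvc/SCCM:1433', 'MSSQLSvc/SCCM.vmlab.local:1433'

foreach ($spn in $spns) {
    # -S refuses to register an SPN that is already held by another account
    setspn -S $spn $account
}

# Confirm both SPNs are on the service account ...
$registered = (Get-ADUser -Identity 'SCCM_SQL' -Properties ServicePrincipalName).ServicePrincipalName
$missing = $spns | Where-Object { $_ -notin $registered }
if ($missing) { Write-Warning "SPN not registered: $($missing -join ', ')" }

# ... and on no other object (a duplicate SPN breaks Kerberos authentication to SQL)
foreach ($spn in $spns) {
    $holders = @(Get-ADObject -Filter "ServicePrincipalName -eq '$spn'")
    if ($holders.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn on: $($holders.Name -join ', ')"
    }
}

# Inbound rule "SQL": ports 1433 and 4022, domain profile only
# Assumption: TCP (the default protocol in the New Inbound Rule wizard)
if (-not (Get-NetFirewallRule -DisplayName 'SQL' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SQL' -Direction Inbound -Protocol TCP `
        -LocalPort 1433, 4022 -Profile Domain -Action Allow | Out-Null
}

# Review what is actually in place
Get-NetFirewallRule -DisplayName 'SQL' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
Get-NetFirewallRule -DisplayName 'SQL' | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```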
Run extadsch.exe to extend the schema. Check log file in root of C to see if it was successful: ExtADSch.log
Start the install of SQL Server 2017 by running setup.exe
Installation > New SQL Standalone installation > default for updates leave unticked > tick Database Engine Services only > Instance Name leave as default: MSSQLSERVER >
Set SQL Server Agent account name and password VMLAB\SCCM_SQL – Startup type automatic
Set SQL Server Database Engine account name and password VMLAB\SCCM_SQL
Click on Collation tab > Set to SQL_Latin1_General_CP1_CI_AS
Server login accounts add current user and add domain group VMLAB\SCCM_SQL_FullAdmins
TempDB Tab > Set No. of files to 8 > Set Data Directory to G:\Database > TempDB Datafile Autogrowth 256MB > TempDB Logfile Autogrowth 256MB > Click Next > Click Install. Check TempDB drive should now have files there in the database folder.
Install SQL Reporting Services use all defaults > Click close once it has installed.
Install SQL Server Management Studio
Install SQL 2017 Latest Cumulative Update: SQLServer2017-KB4229789-x64.exe
During the check for running files, stop any processes it reports as running, then re-run the check.
Start SQL Management Studio > Login > Right click the DB > Properties > Memory > Set Min to 8192 and Max to 12288 (This is based on my own environment as I currently have only 16GB RAM available in total on the server) > Save settings
Install Server Role Windows Software Update Services (WSUS) > Select defaults > On Role Services Page > Untick WID Connectivity and Tick SQL Server Connectivity > Store updates in this path J:\WSUS (ContentLibrary Drive) > Specify sccm.vmlab.local as the existing db server > check connection, ok > click Install > run post install task in server manager notifications > this automatically creates the WSUS DB and files on J drive.
Increase queue length and memory on IIS for our WSUS app service (This is for better performance)
Search for IIS > SCCM > Application Pools > WsusPool > right click advanced settings > set queue length to 2000 > mem limit x4 to 7272076 > click ok then right click WsusPool > Stop > then stop the WSUS Service
Change default path for WSUS DB > Open SQL MS > Databases > right click SUSDB properties > Files > Copy path into explorer > click ok > Right click SUSDB > Tasks > Detach > Tick Drop Connection > OK > Go to folder path above and cut SUSDB and SUSDB_log files and paste into the WSUS DB Disk H:\Database
Right click Databases in SQL MS > Attach DB > Browse to H:\Database and select SUSDB.mdf > click ok > right click SUSDB properties > Check and the file paths should be correct.
Start the WSUS Service and the IIS App Pool for WSUS.
Install Offline ADK > Select Deployment Tools, WinPE, USMT > Install
Precreate DBs for SCCM
In SQL MS > Right click Databases > New DB > DB Name CM_PR1 > Owner: sa > Click Add 3 times > Name the 4 data files: CM_PR1_1, CM_PR1_2, CM_PR1_3, CM_PR1_4 > We want the initial DB size to be 1GB, so set Initial size to 256MB on each of the files > For log file CM_PR1_log set initial size 512MB > Set autogrowth to 128MB on the 4 data files and 256MB on the log file > change the path for the MDF DB files to E:\Database and the log file path to F:\Database > Click options tab on the left > Set recovery model to Simple > click ok to create the data files and log file > check the paths contain the new files.
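The same database can be pre-created with T-SQL instead of the New Database dialog, which makes the sizes, paths and recovery model reviewable. This is an added example, not part of the original guide; it assumes the SqlServer PowerShell module is installed, that you run it as a member of VMLAB\SCCM_SQL_FullAdmins against the default instance on SCCM, and the physical file names (.mdf/.ndf/.ldf) are illustrative.

```powershell
# Added example (not from the original guide).
# Assumptions: SqlServer module is installed (provides Invoke-Sqlcmd);
# physical file names below are illustrative, the guide only fixes the logical names.
Import-Module SqlServer

$createDb = @'
CREATE DATABASE CM_PR1
ON PRIMARY
    (NAME = CM_PR1_1, FILENAME = 'E:\Database\CM_PR1_1.mdf', SIZE = 256MB, FILEGROWTH = 128MB),
    (NAME = CM_PR1_2, FILENAME = 'E:\Database\CM_PR1_2.ndf', SIZE = 256MB, FILEGROWTH = 128MB),
    (NAME = CM_PR1_3, FILENAME = 'E:\Database\CM_PR1_3.ndf', SIZE = 256MB, FILEGROWTH = 128MB),
    (NAME = CM_PR1_4, FILENAME = 'E:\Database\CM_PR1_4.ndf', SIZE = 256MB, FILEGROWTH = 128MB)
LOG ON
    (NAME = CM_PR1_log, FILENAME = 'F:\Database\CM_PR1_log.ldf', SIZE = 512MB, FILEGROWTH = 256MB)
COLLATE SQL_Latin1_General_CP1_CI_AS;
GO
ALTER DATABASE CM_PR1 SET RECOVERY SIMPLE;
GO
ALTER AUTHORIZATION ON DATABASE::CM_PR1 TO sa;
GO
'@

Invoke-Sqlcmd -ServerInstance 'SCCM' -Query $createDb

# Verify: 4 data files on E:, 1 log file on F:, sizes and growth in MB
$verify = @'
SELECT d.name            AS database_name,
       d.recovery_model_desc,
       d.collation_name,
       f.name            AS logical_name,
       f.type_desc,
       f.physical_name,
       f.size   * 8 / 1024 AS size_mb,
       f.growth * 8 / 1024 AS growth_mb
FROM sys.master_files AS f
JOIN sys.databases    AS d ON d.database_id = f.database_id
WHERE d.name = 'CM_PR1'
ORDER BY f.type_desc DESC, f.name;
'@

Invoke-Sqlcmd -ServerInstance 'SCCM' -Query $verify | Format-Table -AutoSize
```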
Run the prereqs using the tool mentioned at start of this page. There should only be a SQL Mem warning which can be ignored as the min is already set to 8192MB.
Install SCCM 1802
Run splash.hta in SC_Configmgr_SCEP_1802 > Click Install > Click Evaluation > Use previously downloaded prerequisite files, specify path > click next > Enter unique site code: PR1, Site name: VMLAB Headquarters Site, Install folder: D:\Microsoft Configuration Manager > Select standalone primary site > click next, next > Enter path for SQL Data file and Log file E:\Database and F:\Database > Click next, next > Select Configure the comms method on each site system role > Click next, next, next, next, next > The prereq check is performed, fix any issues then begin install > Open C:\ConfigMgrSetup.log file with cmtrace.exe to view install process running.
The core components will be finished but in the background other components will still be installing.
Run the SCCM Console to test.
Component installation can be seen in the background by viewing the log file here:
D:\Microsoft Configuration Manager\Logs\sitecomp.log
Open SCCM Console > Monitoring > System Status > Site Status > Make sure all the status are ok
To enable reporting services point we need to configure reporting services
Start Reporting Services Configuration Manager > Click Connect > Web Service URL > Name Virtual Directory: ReportServer > Click Apply
Database > Change Database > Create New report server database > Test Connection, Next > Next, Next, Finish
Web Portal URL > Set virtual directory to: Reports > Click Apply > Click Exit
SCCM Console > Administration > Site configuration > Servers and Site System Roles > right click server > add site system role > Next, next > Tick Endpoint protection, Fallback status point, software update point > next > choose 8530 port for 2012 or newer > next, next, next > sync schedule set to custom recur 1 day at 12am > next > select immediately expire a superseded sw update, tick box: Run WSUS cleanup wizard > next select Critical updates, definition updates, updates, upgrades > ok, next > select all products then untick all products as some are randomly selected, select windows 7, (Server 2016 and Win10 not appearing as we need to update catalog) click next > untick all other language boxes and leave both english boxes only > next > click verify, click set: new account, browse, add SCCM_SQL account, type password click ok >
Tick box endpoint protection license, next > cloud service select do not join or basic > next, close.
View sitecomp.log to see components installing in the background: D:\Microsoft Configuration Manager\Logs\sitecomp.log – This shows the management point and reporting point installed.
Other logs to check are SUPSetup.log which shows SW update point was setup.
Verify we can connect to WSUS view the WCM.log (WSUS Control Manager). Earlier in the setup we did not see Win 10 or Win Server 16 as options as WSUS had not run. These should now be available.
srsrp.log – Used for uploading reports. This did not work when accessing the report server url from the log. I had to start the SQLServerReportingServices Service.
fspmgr.log – Verify Fallback status point was installed.
Configure accounts needed in SCCM
Client Push Account – Used for pushing client out
You can right click a device and click install client or set to automatic below.
Create SCCM_PUSH Service Account in AD (set pass never expires)
Open CM Console > Administration, Site Configuration, Sites, right click the site, Client installation settings > Client push installation > Enable site wide automatic installation (this will auto install client on all computers automatically) > accounts tab > click new account > add SCCM_PUSH Account, enter pass and click ok, apply, ok.
Set up the network access account for machines that are not joined to the domain or are part of a workgroup; it is also used for OS Deployment. It is used to connect to the DP to get content and request policies.
On the top ribbon click > configure site components > sw distribution > click tab network access account > add new account and select SCCM_NAA domain service account, enter password and click ok, apply ok.
Client Push account will need some settings on the Client side. This will need to be a local administrator to be able to install the client.
Enable group policy > Open group policy management console > expand domain vmlab.local > create the following OUs:
Managed > Within this: Groups, Servers, Service Accounts, Users, Workstations (Sub OU: SCCM-Site-PR1-Workstations)
Note: Creating the above OUs will also make them appear under AD Users and Computers. Move the servers, workstations and service accounts to the corresponding folders.
Browse to Managed, Workstations, SCCM-Site-PR1-Workstations > Create new GPO under here called SCCM Settings, click ok > Right click edit policy > browse to Computer config > Preferences > control panel > local users and groups > create new group > choose update, group name: administrators > click add, SCCM_PUSH account, apply, ok. (This policy will apply to any machine that is in this OU). Here it is scoped specifically at the OU level, but this client push policy can also be set at the top domain level if required.
Edit Firewall Settings (We need to be able to connect from SCCM Site server to the remote machine. This will allow us to connect and deploy the client remotely)
Edit the same policy as above > computer configuration > policies > windows settings > security settings > windows firewall > inbound rule > right click new > predefined, select WMI > next, allow > finish
New inbound rule > predefined > file and printer sharing > next, allow > finish.
Boundaries represent a location on the network to tell clients where to get content and what site to assign to > Options for boundaries include: Subnet, AD Site name, IPv6 Prefix or IP Address Range.
In previous SCCM versions some boundary types were recommended and others had issues, such as IP Range having a performance impact. In the current version these issues no longer exist, so you should use the boundary type based on your needs with the least number of boundaries.
CM Console > Administration > Hierarchy Configuration > Boundaries > Right click Create Boundary > IP Address Range > Label as Lab IP Range and set range as 192.168.10.1 to 192.168.10.255 click apply ok. Any computers that are in this range will match this boundary.
Boundaries don’t do anything by themselves; they need to be added to a boundary group. Boundary groups control how clients locate content from DP/MP and determine their site assignment.
New Boundary Group > Name: Lab IP Range – DP to SCCM1 > Add existing boundary ip range already created > click references tab > site systems add SCCM server. (So clients in this ip range will get their content from this SCCM server). For remote locations you would set clients on that subnet or ip range to get content from their local DP which is local to them.
Create a new boundary group for Site Assignment. It’s good to split out boundaries for content and site assignment.
Name: Site Assignment for PR1 > add the IP Range > Click references tab and tick box ‘Use this boundary group for site assignment’. > click apply, ok
Configure discovery methods to discover clients within the site
Discovery Methods > AD System discovery > Properties > Tick enable > specify the path for discovery, either the whole domain or the specific OU created: Managed/Workstations/SCCM-Site-PR1-Workstations > tick box recursively search AD child containers > Polling schedule tab, for lab just set to every 1 day at 12am > Options tab can be set to not discover computers that are not on the domain or have not logged on for a while (stale accounts). Leave this as it is for now.
View log > D:\Microsoft Configuration Manager\Logs\adsysdis.log
You can now view any discovered devices under devices in CM Console.
Also Device Collections > All Systems will display the computers. If not you can right click device collections > update membership this will refresh the systems.
The client will be assigned to the site specified in the boundary group as it was in the IP range. The auto push client install would happen after discovery and if the installation is set to auto.
Setup some basic policies
CM Console > Admin > Overview > Client settings > Usually you would leave the default setting and create a custom set.
Click on ribbon Create custom device setting > Name: Lab Default Settings > client policy change time to 15 mins as we are in lab (for large environments leave as 60 mins min) > Tick sw center (allows client to see which apps are available) > click yes in dropdown > set company name and logo and bg color
Tick box endpoint protection agent > leave these as defaults. Tick box Computer Agent > Enter company name in box > deployment deadline less than 1hr set to remind 5 mins > click ok.
These custom policies need to be deployed to a collection > right click deploy > all desktop and server clients > click ok. (The policy with the lowest priority number, e.g. 1, will take precedence if there are any conflicting policies going to a device.)
On the client machine > Join domain, enable network discovery and file/printer sharing > Move the computer in AD to the correct OU Container for SCCM > Restart Machine > Logon to client with domain account and check local users and groups > open administrators group > verify SCCM_PUSH account appears.
In CM Console > Devices > All Systems > Right click VM and Install Client (You can also right click the collection to install on all devices in the collection) > Click install client from specific site: PR1 > click ok to install. Open ccm.log client configuration manager log to view installation.
In the ccm.log it shows the client being copied to: \\Win10Host1.vmlab.local\admin$
Browse to this path remotely from the same SCCM Server > go into this folder: \ccmsetup\Logs\ and open ccmsetup.log. This will show the client being installed. The log file should say at the end exit code 0 which means it was successful.
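Instead of reading ccmsetup.log by eye, the CMTrace line format can be parsed to pull out the final exit code and any warning or error entries (the ones CMTrace shows in yellow and red). This is an added example, not part of the original guide; the sample lines are constructed, and the "return code" message wording and single-line entries are assumptions about the log.

```powershell
# Added example (not from the original guide).
# Constructed sample lines in CMTrace format; they are not from a real client.
$sample = @'
<![LOG[Starting client installation]LOG]!><time="10:01:12.345+000" date="06-01-2018" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:100">
<![LOG[Retrying download of prerequisite file]LOG]!><time="10:01:40.002+000" date="06-01-2018" component="ccmsetup" context="" type="2" thread="1234" file="ccmsetup.cpp:200">
<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="10:09:03.771+000" date="06-01-2018" component="ccmsetup" context="" type="1" thread="1234" file="ccmsetup.cpp:300">
'@ -split "`r?`n"

function ConvertFrom-CMTraceLine {
    param([string]$Line)
    $rx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
          'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    if ($Line -match $rx) {
        [pscustomobject]@{
            Date      = $Matches.date
            Time      = $Matches.time
            Component = $Matches.comp
            # type 1/2/3 is what CMTrace renders as normal / yellow / red
            Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
            Message   = $Matches.msg
        }
    }
}

function Get-CcmSetupResult {
    param([string[]]$Lines)
    $entries = @($Lines | ForEach-Object { ConvertFrom-CMTraceLine $_ })
    # Assumption: the final status line contains "return code <n>"
    $last = $entries | Where-Object { $_.Message -match 'return code \d+' } |
            Select-Object -Last 1
    $code = if ($last) { [int][regex]::Match($last.Message, 'return code (\d+)').Groups[1].Value }
            else { $null }
    [pscustomobject]@{
        ReturnCode = $code
        Succeeded  = ($code -eq 0)
        Problems   = @($entries | Where-Object { $_.Severity -ne 'Info' })
    }
}

$result = Get-CcmSetupResult -Lines $sample
$result | Select-Object ReturnCode, Succeeded
$result.Problems | Format-Table Date, Time, Severity, Message -AutoSize

# Against the real client from this guide:
# Get-CcmSetupResult (Get-Content '\\Win10Host1.vmlab.local\admin$\ccmsetup\Logs\ccmsetup.log')
```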
Go to WCM.log on sccm server. This shows WSUS Configuration and you should see WSUS sync taking place and configuration successful.
Open CM Console > Administration > Site configuration > sites > right click site > config site components, sw update point > products tab you should now see all the new products such as Win 10 and Server 2016 > tick these 2 OSs and untick Win 7 > apply, ok
Click SW Library > SW Updates > All SW Updates > Click Sync SW Updates at the top
On client machine > go to control panel > Configuration manager > click actions > machine policy retrieval and eval cycle, run now > click hardware inventory cycle, run now. (The HW inventory cycle might not appear straight away depends on the timings that are setup).
CM Console > Refresh devices you should see a green tick to show the Win10 machine has the client installed. > right click start resource explorer > hardware > should display hardware of device. Installed Apps x86/x64 is useful to look at. Reports bring in data from this section.
Test Reports are working
CM Console > Monitoring > Reporting > Reports (This was blank, I had to start the SQL Server Reporting Service) > Run the report: Client Push installation status summary for specified site > click date range value All, site code PR1 > View report should show 1 install completed.
Verify SW Update point sync worked
Open wsyncmgr.log – This sync can take quite a long time. Failed so had to start the WSUS service which was not running then it started Syncing ok.
When installing a new site use a baseline install of the latest SCCM. If already installed use the in-console updates to install the latest SCCM version.
SCCM 2012 cannot deploy Windows 10; use 2016 or later.
Install SCCM 1802 – https://www.youtube.com/watch?v=amrg_mlFvuk
Checklist for installing 1802 – https://docs.microsoft.com/en-us/sccm/core/servers/manage/checklist-for-installing-update-1802
SQL 2017 Latest Cumulative Update – https://www.microsoft.com/en-us/download/details.aspx?id=56128
SQL Collation alternative fix – https://sysmanrec.com/sccm-prereq-check-common-warnings-errors-fix
ConfigMgr Prereq auto Install tool – https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd/view/Discussions#content
What's new in 1802 – https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1802
Setup your SCCM Lab – https://docs.microsoft.com/en-us/sccm/core/get-started/set-up-your-lab
Setup file downloader for current SCCM setup files – https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/setup-downloader
Prerequisite checker and commandline options – https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/prerequisite-checker