How to Set Up System Center Configuration Manager on Windows Server 2016

How to Configure Windows Server 2016 Configuration Manager

System Center Configuration Manager (SCCM), also known as ConfigMgr or now Microsoft Endpoint Configuration Manager, is the enterprise-grade solution for managing large fleets of Windows servers and workstations. SCCM handles operating system deployment, software distribution, patch management, hardware and software inventory, compliance settings, and endpoint protection from a single administrative console. Deploying SCCM on Windows Server 2016 gives IT teams the tools needed to maintain consistent, compliant, and up-to-date computing environments at scale. This tutorial covers installing a standalone primary site, configuring discovery methods, deploying the SCCM client, distributing software, and setting up software update points.

Prerequisites

You need a Windows Server 2016 server with at least 8 GB of RAM and 100 GB of disk space, SQL Server 2016 with the Database Engine and Full-Text Search features installed, Active Directory schema extended for SCCM, a service account (svc-sccm) with local admin and SQL sysadmin rights, and the SCCM 2016 installation media. Extend the Active Directory schema before installation using the extadsch.exe tool from the SCCM media.

# Extend Active Directory schema (run as Enterprise Admin)
D:SMSSETUPBINX64extadsch.exe

# Create the System Management container in AD if it doesn't exist
$adsi = [ADSI]"LDAP://CN=System,DC=corp,DC=local"
$container = $adsi.Create("Container","CN=System Management")
$container.SetInfo()

# Grant the SCCM computer account Full Control on the System Management container
# (do this through ADSI Edit or via PowerShell)
$acl = Get-Acl "AD:CN=System Management,CN=System,DC=corp,DC=local"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    ([System.Security.Principal.NTAccount]"CORPSCCM01$"), `
    "GenericAll", "Allow", "All", [System.Guid]::Empty
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl "AD:CN=System Management,CN=System,DC=corp,DC=local"

Step 1: Install Required Windows Features

SCCM requires numerous Windows features on the site server. Install them before running the SCCM setup wizard.

Install-WindowsFeature `
    NET-Framework-Features, `
    NET-Framework-45-Features, `
    RDC, `
    BITS, `
    Web-Server, `
    Web-WebServer, `
    Web-Common-Http, `
    Web-Default-Doc, `
    Web-Dir-Browsing, `
    Web-Http-Errors, `
    Web-Static-Content, `
    Web-Http-Redirect, `
    Web-DAV-Publishing, `
    Web-Health, `
    Web-Http-Logging, `
    Web-Log-Libraries, `
    Web-Request-Monitor, `
    Web-Http-Tracing, `
    Web-Performance, `
    Web-Stat-Compression, `
    Web-Security, `
    Web-Filtering, `
    Web-Basic-Auth, `
    Web-Windows-Auth, `
    Web-App-Dev, `
    Web-Net-Ext, `
    Web-Net-Ext45, `
    Web-Asp-Net, `
    Web-Asp-Net45, `
    Web-ISAPI-Ext, `
    Web-ISAPI-Filter, `
    Web-Mgmt-Console `
    -IncludeManagementTools -Restart

Step 2: Install SCCM Primary Site

Run the SCCM Setup Wizard from the installation media. Choose Install a Configuration Manager primary site. Enter the site code (three characters), site name, SQL Server instance, and service account credentials. The wizard validates prerequisites before proceeding with installation. Allow 30 to 60 minutes for setup to complete.

# Unattended installation using a script file
D:SMSSETUPBINX64Setup.exe /SCRIPT C:SCCMSetupConfigMgr.ini

A sample ConfigMgr.ini for an unattended install looks like the following. Create this file before running the command above.

[Identification]
Action=InstallPrimarySite

[Options]
ProductID=EVAL
SiteCode=P01
SiteName=Corp Primary Site
SMSInstallDir=C:Program FilesMicrosoft Configuration Manager
SDKServer=SCCM01.corp.local
RoleCommunicationProtocol=HTTPorHTTPS
ClientsUsePKICertificate=0
MobileDeviceLanguage=0
ManagementPoint=SCCM01.corp.local
ManagementPointProtocol=HTTP
DistributionPoint=SCCM01.corp.local
DistributionPointProtocol=HTTP
DistributionPointInstallIIS=1
AdminConsole=1
JoinCEIP=0

[SQLConfigOptions]
SQLServerName=SQL01.corp.local
DatabaseName=CM_P01
SQLSSBPort=4022

[CloudConnectorOptions]
CloudConnector=1
CloudConnectorServer=SCCM01.corp.local
UseProxy=0

Step 3: Configure Discovery Methods

SCCM discovers resources such as computers, users, and groups using discovery methods. Enable Active Directory System Discovery and Active Directory User Discovery to populate the SCCM database with managed resources.

# Use the ConfigMgr PowerShell module (available after console install)
Import-Module 'C:Program Files (x86)Microsoft Configuration ManagerAdminConsolebinConfigurationManager.psd1'

$siteCode = 'P01'
$siteServer = 'SCCM01'

Set-Location "$siteCode`:"

# Enable Active Directory System Discovery
Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery -SiteCode $siteCode `
    -Enabled $true `
    -ActiveDirectoryContainer "LDAP://DC=corp,DC=local" `
    -Recurse $true `
    -ScheduleInterval Days -ScheduleCount 1

Step 4: Create Boundaries and Boundary Groups

Boundaries define the network ranges or Active Directory sites where SCCM clients can be located. Boundary groups associate boundaries with site system servers so clients know which management point and distribution point to use.

Set-Location "$siteCode`:"

# Create an IP subnet boundary
New-CMBoundary -Name 'HQ Subnet' -Type IPSubnet -Value '192.168.1.0/24'

# Create a boundary group and add the boundary to it
New-CMBoundaryGroup -Name 'HQ Boundary Group'
Add-CMBoundaryToGroup -BoundaryName 'HQ Subnet' -BoundaryGroupName 'HQ Boundary Group'

# Set the site system for the boundary group
Set-CMBoundaryGroup -Name 'HQ Boundary Group' `
    -DefaultSiteCode $siteCode `
    -AddSiteSystemServer 'SCCM01.corp.local'

Step 5: Deploy the SCCM Client

Push the Configuration Manager client to discovered computers using Client Push Installation. Alternatively, deploy the client via Group Policy or a startup script for environments where push installation is not suitable.

# Configure Client Push settings
Set-CMClientPushInstallation -SiteCode $siteCode `
    -EnableAutomaticClientPushInstallation $true `
    -InstallClientToDomainController $false `
    -EnableSystemTypeConfigurationManager $true `
    -EnableSystemTypeServer $true `
    -EnableSystemTypeWorkstation $true

# Initiate client push to a specific collection
Invoke-CMClientOperationSummarizer -CollectionId 'SMS00001'

Step 6: Create Device Collections

Collections are the fundamental targeting mechanism in SCCM for deployments and compliance policies. Create collections based on AD organizational units, query rules, or direct membership.

# Create a collection based on an AD OU
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
New-CMDeviceCollection -Name 'All Windows Server 2016' `
    -LimitingCollectionName 'All Systems' `
    -RefreshSchedule $schedule `
    -RefreshType Periodic

# Add a query rule to the collection
Add-CMDeviceCollectionQueryMembershipRule `
    -CollectionName 'All Windows Server 2016' `
    -QueryExpression "select SMS_R_System.ResourceId from SMS_R_System
        inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
        where SMS_G_System_OPERATING_SYSTEM.Caption like '%Windows Server 2016%'" `
    -RuleName 'WS2016 Query'

Step 7: Configure a Software Update Point

The Software Update Point (SUP) integrates SCCM with WSUS to provide centralized patch management. Install the SUP role on a server with WSUS already installed.

# Add the Software Update Point site system role
Add-CMSoftwareUpdatePoint -SiteCode $siteCode `
    -SiteSystemServerName 'SCCM01.corp.local' `
    -WsusIisPort 8530 `
    -WsusIisSslPort 8531 `
    -UseProxy $false `
    -ClientConnectionType IntranetOnly

# Synchronize the SUP immediately
Sync-CMSoftwareUpdate -SiteCode $siteCode

Step 8: Deploy Software to a Collection

Create an application or package and deploy it to a device collection. The following example deploys a simple MSI application.

# Create an application from an MSI
New-CMApplication -Name 'Notepad++' -SoftwareVersion '8.6' -Publisher 'Notepad++ Team'

Add-CMMsiDeploymentType -ApplicationName 'Notepad++' `
    -DeploymentTypeName 'Notepad++ MSI' `
    -InstallCommand 'npp.8.6.Installer.x64.exe /S' `
    -ContentLocation '\SCCM01SourcesAppsNotepadPP' `
    -EstimatedRuntimeMins 5 `
    -MaximumRuntimeMins 30

# Deploy the application to a collection
Start-CMApplicationDeployment `
    -ApplicationName 'Notepad++' `
    -CollectionName 'All Windows Server 2016' `
    -DeployAction Install `
    -DeployPurpose Required `
    -UserNotification DisplaySoftwareCenterOnly

System Center Configuration Manager on Windows Server 2016 is a powerful tool for maintaining control over large Windows environments. This guide covered site installation, discovery methods, boundary configuration, client deployment, collection management, software update integration, and application deployment. As your environment matures, explore additional SCCM capabilities such as OS deployment with task sequences, compliance baselines, Endpoint Protection policy management, and co-management with Microsoft Intune. Regularly monitor the SCCM site status in the Monitoring workspace and review the distmgr.log, ccmsetup.log, and updatessyncmgr.log files for troubleshooting deployment and synchronization issues.