Introduction to SCCM on Windows Server 2019

System Center Configuration Manager, now rebranded as Microsoft Endpoint Configuration Manager (MECM) or simply Configuration Manager (ConfigMgr), is Microsoft’s enterprise-grade solution for managing large numbers of computers. It provides OS deployment, software distribution, patch management, inventory, compliance assessment, and remote control capabilities across thousands of machines. Setting up ConfigMgr on Windows Server 2019 involves preparing a complex set of prerequisites including SQL Server, Active Directory schema extensions, IIS, and Windows ADK. This guide covers a single primary site installation suitable for environments of up to 100,000 managed clients.

Planning the SCCM Architecture

Before installation, plan the site hierarchy. A single primary site with a central administration site is suitable for large enterprises with multiple locations. For environments under 50,000 devices, a standalone primary site is sufficient. Identify the site server (Windows Server 2019), the SQL Server instance for the site database, and the management point and distribution point roles which can be collocated on the site server initially. Plan the site code (a three-character identifier like P01) and site name. Reserve static IP addresses and plan boundaries to define which devices are managed by which site.

Extending the Active Directory Schema

ConfigMgr requires Active Directory schema extensions to publish site information. This operation is irreversible and requires Schema Admins membership. Copy the SCCM installation media to the server and run the schema extension:

cd "E:\SMSSETUP\BIN\X64"
.\extadsch.exe

Verify the schema was extended by checking for the SMS schema classes:

Get-ADObject -SearchBase "CN=Schema,CN=Configuration,DC=contoso,DC=com" -Filter {name -like "MS-SMS*"} | Select-Object Name

Create the System Management container in Active Directory and grant the SCCM site server computer account Full Control on it:

Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl and Set-Acl below
# Create the System Management container under CN=System
$sysContainer = [ADSI]"LDAP://CN=System,DC=contoso,DC=com"
$newContainer = $sysContainer.Create("container","CN=System Management")
$newContainer.SetInfo()
# Grant the site server's computer account Full Control on the container and all descendant objects
$siteServerAccount = "CONTOSO\SCCM01$"
$acl = Get-Acl "AD:\CN=System Management,CN=System,DC=contoso,DC=com"
$identity = New-Object System.Security.Principal.NTAccount($siteServerAccount)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, "GenericAll", "Allow", "All")
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\CN=System Management,CN=System,DC=contoso,DC=com" -AclObject $acl
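
Clients read published site information from this container, so it is worth confirming that the grant landed as intended and reviewing who else can write there. The following audit is an added example, not part of the original guide; it assumes the contoso.com domain and SCCM01 site server used above, and the list of expected principals is an assumption to adjust for your domain.

```powershell
# Added example: audit write access on the System Management container.
# Domain, site server and the $expected list are assumptions based on this page's contoso.com lab names.
Import-Module ActiveDirectory

$containerDn = "CN=System Management,CN=System,DC=contoso,DC=com"
$siteServer  = "CONTOSO\SCCM01$"

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Rights that let a principal create or alter the site objects published in the container
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, CreateChild, WriteProperty'

    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeRights) -ne 0
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

$aces       = Get-WritableAce -DistinguishedName $containerDn
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# 1. The site server needs Full Control that applies to the container and all descendants
$siteAce = $aces | Where-Object {
    $_.IdentityReference.Value -eq $siteServer -and
    ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll -and
    $_.InheritanceType -eq 'All'
}
if ($siteAce) { "OK: $siteServer has GenericAll on the container and all descendants" }
else          { Write-Warning "$siteServer is missing GenericAll with inheritance 'All'" }

# 2. Any other principal with write access should be reviewed
$expected = @($siteServer, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')
$aces | Where-Object { $_.IdentityReference.Value -notin $expected } |
    Format-Table -AutoSize
```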

Installing Prerequisites on Windows Server 2019

Install all required Windows features and roles before running SCCM setup:

Install-WindowsFeature NET-Framework-Features, NET-Framework-Core, NET-Framework-45-Features, NET-Framework-45-Core, NET-WCF-TCP-PortSharing45 -Source "D:\sources\sxs" -Restart

Install-WindowsFeature Web-Server, Web-Common-Http, Web-Static-Content, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Http-Redirect, Web-App-Dev, Web-Asp-Net, Web-Asp-Net45, Web-Net-Ext, Web-Net-Ext45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Security, Web-Windows-Auth, Web-Basic-Auth, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools -IncludeManagementTools

# RDC is the feature name for Remote Differential Compression
Install-WindowsFeature BITS, BITS-IIS-Ext, RDC, RSAT-AD-Tools

Install the Windows ADK and Windows PE Add-on from Microsoft’s website. Also install SQL Server 2019 on the site server or a dedicated SQL server. Configure SQL Server with the SQL_Latin1_General_CP1_CI_AS collation and allocate at least 8 GB RAM to SQL Server, then confirm the collation and version:

sqlcmd -Q "SELECT SERVERPROPERTY('Collation') AS Collation, SERVERPROPERTY('ProductVersion') AS Version"

Running the SCCM Setup Wizard

Launch setup.exe from the SCCM installation media. The prerequisite checker will run automatically. Address any errors before proceeding. Common prerequisites to fix include enabling the BITS server extension for IIS, installing the Windows ADK, and enabling .NET Framework 3.5. On the Getting Started page, select Install a Configuration Manager primary site. Accept the license terms and provide the product key or select the evaluation edition. On the Site and Installation Settings page, enter the site code (for example P01), site name (for example Contoso Primary Site), and installation folder. On the Primary Site Installation page, select Install the primary site as a stand-alone site. On the Database Information page, enter the SQL Server name and instance, verify the database name (default CM_P01), and configure the SQL Server Service Broker port (default 4022). Configure the SMS Provider location (usually the site server) and the communication ports. Review the summary and begin installation. Installation typically takes 30 to 60 minutes.

Configuring Boundaries and Boundary Groups

Boundaries define the network locations of managed clients. Boundary groups associate boundaries with site system roles so clients know which management point, distribution point, and software update point to use. In the ConfigMgr console, navigate to Administration > Hierarchy Configuration > Boundaries. Create boundaries for your IP subnets:

# Import the ConfigMgr PowerShell module, then switch to the site drive, which the cmdlets require
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
$siteCode = "P01"
Set-Location "$($siteCode):"
New-CMBoundary -Type IPSubnet -Name "HQ Subnet" -Value "192.168.1.0/24"
New-CMBoundary -Type IPSubnet -Name "Branch NY" -Value "10.20.0.0/16"

Create a boundary group and add the site systems:

New-CMBoundaryGroup -Name "Default Site Boundary Group" -AddSiteSystemServerName "SCCM01.contoso.com" -DefaultSiteCode $siteCode
Add-CMBoundaryToGroup -BoundaryName "HQ Subnet" -BoundaryGroupName "Default Site Boundary Group"

Deploying the ConfigMgr Client

The ConfigMgr client (CCMSetup) must be installed on managed computers. For domain-joined machines, use client push installation. In the ConfigMgr console, navigate to Administration > Site Configuration > Sites, select the site, and click Client Installation Settings > Client Push Installation. Enable automatic site-wide client push installation, provide domain admin credentials, and select the installation properties. Alternatively install the client manually:

\\SCCM01\SMS_P01\Client\CCMSetup.exe /MP:SCCM01.contoso.com /LOGON SMSSITECODE=P01 SMSMP=SCCM01.contoso.com FSP=SCCM01.contoso.com

Deploy via Group Policy startup script or use a Group Policy Software Installation package pointing to the CCMSetup MSI. Verify client installation:

Get-Service CcmExec | Select-Object Status
# CCMSetup.log is located at C:\Windows\ccmsetup\Logs
Get-Content "C:\Windows\ccmsetup\Logs\ccmsetup.log" -Tail 20
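
A running service alone does not show that the client is assigned to the intended site and management point. The following check is an added example, not part of the original guide; it is run on the managed computer, and its defaults assume the P01 site code and SCCM01.contoso.com management point used on this page.

```powershell
# Added example: post-install verification, run locally on the managed computer.
# Parameter defaults are this page's lab values (P01, SCCM01.contoso.com); change them for your site.
function Test-CcmClientInstall {
    param(
        [string]$ExpectedSite = 'P01',
        [string]$ExpectedMP   = 'SCCM01.contoso.com',
        [string]$SetupLog     = 'C:\Windows\ccmsetup\Logs\ccmsetup.log'
    )
    $result = [ordered]@{
        Service = $null; SetupExitCode = $null; SiteCode = $null; ManagementPoint = $null; Healthy = $false
    }

    # Agent service state
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $result.Service = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # ccmsetup records its final result as "CcmSetup is exiting with return code N"
    if (Test-Path $SetupLog) {
        $last = Select-String -Path $SetupLog -Pattern 'CcmSetup is exiting with return code (\d+)' |
                Select-Object -Last 1
        if ($last) { $result.SetupExitCode = [int]$last.Matches[0].Groups[1].Value }
    }

    # Site assignment and current management point, as reported by the agent itself
    $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($auth) {
        $result.SiteCode        = $auth.Name -replace '^SMS:', ''
        $result.ManagementPoint = $auth.CurrentManagementPoint
    }

    # Return code 0 is success and 7 is success with a reboot pending
    $result.Healthy = ($result.Service -eq 'Running') -and
                      ($result.SetupExitCode -in 0, 7) -and
                      ($result.SiteCode -eq $ExpectedSite) -and
                      ($result.ManagementPoint -eq $ExpectedMP)
    [pscustomobject]$result
}

Test-CcmClientInstall
```

A client that reports a site code or management point other than the expected one should be investigated before it is trusted to receive deployments.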

Configuring Software Distribution

Deploy software to managed clients using ConfigMgr applications. In the console, navigate to Software Library > Application Management > Applications. Create a new application, choose the deployment type (MSI, script-based, etc.), and configure detection methods so ConfigMgr can determine if the application is already installed. Deploy the application to a device or user collection. Devices check in on their configured polling schedule (default 60 minutes) to receive new policy assignments:

New-CMApplication -Name "7-Zip 22.01" -SoftwareVersion "22.01" -Publisher "7-Zip project" -LocalizedDescription "File archiver"
Add-CMMsiDeploymentType -ApplicationName "7-Zip 22.01" -DeploymentTypeName "7-Zip MSI" -ContentLocation "\\SCCM01\Packages$\7-Zip\7z2201-x64.msi" -InstallCommand "msiexec /i 7z2201-x64.msi /q"

Configuring Software Updates

Configure a Software Update Point (SUP) to synchronize Windows Updates from WSUS and deploy patches to managed clients. In the console, navigate to Administration > Site Configuration > Servers and Site System Roles. Add the Software Update Point role to the site server. Specify the WSUS server port (8530 for HTTP or 8531 for HTTPS). Configure the synchronization schedule and the products to synchronize. After initial synchronization, create an Automatic Deployment Rule for critical updates:

New-CMSoftwareUpdateAutoDeploymentRule -Name "Critical Updates" -CollectionName "All Systems" -AddToExistingSoftwareUpdateGroup $false -EnabledAfterCreate $true -NoInstallOnUnprotected $true -Severity Critical -AvailableImmediately $true -DeadlineImmediately $false

Monitoring ConfigMgr Health

Monitor the ConfigMgr infrastructure using built-in reports and the Monitoring workspace. Key health checks include reviewing component status under Monitoring > System Status > Component Status, checking distribution point content status, and reviewing client health statistics. Use the cmtrace.exe log viewer included with ConfigMgr to parse log files. Critical site server logs include sitecomp.log for component health, distmgr.log for package distribution, and smsprov.log for SMS Provider activity. Check site status from PowerShell:

Get-CMSite | Select-Object SiteCode, SiteName, Version, ServerName, Status
Get-CMSiteComponent | Where-Object {$_.Status -ne 0} | Select-Object ComponentName, Status, Message
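
The site server logs named above use the same line format that cmtrace.exe renders, so they can also be filtered from a script. The following parser is an added example, not part of the original guide; the three sample log lines are constructed for illustration, and the commented log folder is the default installation path, which may differ on your server.

```powershell
# Added example: parse CMTrace-format log lines and keep only warnings and errors.
# The sample lines below are constructed, not taken from a real site server.
$sample = @'
<![LOG[Waiting for changes to the site control file.]LOG]!><time="09:14:02.118+000" date="03-04-2024" component="SMS_SITE_COMPONENT_MANAGER" context="" type="1" thread="4120" file="sitecomp.cpp:812">
<![LOG[Failed to copy package content to the distribution point.]LOG]!><time="09:15:40.557+000" date="03-04-2024" component="SMS_DISTRIBUTION_MANAGER" context="" type="3" thread="5288" file="distmgr.cpp:2210">
<![LOG[Retrying in 30 minutes.]LOG]!><time="09:15:40.601+000" date="03-04-2024" component="SMS_DISTRIBUTION_MANAGER" context="" type="2" thread="5288" file="distmgr.cpp:2231">
'@

function ConvertFrom-CMLog {
    param([Parameter(ValueFromPipeline)][string]$Text)
    begin {
        $rx = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>\d{2}:\d{2}:\d{2}\.\d{3})[^"]*"\s+date="(?<date>[\d-]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
        $buffer = New-Object System.Text.StringBuilder
    }
    process { [void]$buffer.AppendLine($Text) }   # a message can span lines, so match on the whole text
    end {
        foreach ($m in $rx.Matches($buffer.ToString())) {
            [pscustomobject]@{
                Time      = [datetime]::ParseExact("$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
                                'M-d-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Component = $m.Groups['comp'].Value
                Severity  = $severity[$m.Groups['type'].Value]
                Thread    = [int]$m.Groups['thread'].Value
                Message   = $m.Groups['msg'].Value.Trim()
            }
        }
    }
}

# Constructed sample: returns the distmgr error and warning, drops the informational line
$sample | ConvertFrom-CMLog | Where-Object Severity -ne 'Info' |
    Format-Table Time, Component, Severity, Message -AutoSize

# Against a real log (default install path shown; adjust to your installation folder):
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log' | ConvertFrom-CMLog | Where-Object Severity -eq 'Error'
```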