System center configuration manager windows deployment services

In Configuration Manager, you can view the state of Windows as a service in your environment. Create servicing plans to form deployment rings, and keep Windows systems up to date when new builds are released. You can also view alerts when Windows clients are near end of support for the build version. For more information about Windows servicing options, see Overview of Windows as a Service.

For more information, see Integration with Windows Update for Business. Enable heartbeat discovery. The data that the Windows servicing dashboard displays comes from discovery. For more information, see Configure heartbeat discovery.

The following Windows channel and build information is discovered and stored in the following attributes:. For example, Configure the service connection point for Online, persistent connection mode. When the site is in offline mode, you don't see data updates in the dashboard until you get Configuration Manager servicing updates.

For more information, see About the service connection point. Configure and synchronize software updates. Before any Windows feature upgrades are available in the Configuration Manager console, select the Upgrades classification, and synchronize software updates. For more information, see Prepare for software updates management. Verify the configuration of the following client settings, to make sure they're appropriate for your environment:.

Starting in version , the Windows Servicing dashboard was simplified to make it more relevant. Servicing plan and Windows 10 ring information were removed from the dashboard. The following charts are displayed for the selected Collection :. Feature Update Versions : Displays the distribution of Windows major releases.

This chart as previously called Windows 10 Usage. Quality Update Versions : This chart displays the top five revisions of Windows across your devices. Windows 10 Latest Feature Update added in : This chart shows the number of devices that installed the latest feature update for Windows Windows 11 Latest Feature Update added in : This chart shows the number of devices that installed the latest feature update for Windows Latest Feature Update versions and : This chart shows the number of devices that installed the latest feature update.

Collection Errors : This tile shows the number of devices that failed with the specified error code. For more information, see Analyze SetupDiag errors. Errors Timeline : Displays the top errors and the number of devices with each error over the course of time for the chosen collection.

The Windows 10 servicing dashboard provides you with information about Windows 10 computers in your environment, servicing plans, and compliance information. The data in the Windows 10 servicing dashboard is dependent on the service connection point.

The dashboard has the following tiles:. Windows 10 Usage : Provides a breakdown of public builds of Windows Windows Insiders builds are listed as Other , and any builds that aren't yet known to your site. The service connection point downloads metadata that informs it about the Windows builds, and then this data is compared against discovery data.

Windows 10 Rings : Provides a breakdown of Windows 10 by channel and readiness state. Create Service Plan : Provides a quick way to create a servicing plan. You specify the name, collection, deployment package, and readiness state. It only displays the top 10 collections by size, smallest first, and the top 10 deployment packages by most recently modified.

It uses default values for the other settings. Select Advanced Settings to start the Create Servicing Plan wizard, where you can configure all of the service plan settings. Expired : Displays the percentage of devices that are on a build of Windows 10 that's past its end of service.

Configuration Manager determines the percentage from the metadata downloaded by the service connection point and compares it against discovery data. A build that's past its end of service is no longer receiving monthly cumulative updates, which include security updates. Upgrade the computers in this category to the latest build version. Configuration Manager rounds up to the next whole number. Expire Soon : Displays the percentage of computers that are on a build that's within four months of its end of service.

It's similar to the Expired tile otherwise. Service Plan Monitoring : Displays servicing plans that you've created and a chart of the compliance for each. This tile gives you a quick overview of the current state of the servicing plan deployments. If an earlier deployment ring meets your expectations for compliance, then you can select a later servicing plan deploying ring.

Select Deploy Now instead of waiting for the servicing plan rules to automatically trigger. Collection errors : Starting in version , this tile shows the number of devices that failed with the specified error code.

You can scope the tile to a specific collection. For more detailed information about Windows 10 builds, see the Product Lifecycle dashboard. The information shown in the Windows 10 servicing dashboard is provided for your convenience and only for use internally within your company. You should not solely rely on this information to confirm update compliance. Be sure to verify the accuracy of the information provided to you.

You can drill through compliance statistics to see which devices require a specific Windows feature update. To view the device list, you need permission to view updates and the collections the devices belong to. Look at the Summary tab and find the pie chart under Statistics. To drill down into the device list, select View Required next to the pie chart. This action takes you to a temporary node under Devices.

Here you can see the devices requiring the update. You can also take actions for the node such as creating a new collection from the list. Windows servicing plans in Configuration Manager are much like automatic deployment rules for software updates. You create a servicing plan with the following criteria that Configuration Manager evaluates:. Upgrades classification : Only updates that are in the Upgrades classification are evaluated.

Readiness state : The readiness state defined in the servicing plan is compared with the readiness state for the upgrade. The metadata for the upgrade is retrieved when the service connection point checks for updates.

Time deferral : The number of days that you specify for How many days after Microsoft has published a new upgrade would you like to wait before deploying in your environment in the servicing plan. If the current date is after the release date plus the configured number of days, Configuration Manager evaluates whether to include an upgrade in the deployment. When an upgrade meets the criteria, the servicing plan adds the upgrade to the deployment package, distributes the package to distribution points, and deploys the upgrade to the collection.

It does these actions based on the settings that you configure in the servicing plan. Monitor the deployments with the Service Plan Monitoring tile on the Windows servicing dashboard.

For more information, see Monitor software updates. Windows 10, version and later was added to Microsoft Update as its own product rather than being part of the Windows 10 product like earlier versions. This change caused you to do a number of manual steps to make sure that your clients see these updates.

We've helped reduce the number of manual steps you have to take for the new product in Configuration Manager version Read the blog. Faster time-to-value Realize value quickly with simple installations, in-place upgrades, and automated workflows.

Efficient operations Quickly get things done with one-click features and a straightforward console. Cloud integration Get visibility and control of data and apps with Azure security and management integration.

Read what's new in System Center System Center Operations Manager offers flexibility, cost-efficiency and increased security Our customers are realizing the benefits of upgrading to System Center where they are seeing better all-up management, including predictable performance and availability, increased security, and better integration with Azure management. Infrastructure provisioning Deploy and manage your software-defined datacenter with a comprehensive solution for networking, storage, compute, and security.

Automation and self-service Free up your organization and increase efficiency with automated workflow processes and self-service options. Explore System Center solutions. Infrastructure and workload monitoring Diagnose and troubleshoot infrastructure, workload, or application issues to maintain reliability and high performance. If you are planning on installing an older version of SQL, please follow our previous post here. Click the following link to see all supported SQL versions.

For our post, we will install SQL locally on the same server where the Primary Site will be installed. Note that some steps in the wizard are automatically skipped when no action is required. We will install it in order to have an updated SQL Installation. Note that CU2 is the minimum requirement. Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server.

It must use Domain Administrator credentials to run. Run both commands to create the SPN, Change the server name and account name in each commands. We always recommend creating the SCCM database before the setup. This is not mandatory, SCCM will create the database for you during setup but will not create it the optimal way. Visit his blog post and download the provided Excel file. Input your values in the blue cells and keep it for the next part.

Be sure to select a unique Site Code. If you find out that you made an error, you can safely delete the Database using SQL Management Studio and rerun the script. Run the following scripts to size the TempDB. The server is now ready for the SCCM installation. We will install a stand-alone Primary site.

Before launching the SCCM installation, we recommend launching the Prereqchk tool in order to verify if all components are configured correctly. We prefer to use the standalone tool before running the setup. Refer to this Technet article to see the list of all checks done by the tool.

If you have any warning or error refer to this Technet article in order to resolve it, or go thought part 1 and part 2 of this guide. We are finally ready to launch the setup. First, reboot the server.

This will make sure that the machine is not in a Reboot pending state. Before opening the SCCM console, we suggest to install the following tools :. Download and install it here. It covers all you need to know. The first task we like to do after a new SCCM installation is to upgrade it to the latest version. We have a bunch of guides for each version. For reference, at the time of this blog post, the baseline is and the latest version is SCCM The next sections will be for configuring the various site server roles in your newly installed SCCM server.

Role installation order is not important, you can install roles independently of others. Both of these roles are now unsupported. We do not recommend adding this role to your hierarchy. Starting in version , updated clients automatically use the management point for user-available application deployments. Support ends for the application catalogue roles with version The Application Catalog web service point provides software information to the Application Catalog website from the Software Library.

This is not a mandatory site system but you need both the Application Catalog website point and the Application Catalog web service point if you want to provide your user with a Self-Service application catalog web portal. The Application Catalog web service point and the Application Catalog website point are hierarchy-wide options.

The Application Catalog web service point must reside in the same forest as the site database. If you have more geographically distributed users, consider deploying additional application catalogs to keep responsiveness high and user satisfaction up. Use client settings to configure collections of computers to use different Application Catalog servers. Read more on how to provide a great application catalog experience to your user in this Technet blog article. If your client needs HTTPS connections, you must first deploy a web server certificate to the site system.

If you need to allow Internet clients to access the application catalog, you also need to deploy a web server certificate to the Management Point configured to support Internet clients. When supporting Internet clients, Microsoft recommends that you install the Application Catalog website point in a perimeter network, and the Application Catalog web service point on the intranet.

For more information about certificates see the following Technet article. Using Windows Server , the following features must be installed before the role installation:. For this post, we will be installing both roles on our stand-alone Primary site using HTTP connections. If you split the roles between different machines, do the installation section twice, once for the first site system selecting Application Catalog web service point during role selection and a second time on the other site system selecting Application Catalog website point during role selection.

Ensure that the client settings for your clients are set correctly to access the Application Catalog. The AISP is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level site. In order to have inventory data, first ensure that Hardware Inventory is enabled in your Client Settings. On the machine that will receive the CRP role, install the following using Windows server role and features:.

Once all the above has been configured and verified, you are ready to create your certificate profile in SCCM. Several distribution points can provide better access to available software, updates, and operation systems. On the DP, add a group that contains your site system computer account in the Administrators group.

Configuration Manager requires some roles and features to be installed on the server prior to the DP installation. IIS needs to be installed on the server but it will automatically be installed using the site installation wizard.

For Windows only, you need to enable Powershell 3. Now that the Distribution point server is ready to receive a new role, we need to add the server to the site server list. That results in errors but be patient and the installation should succeed anyway.

You can now replicate your content to your newly created DP. Replicate manually all your content or add your DP in an existing DP group. If you have multiple Distribution Points, I suggest you read our post on 8 ways to monitor your distribution points. This post explains in detail the various options to make sure that your DP is healthy.

You can also check our custom report about Distribution Point Monitoring to display all your DP status using a single click. The Endpoint Protection Point provides the default settings for all antimalware policies and installs the Endpoint Protection client on the Site System server to provide a data source from which the SCCM database resolves malware IDs to names. This Site System is a hierarchy-wide option. SCCM supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

After the installation, you must add Endpoint Protection definition files in your Software Update Point. We have a complete guide to managing endpoint protection. You can download it from our product page.

This is not a mandatory site system but you need both Enrollment Point and Enrollment Proxy Point if you want to enroll legacy mobile devices, Mac computers and to provision Intel AMT-based computers. Since modern mobile devices are mostly managed using Windows Intune , this post will focus mainly on Mac computer enrollment. When you support mobile devices on the Internet, as a security best practice, install the Enrollment Proxy Point in a perimeter network and the Enrollment Point on the intranet.

If you split the roles between different machine, do the installation section twice, once for the first site system selecting Enrollment Point during role selection and a second time on the other site system selecting Enrollment Proxy Point during role selection. The FSP helps monitor client installation and identify unmanaged clients that cannot communicate with their management point.

This is not a mandatory Site System but we recommend to install a FSP for better client management and monitoring. You can also check if reports that depend on the FSP are populated with data. See the full list of reports that rely on the FSP here. The Management Point is the primary point of contact between Configuration Manager clients and the site server.

Management Points can provide clients with installation prerequisites, configuration details, advertisements and software distribution package source file locations. Additionally, Management Points receive inventory data, software metering information and state messages from clients. Multiple Management Points are used for load-balancing traffic and for clients to continue receiving their policy after Management Point failure.

Read about how clients choose their Management Point in this Technet article. The Management Point is a site-wide option. By default, when you install a Secondary site, a Management Point is installed on the Secondary site server. Secondary sites do not support more than one Management Point and this Management Point cannot support mobile devices that are enrolled by Configuration Manager. See the full Supported Configuration in the following Technet article.

On Windows , the following features must be installed before the Management Point Installation:. This role can be installed on a remote machine, the process is the same but the location of the logs is different. Continue through the wizard and reboot the computer at the end of the installation if instructed to do so. Before configuring the reporting point, some configuration needs to be made on the SQL side.

The virtual instance needs to be created for SCCM to connect and store its reports. If you install SSRS later, then you will have to go back and configure it as a subsequent step.

This wizard creates two databases: ReportServer , used to store report definitions and security, and ReportServerTempDB which is used as scratch space when preparing reports. This step sets up the SSRS web service. The web service is the program that runs in the background that communicates between the web page, which you will set up next, and the databases.

This step sets up the Report Manager web site where you will publish reports. Using the simple recovery model improves performance and saves your server hard drive and possibly a large transaction log file.

Check for the following logs for reporting point installation status. Both logs are under the SCCM logs file locations. This Site System is a site-wide option. When using WSUS 3. This has changed with and