Friday, February 19, 2016

SCCM with WSUS in DMZ serving Internet Facing clients

This post documents, at a high level, my experience of implementing a Software Update Point (SUP) on a site system server in our DMZ to serve SCCM clients on the Internet, including workgroup servers.
It explains the implementation process as well as the expected behaviour, by diving into the log files on both the site server and the client.

Please ask questions in the comments field, and I will update the main narrative in response.

Architectural design overview

  • One Primary site server on the internal network
  • One site system server within the DMZ
    • Ports opened on the firewall to allow the two servers to communicate.
    • Configured with the following site system roles:
      • Management point
      • Distribution point
      • Software update point
  • Workgroup servers within the DMZ / Internet-facing clients only

The site system server within the DMZ had the WSUS role installed through the Server Manager console. Within IIS, a web server certificate was added to the binding on port 8531.

On the Primary site server, the Software Update Point role was added to the site system server within the DMZ, with the connection type set to 'Internet only client connections'.
Even though we bound the web server certificate in IIS, we do not need to tick 'Require SSL communications...', because the workgroup systems require PKI certificates and all client communication is already set to SSL.

Within the Monitoring workspace > System Status > Site Status, the new SUP role will be displayed. Right-click it and choose Show All Messages. Review the messages and ensure the role installed and started.

Within the Software Library workspace > Software Updates > All Software Updates, right-click and select 'Synchronize Software Updates'.
Go back to the Monitoring workspace > 'Software Update Point Synchronization Status' and ensure the new SUP server is listed as a downstream server of the Primary site. The initial sync can take upwards of 30 minutes; progress can be reviewed in wsyncmgr.log on the Primary server.

The SCCM environment is now aware of the additional SUP server, and because it is Internet facing and configured to respond to Internet-only clients, it becomes the preferred choice for the workgroup servers within the DMZ and other Internet-facing clients.
When these clients' 'Software Updates Scan Cycle' runs, they assess the SCCM environment and LocationServices.log records the WSUS path being updated to the new SUP server.

This WSUS path is written to Local Policy, updating the WindowsUpdate registry value.
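A client-side check for the behaviour just described, added here as an example (it is not from the original post): it reads the Windows Update policy values that Configuration Manager writes its WSUS path into and confirms the client is pointed at the expected DMZ SUP over HTTPS on 8531. The SUP host name is a placeholder.

```powershell
# Added example: confirm an Internet-facing client has been redirected to the DMZ SUP.
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate with WUServer / WUStatusServer
# is the standard Windows Update policy location that the WSUS path lands in.
function Test-SccmSupAssignment {
    param(
        # Placeholder: FQDN of the DMZ site system hosting the SUP (assumed, not from the post)
        [string]$ExpectedSup  = 'sup-dmz.example.com',
        # 8531 is the SSL port the certificate was bound to in IIS
        [int]   $ExpectedPort = 8531
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) {
        # No policy yet: the Software Updates Scan Cycle has probably not run on this client
        return [pscustomobject]@{ Value = 'WUServer'; Uri = $null; Pass = $false
                                  Reason = 'WindowsUpdate policy key missing; scan cycle not run yet?' }
    }
    $policy = Get-ItemProperty -Path $key
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $policy.$name
        if (-not $value) {
            [pscustomobject]@{ Value = $name; Uri = $null; Pass = $false; Reason = 'value not set' }
        }
        else {
            $uri = [uri]$value
            # Fail if the path is plain HTTP, uses another port, or points at a different server
            $ok = ($uri.Scheme -eq 'https') -and ($uri.Port -eq $ExpectedPort) -and ($uri.Host -ieq $ExpectedSup)
            [pscustomobject]@{
                Value  = $name; Uri = $value; Pass = $ok
                Reason = if ($ok) { 'points at expected SUP over SSL' } else { 'scheme, port or host differs from expected SUP' }
            }
        }
    }
}

Test-SccmSupAssignment | Format-Table -AutoSize
```

Run it on a DMZ workgroup server after a scan cycle; a failing WUStatusServer while WUServer passes usually means the client is still reporting to an internal SUP it can no longer reach.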

Now that the role is installed and the client is pointing at the correct SUP server, it checks in for policy and reviews the available software update packages. Internet clients always try to download content from the Internet first and only attempt to download from a DP if that fails.

Content is downloaded and installed as a normal deployment as seen within Software Center.

Thursday, February 18, 2016

SCCM Microsoft DHCP Policy items

Microsoft DHCP Policy items

Within Policies, right-click and select 'Define Vendor Classes'. A PXE client announces the type of hardware it is in its DHCP request, which is what these classes match on. Define the following new vendor classes:

  • PXEClient (UEFI x64)
  • PXEClient (UEFI x86)
  • PXEClient (BIOS x86 & x64)

Then, again under Policies, right-click and select 'New Policy'.
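The same two steps scripted with the DhcpServer module, added here as an example rather than taken from the post: it defines the three vendor classes and creates one policy per class so that each architecture is handed only its own boot server and boot file. The vendor class data strings are the architecture identifiers PXE firmware sends in its DHCP request; the scope, PXE server and boot file names are placeholders.

```powershell
# Added example: create the post's three PXE vendor classes and a matching DHCP policy for each.
# Run on the DHCP server (DhcpServer module). Scope, PXE server and boot files are placeholders.
Import-Module DhcpServer

$ScopeId   = '10.0.0.0'            # placeholder: scope the PXE clients live in
$PxeServer = 'pxe-dp.example.com'  # placeholder: PXE-enabled distribution point (option 66)

# Display name from the post -> identifier the firmware sends -> boot file for that firmware (option 67)
$classes = @(
    @{ Name = 'PXEClient (UEFI x64)';       Data = 'PXEClient:Arch:00007'; BootFile = '<uefi-x64-bootfile>' },
    @{ Name = 'PXEClient (UEFI x86)';       Data = 'PXEClient:Arch:00006'; BootFile = '<uefi-x86-bootfile>' },
    @{ Name = 'PXEClient (BIOS x86 & x64)'; Data = 'PXEClient:Arch:00000'; BootFile = '<bios-bootfile>' }
)

foreach ($c in $classes) {
    # Step 1 of the post: define the vendor class (skip if it already exists)
    if (-not (Get-DhcpServerv4Class -Name $c.Name -Type Vendor -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Class -Name $c.Name -Type Vendor -Data $c.Data -Description "PXE architecture $($c.Data)"
    }

    # Step 2 of the post: create a policy whose only condition is that vendor class
    $policyName = "PXE - $($c.Name)"
    if (-not (Get-DhcpServerv4Policy -Name $policyName -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Policy -Name $policyName -ScopeId $ScopeId -Condition OR -VendorClass EQ, "$($c.Name)*"
    }

    # Boot server and boot file are only handed to clients that matched this policy,
    # so a BIOS machine is never given a UEFI loader and vice versa
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $policyName -OptionId 66 -Value $PxeServer
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -PolicyName $policyName -OptionId 67 -Value $c.BootFile
}

Get-DhcpServerv4Policy -ScopeId $ScopeId | Select-Object Name, Enabled, Condition, VendorClass
```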

Tuesday, February 9, 2016

Enterprise deployment of Windows 10 Deployment via System Center configuration Manager and Office 365

In this post I will discuss Windows 10 deployment and what has changed in System Center Configuration Manager, as well as the servicing models for Windows 10, SCCM and Office 365.

The latest version of SCCM has dropped the year designation used in earlier releases such as SCCM 2012 R2. Instead it has adopted the SaaS model of Windows 10: updates flow down more frequently, rendering a year in the title obsolete. The new name is System Center Configuration Manager 1511 (current branch); the 1511 designation indicates that the current branch is from November 2015.

Within the Configuration Manager console, updates synchronise once the 'Service Connection Point' role is configured. This role supports in-console updates for Configuration Manager infrastructure and clients, and replaces the following separate update methods previously used within SCCM:
  • Service packs
  • Cumulative updates
  • Extensions for Microsoft Intune
  • Individual fixes

The Office 365 servicing model is similar to Windows 10's in that there is a Current Branch and a Current Branch for Business release of updates. Within SCCM it is possible to deploy these branches via SCCM + WSUS as a normal Windows update deployment package, making use of Distribution Points rather than clients connecting directly to the Internet. Unfortunately the process to synchronize the update with WSUS is manual; however, the effort is minimal. The link referenced below refers to the Technical release however,

Finding documentation is now a little harder since the year has been dropped. Please see the useful links below.

  • ConfigMgr 1511 Supported Configurations
  • Supported client counts and site system scale
  • SQL requirements (CU requirements, collation requirements, etc.)
  • Recommended hardware specs for ConfigMgr
  • SCCM 1511 – Step by Step Installation Guide
  • Upgrade to Windows 10 with System Center Configuration Manager
  • Manage Office 365 client updates with System Center Configuration Manager