SCCM Best Practices (Tips and Tricks)

There’s no such thing as SCCM Best Practice. Every company, every IT department, and every computer configuration is unique.

That being said we are doing numerous SCCM assessments these days, looking at various SCCM setups and configurations. Here’s our compiled list of settings, configurations, and tricks we can give you to make your SCCM configuration better.

Central Administration Site (CAS)

The most obvious SCCM Best Practice: Don’t use a CAS. You’ll see this advice everywhere… and it’s true. Don’t use it. Just don’t.

When the Central Administration Site was introduced back in SCCM 2012 SP1 there was no concept of a preferred site system. If you had to manage thousands of clients in a remote site/region and a secondary site was not an option, the installation of numerous Primary sites was needed (so was the CAS).

But now that new client management options were introduced in the later SCCM version, this is not needed anymore.

A Central Administration Site may be needed in specific scenarios. If you need to manage more than 175 000 clients or need more than 250 distribution points and you’re still unsure or don’t know what you’re doing, please ask for external help!

Do not Install Secondary Sites in remote locations

There was a day when putting a Secondary site to “big” remote site was the only solution available. Basically, you would install a secondary site if you had :

• More than 500 clients in a remote location
• Need a local Management Point
• Need a local Software Update Point

With the latest SCCM version, clients can use boundaries to find site systems. Our recommendation would be to install Management Point, Distribution Points, and Software Update Point remotely and use boundaries to communicate to these site systems.

Follow Microsoft’s recommendation for installing a secondary site but we didn’t install a secondary site for months. I’m not even sure it’s still required for this

Colocate SQL

In most scenarios, co-locate your SQL installation on your SCCM Primary Server. This is always debatable and often an unpopular topic among Database Administrators. DBA likes to have control and centralized databases as much as possible, however, co-location ensures better performance of your SCCM server.

From a licensing point of view, it’s not an issue since all of the System Center products include SQL Server technology

SQL Configuration and Maintenance

Read and understand the basics of SQL configuration. Disk configuration and proper memory management can make a huge difference in your SCCM server performance. Don’t be shy to ask for help to your DBA, SCCM is based on SQL technology and SQL best practices apply.

Also, make sure to defragment indexes on your SQL SCCM database on a regular basis. Fragmented indexes can make your application slow down significantly.

You can use the built-in Rebuild Index site maintenance task or use Ola Hallengren’s SQL Server maintenance solution.

Site Systems SCCM Best Practice

Keep it simple! The more site server, the more complexity you’ll have to manage. We saw setups with dozen site servers to manage 1000 computers. Why? Just because they decided to separate each role based on assumptions and bad advice. There’s really no harm in doing a single SCCM site server setup (SQL included) for small businesses (in terms of SCCM Managed perspective). We have a couple of design recommendations in one of our posts. You’ll live with this setup for years to come so plan accordingly and don’t be afraid to ask for help from the community or consulting services if you never did this before.

Stay Current

I hope I’m not teaching you anything by saying that SCCM uses an in-console service method. This in-console method makes it easy to install updates for your SCCM infrastructure.

• Updates are made available 3 times a year
• Each version offers 18-month support, so don’t wait too much before upgrading to a new version
• At the time of this writing, the latest version is 1810
• The latest baseline version is 1802. Use this version to install a new server

When upgrading to the latest version, don’t forget to upgrade your clients! We are seeing too many environments where the site is upgraded but not the clients.

Review the documentation of each release to learn the new and deprecated features.

Make sure to follow David James on Twitter who is the first person to announce the new version in his famous “one of those Fridays”

Setup and install a Cloud Management Gateway

The cloud management gateway provides a simple way to manage SCCM clients on the internet. The CMG is a cloud service in Microsoft Azure, you can manage traditional clients that roam on the internet without an additional on-premises infrastructure. You don’t need to expose your on-premises infrastructure to the internet.

With the COVID outbreak, the CMG became a must to manage a roaming device during the time that everyone was working from home. Without a cloud management gateway or an Internet Based Client Management solution, you wouldn’t be able to manage them until they came back to the office.

Client installation Compliance

What’s the goal of SCCM if you’re not managing all your devices? Do you want to push your software to only 70% of your computers? Will your security department accept that only 62% of devices have been patched? Do you want to give your management inventory number with a 28% error margin? No, No, and … No.

Ensure to check your client compliance number on a weekly basis. Nothing makes me sadder to see discovered devices without the SCCM client. We often see 60-70% client installation rate. We recommend aiming 95% of the machines to have SCCM clients. With laptops and road warrior, 100% is mostly impossible but with the help of Cloud Management Gateway and proper monitoring, your goal is attainable.

There are also many solutions out there to help you :

• 1901 Technical Preview is adding a nice client health dashboard (but still not in the production version)
• Client Health Script by Anders Rodland
• ConfigMgr Client Startup Script by Jason Sandys
• Our SCCM Client Health Report

Software Update Maintenance

Doing Software update deployment and not doing regular maintenance will bring your server to a non-functioning state.

• Configure IIS to stop recycling the App Pool
• Enable the built-in SCCM WSUS Server Cleanup on a regular basis
• Decline superseded updates in WSUS
• Use this script: Fully Automate Software Update Maintenance in Configuration Manager – By Brian Dam
• Or This one: Clean Software Update Packages in ConfigMgr with PowerShell – By Nickolaj Andersen [MVP]

Collection Maintenance

Collection refreshes are heavy processes on your server resource. It can bring your server to run really slow if you configure it incorrectly. The biggest mistake is enabling incremental refresh on all collections. We also often see incremental AND full collection updates enabled on the same collections.

Give your SCCM Collections some love by :

• Understand the refresh process – Great article by Garth Jones
• Limit the number of incremental collection
• Use our SCCM Collection report to identify which collections are badly configured
• Detect those Nasty Collections
• Do not use both Full and Incremental on the same collection
• Delete unused and empty collection
• Use Collection Management Insight (1802+)
• Use Collection Evaluation Viewer (CEViewer) from the SCCM Toolkit

Deployment Maintenance

Delete and remove any deployments that are no longer in use. If the deployment compliance is 100% and no longer necessary, delete it. If it’s a test deployment, delete it. If it’s a deployment created in 2009… delete it.

We created a script to help you detect and delete old deployments

Windows 11/10 Servicing

If you haven’t migrated yet, it’s a question of time before all your computers run Windows 10/11. Windows 7 is end of support and you must plan an upgrade strategy now. SCCM is giving you 2 options to manage Windows 10 Servicing. Upgrade task sequences and Servicing Plan. Master those topics because you’ll have to update your Windows 10 on a regular basis.

Also, ensure to track your Windows 10 version and establish an upgrade strategy for the long run. Microsoft has recently changed its support policy for 30 months for the September releases (Enterprise edition). The March release still has a support life cycle of 18 months.

SCCM Log Files

SCCM is a logging machine. It logs everything. I lose my mind when someone tells me that it’s not in the logs… it is! You just haven’t looked at the right one. One of the best skills you can have it knowing the exact meaning of all the logs file. (Joking!). Just learn the most important one… and use CMTrace to open them, not Notepad. (Sorry Wally).

And in case you didn’t know, CMtrace is part of every client since SCCM 1806. No need to copy it during your task sequence or use a deployment/script.

Maintenance Tasks SCCM Best Practice

Review your maintenance task on a regular basis. Is the setting you set 3 years ago still valid? Some SCCM upgrades can bring new maintenance tasks.

The most important part is the backup of your database. SCCM built-in task or an SQL backup is a debatable option. Some like the built-in one, others the SQL one, I like to recommend having either one of them and knowing the restore path of the one you decide. Make sure to monitor your backup tasks, a failing backup is like having no backup!

Modern Management

The buzzword of the moment. You need to go to Intune absolutely now! SCCM will be dead in a couple of years. Wrong!

However, Microsoft has announced that on September 1, 2019, they will retire the hybrid MDM service offering. If you have SCCM in Hybrid mode, plan your migration to Intune Standalone.

SCCM is not dead and it’s in better shape than ever. Just look at all the new features that get developed in each release. However, it would be wrong not to look at these new device management possibilities that Intune and Autopilot bring. Just keep an eye on these new technologies, enable co-management and start playing with it.

Enable Co-management

Enabling Co-management lets you manage Windows 10 devices by using both SCCM and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.

So why enable CoManagement? Why not is more the question. It’s so easy to enable, that you should at least try it to start your modern management strategy.

Attend Conferences

This is not really an SCCM best practice but it will help you learn a lot. Some of them are big events (Microsoft Ignite) but there are smaller events like the Minnesota Management Summit (MMS – not the Las Vegas one back in the day) that will allow you to target your expertise a lot more and meet accessible experts and MVPs.

There are also new events organized by other groups like Modern Management Summit London 2018 organized by SCConfigMgr/TrueSec that are worth the price (FREE!) if you are in the region.

And there are many local groups that meet up on a regular basis which you can join if you are near them.

Use Social Media

Once again not an SCCM best practice but the SCCM community out there is awesome. Follow them on Twitter, read the Reddit SCCM Community, and join Facebook, Linkedin and Slack groups.

On Twitter, follow the EMS MVP which tweets relevant information.

This list could have gone on for a while but I’ll stop there for now. Leave your tips and trick using the comment section.