The SCCM Dos and Donts – 2020 Edition

Benoit Lecours | SCCM | 4 Comments


We’ve been in the consulting world since SMS 2003 and we’ve seen so much stuff over the years! From the famous task sequence deployed to All Systems to the “fuck it let’s set our collections to be all incremental to make SCCM faster!”, we’ve seen it all… or have we? This blog post is an informative look at some of the SCCM Dos and Donts that you need to follow when using SCCM/MEMCM.

This post is intended to be informative. Use it to refresh your skills or, if you’re starting your SCCM journey, to learn something new.

SCCM/MEMCM – Donts

OK, let’s start with the Don’ts. What should you avoid doing in the latest SCCM version?

Install a Central Administration Site


Don’t use a CAS. You’ll see this advice everywhere… and it’s true. Don’t use it. Just don’t.

When the Central Administration Site was introduced back in SCCM 2012 SP1 there was no concept of a preferred site system. If you had to manage thousands of clients in a remote site/region and a secondary site was not an option, the installation of numerous Primary Sites was needed (so was the CAS).

But now that new client management options have been introduced in later SCCM versions, this is no longer needed.

A Central Administration Site may be needed in specific scenarios. If you need to manage more than 175 000 clients or need more than 250 distribution points and you’re still unsure or don’t know what you’re doing, please ask for external help!

Install a Secondary Site in remote locations

There was a time when putting a Secondary Site in a “big” remote site was the only solution available. Basically, you would install a secondary site if you had:

  • More than 500 clients in a remote location
  • Need a local Management Point
  • Need a local Software Update Point

With the latest SCCM version, clients can use boundaries to find site systems. Our recommendation would be to install Management Points, Distribution Points and Software Update Points remotely and use boundaries to let clients communicate with these site systems.

Follow Microsoft’s recommendations for installing a secondary site, but as for us, we haven’t installed a secondary site in months. I’m not even sure it’s still required to this day to support the addition of secondary sites.

Install SQL on a separate server

In most scenarios, co-locate your SQL installation on your SCCM Primary Server. This is always debatable and often an unpopular topic among Database Administrators. DBAs like to have control and to centralize databases as much as possible; however, co-location ensures better performance of your SCCM server.

From a licensing point of view, it’s not an issue since all of the System Center products include SQL Server technology.

Incremental Collection everywhere


Collection refreshes are heavy processes for your server’s resources. They can make your server run really slowly if you configure collections incorrectly. The biggest mistake is enabling incremental refresh on all collections. We also often see incremental AND full collection updates enabled on the same collections.
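
One way to find the collections described above, as an added example that is not part of the original post. The function name Get-CollectionRefreshAudit, the MaxIncremental budget and the sample collections are assumptions made for illustration; the RefreshType values are those of the SMS_Collection class.

```powershell
# Added example (not from the original post). SMS_Collection.RefreshType:
# 1 = manual, 2 = scheduled full update, 4 = incremental, 6 = incremental + full.
function Get-CollectionRefreshAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Collection,
        # Assumed budget for incremental collections; set it to suit your site.
        [int]$MaxIncremental = 2
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($c in $Collection) { $all.Add($c) } }
    end {
        $label = @{ 1 = 'Manual'; 2 = 'Scheduled'; 4 = 'Incremental'; 6 = 'Incremental+Scheduled' }
        $rows = foreach ($c in $all) {
            $type = [int]$c.RefreshType
            $finding = switch ($type) {
                6 { 'Incremental AND full updates enabled on the same collection' }
                4 { 'Incremental update enabled' }
                default { $null }
            }
            [pscustomobject]@{
                CollectionID = $c.CollectionID
                Name         = $c.Name
                Refresh      = $label[$type]
                MemberCount  = $c.MemberCount
                Finding      = $finding
            }
        }
        $incremental = @($rows | Where-Object { $_.Finding })
        [pscustomobject]@{
            Total            = $all.Count
            IncrementalCount = $incremental.Count
            OverBudget       = $incremental.Count -gt $MaxIncremental
            Flagged          = $incremental
        }
    }
}

# Constructed sample; on a site server: Get-CMDeviceCollection | Get-CollectionRefreshAudit
$sample = @(
    [pscustomobject]@{ CollectionID = 'XYZ00010'; Name = 'All Workstations';  RefreshType = 6; MemberCount = 4200 }
    [pscustomobject]@{ CollectionID = 'XYZ00011'; Name = 'Pilot - Office';    RefreshType = 2; MemberCount = 35 }
    [pscustomobject]@{ CollectionID = 'XYZ00012'; Name = 'OSD - New Devices'; RefreshType = 4; MemberCount = 12 }
    [pscustomobject]@{ CollectionID = 'XYZ00013'; Name = 'Servers - Patch A'; RefreshType = 1; MemberCount = 80 }
)
$report = $sample | Get-CollectionRefreshAudit -MaxIncremental 1
$report.Flagged | Format-Table CollectionID, Name, Refresh, Finding -AutoSize
"Incremental: $($report.IncrementalCount) of $($report.Total); over budget: $($report.OverBudget)"
```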


Deploy to large collections without double verification

This one is fairly simple but so often forgotten. How many times have we seen an admin panicking because their deployment was spreading to All Systems? Unfortunately, there’s no big red button to stop a wrong deployment out of the box. When deploying, always make sure to:

  • Double-check the collection and its members. Is the scoping right? Is the collection up-to-date?
  • Ensure that the correct setting for the reboot is set. You don’t want to reboot a workstation in the middle of the day after a sneaky deployment
  • Ensure that no Maintenance Windows are applied to the collection or set your deadline behaviour accordingly
  • Ensure that your available/required option and schedule are set correctly
  • When you check all of the above, check again and then, hit Apply
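
The collection-side checks from the list above (scoping, freshness, maintenance windows) can be scripted as a gate before a deployment is created. This is an added example, not code from the original post: the function name Test-DeploymentTarget, its thresholds and the sample collections are assumptions, and the reboot and available/required settings still need to be reviewed on the deployment itself.

```powershell
# Added example (not from the original post): gate a deployment on its target collection.
function Test-DeploymentTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object]$Collection,
        [Parameter(Mandatory)][int]$ExpectedMaxMembers,
        [int]$MaxRefreshAgeHours = 24,      # assumed freshness limit
        [datetime]$Now = (Get-Date)
    )
    $problems = @()
    # SMS00001 is the built-in All Systems collection.
    if ($Collection.CollectionID -eq 'SMS00001' -or $Collection.IsBuiltIn) {
        $problems += 'Target is a built-in collection such as All Systems.'
    }
    if ($Collection.MemberCount -gt $ExpectedMaxMembers) {
        $problems += "Member count $($Collection.MemberCount) exceeds the expected maximum of $ExpectedMaxMembers."
    }
    $ageHours = ($Now - [datetime]$Collection.LastRefreshTime).TotalHours
    if ($ageHours -gt $MaxRefreshAgeHours) {
        $problems += ('Membership was last evaluated {0:N0} hours ago.' -f $ageHours)
    }
    # Counts windows set on this collection only; members can also inherit
    # maintenance windows from other collections they belong to.
    if ($Collection.ServiceWindowsCount -gt 0) {
        $problems += "$($Collection.ServiceWindowsCount) maintenance window(s) set; review deadline behaviour."
    }
    [pscustomobject]@{
        Collection = $Collection.Name
        Proceed    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample objects; on a site server use Get-CMDeviceCollection -Name '<name>'.
$now = [datetime]'2020-06-01T09:00:00'
$pilot = [pscustomobject]@{ CollectionID = 'XYZ00011'; Name = 'Pilot - Office'; IsBuiltIn = $false
    MemberCount = 35; LastRefreshTime = [datetime]'2020-06-01T03:00:00'; ServiceWindowsCount = 0 }
$allSystems = [pscustomobject]@{ CollectionID = 'SMS00001'; Name = 'All Systems'; IsBuiltIn = $true
    MemberCount = 9100; LastRefreshTime = [datetime]'2020-05-29T03:00:00'; ServiceWindowsCount = 1 }

foreach ($target in $pilot, $allSystems) {
    $result = Test-DeploymentTarget -Collection $target -ExpectedMaxMembers 50 -Now $now
    '{0}: proceed = {1}' -f $result.Collection, $result.Proceed
    $result.Problems | ForEach-Object { "  - $_" }
}
```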

SCCM/MEMCM – DO


Enable Co-management

Enabling Co-management lets you manage Windows 10 devices by using both SCCM and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.

So why enable Co-management? “Why not?” is more the question. It’s so easy to enable that you should at least try it to start your modern management strategy. (See next tip)

Get familiar with Intune

Microsoft is putting effort into closing the management gap between SCCM and Intune. Will SCCM die? Not in the near future. But who knows what the future holds in a world where technology changes so fast.

If you use mobile devices (Phone, Tablet), Intune is a no-brainer.

For Windows 10 devices, Intune is an additional management tool that you should at least start to use. It gives you new possibilities to manage your devices even if they are outside your organization network. (Device Profile, Conditional Access, Compliance Policies).

Microsoft has announced that on September 1, 2019, they retired the hybrid MDM service offering. If you’re still running SCCM in Hybrid mode, plan your migration to Intune Standalone.

We thus recommend that you start looking at Intune to manage your devices.

Setup and install a Cloud Management Gateway

The cloud management gateway provides a simple way to manage SCCM clients on the internet. The CMG is a cloud service in Microsoft Azure, so you can manage traditional clients that roam on the internet without additional on-premises infrastructure. You don’t need to expose your on-premises infrastructure to the internet.

With the COVID outbreak, the CMG became a must for managing roaming devices while everyone was working from home. Without a cloud management gateway or an Internet-Based Client Management solution, you simply wouldn’t be able to manage them until they came back to the office.

Become a CMPivot Expert

SCCM has always been good at reporting on and inventorying its managed devices, but SCCM data is only as current as the last inventory run. SCCM CMPivot allows SCCM administrators to initiate a live query on selected computers on a specific topic. The result of that query can then be used to mitigate and fix potential issues.

How many times have you been asked “what is the current state as of NOW?” Well, you’ll finally be able to answer appropriately with SCCM CMPivot.

We have two blog posts on the subject: one on how to use CMPivot, and the other, one of our most popular posts these days, which gives CMPivot query examples.

Start using Power BI Dashboard

You may already use many SSRS reports to monitor and visualize your SCCM data. Microsoft released Power BI a couple of years ago, and it has advantages over SSRS:

  • A large amount of data can be processed
  • Rich visuals
  • Less engineering resources to use
  • It can be embedded into your own custom apps

The latest SCCM version, 2002, includes integration with Power BI server. There are various free and paid dashboard solutions on the web to fit your reporting needs.

That’s the list for now; we’ll add more in the coming weeks! Be sure to come back.


4 Comments on “The SCCM Dos and Donts – 2020 Edition”

  1. The best that I can download is this list, So what do I use?

    SCSM_2019.exe
    SCO_2019.exe
    SCVMM_2019.exe
    SCSM_Auth_2019.exe
    SCDPM_2019.exe
    SCOM_2019.exe

    SCOM_1801_EN.exe

    SCCM-Installation-Guide-1-23-v1902.pdf

  2. Come on guys. I paid $29 for this SCCM Installation Guide and your guide doesn’t even tell me where the downloads are or what version or what the download filename is!!!! GEZZZZZZ I have a license key for 2019 but I don’t know what I need to download.

    Please tell me what downloaded SCCMs work with your guide and what the download file names are.

    Thanks UerID ahuffman
    fnidfr@yahoo.com
    757-243-7464
