Config Overlord: Conquering Endpoints with SCCM Sorcery

Config Overlord: Conquering Endpoints with SCCM Sorcery

Scott Markham

Published by Scott Markham, 2025.

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

CONFIG OVERLORD: CONQUERING ENDPOINTS WITH SCCM SORCERY

First edition. April 12, 2025.

Copyright © 2025 Scott Markham.

Written by Scott Markham.

Table of Contents

Title Page

Copyright Page

Config Overlord: Conquering Endpoints with SCCM Sorcery

Config Overlord: Conquering Endpoints with SCCM Sorcery

Introduction: Welcome to the Empire of Endpoints

from Config Overlord: Conquering Endpoints with SCCM Sorcery

In a world where IT chaos lurks behind every misconfigured registry key and unpatched machine, one tool rises to bring order from entropy—System Center Configuration Manager, or SCCM, to those of us who whisper it between server racks and sips of cold coffee. This isn’t just software. This is the overlord of configuration, the architect of enterprise stability, the dark wizard behind the curtain who knows what version of Chrome you’re running and why you’re three patches behind. And now, dear reader, you’re about to become its master.

This book is your spellbook of SCCM sorcery—a practical, engaging, occasionally snarky guide to taming the digital wilderness of endpoints. Whether you're here to roll out applications at lightning speed, patch thousands of machines before lunch, or ghost-deploy Windows across a sleepy office park on a Tuesday morning, Config Overlord is your map, your compass, and your wand. And the best part? You don’t have to chant in PowerShell (unless you want to).

Let’s face it—IT management can feel like chasing gremlins in a server room at 3 a.m. A rogue user installs malware wrapped in a game mod. Another disables antivirus because it was slowing down my Solitaire. Multiply that across hundreds—or thousands—of machines, and you’ve got a kingdom teetering on the brink of collapse. SCCM doesn’t just help; it commands. It deploys, updates, enforces, reports, and reaches into the very soul of your devices to whisper, You shall comply.

SCCM is less like a tool and more like a strategy—a way of thinking about systems management that scales, adapts, and asserts dominance in the most elegant ways possible. In this book, we’re not just going to explain features. We’re going to weaponize them. You’ll learn how to build a pristine lab, unleash deployment magic, enforce policy with the wrath of a digital demigod, and generate reports that would make auditors swoon.

But fear not, brave reader—we won’t get lost in dull documentation. We’ll break down complex topics with clarity, crack jokes only IT folk would understand, and pepper this journey with real-world tactics, war stories, and best practices. You’ll walk away not just knowing SCCM, but understanding its intent, its quirks, and how to bend it to your will.

Whether you’re a sysadmin, a desktop engineer, a security pro in disguise, or an IT overlord in training, this book is for you. SCCM mastery doesn’t just keep systems in line—it frees your time, improves your security posture, and earns you the silent respect of every technician who’s ever manually installed a printer driver in despair.

So grab your config wand, ready your boundary groups, and prepare to rule your environment. You are now entering the realm of Config Overlord. And by the end, you won’t just manage endpoints—you’ll conquer them. Let the sorcery begin.

Table of contents:

1. Summon the Beast: Installing SCCM in the Realm of Servers

•  How to prep your environment like a digital battleground

•  Roles, prerequisites, and not angering the SQL gods

•  Installing SCCM without setting fire to your domain

2. Hierarchy of the Wise: Sites, Roles, and the SCCM Tree of Power

•  CAS vs. Primary vs. Secondary (and when not to overthink it)

•  Role assignments like you’re building a royal court

•  Understanding scalability, without summoning demons

3. Discovery Spells: Finding Devices, Users, and Rogues

•  AD discovery like a stealthy network bloodhound

•  Group discovery that doesn’t lead to identity crises

•  Preventing SCCM from discovering everything—including the janitor’s iPod

4. Collections: Herding Your Digital Sheep (and Wolves)

•  Building smart, dynamic, and downright magical device groups

•  Include, exclude, and tame rogue devices with logic

•  Nested collections and the hierarchy of sorcery

5. Applications & Packages: Deploy with Sorcerous Style

•  Packages are the past, applications are the future

•  Detection methods, supersedence, and other enchantments

•  Targeting wisely—lest ye deploy Notepad++ to HR printers

6. Distributing the Goods: Content, DP Magic, and Distribution Points

•  Setting up Distribution Points without grief

•  Content prestaging, throttling, and bandwidth-friendly charms

•  Troubleshooting stubborn DPs like a traffic wizard

7. Task Sequences: The Art of Automated Alchemy

•  Building a golden OS deployment recipe

•  Task sequencing like a symphony conductor

•  Drivers, apps, and post-deployment sorcery

8. Operating System Deployment: Image Your Kingdom

•  Capturing a reference image (without capturing despair)

•  PXE boot tricks and multicast secrets

•  Handling UEFI, BitLocker, and BIOS like a seasoned mage

9. Software Updates: The Patchwork Wizard’s Handbook

•  Setting up SUPs without sacrificing sleep

•  ADRs, SUGs, and update ring hexes

•  Keeping Windows patched, happy, and vaguely obedient

10. Endpoint Protection: Antivirus with an Iron Staff

•  Enabling SCCM-managed Defender like a knight’s shield

•  Policies that block, alert, and eradicate

•  Reporting on threats like a prophecy

11. Compliance Settings: Enforcement by Spellbook

•  Configuration Items and Baselines explained without tears

•  Enforcing password policies with dignity

•  Scripts and custom settings that bring order to chaos

12. Inventory & Asset Intelligence: Know Thy Domain

•  Hardware inventory deep-dives and hidden gems

•  Software inventory without getting overwhelmed

•  Reporting on licenses and lurking freeware infestations

13. Reporting & Queries: Clairvoyance Through SQL and SSRS

•  Crafting magical queries like a data wizard

•  Using SSRS for dashboards that sparkle

•  Letting non-techies marvel at your clairvoyance

14. Role-Based Access Control (RBAC): Gatekeeping with Grace

•  Setting permissions without creating bottlenecks

•  Scoped views for teams, regions, and realms

•  Avoiding Oops, I gave everyone full control

15. Intune & Co-Management: Hybrid Sorcery for the Brave

•  Connecting SCCM and Intune like a power couple

•  Workloads, policies, and the dance of modern management

•  Device sync, cloud sync, and sanity sync

16. Remote Tools: Troubleshooting from Afar (and with Flair)

•  Remote Control: the cloaked access of champions

•  Client push, wake-on-LAN, and other ninja tricks

•  Helping users without leaving your lava throne

17. Maintenance Windows & Schedules: When to Cast Your Spells

•  Timing deployments to avoid mid-meeting mayhem

•  Maintenance windows that are merciful yet firm

•  Mastering the calendar of destiny

18. Monitoring & Alerts: The Watchtower of Configuration

•  Alerts for patching, deployments, and dark omens

•  Custom SCOM integration and log-watching potions

•  The art of fix it before someone notices

19. Client Settings: Shaping the Behavior of Your Minions

•  Custom client settings for custom kingdoms

•  Anticipating updates, inventory, and restart rebellion

•  When to override, and when to let defaults rule

20. Troubleshooting SCCM: Exorcisms, Logs, and Registry Rites

•  Logs that matter (and ones that mislead)

•  Client repair spells and firewall banishments

•  The difference between corruption and just needs a reboot

21. Backups, DR, and High Availability: SCCM’s Sacred Wards

•  Backing up the right things, the right way

•  Restoring with confidence instead of cursing

•  HA with SQL Always On and site replication sorcery

22. Automation with PowerShell: Scripts of Arcane Efficiency

•  Must-have PowerShell spells for SCCM admins

•  Automating reporting, deployments, and collections

•  Script responsibly—magic without fireballs

23. Security, Certificates & HTTPS: Fortify Thy Config Tower

•  PKI, HTTPS, and certificates decoded

•  Securing communication and avoiding rogue portals

•  Boundaries, MP encryption, and encryption spells

24. SCCM in the Cloud Era: Azure Integration and Evolving Sorcery

•  Azure Services, tenant attach, and co-management glow-ups

•  Cloud DP, cloud-based CMG, and the path to modern

•  SCCM isn't dying—it's ascending

25. Ascension to Overlord: Best Practices, Pitfalls, and Rituals

•  War stories from the SCCM frontlines

•  Mistakes to dodge like fireballs in a boss fight

•  Building an empire of reliability, speed, and sorcery

Chapter 1: Summon the Beast – Installing SCCM in the Realm of Servers

Every mighty overlord begins their reign somewhere, and for SCCM sorcerers, that journey begins with summoning the beast. SCCM isn’t just software—it’s an intricate arcane construct of SQL databases, IIS components, WSUS modules, and dark magic drawn from Active Directory. One does not simply double-click Setup.exe and walk away. If you’re doing this in production without a test lab, please pause and reconsider your life choices. Your environment is a delicate tapestry of permissions, configurations, and components—tug one wrong thread and it may unravel. Preparation is half the battle, the other half is coffee. So buckle up, because we’re about to install something with more moving parts than a steampunk octopus.

First and foremost, you need to prepare your sacrificial server—er, installation host. It’s best to use a dedicated Windows Server 2019 or 2022 box that isn’t also being used to run Fortnite tournaments in the break room. Install all updates, set a static IP address, and join it to the domain. Why static IP? Because SCCM doesn’t like playing hide-and-seek with DHCP when it’s trying to command its digital minions. Next, install the Remote Server Administration Tools (RSAT) so you can manage AD without summoning the wrath of your domain admin. This server is your SCCM throne—treat it like royalty and feed it the finest patches. And no, you can’t install SCCM on your laptop unless your laptop is also your data center.

Before you even touch the SCCM install wizard, you need to consult the Book of Requirements—also known as Microsoft's documentation. You’ll need Windows ADK (Assessment and Deployment Kit) and its sibling, the Windows PE add-on. Think of these as the boots and cloak your deployment engine wears. You’ll also need SQL Server installed and configured—yes, the full one, not that express nonsense. Use SQL Server 2019 for now, unless your SCCM version is ready for something newer. Configure it with a proper collation (SQL_Latin1_General_CP1_CI_AS), or the install wizard will smite you. And if you’re new to SQL, don’t worry—we all cried the first time we had to configure a SQL Service Broker port.

The Active Directory schema is next on your checklist—yes, it needs to be extended. This is the digital equivalent of carving SCCM’s name into the ancient stone walls of your domain. You only need to do it once, and yes, it’s scary, but if done right, your domain won’t explode. Use the extadsch.exe tool from the SCCM media and run it as a domain admin. If successful, the logs will whisper to you, Completed with no errors, like a lullaby for sysadmins. If it fails, you’ll be greeted with cryptic errors that sound like ingredients in a forbidden potion. Trust but verify—check the extadsch.log in C:\ for reassurance. And then take a deep breath—you’ve passed the first trial.

Next, you’ll create some critical AD objects—System Management container, we’re looking at you. This container is where SCCM will write system data so your clients can find their mothership. Use ADSI Edit to create it in the root of the domain, and assign permissions to your SCCM site server’s computer account. Yes, this means navigating the arcane rites of delegation, ACLs, and right-click menus. If done correctly, you’ll never have to touch it again—like a trapdoor you pray stays sealed. If done incorrectly, you’ll spend hours troubleshooting client site assignment failures while whispering Why? to your monitor. Don’t be that person. Secure it, bless it, and move on.

With your environment properly prepared and AD appeased, it’s time to install the beast itself. Run splash.hta from the installation media and choose to install a Primary Site. For most of us mortals, that’s the right choice—Central Administration Sites (CAS) are for massive environments with trust issues. Follow the wizard carefully: enter your site code (three letters max—make them cool), and give it a friendly site name. Choose to install the management point and distribution point roles now—you’ll need them anyway. When it asks for SQL info, don’t panic—just provide the server name and instance, and make sure your firewall isn’t silently mocking you. Finally, kick off the install and watch as components are summoned from the digital ether. Grab coffee or stare dramatically at your screen—it’s happening.

As the setup wizard churns, you’ll notice it checking prerequisites like a paranoid airline passenger reviewing their boarding pass. Every check must pass, or your install will halt faster than a download on dial-up. Issues with missing roles, incorrect collation, or botched IIS settings will show up here like a parade of regret. If everything’s green, rejoice. If not, consult the log files and prepare for detective work. Most errors are fixable; a few will haunt you. Still, every warning is a lesson in disguise. Learn them well—they will serve you in future battles.

When installation completes, resist the urge to immediately deploy to every device you own. First, open the SCCM console and bask in its complexity. This is your new kingdom, with tabs, nodes, and wizards awaiting your decree. Confirm that your roles are healthy, your site status is green, and no critical components are plotting your downfall. Test the console from another admin machine. If it launches and doesn’t crash, you’re