SCCM Best Practices (Tips and Tricks)

That being said we are doing numerous SCCM Assessment these days, looking at various SCCM setup and configuration. Here’s our compiled list of settings, configuration and tricks we can give you to makes your SCCM configuration better.

Central Administration Site (CAS)

Don’t use a CAS. You’ll see this advice everywhere… and it’s true. Don’t use it. Just don’t.

When the Central Administration Site was introduced back in SCCM 2012 SP1 there was no concept of a preferred site system. If you had to manage thousand of clients in a remote site/region and a secondary site was not an option, the installation of numerous Primary Site was needed (so was the CAS).

But now that new client management options were introduced in later SCCM version, this is not needed anymore.

A Central Administration Site may be needed in specific scenarios. If you need to manage more than 175 000 clients or need more than 250 distribution points and you’re still unsure or don’t know what you’re doing, please ask for external help!

Colocate SQL

In most scenario, co-locate your SQL installation on your SCCM Primary Server. This is always debatable and often an unpopular topic among Database Administrators. DBA likes to have control and centralized databases as much as possible, however, co-location ensures better performance of you SCCM server.

From a licensing point of view it’s not an issue since all of the System Center products include SQL Server technology

SQL Configuration and Maintenance

Read and understand the basics of SQL configuration. Disk configuration and proper memory management can make a huge difference in your SCCM server performance. Don’t be shy to ask help to your DBA, SCCM is based on SQL technology and SQL best practices applies.

Also, make sure to defragment indexes on your SQL SCCM database on a regular basis. Fragmented indexes can make your application slow down significantly.

You can use the built-in Rebuild Index site maintenance task or use the Ola Hallengren’s SQL Server maintenance solution.

Site Systems

Keep it simple! The more site server, the more complexity you’ll have to manage. We saw setups with dozen site servers to manage 1000 computers. Why? Just because they decided to separate each role based on assumptions and bad advices. There’s really no harm doing single SCCM site server setup (SQL included) for small businesses (in term of SCCM Managed perspective). We have a couple of design recommendation in one of our post. You’ll live with this setup for years to come so plan accordingly and don’t be afraid to ask for help from the community.

Stay Current

I hope I’m not teaching you anything by saying that SCCM uses an in-console service method. This in-console method makes it easy to install updates for your SCCM infrastructure.

• Updates are made available 3 times a year
• Each version offers 18-month support, so don’t wait too much before upgrading to a new version
• At the time of this writing, the latest version is 1810
• The latest baseline version is 1802. Use this version to install a new server

When upgrading to the latest version, don’t forget to upgrade your clients ! We are seeing too many environment where the site is upgraded but not the clients.

Review the documentation of each release to learn the new and deprecated features.

Make sure to follow David James on Twitter who is the first person to announce the new version in his famous “one of those Fridays”

Client installation Compliance

What’s the goal of SCCM if you’re not managing all your devices? Do you want to push your software to only 70% of your computers? Will your security department accept that only 62% of devices have been patched? Do you want to give your management inventory number with a 28% error margin? No, No and … No.

Ensure to check your client compliance number on a weekly basis. Nothing makes me sadder to see discovered devices without the SCCM client. We often see 60-70% client installation rate. We recommend aiming 95% of the machines to have the SCCM clients. With laptops and road warrior, 100% is mostly impossible but with the help of Cloud Management Gateway and proper monitoring, your goal is attainable.

There’s also many solution out there to help you :

• 1901 Technical Preview is adding a nice client health dashboard (but still not in the production version)
• Client Health Script by Anders Rodland
• ConfigMgr Client Startup Script by Jason Sandys
• Our SCCM Client Health Report

Software Update Maintenance

Doing Software update deployment and not doing regular maintenance will bring your server to a non-functioning state.

• Configure IIS to stop recycling the App Pool
• Enable the built-in SCCM WSUS Server Cleanup on a regular basis
• Decline superseded updates in WSUS
• Use this script : Fully Automate Software Update Maintenance in Configuration Manager – By Brian Dam
• Or This one: Clean Software Update Packages in ConfigMgr with PowerShell – By Nickolaj Andersen [MVP]

Collection Maintenance

Collection refreshes are heavy processes on your server resource. It can bring your server running really slow if you configure it incorrectly. The biggest mistake is enabling incremental refresh on all collections. We also often sees incremental AND full collection updates enabled on the same collections.

Give your SCCM Collections some love by :

• Understand the refresh process – Great article by Garth Jones
• Limit the number of incremental collection
• Use our SCCM Collection report to identify which collections are badly configured
• Detect those Nasty Collections
• Do not use both Full and Incremental on the same collection
• Delete unused and empty collection
• Use Collection Management Insight (1802+)
• Use Collection Evaluation Viewer (CEViewer) from the SCCM Toolkit

Deployment Maintenance

Delete and remove any deployments that are no longer in use. If the deployment compliance is 100% and no longer necessary, delete it. If it’s a test deployment, delete it. If it’s a deployment created in 2009… delete it.

We created a script to help you detect and delete old deployments

Windows 10 Servicing

If you haven’t migrated yet, it’s a question of time before all your computers runs Windows 10. Windows 7 end of support is approaching (January 2020) and you must plan an upgrade strategy now. SCCM is giving you 2 options to manage Windows 10 Servicing. Upgrade task sequences and Servicing Plan. Master those topics because you’ll have to update your Windows 10 on a regular basis.

Also, ensure to track your Windows 10 version and establish an upgrade strategy for the long run. Microsoft has recently changed their support policy for 30 months for the September releases (Enterprise edition). The March release still have a support life cycle of 18 months.

SCCM Log Files

SCCM is a logging machine. It logs everything. I lose my mind when someone tells me that it’s not in the logs… it is! You just haven’t look the right one. One of the best skill you can have it knowing the exact meaning of all the logs file. (Joking!). Just learn the most important one… and use CMTrace to open them, not Notepad. (Sorry Wally).

And in case your didn’t know, CMtrace is part of every client since SCCM 1806. No need to copy it during your task sequence or using a deployment/script.

Maintenance Tasks

Review your maintenance task on a regular basis. Is the setting you set 3 years ago still valid? Some SCCM upgrade can bring new maintenance tasks.

The most important part is the backup of your database. SCCM built-in task or an SQL backup is a debatable option. Some like the built-in one, other the SQL one, I like to recommend having either one of them and know the restore path of the one you decide. Make sure to monitor your backup tasks, a failing backup is like having no backup!

Modern Management

The buzz word of the moment. You need to go to Intune absolutely now! SCCM will be dead in a couple of years. Wrong!

However, Microsoft has announced that on September 1, 2019, they will retire the hybrid MDM service offering. If you have SCCM in Hybrid mode, plan your migration to Intune Standalone.

SCCM is not dead and it’s in better shape than ever. Just look at all the new features that get developed in each release. However, it would be wrong not to look at these new devices management possibility that Intune and Autopilot brings. Just keep an eye on these new technologies, enable co-management and start playing with it.

Attend Conferences

This is not really a best practice but it will help you learn a lot. Some of them are big events (Microsoft Ignite) but there are smaller events like the Minnesota Management Summit (MMS – not the Las Vegas one back in the days) that will allow to target your expertise a lot more and meet accessible experts and MVPs.

There are also new events organized by other groups like Modern Management Summit London 2018 organized by SCConfigMgr/TrueSec that are worth the price (FREE!) if you are in the region.

And there are many local groups that meet up on a regular basis which you can join if you are near them.

Use Social Media

Once again not a best practice but the SCCM community out there is awesome. Follow them on Twitter, read the Reddit SCCM Community, join Facebook, Linkedin and Slack groups.

On Twitter, follow the EMS MVP List which contains 64 MVPs.

This list could have go on for a while but i’ll stop there for now. Leave your tips and trick using the comment section.

Note: There is a rating embedded within this post, please visit this post to rate it.

The post SCCM Best Practices (Tips and Tricks) appeared first on System Center Dudes.