Dive into the comprehensive installation process of Microsoft Endpoint Configuration Manager (MECM) with this blog post! This guide equips IT professionals of all levels with step-by-step instructions for MECM installation. It uncovers the complexities of the initial setup, provides insight into detailed configuration, and presents solutions for post-installation troubleshooting. Stay tuned and master your MECM deployment with ease!

In this blog post, you’ll take on the challenge of installing Microsoft Endpoint Configuration Manager (MECM) from scratch. The focus will be on establishing a single site server and implementing crucial roles, including:

  • The Site System Role, serving as the home for your server and its components.
  • The Management Point Role, overseeing system communications.
  • The Software Update Point Role, maintaining system updates.
  • The SQL Database Role, managing data storage and retrieval.
  • The Reporting Services Role, producing insightful reports.

For this example, I’ll install all roles onto a single server. In future blogs, I’ll show you how to migrate roles onto separate servers for scalability. If you want each role on separate servers, refer to the appropriate blog post when you reach that stage in the installation and configuration. Then, come back to this post to complete the process. I plan to include references to all separate blog posts for segregated roles per-server in each section.

1. Accounts, Groups, & Permissions

The table breaks down the necessary accounts for MECM installation and configuration, specifying each account’s permissions and roles. It covers essential roles such as the Management Point Role, Software Update Point Role, SQL Database Role, and Reporting Services Role. You need to understand these accounts and their permissions to successfully set up and operate MECM.

Account Name | Required Permissions | Description
------------ | -------------------- | -----------
MECM Admin Account | Full administrator rights in MECM, Local Administrator rights on MECM site servers and remote site system servers, and the permissions necessary to administer the SQL Server and its databases. | This account installs and manages the MECM environment.
Schema Extension Account | Member of the Schema Admins and Domain Admins security groups in Active Directory. | Performs the Active Directory schema extension required for MECM and the Active Directory post-configuration changes.
MECM Service Account | Local Administrator rights on MECM site servers and remote site system servers, and the permissions necessary to administer the SQL Server and its databases. | This account runs various MECM services and tasks.
SQL Service Account | sysadmin role on the SQL Server; dbcreator and securityadmin server roles during setup. | This account runs the SQL Server service during MECM setup and operates the SQL Server after setup completes.
Reporting Services Point Account | Local Administrator rights on the server where the Reporting Services Point is installed, db_datareader role on the MECM database, and the permissions necessary to administer SQL Server Reporting Services (SSRS). | This account configures and manages the Reporting Services Point role.
Software Update Point Account | Local Administrator rights on the server where the Software Update Point is installed, and the permissions necessary to administer WSUS. | This account configures and manages the Software Update Point role.
Management Point Account | Local Administrator rights on the server where the Management Point is installed. | This account configures and manages the Management Point role.
MECM Network Access Account | Access to resources on the network. | Provides MECM clients access to resources on the network.
MECM Client Push Account | Local Administrator on client machines. | Used by the MECM server to install the MECM client software on computers.
MECM Domain Join Account | Permission to join computers to the domain (granted to accounts in the Domain Users group by default). | Joins computers to the domain during Operating System Deployment (OSD).
MECM Domain Admins Group | Varies | This group should contain all MECM domain admins.
MECM Site Servers Group | Varies | This group should contain all the MECM site servers.

Accounts & Permissions

2. Active Directory Pre-requisites

a. Active Directory Schema Extension

Firstly, when you take the step to extend the Active Directory schema for MECM, you are actively adding additional classes and attributes. This important process paves the way for MECM to store site-specific data. Furthermore, this extension also plays a crucial role in aiding site discovery and client installation.

Complete the below steps:

  • Account Setup – Ensure you use an account that belongs to the Schema Admins security group in Active Directory.
  • Sign In – Sign into the MECM site server with the Schema Admins domain account you set up in the previous step.
  • Locate the Tool – Find the extadsch.exe tool in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media.
Active Directory Schema Extension File
  • Run the Tool – Open a command line and execute extadsch.exe.
Active Directory Schema Extension File - Execution
  • Verify the Extension – Check extadsch.log in the root of the system drive to confirm the success of the schema extension.
Active Directory Schema Extension File - Log

b. Creating the System Management Container

It is important to create the System Management Container for MECM, as it serves as the designated location where MECM publishes crucial site information. By establishing this container, you ensure a centralized hub where MECM can efficiently store and distribute site-related data.

  • On the Domain Controller, run the ADSI Edit (adsiedit.msc) with an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services.
  • Connect the ADSI Edit to the site server’s domain.
  • Navigate through the fully qualified domain name and the distinguished name.
  • Right-click on CN=System, choose New, then Object.
System Management Container - New
  • Choose Container in the Create Object window, then proceed by clicking Next.
System Management Container - Container
  • Type System Management in the Value box, click Next, then click Finish in the last window.
System Management Container - System Management

c. Applying Permissions

  • Right-click on CN=System Management and choose Properties.
System Management Container - System Management Properties
  • Switch to the Security tab.
  • Click Add and enter the site server security group, granting it the Full Control permission.
  • Navigate to the Advanced settings, select the site server security group, and click Edit.
  • Choose This object and all descendant objects in the Apply onto list.
  • Confirm and save the configuration by clicking OK.
System Management Container - System Management object permissions
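The steps above are done in ADSI Edit, which makes it easy to miss the inheritance setting. The following PowerShell check, added here as an example and not part of the original post, reads the container's DACL through the AD: drive of the ActiveDirectory RSAT module and reports whether the site server group has Full Control (GenericAll) applied to this object and all descendant objects. The group name 'CONTOSO\MECM Site Servers' is a placeholder; pass your own in DOMAIN\Group form.

```powershell
# Added example (not from the original post): verify the System Management container ACL.
# Assumes the ActiveDirectory RSAT module is installed and that the site server group
# is referenced as 'DOMAIN\GroupName' (placeholder: 'CONTOSO\MECM Site Servers').
Import-Module ActiveDirectory

function Test-SystemManagementAcl {
    param(
        [Parameter(Mandatory)]
        [string] $SiteServerGroup      # e.g. 'CONTOSO\MECM Site Servers' (placeholder)
    )

    $domainDn  = (Get-ADDomain).DistinguishedName
    $container = "CN=System Management,CN=System,$domainDn"

    # The container must exist before the site server can publish site data.
    try {
        $null = Get-ADObject -Identity $container -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Container = $container; Exists = $false; FullControl = $false; InheritsToDescendants = $false
        }
    }

    # Read the DACL through the AD: PSDrive that the ActiveDirectory module provides.
    $acl        = Get-Acl -Path "AD:\$container"
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # "Full Control" in ADSI Edit is GenericAll; "This object and all descendant objects"
    # is InheritanceType All. Only Allow ACEs for the site server group are considered.
    $allowRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $SiteServerGroup -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    }

    [pscustomobject]@{
        Container             = $container
        Exists                = $true
        FullControl           = [bool]$allowRules
        InheritsToDescendants = [bool]($allowRules | Where-Object InheritanceType -eq 'All')
    }
}

# Usage (placeholder group name): all three flags should be True before running setup.
Test-SystemManagementAcl -SiteServerGroup 'CONTOSO\MECM Site Servers' | Format-List
```

If FullControl is True but InheritsToDescendants is False, the permission was applied to the container only; go back to Advanced > Edit and set Apply onto to This object and all descendant objects, otherwise the site server cannot manage the objects it publishes under the container.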

d. Additional Active Directory Requirements

  • Site Server Group
    • Add the MECM site server to the MECM Site Servers group created previously.

2. Primary Site Server Pre-requisite

An MECM primary site server is a key component in the Configuration Manager infrastructure responsible for managing and controlling the deployment and management of client devices. It plays a crucial role in facilitating various operations and services within the MECM environment. Here are the roles and responsibilities of this MECM primary site server:

  • Site Database: It hosts the MECM site database, which stores critical configuration information, inventory data, deployment packages, and other related data required for effective management of the MECM environment.
  • SQL Database Role: The primary site server hosts the MECM SQL database role, which involves managing and maintaining the underlying SQL database that stores MECM-specific data. This includes software update metadata, client information, collections, and other relevant data.
  • WSUS Role: As part of the primary site server, it hosts the WSUS (Windows Server Update Services) role, which is responsible for managing and distributing software updates to client devices within the MECM environment. WSUS integrates with MECM to provide comprehensive software update management capabilities.
  • Management Point Role: The primary site server also includes the management point role, which acts as a communication gateway between client devices and the MECM infrastructure. It receives client data, deploys policies, and provides access to MECM services such as software distribution, inventory, and reporting.

NOTE: The Primary Site Server is not required to host all of these roles; they can be hosted on separate servers.

a. Primary Site Server – Disk Partitions

The table provides a summarized breakdown of the recommended drive layout for installing MECM and SQL Server. It assigns specific drive letters and names to each drive, ensuring efficient performance and optimized data storage in the MECM environment. You may adjust this to align to your company best practices.

Drive | Name | Purpose | Size
----- | ---- | ------- | ----
C: | System | Operating System | 90GB
A: | Applications | SQL Server & MECM Installation Directory | 40GB
E: | SQL DB | SQL Server System Databases | 40GB
L: | SQL Logs | SQL Server Logs | 40GB
B: | SQL Backups | SQL Server Backups | 40GB
T: | SQL TempDB | SQL Server TempDB | 40GB
F: | MECM Content | MECM Packages and Content Library | 100GB
G: | MECM Source | MECM Source Library | 100GB
W: | WSUS Content | WSUS Content Directory | 100GB

Complete Installation - Partitions

b. Windows Firewall

  • Ensure Windows Firewall is enabled on the primary site server.
  • Run the below PowerShell script as Administrator to open the required ports.
Config-MECMFirewallPorts.ps1 - Execution

PowerShell Script Download Config-MECMFirewallPorts.ps1
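As an added example (this is not the post's Config-MECMFirewallPorts.ps1), the script below creates inbound allow rules for the ports a single-server site uses and then lists what was created. The port numbers are the standard Configuration Manager ones (SQL 1433, Service Broker 4022, management point 80/443, WSUS 8530/8531, client notification 10123); if your site uses custom ports, adjust the table. Rules are scoped to the Domain profile and grouped under 'MECM' so they can be reviewed or removed together.

```powershell
# Added example (not the post's Config-MECMFirewallPorts.ps1): inbound rules for a single-server
# MECM site. Assumption: default ports; change the table if your site uses custom ports.
#Requires -RunAsAdministrator

$mecmPorts = @(
    @{ Name = 'MECM SQL Server';             Port = 1433;  Protocol = 'TCP' }
    @{ Name = 'MECM SQL Service Broker';     Port = 4022;  Protocol = 'TCP' }
    @{ Name = 'MECM Management Point HTTP';  Port = 80;    Protocol = 'TCP' }
    @{ Name = 'MECM Management Point HTTPS'; Port = 443;   Protocol = 'TCP' }
    @{ Name = 'MECM WSUS HTTP';              Port = 8530;  Protocol = 'TCP' }
    @{ Name = 'MECM WSUS HTTPS';             Port = 8531;  Protocol = 'TCP' }
    @{ Name = 'MECM Client Notification';    Port = 10123; Protocol = 'TCP' }
)

function Set-MecmFirewallRule {
    param([hashtable] $Rule)
    $displayName = "$($Rule.Name) ($($Rule.Protocol) $($Rule.Port))"

    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
        Write-Host "Exists : $displayName"
        return
    }

    # Scope to the Domain profile so the ports are not exposed on public/private networks.
    New-NetFirewallRule -DisplayName $displayName -Group 'MECM' -Direction Inbound -Action Allow `
        -Protocol $Rule.Protocol -LocalPort $Rule.Port -Profile Domain -Enabled True | Out-Null
    Write-Host "Created: $displayName"
}

# The post's first step: the firewall should actually be on for the Domain profile.
if ((Get-NetFirewallProfile -Name Domain).Enabled -ne 'True') {
    Write-Warning 'Windows Firewall is disabled for the Domain profile; enable it so these rules take effect.'
}

foreach ($rule in $mecmPorts) { Set-MecmFirewallRule -Rule $rule }

# Review the result: every rule in the MECM group with its port filter.
Get-NetFirewallRule -Group 'MECM' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $filter.Protocol
        Port     = $filter.LocalPort
        Profile  = $_.Profile
    }
}
```

Keeping the rules in one group also gives you a quick audit later: `Get-NetFirewallRule -Group 'MECM'` shows exactly what this script opened and nothing else.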

c. NO_SMS_ON_DRIVE.SMS

Place a file named NO_SMS_ON_DRIVE.SMS in the root of each drive on which you don’t want MECM to put content.

d. Automated Windows Server Feature Installation via PowerShell

The script targets the following features for installation:

  • Web-Windows-Auth – Windows Authentication
  • Web-ISAPI-Ext – ISAPI Extensions
  • Web-Metabase – Metabase
  • Web-WMI – IIS 6 Management Compatibility
  • RDC – Remote Differential Compression
  • Web-Asp-Net – ASP.NET
  • Web-Asp-Net45 – ASP.NET 4.5
  • NET-HTTP-Activation – HTTP Activation
  • NET-Non-HTTP-Activ – Non-HTTP Activation
  • BITS – BITS Server Extensions
  • UpdateServices – WSUS
  • UpdateServices-DB – WSUS with SQL Server database

First, the script checks whether each feature is already installed. If not, it initiates the installation. Built-in error handling catches and records any problems during the installation process, writing them to a log file at C:\Windows\Temp\FeatureInstall.log.

Important: Before you run this script, ensure you update the following variables:

  • $dotNet35InstallerPath – the path to your .NET Framework 3.5 source files.
  • $dotNet48InstallerPath – the path to your .NET Framework 4.8 source files.

Without this update, the .NET Framework 3.5 installation will fail.

Automated Windows Server Feature

PowerShell Script Download Install-MECMServerRolesFeatures.ps1
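The following is an added example of the install-if-missing-and-log pattern described above; it is not the post's Install-MECMServerRolesFeatures.ps1. It uses the feature list from the post, writes to the same C:\Windows\Temp\FeatureInstall.log, and keeps the post's two variable names. Assumptions: NET-Framework-Core is the Windows Server feature name for .NET Framework 3.5 and needs -Source pointing at the sxs folder, and .NET Framework 4.8 is a standalone installer run with /q /norestart; both paths shown are placeholders.

```powershell
# Added example (not the post's Install-MECMServerRolesFeatures.ps1): install listed features
# if missing and log the outcome. Paths below are placeholders; update them before running.
#Requires -RunAsAdministrator
Import-Module ServerManager

$LogPath               = 'C:\Windows\Temp\FeatureInstall.log'
$dotNet35InstallerPath = 'D:\sources\sxs'                   # placeholder: .NET 3.5 sxs source folder
$dotNet48InstallerPath = 'D:\ndp48-x86-x64-allos-enu.exe'   # placeholder: .NET 4.8 offline installer

$features = @(
    'NET-Framework-Core',   # .NET Framework 3.5 (assumption: needed by Web-Asp-Net, installed with -Source)
    'Web-Windows-Auth', 'Web-ISAPI-Ext', 'Web-Metabase', 'Web-WMI', 'RDC',
    'Web-Asp-Net', 'Web-Asp-Net45', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ',
    'BITS', 'UpdateServices', 'UpdateServices-DB'
)

function Write-FeatureLog {
    param([string] $Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Install-FeatureIfMissing {
    param([string] $Name, [string] $Source)

    $feature = Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue
    if (-not $feature) {
        Write-FeatureLog "ERROR   $Name is not a known feature on this OS"
        return $false
    }
    if ($feature.Installed) {
        Write-FeatureLog "SKIP    $Name already installed"
        return $true
    }

    try {
        $params = @{ Name = $Name; ErrorAction = 'Stop' }
        if ($Source) { $params['Source'] = $Source }   # only .NET 3.5 needs alternate source files
        $result = Install-WindowsFeature @params
        if ($result.Success) {
            Write-FeatureLog "OK      $Name installed (restart needed: $($result.RestartNeeded))"
            return $true
        }
        Write-FeatureLog "FAILED  $Name exit code $($result.ExitCode)"
        return $false
    } catch {
        Write-FeatureLog "ERROR   $Name $($_.Exception.Message)"
        return $false
    }
}

$results = foreach ($name in $features) {
    $source = if ($name -eq 'NET-Framework-Core') { $dotNet35InstallerPath } else { $null }
    [pscustomobject]@{ Feature = $name; Success = (Install-FeatureIfMissing -Name $name -Source $source) }
}

# .NET Framework 4.8 is not a Windows feature; run its installer quietly if the file is present.
if (Test-Path $dotNet48InstallerPath) {
    $proc = Start-Process -FilePath $dotNet48InstallerPath -ArgumentList '/q', '/norestart' -Wait -PassThru
    Write-FeatureLog "NET48   installer exit code $($proc.ExitCode) (0 = success, 3010 = restart required)"
} else {
    Write-FeatureLog "NET48   installer not found at $dotNet48InstallerPath, skipped"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Success }) {
    Write-Warning "One or more features failed; review $LogPath"
}
```

Each feature is handled on its own so a single failure (typically the .NET 3.5 source path) does not abort the rest, and the log records a SKIP, OK, FAILED or ERROR line per feature for review.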

f. Windows 11 ADK

Download the Windows ADK

ADK Download

To download the latest Windows Assessment and Deployment Kit (Windows ADK), you need to visit the official Microsoft download page. Remember to select the version of the ADK that corresponds to the version of Windows you’re installing or upgrading to.

Download Windows ADK

Install the Windows ADK

  1. Run the adksetup.exe file that you downloaded in the previous step.
  2. Choose whether to install the ADK to the default location or to a location you specify.
ADK Installation Path
  3. Choose whether to participate in the Customer Experience Improvement Program (CEIP).
ADK CEIP
  4. Accept the license agreement.
  5. On the Select the features you want to install panel, select any optional features you require. The core features we want to install here are:
    • Deployment Tools
    • User State Migration Tool (USMT)
  6. Click Install.
ADK Features
  7. After a few seconds, you’ll see a progress bar. Once the installation has completed, close the wizard.

g. Download the WinPE Addon

After you’ve installed the Windows ADK, you can download the WinPE Addon. This is available from the same download page as the Windows ADK.

Download WinPE Addon

Install the WinPE Addon

  1. Run the adkwinpesetup.exe file that you downloaded in the previous step.
  2. Click Next on the installation location page.
ADK WinPE Path
  3. Choose whether to participate in Collect Insights.
  4. Accept the license agreement.
  5. Select Windows Preinstallation Environment (Windows PE) and click Install.
WinPE Features
  6. After a few seconds, you’ll see a progress bar. Once the installation has completed, close the wizard.

Quick Tip! Sometimes the Windows ADK doesn’t fully install until you perform a system reboot. This causes the Boot Images not to show up in MECM, so out of practice I always perform a system reboot after installing/upgrading the ADK.

h. Local Account Permissions

  • Local Admin Group
    • Add the MECM site server security group to the local Administrators group on the site server.
    • Add the MECM Administrator security group to the local administrator group on the site server.

NOTICE: Before proceeding ensure all pending updates and system reboots have been performed.

3. Microsoft SQL 2022 Complete Installation

We will be installing SQL Server 2022 to serve as the backend database for MECM (Microsoft Endpoint Configuration Manager). SQL Server 2022 provides a reliable data storage platform for managing the MECM site database, configuration information, inventory data, and more.

a. Installing SQL 22 & SQL Management Studio

Download SQL Server 2022

Download yourself a copy of SQL from Microsoft Volume Licensing, Microsoft Download Center, Visual Studio Subscriptions, or SQL Server Builds.

Install SQL Server 2022

  1. Execute Setup.exe to open the SQL Server Installation Center and go to the Installation tab.
  2. Select New SQL Server stand-alone installation or add features to an existing installation.
  3. Select the appropriate Edition if required. Standard is the default required for MECM.
  4. Enter the product key, or use the evaluation and enter it at a later time.
  5. Select the appropriate license tick box that suits your license, and click Next.
  6. Review and accept the license terms and click Next to proceed with the installation.
  7. Tick Use Microsoft Updates to check for updates if required and click Next.
  8. Review the SQL Operations Check. Note that Windows Firewall will always be yellow if you have it turned on. This isn’t an issue provided you have opened the required ports manually or using my script prior. Click Next.
  9. Select Database Engine Services and specify any additional installation features you want to include.
  10. Specify the directory where you want SQL to install, in this case a separate drive for my applications (A:\), and click Next.
  11. Select Default instance, keep the default Instance ID, and click Next.
  12. Update SQL Server Agent and SQL Server Database Engine to use the SQL Service Account you created based on the table at the beginning, then click the Collation tab.
  13. Select Customize, select SQL_Latin1_General_CP1_CI_AS, click OK, then Next.
  14. Select the Server Configuration tab, select Windows authentication mode, and add your SQL Server administrators, such as the MECM Administrators group you created based on the table at the beginning.
  15. Select the Data Directories tab and specify the directories for your database, backups, and logs. It’s best practice to have these on separate drives for both performance and disaster recovery.
  16. Select the TempDB tab, specify the directories for your TempDB data and log files, and specify your database sizing. Click Next.
  17. Click Next and wait for the installation to complete.
  18. If prompted, reboot your computer to complete the setup.

You will also be presented with the installation log file location if you wish to review or require for troubleshooting.

b. Install SQL Management Studio

Download SQL Management Studio

You can download the latest SQL Management Studio directly from the Microsoft website. Clicking Install SQL Server Management Tools in the SQL Server Installation Center redirects you to the download page.

Installing SQL Management Studio

  • Execute the SSMS-Setup-ENU.exe installer.
  • Set the installation location, in my case I am installing to my A:\ applications directory and click Install.
  • Click Close to complete the installation wizard.

c. Install SQL Reporting Services

Download SQL Server 2022 Reporting Services

You can download the latest SQL Server Reporting Services directly from the Microsoft Website. You will be redirected to the site by clicking on the Install SQL Server Reporting Services from SQL Installation Center.

Installing SQL Server 2022 Reporting Services

  • Execute SQLServerReportingServices.exe installer.
  • Select Install Reporting Services on the welcome screen
  • Enter the product key for SSRS. This product key is the same as your SQL Server product key, which can be found by executing the SQL Server installer.
  • Accept the license terms and conditions, click Next.
  • Click Next on the Install Reporting Services only section.
  • Set your installation directory, in my case it will be the A:\ for my applications.
  • Wait for the installation to complete.
  • Close the reporting services wizard and reboot the server to complete the installation. We will configure the reporting service at a later time.

d. Configuring SPN’s

How you set your SPNs will differ from environment to environment. Here we register the SPNs manually because we are using domain service accounts for the SQL services. If you are using the Local System account for your SQL services, you can skip this step, as the SPN is registered in Active Directory automatically.

  • Run a command prompt as Administrator.
  • Execute the below two commands:

    setspn -A MSSQLSvc/<YOURSQLSERVERNAME>:1433 <YOURDOMAIN>\<YOURSQLSERVICEACCOUNT>

    setspn -A MSSQLSvc/<YOURSQLSERVERFQDN>:1433 <YOURDOMAIN>\<YOURSQLSERVICEACCOUNT>
  • Verify your SPNs have been configured correctly by executing the below command:

    setspn -L <YOURDOMAIN>\<YOURSQLSERVICEACCOUNT>
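setspn -L only lists what is on the one account. The check below, added here as an example and not part of the original post, confirms both expected SPNs are on the SQL service account and also searches the whole domain for any other object holding the same SPN, because a duplicate (for example left on the computer object from an earlier Local System install) makes Kerberos authentication to SQL fail. It assumes the ActiveDirectory RSAT module; 'svc_sql' and 'MECM01' are placeholders, and the account is passed by sAMAccountName rather than DOMAIN\name.

```powershell
# Added example (not from the original post): verify the SQL SPNs and detect duplicates.
# Assumes the ActiveDirectory RSAT module; account and server names are placeholders.
Import-Module ActiveDirectory

function Test-SqlServiceSpn {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,   # sAMAccountName, e.g. 'svc_sql' (placeholder)
        [Parameter(Mandatory)] [string] $SqlServerName,    # NetBIOS host name, e.g. 'MECM01' (placeholder)
        [int] $Port = 1433
    )

    $domain = Get-ADDomain
    $fqdn   = "$SqlServerName.$($domain.DNSRoot)"

    # The two SPNs the setspn -A commands above register: short name and FQDN, both with the port.
    $expected = @("MSSQLSvc/${SqlServerName}:${Port}", "MSSQLSvc/${fqdn}:${Port}")

    $account    = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
    $registered = @($account.servicePrincipalName)

    foreach ($spn in $expected) {
        # Search the whole domain for any object (user or computer) holding this SPN.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -SearchBase $domain.DistinguishedName)
        [pscustomobject]@{
            SPN              = $spn
            OnServiceAccount = ($registered -contains $spn)
            HoldersInDomain  = ($holders | ForEach-Object DistinguishedName) -join '; '
            Duplicate        = ($holders.Count -gt 1)
        }
    }
}

# Usage (placeholders): both rows should show OnServiceAccount True and Duplicate False.
Test-SqlServiceSpn -ServiceAccount 'svc_sql' -SqlServerName 'MECM01' | Format-List
```

If Duplicate is True, HoldersInDomain shows which objects carry the SPN so you can remove it from the wrong one with setspn -D before MECM setup tries to connect.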

e. Configure SQL Memory

To ensure optimal performance, MECM setup checks that SQL Server reserves a minimum of 8 GB of memory for the primary site. To meet this requirement and avoid any warnings, we configure the SQL Server memory limits to allocate between 8 GB and 12 GB (which is approximately 80% of the available RAM).

Here’s how you can accomplish this:

  1. Launch SQL Server Management Studio.
  2. Right-click on the top SQL Server instance node.
  3. Select Properties from the context menu.
  4. In the Memory tab, specify the memory limits for the SQL Server.
  5. Configure the minimum and maximum server memory values to reserve 80% of the available RAM. For example, if you have 16 GB of available RAM, set the following values:
    • Minimum: 8192 (8 GB)
    • Maximum: 12288 (12 GB)

By adjusting the SQL Server memory limits in this manner, you can ensure that the allocated memory meets the requirements specified by MECM setup, optimizing the performance of your primary site.
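The same change can be applied and verified from PowerShell instead of the Properties dialog. The example below is added here and is not part of the original post; it computes the 80% figure for the local host, then sets min/max server memory with sp_configure over an integrated-security connection to the default instance and reads back value_in_use from sys.configurations. It assumes the account running it is a SQL sysadmin (for example the MECM admin account) and that SQL Server is the default instance on the local server.

```powershell
# Added example (not from the original post): compute and apply SQL Server memory limits.
# Assumptions: run as a SQL sysadmin against the local default instance; values are in MB.
function Get-SqlMemoryRecommendation {
    param([int] $PercentOfRam = 80, [int] $MinimumMB = 8192)   # MECM setup checks for >= 8 GB
    $totalMB = [int][math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $maxMB   = [int][math]::Floor($totalMB * $PercentOfRam / 100)
    if ($maxMB -lt $MinimumMB) {
        Write-Warning "Only $totalMB MB RAM: $PercentOfRam% is below the $MinimumMB MB MECM minimum"
    }
    [pscustomobject]@{ TotalRamMB = $totalMB; MinServerMemoryMB = $MinimumMB; MaxServerMemoryMB = $maxMB }
}

function Set-SqlServerMemory {
    param(
        [string] $ServerInstance = $env:COMPUTERNAME,   # default instance on the local site server
        [Parameter(Mandatory)] [int] $MinServerMemoryMB,
        [Parameter(Mandatory)] [int] $MaxServerMemoryMB
    )
    if ($MinServerMemoryMB -gt $MaxServerMemoryMB) { throw 'Minimum cannot exceed maximum' }

    # Both memory settings are advanced options, so they must be exposed before being set.
    $sql = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'min server memory (MB)', $MinServerMemoryMB;
EXEC sp_configure 'max server memory (MB)', $MaxServerMemoryMB;
RECONFIGURE;
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('min server memory (MB)', 'max server memory (MB)');
"@

    # Integrated security: no SQL password in the script, the caller's Windows identity is used.
    $connString = "Server=$ServerInstance;Database=master;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{ Setting = $reader['name']; ValueInUseMB = [int]$reader['value_in_use'] }
        }
        $reader.Close()
    } finally {
        $conn.Close()
    }
}

# Usage: show 80% of this host's RAM, then apply the post's 16 GB example (min 8192 / max 12288).
Get-SqlMemoryRecommendation
Set-SqlServerMemory -MinServerMemoryMB 8192 -MaxServerMemoryMB 12288 | Format-Table -AutoSize
```

Reading value_in_use back after RECONFIGURE is the check that matters: it confirms the running instance, not just the stored configuration, has the limits MECM setup will test for.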

f. MECM SQL DATABASE SIZING

While it is not mandatory, it is highly recommended to create the MECM database prior to the setup process. Although MECM can create the database during setup, it may not be optimized according to best practices.

To understand why you should create your own database, read the guide by MVP Kent Agerlund. For this case, we will use the ConfigMgr Prerequisites Tool.

You can also download a copy of the Excel Database Calculator if you require assistance.

  • Download the latest ConfigMgr Prerequisites Tool.
  • Extract the downloaded .zip folder.
  • Execute ConfigMgrPrerequisitesTool.exe
  • Click Settings > Connections and enter your SQL Server FQDN > Connect.
  • Navigate to SQL Server > Collation > Validate. This will automatically validate the current collation of your SQL Server so that it meets the requirements for MECM.
  • Navigate to SQL Server > Database.
  • Specify a three-letter site code for your MECM site.
    • Remember this, we will need to enter this site code at a later time.
    • This will automatically pre-create the database with the correct naming convention:
      • CM_<SiteCode>
  • Set your required size limits and click create.

Now if we go back to SQL Management Studio, you can see the database has been created.

If we check the files section, we can also see that the required files have been created in the allocated directories we specified when installing SQL.

g. MECM SQL TEMP DATABASE SIZING

Review your TempDB file size and path to ensure they are sized correctly for your server and stored in the intended location.

h. SQL Native Client

SQL Native Client has been discontinued from SQL Server 2016 onwards, but at the time of writing it is still required for MECM.

Download the latest SQL native client and install following the installation wizard with the default configurations.

You can read more about the support of SQL Native Client on the Microsoft Docs Website.

4. MECM CURRENT BRANCH INSTALLATION

a. MECM Prerequisite Checker

The MECM Pre-requisite checker is a tool that scans your server and checks for the required components and configurations needed for installing MECM. By running this tool, you can identify any missing prerequisites or issues before the installation process, allowing you to address them and ensure a smooth and successful MECM deployment.

The MECM Prerequisites Checker is found on the MECM installation media.

  1. Open a PowerShell session with administrative privileges.
  2. Navigate to the directory where the MECM Pre-requisite checker tool is located: .\SMSSETUP\BIN\X64
  3. Execute .\Prereqchk.exe /AdminUI

At this point all prerequisites should be completed successfully. If any errors or warnings are present, please proceed to address these before moving forward. Close the Wizard once completed.

b. MECM New Installation

  • Launch the MECM installation wizard by running splash.hta.
  • On the Microsoft Endpoint Configuration Manager Setup page, select Install.
  • On the Before You Begin page, review the information and click Next.
  • Select Install a Configuration Manager primary site, and click Next.
  • Enter the product key and your software assurance expiration date, and click Next.
  • Agree to the license terms and conditions, and click Next.
  • Specify a temporary location to store the required setup files, which can be deleted after the installation of MECM. Click Next.

The wizard will then begin to download the required files before proceeding.

  • Select the required server language and any additional languages required, click Next.
  • Select the required client language and any additional languages required, click Next.
  • Set the Site Code:
    • This should be the same three letter site code we used when creating the MECM database in the previous stage.
  • Set the Site Name:
    • This is utilized in the MECM console to help identify the site.
  • Set your installation folder location, in my case I am setting to the A:\ for applications.
  • Tick the Install the Configuration Manager console and click Next.
  • Select Install the primary site as a stand-alone site. Since this is a new instance, we won’t be joining to an existing hierarchy. Click Next.
  • Click Yes on the warning.
  • Specify your SQL Server FQDN; since this is a standalone server, I will enter my MECM server name.
  • Leave the Instance blank.
  • Enter the database name we created in the previous stage.
  • Keep the Service Broker Port as 4022. Click Next.
  • The Database Information screen should automatically detect the locations to store the data file and log file. Double check these match, otherwise set them according to your configuration. Click Next.
  • The SMS Provider FQDN will automatically be detected, click Next.
  • Select Configure the communication method on each site system role.
    • This can be configured again at a later time. I will be showing you this in a later post.
  • Check both Install a management point and Install a distribution point. If you are installing these roles onto a separate server, specify the servers or skip this step. Click Next.
  • Click Next on the Diagnostic and Usage Data wizard.
  • Set where you want the Service Connection Point role, I will be installing it on the primary site server. Click Next.
  • Verify your configurations and click Next.
  • The wizard will now perform a prerequisite check, which should show no errors if you ran the prerequisite checker earlier and actioned any warnings. Click Begin Install.

In this case there are two warnings:

  • Verify site server permissions to publish to Active Directory.
    • This warning stays even if the SYSTEM MANAGEMENT permissions have been set correctly. Double check your permissions in the prior step.
  • Windows Server 2012 and 2012 R2 lifecycle
    • This warning advises that Server 2012 R2 is out of support. In this case we don’t need to worry since we are installing Server 2016.

The installation will now begin and can take around 30 minutes to complete. You can watch the progress of the installation in the setup log, which is stored by default at C:\ConfigMgrSetup.log.

Congratulations! You have successfully installed a fresh instance of MECM primary site server.

It’s worth checking the Microsoft Docs for an always updating Post-Installation Checklist & Tasks.

You will see your version which will take you to a checklist. Not all tasks are required for action after a fresh installation, but always worth reviewing for a sanity check.

5. Where to go from here?

From here you have a sound baseline configuration of MECM. I will list below the steps I would take in my MECM environment. These steps will each be published in their own dedicated blog post, as not all of them are necessary for every environment.

Distribute Boot Image

The boot image in MECM serves as a lightweight operating system that allows devices to start up and connect to the MECM environment. It provides essential components and drivers necessary for tasks such as OS deployment, booting into WinPE, and running pre-boot execution environment (PXE) services.

  • Navigate to Software Library > Overview > Operating System > Boot Images
  • Right-click the Boot Image and select Distribute Content
  • Click Next on the Wizard
  • Click Add > Distribution Point
  • Select your Distribution Point in the list and click OK.
  • Click Next and Next to complete the distribution of the boot image, and close the Wizard.
  • You can check the progress of the boot image distribution by selecting the boot image and checking the Summary tab below.

Configure Client Settings

Coming Soon.

Configuring Boundaries & Boundary Groups

Coming Soon.

Discovery Methods

Coming Soon.

Maintenance Tasks

Coming Soon.

Custom Backup & Restore Strategy

Coming Soon.

Creating a Windows 11 Task Sequence

Coming soon.

Creating & Deploying an Application Package

Coming soon.

Creating & Deploying a Software Package

Coming soon.

Creating & Deploying Software Updates with an ADR

Coming Soon.

Create Windows Servicing ADR

Coming Soon.

Distribution Point Installation

Coming soon.

Management Point Installation

Coming Soon.

Software Update Installation

Coming Soon.

Cloud Management Gateway Installation

Coming Soon.

Enable Co-Management

Coming Soon.