Microsoft SCCM

If you use the Microsoft System Center Configuration Manager (Microsoft SCCM, or SCCM) to manage your organization’s devices and users, you can use the Microsoft SCCM plugin within a workflow to streamline your vulnerability management process.

To set up a Microsoft SCCM plugin:

  1. First learn about the actions you can take with the SCCM plugin.
  2. Collect the plugin's required configuration information.
  3. Configure the SCCM plugin action step in InsightConnect.
  4. Troubleshoot the plugin connection as needed.
  5. Visit Microsoft's documentation for further information.

Microsoft SCCM Plugin Actions

You can use the Microsoft SCCM plugin to conduct the following actions in InsightConnect:

  • Create, retrieve, add to, and configure software for update groups
  • Create, add to, and retrieve collections of devices
  • Get software update information
  • Look up and retrieve device details
  • Download software updates for deployment packages
  • Schedule deployments of software groups to collections
  • And more

Collect Configuration Information

Plugin connections to your SCCM server require the following configuration details:

Credentials (username and password)

Acceptable credentials for an SCCM plugin must correspond to an account with administrative privileges on your desired SCCM server. Make sure this account has read/write access to the SCCM software.

Your SCCM server’s IP address

To find the IP address of the Windows server hosting your SCCM, open a terminal window and run ipconfig.

Your SCCM Server’s WinRM port number

Windows Remote Management uses the default listener port 5986 for HTTPS (SSL) and 5985 for HTTP. Your WinRM listeners will typically use either of these ports, but your SCCM administrators can configure them for any port. Reach out to your SCCM administrators if port 5986 causes your connection tests to fail.

InsightConnect does not currently support port 5985 for HTTP.

Learn more about WinRM ports at https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#winrs-default-configuration-settings.

Path to your SCCM AdminConsole binaries

You will need the absolute path to your SCCM AdminConsole binaries. AdminConsole files can be installed at any filepath, but are typically found at C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin. If you need help finding the exact filepath, contact your SCCM administrator.

Your desired SCCM server’s site code

Your SCCM server’s site code is typically three characters. Site codes help identify each site within your Configuration Manager hierarchy. To find a site’s code, navigate to Administration > Site Configuration > Sites in the SCCM Admin Console. Alternatively, you can use Windows PowerShell to get your site code using the command Get-CMSite.

Configure a Microsoft SCCM Action Step

Before you begin adding connection details in the workflow builder, collect the required configuration parameter details.

To configure a Microsoft SCCM action step:

  1. When creating a new action step, choose Microsoft SCCM as the plugin.
  2. Choose an action you want Microsoft SCCM to automate.
  3. Choose one of your existing connections, or add a new connection using the configuration information you collected earlier. When you add a new connection, InsightConnect will automatically run a new connection test to make sure the plugin application works properly. Then click the Continue button.
  4. Name the step something descriptive.
  5. Configure the action input. The parameters will vary depending on what action you choose. For example, the “Get Device by Hostname” action requires a hostname as string input. You can add input as a variable or directly as the required data type.
  6. Click the Continue button.

Troubleshoot Microsoft SCCM Connection

If your Microsoft SCCM connection tests fail, try the following solutions to resolve your issues.

Test Orchestrator-to-SCCM Network Connection

Make sure your orchestrator and SCCM server connect properly.

To test the network connection using the command line:

  1. SSH into your Orchestrator server with PuTTY or your preferred terminal emulator.
  2. From the Orchestrator shell, run telnet <server IP> <winRM port> with the configuration details of your SCCM server.
  3. If the telnet connection passes, the network path is working and you likely have incorrect values in the other configuration details in InsightConnect. If the telnet connection does not pass, contact your network administrator to investigate the cause.

Test WinRM

Make sure WinRM is running properly.

To check that WinRM is installed, running, and listening:

  1. Open PowerShell from your SCCM Admin Console for your desired server with these instructions: https://docs.microsoft.com/en-us/sccm/develop/core/understand/connecting-to-configuration-manager-with-windows-powershell.
  2. Run winrm enumerate winrm/config/listener.
  3. Check the output against information provided at https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#listener-and-ws-management-protocol-default-settings. The resulting output should include HTTP or HTTPS for the transport variable. Because InsightConnect does not support the HTTP port, confirm that a listener with the HTTPS transport is present.
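The same check as a script, for an elevated PowerShell session on the SCCM server. This is an added example, not part of the original documentation or the plugin; it goes one step further than the listener enumeration by confirming that an enabled HTTPS listener exists and that its certificate is present in the machine store and not expired.

```powershell
# Added example: WinRM readiness check for the HTTPS listener that
# InsightConnect connects to. Run elevated on the SCCM server.

# 1. Installed and running?
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'WinRM service is not installed.'; return }
if ($svc.Status -ne 'Running') {
    Write-Warning "WinRM service status is $($svc.Status); start it before testing."
    return
}

# 2. Listening? Same data as 'winrm enumerate winrm/config/listener'.
$listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
$listeners | Select-Object Transport, Port, Address, Enabled, Hostname |
    Format-Table -AutoSize

# 3. InsightConnect needs HTTPS, so an HTTP-only server fails here.
$https = @($listeners | Where-Object {
    $_.Transport -eq 'HTTPS' -and $_.Enabled -eq 'true'
})
if ($https.Count -eq 0) {
    Write-Warning 'No enabled HTTPS listener found.'
    return
}

# 4. Is the certificate bound to each HTTPS listener present and unexpired?
foreach ($l in $https) {
    $thumb = ($l.CertificateThumbprint -replace '\s', '').ToUpper()
    if (-not $thumb) {
        Write-Warning "Port $($l.Port): listener has no certificate thumbprint."
        continue
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Port $($l.Port): certificate $thumb is not in the LocalMachine\My store."
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Port $($l.Port): certificate expired on $($cert.NotAfter)."
    } else {
        "Port $($l.Port): HTTPS listener OK, $($cert.Subject) valid until $($cert.NotAfter)."
    }
}
```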

Configure a Self-Signed SSL Certificate

If you require Certificate Authority (CA) settings for your SCCM server and do not already have CA settings configured for InsightConnect, set up a new self-signed SSL certificate.

To set up a self-signed SSL certificate:

  1. Open PowerShell from your SCCM Admin Console for your desired server with these instructions: https://docs.microsoft.com/en-us/sccm/develop/core/understand/connecting-to-configuration-manager-with-windows-powershell.
  2. Run New-SelfSignedCertificate -DnsName <SERVER_DNS_NAME> -CertStoreLocation Cert:\LocalMachine\My. This will print your CERTIFICATE_THUMBPRINT.
  3. Copy the CERTIFICATE_THUMBPRINT value.
  4. Run winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="<YOUR_DNS_NAME>"; CertificateThumbprint="<COPIED_CERTIFICATE_THUMBPRINT>"}'. Replace <YOUR_DNS_NAME> with the DNS name you used for the certificate in step 2, and replace <COPIED_CERTIFICATE_THUMBPRINT> with the value you copied in the previous step.
  5. Run winrm enumerate winrm/config/listener to check that WinRM is running properly. The resulting output should include HTTP or HTTPS for the transport variable, and the HTTPS listener you just created should be listed.
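The five steps above as one script, so the thumbprint is passed directly instead of being copied by hand. This is an added example, not part of the original documentation or the plugin; the host name is a hypothetical placeholder, and New-WSManInstance is used in place of the winrm create command to set the same listener values.

```powershell
# Added example: create a self-signed certificate and bind it to a new
# WinRM HTTPS listener. Run elevated on the SCCM server.

# Assumed value: replace with the DNS name of your SCCM server.
$dnsName = 'sccm01.example.internal'   # hypothetical host name

# Do not create a second HTTPS listener if one is already configured.
$existing = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' }
if ($existing) {
    Write-Warning "An HTTPS listener already exists on port $($existing.Port)."
    return
}

# Step 2: create the certificate in the machine store and keep the object,
# which carries the thumbprint.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation Cert:\LocalMachine\My
"Created certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Step 4: create the listener. The Hostname must match the certificate's
# DNS name, which is why both come from the same variable.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $dnsName; CertificateThumbprint = $cert.Thumbprint } |
    Out-Null

# Step 5: read the listener back and confirm it uses the new certificate.
$created = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' }
if ($created -and $created.CertificateThumbprint -eq $cert.Thumbprint) {
    "HTTPS listener created on port $($created.Port) for $($created.Hostname)"
} else {
    Write-Warning 'HTTPS listener was not created as expected.'
}
```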

Troubleshoot Site Not Found Error

If you receive a Site Not Found error while trying to configure an SCCM plugin in InsightConnect, you likely have insufficient permissions to conduct operations in SCCM. Follow the instructions at http://jackstromberg.com/2014/08/system-center-2012-r2-the-user-account-running-the-configuration-manager-console-has-insufficient-permissions-to-read-information-from-the-configuration-manager-site-database/ to address the issue.

Resources

If you have further questions or are looking for more information from the Microsoft side of things, please visit Microsoft's SCCM documentation at https://docs.microsoft.com/en-us/sccm/core/understand/introduction.