Branch Distribution Point Setup


Computer Client Agent Configuration

  • By default the BITS portion of the Computer Client agent is set to “Apply to branch distribution points only”.
    • You can select “Not Configured” if all of your BDP’s have fast connections to the site server.
    • If your BDP’s are on slow links a good example setting would be:
      • Throttling window start time – 06:00
      • Throttling window end time – 02:00
      • Maximum Transfer rate during throttling window – 40Kbps
      • Allow BITS transfer outside of throttling window
      • Maximum transfer rate outside of throttling window – 100Kbps


Create New Branch Distribution Point (BDP)

  • Ensure that the SCCM Site System account is a member of the local administrators group on the new BDP’s.
  • Open the SCCM Console and navigate to Site Database > Site Management > [Site that you want to add the BDP to] > Site Settings > Site Systems
  • Right click on Site Systems and select New Server
  • Type in the name and FQDN of the new BDP
    • Select Next
  • On the System Role Selection page select Distribution Point
    • Select Next
  • On the Distribution Point page select Enable as a branch distribution point
    • Select use a specific partition > D:
    • Select next
  • Select Next and Finish
  • Create a file in the root of the C: drive called No_SMS_on_drive.sms
    • This will prevent the BDP from using the C: drive if the D: drive ever gets filled up.

Populate New Branch Distribution Point (BDP)

  • The initial population of the new BDP should involve distributing a very small package. Doing that will create the SMSPKG[drive letter]$ folder on the BDP.
  • Select a small package that you have created and add the new BDP’s as new distribution points.
  • Wait until the SMSPKG[drive letter]$ directory is created.

Distribute Packages To The New Branch Distribution Point (BDP)

  • If your BDP’s are on fast networks and you didn’t configure BITS throttling windows then you can just distribute packages like you would to any Standard Distribution Point
  • If your BDP’s are using BITS throttling windows then chances are you will want to copy large packages manually for the initial setup and then utilize them like Standard Distribution Points when updating the packages
    • Right click the package that you want to manually copy and select the Deployment tab
    • Select “Administrator manfully copies this package to branch distribution points
      • You now have two options
        • Put the source on a DVD and send it to the branch office.
          • Have someone copy the source to the SMSPKG[drive letter] share
        • Copy the contents over the network without using BITS
    • Once the source files are on the BDP you can open the PerrDPAgent.log file and run a Branch Distribution Point Maintenance task from the SCCM Client.
    • Once all of the packages that you manually copied over are successful, you can go back into the properties of the package and select “Automatically download content when packages are assigned to branch distribution points”

Software Updates – configuration and results

Perhaps you have two different types of end user machines.  One type, the machines can be rebooted whenever software updates get applied according to the Change Schedule.  The other type, the machines can NOT be rebooted.  However, software updates still need to be installed on them and the business owner would be responsible for the reboot.  The goal is to get the updates to install on both types of machines, but prevent a reboot for the business critical machines. Attached are screen shots and test results of the various methods used when configuring and installing software updates.

SCCM Granular Security using PowerShell and SQL

SCCM Granular Security

SCCM Console Security

Your company has two (or more) different groups that utilize SCCM. To keep these groups separate and to ensure that one group can not affect another groups resources the following is needed.

Initial settings:

  • The SCCM Central Site has two local users that are used as templates in SCCM Security. The two local users are disabled.
    • User Name = SCCM-Template-WorkstationGroup
    • User Name = SCCM-Template-ServerGroup
  • Two collections have been created and dynamically populated with the appropriate resources.
    • WorkstationGroup
      • Contains only workstations
    • ServerGroup
      • Contains only servers
  • Two folders have been created in the Packages node
    • WorkstationGroup – Packages
    • ServerGroup – Packages
  • Two folders have been created in the Advertisements node
    • WorkstationGroup – Advertisements
    • ServerGroup – Advertisements
  • You granted the appropriate security rights in the SCCM Console for both users.

Unfortunately the above method doesn’t allow for inherited permissions.

Example: ‘User A’ is a member of the ‘SCCM.WorkstationGroup’ group. The ‘SCCM.WorkstationGroup’ group has rights to a Collection named ‘WorkstationGroup’. If ‘User A’ creates a subcollection, the other members of the ‘SCCM.WorkstationGroup’ group will not have rights to that new subcollection, only UserA will.

That is where these scripts come in. Open the attachment for more details.