SCCM Account Permissions and Ports
The accounts below are used for AD discovery.

Active Directory Discovery Account
Your site server computer account or user account must have read permission on the AD attributes it discovers. This applies to each of the following discovery accounts:
Active Directory group discovery account
Active Directory system discovery account
Active Directory user discovery account
Active Directory forest account
The site server computer account must have Full Control on the System Management container and all its child objects.
Note: Don't grant interactive sign-in rights to this account. Use a dedicated service account and avoid account lockouts.
To extend the AD schema, the user account must either be a member of the Schema Admins group or have been delegated sufficient permissions to modify the schema.

Client Push Installation Account
The client push user account must be a member of the local Administrators group on the target client computers. This account doesn't require Domain Admin rights. (We use a GPO to make our client push account a member of the local Administrators group on all domain machines.)
Note: Don't grant interactive sign-in rights to this account. Use a dedicated service account and avoid account lockouts.

Network Access Account
Client computers use the network access account when they can't use their local computer account to access content on distribution points. It mostly applies to workgroup clients and computers from untrusted domains. This account is also used during OS deployment, when the computer that's installing the OS doesn't yet have a computer account on the domain. It is only used to access content on a distribution point when the computer account is unable to access it.
This account must be a domain user with access to the distribution point; it doesn't need any special rights.
Note: Don't grant interactive sign-in rights to this account. Use a dedicated service account and avoid account lockouts.

Reporting Services Point Account
It's a normal domain account. Configuration Manager automatically grants the specified user access to the site database. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the ConfigMgr Reporting Services Point account name.
Note: Don't grant interactive sign-in rights to this account. Use a dedicated service account and avoid account lockouts.

Task Sequence Domain Join Account
Windows Setup uses the task sequence domain join account to join a newly imaged computer to a domain. The specified user account requires the Domain Join right in the target domain.
Note: Don't grant interactive sign-in rights or Domain Admin rights to this account. Use a dedicated service account and avoid account lockouts.

For other SCCM tasks, such as site installation and role configuration, create a dedicated domain user account; it doesn't require any special permissions.
Create a separate account for the SQL Server service account; we use this for SQL Server installation and configuration. This account doesn't require any special permissions.
We can also create an SCCM Admin group, which helps with troubleshooting SCCM servers and clients. This group requires local admin permission on all SCCM servers and SCCM client computers.
We can also create another SCCM AD group that has access to the AD System Management container and all SCCM servers. This group requires local admin permission on all SCCM servers and Full Control on the System Management container in AD.
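The Full Control delegation on the System Management container that the site server computer account (and the second SCCM AD group) needs above can be applied and audited with PowerShell. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, the container already exists, and a hypothetical site server named SCCM-SITE01.

```powershell
# Added example, not code from the original post: grant the site server computer
# account Full Control on the System Management container (container and all child
# objects), then list every principal that holds Full Control there so the SCCM AD
# group and anything unexpected can be reviewed. Assumptions (hypothetical): RSAT
# ActiveDirectory module installed, container exists, site server is SCCM-SITE01.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$container  = "CN=System Management,CN=System,$domainDN"
$siteServer = Get-ADComputer -Identity 'SCCM-SITE01'   # hypothetical site server name

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$allObjects  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

function Grant-SystemManagementFullControl {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$container"
    # GenericAll on the container, inherited by all child objects, is the
    # "full access" the site server needs to publish site information.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $Sid, $fullControl, $allow, $allObjects
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$container" -AclObject $acl
}

function Get-SystemManagementFullControlHolders {
    # Every Allow ACE that includes GenericAll. Expected holders are the site
    # server computer account(s), the SCCM AD group and the built-in admin
    # groups; anything else should be explained or removed.
    (Get-Acl -Path "AD:\$container").Access |
        Where-Object {
            $_.AccessControlType -eq $allow -and
            (($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

Grant-SystemManagementFullControl -Sid $siteServer.SID
Get-SystemManagementFullControlHolders | Format-Table -AutoSize
```

Run the audit function on its own periodically; a new Full Control holder on this container is worth a ticket.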

Ports required between clients and the site server
| From | To | UDP | TCP | Description | Direction |
| Client | App Catalog Website Point | | 80/443 | http/https | Unidirectional |
| Client | Client (WOL) | | 9/25536 | WOL/WUP | Unidirectional |
| Client | NDES | | 80/443 | http/https | Unidirectional |
| Client | Cloud DP | | 443 | https | Unidirectional |
| Client | DP | | 80/443 | http/https | Unidirectional |
| Client | DP with multicast | 63000-64000 | 445 | Multicast/SMB | Unidirectional |
| Client | DP with PXE | 67/68/69/4011 | | DHCP/TFTP/BINL | Unidirectional |
| Client | FSP | | 80 | http | Unidirectional |
| Client | Domain | | 3268/3269 | LDAP/LDAP SSL | Unidirectional |
| Client | MP | | 10123/80/443 | Client Notification/http/https | Unidirectional |
| Client | SUP | | 80/8530/443/8531 | http/https | Unidirectional |
| Client | SMP | | 80/443/445 | http/https/SMB | Unidirectional |
| Client | PXE DP | 67/68/69/4011 | | PXE-enabled DP | Unidirectional |
| Client | DP | | 445 | Windows File Share | Unidirectional |

Ports required between the SCCM site server and clients
| From | To | UDP | TCP | Description | Direction |
| Console | Client | | 2701/3389 | RC/RDP/RTC | Unidirectional |
| Console | Client | | 135/445 | WMI and Windows File Share | Unidirectional |
| Console | Client | | 2701/3389 | Remote Control | Unidirectional |
| Console | Client | | | ICMP Echo Request | Unidirectional |
| Console | Client | 135 | | RPC Endpoint Mapper | Unidirectional |
| Console | Client | 49152-65535 | | RPC Ports | Unidirectional |

It's recommended to enable Windows Firewall on each desktop and server; certain things can't be installed without Windows Firewall enabled. If Windows Firewall is enabled, we need to create a few inbound and outbound rules in a GPO to allow SCCM traffic. Below are the details:
| Name | Group | Profile | Enabled | Action |
| ICMP Wake-up proxy communication | | All | Yes | Allow |
| RPC End Point Mapper | | All | Yes | Allow |
| Configuration Manager remote control | | All | Yes | Allow |
| Windows Management Instrumentation (ASync-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (WMI-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (DCOM-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (ASync-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| Windows Management Instrumentation (WMI-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| Windows Management Instrumentation (DCOM-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| File and Printer Sharing (LLMNR-UDP-In) | File and Printer Sharing | All | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv6-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv4-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC-EPMAP) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (SMB-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv6-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv4-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC-EPMAP) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (SMB-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Domain | Yes | Allow |
| SQL Ports for SCCM | TCP 1433 | Domain, Private, Public | Yes | Allow |
| SQL Ports for SCCM | TCP 4022 | Domain, Private, Public | Yes | Allow |
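The GPO firewall rules in the table above can also be created and verified from PowerShell rather than the GPO editor. This is an added example, not code from the original post; it assumes the RSAT GroupPolicy and NetSecurity modules, an existing empty GPO named 'SCCM Firewall Rules', and the hypothetical domain corp.example.

```powershell
# Added example, not code from the original post: create the firewall rules from
# the table above in a domain GPO with the NetSecurity cmdlets, then list what the
# GPO carries. Assumptions (hypothetical): RSAT GroupPolicy/NetSecurity modules are
# installed and an empty GPO 'SCCM Firewall Rules' exists in domain corp.example.
Import-Module GroupPolicy, NetSecurity
$gpoStore = 'corp.example\SCCM Firewall Rules'   # PolicyStore form is "domain\GPO name"

# 1. Predefined rule groups from the table live in the local store; copy the
#    inbound rules into the GPO once, then make sure they are enabled.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
    if (-not (Get-NetFirewallRule -PolicyStore $gpoStore -DisplayGroup $group -ErrorAction SilentlyContinue)) {
        Get-NetFirewallRule -PolicyStore PersistentStore -DisplayGroup $group -Direction Inbound |
            Copy-NetFirewallRule -NewPolicyStore $gpoStore
    }
    Get-NetFirewallRule -PolicyStore $gpoStore -DisplayGroup $group | Enable-NetFirewallRule
}

# 2. Port rules. 2701 and the SQL ports come from the tables on this page;
#    RPCEPMap is the cmdlet's keyword for the TCP 135 endpoint mapper.
$portRules = @(
    @{ Name = 'RPC End Point Mapper';                 Port = 'RPCEPMap' },
    @{ Name = 'Configuration Manager remote control'; Port = '2701' },
    @{ Name = 'SQL Ports for SCCM - TCP 1433';        Port = '1433' },
    @{ Name = 'SQL Ports for SCCM - TCP 4022';        Port = '4022' }
)
foreach ($r in $portRules) {
    if (-not (Get-NetFirewallRule -PolicyStore $gpoStore -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -PolicyStore $gpoStore -DisplayName $r.Name -Group 'SCCM' -Direction Inbound `
            -Action Allow -Profile Any -Protocol TCP -LocalPort $r.Port -Enabled True
    }
}
# The wake-up proxy row is ICMP echo request (type 8), not a port.
if (-not (Get-NetFirewallRule -PolicyStore $gpoStore -DisplayName 'ICMP Wake-up proxy communication' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -PolicyStore $gpoStore -DisplayName 'ICMP Wake-up proxy communication' -Group 'SCCM' `
        -Direction Inbound -Action Allow -Profile Any -Protocol ICMPv4 -IcmpType 8 -Enabled True
}

# 3. Show what the GPO now contains. Review before linking it: the two SQL rules
#    belong only on the site database server, so scope that GPO accordingly.
function Get-SccmGpoFirewallRules {
    Get-NetFirewallRule -PolicyStore $gpoStore | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name = $_.DisplayName; Group = $_.DisplayGroup; Profile = $_.Profile; Enabled = $_.Enabled
            Action = $_.Action; Protocol = $port.Protocol; LocalPort = ($port.LocalPort -join ',')
        }
    }
}
Get-SccmGpoFirewallRules | Format-Table -AutoSize
```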