
Installing and configuring the SCCM connector


This topic describes a process for installing and configuring the connector for Microsoft System Center Configuration Manager (SCCM). All other system connectors except the SCCM connector are installed during the installation of the TrueSight Vulnerability Management application. To install the SCCM connector, you need to download and run a small program on the Windows computer where you want to install the connector.

In addition to running the program for the SCCM connector, you must also run a configuration script to set up the correct environmental parameters.

To install and configure the SCCM connector, follow these steps:


Before you begin

  • Ensure that you have downloaded the TSVM<versionNo>-SCCM-CONN-WIN64.zip file from the EPD.
  • Confirm that the server on which you want to install the connector meets the following minimum requirements:

    Operating System: Microsoft Windows 2012 R2
    CPUs: 4
    Available memory: 16 GB
    Disk space: 20 GB free space
    Java: AdoptOpenJDK 11.0.2
    Communication requirements:
      • HTTPS outbound connection to the docker host on which the TrueSight Vulnerability Management application will be running
      • Access to the SCCM server
    Active Directory domain:
      • Connector host must reside in the same domain as the Active Directory server and the SCCM server.
      • Active Directory must be running on Windows 8, or Windows Server 2012 or later operating systems, because the Remote Management Users group exists only on these Windows versions. SCCM remote tools use this group to store the permitted viewers that are configured in the permitted viewers list.
      • SCCM server must be configured to support Active Directory. For more information, see Configuring-SCCM-for-Active-Directory.
  • If the Active Directory server is not located on the SCCM server, perform the following steps to install an Active Directory module:
    1. Open a PowerShell prompt.
    2. Enter the following commands in the specified order:

      import-module servermanager
      Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Installing the SCCM connector

  1. Extract the TSVM<versionNo>-SCCM-CONN-WIN64.zip file to a temporary directory. 
  2. From the command prompt, navigate to the TSVM<versionNo>-SCCM-CONN-WIN64 directory.
  3. Run the following command: sccm-connector-setup.bat
  4. When prompted, enter the directory where JRE is installed and press Enter.
  5. Type the IP address of the computer where you want to install the TrueSight Vulnerability Management application or where the application is already installed, and press Enter.
  6. Type the port number to be used for the WorkManager communication on the computer where you want to install the application or where the application is already installed (default 9443), and then press Enter. This prompt appears only for a fresh installation of the SCCM connector, and only if you downloaded the TSVM<versionNo>-SCCM-CONN-WIN64.zip file for application version 3.0.01 or later.

    Tip

    If you have already installed the application, run the following command on the application computer to obtain this port number:

    docker port truesight-common-workmanager | awk -F ":" '{print $2}'

    The SCCM connector is installed and its service is started.

Configuring the SCCM connector host

Some configuration must be performed on the SCCM connector host. To make that configuration process simpler, you must download and run a configuration script. If the parameters set in the configuration script are not appropriate for your site, you can edit the values set in the script or pass in different parameter values when executing the script.

Configuring the SCCM connector host for the execution policy

On the SCCM connector host, perform the following procedure:

  1. Download the wmi_config_param.zip file, which is attached to this page.
  2. Extract the contents of the wmi_config_param.zip file using any standard compression tool.
  3. Open a PowerShell prompt.
  4. Navigate to the location of the extracted contents of the ZIP file.
  5. Enter the following commands in the specified order:

    Set-ExecutionPolicy Unrestricted
    .\wmi_config_param.ps1

Configuring PowerShell sessions and user sessions

Optionally, you can configure some of the behavior of the SCCM connector using the application.properties file. The file resides at the location on the host where you downloaded the connector: <extracted_zip_file>\config\application.properties. If you modify any of the settings in this file, you must restart the connector program (From the Windows Control Panel on the connector host, select Administrative Tools > Services. Find and right-click the BMC SCCM Connector service, and then select Restart.)

All communication between the SCCM connector and the SCCM server occurs by means of PowerShell processes. Each new request from TrueSight Vulnerability Management creates a PowerShell process. When the response is received from the SCCM server, the PowerShell process is terminated. 

Configuring PowerShell sessions on the SCCM connector host

The number of concurrent PowerShell sessions is limited, but those limits are configurable. There are two types of limits: priority and normal. You can configure the limits on priority and normal sessions by configuring the application.properties file on the SCCM connector, as described in the following table:

    powershell.priority.max.session
      The maximum number of concurrent PowerShell sessions that can be created for priority requests (such as logins). The default value is 20. If the maximum is exceeded, new requests must wait until a session becomes available.

    powershell.priority.wait.time
      The maximum time in seconds to wait for a priority PowerShell session to be created if the maximum number of priority sessions has reached its limit. For example, if the maximum 20 priority PowerShell sessions have been created, the system waits this amount of time for the next priority session. The default wait time is 1 second. If a priority session is not available after the wait time elapses, an error occurs.

    powershell.normal.max.session
      The maximum number of concurrent PowerShell sessions that can be created for anything other than priority requests. The default value is 50. If the maximum is exceeded, new requests must wait until a session becomes available.

    powershell.normal.wait.time
      The maximum time in seconds to wait for a normal PowerShell session to be created if the maximum number of normal sessions has reached its limit. For example, if the maximum 50 normal PowerShell sessions have been created, the system waits this amount of time for the next normal session. The default wait time is 10 seconds. If a normal session is not available after the wait time elapses, an error occurs.

Configuring user session settings on the SCCM connector host

You can also use the application.properties file to configure the behavior of user sessions on the SCCM connector. Most of these options let you configure how TrueSight Vulnerability Management interacts with distribution points.

    sccm.adgroup.cache.refresh.interval (default value: 60)
      Sets the interval in minutes after which the connector refreshes the Active Directory group cache. The SCCM connector caches the Active Directory group of the logged-in user so it can be used for subsequent logins. The minimum value is 5 minutes.

    sccm.distribution.clearance.percentage (default value: 100)
      Specifies the percentage of distribution points to which the deployment package must be delivered before a deployment operation begins. For example:
        • 100 indicates the deployment package must be deployed to all distribution points before the operation begins.
        • 50 indicates the deployment package must be deployed to half of all distribution points before the operation begins.
        • 0 indicates no confirmation is necessary that the deployment package has been deployed before the operation begins.

    sccm.fetch.distribution.status.max.retry.count (default value: 2)
      Specifies the maximum number of polling attempts to determine whether a deployment package has been deployed to a distribution point.

    sccm.fetch.distribution.status.retry.wait.time (default value: 5)
      Specifies how long to wait, in minutes, between polling attempts to determine whether a deployment package has been deployed to a distribution point.

      Note: Even when a deployment operation times out because it has waited the specified amount of time for each retry, the operation will still start, because a client can obtain the deployment package from a backup distribution point or from the SCCM server itself. The job only fails when SCCM cannot find a deployment package for a targeted client.

    sccm.user.token.validity (default value: 60)
      Sets the maximum idle time in minutes before a user session on the SCCM connector is terminated.

Configuring the SCCM server

Some configuration must be performed on the SCCM server. To make that configuration process simpler, you must download and run a configuration script.
If the parameters set in the configuration script are not appropriate for your site, you can edit the values set in the script or pass in different parameter values when executing the script.

Configuring the execution policy on the SCCM server

  1. Copy the wmi_config_param.ps1 file from the SCCM connector host to the SCCM server. 
    Alternatively, you can download wmi_config_param.zip file, which is attached to this page, to the SCCM server. Then, you can extract the contents of the file, as described for the previous procedure.
  2. On a PowerShell prompt, enter the following commands in the specified order:

    Set-ExecutionPolicy Unrestricted
    .\wmi_config_param.ps1


Note

Also, SCCM server must be configured to support Active Directory. For more information, see Configuring-SCCM-for-Active-Directory.

Configuring PowerShell sessions on the SCCM server

Communication between the SCCM server and the SCCM connector is based on PowerShell sessions. To enable correct functioning, some configuration of PowerShell on the SCCM server is necessary.

Establishing the recommended configuration for PowerShell

To set up PowerShell on the SCCM server, BMC recommends the following procedure:

  1. Allow remote shells to access PowerShell on the SCCM server by running the following command:
    winrm set winrm/config/winrs '@{AllowRemoteShellAccess="true"}'
  2. Set the maximum number of shells per user by running the following command:
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
  3. Restart the WinRM service on the SCCM server:
    Restart-Service winrm

Setting the maximum number of concurrent sessions

The total number of priority and normal PowerShell sessions should not exceed the value of the MaxConcurrentUsers attribute on the SCCM server. By default, the SCCM server sets MaxConcurrentUsers to 50. This value should be set to at least 70 because the default configuration for TrueSight Vulnerability Management is 50 normal sessions plus 20 priority sessions.

To determine the current maximum number of concurrent sessions and to modify it if necessary, use the following procedure:

  1. Determine the existing configuration by running the following command:
    winrm get winrm/config/winrs 
  2. Set the MaxConcurrentUsers attribute by running the following command:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="70"}'
  3. Restart the WinRM service on the SCCM server:
    Restart-Service winrm
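The following PowerShell script is an added example, not part of BMC's connector package or this procedure. It reads the connector's application.properties (path assumed; the connector defaults of 20 priority and 50 normal sessions apply when a property is absent) and compares the total against the WinRS limits of the server it runs on, so you can confirm MaxConcurrentUsers and AllowRemoteShellAccess before the connector starts opening sessions.

```powershell
# Added example (not BMC code): check that the SCCM server's WinRS limits can
# accommodate the connector's configured PowerShell sessions.
# Assumptions: $PropertiesPath is the connector's application.properties
# (copied to this server), and the script runs on the SCCM server itself,
# so WSMan:\localhost reflects the same values 'winrm get winrm/config/winrs' prints.
param(
    [string]$PropertiesPath = 'C:\TSVM-SCCM-CONN-WIN64\config\application.properties'
)

# Parse key=value lines; skip blank lines and '#' comments.
$props = @{}
Get-Content -Path $PropertiesPath | ForEach-Object {
    $line = $_.Trim()
    if ($line -and -not $line.StartsWith('#') -and $line.Contains('=')) {
        $key, $value = $line -split '=', 2
        $props[$key.Trim()] = $value.Trim()
    }
}

# Documented connector defaults apply when a property is not set in the file.
function Get-IntProp([string]$Name, [int]$Default) {
    if ($props.ContainsKey($Name)) { return [int]$props[$Name] }
    return $Default
}
$priority = Get-IntProp 'powershell.priority.max.session' 20
$normal   = Get-IntProp 'powershell.normal.max.session' 50
$required = $priority + $normal

# Current WinRS settings on this server.
$maxUsers  = [int]((Get-Item WSMan:\localhost\Shell\MaxConcurrentUsers).Value)
$maxShells = [int]((Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value)
$remote    = (Get-Item WSMan:\localhost\Shell\AllowRemoteShellAccess).Value

"Connector sessions: $priority priority + $normal normal = $required total"
"WinRS: MaxConcurrentUsers=$maxUsers MaxShellsPerUser=$maxShells AllowRemoteShellAccess=$remote"

# The documented rule: priority + normal sessions must not exceed MaxConcurrentUsers.
if ($maxUsers -lt $required) {
    Write-Warning "MaxConcurrentUsers ($maxUsers) is below the connector total ($required). Raise it with:"
    Write-Warning "  winrm set winrm/config/winrs '@{MaxConcurrentUsers=""$required""}'"
}
if ($remote -ne 'true') {
    Write-Warning 'AllowRemoteShellAccess is not true; the connector cannot open remote PowerShell sessions.'
}
```

Run it from an elevated PowerShell prompt on the SCCM server after changing application.properties or the WinRS settings; it only reads configuration and prints what to change.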

Setting the maximum number of shells per user

If you are expecting to generate thousands of actionable vulnerabilities, set the MaxShellsPerUser attribute higher than its default value of 100. BMC recommends setting this value to 250. 

  1. Determine the existing configuration by running the following command:
    winrm get winrm/config/winrs 
  2. Set the MaxShellsPerUser attribute by running the following command:
    winrm set winrm/config/winrs '@{MaxShellsPerUser="250"}'
  3. Restart the WinRM service on the SCCM server:
    Restart-Service winrm

Where to go from here

If you have not installed the application, install it. If you have installed the application, you are ready to set up the SCCM connector.
