SCCM (System Center Configuration Manager), now called MECM (Microsoft Endpoint Configuration Manager), is Microsoft’s enterprise systems management platform for managing large groups of computers. It provides centralized management for deploying operating systems, applications, software updates, and configuration settings across an organization’s Windows, macOS, and Linux endpoints.
SCCM/MECM is built on top of Windows Management Instrumentation (WMI) and SQL Server, providing administrators with powerful capabilities for endpoint management, compliance enforcement, and software distribution.
What is a Site?
A Site is the fundamental building block of an SCCM/MECM hierarchy. It’s a grouping of Configuration Manager infrastructure components that manages a specific set of devices. Each site contains a site server, site database (SQL Server), and various site system roles.
Site Types:
Central Administration Site (CAS) - Top-level site in a multi-site hierarchy, used for coordination (no clients directly assigned)
Primary Site - Manages clients directly, contains the site database, can exist standalone or under a CAS
Secondary Site - Used to extend management to remote locations with bandwidth constraints, no site database (uses primary site’s database)
Each site has a unique three-character site code that identifies it within the hierarchy.
What is a Management Point?
The Management Point (MP) is a site system role that serves as the primary communication interface between SCCM/MECM clients and the site infrastructure.
Key Responsibilities:
Provides clients with policy information (what software, updates, and configurations to apply)
Receives hardware and software inventory data from clients
Processes client status messages and state messages
Provides clients with content location information (which Distribution Points have requested content)
Handles client registration and site assignment
Processes certificate requests for client authentication
Clients contact the Management Point regularly (default every 60 minutes) to check for new policy and report status. The MP queries the site database and acts as the intermediary between clients and the site server.
What is a Distribution Point?
The Distribution Point (DP) is a site system role responsible for storing and delivering content to clients. Content includes applications, software packages, software updates, operating system images, boot images, and driver packages.
Key Responsibilities:
Hosts content packages distributed from the site server
Delivers content to clients over HTTP, HTTPS, or SMB
Supports PXE boot for operating system deployment scenarios
Can leverage BranchCache, peer cache, and BITS for bandwidth optimization
Validates content integrity using package hashes
DP Variants:
Standard DP - Basic content hosting and delivery
Pull DP - Downloads content from another DP rather than from the site server (useful for remote locations)
Cloud DP - Distribution Point hosted in Azure for internet-based clients
What is the SMS Provider?
The SMS Provider is a WMI provider that acts as an intermediary between the Configuration Manager console and the site database. It’s the interface layer that enables administration.
Key Functions:
Translates Configuration Manager console requests into SQL database queries
Enforces Role-Based Access Control (RBAC) permissions
Provides the WMI namespace (root\SMS\site_<sitecode>) for scripted interactions
Handles object creation, modification, and deletion
Multiple SMS Providers can be installed for redundancy. The SMS Provider is typically installed on the site server, database server, or a dedicated server.
What is a Site System?
A Site System is any server that hosts one or more Configuration Manager site system roles. The site server itself is a site system that hosts the core site role, but other servers can be designated as site systems to host additional roles.
Common Site System Roles:
Site Server - Core role, hosts the site database and SMS Provider
Management Point - Client communication interface
Distribution Point - Content hosting and delivery
Software Update Point (SUP) - WSUS integration for patch management
Reporting Services Point - SQL Server Reporting Services (SSRS) integration
Endpoint Protection Point - Antimalware policy and definition management
Application Catalog - Self-service software portal (deprecated in newer versions)
State Migration Point - Stores user state data during OS migrations
What is the Site Database?
The Site Database is a SQL Server database that stores all Configuration Manager data for a site, including:
Client inventory (hardware and software)
Collections and membership rules
Application and package definitions
Deployment configurations
Compliance data
Site configuration and settings
The site database is the central repository that all site components query and update. Database replication occurs between sites in a hierarchy to synchronize data.
What are Collections?
Collections are logical groupings of devices or users used for targeting deployments, queries, and management operations. A collection can be dynamic (membership evaluated from query rules) or static (members added manually).
Built-in Collections:
All Systems - Contains all discovered devices
All Users - Contains all discovered users
All User Groups - Contains all discovered user groups
Collections are the primary targeting mechanism for deployments. Administrators create custom collections based on criteria like operating system, hardware specifications, AD organizational unit, installed software, or any other queryable attribute.
What is a Client?
The Configuration Manager Client is an agent installed on managed endpoints that:
Communicates with Management Points to receive policy
Downloads content from Distribution Points
Reports hardware/software inventory
Executes deployments and evaluates compliance
Sends status messages back to the site
The client runs as a service (CcmExec) and uses WMI extensively for local operations.
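A client-side check to go with the points above, added here as an example (not code from the original note): it reads the assigned site code and the current Management Point from the client's own root\ccm namespace and compares them with the values the site team expects, so a client assigned to an unknown site or talking to an unexpected MP stands out. It assumes it runs locally as an administrator on a machine with the client installed; the expected site code and MP names are placeholders for your environment.

```powershell
# Added example, not from the original note: compare a client's site assignment and
# current Management Point with the values the site team expects.
# Assumptions: run locally as an administrator on a managed endpoint; the expected
# site code and MP FQDNs are placeholders for your own environment.
function Test-CmClientAssignment {
    param(
        [Parameter(Mandatory)] [string]   $ExpectedSiteCode,   # e.g. 'P01' (placeholder)
        [Parameter(Mandatory)] [string[]] $ExpectedMPs          # FQDNs of your Management Points
    )

    # SMS_Authority holds the assigned site ("SMS:<sitecode>") and the MP the client currently uses.
    $authority = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority
    $siteCode  = $authority.Name -replace '^SMS:', ''
    $mp        = $authority.CurrentManagementPoint

    # SMS_Client exposes the agent version; CcmExec is the client service named in the note.
    $client  = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client
    $service = Get-Service -Name CcmExec -ErrorAction SilentlyContinue

    $findings = @()
    if ($siteCode -ne $ExpectedSiteCode) {
        $findings += "assigned to site '$siteCode', expected '$ExpectedSiteCode'"
    }
    if ($ExpectedMPs -notcontains $mp) {
        $findings += "using Management Point '$mp', which is not on the expected list"
    }
    if (-not $service -or $service.Status -ne 'Running') {
        $findings += 'CcmExec service is not running'
    }

    [pscustomobject]@{
        SiteCode        = $siteCode
        ManagementPoint = $mp
        ClientVersion   = $client.ClientVersion
        Healthy         = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

# Usage (placeholder values):
# Test-CmClientAssignment -ExpectedSiteCode 'P01' -ExpectedMPs 'mp01.corp.example'
```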
What is Client Push Installation?
Client Push Installation is a deployment method where the site server automatically installs the Configuration Manager client on discovered computers. The site server connects to the target using SMB and admin shares (ADMIN$) to copy client files and initiate installation.
This method requires credentials with local administrator rights on target systems, making it a high-value target from an offensive security perspective if those credentials are compromised.
Security Considerations
From a penetration testing perspective, SCCM/MECM infrastructure is a set of high-value targets:
Attack Vectors:
Credential compromise - SCCM service accounts often have elevated privileges across the environment
Client push accounts - Stored credentials used for client installation
Application deployment - Can be weaponized to deploy malicious payloads to collections
Network Access Account (NAA) - Used by clients to access DPs, often has broad network access
Administrative console - Compromising a system with console installed provides management access
SQL database access - Direct database access can expose sensitive data and enable privilege escalation
High-Value Systems:
Site servers (especially CAS and primary sites)
SMS Provider systems
Site database servers
Management Points
Systems with Configuration Manager console installed
Understanding SCCM/MECM architecture is essential for red team operations in enterprise environments, as it’s commonly present in organizations using Microsoft infrastructure and provides significant post-exploitation opportunities.
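The following is an added example (not code from the original note or from Microsoft) that ties the SMS Provider section to the High-Value Systems list above: it queries the SMS Provider's WMI namespace (root\SMS\site_<sitecode>) to inventory every site in the hierarchy and every server holding a site system role, and flags the servers whose roles the note calls high-value, so defenders can confirm which hosts need hardening and monitoring. It assumes a host with the Configuration Manager console installed, an account holding an RBAC role that can read site data, and placeholder values for $SiteCode and $ProviderHost.

```powershell
# Added example, not from the original note: inventory sites and site system roles
# through the SMS Provider's WMI namespace and flag the note's high-value roles.
# Assumptions: a console host with access to the SMS Provider, an account whose RBAC
# role can read site data, and placeholder $SiteCode / $ProviderHost values.
function Get-CmSiteSystemInventory {
    param(
        [Parameter(Mandatory)] [string] $SiteCode,   # three-character site code, e.g. 'P01' (placeholder)
        [string] $ProviderHost = 'localhost'         # server hosting the SMS Provider
    )

    $ns = "root\SMS\site_$SiteCode"

    # SMS_Site: one row per site in the hierarchy. Type 1 = secondary, 2 = primary, 4 = CAS.
    $siteType = @{ 1 = 'Secondary'; 2 = 'Primary'; 4 = 'CAS' }
    $sites = Get-CimInstance -ComputerName $ProviderHost -Namespace $ns -ClassName SMS_Site |
        ForEach-Object {
            [pscustomobject]@{ SiteCode = $_.SiteCode; Name = $_.SiteName; Type = $siteType[[int]$_.Type] }
        }

    # Role names for the systems the Security Considerations section lists as high-value.
    $highValue = @('SMS Site Server', 'SMS Provider', 'SMS SQL Server',
                   'SMS Management Point', 'SMS Software Update Point')

    # SMS_SystemResourceList: one row per (server, role) pair across the hierarchy.
    $siteSystems = Get-CimInstance -ComputerName $ProviderHost -Namespace $ns -ClassName SMS_SystemResourceList |
        Group-Object -Property ServerName | ForEach-Object {
            $names = $_.Group.RoleName | Sort-Object -Unique
            [pscustomobject]@{
                Server    = $_.Name
                SiteCode  = ($_.Group.SiteCode | Sort-Object -Unique) -join ','
                Roles     = $names -join '; '
                HighValue = [bool]($names | Where-Object { $highValue -contains $_ })
            }
        }

    [pscustomobject]@{ Sites = $sites; SiteSystems = $siteSystems }
}

# Usage (placeholder site code):
# $inv = Get-CmSiteSystemInventory -SiteCode 'P01'
# $inv.Sites | Format-Table
# $inv.SiteSystems | Where-Object HighValue | Format-Table -AutoSize
```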