Documentation for SCCM task sequence deployment orchestrator

Active Directory - Broker account

There should be one Active Directory broker account per Realm. As the name suggests, this account acts as an intermediary, or broker, between the SCCMTSPSI user interface and the backend infrastructure. Create the Active Directory account below.

sccmtspsi-broker-XXX  [Where XXX is the Realm name]

Add the broker account as a member of the below security group.

sccmtspsi-users-XXX [Where XXX is the Realm name]

This Active Directory account should have the following privileges [this account is the security context for the Realm]:

  • Permission to add/remove computer objects and their corresponding leaf objects in ADDS. We recommend narrowing the permission scope to specific areas (OUs) within ADDS rather than granting it at the domain level.
  • Permission to remove computer objects from SCCM. We recommend narrowing the permission scope to specific areas within SCCM. E.g. deny permission to server collections, allow access to non-server collections.
  • Permission to stage computer objects into SCCM. We recommend narrowing the permission scope to specific areas within SCCM. E.g. just “All Systems” [or one derived from that] and the Realm deployment collection “sccmtspsi-deployments-r01” [r01 is the name of the Realm].
  • Read access to the “patch”, “token” and “usmt” folders within the configuration directory (discussed later in this page).
  • Read/Write access to the logging location set in the configuration file (discussed later in this page).
  • ‘Advanced helpdesk’ or ‘Administrator’ level access to Microsoft BitLocker Administration and Monitoring services (discussed later in this page).
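The following PowerShell script is an added example, not part of the SCCMTSPSI project or this documentation, showing how the account, group membership and the ADDS and file-system parts of the list above can be provisioned for a Realm named r01 with the scope narrowed as recommended. It assumes a domain with NetBIOS name CORP, a target OU of OU=Workstations,DC=corp,DC=example, a configuration directory at \\fs01\sccmtspsi and a log path of \\fs01\sccmtspsi\logs; all of these are placeholders. The SCCM collection permissions and the MBAM role are not covered here and are assigned in the respective consoles.

```powershell
# Added example (not SCCMTSPSI project code): provision the per-Realm broker account
# and scope its ADDS / NTFS rights to the areas it actually needs.
# Assumptions (placeholders): domain CORP / corp.example, OU "OU=Workstations,...",
# config share \\fs01\sccmtspsi, log location \\fs01\sccmtspsi\logs.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Realm      = 'r01'
$Domain     = 'CORP'                                   # assumption
$BrokerSam  = "sccmtspsi-broker-$Realm"
$UsersGroup = "sccmtspsi-users-$Realm"
$TargetOU   = 'OU=Workstations,DC=corp,DC=example'     # assumption: OU the Realm may manage
$ConfigRoot = '\\fs01\sccmtspsi'                       # assumption: configuration directory
$LogPath    = '\\fs01\sccmtspsi\logs'                  # assumption: logging location from the config file

# 1. Create the broker account. The password is prompted, never stored in the script.
$Password = Read-Host -Prompt "Password for $BrokerSam" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$BrokerSam'")) {
    New-ADUser -Name $BrokerSam -SamAccountName $BrokerSam `
        -Description "SCCMTSPSI broker account for Realm $Realm" `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}
$Broker = Get-ADUser -Identity $BrokerSam

# 2. Make the broker account a member of the Realm user group.
Add-ADGroupMember -Identity $UsersGroup -Members $Broker

# 3. Delegate create/delete of "computer" objects on the Realm OU only.
#    The class GUID is read from the schema instead of being hard-coded.
$SchemaNC      = (Get-ADRootDSE).schemaNamingContext
$ComputerClass = Get-ADObject -SearchBase $SchemaNC -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID
$ComputerGuid  = [Guid]$ComputerClass.schemaIDGUID
$Sid           = $Broker.SID

$OuAcl = Get-Acl -Path "AD:\$TargetOU"
# Create and delete child objects of class computer anywhere under the OU.
$OuAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
# Delete a computer together with its leaf objects (DeleteTree), on descendant computers only.
$OuAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerGuid)))
Set-Acl -Path "AD:\$TargetOU" -AclObject $OuAcl

# 4. NTFS rights: read-only on patch/token/usmt, modify on the log location.
$Identity = "$Domain\$BrokerSam"
function Grant-FolderAccess {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
foreach ($sub in 'patch', 'token', 'usmt') {
    Grant-FolderAccess -Path (Join-Path $ConfigRoot $sub) -Rights 'ReadAndExecute'
}
Grant-FolderAccess -Path $LogPath -Rights 'Modify'

# 5. Review what the broker account ended up with on the OU before using it.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*$BrokerSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The two ActiveDirectoryAccessRule entries are deliberately object-type specific: the first allows the broker to create and delete only objects of class computer under the OU, and the second allows DeleteTree only on computer objects that already exist there, so the account cannot touch users, groups or the OU itself. The final query is the check to run after provisioning to confirm that no broader rights were inherited from elsewhere.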


DCOM hardening issue

This application fails to authenticate with WMI on the SCCM server because Microsoft has not yet applied the DCOM hardening changes to the Windows Preinstallation Environment (WinPE), so the WinPE client cannot meet the authentication level that a hardened SCCM server now requires. We are working on a different approach, but it will only be released during the first quarter of 2024. Until then, the only workaround is to uninstall the update corresponding to KB5004442.