Microsoft SCCM Integration with TEM

Overview

Microsoft System Center Configuration Manager (SCCM) is an enterprise systems management platform that enables organizations to deploy software, manage updates, monitor device compliance, and enforce configuration policies across their endpoints. It provides centralized visibility and control to help maintain operational consistency and strengthen IT hygiene.

When integrated with Check Point Threat Exposure Management (TEM), SCCM becomes a security-driven enforcement tool. The integration automates IoC sharing, detects configuration gaps, and improves operating system hardening. This combined workflow enables faster detection, prioritized remediation, and consistent policy enforcement across all managed devices, improving both security posture and operational efficiency.

The integration includes Operating System Hardening: TEM surfaces misconfigurations and exposure risks, and SCCM enforces the corrective policies across managed devices. Together they improve configuration integrity, reduce the attack surface, and make endpoints more resilient.

Integrating Microsoft SCCM with TEM

Prerequisites

Active Directory user created for TEM integration

Step 1 - Creating a TEM Integration User

  1. Log in to the Azure Portal.

  2. Create a dedicated TEM user account in Active Directory.

  3. Add the created user to the local Administrators group on the Configuration Manager server:

    1. Open Computer Management.

    2. Navigate to Local Users and Groups > Groups.

    3. Open the Administrators group and click Add.

    4. Enter the newly created TEM username.

    5. Click OK.

    6. Click Apply.

    7. Click OK.
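The same account setup, scripted. This is an added example and not part of the Check Point procedure; the domain CONTOSO, the account name svc-tem, the OU path and the server name CM01 are assumptions. It needs the ActiveDirectory module (RSAT) on the host that creates the user and local administrator rights on the Configuration Manager server for the group change.

```powershell
# Added example (not from the Check Point page): creates the dedicated TEM
# integration user in Active Directory and adds it to the local Administrators
# group on the Configuration Manager server, as Step 1 describes.
# Assumed names: domain CONTOSO, account svc-tem, the OU path and server CM01.

$Domain   = 'CONTOSO'
$UserName = 'svc-tem'
$OuPath   = 'OU=Service Accounts,DC=contoso,DC=local'
$CmServer = 'CM01'

# Generate a long random password once and store it in your secrets vault;
# Step 7 needs it again when the TEM portal is configured.
$PlainPassword  = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# Service-account hygiene: the account is marked "sensitive, cannot be
# delegated" and limited to AES Kerberos tickets. The page does not require
# these two settings; they are an added hardening choice.
New-ADUser -Name $UserName -SamAccountName $UserName `
    -UserPrincipalName "$UserName@contoso.local" `
    -Path $OuPath -AccountPassword $SecurePassword -Enabled $true `
    -ChangePasswordAtLogon $false `
    -AccountNotDelegated $true `
    -KerberosEncryptionType AES128,AES256 `
    -Description 'Check Point TEM integration account (SCCM)'

# Add the user to the local Administrators group on the CM server (required by
# the page) and read the membership back to confirm the change took effect.
Invoke-Command -ComputerName $CmServer -ScriptBlock {
    param($Member)
    Add-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction Stop
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq $Member } |
        Select-Object Name, PrincipalSource, ObjectClass
} -ArgumentList "$Domain\$UserName"
```

The final query should return one row naming CONTOSO\svc-tem with PrincipalSource ActiveDirectory; an empty result means the group change did not apply. Local Administrators on the site server is a high-privilege grant, so keep this account's password in a vault and do not reuse it for anything else.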

Step 2 - Creating SCCM Security Roles

Create three new Security roles:

  • ScriptRunners

  • ScriptAuthors

  • ScriptApprovers

For each role:

  1. Open Configuration Manager.

  2. Go to Administration > Security > Security Roles.

  3. Right-click the Read-only Analyst role and select Copy.

    Note - It is mandatory to select the Read-only Analyst role.

  4. Enter one of these names for the role:

    • ScriptRunners

    • ScriptAuthors

    • ScriptApprovers

  5. Apply these permissions:

    • For ScriptRunners

      Category      Permission   State
      Collection    Run Script   Yes
      Site          Read         Yes
      SMS Scripts   Read         Yes

    • For ScriptAuthors

      Category      Permission   State
      Collection    Run Script   No
      Site          Read         Yes
      SMS Scripts   Create       Yes
      SMS Scripts   Read         Yes
      SMS Scripts   Delete       Yes
      SMS Scripts   Modify       Yes

    • For ScriptApprovers

      Category      Permission   State
      Collection    Run Script   No
      Site          Read         Yes
      SMS Scripts   Read         Yes
      SMS Scripts   Approve      Yes
      SMS Scripts   Modify       Yes

Step 3 - Assigning Roles to the TEM User

  1. Navigate to Administration > Security > Administrative Users.

  2. Click Add.

  3. Select the TEM user created in Step 1 - Creating a TEM Integration User.

  4. Assign the following three security roles:

    • ScriptRunners

    • ScriptAuthors

    • ScriptApprovers

  5. Click OK to apply the assignment.
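Steps 2 and 3 done from the Configuration Manager PowerShell module instead of the console. This is an added example, not Check Point's or Microsoft's code; the site code PS1 and the account CONTOSO\svc-tem are assumptions, and the Copy-CMSecurityRole -Description parameter and the RoleNames property of the administrative-user object are used on the assumption that they exist in your console version. The per-role permission tables (Run Script, Create/Approve/Modify on SMS Scripts) are still applied in the console as shown above; the script only creates the three role copies, binds them to the user, and reads the assignment back.

```powershell
# Added example (not from the Check Point page): copies the three script roles
# from Read-only Analyst and assigns them to the TEM user (Steps 2 and 3).
# Assumes the ConfigurationManager module installed with the console,
# site code PS1 and the account CONTOSO\svc-tem.

$SiteCode = 'PS1'
$TemUser  = 'CONTOSO\svc-tem'
$Roles    = 'ScriptRunners', 'ScriptAuthors', 'ScriptApprovers'

# The console installer sets SMS_ADMIN_UI_PATH; the module sits one level up.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

foreach ($role in $Roles) {
    if (-not (Get-CMSecurityRole -Name $role)) {
        # Copying from Read-only Analyst is mandatory per the page: the copy
        # starts with read-only rights and nothing else, and the permission
        # tables above are then added to it in the console.
        Copy-CMSecurityRole -SourceName 'Read-only Analyst' -Name $role -Description "TEM integration: $role"
    }
}

# One administrative-user object carrying all three roles.
if (-not (Get-CMAdministrativeUser -Name $TemUser)) {
    New-CMAdministrativeUser -Name $TemUser -RoleName $Roles
}

# Verify: the roles attached to the user (RoleNames is assumed to be the
# property exposing them on the returned object).
$assigned = (Get-CMAdministrativeUser -Name $TemUser).RoleNames
$missing  = $Roles | Where-Object { $_ -notin $assigned }
if ($missing) { "Missing roles for ${TemUser}: $($missing -join ', ')" }
else          { "All three script roles are assigned to $TemUser" }
```

If the verification reports a missing role, re-run the assignment from the console rather than granting a broader built-in role such as Full Administrator; the three narrow roles are what limit what the TEM account can do inside the site.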

Step 4 - Allowing Script Authors to Approve Their Own Scripts

  1. Navigate to Administration.

  2. Go to Site Configuration > Sites.

  3. Select the site and click Hierarchy Settings from the Home tab.

  4. In the General tab, clear the Script authors require additional script approver checkbox.

    Note - With this setting cleared, the TEM user, which holds both the ScriptAuthors and ScriptApprovers roles, can author and approve a script in one step, and Configuration Manager runs approved scripts in the SYSTEM context on the target devices. Treat the TEM account and its password as highly privileged and monitor script creation and approval in the site.

  5. Click OK to save.

Step 5 - Configuring Database Access

  1. Open Microsoft SQL Server Management Studio.

  2. Connect to the SQL instance hosting SCCM.

  3. Go to Security > Logins.

  4. Right-click Logins and select New Login.

  5. Search and add the TEM user.

  6. Assign permissions:

    1. For Server Roles, select public and sysadmin.

      Note - sysadmin grants full control of the SQL instance and makes the db_datareader mapping below redundant. Confirm with Check Point whether db_datareader on the site database is sufficient for your TEM version before granting sysadmin.

    2. For User Mapping,

      • In the upper section, select the SCCM database

      • Enable public and db_datareader.

  7. Click OK.
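The T-SQL equivalent of the SSMS clicks in Step 5, run through Invoke-Sqlcmd from the SqlServer module. This is an added example, not Check Point's procedure; the instance CM01\CMDB, the site database CM_PS1 and the login CONTOSO\svc-tem are assumptions. The page's procedure grants sysadmin; because that role already implies every database right, the example puts it behind a switch so you can test with db_datareader alone first.

```powershell
# Added example (not from the Check Point page): creates the Windows login for
# the TEM user, maps it into the site database as db_datareader and, only when
# asked, adds it to sysadmin as Step 5 describes. Assumed: instance CM01\CMDB,
# database CM_PS1, login CONTOSO\svc-tem. Requires the SqlServer module.
param(
    [string]$SqlInstance = 'CM01\CMDB',
    [string]$Database    = 'CM_PS1',
    [string]$TemLogin    = 'CONTOSO\svc-tem',
    [switch]$GrantSysadmin
)

# sqlcmd variables ($(login), $(db)) keep the names out of string concatenation.
$vars = @("login=$TemLogin", "db=$Database")

$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'`$(login)')
    CREATE LOGIN [`$(login)] FROM WINDOWS;           -- Windows login, no SQL password
USE [`$(db)];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'`$(login)')
    CREATE USER [`$(login)] FOR LOGIN [`$(login)];  -- user mapping into the site DB
ALTER ROLE db_datareader ADD MEMBER [`$(login)];   -- read-only on the site DB (public is implicit)
"@

$sysadmin = @"
ALTER SERVER ROLE sysadmin ADD MEMBER [`$(login)];  -- full instance control (page's setting)
"@

$check = @"
SELECT IS_SRVROLEMEMBER('sysadmin',     N'`$(login)') AS IsSysadmin,
       IS_ROLEMEMBER('db_datareader',   N'`$(login)') AS IsDataReader;
"@

Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $grant -Variable $vars -ErrorAction Stop
if ($GrantSysadmin) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sysadmin -Variable $vars -ErrorAction Stop
}

# Verify what the login actually holds; 1 = member, 0 = not a member.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $check -Variable $vars
```

Run it without -GrantSysadmin first and attempt the Step 7 connection; if TEM reports a database error, re-run with the switch. The verification row makes the outcome explicit, which matters because a login that ends up in sysadmin unexpectedly is one of the first things an attacker with the TEM credentials would use.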

Step 6 - Validating AdminService Connectivity

  1. Open a browser in Private/Incognito mode and access the AdminService using this URL:

    https://<CM Host IP or Hostname>/AdminService/wmi/SMS_Site
  2. Log in using the TEM integration user credentials.

    If the response is a JSON list of SMS_Site instances, communication and permissions are functioning correctly. If an HTTP 404 error appears, the permission assignment is incorrect. An HTTP 401 means the credentials themselves were rejected; re-check the username, domain and password before revisiting the roles.
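The same AdminService check as a script, so it can be repeated after every role or password change without a browser. This is an added example and not Check Point's tooling; the host cm01.contoso.local and the account CONTOSO\svc-tem are assumptions. The -SkipCertificateCheck switch exists only in PowerShell 7 and is meant for a lab server with a self-signed certificate; in production the AdminService certificate should validate.

```powershell
# Added example (not from the Check Point page): queries SMS_Site through the
# AdminService with the TEM user's credentials and maps the outcome to the
# cases described in Step 6. Assumed: host cm01.contoso.local, user
# CONTOSO\svc-tem. -SkipCertificateCheck requires PowerShell 7 (lab use only).
param(
    [string]$CmHost = 'cm01.contoso.local',
    [string]$User   = 'CONTOSO\svc-tem',
    [switch]$SkipCertificateCheck
)

$cred = Get-Credential -UserName $User -Message 'TEM integration user password'
$uri  = "https://$CmHost/AdminService/wmi/SMS_Site"

# AdminService authenticates with Windows (Negotiate); passing -Credential
# makes the request run as the TEM user rather than the logged-on admin.
$params = @{ Uri = $uri; Method = 'Get'; Credential = $cred; ErrorAction = 'Stop' }
if ($SkipCertificateCheck) { $params['SkipCertificateCheck'] = $true }

try {
    $resp = Invoke-RestMethod @params
    # OData shape: { "value": [ { "SiteCode": "...", "SiteName": "...", ... } ] }
    if ($resp.value -and $resp.value[0].SiteCode) {
        "OK: AdminService answered as $User; site(s): $($resp.value.SiteCode -join ', ')"
    } else {
        "Unexpected body (no SMS_Site instances); re-check the roles assigned to $User"
    }
}
catch {
    $status = [int]$_.Exception.Response.StatusCode
    switch ($status) {
        404     { "HTTP 404: the page treats this as an incorrect permission assignment (Steps 2 and 3)" }
        401     { "HTTP 401: credentials rejected; check the account name, domain and password" }
        403     { "HTTP 403: authenticated, but $User is not an administrative user in this site" }
        default { "Request failed: $($_.Exception.Message)" }
    }
}
```

Run this after Step 3 and again after Step 5, because a working AdminService login proves the role assignment but says nothing about the SQL login; the two checks together cover both credentials the TEM portal will hold.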

Step 7 - Configuring the TEM Portal

  1. Log in to the TEM portal.

  2. Go to Settings > Integrations > Catalog and select Microsoft System Center Configuration Manager.

  3. In the Connection tab, enter the following details to establish integration with SCCM:

    1. In the Connection Name field, enter a name for this integration instance.

    2. In the Username field, enter the SCCM integration user created previously.

    3. In the Password field, enter the password of the SCCM integration user.

    4. In the Host field, enter the FQDN or IP address of the Configuration Manager server.

    5. In the Domain field, specify the domain for the SCCM integration user account.

    6. In the SQL Server IP field, enter the IP address of the SQL server hosting the SCCM database.

    7. In the SQL Server User field, enter the SQL login configured with the required permissions.

    8. In the SQL Server Password field, enter the password for the SQL database user.

    9. In the Database Name field, enter the name of the SCCM database mapped during configuration.

    10. (Optional) Enable Use Windows Authentication if the SQL login is a Windows account (as in Step 5 - Configuring Database Access) rather than a SQL Server authentication login.

    11. Click Connect to validate the connection and complete the configuration.