To produce the best possible scan result using Microsoft Endpoint Configuration Manager (formerly SCCM), Software Vulnerability Manager uses a relatively broad pattern, which may lead to large amounts of data being collected. If all file data is collected, a file size of between five and ten megabytes for a single host is not uncommon, and SQL Server must be dimensioned to handle this.

This article walks you through configuring settings in Software Vulnerability Manager, SQL Server, and Microsoft Endpoint Configuration Manager, which will provide you with the most comprehensive scan while handling the data load.

Prerequisites

Microsoft Endpoint Configuration Manager integration requires that the user running the Software Vulnerability Console have certain permissions configured. Then, you can set up SCCM to scan for a broad set of file types. Follow the steps below to configure these settings.

Add permissions

The user running the Software Vulnerability Manager console must have Connect and Select rights over the SQL database of the SCCM. By default, the database is named CM_<site_code>.

To add permissions:

1. Open SQL Server Management Studio.
2. Right-click on the appropriate database, then select Properties.
3. Navigate to Permissions, then add Connect and Select.

Set up the Software Inventory Agent

After SCCM has been set up:

1. Open the SCCM console and ensure that the SCCM client (agent) is installed on the hosts to be scanned.
2. In Microsoft Endpoint Configuration Manager, go to Devices and right-click Install client.
3. Then go to Administration > Client Settings > Properties > Software Inventory.
4. Select Set Types…
5. To configure the broadest possible pattern, select File Detail: full and add the patterns *.dll, *.exe, *.ocx.

NOTE: On a standard machine, there are up to ten times more .dll files than .exe files, so when you expand the scope of the SCCM agent, expect a similar increase in the SQL database. By including the .dll files from the Windows folder, the expected database increase is three to four times.

Large inventory files

Since you are changing the SCCM software inventory to gather more metadata from your SCCM agent, it’s possible that the inventory files may exceed the maximum size allowed. All the large inventory files are from SCCM secondary servers because the software inventory task is run against packages in DP folders. SCCM collects all the data, such as .exe and.dll files, in each application package.

If the full software inventory report from the client is larger than the configured maximum size (5 MB by default), then those files will be moved to the BadSINV folder. You can increase the maximum allowable size to avoid this issue by editing the registry key below. The maximum size is defined here:

HKLM\Software\Microsoft\SMS\Components\SMS_SOFTWARE_INVENTORY_PROCESSOR\Max File Size

Then, wait for the SMS Software Inventory Processor to retry the operation.

Configure System Center Inventory Import in Software Vulnerability Manager

To configure inventory import from Microsoft Endpoint Configuration Manager:

1. Navigate to Scanning > Remote Scanning Via Software Vulnerability Manager > System Center Inventory Import.
2. Then, select Configure System Center.

3. There are two options for configuring the connection between Software Vulnerability Manager and the Microsoft Endpoint Configuration Manager database:

• Enter FQDN or IP address of your Microsoft Endpoint Configuration Manager server to automatically detect SQL settings.

Or

• Enter your database details manually.

4. Select Save.