Prerequisites - Intune only
These are the prerequisites for an installation of SoftwareCentral with the "Intune only" version, using Azure OpenID authentication and Entra ID (no on-premises domain).
- A server with Microsoft Windows Server 2019 or above, with "Desktop Experience" and internet access.
- Only SoftwareCentral and optionally a SQL server can be installed on the server.
- TCP Port 8080 must be free for SoftwareCentral.
- Microsoft SQL Server 2019 or later, Express or Azure SQL database. Azure databases must have auto-pause disabled.
- A local service account with local administrative permissions.
During setup, you need access to the accounts below. You will be prompted to sign on with these accounts during setup.
- A local user account with local administrative permissions on the server.
- An account with permissions to create a SQL database and add logins and users to the database server.
- An account with permissions to register an app with Microsoft Entra ID, assign the app registration with the required permissions and grant administrative consent on behalf of the organization.
Note that if using an Azure database, it must be on the same tenant as the app-registration created during setup.
Prerequisites - ConfigMgr edition
- A web server (Windows Server 2019 or above) to install SoftwareCentral and its associated services on.
- A Microsoft SQL database (SQL Server 2019, SQL Express 2019 or above or Azure SQL).
  - The SQL server and database must run the same collation.
  - Recommended collation: SQL_Latin1_General_CP1_CI_AS
  - Azure databases must have auto-pause disabled.
- A service account with the following permissions:
  - Read, write and execute permissions on the SoftwareCentral database. (This does not apply for Azure databases)
  - Read and execute permissions on all ConfigMgr site databases.
  - Local Administrative rights on the web server.
  - Log on as a service rights on the web server.
  - Act as part of the operating system permissions on the web server.
  - Replace a process level token permissions on the web server.
  - Adjust memory quotas for a process permissions on the web server.
- A local Active Directory or Entra ID group to manage administrative users for SoftwareCentral.
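The four user rights required for the service account are powerful local privileges, so after setup it is useful to confirm that the account holds them and to see who else does. The following is an added example, not SoftwareCentral's own code; the function names are hypothetical and the INF text and SIDs are constructed sample data.

```powershell
# Added example, not vendor code. Constants for the user rights listed above:
#   Log on as a service                 -> SeServiceLogonRight
#   Act as part of the operating system -> SeTcbPrivilege
#   Replace a process level token       -> SeAssignPrimaryTokenPrivilege
#   Adjust memory quotas for a process  -> SeIncreaseQuotaPrivilege
$RequiredRights = 'SeServiceLogonRight', 'SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege'

function Get-UserRightHolders {
    # Parse the [Privilege Rights] section of a secedit export into right -> SIDs.
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-ServiceAccountRights {
    # Per required right: does the account hold it, and who else does?
    param([hashtable]$Rights, [string]$AccountSid)
    foreach ($right in $RequiredRights) {
        $holders = @()
        if ($Rights.ContainsKey($right)) { $holders = @($Rights[$right]) }
        [pscustomobject]@{
            Right        = $right
            Granted      = $holders -contains $AccountSid
            OtherHolders = @($holders | Where-Object { $_ -ne $AccountSid }) -join ', '
        }
    }
}

# Constructed sample in the format of: secedit /export /cfg rights.inf /areas USER_RIGHTS
$sample = @'
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-1130
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
Revision=1
'@ -split '\r?\n'

$svcSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # hypothetical service account SID
Test-ServiceAccountRights (Get-UserRightHolders $sample) $svcSid | Format-Table -AutoSize
```

On a real server, pass `Get-Content` of the file produced by the `secedit` command in the comment (run elevated) instead of the sample.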
To install SoftwareCentral, the account that signs on to the web server must also have the following permissions:
- Local Administrative rights on the web server.
- Administrative permissions for the SoftwareCentral database. If the account does not have permissions to create a database and login, an empty database can be manually created with a login for the SoftwareCentral service account.
  - If you choose to manually create the database, use collation "SQL_Latin1_General_CP1_CI_AS".
  - The login must have read, write and execute permissions.
- If the account has access to the ConfigMgr database, the SoftwareCentral installer can create the required login and assign read and execute permissions to the ConfigMgr database. Otherwise this will have to be done manually.
- If you are using an on-prem Active Directory, the service account must also be able to read users, their group memberships, groups and their group memberships from the Active Directory. You may follow the guide here.
Windows Server minimum requirements
The minimum requirements for this server are as follows:
- Windows Server 2019 or above
- Microsoft Internet Information services (IIS) 10 or above
- Microsoft .NET Framework 4.8 or above
- IIS URL Rewrite Module 2.1 or above (Download from here)
- Dual core processor or above
- 8 GB of memory or above
- 10 GB of free disk space or above
- Microsoft SQL Server 2019 or above or Microsoft SQL Express Server 2019 or above
Hardware requirements will increase with the number of simultaneous users of SoftwareCentral. If needed, SoftwareCentral supports load balancing and SQL clusters.
Required server roles and features
The following server roles and features are required to run SoftwareCentral. They will automatically be installed during setup if they are not pre-installed.
- Web Server (IIS)
  - Web Server
    - Common HTTP Features
    - Application Development
      - ASP
      - ASP.NET 3.5
      - ASP.NET 4.8
    - Security
      - Windows Authentication (Only needed if you intend to use Windows Authentication)
- .NET Framework 4.8 Features
  - .NET Framework 4.8
  - ASP.NET 4.8
- .NET Framework 3.5 Features
Firewall ports
The following ports must be open for ConfigMgr and hybrid environments:
- 443 for HTTPS connections to the site
- 80 for the HTTP connection to the site
- 1433 for database connections
- 135 and the port range defined in the environment for WMI calls
- 2701 and 2702 for the Remote Control Tool on ConfigMgr
- 389 for LDAP or 636 for LDAPS.
- 445 to read log files on clients
- 137 UDP/TCP for network discovery
- 138 UDP for network discovery
- 139 TCP for network discovery
ConfigMgr requirements
SoftwareCentral connects to your ConfigMgr using the service account. You may also add additional service accounts after the installation for use with this connection.
The account used must have the following permissions on the ConfigMgr:
- Application
  - Read; Modify; Delete; Create; Approve; Move Object; Modify Folder; Run Report; Modify Report
- Application Group
  - Read; Modify; Delete; Set Security Scope; Create; Approve; Move Object; Modify Folder
- Boot Image Package
  - Read; Modify; Delete; Create; Move Object; Modify Folder
- Collection
  - Read; Modify; Delete; Remote Control; Modify Resource; Delete Resource; Create; View Collected File; Read Resource; Move Object; Deploy Packages; Deploy Client Settings; Modify Folder; Deploy Applications; Modify Collection Setting; Deploy Task Sequences; Run Script; Notify resource; Modify Client Status Alert
- Computer Association
  - Read; Delete; Create; Move Object; Modify Folder; Recover User State; Run Report; Modify Report
- Configuration Item
  - Read; Modify; Delete; Create
- Distribution Point
  - Read; Copy to Distribution Point
- Distribution Point Group
  - Read; Copy to Distribution Point
- Folder Class
  - Read; Modify; Delete; Create
- Package
  - Read; Modify; Delete; Create; Move Object; Modify Folder; Run Report; Modify Report
- Phased Deployments
  - Read; Modify; Delete; Create
- Query
  - Read; Modify; Delete; Create; Move Object; Modify Folder
- Site
- SMS Scripts
  - Read; Modify; Delete; Create; Move Object; Modify Folder; Approve
- Software Metering Rule
  - Read; Modify; Delete; Create; Move Object; Modify Folder; Modify Report
- Software Update Group
  - Read; Modify; Delete; Create; Move Object; Modify Folder
- Software Update Package
  - Read; Modify; Delete; Create; Move Object; Modify Folder
- Task Sequence Package
  - Read; Modify; Delete; Create; Move Object; Modify Folder; Modify Report
- User Device Affinities
  - Read; Modify; Delete; Create; Modify Report
You can import a security role with the required permissions using the following XML. In the ConfigMgr console, go to Administration -> Security -> Security Roles and select Import in the upper left corner. Copy the XML below to Notepad and save it as an .xml file. Then import the file.
ConfigMgr Security Role
<SMS_Roles>
<SMS_Role CopiedFromID="SMS0009R" RoleName="SoftwareCentral" RoleDescription="">
<Operations>
<Operation GrantedOperations="1890811559" ObjectTypeID="1" />
<Operation GrantedOperations="805446663" ObjectTypeID="2" />
<Operation GrantedOperations="524289" ObjectTypeID="6" />
<Operation GrantedOperations="140295" ObjectTypeID="7" />
<Operation GrantedOperations="537011207" ObjectTypeID="9" />
<Operation GrantedOperations="1031" ObjectTypeID="11" />
<Operation GrantedOperations="813835269" ObjectTypeID="17" />
<Operation GrantedOperations="140295" ObjectTypeID="19" />
<Operation GrantedOperations="537011207" ObjectTypeID="20" />
<Operation GrantedOperations="805448711" ObjectTypeID="31" />
<Operation GrantedOperations="536871943" ObjectTypeID="33" />
<Operation GrantedOperations="9" ObjectTypeID="42" />
<Operation GrantedOperations="9" ObjectTypeID="43" />
<Operation GrantedOperations="1031" ObjectTypeID="219" />
<Operation GrantedOperations="142359" ObjectTypeID="224" />
<Operation GrantedOperations="1031" ObjectTypeID="226" />
</Operations>
</SMS_Role>
</SMS_Roles>
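Each GrantedOperations value in the role XML is a bitmask, so a role file can be reviewed before import by expanding the masks and comparing them with a copy that has already been approved. The following is an added example, not SoftwareCentral's or Microsoft's own code; the function names are hypothetical and the candidate file is constructed for illustration. Bit values are reported as numbers because the page does not give a bit-to-permission mapping.

```powershell
# Added example, not vendor code: flag operation bits that a candidate role file
# grants beyond an approved baseline, per ObjectTypeID.
function Get-RoleMasks {
    param([xml]$RoleXml)
    $masks = @{}
    foreach ($op in $RoleXml.SMS_Roles.SMS_Role.Operations.Operation) {
        $masks[[int]$op.ObjectTypeID] = [long]$op.GrantedOperations
    }
    $masks
}

function Get-SetBits {
    # Expand a mask into the individual power-of-two values it contains.
    param([long]$Mask)
    0..31 | ForEach-Object { [long]1 -shl $_ } | Where-Object { $Mask -band $_ }
}

function Compare-RoleGrants {
    param([xml]$Baseline, [xml]$Candidate)
    $base = Get-RoleMasks $Baseline
    $cand = Get-RoleMasks $Candidate
    foreach ($id in ($cand.Keys | Sort-Object)) {
        $old = [long]0
        if ($base.ContainsKey($id)) { $old = $base[$id] }
        $added = $cand[$id] -band (-bnot $old)   # bits set now that were not set before
        if ($added) {
            [pscustomobject]@{ ObjectTypeID = $id; AddedBits = @(Get-SetBits $added) -join ', ' }
        }
    }
}

# Baseline: three Operation entries copied from the role XML above.
$baseline = @'
<SMS_Roles><SMS_Role CopiedFromID="SMS0009R" RoleName="SoftwareCentral" RoleDescription=""><Operations>
<Operation GrantedOperations="140295" ObjectTypeID="7" />
<Operation GrantedOperations="1031" ObjectTypeID="11" />
<Operation GrantedOperations="9" ObjectTypeID="42" />
</Operations></SMS_Role></SMS_Roles>
'@
# Candidate: constructed for illustration; type 42 changed from 9 to 11, type 43 added.
$candidate = $baseline.Replace('GrantedOperations="9" ObjectTypeID="42"', 'GrantedOperations="11" ObjectTypeID="42"')
$candidate = $candidate.Replace('</Operations>', '<Operation GrantedOperations="9" ObjectTypeID="43" /></Operations>')

Compare-RoleGrants -Baseline $baseline -Candidate $candidate | Format-Table -AutoSize
```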
Intune requirements
For a complete list of Intune requirements, refer to the list here: Intune Permissions
Intune requirements (For Azure OpenID authentication)
You can use Azure OpenID to authenticate users to SoftwareCentral. To do this, an Application Registration in your Azure AD is required.
This is described in detail here.