Configure the SMS Provider Connection
Applies to: Patch My PC Publisher
Overview
The SMS Provider is the interface that enables all interactions with ConfigMgr, including actions performed in the ConfigMgr console and through supported APIs. The Publisher also relies on the SMS Provider to perform operations such as triggering SUP synchronizations, creating and modifying applications, and distributing content.
Configuring the SMS Provider connection is therefore a foundational step for enabling the Publisher to interact with ConfigMgr.

Connection Settings
The SMS Provider Server Name field specifies which server hosts the SMS Provider role that the Publisher will connect to.
You can enter either:
The ConfigMgr site server (most common), or
A site system that has the SMS Provider role installed.
Both options are valid, as long as the specified server is hosting the SMS Provider.
You can identify which site systems host the SMS Provider site system role by navigating to Monitoring > System Status > Component Status in the ConfigMgr console and then filtering for SMS_Provider.

When connecting to ConfigMgr, using either the Publisher or the ConfigMgr remote console, the SMS Provider you connect to isn’t always the one you specified. The site server ultimately decides which SMS Provider instance is used.
Even if multiple SMS Providers exist, the ConfigMgr site server’s boundaries and role placement determine the connection endpoint. This is the same behavior the ConfigMgr console uses when it discovers and connects to an SMS Provider.
With this in mind, if a firewall is in place between the Publisher and any SMS Provider server in the site, ensure that the Publisher server can communicate with them all using:
TCP 135 (RPC Endpoint Mapper)
Dynamic RPC ports (default TCP 49152–65535)
Restricting firewall access to only a specific site system with the SMS Provider role may result in intermittent or unexpected connection failures.
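The check below is an added example, not part of the Patch My PC documentation or tooling. It asks the server you entered in the Publisher for every SMS Provider in the site (WMI class SMS_ProviderLocation) and tests each one over DCOM, so that TCP 135 and the dynamic RPC range are both exercised. The server name is a placeholder, and the script runs as the signed-in user rather than as SYSTEM.

```powershell
# Added example. Run on the Publisher server.
$ProviderServer = 'CM01.contoso.example'      # placeholder: the server entered in the Publisher
$dcom = New-CimSessionOption -Protocol Dcom   # DCOM = RPC (TCP 135 + dynamic ports), not WinRM

function Test-SmsProviderPath {
    param([Parameter(Mandatory)][string]$Server)
    $r = [ordered]@{ Server = $Server; Tcp135 = $false; WmiOverRpc = $false; Detail = $null }
    # Step 1: the RPC Endpoint Mapper must answer on TCP 135.
    $r.Tcp135 = Test-NetConnection -ComputerName $Server -Port 135 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($r.Tcp135) {
        $session = $null
        try {
            # Step 2: a WMI query over DCOM only succeeds if the dynamic RPC
            # port handed out by the endpoint mapper is reachable as well.
            $session = New-CimSession -ComputerName $Server -SessionOption $dcom -ErrorAction Stop
            $null = Get-CimInstance -CimSession $session -Namespace 'root\sms' `
                -ClassName SMS_ProviderLocation -ErrorAction Stop
            $r.WmiOverRpc = $true
        } catch {
            # "Access denied" here means the ports are open and the account
            # lacks rights; an RPC or timeout error points at the firewall.
            $r.Detail = $_.Exception.Message
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    } else {
        $r.Detail = 'TCP 135 blocked or host unreachable'
    }
    [pscustomobject]$r
}

# Enumerate every SMS Provider registered for the site, not only the one specified.
$lookup = New-CimSession -ComputerName $ProviderServer -SessionOption $dcom -ErrorAction Stop
try {
    $providers = Get-CimInstance -CimSession $lookup -Namespace 'root\sms' `
                     -ClassName SMS_ProviderLocation -ErrorAction Stop |
                 Select-Object -ExpandProperty Machine | Sort-Object -Unique
} finally {
    Remove-CimSession -CimSession $lookup
}

$providers | ForEach-Object { Test-SmsProviderPath -Server $_ } | Format-Table -AutoSize
```

Any provider that shows Tcp135 as True and WmiOverRpc as False with an RPC error is a candidate for the intermittent failures described above.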
Required Software
To connect to the SMS Provider, the ConfigMgr Remote Console must be installed on the same device as the Publisher. If the ConfigMgr Remote Console is not installed, the Publisher displays a message when you attempt to configure the SMS Provider.

The PatchMyPC.log will also indicate when the ConfigMgr Remote Console is not installed:
An error occurred Error checking ConfigMgr connection: Unable to find the Assembly: AdminUI.WqlQueryEngine, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 [PatchMyPC_Core.Exceptions.ConfigApiException] HResult: -2146233088
Required Permissions
Access to the SMS Provider is controlled entirely by ConfigMgr security roles and scopes, not by local server or SQL permissions.
When no action is required (most common scenario)
If the Publisher is installed on the ConfigMgr site server, and that server is also hosting the SMS Provider role (the most common deployment), no additional permission configuration is required. The Publisher runs under the local SYSTEM account and connects to the SMS Provider locally, using the same path as the ConfigMgr console would.
When additional configuration is required
If the Publisher is installed remotely, the site server ultimately determines which SMS Provider instance is used. Even if Publisher is installed on a server that has the SMS Provider site system role (for example, a remote SUP), it is not guaranteed that connections will be made to that local provider. For this reason, the computer account where the Publisher is installed (DOMAIN\SERVER$) must be granted the appropriate ConfigMgr permissions, or you must configure alternate credentials using a dedicated service account.
If the Publisher detects that it is installed on the site server, the option to use alternate credentials to connect to the SMS Provider is disabled.
To satisfy these requirements, you can either:
Option 1: Import a custom ConfigMgr security role with the correct permissions.
Option 2 (Recommended): Import the Patch My PC provided security role, which includes the minimum required permissions.
Option 1: Import a Custom ConfigMgr Security Role
Copy the XML content provided below:
Save it to a file on a system where the ConfigMgr console is installed. Example file name: PatchMyPC-Publisher-SecurityRole.xml
Open the Configuration Manager console.
Navigate to Administration.
Select Security.
Click Security Roles.
Click Import Security Role.

Browse to the file created in step 2.
Confirm the security role has been created successfully.

For reference, the following permissions are configured on the Patch My PC Publisher custom security role:
Application: Read, Modify, Delete, Create, Move Object, Set Security Scope, Modify Folder
Distribution Point: Read, Copy to Distribution Point
Distribution Point Group: Read, Copy to Distribution Point Group
Folder Class: Read, Modify, Create
Security Scopes: Read
Site: Read
Software Updates: Read, Modify
Once the Patch My PC Publisher security role has been imported, it must be assigned to the account that the Publisher will use to connect to the SMS Provider. This will be either the computer account where the Publisher is installed or a dedicated service account (when alternate credentials are required).
To assign the account to the security role:
Open the ConfigMgr console.
Navigate to Administration > Security > Administrative Users.
If the account to be used by the Publisher already exists, select it and choose Properties. If the account does not exist, select Add User or Group.
Specify the account used by Publisher:
The computer account of the Publisher server (for example, DOMAIN\PUBLISHER-SERVER$) when Publisher runs under the local SYSTEM account, or
The domain service account configured in Publisher when using alternate credentials.
Assign the Patch My PC Publisher security role.
Assign the required security scopes, ensuring the account has access to All instances of the objects that are related to the assigned security roles.

Complete the wizard and apply the changes.
Restart the Patch My PC Publisher service to ensure the updated permissions are applied.
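To confirm the result of the steps above, the following added example (not Patch My PC or Microsoft code) reads the account's entry from the SMS_Admin WMI class and reports which roles and scopes it holds, flagging any role beyond the expected one. The server, site code and account values are placeholders, and the default role name is an assumption taken from the wording on this page; pass the name shown in your console if it differs.

```powershell
# Added example. Run as a ConfigMgr administrator who can read Administrative Users.
function Get-PublisherAccountRoleReview {
    param(
        [Parameter(Mandatory)][string]$ProviderServer,   # server hosting the SMS Provider
        [Parameter(Mandatory)][string]$SiteCode,         # three-character site code
        [Parameter(Mandatory)][string]$LogonName,        # DOMAIN\SERVER$ or the service account
        [string]$ExpectedRole = 'Patch My PC Publisher'  # assumption: role name as imported
    )
    # WQL string literals need backslashes doubled.
    $wqlName = $LogonName.Replace('\', '\\')
    $session = New-CimSession -ComputerName $ProviderServer `
        -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    try {
        $admins = @(Get-CimInstance -CimSession $session `
            -Namespace "root\sms\site_$SiteCode" -ClassName SMS_Admin `
            -Filter "LogonName = '$wqlName'" -ErrorAction Stop)
    } finally {
        Remove-CimSession -CimSession $session
    }
    if ($admins.Count -eq 0) {
        # The account may still get access through a group; this only checks direct entries.
        return [pscustomobject]@{
            LogonName = $LogonName; HasExpectedRole = $false
            Roles = ''; ExtraRoles = ''; Scopes = ''
            Finding = 'Not listed under Administrative Users'
        }
    }
    foreach ($a in $admins) {
        $extra = @($a.RoleNames | Where-Object { $_ -ne $ExpectedRole })
        $hasRole = $a.RoleNames -contains $ExpectedRole
        [pscustomobject]@{
            LogonName       = $a.LogonName
            HasExpectedRole = $hasRole
            Roles           = $a.RoleNames -join '; '
            ExtraRoles      = $extra -join '; '   # anything here exceeds the documented minimum
            Scopes          = $a.CategoryNames -join '; '
            Finding         = if (-not $hasRole) { 'Expected role missing' }
                              elseif ($extra.Count) { 'Holds additional roles' }
                              else { 'Only the expected role is assigned' }
        }
    }
}

# Placeholder values; replace with your own.
Get-PublisherAccountRoleReview -ProviderServer 'CM01.contoso.example' -SiteCode 'ABC' `
    -LogonName 'DOMAIN\PUBLISHER-SERVER$' | Format-List
```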
Option 2: Import Security Roles
Patch My PC provides a ConfigMgr security role in XML format that has the minimum required permissions for the Publisher to create and manage applications, distribute content, and perform software update synchronizations.
This role can be imported directly into ConfigMgr if the user logged in with the Publisher application open already has the necessary permissions to create security roles in ConfigMgr.
When importing the Patch My PC security role from the Publisher, the user currently logged in and running Publisher must have Full Administrator permissions in ConfigMgr.
Once the role has been imported, Full Administrator permissions are no longer required. The Publisher connects to the SMS Provider using the assigned role and security scopes only.
In the SMS Provider Connection form, click Import Security Role.

If the role already exists, you will be prompted to overwrite it.

The role is imported successfully.

Test Connection
To test that the Publisher has the correct permissions to the SMS Provider, click Test Connection.

Connection activity for the SMS Provider from the Publisher can be found in the %ProgramFiles%\Patch My PC\Patch My PC Publishing Service\Logs\PatchMyPC-SmsProviderConfigMgrRepository.log
