Microsoft

SCCM/MECM Enterprise Deployment

System Center Configuration Manager deployment for large-scale cryptographic monitoring

Deployment Overview

Deploy TYCHON Quantum Readiness across thousands of Windows endpoints using Microsoft System Center Configuration Manager (SCCM/MECM) with enterprise-grade automation, scheduling, and centralized management.

πŸ“¦

Package & Distribute

SCCM Application or Package deployment

βš™οΈ

Configure & Schedule

Group Policy and Task Sequences

πŸ”„

Automate & Monitor

Maintenance Windows and Compliance

πŸ“Š

Report & Analyze

SCCM Reporting and SIEM integration

Prerequisites & Environment

SCCM/MECM Environment

Required Components

  • β€’ SCCM 2019 or newer (Current Branch)
  • β€’ Distribution Points configured for target sites
  • β€’ Software Update Point for updates
  • β€’ Reporting Services Point for analytics
  • β€’ Active Directory integrated

Required Permissions

  • β€’ Application Administrator role
  • β€’ Operating System Deployment Manager
  • β€’ Collections Administrator
  • β€’ Software Update Manager
  • β€’ Local Admin on endpoints (for EventLog)

Network & Security Requirements

Firewall Rules

  • β€’ HTTPS (443) to SCCM server
  • β€’ HTTP (80) for content download
  • β€’ WinRM (5985/5986) for PowerShell

Certificate Requirements

  • β€’ Code signing certificate
  • β€’ SCCM server certificates
  • β€’ Client authentication certs

Group Policy Settings

  • β€’ PowerShell execution policy
  • β€’ Windows Event Log settings
  • β€’ Task Scheduler permissions

Method 1: SCCM Application Deployment (Recommended)

1.1 Create SCCM Application

Navigate to Software Library β†’ Application Management β†’ Applications

Application Properties

NameTYCHON Quantum Readiness Cryptographic Monitoring
PublisherIT Security Department
Software Version1.0.42
Optional ReferenceCryptographic Asset Discovery Tool

Deployment Type Configuration

Installation Settings
  • β€’ Technology: Script Installer
  • β€’ Content Location: \\\\sccm-server\\sources\\TYCHON Quantum Readiness
  • β€’ Installation Program: powershell.exe -ExecutionPolicy Bypass -File install-sccm.ps1
  • β€’ Uninstall Program: powershell.exe -ExecutionPolicy Bypass -File uninstall-sccm.ps1
Detection Method
  • β€’ Type: Use custom script
  • β€’ Script Type: PowerShell
  • β€’ Script: Upload detection-sccm.ps1
  • β€’ Run as 32-bit: No

1.2 SCCM Installation Script (install-sccm.ps1)

# install-sccm.ps1 - SCCM Application Installation Script
param(
    [string]$InstallPath = "C:\Program Files\TYCHON Quantum Readiness",
    [string]$TaskName = "TYCHON Quantum Readiness-SCCM-Monitoring",
    [string]$LogPath = "C:\Windows\Logs\TYCHON Quantum Readiness"
)

# Exit codes for SCCM
$SUCCESS = 0
$FAILURE = 1603

try {
    Write-Host "πŸ”„ Installing TYCHON Quantum Readiness via SCCM..."
    
    # Create installation and log directories
    New-Item -ItemType Directory -Path $InstallPath -Force | Out-Null
    New-Item -ItemType Directory -Path $LogPath -Force | Out-Null
    
    # Copy binary and configuration files
    Copy-Item "certscanner.exe" -Destination "$InstallPath\certscanner.exe" -Force
    Copy-Item "sccm-config.json" -Destination "$InstallPath\config.json" -Force
    
    # Create Event Log source (requires admin privileges)
    try {
        if (![System.Diagnostics.EventLog]::SourceExists("TYCHON Quantum Readiness")) {
            New-EventLog -LogName "Application" -Source "TYCHON Quantum Readiness"
            Write-Host "βœ… Created TYCHON Quantum Readiness Event Log source"
        }
    } catch {
        Write-Host "⚠️ Event Log source creation failed: $($_.Exception.Message)"
    }
    
    # Configure Windows service (alternative to scheduled task)
    $ServicePath = "$InstallPath\certscanner.exe"
    $ServiceArgs = "-mode local -scanfilesystem -scanmemory -scanconnected -outputformat eventlog -tags `"sccm-managed,enterprise`" -daemon"
    
    # Register as Windows service for continuous monitoring
    New-Service -Name "TYCHON Quantum ReadinessService" -BinaryPathName "`"$ServicePath`" $ServiceArgs" `
        -DisplayName "TYCHON Quantum Readiness Cryptographic Monitoring" `
        -Description "Automated cryptographic asset discovery and monitoring service" `
        -StartupType Automatic -ErrorAction SilentlyContinue
    
    # Start the service
    Start-Service -Name "TYCHON Quantum ReadinessService" -ErrorAction SilentlyContinue
    
    # Alternative: Create scheduled task for systems that prefer tasks over services
    $TaskXml = @"


  
    TYCHON Quantum Readiness SCCM-managed cryptographic monitoring
    SCCM Deployment
  
  
    
      
        PT6H
      
      2025-01-01T06:00:00
      PT45M
      true
      
        1
      
    
  
  
    
      S-1-5-18
      HighestAvailable
    
  
  
    IgnoreNew
    false
    false
    true
    true
    false
    PT45M
    7
  
  
    
      $InstallPath\certscanner.exe
      -mode local -scanfilesystem -scanmemory -scanconnected -outputformat eventlog -tags "sccm-managed,scheduled-scan"
      $InstallPath
    
  

"@
    
    Register-ScheduledTask -TaskName $TaskName -Xml $TaskXml -Force
    
    # Write installation success to SCCM log
    $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - TYCHON Quantum Readiness installation completed successfully"
    Add-Content -Path "$LogPath\sccm-install.log" -Value $LogEntry
    
    Write-Host "βœ… TYCHON Quantum Readiness installed successfully"
    Write-Host "πŸ“ Installation Path: $InstallPath"
    Write-Host "πŸ”„ Service: TYCHON Quantum ReadinessService (Automatic startup)"
    Write-Host "⏰ Scheduled Task: $TaskName (Every 6 hours)"
    Write-Host "πŸ“ Logs: $LogPath"
    
    exit $SUCCESS
    
} catch {
    Write-Error "❌ Installation failed: $($_.Exception.Message)"
    $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Installation failed: $($_.Exception.Message)"
    Add-Content -Path "$LogPath\sccm-install.log" -Value $LogEntry -ErrorAction SilentlyContinue
    exit $FAILURE
}

1.3 SCCM Detection Script (detection-sccm.ps1)

# detection-sccm.ps1 - SCCM Application Detection Script
$InstallPath = "C:\Program Files\TYCHON Quantum Readiness\certscanner.exe"
$ServiceName = "TYCHON Quantum ReadinessService"
$TaskName = "TYCHON Quantum Readiness-SCCM-Monitoring"

# Check if binary exists
$BinaryExists = Test-Path $InstallPath

# Check if service exists and is configured
$ServiceExists = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$ServiceConfigured = $ServiceExists -and ($ServiceExists.StartType -eq 'Automatic')

# Check if scheduled task exists (backup monitoring method)
$TaskExists = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue

# Application is detected if:
# 1. Binary exists AND
# 2. (Service is configured OR Scheduled task exists)
if ($BinaryExists -and ($ServiceConfigured -or $TaskExists)) {
    Write-Host "TYCHON Quantum Readiness is installed and properly configured"
    
    # Log detection success for SCCM reporting
    $LogPath = "C:\Windows\Logs\TYCHON Quantum Readiness\sccm-detection.log"
    $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Detection successful: Binary=$BinaryExists, Service=$ServiceConfigured, Task=$($TaskExists -ne $null)"
    Add-Content -Path $LogPath -Value $LogEntry -ErrorAction SilentlyContinue
    
    exit 0
} else {
    Write-Host "TYCHON Quantum Readiness not properly installed or configured"
    
    # Log detection failure details
    $LogPath = "C:\Windows\Logs\TYCHON Quantum Readiness\sccm-detection.log"
    $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Detection failed: Binary=$BinaryExists, Service=$ServiceConfigured, Task=$($TaskExists -ne $null)"
    Add-Content -Path $LogPath -Value $LogEntry -ErrorAction SilentlyContinue
    
    exit 1
}

1.4 SCCM Configuration File (sccm-config.json)

{
  "deployment_method": "sccm",
  "scan_settings": {
    "default_mode": "local",
    "enable_filesystem_scan": true,
    "enable_memory_scan": true,
    "enable_connected_scan": true,
    "enable_outlook_archives": false,
    "scan_frequency": "every_6_hours",
    "maintenance_window_only": true
  },
  "output_settings": {
    "primary_format": "eventlog",
    "backup_format": "json",
    "backup_location": "C:\\Windows\\Logs\\TYCHON Quantum Readiness\\scans",
    "enable_sccm_inventory": true
  },
  "enterprise_settings": {
    "default_tags": ["sccm-managed", "enterprise-scan"],
    "enable_compliance_mode": true,
    "max_scan_duration": "30m",
    "network_throttling": true,
    "quiet_mode": true
  },
  "integration_settings": {
    "sccm_hardware_inventory": {
      "enabled": true,
      "crypto_asset_class": "CryptographicAssets",
      "certificate_class": "CertificateInventory"
    },
    "windows_event_log": {
      "source": "TYCHON Quantum Readiness",
      "event_ids": {
        "scan_start": 1001,
        "scan_complete": 1002,
        "crypto_asset_found": 1003,
        "vulnerability_detected": 1004,
        "error_occurred": 1005
      }
    }
  }
}

Method 2: SCCM Package Deployment (Legacy)

2.1 Create SCCM Package

Navigate to Software Library β†’ Application Management β†’ Packages

NameTYCHON Quantum Readiness Package v1.0.42
Version1.0.42
ManufacturerIT Security Department
LanguageEnglish
Source Directory\\\\sccm-server\\sources\\TYCHON Quantum Readiness

2.2 Create Program for Package

Program Name: Install TYCHON Quantum Readiness
Command Line: powershell.exe -ExecutionPolicy Bypass -File install-sccm.ps1
Startup Folder: (Leave blank - uses source directory)

Program Properties:
β˜‘ This program can run on any platform
β˜‘ This program can run whether or not a user is logged on  
β˜‘ Run with administrative rights
β˜‘ Allow users to view and interact with the program installation
☐ Suppress program notifications

Advanced Settings:
β˜‘ Run another program first: (None)
β˜‘ When this program is assigned to a computer: Run once for every user who logs on
☐ Only when no user is logged on
β˜‘ Run once for the system

Requirements: (None specified - runs on all Windows systems)

Step 3: Collection Management & Deployment

3.1 Create Device Collections

Collection Hierarchy Strategy

πŸ“ All Systems
   πŸ“ TYCHON Quantum Readiness Deployment Collections
      πŸ“ TYCHON Quantum Readiness-Pilot-Group (Manual, 10-50 systems)
      πŸ“ TYCHON Quantum Readiness-Servers (Query-based, Server OS)
      πŸ“ TYCHON Quantum Readiness-Workstations (Query-based, Client OS)
      πŸ“ TYCHON Quantum Readiness-Critical-Infrastructure (Manual, High-priority systems)
      πŸ“ TYCHON Quantum Readiness-Exclusions (Manual, Systems to exclude)

Sample Collection Queries

All Windows Servers: 
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Server%"
Windows 10/11 Workstations: 
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 10.0%" or SMS_R_System.OperatingSystemNameandVersion like "%Windows 11%"
Critical Security Systems (by OU): 
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName like "%Security%" or SMS_R_System.SystemOUName like "%Critical%"

3.2 Deployment Configuration

Pilot Deployment

  • β€’ Collection: TYCHON Quantum Readiness-Pilot-Group
  • β€’ Purpose: Available (user-initiated)
  • β€’ Schedule: As soon as possible
  • β€’ User Experience: Display in Software Center
  • β€’ Deadline: None (pilot testing)

Production Deployment

  • β€’ Collection: TYCHON Quantum Readiness-Servers
  • β€’ Purpose: Required
  • β€’ Schedule: After pilot validation
  • β€’ User Experience: Hide all notifications
  • β€’ Deadline: 7 days after available

3.3 Maintenance Windows Integration

# PowerShell script for SCCM maintenance window compliance
# This ensures TYCHON Quantum Readiness respects SCCM maintenance windows

$MaintenanceWindowActive = $false

# Check if we're in a maintenance window
try {
    $ActiveMW = Get-CimInstance -Namespace "root\ccm\ClientSDK" -ClassName "CCM_ServiceWindow" | 
        Where-Object { 
            $_.Type -eq 1 -and  # Software Updates maintenance window
            (Get-Date) -ge $_.StartTime -and 
            (Get-Date) -le $_.EndTime 
        }
    
    if ($ActiveMW) {
        $MaintenanceWindowActive = $true
        Write-Host "βœ… Maintenance window active - proceeding with scan"
    } else {
        Write-Host "⏸️ No active maintenance window - scan deferred"
        exit 0
    }
} catch {
    Write-Host "⚠️ Unable to check maintenance windows - proceeding with scan"
    $MaintenanceWindowActive = $true
}

# Only run scan during maintenance windows or if check failed
if ($MaintenanceWindowActive) {
    & "C:\Program Files\TYCHON Quantum Readiness\certscanner.exe" -mode local -scanfilesystem -scanmemory -scanconnected -outputformat eventlog -tags "sccm-maintenance-window"
} else {
    Write-Host "🚫 Scan skipped - outside maintenance window"
}

Step 4: Task Sequence Integration

4.1 OS Deployment Integration

Integrate TYCHON Quantum Readiness into Windows deployment task sequences for immediate post-deployment scanning:

Task Sequence Step: Install TYCHON Quantum Readiness

Step NameInstall TYCHON Quantum Readiness Security Monitoring
TypeInstall Application
ApplicationTYCHON Quantum Readiness Cryptographic Monitoring
Group/PhaseState Restore (after Windows setup)
Continue on ErrorYes (don't block deployment)

Task Sequence Step: Initial Baseline Scan

Step Name: TYCHON Quantum Readiness Initial Baseline
Type: Run Command Line
Command Line: powershell.exe -ExecutionPolicy Bypass -Command "& 'C:\Program Files\TYCHON Quantum Readiness\certscanner.exe' -mode local -scanfilesystem -scanconnected -outputformat eventlog -tags 'baseline-scan,new-deployment'"
Package: (None)
Timeout: 30 minutes
Continue on Error: Yes

4.2 Compliance Baseline Integration

# SCCM Configuration Item - TYCHON Quantum Readiness Compliance
# This ensures TYCHON Quantum Readiness is installed and running on all managed systems

# Discovery Script (PowerShell)
$InstallPath = "C:\Program Files\TYCHON Quantum Readiness\certscanner.exe"
$ServiceName = "TYCHON Quantum ReadinessService"

if ((Test-Path $InstallPath) -and (Get-Service $ServiceName -ErrorAction SilentlyContinue)) {
    return "Installed"
} else {
    return "NotInstalled" 
}

# Remediation Script (PowerShell)
try {
    # Trigger SCCM application installation
    $Application = Get-CimInstance -Namespace "root\ccm\ClientSDK" -ClassName "CCM_Application" | 
        Where-Object { $_.Name -like "*TYCHON Quantum Readiness*" }
    
    if ($Application) {
        Invoke-CimMethod -Namespace "root\ccm\ClientSDK" -ClassName "CCM_Application" -MethodName "Install" -Arguments @{
            Id = $Application.Id
            IsMachineTarget = $Application.IsMachineTarget
            IsRebootIfNeeded = $false
            Priority = "High"
            Revision = $Application.Revision
        }
        Write-Host "TYCHON Quantum Readiness installation triggered via SCCM"
        return "Remediated"
    }
} catch {
    Write-Error "Failed to trigger installation: $($_.Exception.Message)"
    return "Failed"
}

Step 5: Hardware Inventory Extension

5.1 Custom Inventory Classes

Extend SCCM hardware inventory to collect cryptographic asset data:

MOF File: TYCHON Quantum Readiness_Inventory.mof

// TYCHON Quantum Readiness_Inventory.mof - SCCM Hardware Inventory Extension

#pragma namespace("\\\\.\\root\\cimv2")
#pragma deleteclass("TYCHON Quantum Readiness_CryptographicAssets", NOFAIL)

[dynamic, provider("CIMWin32"), ClassContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\TYCHON Quantum Readiness\\Inventory")]
class TYCHON Quantum Readiness_CryptographicAssets
{
    [key] string     ComputerName;
    [key] string     AssetID;
           string     AssetType;          // "certificate", "cipher", "crypto_library"
           string     AssetName;
           string     AssetLocation;      // File path, memory address, network endpoint
           string     CipherSuite;
           string     SecurityLevel;      // "high", "medium", "low", "deprecated"
           boolean    PQCReady;
           datetime   ExpirationDate;
           datetime   LastScanned;
           string     ScanTags;
           string     RiskLevel;
           string     Recommendations;
};

#pragma namespace("\\\\.\\root\\cimv2")
#pragma deleteclass("TYCHON Quantum Readiness_ScanHistory", NOFAIL)

[dynamic, provider("CIMWin32"), ClassContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\TYCHON Quantum Readiness\\History")]
class TYCHON Quantum Readiness_ScanHistory  
{
    [key] string     ComputerName;
    [key] datetime   ScanTimestamp;
           string     ScanMode;           // "local", "remote", "hybrid"
           string     ScanScope;          // "filesystem", "memory", "connected", "outlook"
           int32      AssetsFound;
           int32      VulnerabilitiesFound;
           int32      ScanDuration;       // seconds
           string     ScanTags;
           string     ScanVersion;
           boolean    ScanSuccessful;
           string     ErrorDetails;
};

Inventory Population Script

# populate-sccm-inventory.ps1
# Populates SCCM hardware inventory from TYCHON Quantum Readiness results

param(
    [string]$ScanResultsPath = "C:\Windows\Logs\TYCHON Quantum Readiness\latest-scan.json"
)

# Registry paths for SCCM inventory classes
$InventoryPath = "HKLM:\SOFTWARE\TYCHON Quantum Readiness\Inventory"
$HistoryPath = "HKLM:\SOFTWARE\TYCHON Quantum Readiness\History"

# Create registry keys if they don't exist
New-Item -Path $InventoryPath -Force | Out-Null
New-Item -Path $HistoryPath -Force | Out-Null

try {
    # Load scan results
    if (Test-Path $ScanResultsPath) {
        $ScanData = Get-Content $ScanResultsPath | ConvertFrom-Json
        
        # Clear previous inventory
        Remove-Item -Path "$InventoryPath\*" -Force -ErrorAction SilentlyContinue
        
        # Populate cryptographic assets
        $AssetCount = 0
        foreach ($Asset in $ScanData.cryptographic_assets) {
            $AssetID = "Asset_$AssetCount"
            $AssetKey = "$InventoryPath\$AssetID"
            
            New-Item -Path $AssetKey -Force | Out-Null
            Set-ItemProperty -Path $AssetKey -Name "ComputerName" -Value $env:COMPUTERNAME
            Set-ItemProperty -Path $AssetKey -Name "AssetID" -Value $AssetID
            Set-ItemProperty -Path $AssetKey -Name "AssetType" -Value $Asset.type
            Set-ItemProperty -Path $AssetKey -Name "AssetName" -Value $Asset.name
            Set-ItemProperty -Path $AssetKey -Name "AssetLocation" -Value $Asset.location
            Set-ItemProperty -Path $AssetKey -Name "CipherSuite" -Value $Asset.cipher_suite
            Set-ItemProperty -Path $AssetKey -Name "SecurityLevel" -Value $Asset.security_level
            Set-ItemProperty -Path $AssetKey -Name "PQCReady" -Value $Asset.pqc_ready
            Set-ItemProperty -Path $AssetKey -Name "LastScanned" -Value (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
            
            $AssetCount++
        }
        
        # Populate scan history
        $HistoryKey = "$HistoryPath\$(Get-Date -Format 'yyyyMMdd_HHmmss')"
        New-Item -Path $HistoryKey -Force | Out-Null
        Set-ItemProperty -Path $HistoryKey -Name "ComputerName" -Value $env:COMPUTERNAME
        Set-ItemProperty -Path $HistoryKey -Name "ScanTimestamp" -Value (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
        Set-ItemProperty -Path $HistoryKey -Name "AssetsFound" -Value $AssetCount
        Set-ItemProperty -Path $HistoryKey -Name "ScanSuccessful" -Value $true
        
        Write-Host "βœ… SCCM inventory populated: $AssetCount assets"
    }
} catch {
    Write-Error "Failed to populate inventory: $($_.Exception.Message)"
}

Step 6: SCCM Reporting & Analytics

6.1 Custom SCCM Reports

Report: Cryptographic Asset Inventory

-- SCCM SQL Report: Cryptographic Asset Summary
SELECT 
    sys.Name0 as 'Computer Name',
    sys.Operating_System_Name_and0 as 'OS Version',
    inv.AssetType as 'Asset Type',
    COUNT(*) as 'Asset Count',
    SUM(CASE WHEN inv.SecurityLevel = 'low' THEN 1 ELSE 0 END) as 'Low Security Assets',
    SUM(CASE WHEN inv.PQCReady = 0 THEN 1 ELSE 0 END) as 'PQC Vulnerable',
    MAX(inv.LastScanned) as 'Last Scanned'
FROM v_R_System sys
LEFT JOIN v_GS_TYCHON Quantum Readiness_CryptographicAssets0 inv ON sys.ResourceID = inv.ResourceID
WHERE sys.Client0 = 1 
    AND sys.Obsolete0 = 0
    AND inv.AssetType IS NOT NULL
GROUP BY sys.Name0, sys.Operating_System_Name_and0, inv.AssetType
ORDER BY sys.Name0, inv.AssetType

Report: PQC Readiness Dashboard

-- SCCM SQL Report: Post-Quantum Cryptography Readiness
SELECT 
    sys.Name0 as 'Computer Name',
    sys.AD_Site_Name0 as 'Site',
    COUNT(*) as 'Total Crypto Assets',
    SUM(CASE WHEN inv.PQCReady = 1 THEN 1 ELSE 0 END) as 'PQC Ready',
    SUM(CASE WHEN inv.PQCReady = 0 THEN 1 ELSE 0 END) as 'PQC Vulnerable',
    CAST((SUM(CASE WHEN inv.PQCReady = 1 THEN 1 ELSE 0 END) * 100.0 / COUNT(*)) as DECIMAL(5,2)) as 'PQC Readiness %',
    MAX(history.ScanTimestamp) as 'Last Assessment'
FROM v_R_System sys
LEFT JOIN v_GS_TYCHON Quantum Readiness_CryptographicAssets0 inv ON sys.ResourceID = inv.ResourceID  
LEFT JOIN v_GS_TYCHON Quantum Readiness_ScanHistory0 history ON sys.ResourceID = history.ResourceID
WHERE sys.Client0 = 1 AND sys.Obsolete0 = 0
GROUP BY sys.Name0, sys.AD_Site_Name0
HAVING COUNT(*) > 0
ORDER BY [PQC Readiness %] ASC, sys.Name0

Report: Certificate Expiration Tracking

-- SCCM SQL Report: Certificate Expiration Monitoring  
SELECT 
    sys.Name0 as 'Computer Name',
    inv.AssetName as 'Certificate Subject',
    inv.AssetLocation as 'File Path',
    inv.ExpirationDate as 'Expiry Date',
    DATEDIFF(day, GETDATE(), inv.ExpirationDate) as 'Days Until Expiry',
    CASE 
        WHEN DATEDIFF(day, GETDATE(), inv.ExpirationDate) < 0 THEN 'EXPIRED'
        WHEN DATEDIFF(day, GETDATE(), inv.ExpirationDate) < 7 THEN 'CRITICAL'
        WHEN DATEDIFF(day, GETDATE(), inv.ExpirationDate) < 30 THEN 'WARNING'
        ELSE 'OK'
    END as 'Status',
    inv.LastScanned as 'Last Verified'
FROM v_R_System sys
INNER JOIN v_GS_TYCHON Quantum Readiness_CryptographicAssets0 inv ON sys.ResourceID = inv.ResourceID
WHERE sys.Client0 = 1 
    AND sys.Obsolete0 = 0
    AND inv.AssetType = 'certificate'
    AND inv.ExpirationDate IS NOT NULL
    AND DATEDIFF(day, GETDATE(), inv.ExpirationDate) < 90  -- Next 90 days
ORDER BY [Days Until Expiry] ASC, sys.Name0

6.2 Dashboard Integration

SCCM Console Dashboard Tiles

Deployment Status Tile
  • β€’ Systems with TYCHON Quantum Readiness installed
  • β€’ Installation success/failure rates
  • β€’ Systems pending deployment
  • β€’ Systems excluded from deployment
Security Posture Tile
  • β€’ PQC readiness percentage
  • β€’ Critical security findings
  • β€’ Certificates expiring soon
  • β€’ Weak cipher usage trends

PowerBI Integration

-- Data source query for PowerBI SCCM connector
-- This query provides data for executive cryptographic security dashboards

SELECT 
    sys.Name0 as ComputerName,
    sys.AD_Site_Name0 as Site,
    sys.Operating_System_Name_and0 as OS,
    COUNT(DISTINCT inv.AssetID) as TotalAssets,
    COUNT(DISTINCT CASE WHEN inv.SecurityLevel = 'low' THEN inv.AssetID END) as HighRiskAssets,
    COUNT(DISTINCT CASE WHEN inv.PQCReady = 0 THEN inv.AssetID END) as PQCVulnerable,
    COUNT(DISTINCT CASE WHEN inv.AssetType = 'certificate' AND DATEDIFF(day, GETDATE(), inv.ExpirationDate) < 30 THEN inv.AssetID END) as ExpiringCerts,
    MAX(history.ScanTimestamp) as LastScanDate,
    AVG(history.ScanDuration) as AvgScanDuration
FROM v_R_System sys
LEFT JOIN v_GS_TYCHON Quantum Readiness_CryptographicAssets0 inv ON sys.ResourceID = inv.ResourceID
LEFT JOIN v_GS_TYCHON Quantum Readiness_ScanHistory0 history ON sys.ResourceID = history.ResourceID  
WHERE sys.Client0 = 1 AND sys.Obsolete0 = 0
GROUP BY sys.Name0, sys.AD_Site_Name0, sys.Operating_System_Name_and0
ORDER BY sys.AD_Site_Name0, sys.Name0

Step 7: Group Policy Integration

7.1 Group Policy Configuration

Configure domain-wide settings through Group Policy for standardized TYCHON Quantum Readiness behavior:

GPO: TYCHON Quantum Readiness Enterprise Configuration

Computer Configuration
  • β€’ Administrative Templates β†’ Custom
  • β€’ Windows Settings β†’ Registry
  • β€’ Windows Settings β†’ Files
  • β€’ Windows Components β†’ Event Log Service
Registry Settings
  • β€’ HKLM\SOFTWARE\TYCHON Quantum Readiness\Policy
  • β€’ EnableAutomatedScanning: 1
  • β€’ ScanFrequency: 21600 (6 hours)
  • β€’ OutputFormat: eventlog

GPO Registry Configuration Script

# gpo-registry-config.ps1
# Deployed via Group Policy Preferences β†’ Registry

$RegistryPath = "HKLM:\SOFTWARE\TYCHON Quantum Readiness\Policy"

# Create the registry path if it doesn't exist
New-Item -Path $RegistryPath -Force | Out-Null

# Configure enterprise scanning policies
$PolicySettings = @{
    "EnableAutomatedScanning" = 1
    "ScanFrequency" = 21600              # 6 hours in seconds
    "OutputFormat" = "eventlog"
    "EnableFileSystemScan" = 1
    "EnableMemoryScan" = 1
    "EnableConnectedScan" = 1
    "EnableOutlookScan" = 0              # Disabled by default for performance
    "MaxScanDuration" = 1800             # 30 minutes max
    "ScanPriority" = "BelowNormal"       # Low system impact
    "EnableNetworkThrottling" = 1
    "ComplianceMode" = 1
    "AllowUserOverride" = 0              # Prevent end-user changes
    "CentralizedLogging" = 1
    "DefaultTags" = "sccm-managed,enterprise-policy"
}

# Apply all settings
foreach ($Setting in $PolicySettings.GetEnumerator()) {
    Set-ItemProperty -Path $RegistryPath -Name $Setting.Key -Value $Setting.Value -Type String
    Write-Host "Set $($Setting.Key) = $($Setting.Value)"
}

Write-Host "βœ… TYCHON Quantum Readiness enterprise policies configured via Group Policy"

7.2 Windows Event Log Policy

Group Policy Path: Computer Configuration β†’ Policies β†’ Administrative Templates β†’ Windows Components β†’ Event Log Service β†’ Application

Settings to Configure:
β€’ Maximum Log Size: 512 MB (increased from default 20MB)
β€’ Log Retention Method: Overwrite events as needed
β€’ Event Log Readers: Add "NT AUTHORITY\SYSTEM", SCCM service accounts
β€’ Forward Events: Yes (if using WEF for centralized collection)

Registry Values (applied via GPO):
HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
  MaxSize: 536870912 (512 MB in bytes)
  Retention: 0 (overwrite as needed)
  
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Application
  Enabled: 1
  OwningPublisher: (leave default)
  
# Allow TYCHON Quantum Readiness to write to Event Log
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\TYCHON Quantum Readiness
  EventMessageFile: C:\Windows\System32\EventCreate.exe
  TypesSupported: 7 (Error, Warning, Information)

Step 8: Enterprise Scaling & Performance

8.1 Large-Scale Deployment Strategy

Phase 1: Pilot (100 systems)

  • β€’ IT Security team computers
  • β€’ Selected servers per site
  • β€’ Manual collection assignment
  • β€’ Validation period: 2 weeks
  • β€’ Monitor performance impact

Phase 2: Servers (1,000 systems)

  • β€’ All Windows Server systems
  • β€’ Query-based collection
  • β€’ Maintenance window deployment
  • β€’ Staged by site (10% per week)
  • β€’ Enhanced monitoring enabled

Phase 3: Workstations (10,000+ systems)

  • β€’ All Windows client systems
  • β€’ Automatic collection rules
  • β€’ Business hours avoidance
  • β€’ 5% per day rollout rate
  • β€’ Performance monitoring alerts

8.2 Performance Optimization for Scale

# performance-optimization-sccm.ps1
# SCCM deployment script with enterprise performance optimizations

param(
    [int]$MaxConcurrentScans = 50,        # Limit concurrent scans per DP
    [int]$ScanDelayMinutes = 5,           # Random delay between scans
    [string]$MaintenanceWindow = "02:00-06:00"  # Preferred scan window
)

# Performance configuration for enterprise scale
$PerformanceConfig = @{
    "scan_throttling" = @{
        "max_concurrent_scans" = $MaxConcurrentScans
        "random_delay_range" = "0-$($ScanDelayMinutes * 60)"
        "preferred_window" = $MaintenanceWindow
        "cpu_priority" = "BelowNormal"
        "io_priority" = "Low"
        "memory_limit" = "100MB"
    }
    "network_optimization" = @{
        "enable_compression" = $true
        "batch_uploads" = $true
        "upload_window" = $MaintenanceWindow
        "max_bandwidth" = "1Mbps"
        "retry_attempts" = 3
    }
    "storage_optimization" = @{
        "enable_log_rotation" = $true
        "max_log_size" = "50MB"
        "compress_old_logs" = $true
        "retention_days" = 30
    }
} | ConvertTo-Json -Depth 10

# Deploy configuration to all endpoints via SCCM
$ConfigPath = "C:\Program Files\TYCHON Quantum Readiness\performance-config.json"
$PerformanceConfig | Out-File -FilePath $ConfigPath -Encoding UTF8 -Force

Write-Host "βœ… Performance configuration deployed for enterprise scale"

# Register performance counters for monitoring
$CounterScript = @"
# Custom performance counters for TYCHON Quantum Readiness monitoring
lodctr /c:"TYCHON Quantum Readiness Performance Counters" "Scans Per Hour" "Average Scan Duration" "Memory Usage MB" "Network Bandwidth Used"
"@

Invoke-Expression $CounterScript

Step 9: Advanced SCCM Integration Features

9.1 Software Metering Integration

Track TYCHON Quantum Readiness usage across the enterprise:

SCCM Console β†’ Assets and Compliance β†’ Software Metering

Create Software Metering Rule:
β€’ File Name: certscanner.exe
β€’ Original File Name: certscanner.exe  
β€’ Version: 1.0.42
β€’ Language: Any
β€’ Site Code: (Your site)

Collection Schedule:
β€’ Enable automatic software metering data collection
β€’ Summarize file usage data: Every 7 days
β€’ Delete aged summarized file usage data: After 90 days

This tracks:
- Which systems are actively running scans
- How frequently scans execute
- Resource usage patterns across sites
- Compliance with scanning policies

9.2 Compliance Settings Integration

# SCCM Configuration Baseline: TYCHON Quantum Readiness Security Compliance
# This ensures TYCHON Quantum Readiness meets enterprise security requirements

# Configuration Item 1: Installation Compliance
$CI1_Discovery = @"
# Check if TYCHON Quantum Readiness is properly installed and configured
`$InstallPath = "C:\Program Files\TYCHON Quantum Readiness\certscanner.exe"
`$ServiceName = "TYCHON Quantum ReadinessService"
`$ConfigPath = "C:\Program Files\TYCHON Quantum Readiness\config.json"

if ((Test-Path `$InstallPath) -and (Get-Service `$ServiceName -ErrorAction SilentlyContinue) -and (Test-Path `$ConfigPath)) {
    return "Compliant"
} else {
    return "NonCompliant"
}
"@

# Configuration Item 2: Recent Scan Activity
$CI2_Discovery = @"
# Check if system has recent scan activity (within last 24 hours)
`$LogName = "Application"
`$Source = "TYCHON Quantum Readiness"  
`$Hours = 24

try {
    `$RecentEvents = Get-WinEvent -FilterHashtable @{
        LogName = `$LogName
        ProviderName = `$Source
        StartTime = (Get-Date).AddHours(-`$Hours)
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    
    if (`$RecentEvents) {
        return "Compliant"
    } else {
        return "NonCompliant"
    }
} catch {
    return "NonCompliant"
}
"@

# Configuration Item 3: Security Configuration Validation
$CI3_Discovery = @"
# Validate TYCHON Quantum Readiness security configuration
`$ConfigPath = "C:\Program Files\TYCHON Quantum Readiness\config.json"

if (Test-Path `$ConfigPath) {
    `$Config = Get-Content `$ConfigPath | ConvertFrom-Json
    
    # Check security requirements
    `$SecurityCompliant = (`$Config.enterprise_settings.enable_compliance_mode -eq `$true) -and
                         (`$Config.output_settings.primary_format -eq "eventlog") -and
                         (`$Config.enterprise_settings.quiet_mode -eq `$true)
    
    if (`$SecurityCompliant) {
        return "Compliant"
    } else {
        return "NonCompliant"
    }
} else {
    return "NonCompliant"
}
"@

Write-Host "βœ… Compliance configuration items ready for SCCM baseline"

9.3 Software Updates Integration

Integrate TYCHON Quantum Readiness updates with SCCM Software Update management:

SCCM Console β†’ Software Library β†’ Software Updates β†’ Third-Party Software Update Catalogs

1. Import TYCHON Quantum Readiness Update Catalog:
   β€’ Catalog Name: TYCHON Quantum Readiness Security Updates
   β€’ Publisher: IT Security Department  
   β€’ Update Source: Internal Repository
   β€’ Sync Schedule: Weekly

2. Create Software Update Group:
   β€’ Name: TYCHON Quantum Readiness Updates
   β€’ Description: Security updates for TYCHON Quantum Readiness cryptographic monitoring
   β€’ Include: All TYCHON Quantum Readiness security updates
   
3. Automatic Deployment Rule:
   β€’ Name: TYCHON Quantum Readiness Auto-Updates
   β€’ Collection: All TYCHON Quantum Readiness Deployed Systems
   β€’ Schedule: Deploy within 7 days of release
   β€’ Maintenance Window: Yes
   β€’ User Experience: Hide in Software Center, suppress restarts

4. Update Classifications:
   β€’ Security Updates: High priority
   β€’ Feature Updates: Standard deployment
   β€’ Critical Updates: Immediate deployment

Step 10: Enterprise SIEM Integration

10.1 Windows Event Forwarding (WEF)

WEF Subscription Configuration

<!-- WEF Subscription: TYCHON Quantum Readiness-Enterprise.xml -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>TYCHON Quantum Readiness-Enterprise</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward TYCHON Quantum Readiness events from all enterprise endpoints</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Delivery Mode="push">
        <Batching>
            <MaxItems>100</MaxItems>
            <MaxLatencyTime>30000</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="300000"/>
        </PushSettings>
    </Delivery>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*[System[Provider[@Name='TYCHON Quantum Readiness']]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <ContentFormat>Events</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <PublisherName>Microsoft-Windows-EventCollector</PublisherName>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>

Deploy WEF Configuration via SCCM

# deploy-wef-config.ps1 - SCCM script for WEF client configuration

# Configure WinRM for event forwarding
Enable-PSRemoting -Force -SkipNetworkProfileCheck
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "wef-collector.domain.com" -Force

# Configure Windows Event Collector service
sc.exe config Wecsvc start= auto
Start-Service Wecsvc

# Add computer to event log readers group (via Group Policy preferred)
$GroupName = "Event Log Readers"
$ComputerAccount = "$env:COMPUTERNAME$"

try {
    Add-LocalGroupMember -Group $GroupName -Member "NT AUTHORITY\NETWORK SERVICE"
    Write-Host "βœ… Added NETWORK SERVICE to Event Log Readers"
} catch {
    Write-Host "⚠️ Event Log Readers group configuration may require Group Policy"
}

# Configure firewall for WEF (if needed)
New-NetFirewallRule -DisplayName "Windows Event Forwarding" -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow -Profile Domain

Write-Host "βœ… WEF client configuration completed"

10.2 Splunk Integration via SCCM

# Splunk Universal Forwarder Integration
# Deploy Splunk UF alongside TYCHON Quantum Readiness via SCCM for direct SIEM integration

SCCM Application: Splunk Universal Forwarder + TYCHON Quantum Readiness
Components:
  1. Splunk Universal Forwarder MSI
  2. TYCHON Quantum Readiness application  
  3. Splunk inputs.conf configuration
  4. Deployment coordination script

inputs.conf for TYCHON Quantum Readiness integration:
[WinEventLog://Application]
disabled = false
start_from = oldest
current_only = false
checkpointInterval = 5
whitelist = TYCHON Quantum Readiness

# Index TYCHON Quantum Readiness events in dedicated index
[monitor://C:\Windows\Logs\TYCHON Quantum Readiness\*.json]
disabled = false
sourcetype = certscanner:json
index = security_crypto
crcSalt = <SOURCE>

# Parse structured EventLog data
[WinEventLog://Application]
whitelist = EventCode="100[1-5]" AND Source="TYCHON Quantum Readiness"
sourcetype = certscanner:eventlog  
index = security_crypto

# Performance monitoring
[perfmon://TYCHON Quantum Readiness]
object = TYCHON Quantum Readiness
counters = Scans Per Hour; Average Scan Duration; Memory Usage MB
instances = *
interval = 300
index = infrastructure

Troubleshooting & Monitoring

Common SCCM Deployment Issues

Issue: Application installation fails with error 0x80070005
Solution: Verify SCCM client service account has local admin rights and "Log on as a service" permission
Issue: Detection script always returns "Not Installed"
Solution: Check PowerShell execution policy in Group Policy and ensure script runs as SYSTEM
Issue: Scheduled tasks not executing on target systems
Solution: Verify Task Scheduler service is running and task XML contains correct paths after deployment
Issue: High network utilization during scanning
Solution: Enable network throttling in config and stagger scan times across distribution points

SCCM Monitoring & Reporting

Built-in SCCM Reports

  • β€’ Application Deployment Status
  • β€’ Hardware Inventory History
  • β€’ Software Metering Usage
  • β€’ Compliance Baseline Results
  • β€’ Client Health Dashboard

Custom KPI Monitoring

  • β€’ Deployment success rate (target: >98%)
  • β€’ Active scanning systems (target: 100%)
  • β€’ Scan frequency compliance (target: >95%)
  • β€’ Event forwarding health (target: >99%)
  • β€’ Performance impact (target: <5% CPU)

Enterprise Success Metrics

98%
Deployment Success Rate
24/7
Continuous Monitoring
<5%
CPU Impact
10K+
Managed Endpoints

Uninstallation Script

# uninstall-sccm.ps1 - SCCM Application Uninstallation Script
param(
    [string]$InstallPath = "C:\Program Files\TYCHON Quantum Readiness",
    [string]$ServiceName = "TYCHON Quantum ReadinessService",
    [string]$TaskName = "TYCHON Quantum Readiness-SCCM-Monitoring"
)

$SUCCESS = 0
$FAILURE = 1603

try {
    Write-Host "πŸ”„ Uninstalling TYCHON Quantum Readiness via SCCM..."
    
    # Stop and remove Windows service
    try {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        sc.exe delete $ServiceName
        Write-Host "βœ… Windows service removed"
    } catch {
        Write-Host "⚠️ Service removal: $($_.Exception.Message)"
    }
    
    # Remove scheduled task
    try {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
        Write-Host "βœ… Scheduled task removed"
    } catch {
        Write-Host "⚠️ Task removal: $($_.Exception.Message)"
    }
    
    # Remove installation directory
    if (Test-Path $InstallPath) {
        Remove-Item -Path $InstallPath -Recurse -Force
        Write-Host "βœ… Installation directory removed: $InstallPath"
    }
    
    # Clean up logs (preserve for compliance if needed)
    $LogPath = "C:\Windows\Logs\TYCHON Quantum Readiness"
    if (Test-Path $LogPath) {
        # Archive logs before deletion
        $ArchivePath = "$env:TEMP\TYCHON Quantum Readiness-Logs-Archive-$(Get-Date -Format 'yyyyMMdd').zip"
        Compress-Archive -Path "$LogPath\*" -DestinationPath $ArchivePath -ErrorAction SilentlyContinue
        
        Remove-Item -Path $LogPath -Recurse -Force
        Write-Host "βœ… Logs archived to: $ArchivePath"
    }
    
    # Remove registry entries (SCCM inventory data)
    Remove-Item -Path "HKLM:\SOFTWARE\TYCHON Quantum Readiness" -Recurse -Force -ErrorAction SilentlyContinue
    
    Write-Host "βœ… TYCHON Quantum Readiness uninstalled successfully"
    exit $SUCCESS
    
} catch {
    Write-Error "❌ Uninstallation failed: $($_.Exception.Message)"
    exit $FAILURE
}