Allow us to configure Proxy server settings for the console that is downloading Software Updates
On our Primary site server, under Admin > Site System properties, we have set the proxy settings with username and password.
In our company, Domain Admins are blocked at the proxy server from accessing the internet. My colleague, who is an SCCM admin, but not a Domain Admin, can download Software Updates and add them to a Deployment Package. I am a Domain Admin, and when I try this, it fails with: "Error: Failed to download content ID 16902216. Error %1 is not a valid Win32 application."
So, that proxy setting is used by some functions of ConfigMgr, but not all.
According to Scott Breen [MSFT]:
Configuration Manager needs to connect to the Internet to download the source files for Software Updates. This process is initiated via:
- The Configuration Manager server during the execution of an Automated Deployment Rules (ADR);
- The Configuration Manager console (in the user context on the computer where the console is running) during creation of a Software Update package.
The download process requires the computer or user account where the download originates to have access direct to the internet or through a proxy server.
The proxy server configured within Configuration Manager settings is for the server initiated downloads only - NOT the console initiated downloads.
What I would like is for the admin console to have a proxy settings section, so that for software downloads, it can used a specific user account to do the downloads. In my case, using Internet Options proxy settings is not feasible, as that account doesn't have rights to logon to the server.
Desired behaviour: Either use the proxy settings set in the Site Server properties to do the downloads, OR, allow us to specify the settings in the console (including specifying user/password there).
David Frazer commented
Whether or not it is appropriate to use a domain admin account is not the point. Being able to provide alternate proxy credentials for console-initiated Internet connections (not just update downloads) would be a useful feature.
Like many companies, we have regular accounts and dedicated admin accounts. Our admin accounts are not allowed through the proxy at all. But we are required by our InfoSec policies to use our admin accounts to access the CM Admin Console. We've traditionally relied on proxy bypass rules to allow things like software updates downloads but it's cumbersome to have to research and request a new bypass rule when a new Internet-connected feature like the Community workspace is introduced.
Being able to simply tell the console to use my regular account when connecting to the Internet would be much easier to manage and relatively future-proof.
Noam Salomon commented
Why would you use an account with domain admin rights to administer SCCM. You should not use a domain admin account for tasks that do not require domain admin rights.