Overview
This post describes the firewall ports that need to be opened between an SCCM console and SCCM servers in order to use the Create Task Sequence Media wizard. I recently had to run the Create Task Sequence Media wizard from an SCCM console installed in a secure environment. All the network ports as documented by Microsoft were open but the wizard didn’t work. This post describes the requirements of the process in more detail and shows the network ports that were missing from the Microsoft documentation.
Create Media Wizard Requirements
The official list of ports used by the SCCM console are listed at https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/ports. However, this list only covers the basic SCCM console operations and does not cover the Create Task Sequence Media process.
During the media creation process the console allows the choice of various Distribution Points (DPs) in order to download the content required for the specified task sequence. An SMB connection is made to the DP’s ContentLib$ network share. All content is downloaded from the DP via SMB and not http/https as might be expected. All other console requirements (RPC) are as documented by Microsoft.
Create Media Wizard Firewall Port List
The table below shows the full list of firewall ports that need to be opened between the SCCM console and the various SCCM server systems in order to run the Create Task Sequence Media wizard. The RPC connections to the SMS provider system would be to the primary Site Server or CAS.
| Description | UDP | TCP |
| RPC (initial connection to WMI to locate provider system) | 135 | |
| RPC Endpoint Mapper | 135 | 135 |
| RPC Dynamic Ports (Windows Vista, Windows Server 2008, or later) | 49152-65535 | |
| RPC Dynamic Ports (Windows XP, Windows Server 2003) | 1025-5000 | |
| SMB to SCCM Distribution Point (For each DP where content needs to be accessed by the console) | 137, 138 | 137, 139, 445 |
