SCCM 1610 now supports inter-node content sharing without BranchCache or 3rd-party tools. The annoying part is that you have to modify the client cache ACL. I threw together some quick-n-dirty bits in a few minutes and it hasn't blown up in my face just yet. I rolled it out with a compliance baseline to some pilot systems and it seems to work.
Caution is advised, as I haven't tested it fully yet (nor checked whether Peer Cache actually works properly). It just adds the required ACE for your SCCM Network Access Account.
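# Adds an inheritable FullControl ACE for the SCCM Network Access Account (NAA)
# to the ConfigMgr client cache folder.
# Exit codes: 0 = ACE already present or added successfully,
#             1 = cache folder not found, or reading/writing the ACL failed.
#
# NOTE(review): FullControl lets the NAA modify and delete cached content and
# change permissions below the cache root, not only read it. The NAA is an
# account shared by clients across the site, so treat this as a broad grant:
# confirm against the Peer Cache documentation for your build whether a narrower
# right is enough, and keep the NAA a low-privileged domain user.

# SCCM Network Access Account. Replace the placeholder; as far as the author
# knows it cannot be queried from the client.
$NetworkUserAccount = New-Object System.Security.Principal.NTAccount("DOMAIN\User")

# Cache path as reported by the client's UIResource COM object. It is almost
# always the same location, but read it rather than hard-code it.
Try {
    $CCMCache = (New-Object -ComObject "UIResource.UIResourceMgr" -ErrorAction Stop).GetCacheInfo().Location
} Catch {
    # No usable client COM object means there is no cache path to work on.
    $CCMCache = $null
}

# NTFS ACL enums. InheritOnly combined with ContainerInherit/ObjectInherit means
# the ACE applies to subfolders and files under the cache root, not to the root
# folder itself.
$ACLFileSystemRights = [System.Security.AccessControl.FileSystemRights]::FullControl
$ACLAccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$ACLInheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$ACLPropagationFlags = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# If the cache path is unknown or is not an existing folder, quit with an error.
# Test-Path returns a boolean instead of relying on Get-Item emitting an error,
# and the empty check stops a null path from slipping past the guard.
If ([string]::IsNullOrEmpty($CCMCache) -or !(Test-Path -Path $CCMCache -PathType Container)) {
    Exit 1
}

Try {
    # Current ACL
    $ACL = Get-Acl -Path $CCMCache -ErrorAction Stop

    # Look for an ACE that matches the wanted one on every field.
    $ExistingACE = $ACL.Access | Where-Object -FilterScript {
        $_.FileSystemRights -eq $ACLFileSystemRights -and
        $_.AccessControlType -eq $ACLAccessControlType -and
        $_.IdentityReference -eq $NetworkUserAccount -and
        $_.InheritanceFlags -eq $ACLInheritanceFlags -and
        $_.PropagationFlags -eq $ACLPropagationFlags
    }

    If ($ExistingACE) {
        # ACL entry exists, nothing to change
        Exit 0
    }

    # Build the ACE and write the modified ACL back. AddAccessRule throws when
    # the account name cannot be resolved; without the Catch the script would go
    # on to Set-Acl the unchanged ACL and report success.
    $ACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($NetworkUserAccount, $ACLFileSystemRights, $ACLInheritanceFlags, $ACLPropagationFlags, $ACLAccessControlType)
    $ACL.AddAccessRule($ACE)
    Set-Acl -Path $CCMCache -AclObject $ACL -ErrorAction Stop
} Catch {
    # Any failure reading or writing the ACL is reported as non-compliant.
    Exit 1
}

Exit 0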