Month: December 2014

Top Level Limiting Collections for Configuration Manager 2012

Having been through quite a few CM07 to CM12 migrations over the past few years, one thing I have seen heavily used in the previous version is nested collections (subcollections), which worked much like nested groups in Active Directory. That option was removed in CM12, leaving administrators to rethink their collection hierarchy. Proper folder management is a large part of that, especially in larger organizations, but top level collections are just as important, if not more so, in the new version of Configuration Manager.

The main reason is that we use these top level collections to limit the memberships of the operational collections that we (and our support staff) use on a daily basis. We group machines by broad criteria to bound deployments and reports, and to scope security access for the people who use Configuration Manager: an administrative user who is assigned a top level collection in role-based administration can only see and act on the collections limited to it, so the limiting collection is the boundary that keeps a support technician's workstation deployment from ever reaching a server.

When creating a collection in Configuration Manager 2012, and on the Membership Rules tab afterwards, there is an option to Use incremental updates for this collection. I strongly caution against enabling it freely, as turning it on for more than a hundred collections can create drastic performance issues in your environment. As a general rule, I use incremental updates for my top level collections only. Here are a few of the top level collections that I like to implement for...
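As an added example (not code from the original post), the following Configuration Manager PowerShell script builds one top level collection with incremental updates on, one operational collection limited to it with incremental updates off, and then audits how many collections in the site have incremental updates enabled. It assumes the ConfigurationManager module from a CM 2012 SP1/R2 console, a site drive named PS1:, and the collection names shown; all of those are assumptions.

```powershell
# Added example, not from the original post. Assumes the ConfigurationManager
# PowerShell module (CM 2012 SP1/R2 console) and a site drive named "PS1:".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"    # assumed site code

$daily = New-CMSchedule -RecurInterval Days -RecurCount 1

# Top level collection: limited to All Systems, incremental updates ON.
# RefreshType Both = scheduled full evaluation plus incremental updates.
New-CMDeviceCollection -Name "All Workstations" -LimitingCollectionName "All Systems" `
    -RefreshType Both -RefreshSchedule $daily | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "All Workstations" `
    -RuleName "Workstation OS" -QueryExpression @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation%"
"@

# Operational collection for support staff: limited to the top level collection
# (so it can never contain a server, whatever its own rules say), periodic only.
New-CMDeviceCollection -Name "Deploy - Office Pilot" -LimitingCollectionName "All Workstations" `
    -RefreshType Periodic -RefreshSchedule $daily | Out-Null

# Check: which collections have incremental updates turned on?
# SMS_Collection.RefreshType: 1 = manual, 2 = periodic, 4 = incremental, 6 = both.
$incremental = Get-CMDeviceCollection | Where-Object { 4, 6 -contains $_.RefreshType }
"{0} collections use incremental updates" -f @($incremental).Count
$incremental | Select-Object Name, LimitToCollectionName, RefreshType | Sort-Object Name
```

Run the audit part on its own against an existing site first; if the count is well above the handful of top level collections you intend, switch the rest back with Set-CMDeviceCollection -RefreshType Periodic.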


Dynamic Server Collections for Managed Endpoint Protection in Configuration Manager 2012

One of the reasons I really like System Center Endpoint Protection is its ease of management. This goes double when we use it to manage servers, because we get to leverage everything Configuration Manager already holds in its database to target policies. By targeting Antimalware Policies at collections built on dynamic criteria, we create an easy to manage environment that automatically provisions exclusion and scan policies for new and existing servers. In this post I'm not going to get into creating the exclusion policies themselves; Microsoft ships policy templates for most of its server roles, and those are what we'll use. What I will show is the collections we're going to create and the order in which the policies will be applied.

To keep things clean and manageable, I like to keep my Endpoint Protection and Firewall collections together, so in the Assets and Compliance workspace we'll create a folder called Managed Servers under the Device Collections node. The first collection we'll create is for DCs, called Managed Servers – Domain Controller. Configure a Query Rule with the following statement (DomainRole 4 is a backup domain controller and 5 a primary domain controller, so >= 4 catches both):

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.DomainRole >= 4

Next is Managed Servers – DNS, with a Query Rule that checks for the service:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SERVICE...
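As an added example (not code from the original post), this script creates the Domain Controller collection from the query above, plus a member-server collection using the same DomainRole attribute, limits both to a top level server collection, moves them into the Managed Servers folder and deploys an antimalware policy to each. It assumes the ConfigurationManager module, a site drive PS1:, an existing "All Servers" top level collection, an existing "Managed Servers" folder, and policy names of the form "SCEP - <role>" saved from Microsoft's templates; the member-server clause and all of those names are my assumptions, and Start-CMAntimalwarePolicyDeployment is assumed to be available in your console version.

```powershell
# Added example, not from the original post. Assumes the ConfigurationManager
# module, site drive "PS1:", an "All Servers" top level collection, a
# "Managed Servers" device collection folder and "SCEP - <role>" policies.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"

$daily = New-CMSchedule -RecurInterval Days -RecurCount 1

# Role -> WQL where clause. The DC clause is the post's (DomainRole 4 = BDC, 5 = PDC);
# the member-server clause (DomainRole 3) is an assumption added here.
$roles = [ordered]@{
    "Domain Controller" = "SMS_G_System_COMPUTER_SYSTEM.DomainRole >= 4"
    "Member Server"     = "SMS_G_System_COMPUTER_SYSTEM.DomainRole = 3"
}

foreach ($role in $roles.Keys) {
    $name  = "Managed Servers - $role"
    $query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM
    on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
where $($roles[$role])
"@
    # Limiting to "All Servers" is the guard rail: even a wrong query here can
    # never pull a workstation under a server exclusion policy.
    $coll = New-CMDeviceCollection -Name $name -LimitingCollectionName "All Servers" `
        -RefreshType Periodic -RefreshSchedule $daily
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName $role -QueryExpression $query
    Move-CMObject -FolderPath "PS1:\DeviceCollection\Managed Servers" -InputObject $coll

    # Policy name assumed, e.g. "SCEP - Domain Controller" saved from the template.
    Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName "SCEP - $role" -CollectionName $name
}

# Check: after the next evaluation the DC collection should list exactly your DCs.
Get-CMDevice -CollectionName "Managed Servers - Domain Controller" | Select-Object Name, DeviceOS
```

Review the membership check before deploying anything broad: an exclusion policy that lands on the wrong box silently weakens antimalware coverage there, which is exactly the kind of drift that collection limiting is meant to prevent.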


Patching Images in Configuration Manager 2012 to Reduce Deployment Time

In my previous post, we went through the process of using Automatic Deployment Rules to create a fully automated patching process, complete with a pilot period, ideal for SMB customers. We're now going to take those same patches and apply them to our Gold Image. This reduces deployment time and the frequency of Gold Image rebuilds, while keeping a high initial patch level for newly deployed operating systems.

Note that for the following process to work, you must have Software Updates configured in your environment and have already used it to patch machines running the same OS as the image you wish to service, so that the applicable updates are downloaded into a deployment package. It also only works with Microsoft updates, and even then only with Component Based Servicing updates (the .cab/.msu packages DISM can apply offline), so not everything can be added with this method.

To patch our Gold Image, expand the Operating Systems node in the Software Library, click Operating System Images, then select the Gold Image. From the Ribbon, click the Schedule Updates button. I haven't patched my Windows 8.1 image yet, so there are quite a few in the screenshot. Next, Next, Finish through the rest of the pages, and the servicing process begins. We'll monitor the process from the OfflineServicingMgr.log file. As we can see, it's ultimately just using DISM to mount the WIM and inject...
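As an added example (not code from the original post), the following script does by hand what the Schedule Updates wizard drives through OfflineServicingMgr: it verifies the Authenticode signature on each staged package, mounts the WIM with the Dism PowerShell module, injects the CBS packages, lists what ended up in the image, and commits. The image path, mount directory and update staging folder are assumptions; run it elevated on a machine with the Windows 8.1/ADK Dism module.

```powershell
# Added example, not from the original post. Paths are assumptions; run elevated.
Import-Module Dism
$wim      = "D:\Images\Win81-Gold.wim"    # assumed
$mountDir = "D:\Mount\Win81"              # assumed; must exist and be empty
$updates  = Get-ChildItem "D:\Updates\Win81" -Include *.msu, *.cab -Recurse   # assumed staging folder

# Supply-chain check before touching the image: a tampered update baked into a
# gold image lands on every machine you deploy from it, so insist on a valid
# signature from a Microsoft certificate on every package.
$bad = $updates | ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.SignerCertificate.Subject -notlike '*Microsoft*' }
if ($bad) { throw "Refusing to inject untrusted packages: $($bad.Path -join ', ')" }

# Confirm which index is the Gold Image before mounting; index 1 is assumed below.
Get-WindowsImage -ImagePath $wim | Select-Object ImageIndex, ImageName
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mountDir
try {
    foreach ($u in $updates) {
        # Only CBS packages apply offline; anything else fails here rather than silently.
        try   { Add-WindowsPackage -Path $mountDir -PackagePath $u.FullName -ErrorAction Stop | Out-Null }
        catch { Write-Warning "Skipped $($u.Name): $($_.Exception.Message)" }
    }
    # Check: what is now in the image, and is anything staged rather than installed?
    Get-WindowsPackage -Path $mountDir |
        Where-Object { $_.ReleaseType -in 'Update', 'SecurityUpdate' } |
        Select-Object PackageName, PackageState | Format-Table -AutoSize
    Dismount-WindowsImage -Path $mountDir -Save
}
catch {
    # Never leave a half-serviced image mounted; discard and surface the error.
    Dismount-WindowsImage -Path $mountDir -Discard
    throw
}
```

When the wizard does this for you, the same two checks still apply: read OfflineServicingMgr.log for packages that were skipped, and redistribute the updated image to your distribution points, or the task sequence keeps deploying the old one.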
