Beginner Guide – How to populate device collection with the help of AD groups

 

I’ve wanted to try out and make guides in a video format for some time, mainly because some things are easier to show in a video and it takes less time to prepare compared to writing a full blog post about it. So this is my first attempt and I will definitely change some things for the next ones. It’s all trial and error and my first YouTube video ever.

 

What do we want to achieve?

We want to be able to link Active Directory groups directly to device collections, so if we add a computer to an Active Directory group it will sync and then be added to the device collection we linked the AD group with. It’s very simple and here’s how it’s done:

 

 

Here’s the WQL query mentioned in the guide:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SecurityGroupName = "COMPANY\\Special group"

 

 


Cheers,  Timmy

 

Alternative workaround if SUP Endpoint definition deployment fails

 

There will come a day when something isn’t working as it should any more. When that day arrives we have to be able to assess the situation and be prepared to take the necessary action to solve it. A big part of our job as administrators is to solve problems and come up with solutions. One important thing to always consider when troubleshooting is whether there’s another way to achieve the same result, different from what just broke: a temporary workaround until you have figured out what the actual cause of the problem is and how to fix it.

In this scenario we are playing with the idea that ADR is broken, or just that Endpoint Protection definitions aren’t being deployed successfully any more, and after some brief troubleshooting one realizes that it will probably take some time until the cause of the problem is found. What do you do in the meantime?

 

Goal

We want an alternative way of getting the latest Endpoint Protection definitions and deploying them to all the machines needed on a set schedule, so we get the same result as if the ordinary definition deployment was working properly. We will do this with the help of ConfigMgr, PowerShell and Scheduled Tasks.

 

In ConfigMgr we will make a package containing the latest definitions to be deployed. With PowerShell we will get the latest definitions and then update the package source files when there are new ones, and we will make a scheduled task to run this PowerShell script 3 times a day, every 8 hours.

 

The Script


# Configuration and variables

[String]$SourcePath = "D:\Packages\Endpoint Definitions"
$DeploymentPackage = ("Endpoint Definition Delta x64", "Endpoint Definition Delta x86")

[String]$FullDefExe = "mpam-fe.exe"
[String]$DeltaDefExe = "mpam-d.exe"
[String]$NisDefExe = "nis_full.exe"

# Path to the ConfigMgr console module that provides the SCCM cmdlets
[String]$SCCMmodule = "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
Import-Module $SCCMmodule

# Creating folder structure

$Allpaths = "$Sourcepath\x64\Full", "$Sourcepath\x64\Delta", "$Sourcepath\x64\Nis", "$Sourcepath\x86\Full", "$Sourcepath\x86\Delta", "$Sourcepath\x86\Nis"
Foreach ($Paths in $Allpaths)
{
    # Only create the folder when it does not exist yet
    If (-not (Test-Path "$Paths"))
    {
        New-Item -Path $Paths -ItemType Directory
    }
}

# Downloading updates (each pair is: download URL, destination file)

$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

$WebClient = New-Object System.Net.WebClient

$WebClient.DownloadFile($Fullx64[0], $Fullx64[1])
$WebClient.DownloadFile($Fullx86[0], $Fullx86[1])

$WebClient.DownloadFile($Deltax64[0], $Deltax64[1])
$WebClient.DownloadFile($Deltax86[0], $Deltax86[1])

$WebClient.DownloadFile($Nisx64[0], $Nisx64[1])
$WebClient.DownloadFile($Nisx86[0], $Nisx86[1])

# Update distribution point with latest patches; don't forget to modify the Set-Location to the correct site code

Set-Location TS1:

Foreach ($Package in $DeploymentPackage)
{
    Update-CMDistributionPoint -PackageName $Package
}

WordPress is messing with me and I’m not sure why. WP is adding what looks like HTML characters to the variables containing URLs, “<a href=“, but that’s only when I post the full script. Under the dissecting part it doesn’t. The characters do not appear in the text editor at all. This is not the first time WP is adding unwanted characters in the code snippets, but generally they appear while editing and can be removed manually; this time the characters don’t show up until it’s published and I can’t remove them. If anyone has an idea how to fix this, please let me know.

 

Here’s the code in plain text

 

$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

 

Dissecting the script

 

We start out with these 2 variables you need to modify:

$DeploymentPackage you need to change to the name of the package you created that will be deployed (but you need to download the files before you create your package; more on that in the examples section).

$SourcePath is the actual path to the source files. You just need to create the root folder and the script will create the rest.

 


$DeploymentPackage = ("Endpoint Definition Delta x64" ,"Endpoint Definition Delta x86")
[String]$SourcePath = "D:\Packages\Endpoint Definitions"

 

The next section needs only 1 change, and that’s $SCCMmodule: set it to the path where you have installed SCCM, pointing to the ConfigurationManager.psd1 file that contains all the SCCM 2012 PowerShell cmdlets.

 


[String]$FullDefExe = "mpam-fe.exe"
[String]$DeltaDefExe = "mpam-d.exe"
[String]$NisDefExe = "nis_full.exe"

[String]$SCCMmodule = "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
Import-Module $SCCMmodule

 

Next up is the creation of the subfolders in the source path you specified earlier in the $SourcePath variable; there’s no need for modification here.

 


# Creating folder structure

$Allpaths = "$Sourcepath\x64\Full", "$Sourcepath\x64\Delta", "$Sourcepath\x64\Nis", "$Sourcepath\x86\Full", "$Sourcepath\x86\Delta", "$Sourcepath\x86\Nis"
Foreach ($Paths in $Allpaths)
{
    # Only create the folder when it does not exist yet
    If (-not (Test-Path "$Paths"))
    {
        New-Item -Path $Paths -ItemType Directory
    }
}

 

The following section downloads the definitions to the correct folder.

 


$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

$WebClient = New-object System.Net.WebClient

$WebClient.DownloadFile($Fullx64[0], $Fullx64[1])
$WebClient.DownloadFile($Fullx86[0], $Fullx86[1])

$WebClient.DownloadFile($Deltax64[0], $Deltax64[1])
$WebClient.DownloadFile($Deltax86[0], $Deltax86[1])

$WebClient.DownloadFile($Nisx64[0], $Nisx64[1])
$WebClient.DownloadFile($Nisx86[0], $Nisx86[1])

 

And the last step will update the distribution point with the latest files that have been downloaded. Don’t forget to modify the Set-Location to your site code.

 


Set-Location TS1:

Foreach ($Package in $DeploymentPackage)
{
Update-CMDistributionPoint -PackageName $Package
}
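
The script pushes whatever the download step left in the source folder straight to the distribution points. As an added example (not part of the original script), this check can sit between the download step and Update-CMDistributionPoint: it verifies the Authenticode signature of each downloaded file and flags files the last run did not refresh. Test-DefinitionFiles, the expected signer string and the 9-hour age limit are assumptions of this example; $SourcePath and $DeploymentPackage are the script's own variables.

```powershell
# Added example, not part of the original script. Test-DefinitionFiles is a
# hypothetical helper name. Run it after the download step of the script, so
# $SourcePath and $DeploymentPackage are already defined.

function Test-DefinitionFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SourcePath,

        # Assumption: the definition packages are signed with a certificate
        # whose subject names Microsoft Corporation.
        [string]$ExpectedSigner = 'O=Microsoft Corporation',

        # Assumption: the task runs every 8 hours, so a file older than this
        # was not replaced by the last download.
        [int]$MaxAgeHours = 9
    )

    $files = @(Get-ChildItem -Path $SourcePath -Recurse -Filter '*.exe' |
               Where-Object { -not $_.PSIsContainer })
    if ($files.Count -eq 0) {
        Write-Warning "No definition files found under $SourcePath"
        return $false
    }

    $allGood = $true
    foreach ($file in $files) {
        $problems = @()

        # Authenticode check: the file must carry a valid, trusted signature
        # from the expected publisher.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if ($sig.Status -ne 'Valid') {
            $problems += "signature status is $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
            $problems += "unexpected signer: $($sig.SignerCertificate.Subject)"
        }

        # Freshness check: a failed download can leave the previous file behind.
        $ageHours = ((Get-Date) - $file.LastWriteTime).TotalHours
        if ($ageHours -gt $MaxAgeHours) {
            $problems += ('last written {0:N1} hours ago' -f $ageHours)
        }

        if ($problems.Count -gt 0) {
            $allGood = $false
            Write-Warning ('{0}: {1}' -f $file.FullName, ($problems -join '; '))
        }
    }
    return $allGood
}

# Used in place of the script's last step (ConfigurationManager module loaded).
if (Test-DefinitionFiles -SourcePath $SourcePath) {
    Set-Location TS1:
    foreach ($Package in $DeploymentPackage) {
        Update-CMDistributionPoint -PackageName $Package
    }
}
else {
    Write-Error 'Definition files failed validation; distribution points not updated.'
    exit 1
}
```

The non-zero exit code shows up as the last run result of the scheduled task, so a rejected download is visible without opening a log.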

 

 

Example

 

Here I will go through all the steps necessary to set up and make this work.

 

Start with creating your empty source folder


Then run this part of the script, modifying the $SourcePath variable to the empty source folder you just created, and don’t forget to change the $SCCMmodule variable to the path where you have ConfigMgr installed.

 

If you want to see what the latest definitions are, you can do that here: https://www.microsoft.com/security/portal/definitions/whatsnew.aspx

 

# Configuration and variables
$DeploymentPackage = ("Endpoint Definition Delta x64" ,"Endpoint Definition Delta x86")
[String]$SourcePath = "D:\Packages\Endpoint Definitions"

[String]$FullDefExe = "mpam-fe.exe"
[String]$DeltaDefExe = "mpam-d.exe"
[String]$NisDefExe = "nis_full.exe"

[String]$SCCMmodule = "D:\program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"
Import-Module $SCCMmodule



# Creating folder structure and downloading files

$Allpaths = "$Sourcepath\x64\Full", "$Sourcepath\x64\Delta", "$Sourcepath\x64\Nis", "$Sourcepath\x86\Full", "$Sourcepath\x86\Delta", "$Sourcepath\x86\Nis"
Foreach ($Paths in $Allpaths)
{
    # Only create the folder when it does not exist yet
    If (-not (Test-Path "$Paths"))
    {
        New-Item -Path $Paths -ItemType Directory
    }
}

# Downloading Updates
$Fullx64 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64", "$($SourcePath)\x64\Full\$FullDefExe")
$Deltax64 = ("http://go.microsoft.com/fwlink/?LinkId=211054", "$($SourcePath)\x64\Delta\$DeltaDefExe")
$Nisx64 = ("http://go.microsoft.com/fwlink/?LinkId=197094", "$($SourcePath)\x64\Nis\$NisDefExe")

$Fullx86 = ("http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86", "$($SourcePath)\x86\Full\$FullDefExe")
$Deltax86 = ("http://go.microsoft.com/fwlink/?LinkId=211053", "$($SourcePath)\x86\Delta\$DeltaDefExe")
$Nisx86 = ("http://go.microsoft.com/fwlink/?LinkId=197095", "$($SourcePath)\x86\Nis\$NisDefExe")

$WebClient = New-object System.Net.WebClient

$WebClient.DownloadFile($Fullx64[0], $Fullx64[1])
$WebClient.DownloadFile($Fullx86[0], $Fullx86[1])

$WebClient.DownloadFile($Deltax64[0], $Deltax64[1])
$WebClient.DownloadFile($Deltax86[0], $Deltax86[1])

$WebClient.DownloadFile($Nisx64[0], $Nisx64[1])
$WebClient.DownloadFile($Nisx86[0], $Nisx86[1])


 

When that’s done the source folder should be populated with the different definitions.

 


If you want both x86 and x64 definitions, create 2 packages. In this example I’m just planning to deploy the delta definitions.

 


The next step is to set a custom interval under scheduling so these packages will run every 12 hours.

 


Next up is to create a scheduled task that will run the PowerShell script so we can get the latest definitions and update the package in SCCM. Before we do that, we will create a .BAT script for the scheduled task to trigger, which in turn triggers the PowerShell script. This is because, in my own experience, triggering a PowerShell script directly from a scheduled task is a bit iffy and it’s just more reliable to trigger a BAT script that triggers the PowerShell script.

 

I will create the BAT script in C:\temp, where I also have my PowerShell script, and make it execute the following command:

 


powershell.exe -ExecutionPolicy Bypass -Command "C:\temp\SCEPDef.ps1"

 


Now let’s go to the Task Scheduler and create an advanced task that will run every 8 hours, so we always have the latest definitions since Microsoft releases new definitions 3 times a day.

 


Triggers will be

 

2-8

 

And Actions will trigger the .BAT script we created earlier.



After that we are pretty much set. Don’t forget to point the source files on the package to the correct directory of the definition you want to deploy; you do this by right-clicking on the package and choosing Properties.

 


After all of this you can just run the scheduled task for the first time and it will download the latest definitions and update the distribution points with the latest files, and it will continue to do that every time the scheduled task runs. If you have the Configuration Manager R2 toolkit installed you can check this with the Content Library Explorer as seen below; if you look at the Time modified column you can compare that date with the actual files in the source folder and see which file is on the distribution point.

 

1-8 1-9

 

This is all for now and I hope this can come in handy for someone out there. If you liked this post or know someone who would, then feel free to share this post.

Cheers Timmy.

 


Guide – Configuration Item with Powershell discovery and remediation – String Compliance

This is a guide for Configuration Items and PowerShell. If you are new to Configuration Items and baselines I recommend you look at my previous blog posts, which are more of an overview; in this post I will go more into depth on PowerShell discovery and remediation with a String compliance rule.

SCCM – Assets & Compliance – Compliance settings – Configuration Item

SCCM – Assets & Compliance – Compliance settings – Configuration Baseline

 

Foreword

So I’m not really sure where to start, but when I first learned about configuration baselines and that you could use scripts, and specifically PowerShell, I was totally stoked. I thought to myself, OMG, there’s no limit to what one can do with this, and that is probably the case, but there are some caveats also. If you search for configuration baseline and PowerShell you will encounter a few posts about how it doesn’t work or that it works in very odd ways sometimes, and that is true; I have had my own problems with this, but that was also partly my lack of knowledge until I started to investigate it further. With these guides I’m planning to show you the ways that work, and hopefully you can make your own scripts and remediations.

 

And this is directly taken from Microsoft and it shows what kind of outputs ConfigMgr is looking for when using scripts

 

stderr

 

Goal

So the goal is to make a Configuration Item that has a discovery PowerShell script that looks for a certain folder, and if it doesn’t exist we will trigger a PowerShell remediation script that creates the said folder.

 

Let’s get started

As for the discovery script further down in this post, I’m trying to find a specific folder. This could also be done with the File system setting type, as shown below, but I’m only doing this to show how it would work if you wanted to use PowerShell.

 

13

Configuration Item properties

First of all we need to set the properties to “Setting Type – Script” and “Data type – String” for this example, and then we need to make a PowerShell script for both the Discovery Script and the Remediation Script.

 


Discovery Script

 

 


The script tries to find the folder TopSecret in C:\temp and puts the result into the variable $Topsecret. The next step is the IF statement that asks if $Topsecret contains anything; if it doesn’t, it will populate the $Compliance variable with the string No, and if it does contain something, meaning that the folder exists, it will populate $Compliance with the string Yes. At the end we output the result by just calling the $Compliance variable so that ConfigMgr can get the result of our query.

 

 


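# -ErrorAction SilentlyContinue keeps a missing folder from writing an error record
$Topsecret = (Get-Item C:\temp\TopSecret -ErrorAction SilentlyContinue)

if ($Topsecret -eq $null)
    {$Compliance = "No"}
Else
    {$Compliance = "Yes"}

# Output the result so ConfigMgr can read it
$Compliance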

 

Compliance Setting

Here’s the compliance rule. We have selected the Rule type as Value, and then “The value returned by the specific script:” is set to “Equal” and the actual value itself to “Yes”. If the result is anything other than Yes, it will trigger an alert and remediation.

 


You have to configure the deployment properties to “Remediate noncompliant rules when supported”; if you forget to activate this, your remediation won’t trigger. Also use “Allow remediation outside of maintenance window” if that’s suitable for your specific needs.

 


Remediation Script

 

 


Creates a new Folder called TopSecretRemediation


New-Item -Path C:\temp -ItemType Directory -Name TopSecretRemediation
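
The discovery, compliance rule and remediation steps above can be rehearsed locally before the Configuration Item is deployed. This is an added example, not from the original post: Invoke-Discovery and Invoke-CiDryRun are hypothetical helpers (not ConfigMgr cmdlets), the folder under $env:TEMP is a constructed stand-in for C:\temp\TopSecret, and here the remediation creates the same folder the discovery tests. The dry run treats any error-stream output from discovery as a failed evaluation; that strictness is an assumption of this example.

```powershell
# Added example, not from the original post. It only imitates the
# evaluate -> remediate -> re-evaluate cycle of a script-based CI.

# Constructed test path standing in for C:\temp\TopSecret.
$Folder = Join-Path $env:TEMP 'TopSecret-dryrun'

# Discovery: emits exactly one string and never writes an error record.
$Discovery = {
    param($Path)
    if (Test-Path -LiteralPath $Path -PathType Container) { 'Yes' } else { 'No' }
}

# Remediation: creates the folder the discovery script tests for.
$Remediation = {
    param($Path)
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
}

function Invoke-Discovery {
    param([scriptblock]$Script, [string]$Path)

    # Merge the error stream into the output so both can be inspected.
    $all    = @(& $Script $Path 2>&1)
    $errors = @($all | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] })
    $values = @($all | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] })

    if ($errors.Count -gt 0) { return "FAILED: error output ($($errors[0]))" }
    if ($values.Count -ne 1) { return "FAILED: expected 1 value, got $($values.Count)" }
    return [string]$values[0]
}

function Invoke-CiDryRun {
    param(
        [scriptblock]$Discovery,
        [scriptblock]$Remediation,
        [string]$Path,
        [string]$Expected = 'Yes'   # the compliance rule: value Equals "Yes"
    )

    $before     = Invoke-Discovery -Script $Discovery -Path $Path
    $after      = $before
    $remediated = $false

    # Remediate only on a clean noncompliant answer, never on a failed script.
    if ($before -ne $Expected -and $before -notlike 'FAILED*') {
        & $Remediation $Path
        $remediated = $true
        $after = Invoke-Discovery -Script $Discovery -Path $Path
    }

    New-Object PSObject -Property @{
        Before     = $before
        Remediated = $remediated
        After      = $after
        Compliant  = ($after -eq $Expected)
    }
}

# Run 1: quiet discovery against a folder that does not exist yet.
if (Test-Path -LiteralPath $Folder) { Remove-Item -LiteralPath $Folder -Force }
Invoke-CiDryRun -Discovery $Discovery -Remediation $Remediation -Path $Folder

# Run 2: a discovery script that lets Get-Item report the missing folder on
# the error stream, for comparison.
$Noisy = { param($Path) if ($null -eq (Get-Item $Path)) { 'No' } else { 'Yes' } }
Remove-Item -LiteralPath $Folder -Force
Invoke-CiDryRun -Discovery $Noisy -Remediation $Remediation -Path $Folder
```

Comparing the Before and After columns of the two runs shows whether a discovery script returns a clean value for the compliance rule or fails before the rule is ever compared.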

 

Deployment

Once deployed you just need to wait for the evaluation to run, which by default is set to every hour, or check out my blog post on how to trigger baseline evaluation remotely here. Once the evaluation is done you can check the report on the client to see if it’s compliant or not. To access this report open up a cmd window, type control smscfgrc, go to “Configurations”, mark the baseline you want and click “View report”.

 


In the report you will see if it’s compliant or not, and in the lower right corner you can see the remediation and what’s been done.

 


That’s all for now, Cheers Timmy

 

SCCM – Assets & Compliance – Compliance settings – Configuration Baseline

Compliance Settings

Compliance Settings help you make sure that resources in your environment are compliant with a standard and/or criteria you set. There are many built-in features, like being able to check registry keys/values, file system (file version, date, folder, etc.), Active Directory query, SQL query, WQL query and more. If that won’t help you then there’s also the option of creating your own script in, for example, VB and PowerShell to help you determine if the node is compliant with the setting you are looking for (Freaking awesome!). If you know what you are looking for then there’s pretty much nothing stopping you from finding it.

If a node or device collection is not compliant with the setting/criteria, you have the option to set it to alert and it will show up under “Monitoring – Alert”, or if you have an SMTP server available you can configure SCCM to send an email alert to specified receivers. One could also configure auto remediation for the setting.

Compliance Settings is a giant rabbit hole to explore, but I’m going to go through some of the basics in the coming blogs; as I mentioned earlier, the key thing is that you know what you are looking for.

If you haven’t read the first part that goes through Configuration Items, I recommend you do so.

https://timmyit.com/2016/05/02/sccm-assets-compliance-compliance-settings-configuration-item/

 

Configuration Baseline

Simply explained, a Configuration Baseline is a collection of one or more Configuration Items that creates a baseline for the specific group you would like to deploy it to; it can be, for example, a baseline that is only for the service desk and their computers. In other words you create one or more items, put them into a baseline and then deploy that baseline to the device collection of your choice (if you don’t know what a device collection is or need help creating one, then check out my blog post about it Here).

Create a baseline

First of all just make sure that “Compliance evaluation on clients” is set to “Yes”. It’s set to “Yes” by default, but it will save you a lot of headache to ensure that it actually is activated. Do so by clicking on “Administration” in the lower left and then on “Client settings” in the upper left. Then right-click on the “Default Client settings” and go to “Compliance Settings”.

Configuration Baseline - 21

Then go to Assets and Compliance, click on the drop down menu “Compliance Settings” and click on “Configuration Baseline”

Configuration Baseline - 00

Then right-click and choose “Create Configuration Baseline”

Configuration Baseline - 01

Input the name and description and then click on “add” and choose “Configuration Items” and continue with “ok”

Configuration Baseline - 02

Here you will select the Configuration Items you want to add in to this Baseline but in this example we just got one. Click “add ” and then “ok”

Configuration Baseline - 03

The Configuration Baseline should now appear in the configuration menu as showed here

Configuration Baseline - 04

If you want to see which Items are in the baseline you can simply select the baseline and “right-click” on it and click on “show members”

Configuration Baseline - 05

This will show you which Items are in the specified baseline.

Configuration Baseline - 06

Navigate back to the baseline. The next step is to deploy it to the device collection of your choice; to do that you can either select the baseline, “right-click” and choose “Deploy”, or click on “Deploy” in the upper center.

Configuration Baseline - 07

In this menu we will choose to “Generate an alert” and set “When the compliance is below” to 100%, since this is a super-duper important setting and it’s crucial that everyone has it; if any node doesn’t, we have to know. We will set the start date to 2016-05-04 and the time to 06:00, and then click on “Browse” to select which device collection to deploy it to.

Configuration Baseline - 08

In the upper left menu choose “Device Collections”; by default it will have chosen “User collections”.

Configuration Baseline - 09

Locate the device collection of your choice and press “ok”

Configuration Baseline - 10

Now we want to schedule the evaluation of this compliance to run every day since it’s super-duper important to have this setting. This will schedule the evaluation to 06:00 AM every day, so the person in charge of following this up will have the alert in SCCM, if any computer isn’t compliant, first thing in the morning when he gets in to work.

So choose “Simple schedule”, “run every” “1” “days” and press “ok”

Configuration Baseline - 11

Back at the Baseline overview, select the baseline we just created and click on “Deployments” in the bottom left corner. You will see the deployment we just made to the service desk device collection and that the compliance is 0% so far; that’s because the evaluation hasn’t started yet.

Configuration Baseline - 12

So let’s say that the next day has come and your task is to see if there are any alerts in SCCM for the baseline. Click on “Monitoring” in the lower left corner and then click on “Alerts”. You will see a notification about the “Recent Alerts” in the center, but I want you to click on “Active Alerts”.

Configuration Baseline - 13

Here you will see all the Alerts that are active right now

Configuration Baseline - 14

You can right-click on an alert and choose from a few options on what to do with it (sadly you can’t choose to go directly to monitoring of the deployment to see which resources aren’t compliant. Why, Microsoft, why?)

Configuration Baseline - 15

Instead you can either go back to the configuration Baseline, select the baseline as we did before and click on “deployment” in the lower center and from there right-click on the deployment and click “View result” or you can click directly on Deployments under monitoring.

Configuration Baseline - 16

Here you will see all the deployments in your environment and not just baselines. Select the one you want to view and you will get some initial information in the lower half of the screen; you can see that we have 1 compliant resource and 1 non-compliant.

Configuration Baseline - 17

Select the deployment and right-click and then click on “View Status”

Configuration Baseline - 18

This will give you information about which exact device is compliant

Configuration Baseline - 19

If you click on “non-compliant” you will see which devices aren’t, and from here you can take the actions needed to make the device compliant.

Configuration Baseline - 20

 

This is all for now and I hope this was helpful for you. If you have any questions, don’t hesitate to post them in the comments below.

 

Cheers,

Timmy

SCCM – Assets & Compliance – Compliance settings – Configuration Item

Compliance Settings

Compliance Settings help you make sure that resources in your environment are compliant with a standard and/or criteria you set. There are many built-in features, like being able to check registry keys/values, file system (file version, date, folder, etc.), Active Directory query, SQL query, WQL query and more. If that won’t help you then there’s also the option of creating your own script in, for example, VB and PowerShell to help you determine if the node is compliant with the setting you are looking for (Freaking awesome!). If you know what you are looking for then there’s pretty much nothing stopping you from finding it.

If a node or device collection is not compliant with the setting/criteria, you have the option to set it to alert and it will show up under “Monitoring – Alert”, or if you have an SMTP server available you can configure SCCM to send an email alert to specified receivers. One could also configure auto remediation for the setting.

Compliance Settings is a giant rabbit hole to explore, but I’m going to go through some of the basics in the coming blogs; as I mentioned earlier, the key thing is that you know what you are looking for.

Configuration Item 

A Configuration Item is the actual setting we want to check the compliance state of. Here we will configure what setting it is, how to determine if it’s compliant or not, and what SCCM should do about it.

First thing we need to do is configure an item so go to Assets & Compliance – Compliance Settings and expand the menu.

Configuration Items - 01

Click on “Configuration item” in the menu to the left and then right-click and choose “Create Configuration Item”

Configuration Items - 02

Give the specific Item a name and click “next”. I’m just naming it Test-setting, but you should name it so it’s pretty obvious what the Item is, so you can keep track of them later when you have a lot of them. Every Item can be used multiple times and be included in several baselines, but more on that later.

Configuration Items - 03

If the setting you have only exists on certain Windows versions you can filter it here so the item will only assess the specified OS. If the setting is OS independent then you can just leave it at “select all” and click “next”.

NOTE: This does not mean the item will get deployed to the selected OSes; deployment will come later.

Configuration Items - 04

Under Settings click “New” to create a new setting

Configuration Items - 05

First name the setting, then write a description if you want, and for this exercise choose Setting type “Registry Value”

Configuration Items - 07

And under “Data type” choose “String”

Configuration Items - 08

After that you need to specify “Hive Name”, “Key Name” and “Value Name”. If you don’t know the specific path off the top of your head you can use the “Browse” button, which lets you browse to the specified key and value, and you can connect to remote computers.

When done, let’s continue and press “ok”

Configuration Items - 06

Click “next”

Configuration Items - 09

Under “Compliance Rule” click “New”

Configuration Items - 10

Name the Rule and click “Browse” and choose the Setting you just created

Configuration Items - 10.5

Now you can either choose “Value” or “Existential”.

Configuration Items - 13

If you choose Value you can determine whether the registry value should comply with a specific value or not; Existential determines compliance by whether the key exists on the node or not.

Configuration Items - 12

Under “Noncompliance severity for reports” you can choose between

Configuration Items - 14

This decides what should happen in reports if the node is non-compliant. I’m going to choose “Critical”, so that will generate a Critical alert under Monitoring – Alerts.

Click “Ok”

Configuration Items - 15

Click “Next”

Configuration Items - 16

Click “next” until the wizard is completed and then “Close”

Configuration Items - 17

And now you have created your first Configuration Item and it should show up here:

Configuration Items - 18

There are still some steps to go through before we can test our Configuration Item. In the next part I will be talking about Configuration Baselines and deployment.

If there are any questions, don’t hesitate to post them in the comment section below.

 

Cheers,

Timmy

 

 

 

 

 

Assets and Compliance – Device collections Part 2 (Query rule)

Part 2

A device collection, as the name implies, is a collection of devices. You can for example create a device collection that contains all the PCs for the service desk or the HR department by Active Directory groups. You can create a device collection based on what OS the device is running, different manufacturers like HP, Dell or Fujitsu, and even what kind of mouse they have plugged in. The limit on what criteria you can base your device collection on comes down to WMI (Windows Management Instrumentation) and its query language WQL, but more on that in a later post.

Part 1 covered Direct rule https://timmyit.com/2016/04/28/assets-and-compliance-device-collections-part-1-direct-rule/

Query Rule

If you want to have a device collection that updates dynamically based on certain criteria then Query rule is generally the way to go; with that said, you don’t have to make it update dynamically. Figuring out and configuring Query Rules tends to take a little more time at first, but in the end you will save a lot of time since you don’t have to manually add resources every time a new one is added to your environment. In this example we are just going to cover a simple query that will get all the computers with a specific name just to get started, and in a later post I will go into more detail about other ways to use WQL.

Create a new Device collection (If you are unsure how, then read Part1) and under the Membership rule this time choose “Query Rule”

Device Collection Part 2 - 01

Enter the name you want to name your Query and then click on “Edit Query Statement”

Device Collection Part 2 - 02

This will open up the Query Statement Properties and here is where the magic happens, click on the “sun”

Device Collection Part 2 - 03

and then in Result properties click on “select” as seen on the right

Device Collection Part 2 - 04

Attribute class should be System Resource and under Attribute find the one called “NetBIOS Name” and click “ok”

Device Collection Part 2 - 05

In Result Properties click “ok”

Device Collection Part 2 - 06

The selection you just made should now show up in the results list. Let’s click on “show Query Language” to take a look at what the query looks like so far.

Device Collection Part 2 - 07

The WQL query should look like this: “select SMS_R_System.NetbiosName from SMS_R_System”. This is queried against the SCCM site database to get the result we specified in the query. So far we have only asked for “Select all the information in the column SMS_R_System.NetbiosName from the table SMS_R_System in the Site database”, and for our purpose that’s too broad a statement, so let’s define it a bit more to get the result we really want. Press “ok”.

Device Collection Part 2 - 08

Click on “Edit Query Statement” again in the Query Rule properties

Device Collection Part 2 - 02

Click on “Criteria” in the upper left

Device Collection Part 2 - 09

Click on the “sun” to add a criteria

Device Collection Part 2 - 10

Click on “Select..”

Device Collection Part 2 - 11

Under “Attribute class” choose “System Resource” and under “Attribute” choose “NetBIOS Name” and click “ok”

Device Collection Part 2 - 12

Under “Operator” choose the option “is like”, in the Value field input SD% and press “ok”

Device Collection Part 2 - 13

The new criteria should now show up in the criteria list. Let's go to “show Query Language” again to take a look at the WQL query and see what happened

Device Collection Part 2 - 14

The old query was just “select SMS_R_System.NetbiosName from  SMS_R_System” and the new one is “select SMS_R_System.NetbiosName from  SMS_R_System where SMS_R_System.NetbiosName like "SD%"”. Can you see what changed?

The criteria we added was “where SMS_R_System.NetbiosName like "SD%"”, so we are selecting the information from the column SMS_R_System.NetbiosName from the table SMS_R_System in the site database where the NetbiosName is like "SD%". This should now only give us the computers with a computer name that starts with SD.

 

Press “ok” until you get back to the “Create device collection wizard” and take a look at “Use incremental updates for this collection”. Checking this box allows the device collection to update automatically when a new device that fulfills the criteria we set is added. If this option is not checked, the update will only occur when the scheduled full update runs, which in this case is every 7th day as seen below. If you uncheck both “Schedule a full update on this collection” and “Use incremental updates for this collection”, no newly added resources will be added to the device collection unless you do it manually with a “Direct rule” as we did in Part 1 or by running this wizard again.

Device Collection Part 2 - 15

Finish the wizard with “next”, “next” and then “close”. The device collection should start to get filled with resources, and the result should look something like this

Device Collection Part 2 - 16

And if you right-click on the device collection and choose “show members” you will see that we have only Computers with the name starting with “SD” which is exactly what we wanted.

Device Collection Part 2 - 17

Now let's add the HR department's computers to this device collection. Go back to the location of the device collection, right-click on it and choose “properties”

Device Collection Part 2 - 18

Then click on the “Membership Rules” tab

Device Collection Part 2 - 19

Click on “Edit..”

Device Collection Part 2 - 20

Click on “Edit Query statement” as we did earlier in this guide and then click on “Show Query Language”

I sorted it a bit so we could easily see Select and From. What we are gonna do here is add an “or” criteria directly into the query without going through the steps we did before; you could write the whole query directly here if you wanted to. The statement we are going to add looks like this: “or SMS_R_System.NetbiosName like "HR%"”, and this will add all the computers from the HR department, since all of their computer names start with HR in this environment.

 

Device Collection Part 2 - 21

Press “ok”, “ok”, “apply” and “ok” to get out of the properties, then give the device collection a few seconds to update. Right-click it and choose “show members” and you should see the new members there

Device Collection Part 2 - 22
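The wizard steps above, scripted with the ConfigurationManager PowerShell module. This is an added example, not code from the original post; the site code PS1, the collection and rule names, and the choice of limiting collection are assumptions.

```powershell
# Added example: scripted equivalent of the Query rule wizard steps.
# Assumptions: site code "PS1", the collection/rule names, and the
# limiting collection are placeholders for your own environment.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # PSDrive named after the site code

$collectionName = 'Service Desk and HR computers'    # hypothetical name
$limitingName   = 'All Desktop and Server Clients'   # assumed limiting collection

# ResourceId is selected because collection membership is evaluated on it.
# The criteria are the two "like" conditions built in the guide.
$wql = @'
select SMS_R_System.ResourceId, SMS_R_System.NetbiosName
from SMS_R_System
where SMS_R_System.NetbiosName like "SD%"
   or SMS_R_System.NetbiosName like "HR%"
'@

# Full update every 7 days plus incremental updates (RefreshType Both),
# matching the two check boxes in the wizard.
$schedule = New-CMSchedule -RecurInterval Days -RecurCount 7 -Start (Get-Date)

if (-not (Get-CMDeviceCollection -Name $collectionName)) {
    New-CMDeviceCollection -Name $collectionName `
        -LimitingCollectionName $limitingName `
        -RefreshType Both -RefreshSchedule $schedule | Out-Null
}

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
    -RuleName 'SD and HR by NetBIOS name' -QueryExpression $wql

# Check after the collection has evaluated: any member whose name does not
# follow the SD/HR naming standard means the rule is broader than intended.
Get-CMCollectionMember -CollectionName $collectionName |
    Where-Object { $_.Name -notmatch '^(SD|HR)' } |
    Select-Object Name, ResourceID
```

The final pipeline should return nothing; the collection may need a few seconds to evaluate before the member list is complete.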

So this was it for this lesson, and the things I showed here are just the tip of the iceberg; the possibilities and the selection of criteria you can use for device collections are huge. I really recommend playing around with it, and you really should learn more about WMI (Windows Management Instrumentation) and WQL if you don't know what they are and how they are structured, because knowing that will help you understand what kind of possibilities there are.

 

Hope this was useful information for you and if you have any questions or suggestions just post them in the comments below.

Cheers,

Timmy

 

 

Assets and Compliance – Device collections Part 1 (Direct rule)


Part 1

A device collection, as the name implies, is a collection of devices. You can for example create a device collection that contains all the PCs for the Service desk or the HR department by Active Directory groups. You can create a device collection based on what OS the device is running, the manufacturer like HP, Dell or Fujitsu, and even what kind of mouse they have plugged in. The limitation on what criteria you base your device collection on comes down to WMI (Windows Management Instrumentation) and its query language WQL, but more on that in a later post.

 

For now I want to focus on how to create a simple device collection and add devices to this collection using “direct rule”.

 Direct Rule

Open up System Center Configuration Manager 2012  and click on “Assets and compliance” in the lower left and then go to “Device Collection”
Device Collection Part 1 - 00

 

Here you will see the 4 Device collections that exist by default:

All Systems

All Unknown Computers

All Desktop and Server Clients

All Mobile Devices

DO NOT MODIFY THESE! Copy them and make a new one if you want to experiment or modify!

Device Collection Part 1 - 01

Depending on your environment the folder structure will be different, but for this guide I have created the following structure:

 

Device Collection Part 1 - 02

 

 

Go to the Device collection. To create a new Device collection you can either click on the button “Create Device collection” in the top left corner of the screen, or just right-click on the Service desk folder or in the window to the right.

Device Collection Part 1 - 03

A wizard will appear where you have to enter a Name for the device collection and also choose on how to limit the collection

Device Collection Part 1 - 04

Note

A limiting collection is mandatory, and it acts as a possible security layer: you can only add members that are in the specified collection. But if you use the “All Systems” device collection as the limiting collection there is no limit, since all systems are in the “All Systems” device collection. Depending on your environment the complexity of device collections could vary, but only use “All Systems” when creating sub-collections that will later be used as a limiting collection.
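One way to check an existing site against the note above: list the collections that are limited directly to “All Systems” but are not themselves used as a limiting collection by anything else. This is an added example, not part of the original post; the site code PS1 is a placeholder.

```powershell
# Added example: find collections where the limiting collection gives no
# real restriction. Assumption: site code "PS1" is a placeholder.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$allSystemsId = 'SMS00001'   # collection ID of the built-in "All Systems"
$collections  = Get-CMDeviceCollection

# Every collection ID that some collection uses as its limiting collection.
$usedAsLimit = $collections |
    Where-Object LimitToCollectionID |
    Select-Object -ExpandProperty LimitToCollectionID -Unique

# Limited to "All Systems", not built in, and not a parent for any other
# collection: these are the ones the note says to avoid.
$collections |
    Where-Object {
        $_.LimitToCollectionID -eq $allSystemsId -and
        -not $_.IsBuiltIn -and
        $usedAsLimit -notcontains $_.CollectionID
    } |
    Sort-Object MemberCount -Descending |
    Select-Object Name, CollectionID, MemberCount, LimitToCollectionName
```

Each row is a candidate for a narrower limiting collection, starting with the ones that have the most members.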

 

 

Click on “browse” and the following window will show up:

Device Collection Part 1 - 08

 

Here you have to choose which Device collection you want to be able to add resources from. In this case we have to choose “all desktops” since the computers we want to choose from are in that collection. Press “ok” and then “next”

Membership Rules

Press “Add Rule”, select “Direct Rule” and then “next”. A new wizard will appear; press “next”.

By default Resource class will be “System Resource” and Attribute name “name”, and this is WMI.

In Value you enter the string, which in this case is the computer name that you want to add to the device collection. Naming standards differ from environment to environment, but in this example I'm using the following standard for my Service desk computers: SDXXX (XXX = numbers). We can use wildcards and WQL operators, so to get all the SD computers I will just write SD% and click “next”

Device Collection Part 1 - 09

At the next page you will see all the resources that matches your search from the previous page. As you can see we have 4 different computers here and I want them all so I will click “Select All” and click “next”

 

Device Collection Part 1 - 10

 

Click next on the “Summary” and “Progress” page and hopefully you will see the following result:

Device Collection Part 1 - 11

 

After you have clicked “close” you will come back to this page; just click “next” until you are finished with this wizard. Incremental updates and scheduled full updates are not really important when using “direct rule”, but more about those topics later when we talk about “Query rule”

Device Collection Part 1 - 12

 

Depending on how many resources you added it can take some time for the device collection to update, but generally when it's below a few hundred it will only take 10 seconds or so. You have to switch view and go back into the location of the device collection for the visual member count to update.

Device Collection Part 1 - 13

Right-click on the device collection and choose “show members” if you want to see which resources are included in the device collection.

Device Collection Part 1 - 14

 

Or if you want to add more resources to the device collection click “Add resources”

Device Collection Part 1 - 15

 

Adding resources this way is faster than going through the wizard every time and it will get you the same result. Just enter a string, in this case the resource name. I'm gonna search for a specific Payroll computer in the collection “All desktops”, so I will just type PR001 and the computer with computer name PR001 will show up. Press “add” and then “ok” to add it to the device collection.

Device Collection Part 1 - 16

If you wanted to search for the 10 first PR machines you could do this: PR0[0-1][0-9] instead of PR001. It will then search for all the computers with a name starting with PR001 up to PR010.

 

This was just a short guide on Device collections and “Direct Rule”; hopefully it helped you in some way. I will be back soon with more information regarding Device collections in SCCM 2012. If there are any questions just post them below and I will answer them as quickly as I can.

 Part 2 https://timmyit.com/2016/04/29/assets-and-compliance-device-collections-part-2-query-rule/

Cheers,

Timmy

 

 

 

 

 

 
