SCCM Engagement / Best Practices

Overview

I provided a client with the following SCCM Best Practice information to aid in their use of the system. In addition to the information, I created several custom tools and scripts to aid in the detection and remediation of several SCCM related troubleshooting tasks. Snippets of those scripts are provided throughout.

Software Updates and Troubleshooting

The software update deployment phase is your process of deploying Microsoft software updates to your workstations and servers. Within SCCM, the updates are typically added to a software update group, the software updates are downloaded to distribution points, and the update group is deployed to clients.

Troubleshooting Software Updates (Server Side)

When you deploy software updates, you add the updates to a software update group (SUG) and then deploy the SUG to your clients. When you create the deployment, the update policy is sent to client computers, and the update content files are downloaded from a DP to the local cache on the client computer. The updates are then available for installation. After the deployment and the deployment policy have been created on the server, clients receive the policy on their next policy evaluation cycle.

Before you can track a deployment, you must first find the Deployment Unique ID of the deployment by adding the Deployment Unique ID column in the console.

Making the Console More Useful

Within the SCCM console, adding the following columns under Software Updates can help when matching entries in the log files and on the client side back to a specific update:

  • Bulletin
  • Article ID
  • Unique Update ID

Windows Update Related Reports

The following reports are available at http://VCOMscm005prd/Reports and will allow you to further diagnose server related update issues:

Compliance Reports

Report Name

Description

Compliance 1 – Overall Compliance

Displays the overall compliance data for a software update group.

Compliance 7 – Computers in a specific compliance state for an update group

Displays all computers in a collection that have a specified overall compliance state against a software update group.

Deployment Management Reports

Report Name

Description

Management 2 – Updates required but not deployed

This report returns all vendor-specific software updates that have been detected as required on clients but that have not been deployed to a specific collection. To limit the amount of information returned, you can specify the software update class.

Management 7 – Updates in a deployment missing content

This report returns the software updates in a specified deployment that do not have all of the associated content retrieved, preventing clients from installing the update and achieving 100% compliance for the deployment.

Deployment State Reports

Report Name

Description

States 1 – Enforcement states for a deployment

This report returns the enforcement states for a specific software update deployment, which is typically the second phase of a deployment assessment. For the overall progress of software update installation, use this report in conjunction with “States 2 – Evaluation states for a deployment”.

States 2 – Evaluation states for a deployment

This report returns the evaluation state for a specific software update deployment, which is typically the first phase of a deployment assessment. For the overall progress of software update installation, use this report in conjunction with “States 1 – Enforcement states for a deployment”.

States 5 – States for an update in a deployment (secondary)

This report returns a summary of states for a specific software update targeted by a specific deployment. For best results, start with ‘Management 3 – Updates in a deployment’ to return the software updates contained in a specific deployment, and then drill into this report to return the state for the selected software update.

Scan Report

Report Name

Description

Scan 1 – Last scan states by collection

This report returns the count of computers for a specific collection in each compliance scan state returned by clients during the last compliance scan.

Troubleshooting Report

Report Name

Description

Troubleshooting 2 – Deployment errors

This report returns the deployment errors at the site and a count of computers that are experiencing each error.

Troubleshooting Software Updates (Client Side)

When software updates do not successfully deploy to the client, several steps can be taken to troubleshoot.

Tracking Log Files within CMTrace

CMTrace is the official log viewing utility provided in the System Center 2012 R2 Configuration Manager Toolkit (it also ships in the Tools folder of the site server installation directory). This tool allows SCCM log files to be organized, merged and filtered for troubleshooting purposes.

Troubleshooting Windows Update Deployment “Errors”

  1. Open CMTrace on the client you wish to troubleshoot and browse to C:\Windows\CCM\Logs
  2. Merge the three files below. File -> Open -> Merge Selected Files

    1. W – WUAHandler.log
    2. U – UpdateStore.log
    3. S – ScanAgent.log
  3. Filter for missing updates. Tools -> Filter -> Filter when the entry text contains "missing"

If the log file displays “missing” but Add\Remove Programs (appwiz.cpl) shows that the update is installed, you can assume scanning is not working properly.

Further, when looking through the WUAHandler component in CMTrace, you can track a deployment as follows:


Troubleshooting “In Progress” and State Message Communication

If UpdateStore.log shows that a particular update is installed but the SCCM console still reports it as In Progress, the client's state messages are likely not reaching the site: state messages go to the management point, which forwards them into the site database on the SQL server, and the console reflects only what has arrived there.

State messaging is a mechanism in SCCM by which the client reports point-in-time conditions, such as the compliance state of each update, to the site.

Fix-DGMSCCMStateMessage Tool

The tool, Fix-DGMSCCMStateMessage.ps1, located at \\VCOMscr001prd\c$\Scripts\Fix-DGMSCCMStateMessage, was written by David Maiolo. It automatically resends the state messages from the SCCM client by invoking the following two commands on each client:

• $SCCMUpdatesStore = New-Object -ComObject Microsoft.CCM.UpdatesStore

• $SCCMUpdatesStore.RefreshServerComplianceState()

The tool requires the –csvfile argument, the path to a CSV file containing one column, Hostname, listing the hostnames, and can be run as in the example below.

Core Function of the Fix-DGMSCCMStateMessage.ps1 tool

Fix-DGMSCCMStateMessage Log File

The utility will create a log file that is compatible with the CMTrace tool, which includes the thread, time, state and component for each process.

Troubleshooting Empty CCMCache Folders

In some cases the cache subfolder for the content within C:\Windows\ccmcache will be empty.

  1. Open CMTrace on the client you wish to troubleshoot and browse to C:\Windows\CCM\Logs
  2. Merge the three files below. File -> Open -> Merge Selected Files

    1. L – LocationServices.log
    2. C – ContentTransferManager.log
    3. D – DataTransferService.log
  3. Find call backs. Find -> Find What: "calling back"

A "Calling back with empty distribution points list" entry means the client was given no DP for its boundary group (usually the client's IP or AD site falls into no boundary group, or the boundary group has no DP assigned). Also look at the "Locality=" value on the line below the calling back entry, which tells you the locality (boundary group relationship) of each DP the lookup returned. Finally, check the ContentTransferManager entries, which show which DP was actually used.
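The log procedures above are manual CMTrace steps. As an added example, not part of the original page or its tools, the script below does the same three things in PowerShell: parse CMTrace-format entries, merge several logs into one timeline (CMTrace's Merge Selected Files), and apply the two searches from the procedures, "missing" in the update logs and "calling back" together with the "Locality=" line that follows it in the content logs. The sample entries are constructed for the example and the message text is illustrative; real logs live in C:\Windows\CCM\Logs on the client.

```powershell
# Added example (not code from the original page or its tools): CMTrace log parsing,
# merging and filtering. Sample entries below are constructed, not copied from a real client.

# One CMTrace entry:
# <![LOG[message]LOG]!><time="HH:mm:ss.fff+UTCoffset" date="MM-dd-yyyy" component="..." context="" type="1|2|3" thread="N" file="...">
$script:CmTraceRegex   = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"[^>]*?thread="(?<thread>\d+)"'
$script:CmTraceFormats = @('MM-dd-yyyy HH:mm:ss.fff', 'MM-dd-yyyy HH:mm:ss.ff', 'MM-dd-yyyy HH:mm:ss.f', 'MM-dd-yyyy HH:mm:ss')

function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$Source = '')
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $script:CmTraceRegex)
        if (-not $m.Success) { continue }                         # not a CMTrace entry (e.g. a continuation line)
        $clock = $m.Groups['time'].Value -replace '[+-]\d+$', ''   # strip the UTC offset suffix
        $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $clock", $script:CmTraceFormats,
                                        [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None)
        [pscustomobject]@{
            Time      = $stamp
            Component = $m.Groups['comp'].Value
            Type      = [int]$m.Groups['type'].Value                 # 1 = info, 2 = warning, 3 = error
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
            Source    = $Source
        }
    }
}

function Merge-CmTraceLog {
    # Merge any number of logs into one timeline sorted by time (the CMTrace merge view)
    param([Parameter(Mandatory)][hashtable]$LinesBySource)        # @{ 'WUAHandler.log' = <string[]>; ... }
    $all = foreach ($src in $LinesBySource.Keys) { ConvertFrom-CmTraceLog -Lines $LinesBySource[$src] -Source $src }
    @($all | Sort-Object Time)
}

function Find-CmTraceEntry {
    # Tools -> Filter equivalent. With -WithContext, the next entry from the same component is
    # attached so a "Locality=" line can be read next to its "calling back" line.
    param([Parameter(Mandatory)][object[]]$Entries, [Parameter(Mandatory)][string]$Pattern, [switch]$WithContext)
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        $e = $Entries[$i]
        if ($e.Message -notmatch $Pattern) { continue }            # -match is case-insensitive, like the CMTrace filter
        $next = $null
        if ($WithContext -and ($i + 1) -lt $Entries.Count) {
            $next = $Entries[($i + 1)..($Entries.Count - 1)] | Where-Object { $_.Component -eq $e.Component } | Select-Object -First 1
        }
        [pscustomobject]@{ Time = $e.Time; Source = $e.Source; Type = $e.Type; Message = $e.Message; NextMessage = $next.Message }
    }
}

# Constructed sample lines (message text is illustrative)
$sample = @{
    'UpdateStore.log' = @(
        '<![LOG[Update status from update (abcd1234-0000-0000-0000-000000000001): Missing]LOG]!><time="08:15:02.101+000" date="05-24-2017" component="UpdateStore" context="" type="1" thread="4120" file="updatestore.cpp:10">'
    )
    'WUAHandler.log' = @(
        '<![LOG[Successfully completed scan.]LOG]!><time="08:15:00.500+000" date="05-24-2017" component="WUAHandler" context="" type="1" thread="3980" file="cwuahandler.cpp:1">'
    )
    'LocationServices.log' = @(
        '<![LOG[Calling back with empty distribution points list]LOG]!><time="09:02:11.000+000" date="05-24-2017" component="LocationServices" context="" type="2" thread="2210" file="lsad.cpp:1">',
        '<![LOG[Distribution Point=, Locality=0, DPType=0, Version=0, Capabilities=<>, Signature=, ForestTrust=0]LOG]!><time="09:02:11.010+000" date="05-24-2017" component="LocationServices" context="" type="1" thread="2210" file="lsad.cpp:2">'
    )
}
$timeline = Merge-CmTraceLog -LinesBySource $sample
Find-CmTraceEntry -Entries $timeline -Pattern 'missing'                   | Format-Table Time, Source, Message -AutoSize
Find-CmTraceEntry -Entries $timeline -Pattern 'calling back' -WithContext | Format-List Time, Message, NextMessage
```

To run it against a real client, replace the constructed $sample table with Get-Content of the three log files from C:\Windows\CCM\Logs; entries that CMTrace would show as warnings or errors carry Type 2 or 3, so a second filter on Type finds the failures without a text pattern.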

Fixing Windows UpdateStore Corruption (Datastore.edb)

The Windows Update Agent datastore, C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, holds the local scan results. It can become corrupted, which typically shows up as scan failures in WUAHandler.log even though the software update point is reachable.

Fix-DGMSCCMUpdateStore Tool

The tool, Fix-DGMSCCMUpdateStore.ps1, located at \\VCOMscr001prd\c$\Scripts\Fix-DGMSCCMUpdateStore, was written by David Maiolo. It automatically attempts to fix the Windows Update store on an array of clients imported from a CSV by performing the following steps on each client:

  • Stop the Windows Update service
  • Move SoftwareDistribution to a backup location
  • Start the Windows Update service
  • Let the service recreate SoftwareDistribution (and with it a fresh DataStore.edb)

The tool requires the –csvfile argument, the path to a CSV file containing one column, Hostname, listing the hostnames, and can be run as in the example below.

Core Function of the Fix-DGMSCCMUpdateStore.ps1 tool

Fix-DGMSCCMUpdateStore Log File

The utility will create a log file that is compatible with the CMTrace tool, which includes the thread, time, state and component for each process.
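The source of Fix-DGMSCCMStateMessage.ps1 and Fix-DGMSCCMUpdateStore.ps1 is not reproduced on this page, so the following is an added example, not the page's own tools, that implements the two client-side fixes described in the two sections above: the state message refresh via the Microsoft.CCM.UpdatesStore COM object, and the SoftwareDistribution rebuild, both driven by a CSV with a single Hostname column and logged in the CMTrace format those tools use. Assumptions for the example: PowerShell remoting (WinRM) is enabled on the clients and the caller is a local administrator there, and the log file paths in the usage lines are placeholders.

```powershell
# Added example (not the page's Fix-DGMSCCMStateMessage.ps1 / Fix-DGMSCCMUpdateStore.ps1):
# CSV-driven client remediation with a CMTrace-compatible log. Assumes WinRM remoting
# and local admin rights on the target clients; log paths are examples.

function Write-CmTraceLog {
    # One line CMTrace can parse: thread, time, component and severity (type 1 info, 2 warning, 3 error)
    param([Parameter(Mandatory)][string]$Message, [Parameter(Mandatory)][string]$Component,
          [ValidateSet(1, 2, 3)][int]$Type = 1, [Parameter(Mandatory)][string]$Path)
    $now  = Get-Date
    $line = '<![LOG[{0}]LOG]!><time="{1}+000" date="{2}" component="{3}" context="" type="{4}" thread="{5}" file="">' -f `
            $Message, $now.ToString('HH:mm:ss.fff'), $now.ToString('MM-dd-yyyy'), $Component, $Type, $PID
    Add-Content -Path $Path -Value $line -Encoding UTF8
}

# Fix 1: runs on the client and asks the CCM updates store to resend its compliance state to the MP
$RefreshStateMessages = {
    $store = New-Object -ComObject Microsoft.CCM.UpdatesStore
    $store.RefreshServerComplianceState()
    'RefreshServerComplianceState invoked'
}

# Fix 2: runs on the client, rebuilds SoftwareDistribution (and so DataStore.edb) and starts a new scan
$ResetUpdateStore = {
    Stop-Service -Name wuauserv -Force
    $sd  = Join-Path $env:windir 'SoftwareDistribution'
    $bak = '{0}.bak_{1}' -f $sd, (Get-Date -Format 'yyyyMMddHHmmss')
    if (Test-Path $sd) { Move-Item -Path $sd -Destination $bak }   # keep a backup rather than deleting
    Start-Service -Name wuauserv                                   # the service recreates SoftwareDistribution
    # Software Updates Scan Cycle (client schedule ID ending in 113) so the new store is populated immediately
    Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule `
                     -ArgumentList '{00000000-0000-0000-0000-000000000113}' | Out-Null
    "SoftwareDistribution moved to $bak, scan cycle triggered"
}

function Invoke-ClientFix {
    # Runs $Fix on every host in the CSV and logs one CMTrace line per host (failures as type 3)
    param([Parameter(Mandatory)][string]$CsvFile, [Parameter(Mandatory)][scriptblock]$Fix,
          [Parameter(Mandatory)][string]$Component, [Parameter(Mandatory)][string]$LogFile)
    $computers = Import-Csv -Path $CsvFile | Select-Object -ExpandProperty Hostname
    foreach ($h in $computers) {
        try {
            $result = Invoke-Command -ComputerName $h -ScriptBlock $Fix -ErrorAction Stop
            Write-CmTraceLog -Message "${h}: $result" -Component $Component -Type 1 -Path $LogFile
        } catch {
            Write-CmTraceLog -Message "${h}: $($_.Exception.Message)" -Component $Component -Type 3 -Path $LogFile
        }
    }
}

# Usage (hosts.csv has a single Hostname column; log paths are examples):
# Invoke-ClientFix -CsvFile .\hosts.csv -Fix $RefreshStateMessages -Component 'Fix-StateMessage' -LogFile C:\Temp\Fix-StateMessage.log
# Invoke-ClientFix -CsvFile .\hosts.csv -Fix $ResetUpdateStore    -Component 'Fix-UpdateStore'   -LogFile C:\Temp\Fix-UpdateStore.log
```

The log written by Write-CmTraceLog opens directly in CMTrace, with failed hosts highlighted as errors. The SoftwareDistribution folder is moved, not deleted, so a client whose scan still fails afterwards can be investigated with the old DataStore.edb intact.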

Verifying Software Update Point in Client Registry

On the client, the software update point the client has been assigned can be verified in the WUServer and WUStatusServer values under the following registry key. The Configuration Manager client writes these as local policy, and WUAHandler.log records the same server when it enables the WUA managed server policy:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

Looking up Errors in CMTrace

CMTrace has the option to look up an error code. For example, you might come across the message: Unable to find or read WUA Managed Server Policy 0x80004005. Tools -> Error Lookup decodes the code (here E_FAIL, "Unspecified error").

Searching the internet for this 0x80004005 error in the WUAHandler context shows that renaming the local policy file registry.pol (under C:\Windows\System32\GroupPolicy\Machine) and running gpupdate /force is a potential solution: the WUA managed server policy is written to local policy, so a corrupt registry.pol stops the client from reading it.

Understanding Data Discovery Record (DDR) Workflow

Although discovery data records were covered mostly by a different engagement, we did touch on the subject.

When SCCM discovery runs, it creates discovery data records (DDRs). The information contained in a DDR varies depending upon the discovered resource. For example, it can include the NetBIOS name of a computer, the IP address and IP subnet of a computer or device, and the computer's operating system name.

DDRs are sent to the site server inbox located as a .DDR file:

  • \\VCOMscm005prd\d$\Program Files\Microsoft System Center Configuration Manager\inboxes\auth\ddm.box

Once processed, the .DDR file is deleted. If many .DDR files remain visible in the inbox, the discovery data manager is backlogged, which most likely means Active Directory discovery in SCCM is set to too short an interval.

Additional values in DDR files appear within the SCCM console in the client properties of an asset. Although it is not officially supported, one can create custom DDRs for the site server to process by

  1. Creating a new instance of the SMSResGen COM class.
  2. Creating a new DDR by using the NewDDR method.
  3. Adding properties to the DDR by using the AddProp methods (AddPropString, AddPropNumber).
  4. Writing the new DDR to a file by using the DDRWrite method and placing the file in ddm.box.

The site server can process multiple DDRs for the same asset, as was the case in a custom PFE engagement mentioned during our engagement.

Infrastructure Health (SQL and Site Server)

The SCCM infrastructure health is vital to the overall system responsiveness and functionality for your installation.

Bandwidth Throttling

Within the SCCM console, bandwidth throttling is available per distribution point at Administration > Overview > Distribution Points -> Properties -> Rate Limits.

Limited to specified maximum transfer rates by hour: this method lets you limit the bandwidth to a configured percentage of the available rate for each hour of the day, i.e. per time slice.

Pulse mode throttling is also available, which divides the data into blocks of a configured size transmitted at a fixed interval. In our example above, a 20 KB block every second gives 20 KB/s.

SQL Memory Allocation

At DGM our SCCM SQL instance is hosted on a SQL failover cluster (CNO: TISSQL2014) spanning SQL Cluster Server 1: VCOMSQL711PRD and SQL Cluster Server 2: VCOMSQL712PRD.

Using the Virtual Machine Manager console, we first increased the minimum and maximum memory available to the two SQL servers:

Opening SQL Management Studio then allowed us to adjust the maximum memory used by the SQL service:

Site Server Memory Allocation

Using the Virtual Machine Manager console we verified that our SCCM site server, VCOMSCM005PRD, had adequate memory allocation:

TempDB Memory Allocation

Opening SQL Management Studio allowed us to verify and adjust the initial size and autogrowth settings on the tempdb database.

Console Latency

Rebuilding indexes helps maintain the efficiency of the SCCM SQL database. The Rebuild Indexes site maintenance task is enabled under

Administration > Site Configuration > Sites > Site Maintenance

To help with console latency, the Rebuild Indexes task was enabled with a Sunday 12:00 AM to 5:00 AM schedule.

Client Troubleshooting

Troubleshooting Configuration Manager Client Issues is an important step to understanding why you have certain deployment issues and understanding the overall client health in SCCM.

Understanding Client Health

A client health task on each client performs checks to make sure that key areas such as prerequisites, dependent services and WMI are all functioning, and if needed remediates those issues. The Configuration Manager Health Evaluation runs as a scheduled task and launches an executable called CCMEval.exe, which performs the checks and remediations listed in CCMEval.xml. This scheduled task is named "Configuration Manager Health Evaluation" when viewed in Task Scheduler.

The results of the CCMEval task can be viewed in the Monitoring > Client Status > Client Check area of the console:

Client Health Reports

The reports server http://VCOMscm005prd/Reports has several client health reports available. Searching for “Client Health” yields plenty of useful results, including the new Dashboard – Client Health Statistics report that was imported as a result of this engagement.

DGM Baseline Collections

In order to create a good baseline for your other collections to limit against, the following best practice queries are recommended to create the baseline collections:

Exclude Inactive Clients

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceId = SMS_R_System.ResourceId where SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0

Exclude Heartbeat Discovery Older Than 14 Days

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select ResourceID from SMS_R_System where (SMS_R_SYSTEM.AgentTime <= DateAdd(dd, -14, getdate())) and AgentName = 'Heartbeat Discovery') and SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System where (SMS_R_SYSTEM.AgentTime > DateAdd(dd, -14, getdate())) and AgentName = 'Heartbeat Discovery') and SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_CH_ClientSummary where ClientActiveStatus = 1)

Exclude HW Missing

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model is null and SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_CH_ClientSummary where ClientActiveStatus = 1)

Exclude HW Inventory Older Than 30 Days

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan >= DateAdd(dd, -30, getdate())) and SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_CH_ClientSummary where ClientActiveStatus = 1)

Exclude SW Inventory Older Than 30 Days

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System inner join SMS_G_System_LastSoftwareScan on SMS_G_System_LastSoftwareScan.ResourceID = SMS_R_System.ResourceId where SMS_G_System_LastSoftwareScan.LastScanDate >= DateAdd(dd, -30, getdate())) and SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_CH_ClientSummary where ClientActiveStatus = 1)

These queries were used to create new baseline collections, which the working collections then exclude, so that deployments and compliance numbers are only ever measured against clients that are active and still inventorying.

Content Distribution Troubleshooting

Troubleshooting content distribution is important. The following folders make up the content library (SCCMContentLib) on any given distribution point, such as \\VCOMscm005prd\d$\SCCMContentLib:

  1. P – PkgLib
  2. D – DataLib
  3. F – FileLib

Tracing content through a distribution point starts by identifying its Package ID in the SCCM console at Monitoring > Overview > Distribution Status > Content Status.

Then, using this Package ID, you can find the content ID (a GUID for application content) in the associated INI file within PkgLib:

Using that content ID, you can find the per-file information, including each file's hash and size, in DataLib:

Finally, using the first 4 characters of the hash value within this INI, you can find the file itself in the FileLib directory, where it is stored under its full hash:

The content library is a single-instance store, which is how it saves space on the distribution point: each unique file is kept once in FileLib, named by its hash, no matter how many packages contain it. The DP therefore still holds every file of every package distributed to it, but never a second copy of a file that two packages share, and it is the PkgLib and DataLib INI files that map a package back to the files it needs.

The only two places where the content exists in its original folder layout are the source location and the final cache on the client:

  • \\VCOMscm005prd\d$\SOURCE_FILES
  • c:\windows\ccmcache

Distribution points, as we saw in the P, D, F example above, hold the content only in this hashed, deduplicated form.
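The P, D, F walk above is done by hand in the screenshots. As an added example, not part of the original page, the script below performs the same trace for one Package ID and reports, per file, whether the FileLib blob is present and has the size DataLib recorded for it, which is the question behind "content is distributed but the client cache stays empty". It assumes the documented single-instance layout: PkgLib\<PackageID>.INI lists content IDs under a [Packages] section, DataLib\<ContentID>\ holds one <file>.INI per file with a [File] section carrying Hash= and Size=, and FileLib\<first 4 hex characters of the hash>\<hash> is the file itself. The library root and the Package ID in the usage line are placeholders.

```powershell
# Added example (not code from the original page): trace a package through PkgLib -> DataLib -> FileLib
# and check each file's FileLib blob. Assumes the documented content library layout described in the lead-in.

function Read-IniFile {
    # Minimal INI reader: returns @{ Section = @{ Key = Value } }
    param([Parameter(Mandatory)][string]$Path)
    $ini = @{}; $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        $k, $v = $line -split '=', 2
        if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        $ini[$section][$k.Trim()] = if ($null -ne $v) { $v.Trim() } else { '' }
    }
    $ini
}

function Trace-ContentLibraryPackage {
    param([Parameter(Mandatory)][string]$PackageId,
          [string]$LibraryRoot = 'D:\SCCMContentLib')            # root is an assumption for the example
    $pkgIni = Join-Path $LibraryRoot "PkgLib\$PackageId.INI"
    if (-not (Test-Path $pkgIni)) { throw "No PkgLib entry for $PackageId on this DP: content was never distributed here" }
    $packages = (Read-IniFile $pkgIni)['Packages']
    if (-not $packages) { throw "$pkgIni has no [Packages] section" }
    foreach ($cid in $packages.Keys) {                           # each key is a content ID (P -> D step)
        $dataDir = Join-Path $LibraryRoot "DataLib\$cid"
        if (-not (Test-Path $dataDir)) {
            [pscustomobject]@{ PackageId = $PackageId; ContentId = $cid; File = ''; Hash = ''; FileLib = ''; Present = $false; SizeMatch = $false }
            continue
        }
        foreach ($fileIni in Get-ChildItem -Path $dataDir -Recurse -Filter '*.INI' -File) {
            $meta = (Read-IniFile $fileIni.FullName)['File']
            if (-not $meta -or -not $meta['Hash']) { continue }  # folder INIs carry no hash
            $hash = $meta['Hash']
            $blob = Join-Path $LibraryRoot "FileLib\$($hash.Substring(0, 4))\$hash"   # D -> F step
            $present = Test-Path $blob
            [pscustomobject]@{
                PackageId = $PackageId
                ContentId = $cid
                File      = ($fileIni.FullName.Substring($dataDir.Length + 1) -replace '\.INI$', '')
                Hash      = $hash
                FileLib   = $blob
                Present   = $present
                SizeMatch = $present -and ((Get-Item $blob).Length -eq [int64]$meta['Size'])
            }
        }
    }
}

# Usage (Package ID and UNC root are placeholders); only the broken files are listed:
# Trace-ContentLibraryPackage -PackageId 'PS100001' -LibraryRoot '\\VCOMscm005prd\d$\SCCMContentLib' |
#     Where-Object { -not $_.Present -or -not $_.SizeMatch }
```

A file that is Present but not SizeMatch is the case the manual procedure cannot see: the INI says the file is there, the console shows the package as distributed, and the client still fails the hash check when it downloads.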

Internet Based Client Management (IBCM)

Internet-based client management (IBCM) allows us to manage clients that are not connected to our network but have an Internet connection. In current branch, the Cloud Management Gateway (CMG) and cloud distribution points (CDP) can provide the Internet-facing infrastructure in Azure instead of site systems placed in a DMZ.

IBCM Requirements

  • In order to implement the cloud variant of IBCM in your environment, you need an Azure subscription.
  • It also requires that clients and the site system servers they connect to use PKI certificates, i.e. HTTPS client communication.

Not Supported in IBCM

  • Client installation over the Internet (install the client manually)
  • Wake-on-LAN
  • OS deployment (you can deploy task sequences that do not deploy an OS)
  • Remote control
  • Software deployment targeted to users (unless the Internet-based management point can authenticate the user in AD); device-targeted deployments work
  • Roaming

How IBCM Works with a Software Update Point

Scan: Internet clients scan against the Internet-facing software update point.

Download: update content is downloaded from Microsoft Update rather than from an on-premises distribution point.

Setting up an IBCM

Prerequisites:

  1. Internet-facing site systems must be in a DMZ – UPDATE: with the Cloud Management Gateway (CMG) this is no longer necessary.
  2. Site systems must be connected to the Internet and must be in AD

    1. Distribution point, software update point, etc.
  3. The Internet FQDN of each Internet-facing site system needs to be on a public DNS server as a host record

Setup

  1. Create 3 certificate templates

    1. WEB SERVER (IIS) CERTIFICATE (Web Server template)
    2. CLIENT CERTIFICATE (Workstation Authentication template)
    3. DISTRIBUTION POINT SITE SERVER CERTIFICATE (Workstation Authentication template, exportable so it can be saved as a .PFX with its private key)
  2. Issue the 3 certificates

    1. CA Server -> Certification Authority -> right-click Certificate Templates, click New, and then click Certificate Template to Issue -> select all 3
  3. Request and configure the 3 certificates

    1. CLIENT CERTIFICATE
    2. DISTRIBUTION POINT SITE SERVER CERTIFICATE
    3. WEB SERVER (IIS) CERTIFICATE
  4. Set up in SCCM

    1. Administration -> Site Configuration -> Servers and Site System Roles -> Internet DP

      1. General -> Import certificate -> DISTRIBUTION POINT SITE SERVER CERTIFICATE.PFX
      2. General -> HTTPS and "Allow Internet-only connections"
    2. Administration -> Site Configuration -> Servers and Site System Roles -> Internet MP

      1. General -> HTTPS and "Allow Internet-only connections"
      2. Administration -> Site Configuration -> Sites -> right-click, Properties
      3. Client Computer Communication tab -> choose HTTPS only, or HTTPS or HTTP
      4. Check "Use PKI client certificate (client authentication capability) when available"
      5. Import the Root CA certificate under Trusted Root Certification Authorities
  5. Install the client manually

    1. Option 1: manually add the Internet FQDN of the MP in the "Network" tab of the Configuration Manager client properties
    2. Option 2: include the Client.msi property CCMHOSTNAME=<Internet FQDN of the MP> (together with the ccmsetup /UsePKICert switch)
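Most IBCM failures trace back to a certificate that does not meet the requirements the setup above relies on: wrong EKU, no private key, a name that does not match the Internet FQDN, or an issuer the other side does not trust. As an added example, not part of the original page, the function below checks the local machine store for a certificate usable in a given role before the certificate is imported into a site system or the client is installed with /UsePKICert. The EKU OIDs are the standard server and client authentication OIDs; the FQDN, site code and store location in the usage lines are placeholders.

```powershell
# Added example (not code from the original page): pre-flight check of the PKI certificates
# IBCM depends on. Expected names and site code in the usage lines are assumptions.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication: Web Server (IIS) certificate on the Internet MP/DP/SUP
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication: client and distribution point certificates

function Test-CmPkiCertificate {
    param(
        [Parameter(Mandatory)][ValidateSet('WebServer', 'Client')][string]$Role,
        [string]$ExpectedFqdn,                        # for WebServer: the Internet FQDN clients will connect to
        [string]$StoreLocation = 'Cert:\LocalMachine\My'
    )
    $wantOid = if ($Role -eq 'WebServer') { $ServerAuthOid } else { $ClientAuthOid }
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StoreLocation) {
        $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # subject CN and SAN DNS names
        $problems = @()
        if ($ekus -notcontains $wantOid)                               { $problems += "missing EKU $wantOid" }
        if (-not $cert.HasPrivateKey)                                  { $problems += 'no private key' }
        if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now)      { $problems += 'outside validity period' }
        if ($ExpectedFqdn -and $names -notcontains $ExpectedFqdn)      { $problems += "name $ExpectedFqdn not in subject/SAN" }
        # Build the chain with revocation checking so an untrusted or revoked issuer is caught
        # here rather than as a TLS failure in ClientIDManagerStartup.log or LocationServices.log
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Expires    = $cert.NotAfter
            Role       = $Role
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# On the Internet-facing MP/DP (FQDN is a placeholder):
# Test-CmPkiCertificate -Role WebServer -ExpectedFqdn 'cm-internet.example.com' | Format-Table Usable, Subject, Expires, Problems
# On a client, before running: ccmsetup.exe /UsePKICert CCMHOSTNAME=cm-internet.example.com SMSSITECODE=PS1
# Test-CmPkiCertificate -Role Client | Where-Object Usable
```

Run the WebServer check on the site system with the account that will own the IIS binding, since HasPrivateKey reports the key as seen by the current user. A client with several client-authentication certificates will pass this check for each of them; the Configuration Manager client then applies its own selection criteria, which is why the site's certificate selection settings should match what the check reports as usable.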

Mobile Device Management (MDM) with Intune

Microsoft Intune is a cloud service that provides mobile device management (MDM). There are two modes of device management, Intune standalone and Hybrid MDM with Configuration Manager.

Intune is managed in SCCM under the Cloud Services node.

In a standalone environment, the devices are managed in the Intune web console. In the hybrid environment, the devices are integrated into SCCM and are automatically added to the All Mobile Devices collection.

Co-Management Model Released at Microsoft Ignite

A device cannot typically be managed in both. Once a device is managed in hybrid mode, the Intune web console is no longer available for it. The exception is co-management, a new mode released with SCCM 1710, which allows SCCM and Intune to both manage a Windows 10 device at the same time.

Azure Active Directory (Azure AD)

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service. It is synchronized with an on-premises AD so that clients can sign in with the same credentials while on the Internet.

Configuration Manager Advanced Dashboard

One of the components of the engagement was the Configuration Manager Advanced Dashboard.

The dashboard contains over 160 reports and was installed on the last day of the engagement. Included in the dashboard are reports on

  • Asset Inventory
  • Software Update Management
  • Application Deployment
  • Compliance Settings
  • Infrastructure Monitoring
  • Site Replica
  • Content replication
  • Software Distribution
  • Clients Health
  • Servers Health
  • SCEP

Dashboard Installation

In order to install the dashboard in our environment, the following variables were recorded:

A backup was then made of the SQL server database pertaining to reporting services, in addition to a snapshot taken on the site server, VCOMSCM005PRD.

To install the dashboard the POPCMAD_Tool.exe was used with the variables above:

As seen above, the new report path, Advanced Dashboard, was created which is the new root for the dashboard reports. All of these reports are now available at http://VCOMscm005prd/Reports/

As an example, one dashboard now available to us is the Client Health Statistics dashboard:

Disaster Recovery

A whitepaper for disaster recovery, "System Center 2012 Configuration Manager R2 – Disaster Recovery for Entire Hierarchy and Standalone Primary Site", was provided as part of the engagement and was written by Rushi Faldu, David Kwo, Sameer Patil, Steven Hernandez, Iris Fang and Kevin Kasalonis. Richard is working on an update to this whitepaper, which may be released to us when available.

A copy of the whitepaper can be found here:

https://www.microsoft.com/en-us/download/details.aspx?id=44295

Most Important Disaster Recover Takeaways for DGM

Although many topics were discussed and can be viewed in the whitepaper, of most importance to us were the ways in which SCCM can be recovered. Microsoft publishes baseline installation media only for some Configuration Manager versions; the in-console updates in between produce versions for which no standalone media exists. If you are on such a version, a recovery install can only be performed from the cd.latest directory on the site server, which is kept current with every installed update:

\\VCOMscm005prd\d$\Program Files\Microsoft System Center Configuration Manager\cd.latest

Therefore, backing up this directory is crucial in order to perform an SCCM recovery. Fortunately, the built-in Backup Site Server maintenance task now includes this folder; it is enabled in site maintenance at Administration > Overview > Site Configuration > Sites > (Right Click) AS1 – Contoso, Inc. > Site Maintenance

Although we have not enabled this task, it is important to understand its functionality. We are currently handling these disaster recovery efforts outside of SCCM using VEEAM:

  • SCCM Site Server VCOMSCM005PRD: Backed up in VEEAM as the whole server
  • SCCM SQL Servers VCOMSQL711PRD and VCOMSQL712PRD: Backed up in VEEAM as an application-aware backup (via the SQL Server volume shadow copy writer). This application-aware backup allows SQL Server to gracefully complete in-flight transactions before the backup is taken.

To restore an SCCM server, open the Veeam Backup & Replication Console on the backup server VCOMVBK001PRD, which allows the individual areas to be restored as seen here with the SQL server backups:

There is also a storage-level backup that houses 3-day virtual disk backups containing the VHDs for the SCCM virtual machines. These can also be used for restoration of the site server and SQL servers, depending on the restore scenario. To find the volume location, first locate the VM host in Virtual Machine Manager:

And also by viewing its full path to the virtual hard disks within the properties:

And then viewing its volumes in Dell Storage Manager Client:

Antivirus Exclusions for SCCM

In order to exclude SCCM from its own System Center Endpoint Protection scans, the following AV policies were applied under Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies:

  • EP – SVR – SCCM Site Server
  • EP – SVR – SCCM SQL Servers

These policies are deployed to collections with their respective names and associated servers. To configure the exclusions, the following website was used, which targets SCCM current branch:

https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/

Test-DGMSCEPPaths Tool

The tool, Test-DGMSCEPPaths.ps1, located at \\VCOMscm005prd\c$\admin, was written by David Maiolo. It is a small utility to test that folder paths exist before adding them to SCEP exclusion policies, so that a mistyped path does not silently leave a directory unexcluded.

The tool requires the –csvfile argument, the path to a CSV file containing one column, Path, listing the paths, and can be run as in the example below.

This tool proved very useful as it allowed us to notice the additional space in our default installation directory between "Configuration" and "Manager", as in D:\Program Files\Microsoft System Center Configuration  Manager\ (two spaces, which every exclusion path must reproduce exactly to match).

Core Function of the Test-DGMSCEPPaths.ps1 tool

Role Based Administration

The role-based administration model in SCCM centrally defines security access settings for all sites and site settings by using the following:

  • Security roles are assigned to administrative users to provide those users (or groups of users) permission to different Configuration Manager Objects.
  • Security scopes are used to group specific instances of objects that an administrative user is responsible to manage.
  • Collections are used to specify groups of user and device resources that the user can manage.

Each of these components collectively are combined to create the necessary security changes for user access.

Management of SCCM security is handled in Administration > Overview > Security > Administrative Users

Associating Users, Roles, Scopes and Collections Together

To get started with Role Based Administration, you will add the different user groups to the console at Administration > Overview > Security > Administrative Users. Think of these as the users that you will be dividing permissions amongst.

Next you will add a Security Role to this group. There are built-in security roles and also roles you can create, called custom roles. For this example, let's add the built-in Read-only Analyst role to the SCCM-Report-Viewers group:

Finally, you will add the security scopes and collections this group can view:

The security scopes are set elsewhere but only represent a name. “Securable objects” throughout SCCM are then configured to either be viewable or not viewable by this security scope.

Securable vs Non-Securable Objects

When building the security model for objects in SCCM, the idea of Securable objects is important. When clicking certain objects in SCCM, you may notice a lock icon allowing the security scope to be set:


This allows the object to be viewed only by administrative users in the selected security scopes. For example, clicking the lock icon while an alert subscription is selected lets us limit the object so that only the server team sees it; other users would not see this object within their console.

On the other hand, objects such as alerts are non-securable and must be controlled through a security role. Security roles do not hide the associated objects entirely from a user, but can be customized as to which permissions apply to the object, as seen in the security role properties for a custom role:

When creating new security roles, it is recommended to take one of the Built-in roles and copy it. This copy will become a custom role:

Built-in roles cannot be modified and are thought of generally as templates for custom roles.

Securable Objects managed by Security Scope

  • Alert subscriptions
  • Antimalware policies
  • Applications
  • Boot images
  • Boundary groups
  • Configuration items
  • Distribution points and distribution point groups
  • Driver packages
  • Global conditions
  • Migration jobs
  • Operating system images
  • Operating system installation packages
  • Packages
  • Queries
  • Sites
  • Software metering rules
  • Software update groups
  • Software update packages
  • Task sequence packages
  • Windows CE device setting items and packages

Non-Securable Objects managed by Security Role

  • Active Directory forests
  • Administrative users
  • Alerts
  • Boundaries
  • Computer associations
  • Default client settings
  • Deployment templates
  • Device drivers
  • Exchange Server connector
  • Migration site-to-site mappings
  • Mobile device enrollment profiles
  • Security roles
  • Security scopes
  • Site addresses
  • Site system roles
  • Software titles
  • Software updates
  • Status messages
  • User device affinities

Associating Configuration Items to Dynamic Collections for Automated Remediation

Configuration items (CIs) are useful for detecting compliance for a multitude of events and states on the computers within the company environment. For example, configuration items have been created and combined in a configuration baseline (CB) that detects all of the components required for a compliant Cisco AnyConnect installation:

Any one of these configuration items can be used as the query for a collection. For example, we can create collections that represent the computers that are not compliant for each of these items:

We can then target a remediation deployment to this collection, or, in this example, combine the configuration item collections into a configuration baseline collection, much like the logic for the actual CIs and CBs:

Creating Dynamic Collections Based off Configuration Items

Creating a dynamic collection based off computers that fail compliance for a configuration item is as simple as creating a collection with the same name as the CI and using this custom query to target your CI. Simply replace the DisplayName value with the name of your CI:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceID in (select SMS_CI_COMP.ResourceID from SMS_CI_CurrentComplianceStatus as SMS_CI_COMP inner join SMS_ConfigurationItem as SMS_CI on SMS_CI.ci_id = SMS_CI_COMP.ci_id where ((SMS_CI_COMP.DisplayName = "CI.Name.Of.Your.CI" and SMS_CI.islatest = 1 and SMS_CI_COMP.ComplianceState != 1)))
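Both collection designs on this page, the baseline collections in the "DGM Baseline Collections" section and the per-CI non-compliant collections just described, are built the same way: a device collection with one WQL query rule, then exclude or include rules that combine them. As an added example, not the page's own scripts, the script below creates them with the ConfigurationManager PowerShell module: three of the baseline collections from their queries, a "healthy" baseline that includes All Systems and excludes them, and one collection per CI from the query template above, all included into a baseline collection that mirrors the CB. The site code, collection names, CI names and the daily refresh schedule are assumptions; the remaining baseline queries can be added to the table in the same form.

```powershell
# Added example (not code from the original page): creating the baseline and CI-driven collections
# with the ConfigurationManager module. Site code, names and schedule are assumptions.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"   # module ships with the console
$SiteCode = 'PS1'                                                         # assumption
Set-Location "${SiteCode}:"

$Limiting = 'All Systems'
$Schedule = New-CMSchedule -RecurInterval Days -RecurCount 1

function New-DgmQueryCollection {
    # Creates (or reuses) a device collection and attaches one WQL query rule named after it
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Query, [string]$LimitingCollection = $Limiting)
    $coll = Get-CMDeviceCollection -Name $Name
    if (-not $coll) {
        $coll = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollection -RefreshType Periodic -RefreshSchedule $Schedule
    }
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name)) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name -QueryExpression $Query
    }
    $coll
}

$Select = 'select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client from SMS_R_System'
$Active = 'SMS_R_System.ResourceId in (select ResourceId from SMS_G_System_CH_ClientSummary where ClientActiveStatus = 1)'

# Baseline exclusion collections (queries from the "DGM Baseline Collections" section)
$Baselines = [ordered]@{
    'Baseline – Inactive Clients'       = "$Select inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceId = SMS_R_System.ResourceId where SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0"
    'Baseline – HW Missing'             = "$Select inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model is null and $Active"
    'Baseline – HW Inventory > 30 Days' = "$Select where SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from SMS_R_System inner join SMS_G_System_WORKSTATION_STATUS on SMS_G_System_WORKSTATION_STATUS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_WORKSTATION_STATUS.LastHardwareScan >= DateAdd(dd, -30, getdate())) and $Active"
}
foreach ($name in $Baselines.Keys) { New-DgmQueryCollection -Name $name -Query $Baselines[$name] | Out-Null }

# Healthy baseline = All Systems minus every exclusion collection. A collection with only exclude rules
# is empty, so All Systems must be included first; other collections then limit against this one.
$Healthy = 'Baseline – Healthy Clients'
if (-not (Get-CMDeviceCollection -Name $Healthy)) {
    New-CMDeviceCollection -Name $Healthy -LimitingCollectionName $Limiting -RefreshType Periodic -RefreshSchedule $Schedule | Out-Null
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $Healthy -IncludeCollectionName $Limiting
}
foreach ($name in $Baselines.Keys) { Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $Healthy -ExcludeCollectionName $name }

# One collection per CI from the query template above, all included into a CB-level collection (names are assumptions)
$CiNames      = @('CI – AnyConnect Client Installed', 'CI – AnyConnect Service Running')
$CbCollection = 'CB – Cisco AnyConnect Non-Compliant'
if (-not (Get-CMDeviceCollection -Name $CbCollection)) {
    New-CMDeviceCollection -Name $CbCollection -LimitingCollectionName $Healthy -RefreshType Periodic -RefreshSchedule $Schedule | Out-Null
}
foreach ($ci in $CiNames) {
    $ciEscaped = ($ci -replace '\\', '\\') -replace '"', '\"'   # WQL string literal: escape backslash and quote
    $q = "$Select where SMS_R_System.ResourceID in (select SMS_CI_COMP.ResourceID from SMS_CI_CurrentComplianceStatus as SMS_CI_COMP inner join SMS_ConfigurationItem as SMS_CI on SMS_CI.ci_id = SMS_CI_COMP.ci_id where SMS_CI_COMP.DisplayName = `"$ciEscaped`" and SMS_CI.islatest = 1 and SMS_CI_COMP.ComplianceState != 1)"
    New-DgmQueryCollection -Name $ci -Query $q -LimitingCollection $Healthy | Out-Null
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $CbCollection -IncludeCollectionName $ci
}
```

The CI collections are limited to the healthy baseline rather than to All Systems, so a machine that has stopped reporting compliance state because its client is broken does not show up as an AnyConnect remediation target; it shows up in the baseline collections instead, where the client fix belongs.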

Additional Readings

These additional website readings were presented during the engagement.

ConfigMgr 2012 R2 Certificate Requirements and HTTPS configuration

January 21, 2015 by Ian Bartlett

https://blogs.technet.microsoft.com/configmgrdogs/2015/01/21/configmgr-2012-r2-certificate-requirements-and-https-configuration/

Refreshing State Messages

https://blogs.technet.microsoft.com/scotts-it-blog/2015/02/23/refreshing-state-messages-in-system-center-configuration-manager-2012/

Example scenario to deploy monthly updates

https://docs.microsoft.com/en-us/sccm/sum/deploy-use/example-scenario-deploy-monitor-monthly-security-updates

High CPU / high memory in WSUS following Update Tuesdays

https://blogs.technet.microsoft.com/configurationmgr/2017/08/18/high-cpuhigh-memory-in-wsus-following-update-tuesdays/

The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

SCCM Pending Reboot reports

http://blogs.technet.com/b/smartinez/archive/2014/06/27/reboot-pending-report-how-to-create-the-report.aspx

Configuration Manager Current Branch Antivirus Exclusions (May 24, 2017)

https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/
