As you might assume, a Collection in SCCM is a collection of computers determined by a set of rules.
By default, a Collection will be created for each delegated OU, that contains the entire list of computers within the OU. The <OU>-OU Admins group will be all permissions except modifying the Membership Rules and Limiting Collection settings (which would let you include other unit’s computers). Additional custom Collections that are created will need to have the “limit to:” setting targeting the initial pre-created Collection. All custom Collections must have a “limit to:” setting targeting a Collection the user account has Read on.
These custom Collections need to be named <OU>-whatever, following standard naming conventions.
Collections that follow standard conventions for Operating Systems and Software Packages should be created under the “Operating System Collections” and “Software Package Collections” folders in the console. A script to automate the creation of software package collections that observe the standard conventions has been published here: Create SCCM Software Package Collections.
Queries are used for doing dynamic membership rules for Collections. They can also be used for simple, spreadsheet-ish reports (under Montioring\Queries in the SCCM Console).
Example of a Query that pulls in all computers within a given OU:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "WOLFTECH.AD.NCSU.EDU/NCSU/COE/COEDEAN/PUBLIC LABS"
Example of a Query that pulls in all computers within a group:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = "WOLFTECH\\COEDEAN-EB3-2108-Active"
Example of a Query that pulls in all computers within an EX\SW software group, but not in the DN deny group:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.SystemGroupName = "WOLFTECH\\NCSU-EX-MathWorks-MATLAB-R2013a" or SMS_R_System.SystemGroupName = "WOLFTECH\\NCSU-SW-MathWorks-MATLAB-R2013a") and SMS_R_System.Name not in (select SMS_R_System.Name from SMS_R_System where SMS_R_System.SystemGroupName = "WOLFTECH\\NCSU-DN-MathWorks-MATLAB-R2013a")
Example of a Query that pulls all computers with a file named “iexplore.exe” in a path like “%prog%internet%” and a version less than 8:
select distinct SMS_G_System_SoftwareFile.FileDescription, SMS_G_System_SoftwareFile.FileVersion, SMS_G_System_SYSTEM.Name, SMS_G_System_OPERATING_SYSTEM.Caption, SMS_R_System.ResourceNames from SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "iexplore.exe" and SMS_G_System_SoftwareFile.FilePath like "%prog%internet%" and SMS_G_System_SoftwareFile.FileVersion < "8" order by SMS_G_System_SYSTEM.Name
Example of a Query that pulls all Bitlocker Info from after “9/27/2011 10:57:58 AM” and uses Table Aliasing to clean up the code (the “AS” part of the Query):
select SMS_R_System.NetbiosName, BL.DeviceID, BL.DriveLetter, BL.GroupID, BL.PersistentVolumeID, BL.ProtectionStatus, BL.ResourceID, BL.RevisionID, BL.TimeStamp from SMS_R_System inner join SMS_G_System_BITLOCKER AS BL on BL.ResourceID = SMS_R_System.ResourceId where BL.TimeStamp > "9/27/2011 10:57:58 AM"
Collections in SCCM have settings on them that control how the machines interact with other portions of the system.
If a computer is a member of multiple collections, each applying different maintenance windows, then the following actions will be taken:
- If maintenance windows do not overlap then they are treated as separate maintenance windows
- If the maintenance windows do overlap, it will be treated as a single maintenance window including all the time covered by both maintenance windows
Power management settings allow to set or prevent power management schedules. You can have a Peak plan and a Non-peak plan.
Careful! If you are setting power policies within SCCM please verify you are not enabling the “Require a Password When a Computer Wakes” setting. SCCM 2012 checks to see if Group Policy has set any power policy settings before applying its own; this is something that SCCM 2007 did not do. If there is a conflict SCCM will NOT apply its own settings. The NCSU-level Windows 7 Desktop Policy is applying that setting and the default in the SCCM power plans needs to be disabled. To check to see if you are experiencing this issue check in your C:\Windows\CCM\Logs\PwrProvider.log for the error “Error code 1260, Conflict with Group Policy”.
Note that the “Wakeup time” setting is a bios timer, not a WoL packet, and does not apply to laptops.
If a computer is a member of multiple collections, each applying different power plans, then the following actions will be taken:
- Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used.
- Wakeup time: If multiple wakeup times are applied to a desktop computer, the time closest to midnight is used.
In order for a Computer to run an Advertisement that is targeting a Collection based on Group Membership (like say, putting a computer into a software group), the following conditions must be met:
- The Computer is installed and joined to AD
- The SCCM Agent is installed – requires a couple reboots to get cert, install script, and installation run
- System Discovery Runs (the computer object is created in SCCM) – every four hours starting at 12 AM
- Security Group Discover Runs (the group memberships on the computer object in SCCM are updated) – every four hours starting at 1 AM
- Collection Membership is updated (the collection is updated with the computers meeting the criteria) – every four hours starting when the collection was created
- Client Checks In – every fifteen minutes
- Maintenance Windows are evaluated – is the client allowed to run the Advertisement at this time