According to the product folks, on average a typical ConfigMgr environment has between 2,000 and 15,000 devices, so let’s take that upper client number for our example. Most organizations that size and smaller have Client Policy set at about 60 minutes.
15,000 Devices / Checking in every 60 Minutes = 250 devices per minute. If you assume that at peak hours only about 75% of devices are on, then you get to 187.5 devices per minute. So, if you have 187 devices format their hard drive, it’s still a bad day… Certainly better than an Emory scale incident, but still a very bad day. If you have 2,000 devices, that is still a high enough number to potentially cause someone to lose their job.

I think safeguards like this are a worthwhile pursuit, but they must be tied to ensuring the only people with permissions to make deployments of things like Task Sequences have a commensurate level of understanding that they can destroy stuff, and that those permissions are scoped only to the devices that they are responsible for.

I’m still rooting for the ConfigMgr product team to change the wizard for creating Deployments of Task Sequences to add an extra page when you select “Required”. That page would show the summary information and ask “Are you positive you aren’t about to Emory?” and the admin must type “I am certain. Furthermore, I agree to pay Nash a total of 5 US Dollars if I make a mistake.” to proceed. But, until that happens, I think this would be a pretty decent stopgap.
☺

Nash

Nash Pherson
Microsoft MVP, Enterprise Client Management
Senior Systems Consultant
Now Micro

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ryan
Sent: Tuesday, July 29, 2014 11:21 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Deployment warning system?

I just got the query:

    Select * From SMS_DeploymentSummary
    join SMS_Collection on SMS_DeploymentSummary.CollectionID = SMS_Collection.CollectionID
    where SMS_DeploymentSummary.DeploymentIntent = 2

The query executes quickly and you can pull all the Deployment information as well as the number of users / devices in the collection. From there on it is just a quick PowerShell script which loads two text files and does some string comparisons. I wouldn't think this would slow down anything and you can be notified of Applications, Packages, Software Update Groups, Baselines and Task Sequences with this script.

Now, here's the question. If it changes the deployment start time 59 seconds after the deployment was started, is that enough time to keep most online devices from starting the image? My test with an app says yes in a test environment of 4 computers, so clearly the answer is yes for environments of thousands of computers.
:-)

On Tue, Jul 29, 2014 at 11:08 AM, Todd Hemsell <hems...@gmail.com> wrote:

make a table in mdt db
every time a machine starts to image write a row with name and time in mdt
select * from that table where date > 30 min ago
If it returns more than X rows exit with an error

On Tue, Jul 29, 2014 at 11:05 AM, Ryan <ryan2...@gmail.com> wrote:

I think it's just as likely someone might add too many computers to a collection with a required deployment on it. This is why I'd want a little more logic. I'll need to do a little testing to see the most efficient way to get in real time the number of devices something is deployed to. I'm not sure the Deployment Summary class is in real time, but if it is that's the best.

Here was the logic I sketched out:

When launched, it detects if there is a scheduled task, or if the script is run as a scheduled task

• If no scheduled task is detected on the computer
  o It displays a UI which allows users to enter in an e-mail user name and password, who to notify, deployments to exclude, and if they want to stop task sequences from being deployed
  o Then, they will be able to create the scheduled task
  o If a scheduled task is created on another computer, there will be a button which allows them to connect to a remote computer and switches to the UI if a scheduled task is detected
• If a scheduled task is detected
  o It displays a UI which lists all the task sequences it stopped and allows the user to “approve” a task sequence and change some other generic settings like e-mail address, how often it will run, etc.
• If it is run as a scheduled task
  o It checks to see if there are any deployments which are required and deployed to x% of the company
  o When it finds one:
    • It first checks the exclusion list.
    • If the deployment is on the exclusion list, it skips it
    • If the deployment is not on the exclusion list
      • It sends an e-mail to the list of people specified in the configuration with the deployment information
      • If it is a task sequence, it changes the start date to a year out
      • It adds the deployment to the exclusion list
    • If a deployment is on the exclusion list but not found in the query, it is removed from the exclusion list

Exclusion lists and stopped task sequences would be stored in a file somewhere on the server running this scheduled task.

If someone else wants to create something like this then by all means do it. I'm working on a new right click tool version so I won't be able to start on it for two or three weeks.

On Tue, Jul 29, 2014 at 10:41 AM, Todd Hemsell <hems...@gmail.com> wrote:

no need, you use WMI Eventing
on event deployment created
check the deployment, do other stuff

On Tue, Jul 29, 2014 at 9:55 AM, Ryan <ryan2...@gmail.com> wrote:

I was thinking of a scheduled task that runs a script every minute, this way I can add a tiny bit of logic into it. I'd think the overhead would be the same. Don't WMI triggers run the query you specify every x seconds and trigger the action if something is returned in the query?

How would you exclude something if it is actually supposed to go out to x% of your computers?

On Tue, Jul 29, 2014 at 8:38 AM, Michael Mott <michael.m...@1e.com> wrote:

Hasn’t the Shy WMI guy already have these triggers in place or blogged out?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ryan
Sent: Monday, July 28, 2014 11:58 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Deployment warning system?

If you think of something, let me know.
Otherwise, I've been thinking of writing something to notify you if you add too many devices to a collection or if you make a new deployment and deploy it to more than x devices. I was also thinking of making it auto-delay (change start date) a required task sequence until you tell it to allow the task sequence. I just need to find the most elegant way of checking every minute if deployments fit that criteria.

On Mon, Jul 28, 2014 at 4:31 PM, Atkinson, Matt <matt.atkin...@providence.org> wrote:

Hi All,

We’ve been kicking around the idea of some kind of warning system to notify our SCCM team via email when someone creates a deployment targeting more than $x number of computers. Has anyone out there seen or built something like that? I think I can put something together using WMI events and PowerShell, but want to make sure it doesn’t already exist before heading down that path.

Thanks!

-Matt
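
The "run as a scheduled task" branch of the logic sketched in the thread, as an added example that is not code from any of the posters: it takes the rows the thread's query would return, applies the x% threshold and the exclusion list, and returns what to e-mail about, which task sequences to push a year out, and the pruned exclusion list. The function name, the sample DeploymentIDs and the reading of FeatureType 7 as "task sequence" are assumptions; the rows are constructed, and no ConfigMgr call is made.

```powershell
# Added example: one pass of the scheduled-task branch, decision logic only.
# Property names follow the SMS_DeploymentSummary / SMS_Collection join.
$TaskSequenceFeatureType = 7   # assumption: FeatureType value for a task sequence

function Invoke-DeploymentGuardPass {   # hypothetical name
    param(
        [object[]] $Deployments = @(),       # required deployments from the query
        [ValidateRange(1, [int]::MaxValue)]
        [int] $TotalDevices = 1,             # device count the x% is measured against
        [double] $ThresholdPercent = 10,     # the "x%" from the sketch
        [string[]] $ExclusionList = @(),     # DeploymentIDs already handled or approved
        [datetime] $Now = (Get-Date)
    )

    # Deployments that reach at least x% of the company's devices.
    $flagged = @($Deployments | Where-Object {
        (100.0 * $_.MemberCount / $TotalDevices) -ge $ThresholdPercent })

    $notify = @(); $delay = @()
    foreach ($d in $flagged) {
        if ($ExclusionList -contains $d.DeploymentID) { continue }  # on the list: skip
        $notify += $d                                               # goes in the e-mail
        if ($d.FeatureType -eq $TaskSequenceFeatureType) {
            # Task sequences get their start date moved a year out.
            $delay += [pscustomobject]@{
                DeploymentID = $d.DeploymentID; NewStart = $Now.AddYears(1) }
        }
    }

    # Prune exclusions no longer returned by the query, then add what was handled now.
    $flaggedIds = @($flagged | ForEach-Object { $_.DeploymentID })
    $stillValid = @($ExclusionList | Where-Object { $flaggedIds -contains $_ })
    $newList    = $stillValid + @($notify | ForEach-Object { $_.DeploymentID })

    [pscustomobject]@{ Notify = $notify; Delay = $delay; ExclusionList = $newList }
}

# Constructed sample: 15,000 devices, 10% threshold, one stale exclusion (CON2000F).
$sample = @(
    [pscustomobject]@{ DeploymentID = 'CON20001'; FeatureType = 7; MemberCount = 9000 }
    [pscustomobject]@{ DeploymentID = 'CON20002'; FeatureType = 1; MemberCount = 4000 }
    [pscustomobject]@{ DeploymentID = 'CON20003'; FeatureType = 7; MemberCount = 40 }
)
$result = Invoke-DeploymentGuardPass -Deployments $sample -TotalDevices 15000 `
    -ThresholdPercent 10 -ExclusionList 'CON20002', 'CON2000F'
$result | Format-List
```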