Managing Unprovisioned Computers in System Center 2012 Configuration Manager
I was recently asked about troubleshooting operating system deployments. One item in particular concerned failures with unknown computers. An administrator was deploying Windows 7 to a group of devices but did not have the content replicated out to the distribution points. I pointed out that we have a rich content monitoring experience to ensure the content is available prior to deployment. =) Of course, we know that things happen and there can be issues with operating system deployments.
First things first: we resolved the content issue. With that resolved, we wanted to restart the deployment. Because the unknown computer started the process by selecting the task sequence, it generated a temporary ‘unknown’ record. We need to clear that record to restart the deployment. This type of record will exist for any failed unknown computer deployment.
By default the temporary unknown record is part of All Systems. Naturally we do not want to grant delete permissions on All Systems, so we can create a custom collection and delegate permissions on it to the correct operating system deployment administrator.
Before we begin, save the UnprovisionedComputers.Zip from the blog and extract it.
There are three steps:
- Import a custom collection ‘Unprovisioned Computers’
- Import a custom security role ‘Computer Deletion Manager’
- Associate the security role with the new collection
Import a custom collection:
- Go to Assets and Compliance > Device Collections and select Import Collections
- Browse to the UnprovisionedComputers.mof file (part of the downloaded ZIP file) and complete the wizard to import
Note: This links to All Systems so you need to have access to that collection to import.
To delete the record, an admin will need Collection Resource Delete permissions. You can add this to your current roles or you can import the custom role I have attached.
Create a custom security role:
- Go to Administration > Security > Security Roles
- Select Import Security Role from the ribbon
- Browse to the Computer Deletion Manager XML file (part of the downloaded ZIP file) and click OK.
- You will now see a new custom role ‘Computer Deletion Manager’
Now we need to configure the administrator with the correct permissions.
Associate the administrator with correct roles and permissions:
- If you have not already done so, add the user or group to the administrative users
- Administration > Security > Administrative Users > Add User or Group
- Select the user or group and assign them the Operating System Deployment Manager and Computer Deletion Manager roles
- Go to the properties of the user and select the ‘Security Scopes’ tab
- Select the radio button ‘Associate assigned security roles with specific security scopes and collections’
- Select the Computer Deletion Manager role and click Edit
- Ensure you only have Unprovisioned Computers and a default scope. This can be your scope for OSD objects (or you can make a scope that is not assigned to anything). Click OK.
- Select the Operating System Deployment Manager role and click Edit
- Add the appropriate collections and scopes. At this point add any collection you want to give the administrator permissions to deploy. Click OK.
Note: the collection you assign cannot be edited, only collections limited by it. This is so that an admin cannot change their own scope. So if you want the admin to change rules directly on the OSD collection, make sure to assign them a higher-level collection that the OSD collection is limited by.
- Click OK to save
With this in place, the administrator can delete only objects that are in an unprovisioned state. This is done from the Devices node under Assets and Compliance. The administrator cannot delete managed clients.
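One way to verify the scoping once it is saved, as an added example that is not part of the original post or its ZIP attachment: the function flags any collection other than Unprovisioned Computers that the Computer Deletion Manager role is associated with. `Test-DeletionRoleScope`, `New-Row`, the row property names (modelled on the SMS Provider's SMS_APermission class), the type codes and the sample IDs are assumptions or constructed values.

```powershell
# Added example (not from the original post): check where a delete-capable role
# is bound for one administrator. Rows mimic SMS_APermission entries; property
# names and CategoryTypeID codes are assumptions to confirm on your site.
function Test-DeletionRoleScope {
    param(
        [Parameter(Mandatory)] [object[]] $Permissions,
        [string] $RoleName          = 'Computer Deletion Manager',
        [string] $AllowedCollection = 'Unprovisioned Computers',
        [int]    $CollectionTypeId  = 1   # assumed: 1 = collection, 29 = security scope
    )
    $findings = @()
    # Collection bindings for the role under review.
    $bound = @($Permissions | Where-Object {
        $_.RoleName -eq $RoleName -and $_.CategoryTypeID -eq $CollectionTypeId
    })
    if ($bound.Count -eq 0) {
        $findings += "Role '$RoleName' is not bound to any collection."
    }
    foreach ($p in $bound) {
        # Any collection other than the dedicated one widens what can be deleted.
        if ($p.CategoryName -ne $AllowedCollection) {
            $findings += "Role '$RoleName' reaches '$($p.CategoryName)' ($($p.CategoryID))."
        }
    }
    [pscustomobject]@{
        Role      = $RoleName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample rows; every ID except SMS00001 (All Systems) is made up.
function New-Row($role, $id, $name, $type) {
    [pscustomobject]@{ RoleName = $role; CategoryID = $id; CategoryName = $name; CategoryTypeID = $type }
}
$scoped = @(
    (New-Row 'Computer Deletion Manager' 'XYZ00012' 'Unprovisioned Computers' 1),
    (New-Row 'Computer Deletion Manager' 'XYZ00SCP' 'OSD Scope' 29),
    (New-Row 'Operating System Deployment Manager' 'XYZ00020' 'OSD Targets' 1)
)
$tooWide = $scoped + (New-Row 'Computer Deletion Manager' 'SMS00001' 'All Systems' 1)

Test-DeletionRoleScope -Permissions $scoped    # role bound to the dedicated collection only
Test-DeletionRoleScope -Permissions $tooWide   # role additionally bound to All Systems
```

On a live site the rows would come from the administrator's permission list in the SMS Provider rather than from sample data; retrieving them is outside this example.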
Additionally, if you want to have a nice view to see the devices in this state, you can import the query attached to the blog. This will list all the devices, their MAC address and SMBIOS IDs.
Create an unprovisioned computers query:
- Go to Monitoring > Queries and select Import Objects
- Browse to the AllUnprovisionedComputersQuery.mof (part of the downloaded ZIP file) and complete the wizard to import
Thanks to Steven Gao for assistance with the blog.
John Vintzel
Microsoft Corporation | Sr. Program Manager | System Center Configuration Manager | twitter: jvintzel
http://blogs.technet.com/b/inside_osd
This posting is provided "AS IS" with no warranties, and confers no rights.