You could make it only allow direct membership rules... wouldn't that cover
everything then?

On Thu, May 21, 2015, 12:17 PM Jason Sandys <[email protected]> wrote:

>  What if someone accidentally adds a security group containing all domain
> computers to the collection?
>
>
>
> There simply are too many what ifs and possibilities on this one and so
> yes, the below would help mitigate the risk, as does the high risk
> collection detection that they added to R2 SP1/RTM SP2, but nothing will
> ever mitigate the risk entirely – except not using required deployments.
> I’m not saying don’t use them (well, actually I do recommend never to use
> them) but if you choose to use them there is always some risk involved and
> that you need to understand as well as accept this and put checks in place
> to control the risk.
>
>
>
> J
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Ryan
> *Sent:* Thursday, May 21, 2015 10:06 AM
>
>
> *To:* [email protected]
> *Subject:* Re: [mssms] Switch to UEFI during OSD
>
>
>
> I can greatly reduce and/or eliminate that risk with status filter rules.
> I've been wanting to write a system that did the following:
>
>
>
> Query 1: Whenever a TS deployment is made, run a PS script that checks the
> number of clients in the collection. If > a certain %, it changes the
> deadline date of the deployment. Also, it creates a status message query
> for the collection it's deployed to that runs a PS script whenever the
> collection properties are changed (i.e., rule added). That script waits until
> the collection refresh is complete and then checks the number of clients.
> If > a certain %, it changes the deadline date of the deployment. It could
> also automatically remove any include collection rules to avoid the "I added
> to x collection which includes to y collection which adds the computer to
> the imaging collection" scenario.
>
>
>
> Query 2: Whenever a collection is removed it checks if any status filter
> rules are associated with the collection and, if there are, removes them.
>
>
>
> Query 3: Whenever a TS deployment is removed it removes status filter
> rules associated with it.
>
>
>
> I'd prefer something like this was built into ConfigMgr, but status filter
> rules could probably do it.
>
>
>
> On Thu, May 21, 2015 at 9:53 AM, Jason Sandys <[email protected]> wrote:
>
>  Nothing as long as someone doesn’t accidentally add unwanted systems to
> that collection or accidentally add a query that in turn adds unwanted
> systems (or all systems). These are risks for you to weigh and there are
> ways of mitigating them but there are at least three very well known cases
> of a TS being deployed as required to all systems in an environment and
> causing major havoc as well as being an RGE.
>
>
>
> J
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Steve Whitcher
> *Sent:* Thursday, May 21, 2015 9:38 AM
>
>
> *To:* [email protected]
> *Subject:* Re: [mssms] Switch to UEFI during OSD
>
>
>
> I do mandatory OS deployment TS, to a collection specifically for machines
> to be (re)imaged.  Is there something wrong with that?
>
>
>
> On Tue, May 19, 2015 at 4:28 PM, Michael Niehaus <[email protected]> wrote:
>
>  That would cause issues with a mandatory TS PXE boot, but hopefully no
> one does mandatory OS deployment task sequence deployments anyway :)
>
>
>
> Thanks,
>
> -Michael
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Niall Brady
> *Sent:* Tuesday, May 19, 2015 1:58 PM
> *To:* [email protected]
>
>
> *Subject:* Re: [mssms] Switch to UEFI during OSD
>
>
>
> No, it's not a TS, it's a prestart (before a TS) which would detect if
> legacy and, if so, change to UEFI, reboot and then on with normal business.
>
>
>
> On Tue, May 19, 2015 at 10:53 PM, Roland Janus <[email protected]> wrote:
>
>  Doesn’t that reboot also mean the TS, with the prestart, has to run
> again?
>
> That would be an issue with a required TS and PXE boot.
>
>
>
> -Roland
>
>
>
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Roland Janus
> *Sent:* Tuesday, 19 May 2015 22:26
> *To:* [email protected]
> *Subject:* RE: [mssms] Switch to UEFI during OSD
>
>
>
> What’s the magic part here, that it is in prestart?
>
> I can get HPs to switch to UEFI with a command line, but I think doing it
> in a single TS is the hard or impossible part.
>
> Would prestart help here also?
>
>
>
> -Roland
>
>
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *[email protected]
> *Sent:* Tuesday, 19 May 2015 16:50
> *To:* [email protected]
> *Cc:* [email protected]
> *Subject:* RE: [mssms] Switch to UEFI during OSD
>
>
>
> *Dell - Internal Use - Confidential*
>
> Dell IT has worked out a Legacy -> UEFI solution using the Dell PowerShell
> Provider.  Bill Moore blogged about it here -
> http://www.billamoore.com/2014/05/16/easy-legacy-efi-dells-powershell-provider/
>
>
>
>
> Thanks,
>
>
>
> Warren
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Michael Niehaus
> *Sent:* Monday, May 18, 2015 11:58 PM
> *To:* [email protected]
> *Subject:* RE: [mssms] Switch to UEFI during OSD
>
>
>
> Overall, it’s a painful thing to do – most people who ask want to do this
> as part of an OS refresh, preserving user data and settings at the same
> time without moving data off of the system.  We don’t recommend even trying
> – just keep the system running legacy BIOS emulation until it’s replaced
> (or until you “reclaim” the system for redeployment).
>
>
>
> If you just want to automate the switchover (and destroy the contents of
> the drive later), it’s a little easier, but still vendor-specific (to
> modify firmware settings).
>
>
>
> You would only want to consider this for Windows 8 logo-certified devices
> (those running UEFI 2.3.1 or higher), since previous UEFI versions were way
> too flaky.
>
>
>
> I would also start thinking about this as a point-forward change:  Stop
> deploying Windows 7 systems using legacy BIOS emulation if you are planning
> to upgrade or refresh them to Windows 10 sometime within the machine’s
> lifetime.
>
>
>
> Thanks,
>
> -Michael
>
>
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Niall Brady
> *Sent:* Monday, May 18, 2015 9:49 PM
> *To:* [email protected]
> *Subject:* Re: [mssms] Switch to UEFI during OSD
>
>
>
> I've thought about it and perhaps you could build some type of script to
> run before the prestart even, which checks for UEFI and if not, sets the
> BIOS to UEFI (Lenovo and others have scripts for that), then reboots to the
> correct mode before allowing you to select a UEFI mode task sequence.
>
> You'd have to use something that kicks off before the task sequence
> engine, like this
> <http://www.windows-noob.com/forums/index.php?/topic/12277-updated-script-how-can-i-check-for-network-connectivity-storage-before-starting-a-task-sequence-in-system-center-2012-r2-configuration-manager/>
>
> I have not tested it, but I believe it will work for some hardware at
> least. The key is that it would be a script that is not task sequence
> aware, that runs before your task sequence and involves user input of some
> sort (to make the decision).
>
>
>
> On Tue, May 19, 2015 at 1:07 AM, Jason Sandys <[email protected]> wrote:
>
>  Correct. There have been discussions on this by Tim Mintner, Keith Garner,
> and Michael Niehaus and the conclusion is that this is not possible in an
> unattended manner or with a single TS.
>
>
>
> J
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Roland Janus
> *Sent:* Monday, May 18, 2015 5:02 PM
> *To:* [email protected]
> *Subject:* [mssms] Switch to UEFI during OSD
>
>
>
> Anyone tried that?
>
>
>
> Switching the BIOS to UEFI with a command line isn’t the problem, but
> doing this as part of OSD might be.
>
> Refresh using hardlinks can’t work, but anyone tried switching to UEFI
> during OSD for baremetal?
>
> (That of course would lead to a mix of legacy and UEFI installations)
>
>
>
> Assuming the computer is currently configured to use legacy BIOS mode,
> that seems like a chicken/egg problem.
>
>
>
> -Roland
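As an added example that is not code from anyone in this thread, here is a PowerShell guard in the spirit of Ryan's first rule and the suggestion to allow only direct membership rules: it reports how large a collection is relative to All Systems and whether any include or query rules could silently grow it. It assumes the ConfigurationManager module is loaded and the current location is the site drive; the collection ID, the percentage threshold and the Safe/Findings output shape are my own choices.

```powershell
<#
  Example guard script (not from the thread). Assumes:
    - ConfigurationManager module imported and Set-Location to the site drive done
    - -CollectionId is the collection a required TS is deployed to
    - the threshold is a constructed value; pick one that fits the environment
#>
param(
    [Parameter(Mandatory)] [string] $CollectionId,
    [int] $MaxPercentOfAllSystems = 5,
    [switch] $RequireDirectRulesOnly
)

$coll = Get-CMCollection -Id $CollectionId
if (-not $coll) { throw "Collection $CollectionId not found" }

# 'All Systems' has the well-known collection ID SMS00001
$allSystems = (Get-CMCollection -Id 'SMS00001').MemberCount
$pct = if ($allSystems -gt 0) { [math]::Round(100 * $coll.MemberCount / $allSystems, 2) } else { 0 }

$findings = @()
if ($pct -gt $MaxPercentOfAllSystems) {
    $findings += "Collection '$($coll.Name)' holds $($coll.MemberCount) of $allSystems systems ($pct%), above the $MaxPercentOfAllSystems% threshold"
}

# Include and query rules are how an imaging collection grows without anyone adding
# a device by name (e.g. an include of a collection that itself includes All Systems);
# direct rules name explicit resources and are the only kind this check treats as safe.
$includeRules = @(Get-CMDeviceCollectionIncludeMembershipRule -CollectionId $CollectionId)
$queryRules   = @(Get-CMDeviceCollectionQueryMembershipRule   -CollectionId $CollectionId)
$directRules  = @(Get-CMDeviceCollectionDirectMembershipRule  -CollectionId $CollectionId)

foreach ($r in $includeRules) { $findings += "Include rule pulls in collection $($r.IncludeCollectionID)" }
foreach ($r in $queryRules)   { $findings += "Query rule '$($r.RuleName)': $($r.QueryExpression)" }
if ($RequireDirectRulesOnly -and ($includeRules.Count + $queryRules.Count) -gt 0) {
    $findings += "Only direct rules are allowed for imaging targets; found $($includeRules.Count) include and $($queryRules.Count) query rules"
}

# Emit one object so a status filter rule or scheduled job can act on .Safe / .Findings
[pscustomobject]@{
    CollectionId = $CollectionId
    Name         = $coll.Name
    MemberCount  = $coll.MemberCount
    PercentOfAll = $pct
    DirectRules  = $directRules.Count
    IncludeRules = $includeRules.Count
    QueryRules   = $queryRules.Count
    Safe         = ($findings.Count -eq 0)
    Findings     = $findings
}
```

Run it from a status filter rule on deployment creation or collection change, as Ryan describes, or on a schedule; what to do when Safe is false (push the deadline out, disable the deployment, alert) is the part that needs a decision per environment.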