You could also tie this into Orchestrator and if the number of computers added is > 80% of your environment it can get the termination process started on that user.

On Thu, May 21, 2015 at 11:59 AM, Ryan <[email protected]> wrote:

> You could make it only allow direct membership rules... wouldn't that
> cover everything then?
>
> On Thu, May 21, 2015, 12:17 PM Jason Sandys <[email protected]> wrote:
>
>> What if someone accidentally adds a security group containing all
>> domain computers to the collection?
>>
>> There simply are too many what ifs and possibilities on this one and so
>> yes, the below would help mitigate the risk, as does the high risk
>> collection detection that they added to R2 SP1/RTM SP2, but nothing will
>> ever mitigate the risk entirely – except not using required deployments.
>> I’m not saying don’t use them (well, actually I do recommend never to use
>> them) but if you choose to use them there is always some risk involved and
>> that you need to understand as well as accept this and put checks in place
>> to control the risk.
>>
>> J
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ryan
>> *Sent:* Thursday, May 21, 2015 10:06 AM
>> *To:* [email protected]
>> *Subject:* Re: [mssms] Switch to UEFI during OSD
>>
>> I can greatly reduce and/or eliminate that risk with status filter rules.
>> I've been wanting to write a system that did the following:
>>
>> Query 1: Whenever a TS deployment is made, run a PS script that checks
>> the number of clients in the collection. If > a certain %, it changes the
>> deadline date of the deployment. Also, it creates a status message query
>> for the collection it's deployed to that runs a PS script whenever the
>> collection properties are changed (i.e., rule added). That script waits until
>> the collection refresh is complete and then checks the number of clients.
>> If > a certain %, it changes the deadline date of the deployment. It could
>> also automatically remove any include collection rules to avoid the I added
>> to x collection which includes to y collection which adds the computer to
>> the imaging collection.
>>
>> Query 2: Whenever a collection is removed it checks if any status filter
>> rules are associated with the collection and, if there are, removes them.
>>
>> Query 3: Whenever a TS deployment is removed it removes status filter
>> rules associated with it.
>>
>> I'd prefer something like this was built into ConfigMgr, but status
>> filter rules could probably do it.
>>
>> On Thu, May 21, 2015 at 9:53 AM, Jason Sandys <[email protected]> wrote:
>>
>> Nothing as long as someone doesn’t accidentally add unwanted systems to
>> that collection or accidentally add a query that in turn adds unwanted
>> systems (or all systems). These are risks for you to weigh and there are
>> ways of mitigating them but there are at least three very well known cases
>> of a TS being deployed as required to all systems in an environment and
>> causing major havoc as well as being an RGE.
>>
>> J
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Steve Whitcher
>> *Sent:* Thursday, May 21, 2015 9:38 AM
>> *To:* [email protected]
>> *Subject:* Re: [mssms] Switch to UEFI during OSD
>>
>> I do mandatory OS deployment TS, to a collection specifically for
>> machines to be (re)imaged. Is there something wrong with that?
>>
>> On Tue, May 19, 2015 at 4:28 PM, Michael Niehaus <[email protected]> wrote:
>>
>> That would cause issues with a mandatory TS PXE boot, but hopefully no
>> one does mandatory OS deployment task sequence deployments anyway :)
>>
>> Thanks,
>> -Michael
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Niall Brady
>> *Sent:* Tuesday, May 19, 2015 1:58 PM
>> *To:* [email protected]
>> *Subject:* Re: [mssms] Switch to UEFI during OSD
>>
>> no, it's not a ts, it's a prestart (before a ts) which would detect if
>> legacy, and if so, change to uefi, reboot and then on with normal business.
>>
>> On Tue, May 19, 2015 at 10:53 PM, Roland Janus <[email protected]> wrote:
>>
>> Doesn’t that reboot also mean the TS, with the prestart, has to run
>> again?
>>
>> That would be an issue with a required TS and PXE boot.
>>
>> -Roland
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Roland Janus
>> *Sent:* Tuesday, 19 May 2015 22:26
>> *To:* [email protected]
>> *Subject:* RE: [mssms] Switch to UEFI during OSD
>>
>> What’s the magic part here, that it is in prestart?
>>
>> I can get HPs to switch to UEFI with a command line, but I think doing it
>> in a single TS is the hard or impossible part.
>>
>> Would prestart help here also?
>>
>> -Roland
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* [email protected]
>> *Sent:* Tuesday, 19 May 2015 16:50
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* RE: [mssms] Switch to UEFI during OSD
>>
>> *Dell - Internal Use - Confidential*
>>
>> Dell IT has worked out a Legacy -> UEFI solution using the Dell
>> PowerShell Provider. Bill Moore blogged about it here -
>> http://www.billamoore.com/2014/05/16/easy-legacy-efi-dells-powershell-provider/
>>
>> Thanks,
>>
>> Warren
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Michael Niehaus
>> *Sent:* Monday, May 18, 2015 11:58 PM
>> *To:* [email protected]
>> *Subject:* RE: [mssms] Switch to UEFI during OSD
>>
>> Overall, it’s a painful thing to do – most people who ask want to do this
>> as part of an OS refresh, preserving user data and settings at the same
>> time without moving data off of the system. We don’t recommend even trying
>> – just keep the system running legacy BIOS emulation until it’s replaced
>> (or until you “reclaim” the system for redeployment).
>>
>> If you just want to automate the switchover (and destroy the contents of
>> the drive later), it’s a little easier, but still vendor-specific (to
>> modify firmware settings).
>>
>> You would only want to consider this for Windows 8 logo-certified devices
>> (those running UEFI 2.3.1 or higher), since previous UEFI versions were way
>> too flaky.
>>
>> I would also start thinking about this as a point-forward change: Stop
>> deploying Windows 7 systems using legacy BIOS emulation if you are planning
>> to upgrade or refresh them to Windows 10 sometime within the machine’s
>> lifetime.
>>
>> Thanks,
>> -Michael
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Niall Brady
>> *Sent:* Monday, May 18, 2015 9:49 PM
>> *To:* [email protected]
>> *Subject:* Re: [mssms] Switch to UEFI during OSD
>>
>> i've thought about it and perhaps you could build some type of script to
>> run before the prestart even, which checks for UEFI and if not, sets the
>> bios to UEFI (lenovo and others have scripts for that), then reboots to the
>> correct mode before allowing you to select a UEFI mode task sequence
>>
>> you'd have to use something that kicks off before the task sequence
>> engine, like this
>> <http://www.windows-noob.com/forums/index.php?/topic/12277-updated-script-how-can-i-check-for-network-connectivity-storage-before-starting-a-task-sequence-in-system-center-2012-r2-configuration-manager/>
>>
>> i have not tested it but i believe it will work for some hardware at
>> least, the key is that it would be a script that is not task sequence
>> aware, that runs before your task sequence and involves user input of some
>> sort (to make the decision)
>>
>> On Tue, May 19, 2015 at 1:07 AM, Jason Sandys <[email protected]> wrote:
>>
>> Correct. There have been discussions on this by Tim Mintner, Keith Garner,
>> and Michael Niehaus and the conclusion is that this is not possible in an
>> unattended manner or with a single TS.
>>
>> J
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Roland Janus
>> *Sent:* Monday, May 18, 2015 5:02 PM
>> *To:* [email protected]
>> *Subject:* [mssms] Switch to UEFI during OSD
>>
>> Anyone tried that?
>>
>> Switching the BIOS to UEFI with a command line isn’t the problem, but
>> doing this as part of OSD might be.
>>
>> Refresh using hardlinks can’t work, but anyone tried switching to UEFI
>> during OSD for baremetal?
>>
>> (That of course would lead to a mix of legacy and UEFI installations)
>>
>> Assuming the computer is currently configured to use Legacy bios mode,
>> that seems like a chicken/egg problem.
>>
>> -Roland
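
The membership check described under "Query 1" in the quoted thread, sketched as a read-only PowerShell function against the SMS Provider WMI classes. This is an added example, not code from any poster in the thread; the function name, the 5% default, the use of All Systems (SMS00001) as the environment size, and the placeholder site code, host and collection ID are assumptions, and the FeatureType, DeploymentIntent and CurrentStatus values are used as documented for the SMS Provider schema.

```powershell
# Added example, not code from the thread. Read-only: reports, changes nothing.
# Assumption: SMS00001 (built-in All Systems) stands in for "the environment".
function Test-RequiredTsCollectionSize {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode,
        [Parameter(Mandatory)][string]$ProviderServer,
        # Pattern check keeps caller input out of the WQL filter syntax.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{8}$')][string]$CollectionId,
        [ValidateRange(1, 100)][double]$MaxPercent = 5   # arbitrary default, tune per site
    )
    $cim = @{
        ComputerName = $ProviderServer
        Namespace    = "root\SMS\site_$SiteCode"
        ErrorAction  = 'Stop'
    }
    $target = Get-CimInstance @cim -ClassName SMS_Collection -Filter "CollectionID='$CollectionId'"
    if (-not $target) { throw "Collection $CollectionId not found" }
    $all = Get-CimInstance @cim -ClassName SMS_Collection -Filter "CollectionID='SMS00001'"
    if (-not $all -or $all.MemberCount -lt 1) { throw 'All Systems is missing or empty' }

    # FeatureType 7 = task sequence, DeploymentIntent 1 = required.
    $required = @(Get-CimInstance @cim -ClassName SMS_DeploymentSummary `
        -Filter "CollectionID='$CollectionId' AND FeatureType=7 AND DeploymentIntent=1")

    $percent = [math]::Round(100 * $target.MemberCount / $all.MemberCount, 2)
    [pscustomobject]@{
        CollectionId    = $CollectionId
        Members         = $target.MemberCount
        PercentOfAll    = $percent
        # CurrentStatus 1 = ready; anything else means evaluation is still running
        # and the member count may not yet reflect a just-added rule.
        RefreshComplete = ($target.CurrentStatus -eq 1)
        RequiredTs      = @($required | ForEach-Object { $_.SoftwareName })
        OverThreshold   = ($required.Count -gt 0 -and $percent -gt $MaxPercent)
    }
}

# Placeholders: site code, provider host and collection ID are not from the thread.
# $r = Test-RequiredTsCollectionSize -SiteCode 'PS1' -ProviderServer 'cm01.example.test' -CollectionId 'PS100042'
# if ($r.RefreshComplete -and $r.OverThreshold) { Write-Warning "Imaging collection holds $($r.PercentOfAll)% of all systems" }
```

The function only reports; pushing the deadline out or alerting someone, as the thread discusses, is left to whatever calls it.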
