You can also add a password to the task sequence itself, as I show here <http://www.windows-noob.com/forums/index.php?/topic/2336-password-protect-a-task-sequence/>, if you feel all other options have been compromised.

On Mon, Jul 21, 2014 at 4:15 PM, Miller, Todd <[email protected]> wrote:

> That helps a lot. Thanks. I was hoping to avoid targeting an “all
> workstations” equivalent collection, but maybe with all the other
> safeguards in place it is not too risky. Switching to this new method
> *would* let me avoid the problem of direct membership adds for new
> objects taking a long time in SCCM 2012.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Niall Brady
> *Sent:* Monday, July 21, 2014 2:57 AM
> *To:* [email protected]
> *Subject:* Re: [MDT-OSD] SMSPreferredAdvertID experiences?
>
> hi Todd,
>
> the way we use it is to create an OSD collection which is limited to
> *All Systems*,
>
> that OSD collection contains queries to include only workstations
> running Windows 7 or XP,
>
> *select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
> from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like
> "Microsoft Windows NT Workstation%" or
> SMS_R_System.OperatingSystemNameandVersion like "%Windows 7%"*
>
> and it also includes direct membership queries for All Unknown computers
> (All X86 Unknown Computers - and All X64 Unknown Computers...)
>
> we target (deploy) OSD task sequences to that collection and they are
> either visible or hidden (6 task sequences in total)
>
> the deployment of the task sequences is always set to a *Purpose* of
> *Available* (we never use mandatory/Required), in addition, the task
> sequences are set to only run on Windows Vista X64 (which we don't have
> in the company) and are deployed to *Only Media and PXE* (for the
> visible task sequences) and *Only Media and PXE (Hidden)* for the hidden
> task sequences (we don't start any task sequences in Windows).
>
> This is working well so far (27k clients) and the collection update
> refresh is every 7 days with Incremental updates also selected.
>
> Lastly, the PXE enabled distribution points and USB media are all
> *password protected*.
>
> I hope that helps,
>
> cheers
> niall
>
> On Mon, Jul 21, 2014 at 1:13 AM, Miller, Todd <[email protected]> wrote:
>
> I did read through your posts initially on a google search for answers
> to my question before I posted, and they were pretty helpful.
>
> But I am still a little lost on what I guess is a key question. The Task
> Sequences must still be advertised to the computer object that is going
> to run the task sequence, and the only way for that to really work in
> all cases is to deploy all potential task sequences to a collection that
> contains all systems. Isn't that very risky? Or does everyone think
> limiting it to PXE/Media makes that OK?
>
> My current method is that I have 6 task sequences that are deployed to 6
> empty collections. I have a pre-execution hook that runs an HTA to ask
> the user to select a task sequence. Then I use a web service to Direct
> Membership add that computer object to the collection targeted by the
> selected Task Sequence. When the OSD is started, I remove the object
> from the collection. It is only in there to get the OSD Task Sequence
> kicked off.
>
> With this new method, I would have those same 6 task sequences but
> instead of advertising them to 6 unique collections, I would advertise
> them all to one single collection, but set it to PXE/Media (hidden). And
> that collection would contain the equivalent of "All Systems" + Unknown
> Systems. Instead of adding the computer object to a collection, I set
> the SMSTSPreferredAdvertID to the DeploymentID of the chosen Task
> Sequence. I am pretty nervous about deploying a task sequence to a
> collection that is all systems equivalent, even though I can set it to
> run only for Windows XP SP1 64bit, PXE/Media Only, and hidden. Should I
> not be nervous about that?
>
> The only problem with my current method is that the direct membership
> adds to collections take a long time. I have a workaround where I script
> a refresh of the All Systems collection, wait, and then refresh the
> targeted collection that I added the machine to. That all takes ~ 60
> seconds and places an unknown burden on the site server - is it ok to
> refresh the All Systems collection every time someone kicks off an OSD?
> (40-60 times per day?)
>
> Trying to figure out which way is better going forward.
>
> ------------------------------
>
> *From:* [email protected] [[email protected]] on behalf of Niall Brady [[email protected]]
> *Sent:* Saturday, July 19, 2014 3:04 AM
> *To:* [email protected]
> *Subject:* Re: [MDT-OSD] SMSPreferredAdvertID experiences?
>
> how did you DEPLOY the task sequence Todd, that's key, hint look for
> 'hidden' in the deployment
>
> (see screenshot)
>
> below are two guides I've written which will help you with this variable
> and using it to its full advantage
>
> http://www.windows-noob.com/forums/index.php?/topic/6456-how-can-i-deploy-a-hidden-task-sequence-in-configuration-manager-2012-sp1/
>
> http://www.windows-noob.com/forums/index.php?/topic/10374-how-can-i-make-multiple-hidden-task-sequences-available-on-demand-in-configuration-manager-2012-r2/
>
> On Sat, Jul 19, 2014 at 3:52 AM, Miller, Todd <[email protected]> wrote:
>
> Anyone have experience with this ts variable? I am having trouble
> getting it to work and have a couple of questions.
>
> Does the computer need to be in a collection that is targeted for
> several task sequences and then this variable is used to choose one of
> them without asking the user for which of the assigned TSes to run? Or
> can the variable be used to run a task sequence that is not targeted to
> the computer in question?
>
> I am using a pre-execution hook to assign this variable, but I get the
> no task sequences available error. I thought I read in the documentation
> that this variable is to be used to run task sequences independently of
> assignments, but clearly I am doing something wrong.
>
> If I have to add the computer to a collection or multiple collections
> (which is newly problematic in ConfigMgr 2012 - takes forever for direct
> adds to show up in the target collection) what is the point of the
> variable?
>
> Doing bare metal fresh installs. I've been using web services to add the
> computer to sccm and to the target collection for the chosen task
> sequence. This is pretty slow and takes about 60-90 seconds for the
> computer to show up in the collection and find an assigned task
> sequence. I was hoping to speed the process by just defining what ts
> deployment to run, but it looks like I still need to make sure the
> computer is in the target collection, so I can't figure out what is
> gained by this new variable.
>
> ________________________________
> Notice: This UI Health Care e-mail (including attachments) is covered by
> the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is
> confidential and may be legally privileged. If you are not the intended
> recipient, you are hereby notified that any retention, dissemination,
> distribution, or copying of this communication is strictly prohibited.
> Please reply to the sender that you have received the message in error,
> then delete it. Thank you.
> ________________________________
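
Added example, not part of the thread and not code from either poster: one way to write the prestart step discussed above, where the pre-execution hook sets SMSTSPreferredAdvertID to the DeploymentID of the chosen task sequence, here restricted to an allow-list so that only known hidden deployments can be selected. The task sequence names, the deployment IDs (placeholders), the ID format check and the presence of PowerShell in the boot image are assumptions.

```powershell
# Added example: prestart command for WinPE boot media / PXE boot images.
# Assumes the PowerShell optional component is in the boot image.
param(
    # Key passed in by the front end (HTA, menu, web service lookup, ...)
    [Parameter(Mandatory = $true)][string]$Choice
)

# Allow-list of hidden deployments (Purpose: Available, "Only media and PXE (hidden)").
# Names and DeploymentIDs are constructed placeholders; replace with your own.
$AllowedDeployments = @{
    'Win7-x64-Standard' = 'XXX20001'
    'Win7-x64-Kiosk'    = 'XXX20002'
    'WinXP-Legacy'      = 'XXX20003'
}

function Resolve-DeploymentId {
    param([string]$Name, [hashtable]$Map)

    # Refuse anything that is not an explicitly listed choice.
    if (-not $Map.ContainsKey($Name)) {
        throw "Unknown task sequence choice '$Name'; refusing to set SMSTSPreferredAdvertID."
    }
    $id = $Map[$Name]

    # Sanity check on the shape of the ID (assumption: 3-character site code
    # followed by 5 hex digits); catches typos in the table above.
    if ($id -cnotmatch '^[A-Z0-9]{3}[0-9A-F]{5}$') {
        throw "Deployment ID '$id' for '$Name' does not look like a deployment ID."
    }
    return $id
}

$deploymentId = Resolve-DeploymentId -Name $Choice -Map $AllowedDeployments

# Microsoft.SMS.TSEnvironment is the COM object that exposes task sequence
# variables to prestart commands and task sequence steps.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('SMSTSPreferredAdvertID') = $deploymentId

Write-Output "SMSTSPreferredAdvertID set to $deploymentId for choice '$Choice'."
```

The variable only selects among deployments already targeted at the machine, so the safeguards listed in the thread (Available purpose, media and PXE only, hidden, password-protected PXE and media) still determine what can run.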
