Perhaps Microsoft need to introduce some form of change management control 
within Configuration Manager with respect to the Task Sequence Deployment types 
(or even all deployments really since an application or package can also cause 
problems when deployed to say all systems when you didn’t intend it to) – 
similar to what they have done with Advanced Group Policy Management available 
to those with SA.

I’m sure there have been more of this that has happened – it’s just not been 
made public knowledge.


From: [email protected] [mailto:[email protected]] On 
Behalf Of Mote, Todd
Sent: Tuesday, 20 May 2014 7:40 AM
To: [email protected]
Subject: RE: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

True, there’s always a bigger fish, but at least with RBA while you might be 
able to do it to yourself, you wouldn’t be able to do it to the SCCM server and 
EVERY machine in your enterprise, domain controllers and exchange servers 
included.  No, those users wouldn’t be relieved that only their machines were 
ruined, but management might like to know that not EVERY machine was ruined, or 
could be ruined.  If you can’t completely mitigate a risk, which in this case 
you can’t, contain it as best you can.

Even the bigger fish shouldn’t be using the same account they used to install 
SCCM with.  Sherry said it a couple of years ago, even the Full Administrators 
should scope themselves out of seeing All Systems.  I think she put it 
somewhere along the lines of “…never open the console as god…” or something 
similar.

If they were still using 2007…  well, not much you can do there besides child 
primaries for security boundaries.


From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Miller, Todd
Sent: Monday, May 19, 2014 1:23 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

RBA can only mitigate the scope of affected machines.  So what if the damage 
were limited only to the machines you have rights to? Do you think your users 
would be relieved to find out only their machines were ruined?   Remember, 
there is always someone else higher up in the hierarchy that can do more damage 
than you can.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, May 19, 2014 12:49 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

RBA can help further here too.  If folks can’t see the all systems collection, 
they can’t deploy to it either…

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Matt Wilkinson
Sent: Monday, May 19, 2014 7:34 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

In 2012/SP1/R2 you do have to go through several screens to deploy a required 
OSD TS. Picking the All systems Computer collection is probably what happened. 
I only have access to test collections. I only deploy available applications 
for testing.

From: Bruce Hethcote [mailto:[email protected]]
Sent: 19 May 2014 12:29
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

+1  It’s easy enough to put a condition at the beginning that would prevent a 
desktop OS TS from executing on a server OS.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Jason Wallace
Sent: Saturday, May 17, 2014 10:39 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

Or I guess that people could use the features which exist in the product such 
as security scopes and security roles.

They could also do things like run a check via WMI or TSVs that a system is 
valid to have the TS run on it.

On 17 May 2014, at 15:35, "Miller, Todd" 
<[email protected]<mailto:[email protected]>> wrote:
This happens enough that you have to start wondering if the software could be 
improved in some way to help prevent it.

Maybe there should be alerts or limits or a wizard that summarizes any change 
that affects a deployment or target collection.

Like when you click OK, maybe there would be a "This change will result in NNNN 
systems receiving Package/Application "YYYYYYYY" with a mandatory time of 
12:20AM" or something like that.

The trouble is, you would need to do that every time you modify a collection 
too and that takes some computational time. - maybe that is computed in the 
background and you get this warning when you enable the deployment? Wouldn't it 
be nice if there was an option to create all deployments as disabled and then 
you had to enable them, and when enabling them you could see or were told how 
many systems are affected.

You could also automatically disable advertisements when the underlying 
collection query was modified.  So the advertisement would need to be reenabled 
after reviewing how that change affected the deployment.

You know how your DVR shows what programs are going to be recorded over the 
next couple of days/weeks?  Wouldn't it be great if SCCM showed a list like 
that of pending packages,  deadlines, the target collection, the number of 
affected machines, and the time?

With these kinds of events, there definitely is an established need to make the 
SCCM product harder to make unintentional blunders and easier to see what it is 
doing/going to do and when.

Often with these kinds of things there is a long chain of events that leads to 
an unanticipated result.  The worst part is that those machines that were 
ruined overnight, SCCM probably "knew" it was going to happen all day long and 
could have warned the Admin if there was just an interface that computed what 
advertisements were pending, how many machines are affected etc....  I 
certainly would get more use from something like that than being able to manage 
iOS/MacOS/Linux/AntiVirus definitions/Android Apps/etc.  Maybe SCCM v.Next can 
focus on doing core competencies better rather than extending the product into 
areas few care about.

I dunno, I just don't think all or even half the blame falls on the guy that 
clicked "OK."   I certainly feel a great deal of empathy for him.  While this 
has never happened to me, it has sometimes been a recurring theme in bad 
dreams/nightmares.



From: [email protected]<mailto:[email protected]> 
[[email protected]<mailto:[email protected]>] on 
behalf of JONES, RICK J [[email protected]<mailto:[email protected]>]
Sent: Friday, May 16, 2014 5:33 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

EVERY person in IT has an OCM (Oh Crap Moment) that they remember or that changed 
them.  If a new tech hasn't had their OCM yet, I tend to lock down access and 
not trust because the OCM has a higher chance of happening in my environment.

And yes, I had my OCM, it changed how I add logging and build a back out to my 
scripts.

Rick J. Jones
Wireless from AT&T
Domestic Desktop Application Management
D: (425) 288-6240
C: (206) 419-1104
________________________________
From: Murray, Mike<mailto:[email protected]>
Sent: ‎5/‎16/‎2014 4:22 PM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] RE: Emory IT accidentally deploys Windows 7 to everything

Wow.... ouch. So there's an opening at Emory?

-----Original Message-----
From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of William Jackson
Sent: Friday, May 16, 2014 12:32 PM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] Emory IT accidentally deploys Windows 7 to everything

I'm thankful that I do not work over there.

"A Windows 7 deployment image was accidentally sent to all Windows machines, 
including laptops, desktops, and even servers. This image started with a 
repartition / reformat set of tasks. As soon as the accident was discovered, 
the SCCM server was powered off – however, by that time, the SCCM server itself 
had been repartitioned and reformatted."

http://it.emory.edu/windows7-incident/

William
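
The guard suggested in the thread (a condition at the start of the task sequence, checked via WMI or a task sequence variable), sketched as an added example that is not part of any message above. It is meant to run as the first "Run PowerShell Script" step of a desktop OSD task sequence; the function name `Test-OsdTarget` and the variable name `OSDReimageApproved` are hypothetical, and the variable is assumed to be set only on collections that are approved for reimaging.

```powershell
# Added example: first step of a desktop OSD task sequence.
# A non-zero exit code fails the step, so the sequence stops before any
# partition/format step runs.
$ErrorActionPreference = 'Stop'

function Test-OsdTarget {
    param(
        [Parameter(Mandatory)] [int] $ProductType,  # Win32_OperatingSystem.ProductType
        [string] $OptIn = ''                        # value of the opt-in variable
    )
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    if ($ProductType -ne 1) {
        return "BLOCK: not a workstation OS (ProductType=$ProductType)"
    }
    # Require an explicit opt-in so that a deployment aimed at the wrong
    # collection does nothing on machines nobody approved.
    if ($OptIn -ne 'True') {
        return 'BLOCK: opt-in variable is not set for this machine'
    }
    return 'ALLOW'
}

try {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    # COM object that exposes task sequence variables while a sequence runs
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $optIn = $tsEnv.Value('OSDReimageApproved')     # hypothetical variable name
    $verdict = Test-OsdTarget -ProductType $os.ProductType -OptIn $optIn
}
catch {
    # Fail closed: if the check itself cannot run, do not reimage.
    $verdict = "BLOCK: check could not be completed ($($_.Exception.Message))"
}

Write-Output $verdict
if ($verdict -ne 'ALLOW') { exit 1 }
exit 0
```

The same workstation test can be written as a WMI query condition on the step or group itself: `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1`.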

