Hi Matt,

Really love the concept, but in my case I wanted to add a twist, which is to remove the deployment if the comment field for the collection (all the other comment fields are not easy to access from PowerShell after the objects are created) doesn't contain "Approved: $application". It also means that each collection needs to have what applications are being deployed to it approved. I've added the updated script below.

Cheers
Steve

<#
SCCM Deployment Warning Script
Written by: Matt Atkinson ([email protected])
Purpose: Send an email alert whenever a deployment targeting more than a certain number of computers/users is created
Notes: Make sure that you set your warning threshold number, and the list of email recipients to receive the warning, your email server, port, location for the SCCM powershell module, and your SCCM site code.
Change log:
v1.0: Initial Script
v1.1: Swapped some if else statements for switch statements, added curly braces for assignment unique ID.
#>
param(
    [string]$AssignmentUniqueID
)

#AssignmentUniqueID is passed to the script without curly braces, so we need to add them
$AssignmentUniqueID = "`{$AssignmentUniqueID`}"

##Import the powershell module for configuration manager
Import-Module "D:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1"

## Declare variables
#Number of computers to be the warning threshold. If the deployment goes to more than this number of computers, warning will be sent
$WarningThreshold = 0
#Comma separated list of email addresses to send warning to
$EmailAddresses = "[email protected], [email protected]"
#Email server
$EmailServer = "smtp.server.com"
#Email server port (adjust as needed)
$EmailPort = "25"
#SCCM Site Code
$CMSiteCode = "001"

#Switch to the CMSite PSDrive (the drive name is the site code followed by a colon)
Set-Location "$($CMSiteCode):"

#Get the application name
$Application = (Get-CMDeployment -DeploymentId $AssignmentUniqueID).SoftwareName

#Get the desired config type (install or uninstall)
$DesiredConfigType = (Get-CMDeployment -DeploymentId "$AssignmentUniqueID").DesiredConfigType
#Switch for the desired config (Install or Uninstall)
Switch ($DesiredConfigType) {
    1 {$DesiredConfigType = "Installed"}
    2 {$DesiredConfigType = "Uninstalled"}
}

#Switch for the deployment intent (Available or Required)
$DeploymentIntent = (Get-CMDeployment -DeploymentId "$AssignmentUniqueID").DeploymentIntent
Switch ($DeploymentIntent) {
    1 {$DeploymentIntent = "Required"}
    2 {$DeploymentIntent = "Available"}
}

#Get the collection that is targeted
$TargetCollection = (Get-CMDeployment -DeploymentId $AssignmentUniqueID).CollectionName

#Get the member count and comment of the collection after testing whether it is a user or device collection
If ((Get-CMDeviceCollection -Name "$TargetCollection") -ne $null) {
    $MemberCount = (Get-CMDeviceCollection -Name "$TargetCollection").MemberCount
    $ClientType = "Devices"
    $Comment = (Get-CMDeviceCollection -Name "$TargetCollection").Comment
}
Else {
    $MemberCount = (Get-CMUserCollection -Name "$TargetCollection").MemberCount
    $ClientType = "Users"
    $Comment = (Get-CMUserCollection -Name "$TargetCollection").Comment
}

#Substring test on the comment: -contains only tests collection membership, so use -match with an escaped pattern
If ($Comment -match [regex]::Escape("Approved: $Application")) {
    $approved = $true
    If ($MemberCount -ge $WarningThreshold) {
        Send-MailMessage -SmtpServer $EmailServer -Port $EmailPort -From "SCCM Warning System" -To "$EmailAddresses" -Subject "SCCM Deployment Notice $Application Being $DesiredConfigType on $MemberCount $ClientType" -Body "Application Name: $Application `n Is Being: $DesiredConfigType`n On: $MemberCount $ClientType"
    }
}
Else {
    #Not approved for this collection: remove the deployment and notify
    Remove-CMDeployment -ApplicationName "$Application" -CollectionName "$TargetCollection" -Force
    Send-MailMessage -SmtpServer $EmailServer -Port $EmailPort -From "SCCM Warning System" -To "$EmailAddresses" -Subject "Unapproved SCCM Deployment Notice $Application Being $DesiredConfigType on $MemberCount $ClientType" -Body "Application Name: $Application `n Was Being deployed to : $TargetCollection`n As this does not meet the requirements for a deployment it has been removed."
}

From: [email protected]
To: [email protected]
Subject: RE: [mssms] RE: I finished up my deployment warning system, maybe others will find it useful too
Date: Fri, 1 Aug 2014 07:50:38 -0500

Nice work, Matt! Very creative.
:)

Cheers,
Trevor Sullivan
Microsoft PowerShell MVP

From: [email protected] [mailto:[email protected]] On Behalf Of Stewart, Michael
Sent: Thursday, July 31, 2014 12:57 PM
To: [email protected]
Subject: [mssms] RE: I finished up my deployment warning system, maybe others will find it useful too

Absolutely Brilliant! Thanks!

From: [email protected] [mailto:[email protected]] On Behalf Of Atkinson, Matt
Sent: Thursday, July 31, 2014 10:38 AM
To: [email protected]
Subject: [mssms] I finished up my deployment warning system, maybe others will find it useful too

I started a thread regarding a deployment warning system a couple of days ago, just following up to share the results and code with the rest of the group. I used 2 scripts to accomplish everything, 1 to set up the WMI event subscriber and 1 to actually do the check and notification. One thing that I was hung up on was the local system account of the site server needed to have the code signing certificates imported for the SCCM PS modules, found that detailed here: http://blogs.technet.com/b/microsoft_denmark_premier_field_engineering_config_manager_blog/archive/2013/01/30/running-configuration-manager-2012-powershell-scripts-as-a-service-account-or-local-system.aspx

You'll also need PowerEvents from https://powerevents.codeplex.com/.

Here is the quick version of the event subscription creation script, adjust your script location in the command and number of seconds to your liking:

#You are required to have imported the power event module: https://powerevents.codeplex.com/
#Make sure to update the location of your script file that will be run by the event consumer.
#Change the site code in the eventnamespace parameter to match your actual site code.
$myfilter = New-WMIEventFilter -Name NewDeploymentCheck -EventNamespace root\sms\site_001 -query "select * from __InstanceCreationEvent within 60 where TargetInstance ISA 'SMS_DeploymentSummary'"
$myconsumer = New-WmiEventConsumer -Name SCCMDeploymentMonitor -ConsumerType CommandLine -CommandLineTemplate "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -command D:\Scripts\DeploymentMonitoringScript.ps1 %TargetInstance.DeploymentID%"
New-WmiFilterToConsumerBinding -Filter $myfilter -Consumer $myconsumer

Here is the script that actually gets started and passed the DeploymentID as a parameter. Net result is that we are getting an email notification when anyone creates a deployment targeting more than 500 users/devices. I'll probably expand on this in the future to include warnings when more than x number of clients are added to collections with pre-existing required deployments, but this is a good start:

<#
SCCM Deployment Warning Script
Written by: Matt Atkinson ([email protected])
Purpose: Send an email alert whenever a deployment targeting more than a certain number of computers/users is created
Notes: Make sure that you set your warning threshold number, and the list of email recipients to receive the warning, your email server, port, location for the SCCM powershell module, and your SCCM site code.
Change log:
v1.0: Initial Script
v1.1: Swapped some if else statements for switch statements, added curly braces for assignment unique ID.
#>
param(
    [string]$AssignmentUniqueID
)

#AssignmentUniqueID is passed to the script without curly braces, so we need to add them
$AssignmentUniqueID = "`{$AssignmentUniqueID`}"

##Import the powershell module for configuration manager
Import-Module "D:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1"

## Declare variables
#Number of computers to be the warning threshold. If the deployment goes to more than this number of computers, warning will be sent
$WarningThreshold = 0
#Comma separated list of email addresses to send warning to
$EmailAddresses = "[email protected], [email protected]"
#Email server
$EmailServer = "smtp.server.com"
#Email server port (adjust as needed)
$EmailPort = "25"
#SCCM Site Code
$CMSiteCode = "001"

#Switch to the CMSite PSDrive (the drive name is the site code followed by a colon)
Set-Location "$($CMSiteCode):"

#Get the application name
$Application = (Get-CMDeployment -DeploymentId $AssignmentUniqueID).SoftwareName

#Get the desired config type (install or uninstall)
$DesiredConfigType = (Get-CMDeployment -DeploymentId "$AssignmentUniqueID").DesiredConfigType
#Switch for the desired config (Install or Uninstall)
Switch ($DesiredConfigType) {
    1 {$DesiredConfigType = "Installed"}
    2 {$DesiredConfigType = "Uninstalled"}
}

#Switch for the deployment intent (Available or Required)
$DeploymentIntent = (Get-CMDeployment -DeploymentId "$AssignmentUniqueID").DeploymentIntent
Switch ($DeploymentIntent) {
    1 {$DeploymentIntent = "Required"}
    2 {$DeploymentIntent = "Available"}
}

#Get the collection that is targeted
$TargetCollection = (Get-CMDeployment -DeploymentId $AssignmentUniqueID).CollectionName

#Get the member count of the collection after testing whether it is a user or device collection
If ((Get-CMDeviceCollection -Name "$TargetCollection") -ne $null) {
    $MemberCount = (Get-CMDeviceCollection -Name "$TargetCollection").MemberCount
    $ClientType = "Devices"
}
Else {
    $MemberCount = (Get-CMUserCollection -Name "$TargetCollection").MemberCount
    $ClientType = "Users"
}

#Send the warning when the targeted collection is at or above the threshold
If ($MemberCount -ge $WarningThreshold) {
    Send-MailMessage -SmtpServer $EmailServer -Port $EmailPort -From "SCCM Warning System" -To "$EmailAddresses" -Subject "SCCM Deployment Notice $Application Being $DesiredConfigType on $MemberCount $ClientType" -Body "Application Name: $Application `n Is Being: $DesiredConfigType`n On: $MemberCount $ClientType"
}

-Matt
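Added example, not part of the original thread or of either poster's script: the approval gate in Steve's version depends on how the collection comment is compared with "Approved: $application". The sketch below runs PowerShell's -contains operator, a substring match and an exact per-entry match over a constructed comment; the function name Test-DeploymentApproved and the comment layout (one entry per line or per semicolon) are assumptions.

```powershell
# Added example: Test-DeploymentApproved and the comment layout are assumptions,
# not part of the scripts posted in the thread.
function Test-DeploymentApproved {
    param(
        [string]$Comment,
        [Parameter(Mandatory)][string]$Application
    )
    # An empty comment approves nothing
    if ([string]::IsNullOrWhiteSpace($Comment)) { return $false }

    # Assumed layout: one "Approved: <application name>" entry per line or per ';'
    foreach ($entry in ($Comment -split '[\r\n;]+')) {
        # Compare the whole entry name, so a shorter name cannot ride on a longer one
        if ($entry -match '^\s*Approved:\s*(?<name>.+?)\s*$' -and
            $Matches['name'] -eq $Application) {
            return $true
        }
    }
    return $false
}

# Constructed sample comment, not taken from a real site
$comment = "Pilot ring, owner: desktop team`r`nApproved: 7-Zip 9.20; Approved: Adobe Reader XI"

# Two names that are listed, and two shortened names that are not
$cases = foreach ($app in '7-Zip 9.20', 'Adobe Reader XI', 'Adobe Reader', '7-Zip') {
    [pscustomobject]@{
        Application    = $app
        # -contains tests collection membership, not substrings
        ContainsOp     = $comment -contains "Approved: $app"
        # Case-insensitive substring test
        SubstringMatch = $comment -match [regex]::Escape("Approved: $app")
        # Exact match against each parsed entry
        ExactEntry     = Test-DeploymentApproved -Comment $comment -Application $app
    }
}
$cases | Format-Table -AutoSize
```

On this sample, -contains is False for every application because the comment as a whole never equals a single entry, while the substring match also accepts the shortened names 'Adobe Reader' and '7-Zip'. Only the per-entry comparison accepts exactly the two applications listed in the comment.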

