Restrict SCCM2012 Deployed tool from scanning virtual machines

 We have a Intel-SA-00086 tool that is configured to scan all our server estate via SCCM2012. However we do not want it to scan the server virtual machines we want it to scan the server physical machines. How to do l configure the tool via SCCM to scan only the physical machines and not the virtual one. Your assistance will be greatly appreciated.
Phil MapfumoInfrastructure EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Nagendra Pratap SinghDesktop Applications SpecialistCommented:
If I understood correctly then this Intel software has to be deployed against each machine to scan it, right? It does not go out automatically, correct?

If this is the case then you can make a collection of servers which are physical using a query.


To list all physical computers ,create another collection using operator not in from above collection like below:

    select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from  SMS_R_System where SMS_R_System.ResourceId not in (select SMS_R_SYSTEM.ResourceID from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "%Virtual%")

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Phil MapfumoInfrastructure EngineerAuthor Commented:
Its currently set to scan all the devices is there are way to to stop it scanning the virtual machines without creating a separate collection for the servers, as it seems like even if we set it to scan the physical servers it scans the virtual machines as well
Mike TLeading EngineerCommented:

The  first rule of SCCM (aka CM) is NEVER set things to run on "all machines" aka All Systems.
The correct, safe and job keeping method is to create separate Collections for every class of device.


All Windows 7
All Window 8
All Domain Controllers
All SQL Servers
All Windows Server 2012
All Windows 7 Virtual machines

Once you have done that, you use THOSE (above) as Limitiing Collections.
Now you can create sub-collections that do not have any way of accidentally targetting machines you do not want.

Marketing Windows Clients  > Set to 10 PCs with names begining Mark > Limiting Collection "All Windows 7"
will only ever send anything to Windows 7 PCs that are named Mark-something.

Then deploy software/patches/configs to the Marketing Windows Clients.

Setting up Collections is a design decision you need to decide probably even before you install CM in the first place.
NEVER deploy anything to the "All Systems" in-built collection. It is a resume (CV) triggering act.

Note if your physical servers are a mix of OSes, you can easily combine collections.

Windows File Servers = Include "All Windows 2008", "All Windows 2012"

Finally you just Exclude "All Virtual Servers". Use Nagendra's SQL filter above will be fine.

Job done.

The key thing is to make sure each master collection is populated correctly.

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Nagendra Pratap SinghDesktop Applications SpecialistCommented:
If you have targeted this to all machines then it will go to all the machines. Expect 1 or 2 % failures but it is doing what it is supposed to do.

Are you doing this via startup scripts? There are other ways to limit it running on virtual machines like using a script to detect if the device is a physical oe virtual one.

But you need to make separate collections if you want the machines to get separate software bundles (If you are using normal SCCM methods). Otherwise you have to make other arrangements like scripts to stop it running from virtual machines.
Phil MapfumoInfrastructure EngineerAuthor Commented:
Hi Nagendra
 Thanks for that l would appreciate the script method of detecting whether a machine is virtual or not and then running the tool, do you have a script l can use or suggestions on how l can do that. I am relatively new to SCCM so could do with some guidance
Mike TLeading EngineerCommented:
Hi Phil,

You really only need scripts as a last resort. You need to sort out collections first. They can easily handle the scenario you have described. You would only use a script as a belt and braces solution: i.e. you have a collection that contains VMs AND some script mechanism just in case.

Nagendra Pratap SinghDesktop Applications SpecialistCommented:
Adequate answer with a working example.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.