Phil Mapfumo
asked on
Restrict SCCM2012 Deployed tool from scanning virtual machines
Hi
We have an Intel-SA-00086 tool that is configured to scan all our server estate via SCCM2012. However, we do not want it to scan the server virtual machines; we want it to scan the server physical machines. How do I configure the tool via SCCM to scan only the physical machines and not the virtual ones? Your assistance will be greatly appreciated.
Hi,
The first rule of SCCM (aka CM) is NEVER set things to run on "all machines" aka All Systems.
The correct, safe and job keeping method is to create separate Collections for every class of device.
e.g.
All Windows 7
All Windows 8
All Domain Controllers
All SQL Servers
All Windows Server 2012
All Windows 7 Virtual machines
Once you have done that, you use THOSE (above) as Limiting Collections.
Now you can create sub-collections that do not have any way of accidentally targeting machines you do not want.
e.g.
Marketing Windows Clients > Set to 10 PCs with names beginning Mark > Limiting Collection "All Windows 7"
will only ever send anything to Windows 7 PCs that are named Mark-something.
Then deploy software/patches/configs to the Marketing Windows Clients.
Setting up Collections is a design decision you need to decide probably even before you install CM in the first place.
NEVER deploy anything to the "All Systems" in-built collection. It is a resume (CV) triggering act.
Note if your physical servers are a mix of OSes, you can easily combine collections.
e.g.
Windows File Servers = Include "All Windows 2008", "All Windows 2012"
Finally you just Exclude "All Virtual Servers". Using Nagendra's SQL filter above will be fine.
Job done.
The key thing is to make sure each master collection is populated correctly.
Mike
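The collection layout described in the post above, as an added example that is not part of the original thread: a master server collection, a virtual-server collection limited to it, and a physical-server collection built with an exclude rule. The collection names and rule names are assumptions, and the query on `SMS_R_System.IsVirtualMachine` is one common way to identify VMs, not the filter referred to in the thread.

```powershell
# Added example. Run in a ConfigMgr PowerShell session connected to the site
# (console > "Connect via Windows PowerShell"). All collection names below are
# assumptions for illustration, except the built-in "All Systems".

$allServers      = 'All Windows Servers'
$virtualServers  = 'All Virtual Servers'
$physicalServers = 'All Physical Servers'

# WQL: every discovered device running a Windows Server operating system.
$serverQuery = "select SMS_R_System.ResourceId from SMS_R_System " +
               "where SMS_R_System.OperatingSystemNameandVersion like '%Server%'"

# WQL: devices that discovery has flagged as virtual machines.
$vmQuery = "select SMS_R_System.ResourceId from SMS_R_System " +
           "where SMS_R_System.IsVirtualMachine = 'True'"

# Master collection. "All Systems" is used only as the limiting collection,
# never as a deployment target.
New-CMDeviceCollection -Name $allServers -LimitingCollectionName 'All Systems' | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $allServers `
    -RuleName 'Server OS' -QueryExpression $serverQuery

# Virtual servers, limited to the master collection so no client OS can leak in.
New-CMDeviceCollection -Name $virtualServers -LimitingCollectionName $allServers | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $virtualServers `
    -RuleName 'Is virtual machine' -QueryExpression $vmQuery

# Physical servers = all servers minus virtual servers.
New-CMDeviceCollection -Name $physicalServers -LimitingCollectionName $allServers | Out-Null
Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $physicalServers `
    -IncludeCollectionName $allServers
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $physicalServers `
    -ExcludeCollectionName $virtualServers

# After the collections have been evaluated, review the membership by eye
# before any deployment targets the physical collection.
Get-CMDevice -CollectionName $physicalServers |
    Select-Object -ExpandProperty Name |
    Sort-Object
```

The scanner deployment then targets only the physical-server collection. Check the member list against a known inventory first, since a VM that discovery has not flagged will stay in the physical collection.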
If you have targeted this to all machines then it will go to all the machines. Expect 1 or 2 % failures but it is doing what it is supposed to do.
Are you doing this via startup scripts? There are other ways to limit it running on virtual machines like using a script to detect if the device is a physical or virtual one.
But you need to make separate collections if you want the machines to get separate software bundles (If you are using normal SCCM methods). Otherwise you have to make other arrangements like scripts to stop it running from virtual machines.
ASKER
Hi Nagendra
Thanks for that. I would appreciate the script method of detecting whether a machine is virtual or not and then running the tool. Do you have a script I can use, or suggestions on how I can do that? I am relatively new to SCCM so could do with some guidance.
Hi Phil,
You really only need scripts as a last resort. You need to sort out collections first. They can easily handle the scenario you have described. You would only use a script as a belt and braces solution: i.e. you have a collection that contains VMs AND some script mechanism just in case.
Mike
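A script guard of the kind discussed in this thread, as an added example that was not written by any of the posters: a wrapper that checks the hardware identity reported by WMI and only launches the scanner on physical machines. The function name, the pattern list and the `-ToolPath` parameter are assumptions; the pattern list covers common hypervisors and is not exhaustive.

```powershell
# Added example: deploy this wrapper as the program instead of the scanner itself.
# -ToolPath is supplied by you; no path to the scanner is assumed here.
param(
    [Parameter(Mandatory = $true)]
    [string]$ToolPath
)

function Test-IsVirtualMachine {
    # Returns $true when the manufacturer/model strings look like a hypervisor guest.
    param([string]$Manufacturer, [string]$Model)

    $identity = "$Manufacturer|$Model"

    # Substrings reported by common hypervisors (Hyper-V reports the model
    # "Virtual Machine"). Extend this list for the platforms in your estate.
    $patterns = 'VMware', 'Virtual Machine', 'VirtualBox', 'KVM', 'QEMU', 'Xen', 'HVM domU'

    foreach ($pattern in $patterns) {
        if ($identity -match [regex]::Escape($pattern)) { return $true }
    }
    return $false
}

# Get-WmiObject is used instead of Get-CimInstance so the script also runs on
# older servers that only have PowerShell 2.0.
$cs = Get-WmiObject -Class Win32_ComputerSystem

if (Test-IsVirtualMachine -Manufacturer $cs.Manufacturer -Model $cs.Model) {
    # Exit 0 so the deployment reports success rather than a failure on every VM.
    Write-Output "Virtual machine detected ($($cs.Manufacturer) / $($cs.Model)); scan skipped."
    exit 0
}

if (-not (Test-Path -LiteralPath $ToolPath)) {
    Write-Output "Scanner not found at '$ToolPath'."
    exit 1
}

# Physical machine: run the scanner and hand its exit code back to SCCM.
& $ToolPath
exit $LASTEXITCODE
```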
Adequate answer with a working example.
ASKER