SCCM 2012 – Device Collections

Working in IT in health care means we sometimes have to deal with some crazy (sometimes over the top) requirements for data protection. In this case I am required to encrypt all of our clinical laptops that might contain PHI. So how do I find and track all the machines that need to be encrypted, or that already are? Because we use System Center Configuration Manager 2012 in our environment for client management, we can use Device Collections to help sort out the issue.

The first step of this project was to get SCCM to tell which machines were encrypted and which were not. Normally this would not be very hard, because you could just build a Device Collection from a software inventory query like this:

select distinct SMS_R_System.Name from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Software Title as listed on Add/Remove Programs"

However, in our deployment we are using the McAfee Endpoint Encryption Agent, which is a plugin for the McAfee Agent for ePO. This means it is not listed in Add/Remove Programs in Windows. What I ended up doing was to tell SCCM to inventory, as part of the hardware inventory, some registry keys that show up after the module for the agent is installed. Then I could create queries based on those registry entries. For more information on how to accomplish this in SCCM 2012 I highly recommend reading Sherry Kissinger’s post over on myITForum.com; it shows you exactly how to do this. Thanks Sherry!

Now on to the point of this post: how to use Device Collections effectively. I needed a way for SCCM to show me all the machines of a specific model and then show me which ones were already encrypted and which ones still needed to be. Also, our AD is not in the most, shall we say, clean state when it comes to machines, so I needed a way to show the machines whose status I just don’t know. On top of this, specific models of machines require a BIOS update if they are on specific BIOS versions.

To keep this all clean in my SCCM console I added a new folder labeled “Encryption” and then a subfolder for each model type we have.
[Screenshot: sccm1]

So, to start, we create a collection based on a query that gives us a device collection containing only machines of a specific model:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like '%5410%'

In the above example I’m using 5410 for the Dell Latitude E5410. We have 4 different models of laptops in production and this is one of them. I did this for each of the 4 models, so now I have 4 new collections, each for a specific model.

Next, I need to figure out which ones are encrypted and which are not. For this I create 2 more collections for each model type in the correct folder, and I limit each of them to pull only from the base collection for that model.

[Screenshot: sccm2]

Here is the query for the encrypted machine collection:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_EEADMIN_100064 on SMS_G_System_EEADMIN_100064.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_EEADMIN_1000 on SMS_G_System_EEADMIN_1000.ResourceId = SMS_R_System.ResourceId where SMS_G_System_EEADMIN_100064.Version = "7.0.0.311" or SMS_G_System_EEADMIN_100064.Version = "1.2.1.315" or SMS_G_System_EEADMIN_1000.Version = "1.2.1.315"

Here is the query for the non-encrypted machine collection:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_EEADMIN_100064 on SMS_G_System_EEADMIN_100064.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_EEADMIN_1000 on SMS_G_System_EEADMIN_1000.ResourceId = SMS_R_System.ResourceId where SMS_G_System_EEADMIN_100064.Version is null or SMS_G_System_EEADMIN_1000.Version is null

In my case I was querying the registry key I had pulled into the hardware inventory, either to see if it was null (not encrypted, because the software is not installed) or to look for the specific versions of the module we use in production (for both 32-bit and 64-bit installs).

Now, what I found was that the numbers did not match up very well. Why? Well, some machines are off the network, not turned on, or asleep. So I wanted to create a third collection to show me the machines that were not accounted for in either the encrypted or the non-encrypted collection. Here is the query for that:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_BC100027) and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_BC100028)

Notice the BC100027 and BC100028. Those are my collection IDs for the 5010’s encrypted and non-encrypted collections. I’m just excluding their members, and I’ve limited this collection to pull from the base collection of 5010’s.

Now all the machines SCCM knows about for my specific model are accounted for across my collections.
[Screenshot: sccm3]

On the Dell Latitude E5420s we have in production, the encryption software requires a specific BIOS version or greater, so for the 5420s I created 2 more collections:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "%5420%" and SMS_G_System_PC_BIOS.SMBIOSBIOSVersion < "A09"

Here is what my 5420 collections look like in the SCCM console:
[Screenshot: sccm4]

One other note: for this project I set my collections to update their membership every day rather than the default of every 7 days. This lets me track my progress much more quickly (and you can update a collection manually at any time, of course).
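The whole procedure above (base collection per model, encrypted and non-encrypted children limited to it, an “unknown” collection that excludes both, the optional BIOS collection, and the daily refresh) can be scripted so it is repeated identically for every model. The following PowerShell is an added example and is not code from the original post; it uses the ConfigMgr console cmdlets (2012 R2 or later) and the post’s own WQL. The site code, model list, collection and folder names are placeholders, the EEADMIN_100064 and EEADMIN_1000 classes are the registry-based inventory classes the post set up (they do not exist in a default site), and the encrypted query generalizes the post’s by checking every production version against both the 32-bit and 64-bit class.

```powershell
# Added example, not from the original post: builds the per-model collection
# set described above with the ConfigMgr PowerShell cmdlets (2012 R2 or later).
# Placeholder values: site code, model list, module versions, folder and
# collection names. The EEADMIN_* inventory classes are the registry-based
# ones the post set up; they are not part of a default site.
$SiteCode    = 'AB1'                                  # placeholder site code
$Models      = @('E5410', 'E5420')                    # constructed model list
$EncVersions = @('7.0.0.311', '1.2.1.315')            # production EE module builds
$BiosFloor   = @{ 'E5420' = 'A09' }                   # models with a minimum BIOS
$ConsoleRoot = Split-Path $env:SMS_ADMIN_UI_PATH -Parent

Import-Module (Join-Path $ConsoleRoot 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Daily membership refresh instead of the default 7 days.
$Daily = New-CMSchedule -RecurInterval Days -RecurCount 1

# Columns every collection query in the post selects.
$Cols = 'SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
        'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client'

function New-QueryCollection {
    # Creates a query-based device collection limited to $Limiting and files it
    # under the console folder $Folder. Returns the collection object.
    param([string]$Name, [string]$Limiting, [string]$Query, [string]$Folder)
    $coll = New-CMDeviceCollection -Name $Name -LimitingCollectionName $Limiting `
                -RefreshType Periodic -RefreshSchedule $Daily
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName $Name `
                -QueryExpression $Query
    Move-CMObject -FolderPath $Folder -InputObject $coll
    return $coll
}

function Ensure-Folder([string]$Parent, [string]$Name) {
    # Console folder under DeviceCollection, created if missing.
    $path = Join-Path $Parent $Name
    if (-not (Test-Path $path)) { New-Item -Path $Parent -Name $Name | Out-Null }
    return $path
}

$root = Ensure-Folder "$($SiteCode):\DeviceCollection" 'Encryption'

foreach ($m in $Models) {
    $folder = Ensure-Folder $root $m
    $base = "Encryption - $m - All"
    $enc  = "Encryption - $m - Encrypted"
    $non  = "Encryption - $m - Not Encrypted"
    $unk  = "Encryption - $m - Unknown"

    # 1. Base: every device whose inventoried model matches.
    $q = "select $Cols from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on " +
         "SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId " +
         "where SMS_G_System_COMPUTER_SYSTEM.Model like '%$m%'"
    New-QueryCollection $base 'All Systems' $q $folder | Out-Null

    # 2. Encrypted: either EE inventory class reports a production build
    #    (every version checked against both the 32-bit and 64-bit class).
    $clauses = foreach ($v in $EncVersions) {
        "SMS_G_System_EEADMIN_100064.Version = '$v'"
        "SMS_G_System_EEADMIN_1000.Version = '$v'"
    }
    $join = "inner join SMS_G_System_EEADMIN_100064 on SMS_G_System_EEADMIN_100064.ResourceID = SMS_R_System.ResourceId " +
            "inner join SMS_G_System_EEADMIN_1000 on SMS_G_System_EEADMIN_1000.ResourceId = SMS_R_System.ResourceId "
    $encColl = New-QueryCollection $enc $base "select $Cols from SMS_R_System $join where $($clauses -join ' or ')" $folder

    # 3. Not encrypted: the inventoried module version is missing.
    $nonColl = New-QueryCollection $non $base ("select $Cols from SMS_R_System $join where " +
        "SMS_G_System_EEADMIN_100064.Version is null or SMS_G_System_EEADMIN_1000.Version is null") $folder

    # 4. Unknown: in the base collection but in neither of the two above.
    #    Collection IDs are read back from the objects, not typed by hand.
    $q = "select $Cols from SMS_R_System where " +
         "SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_$($encColl.CollectionID)) and " +
         "SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_$($nonColl.CollectionID))"
    New-QueryCollection $unk $base $q $folder | Out-Null

    # 5. Optional: devices of this model still below the required BIOS version.
    if ($BiosFloor.ContainsKey($m)) {
        $q = "select $Cols from SMS_R_System inner join SMS_G_System_PC_BIOS on " +
             "SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId " +
             "where SMS_G_System_PC_BIOS.SMBIOSBIOSVersion < '$($BiosFloor[$m])'"
        New-QueryCollection "Encryption - $m - BIOS below $($BiosFloor[$m])" $base $q $folder | Out-Null
    }
}
```

Two things worth knowing when adapting this: the BIOS check is a plain string comparison, which works for Dell’s “A00…A99” numbering but not for vendors whose version strings do not sort lexically; and the “Unknown” collection could equally be built with Add-CMDeviceCollectionExcludeMembershipRule against the encrypted and non-encrypted collections, which avoids embedding collection IDs in a query at all.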
