Posted: 3/8/2015 5:14:07 AM EDT
|
So we had someone take a short SCCM class. The next day they tried to reimage a few machines and accidentally sent it to a bunch of them. So, is there any fix to this besides not letting dumb people work on the network? I mean, I guess we could split the machines into a bazillion groups so the total damage done is less but I'm afraid that would be an administrative nightmare. I'm not an SCCM guy myself, although I did do some SMS admin stuff about 15 years ago. But this Role Based Administration is fairly new and I don't know if there is some aspect of it that may have a solution for our type of problem. If not, is there some training course that is good for the Operating System Deployment Manager role? I have to figure out a way to make sure this doesn't happen again.
Lol, sorry but that.... SCCM 2007 had less protection against those mistakes. 2012 is better in that a deployed task sequence can be set up, for example, to only run when boot media is being used. That way, if you deploy accidentally to a collection of live systems, they would have to be in WinPE before it would execute. I've worked (until very recently) for MS for roughly 10 years supporting SCCM. I helped write the SCCM OSD workshop, so there is definitely training on the product. I would suggest you contact your Microsoft TAM about the workshop.
I had a customer that wiped 40,000 systems once .... it's probably the most dangerous IT tool left in the wrong hands....wow, never thought such an obscure topic would pop up on ArfCom
|
How many machines are you looking at? My campus has each department in their own group. We easily manage 5k computers with minor issues. We never push images through SCCM as we've found it to not work across the board. Usually, SCEP and whatever the enterprise version of Windows Defender is for Windows 7 doesn't work properly. So, we manually image machines if issues occur. We rarely have to do this, and, when we do, we have loaner PCs ready to go. Typical turnaround time is a day and data is transferred to the loaner before and then back to the reimaged PC.
|
Quoted:
Lol, sorry but that.... SCCM 2007 had less protection against those mistakes. 2012 is better in that a deployed task sequence can be set up, for example, to only run when boot media is being used. That way, if you deploy accidentally to a collection of live systems, they would have to be in WinPE before it would execute. I've worked (until very recently) for MS for roughly 10 years supporting SCCM. I helped write the SCCM OSD workshop, so there is definitely training on the product. I would suggest you contact your Microsoft TAM about the workshop.
I had a customer that wiped 40,000 systems once .... it's probably the most dangerous IT tool left in the wrong hands....wow, never thought such an obscure topic would pop up on ArfCom
That is exactly the kind of information I need! How hard is it to set up such a task sequence and should an SCCM admin typically know how to do this? And yeah, I know what you mean by obscure topics! But the arfcom hive has so many experts that the knowledge here is unbelievable! I mean, it blows my mind that the first response to my question is from a guy that worked at MS supporting SCCM.
|
Quoted:
How many machines are you looking at? My campus has each department in their own group. We easily manage 5k computers with minor issues. We never push images through SCCM as we've found it to not work across the board. Usually, SCEP and whatever the enterprise version of Windows Defender is for Windows 7 doesn't work properly. So, we manually image machines if issues occur. We rarely have to do this, and, when we do, we have loaner PCs ready to go. Typical turnaround time is a day and data is transferred to the loaner before and then back to the reimaged PC.
I won't give out numbers because of where I work. The command was meant to go to 8 but went to thousands. Fortunately, it was stopped before it caused nearly as much damage as it could have. Nevertheless, it had some impact and was a wakeup call that we need to find a way to ensure it doesn't happen again. I've also been asked to suggest training that would be relevant. I tried googling but what I find doesn't focus on the reimaging portion of the product. I suppose they figure the average person ought to be competent enough to handle that.
|
Quoted:
That is exactly the kind of information I need! How hard is it to set up such a task sequence and should an SCCM admin typically know how to do this? And yeah, I know what you mean by obscure topics! But the arfcom hive has so many experts that the knowledge here is unbelievable! I mean, it blows my mind that the first response to my question is from a guy that worked at MS supporting SCCM.
https://technet.microsoft.com/en-us/library/hh273490.aspx#BKMK_DeployTS
See the how to deploy task sequence section.
It's not hard at all, actually it's part of the steps when you deploy a task sequence. Another good practice is to never deploy a task sequence as required...rather, available only. That way if you deploy to the wrong collection, the user would actually have to initiate the task sequence.
Of course, there are reasons why a required deployment is sometimes needed to automate mass re-imaging without any user involvement. I've written scripts for customers that run as the first step in a task sequence which queries another DB that is populated with computers that are explicitly allowed to be reimaged. This helps avoid an oops as someone would need to not only deploy the task sequence to the target systems, but also add them to a specific db table. Of course, that's a customized solution and there are a hundred ways to prevent what happened to your environment. However, nothing can replace a knowledgeable and careful SCCM admin. Whether your admin should have known that? That's hard to say. SCCM is a massive product and no admin knows all the features at a 300 or 400 level (hell, even a 100 level). However, someone that is responsible for the OSD feature should have been trained and played extensively in a test environment before releasing into the wild
Eta.. The OSD workshop I mentioned above is highly recommended... OSD stands for Operating System Deployment and the workshop is geared towards SCCM and not MDT. It'll probably cost $3000 for 3 days, but that's cheap when compared to the accident you mentioned.
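As an added example (not the poster's script and not Microsoft code), one way to build the allowlist gate described in the post above is a PowerShell script run as the first task sequence step. The server, database and table names are hypothetical, and it assumes the step runs in the full OS, where the computer account can authenticate to SQL Server.

```powershell
# Added example: allowlist gate run as the first task sequence step.
# Hypothetical names: SQL01.example.local, OSDGuard database, dbo.ReimageAllowList table.
$ErrorActionPreference = 'Stop'

function Test-ReimageAllowed {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ConnectionString
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Parameterized query: the machine name is never concatenated into SQL.
        $cmd.CommandText = 'SELECT COUNT(*) FROM dbo.ReimageAllowList WHERE ComputerName = @name'
        [void]$cmd.Parameters.AddWithValue('@name', $ComputerName)
        return ([int]$cmd.ExecuteScalar() -gt 0)
    }
    finally {
        $conn.Dispose()
    }
}

try {
    # COM object that exists only while a task sequence is running.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $name  = $tsenv.Value('_SMSTSMachineName')
    if ([string]::IsNullOrWhiteSpace($name)) { throw 'Machine name is empty.' }

    $cs = 'Server=SQL01.example.local;Database=OSDGuard;Integrated Security=SSPI;Connect Timeout=15'
    if (Test-ReimageAllowed -ComputerName $name -ConnectionString $cs) {
        Write-Output "$name is on the reimage allowlist; continuing."
        exit 0
    }
    Write-Output "$name is NOT on the reimage allowlist; aborting task sequence."
    exit 1
}
catch {
    # Fail closed: any lookup error stops the sequence before the disk is touched.
    Write-Output "Allowlist check failed: $($_.Exception.Message)"
    exit 2
}
```

The step must not have "Continue on error" enabled, otherwise a non-zero exit code will not stop the sequence.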
|
Quoted:
https://technet.microsoft.com/en-us/library/hh273490.aspx#BKMK_DeployTS
See the how to deploy task sequence section.
It's not hard at all, actually it's part of the steps when you deploy a task sequence. Another good practice is to never deploy a task sequence as required...rather, available only. That way if you deploy to the wrong collection, the user would actually have to initiate the task sequence.
Of course, there are reasons why a required deployment is sometimes needed to automate mass re-imaging without any user involvement. I've written scripts for customers that run as the first step in a task sequence which queries another DB that is populated with computers that are explicitly allowed to be reimaged. This helps avoid an oops as someone would need to not only deploy the task sequence to the target systems, but also add them to a specific db table. Of course, that's a customized solution and there are a hundred ways to prevent what happened to your environment. However, nothing can replace a knowledgeable and careful SCCM admin. Whether your admin should have known that? That's hard to say. SCCM is a massive product and no admin knows all the features at a 300 or 400 level (hell, even a 100 level). However, someone that is responsible for the OSD feature should have been trained and played extensively in a test environment before releasing into the wild
Eta.. The OSD workshop I mentioned above is highly recommended... OSD stands for Operating System Deployment and the workshop is geared towards SCCM and not MDT. It'll probably cost $3000 for 3 days, but that's cheap when compared to the accident you mentioned.
The people doing the reimaging are desktop support people with limited skills and knowledge. If the leadership at work is too cheap to spring for $3000 then I guess we'll get what we deserve. Thank you for the great info!