It has been a very long time since I posted on Configmgr, as I am spending more time on Office 365 projects, but I got something on SCCM this week that I would like to share. I have many other posts in my to-do list, especially on custom reporting, and will release them when I find time.
Recently, I was looking into automation of Azure servers through SCCM. For newly built Azure servers, we use SCCM to install apps, configurations, software updates and others using a task sequence as part of operation readiness.
When a new server is built in Azure (using Terraform and other tools), SCCM (on-prem) picks up the server, adds it to the OR (operation readiness) collection and lets the task sequence run. Whether it succeeds or fails, an email is sent to the respective team for further checks, and the device is removed from the collection (only on success).
As part of this, we noticed that when a new Azure server joins the domain and appears in the SCCM default collection (All Systems), it usually takes quite a long time before it runs the task sequence. So I had to dig into this and see if we can speed up adding the server to the collection that has the TS deployed.
To make things faster (adding the device to the collection and running the TS on the device once it is added), there are mainly 2 things that I need to look at.
1. Check ‘Use incremental updates for this collection’: Select this option to periodically scan for and update only new or changed resources from the previous collection evaluation, independently of a full collection evaluation. Incremental updates occur at 5 minute intervals by default.
2. Create device collection settings with a client policy polling interval. The default is 60 min, which is long; change it to 15 min and deploy this to the OR collection. When the TS run succeeds, the device is deleted from the OR collection, so the collection should not contain any devices by default unless the TS fails, in which case the respective team will troubleshoot it further.
But on this occasion, I have decided to look further at the ‘use incremental updates for this collection’ option.
Microsoft's recommendation is: do not use incremental updates for a large number of collections. This configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections in your hierarchy. For more info refer here
Based on the above recommendation, how do you keep the number of collections with ‘use incremental updates for this collection’ enabled to no more than 200? If you exceed 200, it still works, but it adds delay to collection evaluation and hurts server performance, so you should enable this ONLY for ‘HIGH PRIORITY’ collections.
Since SCCM is used by many people in the organisation and they have the option to create collections, they might, knowingly or unknowingly, enable ‘use incremental updates for this collection’ for every collection, which is not actually required unless you need to deploy something to them urgently.
To limit the number of collections with the ‘incremental updates’ option, I have gathered the list of all HIGH PRIORITY collections that must be updated frequently; the rest of the collections created by users/admins should not have incremental updates and should follow the Full Update schedule.
I use PowerShell code to check whether there are any collections that have Incremental Update (Only) or Incremental and Full Update Scheduled ticked, and make changes as per the recommendation.
If you have any collections that are enabled with use incremental updates for this collection then you don't need Full Scheduled Update.
Below is the PowerShell that queries SCCM and gets the list of all collections that are enabled with Incremental Update (Only) or Incremental and Full Update Scheduled, excluding the HIGH PRIORITY collections that we collected earlier.
If a collection is not high priority, ‘use incremental updates’ will be disabled on it unless you add the collection to the HIGH PRIORITY list.
How to use this script?
Create a folder and put the script into it. Create a txt file called ExclusionIDs.txt and add all your HIGH PRIORITY collection IDs into it.
Change the values for the collection membership types that you want to change. For example, I want to change the schedule from Incremental and Full Update Scheduled to Full Scheduled Update ONLY.
Download the script from here
<#
Title: Update collection membership schedule
Following are the collection membership values for refreshtype
1:No Scheduled Update
2:Full Scheduled Update
4:Incremental Update (Only)
6:Incremental and Full Update Scheduled
Author: Eswar Koneti
Blog:www.eskonr.com
Date:31-12-2018
#>
$scriptPath = $script:MyInvocation.MyCommand.Path #Get the full path of this script
$CD = Split-Path $scriptpath #Folder that the script is located in
$RefreshTypefrom='6' #This is to identify the collections with Incremental and Full Update Scheduled
$RefreshTypeto='2' #This is to convert Incremental and Full Update Scheduled collections to Full Scheduled Update
$date = (get-date -f dd-MM-yyyy-hhmmss)
$exclusions="$CD\ExclusionIDs.txt" #High Priority collections (need your input with list of all collection IDs, including device/user based)
$collectionsfound="$CD\collections with inc and full-"+$date+".csv" #Collections that are found with Incremental and Full Update Scheduled membership, for your reference later
$ErrorActionPreference= 'silentlycontinue'
#Load SCCM module and map the powershell drive
#-ErrorAction Stop is required here: with 'silentlycontinue' set above, a failed load would otherwise never reach the Catch block
Try
{
    import-module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -ErrorAction Stop
    $SiteCode=Get-PSDrive -PSProvider CMSITE
    cd ((Get-PSDrive -PSProvider CMSite).Name + ':') -ErrorAction Stop
}
Catch
{
    Write-Host "[ERROR]`t SCCM Module couldn't be loaded. Script will stop!"
    Exit 1
}
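#Load the HIGH PRIORITY collection IDs that must keep their current membership schedule into an array.
#Stop if the list is missing or empty; otherwise no collection would be excluded from the change below.
$exc = @(Get-Content $exclusions | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($exc.Count -eq 0)
{
    Write-Host "[ERROR]`t $exclusions is missing or empty. Script will stop!"
    Exit 1
}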
#Get all collections that have both incremental and full update schedule, skipping the collection IDs that we imported above into the exc variable
Get-CMCollection | where-object {$_.RefreshType -eq $RefreshTypefrom -and $_.collectionID -notin $exc} | select collectionID,Name | Export-CSV -NoTypeInformation $collectionsfound -append
#Import the IDs of the collections whose membership schedule we want to change
$CollectionIDs=Import-Csv $collectionsfound | select -ExpandProperty collectionID
Foreach ($CollID in $CollectionIDs) {
    #Get the collection details that we want to change the membership (removal of incremental collection)
    $Collection = Get-CMCollection -CollectionId $CollID
    $Collection.RefreshType = $RefreshTypeto
    $Collection.Put()
}
Script folder looks like this before execution:
After execution:
A new CSV file will be added with the list of all collections that are enabled with ‘Incremental and Full Update Scheduled’, and the script acts on these collections.
You can run this script using Task Scheduler on a daily or weekly basis.
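Because the script changes every matching collection in one pass, a read-only pre-check is useful before scheduling it. The following is an added example, not part of the original script: it reports how many collections use incremental updates against the roughly 200-collection guidance, which ones would be changed, and which exclusion entries match no collection. It goes beyond the script by treating both refresh types 4 and 6 as incremental; the function name `Get-IncrementalUpdateAudit` and the sample collection IDs and names are constructed for illustration.

```powershell
# Added example: read-only report, makes no changes to SCCM.
function Get-IncrementalUpdateAudit
{
    param(
        [object[]] $Collections = @(),     # objects exposing CollectionID, Name, RefreshType
        [string[]] $HighPriorityIds = @(), # lines of ExclusionIDs.txt
        [int] $Threshold = 200             # approximate limit quoted from Microsoft above
    )
    $exc = @($HighPriorityIds | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # RefreshType 4 (Incremental only) and 6 (Incremental and Full) both use incremental updates
    $incremental = @($Collections | Where-Object { [int]$_.RefreshType -in 4, 6 })
    $candidates = @($incremental | Where-Object { $_.CollectionID -notin $exc } | ForEach-Object {
        [pscustomobject]@{
            CollectionID = $_.CollectionID
            Name         = $_.Name
            CurrentType  = [int]$_.RefreshType
            ProposedType = 2   # Full Scheduled Update
        }
    })
    # Exclusion entries that match no collection usually mean a typo or a deleted collection
    $known = @($Collections | ForEach-Object { $_.CollectionID })
    [pscustomobject]@{
        IncrementalEnabled = $incremental.Count
        OverThreshold      = $incremental.Count -gt $Threshold
        HighPriorityKept   = $incremental.Count - $candidates.Count
        Candidates         = $candidates
        UnknownExclusions  = @($exc | Where-Object { $_ -notin $known })
    }
}

# Constructed sample data standing in for Get-CMCollection output
$sample = @(
    [pscustomobject]@{ CollectionID = 'XYZ00011'; Name = 'OR - New Azure Servers'; RefreshType = 4 }
    [pscustomobject]@{ CollectionID = 'XYZ00012'; Name = 'Finance Laptops';        RefreshType = 6 }
    [pscustomobject]@{ CollectionID = 'XYZ00013'; Name = 'Test Lab';               RefreshType = 4 }
    [pscustomobject]@{ CollectionID = 'XYZ00014'; Name = 'All Printer Users';      RefreshType = 2 }
)
$report = Get-IncrementalUpdateAudit -Collections $sample -HighPriorityIds 'XYZ00011', 'XYZ00099 '
$report | Format-List IncrementalEnabled, OverThreshold, HighPriorityKept, UnknownExclusions
$report.Candidates | Format-Table -AutoSize

# Against a live site (after the module is loaded as in the script above):
# Get-IncrementalUpdateAudit -Collections (Get-CMCollection) -HighPriorityIds (Get-Content .\ExclusionIDs.txt)
```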
Following is the SQL code to identify the collection membership types and validate the results.
select
    case Flags
        when 1 then 'No Scheduled Update'
        when 2 then 'Full Scheduled Update'
        when 4 then 'Incremental Update (Only)'
        when 6 then 'Incremental and Full Update Scheduled'
        when 4100 then 'default collection'
        else 'total'
    End as ScheduleType,
    count(*) as Total
from v_Collections_G
where siteid not like 'SMS%'
group by flags,flags with rollup
Output:
If you want the list of all collections with a given membership type, use the following SQL code. Replace the refreshtype values as per your needs.
select coll.SiteID,coll.CollectionName
from v_FullCollectionMembership fcm
inner join v_Collections_G coll on coll.SiteID=fcm.CollectionID
where coll.Flags in ('4','6')
group by coll.SiteID,coll.CollectionName
You can also use CEViewer.exe (Collection Evaluation Viewer), which is now part of the CMCB 1810 server tools, to see the total run time for full evaluation and for incremental evaluation. It is always recommended to run this tool to check what is going on with collection execution time.
Following are the results of incremental evaluation, which is 57 sec for 67 collections, and you can see the run time for each collection. The same can be viewed for full evaluation.
In the next post, I will talk about how to get collections with direct membership rules ONLY (no query based) that have a membership schedule enabled, and how to remove the schedule option using PowerShell.
For collections with only direct rules added, you don't need to update them on a schedule.
References:
https://byteben.com/bb/identifying-and-updating-sccm-collection-evaluations/