System Center Configuration Manager Best Practices: Default Limiting Collection

Author by Matt Herman

One of my favorite things about being a consultant is the opportunity to go into different organizations, learn what they do best and share what I have learned from previous organizations.  SCCM is an amazing tool, but it is easy to get lost when you have several ways to get the same thing done, so I am starting this blog series on the best practices I have seen implemented.

For the first entry in the series, let’s talk about creating and using a Default Limiting Collection. 

You have probably created hundreds of collections without a Default Limiting Collection, so why should you bother now?  Simple, it may keep you from getting fired.  In a lot of organizations, SCCM is thought of as “just a desktop management tool.”  However, there aren’t many systems that can reformat the hard drives on every desktop, laptop and server on your network in an hour, so it is worth the time to put a few safe guards in place. 

The idea behind a Default Limiting Collection is that you identify what the critical systems are in your organization, create a collection for them, and exclude from the Default Limiting Collection.  Then, you use the Default Limiting Collection for any future collections and deployments, so that you will not accidently deploy software to, reboot or reformat your critical systems.  If you do need deploy something to your critical systems, you will need to do something outside of your normal procedures, which should trigger some extra attention to detail to make sure you are only affecting the systems you intend to change.

Now let’s talk about what is a critical system.  This will be different for every organization, but think of these as the systems that need to be running 24/7 and that the organization cannot function without.  If you are in a hospital, this could be the PCs in the ER and operating rooms.  In a manufacturing setting, it could the systems on a production line.  In any organization it could be the executive team’s laptops because they could be up and working at 2:00AM, and if Windows Updates force a reboot, you are going to get a call at 2:05AM to hear about it.  Basically, make a list, make a collection and update it as needed.

A word of caution, don’t go overboard here.  Your 8:00AM to 5:00PM customer service center is critical to your organization, but they should still be in your Default Limiting Collection.  You should use Maintenance Windows to prevent SCCM from impacting these systems during their core hours, but that is a different best practice.

OK, enough talking, let’s see what this looks like in SCCM.

In the root of Device Collections, create a collection named CRITICAL SYSTEMS. (Yes, I do use all caps for this one.) Limit it on the All Systems Collection and use whatever type of membership rules work best for you.

image

image

For the Default Limiting Collection, create it in the root of the Device Collections.  This way it will be in the first screen when you click on Browse for the limiting collection when you create future collections.  Limit it on All Systems.

image

Use an Include Collection rule for All Systems and an Exclude Collection rule for CRITICAL SYSTEMS.  Also, check the box for “Use incremental updates…” to make sure the Default Limiting Collection stays in sync with any changes to All Systems or CRITICAL SYSTEMS.

image

Now all you have to do it use the Default Limiting Collection as the limiting collection for any new collections you create and your critical systems will be excluded.

There is one final note and gotcha with this approach.  Three to six months after you set this up, you will create a new collection, use the Default Limiting Collection and then spend 30 minutes trying to figure out why your membership rules aren’t working.  The answer will be that the system you are trying to add through a membership rule is in your CRITICAL SYSTEMS collection, so you will want to take a different approach for the collection.  If you work in an environment with multiple SCCM administrators, you may see this play out several times, so you should walk through an example with your other admins.

Thanks for reading my SCCM Best Practices series.  If you have any of your own best practices you would like to share, please leave a comment or send me an email at: mherman@concurrency.com

Author

Matt Herman

Technical Architect