Amending an SCCM 2012 Automatic Deployment Rule to Create a new Deployment Package


If you use an SCCM 2012 Automatic Deployment Rule (ADR) to deploy software updates, over time the package can become quite large.  This procedure details the steps taken to link a new package to an existing ADR.  A good time to do this is early January (before Patch Tuesday) as this will result in packages/folders for each calendar year.

  • Create a new folder for the package source files, typically under a shared folder containing all your software update source files (it needs to be referenced by a UNC path later in this procedure).
  • In the SCCM Admin Console, open the Properties dialogue for the relevant ADR.
  • On the General tab select Create a new Software Update Group.
  • On the Deployment Package tab select Create a new Deployment Package.
  • Give the package a meaningful name.
  • Browse to the package source folder created earlier to set the Package Source.
  • Run the rule so it creates the new software update group and new package.
  • View the RuleEngine log file on the SCCM server to monitor the actions instigated by running the ADR.

After the Rule Has Finished Running

  • Access the Deployment Packages node, right-click the new package that has just been created by the ADR and select Distribute Content.
  • Access the Software Update Group node.
  • Rename the group the ADR has just created so it reflects the fact it is the software update group created by the ADR, e.g. Server-2012-ADR-SUG.
  • Return to the properties page of the ADR just changed.
  • On the General tab select Add to an Existing Software Update Group.  This ensures that next time the rule is run it uses the group just created and does not keep creating a new group every month.

Note:  When editing an ADR the link to the deployment package is not maintained, hence the need to distribute the package.  This step will be automated next time the rule is run.

Note:  Be careful if you run an ADR manually as the deadline will be set based on the Specific time setting on the Deployment Schedule tab of the ADR.  The automatic rule probably sets this to the early hours of the morning, e.g. the rule runs at 05:00 and the deadline is 05:00 seven days later.  If the ADR is run manually the deadline will be exactly seven days from when the rule is run and this may be during the working day which you probably don’t want.

Active Directory Group Policy Restricted Groups

I use a Group Policy setting to ensure certain users or groups are always administrators on every machine I add to my test domain.  This is a reminder to myself of how I do this.

Open the GP Editor and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

  • Right-click and select Add Group.
  • Browse to the appropriate group, select it and click OK twice.

The membership dialogue appears.

  • In the This Group is a Member of:  section click Add.
  • Select Administrators.

The group will now be a member of the Administrators group on all computers the policy is applied to.
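
Added example (not part of the original post): Restricted Groups settings are stored in the GPO's GptTmpl.inf under [Group Membership], so a review can list which entries put principals into the local Administrators group. "Memberof" entries (the setting used above) are additive, while "Members" entries replace the target group's membership. The helper name and the sample SIDs are made up for illustration.

```powershell
# Constructed sample of GptTmpl.inf content; the domain SIDs are made up.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
'@

# Built-in Administrators: well-known SID, or the name if the file stores names.
$adminNames = @('S-1-5-32-544', 'Administrators')

# Hypothetical helper: returns one object per Restricted Groups line.
function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside [Group Membership]
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') { continue }

        $group   = $Matches[1].Trim().TrimStart('*')
        $setting = $Matches[2]
        $values  = @($Matches[3] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })

        # Memberof: $group is added to each listed group.
        # Members:  the membership of $group is replaced by the listed principals.
        if ($setting -eq 'Memberof') { $grants = [bool]($values | Where-Object { $_ -in $adminNames }) }
        else { $grants = ($group -in $adminNames) -and ($values.Count -gt 0) }

        [pscustomobject]@{
            Group = $group; Setting = $setting; Values = $values
            Effect = if ($setting -eq 'Memberof') { 'Additive' } else { 'Replaces members' }
            GrantsLocalAdmin = $grants
        }
    }
}

# List only the entries that confer local administrator rights.
Get-RestrictedGroupEntry -InfText $sampleInf | Where-Object GrantsLocalAdmin | Format-List
```

Against a real GPO, pass the output of Get-Content -Raw for Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under the policy's folder in SYSVOL.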

Remove Protection Against Accidental Organizational Unit Deletion

I recently tried to remove an OU from my Test AD and came up against this message:  You do not have sufficient privileges to delete xxxx or this object is protected from accidental deletion.

To get round this I followed this procedure.

  • Ensured Advanced Features was selected in AD Users and Computers.
  • Selected the OU, then Properties and then Security.
  • Clicked the Advanced button.
  • Removed the Deny option from the Everyone group.

I was then able to delete the OU.

SCCM 2012 – How to Create a Custom Compliance Report with Hardcoded Parameters

In order to allow users to run the SCCM 2012 Compliance 1 – Overall compliance report without the need to enter the two required parameters the following procedure was completed.

Obtain the Required Parameters

  • Obtain the Collection ID of the SCCM collection to run the compliance report against.  In my case I used SMSDM003 which is the generic ID for the All Desktop and Server Clients SCCM collection.
  • Obtain the Software Update Group ID to run the compliance report against.  This can be obtained by exposing the CI Unique ID column in the SCCM console, using ctrl+c to copy the data and then ctrl+v into Notepad.

Create Folders

  • Access the SSRS home page.
  • Create a new folder called Custom Reports.
  • Create a subfolder called Compliance Reports.

Link the Report

Note:  You need to link the report rather than copy the report, otherwise the secondary reports will not run.

  • Navigate to the Software Updates – A Compliance report folder.
  • Click the Compliance 1 – Overall compliance report and select Manage from the dropdown.
  • From the menu bar click Create Linked Report.
  • Give the report a name, e.g. Overall Compliance Report.
  • Click the Change Location button.
  • Navigate to the Compliance Reports folder just created and click OK at the bottom of the page.
  • Click OK again to save the new report.

Adding the Parameters

  • Navigate to the Compliance Reports folder and the newly saved report should be visible.
  • Select the Overall Compliance Report and Manage from the dropdown.
  • Click the Parameters button on the left.
  • Clear the two checkboxes in the Prompt User column.
  • Tick the two checkboxes in the Has Default column (adjacent to AuthListID and CollID labels).
  • Enter the Collection ID in the CollID text box and the Software Update Group ID in the AuthListID text box.
  • Click the Apply button.

Running the Report

  • Back at the folder list run the Overall Compliance Report.  It should now run without the need to enter any parameters.
  • When the report opens in Internet Explorer copy the URL of the report.

The URL can now be distributed to users who will be able to run the report without the need to enter the parameters (subject to appropriate permissions).