SCCM 2012 Multiple Deployments with PowerShell

One of the strongest tools an SCCM engineer can have to strengthen their system management experience is good organization practice. I refer to organization as a tool because it not only makes your life easier when evaluating the various deployments and the collections that manage them; in some cases, it can make setting them up a whole lot easier as well.

I recently had a client looking to migrate off of a third-party antivirus to System Center Endpoint Protection. They had roughly 25 unique scan exclusion policies that needed to be created and targeted to different sets of servers. There was no easy way to get through creating each unique policy (at least none that I’m aware of). But because of how I generally recommend organizing deployments, getting the collections created and the policies deployed could be completed with some simple PowerShell in a matter of minutes.

Getting Organized

My recommendation for organizing SCCM 2012 deployments is simple. Give your deployment object (in this case the SCEP policy) and your targeting collection the same name. In my opinion, this approach makes working with your deployments extremely easy, as there is no confusion about which piece belongs to which deployment. It works with most deployment types in SCCM 2012. The only slight variation is a package with more than one program, where I would name the targeting collection “<Package Name> – <Program Name>”.

Now let’s get to the fun part. For this demonstration we have 5 Antimalware policies. You can see them in the screenshot with no deployments.

[Screenshot: SCEP Policy]

Now a neat little trick I stumbled upon is that you can actually highlight, copy, and paste these policy names.  So let’s do that and put them in a csv file.  Delete the excess data off of the csv because you don’t need it and add a column header name at the top.  For this we will use “Policy”.  So my csv looks like this.

[Screenshot: SCEP csv]

Connect with PowerShell

Now that we have our csv, we can use PowerShell to quickly create the collections and deploy the policies to those collections. To get started, click the down arrow at the top of the SCCM console and select “Connect via Windows PowerShell”.

[Screenshot: Connecting with PowerShell to SCCM]

Create the Collections

This should open a PowerShell window connected to your site server with the SCCM 2012 cmdlets at your disposal.  First let’s import the csv into a variable.  You can name the variable anything you like.  I’m going to name it “policies”.

$policies = Import-Csv C:\Users\jkline\Desktop\SCEP-Policies.csv

Next we need to loop through the csv to create each collection. We need to identify the limiting collection for the collections we are creating. Since this is my lab, I’m going to use the “All Systems” collection. In most cases you probably don’t want to use this as your limiting collection in a production environment. For example, in this particular client’s scenario, I created a collection based on a query that populated all servers with endpoint protection installed. This was a good limiting collection since the policies we were deploying should only apply to server OS systems with Endpoint Protection installed. If some of these collections should use different limiting collections, add an additional column to your csv and place each limiting collection name next to the policy name. We loop through the csv and create the collections with this command.

foreach ($i in $policies) {New-CMDeviceCollection -Name $i.Policy -LimitingCollectionName "All Systems"}

Substitute the limiting collection name “All Systems” with $i.<header name> if you’re using multiple limiting collections. Now double check under Device Collections to make sure our collections are there. Feel free to move them into a folder at this time if you need to. Remember… being organized is important!

[Screenshot: SCEP Collections]

Start the Deployments

The last step is to deploy the policies to the collections we just created.  To do this we once again loop through the csv with this command.

foreach ($i in $policies) {Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $i.Policy -CollectionName $i.Policy}
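
The two loops above can be combined with pre-flight checks, which matters here because scan exclusion policies reduce what SCEP inspects on every device they reach. This is an added example, not the author's script: the LimitingCollection column, the fallback collection name and the sample policy names are assumptions, and it expects the console-launched PowerShell session described earlier.

```powershell
# Added example: validate each csv row before creating collections and deployments.
# Assumes the ConfigMgr cmdlets are loaded ("Connect via Windows PowerShell").
# The csv content, the LimitingCollection column and all names are constructed.
$policies = @'
Policy,LimitingCollection
SCEP - SQL Servers,Servers with Endpoint Protection
SCEP - Domain Controllers,Servers with Endpoint Protection
SCEP - File Servers,
SCEP - SQL Servers,Servers with Endpoint Protection
'@ | ConvertFrom-Csv

$defaultLimit = 'Servers with Endpoint Protection'   # hypothetical collection name
$seen = @{}

foreach ($row in $policies) {
    $name  = "$($row.Policy)".Trim()
    $limit = "$($row.LimitingCollection)".Trim()
    if (-not $limit) { $limit = $defaultLimit }

    # Skip blank and duplicate rows left over from the copy/paste into the csv.
    if (-not $name) { Write-Warning 'Skipping row with empty Policy value'; continue }
    if ($seen.ContainsKey($name)) { Write-Warning "Skipping duplicate row: $name"; continue }
    $seen[$name] = $true

    # The policy must already exist; catch a typo before anything is created.
    if (-not (Get-CMAntimalwarePolicy -Name $name)) {
        Write-Warning "No antimalware policy named '$name'; nothing created"; continue
    }
    # The limiting collection must exist, and a site-wide one deserves a second look.
    if (-not (Get-CMDeviceCollection -Name $limit)) {
        Write-Warning "Limiting collection '$limit' not found; skipping $name"; continue
    }
    if ($limit -eq 'All Systems') {
        Write-Warning "$name is limited to All Systems; its exclusions could reach any device"
    }

    # A same-named collection may predate this run; flag it instead of trusting it.
    if (Get-CMDeviceCollection -Name $name) {
        Write-Warning "Collection '$name' already exists; review its membership and limit"
    } else {
        New-CMDeviceCollection -Name $name -LimitingCollectionName $limit | Out-Null
    }
    Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $name -CollectionName $name
    Write-Output "Deployed '$name' to collection '$name' (limit: $limit)"
}
```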

Now we can check the policies are deployed by heading back to the policies in the console and noting their deployment changed from 0 to 1 as well as viewing the collection name they are deployed to in the Deployments tab.

[Screenshot: SCEP Policies Deployed]

It’s really that simple. For this particular client I probably saved myself an hour of work doing it this way as opposed to creating collections and deployments one by one in the console. As I stated before, this can be done with pretty much any deployment type. Using csv files and foreach loops is a great, simple way of getting through bulk deployment work like this. Just refer to the TechNet page below for additional deployment cmdlets.

http://technet.microsoft.com/en-us/library/jj821831(v=sc.20).aspx

Questions?

Thanks for reading!  Ask in the comments!
