On a configuration manager 2007 deployment, I ran into a situation where we had split the network into two-halves. One half was controlled by our IT organization, the other half was controlled by another IT organization. We were deploying ConfigMgr 2007 into the environment, and had defined our AD sites and services so that we only had servers/workstations without our sites within the boundaries defined by ConfigMgr. A key concept to the product is that agents will not deploy if they are not within the boundaries, unless you specifically state that this agent is allowed to exist outside of the boundaries. All was working well until we had an agreement reached between the two IT organizations to install the ConfigMgr agent on a few test systems in the other environment. To make this viable, I created a collection with the half-dozen systems which I was going to deploy to. My original plan was to choose each of the members of the collection, and push the client to the systems and tell ConfigMgr to deploy the agent regardless of boundaries. Unfortunately, the first push didn’t work, so on a second push I went to a query which I had created for another purpose and selected the half-dozen systems and then did the same client push.
So… What happened? I ended up disabling the client push accounts once close to 100 systems had been deployed outside of the Configuration Manager boundaries. I de-activated client push, and opened a call with Microsoft. We dug into the situation, assessed all of the boundaries, and found no reasons why the agent would actually deploy outside of the boundaries. What we found was this:
If you highlight one system in the collection and Install Client – the agent push occurs to only that one system. If, however, you select more than one system – it installs to the entire collection or query. This is not a big deal with less than 10 systems, but how about if you do that in the All Systems collection, or a query which has hundreds of potential clients? Welcome to a most excellent game of Roshambo.
So what’s the lesson learned?
Lesson Learned: If you multiple-select systems within a collection or a query and run a client push, the push will attempt to ALL MEMBERS of the collection or query regardless of which particular systems you select within the collection or query..