On the Create User Collection Wizard, type in the name of the collection. These tasks might relate to one or more groups of management tasks, such as deploying applications and packages, deploying operating systems and settings for compliance, configuring sites and security, auditing, remotely controlling computers, and collecting inventory data. Starting in Configuration Manager version 2010, the troubleshooting portal in Microsoft Endpoint Manager admin center allows you to search for a user and view their associated devices. Create your own custom security roles to support your specific business requirements. For example, for administrative users to deploy applications or to run remote control, they must be assigned to a security role that grants access to a collection that contains these resources. The other challenge is that, if a user has recently rebooted their machine, and then another patch is applied that does require a reboot, we don't want to ask the user to reboot multiple times. The Primary Devices list shows devices that are already set up as primary devices for this user, and the method by which each user-device relationship was assigned. Primary User and Device relationships in ConfigMgr are something that's not very easy to make out in the ConfigMgr console for the administrator, at least not for a collection of Devices or Users. Now assuming that you have enabled the SMS_SystemConsoleUsage and SMS_SystemConsoleUser, top console user details will be available in SCCM / CM12 / CM07 for use by the application model, collections and … Role-based administration configurations replicate to each site in the hierarchy as global data, and then are applied to all administrative connections. You can also use Microsoft Intune to find the primary user of an enrolled device. If this behavior occurs, existing logon events might not be available to Configuration Manager. I have copied a report and adjusted the SQL to add the Top Console user field to the report.
In the User and Device Affinity group, enable the setting to Allow user to define their primary devices. In this file, each user-and-device pair must be on its own row, with values separated by a comma. Think about a call center or a security desk, where multiple users share the same hardware. User device affinity in Configuration Manager associates a user with one or more devices. The application catalog's Silverlight user experience isn't supported as of current branch version 1806. With Configuration Manager, you use role-based administration to secure the access that is needed to administer Configuration Manager. Where's the option in the GUI query builder for that? Used together, they define the administrative scope of a user, which is what that user can view and manage in your Configuration Manager deployment. Additionally, users can defin… Security requirements and business processes. The administrative scope controls the objects that an administrative user views in the Configuration Manager console, and it controls the permissions that a user has on those objects. This matches each user to their most-used device. Applies to: Configuration Manager (current branch). I am trying to report on which PCs are in a particular subnet and who is the primary user. For example, separate collections for production and test computers. On the Home tab in the ribbon, in the Create group, choose Import User Device Affinity. I couldn't find a built-in report that did what I wanted so I made my own query. With the combination of security roles, security scopes, and collections, you segregate the administrative assignments that meet your organization's requirements. Geographic alignment. If a match is found, that user is assigned to the record. Organization alignment.
Since we are switching to target users instead of machines with SCCM, here is my SQL query for finding devices with no primary user and devices with more than 1 primary user:

-- Check for duplicates
select MachineResourceName, count(*) from v_UserMachineRelationship group by MachineResourceName having count(*) > 1 order by count(*)

Instead of deploying the application to each of the user's devices, you deploy the application to the user. If you modify the default client settings, the site deploys them to all computers in the hierarchy. ... Use the credentials to log onto the SCCM Server and connect via Windows PowerShell from the System Center Configuration Manager console at least once to set the path variable for that credential. The result is a mismatch -- in my case 36 users matching with 64 primary devices. Specify a comma-separated values (CSV) file that has a list of users and devices between which you want to create an affinity. On the Home tab in the ribbon, in the Properties group, choose Properties. By default, if a user logs into a device for 48 hours in a month, that device is considered the primary device of that user. Role-based administration configurations are applied at each site in a hierarchy. Creating Device Collections Based on Primary Users (and vice versa) Justin Holloman on SCCM | 07 Oct 2018 Go beyond the limitations of the SCCM query builder wizard and … As a security best practice, assign the security roles that provide the least permissions. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the Devices node. Security Administrator grants permissions to add and remove administrative users and associate administrative users with security roles, collections, and security scopes.
Before you configure role-based administration, check whether you have to create new collections for any of the following reasons: For information about how to configure collections for role-based administration, see Configure collections to manage security in the Configure role-based administration for Configuration Manager article. Then SCCM Connector runs and sets that primary user onto any Windows Computer objects, optionally followed by the Cireson Hardware Asset Sync workflow setting the primary user from Windows Computer objects into Hardware Assets. Distribution points and distribution point groups, Windows CE device setting items and packages. Create User Collection in SCCM. On the Device tab in the ribbon, choose Edit Primary Devices. For example, separate collections for North America and Europe. Review the security roles and their permissions to determine whether you'll use the built-in security roles, or whether you have to create your own custom security roles. Now we will create a dynamic collection that contains all IT Users. Choose Add. Software distributions can now be targeted at users rather than just at devices. The site ignores the header row during the import. Then when the user logs on, the app is already installed and ready to run. For more information, see Find the primary user of an Intune device in the Intune documentation. Right click CM12 Console Logon Audit and click Enforced. In the Configuration Manager console, go to the Assets and Compliance workspace. In Software Center, go to the Options tab. In the Work information section, select the option I regularly use this computer to do my work. To modify the default client settings, select Default Client Settings. In the Configuration Manager console, go to the Administration workspace, and select the Client Settings node. You also secure access to the objects that you manage, like collections, deployments, and sites.
For information about how to create and configure security roles for role-based administration, see Create custom security roles and Configure security roles in the Configure role-based administration for Configuration Manager article. Hardware 04A - Computers with multiple users (shared) Displays computers that don't have a primary user because no one user has a signed-in time greater than 66%. Use security scopes to provide administrative users with access to securable objects. I assume the UDA, but I can't find a resource to cite for this. If you select False, you need to manually approve all user device affinity assignments. For example: You have a group of administrative users who must be able to see production applications and not test applications. Set up primary devices for a user. At the bottom, you can also see the current primary user of this device. SCCM reports show different info when I add Top Console user field to report. Make sure the target devices are already discovered by the site and exist as resources in the Configuration Manager database. Q21: How do you take remote control of a client computer using the SCCM console? Click Browse and specify the Limiting Collection. In the left pane, under Manage, click Properties. This theme is carried forward throughout the product. Administrative users who are associated with this role can create collections, software update groups, deployments, and templates. Pre-deploy software to the user's primary device: If the deployment is to a user, select this option to deploy the application to the user's primary device. Choose Add. You can also import security roles that you've exported from another hierarchy, for example, from a test network. To create many relationships at one time, import a file that has the details for multiple user device affinities.
All securable objects must be assigned to one or more security scopes. Since time logged into a device is the metric User and Device Affinity relies on, it should match your Primary User for a device, so you can use it to associate a user with a device in a WMI query. For instance I've been longing for the ability to show the Primary User or Primary … For information about how to monitor intersite database replication, see the Data transfers between sites topic. System Center Configuration Manager 1610 Clients Settings. If the tasks that you identified don't map to the built-in security roles, create and test new security roles. Tenant attached devices that are assigned user device affinity automatically based on usage are returned when searching for a user. Security scopes don't support a hierarchical structure and can't be nested. Configuration Manager has several built-in security roles to support typical groupings of administrative tasks, and you can create your own custom security roles to support your specific business requirements. Asset Manager grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules. After you understand the concepts introduced in this article, you can Configure role-based administration for Configuration Manager. At present, when I add a user field to the active computer report, I get multiple users associated with a machine. How can I get an output that only shows the top user that has logged into a computer? If the user's activity for the device falls below the thresholds you've set, the site removes the user device affinity. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the Users node. When you disable the client setting to Automatically configure user device affinity from usage data, you need to manually approve all user device affinity assignments.
In the Edit Primary Devices dialog box, search for and then select the devices to add as primary devices for the selected user. When you design and implement administrative security for Configuration Manager, you use the following to create an administrative scope for an administrative user: The administrative scope controls the objects that an administrative user views in the Configuration Manager console, and it controls the permissions that a user has on those objects. For more information about collections, see Introduction to collections. And… Hi Everyone, could anyone tell me if user based deployments are based on User Device Affinity (regardless of how the user is assigned), or if it's based on the Top Console User that is determined from the security audit log? There are built-in security roles that are used to assign the typical administration tasks. Configuration Manager automatically manages user device affinities for the mobile devices that it enrolls. If an error causes the Windows event log to generate a high number of entries, it might create a new event log. I know SCCM builds up user-device affinity over a period of sustained usage of a device by a user. Purpose: To provide SCSM administrators an easy and quick way to log in as a different user, such as a user with Administrator level permissions. To create custom client agent settings, on the Home tab in the ribbon, in the Create group, choose Create Custom Client User Settings. You can select collections of users or devices. Starting in version 1902, use Software Center to set affinity. I am often asked for primary users of some collection. This behavior can eliminate the need to know the names of a user's devices to deploy an application to the user.
Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections. Select User Collections, and on the top ribbon click Create User Collection. One of the big themes in SCCM 2012 is User Centric Management. Intersite replication delays can prevent a site from receiving changes for role-based administration. For more information, see Configure client settings. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console and the tasks related to those objects that the administrative user has permission to perform. I'm looking for a way to generate a report that will display all active computers and the top user associated with that computer. If you have a team who regularly uses the SCCM console to perform daily tasks, it is not recommended to use the console installed on the site server. Select the user or device collection for which you want to manage affinity requests. For example, one group of administrative users requires Read permission to specific software update groups, and another group of administrative users requires Modify and Delete permissions for other software update groups. WMI does contain SMS_G_system_SYSTEM_CONSOLE_USAGE.TopConsoleUser, which is the user who has been logged in the most on the device. Administrative access to these objects can't be limited to a subset of the available objects. For more information, see the following articles: In the application catalog, choose My Systems. This way you can see any potential issues with your security roles,… To view the roles, in the Administration workspace, expand Security, and then select Security Roles. Tenant attach: ConfigMgr client details in the admin center; Find the primary user of an Intune device. With previous versions of SCCM, users could set their device as a primary device via the application catalog.
However, you cannot connect a Configuration Manager console to a secondary site. Anybody? Select a device. For example, separate collections for each business unit. You also can use user device affinity to predeploy software on a user's device when the user isn't signed in. User device affinity threshold (days): Set the number of days over which the site measures the usage-based affinity threshold. Choose the level of access to assign to remote assistance sessions that are initiated in the Configuration Manager console. It also doesn't take much to teach someone how to use the GUI query builder to create a device collection filtered on one of the many hardware inventory fields, such as OS version, or devices with a specific software GUID installed. In the Configuration Manager console, go to the Assets and Compliance workspace, and select either the Users or Devices node. Examples of the built-in security roles: Full Administrator grants all permissions in Configuration Manager. Navigate to SCCM console – Assets and Compliance – User Collections; Right-click and select "Create User Collection" from the User Collections node; On the General page provide a Name and a Comment. For example, permission to create or change client settings. Is it possible to somehow limit my query further to try and get the device that the user … Posting it here since I figured it might be useful to others. You create administrative users for a hierarchy and only need to assign security to them one time. Set User device affinity threshold (days) to a value of at least seven days. Hardware 03B - Computers for a specific primary console user: Displays all computers for which a specified user is the primary console user. It's possible that 1 device can be the primary device of many users, and also 1 user can have more than 1 primary device. Under Work Information, check the box "I regularly use this computer to do my work".
It depends on the criteria configured in Client Settings to identify the primary device. However, on a device that's not a primary device, you might deploy Visio as a virtual application. Summary: In your environment you may have users that have multiple machines, e.g. Transforming the assigned user. Different administrative users require different access for some instances of an object type. Using SCCM Built-in report. Identify the tasks that the administrative users perform in Configuration Manager. In a recent forum post, someone mentioned that user details were not being displayed within a ConfigMgr report called Hardware 01 A – Summary of computers in a specific collection. To begin with, there are two major steps that many people miss when troubleshooting why top console user details aren't displayed in … A security scope is a named set of securable objects that are assigned to administrator users as a group. Use this format: \,. Because a boundary object can't be associated to a security scope, when you assign a security role that includes access to boundary objects to a user, that user can access every boundary in the hierarchy. Using the Configuration Manager console, you can either connect to a central administration site or a primary site. On the Home tab in the ribbon, in the Device group, choose Edit Primary Users. Because the boundary object doesn't support security scopes, you can't assign this user a security scope that provides access to only the boundaries that might be associated with that site. In the User and Device Affinity group, set the following settings: User device affinity threshold (minutes): Set the number of minutes of device usage before the site creates a user device affinity. Collections specify the user and computer resources that an administrative user can view or manage. This setting doesn't require the user to sign in before the deployment runs.
Security scopes are used to group specific instances of objects that an administrative user is responsible to manage, like an application that installs Microsoft 365 Apps. If some of the administrative users perform the tasks of multiple security roles, assign the multiple security roles to these administrative users instead of creating a new security role that combines the tasks. You also can't install new application catalog roles. The Primary Users list shows users who are already primary users of this device, and the method by which each user-device relationship was assigned. On the Home tab in the ribbon, in the Collection group, choose Manage Affinity Requests. Open Software Center and click Options. This Configuration Manager report is considered one of the top reports as it helps remove duplicate records, and filter orphan records based on the last time seen online. In the Primary User window, you can see all users associated with this machine; you can also click Primary Users in the related objects in the bottom right pane. Ans: Open the SCCM console, and click the All Systems collection where the client has been populated. After Configuration Manager creates an automatic user device affinity, it continues to monitor the user device affinity thresholds. Here's some background on how I came to write this blog post. Then, in Limiting collection, choose Browse to select a limiting collection. Select a user. Software Update Manager grants permissions to define and deploy software updates. It shouldn't give you any duplicate user … Then, user device affinity automatically makes sure that the application installs on all devices that are associated with that user. In the Import User Device Affinity Wizard, on the Choose Mapping page, set this information: File name. Configuration Manager reads data about user logon events from the Windows event log. For more information, see Tenant attach: ConfigMgr client details in the admin center.
Create one security scope for production applications and another for the test applications. For more information, see How to configure client settings. It's pretty simple and straightforward to build a device collection based on combinations of other device collections. On the Windows Device properties page, you will see the device details. Map these administrative tasks to one or more of the built-in security roles. Administrative users see only the objects that they have permissions to manage. Use security roles to grant security permissions to administrative users. For example, separate collections of servers and workstations. Security scopes can contain one or more object types, which include the following items: There are also some objects that you can't include in security scopes because they're only secured by security roles. To change the primary user, click the Change Primary User button. This SQL query will display users and their primary computers (1 row per user, which is achieved using the SQL function STUFF). Sites aren't used as administrative boundaries. Create SCCM User Collection. Choose Add. If the file you import has more than two items in each row, use Column and Assign to specify which columns represent users and devices, and which columns to ignore during import. The SCCM Computer Identity transform script attempts to set the Assigned to field in the CMDB record by looking up the name of the user in the SCCM source table and comparing the value with the matching field in the ServiceNow sys_user table. But what if you want to create a device collection of the primary devices of a specific group of users? But the people asking want users' full names and not the username. Functional organization. You can view the list of built-in security roles and custom security roles you create, including their descriptions, in the Configuration Manager console.
I've had to use SCCM top console user to update our severely out of date inventory. When you first install Configuration Manager, all objects are assigned to this security scope. Define primary devices that users use every day for their work. Objects that aren't limited by security scopes include the following items: Create security scopes when you have to limit access to separate instances of objects. some users with both a laptop and a desktop. ... Running Configuration Manager Console 2006. Select a device for which you want to change the primary user. When you create an affinity between a user and a device, you gain more app deployment options. For example, you might have an administrative user who creates boundary groups that are used for a specific site. The Default built-in security scope is used for all objects, by default. To automatically create user device affinities, turn on these two options in the local security policy on client computers to store logon events in the Windows event log: To configure these settings, use Windows Group Policy. Click Next. The role-based administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings by using the following items: Security roles are assigned to administrative users to provide those users (or groups of users) permission to different Configuration Manager objects. You only manage user device affinity information for computers. You can't change the permissions for the built-in security roles, but you can copy the role, make changes, and then save these changes as a new custom security role. Starting in version 1906, updated clients automatically use the management point for user-available application deployments. Select the option I regularly use this computer to do my work.
In the Manage User Device Affinity Requests dialog box, select an affinity request, and then choose Approve or Reject. Create different security scopes for these software update groups. As an example, if you set User device affinity threshold (minutes) to 60 minutes and you set User device affinity threshold (days) to 5 days, the user must use the device for at least 60 minutes over a period of 5 days to automatically create a user device affinity. Also provided is the SQL query powering this report, along with some tips to help you add more information. Automatically configure user device affinity from usage data: Select True to let the site automatically create user device affinities. Configuration Manager has two built-in security scopes: The All built-in security scope grants access to all scopes. Configure role-based administration for Configuration Manager. If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. The first view contains records of valid PCs; the second contains logon information containing: PC-id, username, timestamp, etc.; the third contains PC-id, IP-address. For information about how to configure security scopes for role-based administration, see the Configure security scopes for an object in the Configure role-based administration for Configuration Manager article. SCCM Report primary device for user, May 13, 2016, Anders Rødland, ConfigMgr. So a customer of mine wanted a report from Configuration Manager to list primary devices for their users. Each security role has specific permissions for different object types. This configuration avoids situations in which an automatically configured user device affinity might be lost while the user isn't signed in, for example, during the weekend.