Back to Basics: Collection Membership

Ever wonder why a machine doesn’t show up in a collection? You added it, either manually, <Start Plug for great product> or via an awesome tool like the Recast Right Click Tools “Add Computer to Collection(s)” <End Plug> and when you show the members of the collection, it just never shows up? I have, and it nearly drove me crazy, or perhaps a deeper level of crazy than I already am. So, why does it do that anyway? That’s what I’m intending to explain in this post.

What this Post is NOT. Collection Evaluation Troubleshooting, there are already plenty of great posts out there that give guidance in that area.

There are several things that affect, or is it effect… whichever.. the resulting collection membership, or the evaluated results.

  • Collection Queries
  • Direct Membership Rules
  • Include Collections
  • Exclude Collections
  • Limiting Collections

Collection Queries: The process of dynamically adding machines to a collection based on criteria or properties of computers. Common queries are based on:

  • Hardware Type (Make / Model)
  • Installed Software
  • Operating System Information

For some pre-created Community Queries, check out Ander’s Post
Example of a Query for 1709 Computers

Direct Membership Rules: Simple 1 to 1 mapping of Computers. This is when you manually add Computers into a Collection, either individually or via Batch, like I blogged about recently.

In this example, you can see the Direct Members that have been added to this Collection. If your collection ONLY has direct members, there is no point in checking the boxes for updating the collection.

Include Collections: When you “Nest” Collections. Collection A includes Collection B & C. This is when things become a bit more complex, but still straight forward. Why? Say you already have several collections based on Queries, Marketing & Sales or Windows 1607 and Windows 1709. Lets say you want to deploy a Task Sequence to Both Marketing & Sales, why make two deployments? Why Create a new Collection with 2 Queries, you already have those machines in collections, create a new Collection that Includes both and deploy to that. Example below of Include Collection, contains two other collections. 1607 (4 devices) & 1709 (7 Devices) = Total of 11 Devices in New Collection. 10 VMs and 1 Dell, this will be useful to know in the next example.

Exclude Collection: When you Nest a Collection of machines you want Excluded from your collection results. This is where it can be really tricky and make you scratch your head a bit. In this example, we’ll build off our last, we left the collection with 11 devices, but I want to exclude Dell’s from the upgrade, because they are not compatible with 1809 (just hypothetical). You can see in this example, I have 1 Dell machine, now that it’s been excluded, the total of machines goes down to 10. Simple right?

Now, it’s not just that simple, this example ONLY works because the Dell machine is actually running 1709, which means it was in the 1709 Collection that was included. So while it’s still in the 1709 Collection which is included, the exclude rule overrides the include rule and the Dell Machine is removed from the 1809 Deployment Collection.

Exclude Collections are great for keeping yourself safe… say you have a group of high risk machines, you create a “High Risk” Collection, and exclude it from all of your normal deployments, just make sure you’re still dealing with those high risk machines. While Exclude collections are great to keep you safe, what’s even better, using a Limiting Collection which we’ll be taking about next.

Alright, so we’ve covered the ways you add machines and exclude them from collections, but one other way to limit the machines that can be in the collection is by a limiting collection.

Limiting Collection: The collection by which you limit another collection. Say you have a collection of all Machines for a line of business “Marketing”, and they are the only group that you know has approved upgrading to 1809 from 1607 and 1709. At this point, you’d have one confusing query.. All Machines that are 1607 and 1709, but not Dell, and only in Marketing… argh. However, with Includes, Excludes, and Limiting Collections, it makes it very simple.
For the example, lets take a look at our Marketing Collection:

Marketing Contains 10 Machines, HP, Dell, VMs ranging from 1607, 1709 and 1809

So now that we know the Pool we want to pull from, we can Limit our Deployment Collection to only Machines in Marketing.

So the final tally? 6 Machines will receive the deployment. Break down of the Deployment Collection:

  • Include 1607 Machines +4
  • Include 1709 Machines +7
  • Exclude Dell -1
  • Total = 10 Machines of All Workstations fit the above criteria
  • Limit by Machines in Marketing that fit the above criteria = 6

So while there are 10 Machines in the Marketing Collection, 4 of them do not fit within the criteria and have been excluded (the HP, and the Machines not on 1607 or 1709).

Now lets say, you get a request to add someone to get the 1809 deployment, so you think “Hey, I’ll just quick add a computer to the collection via direct membership so the user gets the deployment on their computer.” So you go ahead and add the 1709 computer to the collection, but they never get the deployment… you look at the Collection to see the members, and you don’t see the machine you added, but you check the direct membership and you see it there, what is going on?? aaaahhhhhh!

Then you finally remember, LIMITING COLLECTION! “PC08” isn’t in Marketing, the computer will not be evaluated to be in the collection due to limiting the collection membership to only machines in the Marketing Collection!

So now I hope you understand how collection memberships work, how Direct Membership on a Collection doesn’t always equal what the evaluated membership is. There are a lot of moving parts to Collections, of which any can drastically change the collection membership.

Posted on

Tools: Add and Remove Computers To/From Collection

Hey Recast Right Click Tools users.  This is a nifty tip that I often forget about, but is pretty powerful when adding or removing machines to and from collections. Bonus.. learn about Direct Membership vs Evaluated Membership.

Blog Summary: Wild Cards! 

Lets say I want to add all machines that start with “town” into a collections… wild cards make this simple.

In this Demo, I highlighted 2 collections at the same time, and launch the tool “Add Computers to Collection(s)”

I’ve added my wildcard name, %town%, lets see what happens:

You can see here, it has added the machines with the string ‘town’ in the name into the collections.

Something also to note, in my demo I have one collection limited to “All System” (FYI not a good practice) and one collection limited to 1607 machines collection.  After I’ve added the devices, you can see the collection counts are different, as only 1 machine in the batch is in the 1607 collection (the limiting collection).  If I show the evaluated results of that collection, there would only be 1 device, as opposed to the direct membership there would be 14, the same as the collection without a limiting collection.

Now, lets say you want to remove machines that have the word “pc” or “hp” in the name, and leave the rest…

Pretty simple.  After the removals, there are only 3 devices in each collection (Direct Membership), and the one with a limiting collection now evaluates to 0 machines, because none of the machines in that collection are part of the 1607 Collection.

I hope this demo shows the power of the Add / Remove Computers Right Click Tools, along with the difference between Direct Collection Membership and Evaluated Collection Membership.

Posted on

Windows 10 Rollback (SetupRollback.cmd) and ConfigMgr

This might not be a widely known fact, but Rollback in Windows 10 has been partially broken for a very long time (1803), and still is with current media of 1809 & 1903 as of today, 2019/08/20. In this post we deep dive into what the issue is and what you can do to fix it.

What is exactly broken? SetupRollback.cmd is not triggered in Windows if the machine fails the upgrade process.

Why should I care?  If you have created your own SetupRollback.cmd file, or expect to leverage it in the case of an upgrade failure and the machine rolls back, you will not get the experience you are expecting.  The Same goes for OS Uninstall (Revert back to Previous OS).  You would need to rely on outside processes to restore full functionality to the machine.  You know that folder in the In-Place Upgrade Task Sequence Template that says Rollback, with the condition _SMSTSSetupRollback = True.. guess what never gets set if the SetupRollback.cmd file never gets run?  Yep, that variable to trigger the RollBack Section of your Upgrade TS.
Picture of SetupRollBack.cmd & IPU TS

What should I do if I need this?  This is a two part fix.  Both Windows upgrade media needs an update (Dynamic Update, August and newer for 1809) and ConfigMgr needs a Variable Set. As of now, I don’t know if there is a fix for Win 10 1903.. still coming?  I have been told it will be built into Win 10 1909 whenever that is released.

  1. ConfigMgr: In the Task Sequence, you need to leverage /postrollbackcontext command, and set it to system (/postrollbackcontext system) otherwise it will try to launch SetupRollback.cmd in the user context, which helps nobody.  This behavior is supposed to change in 1910, and that will be the default which we should be able to confirm at that point.
  2. Windows Upgrade Media:  A couple ways to do this.  Enable Dynamic Updates during your Upgrade.  This by far is the easiest way, if your infrastructure can handle it.  If it can’t be enabled, you’ll need to “inject” them into your offline media.  There are several guides out there on how to accomplish this (including below), along with a community tool, OSDBuilder, which will help automate the process.  Short Version.. Download the KB, extract the CAB file, copy the extracted files / folder structure into your Upgrade Media overwriting the files that were previously there.

Updating Offline Media (ConfigMgr 1809 Source Content)


Download, then Extract (expand):

Go to folder: (Contents of the Extracted KB)

Copy to your 1809 Upgrade Media


Now update your DPs with your latest upgrade media, and you’re set.  Please make sure you’re also updating it with the other monthly patches and dynamic updates.

In the Task Sequence:
Set Variable Step:

Upgrade Step (If you can update Dynamic Updates):

Now with the Rollback Mechanism working properly, the Task Sequence is supposed to kick back in after the machines fails to upgrade, allowing you to run additional cleanup / diagnostic tasks (Like trigger SetupDiag for example).

Originally posted on

People Problems: Going From Good and Great in I.T.

Team Typing is Best Typing.

The relationship between man and machine is a lot less dramatic (or in some cases, ridiculous) in real life than it’s often portrayed in fiction– but that doesn’t mean the potential for trouble is less real.  At Recast, we have a unique opportunity of getting to talk with thousands of senior-level system administrators about their environments every year.  We often begin conversations with a frank discussion about what’s working and what isn’t– and why.  From our experience, and with few exceptions, the success or failure of a systems management effort at any organization hinges on the ability of it’s IT department to manage people problems.

What Do You Mean “People Problems?”

Simply put– people are messy.  All the great things we can do when we work together are easily turned on their head when we don’t.  In IT, this is often more pronounced than in other professions.  More often than not, those with the technical knowledge to make well-reasoned decisions are not the ones granted decision-making power, which means IT is faced with a fundamental problem and responsibility: communication. 

Image result for no signal gif

How Bad Can It Be?

Organizations that operate on the highest levels of success in IT are also the ones who have the best communication strategies.  Organizations who utterly lack the communication skills to overcome people problems, well– they end up in the news.  The point is, communicating well, especially when faced with a technically-important decision, is paramount. 

Image result for equifax gif
Don’t end up on the news.

Tips? Best Practices?

By and large, organizations who do this well have a few things in common.  Here are a few places to get started:

  • Technical teams and Organizational leadership regularly meet and discuss ways to meet the needs from both sides.
  • I.T. puts SLA’s on response times for different tasks and sticks to them.
  • I.T. over-communicates updates, outages, successes to userbase, and consistently requests/acts on feedback.
  • When a poor decision is made– iterate, re-litigate, reiterate.  Decisions shouldn’t be set in stone, as technology advances, so should you.

Right Click Tools Can Help

With smarter data, comes better decision making.  RCT Enterprise’s Security and Compliance Dashboards can help you communicate, decide, and act on common fall-down points for most organizations.  You can get a 1 on 1 session with an expert anytime by scheduling a walkthrough here

RCT Tip of the Week: Add AV Exclusions to Avoid Console Slowdowns

In some scenarios, installing RCT 3.2 can cause noticeable console slowness due to Endpoint Protection or other AV apps having to scan additional XML files that Right Click Tools add into the console.  If this is something you’re experiencing– this week’s blog post will take you through what you need to do to add AV exclusions and avoid the slowdown.

Step 1: Download the Latest Release

We always recommend getting and staying current with Right Click Tools, but in this instance we’ve added packs of the necessary exclusions for SCEP into the latest .msi for the tools.  You want to be on version 3.2.6859.27396 or later.

To download Community Tools, navigate to our website and click “Download RCT Community”

For Enterprise Customers, simply login to Recast Portal to view/download the latest releases anytime, selecting version 3.2.6859.27396 or later.

If you can’t update yet for some reason, you can find the packs of exclusions on the troubleshooting page of our Wiki.

Step 2: Import Exclusions

Navigate to Endpoint Protection->Antimalware Policies in the console.  Select Import.

Navigate to where the exclusions are stored– the default if you’ve updated your tools is C:\Program Files (x86)\Recast Software\Recast RCT\Extras.

Select the SCEP exclusion you wish to import and hit “Open.”

Step 3: Deploy

Now that we’ve imported the exclusions, the last step is to deploy them.  Simply select the exclusion in the console and hit “Deploy”

Select the collection you wish to deploy these exclusions to and hit ok.  Worth noting that this policy will take effect on your normal cycle unless you force a machine policy retrieval and evaluation cycle, which you can do from the Client Actions Menu.

Surface – Refine – Act: Data-Driven Decision Making

Configuration Manager creates a lot of data.  We can be better systems managers if we can use that data to make decisions, but that process is not always as simple as it sounds.  Often, getting at the data you need in the  console feels like traversing a crevasse. You can see where you want to go, you have a good idea of how you might get there, but when it comes to actually getting across the gap there’s a lot more to it than first meets the eye.

This problem often leads to something I like to call data paralysis.  In the same way you might look down with trepidation over the edge of that gap or break out in a cold sweat at the broken rung, surfacing the data you need to make systems management decisions has a lot of ways you can get sidetracked.  We take one look at the gap we need to cross to get make the decision we need, and spend days trying to find a way to fix or fill it– spending a lot of time and effort but going nowhere.

the sword in the stone disney GIF

Build a Better Bridge

The solution to many of the procedure issues that cause gaps in the decision making cycle is to build a better bridge.  This is one of the main reasons we created the Right Click Tools in the first place– when we can surface data more easily, refine that data to a usable state, and then act on it immediately, we avoid data paralysis altogether.   

way bridge GIF

The RCT Enterprise Query tool is a perfect example of this: 

If you would like to see more of how the Query tool and other Right Click Tools can help you improve your data-driven decision making– schedule a walkthrough with us.  It’s a quick, low pressure way to learn more about the tools, ask technical questions, and see how the tools can help in your environment.

RCT Tip of the Week: Using SUDS to Check Your ADR Work

The Software Update Deployment Status (SUDS) tool, is a great way to check on software update deployments and more proactively manage your environment.  SUDS can also help you address some of the more common Automatic Deployment Rule (ADR) issues so you can refine your automation and make sure your processes aren’t missing anything.

Navigate to SUDS: Monitoring tab-> Recast node-> Software Update Deployment Status tool.

Run a scan on the collection your ADR’s target for deployment.

Looking at the non-compliant results, you can determine if there might be ADR issues by checking the “Deployed” column.  If the update is part of your ADR’s and the column shows “False”, check out your ADR’s to see what you might have missed.

For more information about SUDS and the other RCT Security and Compliance Dashboards– check out out the video below, or visit our Wiki.  You can also schedule a demo to talk more specifically how RCT Enterprise can help in your environment.

A Happy You is Good for the Org, Too

At Recast, we often get asked about the Right Click Tools in terms of dollars and time saved, and how we can help admins like you be more productive in the time you work.  It’s important stuff, maximizing your time and effort as a System Administrator can have sweeping effects on the productivity of the entire organization.  That being said, today’s blog post is all about something much more important and with much more impact: being happy.

Being Happy and Engaged in the Work is Critically Important… Especially in IT.

Systems management is hard.  Somewhere between all the technology changes, revolving security concerns, people/process issues, organizational policy/politics, and myriad of ways things can just go wrong– there’s a real person who wants to achieve their career and personal goals.  Too often in our industry, the needs of the person get lost in favor of the needs of the organization or the needs of the technology, but this thinking is actually backward for those seeking high performance from their sysadmin teams.

In an 3 year survey report published by Towers Perrin ISR, organizations with high employee engagement had nearly 6% better operating margin and 4% better profit margins compared to those with low employee engagement.  In a field that already has the potential for sweeping impact on an organization, making sure that sysadmins enjoy and believe in their work is critical for maximizing organizational success.  The fact is, when sysadmin teams are engaged in their work, magic happens.  Systems are more secure.  Downtime is decreased.  End users are better trained in the use of their technology tools and therefore more effective at their jobs.  The organization stands out from the competition because the team is more effective.  

You Can’t Be Happy if Everything is On Fire.

This might sound familiar: Well-trained, highly skilled SysAdmin is hired on and tasked with managing an environment.  SysAdmin quickly realizes this actually means putting out metaphorical fires in the environment all day, while simultaneously being blamed for starting those fires in the first place. In this scenario, job satisfaction, happiness, and engagement are going to be hard goals to reach!  The solution is to get out of the business of firefighting, but you can’t stop firefighting unless you can stop the fires from starting, but you can’t stop the fires from starting until you have time to stop firefighting.  It’s a recipe for dissatisfaction, organizational friction, and high rates of turnover.

This was the reason we created the Right Click Tools from the beginning– if we can give you the tools you need as a SysAdmin to be more productive/proactive, offer easier ways for you to get the data you need to make better decisions, and improve/integrate with the tools you already use, you might just have a chance of shifting from firefighting to fire prevention.  Tools like the Status Message viewer– which lets you troubleshoot a task sequence in seconds rather than hours.  Or the enhanced Query Tool, which lets you surface data more effectively, sort/filter results to where they need to be, and then take action immediately.  You can learn more about the what the tools can do to help you get out of the firefighting business by scheduling a demo.

How to Delete User Profiles in ConfigMgr in Less Than a Minute

The System Information tool has a wealth of actionable information available at your fingertips.  Here’s how to use this tool to delete User Profiles from a device.

Step One: Right Click and Navigate to Recast RCT>Console Tools>System Information

Step Two: Select the ‘User Profiles’ Tab

Step Three: Select, then right click on the User Profile(s) you want gone and select ‘Delete Profiles.’

You’re done!  

5 Ways RCT Enterprise Saves Organizational Resources

1: Troubleshooting

When task sequences and other areas of SCCM fail, it can put a serious time strain on productivity across the organization.  Not only is IT productivity stalled while logs and other potential causes are explored, but anyone waiting for a new computer, tech support ticket, or new image has their productivity hamstrung as well.  RCT Enterprise’s Status Message Tools let admins jump directly to the causes of trouble in 21 different places around the console, so that they can address issues at an increased rate., saving the organization’s resources.

2: Automation

SCCM is one of the largest and most complicated product Microsoft sells, and is used by an organization’s best, brightest, and most experienced (and expensive!) IT resources.  Significant organizational resources can be saved by giving these highly skilled professionals the tools they need to offload and automate complex, repetitive, and challenging tasks.  RCT Builder allows the creation of custom organizational automation tools on a grand scale, leaving the most skilled IT resources more time to better manage the constant forward march of technology and potential security threats.

3: Help Desk Enablement

RCT Enterprise reduces the skill and knowledge barrier to many common tasks in SCCM, and with its robust Role Based Administration model, enables organizations to safely offload SCCM tasks to those with less experience.  This makes the organization more effective at IT administration and helps foster employee growth.

4: Proactive over Reactive

RCT Enterprise includes several tools designed to help admins become more proactive in their systems management, stopping problems before they occur:

The Content Information dashboard gives a clearer picture into the process of managing, updating, and deploying content, letting admins keep task sequence content fresh, thereby reducing update time with the end user.

RCT Security Dashboards allow admins to surface, refine, and act on compliance data for Active Directory vs. SCCM devices, BitLocker and LAPS, and Software Update Deployments.

RCT Querying allows for bigger, more complex queries (without console crashes), with results that can be refined and acted upon immediately.

5: End User Self Help

StateLocker, part of the Lab Management Suite, enables end users to self-help when they experience tech support trouble—simply restarting their machines to return the computer to a healthy and updated state.  This allows IT to reduce tech support tickets in areas where they are most likely to cause the most organizational disruption, without forcing IT to create new device management procedures or deploy a host of group policy changes.