Bulk changing Configuration Manager & SCEP policy priorities

This is one that has caused me unnecessary effort in the past when working on migrations with customers. There is a limitation in the Configuration Manager 2012 console whereby, if you want to amend the priority of either a client settings or endpoint protection policy, your only option is to right-click or hit the ribbon and either increase or decrease priority.


Your other option is to use PowerShell with the Set-CMClientSetting or Set-CMAntiMalwarePolicy cmdlets like so:

Set-CMAntiMalwarePolicy -Priority Increase -Name "SCEP Policy 1"
Set-CMClientSetting -Priority Decrease -Name "Client Settings 1"

See

That’s all fine, and in particular the PowerShell can be useful for bulk changes; however, it’s still a pain when, as in my experience with a customer, you have 49 policies that all need re-prioritising. There’s a separate argument for why you may find yourself in this situation in the first place, but I’m not going to go into that one here.

So 2 solutions here, one probably preferable to the other, but I’ll write them up anyway.

The nice way

Let’s first go with the preferable one which, as you may have guessed, is using PowerShell. Now I can’t take full credit for this particular bit, as the base of the code is provided by t.c.rich, with whom I was involved in a TechNet forum thread on this subject following my own investigations.

As always, this assumes you have the ConfigurationManager.psd1 PowerShell module loaded. If you are outside of the ConfigMgr PowerShell window you can import the module like so:

Import-Module "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1"

Set-Location PR1:

The above assumes your path is C:\ and that your site code is PR1 – please change accordingly.

What the code essentially does is increase or decrease your policy/setting priority a specified number of times.

Endpoint Protection

Usage examples are:

Usage: Move-CMAntiMalwarePolicy -times <Number of Moves> -UporDown <"Up","Down"> -PolicyName <Policy Name>

Example: Move-CMAntiMalwarePolicy -times 4 -UporDown "Up" -PolicyName "My AntiMalware Policy Name"

 

Function Move-CMAntiMalwarePolicy
{
Param(
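	# Number of single-step moves; at least 1, because the do/while loops below always run once
	[Parameter(Mandatory=$true,Position=1)]
		[ValidateRange(1, 2147483647)]
		[int]$times,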
	[Parameter(Mandatory=$true,Position=2)]
		[ValidateSet("Up", "Down")]
		[string]$UporDown,
	[Parameter(Mandatory=$true,Position=3)]
		[string]$PolicyName
)
echo "I'm out of the parameters section"
	switch ($UporDown)
	{
		"Up"
		{
			echo "I'm going up"
			$i = 0
			do
			{
				$i++
				Set-CMAntimalwarePolicy -Name $PolicyName -Priority Increase
				echo "I went Up once"
			}
			while ($i -lt $times)
		}
		"Down"
		{
			echo "I'm going down"
			$i = 0
			do
			{
				$i++
				Set-CMAntimalwarePolicy -Name $PolicyName -Priority Decrease
				echo "I went down once"
			}
			while ($i -lt $times)
		}
	}
}

 

Client Settings

Usage examples are:

Usage: Move-CMClientSettings -times <Number of Moves> -UporDown <"Up","Down"> -SettingsName <Settings Name>

Example: Move-CMClientSettings -times 4 -UporDown "Up" -SettingsName "Client Settings 1"

Function Move-CMClientSettings
{
Param(
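     # Number of single-step moves; at least 1, because the do/while loops below always run once
     [Parameter(Mandatory=$true,Position=1)]
         [ValidateRange(1, 2147483647)]
         [int]$Times,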
     [Parameter(Mandatory=$true,Position=2)]
         [ValidateSet("Up", "Down")]
         [string]$UporDown,
     [Parameter(Mandatory=$true,Position=3)]
         [string]$SettingsName
)
echo "I'm out of the parameters section"
     switch ($UporDown)
     {
         "Up"
         {
             echo "I'm going up"
             $i = 0
             do
             {
                 $i++
                 Set-CMClientSetting -Name $SettingsName -Priority Increase
                 echo "I went Up once"
             }
             while ($i -lt $times)
         }
         "Down"
         {
             echo "I'm going down"
             $i = 0
             do
             {
                 $i++
                 Set-CMClientSetting -Name $SettingsName -Priority Decrease
                 echo "I went down once"
             }
             while ($i -lt $times)
         }
     }
}

In order to use these you will need to save the code as psm1 files and import them. Alternatively, you can download them from the Microsoft Gallery:

SCEP Policy - http://gallery.technet.microsoft.com/System-Center-Endpoint-4e696cea

Client Settings  - http://gallery.technet.microsoft.com/Configuration-Manager-202ee1e0

Import them with the following:

Import-Module "C:\<yourpath>\MoveSCEPPolicy.psm1"

Import-Module "C:\<yourpath>\MoveClientSettings.psm1"

The output should be as follows:

The not so nice way

Now that’s the “nice” solution, although still not perfect as you need to run it multiple times if you have several policies, so here’s the not so nice solution. This involves editing the SQL database, so as usual I cannot suggest you try this anywhere outside of a lab – no guarantees from me.

It turns out that if you open up the Configuration Manager SQL database in SQL management studio and take a look inside the dbo.ClientSettings table, you will find that you can actually amend the policy/setting priorities as free text.


Firstly you will notice that in this table you have a combination of both SCEP policies and Client policies; these are signified as follows:

FeatureType

1 = Client or User

2 = SCEP

Again, I don’t recommend you do this in production, but in my own lab-based tests I have been able to simply edit the policy/setting priority values in the ‘Priority’ field of this table. This reflects in the console when you refresh the page and in my own testing doesn’t seem to have had any adverse effects on either the console, CM servers or clients. Obviously doing this opens up a risk that you set 2 policies to the same priority – I don’t fully know how this will affect clients as I haven’t yet tested this far; however, I did test that it is entirely possible to do so.


The moral of the story then is obviously check and double check. Although a risky approach, this is by far the quickest.

There you have it: 2 ways of making quicker changes to your Configuration Manager 2012/SP1/R2 SCEP and client policy priorities. Feel free to fire any questions my way and I will one day, purely out of curiosity, test the effects of duplicate priorities. I can make some educated guesses but there’s nothing like a proper test.
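For the situation described above, where dozens of policies need re-ordering, the function below works out how many times each policy has to move, so the result can be fed to Move-CMClientSettings or Move-CMAntiMalwarePolicy. It is an added example, not part of the original post or t.c.rich's code; Get-CMPriorityMovePlan and the sample policy names are hypothetical, and it assumes a single "Up" move swaps a policy with the one directly above it.

```powershell
# Added example. Assumption: one "Up" move swaps a policy with the one
# directly above it in the priority list, pushing that neighbour down by one.
function Get-CMPriorityMovePlan
{
    Param(
        # Policy names in their current order, highest priority first
        [Parameter(Mandatory=$true)]
        [string[]]$CurrentOrder,
        # The same names in the order you want to end up with
        [Parameter(Mandatory=$true)]
        [string[]]$DesiredOrder
    )

    # Both lists must hold exactly the same names, or the plan is meaningless
    if (Compare-Object $CurrentOrder $DesiredOrder -CaseSensitive) {
        throw "CurrentOrder and DesiredOrder must contain the same policy names"
    }

    # Simulate the list so each later move accounts for the earlier ones
    $working = New-Object System.Collections.ArrayList
    $working.AddRange($CurrentOrder)

    for ($target = 0; $target -lt $DesiredOrder.Count; $target++) {
        $name  = $DesiredOrder[$target]
        $from  = $working.IndexOf($name)
        # Slots above $target are already final, so $from is never less than $target
        $moves = $from - $target
        if ($moves -gt 0) {
            $working.RemoveAt($from)
            $working.Insert($target, $name)
            New-Object PSObject -Property @{ PolicyName = $name; UporDown = 'Up'; Times = $moves }
        }
    }
}

# Constructed sample data: five client settings, highest priority first
$current = 'Servers', 'Laptops', 'Kiosks', 'Desktops', 'VDI'
$desired = 'Kiosks', 'Servers', 'VDI', 'Laptops', 'Desktops'

# Print the commands instead of running them, so the plan can be reviewed first
Get-CMPriorityMovePlan -CurrentOrder $current -DesiredOrder $desired | ForEach-Object {
    'Move-CMClientSettings -times {0} -UporDown "{1}" -SettingsName "{2}"' -f $_.Times, $_.UporDown, $_.PolicyName
}
```

The printed commands must be run in the order they are listed, since each count is calculated after the earlier moves have been applied.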

  • Really like what you've done here, perhaps the next version of the script can take a /Position argument so that you can keep iterating up\down until the correct priority is arrived at (or closest to), would be even cooler :-)

  • Yes agree I should aim for that. It's been sat on the todo list for a while now and I wanted to get it out there. Let me go scratch my head for a bit and I'll see what I can come back with.