User device affinity question

Similar Messages

• How to determine best User Device Affinity Settings

  We've configured User Device Affinity for our site based on the canned defaults. Initially we started with 14 days and 1440 minutes. But after a recent deployment, we discovered that our Antivirus service account is registering as a "Primary User"
  on all of our machines which has triggered a very bad situation.
  My question is how do you determine these settings? My first try was to find a report that showed how many minutes each user was registering in the given period so that I could adjust it accordingly. I assume that my regular users are using the computers
  a lot more than my service account but I have no way of verifying this.
  I've tried combing through the security logs, but I'm not sure what SCCM is picking up on to determine the time period.
  To me, it seems that 24 hours is a really low threshold and that I could bump that up to 120 hours over 14 days pretty easily without issue. My concern is that there is a reason that they are setting it so low to begin with that I'm missing. Even then, I'm
  just randomly trying things hoping to get it right as I don't have the proper information to make the right decisions.
  Any ideas? Feedback?  

  Yeah, I saw those logs but it still seems mysterious to me. I'm not sure where it's getting it's info. I assume it's the security log for each machine but I have nothing to confirm that. It's odd because our service account for our antivirus solution isn't
  actually logging onto the machines so I'm not sure how it decides that this user is a primary user. 
  Ultimately, we worked around the problem by switching antivirus solutions but that won't be an option next time. 
  My guess is that we could have fixed our problem by adjusting our security logging settings in windows. But it wasn't something I wanted to do without direct confirmation with how this all works. 
  Thank you for your help on this though. 

• Automatic User Device Affinity - Audit logs retention

  Hello,
  We have problems on generating primary user info on a lot Computers and we suspect that problem is because audit logs are kept for too short time.
  So the config is following:
  1) User device affinity threshold (minutes): 2880
  2) User device affinity threshold (days): 30
  So there are two questions:
  1) For how long do we need to keep audit logs on SCCM client to successfully generate user device affinity;
  2) How long do we need to wait till information populates in SCCM DB?
  Thanks,
  Pēteris

  Also from UserAffinity.log I can see that information is sent with state messages:
  "Found same state message existing. (was sent before) Skip sending same state message for user"
  Hi,
  You could try to delete state message about the user in WMI on a client to see if user device affinity could be populated. That is stored in root\ccm\statemsg -> Enum Classes -> Recursive -> double-click CCM_StateMsg -> Instances. There
  should be messages that contain "domain/user_Auto".
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Automatic User device affinity, historical time stamp

  Hi all,
  I have a small questions. I've enabled Automatic User Device Affinity for all my works stations today. After a few hours I've see that nobody has primary device attached. If I go to an user at edit primary device I can see on what devices and how many
  times the user was logged,
  I've setup affinity for minutes 2880 min (48 hours) and 30 days, so who was logged more than 48 hours in last 30 days is made automatically device owner. How long I need to wait now. He can use historical data, no?
  Thanks. 

  No, I dont believe it will use historical data. After 48 hours from you enabling it, you should start seeing primary users, but only if the users have been logged in for 48 consecutive hours.
  Honestly I would not expect data for a good week.
  Daniel Ratliff | http://www.PotentEngineer.com
  I shrink the period 300 min with 14 days. Just to see some reports, after I will come back with longer times. Thanks.

• [Forum FAQ]How to troubleshoot common issue when configuring user device affinity from usage data

  Symptom:
  Some clients might fail to automatically configure user device affinity from usage data if you have manually configured user device affinity before.
  When you check the UserAffinity.log, you can find the similar error messages as below:
  User 'XXXXX\XXXXX' has xxxxx usage minutes UserAffinity 
  Setting auto affinity for user 'XXXXX\XXXXX'. UserAffinity 
  Found same state message existing. (was sent before) Skip sending same state message for user 'XXXXX\XXXXX'.. UserAffinity 
  Figure 1. Error Message in UserAffinity.log
  Cause:
  As the log said, there is a user affinity state message existing in WMI which prevents client from sending new user affinity state message.
  Resolution:
  We can delete the user affinity state message in WMI to force the client to resend the user affinity state message.
  We can follow the steps below:
    1. Run Windows Management Instrumentation Tester (“Wbemtest”).
    2. In Windows Management Instrumentation Tester dialog box, click “Connect”.(Figure 2)
  Figure 2.
    3. Type “root\ccm\statemsg” under the Namespace table and then click “Connect”.(Figure 3)
  Figure 3.
    4. Click “Enum Classes”. (Figure 4)
  Figure 4.
    5. Choose “Recursive”
  in Superclass Info dialog box.(Figure 5)
  Figure 5.
    6. Double-click “CCM_StateMsg” in Query Result dialog box.(Figure 6)
  Figure 6.
    7. Click “Instances”
  in Object editor for CCM_StateMsg dialog box. (Figure 7)
  Figure 7.
    8. Choose the messages that contain "domain/user_Auto" and click “Delete” in the Query Result dialog box.(Figure 8)
  Figure 8.
  After you delete user affinity state message in WMI, the user affinity state message for the user will be resent. After a period time, we can check the UserAffinity.log to
  see if the user affinity state message has been successfully sent. The related information would be similar as below:
  Successfully sent user affinity state message for user 'xxxxx\xxxxx'.
  Successfully created pending user affinity for user 'xxxxx\xxxxx' into WMI.
  Figure 9.
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  I'm not sure whether this is the appropriate place to add this but - a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address)
  being responded to with an A record (IPv4 address).
  DNS debug logging (Windows 2008 R2 SP1) captured requests to
  192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name
  in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”
  The domain name in the response was the same as that in the query, and looks OK.
  The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).
  http://www.rfc-editor.org/rfc/rfc4074.txt “Common
  Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:
     Suppose that an authoritative server has an A RR but has no AAAA RR
     for a host name.  Then, the server should return a response to a
     query for an AAAA RR of the name with the response code (RCODE) being
     0 (indicating no error) and with an empty answer section (see
     Sections 4.3.2 and 6.2.4 of [1]).  Such a response indicates that
     there is at least one RR of a different type than AAAA for the
     queried name, and the stub resolver can then look for A RRs.

• Thinking I may have broke User/Device Affinity in my setup?

  Morning,
  User/Device affinity has been working well for us for a number of weeks now.  I think maybe some recent changes I made to Group Policy regarding event logs may have borked it because the number of affinity's is slowing going down over the past
  few days according to the "Use device affinity associations per collection" report. 
  Here are the settings I am currently been using for weeks now:
  User Device Minutes: 960
  User Device days: 7
  Auto config: Yes
  Group Policy stuff:
  Audit account logon events: Success, Failure
  Audit logon events: Success, Failure
  Maximum Security log size: 1048576
  Retain security log: 14 days
  Retention method for security log: by days
  These changes were made just recently which we be the problem.  We made these changes because they were filling up the logs with noise and rolling over:
  Audit Filtering Platform Policy Change: Success
  Audit non sensitive Privilege Use: Success
  Audit Sensitive Privilege Use: Success

  Since no one has answer this post, I recommend opening  a support case with CSS as they can work with you to solve this problem.
  Garth Jones | My blogs: Enhansoft and
  Old Blog site | Twitter:
  @GarthMJ

• SCCM 2012 - Automatic User Device affinity - Not Working

  Hi,
  I need to enable the Automatic User Device affinity.
  Have enabled following two group policy settings:
  Audit account logon events
  Audit logon events
  In client settings User and Device Affinity
  following is enabled:
  User device affinity threshold (120 minutes)
  User device affinity threshold (2 days)
  Automatically configure user device affinity from usage data – True
  However even after 2 days there is no user device relationship getting build.
  Is there anything more required to be done?
  Any logs or links to be referred for troubleshooting?
  Regards,
  Milind Dhuri.

  Hi,
  Please post this in SCCM 2012 forum.
  tx.

• Anyone use User Device Affinity?

  Just wanted to know if anyone is using User Affinity to deploy software and if
  you are, can you please share any headaches I should be on the lookout for. We
  use it in limited fashion (via AD Group Membership) and its working well. I would like to expand its use
  and wanted to make sure I don't miss anything.
  Any assistance / recommendations are appreciated...
  Thank you 

  sorry for the confusion...
  We have User Device Affinity working. I've created AD user groups, created the collection which populates the primary device for the users in the group, and deployed software to it. Works perfect "so far" but I've only used it for a couple applications.
  Lets say I move this to 50 or 100 applications though
  In thinking long term. Is there anything I should be away of in the deployment process. Any type of User Device Affinity maintenance issues, allowing users to assign primary devices, etc.. just anything out of the ordinary that people have seen
  when using the Primary Device deployment method that maybe I should be away of...
  Thanks again

• SCCM 2012 User Device Affinity : Insure affinity is not lost...opinions?

  ok, so i'd like your opinions.  
  situation: i manage a school district environment of around 1500 computers, which is a good mix of labs/student laptops/teacher computers.  
  What I've done is set user device affinity by user to 60 minutes over 7 days.  For helpdesk reasons, we obviously need to be able to bring up the teacher's primary computer through searching for that user's primary device (we use right click tools,
  which is AMAZING...shout-out.)  What happens is when we go on Thanksgiving/Christmas/Summer break, the teacher's are gone for 7/14/90 days respectively.  
  I do not want these user's to lose connection to their primary device, because when we just came back from our 2 week break we find NO connections using right click tools.  
  What I just did was set the days to 90, since 3 months is the longest we'll be away...is that a bad idea, or is there a better way to get this connection to stick?
  Also, if there is a better way to do this, please let me know...i'm open to suggestions. 
  Thank you!  

  Due to our environment I have ours set to 80 hours in 30 days. I have checked machines that haven't reported in since before December of last year and those objects still have the appropriate user defined as the Primary User.
  The thresholds don't define how long the data is held in the database for. It just means "If a user uses a device for x amount of minutes within the window of x amount of days then this device can be considered to be their device." What "X" should equal
  is the variable that you have to make fit your environment. We had to increase the threshold here because techs and other users were getting pulled into too many devices due to their prolonged use of the machine.
  As for why your devices lose their Primary Users, did you configure some sort of custom settings in the site maintenance tasks?
  Dustin Estes - MCP | www.dustinestes.com

• Automatic User Device Affinity doesn't work

  Hi, the automatic User Device Affinity doesn't work in my environment and I don't know why! The audit policies are enabled by GPO and User Device Affinity is correctly configured in SCCM. Below are some screenshots including de log of User Device Affinity.
  Anybody could help-me please?

  An old post but,
  This can happened when activating
  advanced audit policy in one of the GPO. once it was activated, it gets override the regular audit policy with different event id's that SCCM don't recognize. in addition, the machine tattooed with those settings so removing the GPO wont revert the settings.
  Check out this thread for more information and help:
  http://social.technet.microsoft.com/Forums/en-US/f3a4b675-e955-4cd2-bba6-d51ea06dd362/user-affinity-not-working-properly?forum=configmanagergeneral
  Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

• User / Device Affinity

  I'm wanting service desk level technicians to be able to view devices that a user has logged into without being able to set a primary device.  As a full administrator I can right-click a user and modify primary devices, and see which devices they
  have logged into.  Is there a way to create a role with permissions that specific?  We don't have user/device affinity enabled yet so I just want them to be able to view it without manually setting a primary device for a user.

  To add-on to Wally, I've created a very limited scope for user device affinity before. I just did it again and I haven't been able to reproduce your behavior. I have a scope with the minimum rights required, which is:
  Collection: Read (and Read resource if you want to look in collection itself);
  User Device Affinities: Read, Modify, Delete, Create (otherwise the option Edit Primary User / Device does not show).
  Even playing arround with scopes (and collections), I was always able to edit the primary user or device and it always showed the number of logons (unless you perform a search). Also, when you perform a search it does look at the configured scope. It will
  only show the users or devices in the scope.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• User Device Affinity PXE Setting

  In the settings for PXE on a DP, there is an option for user device affinity with three possible choices.  Do not use UDA, use UDA with manual approval or use UDA with automatic approval.  What exactly do these settings do?  The TechNet info
  is a bit vague.
  Select Do not use user device affinity to not associated users with the destination computer.
  Select Allow user device affinity with manual approval to wait for approval from an administrative user before users are associated with the destination computer.
  Select Allow user device affinity with automatic approval to automatically associate users with the destination computer without waiting for approval.
  If I select do not use user device affinity, does that mean that the machine will not participate in UDA regardless of client settings?

  Perhaps this blog post will share some light on what the settings are used for:
  http://blogs.technet.com/b/inside_osd/archive/2011/06/20/configuration-manager-2012-user-device-affinity-and-os-deployment.aspx
  Regards,
  Nickolaj Andersen | www.scconfigmgr.com | @Nickolaja

• User device affinity in Microsoft System Center 2012 Configuration Manager

  What would be the microsoft recommended User device affinity  time in sccm 2012
  User device affinity usage threshold (minutes)-?
  User device affinity usage threshold (Days)-?
  Thanks,
  Sengottuvel m

  The default settings seem to work well.
  Gerry Hampson | Blog:
  www.gerryhampsoncm.blogspot.ie | LinkedIn:
  Gerry Hampson | Twitter:
  @gerryhampson

• SCCM 2012 Clear all user device affinity

  Over a year ago UDA was set by mistake to manual affinity confirmations
  Since that time
  several thousands of requests was received at admin console.
  Couple of weeks ago UDA was set to automatic affinity based on usage statistics. Unfortunately only new OS deployments get UDA based on usage and 98% of other PCs still have no affinity.
  It was decided to
  clear the queue of current device affinity requests at admin console on "All systems" collection by rejecting them due to I do not want to set admin affinity record in UDA - it is permanent IMO.
  It did not help to get new UDA for old PCs
  because clients believing that they already set it before. (see log file)
  User 'XXXXX\XXXXX' has 25960 usage minutes UserAffinity 07.07.2014 16:11:21 2112 (0x0840)
  Setting auto affinity for user 'XXXXX\XXXXX'. UserAffinity 07.07.2014 16:11:21 2112 (0x0840)
  Found same state message existing. (was sent before) Skip sending same state message for user 'XXXXX\XXXXX'.. UserAffinity 07.07.2014 16:11:21 2112 (0x0840)
  It is definitely a client WMI issue, because reinstalling client with uninstallation checkbox  fix the problem on second computer policy retrieval cycle.
   I need a way to clear somehow old affinity states in client history to set it again based on usage statistics. Any advice?

  Hi,
  Have you tried to delete the state message from WMI? I saw that is stored in root\ccm\statemsg -> Enum Classes -> Recursive -> double-click CCM_StateMsg -> Instances. There should be messages that contain "domain/user_Auto".
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Giving Permission to Helpdesk so they can set users Primary Device (User Device Affinity)

  Hi,
  I am trying to give our helpdesk access so they can right click a computer object in the console and edit the Users Primary Device. They have the option to right click and select "Edit Primary Users", but when typing in Domain\Username it doesnt
  populate with any usernames?
  Its almost as though they dont have rights to search AD for the usersnames in our domain.
  I am full administrator so it works fine for me.
  I have set the following permissions for our helpdesk and thought this would be enough:
  Collection = Read, Modify, Remote Control, Modify Resource, Delete Resource, Read Resource, Modify Collection Setting, Control AMT
  Site = Read, Import Computers
  User Device Affinities = Read, Modify, Delete, Create, Run Report, Modify Report
  Helpdesk all have appropriate rights in AD so its definitely something within SCCM 2012 RBAC causing the issue, any ideas ?
  Note: I already have automatic UDA in place but it takes the agent a week to pick this up so need a manual of doing this too.
  Thanks

  RESOLVED
  I had to give them read permission to the All Users and Groups collection.
  I thought it might enumerate the list of users straight from AD, but it does this from the all users collection which makes sense.
  Cheers