Compliance Mgmt

Hi,
I need Compliance mgmt help.
I want to run a command against 2500 switches that make all Fast Ethernet ports implement as speed auto & duplex auto, except Gig port and trunk ports. Any help appreciated.
THANKS
I am using;
LMS:3.2
RME: 4.3
CM:5.2.1

Since you have RME 4.3, you might also consider using a Netconfig port-based job.  To do this, go to RME > Config Mgmt > Netconfig > Netconfig Jobs and create a new port-based job.  Define an custom group with the ruleset:
Port.PortName StartsWith "Fa" AND
Port.CM.AccessStatus = "Configured"
Then select the Adhoc task, and enter the IOS commands:
speed auto
duplex auto
Deploy that to all of the required switches and that will accomplish what you want.  Note: this requires that all switches are managed by Campus Manager.

Similar Messages

  • Ciscoworks LMS 3.2 - Compliance mgmt negation problem

    Hi,
    Strange problem, that I am sure is being caused by me.
    Basically trying to run an advanced Compliance mgmt job, looking for a set of pre-requisites (this is working) and then removing all non compliance SNMP community strings from a sample device.
    I use two lines for this removal
    - snmp-server community [#!testR[OW]mon#] [#.*#] [#.*#]
    - snmp-server community [#!SNMP#] [#.*#] [#.*#]
    From what I see, this should remove all snmp-server communities from a device other than "testROmon", "testRWmon" and "SNMP". Obvious caveat is that they would all need to have two words after this (in this case, these are ro or rw and an ACL).
    When I run this it seems to try and remove twice as many snmp community strings as there actually are on the device config? So I guess the core questions are: -
    1) Does the above look sound and would it do what I think
    2) Does the Compliance management engine parse the entire config independantly for each line of the above and hence explain why I am getting more removals than I would expect or is there a problem somewhere?
    Any help on this appreciated as its driving me nuts

    Thanks Joseph,
    So if I also wanted to remove all SNMP traps bar: -
    snmp-server host 10.10.10.x (where x is any ip in the last octet)
    From a device, would I use
    - [#snmp-server host (!#10\.10\.10\..*#).#]
    Or doesn't this make sense?

  • What means "commandLets" in Compliance mgmt in LMS 4.1

    Hi,
    I provided a compliance check using an advanced template. This check shows me a lot of non-compliant interfaces on one device. I would like to deploy the compliant configuration's commands to the non-compliant interfaces - so I click on the button deploy. The next window shows me: device, commands and commandlets. In the commandlets frame two templates are seen: dot1 and dot2 - these templates are components of the advanced template. After these templates is some number in the parentheses like pod1(000), pod1(0045), pod2(0075). My question is what these numbers mean, because I can select one of them??
    Thank you very much
    Roman  

    Hi Leolaohoo,
    It is no duplicate post. I tried to search this problem on Cisco Support Community and there is no same problem. If are you right, so send me this link, please.
    The customer has a problem that he see no phone registered on the CUCM in the LMS 4.1. UT discovered the phone, but the customer has no detail information about this phone.
    Roman

  • Ciscoworks LMS 3.2 compliance mgmt negation problem 2

    Sorry one more question,
    If I also wanted to remove all SNMP traps bar: -
    snmp-server host 10.10.10.x (where x is any ip in the last octet)
    From a device, would I use
    - [#snmp-server host (!#10\.10\.10\..*#).#]
    Any help appreciated

    Thanks Joseph,
    But if the line is say: -
    snmp-server host 10.10.10.1 testROmon
    Would I not need the .*# for the extra word? I guess this would only be needed if I were also searching for variations in this word?

  • Ciscoworks LMS 3.2 Compliance Mgmt

    Would it be possible to create a template do the following?
    1.  check all interfaces, include Ethernet, FastEthernet, GigabitEthernet, Serial, Token, etc
    2.  if the interface is found to have "ip helper-address", it must match x.x.x.x and y.y.y.y
    The reason is that I am running this search and replace script, and I need to verify afterward.
    Name: ChkHelpers     SubMode: Yes      isPrerequisite: Yes
    Ordered : No     Prerequisite-Commandset : none     Parent: none
      interface   [#.*#]
      +   ip   helper-address  [#10\.\d\.\d\.\d\#]
    Name: ReplOldHelpers     SubMode: No      isPrerequisite: No
    Ordered : No     Prerequisite-Commandset : ChkHelpers     Parent: ChkHelpers
      -   ip   helper-address   10.a.a.a
      -   ip   helper-address   10.b.b.b
      +   ip   helper-address   x.x.x.x
      +   ip   helper-address   y.y.y.y

    There are a few typos where, but in general what you have it correct.
    Name: ChkHelpers
    IsPrereq: yes
    Submode: interface [INTF]
    Body:
    + ip helper-address [#10\.\d+\.\d+\.\d+#]
    Name: ReplOldHelpers
    Prereq: ChkHelpers
    Parent: ChkHelpers
    Body:
    - ip   helper-address   10.a.a.a
    - ip   helper-address   10.b.b.b
    + ip   helper-address   x.x.x.x
    + ip   helper-address   y.y.y.y

  • RME/compliance mgmt - deploy ntp

         Hi,
    Using RME 4.3.0
    I'm trying to deploy new ntp settings across all network infrastructure. I prepare baseline template and check complance. When i try to deploy i'v got this issue:
    Job finished sucessfully, but some of devices are still in pending state. All of this devices "wating" for deploy this command:
    no ntp server X.X.X.X key 1 prefer
    My template looks like this:
    +   ntp   server   A.A.A.A
    +   ntp   server   B.B.B.B
    -  [#ntp   server   (?!A.A.A.A|B.B.B.B).*#]
    Is there any way to change this bahavior? To generate simply: "no ntp server X.X.X.X" instead of "no ntp server X.X.X.X key 1 prefer" while complance check?

    HI,
    This error states that "but some of devices are still in pending state". So, kindly check if you have any device showing under " Pending Devices" category.
    Kindly go to RME > Devices. Post the screenshot of this location here.
    Thanks,
    Gaganjeet

  • Exchange 365 and in-place eDiscovery

    I created dozens of in-place eDiscovery search in powershell for the users who have left the company, but we need to retain their mailboxes for legal compliance reasons. The powershells looked like this:
    New-MailboxSearch -name "User1" -SourceMailboxes [email protected] -ExcludeDuplicateMessages $true -InPlaceHoldEnabled $true -ItemHoldPeriod 255
    And when I go into the EAC> Compliance Mgmt> in-place eDiscovery, I can see all of them but their status says "Status: Search Not Started."  So I used the EAC to edit one, and check if I missed something, but everything from the PS script
    is correct, and when I clicked Save, again without actually changing anything, the search did start at that point! I looked at a few other cmdlets, and I found the start-mailboxsearch. So I issued:
    start-MailboxSearch -Identity "User1"
    But that comes back with "Unable to execute the task. Reason: TargetMailbox is required for copying messages returned by the search." So why am I able to use the EAC eDiscovery portion without having to specify TargetMailbox, but when I use Powershell
    I do have specify it?

    Instead of an in-place hold, one workaround may be to use set-mailbox cmdlet with parameters LitigationHoldEnabled and LitigationHoldDuration .
    This *may* have a  couple advantages:
    1. LitigationHold is the entire account and is binary (it's either on or off),
    2. A New-MailboxSearch on that mailbox can still be done if needed (and assuming the account is on hold, see above),
    3. A MailboxSearch for IPH/eDiscovery can be removed if no longer needed without affecting the account on hold.
    Hope that helps and gives you a creative spark.

  • Base device config storage in Ciscoworks

         Thanks again to all who have assisted in my previous question. We are being asked to find a place within Ciscoworks to store a device config for each of the type devices that we have on our network.
        So we would have 1 config for a 3750, a 2900, 3548's, etc. I was thinking  we can label a config file, without addressing info, hostname, etc., on it and accomplish it that way. I could label one 3750 -12 port, 3750-48 port, etc., and just add the address info to the config when we deploy a config to a new device.
        Is this the best way to do it or is there another way that would work better? We have Ciscoworks LMS 3.2.
    Thanks again for you help.
    Dave Lehmann

    You could use config labeling for this, but the recommended way to accomplish what you describe is with baseline templates.  Go to RME > Config Mgmt > Compliance Mgmt > Template Mgmt.  Create baseline templates for each device type that contains all of the general config commands you want.  You can even add macro substitutions within the templates to be filled in during deployment.  For example:
    + hostname [HOSTNAME]
    + snmp-server community ourReadOnly RO
    + snmp-server community ourReadWrite RW
    + enable secret 5 $1$...
    During deployment, you would be given an opportunity to fill in the value of [HOSTNAME] for each device.  Consult the online context-sensitive help for baseline compliance for more details.

  • Report needed for overall view of update compliancy

    I've been asked to provide a custom report to give an overall status for the update compliancy for the servers in place.
    Have been fiddling about in sql mgmt studio and kind of understand where to get the information from, but am missing something.  so I was hoping someone could point me in the right direction
    I realize that this kind of report might take some querying time, but this is what the customer wants: instead of him going to the builtin report compliance 7 (category sw updates - compliance A) where he has to select a collection AND a baseline AND a compliance
    status, he wants to obtain a list of all server systems being compliant to some server baselines and a list of all server systems being non-compliant to some server baselines
    currently the sqlcode i Have to show the compliant servers, is:
    SELECT
         v_R_System.Name0
    AS Servername,
    v_GS_OPERATING_SYSTEM.Caption0
    AS OS,
    v_ConfigurationItems.CI_ID,
    v_AuthListInfo.Title,
    v_StateNames.TopicType,
                          v_StateNames
    .StateID,
    v_StateNames.StateName
    FROM
             v_ConfigurationItems
    INNER
    JOIN
                          v_AuthListInfo
    ON v_ConfigurationItems.CI_ID
    = v_AuthListInfo.CI_ID
    CROSS
    JOIN
                          v_R_System
    INNER
    JOIN
                          v_GS_OPERATING_SYSTEM
    ON v_R_System.ResourceID
    = v_GS_OPERATING_SYSTEM.ResourceID
    CROSS
    JOIN
                          v_StateNames
    WHERE    
    (v_R_System.Client0
    = 1) 
    AND(v_R_System.Operating_System_Name_and0
    LIKE
    '%server%')
    AND
    (v_AuthListInfo.Title
    LIKE
    '%server%')
    AND(v_StateNames.TopicType
    = 300)
    AND(v_StateNames.StateID
    =
    '1')
    ORDER
    BY Servername
    BUT if I now change the stateid to 2 in the query I get the same amount of rows back (being 134 servers with an sccm client times 4 server update groups)
    so my problem is: how and when do i make the correct join here ?

    I was thinking that it might be better to use the assignmentstate views, and I quickly came up with this alternative:
    SELECT
         v_R_System.Name0
    AS ServerName,
    v_CIAssignment.AssignmentName
    as
    'Deployment Name',
    v_StateNames.StateName
    FROM
             v_AssignmentState_Combined
    INNER
    JOIN
                          v_R_System
    ON v_AssignmentState_Combined.ResourceID
    = v_R_System.ResourceID
    INNER
    JOIN
                          v_FullCollectionMembership
    ON v_R_System.ResourceID
    = v_FullCollectionMembership.ResourceID
    INNER
    JOIN
                          v_CIAssignment
    ON v_AssignmentState_Combined.AssignmentID
    = v_CIAssignment.AssignmentID
    INNER
    JOIN
                          v_StateNames
    ON v_AssignmentState_Combined.StateID
    = v_StateNames.StateID
    WHERE    
    (v_StateNames.TopicType
    = 300)
    AND(v_StateNames.StateID
    = 1
    OR
                          v_StateNames
    .StateID
    = 2)
    AND(v_FullCollectionMembership.CollectionID
    =
    N'D01003FE')
    ORDER
    BY servername
    at first glance this produces what I want, let me check with the customer.
    you guys agree with that or not?

  • LMS 4.2.3 baseline compliance template and standard ACL

    When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
    I configured a template with these commands:
    +ip access-list standard 21
    +; Hosts allowed access
    +  permit host 10.20.30.40
    +  permit host 40.30.20.10
    +  deny any log
    When I do compliance check and deployment, the last line is dropped by LMS.
    In fact, when I look into the job's "Work Order", the commands are:
    ip access-list standard 21
    ; Hosts allowed access
      permit host 10.20.30.40
      permit host 40.30.20.10
    After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
    Is this a bug?

    Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NAJob Policies
    ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
    Job Based Password: DisabledDevice Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working, Can some one show me the 'right path'?
    Thanks
    Soren                 

    Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NAJob Policies
    ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
    Job Based Password: DisabledDevice Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • Software Update Compliance Report in SCCM 2012

    Hi Everyone,
    My question is in sccm 2007 we generate the  compliance report based on update list without downloading the patches just adding the same to update list, However the update list is being replaced by update group in sccm 2012, How can we achieve the same
    in sccm 2012 or do we need to build the custom report if yes please let me know.
    Thanks In Advanced
    ashu Maheshwari

    Because of the retrograde reporting for WSUS data in SCCM, I have the "send info to WSUS" checked on the SUP so I can view data in the old WSUS console. By comparing what computers need how many patches and using the reports in SCCM, you can see massive
    discrepancies in both how many computers need patches and how many patches each computer needs. For example, WSUS will say ComputerA needs 10 patches and SCCM will say it needs 6, or whatever. As far as these two points go, WSUS is far more accurate. 
    I first noticed this months ago.
    I think this is not a matter of how the SCCM queries are written, but because SCCM is far more flaky than WSUS. To me, WSUS is like a good reliable run of the mile car and SCCM is like a race car--powerful but finicky and persnickety. It's harder to get
    clients to fully check in with SCCM. SCCM can do lots but my biggest gripes with it are:
    1) Clients especially flaky and persnickety, one tiny thing gets out of whack and it won't work
    2) WSUS is far more accurate in reporting what patches are needed
    3) For WSUS reporting, they took a lot of WSUS-related/patch reporting out of SCCM, towit you can't get the info you used to be able to get without writing a custom report. This is why you can easily find code samples on the net. And along that point I still
    can't get report builder to work and I don't have another report tool available to me. I know the SQL code samples I have work because I can run the queries in Mgmt Studio.
    Ben JohnsonWY

  • Issue in Positive Time Mgmt

    Dear SAP - HR Experts .
    In My Client side , they want to shift for Positive Time Mgmt (want to capture actual times).
    They Usually run payroll on 25th day of every month .
    if they implement Positive Time in Company then they will have Time Evaluation up to 25th of the month .
    Suppose if a employee took two days absences from durring the period of 26th to 31st Jan . but we have Time Evaluation up to 25th day only and we run payroll for Jan upto 1st to 31st .
    in that case Employee will recieve complete salary , while in actaul scenrio he was absent for 2 days .
    so client have some quries about this situation ...
    Q 1 : How his salary will deduct and recover the absence of 2 days  ?
    Q 2 : How we have to run  Time Evaluation from 26th  to 31th day of Jan .
    Q 3 : what changes are required in PA03 and PU03 ?
    Regards : rajneesh
    Edited by: Rajneesh Kumar on Feb 13, 2009 8:53 AM

    Hi Rajneesh,
    Time evaluation period can vary from the payroll periods. You can run the payroll from first of the month till last day and Time evaluation from 26th of previous month till 25th of current month. In this situation employee will be paid for the whole month by the payroll and it will not take into account the absences/sick etc that took place after 25th of the month till the month end.
    Later when you do Time evaluation during the following month system will capture those 2 days (as you mentioned) sick/absence took place after 25th of current month and it will deduct the amounts from the Payroll of the following month. But it will not deduct from the current month as the Time evaluation was only done till 25th of the month.
    It doenst need any changes in PA03 / PU03
    Hope this clarifies your query.
    Thanks,
    Tara

  • ADA 508 Compliance Workflow Overview (tab key for navigation / WebAim Toolbar)

    Hi,
      I've been assigned to update interactive training for a State agency..... with of course, an emphasis on ADA / 508 compliance.
    So, before I pinpoint my two questions/scenarios, here is a basic, initial attempt at providing an overview of ADA compliance workflow in Captivate and beyond. 
    PS - useful Captivate forum urls are at the end of this post. I'm using Captivate v.6
    ADA Compliance Workflow Overview:
    1. All assets need an alt tag and conceivably a description > highlight the asset, like a pic, and click the Accessibility button under Properties.
    2. Create slide notes for each slide > load slide, highlight no assets and click the Accessibility tab under Properties. Copy and paste your notes > for screen readers.
    3. Need closed captioning for video/audio content > I use Camtasia for CC and will use the JW player for screen reader of video content.
    4. Interactivity needs to be accessible via the tab and enter keys.
    What else am I missing?
    Question 1
    My question targets how to get the enter key to initiate after a successful tab. To be clearer.... I hit tab and I can navigate through all the buttons in the correct order, but hitting enter provides no action. I am gettining the yellow highlights around buttons when I tab through. Everything works very well when using the mouse, but blind users don't use mice.
    I did create my own animation buttons in Flash and imported them in as animations. I then placed a Click Box behind the button animation to engage the rollover action. Could this be causing problems? The prebuilt (and clunky looking) buttons on the quizzes do work (ie) tabbing to them and hitting enter provides effective navigation.
    I'm opting not to use the playback control skin, only my Flash nav bar.
    Question 2 (Scenario 2)
    I have downloaded the WebAim Toolbar feature designed for FireFox, used to check ADA compliance issues.
    I am getting this error message:
    A frame does not have a title attribute or value. Okay... I bet I can fix this via the .html file or via the standard.js file??
    and these warnings:
    Alert: Javascript in head - A javascript element is present in the page head section.
    Alert: Flash - A Flash object is present.
    Does anyone know if these alerts are worth fixing?
    Obviously Captivate is going to pump out, or rather publish... javascript elements, but is this bad in the page head section?
    And..... of course a Flash object is present...Captivate produces Flash / Shockwave files.
    I'll obviously ask the programmers at WebAim for guidance as well. As always any help would be appreciated and Tanks in advance.
    http://forums.adobe.com/message/117985#117985
    http://gneil.blogspot.com/2008/09/target-6-million-settlement-is-your.html
    http://kb2.adobe.com/cps/403/kb403160.html
    http://forums.adobe.com/message/3515968#3515968
    Screen grabs are attached.
    Thanks, Calif Dreamin'

    Hi,
      Attached is my zipped project file. I did create my own buttons in Flash - this might be the problem. I have only been problem solving with navigation on the first four slides.
      To clarify, hitting the Enter key does engage navigation, however I’m having difficulty controlling the navigation so that it goes to the correct location.
      I’m using Captivate v.6 / publishing SCORM 1.2 / Using IE to deliver via the SyberWorks LMS.
    Here is question 1:
    Question 1
    My question targets how to get the enter key to initiate after a successful tab. To be clearer.... I hit tab and I can navigate through all the buttons in the correct order, but hitting enter provides no action. I am getting the yellow highlights around buttons when I tab through. Everything works very well when using the mouse, but blind users don't use mice.
    I did create my own animation buttons in Flash and imported them in as animations. I then placed a Click Box behind the button animation to engage the rollover action. Could this be causing problems? The prebuilt (and clunky looking) buttons on the quizzes do work (ie) tabbing to them and hitting enter provides effective navigation.
    I'm opting not to use the playback control skin, only my Flash nav bar.
    Thanks for reaching out!!
    Thanks,
    Bill Farrell  (aka Calif Dreamin’)

  • Update showing up in "Compliance 5 - Specific Computer" Report even after removing the update from the Software Update before creating Group and Package

    So I've created a Software Update Group and I did NOT want anything in there dealing with Internet Explorer 11 since the organization is currently stuck at using 10 as the highest. So I made sure that Internet Explorer was NOT in the list and then I deployed
    the package. 
    After running my Overall Compliance report it shows that the systems are compliant, but when I view the "Compliance 5 - Specific Computer" I see that "Internet Explorer 11 for Windows 7 for x64-based Systems" is listed in the report. 
    This is just a testing phase right now and I have not created a WSUS like Domain level GPO. I understand that the SCCM client creates a local policy on the clients for the location of the Software Update Point (Specify
    Intranet Microsoft update service location), but the "Configure Automatic Updates" policy is set to Not Configured, which it looks like when this
    is set, the "Install updates automatically (recommended)" at 3AM is the default. 
    Is the reason why the "Internet Explorer 11 for Windows 7 for x64-based Systems" update is showing up in the list due to the fact that the "Configure
    Automatic Updates" policy is set to Not Configured
    and therefore it is still reaching out to check Windows Update online? 
    So, if I do create a Domain level GPO to Disable the "Configure
    Automatic Updates" policy, then the "Internet Explorer 11 for Windows 7 for x64-based Systems" update would not show up in the "Compliance 5 - Specific Computer" report?
    By the way, I have a Software Update Maintenance Window configured for the hours of 1AM-4AM so the 3AM default time falls within this time frame, therefore, I am assuming the SCCM 2012 client will not allow the Windows Update Agent to install the "Internet
    Explorer 11 for Windows 7 for x64-based Systems" update, even though it has detected it is "Required". 
    Thanks

    But, don't you need a Deployment Package in order to deploy the Software Update Group? The Software Update Group uses the downloaded updates contained in the Deployment Package located in, wherever the Package Source is, right?
    One more quick question that you will know right off hand, because, well, you just will I'm sure.
    No. The software update group really has nothing to do with any update packages. The update group assigns updates to clients and in turn clients use update packages to download assign and applicable updates from. There is no connection between the two though
    as the client can download an update from any available update package. Thus, it's more than possible to updates in an update package that are not in any update groups and it is also possible for an update to be in an update group without being in any update
    package.
    If the "Configure Automatic Updates" policy is set to "Not Configured" and since this keeps the 3AM Automatic Updates default, if I was to remove the Software Update Maintenance Window from being between 1AM-4AM, will the WUA agent install updates
    at 3AM, or no because the SCCM 2012 client still manages and oversees it and basically blocks that from occurring?
    No, ConfigMgr does not in any way block the WUA; however, the WUA can only autonomously install updates it downloads directly from WSUS. Thus, since there are no updates approved or downloaded in your WSUS instance, there's nothing for it to download and
    install. If you happen to actually be going into WSUS and approving updates (which you should not be doing as its unsupported), then yes, it actually would install updates -- this is outside of ConfigMgr's control though. Generally, disabling the WUA via a
    GPO is the recommended to prevent any accidental installations or reboots (as the WUA wil also check for initiate pending reboots outside of ConfigMgr).
    Lots more info in these two blog posts:
    - http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
    - http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
    Jason | http://blog.configmgrftw.com

Maybe you are looking for