Recommended Practices


Remove Retired Devices

Why remove stale devices? Removing them keeps management effort focused on devices that actually require management, and it gives you an accurate picture of your environment instead of one cluttered with records for hardware that no longer exists.

ConfigMgr removes stale data automatically, but how long that takes depends on the type of data. Inactive Client discovery data (the computer object still exists in AD) is deleted after 180 days, while Obsolete Client discovery data (the computer object has been removed from AD) is deleted after 30 days. For better hygiene, delete the host from AD manually; its record then falls under Obsolete Client discovery data and is purged after 30 days. For immediate removal, delete the host(s) from AD first and then from ConfigMgr. Do it in that order: if the AD object is left behind, AD System Discovery will recreate the device record in ConfigMgr on its next run.
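The "AD first, then ConfigMgr" removal described above, as an added PowerShell example that is not part of the original page. It assumes the ConfigMgr console (which installs the ConfigurationManager PowerShell module) and the RSAT ActiveDirectory module are present on the admin workstation; the site code XYZ and the hostnames in $Retired are placeholders. Nothing is deleted unless the script is run with -Commit.

```powershell
<#
Added example (not the page's own code): retire a list of hosts by deleting the
computer object from Active Directory first and the device record from
ConfigMgr second. Site code 'XYZ' and the hostnames are placeholders.
#>
param(
    [string]$SiteCode = 'XYZ',                          # placeholder site code
    [string[]]$Retired = @('LAB-PC-01', 'LAB-PC-02'),   # constructed sample list
    [switch]$Commit                                     # dry run without this
)

Import-Module ActiveDirectory
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"    # the CM cmdlets only work from the site drive

$mode = if ($Commit) { 'removed' } else { 'would remove (dry run)' }

foreach ($name in $Retired) {
    # 1. AD first. If the AD object is left behind, AD System Discovery simply
    #    re-creates the ConfigMgr record on its next run.
    $adComputer = Get-ADComputer -Filter { Name -eq $name } -ErrorAction SilentlyContinue
    if ($adComputer) {
        if ($Commit) { Remove-ADComputer -Identity $adComputer -Confirm:$false }
        Write-Host "AD        $name : $mode"
    } else {
        Write-Host "AD        $name : not found (already gone)"
    }

    # 2. Then the ConfigMgr device record, so the stale entry disappears now
    #    instead of after the obsolete-data purge.
    $device = Get-CMDevice -Name $name
    if ($device) {
        if ($Commit) { Remove-CMDevice -InputObject $device -Force }
        Write-Host "ConfigMgr $name : $mode"
    } else {
        Write-Host "ConfigMgr $name : not found"
    }
}

Pop-Location
```

Run it once without -Commit and read the output before committing. Remove-ADComputer refuses to delete a computer object that has child objects (BitLocker recovery information is stored as a child object, for example); for those hosts use Remove-ADObject -Recursive on the object after confirming the recovery keys are no longer needed.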

OU Discovery Exclusion

Devices that will never have a Configuration Manager client but exist as objects in an Active Directory OU are still discovered and appear in the "Non-client Discovered Windows Devices" collection. To keep them out, request an OU discovery exclusion from the EPM core team; one or more OUs can be excluded. These exclusions "reduce the noise" when you are trying to track down systems that should have a client but are missing it.

This is not the same as an ISO exception: excluding an OU from Configuration Manager discovery does not grant an ISO exception to any object in that OU.

Collections

Collection membership refreshes are a heavy process on site server resources, and the cost scales with the number of collections that are re-evaluated on a schedule.

If a collection's membership does not need to be re-evaluated, remove the evaluation schedule by clearing both "Schedule a full update on this collection" and "Use incremental updates for this collection" on the collection's Membership Rules tab. Confirm that the interval is actually cleared, as in the before and after screenshots.

(Before / After screenshots of the Membership Rules tab)
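Finding every custom collection that still has a scheduled full update, and switching it to manual refresh, as an added PowerShell example that is not part of the original page. It assumes the ConfigMgr console module is installed; the site code XYZ is a placeholder. RefreshType is the flag ConfigMgr stores on the collection object: 1 = Manual, 2 = Periodic (scheduled full update), 4 = Incremental, 6 = Periodic and Incremental.

```powershell
<#
Added example (not the page's own code): report device collections with a
scheduled full update and, with -Commit, set them to manual refresh, which
clears both the schedule and incremental updates. Site code 'XYZ' is a placeholder.
#>
param(
    [string]$SiteCode = 'XYZ',   # placeholder site code
    [switch]$Commit              # dry run without this
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"

# Built-in collections (IDs starting with SMS) are left alone; only custom
# collections whose RefreshType has the Periodic bit (2) set are reported.
$periodic = @(Get-CMDeviceCollection |
    Where-Object { ($_.RefreshType -band 2) -and ($_.CollectionID -notlike 'SMS*') })

foreach ($col in $periodic) {
    Write-Host ("{0,-45} {1}  RefreshType={2}" -f $col.Name, $col.CollectionID, $col.RefreshType)
    if ($Commit) {
        # Manual removes the schedule and incremental updates in one step.
        Set-CMCollection -InputObject $col -RefreshType Manual
    }
}

$suffix = if ($Commit) { 'set to Manual' } else { 'found (dry run, re-run with -Commit to change)' }
Write-Host "$($periodic.Count) collection(s) with a scheduled full update $suffix"

Pop-Location
```

Review the dry-run list before committing: a collection that is the target of an ongoing deployment, or that new machines must fall into automatically, still needs a refresh (usually incremental is enough) and should be skipped rather than set to Manual.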


Deployments

Delete any deployments that are no longer in use.

For example, a test deployment that you created and ran, and that has now completed, can be deleted.

ADRs

Do not create Automatic Deployment Rules that download updates EPM already downloads; use the workflow already in place for those updates instead, such as the "3rd Party - Include" collection. See Windows and Application Patching for the list of Microsoft products covered, and 3rd Party Updates List for third-party products.

Admin Accounts

Administrative accounts must be managed accounts that are kept separate from personal use, i.e. not tied to a personal EID, which is typically used for email, web browsing and other productivity tasks.

Establish lifecycle management for administrative accounts: have a documented process for disabling or deleting an administrative account when the admin leaves, or leaves their administrative position.

Quantity

For business continuity and resiliency, each CSU should have two admins. Beyond that, limit the number of admin accounts to people who need the access for their job tasks, both to keep the accounts manageable and to reduce the risk that comes with each additional privileged account.

Workstation Security

Install the MECM console on a virtual machine or on a separate physical workstation that is not used for day-to-day activities such as internet browsing and email, so that a compromise of the everyday workstation does not expose the console session and its credentials.
