FIX Issues with SCCM RBAC Clear Required PXE Deployments Options. Clear Required PXE Deployments is a regularly used option in SCCM / ConfigMgr.
What I recently found is that Operating System Deployment Managers (default security role) are not able to perform the above-mentioned function by right-clicking on a device.
FIX Issues with SCCM RBAC Clear Required PXE Deployments Options
Full Administrators won’t face this issue. The clear PXE option is available in SP1 beta. I’m not able to replicate this issue in the Service Pack 1 version of ConfigMgr 2012.
The Clear Required PXE deployment option is available in the ribbon menu. However, this will clear the required PXE boot deployments of all the members assigned to this site in this collection.
The members NOT assigned to this site will not be affected. So basically, it’s collection-based clear PXE deployments and we don’t normally use this option because it will clear the PXE for all the members of that collection.
I’ve done some analysis on this. Following are steps that you need to follow to get this option available for Operating System Deployment Managers or any other security roles.
1. The security role should have “Modify Resource” access on Collection. Collection –-> Modify Resource –> Yes.
Administrative User/s (for e.g Operating System Deployment Manager) should be part of “All Systems” and “All Users and User Groups” collections irrespective of Security Scopes.
Note:: If you remove any of those (above mentioned) collections from the administrative user then the option to clear the PXE will get removed. Providing modify access to “All Systems” and “All Users and User Groups” is not a good idea.
The workaround for this issue is to create a separate collection for PXE clear devices. If you want to clear the PXE advert of a device then move that device into that collection and then do “Clear Required PXE Deployments”. This collection would act as a temporary holding place for the device/s which we need to clear PXE adverts. I know there is slightly more administrative work involved in this method. However, it is better than providing “modify resource” access to all the systems and users.
No need for much worry, as I can see this issue is not there in System Center 2012 Configuration Manager SP1 version (beta).
To know more about other issues we normally face during RBA implementation and How to fine-tune RBA in your organization, you can go through my posts – Post 1 and FIX Default Client Settings Issue With SCCM Security Role Infra Admin HTMD Blog (anoopcnair.com)
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…