How to create collections in Configuration Manager

Applies to: Configuration Manager (current branch)

Collections are groupings of users or devices. Use collections for tasks like managing applications, deploying compliance settings, or installing software updates. You can also use collections to manage groups of client settings or use them with role-based administration to specify the resources that an administrative user can access. Configuration Manager contains several built-in collections. For more information, see Introduction to collections.

Note

A collection can contain users or devices, but not both.

The information in this article can help you create collections in Configuration Manager. You can also import collections that were created at the current Configuration Manager site or at another one. For more information about how to export and import collections, see How to manage collections.

Collection rules

There are different types of rules that you can use to configure the members of a collection in Configuration Manager.

Direct rule

Use direct rules to choose the users or computers that you want to add to a collection. The membership doesn't change unless you remove a resource from Configuration Manager. Before you can add the resources to a direct rule collection, Configuration Manager must have discovered them or you must have imported them. Direct rule collections have more administrative overhead than query rule collections because they require manual changes.

Query rule

Dynamically update the membership of a collection based on a query that Configuration Manager runs on a schedule. For example, you can create a collection of users that are a member of the Human Resources organizational unit in Active Directory Domain Services. This collection is automatically updated when new users are added to or removed from the Human Resources organizational unit.

For example queries that you can use to build collections, see How to create queries.

Device category rule

You can make management of your devices easier by associating device categories with the device collections.

For more information, see Automatically categorize devices into collections.

Include collection rule

Include the members of another collection in a Configuration Manager collection. If the included collection changes, Configuration Manager updates the membership of the current collection on a schedule.

You can add multiple include collection rules to a collection.

Exclude collection rule

Exclude collection rules let you exclude the members of one collection from another Configuration Manager collection. If the excluded collection changes, Configuration Manager updates the membership of the current collection on a schedule.

You can add multiple exclude collection rules to a collection. If a collection includes both include collection and exclude collection rules and there's a conflict, the exclude collection rule takes priority.

Example of an exclude collection rule

You create a collection that has one include collection rule and one exclude collection rule. The include collection rule is for a collection of Dell desktops. The exclude collection is for a collection of computers that have less than 4 GB of RAM. The new collection contains Dell desktops that have at least 4 GB of RAM.

Create a collection

  1. In the Configuration Manager console, go to the Assets and Compliance workspace.

    • To create a device collection, select the Device Collections node. Then, on the Home tab of the ribbon, in the Create group, select Create Device Collection.

    • To create a user collection, select the User Collections node. Then, on the Home tab of the ribbon, in the Create group, select Create User Collection.

  2. On the General page of the wizard, provide a Name and a Comment. In the Limiting collection section, select Browse, and then select a limiting collection. The collection you're creating will contain only members from the limiting collection.

  3. On the Membership Rules page, in the Add Rule list, select the type of membership rule that you want to use for the collection. You can configure multiple rules for each collection. The configuration for each rule varies. For more information on configuring each rule, see the following sections of this article:

  4. Also on the Membership Rules page, review the following settings.

    • Use incremental updates for this collection: Select this option to periodically scan for and update only new or changed resources from the previous collection evaluation. This process is independent of a full collection evaluation. By default, incremental updates occur at 5-minute intervals.

      Important

      Collections with query rules that use the following classes don't support incremental updates:

      • SMS_G_System_CollectedFile
      • SMS_G_System_LastSoftwareScan
      • SMS_G_System_AppClientState
      • SMS_G_System_DCMDeploymentState
      • SMS_G_System_DCMDeploymentErrorAssetDetails
      • SMS_G_System_DCMDeploymentCompliantAssetDetails
      • SMS_G_System_DCMDeploymentNonCompliantAssetDetails
      • SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections of users only)
      • SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for collections of users only)
      • SMS_G_System_SoftwareUsageData
      • SMS_G_System_CI_ComplianceState
      • SMS_G_System_EndpointProtectionStatus
      • SMS_GH_System_*
      • SMS_GEH_System_*
    • Schedule a full update on this collection: Schedule a regular full evaluation of the collection membership.

      • When you disable this setting, the site clears the schedule. This change from previous behavior makes sure that the site doesn't continue to evaluate the query. To stop the site evaluating a collection on a schedule, disable this option.

      • You can't disable the evaluation of built-in collections like All Systems, but you can configure the schedule. This behavior allows you to customize this action at a time that meets your requirements.

        Tip

        On built-in collections, only change the Time of the custom schedule. Don't change the Recurrence pattern. Future versions of Configuration Manager might enforce a specific recurrence pattern.

  5. Complete the wizard to create the new collection. The new collection is displayed in the Device Collections node of the Assets and Compliance workspace.

Note

To see new collection members, refresh or reload the Configuration Manager console. They don't appear in the collection until after the first scheduled update. You can also manually select Update Membership for the collection. It might take a few minutes for a collection update to complete.
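
An added example, not part of the original article: a PowerShell check that lists collections with incremental updates enabled whose query rules reference one of the unsupported classes listed in step 4. The function names and the sample collections are constructed for illustration; the `RefreshType` values (2 for a scheduled full update, 4 for incremental updates, 6 for both) follow the `SMS_Collection` WMI class.

```powershell
# Class patterns copied from the list in this article; '*' is a wildcard.
$UnsupportedPatterns = @(
    'SMS_G_System_CollectedFile', 'SMS_G_System_LastSoftwareScan',
    'SMS_G_System_AppClientState', 'SMS_G_System_DCMDeploymentState',
    'SMS_G_System_DCMDeploymentErrorAssetDetails',
    'SMS_G_System_DCMDeploymentCompliantAssetDetails',
    'SMS_G_System_DCMDeploymentNonCompliantAssetDetails',
    'SMS_G_User_DCMDeploymentCompliantAssetDetails',
    'SMS_G_User_DCMDeploymentNonCompliantAssetDetails',
    'SMS_G_System_SoftwareUsageData', 'SMS_G_System_CI_ComplianceState',
    'SMS_G_System_EndpointProtectionStatus',
    'SMS_GH_System_*', 'SMS_GEH_System_*'
)

function Get-UnsupportedIncrementalClass {
    # Hypothetical helper: returns the classes named in a WQL query
    # expression that match the unsupported list.
    param([Parameter(Mandatory)][string]$QueryExpression)
    $found = [regex]::Matches($QueryExpression, '(?i)\bSMS_\w+') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($class in $found) {
        foreach ($pattern in $UnsupportedPatterns) {
            if ($class -like $pattern) { $class; break }
        }
    }
}

function Test-IncrementalUpdateSupport {
    # Hypothetical helper: one output row per collection that has incremental
    # updates enabled and a query rule using an unsupported class.
    param([Parameter(Mandatory)][object[]]$Collection)
    foreach ($c in $Collection) {
        if (-not ($c.RefreshType -band 4)) { continue }   # incremental updates off
        $hits = @($c.Queries |
            ForEach-Object { Get-UnsupportedIncrementalClass $_ } |
            Sort-Object -Unique)
        if ($hits.Count) {
            [pscustomobject]@{
                Collection         = $c.Name
                UnsupportedClasses = ($hits -join ', ')
            }
        }
    }
}

# Constructed sample data standing in for collections read from a site.
$join = 'select SMS_R_System.ResourceId from SMS_R_System inner join {0} ' +
        'on {0}.ResourceID = SMS_R_System.ResourceId where {0}.{1}'
$collections = @(
    [pscustomobject]@{ Name = 'Dell desktops'; RefreshType = 6
        Queries = @($join -f 'SMS_G_System_COMPUTER_SYSTEM', 'Manufacturer like "Dell%"') }
    [pscustomobject]@{ Name = 'Endpoint protection at risk'; RefreshType = 6
        Queries = @($join -f 'SMS_G_System_EndpointProtectionStatus', 'AtRisk = 1') }
    [pscustomobject]@{ Name = 'Software history (scheduled only)'; RefreshType = 2
        Queries = @($join -f 'SMS_GH_System_ADD_REMOVE_PROGRAMS', 'DisplayName like "%VPN%"') }
)

# Only the second collection is reported: the first uses a supported class,
# the third does not have incremental updates enabled.
Test-IncrementalUpdateSupport -Collection $collections | Format-Table -AutoSize
```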

Configure a direct rule

  1. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information:

    • Resource class: Select the type of resource you want to search for and add to the collection. For example:

      • System Resource: Search for inventory data returned from client computers.
      • Unknown Computer: Select from values returned by unknown computers.
      • User Resource: Search for user information collected by Configuration Manager.
      • User Group Resource: Search for user group information collected by Configuration Manager.
    • Attribute name: Select the attribute associated with the selected resource class that you want to search for. For example:

      • If you want to select computers by their NetBIOS name, select System Resource in the Resource class list and NetBIOS name in the Attribute name list.

      • If you want to select users by their organizational unit (OU) name, select User Resource in the Resource class list and User OU Name in the Attribute name list.

    • Exclude resources marked as obsolete: If a client computer is marked as obsolete, don't include this value in the search results.

    • Exclude resources that do not have the Configuration Manager client installed: These resources won't be displayed in the search results.

    • Value: Enter a value to search the selected attribute name. Use the percent character (%) as a wildcard. For example:

      • To search for computers that have a NetBIOS name beginning with M, enter M% in this field.

      • To search for users in the Contoso OU, enter Contoso in this field.

  2. On the Select Resources page, select the resources that you want to add to the collection in the Resources list, and then select Next.

Configure a query rule

In the Query Rule Properties dialog box, specify the following information.

  • Name: Specify a unique name for the query.

  • Import Query Statement: Opens the Browse Query dialog box. Select a Configuration Manager query to use as the query rule for the collection.

  • Resource class: Select the type of resource you want to search for and add to the collection. Select a value from System Resource to search for inventory data returned from client computers or from Unknown Computer to select from values returned by unknown computers.

  • Edit Query Statement: Opens the Query Statement Properties dialog box, where you can write a query to use as the rule for the collection. For more information about queries, see Introduction to queries.

    Tip

    On the General tab, if you select the option to Omit duplicate rows (select distinct), it may result in fewer rows returned but potentially quicker results.

Device category rule

The following actions are available in the Select Device Categories window.

  • Create: Specify a name to create a new category.
  • Rename: Rename the selected category.
  • Delete: Select one or more categories, and use this action to remove them from the list.

For more information, see Automatically categorize devices into collections.

Configure an include collection rule

In the Select Collections dialog box, select the collections you want to include in the new collection, and then select OK.

Configure an exclude collection rule

In the Select Collections dialog box, select the collections you want to exclude from the new collection, and then select OK.

Import a collection

When you export a collection from a site, Configuration Manager saves it as a Managed Object Format (MOF) file. Use this procedure to import that file into your site database. To complete this procedure, you need Create permissions on the collections class.

Important

Make sure the MOF file contains only collection data, is from a trusted source, and hasn't been tampered with.

Also make sure to export the file from a site that's the same version of Configuration Manager as the import site.

For more information about exporting collections, see How to manage collections.

  1. In the Configuration Manager console, go to the Assets and Compliance workspace. Select either the User Collections or the Device Collections node.

  2. On the Home tab of the ribbon, in the Create group, select Import Collections.

  3. On the General page of the Import Collections Wizard, select Next.

  4. On the MOF File Name page, select Browse. Browse to the MOF file that contains the collection information you want to import.

  5. Complete the wizard to import the collection. The new collection is displayed in the User Collections or Device Collections node of the Assets and Compliance workspace. Refresh or reload the Configuration Manager console to see the collection members for the newly imported collection.
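
One way to run the checks from the Important note before starting the import, as an added example that is not part of the original article. `Test-CollectionMof` is a hypothetical helper, the sample MOF is constructed, and the allow-list of classes expected in a collection export is an assumption to adjust against your own exports.

```powershell
function Test-CollectionMof {
    param(
        [Parameter(Mandatory)][string]$Path,
        # SHA-256 of the file as published by the exporter, obtained out of band.
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Assumption: classes expected in a collection export.
        [string[]]$AllowedClass = @('SMS_Collection', 'SMS_CollectionRule*', 'SMS_ST_*')
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Tamper check: the file must match the hash the exporter published.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { $problems.Add("SHA-256 mismatch: got $actual") }

    # Content check on the raw text. Comments and strings are scanned too, so
    # the check fails closed and a person reviews anything it reports.
    $text = Get-Content -LiteralPath $Path -Raw
    foreach ($m in [regex]::Matches($text, '(?i)#pragma\s+\w+')) {
        $problems.Add("Compiler directive: $($m.Value)")
    }
    foreach ($m in [regex]::Matches($text, '(?i)\bclass\s+(\w+)\s*[:{]')) {
        $problems.Add("Class definition: $($m.Groups[1].Value)")
    }
    $instances = [regex]::Matches($text, '(?i)\binstance\s+of\s+(\w+)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
    foreach ($class in $instances) {
        if (-not ($AllowedClass | Where-Object { $class -like $_ })) {
            $problems.Add("Unexpected instance of $class")
        }
    }
    if (-not $instances) { $problems.Add('No instance declarations found') }
    [pscustomobject]@{ Passed = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed, simplified sample export written to a temp file for the demo.
$mof = @'
// ***** Class : SMS_Collection *****
instance of SMS_Collection
{
    Name = "Dell desktops";
    CollectionRules = {
instance of SMS_CollectionRuleQuery
{
    RuleName = "Dell";
    QueryExpression = "select * from SMS_R_System";
}};
};
'@
$path = Join-Path ([IO.Path]::GetTempPath()) 'collection-sample.mof'
Set-Content -LiteralPath $path -Value $mof -Encoding UTF8
# For the demo only: in practice the expected hash comes from the exporter.
$expected = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
Test-CollectionMof -Path $path -ExpectedSha256 $expected    # passes

# Simulated tampering: an appended instance of a class that is not collection data.
Add-Content -LiteralPath $path -Value 'instance of Contoso_Unexpected { Name = "x"; };'
Test-CollectionMof -Path $path -ExpectedSha256 $expected    # fails both checks
Remove-Item -LiteralPath $path
```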

Use PowerShell

You can use PowerShell to create and import collections. For more information, see the following cmdlet articles:

Synchronize members to Azure AD groups

Tip

This feature was first introduced in version 1906 as a pre-release feature. Beginning with version 2002, it's no longer a pre-release feature.

You can enable the synchronization of collection memberships to an Azure Active Directory (Azure AD) group. This synchronization allows you to use your existing on-premises grouping rules in the cloud by creating Azure AD group memberships based on collection membership results. You can synchronize device or user collections. Only resources with an Azure AD record are reflected in the Azure AD group. Both hybrid Azure AD-joined and Azure AD-joined devices are supported.

The Azure AD synchronization happens every five minutes. It's a one-way process from Configuration Manager to Azure AD. Changes made in Azure AD aren't reflected in Configuration Manager collections, but aren't overwritten by Configuration Manager. For example, if the Configuration Manager collection has two devices, and the Azure AD group has three different devices, after synchronization the Azure AD group has five devices.

Prerequisites for Azure AD synchronization

Create a group and set the owner in Azure AD

  1. Sign in to the Azure portal.

  2. Navigate to Azure Active Directory > Groups > All groups.

  3. Select New group, enter a Group name, and optionally enter a Group description.

  4. Make sure that Membership type is Assigned.

  5. Select Owners, then add the identity that will create the synchronization relationship in Configuration Manager.

  6. Select Create to finish creating the Azure AD group.

Enable collection synchronization for the Azure service

  1. In the Configuration Manager console, go to the Administration workspace. Expand Cloud Services, and select the Azure Services node.

  2. Select the cloud management service for the Azure AD tenant where you created the group. Then in the ribbon, select Properties.

  3. Switch to the Collection Synchronization tab, and select the option to Enable Azure Directory Group Sync.

  4. Select OK to save the setting.

Enable the collection to synchronize

  1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select either the Device Collections or User Collections node.

  2. Select the collection to sync. Then in the ribbon, select Properties.

  3. Switch to the Cloud Sync tab, and select Add.

  4. If necessary, change the Tenant to where you created the Azure AD group.

  5. Type in your search criteria in the Name starts with field, then select Search. If you leave the criteria blank, the search returns all groups from the tenant. If it prompts you to sign in, use the identity you specified as the owner for the Azure AD group.

  6. Choose the target group, and then select OK to add the group. Select OK again to exit the collection's properties.

Wait about five to seven minutes before you can verify the group memberships in the Azure portal. To start a full synchronization, select the collection, and then in the ribbon select Synchronize Membership.

Verify the Azure AD group membership

  1. Go to the Azure portal.

  2. Navigate to Azure Active Directory > Groups > All groups.

  3. Find the group you created and select Members.

  4. Confirm that the members reflect the resources in the Configuration Manager collection. Only resources with Azure AD identity show in the group.

Synchronize a collection to Azure AD

Next steps

Manage collections