I’m in the process of installing Forefront Endpoint Protection and wanted to look at some of the collection queries that was created… but with the ConfigMgr console you cant view them…

So Powershell it is.

Did a function that you can use on any collection (with subcollections) to view the WQL.

Import-Module SCCM\SCCM-Functions -Force
Function Get-CollectionRules {
        PARAM (
                $parentCollection,
                $spacer,
                $sccm
        )

        $subCollections = Get-SCCMSubCollections -SccmServer $sccm -CollectionID $parentCollection

        if ($subCollections -ne $null) {
                $subCollections | ForEach-Object {
                        $collection = Get-SCCMCollection -Filter "CollectionID='$($_.subCollectionID)'" -SccmServer $sccm
                        Write-Host "$($spacer) Name: " -ForegroundColor Yellow -NoNewline
                        Write-Host "$($collection.CollectionID) - $($collection.Name)"

                        $collectionRule = (Get-SCCMCollectionRules -SccmServer ( Connect-SCCMServer ) -CollectionID $collection.CollectionID)
                        if ($collectionRule -ne $null) {
                                Write-Host "$($spacer)Limit: " -ForegroundColor Yellow -NoNewline
                                if ($collectionRule.LimitToCollectionID.Length -gt 0) {
                                        Write-Host "$($collectionRule.LimitToCollectionID)" -ForegroundColor White
                                } else {
                                        Write-Host "" -ForegroundColor Gray
                                }

                                Write-Host "$($spacer)  WQL: " -ForegroundColor Yellow -NoNewline
                                Write-Host "$($collectionRule.QueryExpression)"
                        } else {
                                Write-Host "$($spacer)" -ForegroundColor Gray
                        }
                        Write-Host ""

                        Get-CollectionRules -parentCollection $_.subCollectionID -spacer "   $($spacer)" -sccm $sccm
                }
        }
}

Get-CollectionRules -parentCollection "XYZ00123" -spacer "" -sccm (Connect-SCCMServer)

A small warning: It will loop all of the subcollections, and the subcollections subcollections, and so on…

If you want to enforce users to use a specific screensaver you can do most of it via standard group policies. But if you run Windows 7 and a user changes the current theme… the screensaver will be blank until the next group policy refresh.
This is due to that the default .theme-files have no screensaver defined.

With Group Policy Preferences you can change this…

First we need to change the current ACL on the themes directories since SYSTEM cant write there.

Edit or create a Group Policy.
Browse to Computer Configuration – Windows Settings – Security Settings – File System
Right Click and select Add File… then write %SystemRoot%\Resources\Themes in the Folder-box.
Set the security rights as you want them, but remember to give SYSTEM the rights to Modify.
In the dialog “Add Object” that pops up when you press OK, select Replace existing permissions on all suboflders and files with inheritable permissions, this option is not selected as a default.
Repeat that for %SystemRoot%\Resources\Ease of Access Themes directory.

Then browse to Computer Configuration – Preferences – Windows Settings – Ini Files
Right Click and select New – Ini File
Give the following options:

(I would recommend that you set a item level targeting to check that the file exist)

Now to the boring part, repeat that for all Theme-files in the directories %SystemRoot%\Resources\Themes and %SystemRoot%\Resources\Ease of Access Themes

If there is something else you want to change you can find loads of options for themes in this reference http://msdn.microsoft.com/en-us/library/bb773190%28v=vs.85%29.aspx