Application approval in SCCM 1810 and beyond is a game changer

Application approval in the latest version of Configuration Manager 1806/1810 has gotten a lot of love! It's one of the biggest changes to application deployment in many years. It still needs some finishing touches, but it's well worth it to try it out and start using it.

Application approval per email is a great feature, but the thing I'm thinking of is the fact we can right now install and uninstall applications without using collections with or without Active Directory (AD) group queries to populate them, and that's big! I'm someone who always creates two collections per application: one for the install and one for the uninstall. That's a lot of collections, and collection evaluation is expensive from a performance perspective.

How does this work then? You approve an application by using PowerShell, for example, as this serves for automation primarily. You deny the already approved request, which then automatically uninstalls the application. This is really cool, but wait, it takes around 15 seconds in my environment before the installation or uninstallation starts! No more "SMS" (Slow Moving Software) as someone called it back in the SMS days. It is lightning fast.

There is a blog post on TechCommunity by the product group. It contains more information about the source of my sample PowerShell script as well.

To start with, we configure the setting available in the Software Center under Hide Unapproved Applications. This primarily serves for use with an in-house app store, for example, and in this scenario we don't want the users to see all the unapproved apps, which should be all of them if this should work. If we use the Powershell script in the next section to set an additional flag on the deployment of the application, hiding unapproved apps is not needed. The end user will not see them anyway before they are approved.

Software Center setting

Software Center setting

I have focused my testing around computer-based deployment, and to get this to work, we need to create the application deployment with PowerShell, as the option required is not available in the UI yet. For machine-based preapproved requests to work, you must also enable the Approve application requests for users per device feature.

In this example, I will use 7-Zip 16.04 and 7-Zip 18.06; I have superseded 7-Zip 16.04 with 7-Zip 18.06 to test that as well. To deploy them so I can approve the application for all users on the computers, we run the following PowerShell commands to deploy both versions to all users, require application approval, and make the approval per machine.

We can use three methods in Windows Management Instrumentation (WMI) to approve, deny, and reapprove the application requests and deployments.

Application approval WMI

Application approval WMI

To approve the application for the first time, we use the CreateApprovedRequest method, so it both creates the request and approves it using this sample script.

We then execute it using the following command line:

This then installs the application on the computer; amazing—no collections needed!

Application installation

Application installation

And we can see it as approved as well for all users on W10Test04.

Application approved

Application approved

If we want to uninstall 7-Zip 16.04 from the test computer, we run the DenyApp.ps1 script:

Execute it using the following parameters:

Powershell.exe -executionpolicy bypass -file .\DenyApp.ps1 "W10test104" "7‑Zip 16.04"

This uninstalls the application.

Application uninstall

And it changes the status under application approval to Denied:

Application denied

Application denied

If we want to reapprove it, we need to use the other method. There is already a denied request, so we cannot use the CreateApprovedRequest method; we need to use the Approve method instead.

This reinstalls the application; let's see how fast it really is.

Application installation demo (click to view)

Application installation demo (click to view)

What happens if we deploy 7-Zip 18.06 then, which is configured to supersede 7-Zip 16.04? It handles this as well. Running the ApproveApp.ps1 script with 7-Zip 18.06 will in my example uninstall 7‑Zip 16.04 and install 18.06 automatically—so simple, so fast!

Both versions show up as approved under application approval, but only one version is installed.

Both applications approved

Both applications approved

7 Zip 18.06 installed

7 Zip 18.06 installed

What would be a great addition would be a task sequence step to install all approved applications. This would solve application installations during an OS reinstall as well.

Test it out in a test environment to start with—the speed will amaze you!

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads and for free by becoming a member!

1 Comment
  1. James Leitz 1 year ago


    I appreciate the thorough guide.  Two notes I found in making this work in my environment:

    1. We didn't have to hide unapproved applications to make the device collection deployments that required approval to be hidden, they just were.  Leaving this setting off allows us to still perform user collection deployments that require approval and have them show up.
    2. I can't seem to re-approve an approved, then denied, device collection deployed application.  Any time I try to do it either via the script you posted above or manually inserting the values and running just the Invoke command I get the following error:
      Invoke-WmiMethod : Operation is not valid due to the current state of the object.
      I am running 1810 at the moment but haven't applied either of the hotfix patches yet.

    Thanks for the tips again!

    James Leitz


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2020


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account