SCCM is a beast. It is a software-deploying, application-packaging, OS-installing, and cappuccino-making machine (currently in testing, expected in System Center 2015). This complexity can make it difficult to use, especially when all you want to do is deploy an application.
By linking applications to security groups, you can move software deployment tasks to Active Directory. This will save time as you do not have to jump between MMCs as often, and you can easily delegate app management. To save time, we are going to assume that you have already imported an MSI into SCCM. If you haven’t yet created an application in SCCM, start with this article and then come back.
Getting SCCM to see Active Directory
Configuration Manager relies on a variety of discovery methods to detect security groups and their members. Launch the Configuration Manager console and navigate to Administration/Hierarchy Configuration/Discovery Methods.
Be sure that Active Directory Group Discovery and Active Directory System Discovery are enabled. Open the properties for each discovery method and ensure that “Enable delta discovery” is checked. Delta discovery ensures that new and updated resources (including changes to group membership) are picked up by SCCM between full discovery cycles.
Enabling delta discovery for Active Directory groups
With both of these settings configured, SCCM will be able to see our Active Directory resources. The next step is to create a group and a collection.
Linking a security group to a collection
In Active Directory Users and Computers, create a new security group. For easy reference, I like to prefix any application deployment group with APP_ . Copy this group name, as you will be pasting it quite a bit in the upcoming steps.
Head back to the Configuration Manager console and navigate to Assets and Compliance/Device Collections. Create a new device collection. For standardization, name your new collection the same as your security group. Specify a limiting collection. In the screenshot below, my APP_Adobe Flash Player collection is limited to All Desktop and Server Clients:
Create Device Collection Wizard
On the Membership Rules page, select Add Rule – Query Rule. Name your rule by pasting your saved group name. Because you likely won’t have multiple query rules, you don’t need to get very specific with the name.
Under Edit Query Statement, select Criteria and Add (star button), and then press Select. Specify System Resource as the attribute class and System Group Name as the attribute.
Selecting our query attributes
We can now specify the security group that will define our query. For value, specify your group name as: DOMAIN\GROUP Name. Below is an example:
Certainly a few more steps than scoping in Group Policy!
Click OK until you are back at the Device Collection Wizard. If you want this collection to update quickly, enable incremental updates. If you do not wish to enable incremental updates, adjust the full update schedule to fit your environment.
Once the wizard completes, one final step remains: linking the collection to the application. Right-click your collection and select Deploy – Application. Specify your application deployment settings in the wizard.
Deploying a preexisting application to our AD linked collection
Creating an AD group-based collection with PowerShell
The steps above can be quite repetitive if you need to create many AD-based collections. By using PowerShell, we can automate these tasks. The script below has served our organization well; I hope it helps you.
A portion of this script relies on the Quest AD cmdlets. This script is designed to be run from the Configuration Manager Server. Before running it for the first time, select Connect via Windows PowerShell in the Configuration Manager console.
This menu can be found in the top left of the console.
The script will prompt you for any information needed. It does have a few hardcoded values in it. To replace these, search for Test.local and specify your domain name. If you have any questions about using Active Directory with SCCM (or about using this script below), just leave a comment!
```powershell
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Set collection type (ConfigMgr: 1 = user collection, 2 = device collection)
$CollectionType = Read-Host "Is this a computer or user collection?"
if ($CollectionType -eq "Computer") { $CollectionType = "2" }
if ($CollectionType -eq "User")     { $CollectionType = "1" }

# Build collection name and description
$CollectionName = Read-Host "What is the name of the Application group? EX: APP_Adobe Flash Player"
$Description = $CollectionName

# Configuration block for SCCM (replace Test.local with your domain)
$Sitename  = "GC1"
$Domain    = "Test.local"
$GroupOU   = "OU=Software Distribution,DC=Test,DC=LOCAL"
$Namespace = "Root\SMS\Site_" + $Sitename

# Create collection block
Function Create-Collection($CollectionName) {
    # Limit to All Systems (SMS00001) for device collections, All Users (SMS00002) for user collections
    if ($CollectionType -eq "2") { $LimitingID = "SMS00001" } else { $LimitingID = "SMS00002" }
    $CollectionArgs = @{
        Name                = $CollectionName
        CollectionType      = $CollectionType
        LimitToCollectionID = $LimitingID
    }
    Set-WmiInstance -Class SMS_Collection -Arguments $CollectionArgs -Namespace $Namespace | Out-Null
}

# Update query block
Function Update-Query($CollectionName) {
    # Device collections match on SystemGroupName, user collections on UserGroupName
    if ($CollectionType -eq "2") {
        $QueryExpression = 'select * from SMS_R_System where SMS_R_System.SystemGroupName = "' + $Domain + '\\' + $CollectionName + '"'
    } else {
        $QueryExpression = 'select * from SMS_R_User where SMS_R_User.UserGroupName = "' + $Domain + '\\' + $CollectionName + '"'
    }
    $Collection = Get-WmiObject -Namespace $Namespace -Class SMS_Collection -Filter "Name='$CollectionName' and CollectionType = $CollectionType"

    # Validate query syntax (ReturnValue 0 means the WQL is valid)
    $ValidateQuery = Invoke-WmiMethod -Namespace $Namespace -Class SMS_CollectionRuleQuery -Name ValidateQuery -ArgumentList $QueryExpression
    if ($ValidateQuery.ReturnValue -eq 0) {
        $Collection.Get()
        # Create new rule
        $NewRule = ([WMIClass]"\\Localhost\$Namespace`:SMS_CollectionRuleQuery").CreateInstance()
        $NewRule.QueryExpression = $QueryExpression
        $NewRule.RuleName = $CollectionName
        # Commit changes and initiate the collection evaluator
        $Collection.CollectionRules += $NewRule.psobject.baseobject
        $Collection.RefreshType = 6   # 6 = periodic + incremental updates
        $Collection.Put()
        $Collection.RequestRefresh()
    }
}

# The workhorse
Create-Collection $CollectionName
Update-Query $CollectionName
New-QADGroup -Name $CollectionName -ParentContainer $GroupOU -GroupScope Global -Description $Description
```
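Because the AD group now decides which machines receive software, it is worth checking that the group, what discovery has recorded, and the evaluated collection actually agree. The following audit is an added example, not part of the original article or script; it assumes the ActiveDirectory module, the SMS provider on the local site server, and placeholder values for the site code, NetBIOS domain name and group name.

```powershell
# Added example: audit an APP_ group against SCCM discovery and collection membership.
Import-Module ActiveDirectory

$SiteCode  = "GC1"                     # placeholder: your site code
$Domain    = "TEST"                    # placeholder: NetBIOS domain name as SCCM records it
$GroupName = "APP_Adobe Flash Player"  # placeholder: the group/collection name
$Namespace = "Root\SMS\Site_$SiteCode"

# 1. What AD says the group contains (computer objects only, nested groups expanded)
$AdMembers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name }

# 2. What AD Group Discovery has recorded: SystemGroupName is a multi-valued
#    property on SMS_R_System that is only filled in once discovery has run.
$Discovered = Get-WmiObject -Namespace $Namespace -Class SMS_R_System |
    Where-Object { $_.SystemGroupName -contains "$Domain\$GroupName" } |
    ForEach-Object { $_.Name }

# 3. What the collection evaluator has produced for the matching collection
$Collection   = Get-WmiObject -Namespace $Namespace -Class SMS_Collection -Filter "Name='$GroupName'"
$InCollection = @()
if ($Collection) {
    $InCollection = Get-WmiObject -Namespace $Namespace -Class SMS_FullCollectionMembership `
        -Filter "CollectionID='$($Collection.CollectionID)'" | ForEach-Object { $_.Name }
}

# Report each stage separately so a discovery lag can be told apart from an evaluation lag
$NotDiscovered = $AdMembers    | Where-Object { $Discovered   -notcontains $_ }
$NotInColl     = $Discovered   | Where-Object { $InCollection -notcontains $_ }
$Stale         = $InCollection | Where-Object { $AdMembers    -notcontains $_ }

"AD members: $($AdMembers.Count)  discovered: $($Discovered.Count)  in collection: $($InCollection.Count)"
if ($NotDiscovered) { "Waiting on AD Group Discovery: $($NotDiscovered -join ', ')" }
if ($NotInColl)     { "Waiting on collection evaluation: $($NotInColl -join ', ')" }
if ($Stale)         { "In collection but no longer in the group (still targeted by the deployment): $($Stale -join ', ')" }
```

Machines listed under the first heading are the ones to look for in adsgdis.log; machines under the second are waiting on the collection's refresh schedule rather than on discovery.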
Can you describe the variables involved in the time it takes for a system to be added to an AD Security Group set up in this way to actually receive an application on the client? Here’s my understanding, but I would appreciate confirmation.
If I’m correct here, it could potentially take up to 2 weeks for an environment left in the Default configuration. Thanks!
Your understanding is pretty close. Here is the revised order:
When I image computers, I set a custom client settings to change the Machine Policy Refresh down to 5 minutes. This speeds up software installation times.
Great article and concept!
What are some troubleshooting steps for group memberships not being discovered with the delta discovery? Full discovery updates them just fine, so I have it set running 4 hours for now. These are systems already in SCCM, recently added to a purpose-driven AD group.
adsgdis.log doesn't show any clear indication of an issue during delta.