#ConfigMgr Speed up AD-Group discovered Client Push Installation #SCCM

Imagine the following situation:

You have to deploy SCCM in a well controlled, step-by-step manner, and you want to use (automatic) client push installation.

This can be done by putting the PCs you want into AD groups and targeting them with GPOs, for example to add a ConfigMgr push account to the local Administrators group.

Then Active Directory Group Discovery has to be set up to discover items in the selected AD-Group.

Now, when you put a PC into this AD group, it will be discovered within a short time (5 minutes with the default delta discovery settings).

After discovery, SCCM will try to push the client to the new PCs, but it fails because the ConfigMgr push account is not yet a local admin. This happens because the PC only becomes aware of its new group memberships, and therefore only applies the GPO, after a reboot.

You can now wait until every PC has been rebooted, or do the following:

Create a collection for PCs without an installed client.

Add a new query rule.

Click "Show query language" and paste the query (delete the line breaks after inserting):

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from SMS_R_System where SMS_R_System.Client = 1) and (SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Workstation 6.1")

Now that you have created the collection, it's time for some PowerShell and psexec.

Download psexec and place it somewhere on your SCCM server, e.g. c:\psexec

Create a PowerShell script that gets all members of the "no client" collection, refreshes each PC's AD group membership and forces a gpupdate:

$SiteServer = 'localhost'

# Replace YSC with your site code
$SiteCode = 'YSC'
$CollectionName = 'All Windows 7 PCs without installed Clients'
# Retrieve the SCCM collection by name
$Collection = Get-WmiObject -ComputerName $SiteServer -Namespace "ROOT\SMS\site_$SiteCode" -Class SMS_Collection | Where-Object { $_.Name -eq $CollectionName }
# Retrieve the members of the collection
$SMSClients = Get-WmiObject -ComputerName $SiteServer -Namespace "ROOT\SMS\site_$SiteCode" -Query "SELECT * FROM SMS_FullCollectionMembership WHERE CollectionID='$($Collection.CollectionID)' order by name" | Select-Object Name
# Try to refresh the AD group membership and force a gpupdate for every collection member
ForEach ($SMSClient in $SMSClients) {
    Write-Host "Next Client:" $SMSClient.Name
    $hostname = $SMSClient.Name

    # Purge the Kerberos tickets of the SYSTEM logon session (LUID 0x3e7) so the
    # computer account picks up its new group membership with a fresh ticket,
    # then force a Group Policy refresh
    c:\psexec\psexec.exe \\$hostname -s cmd /c "klist -li 0x3e7 purge"
    c:\psexec\psexec.exe \\$hostname -s cmd /c "gpupdate /force"
}

If the script runs successfully, you will get an output like


To get this working, the account running the script needs to have the right to access the client PC!

Now that the group policy is applied, the ConfigMgr Push Account can install the client.
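Before relying on the push, it is worth confirming that the GPO really landed. The following PowerShell is an added example, not part of the original post: it walks the same "no client" collection and reports every PC on which the push account is not yet a direct member of the local Administrators group. The account name CONTOSO\ConfigMgrPush is an assumed placeholder (replace it with yours), and like psexec it needs admin rights on the clients.

```powershell
# Assumed placeholder, replace with your push account (DOMAIN\Name)
$PushAccount = 'CONTOSO\ConfigMgrPush'

function Test-PushAccountLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Account
    )
    $result = [ordered]@{ Computer = $ComputerName; Reachable = $false; IsAdmin = $false; Members = @(); Error = $null }
    try {
        # The WinNT provider queries the remote local SAM over RPC; this needs
        # admin rights on the client, the same requirement the post states for psexec
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
            # ADsPath looks like WinNT://CONTOSO/ConfigMgrPush -> CONTOSO\ConfigMgrPush
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
        $result.Reachable = $true
        $result.Members   = @($members)
        # Direct membership only; an account added via a nested domain group is not resolved here
        $result.IsAdmin   = (@($members) -contains $Account)
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Same collection as the push script above; YSC is the site code placeholder from the post
$SiteCode = 'YSC'
$CollectionName = 'All Windows 7 PCs without installed Clients'
$Collection = Get-WmiObject -Namespace "ROOT\SMS\site_$SiteCode" -Class SMS_Collection | Where-Object { $_.Name -eq $CollectionName }
$Hosts = Get-WmiObject -Namespace "ROOT\SMS\site_$SiteCode" -Query "SELECT Name FROM SMS_FullCollectionMembership WHERE CollectionID='$($Collection.CollectionID)'" | Select-Object -ExpandProperty Name

# List the PCs where the GPO has not taken effect yet (unreachable ones show up with an Error)
$Hosts | ForEach-Object { Test-PushAccountLocalAdmin -ComputerName $_ -Account $PushAccount } |
    Where-Object { -not $_.IsAdmin } |
    Format-Table Computer, Reachable, IsAdmin, Error -AutoSize
```

Running this once after the klist/gpupdate script tells you which PCs still need the reboot or another refresh before client push can succeed.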

To go even further, you could schedule this task or, even better, let Orchestrator do the job.
