Simplifying User Application Deployments in ConfigMgr

There are numerous types of application and deployment options in ConfigMgr/SCCM today. Everything from traditional MSI to the new MSIX and Windows Store apps. Throw in Co-Management and Intune and you get even more options. Deployments can be targeted to specific devices and users. Most companies use some mix of these to get software onto devices. Some people even still refuse to use the Application model in ConfigMgr in favor of the Package model because of that one time they had trouble with it back in 2012.

For today’s adventure, I decided that I wanted to understand how to make User applications show up in Software Center (all testing was done on 1806 and 1810 TP without the Application Catalog role installed). I had been trying to instruct our Licensing team on how to help users who call about missing applications in Software Center. I started digging and ended up here.

AD Group Based User Collection

Recently on Twitter, we had some great discussion about using Active Directory Security Groups as direct members (instead of query memberships) in ConfigMgr user collections, and several people were surprised that this was an option or were doing it in a sub-optimal way using query memberships. There’s a great write-up by Nicke Källén about it here that got me on the right track months ago. If you haven’t read it, you should do that before proceeding because this information builds on that post.

In Active Directory, create new security group called App – Google Chrome.

All of my user application collections will start with the App – prefix to enable me to quickly identify them in AD and in the ConfigMgr console.

It’s very hard to find that ONE group hidden amongst all of these other groups in my lab!

Enable Active Directory Group Discovery in ConfigMgr as well. Once you have created the AD group, either manually run Active Directory Group Discovery or wait until it runs the next time to allow it to import your new group.

Navigate to the Users node in the console (there is no User Groups node, so filter by Resource Type) and you should see your new AD Group.

In the ConfigMgr console, create a new User Collection called Google Chrome. Set the limiting collection to All User Groups (unless you plan to add individual users as direct members as well as groups). Then add a Direct rule. Select the AD Group resource type, then type % into the search box and click Search. You should see your new group.

Select the group, complete the wizard and close the collection. Once the collection membership updates, the AD group should be the only member.
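The same group, collection and direct rule built with PowerShell, as an added example that is not the post's own script. It assumes the RSAT ActiveDirectory module and the ConfigMgr console module are installed, that AD Group Discovery has already imported the group, and uses placeholder values for the site code, domain, OU and SMS Provider.

```powershell
# Added example; placeholder environment values, adjust to your site.
Import-Module ActiveDirectory
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

$SiteCode  = 'PS1'                                  # placeholder site code
$Provider  = 'cm01.contoso.com'                     # placeholder SMS Provider host
$Domain    = 'CONTOSO'                              # placeholder NetBIOS domain
$GroupOU   = 'OU=App Groups,DC=contoso,DC=com'      # placeholder OU
$AppName   = 'Google Chrome'
$GroupName = "App - $AppName"                       # the post's 'App - ' prefix

# 1. Create the AD security group the collection will be built on (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# 2. Find the group as a discovered user-group resource. This only succeeds after
#    Active Directory Group Discovery has run; SMS_R_UserGroup.Name is 'DOMAIN\group'.
$grp = Get-CimInstance -ComputerName $Provider -Namespace "root\sms\site_$SiteCode" `
         -ClassName SMS_R_UserGroup -Filter "Name='$Domain\\$GroupName'"
if (-not $grp) { throw "$GroupName not discovered yet; run AD Group Discovery first." }

# 3. Create the user collection limited to All User Groups and add the group
#    as a DIRECT member rather than a query rule.
Set-Location "$($SiteCode):"
$coll = Get-CMUserCollection -Name $AppName
if (-not $coll) {
    $coll = New-CMUserCollection -Name $AppName -LimitingCollectionName 'All User Groups'
}
Add-CMUserCollectionDirectMembershipRule -CollectionId $coll.CollectionID `
    -ResourceId $grp.ResourceId

# 4. Deploy the (already created) application as Available to the new collection.
New-CMApplicationDeployment -CollectionName $AppName -Name $AppName `
    -DeployAction Install -DeployPurpose Available
```

After the collection membership updates, the AD group should be the only member, exactly as in the console walkthrough.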

Deploying Applications to User Collections

For this example, I have created a standard MSI application for Google Chrome for Enterprise, but any application will work. Simply create a new Available deployment to your new user collection. I will touch on Required in a moment.

Instant Application Delivery

At this stage, you have an AD group with no users, a User Collection and a deployment to that collection. You should be logged in with your test account and have Software Center closed. Add your test account to your AD Security group.

Wait however long you think your AD replication takes. In my lab, there’s no delay, so this is immediate. Lock then Unlock Windows. Open Software Center. Your app should be there.

User Available Application Using AD Security Group Membership

Let’s Look at the Logs

To see what’s going on, first, remove your user account from the AD group then Lock and Unlock again. 

Open PolicyAgent.log in CMTrace and check the box to Ignore existing lines so you can get a fresh look. Open Software Center. The application should be gone. Now check the log. (Note, my account is not a member of any AD groups at this moment.) Here’s what you should see.

These are the key entries we are looking for:

As you can see, the Unlock event triggers a User Policy update. To me, this is the hidden gem in the whole process. Understanding that a machine unlock event will trigger a user policy update, helps communicate a simple process to users who request software.

Now, add the Test user account back to the AD Group and repeat the process. PolicyAgent.log will show that your account was a member of X security groups in the previous entry and the new entry will show X+1. During this refresh, PolicyAgent checked for new group memberships and then performed a delta policy update. However, unlike Machine policies, where you can look in WMI and see all of the advertisements listed, this policy update is only concerned with your AD Group membership.

Next, switch over to the most current SCClient log. Mine is called [email protected]_2.log. When you open Software Center, you can see SCClient checking WMI for applications then it also uses the CMUserService_WindowsAuth web service to check for user advertisements.

At this point, I spent hours digging through WMI and even mounting the SQL Compact Edition databases that the ConfigMgr client uses, and I never found any indication of User Available applications on the device until they get installed. To test my web query theory (stop rhyming now, I mean it!), I disconnected my NIC then opened Software Center. All User Available applications disappeared!! This behavior further confirms that the User Available applications in Software Center are truly dynamic.

Then I watched the DB using SQL Query Analyzer and found that the client uses a query to check for User Advertisements. You can see that it calls the Stored Procedure usp_GetApplicationsTargetedToUserFiltered and passes in the user SID as well as the AD Security Group SIDs that it discovered when you unlocked the device.

I manually ran this query in SQL and got this result:

You could dig into the SQL Stored Procedure and build a report using the same functions and queries, I just haven’t gotten THAT far into it.

User Required Applications

The behavior I noticed for Required applications was slightly different. While Available applications required you to open Software Center, Required applications began installing almost immediately after unlocking. (Note, I left Software Center open for the video, but even with it closed, the application will auto install just after unlock.)

User Required application auto installing after Unlock.

What Does This All Mean?

If you’ve used ConfigMgr for any length of time, you know that most Software Center related delays are a result of Collection Membership Updates and Client Policy Processing. In my environment, our collections take ~30 mins to process fully. We have a web portal for users to request applications that adds their devices to collections, updates membership, then triggers client policy updates. This has always led to users complaining that their apps aren’t available yet. If we were to switch over to User Available application deployments, we could reduce the number of wasted hours trying to make applications show up for impatient users.

I know there are licensing and other issues that potentially cause this to fall apart for some companies/applications, but User-based Application deployments should be the norm. Windows Store for Business, Intune and AutoPilot are all User-Centric in their application delivery and moving ConfigMgr over to the same model should help us stay current with Modern Device Management. It sure will make hardware lifecycle and device replacements much less painful for users.


  • Reply
    Andrew Porter
    October 30, 2018 at 10:46 am

    Nice post!

  • Reply
    Rico Rosenheim
    October 30, 2018 at 1:26 pm

    This blog post is a gem in its own right and thankfully not hidden. This was truly useful info.

  • Reply
    November 1, 2018 at 5:58 am

    Great post Rico.
    However, I have a problem.
    When I remove the user from the group or disconnect my NIC as you say, the application does not go away.
    Looking back in the Policy Agent log, it still states that the user is a member of 2 security groups. I can confirm they are only in 1, Domain Users. I can reboot, lock/unlock and this will not change.
    The SCCM console shows the user is removed from the collection.
    Not sure if I am doing something wrong here; if you have any pointers that would be great.

    • Reply
      Adam Gross
      November 1, 2018 at 6:03 am

      That sounds like an AD replication issue. Until the PolicyAgent shows that the security group count decreases, that will indicate that the user still hasn’t gotten the change from AD on the client. Try testing to see what DC the user is connected to using CMD then run SET and look for LOGONSERVER. Then in ADUC, Connect to that DC to make your group change for the user. That should make the change more rapid in AD and prevent the replication delay. Basically, until you see the change in the log, you won’t see a change in Software Center.

      • Reply
        November 1, 2018 at 6:19 am

        Rico, sorry I was wrong, when adding the user back to the group it correctly increments to 3 and decrements to 2 when removed again, confirmed in PolicyAgent.log. However the software is still available in Software Center.

        Does Deployment Type need to be “Install for User” as the particular test app i chose to deploy (Filezilla) is set to Install for System?

        • Reply
          Rico Rosenheim
          November 1, 2018 at 7:00 am

          Hi Nandyol
          For what it’s worth, I have seen this behavior before…
          Call it a bug or a feature, but unfortunately I haven’t managed to figure out why…only a complete uninstall -> reinstall of the CM client managed to fix my problem.
          I suspect it being remnants in either WMI or in the registry that doesn’t get removed as part of the policy update process.

          • Adam Gross
            November 1, 2018 at 7:10 am

            I haven’t seen the behavior in my testing, but I will see if I can manage to duplicate it and see if I can sort it out. Thanks for the info.

          • nandyol
            November 1, 2018 at 4:24 pm

            Thank you Rico and Adam, the same applies here. However, deployments to device collections do not show this same behavior. I have never been able to get user deployments to work as described in this blog post.

          • Adam Gross
            November 1, 2018 at 8:58 pm

            I just tested this and it worked as expected. I advertised the Recast RCT MSI Application set to install for System to a user collection that uses an AD Group as the only direct member. I installed the MSI. Then I uninstalled it. Then I removed the user from the AD Group. Locked then unlocked and reopened Software Center and the app was no longer advertised. When you have uninstalled, does the button change to Install or does it still say Uninstall? Are you uninstalling from Software Center?

          • nandyol
            November 2, 2018 at 7:55 pm

            I always uninstall from Software Center and yes the button changes back to Install. I’ve followed the exact same process as you and it will just not go away. The only difference is the application I deploy is not an MSI, just an exe packaged with PSADT. I’ve rebuilt this VM a dozen times now and it is always the same outcome.

          • Adam Gross
            November 2, 2018 at 8:00 pm

            What if you try an MSI app to see if you get different results?

          • nandyol
            November 2, 2018 at 10:14 pm

            Ok, I just tested with the LAPS MSI and it still hasn’t disappeared. I had another application sitting there that I never installed and that DID disappear :/

  • Reply
    November 6, 2018 at 10:02 am

    The downside with this approach is that when you change from a “query rule” to a “direct rule”, it’s no longer possible to see deployments for a specific user.
    Example: Assets and Compliance – Users – “John Smith” – Right Click – Properties – Deployments.
    Only “query rules” show in the list and no “direct rules”.

    • Reply
      Adam Gross
      November 6, 2018 at 10:10 am

      True. You can always make a separate collection that uses a query rule if you want to use the collection for reporting. You could also just look at the security group membership. It’s all about preference. Do you want fast user app delivery or do you want to use collections to report on user deployments?
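Adam's suggestion of checking the security group membership instead of the Deployments tab, as an added example that is not part of the original post or thread: given a user, walk their 'App - ' groups, find the user collections where each group is a direct member, and list the application deployments on those collections. It assumes the post's 'App - ' naming convention, the RSAT ActiveDirectory and ConfigMgr console modules, and placeholder site code, domain and SMS Provider values; the DeploymentIntent mapping (1 = Required, 2 = Available) is from the SMS_DeploymentSummary class that Get-CMDeployment returns.

```powershell
# Added example; placeholder environment values, adjust to your site.
Import-Module ActiveDirectory
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'                 # placeholder site code
$Provider = 'cm01.contoso.com'    # placeholder SMS Provider host
$Domain   = 'CONTOSO'             # placeholder NetBIOS domain
Set-Location "$($SiteCode):"

function Get-UserAppDeployment {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # 1. The user's direct AD group memberships, keeping only the 'App - ' groups.
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
              Where-Object { $_.Name -like 'App - *' }

    foreach ($g in $groups) {
        # 2. Resolve the AD group to the user-group resource that AD Group Discovery imported.
        $res = Get-CimInstance -ComputerName $Provider -Namespace "root\sms\site_$SiteCode" `
                 -ClassName SMS_R_UserGroup -Filter "Name='$Domain\\$($g.Name)'"
        if (-not $res) { Write-Warning "$($g.Name) not discovered in ConfigMgr"; continue }

        # 3. User collections where that resource is a DIRECT member (scans all user
        #    collections, which is fine for a lab; narrow with -Name in a large site).
        $colls = Get-CMUserCollection | Where-Object {
            Get-CMUserCollectionDirectMembershipRule -CollectionId $_.CollectionID |
                Where-Object { $_.ResourceID -eq $res.ResourceId }
        }

        # 4. Every application deployment targeted at those collections.
        foreach ($c in $colls) {
            Get-CMDeployment -CollectionName $c.Name | ForEach-Object {
                [pscustomobject]@{
                    User        = $SamAccountName
                    Group       = $g.Name
                    Collection  = $c.Name
                    Application = $_.ApplicationName
                    Purpose     = switch ($_.DeploymentIntent) { 1 {'Required'} 2 {'Available'} }
                }
            }
        }
    }
}

Get-UserAppDeployment -SamAccountName 'jsmith' | Format-Table -AutoSize   # placeholder user
```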

  • Reply
    November 16, 2020 at 9:06 pm

    Adam –

    Do you have any thoughts on this approach when deploying software to laptop users on a (non always-on) VPN solution? I’m of the impression that this approach has limitations that might require users to take additional actions like refreshing group policy to ensure the user token includes the AD group memberships..

    I’ve too frequently experienced users not seeing their software in software center until manual user intervention.. Am I experiencing an oddity, or is this expected?
