Tag Archives: powershell

Deploy Java Runtime Environment Application using SCCM 2012

I am going to take you through the process of deploying the latest Java Runtime Environment installation using SCCM and making that available to your users.

Firstly we need to download the latest offline version of Java (currently Version 8 Update 25) and extract the MSI file – http://java.com/en/download/manual.jsp.

Launch the Executable file you just downloaded and when the Welcome to Java screen appears, browse to the following location so we can extract the MSI file:


Copy the MSI file from this directory into your SCCM Source directory for your Applications. I like to keep things organised to make it easier in the future when you are adding newer versions. For example, my folder structure will be similar to this: \\SCCM\Sources\Applications\Java\8.0_65\
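Because this MSI will be installed as SYSTEM on every targeted workstation, it is worth checking its Authenticode signature before it reaches the source share. The following is an added example, not part of the original post; the C:\Temp path and the expected signer string "Oracle America, Inc." are assumptions, and if the extracted MSI is not signed the same check can be run against the downloaded executable instead.

```powershell
# Added example. $ExpectedSigner and the C:\Temp path are assumptions, not values from the page.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSigner
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$Path' is $($sig.Status): $($sig.StatusMessage)"
    }
    # A valid signature from an unrelated publisher must not pass, so check the subject too.
    $subject = $sig.SignerCertificate.Subject
    if (-not $subject.Contains($ExpectedSigner)) {
        throw "Unexpected signer on '$Path': $subject"
    }
    [pscustomobject]@{
        File   = $Path
        Signer = $subject
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

function Copy-VerifiedInstaller {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination,   # folder must already exist
        [Parameter(Mandatory)][string]$ExpectedSigner
    )
    $verified = Test-InstallerSignature -Path $Path -ExpectedSigner $ExpectedSigner
    if ($PSCmdlet.ShouldProcess($Destination, "Copy $Path")) {
        Copy-Item -Path $Path -Destination $Destination
        # Re-hash the copy on the share so a truncated or altered transfer is caught.
        $target = Join-Path $Destination (Split-Path $Path -Leaf)
        if ((Get-FileHash -Path $target -Algorithm SHA256).Hash -ne $verified.SHA256) {
            throw "Hash mismatch after copy to $target"
        }
    }
    $verified   # keep the SHA256 so the file on the share can be re-checked later
}

Copy-VerifiedInstaller -Path 'C:\Temp\jre1.8.0_65.msi' `
    -Destination '\\SCCM\Sources\Applications\Java\8.0_65\' `
    -ExpectedSigner 'Oracle America, Inc.'
```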

Create SCCM Application


Launch your SCCM Management Console, click Software Library in the left pane and go to Applications (Overview > Application Management > Applications).

Click Create Application button from the Ribbon along the top.

Browse to the UNC path for the Java application files on the SCCM Application Source directory, select the MSI and click Next.

Verify the Imported Information and Click Next to add some additional information as shown in the screenshot below. Ensure the Installation Program has the /qn switch at the end.


Follow through the rest of the wizard and click Next on the Summary Screen. Click Close to exit the Wizard.

Edit the Application

Select the newly created Application and open the Properties from the Ribbon along the top.

Under the General Information screen, select the checkbox to Allow this application to be installed from the Install Application task sequence action without being deployed.

Click the Deployment Types tab and select Edit for the MSI Deployment Type. Amend the deployment name to Java Runtime Environment as shown below.


Select the Programs Tab and enter the information as shown below.

  • Installation Program: msiexec /i "jre1.8.0_65.msi" /qn
  • Uninstall Program: msiexec /x {26A24AE4-039D-4CA4-87B4-2F83218065F0} /qn
  • Product Code: Click Browse and specify the MSI file from the source application directory


Select the Detection Method tab, and click Edit Clause for the MSI product clause. Select the second Radio box to make sure the MSI Product Code checks for a specific version of 8.0.650.17.


Click OK to close the Detection Rule screen.

Select the Requirements tab and amend the run time details to suit your needs. Click OK twice to close the Application properties.

Distribute Application

Distribute the Application to your Distribution Point/Distribution Point Group by selecting the Application and select Distribute Content.


Click Next on the wizard, click Add and select the appropriate Distribution Point/Groups. Click Next and Close to distribute the application files.

Deploy Application

You will now need to Deploy the Application to your desired collection. I prefer to base my collections on Active Directory Security Groups; a quick post on how this can be done in PowerShell appears further down this page.

Select the Application from the list and click Deploy


Click Next on the Content screen as you have already distributed the application.

Select either Required or Available for the Application.

  • Available: Will allow the user to choose to install the application. If this is being deployed to a Device Collection, the application will be visible in the Software Center. Applications which are deployed to User Collections can be viewed from the Application Catalogue; they are only shown in the Software Center once the user has requested the Application.
  • Required: This will force the application on to the workstation within a given time period.


You can choose to make this application available after a specific date/time period. Click Next to leave as default.

The User Experience can be configured to display all notifications to the user or only show notifications for required restarts. I prefer to select Display in Software Center and show all notifications.


Select the required Alert level and click Next to complete.

The Java Runtime Environment application will now be made available to the ConfigMgr client. You can force the client to check in with SCCM and pick up new policies instead of waiting for the next Application Evaluation Cycle.

Launch Control Panel on the user's workstation and select Configuration Manager. Click the Actions tab, select Application Deployment Evaluation Cycle and click Run Now.


The application will now be listed in the Software Center (or the Application Catalogue if you deployed to a User Collection)


Powershell: Create SCCM 2012 Collections Based on Active Directory Security Group

This script will significantly decrease the length of time taken to create device collections in SCCM. I created this script for a college where I deployed SCCM 2012; it allowed the college to mass-create the device collections required for their environment.

First of all we will need to import the SCCM Powershell Module as shown below.
Note the SMSSITECODE variable will be your 3 letter SCCM Site Code and the location of the Module will need to match the installation path of SCCM.

Import-Module "C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1" -Verbose

There are two parts to this script, the first is the command to create the new device collection (New-CMDeviceCollection) with its given parameters. The second is to add a query membership rule which will specify how the collection is populated (Add-CMDeviceCollectionQueryMembershipRule)

The RefreshType parameter in the example has been set to 'Both'. This ensures the device collection is populated on the schedule which has been specified, and it also uses the Incremental Updates setting of SCCM 2012 so that devices added between scheduled runs are picked up as well. The alternative options for this are 'ConstantUpdate', 'Periodic' or 'Manual'.

The script below requires the following parameters in order to run:

  • Schedule Date: In the format of DD/MM/YYYY H:MM AM/PM
  • Schedule Day: Day of the week schedule will begin
  • Limiting Collection
  • Collection Name
  • Security Group Name: In the format of DOMAIN\\SecurityGroupName
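
$ScheduleDate = "16/10/2014 9:00 PM"
$ScheduleDay = "Thursday"
$Schedule1 = New-CMSchedule -Start $ScheduleDate -DayOfWeek $ScheduleDay -RecurCount 1
$LimitingCollection = 'All Systems'
$CollectionName = "COLLECTION_NAME"
# The query below reads $SecurityGroupName, so it has to be set here (note the doubled backslash)
$SecurityGroupName = "DOMAIN\\SecurityGroupName"
#***********END PARAMETERS*********************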
$QueryRuleName = $CollectionName

$SecurityGroupQuery = "select *  from  SMS_R_System where SMS_R_System.SystemGroupName = '$SecurityGroupName' "

New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName $LimitingCollection -RefreshSchedule $Schedule1 -RefreshType Both

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -QueryExpression $SecurityGroupQuery -RuleName $QueryRuleName
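
The script above pastes the group name straight into the WQL string, so a missing doubled backslash or an apostrophe in a group name produces a rule that matches nothing or fails to save. The following added example (not the author's script; the function names and sample rows are hypothetical) wraps the same two cmdlets for mass creation, escapes the group name, skips collections that already exist and previews the run with -WhatIf.

```powershell
# Added example; needs the ConfigurationManager module loaded and the site drive as the current location.
function ConvertTo-WqlLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash is the WQL escape character, so double it first, then escape the single quote.
    $Value.Replace('\', '\\').Replace("'", "\'")
}

function New-GroupBasedCollection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$SecurityGroupName,  # DOMAIN\Group with a single backslash
        [Parameter(Mandatory)]$Schedule,
        [string]$LimitingCollection = 'All Systems'
    )
    if ($SecurityGroupName -notmatch '^[^\\]+\\[^\\]+$') {
        throw "Expected DOMAIN\GroupName, got '$SecurityGroupName'"
    }
    if (Get-CMDeviceCollection -Name $CollectionName) {
        Write-Warning "Collection '$CollectionName' already exists, skipped"
        return
    }
    $group = ConvertTo-WqlLiteral -Value $SecurityGroupName
    $query = "select * from SMS_R_System where SMS_R_System.SystemGroupName = '$group'"
    if ($PSCmdlet.ShouldProcess($CollectionName, "Create collection with rule: $query")) {
        New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName $LimitingCollection `
            -RefreshSchedule $Schedule -RefreshType Both | Out-Null
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -QueryExpression $query -RuleName $CollectionName
    }
}

# Built from parts so the start time does not depend on culture-specific date parsing.
$start = Get-Date -Year 2014 -Month 10 -Day 16 -Hour 21 -Minute 0 -Second 0
$schedule = New-CMSchedule -Start $start -DayOfWeek Thursday -RecurCount 1

# Constructed sample rows (hypothetical names); use Import-Csv for a real list.
$rows = @(
    [pscustomobject]@{ Collection = 'Library PCs'; Group = 'DOMAIN\SG-Library-PCs' }
    [pscustomobject]@{ Collection = 'ONeill Lab';  Group = "DOMAIN\SG-O'Neill-Lab" }
)
foreach ($row in $rows) {
    New-GroupBasedCollection -CollectionName $row.Collection -SecurityGroupName $row.Group `
        -Schedule $schedule -WhatIf
}
```

Remove -WhatIf once the previewed rules look right.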

I am working on an improvement to this script, which will allow you to choose from multiple queries to form the membership rule. Once complete I will post the complete script up on here.

Powershell: Active Directory – Set Change Password at Logon for all Users

When faced with a situation where you have an OU full of users who need to be forced to change password at logon, your first option may instinctively be the GUI: Active Directory Users and Computers. This may seem a lot easier than PowerShell, as you only need to highlight all the users, select properties and set the checkbox, and there you have it.

However, if you needed to reverse the situation, you are not able to use the same procedure to select the checkbox for all users. This is where PowerShell saves the day. Here are the steps you need to take:

First things first, launch a PowerShell window with the Active Directory module.

Next, we need to get a list of Active Directory users that match our parameters, for this we will use the Get-ADUser cmdlet with a filter for all users in the OU called Users in my domain.

Get-ADUser -Filter * -SearchBase "OU=Users,DC=justinfra,DC=co,DC=uk"

The next step is to use the | (pipe) character to pass the results of that search along and set the property on each user account. The TechNet Library reference for the Set-ADUser cmdlet lists -ChangePasswordAtLogon as an available parameter, so we use a ForEach-Object command to set this property. Here is the full PowerShell command:

Get-ADUser -Filter * -SearchBase "OU=Users,DC=justinfrastructure,DC=co,DC=uk" | foreach-object {set-aduser $_.SamAccountName -changepasswordatlogon 0 }
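
The one-liner changes every account under the OU and leaves no record of what each account looked like beforehand. The following added example (not part of the original post; the function name and report path are hypothetical) reads the current state from pwdLastSet, changes only the accounts that differ, supports -WhatIf and writes a before/after report.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
function Set-OuChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][bool]$Required,
        [Parameter(Mandatory)][string]$ReportPath
    )
    # pwdLastSet = 0 is how AD stores "User must change password at next logon".
    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties pwdLastSet, PasswordNeverExpires
    $report = foreach ($u in $users) {
        $current = ($u.pwdLastSet -eq 0)
        $action = 'Unchanged'
        if ($Required -and $u.PasswordNeverExpires) {
            # The flag has no effect while the password is set never to expire.
            $action = 'Skipped (PasswordNeverExpires)'
        }
        elseif ($current -ne $Required -and
                $PSCmdlet.ShouldProcess($u.DistinguishedName, "ChangePasswordAtLogon = $Required")) {
            Set-ADUser -Identity $u.DistinguishedName -ChangePasswordAtLogon $Required
            $action = 'Changed'
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            WasRequired    = $current
            NowRequired    = if ($action -eq 'Changed') { $Required } else { $current }
            Action         = $action
        }
    }
    # -WhatIf:$false so the preview run still produces the report file.
    $report | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
    $report
}

# Preview of the same change as the one-liner above (clear the flag for the whole OU).
Set-OuChangePasswordAtLogon -SearchBase 'OU=Users,DC=justinfrastructure,DC=co,DC=uk' `
    -Required $false -ReportPath .\pwd-flag-changes.csv -WhatIf
```

The WasRequired column is what makes the change reversible: re-run with -Required $true against only the accounts listed as Changed.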