Can anyone answer a question about the behaviour of some of my SCCM client installs.

I am deploying a Win7 image that has a script that executes the ccmsetup /service and then restarts the PC after 10 minutes just after joining the domain within a specific Organisational Unit - Test OU for example.  After the PC reboots the SCCM client setup completes and I leave the PC to update its policies.  However, software I don't want gets deployed.

I am advertising packages like Adobe Reader to the collection All Workstations.  I have the criteria of All Workstations set as %Windows NT Workstation% BUT to exclude any PC's in the Active Directory OU Test.

For some reason the PC appears in the All Workstation collection, and so has software like Adobe Reader installed which I don't want.  If I manually update or wait for the next update schedule on the Discovery of AD objects and also the collections, the PC disappears from the collection and the advertised programs disappear.  This is what I want, but the software originally advertised to the All Workstations gets installed.

Is there a reason why this happens?  Is it because I have manually installed the SCCM client rather than use the Push method.  I cant understand that the All Workstations collection, that I just had the PC installed with the SCCM client gets populated, but as soon as the AD discovery and collection is updated it is removed as expected?

Anyone have any idea? 

Additionally I thought that a collection could only contain PC's once it has been discovered by the scheduled AD Discovery method, but seems to appear in the collection before this happens, is this because I manually installed the SCCM client?  After the AD Discovery process is it then removing the PC from the collection because it knows at that point where the PC is located in the AD, hence the OU Test?

It has to do with when the information is collected from the target system and when the collection updates happen.

Have you reviewed the state of the resource and the information explicitly associated with the resource after it becomes a member of the collection? Depending upon your exact query for the collection membership rule(s), some of the information could be coming from hardware inventory, some could be coming from heartbeat discovery, and some could be coming from AD discovery -- three different sources with three different data gathering cycles not to mention the update interval for the collection itself.

Why not use OSD though instead of some static deployment method so that you can actually deploy what is needed is a dynamic fashion during the OS deployment process?

Hi Jason,

Sorry for delay.

I've never used OSD and not had the time to learn it.  I think you are right with the client and how it is discovered.  I change the AD discovery to 5 minutes so that when the collection is updated it does not appear due to the associated AD group the endpoint is in.

Only trouble is that if a collection updates at the time an endpoint is discovered before AD discovery is updated.

Thanks for the feedback.

A 5 minute AD discovery cycle is way too aggressive and will cause all kinds of issues.