How to remove clients automatically, from operating system deployment collections in SCCM

It is a common scenario that the Windows deployment collections fill up with clients, who has already completed the OSD. If you use mandatory deployments, this is not an issue, but if you are using available deployments, you might have users who accidently reinstall their computers.

There is nothing built into Configuration Manager to do this, but luckily it can be done with a PowerShell script and a status filter rule.

There are a couple of prerequisites

  • The ConfigMgr PowerShell module must be trusted.
  • The ConfigMgr server needs permissions in SCCM and DCOM.
  • This version of the PowerShell script requires SCCM 2012 R2.

PowerShell Module

To trust the PowerShell module, run PowerShell from the Configuration Manager console. Answer “A” when it asks, “Do you want to run software from this untrusted publisher?”

SCCM permissions

Your ConfigMgr server needs “full administrator” rights in SCCM. To do this, go to \Administration\Overview\Security\Administrative Users in the SCCM console and “add user or group”. Find your server under browse and add it to “Full Administrator”.

DCOM permissions

To grant your ConfigMgr server the appropriate rights in DCOM, start Component Services and expand Computers and rightclick ‘My Computer’. Go to the tab “COM Security” and click “Edit Default” under “Access Permissions”. Ensure the System has ‘Allow’ in Remote Access.

Now that the prerequisites are in place, we can move on to the actual function. This consists of a PowerShell script that does the actual legwork and a status filter rule that decides when to run the script.

The PowerShell script

#Call example:
#C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass <Path to Script>\RemoveFromCollection_1.0.ps1 %msgsc %msgsys
#%msgsc = Site-Code
#%msgsys = ComputerName#Set required Input Parameters

#User defined variables here

$CollectionIDs = “CEN000B3;CEN000B4;CEN000B5”
$bEventlogEntry = “1”
$bClearPXE = “0”

#End user defined variables
If($SiteCode -and $ComputerName){}
Write-Host “Required Input is missing! Omit SiteCode and Computername.”
#Import SCCM Module
$ModuleName = (get-item $env:SMS_ADMIN_UI_PATH).parent.FullName + “\ConfigurationManager.psd1″
Import-Module $ModuleName
CD $SiteCode”:”

#Remove Client from collections
#Get collection id array
$aCollections = ($CollectionIDs).Split(“;”)

#check for each collection if a directmembership exist, and remove it
foreach($Collection in $aCollections){
$TrytoRemove = 1
#Check if Collection exists, if not, write an event log error
If((Get-CMDeviceCollection -CollectionId $Collection).Count -eq 0){
write-eventlog -logname Application -source “SMS Client” -eventID 3001 -entrytype Error -message “Collection $Collection does not longer exist, please remove from SCCM Script!” -category 1 -rawdata 10,20
$TrytoRemove = 0
else {
If((Get-CMDeviceCollectionDirectMembershipRule -CollectionId $Collection -ResourceName $ComputerName).count -eq 0) {
#DirectMemberShipRule does not exist, no need to delete
$TrytoRemove = 0

If($TrytoRemove -eq 1){
#Write Eventlog entry
If($bEventlogEntry -eq 1){
write-eventlog -logname Application -source “SMS Client” -eventID 3001 -entrytype Information -message “Computer $ComputerName will be removed from Collection $Collection” -category 1 -rawdata 10,20

#Remove Client from collection
Remove-CMDeviceCollectionDirectMembershipRule -CollectionId $Collection -ResourceName $ComputerName -Force

#Clear PXE Flag
If($bClearPXE -eq 1){
Clear-CMPxeDeployment -DeviceName $ComputerName


All you have to edit in this script are the collection ID’s.

Status Filter Rule

To create the rule that runs the script, when a client has successfully finished OSD, do the following. In the Configuration Manager console, navigate to \Administration\Overview\Site Configuration\Sites, select your site and click status filter rules, either by right clicking or by selecting it on the ribbon.

Create a new rule as follows:

General tab.

  • Component: Task Sequence Manager (this can’t be selected from the drop down menu, you need to write it).
  • Message ID: 11171 (the task sequence completed successfully message in SCCM)


Actions tab.

  • Check “report to the event log” if you want this.
  • Check “replicate to the parent site”
  • Check “run a program” in put this in the program box:
“C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe” -ExecutionPolicy ByPass \\LocationOfTheScript\ScriptName.ps1 %msgsc %msgsys


Click next and finish – and your new status filter rule is in place and ready for testing.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s