In this blog post, “Successfully Deploy MEMCM Console Install – User Collection Based”, I outline how to install the Microsoft Endpoint Manager Configuration Manager console separately from the CAS/Primary site server installation (Standalone). In addition, this blog post details how to use an Active Directory security group with a MEMCM user-based collection to simplify the application deployment. A device-based collection could be used, but it would require maintaining the device computer names for the MEMCM admins or technicians. User-based collections are a great way to deploy applications to groups of users regardless of location or which device they log in to.

Requirements

Active Directory global security group

Users added to the new AD global security group

MEMCM USER collection configured with Dynamic Query Rule based on the AD User security group

MEMCM USER collection “Membership Rule” incremental update enabled (“Use incremental updates for this collection”)

Copy of MEMCM Console Install source files from the Management Point

Access to create a MEMCM App model application

Access to create a user collection

Deployment configured as “AVAILABLE” (not required) for User Collection

Create AD Security Group

Before starting anything, create the AD global security group. If required, submit a change request for your organization. Once created, ensure all MEMCM application admins, technicians and anyone else who needs the MEMCM console installed are added to the security group. Be sure at least ONE user is added to the security group before the MEMCM discovery cycle. Empty AD groups won’t populate in the MEMCM console during the group discovery cycle. Take note of the group name.

Take note of the AD security group name.

Ensure users are added to the security group.

Run “Active Directory Group Discovery”

Once the AD security group is created and users are added, manually run a full Active Directory Group discovery from the MEMCM Console. The automatic timing of this may vary depending on the update cycle of the AD group discovery of the MEMCM environment. It may take some time before the new AD security group shows up under “All Users and User Groups” or “All User Groups”.

Create User Collection

Create the MEMCM user-based collection using the following options. Optionally, pre-create a folder to contain user-based collections. This will be the deployment collection for the MEMCM application that will be added.

Limiting Collection: All Users and User Groups

Membership Rules: Check “Use incremental updates for this collection”

Membership Rules: Optional – Uncheck “Schedule a full update on this collection”

Membership Rules: Query type. In the query statement, change "MYDOMAIN\\MEMCM_Console_Install" to the applicable AD domain name and AD group name. Be sure to include the double backslashes "\\".

Query Statement: Edit the Query statement and copy/paste the example below.

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.UserGroupName = "MYDOMAIN\\MEMCM_Console_Install"

Alternatively, use the drop-down menu to set the Criteria query type as a User Resource as shown in the example here.

Update the MEMCM user collection and ensure that the users added to the Active Directory global security group created earlier are listed. If no users are listed, double-check the User Collection query and confirm the group is listed under All User Groups.
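Because membership of the AD group decides who is offered the console, the collection steps above can be scripted and the query result compared with the group's direct members. This is an added example, not part of the original post; the site code P01, the SMS Provider host name, MYDOMAIN and MEMCM_Console_Install are placeholders, and it assumes the ActiveDirectory and ConfigurationManager PowerShell modules are available.

```powershell
# Added example. Placeholders: P01, mysiteserver.mydomain.com, MYDOMAIN, MEMCM_Console_Install.
Import-Module ActiveDirectory
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

$SiteCode   = 'P01'
$Provider   = 'mysiteserver.mydomain.com'   # SMS Provider host (assumed reachable over WinRM)
$Domain     = 'MYDOMAIN'
$Group      = 'MEMCM_Console_Install'
$Collection = 'MEMCM_Console_Install'

# Same WQL as the post. "\\" is WQL's escaped backslash; PowerShell leaves "\" untouched.
$Wql = 'select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,' +
       'SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User ' +
       "where SMS_R_User.UserGroupName = `"$Domain\\$Group`""

Push-Location "$($SiteCode):"
try {
    if (-not (Get-CMUserCollection -Name $Collection)) {
        # RefreshType Continuous = incremental updates only, no scheduled full update
        New-CMUserCollection -Name $Collection `
            -LimitingCollectionName 'All Users and User Groups' `
            -RefreshType Continuous | Out-Null
        Add-CMUserCollectionQueryMembershipRule -CollectionName $Collection `
            -RuleName "Members of $Group" -QueryExpression $Wql
    }
} finally { Pop-Location }

# Expected: direct user members of the AD group, as DOMAIN\user
$expected = @(Get-ADGroupMember -Identity $Group |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { "$Domain\$($_.SamAccountName)" })

# Actual: users that discovery data currently matches to the rule's query
$actual = @(Get-CimInstance -ComputerName $Provider `
        -Namespace "root\sms\site_$SiteCode" -Query $Wql |
    ForEach-Object UniqueUserName)

# -notin is case-insensitive, so MYDOMAIN\Alice and mydomain\alice match
[pscustomobject]@{
    MissingFromMEMCM = @($expected | Where-Object { $_ -notin $actual })
    NotInADGroup     = @($actual   | Where-Object { $_ -notin $expected })
}
```

Entries under MissingFromMEMCM usually mean group discovery has not run since the user was added; entries under NotInADGroup are accounts that would be offered the console without being direct members of the group.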

Copy MEMCM Console Source Files

Copy the MEMCM source install files from the Management Point site server local “tools” folder to a NEW network share location. All files below are required EXCEPT “ReportViewer.exe”. The source folder is under the MEMCM installation folder (C drive in this example):

C:\Program Files\Microsoft Configuration Manager\tools\ConsoleSetup

Create MEMCM Console Application

Using the network share where the MEMCM console source files were copied, create a NEW application model app using the settings below and deploy the content. Pay close attention to the syntax for the install/uninstall program and ensure you enter YOUR CAS or Primary site server FQDN DNS name.

General: Manually specify the application information

Name: Microsoft MEMCM Console (Whatever name preferred)

Icon: Optional

Deployment Type: Manually specify the Deployment Type information

Name: MEMCM Console Deployment

Content location: UNC path where the MEMCM install files were copied

Installation Program: ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=mysiteserver.mydomain.com

Uninstall Program: ConsoleSetup.exe /uninstall /q

Detection Method: Windows Installer – Navigate to the AdminConsole.MSI file on the UNC network share location. This will auto-populate the Product Code.

Installation Behavior: Install for System

Logon Requirements: Whether or not a user is logged in

Max allowed Runtime: 30 minutes

Requirements: Windows 10 x86 and x64 – Device > Operating System

Dependencies: None

Content location for MEMCM Console installation files.

Install Program: ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" DefaultSiteServerName=mysiteserver.mydomain.com

Uninstall Program: ConsoleSetup.exe /uninstall /q

For more details about the ConsoleSetup install switches refer to the Microsoft documentation here.

Distribute the MEMCM Console application content to the applicable DPs.

Create MEMCM Console Deployment

Once the application is created, deploy to the User Collection created in the previous steps using the options below. Defaults for all other options will work.

General: Software: MEMCM Console Install (App model app)

General: Collection: MEMCM_Console_Install or whatever name used.

Deployment Settings: Action – Install

Deployment Settings: Purpose – Available

Deployment Settings: Allow end user to attempt to repair this application

Scheduling: Check the box “Schedule the application to be available at:” and keep the default time

User Experience: Display in Software Center, and only show notifications for computer restarts
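The application and deployment settings above, scripted with the ConfigurationManager cmdlets and preceded by a signature check on the copied source files, since they will run as SYSTEM on every device that installs the console. This is an added example, not part of the original post; the share path, site code P01 and distribution point group name are placeholders, and the OS requirement and the repair option are left to the console.

```powershell
# Added example. Placeholders: \\fileserver\share\ConsoleSetup, P01, 'All DPs'.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"

$SiteCode   = 'P01'
$Source     = '\\fileserver\share\ConsoleSetup'
$AppName    = 'Microsoft MEMCM Console'
$Collection = 'MEMCM_Console_Install'
$DpGroup    = 'All DPs'
$Install    = 'ConsoleSetup.exe /q TargetDir="%ProgramFiles%\ConfigMgr Console" ' +
              'DefaultSiteServerName=mysiteserver.mydomain.com'

# Refuse to package files whose Authenticode signature no longer validates
foreach ($file in 'ConsoleSetup.exe', 'AdminConsole.msi') {
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $Source $file)
    if ($sig.Status -ne 'Valid') { throw "$file signature status: $($sig.Status)" }
}

# Read ProductCode from the MSI (the value the console wizard auto-populates)
function Get-MsiProductCode([string]$Path) {
    $wi   = New-Object -ComObject WindowsInstaller.Installer
    $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @("SELECT Value FROM Property WHERE Property = 'ProductCode'"))
    $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
}
$productCode = Get-MsiProductCode (Join-Path $Source 'AdminConsole.msi')

Push-Location "$($SiteCode):"
try {
    New-CMApplication -Name $AppName | Out-Null
    $clause = New-CMDetectionClauseWindowsInstaller -ProductCode $productCode -Existence
    Add-CMScriptDeploymentType -ApplicationName $AppName `
        -DeploymentTypeName 'MEMCM Console Deployment' -ContentLocation $Source `
        -InstallCommand $Install -UninstallCommand 'ConsoleSetup.exe /uninstall /q' `
        -AddDetectionClause $clause -InstallationBehaviorType InstallForSystem `
        -LogonRequirementType WhetherOrNotUserLoggedOn -MaximumRuntimeMins 30 | Out-Null
    Start-CMContentDistribution -ApplicationName $AppName -DistributionPointGroupName $DpGroup
    # Available (not required), shown in Software Center, offered to the user collection
    New-CMApplicationDeployment -Name $AppName -CollectionName $Collection `
        -DeployAction Install -DeployPurpose Available `
        -UserNotification DisplaySoftwareCenterOnly
} finally { Pop-Location }
```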

Software Center Client Experience

Log in as one of the users added to the Active Directory security group. Since a User-based collection was used, the application will only be available to the users added to the AD security group on any device with the MEMCM client installed.

Navigate to “Software Center” from the Start Menu, select Applications and click “Install” to install the application.

Bonus Details

The MEMCM console installation in Add/Remove programs has been updated and now is called “Microsoft Endpoint Configuration Manager Console” starting in MEMCM 1910. Once installed, the Product Code is listed in the registry path as shown here.

Troubleshooting Application Installation

The following logs can be reviewed to troubleshoot the application installation.

AppEnforce.log: Shows the application installation which is helpful to confirm the command line syntax is correct.

AppDiscovery.log: Shows the deployment status/deployment type assignment information.

That concludes this blog post “Successfully Deploy MEMCM Console Install – User Collection Based” and I hope this helps to manage the deployment of the MEMCM console for your organization.

References

Install the Configuration Manager console – reference document from Microsoft.

Create applications in Configuration Manager – A Configuration Manager application defines the metadata about application.

Deploy applications with Configuration Manager – Create or simulate a deployment of an application to a device or user collection in Configuration Manager.