Orchestrator Runbook: Approve Clients in SCCM


This article details a runbook that auto-approves clients from an SCCM collection. This runbook is important if you only approve devices from trusted domains. I recently had to set up an untrusted domain that contained devices that I wanted to manage from SCCM. I needed these devices to be approved without having to do it manually, but I did not want to auto-approve just any device. This runbook achieves that purpose.


This is a fairly simple runbook with only three activities. You will need the SC 2012 Configuration Manager Integration Pack, found here: https://www.microsoft.com/en-us/download/details.aspx?id=39622. Here is what the runbook will look like:


This runbook will first get the membership of a collection. Ensure that your devices that need to be approved are filtered into this collection. I set up the membership rule to pull anything from a particular IP address range into this collection. Another option could match the domain name of your untrusted domain. I then run a WMI method against the membership of that collection that approves everything in that collection. If there are devices that are already approved, nothing happens.

First, drag a “Monitor Date/Time” activity into your runbook. This activity will ensure that your runbook runs at a given interval. I have mine set up to run every five minutes, but you can set it to fit your needs.


Next, drag a “Get Collection Members” activity into your runbook. Set your connection name to your environment. Next, identify the collection of your unapproved devices. I would identify it by the collection ID instead of the name, because that gives you the freedom to change the name in the future.


After you have this set, go to the “Run Behavior” tab. Check the “Flatten” box and specify a “Separate with” character.


Next, drag a “Run .NET Activity” into your runbook. Change the language to PowerShell, and paste this code in the box:

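PowerShell {

# Array that will hold the individual resource IDs
$a_res_id = @()

# Flattened published data from the previous activity
$res_ID = "{Resource ID from "Get Collection Members"}"

# Split on the same character set in the "Separate with" field
$a_res_id = $res_ID.split(";")

# Approve every resource ID in the array
Invoke-WmiMethod -ComputerName <site server name> -Namespace root\sms\site_<site code> -Class SMS_Collection -Name ApproveClients -ArgumentList @($true,$a_res_ID)

}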


First, be sure to replace the blue text (the {Resource ID from "Get Collection Members"} placeholder) with the actual Resource ID published data (assigned to the $res_ID variable) from the previous activity. Also, be sure to input your site server name and site code in the last command.

Now, we have a few things going on here. First, you will notice that this is running in a separate PowerShell session. My Orchestrator system runs on Windows Server 2012 R2, which has PowerShell version 4. Splitting the resource IDs from the previous step proved to be impossible using the Orchestrator PowerShell engine, which runs in version 2. Running these commands from another session allows us to use the much-improved PowerShell 4 engine.

Next, we assign the resource IDs from the previous step to a variable and split them. I used a semicolon as my split character, but you can use whatever you want. Make sure that it matches the “Separate with” field from the previous activity. Finally, we execute the WMI method that approves the devices.
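A stricter take on the split-and-approve step described above, as an added example that is not part of the original runbook: it rejects non-numeric tokens, removes duplicates and refuses to approve more than a set number of clients per run, so a membership rule that becomes too broad does not silently approve everything it catches. The function names, the -MaxPerRun limit, the site server name and site code, and the sample IDs are assumptions made for illustration.

```powershell
# Added example, not the original runbook's code. Function names, -MaxPerRun,
# the site values and the sample IDs are assumptions for illustration.
function ConvertTo-ResourceIdList {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Flattened,
        [char]$Separator = ';',
        [int]$MaxPerRun = 25
    )
    $ids = New-Object 'System.Collections.Generic.List[uint32]'
    foreach ($token in $Flattened.Split($Separator)) {
        $token = $token.Trim()
        if ($token -eq '') { continue }   # empty collection or trailing separator
        [uint32]$id = 0
        if (-not [uint32]::TryParse($token, [ref]$id)) {
            # Fail closed: a stray token usually means the separator does not match
            throw "Unexpected token '$token' in resource ID list."
        }
        if (-not $ids.Contains($id)) { $ids.Add($id) }
    }
    if ($ids.Count -gt $MaxPerRun) {
        # A rule that suddenly matches many devices deserves a manual look
        throw "$($ids.Count) clients queued for approval; limit is $MaxPerRun."
    }
    return ,$ids.ToArray()
}

function Approve-CollectionClients {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteServer,
        [Parameter(Mandatory = $true)][string]$SiteCode,
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][uint32[]]$ResourceIds
    )
    if ($ResourceIds.Count -eq 0) { return }   # nothing to approve this run
    if ($PSCmdlet.ShouldProcess(($ResourceIds -join ','), 'ApproveClients')) {
        # Same WMI method call as the runbook, with validated input
        Invoke-WmiMethod -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" `
            -Class SMS_Collection -Name ApproveClients -ArgumentList @($true, $ResourceIds)
    }
}

# Constructed sample of the flattened published data (duplicate and trailing separator)
$sample = '16777220;16777221;16777220;'
$ids = ConvertTo-ResourceIdList -Flattened $sample -Separator ';'
# -WhatIf reports the IDs that would be approved without contacting the site server
Approve-CollectionClients -SiteServer 'cm01.example.test' -SiteCode 'P01' -ResourceIds $ids -WhatIf
```

Inside the runbook, $sample would be the Resource ID published data; remove -WhatIf once the reported list matches the devices you expect.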

There will also be an extracted copy of my runbook under the Downloads section of this website.


