Selectively Disable Software Distributions and Application Deployments on Clients

Credit to Niall Brady of http://windows-noob.com fame (Thanks Niall!)

You might want to separate certain computers with the Configuration Manager client agent installed by disabling the ability to install or run available (optional) or required (mandatory) Application Deployments, or Packages/Advertisements. You could achieve this by moving the computer into a collection which is excluded from All deployments but what if someone accidentally added should-be-excluded computers to a collection containing a required deployment?  It may lead to a reboot or something entirely worse. The ability to disable the Software Distribution Agent and the Application Deployment Agent would indeed be useful in this scenario.

Normally you can enable or disable System Center 2012 R2 Configuration Manager Client agent functionality via client settings in the console; however the Software Distribution Agent and the Application Deployment Agents are an exception. For those agents, to disable the software distribution agent and Application Deployment Agent, a local policy can be used. To re-enable it when needed that local policy is deleted, allowing the Site-wide settings to be reapplied.  Although it is certainly possible to do this using "mof" files and importing them, the method outlined here will use Compliance Settings to disable or enable those two agents on one or more computers depending on the collection they are in.

How To Step 1:  Attached --> Here <-- are two files.  In your Console, Compliance Settings, Import both of those .cab files by right-clicking on Configuration Baselines, Import, and pointing to each of those .cab files.  Once imported, to a previously created-by-you collection of computers you wish to disable Software Deployments, deploy the "Disable Software Distribution and Application Deployments" baseline to that collection.  Very carefully make sure you check the box about "Remediation".  In general, I recommend a schedule of daily; but really, once this is deployed those clients have this local policy. Weekly is likely frequent enough.

And... that's it.  You are really done at this point. 

Optional Step 2:  The baseline disables those two agents on clients that run it (with remediation enabled), but it was mentioned to me (Todd Hemsell and Eswar Koneti pointed it out) that it may still be possible for a person interactively logged on to the machine might still be able to see deployments in Software Center, and choose to manually install them.  If you want to prevent that possibility as well this should work (but test, I didn't test this myself), in your console, Administration, Client Settings, create a Custom Client Agent Device Setting; add Computer Agent, and in there, set the "Install Permissions" to "No Users", and deploy that custom client device setting to the same collection.

...time passes...

So, now it's months/years later.  And you want to either find out how many local policies are out there in your environment, or want to remove those local policies.  If you want to just inventory to find them, implement this: http://myitforum.com/cs2/blogs/skissinger/archive/2009/07/06/hardware-inventory-mof-edit-for-local-policies.aspx .  If you want to undo those local policies which were created by the Baseline, first remove the existing deployment; and then deploy the other Baseline of "Remove Previously Created Local Policies to Disable SWDist and App Deployment" (One of the baselines which you imported from the .zip attachment above, but never deployed).  Once the local policy is removed, whatever site-wide settings you have in default Client settings will be applicable to those machines again.