With SCCM 2007 you had the option to automatic uninstall virtual applications. In the package you selected ‘Remove this package from clients when it is no longer advertised’. If the user was no longer member of the collection the virtual application was removed. With SCCM 2012 this feature has been discontinued.

In SCCM 2012 the trick is to create a collection that contains all the users that are no longer member of the group that belongs to the application.

In this example the application ‘Demo_MoreShortcuts_1.0_ENG – TEST’ will be removed by the users who are no longer member of the Active Directory group ‘APPL – Demo_TST’

The start position

The shortcut is visible for the user:

 Application is visible in Start Menu.


Create a query for the user based collection

The query:

SELECT SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
SMS_R_User INNER JOIN SMS_G_System_AppClientState ON SMS_R_USER.UniqueUserName = SMS_G_System_AppClientState.UserName
SMS_G_System_AppClientState.AppName = "Demo_MoreShortcuts_1.0_ENG - TEST" 
G_System_AppClientState.ComplianceState = 1 AND SMS_R_USER.UniqueUserName NOT IN 
UserGroupName = "DEMOFOREST\\APPL - Demo_TST")

The most important parts are:

  1. SMS_G_System_AppClientState.AppName = “Demo_MoreShortcuts_1.0_ENG – TEST” and G_System_AppClientState.ComplianceState = 1

    Query is based on the Application Name in CM12.

    More information can be found at SMS_G_System_AppClientState Server WMI Class
  2. SMS_R_USER.UniqueUserName not in (select distinct SMS_R_USER.UniqueUserName from SMS_R_User where UserGroupName = “DEMOFOREST\\APPL – Demo_TST”)

The query does not return any users:

The query does not give any results.

The application has both a install and uninstall deployment attached to it.

The application has both an install and uninstall deployment.

User management

Remove the user from the group and perform all client actions on the client.

Remove the user from the group.

After a while the user who was member of the group is now visible in the collection:

After a while the removed user is visible in the collection.

If you install Configuration Manager Support Center on a server, you can open both the AppIntentEval.log and the AppEnforce.log. It shows as a ProhibitedApplication in the AppIntentEval.log.

The AppIntentEval log and AppEnforce log (1 of 2).

The installer can be found on cd.latest\SMSSETUP\Tools\SupportCenter\SupportCenterInstaller.msi on the SCCM Site Server. 


The AppIntentEval log and AppEnforce log (2 of 2).

The virtual application has been uninstalled.