Keep Silverlight from installing on Domain Controllers that have the SCCM client

The SCCM client keeps re-installing Silverlight on the Domain Controllers after we manually uninstall it.  

Security has flagged Silverlight on DCs and wants it permanently removed.

We want SCCM to handle endpoint protection, so I can't remove the client.

I understand that it's required for software center, and don't need to uninstall it from anything but DCs.
sy witt (network engineer) asked:

Mike T (Leading Engineer) commented:
Hi,

You need to do two things:


  1. Create a separate client install GPO
  2. Use ccmsetup.exe in your custom install with /skipprereq:silverlight.exe

From MS docs (1) is done like this:

How to provision client installation properties (group policy and software update-based client installation)

You can use Windows Group Policy to provision computers with Configuration Manager client installation properties. These properties are stored in the registry of the computer and are read when the client software is installed. This procedure would not normally be required, but might be needed for some client installation scenarios, such as:

  - You are using the Group Policy settings or software update-based client installation methods, and you have not extended the Active Directory schema for Configuration Manager.
  - You want to override client installation properties on specific computers.

Note: If any installation properties are supplied on the CCMSetup.exe command line, installation properties provisioned on computers will not be used.

A Group Policy administrative template named ConfigMgrInstallation.adm is supplied on the Configuration Manager installation media, which can be used to provision client computers with installation properties.

To configure and assign client installation properties by using a Group Policy Object

  1. Import the administrative template ConfigMgrInstallation.adm into a new or existing Group Policy Object, by using an editor such as Windows Group Policy Object Editor. The file can be found in the folder TOOLS\ConfigMgrADMTemplates on the Configuration Manager installation media.
  2. Open the properties of the imported setting Configure Client Deployment Settings.
  3. Choose Enabled.
  4. In the CCMSetup box, enter the required CCMSetup command-line properties. For a list of all CCMSetup command-line properties and examples of their use, see About client installation properties in System Center Configuration Manager.
  5. Assign the Group Policy Object to the computers that you want to provision with Configuration Manager client installation properties.

Ref: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-to-windows-computers

One other trick:
If the DCs already have the client installed and you have client push enabled to a wide collection, it may well be wise to create a new collection for DCs only, and add that as an EXCLUDE. I'm just not sure if the client self-healing would grab Silverlight, so the GPO method is probably best.
It's a good idea to have a DCs collection anyway, to exclude from patching, settings and other nice things that might well break DCs, annoy security etc.

Mike
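
A check to run on a DC once the GPO has applied, as an added example that is not part of Mike's answer or of Microsoft's documentation: it reports whether the provisioned CCMSetup properties carry the skip switch and whether Silverlight is still installed. The registry location of the provisioned properties (HKLM:\SOFTWARE\Microsoft\ccmsetup, value SetupParameters) is an assumption about where ConfigMgrInstallation.adm writes, and the function names are hypothetical.

```powershell
# Added example. Assumption: the "CCMSetup" box of the ConfigMgrInstallation.adm
# policy is stored in HKLM:\SOFTWARE\Microsoft\ccmsetup, value SetupParameters.

function Get-ProvisionedCcmSetupParameters {
    # Returns the GPO-provisioned CCMSetup command line, or $null if none is set.
    $key  = 'HKLM:\SOFTWARE\Microsoft\ccmsetup'
    $prop = Get-ItemProperty -Path $key -Name SetupParameters -ErrorAction SilentlyContinue
    if ($prop) { $prop.SetupParameters } else { $null }
}

function Test-SkipSilverlight {
    param([string]$SetupParameters)
    # /skipprereq may list several files separated by ';', so match anywhere
    # inside the switch value. -match is case-insensitive by default.
    return [bool]($SetupParameters -match '/skipprereq:\S*silverlight\.exe')
}

function Get-SilverlightInstall {
    # Look in both the 64-bit and 32-bit uninstall hives.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Silverlight*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

$params = Get-ProvisionedCcmSetupParameters
$found  = @(Get-SilverlightInstall)

# One object per DC, suitable for Invoke-Command fan-out and Export-Csv.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    SetupParameters     = $params
    SkipSwitchPresent   = Test-SkipSilverlight -SetupParameters $params
    SilverlightPresent  = $found.Count -gt 0
    SilverlightVersions = $found.DisplayVersion -join ', '
}
```

A DC in the intended state shows SkipSwitchPresent as True and SilverlightPresent as False. Per the note in the quoted documentation, properties passed directly on the CCMSetup.exe command line override the provisioned ones, so a True here does not cover installs started that way.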

sy witt (network engineer), author, commented:
Thanks.  I forgot to close this before.