Download packages from SCCM distribution points





Version information

  • 0.2.0 (latest)
released Mar 31st 2021
This version is compatible with:
  • Puppet Enterprise 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0
  • windows



puppetlabs/sccm — version 0.2.0 Mar 31st 2021


Table of Contents

  1. Description
  2. Setup - The basics of getting started with sccm
  3. Usage - Configuration options and additional functionality


This module provides Puppet types & providers to natively download packages from SCCM distribution points over HTTP. This module supports HTTP with either anonymous or Windows authentication. HTTPS with client certificates is not currently supported.


What sccm affects

This module will download a package from an SCCM distribution point and store it on the local disk. Since Windows can't install software directly from an HTTP source, the files need to be downloaded locally first. This module provides a way to do that with ease.

Setup Requirements

To start with sccm, complete the following prerequisites:

  • Ensure this module is added to your control repo's Puppetfile
  • This module uses the Puppet Resource API. This is built-in to Puppet 6.x and higher.

Beginning with sccm

To download an SCCM package with this module, we need to define two things:

  • An sccm_dp resource to identify an SCCM Distribution Point
  • An sccm_package resource to identify the package we want to download & manage

Example for a SCCM Distribution Point with anonymous HTTP access:

sccm_dp { '':    # <-- FQDN of the SCCM distribution point
  auth     => 'none'                  # <-- 'none' for anonymous authentication
}

sccm_package { 'PRI00005':            # <-- PRI00005 is the SCCM package ID
  ensure => present,
  dp     => '',  # <-- Must match name of sccm_dp resource
  dest   => 'C:\Windows\Temp\Pkg'     # <-- Folder in which to store packages
}

The above code will download the PRI00005 package from$/PRI00005 and store it in C:\Windows\Temp\Pkg\PRI00005.

Example for the same situation but now with authenticated HTTP access:

sccm_dp { '':     # <-- FQDN of the SCCM distribution point
  auth     => 'windows',               # <-- 'windows' for Windows authentication
  username => 'svcSCCM',               # <-- Username for authentication
  domain   => 'companyAD',             # <-- Domain name (NetBIOS) for authentication
  password => 's3cr3tp@ss',            # <-- Password for authentication
}

sccm_package { 'PRI00005':             # <-- PRI00005 is the SCCM package ID
  ensure => present,
  dp     => '',   # <-- Must match name of sccm_dp resource
  dest   => 'C:\Windows\Temp\Pkg'      # <-- Folder in which to store packages
}


This module's sccm_package resource works well with Puppet's standard package resource to get a Windows application installed. For example, to retrieve Notepad++ from SCCM and install it with Puppet, we can do the following:

sccm_dp { '':
  auth     => 'none'
}

sccm_package { 'PRI00009':
  ensure => present,
  dp     => '',
  dest   => 'C:\Windows\Temp\Pkg'
}

package { 'Notepad++ (64-bit x64)':
  ensure          => 'present',
  source          => 'C:\Windows\Temp\Pkg\PRI00009\npp.7.9.4.Installer.x64.exe',
  install_options => ['/S'],
  require         => Sccm_package['PRI00009']
}
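
Because the module downloads over plain HTTP, the transport does not protect the installer's integrity before the package resource runs it. The following added example (not part of the module or its README) gates the install on a pinned SHA-256. It assumes the puppetlabs/powershell module is installed; the define name, its parameters, the <DP_FQDN> placeholder and the all-zero digest are illustrative.

```puppet
# Added example; not part of the sccm module. Requires puppetlabs/powershell
# for the 'powershell' exec provider. The define and its parameters are hypothetical.
define profile::verified_sccm_package (
  String[1]                      $dp,          # title of an existing sccm_dp resource
  String[1]                      $package_id,  # SCCM package ID
  String[1]                      $file,        # installer file name inside the package
  Pattern[/\A[0-9A-Fa-f]{64}\z/] $sha256,      # digest taken from a trusted copy
  Array[String]                  $install_args = [],
  String[1]                      $dest         = 'C:\Windows\Temp\Pkg',
) {
  $installer = "${dest}\\${package_id}\\${file}"
  $gate      = "verify-sha256-${package_id}"

  sccm_package { $package_id:
    ensure => present,
    dp     => $dp,
    dest   => $dest,
  }

  # 'unless' exits 0 only when the digest matches, so the exec is skipped on a
  # good file. On a mismatch or a missing file the command runs and fails,
  # and Puppet then skips the package resource that requires it.
  exec { $gate:
    command  => "Write-Output 'SHA-256 mismatch: ${installer}'; exit 1",
    unless   => "if ((Get-FileHash -Algorithm SHA256 -LiteralPath '${installer}').Hash -ne '${sha256}') { exit 1 }",
    provider => powershell,
    require  => Sccm_package[$package_id],
  }

  package { $title:
    ensure          => present,
    source          => $installer,
    install_options => $install_args,
    require         => Exec[$gate],
  }
}

sccm_dp { '<DP_FQDN>':  # placeholder for the distribution point's FQDN
  auth => 'none',
}

profile::verified_sccm_package { 'Notepad++ (64-bit x64)':
  dp           => '<DP_FQDN>',
  package_id   => 'PRI00009',
  file         => 'npp.7.9.4.Installer.x64.exe',
  # Constructed placeholder digest (64 zeros); replace with the real SHA-256.
  sha256       => '0000000000000000000000000000000000000000000000000000000000000000',
  install_args => ['/S'],
}
```

With the placeholder digest left in place the gate always fails, so nothing is installed until a real digest is supplied.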

Recommended Usage

The most flexible way to use this module in production is to make the Puppet code fully dynamic, and move the definition & selection of packages to Hiera. Some aspects, like which Sites and Distribution Points exist, as well as info about each package, are best maintained in Hiera and then leveraged in your Puppet code.

This module provides an sccm_site_code fact that reports the SCCM Site the machine is assigned to, if the SCCM Client is installed. You can take advantage of this in Hiera.

For example, let's create the following structure (a YAML file per SCCM site) in Hiera:


and then extend hiera.yaml to include the SCCM site YAML files in the hierarchy:


version: 5

defaults:
  datadir: 'data'

hierarchy:
  - name: 'Yaml backend'
    data_hash: yaml_data
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "sccm_sites/%{sccm_site_code}.yaml"
      - 'common.yaml'

Next, we can populate the relevant information for a site:



    auth: none
    auth: windows
    username: svcSCCM
    domain: companyAD
    password: s3cr3tp@ss

    id: S0100006
      file: winrar-x64-600.exe
        - /S
    id: S0100007
    name: Notepad++ (64-bit x64)
      file: npp.7.9.4.Installer.x64.exe
        - /S

This structures all the relevant information for us, and allows us to reference packages by a friendly name, instead of the SCCM Package ID. That way, if the Package ID changes for whatever reason, you can update this in a single location.

Next, we need to build a Puppet profile with the logic to parse the information from Hiera:


# Class: profile::sccm_packages
# This profile downloads & installs packages from SCCM
class profile::sccm_packages(
  Array[String] $apps = [],   # friendly names of the packages to install (set in Hiera)
  $dest = 'C:\Windows\Temp\Pkg'
) {
  # Select the distribution point that serves this node's subnet
  $networks   = lookup('sccm::networks')
  $dp_configs = lookup('sccm::distribution_points')
  $dp         = $networks[$facts['network']]

  sccm_dp { $dp:
    auth     => $dp_configs[$dp]['auth'],
    username => $dp_configs[$dp]['username'],
    domain   => $dp_configs[$dp]['domain'],
    password => $dp_configs[$dp]['password'],
  }

  # Download each requested package, then install it from the local copy
  $pkgs = lookup('sccm::packages')
  $apps.each |$app| {
    sccm_package { $pkgs[$app]['id']:
      ensure => 'present',
      dp     => $dp,
      dest   => $dest
    }

    package { $pkgs[$app]['name']:
      ensure          => 'present',
      source          => "${dest}\\${pkgs[$app]['id']}\\${pkgs[$app]['install']['file']}",
      install_options => $pkgs[$app]['install']['args'],
      require         => Sccm_package[$pkgs[$app]['id']]
    }
  }
}

The profile above will, in the context of each node's assigned SCCM Site:

  • Look up the mapping of subnets to distribution points in the sccm::networks hash, and select the correct distribution point based on a matching entry for the network fact of the node
  • Look up the configurations of all distribution points in the sccm::distribution_points hash, and create an sccm_dp resource with the configuration for that specific distribution point
  • Look up all available SCCM packages in the sccm::packages hash
  • Create sccm_package resources for any apps passed to the profile in the $apps parameter (we will look up this parameter in Hiera below)
  • Create package resources for any apps passed to the profile in the $apps parameter, to actually install the application

Finally, we can specify the value for $apps on individual nodes, or groups of nodes, using Hiera again:


profile::sccm_packages::apps:
  - winrar
  - notepad++

This will cause WinRAR and Notepad++ to get installed by downloading their respective packages from SCCM, and installing the software as described in the sccm::packages hash for the site.


  • This module does not currently support passing the value to the password parameter of a sccm_dp resource as a Sensitive datatype. A change in the Puppet Resource API is needed to enable this scenario properly. Once the Resource API is updated, a new version of this module will be released that supports passing a Sensitive value.
  • This module currently does not provide support for SCCM Distribution Points running in HTTPS mode.
  • This module was tested against Microsoft Endpoint Configuration Manager, build 2002.