Documentation for SCCM task sequence deployment orchestrator

Active directory - Security group

The Realm security group serves two objectives.

  1. Acts as the gate keeper, by maintaining a list of Active Directory users who can access a SCCMTSPSI Realm instance.
  2. Provides read access into the configuration directory for a Realm.

Create the below Active Directory global security group.

sccmtspsi-users-XXX [Where XXX is the Realm name]

The security group members tab will look similar to the below image. Where “Build Engineer 1” , “Build Engineer 2” and “Build Engineer 3” are normal sccmtspsi operators and “sccmtspsi-broker-r01” is the broker account [discussed in the next section].


  • The Realm security group can be a nested group. But for performance purposes, we recommend using a flat membership structure.
  • Do not add any foreign security principals as a member of this group.
Suggest Edit

DCOM hardening issue.

This application fails to authenticate with WMI on the SCCM server because Microsoft has not yet hardened DCOM on their Windows Preinstallation Environment. We are working on a different approach, but it will only be released during the first quarter of 2024. But until that time, the only workaround will be to uninstall the update corresponding to KB5004442.