"Allow this program to be installed from the Install Software task sequence without being advertised"
If you are trying to install multiple software packages using a ConfigMgr task sequence "Install Software" step, where each of the package and program combinations is stored in a task sequence variable (e.g. PACKAGES001=XXX00001:Install), you might find that they don't work. If you go digging through the SMSTS.LOG, you'll see messages like this:
No matching policy assignments received.
Policy download failed, hr=0x80004005
This is because you have to give ConfigMgr permission to install a package that isn't advertised to the computer. (ConfigMgr always tries to be "secure by default" and making this the default would violate that principle.) This is done using the "Allow this program to be installed from the Install Software task sequence without being advertised" checkbox on each program's properties. The explanation given in the ConfigMgr documentation (http://technet.microsoft.com/en-us/library/bb680842.aspx) is:
The program specified must have the Allow this program to be installed from a list of software packages in the "Install Software" task sequence step without being advertised option selected or the installation will fail. This option can be selected when adding a program to an existing package in the New Program Wizard. Alternatively, you can specify this option by right-clicking an existing program, selecting clicking Properties, and then clicking the Advanced tab.
So, before you can install a dynamic list of packages, you need to check this box on every program that you are planning to install this way. Depending on how many programs you have, this could be rather painful via the ConfigMgr console. So in MDT 2008 Update 1, we included a new sample script to help with this (a script I forgot to mention in my previous post). Look in the "C:\Program Files\Microsoft Deployment Toolkit 2008\Samples" folder for a file named EnableProgramsForTS.vbs. You will need to make a few edits toward the top of this script before it will work in your environment:
sProviderServer = ""
sSiteCode = "CEN"
sNamespace = "root\sms\site_" & sSiteCode
sUsername = ""
sPassword = ""
Change these values to specify the proper connection details for your ConfigMgr site (whichever site owns packages that need updating, typically the central primary site) and then run it. (Don't specify a username and password if you are running the script on the ConfigMgr server. These values are always optional, but when making a local WMI connection they can't be specified.) The script will check the "Allow" box for every program on every package.
If there is a subset of programs that you want to enable, you can tweak the script as required. (Of course if the criteria is too complex it's probably easier to just use the UI.)