First, I want to make sure you understand an Agent isn't required to scan and deploy patches to a machine, and Machine Groups are primarily used for agentless scans/deployments or to initially install agents on a machine(s). In other words, any scan/deploy action from a Machine Group will be bypassing the agent installed on the target machine. Most customers will use one or the other unless using both makes sense, like on laptops that are out in the field a lot. So installing an agent on a machine and making sure it is in the proper Machine Group won't make much sense here.
For agentless scans/deployments through a Machine Group, placing machines in specific OU containers would be your best bet, since Protect will enumerate the OU before scanning the machine group (agentless). I know other customers have set up systems using 'Link to file' where the Machine Group would scan machines from a text file. The caveat here is you would need to determine the best method of populating these text files.
Let me know if you have questions.
Thanks for the info.
I guess I should clarify...I'm using agent policies for scans and deployments, my machine groups are really just a way of organizing the groups by the policy they receive and also keeping track of machines that are missing the agent. If running a scan enumerates any new machines from the OU, that should be good enough to do what I need, periodically.
Thanks for the clarification, I agree using the OUs would be your best bet at this point. Let me know if you have further questions.
I ended up adding the machine to a group in AD. Then I created a PowerShell script that would extract group members to a text file. Then I use Shavlik and modify the machine group by linking the file. So as long as your machines are in AD, they will be brought into Shavlik on your next patch scan.
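
A sketch of the export step described in the last post, added here as an example; it is not the poster's script or vendor code. The group name and output path are hypothetical placeholders, and it assumes the linked file takes one machine name per line.

```powershell
#Requires -Modules ActiveDirectory
# Added example: export the computers in an AD group to a text file that a
# machine group can reference via 'Link to file'.
# $GroupName and $OutFile are hypothetical placeholders, not values from the thread.
param(
    [string]$GroupName = 'Patch-Servers-Example',
    [string]$OutFile   = 'C:\PatchLists\Patch-Servers-Example.txt'
)
$ErrorActionPreference = 'Stop'

# Resolve nested groups and keep only computer objects (groups can also hold users).
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' }

# Skip disabled accounts so retired machines do not stay in the scan list.
$names = foreach ($m in $members) {
    $c = Get-ADComputer -Identity $m.distinguishedName -Properties DNSHostName
    if ($c.Enabled) {
        # Prefer the FQDN; fall back to the short name if DNSHostName is unset.
        if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
    }
}
$names = @($names | Sort-Object -Unique)

# An empty result may mean a lookup problem rather than an empty group.
# Keep the previous list instead of silently dropping every machine from patching.
if ($names.Count -eq 0) {
    Write-Warning "No enabled computers found in '$GroupName'; leaving $OutFile unchanged."
    exit 1
}

# Write to a temporary file and move it into place, so a scan that starts
# mid-export never reads a half-written list.
$tmp = "$OutFile.tmp"
Set-Content -Path $tmp -Value $names -Encoding ASCII
Move-Item -Path $tmp -Destination $OutFile -Force
Write-Output "Wrote $($names.Count) machine names to $OutFile"
```

Because the file decides which machines get scanned and patched, write access to it and to the AD group should be limited to the accounts that manage patching.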