If you are building a master image that will be deployed to multiple devices, such as in a Citrix environment, it’s recommended to provision the ConfigMgr client by removing the SMSCFG.ini file and deleting the ConfigMgr certificates from the local computer store.

There are TechNet guides out there that discuss how to do this, one for ConfigMgr 2007 https://technet.microsoft.com/en-gb/library/bb694095.aspx?f=255&MSPPError=-2147217396 and one for ConfigMgr 2012 https://technet.microsoft.com/en-us/library/gg712298.aspx#Anchor_7. I also blogged about some recommended steps to provision for Citrix XenDesktop here

If you want to provision the ConfigMgr client as part of your Task Sequence then unfortunately the first step in the process, net stop ccmexec (stopping the SCCM service), is going to kill the Task Sequence and it’s game over.

So can we provision the ConfigMgr client as part of a Task Sequence build? Well thanks to the built-in Task Sequence variable SMSTSPostAction we can.

SMSTSPostAction was introduced in ConfigMgr 2012 SP1. If you create a TS variable called SMSTSPostAction, whatever value is entered for that variable is executed as soon as the Task Sequence completes. The only downside is that whatever is executed is not reported upon in the SMSTS.log file.

A couple of simple steps in the Task Sequence will get our master image’s ConfigMgr client provisioned for us though. Pretty awesome and here’s how.


As you can see from the image above, I have created a group that will only be executed if the Task Sequence variable GoldImage equals Yes. I have a UDI driven Task Sequence (alternatively you could set a collection variable) and I only want to build out a master image when I am provisioning a new Citrix master. So I have a drop-down in my UDI wizard that can set GoldImage to Yes. Once this is set, the next two steps are executed.

Provision CCMClient


The Provision CCMClient step references a package. This package contains the following:


  • ProvisionCCMClient.CMD file
  • A folder called ProvisionCCMClient containing the PS1 script (ProvisionCCMClient.PS1) that will seal the client for the master image.

The ProvisionCCMClient.CMD file contains the following command and is executed via the package’s program:

xcopy %~dp0ProvisionCCMClient "C:\Windows\ProvisionCCMClient" /e /s /y /h /i

All this command is doing is copying the folder ProvisionCCMClient into the Windows folder on the device being built.

Note that with ConfigMgr Current Branch you could use the ‘Download Package Content’ step to achieve this.

SMSTSPostAction Provision CCMClient


The PS1 script, ProvisionCCMClient.PS1, was copied to the Windows folder in the previous step. In this step I use the Task Sequence variable SMSTSPostAction and call up the script in the value field.

Since it’s a PS1 script the command to issue is:

powershell -ExecutionPolicy ByPass -file "C:\Windows\ProvisionCCMClient\ProvisionCCMClient.ps1"

The Task Sequence will continue to execute and once completed the PS1 script will execute.


I have used the following commands in my script to seal for the master image. I also shut the device down at the end of the build.

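# Stop the ConfigMgr client service
net stop ccmexec
# Remove the client identity file and the SMS certificates
del c:\Windows\smscfg.ini
Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force
# Delete the inventory action status record; the WQL value is single-quoted inside a double-quoted argument so the quotes survive PowerShell's argument parsing
wmic /namespace:\\root\ccm\invagt path inventoryActionStatus where "InventoryActionID='{00000000-0000-0000-0000-000000000001}'" DELETE /NOINTERACTIVE
# Shut the device down at the end of the build
shutdown -s -t 0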

Now I can provision for a master image build without having to run a script post Task Sequence deployment.
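
Because nothing run through SMSTSPostAction is reported in SMSTS.log, a sealing script can keep its own transcript and confirm that the client identity and certificates are really gone before the device shuts down for capture. The following is an added example, not the ProvisionCCMClient.PS1 from this post; the log file path and the decision to leave the machine running when a check fails are assumptions, and it uses the WMI cmdlets of Windows PowerShell instead of wmic.

```powershell
# Added example, not the original ProvisionCCMClient.ps1.
# Assumed: the log path below. Other paths and the action ID are the ones used in this post.
$log = 'C:\Windows\ProvisionCCMClient\ProvisionCCMClient.log'
Start-Transcript -Path $log -Append | Out-Null
$ErrorActionPreference = 'Stop'

$cfg     = 'C:\Windows\smscfg.ini'
$certKey = 'HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates'
$wmiNs   = 'root\ccm\invagt'
$filter  = "InventoryActionID='{00000000-0000-0000-0000-000000000001}'"
$failed  = @()

try {
    # 1. Stop the client first so it cannot rewrite its identity during cleanup.
    Stop-Service -Name CcmExec -Force

    # 2. Remove the client identity file and the SMS certificates.
    if (Test-Path $cfg)     { Remove-Item -Path $cfg -Force }
    if (Test-Path $certKey) { Remove-Item -Path "$certKey\*" -Recurse -Force }

    # 3. Delete the inventory action status record (same target as the wmic command).
    Get-WmiObject -Namespace $wmiNs -Class InventoryActionStatus -Filter $filter |
        Remove-WmiObject
}
catch {
    $failed += "Cleanup error: $($_.Exception.Message)"
}

# 4. Verify each artifact independently of whether the cleanup reported an error.
$svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') { $failed += 'CcmExec is still running' }
if (Test-Path $cfg) { $failed += "$cfg is still present" }
if (Get-ChildItem -Path $certKey -ErrorAction SilentlyContinue) {
    $failed += 'SMS certificates are still present'
}
if (Get-WmiObject -Namespace $wmiNs -Class InventoryActionStatus -Filter $filter `
        -ErrorAction SilentlyContinue) {
    $failed += 'Inventory action status record is still present'
}

if ($failed) {
    # Leave the device running so an unsealed image is not captured unnoticed.
    $failed | ForEach-Object { Write-Warning $_ }
    Stop-Transcript | Out-Null
    exit 1
}

Write-Output 'ConfigMgr client sealed; shutting down.'
Stop-Transcript | Out-Null
Stop-Computer -Force
```

If the device is still powered on after the Task Sequence finishes, the transcript at the assumed log path shows which check failed.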