I’m a certified Endpoint Manager consultant and Enterprise Mobility MVP.

I run my own consultancy company SCCM Solution Ltd and have 25 years of deployment, design and infrastructure experience and have spent the last 12 years specialising in Endpoint Manager deployments and advising clients how to use Endpoint Manager effectively within their environment via on-prem or cloud solutions.

I hope you find something useful from the tips and fixes within this blog.

You can read more about me at LinkedIn.


  1. Hi Paul
    I just found your blog and I think it is “super” …
    A lot of good and useful tips and fixes.
    I am looking for an answer:
    why an application (MS Office 2010 32bit) is not on a laptop after deployment.
    We have laptops from Lenovo, T440 and X240, where the application has been installed, but I have a problem with the T540p. Any tip on where I need to look?
    I use SCCM 2012 R2 and the client OS is Win7x64.

    Best regards
    Avi Achiel

  2. Cool! I will check.
    Do you have a tip or command for how to make the PC start up from the C: hard disk, not from CD?
    I would like to make this change/action in the TS (not manually after I install a new computer).

  3. We use BitLocker and it causes a problem when the user forgets a CD or USB: the computer doesn’t start, then we get a call to the helpdesk… 😦

    \\ Avi

  4. You’d have to check if Lenovo has a BIOS utility that allows you to do this. I know HP has the BIOSUtilityTool which allows for this sort of thing. Not sure if Lenovo has one.

    1. Lenovo does have a utility but it’s command line based. I don’t have the commands on me now as I’m at home but I will try and look them up for you Avi if you want…

  5. Hi Paul
    I can’t find a solution on the internet for why my SCCM 2012 R2 deployments (packages or applications) are not visible in Software-Center when I deploy them with a User-Collection, but they are if I deploy them with a System-Collection.

  6. Hi Paul,

    I came across your link actually on LinkedIn, and think it’s fantastic.
    Thank you for sharing so much of your knowledge and time with us… I’d always appreciate any help you can offer, and if you don’t mind – I’d like to send you a request on LinkedIn? (in case you don’t know who the person is who randomly adds you on there)

    Hope your weekend went well.

    Sith aka Ambrish

  7. After struggling endlessly to get SCCM 2012 SP1 installed from scratch, I stumbled across this blog when I innocently searched “step by step SCCM install”. What can I say… “THANK YOU!” I only wish I’d found this earlier. Your guides are simply worded, supported by real-life experience with straight down the line installation step by step detail. Thanks to you, my SCCM server install went through in one go and is now live – yet to actually DO anything with it, but that’s for tomorrow! I can’t wait to get SCCM working for me and to see it start to save me and my staff real hours of hard labour. Blogs like this are what make the Internet great.

  8. Hi Paul,

    First, thank you for the very structured blogs!

    Since last week, it is no longer possible to install the CM and client applications during OSD. The operating system is installed, but the client and applications are skipped…

    The only thing I can find (in yellow) in the smsts.log file is: Unsuccessful in releasing P0100043. 80070490.

    SCCM version: 2012 R2 SP1

    Can you help me with this annoying problem?


  9. Paul,

    With a new captured image, the problem is solved. Very weird!

    Anyway thanks for your helpfulness!

  10. Hi Paul,
    I deployed an application with purpose ‘available’ to 80+ clients, so it appears in the local Software Center from where the users can install it themselves. Standard monitoring shows me the successes or failures of the installation (when the user runs the installer), but I cannot find a way to monitor the success or failure of the installer getting into Software Center prior to installation. Is there a way of doing that?

  11. No, I’m not saying that, Paul. The point is that I have no way of monitoring whether it is appearing in Software Center or not. I know it has appeared in some of them, because the users have done the installation and that shows in monitoring. But I would like to anticipate any calls from users if it has failed to appear in their Software Center.


    1. TBH Nigel, if the app is not appearing in the Software Center then the machine is either not targeted or has policy issues or other, but you would need to troubleshoot this on the clients. You can use the ConfigMgr 2012 Toolkit SP1 and run Deployment Monitoring Tool on the client to see if it shows the targeted application and then troubleshoot from there. Otherwise check the Monitoring\Overview\Deployments node in the Console. Find the deployment and check the statuses of the deployments.

    1. Make sure you log your installs. If running msi then use the /L*v .log switch to log the install. You can then take a look and see if anything is holding up this part of the OSD process.

  12. Hi Paul,

    I was wondering if you can help me with something I have come across in my setup at work.
    Basically I have started to notice that when applying the WIM file for the OS, the entire Task Sequence slows down significantly… normally the entire process of building a machine takes up to 30-40 minutes maximum, including all drivers and additional software/tweaks. Now it’s taking a lot longer and in some cases, errors out.

    Do you know of any checks I could do to resolve this?

    I upgraded this infrastructure from SCCM 2012 CU1 to SCCM 2012 R2 CU5, and have not experienced any problems with deployments up until a week or so ago.

    Any help you can provide would be gratefully received.

    Many thanks and see you at the event tomorrow… 🙂


  13. Hi there, Any help on would be appreciated, totally at sea
    Error: The XML content is invalid; check that the XML matches the schema for the SMS task sequence.

    I am completely new to SCCM 2012 ( sccm in general for that matter)

  14. Paul,
    I started out in computing in the early 80s owning a Commodore C64, I studied both Computer Programming and Networking.
    Just started working with SCCM back in December 2015 and frankly this is great site, love the documentation format.

  15. Hi Paul

    Are you aware of any new features in SCCM 1511 or 1602 regarding Client location caching in the SCCM database? Someone mentioned this to me but I can’t find any information regarding it.


  16. Hi Paul.

    I have set up my OSD, and when you look at the progress during the setup, everything seems fine. It goes through everything, saying installing, setting up config manager, applying auto drivers, etc. But none of the drivers install. I have looked at the smsts.log but I have no idea what’s wrong.

  17. Can there be a hardware issue that causes an application not to install?

    I have a number of different Lenovo model computers I am imaging using SCCM 2012. I have set up Office 2016 as a part of the imaging process. On one of the models, the Office install just hangs and never installs. For maybe 2-3 hours it just sits there on the Office install, then all of a sudden moves on to the rest of the task sequence, never actually installing the software. These are refurbished Lenovo T540p laptops. Every other model runs the task sequence as it should, no issues at all.

    All other apps and packages install without issue on the t540p, except the office install. Any thoughts? Hardware, something in the bios maybe?

    1. Are you deploying as an application or package? Check the appenforce.log for any timeouts and also check the Office setup.log for any issues on affected devices. Run the install manually with the same switches but remove any silent commands on one of the laptops to see if anything interferes with the deployment.

  18. Hi Lee,

    This is unlikely to be hardware related… as I’m guessing the other parts of the install work in the usual timeframe that they would on any other piece of hardware.

    If the machine takes a while to install, and moves on after a while – that may be related to the time-out period.

    What may be worth checking is the log file which will give you the best info…
    Check in:

    Windows Operating System – (After the SCCM client is installed) c:\windows\ccm\logs\Smstslog\smsts.log
    Windows Operating System – (When the Task Sequence is complete) c:\windows\ccm\logs\smsts.log

    As a workaround, and presuming this image is generally universal – you may wish to consider “baking” MS office into your original WIM file, though this increases the size it may save you more time going forward.


  19. Application. I also have it setup in our application catalog, and when the rest installs, I try installing from there and it works fine. Like I said, the application installs fine on a different model computer sitting right next to it during the Task Sequence. That is why I was thinking hardware or bios. I looked in the app enforce log like you suggested and I see where it fails, it says “waiting for process 4660 to finish. Timeout =120 minutes”, then when it exceeds that timeout it moves on with installing. Ideas???

    1. Try the same install on the failing hardware manually with all your install switches except silent to see if anything is interfering with the install. Check the office setup log files also

  20. Trying to install a MSI and then move configuration files into the newly created directory. 2012. It’s an application that I want people to be able to download in Software Center. I understand you cannot advertise Packages.

    So I thought script install. My MSI installs but my move doesn’t work. I read people aren’t concise as per what to do. I’ve seen massive VB scripts, powershell magic, and massive batch files.

    I mean how hard should it be to move a file from the local machine to C:\Program Files(x86) somewhere?

    Or even overwrite?

    Download Package Content is pointless because it makes the content in a subfolder. Missed opportunity.

    1. You can advertise packages if that would make your task easier. You could create a .bat file to run the msi file first then do a copy or move from the package source.

  21. Hello Paul,

    I am working on a task sequence that would allow me to apply; OS, drivers, and a couple other items. Then have the task sequence shut down so it can be set on the shelf and restarted later. I am running into an issue with the shutdown and restart. Any thoughts or direction on this?

    Thank you for your time and work on this blog.


    1. Jesse, thanks for the nice comment, glad you like the blog. So I would take a look at the SMSTSPostAction task sequence variable. With this you can specify something to be run as soon as the Task Sequence completes. To use it you create a Task Sequence variable called SMSTSPostAction and then point it to a script on your device or you could simply enter a shutdown command in the value field. Here is a link to all the built-in TS variables: https://technet.microsoft.com/en-us/library/hh273375.aspx?f=255&MSPPError=-2147217396. Hope this helps. Thanks Paul

  22. Hi Paul, hope you are well. Congrats on the MVP award. Have you in your travels had to setup ConfigMgr to support a DMZ environment? There are a number of different posts on the topic, but they do not seem to cover every step. I am in the process of configuring ours, but have hit a problem (the MP in the DMZ is not able to communicate back with the SQL CM_V01 DB in the internal network). Thanks

      1. Hi Paul, thanks for the reply. A bit of background:

        We are installing a site system within the untrusted domain to act as the MP, DP and SUP.

        We are using Configuration Manager 2012 R2 SP1 with a Primary on our internal domain. The primary site server is running Windows 2008 R2 and the CM database is also installed locally. The forest discovery to the untrusted domain is working fine and the devices in the untrusted domain are listed within the Configuration Manager console (we have a one-way trust where the external (DMZ) domain trusts internal). We can resolve hostnames OK between the domains and the schema in the untrusted domain has been extended. I can connect from the primary in the internal domain out to the site server in the external domain via remote registry and WMI.

        I have opened the ports per technet article: https://blogs.technet.microsoft.com/jchalfant/ports-required-for-a-site-system-in-dmz-in-configuration-manager/ (135, 445, 1433 for SQL).

        I am having issues however, with the Management Point role on the site server in the external domain. I can install the role OK, however, the MP does not communicate back with the SQL server on the primary on the internal domain. The following errors appear in the MP_GetAuth.log:

        SQL Server Name : xxx
        SQL Database Name : CM_V01
        Integrated Auth : True
        MPDB Method : Init()
        MPDB Method HRESULT : 0x80004005
        Error Description : null
        OLEDB IID : null
        ProgID : null

        And this error in the MP_Status.log

        SQL Server Name : xxx
        SQL Database Name : CM_V01
        Integrated Auth : True
        MPDB Method : Init()
        MPDB Method HRESULT : 0x80004005
        Error Description : Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
        OLEDB IID : {0C733A8B-2A1C-11CE-ADE5-00AA0044773D}
        ProgID : Microsoft SQL Server Native Client 11.0
        SQL Server Name : xxx
        Native Error no. : 18452
        Error State : 1
        Class (Severity) : 14
        Line number in SP : 1

        We implemented the following workaround as recommended by Microsoft:


        It looks like the connectivity is there, but possibly an issue with authentication. I have had the firewall team run a trace, but they cannot see anything getting blocked.
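
An added example, not part of the original comments: PowerShell that walks "Key : Value" lines in the form pasted above and reports each SQL native error together with the context fields that preceded it. The function name `Get-MpdbSqlLoginFailure`, the hint wording and the sample text are assumptions constructed from the fields quoted in the comment, and the input is assumed to be plain text as pasted rather than the raw log file.

```powershell
# Constructed sample: the MP_Status.log fields exactly as pasted in the comment
# above ('xxx' is the server name as redacted by the poster).
$sample = @'
SQL Server Name : xxx
SQL Database Name : CM_V01
Integrated Auth : True
MPDB Method : Init()
MPDB Method HRESULT : 0x80004005
Error Description : Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
OLEDB IID : {0C733A8B-2A1C-11CE-ADE5-00AA0044773D}
ProgID : Microsoft SQL Server Native Client 11.0
SQL Server Name : xxx
Native Error no. : 18452
Error State : 1
Class (Severity) : 14
Line number in SP : 1
'@

# Hypothetical helper (not an SCCM cmdlet): walks "Key : Value" lines and emits
# one object per SQL native error, carrying the context fields seen before it.
function Get-MpdbSqlLoginFailure {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    $state = @{}
    foreach ($l in $Line) {
        # Split on the first " : " only; the error text itself may contain colons.
        $idx = $l.IndexOf(' : ')
        if ($idx -lt 0) { continue }
        $key = $l.Substring(0, $idx).Trim()
        $state[$key] = $l.Substring($idx + 3).Trim()

        # A record is reported only once its native SQL error number is seen.
        if ($key -ne 'Native Error no.') { continue }

        $integrated = $state['Integrated Auth'] -eq 'True'
        $hint = if ($state[$key] -eq '18452' -and $integrated) {
            'Windows authentication reached SQL Server but the login is from a domain it does not trust: check which domain the connecting account belongs to.'
        } else {
            'Not classified by this example; read the Error Description.'
        }

        [pscustomobject]@{
            SqlServer      = $state['SQL Server Name']
            Database       = $state['SQL Database Name']
            IntegratedAuth = $integrated
            HResult        = $state['MPDB Method HRESULT']
            NativeError    = $state[$key]
            Description    = $state['Error Description']
            Hint           = $hint
        }
        $state = @{}   # start clean for the next record
    }
}

Get-MpdbSqlLoginFailure -Line ($sample -split "`r?`n") | Format-List
```

A record with no native error number, such as the MP_GetAuth.log excerpt where the description is null, produces no output from this example.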


  23. Hi Paul, that is very helpful. I will request this change and see how it goes. I have compiled a list of all the changes I have made to get this solution going, so will have to publish it at some point! Thanks again.

      1. Hi Paul – sorry, just to confirm the SPN change: I am assuming this gets made on the internal (trusted) domain and the syntax should be:

        setspn -A MSSQLSvc/:1433


      2. My assumption here would be that it is set in the untrusted forest on the account that is specified to connect to the DB. setspn -A MSSQLSvc/:1433

  24. Hi Paul, OK, yes that makes sense. I just realised WP takes all the text between “” characters away – thanks for the confirmation. Regards – MPK

    1. Hi Paul, just to let you know – we did get a solution to this issue of supporting our DMZ servers – via Microsoft – I had pointed my service account to the incorrect domain. As soon as this change was made and firewall connectivity resolved – all the best – MPK

  25. Hi Paul,
    Re: https://sccmentor.com/2013/06/12/deploying-exe-files-via-sccm-2012/
    When following the steps of your post, you indicate to use Windows Installer (Native) however it does not show as an option in our system. We are using version 1702. I chose MSI and proceeded through. Test deployments have been successful. I ran this by one of our other techs who recommended that I use a script for .exe installs instead. I am curious if scripts would really make a difference or if SCCM is already handling all that would be necessary in a script. Your expertise would be greatly appreciated.


  26. Hi Paul,

    I follow your blog and have been to many of your WMUG events, but I have now run into an issue that I was hoping you could help me with…

    I have been tasked with creating a task sequence for Windows 10 that will use UEFI instead of legacy BIOS. Is it possible that you could help me with the conversion or cover this in a tutorial/WMUG event?


    1. Sure Ambrish. It’s pretty simple really, although I’m battling with it in WinPE at the mo. FullOS is a breeze. What hardware you dealing with out of interest?

      1. Hey Paul, sorry for the late reply.

        We are using HP devices, I managed to get it to work if I manually set the Bios to Secure Boot then boot off the USB disk (we don’t use PXE), but I would like to initiate that into the task sequence if that’s possible?

        Also Gerry from WMUG mentioned that there was a better way to do the conversion or UEFI disk… if you have any info on that – it would also be appreciated.

  27. Hi Paul,

    I’m looking for the best way to package my applications (msi or exe or whatever …).

    I deploy all my Apps with SCCM but I’m not sure about the best way to create packages (Scripting? AdminStudio? AppV? ThinApp?…)

    So based on your experiences, what are the different tools which are used by other organizations?

    Thank you for your feedback.

    Nicolas PRIGENT

    1. @ Nicolas –

      There is no right or wrong answer, it’s dependent on the app and what level of deployment you want. I normally use batch files with it, even with MSIs. The simple reason is I can do other things in that script i.e. delete desktop shortcuts or add registry entries where necessary.

      Also think about how large the application is or how often it’s used, if it’s common – then maybe “bake” it into the WIM file of your OS to save time in redeployments.

      1. @ Sith

        Thank you for your comment.
        Until now, we also use batch files or PowerShell scripts but it’s complicated to maintain our packages (i.e uninstallation task, update package for new version, deploy on Windows 8.1 and Windows 10).

        We don’t have a packager in our team so we need a simple solution, but I understand that there is no simple solution 🙂

        I think, we will try App-V


  28. Yes, Rory sent me a very detailed email with the following options:

    -Scripted installs
    -or a third party tool named “Numecent Cloudpaging”

    He advised me to check our needs to define the best solution.


  29. Hi Paul, looking for some assistance with Parallels for SCCM Mac Management (running scripts using the client to gather info on our Mac estate) and thought you might be able to assist as Parallels are unwilling to do so. It’s for a corporate so consultancy is an option for you of course depending on if you are able to assist?

  30. Hi Paul, hope all is well. What would be your recommended approach to upgrade a small site (1 primary with DB, with 2 secondary sites – all running Win 2008R2) from 2012 to 1702 baseline?

    I have outlined the following, but just wanted to double check:

    1. Update to Win10 ADK/MDT on SCCM primary
    2. In-Place upgrade SCCM 2012 R2 SP1 to SCCM 1702
    3. In-Place Upgrade OS of SCCM primary from 2008 R2 SP1 to 2012 R2

    I do not think we need the 2 secondary sites anymore as we do not have slow links – but may wait until after the upgrade before removing them.

    Thanks – MPK

    1. Yep that’s fine. You can do the MDT bit last if you want. I would put ADK 1709 on there, upgrade SCCM to 1702 and then in-console upgrade to 1710 + hotfix. Take a look at your SQL also to ensure it is supported in Current Branch. You may need to install a CU to get up to speed.

  31. Hi Paul,

    Thanks for this guide. I have a question regarding updating an application.
    I want to deploy an actual Adobe Reader version for example. How can I supersede the deployed old version
    of the Adobe Reader by deploying the new one?


  32. Hi Paul,

    Would you please shed light on using respective value of user-defined variable in the command-line TS step when devices from the collection are being provisioned?

    I imported devices via csv file containing 5 columns (Name, BIOSGUID, Mac Address, Department, UserName) The Department and UserName are assigned as variables. The csv file contained three records for testing.

    The task sequence, deployed to the collection with those devices as members, included one command-line step (at the end) which creates the user local account based on the value of the UserName variable as defined from the Import Computer Info option in the Ribbon.

    cmd /c net user %UserName% Passw0rd /add

    When the devices were done with provisioning, I logged in to one of them and did not find the created local account under the value from the UserName variable.

    I am not sure if I wrongly dereference (accessing the value of the UserName variable) the UserName with % sign in the command line above.

    Please advise.

    Thank you,
