r/SCCM

▲ 23 r/SCCM

Learning SCCM & PSADT: Give me your best packaging challenges

Hey everyone,

I'm currently going through SCCM/MECM training and I just hit a massive milestone today—I successfully packaged and deployed my very first application using the PowerShell App Deployment Toolkit (PSADT).

Honestly, seeing the welcome prompt pop up and watching the installation execute perfectly off-heat was incredibly satisfying. I can already see why everyone says PSADT is a lifesaver compared to raw MSI/EXE switches.

Now that I have the basics down, I want to break things in my test lab to actually learn how to handle real-world enterprise chaos.

What are some of the craziest, most complex, or "mad scientist" packaging scenarios you’ve had to build? What are some fun challenges I should try to script out in PSADT to really test my limits?

Whether it's messy user-context configurations, crazy active setup tricks, or wiping out ancient legacy software before a clean install—hit me with your best lab ideas!

u/Mehdi_90 — 1 day ago
▲ 9 r/SCCM

A request for help to better understand branch cache / peer cache

Hello everyone,

I inherited an MECM environment a while ago, and while I'm fairly experienced with packaging apps and selectively updating systems, I've run into a bit of a snafu. Our organization is looking to upgrade our existing 23H2 fleet to 25H2, and we've seen wildly inconsistent behavior with feature updates. For the majority of our users, they appear to get stuck at 0%. The interesting thing is that we have no such issues with regular security updates. Right now I think the issue is our implementation of Branch Cache and Peer Cache, which... appears haphazard.

A little bit of information on the environment before we proceed. It's an air gapped environment with no internet or cloud connectivity. The topology looks like this:

Single Site

HQ - ~500 workstations, primary + failover site servers w/ MP enabled. 2 DPs, both are SUPs (shared content/DB), 1 of which is PXE enabled.

Regional HQ A - ~150 workstations, 1 MP/DP/SUP combo (metadata only, connects to WSUS servers at HQ)

Regional HQ B - ~100 workstations, 1 MP/DP/SUP combo (metadata only, connects to WSUS servers at HQ)

Regional HQ C - ~50 workstations, 1 MP/DP/SUP combo (metadata only, connects to WSUS servers at HQ)

The remaining sites number nearly 80 or so, with varying numbers of workstations between 3 and 15, usually trending toward the higher end.

Outside of one specific location, all clients are desktops, with on

WSUS updates are copied from a separate, online source and imported to the primary HQ server. This process has worked well.

The HQ/Regional HQ usually have workstations that are online 24/7, except for a daily reboot that occurs at night (We're not a 24/7 organization).

The branch sites, however, have workstations that are either powered on 24/7, for a few hours a day, or not at all for weeks at a time.

Anyways, I've never had time to fully examine this environment as much as I've wanted, because it has mostly just worked and my team is already stretched thin as is. Application updates are reliable, workstations remain patched, etc. But this feature update has kicked my ass.

Anyways, I've gone and taken a look at some settings, and what I've found hasn't been pretty. GPOs are enabled which have hard-configured defaults for BITS, Branch Cache, Delivery Optimization, etc. Based on what I've learned, this isn't the correct way to go about it, and this should instead be set to not configured for most settings, with Client Settings taking precedence instead.

As is... Client settings are set to have Peer Cache everywhere, and Branch Cache on no more than a few workstations throughout the network... All of which are located at HQ. I've seen varying things from different time periods, but am I correct in thinking that this should be the reverse, with Branch Cache configured everywhere, and peer cache on more stable workstations (Conference rooms, high uptime workstations, etc.)? Does this seem right? What would you all recommend?

u/FreeK200 — 1 day ago
▲ 11 r/SCCM

How does your company handle stale devices and gaps in patching?

I know some of you guys work for larger companies with tens of thousands of devices. I am curious how your company handles stale devices, or devices that get thrown in a drawer and come out every 30+ days. Do you just allow cleanup to remove them and they're not your problem any more? Do you have any type of alerting for department or device owners? I work in a large manufacturing company where 80% of our workstations are laptops, and I feel like I am in a constant battle of tracking down devices and getting them back online.

I'd love to know what you guys have in place, or do you rely on the Service Desk to track them down and get them updated?

u/funkytechmonkey — 2 days ago
▲ 3 r/SCCM

Windows 11 upgrades

Is anyone else having the worst time getting machines upgraded to 25H2? I fix one issue and then another appears. I feel like I am chasing my tail trying to get machines upgraded this year. Anyone have any advice?

u/ForestFae1920 — 2 days ago
▲ 46 r/SCCM (+1 crosspost)

Built a framework for SCCM-to-Intune migration that eliminates manual Autopilot import — 6.5 hours to 30 minutes, zero touch for help desk

If your organization is transitioning from SCCM to Intune, you've probably run into this problem:

Devices that were imaged with SCCM but have since lost domain connectivity. They're orphaned — you can't reach them through the domain, and the only option Microsoft gives you is a full Dell Cloud BIOS reset which takes 6.5 hours per device. For a fleet of 2,000+ devices that's simply not workable.

I built a framework that solves this. Here is what it actually changes for your team:

**For Help Desk:**

No more manual CSV exports. No more uploading hardware hashes to the Intune portal. No more waiting for sync cycles. The technician selects one dropdown during OOBE — 30 seconds of interaction — and walks away. Everything else is automated.

**For IT Operations:**

You control the Windows image through SCCM task sequences. This means consistent OS version, drivers, and baseline configuration across every device. You are not dependent on whatever version Dell Cloud pushes. Full Windows version control stays with your team.

**For Management:**

Devices automatically join the correct Azure AD dynamic group based on department. The right apps deploy automatically. No post-provisioning reconfiguration needed.

**The result:**

6.5 hours → 30 minutes per device. 92% reduction. Scales to thousands of devices without linear increase in help desk workload.

**How it works:**

The framework uses an SCCM task sequence to deploy a clean Windows 11 image, then during OOBE a popup appears asking the technician to select an organizational unit. The device registers in Autopilot via Graph API automatically, the SCCM client removes itself via SetupComplete.cmd, and the device hands off cleanly to Intune with no dual-management conflicts.

**Five technical challenges I had to solve:**

  1. Showing interactive UI during OOBE — ServiceUI.exe bridges Session 0 to Session 1

  2. Mouse cursor invisibility on physical hardware during early OOBE — multi-layer Win32 ShowCursor fix with continuous timer

  3. Window not receiving keyboard focus — aggressive Win32 activation sequence

  4. Temporary SCCM client installation and auto-removal via SetupComplete.cmd

  5. Graph API Autopilot registration during OOBE before Autopilot handoff begins

Full framework with scripts and documentation:

github.com/alugoju/autopilot-provisioning-framework

Happy to answer questions. The cursor management on physical hardware vs VMs took the most trial and error — hope this saves someone else that headache.

u/Any_Ad_5960 — 2 days ago
▲ 1 r/SCCM

Help with All Signed Execution Policy

Hello all:

I’m really banging my head against the wall on this one. I have a VM imaged with Win11 25H2, and some software installations via Software Center fail. AppDiscovery.log says that the software installation fails because the detection script isn’t signed (Execution Policy is set to “All Signed”). However, the Client Settings say that the PowerShell Execution Policy is set to “Bypass”, and on the VM itself, under the System context, Machine Policy, etc. is Undefined, Undefined, Undefined, and Bypass. These detection methods work on all other machines except this one.

Is there anything else I can check to see what is setting the policy to “All Signed”? I’ve been assured that there’s no Group Policy setting it, but I’m not sure (GPResult pending). All signs in SCCM point to Bypass, so I’m not sure what to do at this point.

u/PlaneswalkingSith — 2 days ago
▲ 3 r/SCCM

Clients saying not online

Guys

Wondering if anyone ran into this issue after upgrading to 2509. I’m beginning to notice a bunch of clients within the console that have the green checkmark, but if I try to manage them or look at their logs, it states the device is not online. I’ve also noticed that when I deploy updates to the same devices, they seem to only get the 365 apps update, not the monthly cumulative update.

u/Munzi1219 — 2 days ago
▲ 2 r/SCCM

April LCU requiring 2 reboots now?

We have mostly W11 24H2 systems, and we've recently seen odd or different behavior when applying the LCU via CM/WSUS: systems need 2 reboots to fully apply the LCU. Is that everyone else's experience as well?

u/Reaction-Consistent — 2 days ago
▲ 3 r/SCCM

Issue with UEFI 2023 certificate updates on Dell OptiPlex 7070

Hi,

We have some OptiPlex 7070s that don't update the UEFI 2023 certificates.

BIOS version is 1.35.0

uefica2023error is 8007015e

Event id is 1800.

It says a reboot is needed but even after restarting more than 5 times, it's still the same.

Do you have the same issue with this model?

Thanks

u/Exorkog — 2 days ago
▲ 2 r/SCCM

Package to Upgrade Windows from ISO is Failing (Unexpected Restart)

I have been deploying Windows 11 24H2 as a feature update for the last several months, but there are some machines that just will not upgrade this way. We successfully upgraded a few of these workstations by copying the Win11 24H2 ISO to the workstations and manually running Setup.exe. I've got too many computers remaining to upgrade them this way, so: automation.

I created a package that uses the extracted ISO (minus the extra .wim files) as its content. The program uses PSADT to execute Setup.exe /auto upgrade /quiet /eula accept /dynamicupdate disable /noreboot /copylogs "C:\Logs\Microsoft\Win11 24H2\10.0.26100.4946".

The PSADT log shows Setup.exe exited with 0 which I then convert to 3010. It's totally unnecessary because the program is configured "Configuration Manager restarts computer."

I've tested this on two VMs and they were both upgraded to Win11 24H2, but SCCM is reporting that they both failed with "Program failed (unexpected restart)". Since SCCM initiated the restart, I'm assuming it's one of the subsequent restarts done by the upgrade process that is breaking this.

Is there any way I can avoid these failures? Should I just ignore them? Is this the most idiotic plan you've ever heard?

u/KnowWhatIDid — 2 days ago
▲ 3 r/SCCM

OSD Boundary Groups with/without Management Point

OSD Task Sequence deployments.

In our case, the local MP is acting as a DP. We noticed that when the MP was associated with the remote site Boundary Group, OSD content download during TS became very slow.

After removing the MP association from the remote site Boundary Group, while keeping only the remote DP assigned, the Task Sequence started working normally, and download performance improved significantly.

What makes this confusing is that Microsoft documentation and recent ConfigMgr changes seem to recommend adding MPs to Boundary Groups.

So now it’s unclear whether this is:

  • expected behavior,
  • a bug/regression,
  • or related specifically to scenarios where the MP is also hosting the DP role.

Interested to know if others experienced the same thing during OSD.

u/Impossible-Daikon126 — 2 days ago
▲ 1 r/SCCM

CMG Woes

Hello all,

Looking for some advice please for some issues I'm facing with my CMG.

My setup:

Hybrid Joined

Co-Managed

Boundaries set up via AD sites.

Public cert provided by Cloudflare

DNS and CNAME all fine

In CcmMessaging.log, I am seeing entries like

IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 1216.

Post to https://CMGNAME/CCM_Proxy_MutualAuth/72057594037978093/ccm_system_windowsauth/request failed with 0x87d00231.

[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set

In LocationServices.log

Failed to send management point list Location Request Message to CMGNAME/CCM_Proxy_MutualAuth/72057594037978093

Failed to get AAD info from CMG with error 0x87d00231, Status Code 0, StatusText

Failed to get CMG metadata 0x87d00231

I've obviously done a search for these errors but found nothing helpful.

Any help would be appreciated, as I'm starting to see a few issues with devices.

Thanks in advance.

u/Byrnzie1982 — 2 days ago
▲ 9 r/SCCM

[SCCM] Best practice for TS ordering when machine certificate is required before CCM client install?

Hi everyone,

I’m building an OSD Task Sequence in SCCM (no MDT) for Windows 11 24H2 and I need advice on the best way to handle a specific requirement before installing the CCM client.

Environment:

  • Pure SCCM OSD, no MDT
  • Hybrid Azure AD Join
  • HTTPS-only site with PKI

Requirements:

Before the CCM client can be installed, the following steps must be completed in the right order:

  1. Computer naming — machines must follow our naming convention
  2. Domain join
  3. AD group membership — the machine must be added to a specific static AD security group
  4. Machine certificate — we use a certificate template scoped to that AD group. Auto-enrollment only triggers once the machine is a member of the group. This certificate is unique per machine and required by the CCM client to authenticate against the Management Point over HTTPS

Questions:

  1. What is the recommended TS step ordering for this kind of scenario?
  2. How do you handle the AD group membership during OSD (no RSAT available in WinPE)?
  3. How do you deal with auto-enrollment timing — how do you make sure the certificate is actually delivered before the CCM client install starts?
  4. Should there be a reboot between domain join and certificate enrollment?

Thanks in advance!

u/Character_Village801 — 3 days ago
▲ 78 r/SCCM

New Wim Wizard release

The final version of Wim Wizard is released (until someone comes up with a new needed feature!). Let's try to summarize what it can do now...

  • It can build a fully patched WIM image from Microsoft ISOs. It supports x64 and ARM64, and Windows Professional or any other Windows edition.
  • By fully patched I mean that it will download all the latest updates from Microsoft, including .NET, and patch Windows, WinRE, WinPE and languages too.
  • It supports Windows 25Hx and 24H2 LTSC. It should theoretically support new versions.
  • It can add any or all of the supported languages from the language ISO to the WIM. Built-in apps will be in the correct language and not English.
  • It can remove some or all of the less needed enterprise applications, like the Xbox apps and Bing Search...
  • It can add Features on Demand like .NET Framework 3.5.
  • It can automatically add the new WIM as a package to SCCM, or update it.
  • You can just choose to patch a WIM and not build it from scratch, and import it into SCCM.
  • Full CLI mode too. You can run almost everything with the Wimwizard.ps1 script. Note that WimWizard-GUI.ps1 needs that script in order to work.
  • It will probably walk your dog and put the kettle on, and it knows all the dad jokes.

There may or may not be bugs. I have tested it quite a lot but there are so many scenarios to test right now that all combinations may exceed the number of dandelions on my lawn. (Yes, I have a lawn. No it is not large.)

If I haven't answered a question or feature request in the original thread, please add them here. I have been trying to read all comments in order to build this version. Thanks!

Oh! One more important thing. Windows Defender really hates DISM and WUSA. There's a script in the repository on GitHub that adds exclusions for those processes, which you can run. But if that feels scary, I've also added the paths and processes in the description text on GitHub. Patching will fail 100% without exclusions. If you're in a locked-down environment where you can't make exclusions, I recommend building the image on a virtual host.

Here's a mini-guide.

First tab. The Wizard will auto-detect Win11 ISOs and the language pack ISO (if you have it) in the folder specified, and will auto-suggest a filename based on version and features added. You may choose ARM64 too, but that requires the correct ISO of course. New is that you can now choose any edition of Windows.

https://preview.redd.it/1zs51fs4yu1h1.png?width=763&format=png&auto=webp&s=8049b9320a9642e3ab2501263ad193a61ea489bc

Language tab. You add languages. :-) There's an SCCM example on the project's GitHub page on how to set the default language in the task sequence.

https://preview.redd.it/4ws3hn801v1h1.png?width=665&format=png&auto=webp&s=9750f38a0ab9243731c55454386cc8a08e97b9ff

Applications. I've preselected the ones I feel can be left out for an enterprise.

https://preview.redd.it/n13s18cb1v1h1.png?width=713&format=png&auto=webp&s=cc2bf9765b6a47822074fd3bc035605266811b1f

Features on Demand. I know many of you wanted to add .NET Framework to the image.

https://preview.redd.it/nevksctj1v1h1.png?width=540&format=png&auto=webp&s=15759d6efacf9222e1a3522d4c05dd0045a8b956

The latest addition is full SCCM integration. Enter your SCCM server name and site code and press Test. The storage path is where the WIM file will end up. The package name template is for the name of the WIM package generated in SCCM. Automatic import and DP update control what happens after you press RUN. You can also choose to create a new package each time you run or build the image, or to replace the old one. In case you have created an image that is not imported, you can do a manual import here, which will do that and nothing more, but it will use the package name suggested in the template. At the bottom you can see the command line in case you want to run the Wimwizard.ps1 version without the GUI.

https://preview.redd.it/9jm3m7o6bv1h1.png?width=762&format=png&auto=webp&s=558897335ede133cac56ee30d98372c8b620f915

A slight change is that I moved the manual patching options to a tab of their own. If you already have a good working image in SCCM that just needs patching, you can point WimWizard to the image and then update it. WimWizard will download the image, patch it, and then either replace the package or create a new package. You can also patch a WIM file that is not in SCCM.

https://preview.redd.it/lkctjf6c3v1h1.png?width=727&format=png&auto=webp&s=5f75cd94f8aa74e7e6a81304049aa368791f88e1

The project is here on GitHub:
TacII/WimWizard: WimWizard is a tool to build fully patched OS images with language packs for use with SCCM/SCEM

//Mathias Haas

u/Unlucky-Honey-1268 — 4 days ago
▲ 0 r/SCCM

Help needed

Setup:

Domain Controller (DHCP server)

SCCM VM: 1st NIC static with default gateway (management)

2nd NIC on imaging VLAN with static IP and no default gateway

Switchport settings for PXE booting: switchport access VLAN 80 (imaging VLAN; the second NIC is also on this VLAN)

helper-address x.x.x.x (Domain Controller running DHCP)

helper-address x.x.x.x (IP address of second NIC on the SCCM server for PXE booting)

The issue I'm seeing in SMSPXE.log is that it is finding my task sequence and putting the machine I am PXE booting (IPv4) into Unknown Computers, which is fine. The last entry in SMSPXE.log is this:

Sending reply to x.x.x.x , DHCP (this x.x.x.x is the default gateway of my imaging VLAN 80, which is the secondary NIC on the VM, on its own virtual port group in VMware as well)

The computer doesn't get past the "attempting to boot from IPv4" screen and goes straight back to the BIOS.

I think the issue is narrowed down to my distribution point settings, the boundaries, and/or DHCP scope settings.

u/Weird-Weakness7254 — 3 days ago
▲ 3 r/SCCM

Cumulative Update Failures

Curious if other people are seeing random failures in Software Center for Cumulative Updates over the last couple of months. Sometimes just reinstalling the update works. Other times we end up downloading the update from the Windows Update Catalog and installing it manually. Very frustrating.

u/Natural_Sherbert_391 — 3 days ago
▲ 6 r/SCCM

How do you remove old users from the SCCM database?

Hi guys

I got two questions regarding user synchronisation in SCCM:

Does Active Directory Group Discovery also sync users within those groups, even though those users are not synced by Active Directory User Discovery? Because we only sync one OU, and I found out that there are a lot of users in our database outside of this OU, and even users from Azure AD (we are hybrid), and I am wondering where those users are coming from.

How do you clean up deleted/inactive users? As far as I know, if you delete a user in AD, it does not delete the record in SCCM. I found a Site Maintenance task named "Delete Aged Discovery Data" and I am wondering if this task is what I am looking for. Or do you guys use another way to delete old users from the database?

Appreciate your feedback!

u/StrugglingHippo — 4 days ago
▲ 5 r/SCCM

Deployment in sccm console

Hi. I noticed this when I want to deploy apps or software updates to multiple collections, or vice versa, deploy multiple apps to a single collection.

Just wondering if it is possible to do the deployment by selecting multiple items at once, like in Intune, or whether you can only do deployments one by one.

u/Disastrous_Mobile_99 — 4 days ago
▲ 6 r/SCCM

Upgrade to 2509 leaves Component Server as Red cross

Hi all - in need of some pointers to try to resolve an issue since upgrading to 2509 last week.

We have only 3 servers in our SCCM setup

  • Site Server with all roles
  • One remote site which is an MP - this is the server having the issue with Component Server
  • One server acting as Fallback Status Point

During the upgrade all pre-reqs passed and there were no errors displayed during the upgrade.

When I check in 'Site Status', I see 'Component Server' for the remote MP marked with a red cross. The other components for this remote MP are marked with a green tick and 'OK'.

In 'Component Status' everything is marked with a green tick and I can't see anything in any logs I've looked in so far.

What can I check or do to try to resolve the issue with the 'Component Server' on the remote MP?

Thanks

https://preview.redd.it/fl2hhqjvo12h1.jpg?width=636&format=pjpg&auto=webp&s=73e52aa06d99cd77c820884c7ccbc5f2221c34ff

u/Civil_Street_1754 — 4 days ago