Friday, July 19, 2013

Prepare ConfigMgr client for Sysprep or Master Image

When building and deploying a master image with ConfigMgr for VDI usage, it's needed that a ConfigMgr client is installed. I did this multiple times in Citrix and VMware environments. Before the image is used for production usage, it's needed to prepare the ConfigMgr client first. Here are the steps that must be followed to do this.

1) Install the ConfigMgr client on the reference system during task sequence deployment or using local installation;
- CCMsetup.exe SMSSITECODE=<Site code>
2) Stop the SCCM client service;
- Start > Run - CMD.exe
- Type > Net stop "SMS Agent Host"
3) Remove the 2 SMS certificates in the local certificate store;
- Start > Run - MMC.exe
- Select Add/Remove Snap-In
- Select Certificates > Add
- Select Computer account > Next
- Select Local computer > Finish > OK
- Expand Certificates > SMS
- Delete both certificates
4) Delete the %SystemRoot%\SMSCFG.ini file;

Additional steps that can be taken to the Endpoint Protection client:
- For VDI, verify a Full Scan has been run on the Master Host Image, and that persistent cache has been populated;
- You can check the value in HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\SFCState (if it’s 7 then it’s complete, on initial install it will be 0);
- To force the persistent cache to generate, RUN (from an elevated CMD):
- CD C:\Program Files\Microsoft Security Client
- Start > MpCmdRun.exe -buildSFC

Just for information:
- You can export the SCEP policy used and change DisableCatchupFullScan and DisableCatchupQuickScan from 0 to 1. After that the policy can be imported again. Not sure if this is needed all times, but it will surely help;
- The policy name in SCEP will be named "Antimalware policy" by default. All SCEP policies applied can be found in registry: "HKLM\Software\Microsoft\CCM\EPAgent\LastAppliedPolicy";
- During buildSFC a logfile (MpCmdRun.log) can be monitored in: "C:\Users\<username>\AppData\Local\Temp". It's possible that buildSFC must be started multiple times because of a timeout 2400 error. Just start it again till it shows "Service stopped. Exiting Idle TaskEnd";
- The cache file created can be found in: "C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\CacheManager". In my case the file was 1,820 KB in size;
- After buildSFC is finished, the SFCState can be found in registry again: "HKLM\Software\Microsoft\Microsoft Antimalware\Scan". The SFCState key should be changed from 0 to 7 then!

After that shutdown the reference image, create a snapshot (optional) and use it for your environment. This prevents multiple objects (with the same name) in ConfigMgr and duplicate hardware ID's (as we had in 2007 version). Hope it helps!

Source: Premier Field Engineering

Update 22-7-2013: Running the buildSFC command is something different then running a full scan on the master image. With a full scan the SCEP client can still start another full scan after using it in VDI. With the buildSFC command it will stop doing that.

Update 13-5-2014: During or after OS deployment the MpCmdRun.log can be found in: C:\Windows\Temp (because no one is logged in during deployment).


  1. Hi Henk

    Do you know how often full scan and/or buildSFC command should be run?
    Is it related to definitions update or does the cache last longer?


    1. Hi Eero, whether the persistent cache should be build again ​​after installing definition updates is not known to me. It's possible that this is done faster, since the cache already exists.

  2. This is great info. Not a lot of doc out there regarding linked clones and SCCM. I'm now working on a way to force, or at least immediately initiate, App-V delivery on newly discovered or online machines without having to wait for policy updates and deadline verification. This gets me one step closer.

  3. Hi Henk

    This is very useful post but I am having a problem that I hope you can help with?
    I am running a full scan using "MpCmdRun.exe -Scan -ScanType 2" which works fine but then when running a "MpCmdRun.exe -buildSFC" it errors with "ERROR: Creating Idle Notifier Context Failed 800704C7". This is not a timeout 2400 error so assume not the issue that you mentioned. I have re-run it significant number of times but makes not difference. Any ideas?



    1. Hi Dave, when you start MpCmdRun.exe -buildSFC instead of MpCmdRun.exe -Scan -ScanType 2, is that a different way? Don't recognize the error mentioned. Hope it helps! HEnk

  4. Is there a way that this could be scripted? I am using MDT to build my reference images, and it would be awesome to install the agent then clean it up before capture.

    1. Yes, this can be done scripted during task sequence. Just install the SCEP agent (with or without SCEP policy), Install the MPAM and NIS definitions and run the MpCmdRun.exe -buildSFC command afterwards. Then you have a fully loaded SCEP installation in the end.

  5. Having some issues with duplicate GUIDS even though we are generalizing the SCCM client as shown above. Thoughts?

    1. When using this on VDI environments I will see them also. SCCM cannot handle that I guess..

    2. Has nothing to do with the environment.

      Configuration Manager client stores most of its information in WMI, in namespaces specific to CCM that are setup as part of CCMSetup. You'd have to go in and remove the GUID from the relevant WMI namespace, and if you have multiple sites you'd have to remove all that site information as well.

      The GUID is only generated if a Site is configured. The client can't be assigned a GUID until it has a Site. This is why you aren't supposed to use the SMSSITECODE switch when installing ConfigMgr for an image (

      I'd recommend reinstalling ConfigMgr without the SMSSITECODE. You can just run CCMSetup.exe locally to configure the SMSSITECODE variable after deployment (literally just add "%SystemRoot%\System32\CCMSetup\CCMSetup.exe SMSSITECODE=XYZ" to SetupComplete.cmd).

      Sysprep only generalizes native Windows settings. CCM isn't native Windows, so its settings in its custom WMI namespaces don't get touched by Sysprep.

  6. Thanks for this post. I have followed the above steps on Windows 2012r2 and 2008rs VM images. After deploying servers from these images, they are brought online, joined to the domain and the CCM client starts communicating with ConfigMgr as expected. SCEP, however, doesnt seem to switch to 'managed' mode. ConfigMgr never recognizes that the server has SCEP client installed. Any suggestions?

    1. Is the agent/service running? Is there a anti-malware policy applied? Are definition updates installed? Maybe the SCEP client is outdated? Hope it helps!