|
The Microsoft technician recommended me to check this post out.
http://www.windows-noob.com/forums/index.php?/topic/4045-system-center-2012-configuration-manager-guides/
It holds a lot of instructions with screenshots.

I myself hit the first small problem. I forgot to order the Reporting Server role to the SQL instance where we installed SCCM2012 and I'm not able to create the reporting point after I later personally created the ReportServer databases and configured it. Didn't have much time to look at it though, so I'm just going to continue tomorrow.

I only have my computer as a client on the site now, and larger deployment is scheduled for next month. It leaves me enough time to prep the software portal and time for me to finally learn deploying operating systems with SCCM.
|
# ? Aug 9, 2012 21:07 |
|
Moey posted:Yea SCCM 2012 buddy! Let me know what you think of that book when you get it. If it's useful I'll pick up a copy myself. From the TOC it looks like more a step by step book than a technical reference (which in my view is a good thing).
|
# ? Aug 9, 2012 21:52 |
|
InfiniteDonkey posted:
The Microsoft technician recommended me to check this post out.

I love this site, it got me through a clean install of SCCM 2007 without too many troubles. I've got high hopes again this time around. In fact, I need to register an account there and see if they can answer some of my imaging questions...
|
# ? Aug 9, 2012 21:55 |
|
InfiniteDonkey posted:
The Microsoft technician recommended me to check this post out.

Funny that you post that. I was following a similar guide, but came across that one via Google. Today my boss sends me the word document of SCCM 2012 install instructions and says that they are from his "SCCM Expert" and are for internal company use (his "expert" is supposed to come in next week for a few hours). After opening said document, I realize it is one of the guides that user posted for download. I wonder if I should tell him it's from the interwebs
|
# ? Aug 10, 2012 03:12 |
|
The switch from packages to applications in 2012 can either be absolutely amazing, or some of the most frustrating work ever. The self service portal can cause support nightmares if you haven't set up your applications perfectly. Make sure you have your detection and app requirements set correctly. App logic should not be difficult at all, but it seems like there is a bit of a learning curve. Most of my day is troubleshooting app models, and it really comes down to you can't cut any corners in your logic.
Also, whoever encounters "CI Version Info Timed Out" issues in deployment reports, we can be best buds and share horror stories.
|
# ? Aug 10, 2012 04:19 |
|
I'm actually curious, which of these products that we currently use could we replace with SCCM 2012, and would it even be worth it?

Symantec Endpoint Protection
Vmware Shavlik patch management
Scriptlogic Assetmanager
Desktop Authority Manager (with licenses for 215 devices) and possibly an additional ~50 servers
Symantec PGP
Symantec Web Security.Cloud
|
# ? Aug 10, 2012 21:55 |
|
System Center could replace the first 4 programs on your list. With some caveats though.

I'm familiar with Shavlik, I used to manage NetChk6.5 for our environment. SCCM can replace that with WSUS and SCCM but it doesn't do the 3rd party patches like Adobe and stuff.

It would completely replace Assetmanager for sure. The Asset and Intelligence in SCCM 2012 is insanely powerful. Want to know what computers have a Texas Instruments 1394 card in them? No problem. Software Metering and inventory is nice as well. I only briefly looked at the product page for Assetmanager but I would bet SCCM does everything it does.

SCCM has an endpoint protection component, but you might find it lacking in certain features depending on what you have Symantec do.

Desktop Authority is going to be the main issue. You can probably get 80% of the functionality of it (from what I've read about online, never used it) from SCCM. The User Environment Config component of DA doesn't really have a counterpart in SCCM, most of that stuff can be handled via Group Policy though.

Depending on your licensing costs, it could very well be worth it. Not sure what your Microsoft Licensing is like, but if you're on any kind of plan with them you could get some pretty aggressive pricing from them. We had a big Enterprise Agreement with them already and were paying for Core and Enterprise CALs for SCCM so all we had to do was pay for a server license. I have no idea what the CAL pricing is like but you would be moving 4 systems to 1, and more than likely saving a bunch of money in the process.

It's a bitch to roll out though, so there's a big time/project planning component to it.

I just started using SCCM 2012 less than a month ago and let me tell you I'm in loving love.
|
# ? Aug 10, 2012 22:32 |
|
skipdogg posted:
System Center could replace the first 4 programs on your list. With some caveats though.

Actually, it will absolutely do third party patching. Adobe provides their own patch definitions specifically for SCCM in fact. The definitions are only for reader x and flash, but better than nothing. You can build your own patches for anything else you want as well.
|
# ? Aug 11, 2012 01:11 |
|
Serfer posted:
Actually, it will absolutely do third party patching. Adobe provides their own patch definitions specifically for SCCM in fact. The definitions are only for reader x and flash, but better than nothing. You can build your own patches for anything else you want as well.

You're right of course, I probably wasn't as clear as I should have been. Shavlik and the other 3rd party patching programs create those packages and automatically download them for you. It's like a subscription service so you don't have to do it.
|
# ? Aug 11, 2012 03:56 |
|
InfiniteDonkey posted:
This was really simple. Forgetting that SCCM 2007 was a single server setup with the SQL in the same server and SCCM 2012 being a dedicated server for the SQL and a dedicated server for SCCM, I just tried to install the role on the wrong server.

Friday I fiddled most with the setting that makes the link with the primary user for a computer. Slowly getting the hang of things. Next week I'm going to create applications, device groups and try deploying windows updates with SCCM.
|
# ? Aug 11, 2012 09:22 |
|
skipdogg posted:
System Center could replace the first 4 programs on your list. With some caveats though.

Thanks for the clarification. I'm not really clued into the licensing/management costs of those systems, so I'm not really sure how much we pay for them. Which features is Microsoft's AV program lacking in compared to Symantec?

Honestly I would rather be doing all of our group log on stuff through GPO rather than with DA. There are some nasty as poo poo caveats when doing registry changes with the Scriptlogic software that WILL bite you in the rear end unless you've read all the tiny fine print in their documentation. Making REG_MULTI_SZ changes? Better be sure as gently caress you're writing your reg key like 'entry1|entry2|entry3' instead of separating them with a space!...and stuff like that.

The one big thing we would be losing would be the remote desktop agent that DA uses, which I will admit is fairly handy.
|
# ? Aug 13, 2012 17:17 |
|
Wicaeed posted:
Thanks for the clarification. I'm not really clued into the licensing/management costs of those

SCCM has Remote Control/Remote Assistance/Remote Desktop built into it. Right Click a device > Start > Remote Control

You can set it up to allow the end user to allow/deny, or to just give you control. The policy for it modifies windows firewall, etc etc.

As for the A/V question, I'm not sure as I haven't used it. I know our current Sophos Console has all sorts of things besides the standard A/V and Malware scanning. Device Control, App Control, etc. etc. My guess is the Endpoint Protection for SCCM is just that... A/V and Malware protection, not all those extra bells and whistles.
|
# ? Aug 13, 2012 17:29 |
|
skipdogg posted:
SCCM has Remote Control/Remote Assistance/Remote Desktop built into it. Right Click a device > Start > Remote Control

This I am pretty excited about. Currently all of our machines have LogMeIn installed. So if I do not feel like walking to a user's desk, I just connect with LMI. While it works, I really like using SCCM and Remote Control instead.

So my journey into SCCM is going pretty well so far. I just found out that when you purchase SCCM 2012, you get a license to run SQL standard for SCCM to use. I am having some hangups installing it and having it point at an existing SQL server.

Now for the fun. On the first day I worked with only a very small (2) set of test computers. That was the only OU that I had SCCM discover so I wouldn't roast anything in production. Was able to successfully do a client push to both of those. Then create a software update group to patch flash (both activeX and plugin) to the most current version. Pretty sad that this is exciting, but I want our next pen test/vuln scan to come back with a big smiley face on it.

My boss is pushing me aggressively to start pushing out some patches to production. I am modifying my discovery methods to now include production workstations OUs. Just out of curiosity, how often does everyone have this polling? I have about 300 items within that OU, and it seemed to poll it pretty instantly, so I don't think having it poll every 3 hours or so should be an issue in production.

Also preferred collection methods? For the basic stuff I am doing now, I am finding it easiest to create collections based on query, then just have it hit a specific OU. Anyone doing anything different?

Edit: Random tip! When you create a collection, I would advise setting up maintenance windows on it. While it doesn't seem like a big thing, it could prevent you/someone from pushing out updates/sw/whatever during mid day. To set this, right click on a collection, and go to properties. This is then set in the Maintenance Windows tab.

Moey fucked around with this message at 18:53 on Aug 17, 2012
|
# ? Aug 17, 2012 18:49 |
|
The way we do maintenance windows is we have a set of nested collections that set them. There's WSUS Final, inside of that is WSUS General, inside of that is WSUS Test (they're called WSUS because it was set up by an old grey beard and it will forever be WSUS). Final has the smallest maintenance window, general slightly bigger, and test is always in a maintenance window for testing. If you start setting maintenance windows all over you could get confused about how a maintenance window is being set on a particular client (because your clients will be in multiple collections).
|
# ? Aug 17, 2012 19:33 |
|
FISHMANPET posted:
The way we do maintenance windows is we have a set of nested collections that set them. There's WSUS Final, inside of that is WSUS General, inside of that is WSUS Test (they're called WSUS because it was set up by an old grey beard and it will forever be WSUS). Final has the smallest maintenance window, general slightly bigger, and test is always in a maintenance window for testing. If you start setting maintenance windows all over you could get confused about how a maintenance window is being set on a particular client (because your clients will be in multiple collections).

Interesting to know! I never thought about nesting them. We have a small enough environment where we will not have that many collections (only internal work).

Are you using SCCM for 3rd party patching as well? If so, are you rolling things yourself, or using something like Shavlik (vCenter Protect Update Catalog)?

Edit: Also the "consultant" that I worked with for a little advised I install "RightClick Tools". So far I have found them pretty handy.
http://eskonr.com/2012/05/sccm-2012-right-click-tools/
|
# ? Aug 17, 2012 20:21 |
|
We're still using 2007, and we use SCCM to push out updates to 3rd party software, but not through Software Updates. I've got a complex series of queries that find computers that have the currently "compliant" version of Software X, and if it doesn't have that, it advertises a program to it to install the compliant version. I haven't looked into 2012 much yet, but it sounds like that process is a lot simpler?
|
# ? Aug 17, 2012 20:51 |
|
FISHMANPET posted:
We're still using 2007, and we use SCCM to push out updates to 3rd party software, but not through Software Updates. I've got a complex series of queries that find computers that have the currently "compliant" version of Software X, and if it doesn't have that, it advertises a program to it to install the compliant version. I haven't looked into 2012 much yet, but it sounds like that process is a lot simpler?

Far simpler if you're using an app model. Create the app, create a detection rule for the newest version or later, deploy it to all machines. If you only want it to install for machines that have a previous version just set that requirement in the app. I cannot gush enough about intelligent app deployment.
|
# ? Aug 18, 2012 01:24 |
|
spidoman posted:
Far simpler if you're using an app model.

Oh god this sounds so awesome. We have that set up right now, except it requires 4 collections and 3 queries for each piece of software.
|
# ? Aug 19, 2012 04:44 |
|
I feel like I'm misunderstanding something very simple with file permissions. I have a new domain and I want to be able to use an admin account to browse through people's redirected folders and roaming profiles if needed. I already figured out the group policy that adds the Administrators group to newly created profiles but now I'm going back to the existing profiles and trying to fix them too. I've got a folder with BUILTIN\Administrators having Full Control but I can't browse it without getting the pop-up saying "You don't have permission, click Continue to add it permanently" and then it adds my specific user account with Full Control. The server is joined to the domain and I verified that Domain Admins is a member of BUILTIN\Administrators, and my admin account is a member of Domain Admins. It seems like everything is correct, but it's still not working. Any ideas?
|
# ? Aug 21, 2012 19:25 |
|
Explorer doesn't run in an elevated context in Win7/2008R2 no matter what you do. So you can either run something like Explorer++ as Admin (Right click run as administrator) on the server, or browse it from a remote computer (because accessing a share remotely gives you your full elevated permissions).
|
# ? Aug 21, 2012 20:30 |
|
To expand on what FISHMANPET said, if you run whoami /groups at a command prompt, notice that BUILTIN\Administrators is a deny only group. Now run it at an elevated command prompt and notice that it's now an enabled group. To take advantage of permissions granted to BUILTIN\Administrators, you need to run in an elevated context. Since you cannot run Explorer in an elevated context, you can never take advantage of those granted permissions.
|
# ? Aug 21, 2012 20:39 |
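The deny-only behaviour described in the two replies above, as an added example that is not part of any poster's message: it classifies the Administrators entry in `whoami /groups /fo csv` output, and lists the per-user Full Control entries that Explorer's "Continue" prompt leaves behind on profile folders. The folder root `D:\Profiles`, the `EXAMPLE\adm-*` account pattern and both function names are hypothetical; English-language `whoami` output is assumed.

```powershell
# Added example, not code from the thread. Needs Windows PowerShell 3.0 or later.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
$AdminSid = 'S-1-5-32-544'

function Get-AdministratorsTokenState {
    # Input: the lines of `whoami /groups /fo csv` (English-language output assumed).
    # Output: how BUILTIN\Administrators appears in that access token.
    param([Parameter(Mandatory = $true)][string[]]$CsvLines)

    $row = $CsvLines | ConvertFrom-Csv | Where-Object { $_.SID -eq $AdminSid }
    if (-not $row) { return 'NotMember' }
    if ($row.Attributes -match 'deny only')     { return 'DenyOnly' }  # filtered, non-elevated token
    if ($row.Attributes -match 'Enabled group') { return 'Enabled' }   # elevated token
    return 'Unknown'
}

function Find-ExplicitUserGrant {
    # Lists non-inherited Allow entries granted to individual accounts on each
    # first-level folder under $Root. These are the ACEs that accumulate when an
    # admin clicks "Continue" in Explorer instead of using an elevated tool.
    # Run from an elevated session so the ACLs can be read.
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$AccountPattern   # wildcard, e.g. 'EXAMPLE\adm-*'
    )

    Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -LiteralPath $folder).Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -like $AccountPattern
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

# Constructed sample: the same admin account before and after elevation.
$nonElevated = @(
    '"Group Name","Type","SID","Attributes"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
)
$elevated = @(
    '"Group Name","Type","SID","Attributes"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"'
)

Get-AdministratorsTokenState -CsvLines $nonElevated
Get-AdministratorsTokenState -CsvLines $elevated

# Live use on the file server (hypothetical path and account pattern):
# Get-AdministratorsTokenState -CsvLines (whoami /groups /fo csv)
# Find-ExplicitUserGrant -Root 'D:\Profiles' -AccountPattern 'EXAMPLE\adm-*'
```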
|
Thanks. Takeown.exe is giving me some trouble with recursing so it looks like I'll have to try something with powershell tomorrow.
|
# ? Aug 22, 2012 00:27 |
|
I'm having some issues with my SCCM 2012 reporting.... I haven't had time to get the consultant back out to look at it, so I figure I'll take a stab here.

I can only run reports from the DB server itself. The reporting node of the console comes back with a 401 unauthorized, and going to http://dbserver/Reports just prompts for authentication over and over and over again from any other machine. I've looked at logs, checked permissions... can't figure it out. I know it's something stupid too...

edit: it's fixed. I had already started ripping out reporting services and reinstalling it when I came across a blog post about SPNs and running reporting services under a user account instead of the system account. The consultant had set up reporting services to run under a user account, and without the proper SPNs registered it wouldn't auth... could have been an easier fix than ripping out reporting and reinstalling it (and then patching it), but whatever. Reporting actually works now.

skipdogg fucked around with this message at 20:22 on Aug 22, 2012
|
# ? Aug 22, 2012 15:03 |
|
So I'm getting annoyed with SCCM2012. I've turned a server into a software update point. Synchronized all my updates, changed group policy so everyone points to the sccm WSUS server and waited. Things started to update but they're completely wrong. I'm looking at IE9 deployments and it says that 81 are compliant, 148 not required and 3 required. What's the difference between not required and required? How does it pick up that differential? I know that 148 do not have IE9. What I do???
|
# ? Aug 23, 2012 18:12 |
|
Cpt.Wacky posted:
Thanks. Takeown.exe is giving me some trouble with recursing so it looks like I'll have to try something with powershell tomorrow.

It turns out that takeown.exe has issues running over the network and craps out after a few folders. I ended up logging in to the server hosting the profiles and running these two commands:
code:
|
# ? Aug 23, 2012 18:35 |
|
I've got a KMS Server question for everyone. I don't have one installed yet and I have been relying on MAK instead. We've got some old XP computers that we want to update to Windows 7 and I figured it was a great time to put in the KMS server and get switched over. As I was going through the documentation I saw that you need to have at least 25 clients trying to activate before a client will activate successfully. So my question is, if we can't do this complete rollout in 30 days and say we have 24 clients switched over on KMS, what's going to happen? Are they going to go into unlicensed mode since they haven't been activated?
|
# ? Aug 23, 2012 22:33 |
|
Yeah, they'll complain about not being genuine software. I believe you can use the rearms to extend it by 30 days if you still have any left.
|
# ? Aug 24, 2012 00:02 |
|
Noghri_ViR posted:
I've got a KMS Server question for everyone. I don't have one installed yet and I have been relying on MAK instead. We've got some old XP computers that we want to update to Windows 7 and I figured it was a great time to put in the KMS server and get switched over. As I was going through the documentation I saw that you need to have at least 25 clients trying to activate before a client will activate successfully. So my question is, if we can't do this complete rollout in 30 days and say we have 24 clients switched over on KMS, what's going to happen? Are they going to go into unlicensed mode since they haven't been activated?

You can always create W7 virtual machines to increase the KMS client count.
|
# ? Aug 24, 2012 00:22 |
|
Has that changed recently? I swear when I was first setting it up a while ago that virtual servers didn't count and I wasn't sure about virtual 7 counting. Now I'm finding an MS page that says they all count.
|
# ? Aug 24, 2012 01:46 |
|
Attempting to deploy my first software update group to a collection of ~260 workstations tonight, hopefully this doesn't blow everything up! It did work properly on my test collection of two workstations, and my admin collection of 10 workstations, so I have some mild faith. Tomorrow I begin work on trying to get our mess of Java installs controlled.
|
# ? Aug 24, 2012 03:49 |
|
Today watching Don Jones give a crash course into powershell and powershell remoting has finally gotten me to understand what I'm missing by not using it so much. Time to say byebye to cmd.exe and replace it on the taskbar with powershell.
|
# ? Aug 24, 2012 04:24 |
|
Moey posted:
Attempting to deploy my first software update group to a collection of ~260 workstations tonight, hopefully this doesn't blow everything up!

Heh, so much for that software update group deploying smoothly. Failed on every workstation. I got back an error description of "Group Policy Conflict". A little google work is showing me that it may relate to a GPO that we have applied to that specific OU that points Windows Update on those workstations to our existing WSUS server. I have not changed this since I am not handling MS patches with SCCM yet. Looks like I may have to get that changed sooner than later.
|
# ? Aug 24, 2012 12:24 |
|
Noghri_ViR posted:
I've got a KMS Server question for everyone. I don't have one installed yet and I have been relying on MAK instead. We've got some old XP computers that we want to update to Windows 7 and I figured it was a great time to put in the KMS server and get switched over. As I was going through the documentation I saw that you need to have at least 25 clients trying to activate before a client will activate successfully. So my question is, if we can't do this complete rollout in 30 days and say we have 24 clients switched over on KMS, what's going to happen? Are they going to go into unlicensed mode since they haven't been activated?

My team ran into this a few weeks ago while prepping for 2012. Turns out you can activate currently running machines against it. No need to spin up a bunch of VMs. Slmgr.vbs /skms *New KMS IP:Port*, then /ato. It worked for us, but I'm not sure about XP-to-7. You can force it that way, or wait for everything else to reactivate.
|
# ? Aug 27, 2012 03:50 |
|
FISHMANPET posted:
The way we do maintenance windows is we have a set of nested collections that set them. There's WSUS Final, inside of that is WSUS General, inside of that is WSUS Test (they're called WSUS because it was set up by an old grey beard and it will forever be WSUS). Final has the smallest maintenance window, general slightly bigger, and test is always in a maintenance window for testing. If you start setting maintenance windows all over you could get confused about how a maintenance window is being set on a particular client (because your clients will be in multiple collections).

You can't do nested Collections with ConfigMgr 2012. You can however do rules to progressively expand your patch deployments. Details here: http://technet.microsoft.com/en-us/library/gg712673.aspx
|
# ? Aug 27, 2012 08:52 |
|
Nitr0 posted:
So I'm getting annoyed with SCCM2012. I've turned a server into a software update point. Synchronized all my updates, changed group policy so everyone points to the sccm WSUS server and waited. Things started to update but they're completely wrong. I'm looking at IE9 deployments and it says that 81 are compliant, 148 not required and 3 required. What's the difference between not required and required? How does it pick up that differential? I know that 148 do not have IE9. What I do???

ConfigMgr uses a local policy that's applied to the workstations as part of the client install to point the client to the Software Update point. You shouldn't have a group policy for WSUS defined or it won't work correctly.
|
# ? Aug 27, 2012 08:54 |
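One way to check a client for the WSUS policy clash described above and in the earlier "Group Policy Conflict" post, as an added example that is not part of any poster's message. A domain GPO and the ConfigMgr client's local policy both end up in the same Windows Update policy registry key, so the check compares the effective `WUServer` value with the software update point. The server names, the port 8530 URL and the function names are hypothetical.

```powershell
# Added example, not code from the thread.
# Registry location of the effective Windows Update policy on a client.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Reads the policy values from the local registry; missing values come back as $null.
    $wu = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuPolicyKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function ConvertTo-NormalizedUrl {
    # Lower-cases the host, makes the port explicit and drops any path or trailing
    # slash, so 'http://SCCM01:8530/' and 'http://sccm01:8530' compare as equal.
    param([string]$Url)

    if ([string]::IsNullOrEmpty($Url)) { return $null }
    $u = [uri]$Url
    if (-not $u.IsAbsoluteUri) { return $Url.ToLower() }
    '{0}://{1}:{2}' -f $u.Scheme, $u.Host.ToLower(), $u.Port
}

function Test-WuPolicyConflict {
    # Compares the policy on the client with the software update point it should use.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Policy,
        [Parameter(Mandatory = $true)][string]$SoftwareUpdatePoint
    )

    $expected = ConvertTo-NormalizedUrl $SoftwareUpdatePoint
    $actual   = ConvertTo-NormalizedUrl $Policy.WUServer

    if (-not $actual) { return 'NoPolicy' }
    if ($actual -ne $expected) {
        return "Conflict: WUServer is $actual, software update point is $expected"
    }
    if ($Policy.UseWUServer -ne 1) { return 'ServerSetButUseWUServerOff' }
    'Match'
}

# Constructed sample: a domain GPO still points the OU at the old WSUS server.
$gpoStillApplied = @{
    WUServer       = 'http://wsus01.example.local'
    WUStatusServer = 'http://wsus01.example.local'
    UseWUServer    = 1
}
# Constructed sample: only the ConfigMgr local policy is in effect.
$localPolicyOnly = @{
    WUServer       = 'http://sccm01.example.local:8530'
    WUStatusServer = 'http://sccm01.example.local:8530'
    UseWUServer    = 1
}

Test-WuPolicyConflict -Policy $gpoStillApplied -SoftwareUpdatePoint 'http://SCCM01.example.local:8530/'
Test-WuPolicyConflict -Policy $localPolicyOnly -SoftwareUpdatePoint 'http://SCCM01.example.local:8530/'

# On a client (hypothetical software update point URL):
# Test-WuPolicyConflict -Policy (Get-WuPolicy) -SoftwareUpdatePoint 'http://sccm01.example.local:8530'
```

A matching value does not show which policy wrote it; `gpresult /r` on the client lists the GPOs that were applied.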
|
I pointed it to the same server that the configmgr sets it to but just for kicks I got rid of it and it didn't change anything. Machines still point to the same location but for example I wanted to deploy IE9 however a bunch of machines with IE8 say they're compliant. POUR QUIIIIIII
|
# ? Aug 27, 2012 15:50 |
|
Nitr0 posted:
I pointed it to the same server that the configmgr sets it to but just for kicks I got rid of it and it didn't change anything. Machines still point to the same location but for example I wanted to deploy IE9 however a bunch of machines with IE8 say they're compliant.

You need to find out what the IE 9 "patch" is looking for to verify compliance. Because that's on the computers.
|
# ? Aug 28, 2012 02:06 |
|
Quick question for those patching Windows with SCCM 2012. When you are breaking up your Windows patches, do you break them up by OS (XP, 7), then distribute them to a collection that is limited by corresponding OS? Or is that overkill and just apply all those patches to all workstations, and let SCCM figure it out? Any advantages/disadvantages to either way?
|
# ? Sep 3, 2012 17:29 |
|
Has anyone effectively used a Managed Service Account at all? Every time I read about them it seems like they are a silver bullet for creating service accounts, but nothing Microsoft makes uses them. Can't use them for SQL, can't use them for AD RMS.
|
# ? Sep 5, 2012 08:09 |
|
incoherent posted:
Has anyone effectively used a Managed Service Account at all? Every time I read about them it seems like they are a silver bullet for creating service accounts, but nothing Microsoft makes uses them.

SQL Server 2012 added support for the Managed Service Account.
|
# ? Sep 5, 2012 19:26 |