|
What is everybody who isn't using SCCM/Forefront using for enterprise anti-virus? We are currently using Symantec Endpoint Protection and surprise, it sucks. I'd love to go with Forefront, but our network/server admin doesn't want the headache of setting up/supporting SCCM (I'm in charge of the desktop environment). It was like pulling teeth just to get him to let me build a MDT with WDS server (which I'm currently setting up now and loving). I'd like something that is centrally managed, without being a resource hog on the clients.
|
#
?
May 21, 2013 03:55
|
|
|
|
| # ? May 13, 2024 21:54 |
|
|
We're currently using Sophos and moving to Forefront due to it being included in our CAL. Sophos is pretty great, the central admin works very well, and the client footprint is small. Was very easy to push down the AV to all my clients when we first moved from McAfee 5 years ago. Also Sophos AV let's you block and log apps which is a nice bonus feature.
|
|
#
?
May 21, 2013 04:05
|
|
|
Sophos here as well. I think it's the best option out there for large enterprise AV software suites. I'm not sure how some of the smaller players like ESET or Vipre are in larger environments. Trend or Kaspersky might be worth a look. Both of those are in the 'CIO approved' Gartner quadrant.
|
|
#
?
May 21, 2013 04:30
|
|
|
Sophos is sounding pretty good. I should point out that we aren't a very large institution, just a small private school, with only about 250 or so Windows machines (and another 150 or so Macs).
|
|
#
?
May 21, 2013 05:33
|
|
|
CapMoron posted:Sophos is sounding pretty good. If you need to sell it, it does handle administering mac quite well. Also, you do get to extend a home-license of the AV (Providing you set up your own relay server. But nobody does that, they just have everything call home to sophos). quackquackquack posted:Would AD+GP+WSUS be sufficient for the Windows PCs? WSUS is perhaps the only software microsoft ever got right. For the task it has to tackle, it does it very well. Personally, I've never had luck pushing installs and updates via the core Group Policy that wasn't Microsoft own software. WSUS and GPO are deliberately "ok, but limited in scope" products. This is where SCCM steps in. If you want to keep an entire network up to date on adobe and java, this is what you'll want. incoherent fucked around with this message at 06:07 on May 21, 2013 |
|
#
?
May 21, 2013 06:01
|
|
|
CapMoron posted:Sophos is sounding pretty good. We only have about 250 users as well, all Windows machines. Sophos worked quite well. We also use their email and web appliances. While spendy, they are pretty awesome too.
|
|
#
?
May 21, 2013 12:42
|
|
|
I can't find it anymore, but I thought I read that SCCM 2012 for small environments doesn't require full-blown SQL. Am I crazy, or can you run a standalone site for ~250 clients off of express somehow?
|
|
#
?
May 21, 2013 14:48
|
|
|
SQL Standard or Enterprise is required for the primary site. Secondary sites can use SQL Express.
|
|
#
?
May 21, 2013 14:55
|
|
|
GreenNight posted:SQL Standard or Enterprise is required for the primary site. Secondary sites can use SQL Express. I'm crazy; got it. edit: now I remember, SCCM 2012 client MLs give you rights to run SQL 2012 Standard for SCCM only. I knew there was some reason I didn't need to pay for SQL, I just forgot what that reason was.
|
|
#
?
May 21, 2013 15:36
|
|
|
Mierdaan posted:I can't find it anymore, but I thought I read that SCCM 2012 for small environments doesn't require full-blown SQL. Am I crazy, or can you run a standalone site for ~250 clients off of express somehow? If you own the license to install SCCM it should come with the rights for whatever SQL you need as long as you just use that SQL installation for SCCM e;fb
|
|
#
?
May 21, 2013 16:23
|
|
|
incoherent posted:If you want to keep an entire network up to date on adobe and java, this is what you'll want. Yeah. Technically you can patch Adobe and Java with just group policy but it is a pain in the rear end, very fragile and will basically become your full-time job with how often those two get updated.
|
|
#
?
May 21, 2013 17:24
|
|
|
I would rather patch Adobe and Java with Group Policy instead of SCCM. I would rather Java especially install at startup, when no programs are open. Otherwise I have to set logic in SCCM to warn people to close their browsers, kill them if they don't, and cross my fingers that no other program is using Java. Which isn't to say Java/Adobe play nice no matter how you deploy them, but I don't think it's worse with GP than SCCM.
|
|
#
?
May 21, 2013 17:38
|
|
|
I have tried to deploy VNC in group policy but have no luck. It works fine on my test machine with or without a previous version but not a single computer got the install.  You could always buy 3rd party software that hooks into WSUS and get updates that way. Yaos fucked around with this message at 18:48 on May 21, 2013 |
|
#
?
May 21, 2013 18:45
|
|
|
Yaos posted:I have tried to deploy VNC in group policy but have no luck.
|
|
#
?
May 22, 2013 15:58
|
|
|
Docjowles posted:Yeah. Technically you can patch Adobe and Java with just group policy but it is a pain in the rear end, very fragile and will basically become your full-time job with how often those two get updated. If anyone really doesn't want to use or pay for SCCM and doesn't mind an unsupported open source solution... I've been using WPKG for a few years now to handle my software deployment and patching. First on XP with regular WPKG and now on 7 with WPKG-GP.
|
|
#
?
May 22, 2013 17:47
|
|
|
quackquackquack posted:I would rather patch Adobe and Java with Group Policy instead of SCCM. Adobe updates are pretty easy on SCCM with System Center Update Publisher. Just subscribe to the Adobe update feeds and publish to SCCM. Java on the other hand is still a huge pain in the rear end. Trying to get 32-bit v7 Java to deploy on a x64 OS was a nightmare.
|
|
#
?
May 22, 2013 18:48
|
|
|
Is anyone using USMT to migrate from Office 2007 (or 2010) to Office 2013? I'm using USMT5, but looking at the MigApp.xml, Office 2013 is not mentioned. And nobody else on the internet seems to be talking about it.
|
|
#
?
May 22, 2013 18:57
|
|
|
Sacred Cow posted:Adobe updates are pretty easy on SCCM with System Center Update Publisher. Just subscribe to the Adobe update feeds and publish to SCCM. Java on the other hand is still a huge pain in the rear end. Trying to get 32-bit v7 Java to deploy on a x64 OS was a nightmare. Have you ever configured the System Center Update Published on a Windows 2012 server? I have WSUS and SCUP on the same box but SCUP won't connect to WSUS.
|
|
#
?
May 22, 2013 20:07
|
|
|
Sacred Cow posted:Adobe updates are pretty easy on SCCM with System Center Update Publisher. Just subscribe to the Adobe update feeds and publish to SCCM. Java on the other hand is still a huge pain in the rear end. Trying to get 32-bit v7 Java to deploy on a x64 OS was a nightmare. Nightmare as in "extract the MSI then install that"?
|
|
#
?
May 22, 2013 20:12
|
|
|
I've got a Kyocera 4300DN printer that I'm going to throw out the window. What are you guys using for printers? This one is 60PPM, so I'm looking for something in the similar speed range. I've got to have 4 paper drawers, plus the MP tray. Duplex, black and white only... I know I can go read reviews online, but I have no idea if those amazon reviews are from the manufacturer's employees or not.
|
|
#
?
May 22, 2013 20:55
|
|
|
Spermy Smurf posted:I've got a Kyocera 4300DN printer that I'm going to throw out the window. That's a pretty fast printer. I've had no issues with Ricoh or Toshiba printers. An HP at that level won't be complete trash either. Won't be cheap either though.
|
|
#
?
May 22, 2013 21:06
|
|
|
GreenNight posted:Have you ever configured the System Center Update Published on a Windows 2012 server? I have WSUS and SCUP on the same box but SCUP won't connect to WSUS. I haven't done it on a 2012 box (running on 2008R2) but you have to install a self-signed certificate for SCUP to work with WSUS/SCCM. When going through the setup options on SCUP you have to "Enable publishing to an update server". On that same option screen there is a "Signing Certificate" section. You have the option to create one that you deploy to your environment either through a CA or GPO under the computers "Trusted Publishers".  peak debt posted:Nightmare as in "extract the MSI then install that"? It took me some time to figure out how to get that to work properly in silent mode with SCCM self-service. It was confusing for me (before I actually tried looking up the issue) since Java v6 deployed as an .exe without any issues....mostly.
|
|
#
?
May 23, 2013 15:03
|
|
|
Sacred Cow posted:I haven't done it on a 2012 box (running on 2008R2) but you have to install a self-signed certificate for SCUP to work with WSUS/SCCM. When going through the setup options on SCUP you have to "Enable publishing to an update server". On that same option screen there is a "Signing Certificate" section. You have the option to create one that you deploy to your environment either through a CA or GPO under the computers "Trusted Publishers". Yeah, I got it working. I didn't realize that I'd have to integrate WSUS with SCCM to be able to use SCUP. Currently WSUS runs on it's own.
|
|
#
?
May 23, 2013 15:08
|
|
|
GreenNight posted:Yeah, I got it working. I didn't realize that I'd have to integrate WSUS with SCCM to be able to use SCUP. Currently WSUS runs on it's own. When you're doing updates via SCCM, my understanding is you need a WSUS instance sitting somewhere so it can sync updates from Microsoft. I'm looking into migrating over to SCCM for update deployments due to the limitations of WSUS starting to get really annoying.
|
|
#
?
May 23, 2013 17:28
|
|
|
We're not doing updates via SCCM at all, that's part of it. It seemed more of administrative headache. I would love to do 3rd party updates via SCCM and zero MS updates.
|
|
#
?
May 23, 2013 17:52
|
|
|
This is only sort of a Windows question, so I apologize if it doesn't really fit here, but I hope it's relevant enough to be of interest. I work for a small company with about 25 desktops. I'm looking for a full-disk encryption solution for us. Bitlocker looks pretty great, but if your computers don't have a TPM (most of ours don't), users have to remember their Bitlocker PIN in addition to their password - something I'd like to avoid if I can. Is there a way to buy TPM-enabled desktops at our scale? I'm happy to spend a bit more and go through a real vendor, but I honestly don't know if they'd even return my emails if I just want to buy one or two systems at a time (something we do here fairly regularly).
|
|
#
?
Jun 14, 2013 22:09
|
|
|
vlack posted:Is there a way to buy TPM-enabled desktops at our scale? I'm happy to spend a bit more and go through a real vendor, but I honestly don't know if they'd even return my emails if I just want to buy one or two systems at a time (something we do here fairly regularly). I work for an integrator / VAR. While we normally do servers, we have been known to build workstations for certain customers. We generally don't like selling workstations because workstations tend to get less expensive consumer-grade hardware, which is more prone to failure and has worse warranties, which translates into being a higher cost for us long-term. Our current generation of internal workstations (the ones we use ourselves) is based on the Intel DQ77MK, which includes a TPM. They're pretty nifty. UEFI based, everything and the kitchen sink, legacy-free. They're also part of Intel's long-term production plans, so we can probably get them well into Haswell's lifetime. Alternatively, very frankly, you can get the same hardware off of Newegg if you want to make the trade-off of lower initial price for more spotty warranty coverage and having to deal with individual RMA departments yourself. We currently build ours in the In-Win EM013, but have used the Z583T and Z589T in the past. They're cheap and amazing, never had a power supply fail on one in over eight years of use. We also currently use the quad-core i5 3470S, which is totally overkill for most tasks, but as we use the same build for everyone, and some people need VT-d, etc, hey, why not? Drop me an email at my username at pleh.net and I'll point you at our sales folks. McGlockenshire fucked around with this message at 22:35 on Jun 14, 2013 |
|
#
?
Jun 14, 2013 22:25
|
|
|
McGlockenshire posted:Drop me an email at my username at pleh.net and I'll point you at our sales folks. Cool, email sent. Thanks for the info.
|
|
#
?
Jun 14, 2013 22:53
|
|
|
What are you doing for workstation backups on the LAN? Environment doesn't trust the users at all to use the network drives so they insist on backing up workstations. Using the previous version of Retrospect right now, but the vendor says we're one of their biggest users at ~ 80 server+workstations and I find that hard to believe. Very unreliable so they're currently okay with having basically a weekly backup. Backups should be done every day so I'd like to change that.
|
|
#
?
Jun 18, 2013 00:44
|
|
|
Who the gently caress backs up workstations? Sounds like a terrible idea beyond automating the usual folders to their home directory on the network and backing that up.
|
|
#
?
Jun 18, 2013 00:50
|
|
|
GreenNight posted:Who the gently caress backs up workstations? Sounds like a terrible idea beyond automating the usual folders to their home directory on the network and backing that up. I think that's part of the problem - some people have enough trouble just backing up a handful of servers which they control.
|
|
#
?
Jun 18, 2013 00:52
|
|
|
I'm not sure I'd backup workstations on the LAN, if the policy says save your important poo poo here and people don't then there's not a lot you can do about that - you can't go around making everything IT's problem to solve. For laptops however, gently caress roaming profiles/folder redirection so hard. I've been bitten so many times with it just not working. CrashPlan Enterprise back to your own servers. Hopefully Windows 8.1 with Work Folders should solve this one at last, but I can't be so sure the rest of the OS will be usable in any way.
|
|
#
?
Jun 18, 2013 01:55
|
|
|
We use Syncplicity which is expensive as poo poo but simple for our mobile users. It's basically corporate Dropbox. The rest? We aren't responsible for what you save to your C drive. We make people sign a piece of paper saying so. Gotta have upper management buy in for that though which can be difficult.
|
|
#
?
Jun 18, 2013 02:47
|
|
|
GreenNight posted:We aren't responsible for what you save to your C drive. We make people sign a piece of paper saying so. Gotta have upper management buy in for that though which can be difficult. Seriously this. Backing up workstations is not scalable/sustainable. It's expensive and users will constantly gently caress up the PCs and break your backup agent. It should be policy that important stuff is saved to NAS (which you backup) or tough cookies.
|
|
#
?
Jun 18, 2013 16:40
|
|
|
We're having some issues getting our logon scripts to work without a ugly hack. We have a 2008 domain with Win7 Pro clients; for some reason the guy that was running things decided not to use group policy to map drives. (I am working to change this but it takes a while to get things through the system.) Our network is security with AnyConnect/NAC & ISE. Initially the workstations are on one VLAN; after the user logs in there is a delay (typically 30s but ranging up to 2.5m) while authentication with ISE occurs before the workstation transitions to its "real" VLAN for work. The initial VLAN doesn't have access to any servers except the DCs and some connections for AV and monitoring. The logon script doesn't really work without a big fixed delay (3m currently) due to the lengthy auth period for ISE, as when it normally run the workstation can't actually see any of the servers it's trying to map shares on. The initial "fake" VLAN seems real to the workstation, so waiting for network doesn't work. My initial efforts were to try to minimize the fixed delay by checking periodically to see if the real network was available and then map drives, but for some reason my powershell script (launched via batch file or vbs, didn't seem to matter) didn't execute. (Ran fine when launched directly, just not during logon). So, is there any way to delay execution of logon scripts? If not, am I on the right track with the launch script->wait until real network available->map drives? What could be preventing execution of the second script when called by the first? Thanks.
|
|
#
?
Jun 19, 2013 13:01
|
|
|
That sounds ugly as gently caress. Are your PS scripts are being kicked off via GPO? Microsoft really, really wants PS scripts to be ran in a specific way at login especially if you're not signing and set to execute-all. Too bad you're not running R2 and using DFS-R for netvol and sysvol, you could speed it all up by enabling client fallback to local sysvol and netvol. incoherent fucked around with this message at 09:29 on Jun 20, 2013 |
|
#
?
Jun 20, 2013 09:26
|
|
|
incoherent posted:That sounds ugly as gently caress. Are your PS scripts are being kicked off via GPO? Microsoft really, really wants PS scripts to be ran in a specific way at login especially if you're not signing and set to execute-all. No, they're not currently being kicked off by GPO. That's on the way, but it's not here yet (there's a lot of process and meetings to go through to get a GPO change put in place). Checking, we are actually at 2008 R2 functional level, but I'm not seeing how client fallback helps me. The same domain controllers are used to authenticate no matter what network the clients are on, so they're not failing to other DCs.
|
|
#
?
Jun 20, 2013 12:44
|
|
|
I'm working on building something of a VDI using Hyper-V (Yeah, I know it might not be ideal but just roll with it) and I can't figure out how licensing will work. I'll be building a Windows Server 2012 based back-end, with a few machines handling domain and file server capabilities, then with 5+ Hyper-V Server 2012 hosts connected to those two. If the Hyper-V hosts are running the operating systems that each user will be connecting to, would I need a User CAL for each person connecting to those systems, or can I operate under the impression that it's the guest OS they're using, which won't be directly or indirectly connected to the server back-end? EDIT: I suppose they would "be connected" as they're running on the Hyper-V Hosts, but they'll be operating independently of the domain and network entirely, connecting to a separate network setup for remote access. The current setup is those same OSes running on physical hardware, this is just a transition to a more manageable virtualized setup. CanOfMDAmp fucked around with this message at 20:00 on Jun 20, 2013 |
|
#
?
Jun 20, 2013 18:48
|
|
|
Ever since Vista came out you should have been using GPPs for network drives http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx
|
|
#
?
Jun 20, 2013 22:48
|
|
|
|
| # ? May 13, 2024 21:54 |
|
|
peak debt posted:Ever since Vista came out you should have been using GPPs for network drives Yeah I love this. Mapping drives based on security groups is awesome.
|
|
#
?
Jun 20, 2013 23:15
|
|