Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


I was running my build and capture routine today and ran into this:

http://ardamis.com/2014/06/12/microsoft-security-update-kb2965788-requires-multiple-restarts/

I normally get around this poo poo by using offline servicing to apply the update that causes multiple reboots. Unfortunately, it seems that offline servicing determines that this update is not required and won't install it. It does become required somehow during the build and capture routine though. The funny thing is if I run the routine without that update and then go and try to apply the update using offline servicing on the captured image, it installs. This all makes sense because...uh...Microsoft? :shepface:

I get why it is marked as not applicable then becomes applicable later but nonetheless come the gently caress on Microsoft. Either fix SCCM so these updates don't break task sequences or fix the updates so they don't break SCCM. These updates are like landmines in the updates catalog that you have to be careful of lest you run into one and waste hours of your time.

I need a drink.

FYI: http://support.microsoft.com/kb/2894518 is a good link to have on hand as a list of lovely updates that cause this issue.


Demie
Apr 2, 2004
One of the main tricks to working with SCCM is to recognize the things it's supposed to do, but can't, and work around them accordingly.

The best way to avoid the double update problem is to make a separate server with its own MDT install, and make your B&C task sequences with MDT. That is the cleaner and better way to build images, and it will load every applicable update on the WSUS reliably, and the multiple reboot bug doesn't affect it.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


I work around them by offline servicing them in, which has the benefit of making the build and capture routine a lot faster.

This one is just an oddball where it relies on a previous update. That previous update is one of those "pending reboot" ones where it doesn't fully apply until after Windows has booted.

I got around it by removing that one update from the BnC group and then offline servicing it in after the BnC had run.

I really should start using MDT though.

THF13
Sep 26, 2007

Keep an adversary in the dark about what you're capable of, and he has to assume the worst.
Anti virus license at my current company is going to expire next month and was wondering if anyone had any recommendations for a corporate anti virus? Need something with remote administration, approximately 150 licenses. We're 100% Windows 7. Currently using AVG which has been fine, just curious if there's something better (for approximately the same price).

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
ESET

Thalagyrt
Aug 10, 2006


Yeah, ESET.

Cpt.Wacky
Apr 17, 2005

Thalagyrt posted:

Yeah, ESET.

Thirding ESET. We've been on it for years with no problems.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I'm a big Sophos fan, but for only 150 seats I would go ESET as well.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Number19 posted:

I was running my build and capture routine today and ran into this:

http://ardamis.com/2014/06/12/microsoft-security-update-kb2965788-requires-multiple-restarts/

I normally get around this poo poo by using offline servicing to apply the update that causes multiple reboots. Unfortunately, it seems that offline servicing determines that this update is not required and won't install it. It does become required somehow during the build and capture routine though. The funny thing is if I run the routine without that update and then go and try to apply the update using offline servicing on the captured image, it installs. This all makes sense because...uh...Microsoft? :shepface:

I get why it is marked as not applicable then becomes applicable later but nonetheless come the gently caress on Microsoft. Either fix SCCM so these updates don't break task sequences or fix the updates so they don't break SCCM. These updates are like landmines in the updates catalog that you have to be careful of lest you run into one and waste hours of your time.

I need a drink.

FYI: http://support.microsoft.com/kb/2894518 is a good link to have on hand as a list of lovely updates that cause this issue.

You can't do those updates with "Apply Updates" but you can wrap them up in a package and put them onto the machine with "Install Package" if you select "Installer reboots the computer on its own".

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


peak debt posted:

You can't do those updates with "Apply Updates" but you can wrap them up in a package and put them onto the machine with "Install Package" if you select "Installer reboots the computer on its own".

Since I had to pull them out of the update group anyways I just left it out of the build and capture update group and offline serviced them into the built image. I've also made a note to check KB2894518 every time I do a BnC to find any of these trouble updates and pull them from the BnC update group.

It's just annoying in the long run but that's part of administering Enterprise Microsoft stuff.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Has anyone implemented a proper Word macro signing solution in their domain? I've looked around but there doesn't seem to be a Microsoft step-for-step guide, or best practices FAQ for that.

As far as I've seen:
- The default setting is that both unsigned and signed macros pop up a warning, then execute if you confirm that warning.
- You can set a group policy to run every macro, unsigned or signed, automatically. Aka the bend me over setting.
- You can set a group policy to never run an unsigned macro and pop up a warning for signed ones.

What you notably cannot do is set a policy to never run unsigned macros and always run signed ones.

We have a shitload of macro enabled word documents, so disabling them isn't an option. Forcing people to constantly click on confirm prompts isn't going to be a popular decision, and it's not like conditioning users to automatically click on "Enable" 200 times a day is going to do positive things to security anyway.

I'm kind of wondering what to do here...

PUBLIC TOILET
Jun 13, 2009

peak debt posted:

Has anyone implemented a proper Word macro signing solution in their domain? I've looked around but there doesn't seem to be a Microsoft step-for-step guide, or best practices FAQ for that.

As far as I've seen:
- The default setting is that both unsigned and signed macros pop up a warning, then execute if you confirm that warning.
- You can set a group policy to run every macro, unsigned or signed, automatically. Aka the bend me over setting.
- You can set a group policy to never run an unsigned macro and pop up a warning for signed ones.

What you notably cannot do is set a policy to never run unsigned macros and always run signed ones.

We have a shitload of macro enabled word documents, so disabling them isn't an option. Forcing people to constantly click on confirm prompts isn't going to be a popular decision, and it's not like conditioning users to automatically click on "Enable" 200 times a day is going to do positive things to security anyway.

I'm kind of wondering what to do here...

Yeah not too sure on that one. I went with the "bend me over setting" to be perfectly honest because of the sheer amount of applications in use at our company. A lot of them are applications that are tightly integrated with Excel/VBS scripting. The one thing we've recently been using GPO for though is to add new Trusted Locations for Excel & Word via a .reg file that points to an HKCU modification. Basically we locate the users in ADUC that need this change, add them to a custom ADUC group, then tell GPO to apply the .reg file to any user that's a member of that ADUC group. This way when the end-user logs in to any domain PC, GPO applies the modification to HKCU upon logging in. Don't know if that gives you any ideas, but that might work for you if you want to go that route. Obviously you would need to know what your Trusted Locations should be for those macros.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
I tried the Trusted Locations thingy too. Unfortunately it takes precedence over macro signing so if you add the standard file drive to the trusted locations, and somebody saves an unsigned macro there, it runs, even if you have the group policy "Only run signed macros" activated. What happened to deny over allow, Microsoft :mad:
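
Added example (not part of any post in this thread): a Python check for the .reg file approach discussed above. It lists Trusted Locations entries that sit on shared storage and notes where the same file also sets the signed-macros-only policy (`VBAWarnings` = 3) that those locations would override. The sample .reg content is constructed; the Office version 15.0, the server name, the paths, and the "UNC or non-C: drive means shared" heuristic are assumptions.

```python
import re

# Constructed sample .reg content (not from the thread). The Office version
# (15.0), server name and paths are assumptions for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Word\Security]
"VBAWarnings"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\Trusted Locations\Location10]
"Path"="\\\\fileserver\\shared\\"
"AllowSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security\Trusted Locations\Location11]
"Path"="C:\\Program Files\\LOBApp\\Templates\\"
"AllowSubFolders"=dword:00000000
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=(.*)$')
SECURITY_KEY = re.compile(r'\\Office\\[\d.]+\\(\w+)\\Security$', re.I)
LOCATION_KEY = re.compile(
    r'\\Office\\[\d.]+\\(\w+)\\Security\\Trusted Locations\\(\w+)$', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = VALUE.match(line)
        if value and current is not None:
            name, raw = value.groups()
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # .reg strings escape backslashes and quotes with a backslash
                current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys

def audit_trusted_locations(text):
    """List trusted locations that look like shared storage."""
    # Heuristic (assumption of this example): a UNC path or a drive letter
    # other than C: is treated as a share that many users can write to.
    keys = parse_reg(text)
    # Apps whose policy is VBAWarnings=3: disable all macros except signed ones.
    signed_only = set()
    for key, values in keys.items():
        m = SECURITY_KEY.search(key)
        if m and values.get('VBAWarnings') == 3:
            signed_only.add(m.group(1).lower())
    findings = []
    for key, values in keys.items():
        m = LOCATION_KEY.search(key)
        path = values.get('Path', '')
        shared = path.startswith('\\\\') or (
            path[1:2] == ':' and path[0].upper() != 'C')
        if m and shared:
            findings.append({
                'app': m.group(1),
                'location': m.group(2),
                'path': path,
                'subfolders': values.get('AllowSubFolders', 0) == 1,
                'overrides_signed_only': m.group(1).lower() in signed_only,
            })
    return findings
```

Running `audit_trusted_locations(SAMPLE_REG)` reports only the Word location on the file server; the local Excel template folder is not flagged.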

lol internet.
Sep 4, 2007
the internet makes you stupid
Moving to Win 8.1 soon. What's the easiest way to customize the start menu for the end user? I basically want to just add the Office 2013 icons.. it doesn't look like I can just drag it into a folder during deployment..

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

lol internet. posted:

Moving to Win 8.1 soon. What's the easiest way to customize the start menu for the end user? I basically want to just add the Office 2013 icons.. it doesn't look like I can just drag it into a folder during deployment..

How about with a GPO?

http://technet.microsoft.com/en-us/library/dn467928.aspx

Here is another link that details how to export the XML of a Start screen that you set up perfectly:

http://www.grouppolicy.biz/2013/06/customising-windows-8-1-start-screen-layout-with-group-policy/

This one is really good too:

http://stealthpuppy.com/customizing-the-windows-8-1-start-screen-dont-follow-microsofts-guidance/

GreenNight fucked around with this message at 18:39 on Aug 14, 2014

CISADMIN PRIVILEGE
Aug 15, 2004

optimized multichannel
campaigns to drive
demand and increase
brand engagement
across web, mobile,
and social touchpoints,
bitch!
:yaycloud::smithcloud:
I have a server 2012 vm that throws a bunch of weird errors in the windows event log when the unitrends backup box tells vcenter 5.5 to take a snapshot so it can do a backup of the VM.

See below for the errors.
http://kb.vmware.com/selfservice/mi...ernalId=2006849

Basically the fix seems to be to migrate the disks from MBR to GPT. If it wasn't a pretty non-standard server and we hadn't already eaten a bunch of consultant time doing the install of the LOB tools I'd just nuke and start over. Since it's a SQL server it has two virtual disks: the system drive is on RAID1 and the DB drive on RAID 10, both internal SAS 10K drives.

It looks like I could take a bare metal backup of the server using the unitrends box and restore it to GPT disks using the unitrends unit or I could pick up the server version of this partition tool http://www.disk-partition.com/compare-edition.html (server ed)

I have no problem dropping $140 on the tool because doing it automated is much cheaper than wasting a bunch of time. I just want to make sure that it's not something that will lead to poo poo later down the line. FWIW the VMDKs are thick provisioned eager zeroed.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Just in case anyone missed it, there's a bad batch of Windows Updates this month:

http://www.infoworld.com/t/microsof...-2975331-248582

They have the potential to get machines stuck in a bluescreen loop so be sure to back them out if you've already approved them for install.

CISADMIN PRIVILEGE
Aug 15, 2004

optimized multichannel
campaigns to drive
demand and increase
brand engagement
across web, mobile,
and social touchpoints,
bitch!
:yaycloud::smithcloud:
With regards to my earlier question is it possible to convert a windows server 2012 vm (ESX 5.5) with an MBR boot volume to a GPT boot volume?

lol internet.
Sep 4, 2007
the internet makes you stupid
Testing SCCM 2012 R2 for Windows 8.1 with the install.wim

Once it applies the install.wim all it does is add drivers, reboot and I get a blank screen. Anyone run into this problem before?

I'm wondering if it has to do with the computer not set to use UEFI or something. (Testing on a pre-win8 machine as I don't have one handy at the moment.)

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


What graphics card is in the system? If it doesn't have an EFI option ROM then you'll need to enable the legacy video support option in the UEFI setup

lol internet.
Sep 4, 2007
the internet makes you stupid

Number19 posted:

What graphics card is in the system? If it doesn't have an EFI option ROM then you'll need to enable the legacy video support option in the UEFI setup

It's built-in Intel video. I'll check the BIOS setting.

Thanks!

Demie
Apr 2, 2004

lol internet. posted:

Testing SCCM 2012 R2 for Windows 8.1 with the install.wim

Once it applies the install.wim all it does is add drivers, reboot and I get a blank screen. Anyone run into this problem before?

I'm wondering if it has to do with the computer not set to use UEFI or something. (Testing on a pre-win8 machine as I don't have one handy at the moment.)

This can happen when you image while Secure Boot is turned on, check on that.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

That's almost exactly it. I have to turn SecureBoot off on any Windows 8.1 machines that I'm going to image.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

CISADMIN PRIVILEGE posted:

With regards to my earlier question is it possible to convert a windows server 2012 vm (ESX 5.5) with an MBR boot volume to a GPT boot volume?

I don't think so. Full data migration appears to be the only solution, or the fancy software. The only way to convert will purge all the data on the volume.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Anyone using DSC in production yet? I feel it's very much a 1.0 and prob won't be in enterprises for a few years.

It is super interesting. Especially for someone who hasn't played with puppet.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
So just so I'm on the same page with Windows 8. My example: I have a Dell box with 8. Can I reimage with an 8.1 Dell CD OR do I have to use the 8 CD, and download through the store for my installs?

Frozen Peach
Aug 25, 2004

garbage man from a garbage can
My boss just told me he got a call from Microsoft Licensing and we're being audited. I have no idea what the best way is to prepare for this, or what to expect. I've never had to deal with an audit before. I assumed we were too small for Microsoft to worry about coming after us.

Not that I'm afraid we're out of compliance, because I'm pretty good about making sure we have licenses for anything we install.

Some information on our network that might help with advice giving:

* We're almost entirely virtualized from a server standpoint, with 2 VMware vSphere hosts running anything that Microsoft would be worried about.
* We run 2 Active Directory domain servers each on a different VM Host
* Almost all of our Windows Servers and Workstations are on the domain. There are a few exceptions of stand alone servers that aren't connected to the domain, but they're all on one of the two VM Hosts
* We do run a few full SQL Server instances. As far as I know those should be legit, though since we've rebuilt those VMs from scratch a few times I'm not 100% certain unique license keys were used, despite the fact that we do have valid licenses. Only one of those servers is in production, the other is just for staging and testing. No idea if that makes a difference or not.
* We use ManageEngine ServiceDesk Plus for helpdesk and asset tracking, and mostly keep it up to date.
* ServiceDesk reports 120 total workstations/servers,

Has anyone here gone through an audit that can give some tips and advice?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Does asset tracking mean software licensing? If not, you can spin up a copy of spiceworks and let it do the inventory.

Docjowles
Apr 9, 2009

Frozen-Solid posted:

My boss just told me he got a call from Microsoft Licensing and we're being audited. I have no idea what the best way is to prepare for this, or what to expect. I've never had to deal with an audit before. I assumed we were too small for Microsoft to worry about coming after us.

Not to start a witch hunt, but got any current or recently-departed disgruntled employees? An audit out of the blue on a small company is often kicked off by a report.

For actual helpful advice, make sure you are not running MSDN or Action Pack licenses in production. Those are the biggest gotchas I've encountered in small business. Some joker thinks "I can license the entire MS ecosystem for $300?!?!? :circlefap:" and doesn't read the fine print. Then before you know it you're running more production SQL Server instances off Action Pack licenses than you can possibly afford to buy legitimately and there's no way out.

CLAM DOWN
Feb 13, 2007




Any of you used SSL certificates to encrypt a SQL Server 2012/2014 connection? I'm about to go postal on this drat thing.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
We use IPSEC, it seems weird to do your encryption on layer 5 if you can do it on layer 3...

CLAM DOWN
Feb 13, 2007




peak debt posted:

We use IPSEC, it seems weird to do your encryption on layer 5 if you can do it on layer 3...

We don't use IPSEC at all here, not my idea :(

Zaepho
Oct 31, 2013

Frozen-Solid posted:

Has anyone here gone through an audit that can give some tips and advice?

Might be worth checking out the MAP tool to try to see what it comes up with for licensing information. I BELIEVE this is what they may start with in the audit anyway.

http://technet.microsoft.com/en-us/solutionaccelerators/dd537566.aspx


On the good side, one of our customers got audited and thought they were going to be hosed to the tune of a couple million in SQL licenses, but it turned out they were actually over licensed and dropped the size of their SA renewal in retaliation for the audit.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Does Microsoft even "care" about their customers when it comes to stuff like that? Oops we bad, here is a sweetheart deal.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
They'd probably argue that if you had millions for software licensing you should be able to afford to hire a licensing specialist for a week every year...

Zaepho
Oct 31, 2013

incoherent posted:

Does Microsoft even "care" about their customers when it comes to stuff like that? Oops we bad, here is a sweetheart deal.

It's a back and forth thing with them apparently. Microsoft is also a customer of the Auditee (to the tune of 70+mil/year) and I suspect they were trying to even up the score a little bit.

Frozen Peach
Aug 25, 2004

garbage man from a garbage can

Docjowles posted:

Not to start a witch hunt, but got any current or recently-departed disgruntled employees? An audit out of the blue on a small company is often kicked off by a report.

We're a 5 person IT team. We've only had 2 people leave since I started here 6 years ago, and both were and still are on good terms. They left for better paying jobs, not for being treated like poo poo here. Both of them were 3+ years ago now.

incoherent posted:

Does asset tracking mean software licensing? If not, you can spin up a copy of spiceworks and let it do the inventory.

ManageEngine does everything that Spiceworks does. It's not quite as pretty, but it gets the job done and is more powerful from a helpdesk perspective. We've only ever used it for inventory and helpdesk tickets, but it has licensing capabilities. We've just never done anything with the licensing.

lol internet.
Sep 4, 2007
the internet makes you stupid

Frozen-Solid posted:

Has anyone here gone through an audit that can give some tips and advice?

My place had it done like 3 months ago.

It was done through a third party. Basically they give you a list of what you're licensed for in an excel sheet. You agree or disagree with it, if you feel you have more, you provide them with the PO\vendor information on which it was purchased. They then update their excel sheet and send it to you for the total count of licenses you have.

I think they wanted to put an appliance onsite but we said no, so they just asked us to do a count on what we had through SCCM.

So we ended up being short like 20k worth of licenses, we made an order with our vendor, and sent the PO to them. The auditors confirmed the license was purchased and said see you in 3 years. It's not that bad, but someone's going to get some crap from finance if the amount is a lot.

In our case, it was the old IT department, so it was out of our control.

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
Since Server 2003 leaves extended support in July 2015, does anyone know if that applies to the 2003 domain functional level? Like, if I had a bunch of 2012R2 domain controllers running at the 2003 functional level do I need to raise the functional level before July or risk problems?

Any reason to not go hog-wild and jump all the way up to 2012R2?


hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

Dr. Arbitrary posted:

Any reason to not go hog-wild and jump all the way up to 2012R2?

No. Raising the domain functional level doesn't change* anything, just enables features on the DCs that wouldn't work with older DCs.

*okay it does but it's like switching ovens, you put dough in and you'll always get cookies out
