|
Does it ever make sense to purchase SQL server without software assurance?
|
#
?
Sep 9, 2022 20:28
|
|
|
|
| # ? May 31, 2024 06:31 |
|
|
Potato Salad posted:Does it ever make sense to purchase SQL server without software assurance? I have a hard time thinking of a good reason not to buy SA considering the kinds of applications people are generally running on SQL server and the pace of SQL server releases/flexibility you get other than "we don't have that much money and can't do it otherwise", but at that point maybe it's worth looking at a subscription option
|
|
#
?
Sep 9, 2022 20:43
|
|
|
Maneki Neko posted:You are not correct, for SQL server running on a VM you can just license the number of cores assigned to the VM (with a minimum of 4). If you are running a bunch of VMs on your cluster it makes more sense to look at other options, but that does not sound like your case. For DRS type situations as far as I'm aware you don't even need to worry about SA but any competent Microsoft licensing vendor should be able to confirm that. Oh wow, I am completely wrong. This makes it much more digestible then. Thanks.
|
|
#
?
Sep 12, 2022 13:43
|
|
|
So, please excuse the fact that what you are about to read is infinitely dumb and mired in an endless pit of bureaucracy: I work on a team whose sole purpose is to write installers for CotS and homegrown software for deployment through SCCM/MECM. We've got around ~150k machines. Virtually everything we send out (except WSUS) goes out as a CM Application. Very rarely, as a CM Package. The 2 senior guys on my team have been locked in a cold war for years:
I know PowerShell, and I could maybe fumble my way through an MSI, but I'd need to sit with MSI guy for a bit to really get things up to speed. The 4th guy on the team is very lacking in technical background, so we usually leave him to admin tasks and small projects. He limps through basic PowerShell, and is totally lost on MSIs. So, I could have just left this well enough alone, but the MSI guy has gotten fired up lately after a couple of incidents:
I don't really have a dog in this fight. I'd be happy just pushing out PowerShell all day because it's what I know and what I'm comfortable with. But, I'm trying to objectively figure out what we should be doing. My understanding of the biggest points from each camp are:
So, I guess what I'm asking is: What am I missing? What do I not know that I don't know? What's the advantage of using one over the other? I'm in the position right now where I can direct our policy going forward, but I want to make sure I'm making the choices for the right reasons and not because "Microsoft said it's the standard", especially given how consistently how wrong and bad MS advice has been for our environment so far.
|
|
#
?
Sep 12, 2022 16:14
|
|
|
I'm on Team Powershell in this argument. Let's you leverage your typical coding tools for version control, etc., and gives you more flexibility than MSIs. Like, if you're going to do something that can't be done in the MSI, you're going to be doing it in Powershell anyways. And if you're interacting with 150k machines, you should take the time to learn Powershell regardless. You can use package deployment tools like Chocolately or winget. You can wrap things in something like PSAppDeployToolkit, which I kind of assume you're already using at that scale. Plus, when you switch to Microsoft Endpoint Manager (Intune), you can interact with all that IaC-style if folks are already comfortable with Powershell and coding tools. At least that's my opinion. [edit: said IaaS when I meant IaC] Internet Explorer fucked around with this message at 16:59 on Sep 12, 2022 |
|
#
?
Sep 12, 2022 16:27
|
|
|
Internet Explorer posted:I'm on Team Powershell in this argument. Let's you leverage your typical coding tools for version control, etc., and gives you more flexibility than MSIs. Like, if you're going to do something that can't be done in the MSI, you're going to be doing it in Powershell anyways. And if you're interacting with 150k machines, you should take the time to learn Powershell regardless. You can use package deployment tools like Chocolately or winget. You can wrap things in something like PSAppDeployToolkit, which I kind of assume you're already using at that scale. Plus, when you switch to Microsoft Endpoint Manager (Intune), you can interact with all that IaaS-style if folks are already comfortable with Powershell and coding tools. Funny story: This came to a head because we aren't using PSAppDeployToolkit, but I had decided I was going to do up one of my next apps with it so we could try it out and when I announced it at our morning meeting, MSI guy got riled up because of all things I picked to try it with, it was VLC, which came to us as an MSI.
|
|
#
?
Sep 12, 2022 16:41
|
|
|
^ Same answer I would have given. Going the powershell route -- especially Powershell App Deployment Toolkit -- gives you enormously improved logging, visibility, and pre/post install tailoring options. Creating a chocolatey pipeline is a beautiful thing, too, especially now that Choco packages can work in Intune natively. The people saying that MSIs are  industry standard haven't worked with an app deployment toolchain created in the last half decade if not longer.We actually banned raw exe/msi installation last month in our org. It's invisible and leaves no uniform paper trail. With PSADT there are no gaps in my powerbi dashboard inspecting the flow of software from policy download to assessment to caching to scheduling to execution. poo poo, look for what's really being hired right now in endpoint management roles: CD/CI engineers. Site reliability engineering skillsets. These things to do not point to msi as the way forward, or even the way of the present. Potato Salad fucked around with this message at 16:52 on Sep 12, 2022 |
|
#
?
Sep 12, 2022 16:43
|
|
|
Toshimo posted:Funny story: This came to a head because we aren't using PSAppDeployToolkit, but I had decided I was going to do up one of my next apps with it so we could try it out and when I announced it at our morning meeting, MSI guy got riled up because of all things I picked to try it with, it was VLC, which came to us as an MSI. MSI guy is a curmudgeon. I bet if you open up space for other people, they'll do a good job modernizing stuff. Our installers for stuff like VLC was literally a Powershell script that ran "choco install vlc". We never had to touch it again. And at your scale, I'd look into running private repos and packaging anything specific to your company. It'll be worth the effort.
|
|
#
?
Sep 12, 2022 16:51
|
|
|
Potato Salad posted:poo poo, look for what's really being hired right now in endpoint management type tools: CD/CI engineers. Site reliability engineering skillsets. These things to do not point to msi as the way forward, or even the way of the present. Yup. Get your team trained up on Microsoft's modern desktop stuff or you'll be fighting technical debt forever.
|
|
#
?
Sep 12, 2022 16:52
|
|
|
Nexus + chocolatey is out-of-the-box easy EASY you can even make a proactive remediation in Intune or a CI/CB in SCCM that weekly runs Choco update shits so good, gently caress
|
|
#
?
Sep 12, 2022 16:54
|
|
|
I used to strip MSIs from EXEs and make transforms for deployment via sccm, running powershell scripts. I don't really understand the fighting. The above was miles easier than getting anything msix in Azure virtual desktop to work. Just seems like different skillsets and we can all get along.
|
|
#
?
Sep 12, 2022 17:03
|
|
|
yeah there's honestly no fight needed if what you're being given is a bunch of MSIs, deploy them (preferably with some visibility) if you wanna stop touching individual fucken files, migrate your deployments to Chocolatey or at least build a CD/CI pipeline. I will never stop simping for Choco, fight me it's whatever
|
|
#
?
Sep 12, 2022 17:06
|
|
|
Internet Explorer posted:MSI guy is a curmudgeon. I bet if you open up space for other people, they'll do a good job modernizing stuff. Our installers for stuff like VLC was literally a Powershell script that ran "choco install vlc". We never had to touch it again. And at your scale, I'd look into running private repos and packaging anything specific to your company. It'll be worth the effort. We are probably 10 years off from any of that (which means we'll be getting to it right about the time it's obsolete). I'm pulling us ahead as fast as I can, but there's so much wrong that I have to pace myself. My big project for the last few months has been "hey, you know how we never, ever delete any apps, packages, or deployments, instead just superseding them or expiring them, turns out that's real bad and now I have thousands of items to review, clean up, export, and remove". I'm literally dying to our inability to muster the political capital to kill the last 9 Win7 machines in the agency before Dec 31st, so I still have hundreds of Win7-only apps/packages to clear out January 1st. And we are getting geared up to start testing W11/Server22, so oh boy, can't wait. Let's not get into the fact that at some point, I'm going to have to single-handedly learn how to set up, manage, and import all our stuff into Bitbucket from scratch, because we have absolutely no source control (and I've yet to see any useful material on "Here's how you plan babby's firs source control", because it's not something I've ever had to plan before, and our poo poo is wild because everything is its own project, there is no versioning, and once something hits prod, it is locked in stone, never to be touched again). Don't read that.
|
|
#
?
Sep 12, 2022 17:09
|
|
|
Potato Salad posted:if what you're being given is a bunch of MSIs, deploy them (preferably with some visibility) To be clear, there is probably never going to be a "just send the MSI out as-is", here. We have too many logging/tracking requirements from too many levels of management, and we are far too removed from whoever is troubleshooting this stuff for clerks in Podunk, Arkansas. Even our MSI guy has a massive MST to kinda replicate the logging our PS scripts do.
|
|
#
?
Sep 12, 2022 17:12
|
|
|
I read that! It raised my blood pressure! I have no experience at that scale, but I think getting together folks who want to make improvements and showing off how much easier/better stuff is with new tools and having them be champions for that change is the way to go. Not always easy to make that call of cleaning up old poo poo or just migrating to something new, but I think at least in some of these cases migrating to something new might be the way to go. Just gotta put that team together. Easier said than done. Internet Explorer fucked around with this message at 18:18 on Sep 12, 2022 |
|
#
?
Sep 12, 2022 17:15
|
|
|
Toshimo posted:Buttbucket hey, if you name your agency, I'll split half the ransomware take with you  Edit: In all seriousness, that sounds stressful and I really hope you get what you need Potato Salad fucked around with this message at 17:54 on Sep 12, 2022 |
|
#
?
Sep 12, 2022 17:17
|
|
|
Anyone who has anything to do with managing Windows should know Powershell at this point. It's 2022. I work at a big rear end highly regulated company with somewhere in the neighborhood of 140K endpoints. We've moved packaging over to Chocolatey for the most part, but all our software used to get wrapped in a powershell wrapper that does the sets up the logging, and other deployment stuff. I'm not in that department, but our IT software lifecycle/asset management department manages things with an iron fist. I can't even download an .exe or .msi myself. I have to go through them. It's a complicated system of verifying contracts, entitlements, keeping audit trails, etc. MSI guy needs to get with the times. I've had to customize MSI's and create MST's in the past. It's a pain in the rear end, but effective. There's better ways to do it now though.
|
|
#
?
Sep 12, 2022 17:32
|
|
|
skipdogg posted:Anyone who has anything to do with managing Windows should know Powershell at this point. It's 2022.
|
|
#
?
Sep 12, 2022 18:17
|
|
|
Friendship with Powershell ended. Azure cli, ARM, and bicep are my new best friends.
|
|
#
?
Sep 12, 2022 21:57
|
|
|
As an aside, one of my favorite developments while cleaning up and removing hundreds of apps/packages in CM: If you make an application, make another application that supersedes it, then delete the original application, you get an orphaned supersedence chain in the 2nd application that looks like this:  If the remaining app is put into a task sequence, the orphaned supersedence will cause it not to run. Why? Who knows. Microsoft claims they've never seen this before, even though it is 100% replicable, and because it isn't supposed to happen, that means it doesn't happen, as far as they are concerned, and have given us zero help in finding a way to identify and address it. So, every week, I'd have to call my DBA and get him to run a query to find all the apps we broke with deletions the prior week, and manually go in and remove the orphaned supersedence.
|
|
#
?
Sep 13, 2022 17:45
|
|
|
You're running into hash validation issues when the superseded content is deleted from your DPs but its correlating object in sms is still extant and superseded Microsoft knows this fake edit: literally right now, as we talk, I'm writing a script to go through objects and content one at a time to establish orphans in either side of the house and remove them via powershell
|
|
#
?
Sep 13, 2022 17:58
|
|
|
Potato Salad posted:You're running into hash validation issues when the superseded content is deleted from your DPs but its correlating object in sms is still extant and superseded Welp, they claim to not know and have no fix, so it's just another thing on my pile, for now.
|
|
#
?
Sep 13, 2022 18:00
|
|
|
the fix is exactly what you're doing content selection and object deletion needs to be done together 💖 in harmony 💖, so following up content cleanup with a SQL query or script to
|
|
#
?
Sep 13, 2022 19:11
|
|
|
Maybe the right place to post, so here goes. Man, do I ever hate kerberos/ntlm problems. Infrastructure seems to be right, SPNs in place, many systems can access SQL web reports but some get the dreaded "Anonymous" error because the workstation (seems) to refuse to use kerberos and ntlm cannot do the second hop to the database machine. Anyone experienced this problem before? We have had to configure an RD App to just load a the page in a browser on one of our session hosts for those with machines that cannot get the page to load. These are Windows 10 and some Windows 11 AD joined (hybird) machines. Kerberos works for other auth needs, and if the user were to login to a server and load the web reports page .. their laptop then starts to work for a period of time.
|
|
#
?
Sep 13, 2022 22:02
|
|
|
I think "infrastructure seems to be in the right place" is doing some heavy lifting. See if effected machines have similar ipconfigs and go from there.
|
|
#
?
Sep 13, 2022 22:09
|
|
|
Submarine Sandpaper posted:I think "infrastructure seems to be in the right place" is doing some heavy lifting. See if effected machines have similar ipconfigs and go from there. Nothing linked to a specific subnet, really seems to be some sort of machine configuration issue at this point. I've captured a few more logs and I am seeing kerberos doing auth at the reporting server, but report services never passes the connection onto the database as a kerberos connection, it's always trying to do it via NTLM.
|
|
#
?
Sep 13, 2022 22:18
|
|
|
Toshimo posted:So, please excuse the fact that what you are about to read is infinitely dumb and mired in an endless pit of bureaucracy: Everybody has already replied about this, and they are right, so I'm going to add the following comments: PSAppDeploy Toolkit is designed to wrap over other installers, including MSI, and provide additional functionality and logging for SCCM deployments. It can prompt the user with several options about installs, including conflicts with running applications, and take that back to SCCM in a meaningful way to retry later and report it all back to the console for measuring compliance. If you want to spring for a bit extra, there are GUIs for PSAppDeploy, like Master Packager, that make it all drag and drop with basic templates for branding or behaviour. The licensed version can also automatically make MST files if you need to adjust the install options of an MSI. Speaking of, MSI is an industry standard, and that has valuable benefits as a consumer of them:
* MSI files are a published standard. You can use third party tools to examine a Vendor MSI and check/confirm any behaviour. * You can create a transform (MST) for any MSI that alters the behaviour to your liking, without altering the main MSI and breaking the chain of trust. Everything from basic checkbox options all the way to core install steps can be modified this way. No need to know a vendors specific setup.exe command line options. This does not mean you should turn everything into MSI files. That's stupid, because you don't gain any benefit from doing so. You are already finding that writing powershell wrappers helps you manage installs, and that's just an continuation of batch files and vbs files that helped with installs in previous generations of windows/dos. PSAppDeploy just takes this to a logical conclusion, providing a generic wrapper for any type of install that does all the heavy lifting (logging, sccm interaction, app conflict detection, multi language support, etc) for you, and you can just drop some stuff in the Files directory and focus on the options you want. Take what the vendor gives you, and spend as little time as possible with it. Get on with more interesting things.
|
|
#
?
Sep 13, 2022 23:45
|
|
|
mAlfunkti0n posted:Maybe the right place to post, so here goes. Credential Guard hates unconstrained kerberos delegation and will wreak all sorts of havoc if you haven't been really diligent with your delegation.
|
|
#
?
Sep 14, 2022 03:24
|
|
|
Potato Salad posted:the fix is exactly what you're doing My dude, I am loving howling right now. In a meeting where we are trying to run down this insanity: 7/7 - I identify a superseded app to remove. Delete all deployments. 7/13 - I forward the App to our migration team and they export it and remove the app from CM. 7/13 - I clean up the orphaned super defence chain in CM. 7/18 - Half a dozen machines rerun the removed superseded app from cache. Microsoft rep: I'm what this is. I've never seen it before.
|
|
#
?
Sep 14, 2022 19:23
|
|
|
Thanks Ants posted:Holy poo poo at last I know this post is months old, but Sharepoint got dumped in my lap and holy gently caress have dynamic groups based on job title = title and account enabled = true made managing permissions in Sharepoint so much easier (still a pain in the rear end but less so)
|
|
#
?
Oct 8, 2022 00:05
|
|
|
New expensive services coming to azure for confused admins to enable.
|
|
#
?
Oct 12, 2022 17:13
|
|
|
2 new Defender products. Intune Premium. Entra looks cool as hell (we just spent millions on Sailpoint IG). There's going to be an E7 license soon to cover all these premium products.
|
|
#
?
Oct 12, 2022 19:14
|
|
|
high 5 just spent a ton of money on sailpoint buddy
|
|
#
?
Oct 12, 2022 19:26
|
|
|
Nutanix in the Azure cloud... ugh. Why?
|
|
#
?
Oct 12, 2022 19:39
|
|
|
Oh wow that temporary elevation to local admin thing in Intune Premium looks greatskipdogg posted:Nutanix in the Azure cloud... ugh. Why? Nutanix get to receive license revenue from customers ditching on-prem setups, Microsoft get people onto Azure easier than it might otherwise be. Not something I'll ever use but I can see why it's there. Thanks Ants fucked around with this message at 19:43 on Oct 12, 2022 |
|
#
?
Oct 12, 2022 19:41
|
|
|
I chuckled "NEW: Microsoft announces Windows rebrand, to be called Windows for Defender." https://twitter.com/GossiTheDog/status/1579971440962842624
|
|
#
?
Oct 12, 2022 20:01
|
|
|
Has anybody come up against what seem to be replication issues in Office 365? Trying to manage Exchange Online and getting the following back out of it:code:I've tried reasonably obvious things like removing the license from the user account for a bit and adding it back hoping it rebuilds the mailbox, but that doesn't make a difference.
|
|
#
?
Oct 20, 2022 11:10
|
|
|
What version of the exchange online poweshell module are you using?
|
|
#
?
Oct 20, 2022 15:30
|
|
|
3.0.0
|
|
#
?
Oct 20, 2022 17:16
|
|
|
|
| # ? May 31, 2024 06:31 |
|
|
Anybody know where the hell you would pull a history of license assignment/unassignment for things like Power BI or Visio Pro? For some reason all our licenses were unassigned, and know I'm trying to figure out who the hell to assign back to again
|
|
#
?
Oct 26, 2022 23:44
|
|
