Major release
Posted: Nov 22, 2017 19:52

Tapedump posted: UE-V looks ideal, but I see that even though Windows 7 Pro is listed under the compatibility chart, when they upgrade to Win10 (post-1607) they'll have to change to Enterprise, correct?

Honestly, it sounds like you're in the wrong thread. Likely the small shop thread is a better spot: https://forums.somethingawful.com/showthread.php?threadid=3723832 Just because it flavors the response you're getting. In my experience, Roaming Profiles are fine if you set them up correctly, have the correct expectations, AND know how to troubleshoot when something blows up. Not trying to be offensive, but it sounds like you may be in a little over your head and I would be reluctant to recommend Roaming Profiles to you on that alone. If you go the RDS route, you'll likely still be using Roaming Profiles unless you do something silly like only have 1 RDS server and don't plan for growth/the future.

Internet Explorer fucked around with this message at 20:38 on Nov 22, 2017
Posted: Nov 22, 2017 20:24

You only install the latest definition files for whatever is out (Win10 1709 in this case) and they are backwards compatible with everything before it, Desktop or Server.
Posted: Nov 22, 2017 20:55

BangersInMyKnickers posted: You only install the latest definition files for whatever is out (Win10 1709 in this case) and they are backwards compatible with everything before it, Desktop or Server.

So Win 10 admx files actually cover Server 2016 as well then, correct? And I do a full copy-paste of all the admx files and the corresponding language folder.
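The refresh described above (copy the newest ADMX set and its language folders over the Central Store, since the latest set is backwards compatible) as a script, added here as an example and not a post from the thread. The source folder, the use of $env:USERDNSDOMAIN for the domain name and the backup folder name are assumptions; run it as an account that can write to SYSVOL.

```powershell
# Added example, not from the thread: refresh the Group Policy Central Store
# with one complete ADMX set plus its language (ADML) folders.
# Assumptions (hypothetical values): the newest templates were extracted to
# $Source (e.g. from the Windows 10 Administrative Templates download); the
# domain name comes from the environment; caller can write to SYSVOL.
param(
    [string]$Source = 'C:\Temp\PolicyDefinitions',
    [string]$Domain = $env:USERDNSDOMAIN
)

$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Refuse to run on an empty or wrong source folder.
$admx = Get-ChildItem -Path $Source -Filter *.admx -File -ErrorAction Stop
if ($admx.Count -eq 0) { throw "No .admx files found in $Source" }

# The newest set supersedes the old one, but keep a copy: third-party and
# customised templates live in the same folder and are not in the new set.
if (Test-Path $CentralStore) {
    $backup = "$CentralStore.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
    Copy-Item -Path $CentralStore -Destination $backup -Recurse
    Write-Host "Existing Central Store backed up to $backup"
} else {
    New-Item -Path $CentralStore -ItemType Directory | Out-Null
}

# Copy the .admx files, then every language folder (en-US, de-DE, ...).
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $CentralStore -Force
Get-ChildItem -Path $Source -Directory | ForEach-Object {
    $dest = Join-Path $CentralStore $_.Name
    if (-not (Test-Path $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $dest -Force
}

# An .admx without a matching .adml in the console's language makes GPMC
# report "resource ... not found" errors, so flag those before closing out.
$lang = (Get-Culture).Name   # e.g. en-US: the folder GPMC reads on this host
$missing = Get-ChildItem -Path $CentralStore -Filter *.admx -File | Where-Object {
    -not (Test-Path (Join-Path $CentralStore "$lang\$($_.BaseName).adml"))
}
Write-Host ("Copied {0} ADMX files to {1}" -f $admx.Count, $CentralStore)
if ($missing) {
    Write-Warning ("{0} ADMX files have no {1} ADML: {2}" -f `
        $missing.Count, $lang, ($missing.BaseName -join ', '))
}
```

The write lands on whichever domain controller answers the SYSVOL path and replicates from there, so check the other DCs before assuming the new templates are everywhere.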
Posted: Nov 23, 2017 01:40

Yeah.
Posted: Nov 23, 2017 01:40

Internet Explorer posted: Honestly, it sounds like you're in the wrong thread. Likely the small shop thread is a better spot: https://forums.somethingawful.com/showthread.php?threadid=3723832
Posted: Nov 23, 2017 01:54

Last Windows 10 related question. Is it possible to block updates and use SCCM for updating Windows 10 clients? Also is anyone using the Windows 10 LTSB branch? If so what were the main drivers behind that. Thanks!
Posted: Nov 23, 2017 04:16

lol internet. posted: Last Windows 10 related question. Is it possible to block updates and use SCCM for updating Windows 10 clients?

Yes. With later versions of Windows 10, however, you have to be vigilant in configuring your environment (GPO) to block dual scans\end users updating from Microsoft directly. I think only the _latest_ SCCM lets you upgrade OSes like WSUS (which lets you deploy major Win10 releases). Also you need to make sure your SCCM is in lock step with Windows 10 releases. Never deploy LTSB unless you're the MSP for an airport. They're designed for long-term deployments (3-5+ years).

incoherent fucked around with this message at 05:42 on Nov 23, 2017
Posted: Nov 23, 2017 05:36

incoherent posted: Never deploy LTSB unless you're the MSP for an airport. They're designed for long-term deployments (3-5+ years).

I've been fairly impressed, we've been working with SCADA vendors and they aren't even jumping on the LTSB bandwagon, which says a lot.
Posted: Nov 24, 2017 03:19

Maneki Neko posted: I've been fairly impressed, we've been working with SCADA vendors and they aren't even jumping on the LTSB bandwagon, which says a lot.
Posted: Nov 24, 2017 03:34

Microsoft wants everyone on Enterprise licenses, LTSB is like an added bonus. A lot of Pro features were gutted and moved to Enterprise in the last two versions which is bullshit.
Posted: Nov 25, 2017 21:19

incoherent posted: Never deploy LTSB unless you're the MSP for an airport. They're designed for long-term deployments (3-5+ years).

I haven't had any major issues with LTSB as of yet. It's my main Windows 10 Enterprise image for the entire org. Is there any reason to stay away from it other than missing out on features?
Posted: Nov 28, 2017 20:32

It's fine for enterprise deployments, especially if you're using software that is slow to support new OS versions. You won't get the latest and greatest security features, but that doesn't mean much if your vendor won't answer calls for your business critical application.
Posted: Nov 28, 2017 20:47

I was under the impression that LTSB was for embedded devices / 'appliances' and there's no good reason to run it on end-user devices. I guess if you're happy to roll new images to get your fleet upgraded though then go for it.
Posted: Nov 28, 2017 21:05

Thanks Ants posted: I was under the impression that LTSB was for embedded devices / 'appliances' and there's no good reason to run it on end-user devices. I guess if you're happy to roll new images to get your fleet upgraded though then go for it.

Yeah, officially it's for those sorts of machines where Windows is just a means to an end to run one piece/suite of software. It's not intended to be used as a general purpose desktop. If you are firing up Office or a web browser on LTSB you're probably using it somewhere you shouldn't be.
Posted: Nov 28, 2017 21:47

Somehow half our installed machines are on LTSB, causing all sorts of weird problems for the internal development team. I'm slowly phasing it out because there's no need for us to run it, we're a very dynamic environment. ...of course now I have to listen to people complaining that their (old) copy of visual assist doesn't work properly.
Posted: Nov 29, 2017 13:05

Thanks Ants posted: I was under the impression that LTSB was for embedded devices / 'appliances' and there's no good reason to run it on end-user devices. I guess if you're happy to roll new images to get your fleet upgraded though then go for it.

That's how Microsoft is selling it, but I'm really not that convinced anymore considering how much work it is to get a new OS release tested and running the same way as the one before it. In my opinion, if you don't need Edge, the Store, Cortana and similar stuff, you're probably better off running LTSB.
Posted: Nov 30, 2017 13:00

Has anyone got any suggestions for a good dedi? Wanting to have Windows on it. Looked on all the popular sites and the cheapest I got was £35 for a decent one.

Pruney fucked around with this message at 13:16 on Nov 30, 2017
Posted: Nov 30, 2017 13:13

peak debt posted: That's how Microsoft is selling it, but I'm really not that convinced anymore considering how much work it is to get a new OS release tested and running the same way as the one before it.

Or if you only buy old computers, LTSB doesn't support the latest hardware. Part of Microsoft's push is to get you to realize that you really need to figure out your OS release testing and get it done quickly. If it takes you a year to validate a new OS, your process sucks and needs to be changed.
Posted: Nov 30, 2017 17:29

Question about hp smart update manager for ProLiant servers. So.. I download the hp sum software, then the most recent service pack for ProLiant servers and add it as a baseline in hp sum... Does that mean when I run hp sum, it doesn't get the latest drivers from the hp site but instead only loads the drivers from the ProLiant service pack?
Posted: Dec 3, 2017 03:13

lol internet. posted: Question about hp smart update manager for ProLiant servers.
Posted: Dec 3, 2017 09:34

anthonypants posted: That's correct. I would also recommend using their custom SPP builder, so that your baseline doesn't take a zillion goddamn hours. https://spp.hpe.com/custom

Any way to merge the previous service packs with the current? I noticed the most recent one doesn't have any updates for Gen 7/Gen8 it looks like.
Posted: Dec 3, 2017 10:46

lol internet. posted: Any way to merge the previous service packs with the current? I noticed the most recent one doesn't have any updates for Gen 7/Gen8 it looks like.
Posted: Dec 3, 2017 23:13

Anyone using BitLocker To Go for removable drives? Any decent management option for making sure you have recovery keys, etc. other than plopping them in AD? I haven't seen much in the way of 3rd party management tools from our existing vendors that support it. We have situations with remote users where they may not touch the domain for weeks/months at a time.
Posted: Dec 4, 2017 18:42

AD is the way to go but Symantec Endpoint Encryption has a management layer that will also store the keys and do the recovery workflow stuff. Not worth the money in my opinion. GPO is configurable so systems can only write to encrypted drives and will only finish the creation of an encrypted volume if the key has been successfully backed up to AD so it's pretty failsafe. Be aware with removable media that without the decryption data you have no idea what is there, but there's an option to tag the volume with unencrypted metadata that you configure so you can slap [COMPANY NAME - Department] in that field if that's something you want. Each unique tag will need its own layered GPO but that's mostly upfront work.
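A check for the two controls the post leans on (write access only to encrypted removable drives, and a recovery key escrowed to AD before the volume is usable), added here as an example and not a post from the thread. It reads the effective BitLocker policy on the local machine, lists every removable volume with its protection state and whether a recovery password protector exists, and optionally escrows those passwords with Backup-BitLockerKeyProtector. The FVE registry value names are the ones the BitLocker ADMX writes; treat them as an assumption and confirm against your template version. Run elevated on a domain-joined host.

```powershell
# Added example, not from the thread: audit BitLocker To Go volumes on this
# host and, optionally, escrow their recovery passwords to AD DS.
# Assumptions: domain-joined host, elevated shell, BitLocker module present.
# RDVDenyWriteAccess / RDVRequireActiveDirectoryBackup are the value names the
# BitLocker ADMX (VolumeEncryption.admx) writes; verify for your version.
function Get-RemovableBitLockerPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                          -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Deny write access to removable drives not protected by BitLocker"
        DenyWriteToUnencrypted = [bool]($p.RDVDenyWriteAccess -eq 1)
        # "Do not enable BitLocker until recovery information is stored to AD DS"
        RequireADBackup        = [bool]($p.RDVRequireActiveDirectoryBackup -eq 1)
    }
}

function Test-RemovableBitLockerVolume {
    param([switch]$BackupToAD)
    # Removable media only; fixed and OS volumes are a separate policy scope.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        if (-not $bl) { continue }
        $rp = $bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        $backedUp = $null
        if ($BackupToAD -and $rp) {
            # Escrow every recovery password protector on the volume. This needs
            # a reachable DC, which is exactly what remote users often lack.
            try {
                foreach ($k in $rp) {
                    Backup-BitLockerKeyProtector -MountPoint $mount `
                        -KeyProtectorId $k.KeyProtectorId | Out-Null
                }
                $backedUp = $true
            } catch {
                $backedUp = $false
                Write-Warning "AD backup failed for ${mount}: $_"
            }
        }
        [pscustomobject]@{
            MountPoint          = $mount
            Label               = $vol.FileSystemLabel
            ProtectionStatus    = $bl.ProtectionStatus   # On / Off
            VolumeStatus        = $bl.VolumeStatus       # e.g. FullyEncrypted
            HasRecoveryPassword = [bool]$rp
            BackedUpToAD        = $backedUp              # $null = not attempted
        }
    }
}

# Usage: show the policy state, then report (and escrow) each removable volume.
Get-RemovableBitLockerPolicy
Test-RemovableBitLockerVolume -BackupToAD | Format-Table -AutoSize
```

A volume that shows ProtectionStatus Off while DenyWriteToUnencrypted is True is read-only on that host, which is the behaviour the post describes; a volume with no RecoveryPassword protector cannot be escrowed at all and is the case worth hunting for.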
Posted: Dec 4, 2017 18:47

BangersInMyKnickers posted: AD is the way to go but Symantec Endpoint Encryption has a management layer that will also store the keys and do the recovery workflow stuff. Not worth the money in my opinion. GPO is configurable so systems can only write to encrypted drives and will only finish the creation of an encrypted volume if the key has been successfully backed up to AD so it's pretty failsafe.

Yeah, most of the 3rd parties I've seen that can do BitLocker key management don't seem to support BitLocker To Go for some reason.
Posted: Dec 4, 2017 19:40

BangersInMyKnickers posted: AD is the way to go but Symantec Endpoint Encryption has a management layer that will also store the keys and do the recovery workflow stuff. Not worth the money in my opinion. GPO is configurable so systems can only write to encrypted drives and will only finish the creation of an encrypted volume if the key has been successfully backed up to AD so it's pretty failsafe.

Do you use SEP? How do you find it overall? We're looking at evaluating it instead of using Checkpoint for an endpoint agent.
Posted: Dec 4, 2017 19:45

CLAM DOWN posted: Do you use SEP? How do you find it overall? We're looking at evaluating it instead of using Checkpoint for an endpoint agent.

SEP... what exactly do you want to use in its feature set? It used to be a steaming pile and the management side would break once every month or every other month, that's mostly straightened out now. We use it for AV, IPS and application and device control. We rarely get AV/malware/whatever events and when we do it's typically just garbage cookie/temp internet files that get quarantined/deleted immediately, we'll typically do some manual stuff like clearing out all other cookies/temp files, run another scan, and look for weird poo poo. I'm not sure how effective it actually is, but we don't get outbreaks of false positives, it doesn't attempt to kill itself and all that kind of poo poo other AV products do, I've literally never seen an IPS event in ~4 years of administering it so not sure how that side is or if it even works, but their support said we have it configured correctly.

The management (SEPM) works well, it's a bit cumbersome initially to set up, but once you have it done it's pretty seamless to make changes etc. The application and device control and management are really what I like about it, we have a fairly locked down environment and people can't plug unapproved USB devices into the endpoints (which in essence means any USB thing that gets plugged in), we get alerts when people do and the device gets disabled. Overall it works well* and I rarely have to touch it unless we are doing an update to the endpoints, the management side, or to policies.

*Again overall usefulness is dubious but checkbox and all that for PCI Compliance. We do not use endpoint encryption though, if that's what you were going to use it for, we rolled BitLocker.
Posted: Dec 4, 2017 19:57

CLAM DOWN posted: Do you use SEP? How do you find it overall? We're looking at evaluating it instead of using Checkpoint for an endpoint agent.

The client itself is "good enough" with 14. The def set is way smaller (12.1 was 3gb and the whole set would turn over 3 times daily causing a huge amount of OPs) and can be further reduced with their default "cloud defs" that only keep the latest sigs local and do whatever Symantec CDN lookup for older stuff. Expects unfiltered HTTPS outbound for a lot of reputation lookup stuff and they don't support proxying through the management server so that's kinda a kick in the balls for networks doing egress filtering unless your firewalls support DNS resolution with understanding of cnames. The heuristic engine in 14 does an okay job of catching all the polymorphic crap that they were completely failing to get before. IPS engine is good and should be enabled pretty much globally. Endpoint firewall is Meh and Dumb (IP/port only, no process awareness) and I would recommend Windows firewall with GPO over it. After a year+ of yelling they're starting to do more of the bare minimum for process hardening by opting in to stuff like DEP/SEHOP/ASLR for a loving service that is running as system and emulating loving malicious content.

The management servers though... oh boy. Total dogshit. Terrible UI, clunky, bug ridden. There is no layered inheritance of policy so either everything propagates ooooooor you fork every single policy for the container and its children and manage that nightmare. There are these things they call non-shared policies which are loving impossible to track down and you should never use because of that. Java console breaks itself all the time with updates and the HTML one has issues all over the place but they're at least putting some work into it. The latest release manages to conflict with the loving popup blocker on Safari/Firefox/Chrome and breaks stuff like building installer packages.

All communications to the management server are done via cert but you have to use a self-signed 10yr one because there is no ability to stage a new cert and the process to update it is some janky horseshit where you intentionally break communications to one server and force the clients over to a secondary so they can download the updated cert info. Reporting can only happen with canned reports (can't create custom ones) and the filters are nigh on useless. Monitor and client management are split into two different sections that make the workflow openly hostile for anyone trying to manage the thing. The logs are so noisy and poo poo that the only way we can get a good idea of what is going on is by syslog forwarding everything into Splunk and parsing from there. It will give you summary graphs that management can jack off over all day long but if you actually want to figure out what is generating the activity and fix it then buckle up because you're going to be swearing for the next hour. It's poo poo. Don't use it. I'm really eager to get a demo of MS's endpoint suite now that they support Linux the next time this contract comes up for bid.

e: Oh yeah, more stupid poo poo. The SEP management server can only update Windows clients. Linux/Mac run through a parallel LiveUpdate protocol that it also supports and Symantec will tell you to deploy LiveUpdate servers to host content for those. DO NOT LISTEN TO THEM. LUAs are dogshit and will silently fail to distribute content and will require daily manual intervention and support won't know what the gently caress to do besides rebuilding them from scratch. Configure the reverse proxy from this KB instead: https://support.symantec.com/en_US/article.HOWTO85034.html Ignore their sizing poo poo, I'm running thousands like this and it's fine. The 1gb cache in their config is too small and I would recommend bumping it to 10gb.

e:e: More dumb poo poo on the client side. I've seen an ongoing issue for YEARS now where auto-protect will quarantine a file, put it in the quarantine location buried in programdata, then scan the file it just put there and detect it as a virus, and get stuck in an endless loop of quarantining its own quarantining. Absolutely no explanation for this behavior. I've also seen it quarantine its own IPS sigs. Update content will randomly break in ways it can't recover from without a full reinstall but 14 has been better about that.

BangersInMyKnickers fucked around with this message at 20:28 on Dec 4, 2017
Posted: Dec 4, 2017 20:09

If you want AD then is DirectAccess not an option? Either that or Azure AD if you're happy to go all cloudy and run Windows 10.
Posted: Dec 4, 2017 20:17

We haven't had an issue with LiveUpdate Admin since upgrading to 2.3.2? I think that's what we're at, we also haven't run into most of the issues you have, though we're still back in 12.1.6 or 12.1.7? Something like that. The reporting is fairly bad, we do push all information via syslog to Splunk and watch stuff that way, we also do not have Linux/Mac clients in that environment. I did forget about the policy stuff, it's definitely a lot of work to set up at first, but once you've got it done (inheritance worked out etc.) it's fine, unless you're making massive changes to your AD all the time, but provided you have a sane AD structure and aren't doing weird poo poo all the time it's fine imo.
Posted: Dec 4, 2017 20:35

The best way I can summarize the SEP Management console is this: anytime I want information, I query the DB directly for it rather than use the console. It's that much easier even if I have to cobble together the query. Don't even bother with LUA; Symantec sure doesn't. BIMK summarized it pretty well, but overall SEP is a dumpster fire that should be avoided unless you're depending on stuff like SONAR or using it for something stupid like blocking USB write access. Get System Center Endpoint Protection/Windows Defender and don't look back. If you're on Windows 10/2016 then you mostly have feature parity with SEP (SmartScreen, Win. Firewall, heuristics). Symantec also has some of the worst support I've ever encountered working in IT.
Posted: Dec 4, 2017 20:55

I guess we just got lucky with SEP. I dunno, it doesn't seem too bad at least in our environment, compared to the dumpster fires other people deal with. This isn't to say it's great software or something, but it seems a bit shinier than a lot of the other turds out there.
Posted: Dec 4, 2017 20:58

What are the storage requirements for a Cluster Shared Volume / Scale-Out Fileserver? Namely, does each server in the cluster have its own copy of the data, or is it required that they both have access to a shared array somewhere else?

I'm in a somewhat new environment, having used Linux almost exclusively for the last two years, and we are deploying an application that requires a shared folder on the network to act as cluster storage, accessible from multiple nodes at the same time. The vendor is being loving thick and telling us "You can use SAN, NFS, or NAS file sharing protocols for your shared file systems". Now, ignoring the obvious retardedness of the statement, we are also trying to fulfill the requirement that the shared storage itself is clustered so it's either active-active or active-passive. Unfortunately, we don't have licenses for NFS for our storage vendor (3Par) and our newly purchased array is a few months out from being installed, leaving me with extremely few options on how to cluster this mofo. Right now the Dev environment we have is configured to use an SMB UNC path between two servers, and this works fine, so my next logical conclusion would be to try DFS for the HA mechanism, however it's explicitly unsupported via the vendor documentation.
Posted: Dec 5, 2017 00:58

Since we're on the topic of SEP, were you able to import the Mac client into the admin console? I get errors when I try to import the latest zip or extracted dmg. Is there any way to make the Mac clients manageable? I only tried it today to test.
Posted: Dec 5, 2017 07:32

Wicaeed posted: What are the storage requirements for a Cluster Shared Volume / Scale-Out Fileserver? Namely, does each server in the cluster have its own copy of the data, or is it required that they both have access to a shared array somewhere else?

You need to use shared storage for CSVs. I don't have 2016 in my environments yet, but I would assume Scale-Out Fileserver is the same since it's clustered as well; then you add them to failover clustering so when the active needs a reboot or takes a poo poo, one of the other machines picks it up and no one notices. Here are a few useful links (applies to 2012 R2, probably the same in 2016 with some added features or something):

https://technet.microsoft.com/en-us/library/jj612869(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/jj612868(v=ws.11).aspx
https://blogs.technet.microsoft.com/filecab/2016/03/25/smb-transparent-failover-making-file-shares-continuously-available-2/
Posted: Dec 5, 2017 11:05

lol internet. posted: Since we're on the topic of SEP, were you able to import the Mac client into the admin console? I get errors when I try to import the latest zip or extracted dmg. Is there any way to make the Mac clients manageable? I only tried it today to test.

It derps out and only half worked (I have two undeletable copies now) but a Linux/Mac 14RU1 client won't talk to a non-14RU1 server anyway so it's kinda moot. Newer Windows client will talk backwards to an older server though.
Posted: Dec 5, 2017 16:25

MF_James posted: You need to use shared storage for CSVs. I don't have 2016 in my environments yet, but I would assume Scale-Out Fileserver is the same since it's clustered as well; then you add them to failover clustering so when the active needs a reboot or takes a poo poo, one of the other machines picks it up and no one notices.

SOFS in Win2016 has a shared-nothing configuration using Storage Spaces Direct. It's nifty.
Posted: Dec 6, 2017 04:13

FISHMANPET posted: If it takes you a year to validate a new OS, your process sucks and needs to be changed.

I've heard that argument from Microsoft too but it kinda loses its punch once we realized that Microsoft obviously stopped testing its releases too. How else could they release 1703 with non-working OOBE or forget the DNS snap-in in 1709? 1709 was so far relatively benign, I have that working properly with maybe 50 hours invested but I must have wasted 300+ on 1703 trying to hack together a system that allowed multilanguage deployments.
Posted: Dec 6, 2017 11:13

What's the concern over not being able to trigger a full backup on demand with Azure Backup targeting Azure VMs? For example, Azure Backup takes an initial full backup and then differentials indefinitely. As far as I'm aware there's no risk to performance on restores but supposedly this isn't the same with on-premise virt? Sorry, I haven't touched VMware/Hyper-V in years.
Posted: Dec 7, 2017 16:29