FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Mute_Fish posted:

Not sure if it's the default or not because it's been far too long since I originally set up SCCM, but in my environment the UDI wizard files are here: "D:\Sources\OSD\SW\MDT\Scripts" on the SCCM server. Also there is a program on the SCCM server called "UDI Wizard Designer"; if you open the XML with that you can edit the standard / optional applications fairly easily. I think you can also edit the .xml.app file directly but I have not done that myself.

Not sure what the original question was but this is all MDT stuff, not SCCM. Presumably you've integrated them (which is a good thing to do) but by default SCCM doesn't have any of this stuff.

FISHMANPET

So, speaking of Hyper-V. I'm doing some testing with DHCP and PXE with some VMs on my work machine. I've got my NIC set up as a "bridged" switch so my VMs are on the same network as my physical machine. I want to be able to sniff all the traffic my VMs are generating with Wireshark. I've found lots of information on port-mirroring where I can set a VM as the "source" and another VM as the "destination" and I've even found how to use the Hyper-V host as the "source" and a VM as the "destination" but I can't find a way to use a VM as the "source" and the physical NIC as the "destination."

I found this: https://cloudbase.it/hyper-v-promiscuous-mode/
I want the monitormode to be 1 instead of 2, but I can't do that just by changing the number from 2 to 1. I tried the module there and it also failed.

This seems simple but maybe I'm missing something? I basically just want to capture all traffic that touches my virtual switch.

FISHMANPET

It turns out it was simple. I was using Wireshark against the Hyper-V vEthernet adapter (because this is the adapter that I had a connection through). I ran a command to see which, if any, of my ports were in promiscuous mode (Get-NetAdapter | fl -Property ifAlias,PromiscuousMode) and it showed that my physical Ethernet port was in promiscuous mode. If I point Wireshark at that adapter it sees all the traffic that's passing through the physical adapter. Seems simple and obvious when I put it that way.
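The two things the post works through, finding which host adapter is actually in promiscuous mode and mirroring a VM's switch port, as an added PowerShell example (not code from the post). The switch name 'Bridged' and the VM names 'pxe-test' and 'sniffer' are assumptions; it assumes each VM has a single vNIC and that you run it elevated on the Hyper-V host.

```powershell
# Added example, not from the post. Assumed names: vSwitch 'Bridged', VMs 'pxe-test' and 'sniffer'.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

function Get-PromiscuousAdapters {
    # Adapters the host has put into promiscuous mode. With an External (bridged)
    # vSwitch that is normally the physical NIC bound to the switch, which is the
    # adapter to point Wireshark at rather than the vEthernet adapter.
    Get-NetAdapter | Where-Object { $_.PromiscuousMode } |
        Select-Object ifAlias, InterfaceDescription, Status, PromiscuousMode
}

function Get-ExternalSwitchNic {
    param([Parameter(Mandatory)][string]$SwitchName)
    # An External vSwitch records the physical NIC it is bound to; Internal and
    # Private switches have no physical side, so there is nothing to capture on.
    $sw = Get-VMSwitch -Name $SwitchName
    if ($sw.SwitchType -ne 'External') {
        throw "Switch '$SwitchName' is $($sw.SwitchType), not External; no physical NIC to capture on."
    }
    Get-NetAdapter | Where-Object { $_.InterfaceDescription -eq $sw.NetAdapterInterfaceDescription }
}

function Enable-VmPortMirror {
    param(
        [Parameter(Mandatory)][string]$SourceVm,
        [Parameter(Mandatory)][string]$CaptureVm
    )
    # Source/Destination mirroring is per vNIC and only works within one vSwitch.
    $src = Get-VMNetworkAdapter -VMName $SourceVm
    $dst = Get-VMNetworkAdapter -VMName $CaptureVm
    if ($src.SwitchName -ne $dst.SwitchName) {
        throw "Both VMs must be on one vSwitch: $SourceVm is on '$($src.SwitchName)', $CaptureVm on '$($dst.SwitchName)'."
    }
    Set-VMNetworkAdapter -VMName $SourceVm  -PortMirroring Source
    Set-VMNetworkAdapter -VMName $CaptureVm -PortMirroring Destination
    Get-VMNetworkAdapter -VMName $SourceVm, $CaptureVm |
        Select-Object VMName, SwitchName, PortMirroringMode
}

function Disable-VmPortMirror {
    param([Parameter(Mandatory)][string[]]$VmName)
    # Turn mirroring back off when the capture is done; a forgotten Destination
    # port keeps receiving a copy of another VM's traffic.
    foreach ($vm in $VmName) { Set-VMNetworkAdapter -VMName $vm -PortMirroring None }
}

# Usage (names assumed):
# Get-PromiscuousAdapters
# Get-ExternalSwitchNic -SwitchName 'Bridged'
# Enable-VmPortMirror -SourceVm 'pxe-test' -CaptureVm 'sniffer'
# Disable-VmPortMirror -VmName 'pxe-test', 'sniffer'
```

Capturing on the physical NIC, as the post ended up doing, sees everything that crosses the wire; mirroring to a capture VM is the option when the traffic of interest is VM-to-VM on the same switch and never leaves the host.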

FISHMANPET

There is a traverse permission that exists. One other thing that probably doesn't apply but I'll mention it anyway, you can't make multiple connections to a single file server with different connect-as values. So if you're logged in as userA and map a drive to SERVER then try to map another share as userB that will fail. It's a client side thing, so if you make that mapping as UserB to the ip address or a cname it will be fine.

FISHMANPET

I'm trying to help someone out with some group management tasks. For reasons beyond my control, when someone is no longer eligible for their AD account, it gets deactivated and moved into an OU that only admins have access to. So I can see it, but the person I'm helping can't. He's doing some adding and removing of users from groups in bulk - up to 70k at a time. In the ADUC console, he can open a group and find one of these deactivated members and remove it from the group, without having read access to the actual account object. But that doesn't scale.

I'm trying to figure out if there's some way to remove an account from a group that doesn't involve trying to read the group. Because of the size of the groups, Get-ADGroupMember doesn't work, I'm using the Member property of Get-ADGroup. This is a list of DNs of users, which I then pass into Remove-ADGroupMember. But what the cmdlet does is take that DN and try and retrieve the full user object and then fail. Is there any voodoo magic I can do to remove the users in the same way ADUC is, without actually trying to retrieve them?
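An added PowerShell example, not from the post, of one way to do what the question asks: modify the group's own member attribute with Set-ADGroup -Remove, which sends an LDAP modify on the group and never tries to read the member objects, so the caller needs write on the group's member attribute but no read access to the accounts. The group DN, the admin-only OU and the batch size are assumptions.

```powershell
# Added example, not from the post. Group DN and OU below are assumptions.
#Requires -Modules ActiveDirectory

function Get-GroupMemberDNs {
    param([Parameter(Mandatory)][string]$GroupIdentity)
    # Reads the DN list off the group object itself, without expanding members,
    # which is the route the post already uses when Get-ADGroupMember gives up.
    (Get-ADGroup -Identity $GroupIdentity -Properties member).member
}

function Remove-GroupMembersByDN {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,
        [Parameter(Mandatory)][string[]]$MemberDN,
        [int]$BatchSize = 1000,
        [switch]$WhatIf
    )
    # One LDAP modify per batch. The DC checks each DN against the current member
    # list; the client never resolves the DN to an object, so it does not need
    # read rights on the account.
    $removed = 0
    for ($i = 0; $i -lt $MemberDN.Count; $i += $BatchSize) {
        $end   = [Math]::Min($i + $BatchSize, $MemberDN.Count) - 1
        $batch = $MemberDN[$i..$end]
        try {
            Set-ADGroup -Identity $GroupIdentity -Remove @{ member = $batch } -WhatIf:$WhatIf -ErrorAction Stop
            $removed += $batch.Count
        } catch {
            # One bad DN (already removed, renamed, typo) fails the whole modify.
            # Retry this batch one entry at a time so the bad ones are named.
            foreach ($dn in $batch) {
                try {
                    Set-ADGroup -Identity $GroupIdentity -Remove @{ member = $dn } -WhatIf:$WhatIf -ErrorAction Stop
                    $removed++
                } catch {
                    Write-Warning "Could not remove $dn : $($_.Exception.Message)"
                }
            }
        }
    }
    $removed
}

# Usage (identifiers assumed): drop every member whose DN sits in the admin-only
# OU, without ever touching the account objects. Run with -WhatIf first.
$group   = 'CN=App-Users,OU=Groups,DC=corp,DC=example'
$deadOu  = 'OU=Disabled,DC=corp,DC=example'
$targets = Get-GroupMemberDNs -GroupIdentity $group | Where-Object { $_ -like "*,$deadOu" }
Remove-GroupMembersByDN -GroupIdentity $group -MemberDN $targets -WhatIf
```

The batch size is a tradeoff: larger batches mean fewer round trips, but a single failing DN makes the whole modify roll back, which is why the fallback retries the failed batch entry by entry.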

FISHMANPET

Extended support generally means "we'll fix the security vulnerabilities and nothing else" and also why in the hell are you running a million year old install of SCOM

FISHMANPET

Assuming you mean Semi-Annual Channel as opposed to doing the Long Term Servicing Channel that releases every few years, yeah we're doing that for SCCM and now SCOM. We just went through a SCOM upgrade, from 2016 to 1801 then 1807 and it was pretty painless. And looks like you can do an in-place upgrade from SCOM 2012R2 U12 to either 1801 or 1807 (the language here is kinda vague) but even if it's only to 1801, the 1807 upgrade is pretty simple.
https://docs.microsoft.com/en-us/system-center/scom/deploy-upgrade-overview?view=sc-om-1807#in-place-upgrade

FISHMANPET

Are you sure those parts of the TS are actually running? Are there conditions on those steps that are evaluating to false? Are those steps failing but they're set to continue on error? Those are the easy ones you've probably got out of the way...

The way we package all our apps is using a wrapper powershell script that includes logging so we can see if the applications actually ran or not. If you don't have anything like that you could maybe stick some steps in the parts of the TS that aren't running that would write some log files to the machine so you can maybe get a better idea what state a machine is in when it runs?

FISHMANPET

lol internet. posted:

How's everyone dealing with RSAT when you're in an SCCM environment.

GPO is pointing at sccm for WSUS. So when you powershell to install it can't install.

Is literally creating a package the solution?

If you're ok with your clients reaching out to Microsoft Update you can set a policy that will let them do so for additional content and repair content: https://www.stephenwagner.com/2018/10/08/enable-windows-update-features-on-demand-and-turn-windows-features-on-or-off-in-wsus-environments/

(that also exists in local policy)

If you can't/don't want your clients to reach out then yeah I guess you're stuck making a package, or if it's for a few smart admin staff just dumping this on a network share and giving them instructions: https://blogs.technet.microsoft.com/askpfeplat/2018/12/18/rsat-on-windows-10-1809-in-disconnected-environments/
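An added PowerShell example, not from the post, of the Features on Demand route on Windows 10 1809 and later: try whatever update source the client is pointed at first, and fall back to a local copy of the FoD media when the WSUS-pointed client can't get the payload. The share path, the capability list and the error code comment are assumptions; run it elevated.

```powershell
# Added example, not from the post. The FoD share path is an assumption.
#Requires -RunAsAdministrator

function Get-RsatCapabilityState {
    # RSAT tools on 1809+ are capabilities named like
    # 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'; State is Installed or NotPresent.
    Get-WindowsCapability -Online -Name 'Rsat.*' | Select-Object Name, State
}

function Install-Rsat {
    param(
        [string[]]$Name = @(
            'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
            'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0',
            'Rsat.Dns.Tools~~~~0.0.1.0'
        ),
        [string]$Source = '\\fileserver\fod\1809'   # assumed offline copy of the FoD ISO
    )
    $results = foreach ($cap in $Name) {
        $state = (Get-WindowsCapability -Online -Name $cap).State
        if ($state -eq 'Installed') {
            [pscustomobject]@{ Name = $cap; Result = 'AlreadyInstalled' }
            continue
        }
        try {
            # First attempt: the configured update source. With WSUS this only works
            # if policy lets the client fetch optional/repair content from Microsoft.
            Add-WindowsCapability -Online -Name $cap -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Name = $cap; Result = 'InstalledFromUpdateSource' }
        } catch {
            # Commonly 0x800f0954 on WSUS-pointed clients: the payload is not on WSUS.
            Write-Warning "$cap via update source failed ($($_.Exception.Message)); retrying from $Source"
            Add-WindowsCapability -Online -Name $cap -Source $Source -LimitAccess -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Name = $cap; Result = 'InstalledFromLocalSource' }
        }
    }
    $results
}

# Usage:
# Get-RsatCapabilityState
# Install-Rsat
# Install-Rsat -Name 'Rsat.Dns.Tools~~~~0.0.1.0' -Source 'D:\'   # FoD ISO mounted as D:
```

-LimitAccess on the fallback stops the client from reaching out to Windows Update at all, so the disconnected case behaves the same way whether or not the policy from the first link is in place.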

FISHMANPET

2016 has both security only and security & quality, install only one.

And WSUS maintenance will have an impact on how long your client spends "checking" for updates; it won't have any impact on how long it takes to install.

FISHMANPET

If you're running sccm the wsus database maintenance keeps getting better with every release. If you're running standalone wsus then I just feel bad for you.

I ended up with two SUPs (software update points in sccm, backed by wsus) with a shared database for 20k clients and things have been pretty fine. *knock on wood*

OH but I once upon a time used an sql express database because Johan said it would be fine and then I hit that 10gb limit and boy was that a fun problem to track down.

FISHMANPET

That's a really good resource; it's where I started from nothing, and now I'm where I am, having built out multiple instances as large as 20k clients, etc. etc.

FISHMANPET

kiwid posted:

Does anybody else's boss hate OSS?

I mean, I get it, open-source software can often be trash, but when my boss asked me to find software to automate an FTP transfer but didn't want me to script it in a bash script because "other sysadmins need to be able to administer it too" therefore requiring a GUI, I suggested WinSCP. My boss asked "how much is it", and I said "free". "But why is it free?" I was asked. I replied, "because it's open-source?". Denied. "Find something corporate" I was told.

What the gently caress?

So anyway, anyone know a corporate approved piece of software that has a GUI that can automate FTP transfers?

I once had someone ask me to find an NTP client they could pay for.

FISHMANPET

OK, I'm wondering if anyone else is seeing problems with their Windows Server 2016 systems and long reboots. I can find lots of general griping about updates being "slow" on 2016 but I'm talking about something that's started happening recently and it's got some pretty narrow symptoms that I can identify. Wondering if I should open a support case.

Basically, if I reboot a Server 2016 system twice in a relatively short period of time (I've seen it with an hour and a half between reboots) the second reboot will take about an hour to actually happen. It has something to do with the Delta Compression that Windows does for the cumulative updates. The system doesn't actually power off during this hour, and the console just has the helpful "Getting Windows ready Don't turn off your computer" spinner. The machine is still basically on during this time, so our monitoring hasn't caught it. But you can't connect to it with remote desktop and potentially if it's running some services I think they'd be off. But I can connect to the admin share, which is why I can see that the CBS.log file is freaking out with messages like this:
code:
 Current tick count lower than last tick count. [HRESULT = 0x8007000d - ERROR_INVALID_DATA]
Also a lot of this:
code:
2020-01-08 12:20:54, Info                  CSI    00001462 Creating NT transaction (seq 1201), objectname '(null)'
2020-01-08 12:20:54, Info                  CSI    00001463 Created NT transaction (seq 1201) result 0x00000000, handle @0x27a0
2020-01-08 12:20:54, Info                  CSI    00001464@2020/1/8:18:20:54.659 Beginning NT transaction commit...
2020-01-08 12:20:54, Info                  CSI    00001465@2020/1/8:18:20:54.659 CSI perf trace:
CSIPERF:TXCOMMIT;8261
This specific system appears to still be doing stuff until transaction 200, but the next 1000 of these NT transactions seem to just be nothing. Eventually something will finish and it will click and it'll be done and continue rebooting.
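An added PowerShell example, not from the post, that pulls the two symptoms described above out of CBS.log over the admin share: it counts the tick-count errors and times the gaps between consecutive CSI NT transactions so a stalled stretch shows up as a long gap between sequence numbers. The host name and the gap threshold are assumptions; the log line formats are taken from the excerpt in the post.

```powershell
# Added example, not from the post. Host name and threshold are assumptions.

function Get-CbsTransactionStalls {
    param(
        [string]$Path = '\\server01\c$\Windows\Logs\CBS\CBS.log',   # assumed host
        [int]$GapSeconds = 300                                       # flag gaps of 5 min or more
    )
    $rxTick = 'Current tick count lower than last tick count'
    # Matches e.g. "2020-01-08 12:20:54, Info   CSI   00001462 Creating NT transaction (seq 1201), ..."
    $rxTx   = '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Info\s+CSI\s+\S+ Creating NT transaction \(seq (\d+)\)'
    $culture = [Globalization.CultureInfo]::InvariantCulture

    $tickErrors   = 0
    $transactions = [System.Collections.Generic.List[object]]::new()

    # ReadLines streams the file, which matters because CBS.log grows to tens of MB.
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        if ($line -match $rxTick) { $tickErrors++; continue }
        if ($line -match $rxTx) {
            $transactions.Add([pscustomobject]@{
                Time = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $culture)
                Seq  = [int]$Matches[2]
            })
        }
    }

    # A "stall" is a long wall-clock gap between two consecutive transactions.
    $stalls = for ($i = 1; $i -lt $transactions.Count; $i++) {
        $gap = ($transactions[$i].Time - $transactions[$i - 1].Time).TotalSeconds
        if ($gap -ge $GapSeconds) {
            [pscustomobject]@{
                FromSeq    = $transactions[$i - 1].Seq
                ToSeq      = $transactions[$i].Seq
                StartedAt  = $transactions[$i - 1].Time
                GapMinutes = [math]::Round($gap / 60, 1)
            }
        }
    }

    [pscustomobject]@{
        TickCountErrors = $tickErrors
        Transactions    = $transactions.Count
        LongestGapMin   = if ($stalls) { ($stalls.GapMinutes | Measure-Object -Maximum).Maximum } else { 0 }
        Stalls          = @($stalls)
    }
}

# Usage:
# $r = Get-CbsTransactionStalls -Path '\\server01\c$\Windows\Logs\CBS\CBS.log'
# $r | Select-Object TickCountErrors, Transactions, LongestGapMin
# $r.Stalls | Format-Table
```

Running this from a monitoring host against a box that is "up" but stuck on the spinner gives something concrete to attach to a support case, and the same pattern (tick-count errors plus a wide gap in transaction timestamps) is easy to turn into an alert.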

FISHMANPET

The Server 2016 key on the KMS licenses Windows 10 and below (as well as Server 2016 and below). I don't have access to our volume licensing portal but when I was helping someone else with updating our KMS keys, there was a single key for both desktop and server OS, and you could only have one loaded at a time.

So that Server 2016 Key in your KMS is the correct license key to activate Windows 10 in addition to Server 2016.

E: If the devices all came with OEM licenses and you want to use those I suspect it's going to be some combination of removing the existing key info (slmgr /upk), installing a Windows 10 "default" key (I don't think this is :filez: but I'm not going to link to one just in case, but they're easy to find online) and then ensure that device can activate.

It looks like the OEM key will also be burnt into the BIOS if the device came with Win 10, so you may have to extract that key for each device and install it (instead of a default key). This site has a number of ways to get at that OEM key, but the easiest way is probably the WMI method there. So you'd remove the existing KMS install key, install the device's OEM key, then activate it. Should be pretty easy to script out.

FISHMANPET fucked around with this message at 17:41 on Feb 20, 2020

FISHMANPET

I don't know enough about what you actually need to purchase to be in compliance (vs what is needed to just make the activation warnings go away...) but the easiest is probably going to be what I added in my edit, to reactivate the devices with their OEM key.

Although part of that will be that the edition they're running now has to match what the OEM version was; you won't be able to activate an Enterprise install with the Pro key, but I would imagine if you re-imaged with Pro you should be able to activate with the OEM Pro key.
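The sequence sketched in the earlier post (remove the KMS install key, read the firmware OEM key via WMI, install it, activate) together with the edition caveat from this one, as an added PowerShell example that is not code from the posts. It refuses to rekey an Enterprise install, reports first with -WhatIf, and drives slmgr.vbs for the key operations. The Windows application ID is the one slmgr uses for the OS product; everything else (host, names) is generic.

```powershell
# Added example, not from the posts. Run elevated on the client being rekeyed.
#Requires -RunAsAdministrator

$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # SLM application ID for the Windows OS product

function Get-FirmwareProductKey {
    # OA3 key the OEM injected into firmware (MSDM ACPI table), read via the licensing service.
    (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey
}

function Get-WindowsActivationState {
    # The Windows product that currently holds a key. ProductKeyChannel separates
    # 'Volume:GVLK' (KMS client key) from 'OEM:DM' (firmware key) and 'Retail';
    # LicenseStatus 1 means licensed.
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object Name, ProductKeyChannel, LicenseStatus, PartialProductKey
}

function Invoke-Slmgr {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # slmgr.vbs prints its result text; capture it so callers can log it.
    & cscript.exe //Nologo "$env:SystemRoot\System32\slmgr.vbs" @Arguments
}

function Switch-ToOemKey {
    param([switch]$WhatIf)
    $key = Get-FirmwareProductKey
    if (-not $key) { throw 'No OEM key in firmware; this device did not ship with an embedded Windows license.' }

    # OEM keys are edition-specific: an Enterprise install will not activate with
    # a Pro key, so stop here rather than leave the machine with no valid key.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -match 'Enterprise') {
        throw "This is $($os.Caption); reimage to the OEM edition before switching to the firmware key."
    }

    $before = Get-WindowsActivationState
    if ($WhatIf) {
        return [pscustomobject]@{
            Action         = 'WouldRekey'
            CurrentChannel = $before.ProductKeyChannel
            CurrentStatus  = $before.LicenseStatus
            OemKeySuffix   = $key.Substring($key.Length - 5)   # never log the full key
        }
    }

    Invoke-Slmgr -Arguments '/upk'        | Out-Null   # uninstall the current (KMS client) key
    Invoke-Slmgr -Arguments '/ipk', $key  | Out-Null   # install the firmware OEM key
    Invoke-Slmgr -Arguments '/ato'        | Out-Null   # activate online against Microsoft

    $after = Get-WindowsActivationState
    if ($after.LicenseStatus -ne 1) {
        Write-Warning "Activation did not complete (LicenseStatus $($after.LicenseStatus)); check slmgr /dlv output."
    }
    $after
}

# Usage: dry run first, then for real.
# Switch-ToOemKey -WhatIf
# Switch-ToOemKey
```

The WhatIf path is worth keeping in the real script: run it fleet-wide first to find devices with no firmware key or the wrong edition, and only then rekey the rest.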

FISHMANPET

Yeah, I'd throw in a big caveat of "try it first before you decide it's the plan you're going to implement" because I'm just theorycrafting from my incomplete knowledge of activation.

FISHMANPET

Oh we had that, you can just re-add the KMS key and they should activate. Too late now but I think you can be a bit more surgical about what keys you're removing to keep from removing the KMS key in the first place, but yeah MS support just tells you to flatten the keys because they dgaf. Exact same thing happened to us with our air gapped systems.

FISHMANPET

Yeah we learned the hard way ours lost activation when they rebooted for patches over the weekend, and they're for processing credit card transactions for the parking system, and we're a campus that has events on the weekend...

Glad I wasn't on call that weekend!

FISHMANPET

I don't know how exactly Nessus does its scans or what its detection methods are, but the move to cumulative patching has broken a lot of things. We use Rapid7 InsightVM and have had false positives for older vulnerabilities because the client didn't have the specific KB for the Office vulnerability installed but it did have the latest cumulative update installed, which means it was actually patched. Rapid7 fixed their definitions and the vulnerability went away. So maybe Nessus is doing something like that? Does it give you specific advice on what you need to do to remediate the specific vulnerabilities it's finding?

FISHMANPET

They're so determined to make it live in userland that all that MSI does is install into the profile of everybody that logs on. Which may or may not get around that app restriction policy. But you said that and the space issue were surmountable, whereas "no grid in webview" may be insurmountable so you'll have to pick your poison.

FISHMANPET

You don't need to do anything with gpo, when the sccm client applies policy it will set those keys for you. There is however a good setting that will let the client go directly to Microsoft for "additional content" if it's not available on the update server it's pointed to. You might need that to allow store downloads.

FISHMANPET

The Semi-Annual Channel (that's the official name for those releases) doesn't support a GUI period. They're also only supported for 18 months, so they're intended for a fairly specific use case which is totally different from the Long Term Servicing Channel releases.

FISHMANPET

You don't want to install LTSC branches on desktops, the official word is that Windows 10 LTSC is for, like, aircraft control computers. I think there are some technical limitations why certain apps won't work on LTSC, but also I think it's a ploy by Microsoft (that I happen to agree with) to make LTSC as painful to use as possible, otherwise every enterprise would just install LTSC and do big fleet-wide upgrades every 5 years like they did with XP/Vista/7/8, etc., instead of sticking with the rolling releases.

But that's just on the desktop side, servers, vast majority are LTSC, and the SAC failed to take off so much that they're just ditching it entirely apparently.

FISHMANPET

My account is in "Protected Users" which does some stuff like disable NTLM auth. Our VMware admins are switching from "AD" auth to accessing AD via LDAPS, and nobody in Protected Users is able to log in.

FISHMANPET

Despite having "Active Directory" in the name, Azure AD is not "AD but in the cloud". It's mostly just a coincidence that it shares a name, you should carry forward no expectations of specific functionality or practices that you're used to from on-prem AD just because it has "AD" in the name.

FISHMANPET

This all started as me having some ConfigMgr questions as I was just getting started with the tool, and since then I've changed jobs to one where I was the highest tier SME in the entire org around ConfigMgr. And then I've slowly transitioned off that into more general "Microsoft Server" stuff with a big healthy dollop of Azure stuff. I know there's an AWS thread, but no generic "cloud" thread, and no "Azure" thread. "Enterprise Microsoft Q&A: Hello for Buttprint" probably encompasses Azure as a cloud platform plus managing devices in a "modern" way, although it'd be nice if it had Azure in the title. Maybe "Enterprise Microsoft/Azure Q&A: Hell for Buttprint". There's no OP and I couldn't be arsed to write one anyways. But I could throw some more links there, I guess write a few words about the "scope" of the thread. Or hell we could make a new one.

FISHMANPET

Wait Azure Automation still has PMs?

FISHMANPET

I once used OBS for a work presentation with a green screen. Outputting to a virtual camera will probably miss a step (it did with Zoom). I was using OBS to put my talking head in the bottom corner of the screen while my content was being shared. OBS could set that scene up well enough, but I ended up setting it to display on a 3rd monitor, and then I shared that screen via Zoom. So I had my main monitor for what I was showing off, my left monitor had OBS and zoom running, and then OBS played its output on my right monitor, and that's the screen I shared in Zoom.

Outputting to a virtual camera doesn't work that great because Zoom optimizes the experience of a camera feed for faces, which is different from the experience of a shared screen.

FISHMANPET

They can co-exist just fine, if you want them to. I think it's a somewhat common pattern to have Intune just install the ConfigMgr client and then rely on ConfigMgr (properly set up to allow connections from outside your private network) for software. There are a lot of benefits to Intune outside of software deployment. But it's really not meant to be a drop-in replacement for ConfigMgr, it is a new paradigm of managing things, and I think if you try your old ConfigMgr paradigm with Intune things are going to be rough.

I think you'd be totally justified saying "Hey, wait a minute, what about our existing set of applications, are we going to be given time and staff to migrate those?" They might be planning on doing hybrid and still using that existing investment. Or be totally unaware of the huge pile of pain they're dropping on you. It sounds like you're pretty far away from where the decision is made though, so you might just end up eating poo poo.

E: I've been out of the game a while, so listen to IE also about how easy or hard it would be to move your existing deployments to Intune. The stuff about hybrid is still true as far as I know, but Intune may have more functionality now to the point where it's much easier to ditch ConfigMgr altogether.

FISHMANPET fucked around with this message at 19:42 on May 31, 2023

FISHMANPET

I read that as there being some one time sync happening behind the scenes on first login, maybe the system registering something on the AD computer object that gets pushed up to Azure AD.

I don't have much experience with HfB, but my coworker set it up for a different complex scenario and I spent a fair amount of time with him digging through docs and Woof, it is some complex poo poo.

FISHMANPET

There definitely is, because we limit it, but I don't know off hand how it's done exactly. I think there's an RBAC role for creating subscriptions, maybe everybody is in a group that has that role assigned?
