Re: [mssms] Query on "Windows 10 Update Assistant"

[Adam Juelich]

How are you handling and delivering Windows Updates?

If you're seeing this behavior then you're either not managing the updates
or you have a sort of Dual-Scan behavior enabled.

On Sat, Feb 10, 2018 at 12:52 AM, Miriyala, Vasu <
vasu.miriy...@capgemini.com> wrote:

> Hello,
>
>
>
> We observe this application (in subject) is installed on Win10 systems and
> automatically upgrading latest feature updates like 1709 etc.
>
>
>
>1. How is this software installed, what triggers it ?
>2. Is there a way to prevent this software getting auto installed,
>either GPO or using SCCM settings (not a package to uninstall 
>though)?
>3. Its already installed on some machines. How to stop machines
>installing latest feature updates ?
>
>
>
> Thanks, Vasu
> This message contains information that may be privileged or confidential
> and is the property of the Capgemini Group. It is intended only for the
> person to whom it is addressed. If you are not the intended recipient, you
> are not authorized to read, print, retain, copy, disseminate, distribute,
> or use this message or any part thereof. If you receive this message in
> error, please notify the sender immediately and delete all copies of this
> message.
>
>

Re: [External] [mssms] RE: Office 365 updates basically impossible to deploy with Configmgr

[Adam Juelich]

Just a heads-up that David James re-opened this ask to finally fix it.  See
Twitter response below:

[image: Inline image 1]

On Fri, Jan 19, 2018 at 8:20 AM, Miller, Todd  wrote:

> I’m not having trouble getting the O365 patches to appear on my clients.
> My trouble is the unacceptable user experience of how they are applied.
> There should be no circumstance where ConfigMgr allows an O365 update to
> close all Office applications without any messaging.  The 1706 ConfigMgr
> agent will do just that when applying O365 updates on any client where the
> deadline for the O365 update is in the past.  This would happen any time
> that you turn on a computer that was not on for the 48 hours preceding the
> patch deadline.
>
> I have professors that take laptops they use a couple of times a week to
> go give a lecture on Friday and PowerPoint just closes in the middle of the
> lecture because the deadline for the O365 patch was on Thursday and they
> missed the short notification window since they last used the laptop the
> previous Monday,
>
> I have 1/3 of our computers that are hot seat shared machines.  The office
> notification becomes like a hot potato.  All the users ahead of the update
> postpone the notice because they don’t want to be interrupted in their work
> on the computer.  Then whoever happens to be at the computer when the
> deadline passes gets the update without warning and office apps are closed
> right out from under them.
>
> The O365 update process as designed in ConfigMgr currently is only
> acceptable in situations where there is a one to one relationship between
> computer and user, and that computer is in use every day.   Otherwise the
> user of the computer at the time the update applies will just have the rug
> pulled out from under them.
>
> I am working with premier on this issue, and so far we have found it is
> working as designed and they calling it a product flaw -so trying to figure
> out what to do,
>
> I am  leaning towards abandoning O365 and switching to 2016 MSI.  The C2R
> O365 update process via ConfigMgr needs some rethinking, and the Office
> 2016 patch process is the same as it has been for the last 10 years.
>
> Sent from my iPad
>
> On Jan 18, 2018, at 11:03 PM, Art Flores  wrote:
>
> I am planning to start next month in production, got it working in the
> test lab using this link.
>
>
>
> https://blogs.technet.microsoft.com/askpfeplat/2017/
> 03/23/troubleshooting-office-365-proplus-patching-through-
> system-center-configuration-manager/
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Miller,
> Todd
> *Sent:* Thursday, January 18, 2018 11:48 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Office 365 updates basically impossible to deploy with
> Configmgr
>
>
>
> Has anybody started deploying Office 365 updates via Configmgr?
>
>
>
> I am finding that they are *really* problematic.  Updates seem to just
> start applying without warning, and the update will close all the running
> Office applications without notification.
>
>
>
> The user gets a notification if the update deadline is a couple of days in
> the future, but once the deadline is past, the updates just start without
> warning and the office apps just close.
>
>
>
> In many scenarios, the user will get no notification at all and office
> apps will just close without warning.
>
>
>
> So a user fires up a laptop that has been off for a couple of days and
> opens up Word and Outlook to start her day.  Unbeknownst to the user a
> patch deadline has past while here computer was off and the update starts
> downloading.  10-15 minutes into her day, the email she was just about to
> send is lost due to Outlook closing without warning.  *And this is by
> design…*
>
>
>
> There can be *many* instance where a computer comes into scope for an
> office 365 update *after* the deadline for that update has passed.
>
>
>
>  I started looking into this and much to my dismay, it is operating as
> intended or at least designed. https://docs.microsoft.com/en-us/sccm/sum/
> deploy-use/manage-office-365-proplus-updates
>
> This is some kind of sick joke.   How can an organization operate like
> this?
>
>- A notification icon displays in the notification area on the task
>bar for required apps where the deadline is within 48 hours in the future
>and the update content has been downloaded.
>- A countdown dialog displays for required apps where the deadline is
>within 7.5 hours in the future and the update has been downloaded. The user
>can postpone the countdown dialog up to three times before the deadline.
>When postponed, the countdown displays again after two hours. If not
>postponed, there is a 30-minute countdown and update gets installed when
>the countdown expires.
>- *A pop-up notification might not display until the user clicks the
>  

Re: [mssms] 1709 Compat Scan

[Adam Juelich]

a, I'm seeing that now.  That's interesting.  I'm assuming that's
associated with a Home Drive or an Apps Drive?  I would think it would
parse through items registered in Add/Remove Programs but maybe not?

On Fri, Jan 26, 2018 at 2:33 PM, Enley, Carl <cen...@arifleet.com> wrote:

> Thanks we actually have Upgrade Analytics running but that would not help
> us here. The compat scan actually found files on our network file server
> and that is what I am trying to understand…why would it search there?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Friday, January 26, 2018 1:45 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] 1709 Compat Scan
>
>
>
> Just a heads-up that you can utilize OMS in Azure for free to grab all of
> this data, chug through it, and tell you which apps won't work in Windows
> 10, which ones will be upgrade blocks, etc.  It also integrates into
> ConfigMgr with a nice dashboard and the ability to build collections off of
> that data.
>
>
>
> On Fri, Jan 26, 2018 at 7:47 AM, Enley, Carl <cen...@arifleet.com> wrote:
>
> So we are moving along pretty good with our W10 1607 > 1709 upgrade via
> SCCM task sequence, mostly still in the IT deployment / Business pilot
> phase. I had a user contact me yesterday telling me the update failed so I
> did the usual digging through the log files in the panther directory and I
> found failure pretty quickly. There were 4 applications listed as hard
> blocks in the compatdata.xml file as shown below. I figured easy I will
> just remove the programs and go about my day or so I thought. I started
> poking around on the users machine and I couldn’t find any of the programs
> Windows was complaining about installed, nor could I even find a file or
> registry key that matched those programs.
>
>
>
>  IconId="afamgt.sys|56853beb5c5b62af"> BlockingType="Hard" StatusDetail="UpgradeBlock"/> Name="ManualUninstall" DisplayStyle="Text" ResolveState="NotRun"/> Program>
>
>
>
>  IconId="mcconsol.exe|b007179cc8857bb1"> BlockingType="Hard" StatusDetail="UpgradeBlock"/> Name="ManualUninstall" DisplayStyle="Text" ResolveState="NotRun"/> Program>
>
>
>
>  StatusDetail="UpgradeBlock"/> DisplayStyle="Text" ResolveState="NotRun"/>
>
>
>
>  StatusDetail="UpgradeBlock"/> DisplayStyle="Text" ResolveState="NotRun"/> CompatReport>
>
>
>
> I started digging deeper and found another log file in the panther
> directory called 2kP-xumRk0W++Fnb.3.8.0.0_APPRAISER_HumanReadable.xml
> that had some additional information in it like where the program that was
> being blocked was located. So it turn out all of the programs that Windows
> was finding and causing the 1709 upgrade block are files buried out on a
> network drive that everyone in the company has mapped? Why would the compat
> scan search mapped network drives for program compatibility, this can’t be
> the expected behavior can it?
>
>
>
> 
>
> 
>
>
>
> 
>
> 
>
>
>
> 
>
> 
>
> 
>
>
>
> 
>
> 
>
> 
>
>
>
>
>
>
>
> Here is the command line that my OS upgrade TS runs –
>
>
>
> Command line of Windows Setup upgrade: '"C:\windows\ccmcache\18\SETUP.EXE"
> /ImageIndex 3 /auto Upgrade /quiet /noreboot /postoobe
> "C:\windows\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback
> "C:\windows\SMSTSPostUpgrade\SetupRollback.cmd" /DynamicUpdate Disable
> /compat IgnoreWarning  /compat ScanOnly
>
>
>
>
>
> Here is what I get when I run the setup.exe manually from the ccmcache
> directory.
>
>
>
>
>
>
>
>
>
>

Re: [mssms] 1709 Compat Scan

[Adam Juelich]

Just a heads-up that you can utilize OMS in Azure for free to grab all of
this data, chug through it, and tell you which apps won't work in Windows
10, which ones will be upgrade blocks, etc.  It also integrates into
ConfigMgr with a nice dashboard and the ability to build collections off of
that data.

On Fri, Jan 26, 2018 at 7:47 AM, Enley, Carl  wrote:

> So we are moving along pretty good with our W10 1607 > 1709 upgrade via
> SCCM task sequence, mostly still in the IT deployment / Business pilot
> phase. I had a user contact me yesterday telling me the update failed so I
> did the usual digging through the log files in the panther directory and I
> found failure pretty quickly. There were 4 applications listed as hard
> blocks in the compatdata.xml file as shown below. I figured easy I will
> just remove the programs and go about my day or so I thought. I started
> poking around on the users machine and I couldn’t find any of the programs
> Windows was complaining about installed, nor could I even find a file or
> registry key that matched those programs.
>
>
>
>  IconId="afamgt.sys|56853beb5c5b62af"> BlockingType="Hard" StatusDetail="UpgradeBlock"/> Name="ManualUninstall" DisplayStyle="Text" ResolveState="NotRun"/> Program>
>
>
>
>  IconId="mcconsol.exe|b007179cc8857bb1"> BlockingType="Hard" StatusDetail="UpgradeBlock"/> Name="ManualUninstall" DisplayStyle="Text" ResolveState="NotRun"/> Program>
>
>
>
>  StatusDetail="UpgradeBlock"/> DisplayStyle="Text" ResolveState="NotRun"/>
>
>
>
>  StatusDetail="UpgradeBlock"/> DisplayStyle="Text" ResolveState="NotRun"/> CompatReport>
>
>
>
> I started digging deeper and found another log file in the panther
> directory called 2kP-xumRk0W++Fnb.3.8.0.0_APPRAISER_HumanReadable.xml
> that had some additional information in it like where the program that was
> being blocked was located. So it turn out all of the programs that Windows
> was finding and causing the 1709 upgrade block are files buried out on a
> network drive that everyone in the company has mapped? Why would the compat
> scan search mapped network drives for program compatibility, this can’t be
> the expected behavior can it?
>
>
>
> 
>
> 
>
>
>
> 
>
> 
>
>
>
> 
>
> 
>
> 
>
>
>
> 
>
>  />
>
> 
>
>
>
>
>
>
>
> Here is the command line that my OS upgrade TS runs –
>
>
>
> Command line of Windows Setup upgrade: '"C:\windows\ccmcache\18\SETUP.EXE"
> /ImageIndex 3 /auto Upgrade /quiet /noreboot /postoobe
> "C:\windows\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback
> "C:\windows\SMSTSPostUpgrade\SetupRollback.cmd" /DynamicUpdate Disable
> /compat IgnoreWarning  /compat ScanOnly
>
>
>
>
>
> Here is what I get when I run the setup.exe manually from the ccmcache
> directory.
>
>
>
>
>

Re: [mssms] Deploying the .NET registry entries

[Adam Juelich]

.NET Registry Keys?  Or are you talking about Meltdown/Spectre?  That third
one is for Hyper-V Hosts

On Tue, Jan 23, 2018 at 2:25 PM, Heaton, Joseph@Wildlife <
joseph.hea...@wildlife.ca.gov> wrote:

> So, I created a deployment package, with a batch file containing the 3 reg
> add commands.  I’ve deployed it to 3 test servers.  2 of the 3 reg keys are
> created, no problem, but the 3rd, under HKLM\Software, doesn’t get
> created.  If I copy the batch file locally, and run it, this key does get
> created.  The account being used to deploy the package is a local admin on
> every box in my environment.  And the oddest part, to me, is that the
> deployment comes up green, as if all 3 had been created.  Has anyone else
> had this experience?  Is there a better way of deploying these reg adds?
>
>
>
> Joe Heaton
>
> Information Technology Operations Branch
>
> Data and Technology Division
>
> CA Department of Fish and Wildlife
>
> 1700 9th Street, 3rd Floor
>
> Sacramento, CA  95811
>
> Desk:  916-323-1284 <(916)%20323-1284>
>
>
>

Re: [mssms] RE: Windows 10 servicing update showing superseded?

[Adam Juelich]

Wendell, CB and CBB no longer exist. they have been replaced by
Semi-Annual Channel (Targeted) and Semi-Annual Channel (Broad)

I was just curious if the Feature Update there was referencing that.

On Tue, Jan 23, 2018 at 11:29 AM, Kelkar, Bhushan <
bhushan.kel...@allscripts.com> wrote:

> I just checked  this under automatic deployment rules of Servicing Plans
> under Windows 10 servicing. This is still CB (Current Branch) AKA
> Semi-Annual (targeted) version.
>
>
>
> *Bhushan Kelkar*
>
> Expert Systems Engineer
> *O*: +91.207.107.8404 <+91%2020%207107%208404>   *M*: +91.954.524.0543
> <+91%2095452%2040543>
>
> bhushan.kel...@allscripts.com | allscripts.com
>  | @allscripts
> 
>
>
>
> *Allscripts: Building open, connected communities of health*
>
> __
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Wendell Hutchison
> *Sent:* Monday, January 22, 2018 6:32 PM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Windows 10 servicing update showing superseded?
>
>
>
> No, CB= Current Branch, CBB= Current Branch Business, and LTSB= Long Term
> Service Branch.
>
> https://docs.microsoft.com/en-us/windows/deployment/update/
> waas-overview#servicing-channels
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Monday, January 22, 2018 3:39 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Windows 10 servicing update showing superseded?
>
>
>
> So business=enterprise?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Bateman,
> Vern
> *Sent:* Monday, January 22, 2018 2:22 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Windows 10 servicing update showing superseded?
>
>
>
> There used to be 2 feature updates showing, not really knowing which one
> was what, now they have separated into Business (enterprise) and Consumer
> editions
>
>
>
> *Vern Bateman*
>
> Support Services Analyst
>
> *Affinity Credit Union | *Estevan
>
> *P* 306.385.4492 <(306)%20385-4492>  *M *306.371.3840 <(306)%20371-3840>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Monday, January 22, 2018 3:35 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Windows 10 servicing update showing superseded?
>
>
>
> Supersedence says this. Weird.
>
>
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Monday, January 22, 2018 10:51 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Windows 10 servicing update showing superseded?
>
>
>
> Anyone else have this? I can’t find a different version of the enterprise
> update in my console.
>
>
>
>
>
>
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>
>
>
>
> You’ve received this email from someone at Affinity Credit Union. We
> understand – you get a lot of emails and may not want to get any more from
> us. We’ll be sad to see you go, but you can unsubscribe from our mailing
> list by clicking on this link
> 
> .
>
>
> --
>
>
> CONFIDENTIALITY STATEMENT MESSAGE: This e-mail and any attachments may
> contain confidential and privileged information. It is intended for the
> sole use of the individual(s) to whom it is specifically addressed and
> should not be read by, or delivered to, any other person. The act of having
> communicated by email in no way waives any privilege or confidentiality
> that may be claimed over these communications. If you are not the intended
> recipient, please notify the sender immediately by return e-mail, delete
> this e-mail and destroy all copies. Any dissemination or use of this
> information by a person other than the intended recipient is not authorized
> and may be illegal. We thank you in advance for your cooperation. Affinity
> Credit Union is committed to protecting personal information in a manner
> that is accurate, confidential, secure, and responsible. We have taken
> precautions against viruses, but take no responsibility for loss or damage
> that may be caused by its contents. Unless otherwise stated, opinions
> expressed in this email are those of the author 

Re: [mssms] RE: Questions around deploying with SCCM/SCUP

[Adam Juelich]

Good question, I haven't thought about this before.

If using Application Method you'd probably have to use Detection Method for
Version => xxx.xx
Otherwise, standard Package deployment would work.

On Tue, Jan 23, 2018 at 12:23 PM, Heaton, Joseph@Wildlife <
joseph.hea...@wildlife.ca.gov> wrote:

> I think the only way it would go back and forth, is if you select “Always
> rerun”.  I typically select “rerun upon failure”, or something to that
> effect.
>
>
>
> So, deploy the base app with SCCM, then import and upgrade/patch using the
> SCUP import.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Chris Carbone
> *Sent:* Tuesday, January 23, 2018 9:15 AM
> *To:* 'mssms@lists.myitforum.com' 
> *Subject:* [mssms] Questions around deploying with SCCM/SCUP
>
>
>
> Hello All,
>
>
>
> This is probably a goofy question but wanted to see how others are
> handling this. We recently purchased PatchMyPC licenses to leverage
> patching 3rd party applications. I was not aware that this will only update
> existing installed applications and you cannot use it for pushing software
> to machines that never had the software installed.
>
>
>
> How is everyone handling I guess the, “base” version of your applications
> in SCCM? Do you just update the detection method to include the newest
> build from SCUP so it will always show as compliant in software center? Or
> do you update the base version every so often? I guess if you are not
> careful and push out the base application and leave it out there, then down
> the road also push out a newer update with the SCUP version, the machine
> will go back and forth installing the old one and newer one.
>
>
>
> I also have a couple steps in my TS to install applications during OSD and
> I guess with SCUP when it imports into SCCM, shows up as a software update.
> I know how software updates and task sequences do not work all that great.
> Are you also not using SCUP/PatchMyPC for OSD applications? Or found a
> dependable way to do this?
>
>
>
> Thanks in advance!
>
>
>
> Chris
>
> This electronic mail transmission may contain confidential information
> intended only for the use of the individual(s) identified as addressee(s).
> If you are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution or the taking of any action in reliance
> on the contents of this electronic mail transmission is strictly
> prohibited. If you have received this transmission in error, please notify
> me by telephone immediately.
>
>
>
>

Re: [mssms] RE: Windows 10 servicing update showing superseded?

[Adam Juelich]

Is this a Semi-Annual Channel (Broad) versus (Targeted) thing?  AKA, CBB vs
CB?

On Mon, Jan 22, 2018 at 7:58 PM, Bateman, Vern 
wrote:

> This is how it use to show in configmgr..2 updates per each language. MS I
> take it has made it easier to distinguish the 2 updates. Makes sense..lol
>
> Http://bit.ly/2F1FIEH
>
>
> So yes. Business equals Enterprise.
>
>
> Vern Bateman
> Support Services Analyst
> Affinity Credit Union | Campus
> P 306.385.4492 <(306)%20385-4492>  M 306.371.3840 <(306)%20371-3840>
>
>
>  Original message 
> From: ODONNELL Aaron M 
> Date: 2018-01-22 5:23 PM (GMT-06:00)
> To: "'mssms@lists.myitforum.com'" 
> Subject: [mssms] RE: Windows 10 servicing update showing superseded?
>
> Is there any actual difference between the two editions, or is it just
> branding?
>
>
>
>
>
> Thanks,
>
>
>
> Aaron O’Donnell
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Bateman, Vern
> *Sent:* Monday, January 22, 2018 2:22 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Windows 10 servicing update showing superseded?
>
>
>
> There used to be 2 feature updates showing, not really knowing which one
> was what, now they have separated into Business (enterprise) and Consumer
> editions
>
>
>
> *Vern Bateman*
>
> Support Services Analyst
>
> *Affinity Credit Union | *Estevan
>
> *P* 306.385.4492 <(306)%20385-4492>  *M *306.371.3840 <(306)%20371-3840>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Monday, January 22, 2018 3:35 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Windows 10 servicing update showing superseded?
>
>
>
> Supersedence says this. Weird.
>
>
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Monday, January 22, 2018 10:51 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Windows 10 servicing update showing superseded?
>
>
>
> Anyone else have this? I can’t find a different version of the enterprise
> update in my console.
>
>
>
>
>
>
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>
>
>
>
> You’ve received this email from someone at Affinity Credit Union. We
> understand – you get a lot of emails and may not want to get any more from
> us. We’ll be sad to see you go, but you can unsubscribe from our mailing
> list by clicking on this link
> 
> .
>
>
> --
>
>
> CONFIDENTIALITY STATEMENT MESSAGE: This e-mail and any attachments may
> contain confidential and privileged information. It is intended for the
> sole use of the individual(s) to whom it is specifically addressed and
> should not be read by, or delivered to, any other person. The act of having
> communicated by email in no way waives any privilege or confidentiality
> that may be claimed over these communications. If you are not the intended
> recipient, please notify the sender immediately by return e-mail, delete
> this e-mail and destroy all copies. Any dissemination or use of this
> information by a person other than the intended recipient is not authorized
> and may be illegal. We thank you in advance for your cooperation. Affinity
> Credit Union is committed to protecting personal information in a manner
> that is accurate, confidential, secure, and responsible. We have taken
> precautions against viruses, but take no responsibility for loss or damage
> that may be caused by its contents. Unless otherwise stated, opinions
> expressed in this email are those of the author and are not necessarily
> endorsed by the author's employer.
>
>
>
> You’ve received this email from someone at Affinity Credit Union. We
> understand – you get a lot of emails and may not want to get any more from
> us. We’ll be sad to see you go, but you can unsubscribe from our mailing
> list by clicking on this link
> 
> .
>
> --
>
> CONFIDENTIALITY STATEMENT MESSAGE: This e-mail and any attachments may
> contain confidential and privileged information. It is intended for the
> sole use of the individual(s) to whom it is specifically addressed and
> should not be read by, or delivered to, any other person. The act of having
> communicated by email in no way waives 

Re: [mssms] MS Office x86 or x64

[Adam Juelich]

The general recommendation is x86 due to Add-ins and such.  If you can make
x64 work, more power to you, but it's generally not recommended because
most run into an issue that requires them to pedal back.

On Wed, Jan 10, 2018 at 3:37 PM, Mike Murray  wrote:

> It's been a while since I revisited this, but is 32-bit MS Office still
> the safer bet in enterprise (instead of 64)?
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>

Re: [mssms] RE: Confused - Spectre / Meltdown

[Adam Juelich]

Workstation:

   1. Registry Key set by A/V (or manually set based on A/V guidance)
   2. Windows Update
   3. BIOS/Firmware Update from vendor

Server:

   1. Registry Key set by A/V (or manually set based on A/V guidance)
   2. Window Update
   3. Push Registry Keys (2 needed, the third is for Hypver-V Hosts - I
   believe)
  1. Test and monitor performance impact
   4. BIOS/Firmware Update from vendor


That is my understanding thus far...

Good thing we have nothing else to do ;-)


On Tue, Jan 9, 2018 at 10:48 AM, Brian Illner 
wrote:

> My understanding was that those keys were just for the ServerOS?
>
>
>
> I have a Dell laptop that I completed all the tasks for and *it does not
> have the memory management keys* and yet it shows as all green in
> SpeculationControl?
>
>
>
> Come on MS, your information is changing hourly as each team contradicts
> the other
>
>
>
> *BRIAN* *ILLNER |* Canal Insurance Company
> 864.250.9227 <(864)%20250-9227>
> 864.679.2537 <(864)%20679-2537> Fax
>
>
>
>
> Visit canalinsurance.com for news and information.
>
>
> 
>
> *WARNING*:  *As the information in this transmittal (including
> attachments, if any) may contain confidential, proprietary, or business
> trade secret information, it should only be reviewed by those who are the
> intended recipients.  Unless you are an intended recipient, any review,
> use, disclosure, distribution or copying of this transmittal (or any
> attachments) is strictly prohibited.   If you have received this
> transmittal in error, please notify me immediately by reply email and
> destroy all copies of the transmittal.  While Canal believes this
> transmittal to be free of virus or other defect, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility is
> accepted by Canal (or its subsidiaries and affiliates) for any loss or
> damage arising therefrom.*
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kent, Mark
> *Sent:* Tuesday, January 9, 2018 11:00 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Confused - Spectre / Meltdown
>
>
>
> Yeah I see them at the bottom of https://support.microsoft.com/
> en-us/help/4073119/protect-against-speculative-execution-
> side-channel-vulnerabilities-in
>
>
>
> And they don’t really say what they are for.
>
>
>
> Keep refreshing the page, wait for an edit J
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *SCCM FUN
> *Sent:* Tuesday, January 9, 2018 10:02 AM
> *To:* mssms@lists.myITforum.com
> *Subject:* [mssms] Confused - Spectre / Meltdown
>
>
>
> Can anyone confirm the following?
>
>
>
> Workstation/Servers - both need the AV key in order to do any patching
> going forward
>
>
>
> Workstation
>
> At one point in the MS article for workstation patching (4073119) I could
> of sworn there wasn't anything about having to making registry settings
> (except for AV) but now it looks like they added 2 registry keys.  Were
> these 2 reg keys always in the KB/needed?
>
>
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
>
>
> Server
>
> 3 reg keys need to be added for the server patch to take effect.  Are you
> enabling this on all your servers or just the 3 use cases they list in
> their article (4072698).
>
>
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
> /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
>
>
>
> Thanks
>
>
>
>
>
>

Re: [mssms] Confused - Spectre / Meltdown

[Adam Juelich]

Correct, although I think that third Registry Key for Servers is only
needed for Hyper-V Hosts.

On top of all that, you would need to apply a BIOS/Firmware Update to get
the CPU Microcode Updates.

On Tue, Jan 9, 2018 at 9:01 AM, SCCM FUN  wrote:

> Can anyone confirm the following?
>
> Workstation/Servers - both need the AV key in order to do any patching
> going forward
>
> Workstation
> At one point in the MS article for workstation patching (4073119) I could
> of sworn there wasn't anything about having to making registry settings
> (except for AV) but now it looks like they added 2 registry keys.  Were
> these 2 reg keys always in the KB/needed?
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
>
> Server
> 3 reg keys need to be added for the server patch to take effect.  Are you
> enabling this on all your servers or just the 3 use cases they list in
> their article (4072698).
>
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
> Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3
> /f
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
> /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
>
> Thanks
>
>

Re: [mssms] RE: Spectre/Meltdown patch breaks ConfigMgr/SQL?

[Adam Juelich]

This is a good question, Brian.

Let us know how it goes.

On Tue, Jan 9, 2018 at 8:11 AM, Brian Illner 
wrote:

> Thanks Rod
>
>
>
> This is outside of any AV considerations. We install our AV during an OSD
> task sequence instead of including it on the reference images.
>
>
>
> I’m trying to find out if MS has (temporarily?) broken a basic feature of
> CM and MDT without manual administrator intervention because of this.
>
>
>
> Going to fire up the test environment shortly to see what happens there.
>
>
>
> *BRIAN* *ILLNER |* Canal Insurance Company
> 864.250.9227 <(864)%20250-9227>
> 864.679.2537 <(864)%20679-2537> Fax
>
>
>
>
> Visit canalinsurance.com for news and information.
>
>
> 
>
> *WARNING*:  *As the information in this transmittal (including
> attachments, if any) may contain confidential, proprietary, or business
> trade secret information, it should only be reviewed by those who are the
> intended recipients.  Unless you are an intended recipient, any review,
> use, disclosure, distribution or copying of this transmittal (or any
> attachments) is strictly prohibited.   If you have received this
> transmittal in error, please notify me immediately by reply email and
> destroy all copies of the transmittal.  While Canal believes this
> transmittal to be free of virus or other defect, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility is
> accepted by Canal (or its subsidiaries and affiliates) for any loss or
> damage arising therefrom.*
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Rod Trent
> *Sent:* Tuesday, January 9, 2018 8:23 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] RE: Spectre/Meltdown patch breaks ConfigMgr/SQL?
>
>
>
> Setting that registry works in some situations – but not all.
>
>
>
> There’s a master list of supported AV software:
>
>
>
> http://myitforum.com/myitforumwp/2018/01/09/the-master-list-of-antivirus-
> compatibility-with-microsofts-meltdownspectre-patches/
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Brian
> Illner
> *Sent:* Tuesday, January 9, 2018 8:13 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] RE: Spectre/Meltdown patch breaks ConfigMgr/SQL?
>
>
>
> Aaron – If setting that registry key is now mandatory for the time being
> for the security updates to install, how does that affect OS offline
> updates servicing in MDT and CM? Broken I assume without manually editing
> the WIM first for the key?
>
>
>
> https://support.microsoft.com/en-us/help/4072699/january-3-
> 2018-windows-security-updates-and-antivirus-software
>
>
>
>
>
>
>
> *BRIAN* *ILLNER |* Canal Insurance Company
> 864.250.9227 <(864)%20250-9227>
> 864.679.2537 <(864)%20679-2537> Fax
>
>
>
>
> Visit canalinsurance.com for news and information.
>
>
> 
>
> *WARNING*:  *As the information in this transmittal (including
> attachments, if any) may contain confidential, proprietary, or business
> trade secret information, it should only be reviewed by those who are the
> intended recipients.  Unless you are an intended recipient, any review,
> use, disclosure, distribution or copying of this transmittal (or any
> attachments) is strictly prohibited.   If you have received this
> transmittal in error, please notify me immediately by reply email and
> destroy all copies of the transmittal.  While Canal believes this
> transmittal to be free of virus or other defect, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility is
> accepted by Canal (or its subsidiaries and affiliates) for any loss or
> damage arising therefrom.*
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Aaron
> Czechowski
> *Sent:* Monday, January 8, 2018 8:40 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] RE: Spectre/Meltdown patch breaks ConfigMgr/SQL?
>
>
>
> We just published a blog post with a piece on SQL (in Config Manager
> infrastructure section): https://blogs.technet.microsoft.com/
> configurationmgr/2018/01/08/additional-guidance-to-mitigate-speculative-
> execution-side-channel-vulnerabilities/
>
>
>
> Let me know if you have any further questions/comments.
>
>
>
> Aaron
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Sherry
> Kissinger
> *Sent:* Monday, 8 January, 2018 11:52
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] RE: Spectre/Meltdown patch breaks ConfigMgr/SQL?
>
>
>
> Have you read through this yet:  https://support.microsoft.com/
> en-us/help/4073225/guidance-for-sql-server
> 

Re: [mssms] OSD problem - Failed to save environment to (80070057)

[Adam Juelich]

Which version of the ADK and which version of Windows 10?

On Wed, Nov 15, 2017 at 12:17 PM, Mike Murray <mmur...@csuchico.edu> wrote:

> Yes, I generated a site-based media ISO.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *John Marcum
> *Sent:* Wednesday, November 15, 2017 10:04 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] OSD problem - Failed to save environment to
> (80070057)
>
>
>
> Are you booting from an iso?
>
>
>
>
>
> Sensitivity: Confidential between partners
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Mike Murray
> *Sent:* Wednesday, November 15, 2017 10:22 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] OSD problem - Failed to save environment to
> (80070057)
>
>
>
> Yes, it’s one of the first steps before this error. BUT, this is a brand
> new Hyper-V VM, it’s not bitlocked.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *nick aquino
> *Sent:* Wednesday, November 15, 2017 5:55 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] OSD problem - Failed to save environment to
> (80070057)
>
>
>
> 'GetConversionStatus' failed (2150694912) = This drive is locked by
> BitLocker Drive Encryption. You must unlock this drive from Control Panel.
>
>
>
> Did you disable bitlocker for the upgrade?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Adam
> Juelich
> *Sent:* Tuesday, November 14, 2017 11:05 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] OSD problem - Failed to save environment to
> (80070057)
>
>
>
> Which ADK version and which Windows 10 version?  If you enable testing and
> hit F8, do you see the drive?
>
>
>
> For what it's worth, I've NEVER had to insert a storage or NIC driver if
> I've kept up with the ADKs.
>
>
>
> On Tue, Nov 14, 2017 at 5:30 PM, Mike Murray <mmur...@csuchico.edu> wrote:
>
> Brand new SCCM server! CM1702. I’m trying to deploy windows 10, the task
> sequence fails. Googling seems to indicate a missing storage driver, but
> I’ve imported mass storage drivers to the boot image. If I hit F8, I can
> see the disk in diskpart. And I’m getting an IP Here are the errors in
> smsts.log (I’m attaching the full log as well). Any ideas?
>
>
>
> Failed to save environment to  (80070057)11/13/2017 4:52:42 PM
> 1772 (0x06EC)
>
> Failed to save the current environment block. This is usually caused by a
> problem with the program. Please check the Microsoft Knowledge Base to
> determine if this is a known issue or contact Microsoft Support Services
> for further assistance.
>
> The parameter is incorrect. (Error: 80070057; Source: Windows) 11/13/2017
> 4:52:42 PM 1772 (0x06EC)
>
> Failed to persist execution state. Error 0x(80070057)11/13/2017
> 4:52:42 PM 1772 (0x06EC)
>
> Failed to save execution state and environment to local hard
> disk  11/13/2017 4:52:42 PM 1772 (0x06EC)
>
> 'GetConversionStatus' failed (2150694912)11/13/2017 4:52:43 PM
> 1904 (0x0770)
>
> Failed to run the action: Run AppSelector.
>
> Class not registered (Error: 80040154; Source: Windows)
> 11/13/2017 4:53:02 PM 1772 (0x06EC)
>
> The execution of the group (Install Operating System) has failed and the
> execution has been aborted. An action failed.
>
> Operation aborted (Error: 80004004; Source: Windows) 11/13/2017 4:53:03 PM
> 1772 (0x06EC)
>
> Failed to run the last action: Run AppSelector. Execution of task sequence
> failed.
>
> Class not registered (Error: 80040154; Source: Windows)
> 11/13/2017 4:53:03 PM 1772 (0x06EC)
>
>
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
> <https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.csuchico.edu%2Fisec%2Fbasics%2Fspam-and-phishing.shtml=02%7C01%7Cnick.aquino%40hotmail.com%7Cb8adaf374ea94ec506cb08d52bdf0429%7C84df9e7fe9f640afb435%7C1%7C0%7C636463159206236740=CfXAZ%2BvZZSrnFHP7M7zxSYUYM%2Bn9gmIhSetLtaYdKho%3D=0>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

Re: [mssms] OSD problem - Failed to save environment to (80070057)

[Adam Juelich]

Which ADK version and which Windows 10 version?  If you enable testing and
hit F8, do you see the drive?

For what it's worth, I've NEVER had to insert a storage or NIC driver if
I've kept up with the ADKs.

On Tue, Nov 14, 2017 at 5:30 PM, Mike Murray  wrote:

> Brand new SCCM server! CM1702. I’m trying to deploy windows 10, the task
> sequence fails. Googling seems to indicate a missing storage driver, but
> I’ve imported mass storage drivers to the boot image. If I hit F8, I can
> see the disk in diskpart. And I’m getting an IP Here are the errors in
> smsts.log (I’m attaching the full log as well). Any ideas?
>
>
>
> Failed to save environment to  (80070057)11/13/2017 4:52:42 PM
> 1772 (0x06EC)
>
> Failed to save the current environment block. This is usually caused by a
> problem with the program. Please check the Microsoft Knowledge Base to
> determine if this is a known issue or contact Microsoft Support Services
> for further assistance.
>
> The parameter is incorrect. (Error: 80070057; Source: Windows) 11/13/2017
> 4:52:42 PM 1772 (0x06EC)
>
> Failed to persist execution state. Error 0x(80070057)11/13/2017
> 4:52:42 PM 1772 (0x06EC)
>
> Failed to save execution state and environment to local hard
> disk  11/13/2017 4:52:42 PM 1772 (0x06EC)
>
> 'GetConversionStatus' failed (2150694912)11/13/2017 4:52:43 PM
> 1904 (0x0770)
>
> Failed to run the action: Run AppSelector.
>
> Class not registered (Error: 80040154; Source: Windows)
> 11/13/2017 4:53:02 PM 1772 (0x06EC)
>
> The execution of the group (Install Operating System) has failed and the
> execution has been aborted. An action failed.
>
> Operation aborted (Error: 80004004; Source: Windows) 11/13/2017 4:53:03 PM
> 1772 (0x06EC)
>
> Failed to run the last action: Run AppSelector. Execution of task sequence
> failed.
>
> Class not registered (Error: 80040154; Source: Windows)
> 11/13/2017 4:53:03 PM 1772 (0x06EC)
>
>
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>

Re: [mssms] Re: Client provision mode - Task sequence Fail

[Adam Juelich]

Version of ADK?  What anti-virus?

On Sat, Nov 4, 2017 at 11:17 PM, Kevin Ray <kevinalive...@gmail.com> wrote:

> TS method.
> 1703 sccm version
>
>
>
> On Friday, November 3, 2017, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Version of ConfigMgr?  Version of ADK? What method are you utilizing to
>> upgrade them? TS? WSUS? Servicing Model?
>>
>> Just a side-note, you should look at upgrading to 1703, otherwise you'll
>> be doing all of this over again in a few months.
>>
>> On Fri, Nov 3, 2017 at 7:34 AM, Kevin Ray <kevinalive...@gmail.com>
>> wrote:
>>
>>> any help
>>>
>>> On Wed, Nov 1, 2017 at 10:03 PM, Kevin Ray <kevinalive...@gmail.com>
>>> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm upgrading 1511 to 1607, Very few machines are getting  failed with
>>>> Client provision mode,
>>>>
>>>> If i rebuild WMI,repair the client then when i re attempt the Upgrade
>>>> going successfully
>>>>
>>>> But Is their any way i fix the issue or what causing that client is out
>>>> of provision mode or its unable to keep the provision mode
>>>>
>>>>
>>>> [image: Inline image 1]
>>>>
>>>>
>>>
>>>
>>
>>
>

Re: [mssms] Client provision mode - Task sequence Fail

[Adam Juelich]

Version of ConfigMgr?  Version of ADK? What method are you utilizing to
upgrade them? TS? WSUS? Servicing Model?

Just a side-note, you should look at upgrading to 1703, otherwise you'll be
doing all of this over again in a few months.

On Fri, Nov 3, 2017 at 7:34 AM, Kevin Ray  wrote:

> any help
>
> On Wed, Nov 1, 2017 at 10:03 PM, Kevin Ray 
> wrote:
>
>> Hi All,
>>
>> I'm upgrading 1511 to 1607, Very few machines are getting  failed with
>> Client provision mode,
>>
>> If i rebuild WMI,repair the client then when i re attempt the Upgrade
>> going successfully
>>
>> But Is their any way i fix the issue or what causing that client is out
>> of provision mode or its unable to keep the provision mode
>>
>>
>> [image: Inline image 1]
>>
>>
>
>

Re: [mssms] RE: Patching & Reboot Servers

[Adam Juelich]

I haven't seen that to be the case but maybe I'm not the norm?  Really
depends on your Maintenance Window and it's settings, as well as the
settings you specify in your Deployments.

On Fri, Oct 27, 2017 at 10:57 AM, Erno, Cynthia M (ITS) <
cynthia.e...@its.ny.gov> wrote:

>
>
> Brian,
>
>
>
> We’ve found sccm to be notoriously unreliable on forcing reboots after
> patching as well.
>
> Even when sccm clearly shows a reboot is needed.
>
> I don’t know if your company uses nessus or qualys or a similar product,
> but a simple scan
>
> would show you that your servers are not considered patched, most of the
> time,
>
> until your servers have rebooted.
>
>
>
> *Cynthia Erno*
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Brian McDonald
> *Sent:* Friday, October 27, 2017 7:39 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Patching & Reboot Servers
>
>
>
> *ATTENTION: This email came from an external source. Do not open
> attachments or click on links from unknown senders or unexpected emails.*
>
> Good morning,
>
>
>
> We have been working extremely hard getting our patch compliance numbers
> up. We recently, for the first time, hit over 90% compliance for last month.
>
>
>
> A question came up recently about scheduling reboots on servers. I decided
> to run a last reboot / uptime report against all servers in the
> environment. I found a good handful of servers that had not removed since
> August. And several servers that has not removed since last month. One
> suggestion brought the table was to schedule an automated refill for the
> servers to help increase our paths one effort.
>
>
>
> Management is telling me they see no reason to schedule reboot as long as
> patching work. I am looking to justify this need.
>
>
>
> I’d be interested to hear what other folks would suggest would be
> legitimate reasons for scheduled reboots. Basically they are saying SCCM
> how do you must not be working if servers aren’t getting rebooted. I have,
> for example, found some servers don’t receive patches if there are
> disconnected user logged into the server. By bouncing the server, I was
> able to deploy patches no problem. Any other use cases samples to support
> this would be extremely helpful.
>
>
>
> I appreciate any help or suggestions with this.
>
>
>
> Thanks!
>
>
>
> Brian
>
>
>
> Sent from my iPhone
>
>
>
>

Re: [mssms] Windows 10 Feature Updates status "stuck" on In Progress

[Adam Juelich]

Provisioning Mode?

On Wed, Oct 11, 2017 at 5:28 PM, ODONNELL Aaron M <
aaron.m.odonn...@odot.state.or.us> wrote:

> The clients are active and functional in SCCM before and after the 1703
> update, but the status never changes even after several reboots and forcing
> a client repair. If this were just a couple PCs then I wouldn’t be
> concerned about this but it’s happening well over half my test systems.
>
>
>
>
>
> Thanks,
>
>
>
> Aaron O’Donnell
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Meluso, Anthony
> *Sent:* Wednesday, October 11, 2017 12:09 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Windows 10 Feature Updates status "stuck" on In
> Progress
>
>
>
> Aaron,
>
>
>
> I have.  It usually means it timeout installing.  Make sure that the
> client is active in SCCM.  If it's not you may have to repair the client on
> the workstation.
>
>
>
> Take care,
>
> Anthony Meluso
> Network and Computer System Administrator
> Passaic Valley Regional High School
> 100 East Main St.
> 
> Little Falls, NJ 07424
> 973-890-2500 x2501 <(973)%20890-2500>
> http://www.pvhs.k12.nj.us
>
>
>
> On Wed, Oct 11, 2017 at 2:56 PM, ODONNELL Aaron M <
> aaron.m.odonn...@odot.state.or.us> wrote:
>
> We’ve been testing using the Windows 10 Servicing component to push out
> the 1703 upgrade to our 1607 workstations. The upgrade itself has worked
> great, I haven’t had any failures in the 10-15 PCs tested so far. The
> problem is that when I look at the feature update deployment under
> Monitoring in SCCM, almost every one of them has a status of “downloaded
> updates” or “Pending system restart” in the in progress tab, when in fact
> the PCs have updated successfully, rebooted several times, and even gone on
> to apply the new 1703 cumulative update after SCCM picks up that it needs
> it now. Has anyone seen this before and have any ideas on how to resolve
> it?
>
>
>
>
>
> Thanks,
>
>
>
> Aaron O’Donnell
>
>
>
>
>
>
>
>
>
>

Re: [mssms] definition updates today

[Adam Juelich]

The think best practices is not to sync more than 3 times a
day..Leverage some of the other sources for updates in unique
situations.

On Thu, Oct 12, 2017 at 10:41 AM, Stuart Watret 
wrote:

> Defender has been fine, Endpoint has downloaded no definition updates
> today.
>
> Anyone else seeing this?
>
> My wsus is set to sync every hour.
>
> Thanks
>
> Stuart
>
>
>
>
>

Re: [mssms] Question about device affinity

[Adam Juelich]

If you manually set it, it is 'Administrator-Defined' and will stick no
matter what you do, unless the User or Device gets deleted.  Others,
correct me if I'm wrong.

With all of the methods in defining UDA, none of them are perfect.  I think
we are in the process of moving a certain direction but even that has
caveats and issues.  You generally have a few options:


   1. Have it defined based on usage
  1. Issues with this when you replace a user's computer
  2. Multi-use environments, like labs, can assign Primary when it
  really isn't
   2. Import from CSV
  1. I haven't come up with a great way to create this that doesn't
  give a bunch of overhead.  Maybe from a Inventory/CMDB?
   3. Have user set their Primary
  1. User can set this on multiple devices which makes 'licensed'
  applications tricky
   4. Assign manually
  1. Can be a lot of administration depending on how many users/devices
  and how many user-based deployments you're doing.

I've made requests regarding all of these but they haven't gone anywhere,
including improving the Application Approval Request Process.

On Wed, Oct 11, 2017 at 11:44 AM, Chris Carbone <
chris.carb...@fairmountsantrol.com> wrote:

> Hello All,
>
>
>
> As I understand it when a device is set as a primary device for a user it
> needs to maintain the threshold set by policy or that device will be
> removed as a primary device for that user.
>
>
>
> If I go in and set the primary device manually under SCCM console does
> this policy still apply? Is there a way to assign a user to a device and
> force it to stick? My google skills have failed to find this answer.
>
>
>
> Thanks!
>
>
>
> Chris
>
>
>
>
>
>
>
>
> This electronic mail transmission may contain confidential information
> intended only for the use of the individual(s) identified as addressee(s).
> If you are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution or the taking of any action in reliance
> on the contents of this electronic mail transmission is strictly
> prohibited. If you have received this transmission in error, please notify
> me by telephone immediately.
>
>
>

Re: [mssms] Moving away from image installation?

[Adam Juelich]

I can't speak for everyone but I would believe most people are doing 'wipe
and loads.'  I think everyone's eventual goal is to get to that
MDM/Co-Management state and start utilizing Auto-Pilot on stock devices
straight from the vendor.  How quickly you can get there, though, depends
on business needs.

On Thu, Oct 5, 2017 at 6:37 AM,  wrote:

> MS is promoting a lot to upgrade existing systems, like Win 7 to 10 or
> even using out of the box installations from vendors, instead of wipe and
> load.
>
>
>
> e.g. us: We are on Win 7 with Office 2013 and a few language packs in the
> image.
>
> Upgrading to Win 10, now with office 2016 and the same language packs
> would take much longer than just wiping it with the image having all that
> already (and patched).
>
>
>
> But how many of you are actually using upgrade, like from win7, or even
> using HP/Dell out of the box systems and just integrate them?
>
>
>
> -Roland
>
>
>
>
>
>
>
>
>
>

Re: [mssms] RE: HELP - Windows Defender updates not working

[Adam Juelich]

Gotcha.

On Thu, Sep 28, 2017 at 10:49 AM, Mike Murray  wrote:

> This is not the issue. Please see my other message. Thanks!
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Gannon, Todd
> *Sent:* Wednesday, September 27, 2017 11:43 PM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: HELP - Windows Defender updates not working
>
>
>
> Check:
>
>- Windows Defender Product is checked in the Software Update Point
>Component
>- ADR is configured for “windows Defender”
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Thursday, 28 September 2017 6:05 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: HELP - Windows Defender updates not working
>
>
>
> Oops, forgot the log.  :/
>
>
>
> *From:* Mike Murray
> *Sent:* Wednesday, September 27, 2017 3:02 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* HELP - Windows Defender updates not working
>
>
>
> We have a small number of clients on a PCI network, so they’re pretty
> restricted to where they can communicate. We have firewall rules allowing
> communication to our management point, and Windows updates are working
> fine. But Defender updates are not. I have an Endpoint Protection policy
> assigned to these machines that specifies to use our server as the first
> update source, but these machines keep trying to connect to some version of
> *.update.microsoft.com, which gets blocked. Even then, it never tries any
> other sources, even though I have them all checked (see below). I’m
> attaching the WindowsUpdate.log from one of these machines. You can see
> there are errors when I tries to update. There is a successful update near
> the end, this is when we disconnected it from the PCI network and connected
> to a regular port.
>
>
>
> Any advice appreciated!
>
>
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this mail in error please notify the originator of the
> message. This footer also confirms that this email message has been scanned
> for the presence of computer viruses.
>
> Any views expressed in this message are those of the individual sender,
> except where the sender specifies and with authority, states them to be the
> views of the CBH Group.
>
>
>
>

Re: [mssms] RE: HELP - Windows Defender updates not working

[Adam Juelich]

Are you just doing this for Windows 10/8.x?  If not, you need to enable the
Forefront Endpoint Protection 2010 for Windows 7.

[image: Inline image 1]

On Thu, Sep 28, 2017 at 1:42 AM, Gannon, Todd 
wrote:

> Check:
>
>- Windows Defender Product is checked in the Software Update Point
>Component
>- ADR is configured for “windows Defender”
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Mike Murray
> *Sent:* Thursday, 28 September 2017 6:05 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: HELP - Windows Defender updates not working
>
>
>
> Oops, forgot the log.  :/
>
>
>
> *From:* Mike Murray
> *Sent:* Wednesday, September 27, 2017 3:02 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* HELP - Windows Defender updates not working
>
>
>
> We have a small number of clients on a PCI network, so they’re pretty
> restricted to where they can communicate. We have firewall rules allowing
> communication to our management point, and Windows updates are working
> fine. But Defender updates are not. I have an Endpoint Protection policy
> assigned to these machines that specifies to use our server as the first
> update source, but these machines keep trying to connect to some version of
> *.update.microsoft.com, which gets blocked. Even then, it never tries any
> other sources, even though I have them all checked (see below). I’m
> attaching the WindowsUpdate.log from one of these machines. You can see
> there are errors when I tries to update. There is a successful update near
> the end, this is when we disconnected it from the PCI network and connected
> to a regular port.
>
>
>
> Any advice appreciated!
>
>
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this mail in error please notify the originator of the
> message. This footer also confirms that this email message has been scanned
> for the presence of computer viruses.
>
> Any views expressed in this message are those of the individual sender,
> except where the sender specifies and with authority, states them to be the
> views of the CBH Group.
>
>

Re: [mssms] HP BIOS automation

[Adam Juelich]

Usually the recommendation is to do the BIOS Config Setup in WinPE and then
after the 'Client Install & Restart' have the BIOS Update step go in.  At
the end just throw in a reboot to have it go into effect.  You don't want
the BIOS Update to automatically reboot so you should have a switch there
to disable that.

On Fri, Aug 25, 2017 at 8:39 AM, Jeff Poling <jeffrey.d.pol...@outlook.com>
wrote:

> Further investigation this morning found that the issue may have been an
> issue staging WinPE during the Restart step immediately following the BIOS
> step.
>
>
>
> I am fighting an issue now with a “no bootable image found” message after
> a subsequent restart.  It is really difficult to find information as to the
> exact UEFI settings that are required….
>
>
>
> Thanks,
>
>
>
> Jeff
>
>
>
> Sent from my Windows 10 phone
>
>
>
> *From: *Adam Juelich <acjuel...@gmail.com>
> *Sent: *Friday, August 25, 2017 8:15 AM
> *To: *mssms@lists.myitforum.com
> *Subject: *Re: [mssms] HP BIOS automation
>
>
> What is the exact error message your get when it fails?  Some of those
> BIOS Updates do not play nicely within WinPE and you have to run it within
> the OS-context, after the 'Client Install' portion of the TS.  Are you
> ensuring the BIOS Update is newer than what is on the machine?  Sometimes
> they also want to automatically reboot which can break the TS.
>
>
>
> On Thu, Aug 24, 2017 at 4:05 PM, Jeff Poling <jeffrey.d.pol...@outlook.com
> > wrote:
>
>> I am trying to automate installation of HP bios updates in a task
>> sequence.  I have a package with the BIOS update files and a Run Command
>> Line step that executes hpbiosupdrec64.exe -s -r -lc:\Windows\temp\bios.log
>> in WinPE.  The bios update log shows successful completion with return code
>> 3010.  That return code is listed as success on the run command line step,
>> but the task sequence fails with an unknown error.
>>
>>
>>
>> Has anyone seen this before? Any thoughts on how to fix it?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Jeff
>>
>>
>>
>> Sent from my Windows 10 phone
>>
>>
>>
>>
>
>

Re: [mssms] HP BIOS automation

[Adam Juelich]

What is the exact error message your get when it fails?  Some of those BIOS
Updates do not play nicely within WinPE and you have to run it within the
OS-context, after the 'Client Install' portion of the TS.  Are you ensuring
the BIOS Update is newer than what is on the machine?  Sometimes they also
want to automatically reboot which can break the TS.



On Thu, Aug 24, 2017 at 4:05 PM, Jeff Poling 
wrote:

> I am trying to automate installation of HP bios updates in a task
> sequence.  I have a package with the BIOS update files and a Run Command
> Line step that executes hpbiosupdrec64.exe -s -r -lc:\Windows\temp\bios.log
> in WinPE.  The bios update log shows successful completion with return code
> 3010.  That return code is listed as success on the run command line step,
> but the task sequence fails with an unknown error.
>
>
>
> Has anyone seen this before? Any thoughts on how to fix it?
>
>
>
> Thanks,
>
>
>
> Jeff
>
>
>
> Sent from my Windows 10 phone
>
>
>
>

Re: [mssms] RE: Updating BIOS during imaging.

[Adam Juelich]

Whoops, thought you were talking about BIOS Configurations.

I have the BIOS Updates configured during the latter half of the TS (after
Client Install) so it is technically running within the OS.

On Tue, Aug 22, 2017 at 9:30 PM, Adam Juelich <acjuel...@gmail.com> wrote:

> This is the best blog I found for using the Dell CCTK in WinPE.  Be sure
> to match the right CCTK with the bit-depth of your WinPE OS.  I use 64-bit
> for everything.  CCTK in WinPE, and then the EXE within the OS.
>
> https://4sysops.com/archives/dell-bios-update-with-sccm-
> and-dell-command-configure/
>
> On Tue, Aug 22, 2017 at 11:17 AM, Ed Aldrich <ed.aldr...@1e.com> wrote:
>
>> Are all of your systems Dell, or do you need logic to a) determine HW
>> type; then B) branch to vendor specific tools to perform the work?
>>
>>
>>
>> *[image: Ed]*
>>
>> *Ed Aldrich* *| Technology Enablement Lead*
>>
>> www.1e.com/mms
>>
>> Mobile: (401) 924-2293
>>
>> ed.aldr...@1e.com | www.1e.com
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com] *On Behalf Of *Ortega, Clint
>> *Sent:* Monday, August 21, 2017 5:05 PM
>> *To:* mssms@lists.myitforum.com
>> *Subject:* [mssms] Updating BIOS during imaging.
>>
>>
>>
>> Hello all,
>>
>> I’m trying to figure out how to upgrade my BIOS during imaging.
>> Information online does suggest that it can be done from a task sequence,
>> however I don’t know if this requires it to be from within the Operating
>> System, or if I can do it from a PXE Boot.  I’m trying to accomplish this
>> from a PXE Boot, without much success.  Has anyone tried this successfully?
>>
>>
>>
>>
>>
>> Thanks,
>>
>> *Clint Ortega*
>>
>> Client Device Engineer I
>>
>> CHRISTUS Health
>>
>> Information Management
>>
>> 469-282-0295 <(469)%20282-0295>
>>
>> clint.ort...@christushealth.org
>>
>>
>>
>> *Nothing makes an Engineer more productive, than the “Last Minute”*
>>
>>
>>
>>
>>
>> *CONFIDENTIALITY NOTICE:  Confidential information, such as identifiable
>> patient health information or business information, is subject to
>> protection under state and federal law.  If you are not the intended
>> recipient of this message, you may not disclose, print, copy or disseminate
>> this information.  If you have received this in error, please reply and
>> notify the sender (only) and delete the message.  Unauthorized interception
>> of this e-mail is a violation of federal criminal law. *
>>
>>
>>
>> --
>>
>>
>> Legal Notice: This email is intended only for the person(s) to whom it is
>> addressed. If you are not an intended recipient and have received this
>> message in error, please notify the sender immediately by replying to this
>> email or calling +44(0) 2083269015 <+44%2020%208326%209015> (UK) or +1
>> 866 592 4214 <(866)%20592-4214> (USA). This email and any attachments
>> may be privileged and/or confidential. The unauthorized use, disclosure,
>> copying or printing of any information it contains is strictly prohibited.
>> The opinions expressed in this email are those of the author and do not
>> necessarily represent the views of 1E Ltd. Nothing in this email will
>> operate to bind 1E to any order or other contract.
>>
>>
>

Re: [mssms] RE: Updating BIOS during imaging.

[Adam Juelich]

This is the best blog I found for using the Dell CCTK in WinPE.  Be sure to
match the right CCTK with the bit-depth of your WinPE OS.  I use 64-bit for
everything.  CCTK in WinPE, and then the EXE within the OS.

https://4sysops.com/archives/dell-bios-update-with-sccm-and-dell-command-configure/

On Tue, Aug 22, 2017 at 11:17 AM, Ed Aldrich  wrote:

> Are all of your systems Dell, or do you need logic to a) determine HW
> type; then B) branch to vendor specific tools to perform the work?
>
>
>
> *[image: Ed]*
>
> *Ed Aldrich* *| Technology Enablement Lead*
>
> www.1e.com/mms
>
> Mobile: (401) 924-2293
>
> ed.aldr...@1e.com | www.1e.com
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Ortega, Clint
> *Sent:* Monday, August 21, 2017 5:05 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Updating BIOS during imaging.
>
>
>
> Hello all,
>
> I’m trying to figure out how to upgrade my BIOS during imaging.
> Information online does suggest that it can be done from a task sequence,
> however I don’t know if this requires it to be from within the Operating
> System, or if I can do it from a PXE Boot.  I’m trying to accomplish this
> from a PXE Boot, without much success.  Has anyone tried this successfully?
>
>
>
>
>
> Thanks,
>
> *Clint Ortega*
>
> Client Device Engineer I
>
> CHRISTUS Health
>
> Information Management
>
> 469-282-0295 <(469)%20282-0295>
>
> clint.ort...@christushealth.org
>
>
>
> *Nothing makes an Engineer more productive, than the “Last Minute”*
>
>
>
>
>
> *CONFIDENTIALITY NOTICE:  Confidential information, such as identifiable
> patient health information or business information, is subject to
> protection under state and federal law.  If you are not the intended
> recipient of this message, you may not disclose, print, copy or disseminate
> this information.  If you have received this in error, please reply and
> notify the sender (only) and delete the message.  Unauthorized interception
> of this e-mail is a violation of federal criminal law. *
>
>
>
> --
>
>
> Legal Notice: This email is intended only for the person(s) to whom it is
> addressed. If you are not an intended recipient and have received this
> message in error, please notify the sender immediately by replying to this
> email or calling +44(0) 2083269015 <+44%2020%208326%209015> (UK) or +1
> 866 592 4214 <(866)%20592-4214> (USA). This email and any attachments may
> be privileged and/or confidential. The unauthorized use, disclosure,
> copying or printing of any information it contains is strictly prohibited.
> The opinions expressed in this email are those of the author and do not
> necessarily represent the views of 1E Ltd. Nothing in this email will
> operate to bind 1E to any order or other contract.
>
>

Re: [mssms] Patch Deployment Device Restart Behavior

[Adam Juelich]

You control that with Maintenance Windows.

On Mon, Aug 14, 2017 at 7:40 AM, Matt Gerding 
wrote:

> Hello,
>
>
>
> I was hoping to get some feedback for what people are doing to suppress
> reboots for Windows patch deployments via SCCM. More specifically, if your
> patch deployment is scheduled, specified as “Required” with no device
> restart behavior suppression set, how do you stop a client machine or a
> server from forcefully restarting?
>
>
>
> In our environment we create separate monthly patch deployments for
> clients and servers. We set a system restart suppression for workstations
> when deploying patches to our clients, so user machines never forcefully
> reboot. However, for our server environment, we do not set any suppression
> because we don’t want to manually reboot all of the 100 + servers. I
> schedule the server patch deployments on the weekends, and we rarely have
> issues, but we’ve seen a couple random servers that have downloaded the
> patches but for whatever reason the servers don’t reboot over the weekend.
> When I come in on Monday, I’ll check the status of the servers and find
> that these random servers are still “In Progress”, and then these servers
> will forcefully reboot mid-day.
>
>
>
> In a situation where the server(s) in question are critical system
> servers, and are attempting to reboot mid-day, people obviously freak out.
> Is there a way to override this so I don’t have a server rebooting mid-day?
>
>
>
>
>
> Regards,
>
>
>
> *Matthew Gerding*
>
> Information Technology
>
> Centurion Medical Products
>
> 517.540.1618 <(517)%20540-1618>
>
> www.centurionmp.com
>
> •
>
> *PATIENT CARE WITHOUT COMPROMISE™*
>
>
>
>

Re: [mssms] sccm plain image vs core apps image

[Adam Juelich]

The general consensus is your image should have:


   1. All updates
   2. Visual C++ Redistributables
   3. .NET Updates
   4. Office (if you have that)

Other than that, keep other things out of it.  Most other things change
versions and such so often that it will be a pain to manage.

On Tue, Aug 8, 2017 at 10:42 AM, Kevin Ray  wrote:

> Hi Team,
>
> What are the advantages and dis-advantages with plain image and core apps
> (office 365,antivirus,etc)..Does it really save the time with core
> applications..
>
> Thanks
> Kevin
>
>

Re: [mssms] Migration Question / Software Centre Branding

[Adam Juelich]

Yes, it should ;-)

Does Resultant Client Settings show that the setting applies correctly?

On Thu, Aug 3, 2017 at 10:31 AM, Stuart Watret <stu...@offshore-it.co.uk>
wrote:

> 1610 to 1702.
>
> yes the clients are updated, it’s like sc doesn’t pickup colour changes
> post install - no biggy, just checking if it should.
>
> Stuart Watret
>
> On 3 Aug 2017, at 15:21, Adam Juelich <acjuel...@gmail.com> wrote:
>
> What version of ConfigMgr?  The clients are updated?
>
> On Thu, Aug 3, 2017 at 5:12 AM, Stuart Watret <stu...@offshore-it.co.uk>
> wrote:
>
>> Morning,
>>
>> Moving CM to our new 2016 host.
>> Was going to change the Software Centre colour (Via Application Catalog
>> customisation)
>>
>> What I’m noticing is that unless you reinstall the client as part of the
>> migration the old Software Centre colour is retained.
>> i.e if you just swap the site code, (my original plan) everything works,
>> but no colour change in SC.
>>
>> I appreciate this isn’t the most important thing in the world, I’m just
>> checking my observations are correct and normal.
>>
>> Ta
>>
>> Stuart Watret
>>
>>
>
>
>
>

Re: [mssms] Migration Question / Software Centre Branding

[Adam Juelich]

What version of ConfigMgr?  The clients are updated?

On Thu, Aug 3, 2017 at 5:12 AM, Stuart Watret 
wrote:

> Morning,
>
> Moving CM to our new 2016 host.
> Was going to change the Software Centre colour (Via Application Catalog
> customisation)
>
> What I’m noticing is that unless you reinstall the client as part of the
> migration the old Software Centre colour is retained.
> i.e if you just swap the site code, (my original plan) everything works,
> but no colour change in SC.
>
> I appreciate this isn’t the most important thing in the world, I’m just
> checking my observations are correct and normal.
>
> Ta
>
> Stuart Watret
>
>

[mssms] Windows 10 Remote Control

[Adam Juelich]

Hello Everyone,

Currently on ConfigMgr CB 1610, managing some Windows 10 1703 Clients.  I'm
finding that I cannot use Remote Control on them unless a user is logged
in.  All of the client settings that I've used before are the same in
regards to Remote Control.

Any ideas?

Thanks!

Re: [mssms] RE: Problems imaging a Surface Studio

[Adam Juelich]

Does that version of ConfigMgr even support deploying Windows 10?  I
thought it only supported managing Windows 10 with Software & Updates?

On Thu, Jul 20, 2017 at 8:30 AM, Jerousek, Jeff 
wrote:

> We’ve built one recently without any extra storage drivers.
>
>
>
> I would try a “diskpart; select disk #; clean”, first.
>
>
>
> Thanks,
>
> Jeff Jerousek 
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Mike Murray
> *Sent:* Wednesday, July 19, 2017 5:37 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Problems imaging a Surface Studio
>
>
>
> I’m assuming we need to import that storage driver for it, can anyone
> confirm?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mike Murray
> *Sent:* Wednesday, July 19, 2017 2:16 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Problems imaging a Surface Studio
>
>
>
> We got our first Surface Studio (with a 2TB drive) and have been having
> trouble imaging it (CM2012 R2 SP1, CU4). It’s pretty unresponsive over the
> wire, and then bombs out with this error in the SMSTS.log:
>
>
>
> The execution of the group (Install Operating System) has failed and the
> execution has been aborted. An action failed.
>
> Operation aborted (Error: 80004004; Source: Windows) TSManager
> 7/19/2017 11:38:49 AM 1916 (0x077C)
>
> Failed to run the last action: Run AppSelector. Execution of task sequence
> failed.
>
> The request could not be performed because of an I/O device error. (Error:
> 8007045D; Source: Windows)TSManager 7/19/2017
> 11:38:49 AM 1916 (0x077C)
>
>
>
> This seems to be a disk corruption type error.
>
>
>
> We tried again with standalone media and it blue screened with “stop code
> NTFS_FILE_SYSTEM”.
>
>
>
> Are there any special steps we need to take to image these?
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>
>
>
>
>

Re: [mssms] Query about x86 & x64 bit content deployment

[Adam Juelich]

Are the content locations for these Deployment Types the same, or are they
different for each (x64 and x86).  It sounds like you are using the same
content path for both, encompassing both installer contents.

On Wed, Jul 12, 2017 at 8:41 AM, Thelen, Chris 
wrote:

> Have you verified in the AppEnforce log of what deployment type it is
> running and then what both deployment types have set for the content folder
> and verified that the folder does not have both x86 and x64 content in it?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Haritwal, Dhiraj
> *Sent:* Wednesday, July 12, 2017 9:08 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Query about x86 & x64 bit content deployment
>
>
>
> This is what exactly I have done, Chris but issue is, it’s downloading
> both x86 & x64 content on clients which should not happen. Ideally it
> should download only x64 content to a 64bit OS & x86 content to a 32bit OS.
>
>
>
>
>
> Dhiraj
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Thelen,
> Chris
> *Sent:* 12 July 2017 18:04
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Query about x86 & x64 bit content deployment
>
>
>
> Since you are doing this as an application why not let SCCM handle the OS
> type detection?
>
>
>
> In your one application, create 2 deployment types that point to different
> source folders.  One for x86 and another for x64.  Then set the OS
> requirements for each deployment type to only run on that specific OS bit
> version, x86 deployment type requires an x86 OS and x64 deployment type
> requires a x64 OS.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Haritwal,
> Dhiraj
> *Sent:* Wednesday, July 12, 2017 7:45 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Query about x86 & x64 bit content deployment
>
>
>
> Hi,
>
>
>
> I have to deploy an application which has separate module for x86 & x64. I
> have created two deployment type for both versions along with OS
> requirement. My query is, I want to copy only platform specific content to
> any device.
>
> ie,  only x64 bit version should get copy on a 64bit device & only x86
> should get copy on a 32bit device. Is there any option in SCCM2012 to do
> the same.
>
>
>
> By default it’s copying both x64 & x86 content which takes time & chock
> WAN BW for small remote locations.
>
>
>
> I was using traditional way through a batch file to check OS Type
> (x86/x64), Copy specific content & install.
>
>
>
>
>
> Dhiraj
>
>
> --
>
>
> This email is confidential and intended only for the use of the individual
> or entity named above and may contain information that is privileged. If
> you are not the intended recipient, you are notified that any
> dissemination, distribution or copying of this email is strictly
> prohibited. If you have received this email in error, please notify us
> immediately by return email or telephone and destroy the original message.
> - This mail is sent via Sony Asia Pacific Mail Gateway..
>
>
>
>
>
>
> --
>
>
> This email is confidential and intended only for the use of the individual
> or entity named above and may contain information that is privileged. If
> you are not the intended recipient, you are notified that any
> dissemination, distribution or copying of this email is strictly
> prohibited. If you have received this email in error, please notify us
> immediately by return email or telephone and destroy the original message.
> - This mail is sent via Sony Asia Pacific Mail Gateway..
>
>
>
>

Re: [mssms] HP Elitedesk 800 G3 Drivers

[Adam Juelich]

I don't use MDT but isn't there a separate MDT WinPE Boot image outside of
the standard WinPE from the ADK?

I'm running WinPE 1607 as well.  I've never had to inject NIC drivers into
WinPE as long as I continue to update the ADK.

On Tue, Jul 11, 2017 at 9:58 AM, Matt Gerding <mgerd...@centurionmp.com>
wrote:

> Thanks for the quick response. I don’t get an IP, so I’m sure it’s the NIC
> driver.. I have an MDT Boot image OS Version 10.0.10240.16384, which was
> installed with the ADK ver before Win 10 1607. I know I’m running an old
> version and I intend on upgrading, but up until now, we have had no issues
> with hardware or Windows 10 1607 deployments.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Tuesday, July 11, 2017 9:55 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] HP Elitedesk 800 G3 Drivers
>
>
>
> When you get into WinPE, if you hit F8 do you have an IP Address?  If no,
> then your NIC isn't in your Boot Image.  Which ADK/Boot Image version are
> you using?
>
>
>
> On Tue, Jul 11, 2017 at 8:24 AM, Matt Gerding <mgerd...@centurionmp.com>
> wrote:
>
> Looking for some troubleshooting guidance -
>
>
>
> I’ve set up driver packages for multiple devices in SCCM before (HP, Dell,
> Lenovo) and have run into almost no issues adding the drivers or deploying
> images. However, we recently received new HP hardware (HP EliteDesk 800 G3
> mini desktop), the successor to the 800 G2, which we were using perfectly
> fine. I can’t get an image to deploy to the 800 G3.
>
>
>
> I grabbed the driver pack from the HP site, went through the normal
> process of importing the drivers, adding a package, distributing content to
> my OSD distribution point, added drivers to the TS..etc. I noticed a
> notification when importing the drivers suggesting that some of the drivers
> may not be compatible. I went through the drivercatalog.log file and found
> the following:
>
>
>
> The INF file data is invalid. Cannot initialize driver information.
>
>
>
> \\centurionmp.com\sccm\sourcefiles\OSD\Drivers\Source
> \HPEliteDesk800G3MiniWin10_x64\Network\Intel\IntelI219_
> KKMEB2\21.1_12.15.23.7\src\DRIVERS\iqvw64e.inf does not contain any
> supported hardware information.
>
>
>
> \\centurionmp.com\sccm\sourcefiles\OSD\Drivers\Source
> \HPEliteDesk800G3MiniWin10_x64\Network\Intel\IntelI219_
> KKMEB2\21.1_12.15.23.7\src\DRIVERS\iqvw64e.inf does not contain any
> supported hardware information.
>
>
>
> I thought that maybe I just had a corrupted file. Bad NIC driver. Grabbed
> the drivers a second time, but still no luck. Took the drivers off of the
> DVD that are packaged with the hardware to see if those would work.. still
> no luck. Individually downloaded the NIC driver and tried to inject it into
> the boot image. I still have the same issue.
>
>
>
> When I PXE boot the machine, it acquires an IP and starts loading winPE.
> The process gets to the MDT splash screen, hangs for about 2 minutes and
> then the machine reboots and goes back to the PXE network boot. I’ve tried
> more than one G3 computer, we have secure boot turned off, the drivers are
> x64, we deploy win 10 1607, running SCCM current branch.
>
>
>
> Any thoughts? Suggestions? As always, thanks in advance for your help and
> insight.
>
>
>
>
>
> Regards,
>
>
>
> *Matthew Gerding*
>
> Information Technology
>
> Centurion Medical Products
>
> 517.540.1618 <(517)%20540-1618>
>
> www.centurionmp.com
>
> •
>
> *PATIENT CARE WITHOUT COMPROMISE™*
>
>
>
>
>
>
>
>
>
>

Re: [mssms] HP Elitedesk 800 G3 Drivers

[Adam Juelich]

When you get into WinPE, if you hit F8 do you have an IP Address?  If no,
then your NIC isn't in your Boot Image.  Which ADK/Boot Image version are
you using?

On Tue, Jul 11, 2017 at 8:24 AM, Matt Gerding 
wrote:

> Looking for some troubleshooting guidance -
>
>
>
> I’ve set up driver packages for multiple devices in SCCM before (HP, Dell,
> Lenovo) and have run into almost no issues adding the drivers or deploying
> images. However, we recently received new HP hardware (HP EliteDesk 800 G3
> mini desktop), the successor to the 800 G2, which we were using perfectly
> fine. I can’t get an image to deploy to the 800 G3.
>
>
>
> I grabbed the driver pack from the HP site, went through the normal
> process of importing the drivers, adding a package, distributing content to
> my OSD distribution point, added drivers to the TS..etc. I noticed a
> notification when importing the drivers suggesting that some of the drivers
> may not be compatible. I went through the drivercatalog.log file and found
> the following:
>
>
>
> The INF file data is invalid. Cannot initialize driver information.
>
>
>
> \\centurionmp.com\sccm\sourcefiles\OSD\Drivers\Source
> \HPEliteDesk800G3MiniWin10_x64\Network\Intel\IntelI219_
> KKMEB2\21.1_12.15.23.7\src\DRIVERS\iqvw64e.inf does not contain any
> supported hardware information.
>
>
>
> \\centurionmp.com\sccm\sourcefiles\OSD\Drivers\Source
> \HPEliteDesk800G3MiniWin10_x64\Network\Intel\IntelI219_
> KKMEB2\21.1_12.15.23.7\src\DRIVERS\iqvw64e.inf does not contain any
> supported hardware information.
>
>
>
> I thought that maybe I just had a corrupted file. Bad NIC driver. Grabbed
> the drivers a second time, but still no luck. Took the drivers off of the
> DVD that are packaged with the hardware to see if those would work.. still
> no luck. Individually downloaded the NIC driver and tried to inject it into
> the boot image. I still have the same issue.
>
>
>
> When I PXE boot the machine, it acquires an IP and starts loading winPE.
> The process gets to the MDT splash screen, hangs for about 2 minutes and
> then the machine reboots and goes back to the PXE network boot. I’ve tried
> more than one G3 computer, we have secure boot turned off, the drivers are
> x64, we deploy win 10 1607, running SCCM current branch.
>
>
>
> Any thoughts? Suggestions? As always, thanks in advance for your help and
> insight.
>
>
>
>
>
> Regards,
>
>
>
> *Matthew Gerding*
>
> Information Technology
>
> Centurion Medical Products
>
> 517.540.1618 <(517)%20540-1618>
>
> www.centurionmp.com
>
> •
>
> *PATIENT CARE WITHOUT COMPROMISE™*
>
>
>
>

Re: [mssms] HP Elitedesk 800 G3 Drivers

[Adam Juelich]

When you get into WinPE, if you hit F8 do you have an IP Address?  If no,
then your NIC isn't in your Boot Image.  Which ADK/Boot Image version are
you using?

On Tue, Jul 11, 2017 at 8:24 AM, Matt Gerding 
wrote:

> Looking for some troubleshooting guidance -
>
>
>
> I’ve set up driver packages for multiple devices in SCCM before (HP, Dell,
> Lenovo) and have run into almost no issues adding the drivers or deploying
> images. However, we recently received new HP hardware (HP EliteDesk 800 G3
> mini desktop), the successor to the 800 G2, which we were using perfectly
> fine. I can’t get an image to deploy to the 800 G3.
>
>
>
> I grabbed the driver pack from the HP site, went through the normal
> process of importing the drivers, adding a package, distributing content to
> my OSD distribution point, added drivers to the TS..etc. I noticed a
> notification when importing the drivers suggesting that some of the drivers
> may not be compatible. I went through the drivercatalog.log file and found
> the following:
>
>
>
> The INF file data is invalid. Cannot initialize driver information.
>
>
>
> \\centurionmp.com\sccm\sourcefiles\OSD\Drivers\Source
> \HPEliteDesk800G3MiniWin10_x64\Network\Intel\IntelI219_
> KKMEB2\21.1_12.15.23.7\src\DRIVERS\iqvw64e.inf does not contain any
> supported hardware information.
>
>
>
> \\centurionmp.com\sccm\sourcefiles\OSD\Drivers\Source
> \HPEliteDesk800G3MiniWin10_x64\Network\Intel\IntelI219_
> KKMEB2\21.1_12.15.23.7\src\DRIVERS\iqvw64e.inf does not contain any
> supported hardware information.
>
>
>
> I thought that maybe I just had a corrupted file. Bad NIC driver. Grabbed
> the drivers a second time, but still no luck. Took the drivers off of the
> DVD that are packaged with the hardware to see if those would work.. still
> no luck. Individually downloaded the NIC driver and tried to inject it into
> the boot image. I still have the same issue.
>
>
>
> When I PXE boot the machine, it acquires an IP and starts loading winPE.
> The process gets to the MDT splash screen, hangs for about 2 minutes and
> then the machine reboots and goes back to the PXE network boot. I’ve tried
> more than one G3 computer, we have secure boot turned off, the drivers are
> x64, we deploy win 10 1607, running SCCM current branch.
>
>
>
> Any thoughts? Suggestions? As always, thanks in advance for your help and
> insight.
>
>
>
>
>
> Regards,
>
>
>
> *Matthew Gerding*
>
> Information Technology
>
> Centurion Medical Products
>
> 517.540.1618 <(517)%20540-1618>
>
> www.centurionmp.com
>
> •
>
> *PATIENT CARE WITHOUT COMPROMISE™*
>
>
>
>

[mssms] Multiple 'Windows Boot Manager' Entries

[Adam Juelich]

Hello Everyone,

I'm currently doing my first UEFI and Windows 10 deployments.  I was
testing a few different Task Sequence structures on a test machine and
after each imaging/TS process I see an additional 'Windows Boot Manager'
entry.

Is there something I'm missing?  It's a pretty simple and straight-forward
Task Sequence.  I install the Dell HAPI Driver, Configure BIOS, apply BIOS
Password, then Format/Partition Disk 0 and then it moves on from there with
rather standard tasks.

I've seen some others have this with a few other Dell models and apparently
Dell was working on the issue as it doesn't seem to happen on all machines,
just certain models.

I found a PowerShell script but I currently couldn't get it to give me the
results I was expecting.  Before I put more time into that I thought I'd
ask the community.

These are Dell Precision Tower 3620's.

Thanks!

Re: [mssms] Software updates - possible to increase default maximum run time?

[Adam Juelich]

Sorry, missed your qualifier.

I don't know of a way but it would be nice to have a global mechanism based
on classification.

On Thu, Jun 15, 2017 at 3:00 PM, Mike Murray <mmur...@csuchico.edu> wrote:

> I know, I’m looking for a way to not have to do this every month.
>
>
>
> “Since MS has moved to the cumulative update model, we’re seeing timeout
> failures. I have to go in each month and increase the maximum run time
> from 10 minutes in order to get them to install. Is there some way for
> either MS to increase this or for me to change my default maximum run time?”
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Thursday, June 15, 2017 12:46 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Software updates - possible to increase default
> maximum run time?
>
>
>
> Yes.  If you go to properties on the specific update, you can modify the
> Maximum Runtime:
>
>
>
> [image: Inline image 1]
>
>
>
> On Thu, Jun 15, 2017 at 1:40 PM, Mike Murray <mmur...@csuchico.edu> wrote:
>
> Since MS has moved to the cumulative update model, we’re seeing timeout
> failures. I have to go in each month and increase the maximum run time from
> 10 minutes in order to get them to install. Is there some way for either MS
> to increase this or for me to change my default maximum run time?
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>
>
>
>
>
>
>

Re: [mssms] Software updates - possible to increase default maximum run time?

[Adam Juelich]

Yes.  If you go to properties on the specific update, you can modify the
Maximum Runtime:

[image: Inline image 1]

On Thu, Jun 15, 2017 at 1:40 PM, Mike Murray  wrote:

> Since MS has moved to the cumulative update model, we’re seeing timeout
> failures. I have to go in each month and increase the maximum run time from
> 10 minutes in order to get them to install. Is there some way for either MS
> to increase this or for me to change my default maximum run time?
>
>
>
>
>
> Best Regards,
>
>
>
> Mike Murray
>
> Desktop Engineer/IT Consultant - IT Support Services
>
> California State University, Chico
>
> 530.898.4357 <(530)%20898-4357>
> mmur...@csuchico.edu
>
>
>
> Remember, Chico State will NEVER ask you for your password via email!
>
> For more information about recognizing phishing scam emails go to:
> http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml
>
>
>
>

Re: [mssms] RE: Auto reboots of servers during patching

[Adam Juelich]

Aren't the 'countdown settings' only in effect if someone is logged in,
otherwise it reboots right away?

Size your Maintenance Windows appropriately and specify for
Installs/Restarts to ONLY happen during MWs.

On Wed, Jun 14, 2017 at 6:12 PM, Magnus Tveten 
wrote:

> “But isn’t that reboot based on client settings, like for desktops?  Or
> does the maintenance window override that?”
>
> Do you mean the Countdown setting ?
>
> If so then yes this setting does apply to it as well, but just ensure that
> you have Client settings deployed to servers that have settings that are
> tailored to server J and a different one for workstations.
>
>
>
>
> --
>
> *Magnus Tveten*
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Heaton, Joseph@Wildlife
> *Sent:* Thursday, 15 June 2017 7:28 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Auto reboots of servers during patching
>
>
>
> But isn’t that reboot based on client settings, like for desktops?  Or
> does the maintenance window override that?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Mote, Todd
> *Sent:* Wednesday, June 14, 2017 11:47 AM
> *To:* 'mssms@lists.myitforum.com' 
> *Subject:* [mssms] RE: Auto reboots of servers during patching
>
>
>
> Nothing to add to anything.  If the server has a maintenance window and an
> updates deployment advertised to it (and is correctly configured to allow
> the reboot during MWs) then when it’s done installing updates it will just
> reboot.  I patch 500 servers this way every month.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Heaton,
> Joseph@Wildlife
> *Sent:* Wednesday, June 14, 2017 12:43 PM
> *To:* 'mssms@lists.myitforum.com' 
> *Subject:* [mssms] Auto reboots of servers during patching
>
>
>
> How do you handle this?  In past questions, I’ve related that currently I
> manually reboot all of my 200+ servers.  We’re revamping how we’re doing
> the server patching, with a couple of maintenance windows, and auto
> reboots.  However, I’m not sure the “best” method of doing the reboot.  Do
> I just change the client settings to reboot in a couple of minutes, or do I
> add a shutdown –r to the package, or some other method?
>
>
>
> Thanks,
>
>
>
> Joe Heaton
>
> Information Technology Operations Branch
>
> Data and Technology Division
>
> CA Department of Fish and Wildlife
>
> 1700 9th Street, 3rd Floor
>
> Sacramento, CA  95811
>
> Desk:  (916) 323-1284
>
>
>
> Every Californian should conserve water.  Find out how at:
>
> [image: SaveOurWater_Logo] 
>
> SaveOurWater.com  · Drought.CA.gov
> 
>
>
>
>
>
>
>
> _
>
> The information transmitted in this message and its attachments (if any)
> is intended
> only for the person or entity to which it is addressed.
> The message may contain confidential and/or privileged material. Any
> review,
> retransmission, dissemination or other use of, or taking of any action in
> reliance
> upon this information, by persons or entities other than the intended
> recipient is
> prohibited.
>
> If you have received this in error, please contact the sender and delete
> this e-mail
> and associated material from any computer.
>
> The intended recipient of this e-mail may only use, reproduce, disclose or
> distribute
> the information contained in this e-mail and any attached files, with the
> permission
> of the sender.
>
> This message has been scanned for viruses.
> _
>
>

Re: [mssms] Pre-Deploy to UDA Relationship

[Adam Juelich]

The Application has a dependency for '.NET 4.6.2' but I have the
requirements for that to be Windows 7 and Windows 8.1.  This deployment is
to Windows 10 so the dependency isn't fulfilled but I still get
'Requirements not met.'  Wouldn't it bypass the Dependency if it doesn't
fulfill the requirements for the targeted device?

On Fri, Jun 2, 2017 at 8:45 AM, Adam Juelich <acjuel...@gmail.com> wrote:

> Hello Everyone,
>
> I have an Application with 'Primary Device equals True' as a requirement.
> I have a User collection with the proper user who has his Primary Device
> defined.  I deployed to this Collection stating 'Pre-Deploy to User's
> Device' and I'm not seeing it install or in Software Center.  The user has
> never logged into this laptop before but I believe this process has worked
> for me in the past with these settings defined.
>
> Is there anything I'm missing?
>
> Thanks!
>
>

[mssms] Pre-Deploy to UDA Relationship

[Adam Juelich]

Hello Everyone,

I have an Application with 'Primary Device equals True' as a requirement.
I have a User collection with the proper user who has his Primary Device
defined.  I deployed to this Collection stating 'Pre-Deploy to User's
Device' and I'm not seeing it install or in Software Center.  The user has
never logged into this laptop before but I believe this process has worked
for me in the past with these settings defined.

Is there anything I'm missing?

Thanks!

Re: [mssms] Anyone have experience with Java Deployment Rulesets or point me that way?

[Adam Juelich]

How are you deploying them?  Really, from an Enterprise stand-point, Oracle
only supports their Java Enterprise Suite which includes the supported MSI
with relevant switches, management console, and ruleset  and version
management and deployment.

Other than that, you're stuck extracting your own MSI and testing switches
and leveraging user-based GP Prefs for ruleset type stuff.

On Wed, May 31, 2017 at 7:52 AM, Burke, John 
wrote:

> We have deployed a ruleset and it’s working pretty well, but I can’t
> really find other companies or orgs that are using them.
>
> I’ve tried to get some help from oracle but  it seems very difficult to
> get support there .
>
>
>
> I’ve written rules based on url’s and they work great in many cases but
> there are a few that simply never work no matter what I do.
>
>
>
>
>
>
>
>
>
>

Re: [mssms] Win 10 upgrading without installed apps

[Adam Juelich]

Do you want your users going to Microsoft Update?

On Fri, May 26, 2017 at 11:17 AM, Mote, Todd 
wrote:

> So I have Windows 10 Enterprise 1607 that I deployed without built-in
> Store apps, like Candy Crush.  I have one user who contacted Microsoft
> Update and upgrade Windows and Candy Crush returned.  I had thought this
> was resolved in 1607?  Or am I remembering wrong?  What's the best way to
> upgrade these to 1703 and keep Candy Crush and others off?
>
>
> Todd
>
>

Re: [mssms] Machine name change after the image - any issue ?

[Adam Juelich]

If you are, indeed, logging in and renaming the machine and rebooting then
that is not expected behavior.  Are you doing it while wired?  I know doing
it on wireless can give weird behaviors occasionally.

On Tue, May 23, 2017 at 9:33 AM, Kevin Ray  wrote:

> im not removing the from AD before rename.. but still apearing old and new
> machine records in AD
>
> On Tue, May 23, 2017 at 10:03 AM, Ron DeLorenzo 
> wrote:
>
>> Are you removing from the domain, before you rename?  This will leave the
>> old name in AD.  Do not remove from the domain, simply rename the PC and
>> restart.
>>
>> Ron
>>
>> Sent from my Verizon, Samsung Galaxy smartphone
>>
>>  Original message 
>> From: Kevin Ray 
>> Date: 5/23/17 9:36 AM (GMT-05:00)
>> To: mssms 
>> Subject: Re: [mssms] Machine name change after the image - any issue ?
>>
>> Thanks Sebastien, i'm expected the same. However it seems to be creating
>> new record on AD. .So i'm not sure..Is it it something wrong on my AD, i
>> need to check..I will wait for some more guys to respond
>>
>> 2017-05-23 9:30 GMT-04:00 Chobeaux, Sebastien 
>> :
>>
>>> In those cases we don’t do anything specific, we just rename the
>>> computer from Windows and reboot, the object in AD gets renamed, in SCCM it
>>> will take more time (depending on the next DDR I believe?) but it will be
>>> renamed eventually, and since it’s the same guid there won’t be any
>>> leftover to clean.
>>>
>>> Hope it helps, please correct me if I’m wrong.
>>>
>>> thanks
>>>
>>>
>>>
>>> *--*
>>>
>>> *Sébastien Chobeaux*
>>>
>>>
>>>
>>> *De :* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>> orum.com] *De la part de* Kevin Ray
>>> *Envoyé :* lundi 22 mai 2017 11:20
>>> *À :* mssms 
>>> *Objet :* [mssms] Machine name change after the image - any issue ?
>>>
>>>
>>>
>>> Hi All,
>>>
>>>
>>>
>>> we have some small image lab where we build the Machines with bulk
>>> machine at a time with ramdom machine names
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> When we got the request for any machine, We will rename the machine and
>>> send to them.(since we dont the machine name till last mint)
>>>
>>>
>>>
>>>
>>>
>>> I guess something we are doing wrong . What are things i need to do a
>>> cleanup activity in AD
>>>
>>>
>>>
>>> so my questions are :
>>>
>>>
>>>
>>> Is any issue with SCCM client ?
>>>
>>> Any cleanup i need to do on Domain (deleting old record,etc)
>>>
>>> Any cleanup i need to do on SCCM ?
>>>
>>>
>>>
>>>
>>>
>>> any best practices
>>>
>>>
>>>
>>> --
>>>
>>> AVIS IMPORTANT:
>>> Les renseignements contenus ou joints à ce courriel sont pour l'usage
>>> exclusif du destinataire ou de l'institution à qui ce courriel s'adresse et
>>> peuvent contenir des renseignements privilégiés, confidentiels et exempts
>>> de divulgation conformément à la Loi sur l'accès à l'information municipale
>>> et la protection de la vie privée.
>>> Dans l'éventualité que le récepteur du présent courriel n'est pas le
>>> destinataire concerné ou la personne autorisée à acheminer le message au
>>> destinataire concerné, vous êtes, par la présente, avisé(e), que toute
>>> divulgation, diffusion, distribution ou reproduction de la présente
>>> communication est strictement interdite.
>>> Si vous recevez ce message par erreur, veuillez immédiatement en
>>> informer l'expéditeur ou l'expéditrice par courriel et détruire celui-ci
>>> ainsi que toutes les pièces jointes qu'il comporte.
>>> Merci de votre collaboration.
>>>
>>>
>>
>>
>>
>
>

Re: [mssms] RE: SCCM 1606 Updates Sync Interval with Microsoft

[Adam Juelich]

3 times per day.

On Tue, May 23, 2017 at 8:02 AM, Kent, Mark  wrote:

> Once per day.
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Daniel Ratliff
> *Sent:* Tuesday, May 23, 2017 8:48 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: SCCM 1606 Updates Sync Interval with Microsoft
>
>
>
> Once a day, no change after WannaCry.
>
>
>
> *Daniel Ratliff*
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Trond
> Karstensen
> *Sent:* Tuesday, May 23, 2017 7:02 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: SCCM 1606 Updates Sync Interval with Microsoft
>
>
>
> Every 6 hours (for defender/endpoint signatures)
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *
> henry.wil...@sanofi.com
> *Sent:* tirsdag 23. mai 2017 12.46
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] SCCM 1606 Updates Sync Interval with Microsoft
>
>
>
> Hello All
>
> Just taking a quick poll here:
>
>
>
> How often do you Sync your SCCM environment with Microsoft for Catalog
> Updates?
>
>
>
> Has this changed since the WannaCry outbreak?
>
>
>
> Thanks for your answers.
>
>
>
>
>
>
>
>
> The information transmitted is intended only for the person or entity to
> which it is addressed
> and may contain CONFIDENTIAL material. If you receive this
> material/information in error,
> please contact the sender and delete or destroy the material/information.
>
>
>
>

Re: [mssms] RE: Managing Server 2016

[Adam Juelich]

Are you disabling Windows Updates via GPO on your Servers?  Many do it on
Clients but often overlook Servers

On Thu, May 11, 2017 at 10:21 AM, Mote, Todd 
wrote:

> Sure it’s not going out to MS via GPO or something?  I’ve got several
> 2016’s in our 1606 and they’re working as expected.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Heaton, Joseph@Wildlife
> *Sent:* Thursday, May 11, 2017 10:02 AM
> *To:* 'mssms@lists.myitforum.com' 
> *Subject:* [mssms] Managing Server 2016
>
>
>
> I’m running CM 1610 at the moment, planning the upgrade to 1702.
>
>
>
> We are starting to build a few test servers using Server 2016.  I have the
> SCCM client installed, Defender is managed, etc  However, I have a couple
> of these 2016 boxes, that when I log in, I get the notification “You need
> some updates.  Select this message to install.”When I go look at what
> updates are there, it’s the May updates.  I haven’t deployed the May
> updates to any of my servers.  Am I missing something with Server 2016?
> Have I forgotten some setting in CM?
>
>
>
>
>
> Joe Heaton
>
> Information Technology Operations Branch
>
> Data and Technology Division
>
> CA Department of Fish and Wildlife
>
> 1700 9th Street, 3rd Floor
>
> Sacramento, CA  95811
>
> Desk:  (916) 323-1284
>
>
>
> Every Californian should conserve water.  Find out how at:
>
> [image: SaveOurWater_Logo] 
>
> SaveOurWater.com  · Drought.CA.gov
> 
>
>
>
>

Re: [mssms] System Center Endpoint Protection

[Adam Juelich]

This is what I have:

[image: Inline image 1]

What is your Sync Schedule for your ADR, and what is the Sync Schedule for
your SUP?



On Tue, May 2, 2017 at 1:41 PM, Kevin Ray <kevinalive...@gmail.com> wrote:

> While creating the ADR choosen  below products .Any thing wrong ?
>
> Forefront Endpoint Protection 2010
> Windows Defender
>
> On Tue, May 2, 2017 at 2:14 PM, Kevin Ray <kevinalive...@gmail.com> wrote:
>
>> Yes I have setuped ADR
>>
>> On Tue, May 2, 2017 at 2:03 PM, Adam Juelich <acjuel...@gmail.com> wrote:
>>
>>> Anti-malware Policy is separate from Update Deployments.
>>>
>>> Do you have an ADR set for Updates?
>>>
>>> On Tue, May 2, 2017 at 12:33 PM, Kevin Ray <kevinalive...@gmail.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> Any Idea Why its showing as 8 days past. Even though its applied the
>>>> policy today
>>>>
>>>> [image: Inline image 1]
>>>>
>>>> On Wed, Apr 26, 2017 at 10:42 PM, Adam Juelich <acjuel...@gmail.com>
>>>> wrote:
>>>>
>>>>> Nothing is necessary in GPO, although there are templates for managing
>>>>> SCEP/Defender but it's unnecessary since the ConfigMgr Client handles that
>>>>> with Client and Antimalware Policy.  Make sure you are choosing 'Windows
>>>>> Defender' as well for your Product Classification for your ADR.
>>>>>
>>>>> In terms of your 'Required' issue, I had the same thing on some
>>>>> items.  Haven't looked into it much more but I removed the 'Require>=0'
>>>>> from my ADR.
>>>>>
>>>>> On Wed, Apr 26, 2017 at 3:58 PM, Kevin Ray <kevinalive...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Thanks Jimmy for responses, few questions below
>>>>>>
>>>>>>
>>>>>>
>>>>>>- its fresh installation of SCEP..no previous AV..
>>>>>>- Yes , Its all Windows 10 Machines... so as you said... it is
>>>>>>showing only defender  Do I need to configure any other extra
>>>>>>in GPO (to Route only SCCM server not internet etc) ?
>>>>>>- Yes i created test ADR showing as below ...not showing any
>>>>>>required... is it expecting behavior.. I have 20 machines as i am 
>>>>>> testing
>>>>>>
>>>>>>
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 26, 2017 at 11:47 AM, Jimmy Martin <
>>>>>> jimmy.mar...@bmhcc.org> wrote:
>>>>>>
>>>>>>> Inline responses
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Jimmy Martin
>>>>>>> (901) 227-8209
>>>>>>>
>>>>>>> *From:* listsad...@lists.myitforum.com [mailto:
>>>>>>> listsad...@lists.myitforum.com] *On Behalf Of *Kevin Ray
>>>>>>> *Sent:* Wednesday, April 26, 2017 10:36 AM
>>>>>>> *To:* mssms <mssms@lists.myitforum.com>
>>>>>>> *Subject:* [mssms] System Center Endpoint Protection
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I'm new to SCEP. I have did following things
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I have  SCCM environment with SCCM 1610
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -- Enables SCEP role
>>>>>>>
>>>>>>> -- Added Difination updates clasification on SUP Components
>>>>>>>
>>>>>>> -- On Client Agents setting enables SCEP
>>>>>>>
>>>>>>> -- Created Antimalware Policy called . "SCEP_Test"
>>>>>>>
>>>>>>> -- Synchronized and shown some updates related to SCEP but all
>>>>>>> updates showing 0 required
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> My question is about SCEP client.. Do i need to deploy SCEP agent. I
>>>>>>> hope its automatically will get enabled when i enabled client agents. 
>>>>>>> but
>>>>>>> i'm not sure ...
>>>>>>>
>>>>>>> ***if you enable, it will be installed.  If your previous av product
>>>>>>> had an uninstall password or used tamper protection, you need to change 
>>>>>>> the
>>>>>>> previous av product policy to remove pw and disable tamper for the scep
>>>>>>> install to smoothly uninstall the former av
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Also on client side Windows DEfender only showing.. Not the SCEP
>>>>>>> agent... So is their any change ? How to make sure SCEP client agent is
>>>>>>> installed my clients ?
>>>>>>>
>>>>>>> ***depends on OS, win7, scep agent is installed.  Win10, scep agent
>>>>>>> is not installed, defender is maintained.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Also on Windows Defender, When i go Help its showing my Antimalware
>>>>>>> policy " SCEP_Test" it means is it working ?  means it is
>>>>>>> getting the policy you assigned
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> You will need to setup ADR (auto deployment rule) for AV defs,
>>>>>>> google it…
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This message and any files transmitted with it may contain legally
>>>>>>> privileged, confidential, or proprietary information. If you are not the
>>>>>>> intended recipient of this message, you are not permitted to use, copy, 
>>>>>>> or
>>>>>>> forward it, in whole or in part without the express consent of the 
>>>>>>> sender.
>>>>>>> Please notify the sender of the error by reply email, disregard the
>>>>>>> foregoing messages, and delete it immediately.
>>>>>>>
>>>>>>>
>>>>>>> P *Please consider the environment before printing this email...*
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

[mssms] CU's for 1607 not showing

[Adam Juelich]

Hi Everyone,

For whatever reason I am not seeing any CU's for Windows 10 1607 in
WSUS/SUP.  I see them for 1507, 1511, and 1703, but not 1607 which is what
the majority of our Windows 10 machines are on.

Any ideas?

ConfigMgr 1610

Thanks!

Re: [External] [mssms] RE: Driver management - opinions?

[Adam Juelich]

It seems silly that, after all these years, we're still dealing with
bundles of INF's and stuff like that.  Can't they all just move to an MSI
format or something?  I wish some focus was put on stuff like this instead
of more trivial things.

On Wed, Apr 19, 2017 at 12:41 PM, Marable, Mike 
wrote:

> In theory that sounds good, in actual practice not so much.
>
>
>
> We have a small group using a standalone MDT build for some special case
> machines.  They rely on Microsoft Update for their drivers and it is
> painfully slow downloading them from Microsoft’s servers.  So dynamically
> trying to pull drivers down from Dell, HP or Lenovo’s sites would most
> likely be an exercise in frustration.
>
>
>
> Mike
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Jerousek, Jeff
> *Sent:* Wednesday, April 19, 2017 1:30 PM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [External] [mssms] RE: Driver management - opinions?
>
>
>
> So you still need the packages on all of the remote DPs?
>
>
>
> It would be cool if you could just have it download the drivers directly
> from the vendor’s website.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Marable,
> Mike
> *Sent:* Wednesday, April 19, 2017 10:38 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [External] [mssms] RE: Driver management - opinions?
>
>
>
> Actually, it works fairly well for non-conforming models.  That’s exactly
> the situation we are in.  The hospital I work for has a very controlled
> process for acquiring hardware.  All the models are known, limited and
> configured identically.  We’re absorbing the medical school where they have
> been allowed to purchase freely what-ever they please.
>
>
>
> What I’ve done is to create packages of drivers for known models just like
> the article says.  For the “dummy” package I use a package that contains
> just those network and MSD drivers that I need to get WinPE (v 10) to
> function (to be able to access the network and the hard drive).  If a
> driver package specific for that model cannot be found, it falls back on
> the same set of drivers that allowed WinPE to function.  That generally
> gets any non-conformist machine through the build.  The tech building the
> machine may have to download and manually add drivers for video and other
> components post-build.  We have a process for them to provide feedback so
> that I can continue to create model specific packages of drivers when
> needed.
>
>
>
> Mike
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Miller,
> Todd
> *Sent:* Wednesday, April 19, 2017 10:54 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [External] [mssms] RE: Driver management - opinions?
>
>
>
> Is it unclear to me what you do about non-conforming computer models in
> this method.  With no drivers loaded into Configmgr directly, there is no
> “chaos theory” for *unsupported* models to fall back to.
>
> This seems like it would work perfectly for a perfectly managed
> organization, but my reality is a bit more dystopian.  We have 20,000
> computers and 90% of them fall into less than 20 models but the remaining
> 2000 computers cover over 200 more models.  And that is after trying very
> hard  and being very resistant to folks purchasing non-conforming models.
> I see you are also at an EDU – so I imagine your make/model list has
> similarly long tail.
>
>
>
> How could this method be enhanced to support the unsupported?
>
>
>
>
>
> BIOS updating is mentioned in the comments of that blog post and that
> seems pretty intriguing.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Murray,
> Mike
> *Sent:* Tuesday, April 18, 2017 4:59 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [External] [mssms] RE: Driver management - opinions?
>
>
>
> Biggety Bump
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Murray,
> Mike
> *Sent:* Monday, April 17, 2017 4:22 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Driver management - opinions?
>
>
>
> We’re thinking of testing the tool linked below. Anyone have experience
> with it? Are there any other tools you prefer that can accomplish similar?
>
>
>
> http://www.scconfigmgr.com/2017/03/29/modern-driver-
> management-using-web-services-during-osd-with-configmgr/
> 

[mssms] Driver Import Issues

[Adam Juelich]

Hi Everyone,

Firstly, the driver catalog I inherited is a complete mess and this
environment didn't believe in 'refresh cycles' so I am inundated with
models.

I am currently looking to update a few packages for a few models until I
have some down time this Summer to blow away the whole catalog and start
over.  The issue I am running into is that the wizard detects all of the
drivers to import, I assign the category, and create the new package but
when I go to the package location nothing is there.  This is only happening
on one model.  I tried using the 'Driver Pack' as well as downloading each
item separately but the same thing happens.

Also, has anyone had issues importing via a DFS UNC Path?  For whatever
reason I kept receiving a '.NET StringLength' error and I, instead, had to
utilize the direct UNC path and bypass the DFS Namespace.

Any ideas?

Thanks!

Re: [mssms] RE: Opinions Local Admin

[Adam Juelich]

Yep.  LAPS is the only recommended solution from MSFT, outside some special
third-party tool.  With the new ADMX Templates I don't even think you can
set a Local Admin Password, at least not without getting a warning.  LAPS
was created because of a security flaw identified with that older method.

On Wed, Apr 12, 2017 at 11:42 AM, Chris Barnes <
chris.bar...@coretekservices.com> wrote:

> Not sure I am understanding you fully on this, but the point of LAPS is
> that you don’t have 1 password, as once that password is compromised, and
> it will be, it can be used on every other machine on your network.
>
>
>
> If a machine running LAPS has its local admin password compromised, it is
> useless on the network, as its unique and random.
>
>
>
>
>
> *Chris Barnes*
>
> *MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure*
>
> *Coretek Services | Microsoft Delivery Manager *
>
> ( 248.767.4415 <(248)%20767-4415> cell
>
> * chris.bar...@coretekservices.com
>
> :   http://www.coretekservices.com
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Burke, John
> *Sent:* Wednesday, April 12, 2017 12:12 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Opinions Local Admin
>
>
>
> So it would seem everyone agrees that it should be done. I was even
> questioning that. It seems pretty easy to change it regularly via  SCCM or
> GPO and have 1 password.
>
>
>
> I’ll look into that solution for sure though.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Chris
> Barnes
> *Sent:* April-11-17 6:18 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Opinions Local Admin
>
>
>
> Totally agree on LAPS.
>
>
>
> Probably the best ROI on effort for anything security related. Very easy
> to rollout.
>
>
>
> This is probably the best guide I have seen on rolling it out.
>
>
>
> https://flamingkeys.com/deploying-the-local-administrator-password-
> solution-part-1/
> 
>
>
>
> 2nd Place would be Credential Guard.
>
>
>
>
>
> *Chris Barnes*
>
> *MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure*
>
> *Coretek Services | Microsoft Delivery Manager *
>
> ( 248.767.4415 <(248)%20767-4415> cell
>
> * chris.bar...@coretekservices.com
>
> :   http://www.coretekservices.com
> 
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Daniel
> Ratliff
> *Sent:* Tuesday, April 11, 2017 2:17 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] RE: Opinions Local Admin
>
>
>
> Use LAPS, no question.
>
>
>
> https://technet.microsoft.com/en-us/mt227395.aspx
> 
>
>
>
> https://www.microsoft.com/en-us/download/details.aspx?id=46899
> 
>
>
>
> *Daniel Ratliff*
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Burke, John
> *Sent:* Tuesday, April 11, 2017 1:37 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Opinions Local Admin
>
>
>
> Hi,
>
>
>
> We are talking about creating unique local admin passwords for our systems
> (vs changing it regularly).  I’m wondering how many folks actually create
> unique local admin passwords vs just changing it regularly?
>
>
>
>
> The information transmitted is intended only for the person or entity to
> which it is addressed
> and may contain CONFIDENTIAL material. If you receive this
> material/information in error,
> please contact the sender and delete or destroy the material/information.
>
>
>
>
>
>
>
>

Re: [mssms] GPO Update Disable Manual MS checks

[Adam Juelich]

>
>
>
> J
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Hyatt,
> Dewayne
> *Sent:* Tuesday, April 11, 2017 10:34 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] GPO Update Disable Manual MS checks
>
>
>
> So since it’s patch Tuesday it looks like I’m going to have to tear down
> all of my Windows 10 servicing in SCCM so that my clients don’t go to MS
> for updates today… what fun. I was hoping that something would be fixed at
> least by 1703 but your comments don’t make me very confident in that. I
> guess we’ll see?
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Jason
> Sandys
> *Sent:* Tuesday, April 11, 2017 11:13 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] GPO Update Disable Manual MS checks
>
>
>
> And of course, it’s changed in 1703 – the “defer” option is gone and now
> there is a “pause” option. No one knows if these are the same, different,
> or something else.
>
>
>
> J
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Hyatt,
> Dewayne
> *Sent:* Tuesday, April 11, 2017 10:01 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] GPO Update Disable Manual MS checks
>
>
>
> I’ll admit that I have been off task for a little while with other
> projects. I didn’t realize this was a daily thing L
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Adam
> Juelich
> *Sent:* Tuesday, April 11, 2017 10:49 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> The fact that we are still having this conversation daily over the past
> few months means that Microsoft is really screwing the pooch here.
>
>
>
>
>
>
>
> On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne <dehy...@ufl.edu> wrote:
>
> Whoops… I had read that blog a while back but apparently not well enough.
>
>
>
> I am confused now though. I am using a GPO to define what branch our
> Windows 10 clients are in for Windows 10 servicing in SCCM. I thought that
> was the correct way to do it. I saw 1607 used different policies but it
> looked like it was doing the same thing. This blog said not to enable those
> policies.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Niall Brady
> *Sent:* Monday, April 10, 2017 3:37 PM
>
>
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> read this
>
> https://blogs.technet.microsoft.com/windowsserver/
> 2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-
> out-to-microsoft-online/
>
> dual scan is the cause
>
>
>
> On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne <dehy...@ufl.edu> wrote:
>
> Sorry to hijack but this is somewhat relevant.
>
>
>
> Since we rolled out 1607 we have noticed machines are automatically
> getting updates from Microsoft update even though we have a GPO defining
> our SUP as the WSUS server. I was looking into blocking Microsoft update
> entirely (not sure that is what I want to do in our environment) and I ran
> across this thread.
>
>
>
> Has anyone else seen behavior like this? We’ve had a few different
> locations report this, then my own workstation did it this morning, at that
> point I started to believe them J.
>
>
>
> Thanks,
>
>
>
> Dewayne
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Thursday, March 30, 2017 8:46 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> Yes, other than the GP setting to 'Disable Automatic Updates,' don't
> configure anything else related to it.
>
>
>
> There is the User-Side GP Setting:
>
> "Remove access to use all Windows Update features"
>
>
>
> That should do the trick.
>
>
>
> On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff <dratl...@humana.com>
> wrote:
>
> Never configure any of your windows update settings with GPO, let SCCM
> handle that via local policy.
>
>
>
> I believe the setting you want is here for Win10:
> https://miketerrill.net/2016/10/11/disable-check-online-
> for-updates-from-microsoft-up

Re: [mssms] GPO Update Disable Manual MS checks

[Adam Juelich]

The fact that we are still having this conversation daily over the past few
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne <dehy...@ufl.edu> wrote:

> Whoops… I had read that blog a while back but apparently not well enough.
>
>
>
> I am confused now though. I am using a GPO to define what branch our
> Windows 10 clients are in for Windows 10 servicing in SCCM. I thought that
> was the correct way to do it. I saw 1607 used different policies but it
> looked like it was doing the same thing. This blog said not to enable those
> policies.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Niall Brady
> *Sent:* Monday, April 10, 2017 3:37 PM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> read this
>
> https://blogs.technet.microsoft.com/windowsserver/
> 2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-
> out-to-microsoft-online/
>
> dual scan is the cause
>
>
>
> On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne <dehy...@ufl.edu> wrote:
>
> Sorry to hijack but this is somewhat relevant.
>
>
>
> Since we rolled out 1607 we have noticed machines are automatically
> getting updates from Microsoft update even though we have a GPO defining
> our SUP as the WSUS server. I was looking into blocking Microsoft update
> entirely (not sure that is what I want to do in our environment) and I ran
> across this thread.
>
>
>
> Has anyone else seen behavior like this? We’ve had a few different
> locations report this, then my own workstation did it this morning, at that
> point I started to believe them J.
>
>
>
> Thanks,
>
>
>
> Dewayne
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Thursday, March 30, 2017 8:46 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> Yes, other than the GP setting to 'Disable Automatic Updates,' don't
> configure anything else related to it.
>
>
>
> There is the User-Side GP Setting:
>
> "Remove access to use all Windows Update features"
>
>
>
> That should do the trick.
>
>
>
> On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff <dratl...@humana.com>
> wrote:
>
> Never configure any of your windows update settings with GPO, let SCCM
> handle that via local policy.
>
>
>
> I believe the setting you want is here for Win10:
> https://miketerrill.net/2016/10/11/disable-check-online-
> for-updates-from-microsoft-update-in-windows-10/
>
>
>
> For Win7, we just disable the ability to check online:
> https://weikingteh.wordpress.com/2012/09/20/how-to-disable-
> the-check-online-for-updates-from-microsoft-update-link-in-
> the-windows-update-icon-in-control-panel/
>
>
>
> *Daniel Ratliff*
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *S ConfigMgr
> *Sent:* Thursday, March 30, 2017 12:12 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] GPO Update Disable Manual MS checks
>
>
>
> Hello all,
>
>
>
> I have deployed SUP and Patching is working as expected.
>
>
>
> However my end users are able to use windows update, How can i block end
> users to stop installing patches from internet, I have windows 10
> Enterprise and Professional Machines as end users.
>
>
>
>
>
> I have tried to deploy a group policy to disable
>
>
>
> Computer Configuration\Administrative Templates\Windows Components\Windows
> Update.
>
> 1.Find and double-click *Configure Automatic Updates*
> [image: 0711 group policy step 3]
> <https://cms-images.idgesg.net/images/article/2016/06/0711-group-policy-step-3-100666831-orig.jpg>
>
>
>
> 2.In the resulting dialog box, select *Enabled.*
>
> 3.In the Options box, pull down the *Configure automatic updating* menu
> and select your preferred option.
> [image: 0711 group policy step 4 and 5]
>
> 4.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ​
>
> Still Updates are able to scan by user with ms site, How  can I achieve
> this ?
>
>
>
>
>
> --
>
> Thanks,
>
> ED
>
>
>
>
> The information transmitted is intended only for the person or entity to
> which it is addressed
> and may contain CONFIDENTIAL material. If you receive this
> material/information in error,
> please contact the sender and delete or destroy the material/information.
>
>
>
>
>
>
>
>
>
>
>
>
>
>

Re: [mssms] Windows 7 Start menu and Task bar customization

[Adam Juelich]

I thought 'CopyProfile' wasn't recommended after XP.

On Wed, Apr 5, 2017 at 1:41 PM, Chobeaux, Sebastien <
schobe...@csdccs.edu.on.ca> wrote:

> If you did all your installations and configs using the built-in profile
> can’t you just set the copy profile to true in your unattended.xml so it
> will copy those stuff to the default profile?
>
>
>
> *--*
>
> *Sébastien Chobeaux*
>
> *.*
>
>
>
>
>
> *De :* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *De la part de* Marable, Mike
> *Envoyé :* mercredi 05 avril 2017 14:27
> *À :* mssms 
> *Objet :* RE: [mssms] Windows 7 Start menu and Task bar customization
>
>
>
> Are you talking specifically deploying your Start Menu and Taskbar layouts
> as part of your Windows 7 OS deployment?
>
>
>
> You will need to script the pinning of items.
>
>
>
> Here is a blog that the DeploymentGuys wrote.  It’s a bit old, but it
> explains it well.
>
> https://blogs.technet.microsoft.com/deploymentguys/
> 2009/04/08/pin-items-to-the-start-menu-or-windows-7-taskbar-via-script/
>
>
>
> -Mike
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Kevin Ray
> *Sent:* Wednesday, April 5, 2017 2:11 PM
> *To:* mssms 
> *Subject:* Re: [mssms] Windows 7 Start menu and Task bar customization
>
>
>
> Looking for Windows 7
>
>
>
> On Wed, Apr 5, 2017 at 1:28 PM, Melin, Cordell (BAC/LAC) <
> cordell.me...@canada.ca> wrote:
>
> https://technet.microsoft.com/itpro/windows/configure/
> customize-and-export-start-layout
>
>
>
> Cordell Melin
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kevin Ray
> *Sent:* April 5, 2017 1:09 PM
> *To:* mssms 
> *Subject:* [mssms] Windows 7 Start menu and Task bar customization
>
>
>
> Hi Team
>
>
>
> For widnows 7 i have reference machine where i have configured all desired
> startmenu and Taskbar pin icons.. Looking for script or any method where i
> can deploy using task sequence in image
>
>
>
>
>
>
>
>
>
> **
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues
>
>
>
> --
>
> AVIS IMPORTANT:
> Les renseignements contenus ou joints à ce courriel sont pour l'usage
> exclusif du destinataire ou de l'institution à qui ce courriel s'adresse et
> peuvent contenir des renseignements privilégiés, confidentiels et exempts
> de divulgation conformément à la Loi sur l'accès à l'information municipale
> et la protection de la vie privée.
> Dans l'éventualité que le récepteur du présent courriel n'est pas le
> destinataire concerné ou la personne autorisée à acheminer le message au
> destinataire concerné, vous êtes, par la présente, avisé(e), que toute
> divulgation, diffusion, distribution ou reproduction de la présente
> communication est strictement interdite.
> Si vous recevez ce message par erreur, veuillez immédiatement en informer
> l'expéditeur ou l'expéditrice par courriel et détruire celui-ci ainsi que
> toutes les pièces jointes qu'il comporte.
> Merci de votre collaboration.
>
>

Re: [mssms] RE: Query for users with multiple primary devices

[Adam Juelich]

Wouldn't this be a great feature?  ::wink wink::

https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/15040527-option-to-specify-maximum-number-of-primary-device

On Thu, Mar 30, 2017 at 2:28 PM, Enley, Carl  wrote:

> You could use this and just filter excel to show the duplicates in the
> name field?
>
>
>
>
>
> SELECT UMR.MachineResourceID, UMR.MachineResourceName, UMR.UniqueUserName,
> Mail0
>
> FROM v_R_User U
>
> JOIN v_UserMachineRelationship UMR ON UMR.UniqueUserName = U.
> Unique_User_Name0
>
>
>
> I also believe there is a built in report where you can specify a
> collection and the number of UDA relationships > greater than 1 for example.
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Beardsley, James
> *Sent:* Thursday, March 30, 2017 1:02 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Query for users with multiple primary devices
>
>
>
> Anyone have a SQL query that’ll show me all users with more than one
> primary device assigned to them through UDA?
>
>
>
> Thanks,
>
> James
>
>
> --
>
> *Confidentiality Notice:* This e-mail is intended only for the addressee
> named above. It contains information that is privileged, confidential or
> otherwise protected from use and disclosure. If you are not the intended
> recipient, you are hereby notified that any review, disclosure, copying, or
> dissemination of this transmission, or taking of any action in reliance on
> its contents, or other use is strictly prohibited. If you have received
> this transmission in error, please reply to the sender listed above
> immediately and permanently delete this message from your inbox. Thank you
> for your cooperation.
>
>
>
>

Re: [mssms] Recommended process for moving SCCM CB to new server?

[Adam Juelich]

Just to piggy-back on this.  What if the previous Systems Administrator
named the server something stupid.  How would one then migrate to a new
Server with a new naming convention?

On Wed, Mar 29, 2017 at 8:41 PM, Jason Sandys  wrote:

> I’ve never had an issue with it rebuilding – it’s a lot faster to simply
> copy the content library over though which is another reason to keep the
> old server online though (with a new name and services shutdown). As a note
> here, you need to **update** all of your content; redistributing it is not
> sufficient as that has nothing to do with the content library.
>
>
>
> J
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Andrew Sanders
> *Sent:* Wednesday, March 29, 2017 9:53 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Recommended process for moving SCCM CB to new
> server?
>
>
>
> Jason-
>
>
>
> If I may ask, what do you do about the SCCMContentLib directory that is on
> the primary site server? I tried this migration a few weeks ago and did not
> move that directory. I found documentation/blog posts online that said you
> didn't have to move it, and that you could redistribute all of your content
> and it would rebuild. I tried that, and it did not rebuild. The system
> could not refresh content that was already in ConfigMgr. I used the content
> library explorer tool to look in the content library on my DP's, and almost
> all of the content was marked as invalid. I ended up punting and going back
> to my old primary site server.
>
>
>
> On Tue, Mar 28, 2017 at 5:16 PM, Jason Sandys  wrote:
>
> IMO, yes.
>
>
>
> Except, I don’t typically shut down the old, server, I shutdown the SQL
> and ConfigMgr services and rename it so then when (not if) I need something
> off of it, it’s still on the network.
>
>
>
> J
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Steve Whitcher
> *Sent:* Tuesday, March 28, 2017 2:29 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Recommended process for moving SCCM CB to new server?
>
>
>
> It looks like I need to make some changes in order to install CB v1702.
> Both the SQL server version and the OS version it's running on are no
> longer supported.
>
>
>
> The primary site server is also getting low on disk space, and could stand
> to be upgraded to server 2016, so I'm thinking that this might be a good
> time to build up a new server and migrate SCCM over to it.  For 2012R2, I
> understand that the process boiled down to:
>
>
>
> Backup the Site DB
>
> Shut down the server
>
> Build a new server using the same IP, hostname, etc
>
> Install the same version of SCCM
>
> Recover the DB to the new server
>
>
>
> Is that still the way to go?
>
>
>
> Rather than upgrading the current SQL server, I'd like to install SQL on
> the primary site server and use that for the configmgr db instead.  Does
> that need to be done separately?  As in, first move the site server as
> above, then after SCCM is functional on the new server install SQL and move
> the db?
>
>
>
> Anything else I need to watch out for?
>
>
>
> Thanks!
>
> Steve
>
>
>
>
>
>
>
>
>
> --
>
> *Andrew Sanders* | *IT Manager, Client Computing **Architecture*
>
> Systems & Networks | Information Technology Services | The University of
> North Carolina at Greensboro
>
> (336) 334-5028 (p) | (336) 334-5932 (f)
>
> 107A McNutt Center | 1400 Spring Garden Street | Greensboro, NC | 27403
>
> apsan...@uncg.edu | http://its.uncg.edu
>
> Microsoft Certified IT Professional | Microsoft Certified Technical
> Specialist
>
>
>
>
>
>

Re: [mssms] GPO Update Disable Manual MS checks

[Adam Juelich]

Yes, other than the GP setting to 'Disable Automatic Updates,' don't
configure anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff  wrote:

> Never configure any of your windows update settings with GPO, let SCCM
> handle that via local policy.
>
>
>
> I believe the setting you want is here for Win10:
> https://miketerrill.net/2016/10/11/disable-check-online-
> for-updates-from-microsoft-update-in-windows-10/
>
>
>
> For Win7, we just disable the ability to check online:
> https://weikingteh.wordpress.com/2012/09/20/how-to-disable-
> the-check-online-for-updates-from-microsoft-update-link-in-
> the-windows-update-icon-in-control-panel/
>
>
>
> *Daniel Ratliff*
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *S ConfigMgr
> *Sent:* Thursday, March 30, 2017 12:12 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] GPO Update Disable Manual MS checks
>
>
>
> Hello all,
>
>
>
> I have deployed SUP and Patching is working as expected.
>
>
>
> However my end users are able to use windows update, How can i block end
> users to stop installing patches from internet, I have windows 10
> Enterprise and Professional Machines as end users.
>
>
>
>
>
> I have tried to deploy a group policy to disable
>
>
>
> Computer Configuration\Administrative Templates\Windows Components\Windows
> Update.
>
> 1.Find and double-click *Configure Automatic Updates*
> [image: 0711 group policy step 3]
> 
>
>
>
> 2.In the resulting dialog box, select *Enabled.*
>
> 3.In the Options box, pull down the *Configure automatic updating* menu
> and select your preferred option.
> [image: 0711 group policy step 4 and 5]
>
> 4.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ​
>
> Still Updates are able to scan by user with ms site, How  can I achieve
> this ?
>
>
>
>
>
> --
>
> Thanks,
>
> ED
>
>
>
> The information transmitted is intended only for the person or entity to
> which it is addressed
> and may contain CONFIDENTIAL material. If you receive this
> material/information in error,
> please contact the sender and delete or destroy the material/information.
>
>

Re: [mssms] Maintenance Windows & Restart Behavior

[Adam Juelich]

Thanks, guys.

Daniel, how has 1E Nightwatchman been?  Our WoL isn't perfect.  It has
gotten better since I configured compliance settings for NIC Power
Management.  Since we are smaller they won't do a PoC with us but until I
can see proof that this gives us a better success-rate, I can't justify the
cost to management.

On Wed, Mar 29, 2017 at 8:58 PM, Marable, Mike <mmara...@med.umich.edu>
wrote:

> Well, we have the agreements as to when we can deploy software,
> essentially after hours.  We don’t use Maintenance Windows for them, we
> just set up a deployment to run as a specific time (maybe 11:00 pm for
> example) and fire it off.  We will divide up the deployment into multiple
> days.  Typically we’ll do a 3 day with maybe 10% of the intended machines
> on day 1, 25% on day 2 and the remainder on day 3.
>
>
>
> Mike
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Wednesday, March 29, 2017 4:07 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Maintenance Windows & Restart Behavior
>
>
>
> Thanks, Mike.
>
>
>
> So you guys strictly use Windows Embedded?  If you have traditional
> clients, how do you manage them differently?
>
>
>
> On Wed, Mar 29, 2017 at 2:27 PM, Marable, Mike <mmara...@med.umich.edu>
> wrote:
>
> Hi Adam,
>
>
>
> 1.   Maintenance Windows
>
> a.   We use these only on our embedded devices and not on traditional
> clients.  We have a window set once a week (like 2 am on Sunday mornings)
> so that SCCM turns off the write filter on the device, runs our deployments
> and then re-enables the write filter.
>
> 2.   Restart Behavior / Communications
>
> a.   We actually have written our own utility to handle reboots.  It
> allows us to display a message to the end user, countdown timer, users can
> delay the reboot, we can have it check for running executables before
> attempting to reboot, etc.
>
> b.   We have agreements in place with critical areas, such as
> emergency rooms, and other 24hour clinics to limit reboots to specific days
> and times.  Otherwise the understanding with the users is that we will do
> our deployments and maintenance outside of business hours.  Combine that
> with our reboot tool and the users are pretty happy.
>
>
>
> We do use WOL very heavily.  Different clinics have varying office
> hours/days and we have collections set up to wake machines up about 15
> minutes before the beginning of business for them.  We’ve been very
> successful with that.  The WOL issues that we have run into in the past
> have usually been attributed to either mis-configured BIOs settings or
> users hard-powering off machines.
>
>
>
> Mike
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Wednesday, March 29, 2017 2:55 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Maintenance Windows & Restart Behavior
>
>
>
> Hello Everyone,
>
>
>
> This isn't as much of a question as much as a poll on how people are doing
> this.  I know everyone is in charge of different environments, different
> sizing, and other complex variables.  I'd like to know what settings you
> specify for the following items:
>
>
>
>1. Maintenance Windows
>
>
>1. What are your MW for Windows Clients?
>   2. Do you usually just do it for 'Restarts' or 'Installs' as well?
>   3. Are you leveraging WoL and/or AMT?
>   4. If so, what is your success rate?
>
>
>1. Restart Behavior
>
>
>1. What do you specify for the two Client Notifications?
>
>
>1. Communication
>
>
>1. How have you communicated this to end-users?  It's obviously a
>   delicate balance between security and end-user convenience.  Every
>   environment is different but I'm curious.
>
>
>
> Anything else that I missed in this realm, I would appreciate knowing!
>
>
>
> Thanks!
>
>
>
> **
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues
>
>
>
>
>
>
>
> **
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues
>
>

Re: [mssms] Maintenance Windows & Restart Behavior

[Adam Juelich]

Thanks, Mike.

So you guys strictly use Windows Embedded?  If you have traditional
clients, how do you manage them differently?

On Wed, Mar 29, 2017 at 2:27 PM, Marable, Mike <mmara...@med.umich.edu>
wrote:

> Hi Adam,
>
>
>
> 1.   Maintenance Windows
>
> a.   We use these only on our embedded devices and not on traditional
> clients.  We have a window set once a week (like 2 am on Sunday mornings)
> so that SCCM turns off the write filter on the device, runs our deployments
> and then re-enables the write filter.
>
> 2.   Restart Behavior / Communications
>
> a.   We actually have written our own utility to handle reboots.  It
> allows us to display a message to the end user, countdown timer, users can
> delay the reboot, we can have it check for running executables before
> attempting to reboot, etc.
>
> b.   We have agreements in place with critical areas, such as
> emergency rooms, and other 24hour clinics to limit reboots to specific days
> and times.  Otherwise the understanding with the users is that we will do
> our deployments and maintenance outside of business hours.  Combine that
> with our reboot tool and the users are pretty happy.
>
>
>
> We do use WOL very heavily.  Different clinics have varying office
> hours/days and we have collections set up to wake machines up about 15
> minutes before the beginning of business for them.  We’ve been very
> successful with that.  The WOL issues that we have run into in the past
> have usually been attributed to either mis-configured BIOs settings or
> users hard-powering off machines.
>
>
>
> Mike
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Wednesday, March 29, 2017 2:55 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Maintenance Windows & Restart Behavior
>
>
>
> Hello Everyone,
>
>
>
> This isn't as much of a question as much as a poll on how people are doing
> this.  I know everyone is in charge of different environments, different
> sizing, and other complex variables.  I'd like to know what settings you
> specify for the following items:
>
>
>
>1. Maintenance Windows
>
>
>1. What are your MW for Windows Clients?
>   2. Do you usually just do it for 'Restarts' or 'Installs' as well?
>   3. Are you leveraging WoL and/or AMT?
>   4. If so, what is your success rate?
>
>
>1. Restart Behavior
>
>
>1. What do you specify for the two Client Notifications?
>
>
>1. Communication
>
>
>1. How have you communicated this to end-users?  It's obviously a
>   delicate balance between security and end-user convenience.  Every
>   environment is different but I'm curious.
>
>
>
> Anything else that I missed in this realm, I would appreciate knowing!
>
>
>
> Thanks!
>
>
>
> **
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues
>
>

[mssms] Maintenance Windows & Restart Behavior

[Adam Juelich]

Hello Everyone,

This isn't as much of a question as much as a poll on how people are doing
this.  I know everyone is in charge of different environments, different
sizing, and other complex variables.  I'd like to know what settings you
specify for the following items:


   1. Maintenance Windows
  1. What are your MW for Windows Clients?
  2. Do you usually just do it for 'Restarts' or 'Installs' as well?
  3. Are you leveraging WoL and/or AMT?
  4. If so, what is your success rate?
   2. Restart Behavior
  1. What do you specify for the two Client Notifications?
   3. Communication
  1. How have you communicated this to end-users?  It's obviously a
  delicate balance between security and end-user convenience.  Every
  environment is different but I'm curious.


Anything else that I missed in this realm, I would appreciate knowing!

Thanks!

Re: [mssms] Office 365 License not evaluating

[Adam Juelich]

Some clarification..

Did you deploy Office 2016 or Office 365?  They are two differences
licenses.  The former would be licensed via MAK and KMS, the latter would
be a user-based subscription.

On Tue, Mar 28, 2017 at 12:20 PM, Kevin Ray  wrote:

> Hi All,
>
> I'm Facing license expire issue for Office product
>
> Initially I have created the Office 2016 package using OCT
> custumizations-Use KMS (https://prajwaldesai.com/how-
> to-deploy-office-2016-using-sccm-2012-r2/)...
> Later I came to know that in my environment,they have Office 365 based
> license..
>
> Each user has the Office 365 license. And user using the Laptop which has
> deployed using SCCM Office 2016 OCT method..
>
> Now User Is not getting Activated the license from Office 365?
>
> Is it something wrong on Office 365 OR SCCM Office 365 Packging
>
> any help please
>
>
>
>
>

Re: [mssms] 2012 to 2016 upgrade with step issues

[Adam Juelich]

What is STEP?

Is your SCEP Client Policy set to install to those Windows Defender
machines, or did you deploy 'SCEP_Install.exe' to them separately?

They still need the 'Install' to be managed.  I found this out a month ago
as well.

On Fri, Mar 24, 2017 at 10:40 AM, Stuart Watret 
wrote:

> Someone on site did an in place upgrade of server 2012 r2 to 2016 server.
>
> Now defender and step are in a twist.
>
> I removed sccm, step and reinstalled sccm, this got defender back to being
> managed.
>
> He just came back to me to say step is back, sure enough defender is back
> to unmanaged.
>
> Anyone seen this, have any thoughts?
>
> Thanks
>
> Stuart
>
>

Re: [mssms] Windows Update Issues

[Adam Juelich]

Have you done WSUS Clean-up and re-indexing?

On Thu, Mar 23, 2017 at 8:56 AM, Collin Murphy 
wrote:

> Hello,
>
>
>
> Site: SCCM 1610 w/ KB3214042
>
>
>
> I am experiencing significant issues with clients receiving updates.  Out
> of 1500 systems 201 are compliant, 131 are non-compliant, and the remaining
> 1200 are all in an Unknown State.
>
>
>
> I have uninstalled WSUS, installed again, re-index, WSUS cleanup tasks,
> and still the same issue.  The IIS WSUS App Pool is taking up almost 32GB
> of RAM which seems very odd.
>
>
>
> From the WUAHandler.log I am seeing these errors on a client:
>
>
>
> OnSearchComplete - Failed to end search job. Error = 0x80244007.
>
> Scan failed with error = 0x80244007.
>
>
>
> OnSearchComplete - Failed to end search job. Error = 0x8024401c.
>
> Scan failed with error = 0x8024401c.
>
>
>
> OnSearchComplete - Failed to end search job. Error = 0x80240440.
>
> Scan failed with error = 0x80240440.
>
>
>
> OnSearchComplete - Failed to end search job. Error = 0x8024402c.
>
> Scan failed with error = 0x8024402c.
>
>
>
>
>
> From the ScanAgent.log I am seeing these errors on the same client as the
> previous WUAHandler.log
>
>
>
> CScanAgent::ScanCompleteCallback - failed at OnScanComplete with
> error=0x87d00631
>
>
>
>
>
> I have also run this PS
>
>
>
> get-hotfix | Where-Object {$_.installedon -gt (get-date).addmonths(*-5*)}
> | Sort-Object -property installedOn -Descending
>
>
>
> The only results that are showing are updates installed from November of
> 2016.
>
>
>
>
>
> I can provide more information or log snips at any time.
>
>
>
> Any ideas would be greatly appreciated.
>
>
>
> Thank you
>
>
>
>
>
>
>
>
>
>
>
>

Re: [mssms] RE: Rights needed for image creation

[Adam Juelich]

Are you trying to have them import computers into the 'All Systems'
Collection?  If so, can't do itit's a built-in Collection that you
can't mess with, for good reason.

On Tue, Mar 21, 2017 at 6:31 PM, Schultz, Michael A <
michael.schu...@providence.org> wrote:

> What does the adminui log on their machine say the error is?
>
>
>
> Michael Schultz
>
> Client Systems Engineering, SCCM Engineer
>
> Information Systems
>
> Providence Health & Services
>
> *michael.schu...@providence.org *
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Heaton, Joseph@Wildlife
> *Sent:* Tuesday, March 21, 2017 3:15 PM
> *To:* 'mssms@lists.myitforum.com' 
> *Subject:* [mssms] Rights needed for image creation
>
>
>
> I’m trying to setup a couple of guys from our Helpdesk to be able to
> create our Win10 image within SCCM (1610).  I’ve given them the Operating
> Systems Deployment Manager role, put the All Systems collection, and
> Default Security Scope.  They’re telling me that when they try to manually
> import a computer, they get to the point of selecting a collection to put
> it in, and the collection window is blank, no collections listed.  Can
> anyone help me get them where they need to be without giving them Full
> Admin?
>
>
>
> Joe Heaton
>
> Information Technology Operations Branch
>
> Data and Technology Division
>
> CA Department of Fish and Wildlife
>
> 1700 9th Street, 3rd Floor
>
> Sacramento, CA  95811
>
> Desk:  (916) 323-1284
>
>
>
> Every Californian should conserve water.  Find out how at:
>
> [image: SaveOurWater_Logo]
> 
>
> SaveOurWater.com
> 
> · Drought.CA.gov
> 
>
>
>
> --
>
> This message is intended for the sole use of the addressee, and may
> contain information that is privileged, confidential and exempt from
> disclosure under applicable law. If you are not the addressee you are
> hereby notified that you may not use, copy, disclose, or distribute to
> anyone the message or any information contained in the message. If you have
> received this message in error, please immediately advise the sender by
> reply email and delete this message.
>
>

Re: [mssms] UEFI transfering

[Adam Juelich]

Again, I think it depends on the organization and protocols in place.  But
yes, you're correct.

LAPS doesn't require UEFI so that is a moot point.

On Tue, Mar 21, 2017 at 8:32 AM, Chris Barnes <
chris.bar...@coretekservices.com> wrote:

> I would disagree with that. If you are undertaking a Windows 10
> deployment, you should be doing everything in your power to get to UEFI,
> and turning on Credential Guard. (And using LAPS).
>
>
>
> Those two items will provide you with protection against Pass the Hash /
> Pass the Ticket attacks, which are used in almost all / most reported
> breaches.
>
>
>
> Especially with the MGR2GPT tool in Win 10 1703, getting to UEFI is even
> easier as you can do it along with In Place upgrades.
>
>
>
> I think the biggest reason to upgrade to Win10 is security, and why would
> you upgrade to Win10, and leave it just as open to attack as Win 7?
>
>
>
> Device Guard is a different topic. Very secure, but at a cost of
> administrative overhead that I haven’t seen many take on yet.
>
>
>
>
>
> *Chris Barnes*
>
> *MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure*
>
> *Coretek Services | Microsoft Delivery Manager *
>
> ( 248.767.4415 <(248)%20767-4415> cell
>
> * chris.bar...@coretekservices.com
>
> :   http://www.coretekservices.com
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Tuesday, March 21, 2017 8:57 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] UEFI transfering
>
>
>
> You do not NEED to move to UEFI at this point.  You DO however if you want
> to leverage things like Device Guard and Credential Guard.  That is up to
> your organization to decide.
>
>
>
> If some of those secure things aren't a priority or necessity I would
> start leveraging UEFI for newer machines and support Legacy BIOS on your
> old machines until they are refreshed.
>
>
>
> Just my opinion, as every industry is different and has different
> priorities.
>
>
>
> On Mon, Mar 20, 2017 at 3:46 PM, Kevin Ray <kevinalive...@gmail.com>
> wrote:
>
> Hi All,
>
>
>
> I don't have knowledge on Bios upgrades. I would like to get more
> understanding on UEFI.
>
>
>
> So if a company wants to migrate windows 10 .. Do i need to check their
> machines current BIOS Setting related to UEFI ..What kind of instruction i
> need to check related to BIOS
>
>
>
>
>
>
>
>

Re: [mssms] UEFI transfering

[Adam Juelich]

You do not NEED to move to UEFI at this point.  You DO however if you want
to leverage things like Device Guard and Credential Guard.  That is up to
your organization to decide.

If some of those secure things aren't a priority or necessity I would start
leveraging UEFI for newer machines and support Legacy BIOS on your old
machines until they are refreshed.

Just my opinion, as every industry is different and has different
priorities.

On Mon, Mar 20, 2017 at 3:46 PM, Kevin Ray  wrote:

> Hi All,
>
> I don't have knowledge on Bios upgrades. I would like to get more
> understanding on UEFI.
>
> So if a company wants to migrate windows 10 .. Do i need to check their
> machines current BIOS Setting related to UEFI ..What kind of instruction i
> need to check related to BIOS
>
>

Re: [mssms] Catching up on patching

[Adam Juelich]

Well, yes.  But that doesn't address the currently 1500 clients I have out
there that have been neglected for months/years.

On Sun, Mar 19, 2017 at 11:29 AM, Eric Morrison <eric.morri...@outlook.com>
wrote:

> I'd wrap it in a TS.
>
> Get Outlook for iOS <https://aka.ms/o0ukef>
>
> --
> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
> on behalf of Adam Juelich <acjuel...@gmail.com>
> *Sent:* Sunday, March 19, 2017 11:03:09 AM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Catching up on patching
>
> Thinking about this more, it may be better to utilize the Application
> Method.  That way I can chain the Dependencies in the proper order.
> Otherwise, I'd have to craft the SUG's accordingly, deploy them and wait
> for compliance, and then deploy the next one.
>
>
>1. .NET 4.6.2
>2. WMF 5.1
>3. WUA Update
>4. Servicing Stack
>5. Convenience Roll-up
>6. March Rollup
>7. Start ADR
>
>
> On Fri, Mar 17, 2017 at 10:44 AM, Adam Juelich <acjuel...@gmail.com>
> wrote:
>
>> So, I created a SUG with the Servicing Stack Updates (Which was
>> superseded with a newer one) and the July WUA.  I then created another SUG
>> with the Convenience Rollup.  Can I deploy both of these at the same time
>> or should I do the first one, once I hit good compliance then deploy the
>> Rollup?
>>
>> On Fri, Mar 17, 2017 at 8:27 AM, Adam Juelich <acjuel...@gmail.com>
>> wrote:
>>
>>> Are your classifications correct in your SUP settings?
>>>
>>> On Fri, Mar 17, 2017 at 1:15 AM, Shane Alexander <
>>> shane_alexan...@hotmail.com> wrote:
>>>
>>>> Update regarding importing Convenience Rollup Update KB3125574 into
>>>> WSUS, and then sync'ing expecting to see it in ConfigMgr SUP.
>>>>
>>>>
>>>> It imports OK to WSUS, but doesn't seem to sync across into ConfigMgr
>>>> SUP.
>>>>
>>>>
>>>> Was expecting it would just like KB2775511, as per below link.
>>>>
>>>> https://blogs.technet.microsoft.com/michaelgriswold/2013/03/
>>>> 13/kb2775511-deployment-for-the-sccm-admin/
>>>>
>>>>
>>>> However have just done this for KB3125574, but cannot see it.
>>>>
>>>> Did same steps for KB2775511, which I can see.
>>>>
>>>>
>>>> Shane
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
>>>> on behalf of Shane Alexander <shane_alexan...@hotmail.com>
>>>> *Sent:* Friday, 17 March 2017 10:51 AM
>>>>
>>>> *To:* mssms@lists.myitforum.com
>>>> *Subject:* Re: [mssms] Catching up on patching
>>>>
>>>>
>>>> Agree getting WUA updated would be a good place to start, then you have
>>>> a known baseline for scanning against.
>>>>
>>>>
>>>> Thing is, latest unique individual update for the WUA on W7 SP1 is
>>>> KB3138612 from March 2016.
>>>>
>>>> The Convenience Rollup Update actually has a newer WUA in it, and after
>>>> that WUA, e.g. from June 2016 onwards, the WUA is updated as it is included
>>>> in the Monthly Update Rollups
>>>>
>>>> Versions below.
>>>>
>>>> http://www.potentengineer.com/windows-update-agent-build-num
>>>> bers-for-windows-7/
>>>>
>>>>
>>>> Agree that installing Convenience Rollup Update KB3125574 on all
>>>> existing W7 SP1's would create a good known baseline and then you can patch
>>>> from there onwards, like with IE, .Net, & Monthly Rollups.
>>>>
>>>> Something to note is the "Known issues" listed in KB3125574, you can
>>>> stop most of the issues before installing KB3125574.
>>>>
>>>>
>>>> Regarding installing KB3125574 as an Update (through Software Updates
>>>> vs as an Apllication), you'd have to import KB3125574 directly into your
>>>> top WSUS (yes WSUS), and ensure you are sync'ing for the "Updates"
>>>> Classification, and ensure a full sync is done.
>>>>
>>>> You'll also then have many individual updates appearing as Superseded
>>>> (a good thing).
>>>>
>>>>
>>>>
>>&g

Re: [mssms] Catching up on patching

[Adam Juelich]

Thinking about this more, it may be better to utilize the Application
Method.  That way I can chain the Dependencies in the proper order.
Otherwise, I'd have to craft the SUG's accordingly, deploy them and wait
for compliance, and then deploy the next one.


   1. .NET 4.6.2
   2. WMF 5.1
   3. WUA Update
   4. Servicing Stack
   5. Convenience Roll-up
   6. March Rollup
   7. Start ADR


On Fri, Mar 17, 2017 at 10:44 AM, Adam Juelich <acjuel...@gmail.com> wrote:

> So, I created a SUG with the Servicing Stack Updates (Which was superseded
> with a newer one) and the July WUA.  I then created another SUG with the
> Convenience Rollup.  Can I deploy both of these at the same time or should
> I do the first one, once I hit good compliance then deploy the Rollup?
>
> On Fri, Mar 17, 2017 at 8:27 AM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Are your classifications correct in your SUP settings?
>>
>> On Fri, Mar 17, 2017 at 1:15 AM, Shane Alexander <
>> shane_alexan...@hotmail.com> wrote:
>>
>>> Update regarding importing Convenience Rollup Update KB3125574 into
>>> WSUS, and then sync'ing expecting to see it in ConfigMgr SUP.
>>>
>>>
>>> It imports OK to WSUS, but doesn't seem to sync across into ConfigMgr
>>> SUP.
>>>
>>>
>>> Was expecting it would just like KB2775511, as per below link.
>>>
>>> https://blogs.technet.microsoft.com/michaelgriswold/2013/03/
>>> 13/kb2775511-deployment-for-the-sccm-admin/
>>>
>>>
>>> However have just done this for KB3125574, but cannot see it.
>>>
>>> Did same steps for KB2775511, which I can see.
>>>
>>>
>>> Shane
>>>
>>>
>>>
>>>
>>>
>>> --
>>> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
>>> on behalf of Shane Alexander <shane_alexan...@hotmail.com>
>>> *Sent:* Friday, 17 March 2017 10:51 AM
>>>
>>> *To:* mssms@lists.myitforum.com
>>> *Subject:* Re: [mssms] Catching up on patching
>>>
>>>
>>> Agree getting WUA updated would be a good place to start, then you have
>>> a known baseline for scanning against.
>>>
>>>
>>> Thing is, latest unique individual update for the WUA on W7 SP1 is
>>> KB3138612 from March 2016.
>>>
>>> The Convenience Rollup Update actually has a newer WUA in it, and after
>>> that WUA, e.g. from June 2016 onwards, the WUA is updated as it is included
>>> in the Monthly Update Rollups
>>>
>>> Versions below.
>>>
>>> http://www.potentengineer.com/windows-update-agent-build-num
>>> bers-for-windows-7/
>>>
>>>
>>> Agree that installing Convenience Rollup Update KB3125574 on all
>>> existing W7 SP1's would create a good known baseline and then you can patch
>>> from there onwards, like with IE, .Net, & Monthly Rollups.
>>>
>>> Something to note is the "Known issues" listed in KB3125574, you can
>>> stop most of the issues before installing KB3125574.
>>>
>>>
>>> Regarding installing KB3125574 as an Update (through Software Updates vs
>>> as an Apllication), you'd have to import KB3125574 directly into your top
>>> WSUS (yes WSUS), and ensure you are sync'ing for the "Updates"
>>> Classification, and ensure a full sync is done.
>>>
>>> You'll also then have many individual updates appearing as Superseded (a
>>> good thing).
>>>
>>>
>>>
>>> Shane
>>>
>>>
>>>
>>>
>>> --
>>> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
>>> on behalf of Sherry Kissinger <sherrylkissin...@gmail.com>
>>> *Sent:* Friday, 17 March 2017 4:36 AM
>>> *To:* mssms@lists.myitforum.com
>>> *Subject:* Re: [mssms] Catching up on patching
>>>
>>> Todd has a very good point:  windows update agent--if they haven't been
>>> patching, they possibly haven't been paying attention to their windows
>>> update agent version.  There are some updates which just don't install or
>>> detect correctly unless you have the latest WUA.  So research what versions
>>> of that you have out there, and get that to the latest version; otherwise
>>> you might be chasing patching installation issues that end up being "latest
>>> wua required"
>>>
>>> On Thu, Mar 16, 2017 at 10:45 AM,

Re: [mssms] Catching up on patching

[Adam Juelich]

So, I created a SUG with the Servicing Stack Updates (Which was superseded
with a newer one) and the July WUA.  I then created another SUG with the
Convenience Rollup.  Can I deploy both of these at the same time or should
I do the first one, once I hit good compliance then deploy the Rollup?

On Fri, Mar 17, 2017 at 8:27 AM, Adam Juelich <acjuel...@gmail.com> wrote:

> Are your classifications correct in your SUP settings?
>
> On Fri, Mar 17, 2017 at 1:15 AM, Shane Alexander <
> shane_alexan...@hotmail.com> wrote:
>
>> Update regarding importing Convenience Rollup Update KB3125574 into
>> WSUS, and then sync'ing expecting to see it in ConfigMgr SUP.
>>
>>
>> It imports OK to WSUS, but doesn't seem to sync across into ConfigMgr SUP.
>>
>>
>> Was expecting it would just like KB2775511, as per below link.
>>
>> https://blogs.technet.microsoft.com/michaelgriswold/2013/03/
>> 13/kb2775511-deployment-for-the-sccm-admin/
>>
>>
>> However have just done this for KB3125574, but cannot see it.
>>
>> Did same steps for KB2775511, which I can see.
>>
>>
>> Shane
>>
>>
>>
>>
>>
>> --
>> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
>> on behalf of Shane Alexander <shane_alexan...@hotmail.com>
>> *Sent:* Friday, 17 March 2017 10:51 AM
>>
>> *To:* mssms@lists.myitforum.com
>> *Subject:* Re: [mssms] Catching up on patching
>>
>>
>> Agree getting WUA updated would be a good place to start, then you have a
>> known baseline for scanning against.
>>
>>
>> Thing is, latest unique individual update for the WUA on W7 SP1 is
>> KB3138612 from March 2016.
>>
>> The Convenience Rollup Update actually has a newer WUA in it, and after
>> that WUA, e.g. from June 2016 onwards, the WUA is updated as it is included
>> in the Monthly Update Rollups
>>
>> Versions below.
>>
>> http://www.potentengineer.com/windows-update-agent-build-num
>> bers-for-windows-7/
>>
>>
>> Agree that installing Convenience Rollup Update KB3125574 on all existing
>> W7 SP1's would create a good known baseline and then you can patch from
>> there onwards, like with IE, .Net, & Monthly Rollups.
>>
>> Something to note is the "Known issues" listed in KB3125574, you can stop
>> most of the issues before installing KB3125574.
>>
>>
>> Regarding installing KB3125574 as an Update (through Software Updates vs
>> as an Apllication), you'd have to import KB3125574 directly into your top
>> WSUS (yes WSUS), and ensure you are sync'ing for the "Updates"
>> Classification, and ensure a full sync is done.
>>
>> You'll also then have many individual updates appearing as Superseded (a
>> good thing).
>>
>>
>>
>> Shane
>>
>>
>>
>>
>> --
>> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
>> on behalf of Sherry Kissinger <sherrylkissin...@gmail.com>
>> *Sent:* Friday, 17 March 2017 4:36 AM
>> *To:* mssms@lists.myitforum.com
>> *Subject:* Re: [mssms] Catching up on patching
>>
>> Todd has a very good point:  windows update agent--if they haven't been
>> patching, they possibly haven't been paying attention to their windows
>> update agent version.  There are some updates which just don't install or
>> detect correctly unless you have the latest WUA.  So research what versions
>> of that you have out there, and get that to the latest version; otherwise
>> you might be chasing patching installation issues that end up being "latest
>> wua required"
>>
>> On Thu, Mar 16, 2017 at 10:45 AM, Adam Juelich <acjuel...@gmail.com>
>> wrote:
>>
>>> Nope.  Just me, myself, and I.
>>>
>>> On Thu, Mar 16, 2017 at 10:36 AM, Todd Hemsell <hems...@gmail.com>
>>> wrote:
>>>
>>>> I thought you were with tanium?
>>>>
>>>>
>>>> On Thu, Mar 16, 2017 at 9:17 AM, Daniel Ratliff <dratl...@humana.com>
>>>> wrote:
>>>>
>>>>> Why deploy the convenience rollup as an Application? Why not an update?
>>>>>
>>>>>
>>>>>
>>>>> *Daniel Ratliff*
>>>>>
>>>>>
>>>>>
>>>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>>>> orum.com] *On Behalf Of *Adam Juelich
>>>>>

Re: [mssms] Enabling/Disabling SUP

[Adam Juelich]

That I'm unsure of.  I know it needs it to be enabled to function, so I
would say 'yes.'

On Fri, Mar 17, 2017 at 9:49 AM, David Jones <dkjones9...@gmail.com> wrote:

> Actually, yes I meant the Windows Updates service on the Exchange servers.
> My understanding is it wasn't disabled by GP, just manually disabled.
>
> So could the ConfigMgr Client re-enable a manually disabled Windows
> Updates service on a client if SUP was set to yes in the client settings?
>
> On Fri, Mar 17, 2017 at 9:49 AM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> The actual Service?  That shouldn't be disabled.
>>
>> The only thing you want to disable in Group Policy is 'Automatic Updates.'
>>
>> The service is still leveraged for WU through the ConfigMgr Client.
>>
>> On Fri, Mar 17, 2017 at 8:28 AM, David Jones <dkjones9...@gmail.com>
>> wrote:
>>
>>> I have found the same to be true.  But does anyone know, is it
>>> expected/normal behavior for the SCCM client to enable Windows Updates
>>> service on a computer/server that has it disabled if the SUP policy is
>>> enabled in the client settings?
>>>
>>> On Thu, Mar 16, 2017 at 4:26 PM, Todd Hemsell <hems...@gmail.com> wrote:
>>>
>>>> I have found the best approach to take when accused of something is to
>>>> own it.
>>>> Oops, yes.. I certainly is possible that there was an unintended
>>>> consequence of what I did. Let me go and investigate.
>>>>
>>>> Then come back to them with the names of logs, and screenshots or
>>>> copy/paste of the relevant lines of the logs that either makes you think it
>>>> wasn't you, or it was you but you found the solution on how to prevent it
>>>> from happening again.
>>>>
>>>> Once you lay down that for sure it wasn't you it is hard to get out of
>>>> if it turns out it was you.
>>>> Sometimes it will be you. That is just the nature of the business. Make
>>>> sure you find the solution on how to prevent it from happening again and
>>>> include that along with your confession. :)
>>>>
>>>> Doing this seems to disarm people and remove their desire to kill you
>>>> over it. If you make them feel like (emotion) that you really care and are
>>>> sincerely trying to help, most will lay off of you.
>>>>
>>>>
>>>> On Thu, Mar 16, 2017 at 2:49 PM, David Jones <dkjones9...@gmail.com>
>>>> wrote:
>>>>
>>>>> Thanks Todd!
>>>>>
>>>>> On Thu, Mar 16, 2017 at 3:36 PM, Todd Hemsell <hems...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> For the exchange servers, look in the event logs, specifically the
>>>>>> setup log. It will be in there.
>>>>>> SCCM can install something and not reboot, THEN the AU agent on the
>>>>>> server kicks in, sees it needs a reboot, and bounces the machine.\
>>>>>>
>>>>>> For the WSUS, look in the C:\Windows\WindowsUpdate.log for URL's
>>>>>> You will see their server and possibly yours.
>>>>>>
>>>>>> What you find there should give you hints where to go next.
>>>>>>
>>>>>> On Thu, Mar 16, 2017 at 12:57 PM, David Jones <dkjones9...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I hope someone can give me an answer or refer me to something by
>>>>>>> tomorrow.
>>>>>>>
>>>>>>> situation:
>>>>>>> 1. SCCM CB 1606hf2, 1 Primary only, Server 2012R2. Only using it for
>>>>>>> Apps/Packages/Inventory/Software Center.  Only other server is a
>>>>>>> 2012R2 DP.
>>>>>>> 2. SUP Client Setting set to No and SCCM has no SUP role installed.
>>>>>>> 2. Decide to use SUP. Set Client Setting to Yes. Install WSUS,
>>>>>>> Install SUP role on Primary, no SSL. Configure SUP/WSUS settings. 
>>>>>>> Create NO
>>>>>>> groups or packages yet. this is all. A list of updates populates all
>>>>>>> updates.
>>>>>>> 3. Sits this way for about 5 days. Nothing else is done. In the
>>>>>>> background, a WSUS is still running in production and it's GP is still
>>>>>>> active on the domain. Can't get numbers in the All Updates for
>>>>>>> required/installed

Re: [mssms] Enabling/Disabling SUP

[Adam Juelich]

The actual Service?  That shouldn't be disabled.

The only thing you want to disable in Group Policy is 'Automatic Updates.'

The service is still leveraged for WU through the ConfigMgr Client.

On Fri, Mar 17, 2017 at 8:28 AM, David Jones  wrote:

> I have found the same to be true.  But does anyone know, is it
> expected/normal behavior for the SCCM client to enable Windows Updates
> service on a computer/server that has it disabled if the SUP policy is
> enabled in the client settings?
>
> On Thu, Mar 16, 2017 at 4:26 PM, Todd Hemsell  wrote:
>
>> I have found the best approach to take when accused of something is to
>> own it.
>> Oops, yes.. I certainly is possible that there was an unintended
>> consequence of what I did. Let me go and investigate.
>>
>> Then come back to them with the names of logs, and screenshots or
>> copy/paste of the relevant lines of the logs that either makes you think it
>> wasn't you, or it was you but you found the solution on how to prevent it
>> from happening again.
>>
>> Once you lay down that for sure it wasn't you it is hard to get out of if
>> it turns out it was you.
>> Sometimes it will be you. That is just the nature of the business. Make
>> sure you find the solution on how to prevent it from happening again and
>> include that along with your confession. :)
>>
>> Doing this seems to disarm people and remove their desire to kill you
>> over it. If you make them feel like (emotion) that you really care and are
>> sincerely trying to help, most will lay off of you.
>>
>>
>> On Thu, Mar 16, 2017 at 2:49 PM, David Jones 
>> wrote:
>>
>>> Thanks Todd!
>>>
>>> On Thu, Mar 16, 2017 at 3:36 PM, Todd Hemsell  wrote:
>>>
 For the exchange servers, look in the event logs, specifically the
 setup log. It will be in there.
 SCCM can install something and not reboot, THEN the AU agent on the
 server kicks in, sees it needs a reboot, and bounces the machine.\

 For the WSUS, look in the C:\Windows\WindowsUpdate.log for URL's
 You will see their server and possibly yours.

 What you find there should give you hints where to go next.

 On Thu, Mar 16, 2017 at 12:57 PM, David Jones 
 wrote:

> I hope someone can give me an answer or refer me to something by
> tomorrow.
>
> situation:
> 1. SCCM CB 1606hf2, 1 Primary only, Server 2012R2. Only using it for
> Apps/Packages/Inventory/Software Center.  Only other server is a
> 2012R2 DP.
> 2. SUP Client Setting set to No and SCCM has no SUP role installed.
> 2. Decide to use SUP. Set Client Setting to Yes. Install WSUS, Install
> SUP role on Primary, no SSL. Configure SUP/WSUS settings. Create NO
> groups or packages yet. this is all. A list of updates populates all
> updates.
> 3. Sits this way for about 5 days. Nothing else is done. In the
> background, a WSUS is still running in production and it's GP is still
> active on the domain. Can't get numbers in the All Updates for
> required/installed because of the GP pointing to the WSUS server.
>
> Question 1. Is this a safe scenario so far? Could I have something in
> place at this point that would interfere with the WSUS in production? The
> only thing I could think of is the local GP for pointing to the SCCM 
> server
> that should be overridden by the domain policy pointing to the WSUS 
> server.
> That should create no problem for the WSUS in production as it's GP has
> precedence.
>
> 4. WSUS folks claiming I have done something to kill some computers
> from getting WSUS updates. Remove the SUP role. Leave the SUP Client
> Setting at Yes. Remove WSUS from SCCM server. Reinstall the WSUS role on
> the server this time putting it in SQL 2014 with SCCM instead of using 
> WID.
> 5. Exchange servers folks claim that has caused their servers to
> reboot in the middle of the day. Say is may be because they had the 
> Windows
> Updates server disabled and the SCCM client enabled it and caused mid day
> reboots.
>
> Question 2:  Is there any kind of way at all this could happen?
>
> Ar
> Dave the scapegoat
>
>
>
>


>>>
>>>
>>
>>
>
>

Re: [mssms] Catching up on patching

[Adam Juelich]

Are your classifications correct in your SUP settings?

On Fri, Mar 17, 2017 at 1:15 AM, Shane Alexander <
shane_alexan...@hotmail.com> wrote:

> Update regarding importing Convenience Rollup Update KB3125574 into WSUS,
> and then sync'ing expecting to see it in ConfigMgr SUP.
>
>
> It imports OK to WSUS, but doesn't seem to sync across into ConfigMgr SUP.
>
>
> Was expecting it would just like KB2775511, as per below link.
>
> https://blogs.technet.microsoft.com/michaelgriswold/2013/03/13/kb2775511-
> deployment-for-the-sccm-admin/
>
>
> However have just done this for KB3125574, but cannot see it.
>
> Did same steps for KB2775511, which I can see.
>
>
> Shane
>
>
>
>
>
> --
> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
> on behalf of Shane Alexander <shane_alexan...@hotmail.com>
> *Sent:* Friday, 17 March 2017 10:51 AM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Catching up on patching
>
>
> Agree getting WUA updated would be a good place to start, then you have a
> known baseline for scanning against.
>
>
> Thing is, latest unique individual update for the WUA on W7 SP1 is
> KB3138612 from March 2016.
>
> The Convenience Rollup Update actually has a newer WUA in it, and after
> that WUA, e.g. from June 2016 onwards, the WUA is updated as it is included
> in the Monthly Update Rollups
>
> Versions below.
>
> http://www.potentengineer.com/windows-update-agent-build-
> numbers-for-windows-7/
>
>
> Agree that installing Convenience Rollup Update KB3125574 on all existing
> W7 SP1's would create a good known baseline and then you can patch from
> there onwards, like with IE, .Net, & Monthly Rollups.
>
> Something to note is the "Known issues" listed in KB3125574, you can stop
> most of the issues before installing KB3125574.
>
>
> Regarding installing KB3125574 as an Update (through Software Updates vs
> as an Apllication), you'd have to import KB3125574 directly into your top
> WSUS (yes WSUS), and ensure you are sync'ing for the "Updates"
> Classification, and ensure a full sync is done.
>
> You'll also then have many individual updates appearing as Superseded (a
> good thing).
>
>
>
> Shane
>
>
>
>
> --
> *From:* listsad...@lists.myitforum.com <listsad...@lists.myitforum.com>
> on behalf of Sherry Kissinger <sherrylkissin...@gmail.com>
> *Sent:* Friday, 17 March 2017 4:36 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] Catching up on patching
>
> Todd has a very good point:  windows update agent--if they haven't been
> patching, they possibly haven't been paying attention to their windows
> update agent version.  There are some updates which just don't install or
> detect correctly unless you have the latest WUA.  So research what versions
> of that you have out there, and get that to the latest version; otherwise
> you might be chasing patching installation issues that end up being "latest
> wua required"
>
> On Thu, Mar 16, 2017 at 10:45 AM, Adam Juelich <acjuel...@gmail.com>
> wrote:
>
>> Nope.  Just me, myself, and I.
>>
>> On Thu, Mar 16, 2017 at 10:36 AM, Todd Hemsell <hems...@gmail.com> wrote:
>>
>>> I thought you were with tanium?
>>>
>>>
>>> On Thu, Mar 16, 2017 at 9:17 AM, Daniel Ratliff <dratl...@humana.com>
>>> wrote:
>>>
>>>> Why deploy the convenience rollup as an Application? Why not an update?
>>>>
>>>>
>>>>
>>>> *Daniel Ratliff*
>>>>
>>>>
>>>>
>>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>>> orum.com] *On Behalf Of *Adam Juelich
>>>> *Sent:* Thursday, March 16, 2017 10:07 AM
>>>> *To:* mssms@lists.myitforum.com; Patch Management Mailing List <
>>>> patchmanagem...@listserv.patchmanagement.org>
>>>> *Subject:* [mssms] Catching up on patching
>>>>
>>>>
>>>>
>>>> Hello Everyone,
>>>>
>>>>
>>>>
>>>> A hypothetical scenario for you that I am actually facing, assuming
>>>> Windows 7 SP1:
>>>>
>>>>
>>>>
>>>> What would you do if you came into an environment where patching was
>>>> sparse and erratic over the past few years and documentation and historical
>>>> knowledge was uncertain?
>>>>
>>>>
>>>>
>>>> I was thinking about depl

Re: [mssms] Catching up on patching

[Adam Juelich]

Nope.  Just me, myself, and I.

On Thu, Mar 16, 2017 at 10:36 AM, Todd Hemsell <hems...@gmail.com> wrote:

> I thought you were with tanium?
>
>
> On Thu, Mar 16, 2017 at 9:17 AM, Daniel Ratliff <dratl...@humana.com>
> wrote:
>
>> Why deploy the convenience rollup as an Application? Why not an update?
>>
>>
>>
>> *Daniel Ratliff*
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com] *On Behalf Of *Adam Juelich
>> *Sent:* Thursday, March 16, 2017 10:07 AM
>> *To:* mssms@lists.myitforum.com; Patch Management Mailing List <
>> patchmanagem...@listserv.patchmanagement.org>
>> *Subject:* [mssms] Catching up on patching
>>
>>
>>
>> Hello Everyone,
>>
>>
>>
>> A hypothetical scenario for you that I am actually facing, assuming
>> Windows 7 SP1:
>>
>>
>>
>> What would you do if you came into an environment where patching was
>> sparse and erratic over the past few years and documentation and historical
>> knowledge was uncertain?
>>
>>
>>
>> I was thinking about deploying the Convenience Roll-up as an Application
>> in ConfigMgr.  After that is complete create a Software Update Group for
>> the roll-ups since then.  After that, create the monthly ADRs to stay
>> compliant.
>>
>>
>>
>> Does that sound like a good plan or would you guys attack it in a
>> different manner?
>>
>>
>>
>> Thanks!
>>
>>
>>
>> The information transmitted is intended only for the person or entity to
>> which it is addressed
>> and may contain CONFIDENTIAL material. If you receive this
>> material/information in error,
>> please contact the sender and delete or destroy the material/information.
>>
>>
>
>

Re: [mssms] Defualt "Google Chromo & IE" homepage setup

[Adam Juelich]

Why would you not use a GPO?

In terms of IE, you can use the IEAK.

In terms of Chrome, there are Preference files that you can manipulate and
copy down/overwrite.

On Wed, Mar 15, 2017 at 12:19 PM, Kevin Ray  wrote:

> Hi All,
>
> In reference image i have set Chromo and IE to my custom homepage,
>
> When i captured the image its not sticked and changes are not showing
>
> Is their any way I setup Homepage on chromo and IE to my custom
> homepage(not with GPO).Can i add any script or any step in task sequence ?
>
>

[mssms] Catching up on patching

[Adam Juelich]

Hello Everyone,

A hypothetical scenario for you that I am actually facing, assuming Windows
7 SP1:

What would you do if you came into an environment where patching was sparse
and erratic over the past few years and documentation and historical
knowledge was uncertain?

I was thinking about deploying the Convenience Roll-up as an Application in
ConfigMgr.  After that is complete create a Software Update Group for the
roll-ups since then.  After that, create the monthly ADRs to stay compliant.

Does that sound like a good plan or would you guys attack it in a different
manner?

Thanks!

Re: [mssms] Re: CM 1606hf2 SUP Setup

[Adam Juelich]

Did you do the following, as one of the Hotfixes references?

Update enables ESD decryption provision in WSUS in Windows Server 2012 and
Windows Server 2012 R2
<https://support.microsoft.com/en-us/help/3159706/update-enables-esd-decryption-provision-in-wsus-in-windows-server-2012-and-windows-server-2012-r2>

On Tue, Mar 14, 2017 at 8:47 AM, David Jones <dkjones9...@gmail.com> wrote:

> Yes changed the policy back to Yes last week.  SUP is on Server 2012R2
>
> On Tue, Mar 14, 2017 at 9:30 AM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Assuming you changed it back, no.
>>
>>
>> Again...which version of Server is your SUP on?
>>
>> On Tue, Mar 14, 2017 at 8:13 AM, Adam Juelich <acjuel...@gmail.com>
>> wrote:
>>
>>> No, you shouldn't.  Which version of Server is your SUP on?  If it is
>>> older than 2016, there are steps in addition to the hotfixes that you must
>>> perform.  The details should be on their associated KB article.
>>>
>>> On Tue, Mar 14, 2017 at 6:30 AM, David Jones <dkjones9...@gmail.com>
>>> wrote:
>>>
>>>> Upgrades are checked. Checked it last Friday after installing the 2
>>>> hotfixes it called for.  The server version is 2012R2 and SQL is 2014
>>>> (12.0.5203).  SUP is on the Primary with SCCM and SQL.  Do you have to have
>>>> a Win10 servicing plan for upgrades to show up? Is there an Update and
>>>> Servicing Feature that needs to be installed?
>>>>
>>>>
>>>> [image: Inline image 1]
>>>> [image: Inline image 2]
>>>>
>>>>
>>>> On Mon, Mar 13, 2017 at 4:03 PM, Adam Juelich <acjuel...@gmail.com>
>>>> wrote:
>>>>
>>>>> Have you enabled 'Upgrades' under your SUP Classifications?
>>>>>
>>>>> On Mon, Mar 13, 2017 at 3:01 PM, Adam Juelich <acjuel...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> What Server Version is your SUP on?
>>>>>>
>>>>>> On Mon, Mar 13, 2017 at 2:27 PM, David Jones <dkjones9...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I am so used to our using Pro instead of Enterprise that I never
>>>>>>> think of it. Does Windows 10 Servicing even work for Windows 10 Pro?
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Mar 13, 2017 at 3:00 PM, David Jones <dkjones9...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I haven't setup or used SUP in 3 1/2 years. I suspect I am either
>>>>>>>> doing something simple incorrectly or some new feature is spanking me.
>>>>>>>>
>>>>>>>> I have installed WSUS with SSL (8530/1). I have installed the SUP
>>>>>>>> roles and setup products and classifications. It has downloaded 3584
>>>>>>>> updates but no Windows 10 updates under windows 10 servicing.  I 
>>>>>>>> thought we
>>>>>>>> were never going to do SUP so I disabled that in client settings a 
>>>>>>>> couple
>>>>>>>> of years ago. I re-enabled it last week. HW/SW inventories are 1 day. 
>>>>>>>> WSUS
>>>>>>>> sync sched is 1 day for now.  I have set both SUP re-eval and scan to 
>>>>>>>> 1 day
>>>>>>>> for now. Summarization is set to 1 day for now.  Have created no SUP 
>>>>>>>> groups
>>>>>>>> or packages yet. Only one Primary pointing to MS Updates. We have a
>>>>>>>> thousand win 10 computers.
>>>>>>>> so...
>>>>>>>> 1. Why no Win10 updates under Windows 10 Servicing?
>>>>>>>> 2. Why no numbers under Required after the updates in All Software
>>>>>>>> Updates?
>>>>>>>>
>>>>>>>>
>>>>>>>> [image: Inline image 1]
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

Re: [mssms] Re: CM 1606hf2 SUP Setup

[Adam Juelich]

Assuming you changed it back, no.


Again...which version of Server is your SUP on?

On Tue, Mar 14, 2017 at 8:13 AM, Adam Juelich <acjuel...@gmail.com> wrote:

> No, you shouldn't.  Which version of Server is your SUP on?  If it is
> older than 2016, there are steps in addition to the hotfixes that you must
> perform.  The details should be on their associated KB article.
>
> On Tue, Mar 14, 2017 at 6:30 AM, David Jones <dkjones9...@gmail.com>
> wrote:
>
>> Upgrades are checked. Checked it last Friday after installing the 2
>> hotfixes it called for.  The server version is 2012R2 and SQL is 2014
>> (12.0.5203).  SUP is on the Primary with SCCM and SQL.  Do you have to have
>> a Win10 servicing plan for upgrades to show up? Is there an Update and
>> Servicing Feature that needs to be installed?
>>
>>
>> [image: Inline image 1]
>> [image: Inline image 2]
>>
>>
>> On Mon, Mar 13, 2017 at 4:03 PM, Adam Juelich <acjuel...@gmail.com>
>> wrote:
>>
>>> Have you enabled 'Upgrades' under your SUP Classifications?
>>>
>>> On Mon, Mar 13, 2017 at 3:01 PM, Adam Juelich <acjuel...@gmail.com>
>>> wrote:
>>>
>>>> What Server Version is your SUP on?
>>>>
>>>> On Mon, Mar 13, 2017 at 2:27 PM, David Jones <dkjones9...@gmail.com>
>>>> wrote:
>>>>
>>>>> I am so used to our using Pro instead of Enterprise that I never think
>>>>> of it. Does Windows 10 Servicing even work for Windows 10 Pro?
>>>>>
>>>>>
>>>>> On Mon, Mar 13, 2017 at 3:00 PM, David Jones <dkjones9...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I haven't setup or used SUP in 3 1/2 years. I suspect I am either
>>>>>> doing something simple incorrectly or some new feature is spanking me.
>>>>>>
>>>>>> I have installed WSUS with SSL (8530/1). I have installed the SUP
>>>>>> roles and setup products and classifications. It has downloaded 3584
>>>>>> updates but no Windows 10 updates under windows 10 servicing.  I thought 
>>>>>> we
>>>>>> were never going to do SUP so I disabled that in client settings a couple
>>>>>> of years ago. I re-enabled it last week. HW/SW inventories are 1 day. 
>>>>>> WSUS
>>>>>> sync sched is 1 day for now.  I have set both SUP re-eval and scan to 1 
>>>>>> day
>>>>>> for now. Summarization is set to 1 day for now.  Have created no SUP 
>>>>>> groups
>>>>>> or packages yet. Only one Primary pointing to MS Updates. We have a
>>>>>> thousand win 10 computers.
>>>>>> so...
>>>>>> 1. Why no Win10 updates under Windows 10 Servicing?
>>>>>> 2. Why no numbers under Required after the updates in All Software
>>>>>> Updates?
>>>>>>
>>>>>>
>>>>>> [image: Inline image 1]
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>

Re: [mssms] Re: CM 1606hf2 SUP Setup

[Adam Juelich]

No, you shouldn't.  Which version of Server is your SUP on?  If it is older
than 2016, there are steps in addition to the hotfixes that you must
perform.  The details should be on their associated KB article.

On Tue, Mar 14, 2017 at 6:30 AM, David Jones <dkjones9...@gmail.com> wrote:

> Upgrades are checked. Checked it last Friday after installing the 2
> hotfixes it called for.  The server version is 2012R2 and SQL is 2014
> (12.0.5203).  SUP is on the Primary with SCCM and SQL.  Do you have to have
> a Win10 servicing plan for upgrades to show up? Is there an Update and
> Servicing Feature that needs to be installed?
>
>
> [image: Inline image 1]
> [image: Inline image 2]
>
>
> On Mon, Mar 13, 2017 at 4:03 PM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Have you enabled 'Upgrades' under your SUP Classifications?
>>
>> On Mon, Mar 13, 2017 at 3:01 PM, Adam Juelich <acjuel...@gmail.com>
>> wrote:
>>
>>> What Server Version is your SUP on?
>>>
>>> On Mon, Mar 13, 2017 at 2:27 PM, David Jones <dkjones9...@gmail.com>
>>> wrote:
>>>
>>>> I am so used to our using Pro instead of Enterprise that I never think
>>>> of it. Does Windows 10 Servicing even work for Windows 10 Pro?
>>>>
>>>>
>>>> On Mon, Mar 13, 2017 at 3:00 PM, David Jones <dkjones9...@gmail.com>
>>>> wrote:
>>>>
>>>>> I haven't setup or used SUP in 3 1/2 years. I suspect I am either
>>>>> doing something simple incorrectly or some new feature is spanking me.
>>>>>
>>>>> I have installed WSUS with SSL (8530/1). I have installed the SUP
>>>>> roles and setup products and classifications. It has downloaded 3584
>>>>> updates but no Windows 10 updates under windows 10 servicing.  I thought 
>>>>> we
>>>>> were never going to do SUP so I disabled that in client settings a couple
>>>>> of years ago. I re-enabled it last week. HW/SW inventories are 1 day. WSUS
>>>>> sync sched is 1 day for now.  I have set both SUP re-eval and scan to 1 
>>>>> day
>>>>> for now. Summarization is set to 1 day for now.  Have created no SUP 
>>>>> groups
>>>>> or packages yet. Only one Primary pointing to MS Updates. We have a
>>>>> thousand win 10 computers.
>>>>> so...
>>>>> 1. Why no Win10 updates under Windows 10 Servicing?
>>>>> 2. Why no numbers under Required after the updates in All Software
>>>>> Updates?
>>>>>
>>>>>
>>>>> [image: Inline image 1]
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>
>

Re: [mssms] Re: CM 1606hf2 SUP Setup

[Adam Juelich]

What Server Version is your SUP on?

On Mon, Mar 13, 2017 at 2:27 PM, David Jones  wrote:

> I am so used to our using Pro instead of Enterprise that I never think of
> it. Does Windows 10 Servicing even work for Windows 10 Pro?
>
>
> On Mon, Mar 13, 2017 at 3:00 PM, David Jones 
> wrote:
>
>> I haven't setup or used SUP in 3 1/2 years. I suspect I am either doing
>> something simple incorrectly or some new feature is spanking me.
>>
>> I have installed WSUS with SSL (8530/1). I have installed the SUP roles
>> and setup products and classifications. It has downloaded 3584 updates but
>> no Windows 10 updates under windows 10 servicing.  I thought we were never
>> going to do SUP so I disabled that in client settings a couple of years
>> ago. I re-enabled it last week. HW/SW inventories are 1 day. WSUS sync
>> sched is 1 day for now.  I have set both SUP re-eval and scan to 1 day for
>> now. Summarization is set to 1 day for now.  Have created no SUP groups or
>> packages yet. Only one Primary pointing to MS Updates. We have a thousand
>> win 10 computers.
>> so...
>> 1. Why no Win10 updates under Windows 10 Servicing?
>> 2. Why no numbers under Required after the updates in All Software
>> Updates?
>>
>>
>> [image: Inline image 1]
>>
>
>
>

Re: [mssms] Re: CM 1606hf2 SUP Setup

[Adam Juelich]

Have you enabled 'Upgrades' under your SUP Classifications?

On Mon, Mar 13, 2017 at 3:01 PM, Adam Juelich <acjuel...@gmail.com> wrote:

> What Server Version is your SUP on?
>
> On Mon, Mar 13, 2017 at 2:27 PM, David Jones <dkjones9...@gmail.com>
> wrote:
>
>> I am so used to our using Pro instead of Enterprise that I never think of
>> it. Does Windows 10 Servicing even work for Windows 10 Pro?
>>
>>
>> On Mon, Mar 13, 2017 at 3:00 PM, David Jones <dkjones9...@gmail.com>
>> wrote:
>>
>>> I haven't setup or used SUP in 3 1/2 years. I suspect I am either doing
>>> something simple incorrectly or some new feature is spanking me.
>>>
>>> I have installed WSUS with SSL (8530/1). I have installed the SUP roles
>>> and setup products and classifications. It has downloaded 3584 updates but
>>> no Windows 10 updates under windows 10 servicing.  I thought we were never
>>> going to do SUP so I disabled that in client settings a couple of years
>>> ago. I re-enabled it last week. HW/SW inventories are 1 day. WSUS sync
>>> sched is 1 day for now.  I have set both SUP re-eval and scan to 1 day for
>>> now. Summarization is set to 1 day for now.  Have created no SUP groups or
>>> packages yet. Only one Primary pointing to MS Updates. We have a thousand
>>> win 10 computers.
>>> so...
>>> 1. Why no Win10 updates under Windows 10 Servicing?
>>> 2. Why no numbers under Required after the updates in All Software
>>> Updates?
>>>
>>>
>>> [image: Inline image 1]
>>>
>>
>>
>>
>

Re: [mssms] windows 10 OS Build Licence question

[Adam Juelich]

Yes.  Windows ones are backwards compatible for many OS's but I believe
Office is not.

On Sat, Mar 11, 2017 at 9:52 AM, Kevin Ray <kevinalive...@gmail.com> wrote:

> thanks All, I will go for KMS server.. Can i use the same KMS Server for
> Office License also ?
>
> On Fri, Mar 10, 2017 at 7:51 PM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Installing Volume Activation Services Role in Windows Server 2012 to
>> setup a KMS Host
>> <https://blogs.technet.microsoft.com/askcore/2013/03/14/installing-volume-activation-services-role-in-windows-server-2012-to-setup-a-kms-host/>
>>
>> On Fri, Mar 10, 2017 at 3:53 PM, Eric Morrison <eric.morri...@outlook.com
>> > wrote:
>>
>>> I just rolled out a 2016 KMS server and used SLMGR.VBS still. I don’t
>>> believe there is a role for KMS, it’s all tied to the license key you
>>> activate the server with.
>>>
>>>
>>>
>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>> orum.com] *On Behalf Of *Adam Juelich
>>> *Sent:* Friday, March 10, 2017 3:44 PM
>>> *To:* mssms@lists.myitforum.com
>>>
>>> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>>>
>>>
>>>
>>> With Server 2012 and newer, isn't there actually a Role/Feature that
>>> walks you through it?  I don't even know if you need to utilize those
>>> scripts any longer.
>>>
>>>
>>>
>>> On Fri, Mar 10, 2017 at 3:26 PM, Eric Morrison <
>>> eric.morri...@outlook.com> wrote:
>>>
>>> This should help: http://www.techieshelp.com/ste
>>> p-by-step-guide-to-setup-kms/
>>>
>>>
>>>
>>>
>>>
>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>> orum.com] *On Behalf Of *Kevin Ray
>>> *Sent:* Friday, March 10, 2017 3:16 PM
>>>
>>>
>>> *To:* mssms <mssms@lists.myitforum.com>
>>> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>>>
>>>
>>>
>>> I have never done and i have windows server 2016 which has DC/DNS..
>>>
>>>
>>>
>>> is their any guide for installation and configuration .. I will try in
>>> my Lab then I will go for Prod
>>>
>>>
>>>
>>> On Fri, Mar 10, 2017 at 2:43 PM, Jason Sandys <ja...@sandys.us> wrote:
>>>
>>> Why would you not want to use a KMS? MAK keys make everything more
>>> difficult. Settings up a KMS is drop-dead easy and requires no additional
>>> infrastructure as most folks use existing DCs, DNS servers, or other
>>> existing infrastructure systems. Not using a KMS makes no sense honestly in
>>> almost all scenarios.
>>>
>>>
>>>
>>> J
>>>
>>>
>>>
>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>> orum.com] *On Behalf Of *Kent, Mark
>>> *Sent:* Friday, March 10, 2017 10:51 AM
>>> *To:* mssms@lists.myitforum.com
>>> *Subject:* RE: [mssms] windows 10 OS Build Licence question
>>>
>>>
>>>
>>> Yes, that’ll do it.  Usually when you get a MAK key it will tell you how
>>> many activations you have.  You may have to keep an eye on it in case you
>>> run over that number.
>>>
>>>
>>>
>>> Mark Kent
>>>
>>> Manager, Client Systems Engineering
>>>
>>> Technology Support Services
>>>
>>> Resources for Information, Technology and Education (RITE)
>>>
>>> http://rite.buffalostate.edu
>>>
>>>
>>>
>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>> orum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Kevin Ray
>>> *Sent:* Friday, March 10, 2017 11:40 AM
>>> *To:* mssms <mssms@lists.myitforum.com>
>>> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>>>
>>>
>>>
>>> thanks for the information
>>>
>>>
>>>
>>>  if i don't want to setup a KMS server, If my sales people provide the
>>> MAK Key(from Microsoft they will get it i hope)..
>>>
>>>
>>>
>>> in below Task sequence step at "Applying windows Settings" do i need to
>>> provide.. .. So this 1 single MAK will get activated to all my machines
>>> (yes based my company purchased license count )  or  any other things do i
>>> need to do if i don

Re: [mssms] windows 10 OS Build Licence question

[Adam Juelich]

Installing Volume Activation Services Role in Windows Server 2012 to setup
a KMS Host
<https://blogs.technet.microsoft.com/askcore/2013/03/14/installing-volume-activation-services-role-in-windows-server-2012-to-setup-a-kms-host/>

On Fri, Mar 10, 2017 at 3:53 PM, Eric Morrison <eric.morri...@outlook.com>
wrote:

> I just rolled out a 2016 KMS server and used SLMGR.VBS still. I don’t
> believe there is a role for KMS, it’s all tied to the license key you
> activate the server with.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Friday, March 10, 2017 3:44 PM
> *To:* mssms@lists.myitforum.com
>
> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>
>
>
> With Server 2012 and newer, isn't there actually a Role/Feature that walks
> you through it?  I don't even know if you need to utilize those scripts any
> longer.
>
>
>
> On Fri, Mar 10, 2017 at 3:26 PM, Eric Morrison <eric.morri...@outlook.com>
> wrote:
>
> This should help: http://www.techieshelp.com/step-by-step-guide-to-setup-
> kms/
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kevin Ray
> *Sent:* Friday, March 10, 2017 3:16 PM
>
>
> *To:* mssms <mssms@lists.myitforum.com>
> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>
>
>
> I have never done and i have windows server 2016 which has DC/DNS..
>
>
>
> is their any guide for installation and configuration .. I will try in my
> Lab then I will go for Prod
>
>
>
> On Fri, Mar 10, 2017 at 2:43 PM, Jason Sandys <ja...@sandys.us> wrote:
>
> Why would you not want to use a KMS? MAK keys make everything more
> difficult. Settings up a KMS is drop-dead easy and requires no additional
> infrastructure as most folks use existing DCs, DNS servers, or other
> existing infrastructure systems. Not using a KMS makes no sense honestly in
> almost all scenarios.
>
>
>
> J
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kent, Mark
> *Sent:* Friday, March 10, 2017 10:51 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] windows 10 OS Build Licence question
>
>
>
> Yes, that’ll do it.  Usually when you get a MAK key it will tell you how
> many activations you have.  You may have to keep an eye on it in case you
> run over that number.
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Kevin Ray
> *Sent:* Friday, March 10, 2017 11:40 AM
> *To:* mssms <mssms@lists.myitforum.com>
> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>
>
>
> thanks for the information
>
>
>
>  if i don't want to setup a KMS server, If my sales people provide the MAK
> Key(from Microsoft they will get it i hope)..
>
>
>
> in below Task sequence step at "Applying windows Settings" do i need to
> provide.. .. So this 1 single MAK will get activated to all my machines
> (yes based my company purchased license count )  or  any other things do i
> need to do if i don't want to go for KMS?
>
>
>
> [image: Inline image 1]
>
>
>
> On Fri, Mar 10, 2017 at 10:51 AM, Kent, Mark <ken...@buffalostate.edu>
> wrote:
>
> If you have a volume version it will prefer to get a license from a KMS
> server that you will have to setup in our environment.  Once you have the
> KMS server setup, there is nothing you need to do.  The OS will seek out a
> KMS server for activation and when found, will do everything automagically.
>
>
>
> If you do not have a volume license, or do not feel like setting up a KMS
> server, you will need MAK key.  With that you can either manually put in
> the MAK key or use it during a task sequence deployment, if you are using
> SCCM or MDT for deployment, you can populate the key field and it will
> install the key during deployment.
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kevin Ray
> *Sent:* Friday, March 10, 2017 10:36 AM
> *To:* mssms <mssms@lists.myitforum.com>
> *

Re: [mssms] windows 10 OS Build Licence question

[Adam Juelich]

With Server 2012 and newer, isn't there actually a Role/Feature that walks
you through it?  I don't even know if you need to utilize those scripts any
longer.

On Fri, Mar 10, 2017 at 3:26 PM, Eric Morrison 
wrote:

> This should help: http://www.techieshelp.com/step-by-step-guide-to-setup-
> kms/
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kevin Ray
> *Sent:* Friday, March 10, 2017 3:16 PM
>
> *To:* mssms 
> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>
>
>
> I have never done and i have windows server 2016 which has DC/DNS..
>
>
>
> is their any guide for installation and configuration .. I will try in my
> Lab then I will go for Prod
>
>
>
> On Fri, Mar 10, 2017 at 2:43 PM, Jason Sandys  wrote:
>
> Why would you not want to use a KMS? MAK keys make everything more
> difficult. Settings up a KMS is drop-dead easy and requires no additional
> infrastructure as most folks use existing DCs, DNS servers, or other
> existing infrastructure systems. Not using a KMS makes no sense honestly in
> almost all scenarios.
>
>
>
> J
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kent, Mark
> *Sent:* Friday, March 10, 2017 10:51 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] windows 10 OS Build Licence question
>
>
>
> Yes, that’ll do it.  Usually when you get a MAK key it will tell you how
> many activations you have.  You may have to keep an eye on it in case you
> run over that number.
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Kevin Ray
> *Sent:* Friday, March 10, 2017 11:40 AM
> *To:* mssms 
> *Subject:* Re: [mssms] windows 10 OS Build Licence question
>
>
>
> thanks for the information
>
>
>
>  if i don't want to setup a KMS server, If my sales people provide the MAK
> Key(from Microsoft they will get it i hope)..
>
>
>
> in below Task sequence step at "Applying windows Settings" do i need to
> provide.. .. So this 1 single MAK will get activated to all my machines
> (yes based my company purchased license count )  or  any other things do i
> need to do if i don't want to go for KMS?
>
>
>
> [image: Inline image 1]
>
>
>
> On Fri, Mar 10, 2017 at 10:51 AM, Kent, Mark 
> wrote:
>
> If you have a volume version it will prefer to get a license from a KMS
> server that you will have to setup in our environment.  Once you have the
> KMS server setup, there is nothing you need to do.  The OS will seek out a
> KMS server for activation and when found, will do everything automagically.
>
>
>
> If you do not have a volume license, or do not feel like setting up a KMS
> server, you will need MAK key.  With that you can either manually put in
> the MAK key or use it during a task sequence deployment, if you are using
> SCCM or MDT for deployment, you can populate the key field and it will
> install the key during deployment.
>
>
>
> Mark Kent
>
> Manager, Client Systems Engineering
>
> Technology Support Services
>
> Resources for Information, Technology and Education (RITE)
>
> http://rite.buffalostate.edu
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kevin Ray
> *Sent:* Friday, March 10, 2017 10:36 AM
> *To:* mssms 
> *Subject:* [mssms] windows 10 OS Build Licence question
>
>
>
> Hi All,
>
>
>
> I'm new to License part. I have done is Got the Windows ISO from My sales
> team who has downloaded from Microsoft website...
>
>
>
> Then i have taken the ISO and did the customization and deployed for
> pre-pilot machines..
>
>
>
> showing as Windows is not activated...
>
>
>
> So How it will get activated .. I would like to know more about on this..
> is their any thing I need to machine in image preparation ? or we should
> some  server in my environment to activate it ?
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

Re: [mssms] Applications stuck in Software Center

[Adam Juelich]

I think I MAY have figured it out.  It looks like I had an errant
requirement got added that could never be fulfilled.  The Application still
showed in the App Catalog, just not in Software Center.

I think initially WMI got corrupt on these two test boxes somehow and this
was just icing on the cake as to trying to resolve that.

I will report back on whether this did the trick or not.

Thanks, everyone!

On Tue, Mar 7, 2017 at 3:42 PM, Sherry Kissinger <sherrylkissin...@gmail.com
> wrote:

> Just thinking of a possible scenario.  You don't list the Detection
> Method, or the requirements, or the user experience.
> Is the Detection Method the MSI?
> and then... you are deploying MULTIPLE versions of "the same MSI, just
> with a different switch"... to the SAME machines/Users?
> So... when I, Machine #1, receive multiple policies, where the detection
> method for all of them is "MSI GUID {39204756-5C62-4483-AAA0-9FFBD92B8273}
> ... would I be confused based on the Requested policies... what I should
> actually list in Actual Policies, and list in Software center?  ...Maybe...
>
> Just a possibility... it's not something I've tested personally.
>
> On Tue, Mar 7, 2017 at 1:35 PM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Hah!  I wish it was something exciting!
>>
>> It is Faronics Insight software.  Basically lab management software for
>> instructors.  Each application is the same installer, just has a different
>> switch so that other Teacher machines can't discover labs or machines from
>> other buildings if that makes sense.
>>
>> I can only see it in the Application Catalog.  It will not show in
>> Software Center whether I do a User or Device-based Deployment.
>>
>> On CB 1610 with New Software Center.  It seems that everything else I am,
>> and have been, deploying is showing correctly at this moment.
>>
>> [image: Inline image 1]
>>
>> On Tue, Mar 7, 2017 at 12:55 PM, Sherry Kissinger <
>> sherrylkissin...@gmail.com> wrote:
>>
>>> fun!  what are they?  anything sensitive about them that you can't send
>>> screen shots (or take screen shots and edit out servernames, etc) ?  Maybe
>>> someone here will notice the missing comma or something like that.  :)
>>>
>>> On Tue, Mar 7, 2017 at 10:02 AM, Adam Juelich <acjuel...@gmail.com>
>>> wrote:
>>>
>>>> Thanks.
>>>>
>>>> I ended up imaging the machines.  Things look fine except for two
>>>> Applications.  These were the ones I was working on when I had issues
>>>> initially.  No matter what I do, I cannot get them to show up in Software
>>>> Center.Device or User Deployment.  I've 'retired' them and
>>>> 'deleted' and created them anew and nothing
>>>>
>>>>
>>>> On Tue, Mar 7, 2017 at 9:12 AM, Andrew Sanders <apsan...@uncg.edu>
>>>> wrote:
>>>>
>>>>> I had this same issue a few months ago with hung deployments. Totally
>>>>> deleting the application also did not work, and only created more 
>>>>> problems.
>>>>> I reset the client on the affected machines, which fixed the issue. I'm 
>>>>> not
>>>>> exactly sure how you could run this command on a bunch of machines at 
>>>>> once.
>>>>> We had a separate agent on the system that we could use to remotely 
>>>>> execute
>>>>> commands, so I used that. It also seemed like it took 30 minutes to an 
>>>>> hour
>>>>> for the SCCM client to totally resync and get back to working correctly.
>>>>>
>>>>> To reset the client, run this command:
>>>>> wmic /namespace:\\root\ccm path SMS_Client CALL ResetPolicy 1
>>>>> /NOINTERACTIVE
>>>>>
>>>>>
>>>>> On Tue, Mar 7, 2017 at 9:30 AM, Adam Juelich <acjuel...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Still having issues.  I see the Applications correctly in the
>>>>>> Application Catalog but they do not show in Software Center even though 
>>>>>> I'm
>>>>>> using the New Software Center and have been for months.  The only thing I
>>>>>> was doing when this started with copying several Applications, and
>>>>>> modifying/renaming them and distributing them.
>>>>>>
>>>>>> Under Site Status there is a 'Critical' on 'Application Web Service
>>>>>> Point' but no errors show up and the last one

Re: [mssms] Applications stuck in Software Center

[Adam Juelich]

Thanks.

I ended up imaging the machines.  Things look fine except for two
Applications.  These were the ones I was working on when I had issues
initially.  No matter what I do, I cannot get them to show up in Software
Center.Device or User Deployment.  I've 'retired' them and
'deleted' and created them anew and nothing


On Tue, Mar 7, 2017 at 9:12 AM, Andrew Sanders <apsan...@uncg.edu> wrote:

> I had this same issue a few months ago with hung deployments. Totally
> deleting the application also did not work, and only created more problems.
> I reset the client on the affected machines, which fixed the issue. I'm not
> exactly sure how you could run this command on a bunch of machines at once.
> We had a separate agent on the system that we could use to remotely execute
> commands, so I used that. It also seemed like it took 30 minutes to an hour
> for the SCCM client to totally resync and get back to working correctly.
>
> To reset the client, run this command:
> wmic /namespace:\\root\ccm path SMS_Client CALL ResetPolicy 1
> /NOINTERACTIVE
>
>
> On Tue, Mar 7, 2017 at 9:30 AM, Adam Juelich <acjuel...@gmail.com> wrote:
>
>> Still having issues.  I see the Applications correctly in the Application
>> Catalog but they do not show in Software Center even though I'm using the
>> New Software Center and have been for months.  The only thing I was doing
>> when this started with copying several Applications, and modifying/renaming
>> them and distributing them.
>>
>> Under Site Status there is a 'Critical' on 'Application Web Service
>> Point' but no errors show up and the last ones I saw were in relation to a
>> WSUS Sync Failure.  I did reinstall the Application Catalog roles to no
>> avail.
>>
>> Any ideas?  Otherwise it looks like I'll be opening up a case with
>> MSFT
>>
>> Thanks.
>>
>> On Fri, Mar 3, 2017 at 2:02 PM, Adam Juelich <acjuel...@gmail.com> wrote:
>>
>>> Unfortunately, that does not appear to have worked.
>>>
>>> We had two DP's.  We didn't really need the second one but I kept it
>>> there for redundancy until we decided how to re-design the environment.
>>> Found out the content storage for DP1 was 2TB and 300GB on the second.  I
>>> just removed the second DP and there hasn't been a change.  There were
>>> errors a few weeks back in regards to distributing larger SUG Packages but
>>> that was due to the low storage amount on DP2.
>>>
>>>
>>>
>>> On Fri, Mar 3, 2017 at 1:20 PM, Pewterbaugh, Josiah P. <
>>> jpewterba...@mcguirewoods.com> wrote:
>>>
>>>> I had a similar issue. If you ‘retire’ the application and run policy
>>>> updates does that fix it?
>>>>
>>>>
>>>>
>>>> Thanks,
>>>>
>>>>
>>>>
>>>> *Josiah P. Pewterbaugh*
>>>> T: +1 804 775 7657 <(804)%20775-7657>
>>>>
>>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>>> orum.com] *On Behalf Of *Adam Juelich
>>>> *Sent:* Friday, March 3, 2017 1:08 PM
>>>> *To:* mssms@lists.myitforum.com
>>>> *Subject:* [mssms] Applications stuck in Software Center
>>>>
>>>>
>>>>
>>>> Hello Everyone,
>>>>
>>>>
>>>>
>>>> On ConfigMgr CB 1610 on Server 2012 R2.
>>>>
>>>>
>>>>
>>>> I'm seeing a weird issue where Applications are remaining in Software
>>>> Center long after the deployment has been deleted.  This is applying to
>>>> both Device and User-Based Deployments.
>>>>
>>>>
>>>>
>>>> Looking under Site Status I do have a 'Critical' for 'Application
>>>> Catalog web service point.'
>>>>
>>>>
>>>>
>>>> This is the error I see there:
>>>>
>>>>
>>>>
>>>> *Microsoft SQL Server reported SQL message 547, severity 16:
>>>> [23000][547][Microsoft][SQL Server Native Client 11.0][SQL Server]The
>>>> INSERT statement conflicted with the FOREIGN KEY constraint
>>>> "Intel_AMT_ConfigurationInfo_RootCertificates_Certificate_3_DATA_FK". The
>>>> conflict occurred in database "CM_KSD", table "dbo*
>>>>
>>>>
>>>>
>>>> SQL is currently on a different Server than the Site Server, which is
>>>> something I need to change but it is what it is right now.
>>>>
>>>>
>>>>
>>>> Any recommendations on what I can look further into?
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> --
>>>> *This e-mail from McGuireWoods may contain confidential or privileged
>>>> information. If you are not the intended recipient, please advise by return
>>>> e-mail and delete immediately without reading or forwarding to others.*
>>>>
>>>>
>>>
>>>
>>
>>
>
>
> --
> *Andrew Sanders* | *IT Manager, Client Computing **Architecture*
> Systems & Networks | Information Technology Services | The University of
> North Carolina at Greensboro
> (336) 334-5028 (p) | (336) 334-5932 (f)
> 107A McNutt Center | 1400 Spring Garden Street | Greensboro, NC | 27403
> apsan...@uncg.edu | http://its.uncg.edu
> Microsoft Certified IT Professional | Microsoft Certified Technical
> Specialist
>
>
>
>
>

Re: [mssms] Applications stuck in Software Center

[Adam Juelich]

Still having issues.  I see the Applications correctly in the Application
Catalog but they do not show in Software Center even though I'm using the
New Software Center and have been for months.  The only thing I was doing
when this started with copying several Applications, and modifying/renaming
them and distributing them.

Under Site Status there is a 'Critical' on 'Application Web Service Point'
but no errors show up and the last ones I saw were in relation to a WSUS
Sync Failure.  I did reinstall the Application Catalog roles to no avail.

Any ideas?  Otherwise it looks like I'll be opening up a case with MSFT

Thanks.

On Fri, Mar 3, 2017 at 2:02 PM, Adam Juelich <acjuel...@gmail.com> wrote:

> Unfortunately, that does not appear to have worked.
>
> We had two DP's.  We didn't really need the second one but I kept it there
> for redundancy until we decided how to re-design the environment.  Found
> out the content storage for DP1 was 2TB and 300GB on the second.  I just
> removed the second DP and there hasn't been a change.  There were errors a
> few weeks back in regards to distributing larger SUG Packages but that was
> due to the low storage amount on DP2.
>
>
>
> On Fri, Mar 3, 2017 at 1:20 PM, Pewterbaugh, Josiah P. <
> jpewterba...@mcguirewoods.com> wrote:
>
>> I had a similar issue. If you ‘retire’ the application and run policy
>> updates does that fix it?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> *Josiah P. Pewterbaugh*
>> T: +1 804 775 7657 <(804)%20775-7657>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com] *On Behalf Of *Adam Juelich
>> *Sent:* Friday, March 3, 2017 1:08 PM
>> *To:* mssms@lists.myitforum.com
>> *Subject:* [mssms] Applications stuck in Software Center
>>
>>
>>
>> Hello Everyone,
>>
>>
>>
>> On ConfigMgr CB 1610 on Server 2012 R2.
>>
>>
>>
>> I'm seeing a weird issue where Applications are remaining in Software
>> Center long after the deployment has been deleted.  This is applying to
>> both Device and User-Based Deployments.
>>
>>
>>
>> Looking under Site Status I do have a 'Critical' for 'Application Catalog
>> web service point.'
>>
>>
>>
>> This is the error I see there:
>>
>>
>>
>> *Microsoft SQL Server reported SQL message 547, severity 16:
>> [23000][547][Microsoft][SQL Server Native Client 11.0][SQL Server]The
>> INSERT statement conflicted with the FOREIGN KEY constraint
>> "Intel_AMT_ConfigurationInfo_RootCertificates_Certificate_3_DATA_FK". The
>> conflict occurred in database "CM_KSD", table "dbo*
>>
>>
>>
>> SQL is currently on a different Server than the Site Server, which is
>> something I need to change but it is what it is right now.
>>
>>
>>
>> Any recommendations on what I can look further into?
>>
>>
>>
>> Thanks!
>>
>>
>> --
>> *This e-mail from McGuireWoods may contain confidential or privileged
>> information. If you are not the intended recipient, please advise by return
>> e-mail and delete immediately without reading or forwarding to others.*
>>
>>
>
>

Re: [mssms] Managing a Surface Hub with ConfigMgr

[Adam Juelich]

Someone else asked this same question a month or so ago.  I don't think it
was ever resolved.  He was unable to utilize the ConfigMgr Client on it.

On Sun, Mar 5, 2017 at 4:49 PM, Corkill, Daniel <
danielcork...@logan.qld.gov.au> wrote:

> Can this be done? In the documentation it only talks about using MDM or
> ConfigMgr w/ Intune. Can I install the ConfigMgr client on this thing and
> manage it normally?
>
>
>
> Daniel.
>
>
> *
> The contents of this email message and any attachments are intended only for 
> the addressee and may be confidential, private or the subject of copyright. 
> If you have received this email in error please notify Logan City Council, by 
> replying to the sender or calling +61 7 3412 3412 <+61%207%203412%203412>  
> and delete all copies of the e-mail and any attachments.
>
> To view Logan City Council's Privacy Collection Notice, please visit 
> www.logan.qld.gov.au or click on the following link 
> http://www.logan.qld.gov.au/home/terms-of-use.
>
>
>
>
>

Re: [mssms] Applications stuck in Software Center

[Adam Juelich]

Unfortunately, that does not appear to have worked.

We had two DP's.  We didn't really need the second one but I kept it there
for redundancy until we decided how to re-design the environment.  Found
out the content storage for DP1 was 2TB and 300GB on the second.  I just
removed the second DP and there hasn't been a change.  There were errors a
few weeks back in regards to distributing larger SUG Packages but that was
due to the low storage amount on DP2.



On Fri, Mar 3, 2017 at 1:20 PM, Pewterbaugh, Josiah P. <
jpewterba...@mcguirewoods.com> wrote:

> I had a similar issue. If you ‘retire’ the application and run policy
> updates does that fix it?
>
>
>
> Thanks,
>
>
>
> *Josiah P. Pewterbaugh*
> T: +1 804 775 7657 <(804)%20775-7657>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Friday, March 3, 2017 1:08 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Applications stuck in Software Center
>
>
>
> Hello Everyone,
>
>
>
> On ConfigMgr CB 1610 on Server 2012 R2.
>
>
>
> I'm seeing a weird issue where Applications are remaining in Software
> Center long after the deployment has been deleted.  This is applying to
> both Device and User-Based Deployments.
>
>
>
> Looking under Site Status I do have a 'Critical' for 'Application Catalog
> web service point.'
>
>
>
> This is the error I see there:
>
>
>
> *Microsoft SQL Server reported SQL message 547, severity 16:
> [23000][547][Microsoft][SQL Server Native Client 11.0][SQL Server]The
> INSERT statement conflicted with the FOREIGN KEY constraint
> "Intel_AMT_ConfigurationInfo_RootCertificates_Certificate_3_DATA_FK". The
> conflict occurred in database "CM_KSD", table "dbo*
>
>
>
> SQL is currently on a different Server than the Site Server, which is
> something I need to change but it is what it is right now.
>
>
>
> Any recommendations on what I can look further into?
>
>
>
> Thanks!
>
>
> --
> *This e-mail from McGuireWoods may contain confidential or privileged
> information. If you are not the intended recipient, please advise by return
> e-mail and delete immediately without reading or forwarding to others.*
>
>

[mssms] Applications stuck in Software Center

[Adam Juelich]

Hello Everyone,

On ConfigMgr CB 1610 on Server 2012 R2.

I'm seeing a weird issue where Applications are remaining in Software
Center long after the deployment has been deleted.  This is applying to
both Device and User-Based Deployments.

Looking under Site Status I do have a 'Critical' for 'Application Catalog
web service point.'

This is the error I see there:

*Microsoft SQL Server reported SQL message 547, severity 16:
[23000][547][Microsoft][SQL Server Native Client 11.0][SQL Server]The
INSERT statement conflicted with the FOREIGN KEY constraint
"Intel_AMT_ConfigurationInfo_RootCertificates_Certificate_3_DATA_FK". The
conflict occurred in database "CM_KSD", table "dbo*

SQL is currently on a different Server than the Site Server, which is
something I need to change but it is what it is right now.

Any recommendations on what I can look further into?

Thanks!

Re: [mssms] *.bin files not being copied to ccmcache

[Adam Juelich]

Have you verified content on the DP?  I've seen weird issues with HP BIOS
that stung me a few times.  I would test things manually, create the
Application, and then deploy only to find out it is missing files.  It is
standard behavior with HP BIOS to delete some of the files after it has run
because some of them contain sensitive information (Passwords, etc.).

On Wed, Mar 1, 2017 at 6:21 AM, Stuart Watret 
wrote:

> New morning, new app, two bin files included for good measure.
>
> Deployed and ran, both bin files in the cache, job failed anyway, the bin
> files are not compatible between different bios update exe’s (who knew).
> Made a new compatible bin file copied it into the ccmcache ran the command
> manually with out the silent switch and it worked (well it would have if
> bitllocker was suspended - no worries) BUT, now there are no BIN files in
> the cache, bear in mind I’ve just run manual command trying all of them, so
> what, running it deletes the bin, and this was the behaviour I was seeing
> all along?
>
> Yes it was !
>
> A snoop round google for hpqflash.exe and its treatment of bin files
> didn’t provide a definitive answer, but that is the observed behaviour it
> seems.
>
> Thanks all
>
> On 28 Feb 2017, at 23:58, Stuart Watret  wrote:
>
> This sender failed our fraud detection checks and may not
> be who they appear to be. Learn about spoofing
>  Feedback
> 
> I checked out the request filtering as suggested and found the following,
> I've removed the bin line for now and will test in the am with new
> packages/apps.
>
> Also had a chance to test on a separate setup, similar behaviour, bin file
> stripped out, it appeared again once we did an 'update content'
>
> 
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] On Behalf Of Stuart Watret
> Sent: 28 February 2017 23:07
> To: mssms@lists.myitforum.com
> Subject: [mssms] RE: *.bin files not being copied to ccmcache
>
> Thissenderfailedourfraud
> detectionchecksandmaynotbe&
> nbsp;whotheyappeartobe.Learnabout href="http://aka.ms/LearnAboutSpoofing;>spoofing
>
> I'll check those out, bit more info from testing this afternoon..
>
> Did a bit more on it this afternoon but it's very strange. I'm sending hp
> bios updates out. If I run these as packages with unc command lines to
> network locations as programs everything is fine. I wanted to use the app
> model instead and supply a nice icon etc.
>
> However the files that go to the dp and eventually the ccmcache are
> missing the bin file which is hp's file for storing the bios password.
>
> I thought maybe the file was corrupt so deleted everything, dropped a
> second bin file in the source then re- created the App. This time the
> original bin file was present but the new one was not!!!
>
> Pretty strange eh?
>
> I've deleted everything and will leave it overnight before trying again.
> I'd have to conclude it's not bin files exactly but some other content
> syncing weirdness.
>
> Stuart
> Sent from a dog and bone.
>
> -Original Message-
> From: listsad...@lists.myitforum.com[mailto:listsad...@lists.myitforum.com
> ] On Behalf Of Schultz, Michael A
> Sent: 28 February 2017 17:38
> To: mssms@lists.myitforum.com
> Subject: [mssms] RE: *.bin files not being copied to ccmcache
>
> IIS is most likely blocking the file extension
>
> https://sccm2oo7.blogspot.com/2015/04/how-to-configure-
> request-filtering-for.html
>
>
> Michael Schultz
> Client Systems Engineering, SCCM Engineer Information Systems Providence
> Health & Services michael.schu...@providence.org
>
>
> -Original Message-
> From: listsad...@lists.myitforum.com[mailto:listsad...@lists.myitforum.com
> ] On Behalf Of Stuart Watret
> Sent: Tuesday, February 28, 2017 5:45 AM
> To:  
> Subject: [mssms] *.bin files not being copied to ccmcache
>
> is this a thing?
>
> I have an app in sccm 1607 / it has a *.bin file as part of the content,
> when clients download to the ccmcache, it isn’t part of the download.
>
> Install fails…….
>
> Never come across it before, anyone else?
>
> Ta
>
> Stuart
>
> 
>
> This message is intended for the sole use of the addressee, and may
> contain information that is privileged, confidential and exempt from
> disclosure under applicable law. If you are not the addressee you are
> hereby notified that you may not use, copy, disclose, or distribute to
> anyone the message or any information contained in the message. If you have
> received this message in error, please immediately advise the sender by
> reply email and delete this message.
>
>
>
>

Re: [mssms] If i replace install.wim file with my captured WIM file(MDT based captured wim file). Will it work ?

[Adam Juelich]

why would you do that?

On Tue, Feb 28, 2017 at 1:13 PM, Kevin Ray  wrote:

> Hi All,
>
> In windows 7/8/10 Source files. If i replace  "install.wim" file with
> mycaptured WIM file(MDT based captured wim file). Will it work when i do
> Bootable ISO/USB based OS installation  ?
>
> kevin
>
>

Re: [mssms] Windows 7 B after Convenience Roll-up

[Adam Juelich]

So those would include all of the IE and .NET Updates?  I thought at one
point they were pulling apart IE updates again.next month, maybe?

On Wed, Feb 22, 2017 at 3:27 PM, Troy Martin <troy.mar...@1e.com> wrote:

> All that’s needed is the Convenience Roll-up from April/May and the
> January 2017 Quality Update…all thanks to the efficiency of WaaS J, else
> you’d be applying updates from June thru January.
>
>
>
> https://support.microsoft.com/en-us/help/3212642/january-
> 2017-security-only-quality-update-for-windows-7-sp1-and-
> windows-server-2008-r2-sp1
>
>
>
> *Troy L. Martin* | Technical Architect
>
> *1E | Software Lifecycle Automation for the Digital Business*
>
> US Mobile: +1 (678) 898-6147 <(678)%20898-6147> | UK Phone : +44 208 326
> 9141
>
> troy.mar...@1e.com | www.1e.com
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>
>
>
>
> Facebook
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
> | Twitter
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
> | YouTube
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
> | Blogs
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
> | RSS
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>
>
>
>
> [image: 1E events banner] <http://info.1e.com/1e-regional-events>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Tuesday, February 21, 2017 5:32 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] Windows 7 B after Convenience Roll-up
>
>
>
> Hello Everyone,
>
>
>
> I'm working on updating my Windows 7 Base Image.  I applied the
> Convenience Roll-Ip and all CU's using DISM and then imported it into
> ConfigMgr.  I am now doing a B by including IE11, WMF5.1, dotNET 4.6.2,
> and Visual C++.  I want it to grab any remaining Windows Updates but what
> should I all include in that SUG?
>
>
>
> In other words, how far should I have it look back?  I'm guessing any
> remaining updates would relate to dotNET, IE11, and Visual C++ so do I
> really have to have the SUG grab everything?  That is what I'm currently
> trying and it is at 320 updates if I limit it to 64-bit.
>
>
>
> Any other thoughts or lessons to be aware of?
>
>
>
> Thanks!
>
>
>
> --
>
>
> Legal Notice: This email is intended only for the person(s) to whom it is
> addressed. If you are not an intended recipient and have received this
> message in error, please notify the sender immediately by replying to this
> email or calling +44(0) 2083269015 <+44%2020%208326%209015> (UK) or +1
> 866 592 4214 <(866)%20592-4214> (USA). This email and any attachments may
> be privileged and/or confidential. The unauthorized use, disclosure,
> copying or printing of any information it contains is strictly prohibited.
> The opinions expressed in this email are those of the author and do not
> necessarily represent the views of 1E Ltd. Nothing in this email will
> operate to bind 1E to any order or other contract.
>
>

[mssms] Windows 7 B after Convenience Roll-up

[Adam Juelich]

Hello Everyone,

I'm working on updating my Windows 7 Base Image.  I applied the Convenience
Roll-Ip and all CU's using DISM and then imported it into ConfigMgr.  I am
now doing a B by including IE11, WMF5.1, dotNET 4.6.2, and Visual C++.  I
want it to grab any remaining Windows Updates but what should I all include
in that SUG?

In other words, how far should I have it look back?  I'm guessing any
remaining updates would relate to dotNET, IE11, and Visual C++ so do I
really have to have the SUG grab everything?  That is what I'm currently
trying and it is at 320 updates if I limit it to 64-bit.

Any other thoughts or lessons to be aware of?

Thanks!

Re: [mssms] after Windows 10 upgrade - Microsoft auto updates are slowing network

[Adam Juelich]

If you're doing all Updates through ConfigMgr you should also have this set:


Windows Components/Windows Update




Configure Automatic Updates

Disabled

On Thu, Feb 16, 2017 at 11:43 AM, Niall Brady  wrote:

> also to troubleshoot use powershell and get-windowsupdate.log to see where
> the updates are coming from
>
> and verify that you really have got those GPO's applied on an affected
> workstation using gpresult /h mygpos.html
>
> On Thu, Feb 16, 2017 at 6:16 PM, Niall Brady  wrote:
>
>> have you followed the advice here ?
>>
>> https://blogs.technet.microsoft.com/windowsserver/2017/01/
>> 09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-
>> microsoft-online/
>>
>> On Thu, Feb 16, 2017 at 6:03 PM, Timothy Ransom <
>> timothy.ran...@gdol.ga.gov> wrote:
>>
>>>
>>>
>>> Hi,
>>>
>>>
>>>
>>> After Windows 10 upgrade from Windows 7 is deployed with ConfigMgr  -
>>> Microsoft auto updates are slowing our T1 sites with Internet traffic to a
>>> crawl.
>>>
>>>
>>>
>>> I have enabled these additional settings in Group Policy, but the
>>> problem persists.
>>>
>>>
>>>
>>> *Computer Configuration\ Policies\** Administrative Templates\**
>>> Windows Components\Store\* *Turn off Automatic Download and Install of
>>> updates*
>>>
>>> *Computer Configuration\ Policies\** Administrative Templates\**
>>> Windows Components\** Windows Components/Windows Update\* *Do not
>>> connect to any Windows Update Internet locations*
>>>
>>>
>>>
>>> Internet traffic is a critical issue at some sites now.
>>>
>>>
>>>
>>> Any suggestions on ensuring all misc Windows 10  auto updates are
>>> disabled and/or stopping all the updates.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Tim
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *  Timothy Ransom*
>>>
>>>   System Administrator II
>>>
>>>
>>>
>>>   Georgia Department of Labor
>>>
>>>   Central Office
>>>
>>>   223 Courtland St #400
>>>
>>>   Atlanta, Georgia 30303
>>>
>>>
>>>
>>>   Office 404 232 7542 <(404)%20232-7542>
>>>
>>>   timothy.ran...@gdol.ga.gov
>>>
>>>
>>>
>>> [image: cid:image002.gif@01D1964B.6F88E090]
>>>
>>> [image: cid:image003.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image004.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image005.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image006.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image007.gif@01D1964B.6F88E090]
>>>
>>> [image: cid:image008.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image009.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image010.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image011.gif@01D1964B.6F88E090]
>>> 
>>>
>>> [image: cid:image012.gif@01D1964B.6F88E090]
>>>
>>> [image: cid:image001.gif@01D1964B.6F88E090]
>>>
>>>
>>>
>>>
>>> *** GEORGIA DEPARTMENT OF LABOR ***
>>>** CONFIDENTIALITY NOTICE **
>>>
>>> This transmission may contain confidential information protected by
>>> state or federal law.
>>> The information is intended only for use consistent with the state
>>> business discussed in this transmission.
>>> If you are not the intended recipient, you are hereby notified that any
>>> disclosure, copying, distribution, or the taking of any action based on the
>>> contents is strictly prohibited.
>>> If you have received this transmission in error, please delete this
>>> email and notify the sender immediately.
>>> Your cooperation is appreciated.
>>>
>>>
>>
>>
>
>

Re: [mssms] Off Topic: Windows 10 LTSB or CBB

[Adam Juelich]

Microsoft pushes CBB for most environments pretty hard.  The fact that we
are still having this conversation means that something still isn't ideal
for us.  When 1511 CBB does go EoL, yes, Microsoft will stop publishing
updates for it.  The big issue, as you state, is the interruption this
update has on the end-users.  That, and the fact that it breaks stuff like
drivers and previous settings makes it very hard for shops to manage this
going forward.

I'm not sure really what route to take.  A lot of people are moving to CBB
and disabling all the stuff that makes it CBB so it is a tough call.  Since
updates are cumulative, though, does that mean that having an LTSB that is
2 years old is going to have a 1GB or more Cumulative Update?  I know they
are working on that Express Servicing that is supposed to help with that
but I'm not sure what the consensus is on it.

On Tue, Feb 14, 2017 at 8:04 AM, Kamerman, Sol  wrote:

> All:
>
>
>
> I have been doing a lot of reading over the last several weeks and I still
> haven’t come to a conclusion on which direction I want to go in regards to
> which Windows 10 version I should install in the coming months.  I
> currently have 1800 laptops on 1511 CBB, and will be upgrading these
> laptops to 1607 CBB over the next few weeks.  This is challenging in it of
> itself because the update takes about an hour or more and is extremely
> disruptive to our end-users.  I am fighting with the option to move to
> Windows 10 Enterprise LTSB because all of the articles I have read about
> this particular version and how it’s designed for mission critical systems
> i.e. ATM’s, or factory type systems.  The advantage I see is that I don’t
> have to worry about upgrading these systems every 12 to 18 months and the
> disruption to the user is minimal.  We have a total of 3,500 systems
> consisting or laptops and desktops.  Our laptop hardware gets changed out
> every two years to a new model, and our desktops models are every 3 and may
> possibly change to 2 years.
>
>
>
> Here are some questions I have:
>
>
>
> Since we have a more aggressive hardware cycle is it worth going to LTSB
> or just stay with CBB?
>
>
>
> How are other admins handling the cycle change when they are dealing with
> many systems that will need be updated? Over 3,500 and up to 100K depending
> on the size of your company i.e. disrupting users, on-prem / off-prem?
>
>
>
> If we don’t care for using the app store or having the Edge browser
> installed, are there any other drawbacks from using LTSB?
>
>
>
> Is Microsoft really going to stop creating security updates for 1511 when
> it goes end of life? Are you concerned about this if your company isn’t
> ready to go to 1607 and you need stay on 1511 past its life cycle?
>
>
>
> Have you made the decision to go to LTSB and not look back?
>
>
>
> Any other info you can provide is appreciated.
>
>
>
>
>
>
>
> Thanks,
>
> Sol
>
>
>
>

Re: UPDATE: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

[Adam Juelich]

We haven't deployed or started to manage Windows 10 yet.  We are K-12
Education so some of the special custom settings and Bitlocker do not
really apply to us.  I'd like to test the Servicing Option and see how it
works and if it would work for us.  Summer time is probably the best time
for us to do our Branch upgrades so we may end up using a TS but our
environment doesn't require a lot of customization so it may not be a
necessity.

On Wed, Feb 8, 2017 at 10:42 AM, Troy Martin <troy.mar...@1e.com> wrote:

> Hey Adam,
>
>
>
> Are you preferring W10 Servicing (plan) upgrade method over traditional
> task sequence deployment, or just trying it out, or other?
>
>
>
> Just curious to get your thoughts why W10 Servicing (plan) as it is the
> least flexible deployment method e.g. no pre/post-deployment functionality
> available.
>
>
>
> Thanks J
>
>
>
> *Troy L. Martin* | Technical Architect
>
> *1E | Software Lifecycle Automation for the Digital Business*
>
> US Mobile: +1 (678) 898-6147 <(678)%20898-6147> | UK Phone : +44 208 326
> 9141
>
> troy.mar...@1e.com | www.1e.com
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>
>
>
>
> Facebook
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
> | Twitter
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
> | YouTube
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
> | Blogs
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
> | RSS
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>
>
>
>
> [image: 1E events banner] <http://info.1e.com/1e-regional-events>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Wednesday, February 8, 2017 8:30 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: UPDATE: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> I would be curious to see whether it is a bug or not.  I'm planning and
> hoping to use the Servicing Method when we start deploying Windows 10.
>
>
>
> On Wed, Feb 8, 2017 at 7:19 AM, Kamerman, Sol <skamer...@babson.edu>
> wrote:
>
> All:
>
>
>
> I decided to go the Task Sequence route to update the system and so far it
> has been able to install 1607 upgrade.  I am curious as to why it wasn’t
> working using the other method.  I realized after testing the TS route it
> is much better than the other way, but do you think that I should reach out
> to Microsoft to see if this is a bug, or is the other method just not
> supported and that TS is the better way to go?
>
>
>
> Sol
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kamerman, Sol
> *Sent:* Tuesday, February 7, 2017 12:16 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> That’s what I thought.  I didn’t think Bitlocker should interfere with
> this and that the setup/install process should take care of it.
>
>
>
>
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com <listsad...@lists.myitforum.com>] *On Behalf Of *Troy Martin
> *Sent:* Tuesday, February 7, 2017 12:03 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> Regardless of using Feature Update package, Windows 10 Servicing or
> In-Place Upgrade…Windows setup/install process wi

Re: UPDATE: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

[Adam Juelich]

I would be curious to see whether it is a bug or not.  I'm planning and
hoping to use the Servicing Method when we start deploying Windows 10.

On Wed, Feb 8, 2017 at 7:19 AM, Kamerman, Sol  wrote:

> All:
>
>
>
> I decided to go the Task Sequence route to update the system and so far it
> has been able to install 1607 upgrade.  I am curious as to why it wasn’t
> working using the other method.  I realized after testing the TS route it
> is much better than the other way, but do you think that I should reach out
> to Microsoft to see if this is a bug, or is the other method just not
> supported and that TS is the better way to go?
>
>
>
> Sol
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kamerman, Sol
> *Sent:* Tuesday, February 7, 2017 12:16 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> That’s what I thought.  I didn’t think Bitlocker should interfere with
> this and that the setup/install process should take care of it.
>
>
>
>
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Troy Martin
> *Sent:* Tuesday, February 7, 2017 12:03 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> Regardless of using Feature Update package, Windows 10 Servicing or
> In-Place Upgrade…Windows setup/install process will take care of BitLocker
> e.g. suspend/(re)enable.
>
>
>
> No experience with MBAM.
>
>
>
> *Troy L. Martin* | Technical Architect
>
> *1E | Software Lifecycle Automation for the Digital Business*
>
> US Mobile: +1 (678) 898-6147 <(678)%20898-6147> | UK Phone : +44 208 326
> 9141 <+44%2020%208326%209141>
>
> troy.mar...@1e.com | www.1e.com
> 
>
>
>
> Facebook
> 
> | Twitter
> 
> | YouTube
> 
> | Blogs
> 
> | RSS
> 
>
>
>
> [image: 1E events banner] 
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Kamerman,
> Sol
> *Sent:* Tuesday, February 7, 2017 10:38 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> So, I should not update the system using the Feature Update software
> package with systems that have Bitlocker and do an in-place upgrade using
>  a task sequence?  If I am using MBAM I am assuming this will work the
> same, correct?
>
>
>
> Sol
>
>
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com ] *On Behalf Of *Troy Martin
> *Sent:* Tuesday, February 7, 2017 10:18 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker
>
>
>
> If doing In-Place Upgrade, Windows will automatically disable/(re)enable
> BitLocker during the deployment.
>
>
>
> *Troy L. Martin* | Technical Architect
>
> *1E | Software Lifecycle Automation for the Digital Business*
>
> US Mobile: +1 (678) 898-6147 <(678)%20898-6147> | UK Phone : +44 208 326
> 9141 <+44%2020%208326%209141>
>
> troy.mar...@1e.com | www.1e.com
> 

Re: [mssms] Windows 10 & SCEP

[Adam Juelich]

Anybody know of a 'detection method' for SCEP on Windows 10?  Windows
Defender is already there.  Is the 'Managed Defender' folder under Program
Files the ticket?

On Sat, Jan 28, 2017 at 8:01 PM, Adam Juelich <acjuel...@gmail.com> wrote:

> Oh, ok.  Gotcha.  I thought we just needed to deploy the Endpoint
> Protection 'Managed' Client Setting to those.
>
> Thanks!
>
> On Sat, Jan 28, 2017 at 8:50 AM, Jason Sandys <ja...@sandys.us> wrote:
>
>> You do need to install SCEP on these. The installer though doesn’t
>> install the full AV client though, it only installs the management
>> component which does not exist on Win 10. So it’s really no different than
>> deploying SCEP to Win 7 from an admin perspective.
>>
>>
>>
>> J
>>
>>
>>
>> *From: *<listsad...@lists.myitforum.com> on behalf of Adam Juelich <
>> acjuel...@gmail.com>
>> *Reply-To: *"mssms@lists.myitforum.com" <mssms@lists.myitforum.com>
>> *Date: *Friday, January 27, 2017 at 3:33 PM
>> *To: *"mssms@lists.myitforum.com" <mssms@lists.myitforum.com>
>> *Subject: *Re: [mssms] Windows 10 & SCEP
>>
>>
>>
>> Yep, 1610.
>>
>>
>>
>> Actually, I may have answered my own question.  When I look at that
>> client I see the following:
>>
>>
>>
>> [image: nline image 1]
>>
>>
>>
>> It must need a reboot or something.  Stay tuned!
>>
>>
>>
>> On Fri, Jan 27, 2017 at 3:13 PM, Heaton, Joseph@Wildlife <
>> joseph.hea...@wildlife.ca.gov> wrote:
>>
>> Mine definitely show an Antimalware version in my SCCM console.  Are you
>> using SCCM CB?
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com] *On Behalf Of *Adam Juelich
>> *Sent:* Friday, January 27, 2017 1:03 PM
>> *To:* mssms@lists.myitforum.com
>> *Subject:* [mssms] Windows 10 & SCEP
>>
>>
>>
>> Hello Everyone,
>>
>>
>>
>> Just starting to pilot SCEP in our environment and we have a handful of
>> Windows 10 clients.  I understand that you do not deploy the SCEP client to
>> them, that it just flips the management switch on Windows Defender as they
>> leverage the same engine.
>>
>>
>>
>> I have done this but I do not see in the console that it lists an
>> 'Antimalware Version.'  When I look at a machine I see Windows Defender in
>> the bottom stating it is protected but when I look at properties within
>> there I do not see the 'Antimalware Policy' listed.
>>
>>
>>
>> Am I missing something?  They are in my test collection along with
>> Windows 8.1 and Windows 7 clients.  I deployed SCEP to them, have the
>> client setting for Endpoint Protection set to 'Manage' and I have a custom
>> Antimalware Policy deployed to it.
>>
>>
>>
>> Thanks!
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>