RE: [mssms] Redirect VPN clients traffic to IBCM servers !

[Troy Martin]

...this is what I've seen/experienced in the number of times I've implemented 
IBCM, going back to CM07.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>

[1E Local]<http://info.1e.com/1e-regional-events>

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hyatt, Dewayne
Sent: Monday, December 11, 2017 8:21 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

I am confused. If this were true then blocking access to the intranet MP on VPN 
would make the clients switch. That was not the case in my experience.

Dewayne

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Troy Martin
Sent: Friday, December 8, 2017 1:47 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

What is the CCMSetup.exe command-line used to install the client in your 
environment?

At a minimum, it should include the following: CCMSetup.exe /UsePKICert 
CCMHOSTNAME="SMSMP01.corp.contoso.com<http://SMSMP01.corp.contoso.com>"

If you want to force the clients to "always" be Internet clients, then add the 
following to the command-line: CCMALWAYSINF=1

In short, when clients VPN in they are connected to your intranet and will have 
access to the (intranet) MP e.g. default management point.  When the CM client 
detects its connecting to a different network, it always attempts to contact 
the (intranet) MP; if it cannot, then "switches" to IBCM mode attempting to 
connect to the fqdn/site system defined in the CCMHOSTNAME property during the 
client install.

CM client also checks for the default MP during service restarts, and also 
every 25 hours

It is not based upon being able to access DC/GC.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=

RE: [mssms] Redirect VPN clients traffic to IBCM servers !

[Troy Martin]

What is the CCMSetup.exe command-line used to install the client in your 
environment?

At a minimum, it should include the following: CCMSetup.exe /UsePKICert 
CCMHOSTNAME="SMSMP01.corp.contoso.com"

If you want to force the clients to "always" be Internet clients, then add the 
following to the command-line: CCMALWAYSINF=1

In short, when clients VPN in they are connected to your intranet and will have 
access to the (intranet) MP e.g. default management point.  When the CM client 
detects its connecting to a different network, it always attempts to contact 
the (intranet) MP; if it cannot, then "switches" to IBCM mode attempting to 
connect to the fqdn/site system defined in the CCMHOSTNAME property during the 
client install.

CM client also checks for the default MP during service restarts, and also 
every 25 hours

It is not based upon being able to access DC/GC.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E Local]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Miriyala, Vasu
Sent: Thursday, December 7, 2017 11:59 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

Thanks all for responses,

Yes, I tried blocking internal MP but client failed and gone nowhere to pick 
IBCM. DC/Global Catalog block is an obvious rule out.

Instead of tweaking firewall rules, is there any we can think of to tweak on 
clients itself when sensing it is on VPN to force to IBCM thru some script or 
that we can deploy before hand to clients... just a curious thought, sure some 
IF/BUTS will be there..

Thanks, Vasu

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Thursday, December 7, 2017 10:07 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

That is correct. If the client can talk to a global catalog then it will mark 
itself as internal. I fought this fight with Direct Access and IBCM. Creating a 
firewall rule to block access to the internal MP didn't make a difference.

Dewayne


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of John Marcum
Sent: Thursday, December 7, 2017 11:09 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Redirect VPN clients traffic to IBCM servers !

I had some offline conversations about this I  think that documentation may 
be wrong or outdated. You'd have to test it but I think so long as the client 
can communicate with a domain controller the client will not be internet based.



Sensitivity: Confidential between partners
From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Stuart Watret
Sent: Thursday, December 7, 2017 8:09 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Redirect VPN clients traffic to IBCM servers !

What would be nice in this scenario, is the azure hosted mp/dp taking 

RE: [mssms] Automated Software Removal

[Troy Martin]

...uum
[cid:image004.jpg@01D32CB8.96470E00]

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[HgGso4==2_1564f700aaef541fbb5931d5b75b9bfcf=1]

[1E Local]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Augustine, Greg
Sent: Wednesday, September 13, 2017 3:20 PM
To: mssms@lists.myITforum.com
Subject: [mssms] Automated Software Removal

We are trying to use a process to remove software that is not used in so many 
days.  The current process we have a collection of machines that we consider 
for removal because we know they have had hardware inventory run in the last 7 
days and a history of at least 60 days of HWI.  We use this collection to limit 
the collections for removal.

The collections for removal query the following for example chrome.exe
SMS_G_System_INSTALLED_EXECUTABLE.ExecutableName
SMS_G_System_SoftwareFile.FileName
And also queries
SMS_G_System_CCM_RECENTLY_USED_APPS.ExplorerFileName
SMS_G_System_CCM_RECENTLY_USED_APPS.lastusedtime

We seem to have issues of it removing software that was just recently installed 
and then not used right away since the install date is not always accurate in 
ARP.

How does everyone else handle  software removal for unused applications?

Greg Augustine
Office of Administration
Information Technology Services Division - State Data Center
(573)-751-4714






Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] RE: MBR2GPT question

[Troy Martin]

https://twitter.com/mniehaus/status/761304574728679424

[cid:image001.png@01D316A7.9DE2EAC0]

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Poole
Sent: Wednesday, August 16, 2017 12:31 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: MBR2GPT question

I found the issue. Apparently someone had switched the OSDPreserveDriveLetter 
to True in the TS, and the OS volume was set to T. After flipping the variable 
back to False and seeing that the OS was now on the C: drive, MBR2GPT is 
working flawlessly.

Good that I found the issue, but weird that a system volume drive letter other 
than C would cause such an odd problem.

Thank you,
Richard Poole

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Thursday, August 10, 2017 2:24 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: [mssms] RE: MBR2GPT question

https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2017/02/23/no-mouse-cursor-during-configmgr-osd-task-sequence/<https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2017/02/23/no-mouse-cursor-during-configmgr-osd-task-sequence/>

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZK

[mssms] RE: MBR2GPT question

[Troy Martin]

https://blogs.technet.microsoft.com/system_center_configuration_manager_operating_system_deployment_support_blog/2017/02/23/no-mouse-cursor-during-configmgr-osd-task-sequence/

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Richard Poole
Sent: Thursday, August 10, 2017 2:31 PM
To: mssms@lists.myitforum.com
Subject: [mssms] MBR2GPT question

Hey everyone,

I’ve been playing around with MBR2GPT on a Win10 1703 build and keep running 
into a strange issue. No matter if I run it from the OS with /allowFullOS or 
within WinPE, and change the BIOS over to UEFI, upon booting into Windows I get 
a black screen. Mouse cursor shows up when I move it, and promptly disappears. 
I’ve tried on a laptop and two desktops, with various displays, hit Win+P+down 
arrow to try and switch displays, all experienced the same issue.

Anyone else seen this problem by chance?

Thanks,
Richard Poole


NOTICE: This message contains confidential information and is intended only for 
the individual named. If you are not the named addressee, you should not 
disseminate, distribute or copy this email. Please notify the sender 
immediately by email if you have received this email by mistake and delete this 
email from your system. Email transmission cannot be guaranteed to be secure or 
error-free, as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses. The sender, therefore, does not 
accept liability for any errors or omissions in the contents of this message. 
This email neither constitutes an agreement to conduct transactions by 
electronic means nor creates any legally binding contract or enforceable 
obligation in the absence of a fully signed written contract.





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [mssms] sccm plain image vs core apps image

[Troy Martin]

https://twitter.com/sandy_tsang/status/852172689544552448

pretty good thread debating the pros/cons of both…

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kevin Ray
Sent: Tuesday, August 8, 2017 11:43 AM
To: mssms 
Subject: [mssms] sccm plain image vs core apps image

Hi Team,

What are the advantages and dis-advantages with plain image and core apps 
(office 365,antivirus,etc)..Does it really save the time with core 
applications..

Thanks
Kevin





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [mssms] RE: Recovery Key required after SecureBoot

[Troy Martin]

https://miketerrill.net/2017/04/19/how-to-detect-suspend-and-re-enable-bitlocker-during-a-task-sequence/

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of nick aquino
Sent: Tuesday, August 8, 2017 9:13 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Recovery Key required after SecureBoot

We resolved our issue by deleting the bitlocker protectors, recreating them, 
then turning bitlocker back on.

Thanks all for your help – turned out to be an order of operations issue.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Monday, July 31, 2017 7:41 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Recovery Key required after SecureBoot

Good idea, Paul.
It seems HP is notorious for TPM issues that are fixed with BIOs updates.  We 
had some 600 G2s that were giving us fits with BitLocker recovery until HP 
released an updated BIOs revision.

Mike


From: > 
on behalf of "pwinstan...@gmail.com" 
>
Reply-To: "mssms@lists.myitforum.com" 
>
Date: Monday, July 31, 2017 at 6:28 PM
To: "mssms@lists.myitforum.com" 
>
Subject: RE: [mssms] RE: Recovery Key required after SecureBoot

Try updating your bios to latest version

On 29 Jul 2017 00:36, "nick aquino" 
> wrote:
No, not dense at all. Makes sense... but it is at win10 at this stage of the 
TS. I'll have to check the Tpm 2.0 settings on monday. There may be something 
there. These are the older models that are not happy. The 850g3 and 800g2 are 
working as expected.
Thanks Mike.

-Nick-


Sent from my Verizon 4G LTE smartphone


 Original message 
From: "Marable, Mike" >
Date: 7/28/17 16:23 (GMT-05:00)
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Recovery Key required after SecureBoot
Nick,

Are these being imaged as Win7?

SecureBoot is completely incompatible with Windows 7.  That alone could be 
tripping the recovery key request.

I’ve been finding it doesn’t take much to trip the key request.  I had a Dell 
XPS that was in Legacy BIOs mode and TPM 2.0, but Dell listed that combo as 
being unsupported and it was tripping the recovery key at every reboot.  Once I 
switched to UEFI + TPM 2.0 it ran smooth.

It's been a long day (I’ve been here since 5am) so forgive me if I’m just being 
dense and missing the obvious.

Thanks
Mike



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of nick aquino
Sent: Friday, July 28, 2017 2:05 PM
To: 

[mssms] RE: m.2 and win10 OSD

[Troy Martin]

...missing NVME driver??

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Michael K Murray
Sent: Wednesday, May 24, 2017 6:34 PM
To: mssms@lists.myitforum.com
Subject: [mssms] m.2 and win10 OSD

Hey folks,

We're trying to image an OptiPlex 7050 that has a 500GB m.2 card. It gets to 
the partition step and fails, as it doesn't recognize any disk. Running 
diskpart at a command prompt shows no disks. I've Googled like crazy, but only 
seem to find Windows 7 articles. We're trying to image with Win10. Log attached.


Best Regards,

Mike Murray
Desktop Engineer/IT Consultant - IT Support Services
California State University, Chico
530.898.4357
mmur...@csuchico.edu

Remember, Chico State will NEVER ask you for your password via email!
For more information about recognizing phishing scam emails go to: 
http://www.csuchico.edu/isec/basics/spam-and-phishing.shtml






Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

Re: [mssms] deploy executable that opens a command prompt

[Troy Martin]

cmd / c %~dp0.exe

1E | Software Lifecycle Automation

On Mar 8, 2017, at 3:10 PM, Timothy Ransom 
> wrote:

Hi,

I have a custom executable to deploy with ConfigMgr that must be run from UNC 
path and opens a command prompt while running then closes.
This fails using a task sequence or program.

Manually, the executable fails from command prompt but runs properly from the 
Windows Run box.

Any suggestions on how to deploy from ConfigMgr ?

Thanks,
Tim



  Timothy Ransom
  System Administrator II

  Georgia Department of Labor
  Central Office
  223 Courtland St #400
  Atlanta, Georgia 30303

  Office 404 232 7542
  timothy.ran...@gdol.ga.gov



























*** GEORGIA DEPARTMENT OF LABOR ***
   ** CONFIDENTIALITY NOTICE **

This transmission may contain confidential information protected by state or 
federal law.
The information is intended only for use consistent with the state business 
discussed in this transmission.
If you are not the intended recipient, you are hereby notified that any 
disclosure, copying, distribution, or the taking of any action based on the 
contents is strictly prohibited.
If you have received this transmission in error, please delete this email and 
notify the sender immediately.
Your cooperation is appreciated.




Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] RE: SQL Query question / best practice

[Troy Martin]

Give them access to an offline (replica/log-shipped) copy of the site database, 
hosted on a remote (or other) SQL Server and let them go to town :)

No need to provide access to CAS or primary site databases.  Avoid doing that 
for a number of reasons...

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E events banner]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Enley, Carl
Sent: Wednesday, March 1, 2017 9:45 AM
To: mssms@lists.myitforum.com
Subject: [mssms] SQL Query question / best practice

I am curious is anyone has any thoughts / suggestions surrounding 3rd party 
applications / tools running queries directly against the SCCM SQL database.

In my organization depending upon the company we have a few different asset 
management systems some are home brewed and others are 3rd party (manage 
engine) vendors. One of our biggest challenges is keeping all of our inventory 
/ asset management systems in "sync" so to speak. I have been approached by a 
few different departments / companies that would like to run queries directly 
against the SCCM SQL instance rather than use any type of built in reports / 
queries. They would like to automate the export of client information in their 
home grown tool without changing their process to include running canned 
reports out of the console or website. I offered to provide subscriptions to 
those reports they feel would be valuable but was told it would require a 
change to their current process they were not prepared to make.

So my thought is it should be no problem to provide them read only access to 
the database but my real concern is surrounding performance. I don't want 
someone running a poorly written SQL query against the database and possibly 
slowing down the system speed. When I suggested this could possibly happen I 
was assured by the developers that they are very experienced in writing SQL 
queries and this would not happenyadda, yadda, yadda.


Thanks for any suggestions.






Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [mssms] Windows 7 B after Convenience Roll-up

[Troy Martin]

All that’s needed is the Convenience Roll-up from April/May and the January 
2017 Quality Update…all thanks to the efficiency of WaaS ☺, else you’d be 
applying updates from June thru January.

https://support.microsoft.com/en-us/help/3212642/january-2017-security-only-quality-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E events banner]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Tuesday, February 21, 2017 5:32 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Windows 7 B after Convenience Roll-up

Hello Everyone,

I'm working on updating my Windows 7 Base Image.  I applied the Convenience 
Roll-Ip and all CU's using DISM and then imported it into ConfigMgr.  I am now 
doing a B by including IE11, WMF5.1, dotNET 4.6.2, and Visual C++.  I want it 
to grab any remaining Windows Updates but what should I all include in that SUG?

In other words, how far should I have it look back?  I'm guessing any remaining 
updates would relate to dotNET, IE11, and Visual C++ so do I really have to 
have the SUG grab everything?  That is what I'm currently trying and it is at 
320 updates if I limit it to 64-bit.

Any other thoughts or lessons to be aware of?

Thanks!





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] RE: PKI Certificate hell

[Troy Martin]

Once the MP cert is imported into the MP's machine/computer cert store, if you 
double-click, is the certificate path OK/validated?


Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E events banner]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Mead, Renae (DTMB)
Sent: Wednesday, February 8, 2017 9:30 AM
To: mssms@lists.myitforum.com
Subject: [mssms] PKI Certificate hell

SCCM Setup: CAS with 2 primary sites running ConfigMgr 1610
Primary Site System - under Client Computer Communication tab site system 
settings is set with HTTPS or HTTP. Use PKI certificates is checked, Trusted 
Root Certificate authorities has both old root CA and new root CA.
MP & DP are setup to use HTTPS only
Setup: Domain A has a two way trust with Domain B.

Will try to make a long story short. The old root CA expires next month so we 
are in the process of updating all the intermediate certs, client certs, MP 
certs, DP certs,  etc. One year ago we setup a new PKI infrastructure and 
generated a new root CA cert and started deploying that. It has been working 
fine.
A week ago generated new management point certificates and bound them in IIS. 
Everything in Domain A works fine but all the machines in Domain B (the trusted 
domain) are now throwing errors.

Client Logs:
Location Services:
CCMVerifyMsgSignature failed.  LocationServices  2/7/2017 10:14:43 
PM   8668 (0x21DC)
Failed to verify received message 0x80090006 LocationServices  
2/7/2017 10:14:43 PM 8668 (0x21DC)
CCMVerify failed with 0x80090006   LocationServices  
2/7/2017 10:14:43 PM   8668 (0x21DC)
Failed to verify message. Could not retrieve certificate from MPCERT.  
LocationServices   2/7/2017 10:14:43 PM   8668 (0x21DC)
MPCERT requests are throttled for 00:04:54 LocationServices 
 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify message. Sending MP [HCS084SCCMxxx] not in cached MPLIST.  
 LocationServices  2/7/2017 10:14:43 PM   8668 (0x21DC)
MPLIST requests are throttled for 00:59:54   LocationServices   
   2/7/2017 10:14:43 PM 8668 (0x21DC)

ClientIDManagerStatus.log
RegTask: Failed to send registration request message. Error: 0x87d00231 
  ClientIDManagerStartup2/8/2017 2:29:55 AM 8668 
(0x21DC)
RegTask: Failed to send registration request. Error: 0x87d00231  
ClientIDManagerStartup   2/8/2017 2:29:55 AM 8668 (0x21DC)

CertificateMaintenance.log
Failed to verify signature of message received from MP using name 
'HCS084SCCM.fqdn'

Management Point Logs:
Processing Registration request from Client 
'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746'   
MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Begin validation of Certificate [Thumbprint 
8379EDA0CDA8E46DFA0913E40037543D4AC08CA4] issued to 'T6000F4P6NX1.fqdn.'
   MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Completed validation of Certificate [Thumbprint 
8379EDA0CDA8E46DFA0913E40037543D4AC08CA4] issued to 

RE: UPDATE: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

[Troy Martin]

Hey Adam,

Are you preferring W10 Servicing (plan) upgrade method over traditional task 
sequence deployment, or just trying it out, or other?

Just curious to get your thoughts why W10 Servicing (plan) as it is the least 
flexible deployment method e.g. no pre/post-deployment functionality available.

Thanks ☺

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>

[1E events banner]<http://info.1e.com/1e-regional-events>

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Wednesday, February 8, 2017 8:30 AM
To: mssms@lists.myitforum.com
Subject: Re: UPDATE: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

I would be curious to see whether it is a bug or not.  I'm planning and hoping 
to use the Servicing Method when we start deploying Windows 10.

On Wed, Feb 8, 2017 at 7:19 AM, Kamerman, Sol 
<skamer...@babson.edu<mailto:skamer...@babson.edu>> wrote:
All:

I decided to go the Task Sequence route to update the system and so far it has 
been able to install 1607 upgrade.  I am curious as to why it wasn’t working 
using the other method.  I realized after testing the TS route it is much 
better than the other way, but do you think that I should reach out to 
Microsoft to see if this is a bug, or is the other method just not supported 
and that TS is the better way to go?

Sol

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Kamerman, Sol
Sent: Tuesday, February 7, 2017 12:16 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

That’s what I thought.  I didn’t think Bitlocker should interfere with this and 
that the setup/install process should take care of it.





From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Tuesday, February 7, 2017 12:03 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

Regardless of using Feature Update package, Windows 10 Servicing or In-Place 
Upgrade…Windows setup/install process will take care of BitLocker e.g. 
suspend/(re)enable.

No experience with MBAM.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147<tel:(678)%20898-6147> | UK Phone : +44 208 326 
9141<tel:+44%2020%208326%209141>
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQ

RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

[Troy Martin]

Regardless of using Feature Update package, Windows 10 Servicing or In-Place 
Upgrade…Windows setup/install process will take care of BitLocker e.g. 
suspend/(re)enable.

No experience with MBAM.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>

[1E events banner]<http://info.1e.com/1e-regional-events>

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kamerman, Sol
Sent: Tuesday, February 7, 2017 10:38 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

So, I should not update the system using the Feature Update software package 
with systems that have Bitlocker and do an in-place upgrade using  a task 
sequence?  If I am using MBAM I am assuming this will work the same, correct?

Sol



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Tuesday, February 7, 2017 10:18 AM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

If doing In-Place Upgrade, Windows will automatically disable/(re)enable 
BitLocker during the deployment.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>

[1E events banner]<http://info.1e.com/1e-regional-events>

From: listsad...@lists.myitforum.com<

RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

[Troy Martin]

If doing In-Place Upgrade, Windows will automatically disable/(re)enable 
BitLocker during the deployment.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E events banner]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kamerman, Sol
Sent: Tuesday, February 7, 2017 8:25 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

I believe this log is created if you’re using a Task Sequence to do the update. 
 I am using the Windows 10 Servicing Feature to update the system.  Will I need 
to use a TS  to update the system to 1607 if I have BL enabled?  Is there 
another log I can provide to help troubleshoot?



From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Niall Brady
Sent: Tuesday, February 7, 2017 8:09 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Upgrading 1511 to 1607 w/ Bitlocker

the error means

Element not found.

Source: Windows
-
but without more info (like your smsts.log) it's hard to guess why it's saying 
that, can you attach the log

On Tue, Feb 7, 2017 at 1:59 PM, Kamerman, Sol 
> wrote:
All:

Just pinging the group to get some ideas as I am all out.  I am trying to 
upgrade a laptop that currently has W10 1511, I was able to download the 1607 
Feature Update from my SCCM Server (1606, I haven’t upgraded to latest Branch 
but will soon).  The test system downloads the file, but when it tries to 
install I get an error code 8x80070490.  I’ve done a lot of Googling but 
nothing has come of it.   The only thing that has change with that the target 
system is that I have enabled Bitlocker using MBAM 2.5sp1.  Could this be 
causing the patch to fail the install?  I have tried suspending bitlocker but 
still the same error.  I am trying to avoid disabling BL all together, but 
before I do this I thought I would reach out to the group.

Thanks in advance for any help you can provide.

Sol Kamerman
Babson College









Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [External] Re: [mssms] W10 Upgrade & Printer Issues

[Troy Martin]

In-Place upgrade is a ‘false sense of security’.  Great for consumers…not for 
the enterprise.

For the enterprise, getting to W10 is 99% about taking advantage of the new 
security features/support in W10 e.g. Secure Boot, Device Guard, Credential 
Guard, etc

If those are not desired goals for your organization then yes, go with In-Place 
Upgrades.  If you’re looking to take advantage of the new security features AND 
have all applications “intelligently” reinstalled during the W10 migration, 
there’s an app a suite for that…

Check out 1e.com if you’re interested in knowing more about it ☺

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=qGt8-ZGt5rG-J3ClWoppG9TfmFKmktUZprrf0vtNjII=>

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Bradley, Matt
Sent: Tuesday, December 6, 2016 9:15 AM
To: mssms@lists.myitforum.com
Subject: RE: [External] Re: [mssms] W10 Upgrade & Printer Issues

So far every newly imaged machine works ok with these same printers.  We were 
really banking on the in-place upgrade being our go-to solution for switchover. 
 The labor savings of not having to reinstall all the users applications is 
immense.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Monday, December 5, 2016 12:48 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [External] Re: [mssms] W10 Upgrade & Printer Issues

…and what happens when wipe/load?

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com<mailto:troy.mar...@1e.com> | 
www.1e.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=lfm9K0cSqM44FHIoBa6p0wzT4MWYkn_0HYGNmWgkATs=>

Facebook<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_1eglobal=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=RRWJDZaMGcmivktB58TkvRLoQr1bC6jIDj-MN1oDLlE=>
 | 
Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_1e-5Fglobal_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=6SY99zYqJ1R5pAavjFi-JmFdxUD0lt-n0XwOK-omJcI=>
 | 
YouTube<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.youtube.com_1enews=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=XWjlpxF0vI8J3n42uqWMrEXgHphlWI2PD9XZHOHhX8U=>
 | 
Blogs<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_=BQMFAg=Ln8c1CLEgbhz4W2FGOnrXYpHvIYN4k_cXHVmsANM4XI=zAhc69MwvUId2afOheLZsnttbIFqxDANe5KRT-ZKir4=uHdy6p01-w9GZjdBVTraJ5PHeWP6yKoA_xCBrm33uC4=tKrxeysyE64idSmjz1G3NP2ojp9RhRdpv1OljUgTbyg=>
 | 
RSS<https://urldefense.proofpoint.com/v2/url?u=http-3A__blogs.1e.com_index.php_feed_=BQ

RE: [External] Re: [mssms] W10 Upgrade & Printer Issues

[Troy Martin]

…and what happens when wipe/load?

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Bradley, Matt
Sent: Monday, December 5, 2016 9:34 AM
To: mssms@lists.myitforum.com
Subject: RE: [External] Re: [mssms] W10 Upgrade & Printer Issues

I’ve tried that and about everything else I can think of.  Microsoft Premier 
support is stumped too.  This was part of our Windows 10 readiness project.  Of 
the 21 machines I that successfully processed the in-place upgrade, 4 of them 
have this printing problem.  That’s a 25% failure rate.  Huge, game-stopping 
issue.  At this point our entire in-place upgrade strategy is on halt, and we 
will not move forward with Windows 10 without Microsoft fixing the problem.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Wednesday, November 16, 2016 9:45 AM
To: mssms@lists.myitforum.com
Subject: [External] Re: [mssms] W10 Upgrade & Printer Issues

Did you update your drivers on the Print Server for Windows 10?

On Mon, Nov 14, 2016 at 1:45 PM, Bradley, Matt 
> wrote:
I’ve got a few users, after doing the W10 in-place upgrade, that are 
experiencing a strange printer issue.  When they go to print from Word, 
Notepad, whatever, it says there are no printers installed.  Printers do show 
up in Devices & Printers, though, and you can print a test page.  I’ve tried 
uninstalling and reinstalling the printers, restarting the printer spool, 
nothing.  Strangely enough, if you go ahead and click print, it still prints.  
But you can’t select different printers to print from, because it says there 
are none installed.  I’m getting ready to open up a ticket with premier support 
(not hopeful there), but wanted to touch base with the collective first.









Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

Re: [mssms] Optiplex 7010 Windows 10 imaging problems

[Troy Martin]

Are you doing a Bios-to-UEFI conversion as part of the task sequence?  If so - 
as a test -, before the conversion add another "Restart in WinPE" step.

I understand that the machine is already PE at that time, but just try and see 
how that goes.

1E | Software Lifecycle Automation

On Sep 22, 2016, at 11:34 AM, Thelen, Chris 
> wrote:

I’m having an issues with imaging Dell OptiPlex 7010s and was hoping to get 
some help.  Issues are only with the Windows 10 task sequence.  Everything 
works fine with Windows 8.1.

First issue:  7010s will fail to join the domain when I use a custom Windows 10 
reference image.  This same reference image works perfectly fine for every 
other Dell model, it only causes domain join issues for the 7010.  The error in 
the panther logs is that it cannot find a domain controller.  If I use the wim 
file from the Win 10 ISO, then it works fine.  I’ve updated the 7010 driver 
package with the latest drivers and also updated the Intel LAN drivers to the 
latest version from Intel.

Second issue:  When using the Win 10 ISO wim file, everything works fine in the 
WinPE stages.  It formats C drive, applies the image to C drive, but when it 
reboots during setting up the SCCM client, it switches C drive to X drive and 
then fails the task sequence as we have steps that are hard coded to point to C 
drive folders.  Same thing as above, this only happens on the OptiPlex 7010.

I’ve attached the logs from running a TS with the second issue.  I can provide 
other logs if needed.
Thanks in advanced for any help.


Thanks,

CHRIS THELEN
Server Engineer


www.dawnfoods.com | 
chris.the...@dawnfoods.com







Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [mssms] New Software Center old client

[Troy Martin]

Old = CCM\SCClient.exe
New = CCM\ClientUX\SCClient.exe

Both exists, but only one is actually registered (to be used/opened).

To determine which one is registered: Start -> Run -> softwarecenter:

The colon “:” is included

The registered one will be the one that will open.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Tuesday, August 9, 2016 10:16 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] New Software Center old client

No, no issues. The policy just swaps out executables on supported clients. No 
actual functionality changes.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jay Marsett
Sent: Tuesday, August 9, 2016 2:14 PM
To: mssms@lists.myitforum.com
Subject: [mssms] New Software Center old client

Hope everyone is well.  Just wanted to see if we had heard or seen any issues 
with enabling the “New software center” client feature, before the client is 
upgraded to 1511 or newer?

EG., recently upgraded a 2012 R2 site, will enabling this new client feature 
cause any issues for clients that don’t yet have the new client version?  Is it 
backwards compatible (in the sense that it won't break anything), or should we 
take care to target only systems with the upgraded client?

Please and thank you.






Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] RE: Moving IP's

[Troy Martin]

...it's all about name resolution and routing: If DNS (public and intra') has 
been updated accordingly, there should not be any problems.  If routing to the 
new IP addresses is working, should not be any problems.

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of John Aubrey
Sent: Monday, July 25, 2016 4:25 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Moving IP's

I have a simple SCCM Server that houses everything minus the DP, and that is on 
a separate box. We are getting our static IP's in order for Azure site 
recovery, and the 2 SCCM boxes are outside the new range of IP address for 
servers.  Will changing the IP's to a different address hurt anything in SCCM?





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

Re: [mssms] CS.ini SQL without NAMED PIPES

[Troy Martin]

Create a .udL file, double-click and use the wizard to create the connection 
string.  Open the .udL in notepad to see the connection string.

1E | Software Lifecycle Automation

On Jul 6, 2016, at 2:06 PM, Todd Hemsell 
<hems...@gmail.com<mailto:hems...@gmail.com>> wrote:

Well, if they can give you a connection string they say will work, we can try 
to get MDT to create one the same.

On Wed, Jul 6, 2016 at 3:42 PM, Giroux, Eric J 
<egir...@unum.com<mailto:egir...@unum.com>> wrote:
Ha!  They don’t deal in WinPE.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Marcum, John
Sent: Wednesday, July 6, 2016 4:17 PM
To: 'mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>' 
<mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>>
Subject: RE: [mssms] CS.ini SQL without NAMED PIPES

Silly question but….If they are the DBA’s and they are making the rules why 
aren’t they ones figuring out how to make it work?




From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Giroux, Eric J
Sent: Wednesday, July 6, 2016 2:49 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: RE: [mssms] CS.ini SQL without NAMED PIPES

Negative.  Has to be NT authentication.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Todd Hemsell
Sent: Wednesday, July 6, 2016 2:48 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] CS.ini SQL without NAMED PIPES

will they let you use a SQL user and password?

On Wed, Jul 6, 2016 at 1:20 PM, Giroux, Eric J 
<egir...@unum.com<mailto:egir...@unum.com>> wrote:
Yes I can.  I can connect into the target database and select from the view 
successfully.  The ID definitely has access.  The problem seems to be with the 
connection from WinPE trying to connect as anonymous rather than with the NAA 
credentials.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Todd Hemsell
Sent: Wednesday, July 6, 2016 1:46 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] CS.ini SQL without NAMED PIPES

Can you log into a workstation with SQL Management studio on it using those 
credentials and connect to the DB?

On Wed, Jul 6, 2016 at 9:44 AM, Giroux, Eric J 
<egir...@unum.com<mailto:egir...@unum.com>> wrote:
Confirmed those are all configured as they should be.  Here is the SQL section 
from my CS.ini:

[DB_WIAT]
SQLServer=MYSERVER\INSTANCE
Database=MYDB
Netlib=DBMSSOCN
SQLShare=MYSHARE
Table=MYVIEW
Parameters=SerialNumber

The SQLShare is on the SQL server and UNC connection is made successfully in 
the logs.  This is not the MDT database but a db for an internal app we use to 
populate some deployment variables.



From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Troy Martin
Sent: Tuesday, July 5, 2016 11:17 PM
To: mssms@lists.myitforum.com<mailto:mssms@lists.myitforum.com>
Subject: Re: [mssms] CS.ini SQL without NAMED PIPES

This message originated outside of Unum. Use caution when opening attachments, 
clicking links or responding to requests for information.

In the SQL server configuration tools, TCP/IP protocol is required to be 
enabled on the server as well.  Also, the ConfigMgr Network Access Account 
needs a SQL login and granted db_datareader perms to the MDT database.

1E | Software Lifecycle Automation

On Jul 5, 2016, at 1:05 PM, Giroux, Eric J 
<egir...@unum.com<mailto:egir...@unum.com>> wrote:
I need a bit of guidance to make SQL connection from CustomSettings.ini using 
NT Authentication (network access account) vs named pipes.  Have always used 
named pipes successfully but DBAs are putting their foot down on dis-allowing 
use of named pipes.

Adding Netlib=DBMSSOCN to my SQL section of my CS.ini is giving me a return of:

ZTI error opening SQL Connection: Login failed for user ‘NT AUTHORITY\ANONYMOUS 
LOGON’. (-2147217843).  I assumed by adding Netlib=DBMSSOCN it would 
authenticating using network access account credentials but this feels as 
though it is needing a SQL ID and pwd to make the connection, which I do not 
want to use.

Is anyone using Netlib=DBMSSOCN successfully?

Thanks,

Eric Giroux
Solutions Engineer
Unum Group
E-mail: egir...@unum.com<mailto:egir...@unum.com> | Office: (207) 575-2482
Mobile: (207) 239-5190 | Fax: (207) 575-2158






Legal Notice: This email is inten

Re: [mssms] CS.ini SQL without NAMED PIPES

[Troy Martin]

In the SQL server configuration tools, TCP/IP protocol is required to be 
enabled on the server as well.  Also, the ConfigMgr Network Access Account 
needs a SQL login and granted db_datareader perms to the MDT database.

1E | Software Lifecycle Automation

On Jul 5, 2016, at 1:05 PM, Giroux, Eric J 
> wrote:

I need a bit of guidance to make SQL connection from CustomSettings.ini using 
NT Authentication (network access account) vs named pipes.  Have always used 
named pipes successfully but DBAs are putting their foot down on dis-allowing 
use of named pipes.

Adding Netlib=DBMSSOCN to my SQL section of my CS.ini is giving me a return of:

ZTI error opening SQL Connection: Login failed for user 'NT AUTHORITY\ANONYMOUS 
LOGON'. (-2147217843).  I assumed by adding Netlib=DBMSSOCN it would 
authenticating using network access account credentials but this feels as 
though it is needing a SQL ID and pwd to make the connection, which I do not 
want to use.

Is anyone using Netlib=DBMSSOCN successfully?

Thanks,

Eric Giroux
Solutions Engineer
Unum Group
E-mail: egir...@unum.com | Office: (207) 575-2482
Mobile: (207) 239-5190 | Fax: (207) 575-2158






Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] A "true" offline silent install of Google Chrome

[Troy Martin]

Although Google documents having an .msi installer to do "offline" installs of 
the browser, it still requires the device to have Internet access.  Apparently 
Chrome still needs to download bits over the Internet during the install.  In 
addition, I have not found an actual Chrome .msi for download that Google says 
exists.

1st request - Has anyone figured out how to install Chrome without having 
Internet access?
2nd request - Does there truly exist a Chrome .msi?  Not one that you may have 
created, but one that is downloaded from Google

Thanks :)

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] Application installs not happening automatically

[Troy Martin]

I've noticed on two ConfigMgr 1602 environments that application installs are 
not occurring automatically and (near) immediately after/once the client 
downloads policy.  The only way to have the application installs begin is to 
trigger an Application Deployment Evaluation Cycle client action.  Once done, 
the install begins immediately.  During my evaluation and testing of this 
behavior, I've purposely waited a couple of days on about 10 clients before 
triggering the client action.

However, if deploying a legacy package to the same devices, those begin the 
installs (near) immediately after receiving policy.  I've only seen this with 
Applications.

Of the two sites where this behavior is occurring, one is a (lab) new 1602 
install and the other is an (production/live) 2012->1511->1602 migration.

Anyone else seeing this in their environment(s)?


Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E @ 
MMS]





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] Application installs not happening automatically

[Troy Martin]

I've noticed on two ConfigMgr 1602 environments that application installs are 
not occurring automatically and (near) immediately after/once the client 
downloads policy.  The only way to have the application installs begin is to 
trigger an Application Deployment Evaluation Cycle client action.  Once done, 
the install begins immediately.  During my evaluation and testing of this 
behavior, I've purposely waited a couple of days on about 10 clients before 
triggering the client action.

However, if deploying a legacy package to the same devices, those begin the 
installs (near) immediately after receiving policy.  I've only seen this with 
Applications.

Of the two sites where this behavior is occurring, one is a (lab) new 1602 
install and the other is an (production/live) 2012->1511->1602 migration.

Anyone else seeing this in their environment(s)?

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone : +44 208 326 9141
troy.mar...@1e.com | 
www.1e.com

Facebook
 | 
Twitter
 | 
YouTube
 | 
Blogs
 | 
RSS

[1E @ 
MMS]





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] RE: (OT) Vendor list for Ignite?

[Troy Martin]

Hey Ivan,

Have them stop by the 1E booth.  In the meantime, check out our site - 
http://www.1e.com/appclarity-software-asset-management/


Thanks :)

Troy L. Martin | Product Manager, Endpoint Automation
Provision software, not infrastructure
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

[cid:image003.png@01D0422A.F408EE30]http://www.1e.com/  [Blog_Bling_Connect] 
http://ignite.microsoft.com/
[cid:image010.png@01D0422A.F408EE30]https://www.facebook.com/1Eglobal[cid:image011.png@01D0422A.F408EE30]https://twitter.com/1E_Global/[cid:image012.png@01D0422A.F408EE30]http://www.linkedin.com/company/1e[cid:image013.png@01D0422A.F408EE30]http://www.1e.com/blogs/index.php[cid:image014.png@01D0422A.F408EE30]http://blogs.1e.com/feed/[cid:image015.png@01D0422A.F408EE30]https://plus.google.com/+1EGlobal/posts

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Lindenfeld, Ivan
Sent: Thursday, February 19, 2015 10:57 AM
To: mssms@lists.myitforum.com
Subject: [mssms] (OT) Vendor list for Ignite?

I have a colleague in the ITAM space wanting to shop but needs to make sure 
hunting will be rich.  We don't see a vendor list on the Ignite web site.

It would go a long way toward justifying the trip.

Thanks for any pointers.

Ivan Lindenfeld


NOTICE: The information contained in this message is proprietary and/or 
confidential and may be privileged. If you are not the intended recipient of 
this communication, you are hereby notified to: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately.





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [mssms] RE: (OT) Vendor list for Ignite?

[Troy Martin]

As of Saturday, 5 ConfigMgr sessions - http://bit.ly/1Etbsab


Troy L. Martin | Product Manager, Endpoint Automation
Provision software, not infrastructure
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

[cid:image003.png@01D0422A.F408EE30]http://www.1e.com/  [Blog_Bling_Connect] 
http://ignite.microsoft.com/
[cid:image010.png@01D0422A.F408EE30]https://www.facebook.com/1Eglobal[cid:image011.png@01D0422A.F408EE30]https://twitter.com/1E_Global/[cid:image012.png@01D0422A.F408EE30]http://www.linkedin.com/company/1e[cid:image013.png@01D0422A.F408EE30]http://www.1e.com/blogs/index.php[cid:image014.png@01D0422A.F408EE30]http://blogs.1e.com/feed/[cid:image015.png@01D0422A.F408EE30]https://plus.google.com/+1EGlobal/posts

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Harjit Dhaliwal
Sent: Thursday, February 19, 2015 11:44 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] RE: (OT) Vendor list for Ignite?

I think you are being a little swift with your assumptions.  The full session 
catalog has not been completed and Ignite has mentioned that they are going to 
be adding much more to the catalog including System Center stuff.  There are 
quite a few of us from the ConfigMgr community who will be attending the 
conference.

-Harjit
On 2/19/2015 11:36 AM, Andreas Hammarskjöld wrote:
Hey Ivan,

If you are looking for ConfigMgr integration Ignite might not be your best 
place to hunt. The total lack of ConfigMgr sessions have led to the ConfigMgr 
community already renamed the conference MS Ignore (for several reasons).

Might change, although unlikely, but damage is already done.

//A

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: den 19 februari 2015 17:24
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: (OT) Vendor list for Ignite?

Hey Ivan,

Have them stop by the 1E booth.  In the meantime, check out our site - 
http://www.1e.com/appclarity-software-asset-management/


Thanks :)

Troy L. Martin | Product Manager, Endpoint Automation
Provision software, not infrastructure
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

[cid:image003.png@01D0422A.F408EE30]http://www.1e.com/  [Blog_Bling_Connect] 
http://ignite.microsoft.com/
[cid:image010.png@01D0422A.F408EE30]https://www.facebook.com/1Eglobal[cid:image011.png@01D0422A.F408EE30]https://twitter.com/1E_Global/[cid:image012.png@01D0422A.F408EE30]http://www.linkedin.com/company/1e[cid:image013.png@01D0422A.F408EE30]http://www.1e.com/blogs/index.php[cid:image014.png@01D0422A.F408EE30]http://blogs.1e.com/feed/[cid:image015.png@01D0422A.F408EE30]https://plus.google.com/+1EGlobal/posts

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Lindenfeld, Ivan
Sent: Thursday, February 19, 2015 10:57 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] (OT) Vendor list for Ignite?

I have a colleague in the ITAM space wanting to shop but needs to make sure 
hunting will be rich.  We don't see a vendor list on the Ignite web site.

It would go a long way toward justifying the trip.

Thanks for any pointers.

Ivan Lindenfeld


NOTICE: The information contained in this message is proprietary and/or 
confidential and may be privileged. If you are not the intended recipient of 
this communication, you are hereby notified to: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately.





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.








Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying

Re: [mssms] Transactional replication of CM database

[Troy Martin]

Transactional replication of the site database is only supported for the MP 
role.  This is so because only a subset of the site database is used by an MP, 
and not the entire database.

Consider using Log Shipping instead - 
https://msdn.microsoft.com/en-us/library/ms151224.aspx

Sent from my iPhone

On Jan 20, 2015, at 5:40 PM, Corkill, Daniel 
danielcork...@logan.qld.gov.aumailto:danielcork...@logan.qld.gov.au wrote:

There's a push here to enable transactional replication of the ConfigMgr 
database for an enterprise reporting project. I just wanted to know if 
transactional replication of the database is supported, any adverse effects I 
should be aware of and if anyone has some recommended reading for me to get a 
further understanding.

Daniel.



*
This email, including any attachment, is confidential to the intended 
recipient.  It may also be privileged and may be subject to copyright.  If you 
have received this email in error, please notify the sender immediately and 
delete all copies of the email.  Any confidentiality or privilege is not 
waived.  Neither the Council nor the sender warrant that this email does not 
contain any viruses or other unsolicited items.

This email is an informal Council communication.  The Council only accepts 
responsibility for information sent under official letterhead and duly signed 
by, or on behalf of, the Chief Executive Officer.

Privacy Collection Notice
Logan City Council may collect your personal information, e.g. name, 
residential address, phone number etc, in order to conduct its business and/or 
meet its statutory obligations. The information will only be accessed by 
employees and/or Councillors of Logan City Council for Council business related 
activities only. If your personal information will be passed onto a third 
party, Council will advise you of this disclosure, the purpose of the 
disclosure and reason why. Your information will not be given to any other 
person or agency unless you have given us permission or we are required by law.








Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

Re: [mssms] RE: Distribution Bottleneck

[Troy Martin]

If you're seriously considering BranchCache as the alternate content provider 
for your organization, be sure to do your homework, by first reading a white 
paper Paul Thomsen has written:

http://www.1e.com/blog/all_resources/branchcache-right-organisation/

In the white paper, we look at the key reasons why BranchCache is not suitable 
for SCCM content distribution and examine why the expectation that BranchCache 
could be appropriate for SCCM content distribution should be questioned and 
compared to alternatives before deploying in your organization. The paper also 
reviews how BranchCache works, how it has changed over the years, and where to 
learn more.

So while BranchCache works, the bigger question is whether it's right for 
your organization's needs.

Again, do your homework first...

Sent from my iPhone

On Dec 4, 2014, at 8:53 AM, Andreas Hammarskjöld 
jun...@2pintsoftware.commailto:jun...@2pintsoftware.com wrote:

Even better, use BranchCache since its free and works great?

//Andreas

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Magnus Tveten
Sent: den 4 december 2014 04:03
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Distribution Bottleneck

AdaptivaOnesite is really good to... the way it uses the network without 
interfering with anything.

We used that to push Win7 Image (+ all the needed software packages) to 
machines at all the different sites with very small links and not once did 
anyone from the business find the network slow..




MAGNUS TVETEN
SERVER SUPPORT ENGINEER
CO CITRIX/SERVER
Insurance Australia Group Limited
Lvl 1, 23 Lakeside Drive, Burwood
Burwood East VIC 3151
Australia

T +61 3 8804 3226   M +61 411 010 460
E magnus.tve...@iag.com.aumailto:magnus.tve...@iag.com.au
www.iag.com.auhttp://www.iag.com.au
PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL.


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Thursday, 4 December 2014 12:02 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Distribution Bottleneck

Perhaps, something like NomadBranch?  ;)


From: 'Michael Mott' michael.m...@1e.commailto:michael.m...@1e.com
Reply-To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com 
mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Date: Wednesday, December 3, 2014 at 6:00 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com 
mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Distribution Bottleneck

Use a product that invokes the ACP.

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Schwan, Phil
Sent: Wednesday, December 03, 2014 2:46 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Distribution Bottleneck

No. Once you make it a Pull DP, it essentially becomes a sort of slaved client 
and uses BITS for the transfers.

DistMgr won’t move on to other packages until the PkgXferMgr reports back that 
the one it’s working on is done, so one very large package like this can tie 
everything up.

Here’s a paraphrase from Todd about how the Pull DP is supposed to work:


-  Pull content from source DP and do the processing of the content 
locally

-  DistMgr creates a snapshot and calculates the HASH

-  PkgXferMgr sends a package info bundle (XML inside of .tar) to the 
PullDP

-  PullDP opens the XML and gets a list of content from the DPLocation 
DPUrl

-  PullDP component on the DP checks to see how many of the files are 
already loaded

-  PullDP component passes list of files to DTS

-  DTS creates BITS download job

-  CCMEXEC gets the files form BITS download location and writes them 
to disk

-  SMSDPProv imports the content into the Content Library

-  PullDP creates status messages and sends to Site Server

However, you can end up encountering issues with large packages timing out, 
refreshes causing the already copied files to be deleted (meaning the whole 
thing starts over), and so on.

Among his (supported) recommendations were increasing the DistMgr thread limit, 
increasing the query interval and timeout values, and making sure you’re at 
R2CU3 (some of the issues have been fixed over the course of the last few CUs).

Hope that helps!

-Phil

_
Phil Schwan | Technical Architect, Enterprise Windows Services
Microsoft VTSP (b-phs...@microsoft.commailto:b-phs...@microsoft.com)
Project Leadership Associates|2000 Town Center, Suite 1900, Southfield, MI 48075
Lync: 312.756.1626  Mobile: 419.262.5133

Re: [mssms] RE: Distribution Bottleneck

[Troy Martin]

Well, your perspective is conjecture at best.

This is actually the second white paper in the series.  We've done much more 
than just say it works or it doesn't work.

Sounds like you know a lot more about the future of BranchCache and OSD than 
most... maybe even more than Microsoft.

Stay tuned

Sent from my iPhone

On Dec 4, 2014, at 5:27 PM, Andreas Hammarskjöld 
jun...@2pintsoftware.commailto:jun...@2pintsoftware.com wrote:

Yeah, that old chestnut! Not only does that whitepaper have a lot of 
misconceptions/confusion on how BranchCache works, with the upcoming 
BranchCache for OSD pretty much all of those arguments fall. And then we 
haven’t even covered the points where BranchCache kick butts! :)

Once we got “BranchCache for OSD” 1.0 out the door we will make an updated 
whitepaper. And yeah, did I mention its free? :)

//Andreas

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: den 4 december 2014 22:59
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Distribution Bottleneck

If you're seriously considering BranchCache as the alternate content provider 
for your organization, be sure to do your homework, by first reading a white 
paper Paul Thomsen has written:

http://www.1e.com/blog/all_resources/branchcache-right-organisation/

In the white paper, we look at the key reasons why BranchCache is not suitable 
for SCCM content distribution and examine why the expectation that BranchCache 
could be appropriate for SCCM content distribution should be questioned and 
compared to alternatives before deploying in your organization. The paper also 
reviews how BranchCache works, how it has changed over the years, and where to 
learn more.

So while BranchCache works, the bigger question is whether it's right for 
your organization's needs.

Again, do your homework first...

Sent from my iPhone

On Dec 4, 2014, at 8:53 AM, Andreas Hammarskjöld 
jun...@2pintsoftware.commailto:jun...@2pintsoftware.com wrote:
Even better, use BranchCache since its free and works great?

//Andreas

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Magnus Tveten
Sent: den 4 december 2014 04:03
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] RE: Distribution Bottleneck

AdaptivaOnesite is really good to... the way it uses the network without 
interfering with anything.

We used that to push Win7 Image (+ all the needed software packages) to 
machines at all the different sites with very small links and not once did 
anyone from the business find the network slow..




MAGNUS TVETEN
SERVER SUPPORT ENGINEER
CO CITRIX/SERVER
Insurance Australia Group Limited
Lvl 1, 23 Lakeside Drive, Burwood
Burwood East VIC 3151
Australia

T +61 3 8804 3226   M +61 411 010 460
E magnus.tve...@iag.com.aumailto:magnus.tve...@iag.com.au
www.iag.com.auhttp://www.iag.com.au
PLEASE CONSIDER THE ENVIRONMENT BEFORE PRINTING THIS EMAIL.


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Thursday, 4 December 2014 12:02 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] RE: Distribution Bottleneck

Perhaps, something like NomadBranch?  ;)


From: 'Michael Mott' michael.m...@1e.commailto:michael.m...@1e.com
Reply-To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com 
mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Date: Wednesday, December 3, 2014 at 6:00 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com 
mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Distribution Bottleneck

Use a product that invokes the ACP.

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Schwan, Phil
Sent: Wednesday, December 03, 2014 2:46 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Distribution Bottleneck

No. Once you make it a Pull DP, it essentially becomes a sort of slaved client 
and uses BITS for the transfers.

DistMgr won’t move on to other packages until the PkgXferMgr reports back that 
the one it’s working on is done, so one very large package like this can tie 
everything up.

Here’s a paraphrase from Todd about how the Pull DP is supposed to work:


-  Pull content from source DP and do the processing of the content 
locally

-  DistMgr creates a snapshot and calculates the HASH

-  PkgXferMgr sends a package info bundle (XML inside of .tar) to the 
PullDP

-  PullDP opens the XML and gets a list of content from the DPLocation 
DPUrl

-  PullDP component on the DP checks to see how many of the files

[mssms] RE: Pre-Flight Check TS is now available!!

[Troy Martin]

Thanks, I'm glad to hear :)

Please provide any feedback you have along the way...

Troy L. Martin | Product Manager, Management Infrastructure
1E | Run IT For Less
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Giroux, Eric J
Sent: Wednesday, October 8, 2014 11:49 AM
To: mdt...@lists.myitforum.com
Cc: mssms@lists.myitforum.com
Subject: [mssms] RE: Pre-Flight Check TS is now available!!

Nice work!

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Troy Martin
Sent: Tuesday, October 7, 2014 2:40 PM
To: mdt...@lists.myitforum.com
Cc: mssms@lists.myitforum.com
Subject: [MDT-OSD] Pre-Flight Check TS is now available!!

http://bit.ly/1BJjQiV


Troy L. Martin | Product Manager, Management Infrastructure
1E | Run IT For Less
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail
[1E-SuccessNow-logo]





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] RE: Pre-Flight Check TS is now available!!

[Troy Martin]

Thanks Eric :)

Troy L. Martin | Product Manager, Management Infrastructure
1E | Run IT For Less
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Giroux, Eric J
Sent: Wednesday, October 8, 2014 11:49 AM
To: mdt...@lists.myitforum.com
Cc: mssms@lists.myitforum.com
Subject: [mssms] RE: Pre-Flight Check TS is now available!!

Nice work!

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Tuesday, October 7, 2014 2:40 PM
To: mdt...@lists.myitforum.commailto:mdt...@lists.myitforum.com
Cc: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [MDT-OSD] Pre-Flight Check TS is now available!!

http://bit.ly/1BJjQiV


Troy L. Martin | Product Manager, Management Infrastructure
1E | Run IT For Less
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail
[1E-SuccessNow-logo]





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

[mssms] Pre-Flight Check TS is now available!!

[Troy Martin]

http://bit.ly/1BJjQiV


Troy L. Martin | Product Manager, Management Infrastructure
1E | Run IT For Less
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail
[1E-SuccessNow-logo]





Legal Notice: This email is intended only for the person(s) to whom it is 
addressed. If you are not an intended recipient and have received this message 
in error, please notify the sender immediately by replying to this email or 
calling +44(0) 2083269015 (UK) or +1 866 592 4214 (USA). This email and any 
attachments may be privileged and/or confidential. The unauthorized use, 
disclosure, copying or printing of any information it contains is strictly 
prohibited. The opinions expressed in this email are those of the author and do 
not necessarily represent the views of 1E Ltd. Nothing in this email will 
operate to bind 1E to any order or other contract.

RE: [mssms] Re: IBCM not working after CM12 R2 upgrade

[Troy Martin]

No problem ☺

myITforum is a great resource to helping you get IBCM going.  More 
specifically, ping Brian McDonald 
(mcdonald...@hotmail.commailto:mcdonald...@hotmail.com) directly to see if 
you can pick his brain on his experiences.

He recently completed implementing IBCM, and gained a lot of valuable advice 
and tips from this list.

I’m sure some of the pains he’s gone through to getting it working are fresh in 
his mind, and probably wouldn’t mind sharing to make things a little easier for 
you ☺

Take care ☺

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jeff Burke
Sent: Tuesday, June 3, 2014 5:24 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Re: IBCM not working after CM12 R2 upgrade

I definitely will.  Thanks Troy.

Jeff

On Mon, Jun 2, 2014 at 4:47 PM, Troy Martin 
troy.mar...@1e.commailto:troy.mar...@1e.com wrote:
Disabling CRL checking is not a best practice and would be a bad thing to do.

I would give that a second thought, and research what it would take to so that 
CRL checking can be enabled.

Essentially, clients need to be able to access the CRL Distribution Points 
whether they’re on the intranet and/or Internet.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147tel:%2B1%20%28678%29%20898-6147
UK Phone : +44 208 326 9141tel:%2B44%20208%20326%209141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com] 
On Behalf Of Jeff Burke
Sent: Monday, June 2, 2014 2:24 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] Re: IBCM not working after CM12 R2 upgrade

Forgot to post the resolution - CRL checking was enabled for PKI after upgrade. 
Once disabled, internet clients were able to communicate with the internet 
facing MP.

On Mon, Jun 2, 2014 at 2:17 PM, Jeff Burke 
jeffburk...@gmail.commailto:jeffburk...@gmail.com wrote:
Please disregard. Problem has been resolved.

Thanks,


On Mon, Jun 2, 2014 at 11:08 AM, Jeff Burke 
jeffburk...@gmail.commailto:jeffburk...@gmail.com wrote:
Hello,

I'm fairly new to SCCM.  Currently running CM12 R2, one primary and one 
internet facing MP, DP, SUP (both on Server 2008 R2).  Before upgrading to R2 
from SP1, IBCM was functioning using PKI. After upgrade, internet clients are 
not communicating.

On the clients, CcmMessaging.log states Post to 
https://ibcmsiteserver.domain.com/ccm_system/request failed with 0x87d00231

LocationServices.log shows LSUpdateInternetManagementPoints: Failed to 
retrieve internet MPs from MP 
ibcmsiteserver.domain.comhttp://ibcmsiteserver.domain.com with error 
0x87d00231, retaining previous list

Anyone run into this after the R2 upgrade?  And how did you resolve it?

Thanks,
Jeff







DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] CS.ini processes rules but doesn't install apps in ZTI deployment

[Troy Martin]

…have you tried using the Application GUID, instead of the name?

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian McDonald
Sent: Monday, June 2, 2014 9:17 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] CS.ini processes rules but doesn't install apps in ZTI 
deployment

So do the install application or install packages step(s) need to actually 
point to the app/pkg?

If so, what's the point of using the .ini file?

Brian

Sent from my iPhone

On Jun 1, 2014, at 10:45 PM, Roland Janus 
roland.ja...@hispeed.chmailto:roland.ja...@hispeed.ch wrote:
Do you actually have “multiple install” steps in the TS?
The ini will only define the variables. For installing you need steps referring 
to those.

Have you checked the smsts.log for a reference to those variables for those 
install steps?

-R


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Donnerstag, 29. Mai 2014 17:53
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com; 
mdt...@lists.myitforum.commailto:mdt...@lists.myitforum.com
Subject: [mssms] CS.ini processes rules but doesn't install apps in ZTI 
deployment

I'm using a CM12R2/MDT 2013 Integrated TS for OS deployment. Deployment to 
target HW seems to be working well, but one thing that isn't is installation of 
applications dynamically via the CS.ini file.

The ZTIGather.log shows that the rules are processed, but my apps don't 
install.  Now, if I add the steps directly to the Task Sequence using the 
Install Application or Install Package step, the apps install just fine.

Is there something wrong with my rules file? See below.

Thanks!

Brian

[Settings]
Priority=Model, ByDesktopType, ByLaptopType
Properties=MyCustomProperty

[HP ProBook 6470b]
Packages001=PS10002D:Install FingerPrint

[HP ProBook 6570b]
Packages001=PS10002D:Install FingerPrint

[HP ProBook 6460b]
Packages001=PS10002D:Install FingerPrint

[ByDesktopType]
Subsection=%DefaultGateway%-Desktop-%IsDesktop%

[ByLaptopType]
Subsection=%DefaultGateway%-Laptop-%IsLaptop%

[10.20.0.1-Desktop-True]
OSDComputerName=XYZDT-#Left(%SerialNumber%,8)#
MachineObjectOU=
Packages001=PS100016:Install FireFox
Packages002=PS100038:Install Java x64
Applications001=Google Chrome 65.223.114
Applications002=Adobe Flash Player 12.0.0.43
Applications003=Adobe Reader 11.0.0.3

[10.20.0.1-Laptop-True]
OSDComputerName=YZLT-#Left(%SerialNumber%,8)#
MachineObjectOU=
Packages001=PS100016:Install FireFox
Packages002=PS100038:Install Java x64
Applications001=Google Chrome 65.223.114
Applications002=Adobe Flash Player 12.0.0.43
Applications003=Adobe Reader 11.0.0.3







DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] Re: IBCM not working after CM12 R2 upgrade

[Troy Martin]

Disabling CRL checking is not a best practice and would be a bad thing to do.

I would give that a second thought, and research what it would take to so that 
CRL checking can be enabled.

Essentially, clients need to be able to access the CRL Distribution Points 
whether they’re on the intranet and/or Internet.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jeff Burke
Sent: Monday, June 2, 2014 2:24 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Re: IBCM not working after CM12 R2 upgrade

Forgot to post the resolution - CRL checking was enabled for PKI after upgrade. 
Once disabled, internet clients were able to communicate with the internet 
facing MP.

On Mon, Jun 2, 2014 at 2:17 PM, Jeff Burke 
jeffburk...@gmail.commailto:jeffburk...@gmail.com wrote:
Please disregard. Problem has been resolved.

Thanks,


On Mon, Jun 2, 2014 at 11:08 AM, Jeff Burke 
jeffburk...@gmail.commailto:jeffburk...@gmail.com wrote:
Hello,

I'm fairly new to SCCM.  Currently running CM12 R2, one primary and one 
internet facing MP, DP, SUP (both on Server 2008 R2).  Before upgrading to R2 
from SP1, IBCM was functioning using PKI. After upgrade, internet clients are 
not communicating.

On the clients, CcmMessaging.log states Post to 
https://ibcmsiteserver.domain.com/ccm_system/request failed with 0x87d00231

LocationServices.log shows LSUpdateInternetManagementPoints: Failed to 
retrieve internet MPs from MP 
ibcmsiteserver.domain.comhttp://ibcmsiteserver.domain.com with error 
0x87d00231, retaining previous list

Anyone run into this after the R2 upgrade?  And how did you resolve it?

Thanks,
Jeff







DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] CCMEVALTASK issue

[Troy Martin]

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM304

Description:
=
Security-conscious organizations often lock down their systems based on 
prescriptive guidance from Microsoft, US Federal government agencies or other 
security organizations. Sometimes these settings can lead to unpleasant 
surprises and unexpected side effects. This session describes and demonstrates 
some of the common issues that can arise, and whether and how those settings 
actually help or hurt.  Is there benefit to not granting Administrators the 
Debug privilege? Does Hide mechanisms to remove zone information break 
anything? Is the Require trusted path for credential entry setting worth the 
inconvenience?


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail
[Signature Banner v2]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Thursday, May 8, 2014 8:37 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] CCMEVALTASK issue


Technically, you should be able to edit the xml file and remove the check.



although, the whole point of running ccmeval using task scheduler is so that 
the client agent or its dependencies can be checked and fixed --that can't 
happen when it's being run by the client agent itself so it doesn't really make 
sense to do it as an advert. For example, if WMI is broken on the client, how 
will the deployment ever run to fix it?



Who's idea was it to disable the task scheduler? Let me guess, it was done in 
the name of security? Misguided are most security folks (quote from Yoda).



J


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com on 
behalf of Jason Wallace jaso...@outlook.commailto:jaso...@outlook.com
Sent: Thursday, May 8, 2014 4:40 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] CCMEVALTASK issue

Hi there folks

I have an issue with CCMEVAL and CCMEVALTASK which I would appreciate some 
input on please.

I have a number of Windows XP (yes, I know) systems.  On these Task Scheduler 
is disabled.

Of course this means that CCMEVAL is not going to run so we run it through an 
advertisement.  When we do that however all of the XP systems report an error 
back to the console.

Checking the clients it seems that CCMEVAL itself runs through the checks in 
its XML file and reports no significant issues but it's CCMEVALTASK which then 
kicks off and throws an error, masking any errors in the console.

Yes, the obvious thing is to enable Task Scheduler but that cannot be done on 
the XP estate so I am wondering if we can somehow prevent the check on the Task 
Scheduler component?

Thanks






DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] CCMEVALTASK issue

[Troy Martin]

Ditto...I refer to often as well :)


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail
[Signature Banner v2]

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Thursday, May 8, 2014 12:56 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] CCMEVALTASK issue


I loved that session (saw it in person) and often link to it when folks try to 
lock down their systems.



J


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com on 
behalf of Troy Martin troy.mar...@1e.commailto:troy.mar...@1e.com
Sent: Thursday, May 8, 2014 11:40 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] CCMEVALTASK issue

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM304

Description:
=
Security-conscious organizations often lock down their systems based on 
prescriptive guidance from Microsoft, US Federal government agencies or other 
security organizations. Sometimes these settings can lead to unpleasant 
surprises and unexpected side effects. This session describes and demonstrates 
some of the common issues that can arise, and whether and how those settings 
actually help or hurt.  Is there benefit to not granting Administrators the 
Debug privilege? Does Hide mechanisms to remove zone information break 
anything? Is the Require trusted path for credential entry setting worth the 
inconvenience?


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail
[Signature Banner v2]

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Thursday, May 8, 2014 8:37 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] CCMEVALTASK issue


Technically, you should be able to edit the xml file and remove the check.



although, the whole point of running ccmeval using task scheduler is so that 
the client agent or its dependencies can be checked and fixed --that can't 
happen when it's being run by the client agent itself so it doesn't really make 
sense to do it as an advert. For example, if WMI is broken on the client, how 
will the deployment ever run to fix it?



Who's idea was it to disable the task scheduler? Let me guess, it was done in 
the name of security? Misguided are most security folks (quote from Yoda).



J


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com on 
behalf of Jason Wallace jaso...@outlook.commailto:jaso...@outlook.com
Sent: Thursday, May 8, 2014 4:40 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] CCMEVALTASK issue

Hi there folks

I have an issue with CCMEVAL and CCMEVALTASK which I would appreciate some 
input on please.

I have a number of Windows XP (yes, I know) systems.  On these Task Scheduler 
is disabled.

Of course this means that CCMEVAL is not going to run so we run it through an 
advertisement.  When we do that however all of the XP systems report an error 
back to the console.

Checking the clients it seems that CCMEVAL itself runs through the checks in 
its XML file and reports no significant issues but it's CCMEVALTASK which then 
kicks off and throws an error, masking any errors in the console.

Yes, the obvious thing is to enable Task Scheduler but that cannot be done on 
the XP estate so I am wondering if we can somehow prevent the check on the Task 
Scheduler component?

Thanks






DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] Question about DP's

[Troy Martin]

Yes, 1E Nomad and other 3rd party options are more than capable at solving the 
problem being described.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.com | www.1e.com

Facebook | Twitter | YouTube | Blogs | RSS
Please consider the environment before printing this e-mail


-Original Message-
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Todd Hemsell
Sent: Tuesday, May 6, 2014 10:08 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Question about DP's

or 1e I think. not positive

On Tue, May 6, 2014 at 8:48 AM, Jeff Poling jeffpol...@yahoo.com wrote:
 PXE requires a server OS.

 Jeff


 On Tue, May 6, 2014 at 8:40 AM, Chris Carbone
 chris.carb...@fmsand.com
 wrote:

 We have a bunch of Windows 7 DP’s and wanted to start using PXE on
 some of them. Can you use Windows 7 DP and enable PXE or is at least
 server 2008 required for WDS etc?

 This electronic mail transmission may contain confidential
 information intended only for the use of the individual(s) identified as 
 addressee(s).
 If you are not the intended recipient, you are hereby notified that
 any disclosure, copying, distribution or the taking of any action in
 reliance on the contents of this electronic mail transmission is
 strictly prohibited. If you have received this transmission in error,
 please notify me by telephone immediately.












DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] So basic Application question

[Troy Martin]

+1

Sent from my iPad

 On May 2, 2014, at 9:24 AM, Matt Wilkinson mwilkin...@lcb.ac.uk wrote:

 +1

 -Original Message-
 From: Daniel Ratliff [mailto:dratl...@humana.com]
 Sent: 02 May 2014 13:58
 To: mssms@lists.myitforum.com
 Subject: RE: [mssms] So basic Application question

 +1.

 Daniel Ratliff

 -Original Message-
 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
 On Behalf Of Schwan, Phil
 Sent: Friday, May 02, 2014 8:15 AM
 To: mssms@lists.myitforum.com
 Subject: RE: [mssms] So basic Application question

 Same here...I'd definitely be interested.

 -Phil

 -Original Message-
 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
 On Behalf Of Marcum, John
 Sent: Friday, May 2, 2014 8:02 AM
 To: mssms@lists.myitforum.com
 Subject: RE: [mssms] So basic Application question

 I'd like to see this too. I'd setup a WebEx if you want to present this to a 
 couple of us.

 -Original Message-
 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
 On Behalf Of Todd Hemsell
 Sent: Friday, May 02, 2014 5:41 AM
 To: mssms@lists.myitforum.com
 Subject: Re: [mssms] So basic Application question

 Kim, Jason, and anyone else that is interested I would be glad to explain 
 this in depth to you using visio diagrams and internal email threads, but 
 only offline. I seem to be incapable of explaining this succinctly. I would 
 be glad to explain to you so you guys could explain to others.
 I even have SQL queries you can run to find these issues in your database.

 if interested email me at todd-DOT-hemsell-AT-exterran-DOT-com

 /Todd

 On Wed, Apr 30, 2014 at 2:13 PM, Todd Hemsell hems...@gmail.com wrote:
 So when a computer receives the policy for old app, and the the user
 receives it for the new app, you don't have supersedence

 sure you do provided the superseded app is deployed simulate and not
 mandatory OR if the detection rule on the older version says this
 version or greater
 In either case it will deploy the newer app, but if the older version
 is mandatory, it will then remove the newer version and install the
 older version (if the install supports it) It will go into a loop.
 Seen that a few times.

 We strictly deploy applications to EITHER users OR computers, but
 never the same app to both.

 If you deploy an app to a user and deploy the superseded version to
 the system as simulated then the app will upgrade.

 All of the scenarios I am listing out I have verified by forcing M$ to
 answer the question resulting in them going into the lab and
 reproducing the behavior. Only after they reproduce it do I add it to
 our polies and procedures.

 On Wed, Apr 30, 2014 at 1:46 PM, Kim Oppalfens kim.oppalf...@oscc.be 
 wrote:
 I'll try to explain what I know in the simplest way possible.
 (although that is hard)

 Supersedence in itself only kicks in when a resource receives a policy for 
 both the old and the new app.
 (There's some exceptions here, that I'll leave out because I am
 trying the simple approach, but a user or computer needs to receive both.) 
 So when a computer receives the policy for old app, and the the user 
 receives it for the new app, you don't have supersedence.

 On the other hand, if you only receive the new app. Supersedence will 
 uninstall the old app when detected. Even when not installed by cm.
 I think Todd is referring to the option of making a mandatory deployment to 
 users that have the available app installed, which is yet another special 
 case.

 Supersedence is actually a breeze, it gets complicated when you
 involve uninstalls :-)

 -Original Message-
 From: listsad...@lists.myitforum.com
 [mailto:listsad...@lists.myitforum.com] On Behalf Of Marcum, John
 Sent: Wednesday, April 30, 2014 5:51 PM
 To: 'mssms@lists.myitforum.com'
 Subject: RE: [mssms] So basic Application question

 That's just plain silly. Is this classified as a bug




 -Original Message-
 From: listsad...@lists.myitforum.com
 [mailto:listsad...@lists.myitforum.com] On Behalf Of Todd Hemsell
 Sent: Wednesday, April 30, 2014 10:48 AM
 To: mssms@lists.myitforum.com
 Subject: Re: [mssms] So basic Application question

 no.

 Bear in mind my deployments are to users optional as was intended.
 None of this applies if it is to system. Or some of it might apply, but I 
 do not do deployments to systems except our 60 core apps.
 The other 1,100 apps are user optional via the software center

 So for user deployments the policy comes down to the users. So for the case 
 of superseded apps SCCM only sends the policy down to a USER + COMPUTER 
 combination that it knows has the application.

 Interestingly enough it actually does send all supersedance rules to all 
 users, but those are discarded by the client and never processed.
 There is a different flag on the ones where it knows the user + computer 
 has the app.

 Yes, incredibly complicated. This is the result of a 4 

Re: [mssms] Sccm 2012 R 2 known issues related to OSD

[Troy Martin]

IIS logs will provide further information.

Sent from my iPad

On Apr 23, 2014, at 11:11 AM, Hun boy 
hun@outlook.commailto:hun@outlook.com wrote:

It was the file block setup.vbs
This vbs is in the root of the folder


And in other situation the file type is .cat this is in a sub folders...

Not have any special characters.


Yes I had come across issues with special characters specially when we have (r) 
in the name... But in this case I do not see any...

Sent from iPhonesorry for typos

On 23-Apr-2014, at 8:37 pm, JONES, RICK J 
rj7...@att.commailto:rj7...@att.com wrote:

IIS may be blocking it if the files are in a subfolder and the name of the 
subfolder had special characters or spaces in the name.


Rick J. Jones
Wireless from ATT
Domestic Desktop Application Management
D: (425) 288-6240
C: (206) 419-1104

From: Hun boymailto:hun@outlook.com
Sent: ?4/?23/?2014 7:37 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] Sccm 2012 R 2 known issues related to OSD

Ok... I need to get the logs ... Give me some time ... Pls...

Sent from iPhonesorry for typos

On 23-Apr-2014, at 8:00 pm, Niall Brady 
any...@gmail.commailto:any...@gmail.com wrote:

that is:-

The system cannot find the file specified.

Source: Windows
-

which could be for many reasons including you mistyping it's location, can you 
show us the failure in the smsts.log please to get a better hint...


On Wed, Apr 23, 2014 at 4:00 PM, Hun boy 
hun@outlook.commailto:hun@outlook.com wrote:
It is failing with error no 2... When cross verified the expected vbs file is 
not downloaded I have tried to update dp and redistribute still same


Sent from iPhonesorry for typos

On 23-Apr-2014, at 6:56 pm, Niall Brady 
any...@gmail.commailto:any...@gmail.com wrote:

what does your smsts.log file say about the missing files ?


On Wed, Apr 23, 2014 at 3:16 PM, Hun boy 
hun@outlook.commailto:hun@outlook.com wrote:
Does any one aware of sccm 2012 r2 have any bug or known issues Related to 
OSD task sequence packages are not  able download some files in packages 
folder???

Am facing a strange issues that are similar that I use to get it in sccm2007 
with WebDAV.

In sccm 2012 r2 packages are not able to download... I mean in few packages few 
files are not able to download this resulted  to failed my TS .

c:\_smstasksequence\pacakages\sitecodepackagecode.   Folder

I have already included below two TS variables even though am getting content 
downloading issues...

smstsdownloadretrycount 5
Smstsdownloadretrydelay 15

Above are included at top of the TS... Am working on bare metal TS



Sent from iPhonesorry for typos















DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] IBCM clients go to Microsoft Update for patches

[Troy Martin]

It's not so much of a need, as it is a Plan B or backup.

If for whatever reason, those clients cannot get to Microsoft Update website, 
then the DP (in DMZ) is an option is the only alternative.

My thinking is about minimizing risk - avoid orphaning IBCM clients (e.g. not 
being able to access site systems).  To do this, you build redundancy and HA 
into the design...for site systems on the Intranet AND those in the DMZ.

Along with Microsoft Update, putting a DP in the DMZ would be part of that 
design/plan.

Restating Jason's point, but in a question - If you're only distributing 
software updates to IBCM clients, then you could get away with not having a DP 
in the DMZ...but I seriously doubt that was the only use-case considered for 
your design to support.

With that said - unless Cloud DPs are part of the design -, what's the plan for 
deploying non-software updates to IBCM clients if you don't have a DP in the 
DMZ?

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 7:32 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

If the clients are going to Microsoft Update, what is the need for the DP as 
you have mentioned in your email below?

I don't want my clients going to the DP (in DMZ) to get updates.

Thanks,
Brian

From: troy.mar...@1e.commailto:troy.mar...@1e.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 21:20:25 +
Before they go to Microsoft to download the update binaries, where would they 
get the catalog from to scan against?

You need an Internet-facing SUP so IBCM clients can still download the catalog.

WSUS Catalog = SUP (in DMZ)
Binaries = 1st - Microsoft Update, 2nd- DP (in DMZ)

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 5:10 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

Jason,

Much appreciated.

One more question around this. What happens if I don't have a WSUS instance and 
SUP on the internet facing MP? Will my internet clients still go to Microsoft 
Update?

Thanks,

Brian

From: ja...@sandys.usmailto:ja...@sandys.us
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 20:54:19 +
Updates don't come from the SUP (or the WSUS instance) in ConfigMgr, they come 
from the DP (for internal clients). The WSUS instance provides the update 
catalog (and EULAs), and not updates.

For clients on the Internet however, they will get the updates from Microsoft 
instead of the DP - the SUP (and its underlying WSUS instance) plays no part in 
clients getting the updates. This is simply the defined behavior. I said 
default before although that's not accurate because default implies that you 
can change this behavior which you can't.

So, as mentioned, you still need an Internet facing MP to deliver policy and an 
internet facing WSUS instance (with the SUP role installed to control and 
communicate with that WSUS instance) to deliver your organization's update 
catalog to clients on the Internet.

J


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 3:01 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

I'm a little confused by this.

I have an IBCM MP/DP right now and IBCM clients are working properly.

I want my clients while on the internet to go to Microsoft Update (not my 
internet facing MP/DP/SUP).

Are you saying the default behavior is for my internet clients to 

RE: [mssms] IBCM clients go to Microsoft Update for patches

[Troy Martin]

Before they go to Microsoft to download the update binaries, where would they 
get the catalog from to scan against?

You need an Internet-facing SUP so IBCM clients can still download the catalog.

WSUS Catalog = SUP (in DMZ)
Binaries = 1st - Microsoft Update, 2nd- DP (in DMZ)

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 5:10 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

Jason,

Much appreciated.

One more question around this. What happens if I don't have a WSUS instance and 
SUP on the internet facing MP? Will my internet clients still go to Microsoft 
Update?

Thanks,

Brian

From: ja...@sandys.usmailto:ja...@sandys.us
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 20:54:19 +
Updates don't come from the SUP (or the WSUS instance) in ConfigMgr, they come 
from the DP (for internal clients). The WSUS instance provides the update 
catalog (and EULAs), and not updates.

For clients on the Internet however, they will get the updates from Microsoft 
instead of the DP - the SUP (and its underlying WSUS instance) plays no part in 
clients getting the updates. This is simply the defined behavior. I said 
default before although that's not accurate because default implies that you 
can change this behavior which you can't.

So, as mentioned, you still need an Internet facing MP to deliver policy and an 
internet facing WSUS instance (with the SUP role installed to control and 
communicate with that WSUS instance) to deliver your organization's update 
catalog to clients on the Internet.

J


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 3:01 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

I'm a little confused by this.

I have an IBCM MP/DP right now and IBCM clients are working properly.

I want my clients while on the internet to go to Microsoft Update (not my 
internet facing MP/DP/SUP).

Are you saying the default behavior is for my internet clients to go to 
Microsoft Update to get updates, not my IBCM SUP? Is this correct?

How does it know to go to Microsoft Update and not my IBCM SUP?

Finally, my requirements would be an internet facing MP/DP/SUP and clients 
would still go to Microsoft Update?

Thanks,

Brian

From: ja...@sandys.usmailto:ja...@sandys.us
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 19:54:44 +
Yes, MPs are mandatory. All ConfigMgr clients must be able to communicate with 
an MP to retrieve policy and submit inventory, state messages, status messages, 
etc.. For Internet based clients, this must be an Internet-facing MP.

And yes, for software updates, a SUP with an underlying WSUS is also mandatory. 
All ConfigMgr clients that you wish to update using Software Updates must be 
able to communicate with the WSUS instance to download the update catalog for 
your organization and EULAs. For Internet based clients, this must be an 
Internet facing SUP  WSUS instance.

These don't have to be on the same system but certainly can be and usually are 
in many organizations.

J

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, April 15, 2014 2:42 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches

For clarification, I need to have WSUS installed/configured on the internet 
facing MP? What is this mandatory?

Brian

From: ja...@sandys.usmailto:ja...@sandys.us
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] IBCM clients go to Microsoft Update for patches
Date: Tue, 15 Apr 2014 19:36:52 +
This is default behavior in 2012. They still need access to the Internet facing 
MP and WSUS instance, but actual binaries for the updates will come from 
Microsoft.

J

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 

Re: [mssms] SQL query to get status messages?

[Troy Martin]

Take a look/search on John Nelson's blog on myITforum...

Sent from my iPhone

On Mar 28, 2014, at 10:45 AM, Daniel Ratliff 
dratl...@humana.commailto:dratl...@humana.com wrote:

Has anyone ever done any SQL queries to gather status messages?  Any ideas on 
how I can get this data?

I can get just about any columns I need, but not the actual message itself!

My query
select top 1000 *
from v_statusmessage MSG INNER JOIN
 v_statmsgattributes ATT ON MSG.RecordID = ATT.RecordID INNER JOIN
   v_StatMsgInsStrings INS ON MSG.RecordID = INS.RecordID INNER JOIN
   v_StatMsgWithInsStrings WINS ON MSG.RecordID = WINS.RecordID

If I look at the canned report All messages for a specific message ID in SSRS, 
they are using an expression to populate the column, that's pulling all kinds 
of strings in?

SSRS expression
=SrsResources.Localization.GetStatusMessage(Fields!MessageID.Value, 
Fields!Severity.Value, Fields!MsgDLLName.Value,  User!Language, 
Fields!InsString1.Value, Fields!InsString2.Value, Fields!InsString3.Value, 
Fields!InsString4.Value, Fields!InsString5.Value, Fields!InsString6.Value, 
Fields!InsString7.Value, Fields!InsString8.Value, Fields!InsString9.Value, 
Fields!InsString10.Value)

Canned SQL Query
select top 1000 smsgs.RecordID,
CASE smsgs.Severity
WHEN -1073741824 THEN 'Error'
WHEN 1073741824 THEN 'Informational'
WHEN -2147483648 THEN 'Warning'
ELSE 'Unknown'
 END As 'SeverityName',
smsgs.MessageID, smsgs.Severity, modNames.MsgDLLName, smsgs.Component, 
smsgs.MachineName, smsgs.Time, smsgs.SiteCode, smwis.InsString1, 
smwis.InsString2, smwis.InsString3, smwis.InsString4, smwis.InsString5, 
smwis.InsString6, smwis.InsString7, smwis.InsString8, smwis.InsString9, 
smwis.InsString10
from fn_rbac_StatusMessage(@UserSIDs)  smsgs
join fn_rbac_StatMsgWithInsStrings(@UserSIDs)  smwis on smsgs.RecordID = 
smwis.RecordID
join fn_rbac_StatMsgModuleNames(@UserSIDs)  modNames on smsgs.ModuleName = 
modNames.ModuleName
where smsgs.MessageID = @msgId
Order by smsgs.Time DESC



Daniel Ratliff


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] CU1 available...

[Troy Martin]

I thought using WinPE 3.1 was the workaround for the bootsect isssue.

Are you saying that after installing CU1, WinPE 3.1 boot images is no longer 
required when migrating Windows XP machines?

Sent from my iPhone

On Mar 28, 2014, at 3:03 PM, Michael Niehaus 
michael.nieh...@microsoft.commailto:michael.nieh...@microsoft.com wrote:

For #2, CU1 does solve the BOOTSECT.EXE issue when using Windows PE 3.x to do 
Windows XP-Windows 8.1 using the process Aaron posted to the ConfigMgr blog.  
But otherwise, the process is unchanged and will soon be completely unsupported 
as Rod mentioned.

Thanks,
-Michael

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Rod Trent
Sent: Friday, March 28, 2014 11:51 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] CU1 available...

Per the description page (http://support.microsoft.com/kb/2938441), yes those 
KBs are included.

As for USMT 8.1, not sure what you're asking there. Windows XP support ends on 
April 8, 2014. Enterprises using System Center will still be able to support 
Windows XP migrations, but I assume even that will expire at some point.


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Radu Bogdan
Sent: Friday, March 28, 2014 2:45 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] CU1 available...

Hi,

Two questions please:

1. This CU1 also include KB2905002 or KB2910552 ?

2. Installing CU1, in case of migration scenarios, USMT 8.1 brings back support 
for Windows XP now ?

Thank you.


From: Rod Trentmailto:rodtr...@myitforum.com
Sent: Friday, March 28, 2014 4:58 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] CU1 available...

Also, includes new PowerShell functionality and fixes...

http://windowsitpro.com/configuration-manager/cu1-system-center-configuration-manager-2012-r2-released








DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] CU1 available...

[Troy Martin]

Ok...thanks

Sent from my iPhone

On Mar 28, 2014, at 5:41 PM, Michael Niehaus 
michael.nieh...@microsoft.commailto:michael.nieh...@microsoft.com wrote:

Windows PE 3.1 is required to support some deployment scenarios.

The BOOTSECT issue exists even when using Windows PE 3.1; CU1 fixes that so it 
correctly uses the older BOOTSECT.

Thanks,
-Michael

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Friday, March 28, 2014 2:26 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] CU1 available...

I thought using WinPE 3.1 was the workaround for the bootsect isssue.

Are you saying that after installing CU1, WinPE 3.1 boot images is no longer 
required when migrating Windows XP machines?

Sent from my iPhone

On Mar 28, 2014, at 3:03 PM, Michael Niehaus 
michael.nieh...@microsoft.commailto:michael.nieh...@microsoft.com wrote:
For #2, CU1 does solve the BOOTSECT.EXE issue when using Windows PE 3.x to do 
Windows XP-Windows 8.1 using the process Aaron posted to the ConfigMgr blog.  
But otherwise, the process is unchanged and will soon be completely unsupported 
as Rod mentioned.

Thanks,
-Michael

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Rod Trent
Sent: Friday, March 28, 2014 11:51 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] CU1 available...

Per the description page (http://support.microsoft.com/kb/2938441), yes those 
KBs are included.

As for USMT 8.1, not sure what you're asking there. Windows XP support ends on 
April 8, 2014. Enterprises using System Center will still be able to support 
Windows XP migrations, but I assume even that will expire at some point.


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Radu Bogdan
Sent: Friday, March 28, 2014 2:45 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] CU1 available...

Hi,

Two questions please:

1. This CU1 also include KB2905002 or KB2910552 ?

2. Installing CU1, in case of migration scenarios, USMT 8.1 brings back support 
for Windows XP now ?

Thank you.


From: Rod Trentmailto:rodtr...@myitforum.com
Sent: Friday, March 28, 2014 4:58 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] CU1 available...

Also, includes new PowerShell functionality and fixes...

http://windowsitpro.com/configuration-manager/cu1-system-center-configuration-manager-2012-r2-released








DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] MP Issue

[Troy Martin]

When using HTTPS, the servername and SANs used to create the certificate should 
be used.

Also, when browsing to the HTTPS URL, the browser session (in IE or whatever 
browser being used) needs to have a Client Authentication certificate assigned 
to it.

Let me explain...

When an IBCM client connects to the site systems in the DMZ, this is happening 
under the local system account of the OS - which has access to the Client 
Authentication certificate and is able to present it to the site system during 
the mutual authentication process e.g. The IBCM client authenticates the site 
system using the site system's Server Authentication certificate, and the site 
system authenticates the IBCM client using the client's Client Authentication 
certificate.

Well, when you (Brian) attempt to do the same by browsing to 
https://server/SMS_mp/.sms_aut?mplist, you're doing so NOT by the local system 
account of the operating system of the computer browsing from, but under your 
own account used to logon to the computer.  When you do that, your account 
(used to open the browser) does not have access to the Client Authentication 
certificate in the local computer's certificate cert store.  The Client 
Authentication cert was imported into the Certificate computer store (e.g. 
Local system) during the PKI enrollment process...however that's being 
accomplished.

So when you browse to the URL, the site system presents the browser (e.g. You) 
it's Server Authentication certificate...but your browser session (e,g. You) do 
not have a Client Authentication certificate to present to the site system 
server.

...and hence, your denied access to the page with a 403.7 Forbidden error.  The 
key to the error message below is in the bolded-underlined parts of the error 
below.


The page you are attempting to access requires your browser to have a Secure 
Sockets Layer (SSL) client certificate that the Web server recognizes.

To get around this, you need to create or enroll with your PKI to have a Client 
Authentication cert created for yourself and then imported into your the User 
certificate store on the computer browsing from.

Then you should be able to browse to the HTTPS URL...

Sent from my iPad

On Mar 27, 2014, at 11:04 PM, Brian McDonald 
mcdonald...@hotmail.commailto:mcdonald...@hotmail.com wrote:

Basically when I change the MP setting to HTTPS it stops working. If configured 
with HTTP all errors go away.

Hmmm...

Brian

Sent from my iPhone

On Mar 27, 2014, at 5:21 PM, Brian McDonald 
mcdonald...@hotmail.commailto:mcdonald...@hotmail.com wrote:

I have just installed a MP in my DMZ and have a few errors in the MPcontrol.log 
I'm troubleshooting.

If I browse to https://server/sms_mp/.sms_aut?/mplist or 
http://server/sms_mp/.sms_aut?mpcert from my browser I'm getting an HTTP Error 
403.7 Forbidden error.

The page you are attempting to access requires your browser to have a Secure 
Sockets Layer (SSL) client certificate that the Web server recognizes.

The MPcontrol.log states the following:

Failed to retrieve client certificate. Error -2147467259
SMS_MP_CONTROL_MANAGER3/27/2014 4:44:40 PM244 (0x00F4)
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.
SMS_MP_CONTROL_MANAGER3/27/2014 4:44:40 PM244 (0x00F4)
Http test request failed, error code is -2147467259.SMS_MP_CONTROL_MANAGER  
  3/27/2014 4:54:40 PM244 (0x00F4)

This is an IBCM MP/DP that has the following certs installed: ConfigMgr Client 
Cert, ConfigMgr Web Cert and ConfigMgr DP Cert.

I have attempted to restart the SMS Executive Service on the MP.  I have also 
restarted the IIS service.

Any input would be greatly appreciated.

Thanks,

Brian






DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] DMZ CM servers

[Troy Martin]

+1




From: listsad...@lists.myitforum.com listsad...@lists.myitforum.com on behalf 
of Rich Coulter rich.coul...@aos5.com
Sent: Saturday, February 08, 2014 5:36 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] DMZ CM servers


There’s no hard and fast rule about which needs to be setup first, but it 
usually helps the have the PKI setup with the servers being built and the certs 
issued after the servers are up.


Rich

Sent from my iPhone

On Feb 7, 2014, at 9:17 AM, Brian McDonald 
mcdonald...@hotmail.commailto:mcdonald...@hotmail.com wrote:

Thanks Troy - yup this is the plan.


Question - should I implement PKI before building out the two servers in the 
DMZ? Does it matter?


Thanks,
Brian


From: troy.mar...@1e.commailto:troy.mar...@1e.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] DMZ CM servers
Date: Thu, 6 Feb 2014 18:03:04 +


For security reasons, I would strongly consider splitting the site roles across 
multiple servers…based upon the type of protocol used to communicate with IIS:



• All HTTP-enabled roles on Server A

o   FSP

o   PKI CRL-DP (Note: this is not a ConfigMgr site role.  However, it is 
required if you the site is configured with CRL Checking enabled (and you 
absolutely should if you want the best security scenario :))

• All HTTPS-enabled roles on Server B

o   DP

o   MP

o   SUP



Troy L. Martin | Principal Consultant

1E | Empowering Efficient IT

US Mobile: +1 (678) 898-6147[X]

UK Mobile : +44 782 655 0296[X]

troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/



Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/

Please consider the environment before printing this e-mail



From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Thursday, February 6, 2014 3:27 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] DMZ CM servers



I'm going to be building two servers in the DMZ to support IBCM.



One server will host FSP and the CRL website. I'm going to have another server 
that will have Software Update Point, Management Point and Distribution Point 
roles. Would these servers be best served with Client or Server OS? I don't 
have a need for PXE booting to these servers, so not sure why I wouldn't just 
throw Windows 7 or Windows 8.1 on these two machines. Unless there are other 
requirements I am overlooking.



Thanks everyone,



Brian






DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.




CONFIDENTIALITY NOTICE: This electronic mail transmission (including any 
accompanying attachments) is intended solely for its authorized recipient(s), 
and may contain confidential and/or legally privileged information. If you are 
not an intended recipient, or responsible for delivering some or all of this 
transmission to an intended recipient, be aware that any review, copying, 
printing, distribution, use or disclosure of the contents of this message is 
strictly prohibited. If you have received this electronic mail message in 
error, please delete it from your system without copying it, and contact sender 
immediately by Reply e-mail, or by calling 913-307-2300, so that our address 
records can be corrected.

Although this e-mail and any attachments are believed to be free of any virus 
or other defect that might negatively affect any computer system into which it 
is received and opened, it is the responsibility of the recipient to ensure 
that it is virus free and no responsibility is accepted by the sender for any 
loss or damage arising in any way in the event that such a virus or defect 
exists.

RE: [mssms] Clients ignoring boundaries

[Troy Martin]

Multiple nics (wired/wireless)...connected to two different subnets?  If so, 
make sure the nic connected to the desired boundary the preferred DP(s) 
connected to, is the only nic that is ENABLED.

Is the site/location/subnet behind a Nat'ed firewall, masking/spoofing all the 
client's IP?

Is the Proxy Settings configured in the ConfigMgr control panel applet?

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Mobile : +44 782 655 0296
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of David O'Brien
Sent: Friday, February 7, 2014 7:45 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Clients ignoring boundaries

Hi all,

clients in a site are all ignoring the configured boundaries.

1 central DP in biggest location
lots of remote DPs

All boundaries are IP ranges, all boundaries are members of respective Boundary 
Groups and remote DP is assigned to Boundary Group as FAST Site System for 
Content Location.
All DPs have fallback disabled!

Client in remote location now asks MP for content location and MP_Location.log 
shows me this:
adding client's assigned site as FALLBACK

This means that the MP thinks the client is outside of any boundary, still the 
MP tells the client to go to the central DP and get the content.

First: I already tried IP range for that one client, IP Subnet and even AD 
Site, that client is always put into FALLBACK.
Second: If that would be the case, why is it redirected to the central DP?

The MP seems to work fine. I can create new collections, put machines into 
those, create new Deployments and those machines will get the deployment. So I 
believe I can rule out a misbehaving MP, at least for that part.

Version is 2012 SP1 CU3.

Any idea?

---
David
http://www.david-obrien.net





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] DMZ CM servers

[Troy Martin]

For security reasons, I would strongly consider splitting the site roles across 
multiple servers...based upon the type of protocol used to communicate with IIS:


* All HTTP-enabled roles on Server A

o   FSP

o   PKI CRL-DP (Note: this is not a ConfigMgr site role.  However, it is 
required if you the site is configured with CRL Checking enabled (and you 
absolutely should if you want the best security scenario :))

* All HTTPS-enabled roles on Server B

o   DP

o   MP

o   SUP

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Mobile : +44 782 655 0296
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian McDonald
Sent: Thursday, February 6, 2014 3:27 PM
To: mssms@lists.myitforum.com
Subject: [mssms] DMZ CM servers

I'm going to be building two servers in the DMZ to support IBCM.

One server will host FSP and the CRL website. I'm going to have another server 
that will have Software Update Point, Management Point and Distribution Point 
roles. Would these servers be best served with Client or Server OS? I don't 
have a need for PXE booting to these servers, so not sure why I wouldn't just 
throw Windows 7 or Windows 8.1 on these two machines. Unless there are other 
requirements I am overlooking.

Thanks everyone,

Brian





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] SCCM 2012, PKI and ICBM

[Troy Martin]

Scenario 4: Internet connections into the intranet - 
http://technet.microsoft.com/en-us/library/bb632529.aspx

...but is also arguably the least secure, because your allowing IBCM clients to 
communicate directly with site systems over the Internet.  Intranet clients are 
also communicating with the same.

I prefer Scenario 3 with SQL Server 
Replicahttp://technet.microsoft.com/en-us/library/bb694250.aspx because IBCM 
client traffic is isolated/restricted to communicating only with site systems 
in the DMZ.  Also in this scenario, site systems in the DMZ (should be) are 
restricted from initiating communications with the site server and site 
database sever on the intranet.  This is achieved in three ways:

- no firewall rules should be configured allowing inbound traffic originating 
from the site systems in the DMZ

- All site systems should be configured to Allow site server initiated 
communications with this site system

- SQL Server Replication should be configured for Push Replication, where the 
SQL Server (on the intranet) hosting the site database initiates communication 
with the SQL Server in the DMZ that is hosting the replica copy of the site 
database.  The MP site system in the DMZ communicates with directly with the 
SQL Server in the DMZ when reading the replica site database.

When dealing with traffic initiated (from devices) over the Internet, it's not 
about what's the easiest, but what is the most secure.

Sent from my iPad

On Feb 1, 2014, at 5:39 PM, Brian McDonald 
mcdonald...@hotmail.commailto:mcdonald...@hotmail.com wrote:

Thanks Troy - any recommendations on which one is the 'easiest' to setup?

Brian

From: troy.mar...@1e.commailto:troy.mar...@1e.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sat, 1 Feb 2014 11:45:28 +


…there are several 
optionshttp://technet.microsoft.com/en-us/library/bb693824.aspx to consider, 
with – I believe - Scenario 3 with SQL Server 
Replicahttp://technet.microsoft.com/en-us/library/bb694250.aspx being the 
most secure and the one I’ve successfully implemented at several customers.



Don’t worry about the documentation being for ConfigMgr 2007…everything still 
applies to 2012.



Microsoft did not include the IBCM supported scenarios documentation in 2012.



Troy L. Martin | Principal Consultant

1E | Empowering Efficient IT

US Mobile: +1 (678) 898-6147

UK Mobile : +44 782 655 0296

troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/



Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/

Please consider the environment before printing this e-mail



From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Friday, January 31, 2014 10:36 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM



So, it's official. The decision has been made PKI and ICBM. :(

I have two domains. 1 internal Domain ABC.domain and 1 DMZ ABC0.domain.

The requirement is to be able to leverage PKI and ICBM for internet clients.

Therefore, my requirements would be:

1) PKI Infrastructure
2) Would I absolutely have to have a Standalone DP in my DMZ? I do not have any 
workgroup clients in the DMZ?

Seems to me there would be another way or methods to accomplish this w/o having 
to install a DP in the DMZ. Please correct me if I'm wrong.
Thanks,

Brian




From: t3chn...@hotmail.commailto:t3chn...@hotmail.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sun, 26 Jan 2014 13:32:01 -0700

Another good resource that I keep on hand …



http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx





From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Friday, January 24, 2014 8:05 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM



Discussing this with my counterpart now.



No, we do not have a PKI infrastructure. I came across this recently. There may 
be other sources out there but this does seem fairly straight forward.



http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx



I'm entirely new to PKI, so any direction would be nice.



Thanks,

Brian



From: eric.morri...@hotmail.commailto:eric.morri...@hotmail.com
To: 

RE: [mssms] SCCM 2012, PKI and ICBM

[Troy Martin]

...there are several 
optionshttp://technet.microsoft.com/en-us/library/bb693824.aspx to consider, 
with - I believe - Scenario 3 with SQL Server 
Replicahttp://technet.microsoft.com/en-us/library/bb694250.aspx being the 
most secure and the one I've successfully implemented at several customers.

Don't worry about the documentation being for ConfigMgr 2007...everything still 
applies to 2012.

Microsoft did not include the IBCM supported scenarios documentation in 2012.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Mobile : +44 782 655 0296
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Brian McDonald
Sent: Friday, January 31, 2014 10:36 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

So, it's official. The decision has been made PKI and ICBM. :(

I have two domains. 1 internal Domain ABC.domain and 1 DMZ ABC0.domain.

The requirement is to be able to leverage PKI and ICBM for internet clients.

Therefore, my requirements would be:

1) PKI Infrastructure
2) Would I absolutely have to have a Standalone DP in my DMZ? I do not have any 
workgroup clients in the DMZ?

Seems to me there would be another way or methods to accomplish this w/o having 
to install a DP in the DMZ. Please correct me if I'm wrong.
Thanks,

Brian


From: t3chn...@hotmail.commailto:t3chn...@hotmail.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sun, 26 Jan 2014 13:32:01 -0700
Another good resource that I keep on hand ...

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Friday, January 24, 2014 8:05 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Discussing this with my counterpart now.

No, we do not have a PKI infrastructure. I came across this recently. There may 
be other sources out there but this does seem fairly straight forward.

http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx

I'm entirely new to PKI, so any direction would be nice.

Thanks,

Brian

From: eric.morri...@hotmail.commailto:eric.morri...@hotmail.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Wed, 22 Jan 2014 09:29:09 -0600
Setting up IBCM in 2012 is a breeze compared to the 2007 days.

I've configured IBCM in both versions and as long as you have basic PKI 
understanding, you shouldn't have too many roadblocks.

In the environment you are going to use to set it up, do you already have PKI 
setup with machine certificates deployed, specifically workstations to be 
managed over the internet? You'll also need to either stand up a new site 
system server in your DMZ, or have the ports reverse proxy to your primary site 
server. If you're going to do Software Distribution, Software Updates, and App 
Catalog, then you'll need to make sure those roles are setup as HTTPS and the 
appropriate web server cert in IIS and make sure the roles allow intranet and 
internet. After that it's just a matter of making sure the clients have the 
public fqdn configured for IBCM and that the firewall ports are open.

Now, if DA is the option like so many suggested, definitely go that route... :)

Thanks,

Eric Morrison

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, January 21, 2014 2:52 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com; 
mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] SCCM 2012, PKI and ICBM

Hey everyone,

Just out of curiosity, how many hours would you estimate it would take to setup 
a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to 
implement and I have no idea what to guestimate for hours. Looking for someone 
who has experience with implementing both PKI and ICBM that might be able to 
give me a rough idea of how many hours this would take. From what I've read 
ICBM is complex to setup, but that was back in CM07. Not sure how much has 
changed with CM12.

Thanks,

Brian

[mssms] RE: Rolling with SCCM 2012 SP1 tonight

[Troy Martin]

...you can leave it blank.  ConfigMgr SUP agent will know how to install it.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Linkey, Mike
Sent: Tuesday, January 7, 2014 2:56 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

Do you have to put any special command line parameters in there for this or 
just leave it blank?

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Monday, January 06, 2014 3:36 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

+1

Save yourself the hassle and use SCUP to deploy SP1 and CU3

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Barnes,Chris
Sent: Monday, January 6, 2014 3:09 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

Correct, it will only work to upgrade to SP1, or R2, not the CU's in between.

That one bit me as well. I used SCUP to deploy the CU with no issues.


Chris Barnes
Senior Technical Specialist - Penske Automotive Group

cbar...@penskeautomotive.commailto:cbar...@penskeautomotive.com
Desk:  (248) 648-2528
Cell: (248) 767-4415

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Ewing, Scott L
Sent: Monday, January 6, 2014 3:02 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

Automatic Client Upgrade will not deploy Cumulative Update client upgrades. It 
only works for Service Pack upgrades (I think).

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Lindenfeld, Ivan
Sent: Monday, January 06, 2014 2:39 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

We are rolling SP1 no CU tonight to workstations, same to servers Sunday then 
upgrading to CU3 and enabling Automatic Client Upgrade that day as well.

We told our users not to expect stability until CU 3 is deployed.

Is it that bad without it?  We don't use OSD.

Ivan Lindenfeld
Sr. Systems Engineer
Enterprise Deployment / SCCM

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael
Sent: Monday, January 06, 2014 2:10 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

Are you going to CU3 at least?

http://support.microsoft.com/kb/2882125


Michael Dzikowski
Senior Systems Engineer |  Ally Technical Infrastructure - Windows Hosting
[cid:image002.gif@01CDF887.776259A0]

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Lindenfeld, Ivan
Sent: Monday, January 06, 2014 12:31 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

Many thanks.

Ivan Lindenfeld
Sr. Systems Engineer
Enterprise Deployment / SCCM
Fidelity National Financial | Jacksonville, Florida
ivan.lindenf...@fnf.commailto:ivan.lindenf...@fnf.com | 904 854 8178

Team email: enterprisedeploym...@fnf.commailto:enterprisedeploym...@fnf.com
Teamsite: Enterprise Deployment / 
SCCMhttps://teamsites.fnf.com/sites/technology/apps/sccm/Pages/default.aspx

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael
Sent: Monday, January 06, 2014 12:15 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: Rolling with SCCM 2012 SP1 tonight

You'll want this handy:
http://myitforum.com/myitforumwp/docs/configuration-manager-2012-sp1-issues-and-resolutions

[mssms] RE: RBAC question

[Troy Martin]

Is DEFAULT security scope still associate with the Administrative Users in 
question?  DEFAULT security scope is applied to all newly created objects - by 
default, of course - unless you change/(re)set Security Scopes on the object(s).

If DEFAULT security scope is still set on an object, then ALL Administrative 
Users that have DEFAULT security scope assigned to them will be able to see 
the object(s).

Administrative Users = WHO
Security Scope = WHAT is VISIBLE to WHO
Security Role = what WHO can DO to the VISIBLE object(s)


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kent, Mark
Sent: Monday, December 9, 2013 8:57 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: RBAC question

I did not, I will check that out!

It's not a big deal if they can see the items, I just thought less clutter in 
their console the better...less confusion.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing  Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael
Sent: Friday, December 6, 2013 11:51 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: RBAC question

Have you checked out the RBA Viewer?

http://www.microsoft.com/en-us/download/details.aspx?id=29265
http://anoopcnair.com/2012/06/29/sccm-configmgr-2012-how-to-use-rba-viewer-rbaviewer-exe/

Michael Dzikowski


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Wednesday, December 04, 2013 3:59 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RBAC question

I have been doing some testing with this and noticed that, even though 
restricted groups don't have access to certain objects, they still see 
virtually everything in the console and open the items and look them over.  For 
example, if I give someone just the Remote Control role, they still see 
Administration, Monitoring, etc.  I thought with RBAC it was only supposed to 
show what they have access to?  Am I missing something here?  Thanks.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing  Technology Services - SUNY Buffalo State








DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] RE: RBAC question

[Troy Martin]

Np...thanks Mark

Sent from my iPhone

On Dec 10, 2013, at 11:47 AM, Mark Mears 
mark.me...@cireson.commailto:mark.me...@cireson.com wrote:

Troy,
That is probably the best explanation of that I have heard.  Nice job!

Thanks,



Mark Mears
mark.me...@cireson.commailto:mark.me...@cireson.com%0d
Phone: (757) 945-2651


image005.pnghttp://www.cireson.com/


image006.jpghttp://twitter.com/teamcireson  Check out our System Center App 
Store: www.cireson.com/app-store






From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Troy Martin
Sent: Tuesday, December 10, 2013 10:30 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: RBAC question

Is DEFAULT security scope still associate with the Administrative Users in 
question?  DEFAULT security scope is applied to all newly created objects - by 
default, of course - unless you change/(re)set Security Scopes on the object(s).

If DEFAULT security scope is still set on an object, then ALL Administrative 
Users that have DEFAULT security scope assigned to them will be able to see 
the object(s).

Administrative Users = WHO
Security Scope = WHAT is VISIBLE to WHO
Security Role = what WHO can DO to the VISIBLE object(s)


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Phone : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Monday, December 9, 2013 8:57 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: RBAC question

I did not, I will check that out!

It's not a big deal if they can see the items, I just thought less clutter in 
their console the better...less confusion.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing  Technology Services - SUNY Buffalo State

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael
Sent: Friday, December 6, 2013 11:51 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RE: RBAC question

Have you checked out the RBA Viewer?

http://www.microsoft.com/en-us/download/details.aspx?id=29265
http://anoopcnair.com/2012/06/29/sccm-configmgr-2012-how-to-use-rba-viewer-rbaviewer-exe/

Michael Dzikowski


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kent, Mark
Sent: Wednesday, December 04, 2013 3:59 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: [mssms] RBAC question

I have been doing some testing with this and noticed that, even though 
restricted groups don't have access to certain objects, they still see 
virtually everything in the console and open the items and look them over.  For 
example, if I give someone just the Remote Control role, they still see 
Administration, Monitoring, etc.  I thought with RBAC it was only supposed to 
show what they have access to?  Am I missing something here?  Thanks.

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing  Technology Services - SUNY Buffalo State








DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.





inline: image005.pnginline: image006.jpg

RE: [mssms] SCCM 2007 - Control versioning

[Troy Martin]

What about using ZTITatoo.wsf and ZTITatoo.mof, found in MDT?  You could 
modify/copy from this to make your own solution.

All the work is already done :)

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 758 530 0940
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dean Cunningham
Sent: Thursday, November 21, 2013 8:54 AM
To: mssms@lists.myitforum.com
Subject: [mssms] SCCM 2007 - Control versioning

Hi!

I would like to put something in the main WIM build (Major version) and 
something in the task sequence (minor version) so I can keep track of the build 
version of the SOE.
The idea is that I can run a SCCM report against al systems and work out the 
build level of servers and workstations.
The idea is that if there is a known problem with a certain build, we can 
identify all affected machines and remediate
I was looking at doing something like this and tweak the registry at the end of 
the task sequence
http://www.techrepublic.com/blog/user-support/change-the-oem-information-in-the-windows-system-properties-panel-to-your-own/

but , out of the box SCCM does not appear to report on this.
How can I get it to report on this?
or alternatively...

How do the rest of you keep track of versions?

I want to stamp the version at the task sequence level, not at the WIM

SCCM 2007 SP2 (yes I know) and MDT

cheers









DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] 1E nomad documentation - help

[Troy Martin]

help.1e.com

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 0758 530 0940
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hun boy
Sent: Friday, November 8, 2013 7:57 AM
To: mssms lists.myitforum.com
Subject: [mssms] 1E nomad documentation - help

Can any one help me to share the product documentation for 1E nomad 2012?

I am trying to understand the implementation ...hence looking for 
the Nomad 1E 2012 documentation...





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: [mssms] ConfigMgr 2012 SP1 CU3: OSD Client fails to communicate with MP

[Troy Martin]

Trevor,

To confirm that the client is truly communicating with IIS on the MP - from 
the MP -, go to and open Inetpub\Logs\W3SVC1\most recent logfile.   
Starting from the bottom, look for lines with the vidr/URL entry like 
CCM_System_WindowsAuth/Request.

Most likely you're going to see 401 (unauthorized access) entries/return codes. 
 That's telling you that the client is trying to register (and is able to 
communicate with the MP), but the MP is not authorizing the registration 
request.

I think what you're seeing is an authentication issue, where the client being 
built is not trusted by the MP because it (the client) is in a Workgroup.

By default, that vdir only has Windows Authentication (trusted/domain-joined) 
enabled...For kicks, configure the Authentication property of the vdir above to 
enable Anonymous Authentication.

If the client still does not get registered with Anonymous enabled, then if you 
have AD Sites as boundaries, trying changing them to IP ranges instead.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 758 530 0940
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Trevor Sullivan
Sent: Friday, November 1, 2013 5:51 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] ConfigMgr 2012 SP1 CU3: OSD Client fails to communicate 
with MP

Andrew,

Thanks for the response. Yes, I was aware that the SLP is still configured in 
the registry. I did verify that it was being configured, as long as I specified 
the SMSMP client installation property in the Setup Windows and ConfigMgr step. 
I believe that the SMSSLP registry value was left blank if I did not specify 
SMSMP.

Here's the PowerShell command to verify the SMSSLP value:

(Get-ItemProperty -Path HKLM:\Software\Microsoft\CCM -Name SMSSLP).SMSSLP;

Even with the SMSSLP registry value configured, the workgroup client fails 
automatic site assignment in the full operating system.

Another symptom I noticed was in the CIDownloader.log file. I think you're on 
to something with the whole thing around CI-based task sequence items, but I 
still think the root cause is somehow related to client site assignment.

GenerateDCMUrlPrefix failed (0x80004005).
CIDownloaderJob({70F1A50C-CAE6-4021-8287-88876E5EDFFE}): DownloadPackages 
failed (0x80004005).
CIDownloaderJob({70F1A50C-CAE6-4021-8287-88876E5EDFFE}): StartDownload failed 
(0x80004005).

Cheers,
Trevor Sullivan

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Craig Andrew (OIZ)
Sent: Friday, November 1, 2013 11:06 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: AW: [mssms] ConfigMgr 2012 SP1 CU3: OSD Client fails to communicate 
with MP

Hi Trevor,

Yeah, I picked up on the point of the package working but not the application 
or updates. You're right, the variable doesn't apply pre-R2 and I also missed 
that you are running a BC. Running training courses affects my brain. :)

Still, it's interesting that just the CI based steps are failing. Did you know 
that although the SLP is deprecated in 2012, the entry still exists in the 
registry? I'm not exactly sure how it influences the client - I gave up on 
testing it because the benefits were not enough to justify the time. But I did 
notice that it affected the site assignment when I tried to remotely reassign 
the site of a client.

Good luck anyway.

Andrew


Von: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] Im Auftrag von Trevor Sullivan
Gesendet: Freitag, 1. November 2013 14:57
An: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Betreff: RE: [mssms] ConfigMgr 2012 SP1 CU3: OSD Client fails to communicate 
with MP

Hello Andrew,

Thanks for your response. I'm running a Build  Capture task sequence on a 
Lenovo ThinkPad T430, which does not have a SSD in it. Additionally, since I am 
running ConfigMgr 2012 SP1 CU3, I do not have the SMSTSMPListRequestTimeout 
task sequence variable available to me. It looks like, based on the How fast 
are SSDs? thread that, that variable is only available in ConfigMgr 2012 R2.

While I'm not entirely ruling out the possibility that adding a wait might 
help things, on the other hand, I am seeing some error messages in the logs 
that indicate communication failures between the client and Management Point. 
These have me somewhat concerned.

I'm going to test out with a 60 second wait, and see what happens.

FYI: This is a build  capture task sequence. The computer never touches Active 
Directory.

Re: [mssms] Exclude IP range from ALL SCCM deployments\updates

[Troy Martin]

Sounds extreme, but I may not completely understand what the goal is.

As the admin, you control what clients are targeted for advertisements.  Since 
collections are the source for targeting clients, how about a query that 
excludes the undesired subnet(s)?

Can you elaborate a little more on what the goal is?

Sent from my iPhone

On Oct 7, 2013, at 6:58 AM, Mann, Brendan 
brendan.m...@kpmg.iemailto:brendan.m...@kpmg.ie wrote:

Hi Guys,

Running on SCCM 2007 R2

I'm looking for some advice in relation to blocking SCCM clients (who are all 
in one IP subnet) from downloading any SCCM deployments for software updates. 
Looking at removing IP subnet from site system protected DP's which work I 
think. Any ideas or tips would be great.
Thanks!
Bren




Follow KPMG in Ireland via:

[LinkedIn]http://www.kpmg.ie/EMAIL/linkedin.htm   [Twitter] 
http://www.kpmg.ie/EMAIL/twitter.htm[YouTube] 
http://www.kpmg.ie/EMAIL/youtube.htm



Email Disclaimer

The information in this email is confidential and may be legally privileged. It 
is intended solely for the addressee. Access to this email by anyone else is 
unauthorised. If you are not the intended recipient, any disclosure, copying, 
distribution or any action taken or omitted to be taken in reliance on it, is 
prohibited and may be unlawful. When addressed to our clients any opinions or 
advice contained in this email are subject to the terms and conditions 
expressed in the governing KPMG client engagement letter.





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] SUP Switching with ConfigMgr 2012

[Troy Martin]

What SP1 provides is redundancy and HA (e.g. multiple active SUPs per primary), 
and delayed failover (e.g. intelligence of SUP agent in ConfigMgr client, but 
only 2hrs 2 min after losing contact with current SUP).  The new capabilities 
of the SUP role does not provide load-balancing...only redundancy and HA of the 
role.

If you're looking for automatic failover (e.g. no delay) and load-balancing, 
your best best is to use SUP in an NLB cluster, or F5.

Just for clarity - when using NLB or F5 - all of the SUPs in the site share/use 
a single virtual name for the cluster/farm, so clients only use the one single 
virtual name of the SUP(s) to communicate with.  This is actually what provides 
the automatic failover mechanism...the NLB or F5 redirecting clients to the 
next available SUP in the cluster/farm when one or more SUPs become unavailable.

If the delayed failover is of concern and/or there is a compelling need for the 
SUP role to load-balanced, then go with the NLB cluster (e.g. Windows or F5).  
If not, then stick with the simpler native SP1 functionality.

Sent from my iPad

On Oct 4, 2013, at 7:59 PM, Matt Tinney 
mnt2...@gmail.commailto:mnt2...@gmail.com wrote:



In SP1 of ConfigMgr2012, update point switching provides fault tolerance 
between multiple update points at a single site. I believe the biggest concern 
I have is the time it takes a client to go from its active SUP to another SUP 
in the event its not online/available?

How many of you are using this and allowing ConfigMgr 2012 to manage the load 
balancing and fault tolerance between multiple SUP's.

Originally, was looking at utilizing F5 to configure the SUP in an NLB Cluster 
but wanted to also explore the possibility of the native functionality.

Any experiences to share would be wonderful!


--
Matthew Tinney
(206) 778 4432
Windows Management Experts, Inc
www.windowsmanagementexperts.comhttp://www.windowsmanagementexperts.com/




DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

RE: AW: [mssms] Migrating Objects from 2012 to 2012

[Troy Martin]

Now if only we had the ability to mark UAT objects as approved and keep the 
admins right out of PROD :) . . . .

On the surface, you could absolutely do this in RBAC, setting the desired and 
appropriate security scopes on the UAT objects.

Can you elaborate on your statement?

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Wallace
Sent: Tuesday, September 24, 2013 8:24 AM
To: mssms@lists.myitforum.com
Subject: RE: AW: [mssms] Migrating Objects from 2012 to 2012

Fab - and thank you for your help in this from the other week.

I know that you are doing exactly what we are doing here.  Just wondering if 
you have separate domains from which you are migrating and any gotchas on that? 
 I'm guessing the respective answers are Ja and Nein :)

Now if only we had the ability to mark UAT objects as approved and keep the 
admins right out of PROD :) . . . .


From: andrew.cr...@zuerich.chmailto:andrew.cr...@zuerich.ch
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Date: Tue, 24 Sep 2013 13:36:40 +0200
Subject: AW: [mssms] Migrating Objects from 2012 to 2012
To your first point:

The following items are new for migration in Configuration Manager SP1:
* Beginning with System Center 2012 Configuration Manager SP1, you can 
merge data from other hierarchies that run the same version of Configuration 
Manager as your hierarchy. This includes migrating data from a test environment 
into your production environment.

Not just supported but as of SP1, recommended, I would say.

Von: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] Im Auftrag von Jason Wallace
Gesendet: Dienstag, 24. September 2013 13:14
An: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Betreff: [mssms] Migrating Objects from 2012 to 2012

Hello folks

I am writing a process document on migrating objects from Test to UAT and UAT 
to PROD in SCCM 2012 SP1.  I am planning to use the migration tool included in 
2012 as this appears to work  some very kind folks on here have confirmed that 
it does.  My testing also shows that this is the case.

So, Diolch, Danke, Merci and Thanks so far.  Just a couple of questions which I 
have so far though:

1. Support.  As is often the case we need to provide a solution that is 
supported by Microsoft.  Yes, I know that Microsoft would never not support a 
Premier customer etc. and can justify the use of the tool but I know that I 
shall be asked why the tool is a 2007 to 2012 tool and whether the use in 2012 
to 2012 is supported.  Has anyone managed to get a support statement on this 
please?

2. Other Objects.  A couple of things won't be migrated - the SUP categories 
etc.  Is there a kind soul who would be prepared to share an extract / import 
pair of scripts for this please?

Thanks very much
Jason







DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] Client install issue

[Troy Martin]

Just a hunch...

Right-click CCMsetup.exe and select properties.

Make sure the file is not blocked. If you see the Unblock button, then it 
is being blocked.

Sent from my iPhone

On Sep 19, 2013, at 9:18 PM, Daniel Ratliff 
dratl...@humana.commailto:dratl...@humana.com wrote:

Install ended prematurely...sounds like something is blocking the install. 
Disable any AV or DLP software?

-Daniel Ratliff

-Original Message-
From: Lutz, Ken [kl...@spokanecounty.orgmailto:kl...@spokanecounty.org]
Sent: Thursday, September 19, 2013 05:24 PM Eastern Standard Time
To: SMS List
Subject: [mssms] Client install issue

I have a Windows 7 machine that will not install the client (SCCM 2012 PS1 CU1).

The CCMSetup.log file has this generic error:
File C:\Windows\ccmsetup\{59A0EA77-D28C-4286-83A6-04BB57B9CDD6}\client.msi 
installation failed. Error text: ExitCode: 1603

The Client.MSI.log file has this error:
Internal Exception during install operation: 0xc005 at 0x07FEFEE535E1.
MSI (s) (40:E4) [13:28:10:103]: WER report disabled for silent install.
MSI (s) (40:E4) [13:28:10:103]: WER report disabled for non-console install.
MSI (s) (40:E4) [13:28:10:103]: Internal MSI error. Installer terminated 
prematurely.
MSI (s) (40:E4) [13:28:10:103]: MainEngineThread is returning 1603

The Client.MSI_Uninstall.log has this error:
MSI (s) (7C:A0) [13:13:13:971]: Internal Exception during install operation: 
0xc005 at 0x07FEFEE535E1.
MSI (s) (7C:A0) [13:13:13:971]: WER report disabled for silent install.
MSI (s) (7C:A0) [13:13:13:971]: Internal MSI error. Installer terminated 
prematurely.

MSI (s) (7C:A0) [13:13:13:971]: MainEngineThread is returning 1603
MSI (s) (7C:E0) [13:13:13:971]: No System Restore sequence number for this 
installation.
Unexpected Termination

I deleted all SCCM related folders, went into the registry and removed the 
usual SCCM entries (CCM, CCMSetup etc.).
I ran the following WMI commands, and they all came back clean.
WINMGMT.exe /verifyrepository
Winmgmt.exe /salvagerepository
Winmgmt.exe /resetrepository %windir%\System32\wbem

I tried to run ccmsetup.exe with the CCMLOGLEVEL=0 switch to try to get more 
log info, again with no luck.  No additional info in the log files.

Can someone point me the right direction to try to get the client to load on 
this machine?

Thanks!


image001.png
Ken Lutz
Senior Systems Administrator
Information Systems Department
Spokane County
815 N. Jefferson
Spokane, Washington  99260




The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.



inline: image001.png

RE: [mssms] CM12, Multiple SUPs questions

[Troy Martin]

...reread my reply and realized I didn't finish my thought

So although, you have 5 SUPs, clients will only ever be able to use one of them 
at any given time...and you have to consider that clients/SU agent will not be 
able to scan against a SUP until the offline one comes back online OR 2hrs and 
2 minutes after attempting to continue communicating with it's original SUP, 
the SU agent will then fail-over to another SUP.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Troy Martin
Sent: Friday, September 6, 2013 10:21 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] CM12, Multiple SUPs questions

Hey Roland,

I realize the goal is to spread the load across all of them.  But it sound 
like you may not understand how the new SUP role (in SP1) and existing MP role 
works.

Although the SUP role itself in SP1 is HA/redundant/fault-tolerant (e.g. 
simply meaning there is more than one SUP for clients to choose from), what 
also needs to be considered and factored into the solution is the behavior of 
the software update agent on the client when it's SUP becomes unavailable.

During client install, the process in-which the SUP/WSUS server chosen by the 
client is a non-deterministic process...it's completely random, and as an admin 
you have no influence over the decision/choice.  Once the client selects a 
particular SUP/WSUS server, it uses it exclusively from that point one.  
If/When that SUP becomes unavailable, the client will NOT fail-over right away 
or instantaneously to use one of the other SUPs...yet.  This part is key to 
understand.

The client will continue to try and communicate with the offline SUP for 2hrs 
(retry 4 times = 1 attempt every 30 minutes) plus an additional 2 minutes.  
Only after that time has expired will the client then automatically fail-over 
to use one of the other SUPs in the site.

Yvette OMeally wrote an excellent blog on this - 
http://blogs.technet.com/b/configmgrteam/archive/2013/03/27/software-update-points-in-cm2012sp1.aspx

So although, you have 5 SUPs, clients will only ever be able to use one of them 
at any given time...and you have to consider that clients/SU agent will not be 
able to scan against a SUP until the offline one comes back online.  And 
definitely, the load will most likely not be load-balanced or evenly spread 
across all SUPs.

If you're looking for 100% HA/load-balanced solution (e.g. meaning no need for 
the client/SU agent to fail-over.  It will always have a SUP/WSUS server to 
scan against and the agent will not  wait 2hrs and 2 minutes), then you're best 
bet and only other option IS to configure the SUP role in an NLB cluster.  But 
even then, you can only have up to 4 nodes in the cluster.

So in the end, I would reconsider whether 5 SUPs (and even MPs) are needed in 
the design...


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Roland Janus
Sent: Friday, September 6, 2013 9:11 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] CM12, Multiple SUPs questions

150'000 clients, so yeah, although it would work fine with a single primary, as 
proven by others with even more clients, it is not supported and we can't 
ignore that, hence two primaries.

Mostly 5 SUPs to reduce the impact on the server itself, split the load (they 
are MP and DP also) and if one of them should go down to have less clients 
impacted moving to another.
Split the max of 100'000 clients to those, so 20'000 on each for all roles.

NLB is not an alternative. Mostly it is a hassle because we can't use MS but 
3rd party and that is a nightmare with CM07 already.
What we get with multiple SUPs is good enough.

Yeap, that is core only, ignoring local DPs for now.

I'm looking for details on how to set the SUPs up in regards to WSUS and the 
(shared) DB.
Especially since when I installed another WSUS using the DB on SQL, for one of 
those 5, the log stated it went into single user mode. Didn't continue with 
that yet

RE: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

[Troy Martin]

What you're describing is an edge-case scenario which is probably being 
impacted by an environmental condition.

I've seen new objects replicated between a CAS and single primary within a 
couple of minutes, if not less.

What you've described is not the norm...

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Tuesday, September 3, 2013 10:56 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

If you have a CAS, it takes approximately 5-15 minutes because it has to 
replicate down and back up from your primaries. A huge pain for any immediate 
updates needed for collections.

Daniel Ratliff

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Craig Andrew (OIZ)
Sent: Tuesday, September 03, 2013 10:45 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: AW: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

Works well for me. What problems have you encountered?

Von: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] Im Auftrag von Marcum, John
Gesendet: Dienstag, 3. September 2013 16:40
An: 'mssms@lists.myitforum.com'
Betreff: RE: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

Adding machines on the fly to collections for OSD in 2012 doesn't work well.


John Marcum
Sr. Desktop Architect
Bradley Arant Boult Cummings LLP


From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Craig Andrew (OIZ)
Sent: Tuesday, September 03, 2013 9:33 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: AW: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

You could use a pre-execution staging hook, build a script into the hook that 
queries the mac address and the computer manufacturer/model. Then use the hook 
to pull the machine into a collection. Then it will receive an advertisement. 
You can use a similar step at the end of the ts to remove the machine from the 
collection.

Von: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com]mailto:[mailto:listsad...@lists.myitforum.com]
 Im Auftrag von Koster, Maik
Gesendet: Dienstag, 3. September 2013 16:26
An: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Betreff: RE: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

It has to be executed with the dongle/Docking station detached. So you would 
need to remember what dongle/docking station was used, check if it's still 
connected and if so re-schedule.

Regards
Maik Koster
Cameron Flow Control Technology GmbH - Sitz der Gesellschaft: Celle - 
Handelsregister: Amtsgericht Lüneburg HRB 204184 - Geschäftsführung: Cheryl 
Roberts, Grace Holmes

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com]mailto:[mailto:listsad...@lists.myitforum.com]
 On Behalf Of Hedges, Dustin
Sent: Dienstag, 3. September 2013 16:07
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: RE: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

What about leveraging the _SMSTSPostAction Variable (ConfigMgr 2012 SP1)?  Or 
even setting a RunOnce Registry setting to execute a script with those commands?


Dustin Hedges
Sr. Systems Engineer

eBay Inc.
dhed...@ebay.commailto:dhed...@ebay.com ebayinc.com

[cid:image001.jpg@01CEA89F.EC3425B0]

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Ryan
Sent: Tuesday, September 3, 2013 7:38 AM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] ConfigMgr 2012 meets tablets - The case of the Unknown

Three options come to mind... First off, you could delete any records that show 
up in the collection with those MAC addresses. You'd lose the imaging 
information on the computer though, so it probably isn't the best idea.

Another option is changing the MAC address in WinPE... Change it before the TS 
runs and have it automatically generated based on the wifi MAC. I'm not sure if 
that will fool ConfigMgr into thinking it is a different device.

Another thought is to add 802.11x support and just use the dongle to boot into 
WinPE...  

RE: [mssms] CM12 - Inventory Cache Size and Usage

[Troy Martin]

...you may find this valuable as well.

http://blogs.msdn.com/b/alex_semi/archive/2011/12/15/increase-cm-cache-and-clean-it.aspx

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Todd Hemsell
Sent: Monday, July 15, 2013 7:41 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] CM12 - Inventory Cache Size and Usage

nice! Thanks!
On Mon, Jul 15, 2013 at 4:32 PM, Daniel Ratliff 
dratl...@humana.commailto:dratl...@humana.com wrote:
Keep in mind you cannot raise the cache size above 80 or 100 GB (can't 
remember) via the UI, batch, or .vbs. Actually opened a call with Microsoft and 
found out it works with PowerShell!

Here is the script we use to set the cache to 150GB. Name the file 
CacheSize.ps1 and we just run a 'Run Command Line' task in a task sequence. 
Should also work as a package/app. Defaults to 50GB if you don't specify a 
parameter.

powershell.exe -executionpolicy bypass -file CacheSize.ps1 153600

param(
[int]
$cachesize = 51200
)

$cache = Get-WmiObject -Namespace root\ccm\SoftMgmtAgent -Class CacheConfig

write-host Current SCCM Cache Size:$cache.sizeMB. -foregroundcolor cyan
write-host 
if ($cachesize -ge 51200) {
write-host Changing SCCM Cache Size to $cachesize MB... -foregroundcolor 
cyan
$cache.Size = $cachesize
$cache.Put() | out-null
write-host Restarting CCMEXEC service... -foregroundcolor cyan
restart-service ccmexec
write-host Current SCCM Cache Size: $cache.size  -foregroundcolor green
} elseif ($cachesize -lt 51200) {
write-host Changing SCCM Cache Size to 51200 MB... -foregroundcolor cyan
$cache.Size = 51200
$cache.Put() | out-null
write-host Restarting CCMEXEC service... -foregroundcolor cyan
restart-service ccmexec
write-host Current SCCM Cache Size: $cache.size  -foregroundcolor green
}

Daniel Ratliff

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com] 
On Behalf Of Todd Hemsell
Sent: Monday, July 15, 2013 5:22 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] CM12 - Inventory Cache Size and Usage

God bless!

No, I need this one in particular because I am going to use the persist 
content in cache to handle self healing. So I need to know when the cache is 
getting full so I can raise it.

I will write a sscript to send the the Full machines that removes content not 
marked as persist, and if there is not enough room left after that, raise the 
cache size.

Other suggestions welcomed!

thanks again!

/Todd
On Mon, Jul 15, 2013 at 3:52 PM, Sherry Kissinger 
slkissin...@sbcglobal.netmailto:slkissin...@sbcglobal.net wrote:
[ SMS_Report (TRUE),
  SMS_Group_Name (SMS Advanced Client Cache),
  SMS_Class_ID (SMS_ADVANCED_CLIENT_CACHE),
  Namespace (rootccmsoftmgmtagent) ]
class CacheConfig : SMS_Class_Template
{
[ SMS_Report (TRUE), key ]
String ConfigKey;
[ SMS_Report (TRUE) ]
Boolean InUse;
[ SMS_Report (TRUE) ]
String Location;
[ SMS_Report (TRUE) ]
UInt32 Size;
};

Just save that as whatever-you-want.mof,  import that, if you have a CAS (I 
hope you don't but if you do), do so at the CAS.

need/want anything else?  what SQL puts in WMI? the LocalGroupmembers one? Dot 
Net versions?  Those are the most popular...

Sherry Kissinger
Microsoft MVP - ConfigMgr
mofmas...@myitforum.commailto:mofmas...@myitforum.com

From: Todd Hemsell hems...@gmail.commailto:hems...@gmail.com
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Sent: Monday, July 15, 2013 3:36 PM
Subject: [mssms] CM12 - Inventory Cache Size and Usage

Has anyone edited the CM12 mof to collect information about the SCCM client 
cache?

TIA,

Todd





The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.






DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative 

RE: [mssms] CM12 - Inventory Cache Size and Usage

[Troy Martin]

...and this one

http://blogs.msdn.com/b/alex_semi/archive/2011/12/20/increase-cm-cache-and-clean-it-2.aspx


Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Todd Hemsell
Sent: Wednesday, July 17, 2013 10:26 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] CM12 - Inventory Cache Size and Usage

nice, thanks.
On Wed, Jul 17, 2013 at 8:57 AM, Troy Martin 
troy.mar...@1e.commailto:troy.mar...@1e.com wrote:
...you may find this valuable as well.

http://blogs.msdn.com/b/alex_semi/archive/2011/12/15/increase-cm-cache-and-clean-it.aspx

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com] 
On Behalf Of Todd Hemsell
Sent: Monday, July 15, 2013 7:41 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] CM12 - Inventory Cache Size and Usage

nice! Thanks!
On Mon, Jul 15, 2013 at 4:32 PM, Daniel Ratliff 
dratl...@humana.commailto:dratl...@humana.com wrote:
Keep in mind you cannot raise the cache size above 80 or 100 GB (can't 
remember) via the UI, batch, or .vbs. Actually opened a call with Microsoft and 
found out it works with PowerShell!

Here is the script we use to set the cache to 150GB. Name the file 
CacheSize.ps1 and we just run a 'Run Command Line' task in a task sequence. 
Should also work as a package/app. Defaults to 50GB if you don't specify a 
parameter.

powershell.exe -executionpolicy bypass -file CacheSize.ps1 153600

param(
[int]
$cachesize = 51200
)

$cache = Get-WmiObject -Namespace root\ccm\SoftMgmtAgent -Class CacheConfig

write-host Current SCCM Cache Size:$cache.sizeMB. -foregroundcolor cyan
write-host 
if ($cachesize -ge 51200) {
write-host Changing SCCM Cache Size to $cachesize MB... -foregroundcolor 
cyan
$cache.Size = $cachesize
$cache.Put() | out-null
write-host Restarting CCMEXEC service... -foregroundcolor cyan
restart-service ccmexec
write-host Current SCCM Cache Size: $cache.size  -foregroundcolor green
} elseif ($cachesize -lt 51200) {
write-host Changing SCCM Cache Size to 51200 MB... -foregroundcolor cyan
$cache.Size = 51200
$cache.Put() | out-null
write-host Restarting CCMEXEC service... -foregroundcolor cyan
restart-service ccmexec
write-host Current SCCM Cache Size: $cache.size  -foregroundcolor green
}

Daniel Ratliff

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com] 
On Behalf Of Todd Hemsell
Sent: Monday, July 15, 2013 5:22 PM
To: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] CM12 - Inventory Cache Size and Usage

God bless!

No, I need this one in particular because I am going to use the persist 
content in cache to handle self healing. So I need to know when the cache is 
getting full so I can raise it.

I will write a sscript to send the the Full machines that removes content not 
marked as persist, and if there is not enough room left after that, raise the 
cache size.

Other suggestions welcomed!

thanks again!

/Todd
On Mon, Jul 15, 2013 at 3:52 PM, Sherry Kissinger 
slkissin...@sbcglobal.netmailto:slkissin...@sbcglobal.net wrote:
[ SMS_Report (TRUE),
  SMS_Group_Name (SMS Advanced Client Cache),
  SMS_Class_ID (SMS_ADVANCED_CLIENT_CACHE),
  Namespace (rootccmsoftmgmtagent) ]
class CacheConfig : SMS_Class_Template
{
[ SMS_Report (TRUE), key ]
String ConfigKey;
[ SMS_Report (TRUE) ]
Boolean InUse;
[ SMS_Report (TRUE) ]
String Location;
[ SMS_Report (TRUE) ]
UInt32 Size;
};

Just save that as whatever-you-want.mof,  import that, if you have a CAS (I 
hope you don't but if you do), do so at the CAS.

need/want anything else?  what SQL puts in WMI? the LocalGroupmembers one? Dot 
Net versions?  Those are the most popular...

Sherry Kissinger
Microsoft MVP - ConfigMgr
mofmas...@myitforum.commailto:mofmas...@myitforum.com

From: Todd

[mssms] RE: OT: Johan Webinar for BDNA

[Troy Martin]

A demo of how BDNA can reduce your overall time to migrate by over 70%

WOW!?!?

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 678-898-6147
UK Mobile : +44 208 326 9141
troy.mar...@1e.commailto:troy.mar...@1e.com | www.1e.comhttp://www.1e.com/

Facebookhttp://www.facebook.com/1eglobal | 
Twitterhttps://twitter.com/1e_global/ | 
YouTubehttp://www.youtube.com/1enews | Blogshttp://blogs.1e.com/ | 
RSShttp://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Marcum, John
Sent: Wednesday, July 10, 2013 3:55 PM
To: SMS List (mssms@lists.myITforum.com); mdt...@lists.myitforum.com
Subject: [mssms] OT: Johan Webinar for BDNA

Looks like BDNA is starting the Guru series back up but under a different 
name. They aren't pulling out any stops on this one, they have Johan as the 
first speaker. See this site for registration info:

http://info.bdna.com/201307WindowsMigrationWebinarJuly17_RegistrationLP.html







Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.





DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] Automating package replication

[Troy Martin]

I would start by reviewing the package distribution or software distribution 
workflows.  You can find all the different workflows under config manager 2007. 
 Reverse engineer those and I believe that would be a good start for figuring 
out what it is you want to do.

Just search Google for those keywords package distribution workflow you should 
find what you're looking for.

Sent from my iPhone

On Jun 15, 2013, at 3:07 PM, Sam George 
ronaldo.geo...@live.commailto:ronaldo.geo...@live.com wrote:

Hi All,

I am looking at automating package replication (CM 2012 SP1) issues would like 
to know if someone has done any kind of work on this.

What I am looking for:-

1.   Is there a way to catch package replication failure at the time it 
occurs?

2.   What all things should we consider before triggering an package refresh

3.   What all could be reason for package replication failure

4.   Programmatically fix the issue


Any pointers or help

Regards,

SAM\






DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.

Re: [mssms] SCCM 2012 and Software Updates

[Troy Martin]

...to add to that, you can only have one Active SUP per site.

If you have multiple, then they all have to be members nodes in the same NLB 
cluster farm.

I believe you can only have up to 4 SUPs in a cluster farm and they have to 
share the same SUP database...

I haven't done this in a couple if years, so not 100% sure on the last part.

Sent from my iPhone

On Jun 14, 2013, at 11:22 AM, Jason Sandys 
ja...@sandys.usmailto:ja...@sandys.us wrote:

It’s not just that though, client selection of SUPs is *not* location aware for 
the exact same reason that client selection of MPs is *not* location aware. 
Multiple SUPs and MPs within a single primary site are only for high 
availability and cross-forest scenarios.

J

From: listsad...@lists.myitforum.commailto:listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mark Gailey
Sent: Friday, June 14, 2013 5:04 AM
To: Suzzie
Cc: mssms@lists.myitforum.commailto:mssms@lists.myitforum.com
Subject: Re: [mssms] SCCM 2012 and Software Updates

IMO - Based on your information I would say no.  It complicates things and adds 
additional considerations, such as downstream server catalog syncs on that low 
bandwidth connection.

On Fri, Jun 14, 2013 at 12:43 AM, Suzzie 
itsuz...@googlemail.commailto:itsuz...@googlemail.com wrote:
Hello Mark

It is a single site with 800 clients, the DPs are at the end of low bandwidth, 
I am trying to minimise bandwidth traffic without putting secondary site 
servers in, is there any point making the DPs software update points? Will 
there be any benefit?

Suz x

On 14 Jun 2013, at 01:01, Mark Gailey 
markagai...@gmail.commailto:markagai...@gmail.com wrote:
Depends on network topology and client counts.  10 DPs could mean 40k clients 
in a single site.  It could also mean 400 clients at 10 sites.  To answer your 
question we need more information.  Why are you considering installing WSUS or 
a SUP on a DP?

Thanks

On Thu, Jun 13, 2013 at 2:36 PM, Suzzi Williams 
itsuz...@googlemail.commailto:itsuz...@googlemail.com wrote:
Hey all

In a single site, with a primary site server and 10 DPs, is there any point 
installing the WSUS role on the DPs?

Suz x











DISCLAIMER: This is a PRIVATE AND CONFIDENTIAL message for the ordinary user of 
this email address. If you are not the intended recipient, please delete 
without copying and kindly advise us by e-mail of the mistake in delivery. 
NOTE: Regardless of content, this e-mail shall not operate to bind 1E to any 
order or other contract unless pursuant to explicit written agreement or 
government initiative expressly permitting the use of e-mail for such purpose.