Here are 2 tools that can help you figure out what type of installer is being used, what switches you can use and how to unpack it:
USSF
https://deployhappiness.com/the-ultimate-exe-silent-switch-finder/
UniExtract 2
We have about 100 branch offices with a couple computers in each one, all of which communicate with our SCCM server over a VPN connection through our WAN link. When I first set up SCCM, we didn't have BITS throttling configured correctly, and when I pushed a software update deployment to our workstations, the traffic from the branch offices saturated our connection. Our network guy had to block the SCCM server at the firewall to restore connectivity. And that's the story of how I inadvertently DDoS'd our organization.
Also, no discussion about SCCM blunders is complete without mentioning Emory University and Australia's CommBank.
I must have missed this. Is the ISE not included by default in 20H2?
This has the dism commands to add it:
https://winaero.com/install-or-uninstall-windows-powershell-ise-in-windows-10/
I assume it would also work with:
https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=win10-ps
If all the changes are stored in the registry, you can take a regshot after install, make all the desired changes, then take another shot to compare the changes and export a .reg file.
For Configuration Manager 2012 there was the "Unleashed" text by Meyler, Sandys, and Ramsey. This book was ideal for learning best practices, "understand the data stored in the ConfigMgr site database", and etc. Here's a link: http://www.barnesandnoble.com/w/system-center-configuration-manager-reporting-unleashed-garth-jones/1123286832?ean=9780672337789#productInfoTabs
Will there be something for Configuration Manager 1511 (or 1602)? Or does "Unleashed" 2012 still apply to 1511?
Thanks for doing this AMA. Have a safe and fun Independence Day weekend.
-Kris
Assuming I understood your situation correctly, you probably want to designate one of your sites as the central site, and make the other one (in SCCM 2007 terminology) a primary child site.
http://technet.microsoft.com/en-us/library/bb693919.aspx
Where I work we currently have one domain, one central site, and a number of primary child sites that operate independently within their own boundaries and have unique site codes, and report all client data upstream. The central site administrators can have full control and administer the child sites right from the SCCM console, if they need to.
Feel free to book one with me as well: https://calendly.com/justin-chalfant/patch-my-pc-setup-and-review-session. Currently, I'm on vacation, so I won't show availability until a few weeks out. However, I'm super interested in understanding how we can get more customers on set-up calls.
We find that if a customer talked with an engineer, they are more likely to have features configured and more products enabled, and 99.55+% will renew if they had a call. My current goal is to get most new customers to jump on a setup call and to figure out how to get existing customers that never had one to get on one. We are thinking about ways to provide additional value vs. just a review of our product on these calls for existing customers. For example, maybe help set up our Power BI or SSRS dashboards with customers - just thinking out loud. - Justin
> Do lots of research before you go YOLO on something you don't fully understand. I guess this could be said for most things IT, but this software can fuck you over hard if you deploy things to the wrong boxes, and cleanup is not easy.
Pay particular attention to this. If you need reinforcement, ask Emory University what happens if you don't.
Ahh, found some data on indeed. http://www.indeed.com/salary?q1=Desktop+Engineer&l1=irvine%2C+ca
Oddly enough, it says that salary is 3% lower in Irvine than nationwide. I wonder if it's just because there aren't many desktop engineer positions open here as it's so specific.
This one is a rather easy one. I personally dislike the MSIs; they don't make the install process any easier and complicate things with the file paths.
I would package it yourself after you make whatever changes to the config file. It's a bunch of flat files (file copy) and a powershell script to install the service. Super easy to do with NSIS or advanced installer.
If you can hold out, the Elastic Agent is really promising but it's still in beta. This will make your life a lot easier if you plan to roll out other elastic solutions such as filebeat or auditbeat. Winlogbeat is not part of the agent yet https://www.elastic.co/downloads/elastic-agent
Just a small question, what site did you get an MSI installer from for greenshot?
https://getgreenshot.org/2019/01/07/fake-websites-targeting-oss-users-malware/
This is what I used as a reference: http://www.experts-exchange.com/articles/21679/Windows-10-Sysprep-Guide.html
But for the powershell commands I would run Get-appxpackage | remove-appxpackage and Get-appxprovisionedpackage -online | remove-appxprovisionedpackage -online
We have no need for any of the metro apps though.
Of course! Read through this VMware blog post and it will explain all you need to know plus how to size them! https://blogs.vmware.com/performance/2017/03/virtual-machine-vcpu-and-vnuma-rightsizing-rules-of-thumb.html
The disk differences are just how the storage is provisioned. Thin provisioned is where the VM only provisions what it needs at minimal levels, so if you provisioned a 40GB hard drive and the VM only uses 5GB of space, the HDD size on the VMware side is only 5GB but can expand up to 40 if needed. Usually used to save on storage space!
Thick are full provisioned VMs, the lazy zero vs eager zero is how the disk is zeroed and presented to the VM - https://www.nakivo.com/blog/thick-and-thin-provisioning-difference/ :)
Where'd you go, OP, I just see you copying and pasting the same whiny BS to most replies in this thread.
If you're getting weird errors in SCCM, ignore them. The general troubleshooting practice for SCCM in a taskSequence is that you start at the top of the log, not the bottom. Actions in SCCM receive error codes from programs or tools that are called, and sometimes the incorrect error code will get passed along. The out of printer error in particular is a dead-giveaway.
Find that error, scroll up and see what failed close by.
To learn some more, watch this video from a MS event a few years ago.
TechED - Everything you wanted to know about Windows, but were afraid to ask
Putting things into batch scripts is done probably 50% of the time for me, even in applications that already come as an msi. There's often some registry key or config file that needs to be copied over, necessitating taking a few steps to get the install working correctly.
In case you want to add pie charts of compatible Intel CPUs, you can play with this CASE. To have an "easy" CPU list, I've used the TXT file in WHYNOTWIN11 source code. You could do the same with AMD.
Yes, simply set a condition. If you are using MDT, then MDT sets a TS variable called ISLaptop that you can easily check. If you are using UI++ then it sets a variable called XHWChassisType that gets set to the value of Laptop.
If you are not using either of these, then you'll need to add some other logic to detect whether the system is a laptop, set a variable based on the results of that logic, and then use that variable in your condition. There are lots of example scripts on the web for this detect laptop script.
I generally stick with the logic found in MDT even if not using MDT, which is similar to this post on the scripting guy blog: https://blogs.technet.microsoft.com/heyscriptingguy/2010/05/15/hey-scripting-guy-weekend-scripter-how-can-i-use-wmi-to-detect-laptops/
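A sketch of the "detect, set a variable, use it in a condition" approach described in the comment above, as an added example that is not from the thread or from MDT's source. The task sequence variable name OSDIsLaptop and the choice of which SMBIOS chassis types count as portable are assumptions to adjust for your hardware.

```powershell
# Added example: decide whether the machine is a laptop from WMI data and
# publish the result as a task sequence variable for use in step conditions.
# OSDIsLaptop is a hypothetical variable name.

# SMBIOS chassis types treated as portable here (assumption):
#  8 Portable, 9 Laptop, 10 Notebook, 11 Hand Held, 12 Docking Station,
# 14 Sub Notebook, 18 Expansion Chassis, 21 Peripheral Chassis,
# 30 Tablet, 31 Convertible, 32 Detachable
$PortableChassisTypes = 8, 9, 10, 11, 12, 14, 18, 21, 30, 31, 32

function Test-IsLaptop {
    param([int[]]$PortableTypes = $PortableChassisTypes)

    # ChassisTypes is an array, and there can be more than one enclosure
    # instance, so flatten everything into a single list first.
    $chassis = @(Get-CimInstance -ClassName Win32_SystemEnclosure |
                 ForEach-Object { $_.ChassisTypes })

    # 1 = Other and 2 = Unknown carry no information.
    $known = @($chassis | Where-Object { $_ -gt 2 })

    if ($known.Count -gt 0) {
        # Firmware reported a usable chassis type: trust it.
        return (@($known | Where-Object { $_ -in $PortableTypes }).Count -gt 0)
    }

    # Fallback when the enclosure data is missing or unknown: presence of a
    # battery. This is only a tie-breaker because a USB-attached UPS can also
    # show up as a battery on a desktop.
    $battery = @(Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
    return ($battery.Count -gt 0)
}

$isLaptop = Test-IsLaptop

try {
    # The COM object only exists while a task sequence is running.
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $tsEnv.Value('OSDIsLaptop') = $isLaptop.ToString()   # "True" or "False"
}
catch {
    # Running outside a task sequence (for example while testing the script).
    Write-Output "Not in a task sequence. OSDIsLaptop would be: $isLaptop"
}
```

A later step can then carry the condition "Task Sequence Variable OSDIsLaptop equals True".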
Are there maintenance windows on your problem devices? If the maintenance window is too small the package will not even try to install. There is a formula used that I can't remember the exacts of, but it is something like if the MW is less than the number of minutes estimated for the package + 10, don't install. Packages default to 120 minutes I think. Here is a link to a MW helper script I obtained from somewhere I cannot recall and then modified a bit. Change lines 4 and 5 to match your environment. https://onedrive.live.com/redir?resid=FFA05116D1E58E71!163689&authkey=!AFKvCvZB4j13eoI&ithint=file%2cps1
There isn't a lot of documentation on what the Prereq checkers are actually doing behind the scenes. You can view the error documentation here (it's pretty sparse, and it looks like you've already read the output it gave you, so you probably won't gain anything from this).
You should also check the root of C:\ for the ConfigMgrPrereq.log (and ConfigMgrSetup.log and ConfigMgrSetupWizard.log, if they exist) and see if they provide any further information.
This is the correct way to do this, using Site Maintenance Tasks
Make sure whatever discovery methods you use are set to trigger more often than the age you set in Delete Aged Discovery Data.
Thanks for posting this, it was very helpful!
I'm still in the middle of the upgrade, but I thought I'd contribute something for Step 4. During the ADK installation, it asks which components to install. According to this TechNet article, the required components are:
Also, Step 7 is not required if you obtained the SP1 media after Jan. 25 since they've included the hotfix in the installation media. (source)
A client can be a member of multiple collections, each with its own maintenance window.
If your client is a member of "All Desktops" with a maintenance window on Saturday and also a member of "XP Collection" with a maintenance window on Wednesday, your client will have two maintenance windows.
Source: http://technet.microsoft.com/en-us/library/hh508762.aspx
http://technet.microsoft.com/en-us/library/gg682071.aspx
>Application management in Microsoft System Center 2012 Configuration Manager allows you to upgrade or replace existing applications by using a supersedence relationship. When you supersede an application, you can specify a new deployment type to replace the deployment type of the superseded application and also configure whether to upgrade or uninstall the superseded application before the superseding application is installed.
>When you supersede an application, this applies to all future deployments and Application Catalog requests. This will not affect the existing installations of the application.
In addition to the uninstall stuff, I think it just expires deployments for the superseded application.
I would say you would be fine without a CAS, and in your position I would go with a standalone primary site. I will be migrating our 2007 env to 2012 soon and with ~5000 clients (also a University), I will be avoiding using the overkill that is a CAS.
Also an important thing to note: With SP1 Microsoft added the ability to add a standalone primary site to a CAS after the fact, so you aren't 'locked' into it anymore like some people are under the impression of. 2012 RTM 'locked' you in, but SP1 has removed that limitation.
Source: http://technet.microsoft.com/en-us/library/jj591552.aspx
That's where I would start troubleshooting. First make sure the package really is on the distribution point. If you know it's there, I'd move on to a client and take a peek at the logs. If they are having trouble reaching the content on the DP, you will find errors there. This might help you find out what log records what:
http://technet.microsoft.com/en-us/library/hh427342.aspx
And if you do decide to poke around in the logs, make sure you use the CMTrace application. I'm pretty sure it's on the install disk at \SMSSETUP\TOOLS\CMTrace.exe. Without this, SCCM logs are not exactly human readable.
You should look into setting the Windows Installer source data functionality of SCCM. I haven't played around with 2012 enough to be sure how to do this in that version, but in 2007, you could specify the MSI file in the "Windows Installer" information tab. Here is the link to the 2007 Doc:
http://technet.microsoft.com/en-us/library/bb892810.aspx
When you set that up on one of the programs, then the SCCM Client will enter a fallback source path for the MSI on the Distribution Points that you have pushed it to, and thus additional configurations of the software can access this path and read from it to complete the setup.
In theory this would allow all users of the systems to access one of those source paths, instead of the locally downloaded and cached copy of the software.
Thank you, yes I'm able to download source with that link no issue. I will give a shot with the verbose flag tomorrow and see if it gives any information. I tried doing "Invoke-WebRequest -uri https://zoom.us/client/latest/ZoomRoomsInstaller.msi" and received "The underlying connection was closed: An unexpected error occurred on a send." Don't know if that is related, as I see that error regardless of it downloading or not.
Appears to be packaged via NullSoft Install System (NSIS), run it with a /S (note that's a CAPITAL S).
A handy utility to figure out how to install software is the Universal Silent Switch Finder (USSF). You can get it here http://www.softpedia.com/get/System/Launchers-Shutdown-Tools/Universal-Silent-Switch-Finder.shtml. Yes the download link is sketchy, and the app itself looks even sketchier, but it gets the job done 90% of the time.
For a good document on installing software silently and the different software packaging technologies, take a look at http://unattended.sourceforge.net. In fact, bookmark it, I reference it all the time.
There are several solutions out there; I'd suggest searching this subreddit for threads discussing them.
Flexera (formerly Secunia), Ivanti/Shavlik, and Patch My PC are all players in this space. However, be aware that SCUP integration (highest voted uservoice item) was recently marked as started. If the team really does this it's going to shake up this niche industry something fierce.
Also take a look at RuckZuck (http://ruckzuck.tools/) ... it's been on my list for a while now to look at.
If stumped I personally would check with chocolatey to see if there is a package deployment there. If there is you can check the powershell script right from the page to scroll through what commands were run to do an unattended install. Here is the link to mysql community server on chocolatey: https://chocolatey.org/packages/mysql
That's pretty loaded... I'd start by looking at the MS Docs for Bitlocker, since the questions you asked depend on the OS you're running:
BitLocker (Windows 10) - Microsoft 365 Security | Microsoft Docs
Once you're on Windows 10, you'd want to be running TPM 2, UEFI w/ Secure Boot.
If you're not using ConfigMgr, you can still use MBAM for compliance monitoring
Microsoft BitLocker Administration and Monitoring 2.5 - Microsoft Desktop Optimization Pack | Microsoft Docs
You'd use Group Policies for Management
I am applying a layout modification template built for 1607 to 1703 devices without a problem. We deploy via group policy. It's undocumented but you can in fact host the layout modification xml file on a network share. This is a working copy of my file that I added comments to for ease of use later.
Top Tip: Make a new file every time you make a change. I think there's a bug in there somewhere and editing the file doesn't trigger desktops to update the start menu.
CMDB is not the same thing as Asset Management. You ideally use whatever CMDB your ITSM tool natively has so you can interact with the CIs when doing RFCs and tickets.
Asset management is separate and can be used to populate the CMDB. If you don't have an ITSM tool and don't have a need or process to link CIs to tickets then you may only need an asset management system. You should also look at what value ITSM and CMDB can bring to your current processes if you don't use them already.
Like another here recommended, LanSweeper is a pretty great tool for asset management.
https://freshservice.com/it-asset-management-software/cmdb-vs-asset-management-wrong-blog/
1) Assuming you are talking about software updates, like a patch, then yes, you can integrate System Center Update Publisher (SCUP) with SCCM and deploy custom, third party updates to clients which will then use the same update model as normal Windows Updates when scanning/deploying to clients. Or you can just deploy them as a normal application. Have a watch of this - http://channel9.msdn.com/Events/MMS/2013/UD-B326
2) I have not heard of this 10k minimum (and I do consider myself an SCCM expert :)) but for less than 10k clients, without knowing some additional information I typically run the following in small environments;
This gives nice segregation in the environment as client facing roles are kept separate from the 'core' SQL box. It makes troubleshooting performance easier, particularly as SCCM is SQL intensive.
3) Typically very little. Even when I designed a solution for a 300,000 client project load on AD was small. You should always benchmark this yourself though as every environment is different. For example, run discovery and watch the load on both the SCCM and Domain controller.
4) Not difficult - http://technet.microsoft.com/en-us/library/dn186177.aspx
This might help a little. https://powerbi.microsoft.com/en-us/blog/sccm-solution-template/
I found it and got it implemented to test phase. Since I handle a lot of reporting, I needed something that allowed quick views for numbers without having to open multiple reports.
Still in testing, it's giving me a better general idea where we stand with updates and deployments and it's customizable to where you can add more pages/tables based on custom SCCM SQL queries.
I'm hoping over the course of the next 2-3 weeks to take it out of testing and live to production.
Well, depending on the size of those desktops, it might be even easier to set them up than laptops ;) . If you are lucky enough to be using something like Lenovo ThinkCentre Tiny's or Dell micro's, then it's just a matter of stacking them on the shelf, and getting a bag of EDID emulators, so the video on Intel AMT would function without a monitor connected ;) .
I've used those a lot and never had any problems: https://www.amazon.com/gp/product/B075PTQ4NH .
We recently ran into this issue where an employee's machine had his data drive in the first SATA port, and was overwritten in a task sequence.
To resolve the issue, I made a package within our WinPE wim that runs diskpart and if more than one drive is detected it displays a prompt to inform the technician. At that point they can either continue or abort and shutdown to unplug or disable the extra disk.
Downside to using diskpart, is it detects card readers and flash drives so they will also initiate the prompt even if there is only one physical disk installed.
Another method might be detecting total capacity of drives, and setting the smallest drive as the OSDisk. However in our environment we have to be sure, so every machine is checked manually.
Edit: Powershell might be an easier solution than diskpart: https://stackoverflow.com/questions/36763311/get-disks-count-via-powershell
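One way to do the PowerShell variant of the disk check described in the comment above, as an added example that is not the poster's package. It assumes the boot image includes the WinPE WMI and PowerShell optional components, filters out the card readers and flash drives that tripped up the diskpart approach, and fails the step instead of prompting; the variable name OSDInternalDiskCount is hypothetical.

```powershell
# Added example: pre-flight disk check for a WinPE task sequence, run before
# any "Format and Partition Disk" step. Fails closed when the number of
# internal fixed disks is not exactly one, so a second data drive is never
# wiped by accident. OSDInternalDiskCount is a hypothetical variable name.

function Get-InternalFixedDisk {
    # Win32_DiskDrive lists card readers and flash drives as well. Keep only
    # drives that report fixed media, are not attached over USB or 1394, and
    # actually contain media (empty card reader slots report no size).
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object {
            $_.MediaType     -like    'Fixed hard disk*' -and
            $_.InterfaceType -notin   @('USB', '1394')   -and
            $_.PNPDeviceID   -notlike 'USBSTOR*'         -and
            $_.Size          -gt      0
        } |
        Sort-Object -Property Index
}

$disks = @(Get-InternalFixedDisk)

# Log what was found so the technician can see it in smsts.log / the console.
foreach ($d in $disks) {
    Write-Output ('Disk {0}: {1}, {2:N0} GB, interface {3}' -f `
        $d.Index, $d.Model, ($d.Size / 1GB), $d.InterfaceType)
}

try {
    # Only available while a task sequence is running.
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $tsEnv.Value('OSDInternalDiskCount') = [string]$disks.Count
}
catch {
    Write-Output "Not in a task sequence. Internal fixed disks found: $($disks.Count)"
}

if ($disks.Count -ne 1) {
    # Zero disks (missing storage driver) is as much a reason to stop as two.
    Write-Output "Expected exactly 1 internal fixed disk, found $($disks.Count). Stopping."
    exit 1
}

exit 0
```

Leave "Continue on error" unticked on the step so a non-zero exit code stops the task sequence before any disk is touched.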
MSDN seems like you will need to use the registry.
StackOverflow Use cmd line to query registry.
I created this role (feel free to use) and combined it with the read only role (limited by various scopes) to give report access. Might need some tweaking to work for you but hope it helps.
http://superuser.com/questions/947873/disable-windows-defender-in-windows-10
Browse the registry to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Look for services starting with "wd" that have "Windows Defender" in the Description value. A possibly incomplete list is: wdboot, wdfilter, wdnisdrv, wdnissvc, windefend. Change the Start value for each service to 0x4 (hex 4, decimal 4). Reboot.
No luck. I'm getting the same error as this other guy, "Error writing start. Error writing the value's new contents." And I am running services.msc elevated.
http://superuser.com/questions/947873/disable-windows-defender-in-windows-10
net stop windefend
Didn't work. Same access denied error.
I'm trying to figure the wd services idea on this same page....
If I consider our engineers, they have 4 mice: Their USB mouse, touchpad, the erase mouse, and the 3D mouse for solidworks. Obviously if you flag it, you can then filter in on those, but don't think there is a good way around it.
This is also a neat way: https://play.google.com/store/apps/details?id=mousemover.droid&hl=en_US&gl=US you just set the mouse on your old cell phone and it reads the changes.
Your assumption would be incorrect. I'm referring to this type, though not limited to this specific device, there are many like it.
I wasn't asked to block anything, I was only asked if they could be identified via hardware inventory.
Though I agree with the general idea that technology isn't a substitute for management, when I hinted at that after initially being asked, I was reminded that I was only asked if they could be identified, and nothing else.
Prior to today, I didn't know this type of product existed, and while it looks like a generic USB mouse, I'm not sure there's anything unique about it that would cause it to stand out in hardware inventory, which is why I asked if anyone else had been tasked with something similar.
I'm assuming you're looking at trying to detect like these things. If so, these don't even talk to the PC, just the mouse on top. You'd be chasing your tail trying to find anyone with a mouse who might be using one.
Even then, a majority of the hardware emulators use borderline-open-source hardware. You may find yourself able to detect and block them, but don't be surprised when the $30,000 CNC machine in the warehouse stops working.
You'll also find that most people who use Teams status as a mark of productivity, don't know there's dozens of ways to trick the application itself without needing a mouse, or even a PC in some cases.
You will not solve this HR problem with IT solutions.
Mastering Microsoft Endpoint Manager: Deploy and manage Windows 10, Windows 11, and Windows 365 on both physical and cloud PCs https://www.amazon.com/dp/1801078998/ref=cm_sw_r_awdo_navT_a_3HK3NTRW5T3XSSN5SDPH
Either user needs to be local admin and the app needs to be run in user context instead of system, or you work around this by letting the system look for the appinstallercli.exe and execute it as system:
https://github.com/microsoft/winget-cli/discussions/962#discussioncomment-1634178
I sanitized, zipped and uploaded the logfiles CAS.log, ContentTransferManager.log, DataTransferService.log, UpdatesDeployment.log, UpdatesHandler.log, UpdatesStore.log and WUAHandler.log: https://gofile.io/d/bItw1J (password = reddit).
Fails right after the "Apply Network Settings" step in the OSD which all that's doing is joining the domain, which it does successfully. As soon as it transitions to the "Setup Windows and ConfigMgr" step, it throws the error.
SMSTS.log (scrubbed):
SMSTS-date.log:
There isn't a ccmsetup log file for the client during OSD. It doesn't get to even installing the client.
To nip network access account mentions in the bud: I already tried updating and verifying the account. It all checks out. IIS Windows auth is disabled though.
Edit: Just did the network access account. Again (5th time's the charm, I guess). And the package suddenly works. Now to get WSUS fixed.
The only real GPO you need to set up as far as the clients are concerned is one to configure the firewall to allow SCCM traffic:
http://technet.microsoft.com/en-us/library/hh427328.aspx
Aside from that, here are the guides that you will see linked all over the place: http://www.windows-noob.com/forums/index.php?/topic/4045-system-center-2012-configuration-manager-guides/
The guides are a bit dated but most of the information is still sound. Best of luck.
That makes a tiny bit more sense...depending on the number of virtualized servers. Still pretty extravagant for such a small environment.
So, in that case, I'd recommend two things:
Read the WindowsNoob guides by Niall Brady linked by /u/jtechs above (though they're actually hosted here).
Setup a development environment (including AD and everything else jtechs listed) and build and develop that FIRST. Do this BEFORE even setting up the Production environment.
You will probably also want to bookmark the Technet documentation for System Center 2012 here. And that includes the documentation for ConfigMgr and VMM. Be aware that ConfigMgr is a HUGELY complicated product and will take years of use to master. The documentation alone at this point is (in downloaded .docx format) 2,670 pages (comprising 794,310 words).
If you're working on this by yourself with no distractions, I'd say it'd take you at least a week to get all of the VMs setup in a dev environment, and then another week or two to get ConfigMgr and VMM installed. Add in a couple more weeks to do a build-out in OSD (including USMT!). A few more weeks to package applications. Starting from the ground up like this is a several month project. Even if you aren't working on anything else. Particularly since this is your first time deploying any of these technologies.
I do see this in the documentation though:
To support domain computers in a forest that is not trusted by your site server’s forest, you can install site system roles in that untrusted forest, with the option to publish site information to the client’s Active Directory forest.... When you install site system servers in the client’s forest, the client-to-server communication is kept within the client’s forest and Configuration Manager can authenticate the computer by using Kerberos.
From http://technet.microsoft.com/en-us/library/gg712701.aspx#Plan_Com_X_Forest
I believe I found mention in the documentation yesterday that you can only deploy a CAS and Primary sites in the same Forest. Cross forest deployment of a Primary in a hierarchy is not supported. This page should be your first stop in researching this question.
It's probably easier to just setup a trust between the two forests...
It's practically cheating, but you could try ninite (https://ninite.com/itunes/.) We pay for pro, so I'd personally use that, but I've deployed the free executables in the past. Just add /silent to the end of the exe.
Actually, if you deploy a Package as Available, "Always rerun" is the only option. After the user has performed the initial installation through the Software Center, the installation button will change to "Reinstall", which does exactly what you would expect.
For your use case, deploying as a package is the best way to proceed. In fact, this is the method suggested on Ninite's web site.
80070002
The task sequence I'm trying to run is a from scratch install, using a Windows 7 ISO.
I found the following article that seems similar to what I'm trying to do but I'm pretty certain I did this exactly (extracted an ISO completely).
I've been using SCCM 2007 extensively, but it's primarily building/distributing packages, drivers, etc. Haven't done much image building, so I'm probably just doing something dumb.
Edit: I'm going to join a client to this lab and attempt to distribute a few apps just to make sure distribution is setup properly. After that is verified, I'll try doing images/imaging.
u/Aperture_Kubi - Have you been having issues re: Waves AudioMaxx where sound is not available to the proper outputs? Example: plug in a pair of headphones, but the computer speakers kept working.
If so, my colleagues and I are working on exactly the same application and issue. We are deploying Dell Latitude 7400 2-in-1 models. We contacted Dell via our enterprise support contract. They provided the proper files from the .APPX components of the Windows Store-based installer.
Dell's initial update for AudioMaxx was - literally - a batch file that would generate Windows Store
AudioMaxx app was here (Windows Store)
Using MS Store Auto Link Generator, the .appx, etc. files are available for download. NOTE: Commercial apps are an entirely different beast (ones with licenses, etc.)
Dell Support provided us with specific files from this. We had already been through these AppX bundles so were familiar.
Putting the relevant components into a folder for testing (C:\Waves) we ran the following:
dism /online /add-provisionedappxpackage /packagepath:C:\waves\ea3ae0bb10e647e78388a78ffc60f4a2.appxbundle /dependencypackagepath:C:\waves\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64_8wekyb3d8bbwe.appx /dependencypackagepath:C:\waves\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64_8wekyb3d8bbwe.appx /licensepath:C:\waves\ea3ae0bb10e647e78388a78ffc60f4a2_License1.xml /Region="all"
Following this up with a reboot, we were good to go. You plug in your audio output device, and the AudioMaxx utility appears.
YMMV - also, regarding the /licensepath parameter mentioned above - I don't think I ever saw it when I went down the rabbit hole of the APPX containers. There is a parameter to skip the license, no idea if it works.
I always check ghacks. http://www.ghacks.net/2016/03/09/microsoft-security-bulletins-for-march-2016/
I feel like they do a really good job of writing up a summary of the patches and what issues they address.
maybe something here will assist:
https://winaero.com/generate-new-guid-in-windows-10/
edit:
Additionally, do you guys have intune?
Dang. http://serverfault.com/questions/350503/sccm-recurring-osd-task-sequence Saw the part about "always rerun." I made a new task sequence. Had to be required to free options on the rerun box. For available, that's greyed out but still set on always rerun anyway. I made it required, immediately, and had it "always rerun." No change. PXE boots on the machine but fails. syspxe.log says 'no advertisements found' though for that MAC. It even says no advertisements, no boot action, not serviced.... but it still did actually PXE boot.
haha... dammit... http://serverfault.com/questions/720154/pxe-boot-advertisement-found-but-there-are-no-task-sequences-available-for-t
There are no other messages for this MAC address after "found optional advertisement" in the SMSPXE.log.
Thanks for this information. In talking to them and explaining more on how CMG is a reverse proxy practically they have backed off on this one however they are still asking if this can be put behind Microsoft WAF. Mainly they are concerned if the CMG VM is vulnerable to any of the attacks that a WAF would help mitigate. They gave me this link to understand what they are looking to protect against.
https://www.cloudflare.com/learning/security/threats/owasp-top-10/
Here's a link for gits and shiggles. I tried this without the logging line and the package works as it should. So weird that it would throw an error when wrapped in psadt but not by itself.
http://www.filedropper.com/scxcm_1
I have reinstalled the client with the public trusted root key defined. ./install -mp WS12R2-SCCM12R2.testdom.be -sitecode TST -rootkeypath /windows-share/trustedrootkey.txt ccm-Universalx64.tar
Reinstalled the CfgMgr client with the FQDN of the MP rather than the NetBIOS name but I am still not able to retrieve hardware inventory information. The MP IIS log however holds the IP of the Ubuntu server (192.168.0.19). I have also checked the MP_Hinv log but it does not mention the Ubuntu server. MP IIS log: http://www.filedropper.com/uex140521 scxcm log: http://www.filedropper.com/scxcm The scxcm log holds quite a few various errors.
Yes, you can app-v Firefox but you can't lock down user settings. The only way to do that is through packaging Firefox as non app-v and using GPOs. You can download the admx templates from here:
This is the way. The only things I would add:
Free 70-703 braindumps proved to be my best choice. It is not only free but it gives a strong hold of the knowledge about each topic. I went through Free Microsoft 70-703 dumps and was ready to appear in the final IT exam. I am happy that I solved all the questions.
Build a lab. You've got Hyper-V embedded in Windows 8 or later, and all the Windows products are free for 180 days, which is plenty of time. Try getting your hands on the CBT Nuggets and just follow that through.
My image is about 10.5G but I have our most commonly used apps in the image. To free up more space, as a last step before capturing, run http://www.homedev.com.au/free/patchcleaner and "dism /online /cleanup-image /startcomponentcleanup /resetbase". You should reclaim about 1.5G or so.
This is a great free repackager from itninja: http://www.itninja.com/file/view/2
Also nirsoft has a great tool for grabbing regkeys touched by a launched app: http://www.nirsoft.net/utils/reg_file_from_application.html
They are on NuGet as stated in the docs here:
NuGet packages:
If you don't know why you need something then maybe you don't need it as much as you think.
Focus on your problem: Imaging 800 PCs "by hand" the way you describe is ludicrous; with the best will in the world it will be slower and more error-prone than an automated process.
That doesn't mean you want SCCM, or rather it doesn't mean that the benefits to you outweigh the costs to the organisation. If all you need is imaging then maybe focus on that.
There are lots of alternatives to SCCM for automating builds many of which have been discussed here already, so I'll add Chocolatey for post-build scripted package install tasks just to keep things interesting.
Don't deploy updates to them; instead, run
#run once to install
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Set-ExecutionPolicy Bypass -Force
Install-Module PSWindowsUpdate
Import-Module PSWindowsUpdate
Get-Command -Module PSWindowsUpdate
# register the Microsoft Update service
Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d -Confirm:$false
then to trigger....
Install-WindowsUpdate -MicrosoftUpdate -Verbose -Category 'Critical Updates', 'security updates' -AcceptAll -IgnoreReboot
# or use -AutoReboot
You can also install PSWindowsUpdate from Chocolatey:
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
choco feature enable -n allowGlobalConfirmation
choco upgrade powershell -y
choco upgrade pswindowsupdate -y
Thanks for the comments, but I have Chocolatey down pretty well. I also have a bunch of Chocolatey-package-based applications successfully deploying in SCCM (each one with a -y switch) for over a year now.
This problem is NOT Chocolatey. As discussed on the other branch of this thread, it appears to be a (short-sighted) design limitation of TS in that the applications MUST have local content (even if that content is empty and meaningless). When I establish some dummy content for applications, the TS error goes away.
Has it ever worked?
How was Chocolatey installed? In base image or pre-step? Did it install correctly? Are you using the correct method (ZTI wrapper): https://keithga.wordpress.com/2014/11/25/new-tool-chocolatey-wrapper-for-mdt/
And how are you calling/installing chocoinstaller.ps1? As a package with the single PowerShell script? (Obviously you've checked this package?) Or are you just running the one-liner:
@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin
Once installed are you just using cmd: "choco install app1 app2"? Have you set global conditions to install without prompt for 'y' each time? Otherwise the script is just going to sit there and not proceed, timeout-> ERROR FAIL FAIL.
If all the above checks out, then all I can add is check that preceding app installers aren't the culprit; SCCM can be a bit vague in the error logs. Make sure every step has 'continue on error'.
SCUP has some functionality for Adobe but you can't seem to fully automate this. You could try using Chocolatey (https://chocolatey.org/). You can use this to deploy the app, then use its own functionality to keep the app up to date.
e.g. SCCM calls Chocolatey to perform the install, then use a chocolatey command as part of your app detection to determine if it is up to date.
Chrome can self update itself without you needing to do much.
I think Chocolatey would be an alternative for you. Chocolatey packages contain PowerShell scripts.
Also take a look at Deployify. It's a service that lets you distribute these choco packages fast and easy, and without using the CLI.
App Catalog only works if the same user is logged in on the PC as well as authenticated to the site. The page will load, but you can't actually run anything. Can't find the official source but this should help.
Is it possible that it's permission-related?
Can you give me some of the logs to look at? Also are you looking at the server logs for any clues?
I would also create a new client policy that has the Endpoint configuration settings in them and weight it the highest then deploy that to your group.
It could also be that you don't have the policy deployed if you already have it in a separate policy.
References - http://serverfault.com/questions/519094/system-center-configuration-manager-endpoint-protection-client-install-error
Hello Nick,
Go to Udemy.com and take my course System Center Configuration Manager (SCCM) For Beginners. You will learn everything you need to get that job.
Thanks,
Robert
I like PDQ Deploy for situations like this. The free version will let you build out a package to use and it has good feedback on each deployment. https://www.pdq.com/pdq-deploy/
Like Fendulon said, it seems you may have a larger issue with the clients and software updates but this will get you to a patched state.
Did you get ahold of that c:.Bin\S-1-5-21-1708537768-823518204-1801674531-218703.exe file from the quarantine? Check the hash it might be writing itself to that location. Any other modifications to the system? Check out this analysis of the download: https://malwr.com/analysis/M2NkMjJiZTUzYzkwNGE5MTg2NzIwZDVjOGZjNTIzMjQ/
You could submit it to McAfee as a suspected false and they can tell you exactly why it's being detected by their heuristics engine.
You're doing two things at once here, converting to UEFI and enabling BitLocker.
UEFI mode is not a prerequisite of BitLocker.
Do your existing laptops have the separate reserved system partition outlined here? https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
Looking into the ccm.log. It seems that there is an account issue, do you know what may be the cause?
The service account can login on the sandbox server, the service account group has admin rights under the local Administrators group on the machine, but I can't seem to get it to install. Also the firewall is off.
I made a minor modification to the Lenovo warranty script so that it would only run if the manufacturer in Win32_BIOS is LENOVO. I then created a deployment for my new Warranty package, and pushed it to all our systems. It ran really fast, but it isn't updating SQL Server (I used your SQL query). I'm guessing this is because it won't update until SCCM does its hardware inventory. Is that correct?
sure
here are the cab files you can import
one for Dell, one for Lenovo and one that enables WoL inside Windows on Intel network adapters (which was apparently not enough on its own)
the Lenovo configuration item only sets the value for Wake on LAN to "primary", as I never could get it to work when it was set to "automatic"
keep in mind that you need to install openmanage client instrumentation on your dell clients before you can run the wmi commands that do their magic
please test this out before you deploy it to the all systems collection.....
I've seen quite a few of the TrueSec trainers at TechEd Europe and I've always enjoyed their presentations. You can watch some here: Kent Agerlung and Johan Arwidmark
I'm a little jealous you get to go to Miami though :-) I'm sure you'll enjoy it and plenty from it.
SQL Management Studio will likely already be installed on your SCCM server. It's the tool used to manage SQL Server. It depends a bit on where your SQL DB is, but a lot of installations of SCCM have SQL and SCCM on the same box. You can find out where SQL is in the console. Go to the admin node. Click Site Configuration. In here you'll see a list of servers and site system roles. One of these will have a role of "Site Database Server". That's your SQL server. If this server doesn't have SQL Management Studio installed on it, you can just put it on by downloading it from here: Download SQL Server Management Studio (SSMS) | Microsoft Docs
This could all vary based on your environment.
AutoIt definitely supports COM:
From https://www.autoitscript.com/site/autoit/
>AutoIt was initially designed for PC “roll out” situations to reliably automate and configure thousands of PCs. Over time it has become a powerful language that supports complex expressions, user functions, loops and everything else that veteran scripters would expect.
>
>Easy to learn BASIC-like syntax
>
>Simulate keystrokes and mouse movements
>
>Manipulate windows and processes
>
>Interact with all standard windows controls
>
>Scripts can be compiled into standalone executables
>
>Create Graphical User Interfaces (GUIs)
>
>COM support
>
>Regular expressions
>
>Directly call external DLL and Windows API functions
>
>Scriptable RunAs functions
>
>Detailed helpfile and large community-based support forums
>
>Compatible with Windows XP / 2003 / Vista / 2008 / Windows 7 / 2008 R2 / Windows 8 / 2012 R2 / Windows 10
>
>Unicode and x64 support
>
>Digitally signed for peace of mind
>
>Works with Windows Vista’s User Account Control (UAC)
I think the PowerShell App Deployment Toolkit can send keystrokes to an application, but I've never tried this.
Another method is to use something like AutoITScript ( https://www.autoitscript.com/site/ ) which can send mouse clicks and type text automatically in an application. I've never seen this work 100% reliably but it's something to consider if the vendor can't help you.
Neither of these are good solutions. Try every other method you can think of first including contacting the vendor before you try either of these.
Mandatory Deployments like this I always do at logon. (Even if that has its own issues)
Are you familiar with AutoIt?
In the past when I've had apps that were "too silent" I built out an Autoit script that displayed warnings and then ran the install.
I believe you could pop a warning and a countdown, then ProcessClose everything you needed to and run the updates.
>Then you can use Charles proxy to inspect the http traffic to find the URL of their files repository.
gotcha, I will look into that, thanks!!
sounds similar to this FIDDLER tool that I just found, so hopefully one way or another we can capture that.. https://www.telerik.com/fiddler/fiddler-classic
thanks
A yearly Visual Studio Professional subscription includes test licenses; these licenses remain valid (as in actually valid, not quasi-legal) after the subscription ends (just remember to grab your keys beforehand).
No, dual scan is not enabled. (it was enabled a long time ago, but since disabled) I uploaded the updatestore log. It seems to say missing initially, then says not needed?
https://expirebox.com/download/32ad0c6c3aa926bb6b6d54d0f5118607.html
Can the users see any part of the Deployment? I googled the error code and install silent and found that this could be related to a cmd window being terminated prematurely.
Do you have the dialog hidden from users?