anyweb

Root Admin
  • Content count

    7,259
  • Joined

  • Last visited

  • Days Won

    257

anyweb last won the day on May 26

anyweb had the most liked content!

Community Reputation

393 Excellent

About anyweb

  • Rank
    Administrator
  • Birthday 11/24/1966

Contact Methods

  • Website URL
    http://www.niallbrady.com

Profile Information

  • Gender
    Male
  • Location
    Sweden
  • Interests
    Deploying Operating systems and more with System Center Configuration Manager

Recent Profile Visitors

4,128,106 profile views
  1. hi, i've updated this guide with a brand new one, so please use that one instead (shown below), but as regards your questions... 1. yes,. it's designed for Server 2016 2. works for me, what error do you get ? 3. The blog post assumes you have sql on the same server as SCCM, so it should work just fine, adjust the sql ini file to decide where it gets installed
  2. the package folder source in your case should be pointing to "some UNC path...\german" and that folder should have a sub folder in it called de-de with the appropriate cab file in it
  3. hi Kevin that is easy to repress using Custom Client settings deployed to the collection containing these computers that you want to upgrade, to hide notifications for new software, once they have upgraded they'll fall out of the collection and popup as normal in your organization...
  4. Microsoft issued a “highly unusual” patch for Windows XP last month to help prevent the spread of the massive WannaCry malware. At least 75,000 computers in 99 countries were affected by the malware which encrypts a computer and demands a $300 ransom before unlocking it. Microsoft stopped supporting Windows XP in April 2014, but the software giant is now taking the unprecedented move of including it in the company’s Patch Tuesday round of security updates today. “In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyberattacks by government organizations, sometimes referred to as nation-state actors, or other copycat organizations,” says Adrienne Hall, general manager of crisis management at Microsoft. “To address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to all customers, including those using older versions of Windows.” read the story @ TheVerge
  5. Introduction Back in March 2017, I reviewed Cireson's ConfigMgr Portal, and it is a great product, however it's not free there is a license cost involved. That said, Cireson have now released a new free version of the Portal called the free community Portal for Configuration Manager and that will make a lot of people happy. What's different between the two releases ? So what's the deal here ? well obviously if you like using the free version then you are inclined to move to the full edition, so let's see what the two versions offer. Community features: Quickly and easily know user details by viewing software and hardware information View a detailed inventory summary of any selected computer in the Computers View Understand deployment status for individual users and computers, along with other relevant organizational information with dashboards No Configuration Manager Console installation required Wizard-based installer to setup in minutes Beautiful and intuitive web interface ConfigMgr Portal edition features: Everything in Community, plus: Inventory data visibility including hardware, software, network, client information, applied updates User device affinity management from within the Portal Computer cloning and cleaning – copy/remove targeted software deployments from one computer to another Interface with external remote tools from your browser, including Remote Manage, Ping, and Remote Desktop Push software on-demand to any client with collection targeted deployments Enhanced software, OS, and MDT deployment and management Create deployment templates for software applications and OS updates Monitor the status of any deployment Simplified role-based administration to control who has access to certain features and to govern the size of deployments Built-in report viewer Dashboards to view summary information for your environment Commence integration for quick and easy computer provisioning Ability to integrate the Cireson Analyst Portal for Service Manager with the Portal for Configuration Manager to better align the support experience In addition to the Community edition, Cireson also released some updates to the ConfigMgr Portal edition: New dashboards to easily see the health of your IT systems Extended remote tools functionality A new wizard-based installer to make it easy to setup the Portal in minutes Commence integration (OS deployment frontend): Windows Pre-Execution Environment (WinPE) application that allows quick and easy computer provisioning through integration with Configuration Manager Portal templates and settings during the provisioning process. Learn more Check out this webinar which explains the new features, and gives an overview of the community edition as well: cheers ! niall
  6. Introduction Windows Information Protection or WIP (formally known as Enterprise Data Protection or EDP) is explained nicely in Microsoft's own words and i've included a quote of that below:- In other words, you can use WIP to protect enterprise data from leaving the enterprise. The prerequisites for WIP are as follows, you'll need a Windows 10 operating system (that is version 1607 or later) and you'll need a management solution such as Intune or SCCM or a 3rd party MDM solution. in addition, you'll need a license for Azure AD Premium. To gain access to the latest capabilities in Intune you should use Windows 10 Creators Update (version 1703). In this article I'm going to show you how to set this up with Intune (in Azure) and I'll give some examples of how enterprise protected data acts when in different scenarios, in addition, I'll explain how you can audit or review logs about this and have a quick glance at the reporting capabilities in Intune. I've already configured Azure for Automatic Enrollment but it's up to you whether you want to use that option (or not). In this guide I assume you've already got an Azure subscription (trial or otherwise) and Intune. If you don't have one you can sign up for a 30 day free Intune trial here. I used Enterprise Mobility + Security E3 licenses for the users in this lab. Making sure Azure is ready for WIP In Azure, select Azure Active Directory from Services and click on Mobility (MDM and MAM). Next Click on Microsoft Intune From the choices listed, choose Restore default MAM URLs and then select the scope. You can add your own urls too (for the MAM Terms of use URL and MAM Compliance URL) if you wish but in this example I did not. Save your settings when done. Create a WIP Policy Now that you've configured MAM in Azure, it's time to create your first WIP policy. To do that, in the Microsoft Intune service in Azure, select Mobile Apps then click on App protection policies. And click on Add a policy. Give the policy a descriptive name, and optionally a description of what it does, in the Platform drop down select Windows 10 from the choices available. Next choose your enrollment option for Enrollment State, select With Enrollment for this guide. In a later guide I will cover Without Enrollment where you can protect data in Enterprise apps (such as outlook) without being MDM enrolled. Next, there are two sections related to Apps. Allowed apps - These are the apps that must adhere to the policy Exempt apps - These apps are exempt from the policy and can access enterprise data freely. Click on Allowed apps and then click on Add apps to add one or more apps that you want to adhere to the policy. There's a drop down with Recommended apps selected as default and those apps are listed below the drop down. If you want to add your own Store apps or Desktop apps manually then you'll need to select the appropriate option and fill in the blanks. Recommended apps: a pre-populated list of (mostly Microsoft Office) apps that allow admins easily import into policy. Store apps: Admin can add any app from the Windows store to policy. Windows desktop apps: Admin can add any traditional Windows desktop apps to the policy (e.g. exe, dll, etc.) To get information about how to generate the info needed for manually adding Store and Windows desktop apps see this post. You can also import apps from an XML file generated in AppLocker by clicking on Import Apps. But before doing so you'll need to create an AppLocker policy and then export the policy. To create an AppLocker policy follow this advice. To export an AppLocker policy to an XML file do as follows: Click Start, type secpol.msc in the Search programs and files box, and then press ENTER. In the console tree, expand Application Control Policies, right-click AppLocker, and then click Export Policy. Browse to the location where you want to save the XML file. Below you can see the process of selecting some apps from the list of the Recommended apps. Next you might want to exempt some apps from this WIP policy, to do so click on Exempt apps and add apps the same way as you did above except this time select those apps that you do NOT want the WIP policy to apply to. After adding apps to your WIP policy, you need to configure required settings, so click on Required Settings. In this guide I selected Allow Overrides which means that the user will be prompted when they try to relocate data from a protected to a non-protected app. Corporate identify should be auto-populated. You can add more domains by separating them using the | symbol. The 4 available Windows Information Protection mode settings are listed below. Hide Overrides WIP looks for inappropriate data sharing practices and stops the user from completing the action. This can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization. Allow Overrides WIP looks for inappropriate data sharing, warning users if they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log. Silent WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped. Off (not recommended) WIP is turned off and doesn't help to protect or audit your data. After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. After configuring the Required Settings, click on Create to Create the WIP Policy. Note: There are also Advanced settings that you can configure which control things like Network Boundary, IP ranges, DRA certificate and other options, however we are not using any of these settings in this blog post. Deploying the policy Now that you've created your WIP policy, it needs to be deployed (assigned) to a group of users that you intend to target with this policy. To deploy the policy, select it and then click on Assignments. Next click on Select Groups to select a previously created Azure Group containing one or more users. Select a User Group containing the users you want to target this policy to and then click on Select. The policy is now deployed. Review how WIP works Logon to a device as a user that is a member of the WIP Users user group (the user group that you deployed the WIP policy to). In this example I am reviewing how WIP works on an Azure AD registered device that is auto-MDM enrolled into Intune. Using Windows File Explorer, browse a bunch of documents. If the File Ownership column is not present you can add it. In this example, You can see that some files are marked with the Enterprise name, and some or not. Those that are not are considered personal documents. You can right click any file and change file ownership from Enterprise (work) to Personal or vice versa. Here we are making a document 'Work' owned. The other option will always be greyed out. Now that we have a mix of Personal and Work documents, let's see what happens when the user attempts to copy Enterprise data from Word Mobile to Notepad. Right click on a protected document and choose Open with, select Word Mobile. As we can see, this application opens both Work and Personal files as we have assigned the WIP policy to it. Mark some text and right click, choose Copy. Next open Notepad. Right click in a new document and choose Paste. Thanks to WIP, and the Required Settings you configured, the user is prompted about pasting this data. In this case, clicking on Give access allows you to copy the data but the action will be logged and can be reported on. If you attempt to open the same protected document with Notepad directly you'll see this. Next, try copying a protected document to somewhere personal, such as OneDrive personal. You'll be informed that OneDrive can't sync the file. If you look at a protected files' Properties (right click the file), and then click on Advanced in the General tab, you should see that the file is encrypted. Clicking on the Details button will give you more info. What about reporting ? Both Intune SA (Standalone) and Intune in Azure have reporting for WIP, however the abilities between them are noticeable and no doubt will change soon. In Intune Standalone you can review the built in WIP report in Reports, Windows Information Protection reports, View Report. and you'll see something like this: Note: You'll need to wait about 24 hours before WIP data shows up. To see similar data in Intune in Azure, select Mobile Apps, and in the Monitor section select Mobile apps - Windows Information Protection learning. As you can see the data is quite different in terms of content and columns but I'm guessing (hoping) that this will change soon in Intune in Azure. Note: There is an App Protection status node that contains reports for users and apps but it is currently only applicable to iOS and Android. To get more data on the clients, you can peruse event viewer logs in the Applications and Services logs, see below. EDP-Applearning EDP-Audit-Regular EDP-Audit-TCP Well that's it, I hope this gives you a good overview of WIP in Intune. Until next time, adios. Recommended reading 30 day Intune trial Protect Enterprise data with WIP Enterprise Mobility and Security Blog Set up Windows device management with Microsoft Intune Windows Information Protection Policy create How to setup MAM for Windows 10 1703 Windows 10 MAM Without Enrollment and Office Desktop Apps
  7. sounds like it, try the same thing without copyprofile, I havent tested this with LTSB, so maybe that could be part of your issue also...
  8. you are looking at the SCCM client logs, you need to look at the server logs
  9. if it's missing on Server 2012r2 then you must not have the correct updates applied to the server, double check the updates i've listed and see did you miss any
  10. of course you can do it using ConfigMgr, most people do it using MDT as it's quick and easy and well documented
  11. we patch office after the task sequence is finished