Everything posted by anyweb
-
Microsoft best practices
anyweb replied to hooligan88's topic in System Center Configuration Manager (Current Branch)
And I'd add: why keep SQL remote? I know you don't want it remote; take that fight again. Having it remote only causes problems. Keep it on the primary and things will be much better.
-
And thank you for thanking me for creating it! It's probably possible to separate those, and if you are lucky I may release that in the next version of this blog post, so look out for the 1706 version of this blog post coming in the future; hopefully I will have that capability added then. By the way, did you see that I've released a 1702 version of this guide here? Cheers, niall
-
This list of guides (think of it as a living index) will be updated by me whenever I write a new guide for Microsoft Deployment Toolkit (MDT). If you are looking for some of my other guides then please check below:

- Microsoft Intune (hybrid) guides look here (over 61,103 views as of July 2017)
- SCCM (Current Branch) and SCCM (Technical Preview) guides are here (over 63,821 as of July 2017)
- Configuration Manager 2012 guides then look here (over 1 million views as of July 2017)
- Configuration Manager 2007 guides then look here (over 948388 views as of July 2017)
- SMS 2003 guides are here (over 10423 views as of July 2017)

Cheers, niall

- How can I use PowerShell to automatically deploy Windows 10 version 1903 with MDT
- How can I automate the deployment of Windows 10 version 1709 (Fall Creators Update) using MDT and PowerShell?
- How can I automate the deployment of Windows 10 (Creators Update) using MDT and PowerShell?
- How can I deploy Windows 10 x64 to the Microsoft Surface Pro 4 using MDT 2013 Update 1
- How can I deploy Windows 10 x64 Enterprise to the Microsoft Surface Pro 3 using MDT 2013 Update 1
- Updated PowerShell script with June 2015 drivers for deploying the Surface Pro 3 with MDT 2013
- How can I use PowerShell to deploy Windows 10 x64 to the Microsoft Surface Pro 4 using MDT 2013 Update 2
- How can I deploy Windows 8.1 x64 to the Microsoft Surface Pro 3 using MDT 2013?
- Updated PowerShell script with May 2015 drivers for deploying the Surface Pro 3 with MDT 2013
- Updated PowerShell script with March 2015 drivers for deploying the Surface Pro 3 with MDT 2013
- Updated PowerShell script with January 2015 drivers for deploying the Surface Pro 3 with MDT 2013
- Updated PowerShell script with November drivers for deploying the Surface Pro 3 with MDT 2013
- Guide: Multiple Operating Systems from UDI wizard
-
Please refer to this link from this point forward.
-
The order is wrong: you need to upgrade to SCCM 1702 (Current Branch) first and then upgrade the operating system. Here are a couple of posts that should help:

- https://social.technet.microsoft.com/Forums/en-US/ef2ea9a9-5d0d-4c03-ae14-3eb936fdbfb6/os-upgrade-on-sccm-servers-from-2k8r2-to-2016?forum=configmanagergeneral
- http://ccmexec.com/2016/03/configmgr-cb-1602-server-2008-r2-in-place-upgrade-to-2012-r2/
- https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/upgrade-to-configuration-manager
- https://sccmentor.com/2016/09/21/in-place-upgrade-sccm-cb-1602-site-server-from-windows-2008-r2-to-2012-r2/
-
Did you validate your account?
-
Security Update .NET KB2894854 (W2k8R2) insistently returns
anyweb replied to a topic in Windows Server General
Is something removing the update? Does windowsupdate.log or the event log give you any clues?
-
This is the supported way to recover a site: https://docs.microsoft.com/en-us/sccm/protect/understand/recover-sites

"When you use DPM to back up your site database, use the DPM procedures to restore the site database to a specified location before you continue the restore process in Configuration Manager. For more information about DPM, see the Data Protection Manager Documentation Library on TechNet."
-
As Garth says, can you link to the post in question please?
-
Introduction

Security is a big focus for many companies, especially when it comes to data leakage (company data). Encrypting data on Windows 10 devices using BitLocker means that data is protected ("data at rest"). Microsoft Intune got yet more updates on June 30th, 2017, one of which was the ability to configure BitLocker settings, detailed here. This ability was initially raised as a uservoice item. So let's take a look at how it works.

Step 1. Create a Device Configuration Profile

In the Azure Portal, navigate to Intune, select Device Configuration, then click on Profiles and then click on Create Profile, and fill in the following details (as shown below):

- Name: Configure BitLocker Settings
- Platform: Windows 10 and later
- Profile type: Endpoint Protection

Note: Endpoint Protection is the profile type for BitLocker configuration, not to be confused with System Center Endpoint Protection.

Step 2. Configure Settings in the profile

Next, in the Windows Encryption pane that appears, make your choices for Windows Settings. Set the Require devices to be encrypted (Desktop only) option to Enable. Make note of the note (the 'i'; you can hover over it to see the info it contains), and I've bolded part of that statement below:

So by requiring BitLocker encryption, your users will need to confirm the above prior to encryption taking place. Hopefully in the future we'll be able to automate it 100% so that no user interaction is required.

For BitLocker base settings, set Configure encryption methods to Enable and then set the desired encryption level via the drop-down menus for each drive connected.

For BitLocker OS drive settings, make your choices after setting Require additional authentication at startup to Enable.

Note: For Enable OS drive recovery, although it states that you can Save BitLocker recovery information to AD DS, it actually saves the recovery information to Azure AD if you enable the option (and you should). In other words, if you want to be able to retrieve a BitLocker key from an Azure AD and MDM enrolled device, make sure to Enable OS drive recovery and Save BitLocker recovery information to AD DS.

For BitLocker fixed data-drive settings, you can deny write access to drives not BitLockered by enabling the option. And for BitLocker removable data-drive settings, make your choices.

Once you've finished configuring the settings, click on OK and then click on Create to create the device configuration profile.

Step 3. Assign the profile to a group

Now that you've created the profile, you need to deploy it (assign it) to a Group containing Windows 10 devices. Select the profile created above and click on Assignments; next click on Select groups to Include. Select a previously created Group (or groups if you wish). I selected one which I previously created called BitLocker Configuration, but you can select whichever Group you want, and then click on the Select button at the bottom of that pane; if it's not visible, zoom out (browser zoom). Finally, click on Save to save the changes. If you haven't done so already, add some Windows 10 Device members to the Group.

Step 4. Monitor the device configuration on a Windows 10 device

Log in to an MDM connected (and in this case Azure AD joined) device that is not yet encrypted, and trigger a Sync. To trigger a policy sync, select All Settings, Accounts, select Access Work or School, select your MDM account and click on Info. Next, click on Sync. Once the sync is done you should see an Encryption Needed notification in the systray. Click on the notification and you'll see the following screen. Select I don't have any other disk encryption before clicking on Yes, and off it goes...

You can open an administrative command prompt to verify the encryption algorithm using the following:

manage-bde -status

As you can see from the above, encryption is in progress and the Encryption method matches the XTS-AES 256 setting selected in the device configuration. After it's done encrypting, you'll be notified. And in Windows File Explorer you can see the BitLocker icon on the operating system drive.

Step 5. Verify device is configured with BitLocker in Azure

At this point trigger another Sync on the device. After the sync is complete, click on the Device configuration profile and select Device status as shown below. Devices targeted by the profile will be listed along with the Deployment Status of the configuration profile. If the user has allowed BitLocker to complete, the deployment status will be listed as "Succeeded" as shown below. If the user did not start encryption (or if there was some other problem), it will be listed with a Deployment Status of "Error". If the Deployment Status is listed as Error, you can click on the device listed, and it will take you to the device's properties. From there click on Device configuration and then click on the Device Configuration error on the right side of this screenshot. Here you see that it mentions the user needs to click on Yes to start the encryption, so it's likely (in this case) that the user ignored the notifications, which is why an error is reported. To enforce this, or rather to force the user to do what we want (in regards to starting the BitLocker encryption via the notification), please see the comments in the summary at the bottom of this guide.

Step 6. Retrieving the BitLocker key as the admin in Azure AD

To locate the BitLocker protector key, select the User that enrolled into MDM and click on Devices. Then select the device in question. The BitLocker key id and BitLocker recovery key will be listed. This can be double checked against the actual computer using this command (in an administrative command prompt on the client computer that is BitLocker encrypted):

manage-bde -protectors -get c:

Note: If the user un-enrolls the device, the BitLocker recovery keys will be removed from Azure AD.

Step 7. Retrieving the BitLocker key as the user

The user can also check their BitLocker keys on any of their enrolled devices by clicking on Settings, Accounts, Access work or school, highlighting the connection and selecting Manage your account, or by going to https://myapps.microsoft.com in a web browser, clicking on their username and then clicking on Profile. From there they can select the device in question and click on Get BitLocker Keys, and the BitLocker keys will be listed.

Note: If you want to automate this and remove user choice then use the windows-noob.com custom MSI in Part 2.

Recommended reading

- https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10
- https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-management-for-enterprises
- https://en.wikipedia.org/wiki/Data_at_rest
- https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access
- https://nhogarth.net/2017/07/17/intune-denying-access-to-windows-10-without-bitlocker-enabled/
- https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/06/07/hardware-independent-automatic-bitlocker-encryption-using-aadmdm/

Summary

It's great that we've finally got the ability to enable BitLocker in Intune, but forcing encryption is not that straightforward. To force your users to be compliant you can either use Conditional Access (1) to deny those machines access to email and associated Office applications unless they are encrypted; to do that you'll need to configure a Device Compliance policy (2) to verify that the device is encrypted, and based on that the user can access the applications specified. Or, you can automate the encryption like I do in Part 2 of this series of blog posts about BitLocker in Intune.

(1) Thanks Jan Ketil Skanke
(2) Thanks Nick
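As an added example (not part of the original post or of Intune), the following PowerShell reports the same facts the guide reads by hand from "manage-bde -status" and "manage-bde -protectors -get c:", so a help desk can confirm that the profile produced the intended state on a client. It assumes an elevated prompt on Windows 10 with the built-in BitLocker module, and XTS-AES 256 as the chosen encryption level ($ExpectedMethod is an assumption; the optional escrow cmdlet exists on Windows 10 1511 and later).

```powershell
# Added example, not from the original post. Checks the OS drive's BitLocker state against what
# the Intune "Configure BitLocker Settings" profile should have produced.
param([switch]$EscrowToAzureAD)   # optional: re-push the recovery password to Azure AD

$ExpectedMethod = 'XtsAes256'      # assumption: the level chosen in the profile (page example)
$osDrive = $env:SystemDrive

$vol = Get-BitLockerVolume -MountPoint $osDrive

# On a TPM-equipped device you would normally expect a Tpm protector (no user PIN at startup)
# plus a RecoveryPassword protector; the latter is the key escrowed to Azure AD in Step 6.
$tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

[pscustomobject]@{
    MountPoint        = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
    EncryptionPercent = $vol.EncryptionPercentage
    ProtectionStatus  = $vol.ProtectionStatus    # On = protectors active; Off = suspended or not encrypted
    EncryptionMethod  = $vol.EncryptionMethod
    MethodMatches     = ($vol.EncryptionMethod -eq $ExpectedMethod)
    HasTpmProtector   = ($tpm.Count -gt 0)
    RecoveryKeyIds    = ($recovery.KeyProtectorId -join ', ')   # compare with the Key ID shown in Azure AD
} | Format-List

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Warning 'Drive is not encrypted: the user has probably not clicked Yes on the "Encryption Needed" notification yet (the "Error" case in Step 5).'
}
elseif (-not ($vol.EncryptionMethod -eq $ExpectedMethod)) {
    # A drive encrypted before the profile applied keeps its old method; changing it
    # requires decrypting and re-encrypting the drive.
    Write-Warning "Encryption method is $($vol.EncryptionMethod), not $ExpectedMethod."
}
elseif ($recovery.Count -eq 0) {
    Write-Warning 'No RecoveryPassword protector: nothing can be escrowed to Azure AD for this drive.'
}

# Optional: if the device was encrypted before MDM enrolment, the recovery password may never
# have been escrowed; this sends it to Azure AD for the Azure AD joined device.
if ($EscrowToAzureAD -and $recovery.Count -gt 0) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery[0].KeyProtectorId
}
```

Run it without the switch first; the RecoveryKeyIds value is what should match the BitLocker key id shown against the device in Azure AD.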
-
Can you check your Redist folder for any non-downloaded files, or files with 0 bytes, such as the file listed below (due to the WindowsUpdateAgent x86 version not being downloaded). The Redist folder will be in a path such as the following, but the GUID will most likely be different:

D:\Program Files\Microsoft Configuration Manager\CMUStaging\7B7E6E7B-3A61-4E84-A5E1-B5DCB514ADED\redist
-
The return of EternalBlue

On June 27th 2017, another ransomware attack took hold, targeting the same EternalBlue (SMBv1) vulnerabilities as WannaCry before it. This attack, however, doesn't reach out to the internet like WannaCry did; it's an internal network attack. However, this attack seems to have deliberately targeted businesses in Ukraine, and as the email address used for encryption keys was disabled almost immediately, there's no point in anyone paying the ransom if their files are encrypted, as they'd never get a reply (with the decryption info).

Patch Patch Patch

If you haven't done it already (and if you have not, why not, especially after WannaCry), head over to this TechNet link and apply the patches. Do it.

Stopping the damage

That said, a security researcher found a way of stopping the ransomware from encrypting affected machines by placing a read-only file called Perfc in the Windows directory, e.g.:

C:\Windows\Perfc

The presence of that file will be enough to stop the contents of the hard disc from being encrypted by this malware; however, the reason this malware spread in the first place is down to unpatched vulnerabilities in the operating system. Those vulnerabilities include two from the leaked NSA exploits, so if you've patched your operating systems against those known vulnerabilities you should be safe.

Protection against this new ransomware attack

Microsoft have advised the following to keep you protected against this (and similar) ransomware attacks:

"We recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

- Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as recommended previously
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445

As the threat targets ports 139 and 445, your customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. These may have large impacts on the capability of your network, but may be suggested for a very short time period while you assess the impact and apply definition updates.

Windows Defender Antivirus detects this threat as Ransom:Win32/Petya as of the 1.247.197.0 update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook."

Recommended Reading

- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?utm_campaign=windows-noob.com
- https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/
- https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
- https://www.binarydefense.com/petya-ransomware-without-fluff/
- http://blog.coretech.dk/swo/petya-ransomware-the-attack-method-and-preventing-it/
- https://azure.microsoft.com/en-us/blog/petya-ransomware-prevention-detection-in-azure-security-center/
- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
- http://blog.uk.fujitsu.com/information-security/petya-medoc-and-the-delivery-of-malicious-software/#.WVeKWCmxXD4
- https://www.1e.com/blogs/2017/06/30/stop-future-petya-attacks/?utm_content=56869130&utm_medium=social&utm_source=windows-noob.com
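As an added example (not part of the original post or of Microsoft's advisory), the following PowerShell audits a host against the interim workarounds quoted above (SMBv1 disabled per KB2696547, inbound TCP 139/445 blocked, the read-only Perfc file) and checks for the MS17-010 package, applying the workarounds only when run with -Remediate. It assumes an elevated prompt on Windows 8.1/Server 2012 R2 or later (SmbShare and NetSecurity modules); the default KB IDs are an assumption for Windows 7 SP1 / Server 2008 R2 and should be taken for your OS from the MS17-010 bulletin linked above.

```powershell
# Added example, not from the original post. Report-only by default; -Remediate applies the
# stop-gap workarounds from the advisory. Patching (MS17-010) remains the real fix.
param(
    [switch]$Remediate,
    [string[]]$Ms17010Kb = @('KB4012212', 'KB4012215')   # assumption: Win7 SP1 / 2008 R2 packages
)

$report = [ordered]@{}

# 1. MS17-010: is either the security-only or the monthly rollup package installed?
$installed = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
$report['MS17-010 installed'] = [bool]$installed

# 2. SMBv1 server side (the KB2696547 method for Windows 8 / Server 2012 and later).
$smb = Get-SmbServerConfiguration
$report['SMBv1 enabled'] = $smb.EnableSMB1Protocol
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['SMBv1 enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# 3. Host firewall rule blocking inbound SMB on 139/445. This also breaks legitimate file
#    sharing to the host, which is why the advisory calls it a short-term measure.
$ruleName = 'Block inbound SMB 139/445 (MS17-010 workaround)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($Remediate -and -not $rule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139, 445 -Action Block -Profile Any
}
$report['SMB block rule present'] = [bool]$rule

# 4. The read-only perfc file from the "Stopping the damage" section (no substitute for patching).
$perfc = Join-Path $env:windir 'perfc'
if ($Remediate -and -not (Test-Path $perfc)) {
    New-Item -Path $perfc -ItemType File -Force | Out-Null
    Set-ItemProperty -Path $perfc -Name IsReadOnly -Value $true
}
$report['perfc file present'] = Test-Path $perfc

[pscustomobject]$report | Format-List
```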
-
Hi, I've updated this guide with a brand new one, so please use that one instead (shown below), but as regards your questions:

1. Yes, it's designed for Server 2016.
2. Works for me; what error do you get?
3. The blog post assumes you have SQL on the same server as SCCM, so it should work just fine. Adjust the SQL ini file to decide where it gets installed.