boyjaew2

  1. Turns out. That is just not how it's done unless you want to root your devices or something. Guess I'm over to look at MDM in sccm...
  2. This might be completely outta bounds, but has anyone ever attempted image mgmt of android for tablets? We have a little less than 100 coming in and "they" want standardized OS across the lot and we would rather not do them all manually. Johan Arwidmark directed me to Kent Agerlund's blog and book on EMS, but I thought I'd present the question and see what if anything has been hacked together by the community. Thanks
  3. #Failure Even with group policy set as above after letting it sit all day, rebooting, manually updating group policy as well as it being refreshed by the normal update cycle and it being fine ALL day, I just rebooted my test machine and get a pop up saying that "This app is turned off by group policy" which it isn't and nothing has changed. Am I going to have to set a manual config on that damn key to make this work? Group policy doesn't seem to care much what the hell the setting is. SOME how my test computer got moved into a different OU. All is well. As you were.
  4. P.S. I also tested defender communication with SCCM with an EICAR file and it caught, removed and reported on the file in the SCCM console as expected.
  5. I imagine some of you sitting back and having a good chuckle at my little saga, but I think I've found out a few things that could come in handy. I'm still waiting to see if this is the real solution or not. So, bear with me. 1) It doesn't seem to matter what version of SCEP gets pushed with the ccm client install (the install will fail anyway - at least from what I've seen. Might be different with the GPO setting corrected?) as, when everything else is configured correctly it looks like win 10 just uses whichever version of defender it has on hand. 2) I had three GPOs on the OU I was testing. From what I've found all three have to have "Turn off Windows Defender" disabled. Although it looks like it should have worked with it Not configured as well, but that didn't seem to be the case for me. The key to watch on the client side is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender - DisableAntiSpyware. If that is set to '1', there will be problems. 3) Then, doing nothing else, I changed my Default Antimalware Policy in sccm, toggling the Real-time protection > Allow users on client computers to configure real-time protection settings: I would then update the machine policy VIA ccm client and I could see it being greyed on/off. So, I know my malware policy is still being respected VIA ccm settings. Though the settings now seem to be part of the OS and not in a tab on the defender/scep GUI. 4) I ran gpupdate and rebooted several times and everything has stuck so far. That's all I've got. Hope it helps someone. I wasn't able to find a single source anywhere that mentioned all of this in one go. So, FWIW.
  6. I think that if I could somehow magically get SCEP v. 4.8.10240.16384 into SMS_CCM\Client where my client install bits are it would maybe work. Right now I have v. 4.7.214.0. Any idea which MS forest-gnome I have to genuflect to to get that upgrade? Is this even an accurate assumption?
  7. So, what is the answer here? We know SCEP is replaced in win 10 with defender. I have messed with group policy to try and get it to run with no success. I previously deployed SCEP with ccm client. Now no matter what I try, short of changing the regkey for defender locally (which gets turned off again when GPO is applied regardless of a change in group policy settings) I have found no way to get access to the GUI locally on the client or see that it is being managed by sccm SCEP policy. What the heck is going on here? Thanks,
  8. Honestly, I've been trying to figure out how to do this since day one.
  9. With the script, are you saying I can add a TS step to go look at my existing WSUS server and get updates, during OSD, directly without creating the SUP?
  10. I'm going to jump in here as it seems like the closest to what I'm looking for. I'm pretty sure the answer is, no you can't run both concurrently, BUT, is it possible to have WSUS for regular enterprise-wide patching, but set up a standalone SUP on sccm JUST for OSD (unknown computers collection)? What I want to do is keep our WSUS operating the way that it is, but be able to install updates to new images so that when we deploy an image it will get patched without helpdesk personnel having to run through the MS updates song and dance as well as avoid having to do a build and capture to keep the reference image patched. Is that possible? Is there a better way to do this? Thanks
  11. That did the trick alright. Now to the root cause. I'm trying to do something that I haven't done. Helpdesk is requesting something of an LTI or ZTI that will require less of their time configuring profiles, installing/updating software, drivers etc. etc. I am trying to keep my deployment images very thin. While they want all manner of stuff baked into the image. I have given up trying to explain to them why a bloated image is a bad idea. It SEEMS like I might be best served integrating MDT into SCCM. I have used it before, but not integrated like this. I have already tried building a custom unattend file to deploy with my image, but it failed on the specialize pass. So, I figured before I go down that rabbit hole I might take a quick peek down a different one. I have SCCM 2012 R2 SP1 and an installer for MDT 2013 Update 1 (6.3.8298.1000) - most current version?. I'm confident I can get it installed and integrated. My questions are these: 1- Am I even heading in the right direction thinking MDT is going to help me with this scenario? 2- Is this version of MDT going to work with my current SCCM environment? 3- I have seen the guide for MDT integration, assuming I am heading down the right track and all the components are going to be compatible, is this the best guide to try and follow for what I want to do or is there something even more basic or more similar to my scenario I should look at? If there is a better place to post this question please let me know and I can move it.
  12. Heh, heh... So, how exactly do you schedule a deployment for the day before? The wizard does not let you complete the deployment. Or, do you have to schedule it and then wait a day?
  13. That is exactly which version I am running. I will try the workaround and see if that does the trick. Thanks, Mr. B.
  14. OSD is one of the first things I learned how to do and it's been a LONG time since I've had issues with it. I have honestly never seen this. I build my TS to deploy a system image like I have done a hundred times. Now, no matter what I do I can not get my TS to show in the list of available task sequences. I have built from scratch, copied other known working TSs and nothing is making the damn thing show up. All of the referenced components have been distributed and I have deployed the TS. Nothing. Am I missing something here? The thing that is different in this case is I am trying to deploy to a VM. Which I have also done successfully with no issue. Now it is time to refresh or even build a new image from scratch and nothing I have done will get the TS in the list. All my current OSD TSs are listed, but those won't work because I need the custom boot image that has the VM tools drivers in it. I have even tried selecting one of those just for the heck of it and they don't work because of the drivers. I am new to this specific process so maybe I am missing something, but I've been working on it for two days now and am starting to go a bit bonkers. If it would show up and fail that would at least be SOMETHING at this point. Help me out, please.
  15. I thought about it, but this change has to be made to about 160 machines and their psyches are fragile enough having recently completed enterprise-wide removal from "everyone's an admin". I think the confusion would kill them, temporary or not. I think I'm going with a GPO scheduled task.