boyjaew2

Established Members
  • Content Count: 88

Everything posted by boyjaew2

  1. Turns out. That is just not how it's done unless you want to root your devices or something. Guess I'm over to look at MDM in sccm...
  2. This might be completely outta bounds, but has anyone ever attempted image mgmt of android for tablets? We have a little less than 100 coming in and "they" want standardized OS across the lot and we would rather not do them all manually. Johan Arwidmark directed me to Kent Agerlund's blog and book on EMS, but I thought I'd present the question and see what if anything has been hacked together by the community. Thanks
  3. #Failure Even with group policy set as above after letting it sit all day, rebooting, manually updating group policy as well as it being refreshed by the normal update cycle and it being fine ALL day, I just rebooted my test machine and get a pop up saying that "This app is turned off by group policy" which it isn't and nothing has changed. Am I going to have to set a manual config on that damn key to make this work? Group policy doesn't seem to care much what the hell the setting is. SOMEHOW my test computer got moved into a different OU. All is well. As you were.
  4. P.S. I also tested defender communication with SCCM with an EICAR file and it caught, removed and reported on the file in the SCCM console as expected.
  5. I imagine some of you sitting back and having a good chuckle at my little saga, but I think I've found out a few things that could come in handy. I'm still waiting to see if this is the real solution or not. So, bear with me. 1) It doesn't seem to matter what version of SCEP gets pushed with the ccm client install (the install will fail anyway - at least from what I've seen. Might be different with the GPO setting corrected?) as, when everything else is configured correctly it looks like win 10 just uses whichever version of defender it has on hand. 2) I had three GPOs on the OU I was testing. From what I've found all three have to have "Turn off Windows Defender" disabled. Although it looks like it should have worked with it Not configured as well, but that didn't seem to be the case for me. The key to watch on the client side is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender - DisableAntiSpyware. If that is set to '1', there will be problems. 3) Then, doing nothing else, I changed my Default Antimalware Policy in sccm, toggling the Real-time protection > Allow users on client computers to configure real-time protection settings: I would then update the machine policy VIA ccm client and I could see it being greyed on/off. So, I know my malware policy is still being respected VIA ccm settings. Though the settings now seem to be part of the OS and not in a tab on the defender/scep GUI. 4) I ran gpupdate and rebooted several times and everything has stuck so far. That's all I've got. Hope it helps someone. I wasn't able to find a single source anywhere that mentioned all of this in one go. So, FWIW.
  6. I think that if I could somehow magically get SCEP v. 4.8.10240.16384 into SMS_CCM\Client where my client install bits are it would maybe work. Right now I have v. 4.7.214.0 . Any idea which MS forest-gnome I have to genuflect to to get that upgrade? Is this even an accurate assumption?
  7. So, what is the answer here? We know SCEP is replaced in win 10 with defender. I have messed with group policy to try and get it to run with no success. I previously deployed SCEP with ccm client. Now no matter what I try, short of changing the regkey for defender locally (which gets turned off again when GPO is applied regardless of a change in group policy settings) I have found no way to get access to the GUI locally on the client or see that it is being managed by sccm SCEP policy. What the heck is going on here? Thanks,
  8. Honestly, I've been trying to figure out how to do this since day one.
  9. With the script, are you saying I can add a TS step to go look at my existing WSUS server and get updates, during OSD, directly without creating the SUP?
  10. I'm going to jump in here as it seems like the closest to what I'm looking for. I'm pretty sure the answer is, no you can't run both concurrently, BUT, is it possible to have WSUS for regular enterprise-wide patching, but set up a standalone SUP on sccm JUST for OSD (unknown computers collection)? What I want to do is keep our WSUS operating that way that it is, but be able to install updates to new images so that when we deploy an image it will get patched without helpdesk personnel having to run through the MS updates song and dance as well as avoid having to do a build and capture to keep the reference image patched. Is that possible? Is there a better way to do this? Thanks
  11. That did the trick alright. Now to the root cause. I'm trying to do something that I haven't done. Helpdesk is requesting something of an LTI or ZTI that will require less of their time configuring profiles, installing/updating software, drivers etc. etc. I am trying to keep my deployment images very thin. While they want all manner of stuff baked into the image. I have given up trying to explain to them why a bloated image is a bad idea. It SEEMS like I might be best served integrating MDT into SCCM. I have used it before, but not integrated like this. I have already tried building a custom unattend file to deploy with my image, but it failed on the specialize pass. So, I figured before I go down that rabbit hole I might take a quick peek down a different one. I have SCCM 2012 R2 SP1 and an installer for MDT 2013 Update 1 (6.3.8298.1000) - most current version?. I'm confident I can get it installed and integrated. My questions are these: 1- Am I even heading in the right direction thinking MDT is going to help me with this scenario 2- Is this version of MDT going to work with my current SCCM environment 3- I have seen the guide for MDT integration, assuming I am heading down the right track and all the components are going to be compatible, is this the best guide to try and follow for what I want to do or is there something even more basic or more similar to my scenario I should look at? If there is a better place to post this question please let me know and I can move it.
  12. Heh, heh... So, how exactly do you schedule a deployment for the day before? The wizard does not let you complete the deployment. Or, do you have to schedule it and then wait a day?
  13. That is exactly which version I am running. I will try the workaround and see if that does the trick. Thanks, Mr. B.
  14. OSD is one of the first things I learned how to do and it's been a LONG time since I've had issues with it. I have honestly never seen this. I build my TS to deploy a system image like I have done a hundred times. Now, no matter what I do I can not get my TS to show in the list of available task sequences. I have built from scratch, copied other known working TSs and nothing is making the damn thing show up. All of the referenced components have been distributed and I have deployed the TS. Nothing. Am I missing something here? The thing that is different in this case is I am trying to deploy to a VM. Which I have also done successfully with no issue. Now it is time to refresh or even build a new image from scratch and nothing I have done will get the TS in the list. All my current OSD TSs are listed, but those won't work because I need the custom boot image that has the VM tools drivers in it. I have even tried selecting one of those just for the heck of it and they don't work because of the drivers. I am new to this specific process so maybe I am missing something, but I've been working on it for two days now and am starting to go a bit bonkers. If it would show up and fail that would at least be SOMETHING at this point. Help me out, please.
  15. I thought about it, but this change has to be made to about 160 machines and their psyches are fragile enough having recently completed enterprise wide removal from "everyone's an admin". I think the confusion would kill them, temporary or not. I think I'm going with a GPO scheduled task.
  16. The problem: I need to copy a new .exe file down to the client. Easy enough, but then I need to run SOMETHING to copy that .exe and overwrite an existing .exe of the same name that resides in the ProgramFiles(x86) folder. I can do everything except the overwrite because it has to be done AS Administrator (such that you get by right clicking and choosing "Run as Administrator"). I have tried everything I can think of with a .cmd, .bat script (using xcopy and copy) which works fine once everything lands and you right click run as administrator. Anything else even robocopy gets "Access Denied". Is there no way around this? I have also tried a task sequence which also runs into permission problems using the same local admin account which is also a domain account. I really don't want to have to run all of these manually. Any help would be greatly appreciated. Thanks
  17. Answered my own question, posting in case there are any other "query noobs" looking for a hint. Please comment if you have anything to add or any corrections. My original post kinda answers this. My process looked like this Queries>Create Query (this puts you in the "Query Design" view) Name - something that makes sense Limit to collection - if you want to limit set that here Object Type - System Resource Edit Query Statement General tab r-click in whitespace> New>Select The first attribute I wanted was System Resources.Active Directory Site Name Attribute class:System Resource Alias as: <No Alias> - not sure how this works yet Attribute:Active Directory Site Name click "Ok" click "Ok" You'll see the first attribute set. The rest follow the same pattern. This all seems silly and obvious in retrospect, but hey, if it helps someone. I don't mind seeming silly. Since I was looking for specific software I added where SMS_G_System_INSTALLED_SOFTWARE.ProductName = "Cabinet" to the end of the query. I admit it was a shot in the dark, but it worked. This gave me back just the info I wanted and prevented my console from hanging while it found every single attribute most of which I didn't want. Here's what I ended up with: select SMS_R_System.Name, SMS_R_System.ADSiteName, SMS_R_System.LastLogonUserName, SMS_R_System.IsAssignedToUser, SMS_G_System_INSTALLED_SOFTWARE.ProductName, SMS_G_System_INSTALLED_SOFTWARE.ProductVersion, SMS_G_System_INSTALLED_SOFTWARE.Publisher from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ProductName = "Cabinet" Hope it helps anyone that was in the same situation.
  18. ...it's gotta be the '*' wildcard, right?
  19. I have a query built to find a particular software installed. It takes FOREVER to run and spits back way too much. Below is my query. I barely understand these things and I must be doing something wrong here. I only need a few columns. I guess it will work for my end goal which will be a collection based on this query. It just seems a little verbose. It's basically giving me back every attribute. All I really want is: System Resources.Active Directory Site Name System Resource.Name System Resource.Last Logon User Name System Resource.Machine Assigned to User Installed Software.Product Name Installed Software.Product Version Installed Software.Publishers Also, is there really no way to deselect multiple columns after the results are displayed or is one at a time the only way? Any help would be much appreciated. select * from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where SMS_G_System_INSTALLED_SOFTWARE.ProductName = "Cabinet"
  20. Weird. So, I'm looking at "Client Push Installation Properties/Accounts" This is the account I'm talking about. This one says it must be a member of the local admin group on the destination computer. Am I getting my lines crossed here? I'm using the same account for both Client push and Network Access Account. Probably bad? I'm trying to think of a good way to delegate control. It seems like I probably need two accounts, which is probably mentioned in the tutorials, but it's been ages since I set it up. I'm thinking I need to have two accounts (at least).
  21. Starting with this - http://www.windows-noob.com/forums/index.php?/topic/6274-how-to-set-proper-user-rights-permissions-for-sccm-2012s-service-accounts/
  22. I'm taking a run at Microsoft’s Local Administrator Password Solution (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899 I am wondering, if I implement LAPS isn't its effectiveness going to be hindered by having the ccm network account located in the local admin group on all pcs? It has been a long time since I set up ccm. So, I have probably done something stupid here. I know the account has to be in the local admin group, but I also have it in the domain admins group. I'm guessing it is the second part that is the stupid bit. Correct? It is a system account, but I should probably go ahead and pull it out of the domain admin group, right? Any guidance on setting permissions/access for that account? I'm assuming the way I have it is very dangerous. Thanks
  23. Crap! I did not know that. I've migrated from the business intelligence version of SQL to std., for the reason stated keeping it local. I don't suppose there's a way to use the included license ex post facto? Would I be able to find that through the MS licensing site for our EA stuff? I don't usually get involved with licensing at that level and it's been a while since the initial deployment. Now I just feel like a dolt...(BAD admin).
  24. Ok. That's kinda what I was fishing for. I thought I remembered that being the case. We just went through some SQL license wrangling because MS has changed licensing models... again. Anyway, thanks for the input I will keep it local.
  25. I found this set of instructions for moving the sccm database off the primary site server to an actual (remote) SQL server in our environment and am just wondering if the instructions seem accurate to you guys before I actually attempt it. http://sccm2o12.blogspot.com/2011/05/move-sccm-database-to-remote-sql-server.html I will be working with our DBA to accomplish this, but thought it wise to double check with the experts in the forum first. Thanks!
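
The client-side check described in item 5 above (the DisableAntiSpyware policy value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender) can be scripted as a read-only report. This is an added example, not code from the original posts; it assumes a Windows 10 client with the built-in Defender module (Get-MpComputerStatus) and an elevated prompt for gpresult.

```powershell
# Added example (not from the original posts): read-only check of the
# Defender policy value named in item 5. Nothing is modified.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$valueName  = 'DisableAntiSpyware'

# Returns nothing if the key or the value is absent (policy not written).
$policy = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    $state = 'NotConfigured'
} elseif ($policy.$valueName -eq 1) {
    $state = 'DefenderTurnedOffByPolicy'   # the problem state described in item 5
} else {
    $state = 'DefenderAllowedByPolicy'
}

# What Defender itself reports; may return nothing if the service is disabled.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    PolicyState               = $state
    PolicyValue               = if ($policy) { $policy.$valueName } else { $null }
    AntivirusEnabled          = if ($mp) { $mp.AntivirusEnabled } else { 'unknown' }
    RealTimeProtectionEnabled = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' }
}

if ($state -eq 'DefenderTurnedOffByPolicy') {
    # Lists the computer's OU (distinguished name) and the GPOs applied to it,
    # which covers both causes seen in items 3 and 5: a GPO that turns
    # Defender off, or the machine sitting in a different OU than expected.
    # Computer scope requires an elevated prompt.
    gpresult /r /scope computer
}
```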