Sacred Cow
Aug 13, 2007

Caf posted:

If you're licensed for it, take a look at MBAM (https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25).

It requires an agent but allows you to easily manage encryption for secondary or removable drives.

edit - Misread the requirement. You can enforce the encryption type but not force the fixed drive to encrypt. Yeah, you need MBAM to enforce any kind of encryption compliance. I use it in my environment and it's nice to have if only to show our legal/compliance team that yes, all laptops are encrypted. If you have an EA/SA or use Windows Enterprise editions then you are licensed for MBAM. All of MDOP used to be its own license but they wrapped it all up into the Enterprise OS licensing.


wolrah
May 8, 2006
what?

MF_James posted:

We threw in the towel attempting to encrypt secondary drives via bitlocker and just use stuff like this: https://www.amazon.com/Apricorn-Har...CS9WXKN65KC23QB

Bitlocker works great for drives that are permanent/semi-permanent, but once you have drives that are extremely mobile it becomes a pain.

This was about a year ago maybe a little longer that we tried it, things might have gotten better, I'm not sure.

A lot of my customers use these, they seem pretty nice.

Of course half of the things have the PIN on a label attached to the device.

The Fool
Oct 16, 2003


Sacred Cow posted:

edit - Misread the requirement. You can enforce the encryption type but not force the fixed drive to encrypt. Yeah, you need MBAM to enforce any kind of encryption compliance. I use it in my environment and it's nice to have if only to show our legal/compliance team that yes, all laptops are encrypted. If you have an EA/SA or use Windows Enterprise editions then you are licensed for MBAM. All of MDOP used to be its own license but they wrapped it all up into the Enterprise OS licensing.

Last I looked you needed an SQL server to throw MBAM on too.

Sacred Cow
Aug 13, 2007

The Fool posted:

Last I looked you needed an SQL server to throw MBAM on too.

If you have SCCM in your environment (which sounds like the case for peak debt) you can just throw it on the same SQL server. MBAM is covered in your System Center SQL license. If you're not integrating with SCCM, then yes you will need a SQL server.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

BitlockerToGo does all the work for you. Non-encrypted drives lock as read-only and you have to encrypt them to make them writable, enforceable with GPOs. The iffy part in my experience are encrypting non-boot fixed data drives.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
We already have third-party encrypted USB drives (Kingston DT4000s) so this is specifically only for fixed drives. I'll have a look at MBAM, thanks!

lol internet.
Sep 4, 2007
the internet makes you stupid

peak debt posted:

I'm trying to set up Bitlocker encryption in our domain.

So far we have encrypted all our OS drives straight out of the SCCM task sequence where everything is working exactly as it should. All computers are getting encrypted and the recovery keys are making their way into AD as they should.

But now I have gotten the task to make sure that all secondary drives (d:\ etc) are also encrypted. I tried looking at group policy to do this, and here is where my questions start. Am I right in that there is in fact no "encrypt this drive" GPO? I found lots of GPOs that set how an encryption is supposed to happen but none that actually trigger it.

If so, is it the usual procedure to just use a Powershell script or something similar to actually trigger the encryption myself?

As things look, how I am planning to do this is to use a script like the following:
code:
# Add a recovery password protector to D: and escrow it to AD before turning encryption on
Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector
$x = Get-BitLockerVolume -MountPoint "D:"
Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $x.KeyProtector[0].KeyProtectorId
# $somerandom20letterstring is a placeholder: it has to be generated or set elsewhere in the script
$pw = ConvertTo-SecureString -String $somerandom20letterstring -AsPlainText -Force
# -PasswordProtector is a switch; the secure string goes to -Password
Enable-BitLocker -MountPoint "D:" -PasswordProtector -Password $pw
Enable-BitLockerAutoUnlock -MountPoint "D:"
This _should_ work, but I am absolutely not sure if that's best practice since I've never done anything like this.

Windows 10 actually enables bit locker by default if you have a gpo to store the keys in AD.

I actually have a task sequence command to add a registry key so it doesn't enable by default. When I was looking into enabling bit locker I could have sworn a gpo covers the extra drives

lol internet. fucked around with this message at 18:56 on Jul 4, 2018
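The script peak debt quotes above, reworked as an added example (this is not code from the thread or from Microsoft): it is meant to be safe to run repeatedly from a GPO startup script or an SCCM step, skips drives that are already encrypted, escrows every recovery password protector to AD, and enables auto-unlock only once the OS drive is itself protected, which Enable-BitLockerAutoUnlock requires. It assumes the BitLocker module that ships with Windows 8 / Server 2012 and later, local admin rights, the "Store BitLocker recovery information in AD DS" policy so the backup succeeds, and Windows 10 1511 or later for XtsAes256. The D: default is a placeholder.

```powershell
# Added example: idempotent BitLocker enablement for one fixed data drive.
# Assumptions: BitLocker PowerShell module, admin rights, recovery-key-to-AD policy in place.
param([string]$MountPoint = 'D:')   # placeholder drive letter

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
if ($vol.VolumeType -ne 'Data') {
    throw "$MountPoint is a $($vol.VolumeType) volume, not a data drive; refusing to continue"
}

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Enable-BitLocker needs at least one protector. For a fixed data drive that will be
    # auto-unlocked by the OS drive, a recovery password protector alone is enough; a throwaway
    # random password protector (as in the quoted script) adds nothing that needs to be managed.
    Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector `
        -EncryptionMethod XtsAes256 | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}

# Escrow every recovery password to AD, not just element [0], so re-runs after a
# key rotation also end up backed up.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # Drive was encrypted earlier without a recovery password (e.g. by hand): add one now
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Auto-unlock stores the data drive's key on the OS volume, so it is only allowed (and only
# safe) once the OS drive is protected.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq 'On') {
    if (-not $vol.AutoUnlockEnabled) {
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }
} else {
    Write-Warning "OS drive $env:SystemDrive is not protected; auto-unlock for $MountPoint skipped"
}

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, AutoUnlockEnabled
```

Run it once per data drive letter; the final Select-Object line is what to log back to whatever compliance report you keep, since VolumeStatus of EncryptionInProgress on a large drive is normal for a while after the first run.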

The Fool
Oct 16, 2003


lol internet. posted:

Windows 10 actually enables bit locker by default if you have a gpo to store the keys in AD.

This hasn't been my experience, do you have a link?

lol internet.
Sep 4, 2007
the internet makes you stupid

The Fool posted:

This hasn't been my experience, do you have a link?

https://docs.microsoft.com/en-us/wi...file-encryption

My osd task sequence adds this registry key step otherwise bitlocker is enabled when I logged in. I had to dig a bit to find out what was going on. My image is 1709 if that matters.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

Value: PreventDeviceEncryption equal to True (1)

Type: REG_DWORD



Off topic but is there anyway to have users automatically login to the windows store? Doesn't appear to be a gpo for it.

lol internet. fucked around with this message at 09:41 on Jul 5, 2018

Caf
May 21, 2004

I'm King James! The Lion King!

lol internet. posted:

https://docs.microsoft.com/en-us/wi...file-encryption

My osd task sequence adds this registry key step otherwise bitlocker is enabled when I logged in. I had to dig a bit to find out what was going on. My image is 1709 if that matters.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

Value: PreventDeviceEncryption equal to True (1)

Type: REG_DWORD



Off topic but is there anyway to have users automatically login to the windows store? Doesn't appear to be a gpo for it.

I have never seen that happen before on any computer and we definitely enforce the recovery backup to AD in group policy.

RE: Your Windows Store question - I don't think that's possible unless your login is a Microsoft account, in which case it should happen automatically. If you're using domain accounts then that's why Windows Store for Business exists.

Caf fucked around with this message at 18:47 on Jul 6, 2018

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Not sure if this is a thread for here, the VM thread, or some unknown third option but does anyone know what stopping a VM inside Azure does? I get that you can power off the machine and de-allocate resources, but does it initiate a graceful shutdown first? Or am I better off shutting down the VM from within the OS, and then stopping it? This has been surprisingly hard to google.

The Fool
Oct 16, 2003


snackcakes posted:

Not sure if this is a thread for here, the VM thread, or some unknown third option but does anyone know what stopping a VM inside Azure does? I get that you can power off the machine and de-allocate resources, but does it initiate a graceful shutdown first? Or am I better off shutting down the VM from within the OS, and then stopping it? This has been surprisingly hard to google.

I believe I read that it attempts a graceful shutdown and will force it to stop after a timeout. However I'm not able to find any source for this and could easily be wrong.

E: https://azure.microsoft.com/en-us/blog/linux-and-graceful-shutdowns-2/ describes a shut down request with a 5 minute timeout. Should also apply to windows vms

The Fool fucked around with this message at 17:48 on Jul 14, 2018

lol internet.
Sep 4, 2007
the internet makes you stupid
edit: nevermind!

lol internet. fucked around with this message at 06:42 on Jul 24, 2018

madmatt112
Jul 11, 2016

Is that a cat in your pants, or are you just a lonely excuse for an adult?

Okay goons, maybe someone can help me answer this question:
How do I force Virtual Machine Manager 2012 R2 to change a MAC Address Pool range when the change will cause existing allocated MAC addresses to fall outside the new range?

We have a single MAC Address Pool, and the current range is
00-1D-D8-E0-10-00 to 00-1D-D8-E7-FF-FF
and I want to change it to
00-1D-D8-E0-13-00 to 00-1D-D8-E7-FF-FF

The PowerShell I'm using is posted below, and it's barking at me that I can't change it because there are machines currently holding MAC addresses that are inside the "10, 11, and 12" quintets.
The thing is, I don't care that those MACs will stay allocated forever - I just want to make sure that any new VMs are allocated in the "13" and upwards quintet. It is untenable to consider changing ~300 production server VM MAC addresses to fall within my new pool scope before changing the scope itself. :arghfist:

Does my question make sense? There's no -force parameter for the set-scmacaddresspool cmdlet unfortunately. Thanks in advance for even considering helping me, a humble idiot.

code:
$macPool = Get-SCMACAddressPool -Name "Global MAC Address Pool"

Set-SCMACAddressPool -MACAddressPool $macPool -Name "Global MAC Address Pool" -Description "" -MACAddressRangeStart "00-1D-D8-E0-13-00" -MACAddressRangeEnd "00-1D-D8-E7-FF-FF" -RunAsynchronously

vanity slug
Jul 20, 2010

madmatt112 posted:

Does my question make sense? There's no -force parameter for the set-scmacaddresspool cmdlet unfortunately. Thanks in advance for even considering helping me, a humble idiot.

Just script it.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Jeoh posted:

Just script it.

Yeah this, I'm not sure if you can get around the limitation of changing the pool, but if you can't, it wouldn't be too hard to script changing the MAC address of every machine

madmatt112
Jul 11, 2016

Is that a cat in your pants, or are you just a lonely excuse for an adult?

drat. I was worried you'd say that. All the documentation I can find from MS indicates it's not possible to work around this.

Well, this change item just got a whole fuckton bigger than a 5 minute script. gently caress. What a pain - I know the script wouldn't be too difficult to produce and run, but it represents a colossal Change in our environment by our standards, and is going to get picked apart for safety and surety. Or, it'll be handled by someone more senior and it won't be my problem :fag:

vanity slug
Jul 20, 2010

As long as there isn't any weird software running on those boxes that's tied to the MAC, it should be a matter of updating the MAC addresses and the DHCP reservations.
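Before renumbering anything, as vanity slug suggests, it helps to know exactly which adapters hold MACs in the slice that is about to leave the pool, because the DHCP reservations and anything else keyed on those MACs have to move with them. The inventory script below is an added example, not madmatt112's code or anything from Microsoft: it assumes the VMM console module (virtualmachinemanager) is loaded and the session is already connected to the VMM server, takes the old and new range starts from the post as inputs, and the CSV path and the ConvertTo-MacInt64 helper are my own. It changes nothing.

```powershell
# Added example: list VMM virtual NICs whose static MAC falls in [OldStart, NewStart),
# i.e. the addresses that would no longer be inside the pool after the range change.
# Assumptions: virtualmachinemanager module loaded and connected; range end is unchanged.
param(
    [string]$OldStart = '00-1D-D8-E0-10-00',   # current pool start (from the post)
    [string]$NewStart = '00-1D-D8-E0-13-00',   # intended pool start (from the post)
    [string]$OutFile  = '.\mac-pool-impact.csv' # placeholder output path
)

function ConvertTo-MacInt64 ([string]$Mac) {
    # "00-1D-D8-E0-10-00" -> 48-bit integer so ranges can be compared numerically
    [Convert]::ToInt64(($Mac -replace '[-:]', ''), 16)
}

$lo = ConvertTo-MacInt64 $OldStart
$hi = ConvertTo-MacInt64 $NewStart   # exclusive: first address that stays in the pool
if ($hi -le $lo) { throw "NewStart must be above OldStart" }

$affected = foreach ($vm in Get-SCVirtualMachine) {
    foreach ($nic in Get-SCVirtualNetworkAdapter -VM $vm) {
        # Only static MACs are pinned to the pool; dynamic ones are assigned by the host
        if ($nic.MACAddressType -ne 'Static' -or -not $nic.MACAddress) { continue }
        $val = ConvertTo-MacInt64 $nic.MACAddress
        if ($val -ge $lo -and $val -lt $hi) {
            [pscustomobject]@{
                VM    = $vm.Name
                Host  = $vm.HostName
                MAC   = $nic.MACAddress
                State = $vm.Status
            }
        }
    }
}

$affected | Sort-Object MAC | Export-Csv -NoTypeInformation -Path $OutFile
"{0} adapter(s) hold MACs in {1} .. {2} (exclusive); details in {3}" -f `
    @($affected).Count, $OldStart, $NewStart, $OutFile
```

The CSV is the change-ticket attachment: cross it against DHCP reservations and any MAC-licensed software before a single adapter is touched, and note the State column, since Hyper-V only lets a NIC's MAC be changed while the VM is off, so the renumbering has to be scheduled per VM rather than run in one pass.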

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Anyone here using Intune to manage Windows Defender and get reports? Our Kaspersky license is up soon and we're not going to renew, so we're looking for replacements.
I've created a test policy in Intune and I've applied it to a group. I've got a test PC running Windows 10 1803 in that group. When I evaluate the policy, I'm told that 1 device will be impacted. Azure AD shows this device as having a join type of "Hybrid Azure AD joined", the Microsoft Intune Center software is installed on the PC...but for the life of me I cannot get this PC to either take the policy I've applied to the group, or to even show up in the Intune dashboard.
I'm missing something, or doing something wrong, anyone have any ideas or could point me in the right direction? Thanks.

Serfer
Mar 10, 2003

The piss tape is real



Never ever use intune. I'm currently attempting to use it for mdm and it's got so many problems. Even worse is their support knows nothing about intune. They know absolutely nothing about it, and will ask you basic questions on how it works.

I'm currently in month three of trying to get them to troubleshoot an app we have deployed through intune's company portal. It fails after a while on one app. I give all that and the error it gives, etc. After two weeks they get a remote session going to look at my PC... Last week they asked what error message I'm getting. Today they scheduled a phone call about it for 3, changed to 4 this morning in a, "confirming our meeting for 4pm" email, no previous suggestion. After I question it, he changes it to 12:30, finally calls at 1:30 but won't respond after I pick up, then calls right back to leave a 30 second blank voicemail.

They only exist to frustrate you until you switch to a different product.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
I did a 3 day course on SCCM and Intune about a year ago, and out of the maybe 10 Intune exercises in the coursework, about 3 worked properly for every student. Every other exercise either didn't work at all because the menu you were supposed to use had either disappeared completely (and not even the online copy had been updated) or you could click what the guide told you to and what was supposed to happen simply didn't. The weirdest poo poo was when one student was able to follow the guide and everything worked out, but the one next to him couldn't even though he followed the exact same steps.

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:
Your cloud is our future.

orange sky
May 7, 2007

Microsoft has a cute view on what software as a service is: provide as lovely an experience as they did on-premise, but this time on the cloud.

This leads to x different customers having y different versions of a product - Intune is an example. You might or might not (???) have some features, we'll decide.

orange sky fucked around with this message at 11:33 on Jul 26, 2018

Thanks Ants
May 21, 2004

#essereFerrari


I don't actually mind Intune, but there's a huge problem with people making their own assumptions of what Azure AD / Intune are actually capable of and geared towards, and making assumptions based on what they'd done with Active Directory and Group Policy.

EM+S E5 has a 90-day trial, there's loads of opportunity there to shake the service down before committing.

Sacred Cow
Aug 13, 2007
I'm just happy they finally got some of the Hybrid Join functions working on 1803. I'm getting ready to deploy self service password reset on the logon screen after a false start on 1709 (only supported in pure Azure Join).
If I can convince my company to pay for a cloud ConfigMan Gateway and Distribution Point, I'd give Autopilot a chance. The only thing that would make my life easier is if they allowed Azure VDI without needing to go through Citrix.

Serfer
Mar 10, 2003

The piss tape is real



orange sky posted:

Microsoft has a cute view on what software as a service is : provide as lovely an experience as they did on-premise, but this time on the cloud.

This leads to x different customers having y different versions of a product - Intune is an example. You might or might not (???) have some features, we'll decide.

Or they make decisions not based on what customers need/want, like when they removed remote control from intune, and their only suggestion was "I dunno, buy teamviewer?"

Wicaeed
Feb 8, 2005
Not quite a Windows question, but does HPE have any product like Dell's OME that is used to centrally scan for & create media for system firmware patches?

I'd put the emphasis on free

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Wicaeed posted:

Not quite a Windows question, but does HPE have any product like Dell's OME that is used to centrally scan for & create media for system firmware patches?

I'd put the emphasis on free
SSM?

Wicaeed
Feb 8, 2005
SSM seems to be for notebooks, workstations & laptops, this would be for a server environment.

vanity slug
Jul 20, 2010

SPP?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
SUM?

Thanks Ants
May 21, 2004

#essereFerrari


https://www.dell.com/en-uk/work/learn/openmanage-essentials ?

Wicaeed
Feb 8, 2005
Thanks, SUM looks to be what I'm looking for. I'll give that 3-letter acronym software a shot :)

bobua
Mar 23, 2003
I'd trade it all for just a little more.

A place I do maintenance for recently brought on an IT guy that I believe is more of a developer. Hard to tell exactly. He's kinda come in with this 'everything must go to the cloud, why are there servers here?!' attitude without really getting the lay of the land first. I disagree, but quietly because most of my experience in this area is on a MUCH smaller scale and a couple years old.

This is a place with a 750gb sql database with ~50-100 concurrent users. 6 terabytes of file storage that is being churned so hard that block level backups over their 100mbit fiber to cloud backup is a bit of a mess to keep current, and a lot of their data files are large cad files(40-100megs). This guy was talking about ms one drive...

Am I that out of date? The second opinion I got agreed with me, but I don't wanna butt heads with this guy based on my limited\old experience.

Internet Explorer
Jun 1, 2005





He's being ignorant. It's often not that straight forward.

bobua
Mar 23, 2003
I'd trade it all for just a little more.

Internet Explorer posted:

He's being ignorant. It's often not that straight forward.

I should have elaborated. I can't be sure if he really thought it would be 'dropbox on their desktops' easy (although it's possible he was). I'm more curious if it's even realistic, and if so, are we talking 'realistic if you continuously throw money at it.'

Thanks Ants
May 21, 2004

#essereFerrari


CAD files and 6TB of unstructured files on OneDrive would be a complete clown show

bobua
Mar 23, 2003
I'd trade it all for just a little more.

That is exactly what I wanted to hear. This guy's resume + opinions had me worried I was an idiot.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

I'm glad intune just came up. We just moved our first ever client to Azure AD and all the computers are demanding users enter a PIN. I do not want this.

I read that you can go to windows enrollments and disable windows hello but the computers are ignoring this.

Anyone know what I must do to... say goodbye to hello? :smuggo:


Thanks Ants
May 21, 2004

#essereFerrari


https://docs.microsoft.com/en-us/intune/windows-hello

quote:

On the All Users pane, click Settings and then choose from the following for Configure Windows Hello for Business:

Disabled. If you don't want to use Windows Hello for Business, select this setting. All other settings on the screen are then unavailable.
