Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

Mr. Clark2 posted:

The version I got from MS tech bench seems to work but now I'm running into what looks to be driver problems. For those of you doing this, did you make a new deployment share just for Win10? I stuck my Win10 images/drivers/task sequences on the same deployment share as all my Win7 crap but I fear that may be causing me problems. All instructions that I'm finding online are starting clean in a lab environment, I'm not finding much about running it in production.

I advise following this model, if you can:

http://deploymentresearch.com/Research/Post/325/MDT-2013-Lite-Touch-Driver-Management

Generally you want your selection profiles to only pertain to drivers of a particular operating system from within the Task Sequence context. PnP is great, but it isn't infallible; I'm a big fan of "Option 3" from the link above.


Wrath of the Bitch King
Has anyone definitively figured out if LTSB or CBB is the best choice for your average office worker?

I'm failing to see the downside of LTSB other than losing Edge.

Wrath of the Bitch King

anthonypants posted:

If you have licenses for 10 Enterprise, why wouldn't you run LTSB?

That's basically my question. It SEEMS obvious to me, but MS' stance on it is that CBB is what you should be going for for normal use cases while LTSB should be on your outliers. What I'm trying to determine is if there is a legitimate reason for using CBB or if this is just Microsoft trying to push the platform that will present and market their new features more readily.

Wrath of the Bitch King
Financial institutions are going to be steeped in non-Cloud processes and hierarchies for a long, long time.

Wrath of the Bitch King
The Federal Reserve still requires faxing, so what does that tell you?

Wrath of the Bitch King
Are the DHCP forwarders exactly identical between both Prod and Dev/Test in how they're configured?

I assume WDS' version is identical between both (i.e., running on Windows Server 2012 R2). Honestly, I'd assume that it shouldn't work at all as configured. Regardless of being pre-staged, you have PXE response turned off. I'm not sure how it's initiating a PXE session if the thing is disabled.

Wrath of the Bitch King fucked around with this message at 19:34 on Jul 11, 2016

Wrath of the Bitch King
Also, to anyone out there dealing with images and still strapped to Windows 7 and Server 2008 R2, take a look at this:

https://blogs.technet.microsoft.com...-you-kb3125574/

It's a "convenience rollup" that includes almost every critical/security update through April 2016. For clarity, that's a shitload of updates. This will save an enormous amount of time for image installs and/or rolling installs in a live environment.

Wrath of the Bitch King
What is handling DHCP? Is it Windows Server or a Networking device?

There are generally a number of problems with using the former, in my experience, particularly in how you often have to specify the boot file via DHCP options to get it to function at all.

Wrath of the Bitch King
Actually yeah, that's a really good point that I somehow overlooked.

Wrath of the Bitch King

Coredump posted:

Does this mean that what I'm seeing is expected behavior in that case? I haven't had a chance to check this morning but I don't think I remember seeing that x86 boot file being pulled when I had all 3 boot images enabled.

It's normal behavior if you're using legacy/non-UEFI hardware, or booting UEFI hardware in legacy mode.

Wrath of the Bitch King
Assuming you aren't using UEFI, Partition 1 is typically a hidden System Partition (~350 MB in size). Try Partition 2.

As far as the ADK goes, do you have an older version installed as well as that one? I've seen instances where old/new are both installed and I've had to manually correct the ADK it points to.

Not to beat a dead horse, but is there a reason you want to use only WDS and not a combined approach with MDT 2013 Update 2?

Wrath of the Bitch King fucked around with this message at 19:29 on Jul 19, 2016

Wrath of the Bitch King

Coredump posted:

I'm not sure what the implications are/corner I'm painting myself into by going with just WDS.

To put it simply, MDT is much better equipped for actually installing the OS and handling custom actions/scripting than WDS. WDS is excellent as a delivery system for your boot image, but beyond that it's a huge pain to deal with and the industry is moving towards SCCM/MDT as the preferred mechanism for this sort of thing.

If you have any questions feel free to PM me, but I strongly encourage you to download MDT 2013 Update 2 (you'll also need the most recent OS ADK), set up a Deployment share, and give it a whirl. It has a fairly deep learning curve but once you get to a point where you feel competent in using it you'll never look back. The Task Sequence based processing will also act as a bit of a primer on SCCM based OSD deployments if you have any interest in that.

In all seriousness though, WDS is horrible for anything beyond the basics.

Wrath of the Bitch King

Sacred Cow posted:

Sure it can, but all the things you're trying to do have already been wrapped up into MDT. No need to recreate the wheel when Microsoft has done all the legwork for you. There's a lot of people with MDT/SCCM OSD experience in this thread that can help if you run into trouble. I can't think of anyone who has any experience with OSD that would even think about doing it exclusively in WDS at this point.

Is it worth having an OS Deployment thread or would it be too niche?

Wrath of the Bitch King

skipdogg posted:

We're in the middle of a PoC for 1E's software that bolts on to SCCM. It's not cheap but looks promising. Supposedly just their software management portion will save us more than the licensing costs annually, so the imaging part is gravy.

Let us know how it looks. I was a little interested in the Nomad piece, but I'm more interested in the Windows 10 migration stuff.

What exactly is the Nomad/application piece doing that makes things so much easier to manage?

Wrath of the Bitch King

SeaborneClink posted:

Anyone have a primer for MDT? I'm coming into this a little blind and would like to slim down my deployments of new hardware. We're about to do a hardware refresh with 2-3 standardized models and I'd like to do some reading before wading into it.


Moey posted:

The young dox turned me onto this guy. Very detailed walkthroughs.

http://deploymentresearch.com

Be sure to follow the guidelines for drivers, that's the part that gets bloated and unwieldy the most quickly if you don't know what you're doing.

Wrath of the Bitch King
I'm not gonna lie, Windows 10 Servicing has me a little scared.

They're making so many bad decisions with regards to Windows 10 Enterprise...

Wrath of the Bitch King
Has anyone ever done a large-scale migration to DFS from typical mapped drives and CIFS shares? I'm curious about the experience if so and if there were any particular pain points that stand out from the project.

I'd love to get away from this poo poo setup we have, but with the nested security ACLs it's difficult to even architect it. Hell, I don't have access to a lot of the structure to parse it unless I put in a Change Control to temporarily elevate myself to do just that.

Wrath of the Bitch King

hihifellow posted:

Did one that was Novell to DFS, ended up using powershell to re-create the directory structure and ACLs in a few minutes when it would have taken weeks manually, just needed a CSV with all the info. 2012 has native DFS commandlets but there's one bit that doesn't work right, ABE I think. Whatever it was, dfsutil covered for it. The ACLs were a bit of a bear too, I have some of the script lying around if you're interested in how I ended up dealing with it.

I guess I need to understand DFS a bit more before I can really try and architect a solution. This has been in-place for a very, very long time, and it's a huge amount of data (several terabytes).

If you want to PM me a link to the script I'd love to take a look at it just to get an idea as to how involved it might be.

Wrath of the Bitch King
SCOM and SCCM definitely aren't packaged together as far as licensing goes unless you have a "gently caress you, have all the products" EA.

SCOM is in a higher licensing tier. Same for SCOR.

Wrath of the Bitch King
I can tell you that in my organization we only own SCCM, nothing else. We didn't itemize for it either, it was part of the EA.

The System Center product family gives you SQL entitlement for their products, meaning you can have a single SQL instance (full) that all of their stuff rides on. Not an instance per product, but a single instance for ALL of them.

The lovely thing is that this means you can't set the WSUS DB on that instance, so you either use the WID or throw it on another SQL box that you pay a license for.

Wrath of the Bitch King

Number19 posted:

If WSUS, SCCM and SQL are all running on the same server you are allowed to use SQL for WSUS. Also for parts of MDT if it is also all hosted on the same server.

It's really convoluted but That's Microsoft :v:

I'll have to check that out if true. I remember reading some article online (or reddit, it's been a long time since implementation) that said they couldn't be on the same machine.

Wrath of the Bitch King
Weird issue with Group Policy, specifically with Server 2008 SP2 clients. These machines fail to pull machine policy, meaning they never update, change, or remove policy that they have from whenever they initially DID pull it.

This is unilaterally all Server 2008 SP2 clients. 2003, 2008 R2, 2012, and 2012 R2 don't have this issue. Anyone familiar with this problem? Google is failing me so far.

Domain is 2008 R2 functional level.

Wrath of the Bitch King
I've gone through most of the common steps, the scope is highly unusual.

You can build a brand new 2008 SP2 server and attach it to the domain. It will initially pull policy, but after that initial pull it becomes completely unable to change any of those policies ever again. No updates, no removals, nothing. Only 2008 SP2.

No filters are in place, these servers share a common OU/container with other server variants and are subject to identical policies. Guess I'll keep digging.

My guess is there is an ADMX template that 2008 SP2 is choking on; GPResult is displaying the normal results you'd expect for a working instance barring any changes made after the initial pull. User policy is functioning, but machine policy isn't.

Wrath of the Bitch King fucked around with this message at 18:16 on Oct 12, 2016

Wrath of the Bitch King
Looks like it's a singular policy causing the issue, at least for now. Only the 2008 SP2 servers are citing an error (specifically, a permissions issue). All other server types (2003, 2008 R2, etc.) are perfectly fine.

Was hoping for a silver bullet like a KB to fix some weird 2008 SP2 specific problem, but it doesn't look like that's the case for now.

An example server passes everything perfectly in modeling with no modifications, as well.

Wrath of the Bitch King fucked around with this message at 03:54 on Oct 14, 2016

Wrath of the Bitch King

Internet Explorer posted:

That's odd. I don't think I've ever seen a single bad GPO cause GPOs to stop processing.

Neither have I. And only for a specific flavor of Windows Server.

Wrath of the Bitch King
Query for the key using Powershell and feed it to the MSI.

Something I typically do:

code:
# Look up the MSI product code (IdentifyingNumber) of the matching product
$MSI = (GWMI -class Win32_product -filter 'WMI query criteria goes here').IdentifyingNumber

# Hand the product code to msiexec for uninstall
Start-Process MSIEXEC.EXE -ArgumentList "/x $MSI"

Criteria for the filter is a typical WMI query, so an example would be 'name like "%Java%"' if you wanted to uninstall that. Keep in mind you'll need to account for multiple possible entries, so either keep your filter as granular/specific as possible or feed all the Identifying Numbers you want to an array and wrap the Start-Process line in a Foreach based on the array contents.

Just bear in mind win32_product is a huge pile of poo poo as far as registry classes go. You can alternatively use win32reg_addremoveprograms but in my experience it isn't as encompassing.

Wrath of the Bitch King
The problem with using win32_product or wmic is that they both utilize msiexec to function; take a look at your application event log the next time you either query the former or use the latter to execute an uninstall.

Every product on the machine will have a reconfiguration event, flooding the log.

Like I said, you can use win32reg_addremoveprograms to get around this, but the data isn't there as consistently. Your other option is to crawl the Uninstall registry to look for what you want, which is the best way really but not helpful in a pinch. There are a few PS scripts out there that will do exactly that for you, taking into account WOW6432Node and everything.
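
An added example, not part of the original post and not the poster's script: one way to crawl the Uninstall registry keys, WOW6432Node included, so that no Win32_Product query (and no reconfiguration event flood) is needed. The function name Get-InstalledProduct and the '*Java*' pattern are assumptions made for illustration; only machine-wide (HKLM) installs are covered.

```powershell
# Added example: find installed products via the Uninstall registry keys
# instead of Win32_Product, so no MSI reconfiguration events are logged.
function Get-InstalledProduct {
    param(
        [Parameter(Mandatory)]
        [string]$NamePattern   # wildcard pattern, e.g. '*Java*' (sample value)
    )

    # Native view plus the 32-bit view that exists on 64-bit Windows.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }   # absent on 32-bit Windows

        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props) { return }             # unreadable subkey, skip it

            # Many subkeys (updates, components) carry no DisplayName; skip those too.
            if ($props.PSObject.Properties['DisplayName'] -and
                $props.DisplayName -like $NamePattern) {
                [pscustomobject]@{
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    KeyName         = $_.PSChildName
                    # MSI-installed products use the product code GUID as the key name.
                    IsMsi           = $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
                    UninstallString = $props.UninstallString
                }
            }
        }
    }
}

# Collect every match into an array, then loop, as the thread suggests.
$targets = @(Get-InstalledProduct -NamePattern '*Java*')
$targets | Format-Table DisplayName, DisplayVersion, KeyName, IsMsi

foreach ($product in $targets | Where-Object IsMsi) {
    # -WhatIf only reports what would run; remove it to perform the uninstall.
    Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/x $($product.KeyName) /qn /norestart" -Wait -WhatIf
}
```

Entries where IsMsi is false were not installed by Windows Installer; their UninstallString has to be run as the vendor wrote it rather than passed to msiexec.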

Wrath of the Bitch King
History is a hidden folder.

Wrath of the Bitch King
Just curious, anyone looking at doing large scale migrations to Windows 10? So far my testing with the in-place upgrade process looks really good, but I'm wondering if there are any gotchas that people have encountered.

Wrath of the Bitch King
It's going to be either in-place upgrade or a reimage with USMT. Our field techs bitch relentlessly whenever they have to do anything remotely resembling work, so the transition has to be as seamless as possible.

We don't have any user libraries or directories redirected, it's all held locally. Policy is that if you have something important you keep it on the SAN, but I'm sure you all know how that one goes.

Wrath of the Bitch King

CLAM DOWN posted:

SCCM is a goldmine for career advancement because no one wants to deal with that poo poo anymore so you're a rare find, grats

Depends on how much you enjoy packaging, data analytics, etc. It's great for that.

I could probably move somewhere else making a ton of money being "the SCCM guy" but I'm not sure I'd ever want to be 100% focused on just the product. That said, it can do a million different things.

All the MDM stuff for Windows Phone on the SCCM exam is hilarious.

Wrath of the Bitch King
Imaging is basically magic to management. And if you're a guy that can implement configuration baselines? Hooboy.

Wrath of the Bitch King
Something in last month's security patches caused Bitlocker to prompt our users for a password until a Suspend/Resume was done (on like 50 of 500 laptops), so this next month should be fun.

Wrath of the Bitch King

GreenNight posted:

Check out Cisco Web Security too. We use that and the reporting is pretty good. We ditched Sophos for it.

Is this agent based? I'm not terribly familiar with it.

We use Ironport WSAs for content filtering (including HTTPS) and the whole platform and how it operates makes me want to die. All those tickets about bad certs...

Wrath of the Bitch King

GreenNight posted:

Not agent based. You forward all port 80 traffic to it. There is only an agent if you want it to filter traffic when the device is outside your network such as laptops.

Oh, you're not bothering with SSL traffic? Lucky...

Wrath of the Bitch King

Orcs and Ostriches posted:

So I checked out LAPS, and it's not going to quite cut it for us. Is there anything else out there that lets me actually pick the password it resets the local admin account to, or does it have to be randomized?

Because quite frankly, a randomized password reset every week, unique for 1500 machines is pretty pointless. I might as well just disable the account if I'm never going to be able to get into it.

It stores the credential in AD similar to how it stores Bitlocker keys. What's the problem?

Wrath of the Bitch King
Hopefully you have RSAT on whatever your primary machine is so you can pull the password at your leisure when necessary. Sorry, still not seeing the difficulty. It's easier than having some kind of password vault that you have to fetch things out of, even.

Wrath of the Bitch King
I take it you don't have any sort of domain authentication at these sites? It all requires local for some reason?

That's the only setup I can think of where this would be remotely inconvenient.

Wrath of the Bitch King
Well, based on what you're saying there is no tenable admin password solution for your situation considering the entire infrastructure is broken down dilapidated poo poo. I mean, cached credentials with a domain account should still work even if the domain goes poof, but I digress.


Wrath of the Bitch King

Orcs and Ostriches posted:

Cached domain credentials don't work because I never need to log in to most of the stuff with a domain account. I image it, SCCM installs poo poo, and then it's out the door. poo poo's not even in my office most of the time.

So let's circle back: what exactly are you trying to accomplish?

If you're building this stuff out with OSD it should be incredibly simple to provide yourself a backdoor into the systems unless you're running into some sort of security compliance headache about the credentials, which I'd find doubtful considering the shoestring infrastructure you've alluded to.

It should be easy to have a cached login with a domain account of your choice as well if you're using OSD to stage and build these things. Just make a login with X account the last step of the build. It's not ideal of course but with what you're working with it sounds like the only reasonable option if the SYSVOL issue is so worrisome.

Anyway, every real management solution for this is going to be domain dependent unless you use something that throws agents all over the place, so if you can't consider the availability of your domain to be reliable then you're pretty much hosed.

Wrath of the Bitch King fucked around with this message at 20:09 on Feb 27, 2017
