Warning with 2211 MECM Build A warning appears when I verify the prerequisites for the Configuration Manager 2211 Hotfix Rollup. Three warnings appear: Co-management workload slider for resource access policies; Network Access Account usage alert
Among the many products that FEITIAN offers, it is possible to use a fingerprint card. I received my kit yesterday and I can write this blog post.
Windows Update for Business allows you to perform maintenance on Windows devices. The workstation gets the latest security features. Updates are retrieved directly from the Windows Update service. The different Windows 10 and Windows 11 workstations can be configured using a group policy or via Microsoft Endpoint Manager (MEM). With Windows Update for Business, the IT department no longer needs to manage the approval of updates. The workstations automatically retrieve the patches from the Microsoft servers. However, it is possible via…
Why send the Security event log? Security is an important issue these days. Sending security event logs to Sentinel provides an additional level of security for on-prem servers. For this, we rely on Azure Sentinel, the SIEM from Microsoft. However, this operation has an Azure cost, so it is preferable to limit the events sent to the necessary logs (security, Defender, etc.). In this post we will first set up the forwarding of events to a collector via WinRMS and then configure…
As a best practice, it is important to have an offline root certification authority and a subordinate certification authority that issues certificates. We will look at how to migrate these two servers from Windows Server 2012 R2 to Windows Server 2019.
Microsoft Endpoint Configuration Manager 2107 allows you to convert a CMG (Cloud Management Gateway) based on a classic cloud service to a virtual machine scale set. I wrote a post a few months ago here on configuring a CMG with a virtual machine scale set. Change parameters When you convert to a virtual machine scale set, you can also change some parameters.
After several years of use, it is necessary to migrate the SCCM infrastructure to one or more other servers. It is possible to migrate the whole server to another server or to migrate role by role. If the infrastructure remains the same, the first solution is preferable because it is faster. Where the roles are redistributed, it is preferable to migrate role by role.
Customers with an Azure subscription through a CSP (Cloud Solution Provider) may encounter many problems setting up the CMG. Since version 2010 of Configuration Manager, it is possible to set up the Cloud Management Gateway feature with an Azure VM scale set.
The deployment of a task sequence to clients can be done over the Internet. This scenario, which has been available for several versions of Configuration Manager, has been improved in version 2010. It is now possible to start the upgrade or installation of a Windows 10 workstation from boot media.
Orchestration groups were introduced in Configuration Manager 2002. This feature allows you to create a group to control the deployment of software updates. With an orchestration group, you can update devices based on a percentage, an explicit order, etc. A member can be any Configuration Manager client. You can apply rules to any collection and to all software update groups.
Recently one of my customers wanted to change the KRBTGT password for security reasons. This account, present in Active Directory, is used by the Key Distribution Center. It is disabled and cannot be deleted or enabled. It is recommended to change its password two or four times a year.
Since version 1906 of Configuration Manager, it is possible to install a Microsoft Connected Cache server on distribution points. This functionality was renamed Microsoft Connected Cache with version 1910 of Configuration Manager. This server is a transparent on-demand caching server for content downloaded through Delivery Optimization. It is possible to limit the use of this server using client settings, so it is easy to restrict access to this feature to the local Configuration Manager clients only.
What is tenant attach? The tenant attach solution allows devices present in SCCM to be managed by Microsoft Intune. This makes it possible to manage them in Microsoft Intune as well. The tenant attach functionality requires the following prerequisites: an account with Global administrator rights in the Intune tenant; the AD user is synchronised with Azure AD.
With SCCM, it is possible to use reports natively through SQL Reporting Services. If you want more advanced, more ergonomic reports, it is possible to integrate Power BI with SCCM. This way you will be able to use all the power of Power BI with SCCM.
The Configuration Manager solution is enriched with new functionality at the application deployment level. Introduced with the latest versions of Configuration Manager, the Approve Application Request feature can now be used.
This functionality is available from SCCM 1906. It allows you to deploy multiple applications as a single deployment. With SCCM 1910, users can uninstall the app group. The app group can be deployed to a user collection. It is possible to specify the order in which the applications in the group are installed.
Using MBAM with SCCM SCCM 1910 provides full BitLocker lifecycle management. It replaces MBAM (Microsoft BitLocker Administration and Monitoring). Configuration Manager provides these capabilities for BitLocker Drive Encryption:
Site server high availability With System Center Configuration Manager, you can have role redundancy with multiple instances of a role (distribution point, …). Configuration Manager 1806 allows high availability for the site server role (this was not possible before version 1806 of Configuration Manager). For the central administration site and child primary sites, you need version 1810 of Configuration Manager.
SCCM PXE without WDS SCCM 1806 brings an interesting new feature for anyone wishing to deploy workstations at a remote site. Before this version, it was necessary to have a server to perform a PXE boot. Indeed, this type of startup required a WDS (Windows Deployment Services) server. Since version 1806 of SCCM, it is possible to do a PXE boot without a WDS server. However, it is not possible to do a multicast deployment without WDS. So if you…
CMPivot in SCCM SCCM contains a large amount of data, which can be used to create reports. CMPivot was introduced in SCCM with version 1806. This feature has the advantage of accessing the status of the devices in real time. A query is executed on a target group (computers), then the result is returned.
Secure your desktop with BitLocker Today, mobility means securing your workstations. BitLocker functionality has been integrated into operating systems for many years. This functionality ensures data confidentiality in the event that a computer is lost or stolen.
Configure cloud distribution point A cloud distribution point allows you to have a distribution point in the cloud. With this type of distribution point, it is possible to have the following features: manage cloud distribution points individually or as members of distribution point groups; use this DP as a fallback content location
Configure Cloud Management Gateway This feature has been introduced in SCCM in order to manage SCCM clients over the Internet. Note that this feature requires an Azure subscription to work. Thereafter, the clients have the possibility of reaching the SCCM site systems wherever they are. Client certificates and SSL certificates are required. With this article you can configure the Cloud Management Gateway.
Install and configure the Windows Server role With Windows Server 2012 R2, it is necessary to install the Volume Activation Services role from the Server Manager console.
What is Honolulu? Honolulu is a new way to manage servers. It consists in performing operations from a web interface instead of the different MMC consoles. How Honolulu works The Honolulu application works through a web browser. It is possible to manage Windows Server 2016, 2012 R2 and 2012 servers. All of these servers are managed through a Honolulu gateway. It can be installed on a server running Windows Server 2016 or on a Windows 10 workstation. All operations are…
SCCM 2012 to SCCM CB SCCM 2012 R2 is approaching the end of its life, so it is important to upgrade to the new version (SCCM Current Branch). Depending on the ADK and SQL versions used, it may be necessary to update them as well. So we will first update the Windows 8.1 ADK to the Windows 10 ADK. The boot images will then be read-only; it will be necessary to update them. In a second step, we will update SCCM.
Data Warehouse service point From version 1702 of SCCM, you can enable and use the Data Warehouse service point. This feature allows you to store any desired data and work with this data. The feature supports up to 2 TB of data. Timestamps are present for tracking any information. The data is stored with automatic synchronisation between the ConfigMgr site database and the Data Warehouse database. This information is available from the reporting services point. After the installation of…
Antivirus exceptions for SCCM I recently installed SCCM 1702. With the agent, the antivirus was installed on the different servers and workstations. SCCM now uses the Windows servicing model. It is therefore necessary to configure exceptions at the level of the antivirus scans if you want to avoid certain problems.
SetupConfig.ini file When creating a Windows 10 master image, it is common to remove some or all of the universal apps. During the upgrade of Windows 10 builds with WSUS or SCCM, the previously deleted applications are installed again. To avoid the problem, it is necessary to use the SetupConfig.ini file.
Windows Hello feature Windows Hello is a feature of Windows 10. It is used to open a session using facial recognition. It is a solution that complements the other ways to open a session with Windows 10 (password and PIN code). To activate it, it is first necessary to enable and configure PIN code authentication.
Nano Server Image Builder With Windows Server 2016, Microsoft has implemented a new feature called Nano Server. It is a very light operating system, needing just a few megabytes to run. This “mini operating system” allows you to install roles such as Hyper-V, DNS server, web server, …
Why set up a subscription? If you have computers in a workgroup, it may be interesting to centralize the events from their event logs. This facilitates the analysis of the different event logs. The computers being in a workgroup, we use certificate-based authentication. In order to secure the exchange, we will use the HTTPS protocol.
How to manage machines in a workgroup If you have machines in a domain, it is easy to perform remote administration (through GPO, script, …). For workstations in a workgroup, the task turns out to be more complex. Indeed, the latter only contain their own local policies and their own account database. It is possible to use WinRM to perform remote administration. In order to secure the communications between the two computers (or computer and server), it is possible to encrypt exchanges using…
Update Windows 10 builds After you implement Windows 10 on your workstations, it is necessary to manage the deployment of builds. Three different management models have emerged (CB, CBB and LTSB). Management and deployment can be performed by Windows Update / Windows Update for Business, SCCM or WSUS. Support for the deployment of Windows 10 builds by a WSUS server, or by SCCM with WSUS, is only possible under certain conditions.
Why manually delete a PKI? When you remove a PKI through the wizards, Windows will clean up the records in Active Directory. However, if the server is reinstalled or the VM deleted without the certification authority role being removed beforehand, these records remain present in the Active Directory directory. It is therefore necessary to clean them up before any new installation of an enterprise certification authority. This article details the different steps for cleaning up Active Directory.
Fix KB3148812 problem The KB3148812 update causes installation problems. In fact, after installing it, the WSUS administration console becomes inaccessible. Moreover, clients no longer have the possibility to contact the WSUS server. Initially, Microsoft recommended not to install it, or to remove it for those who had already installed the update.
Licensing Server 2016 Windows Server 2016 will consist of two editions, like Windows Server 2012 and 2012 R2. Standard edition: for little or no virtualized environments. Datacenter edition: used for private and hybrid cloud environments.
SCCM cmdlets Administering an SCCM server generally consists in adding new drivers, boot images, or installations and applications. It also consists in monitoring the health state of the infrastructure by looking at the log files. Using PowerShell with the SCCM cmdlets is justified because it is thus possible to script some actions and therefore to industrialize processes which can be “heavy” when they are executed manually. For this, Microsoft provides cmdlets to people wishing to…
Sysprep fails When launching sysprep with the Generalize option, an error appears. The error occurs when running sysprep.exe from the command line or through the GUI…
Manage local account passwords An element that is rarely changed is the password of local accounts. It is common to use the same password for the local administrator on all workstations and servers. This increases the impact of a security breach.
What is Windows as a Service? Before Windows 10, Microsoft delivered a major version of an operating system through service packs. A new version of the system appeared after several years. It was common to have significant differences in the kernel of the different operating systems. With Windows 10, a new management of major releases appeared. Indeed, every 4 months (for Current Branch, CB) or eight months (Current Branch for Business, CBB), Microsoft provides a new release of…
BitLocker problem During a BitLocker project at a customer, I had a problem with the storage of the BitLocker recovery key in Active Directory. After setting up the group policy which configured the desktop and laptop clients (store the recovery key in AD, use TPM, …), I launched the script which enabled BitLocker on the system partition or other partitions.
Active Directory problem While migrating Active Directory at one of my clients, it seemed interesting to share a solution to a problem. When you update the schema to add the RODC objects (adprep /rodcprep), an error 0x3 appears. When demoting a domain controller, error messages appear informing me of a problem.
Windows 10 deployment guide The “upgrade” deployment method has been greatly improved. This is to allow upgrading workstations to Windows 10 in an easier way. To help you in this task, Microsoft has published a very practical guide.
Remove universal apps You want to remove one or more universal applications from the Windows 10 start menu. This can now be done with PowerShell. Thanks to the TechNet team for the development of this PowerShell script.
Disable first logon animation Since Windows 8, an animation is shown when a local or domain user logs on for the first time. In order to reduce the first logon time, it is necessary to disable the animation.
RSAT Windows 10 Administration can be performed locally on the servers (domain controller, file server, print server, …). However, it is often easier to configure the server from your local workstation or from a central server. This avoids multiplying connections to multiple servers.
Error code 0x80070661 Drivers are essential when deploying workstations with SCCM. It is therefore necessary to ensure that the drivers are imported before deployment. Importing Windows 10 drivers with SCCM 2012 R2 SP1 and SCCM 2012 SP2 can cause problems.
During an AD audit at a client’s site, I encountered the following problem: the gpotool command does not report replication issues at the GPO level. However, when preparing a Group Policy Results report, a warning appears: AD/SYSVOL version mismatch.
Enroll Windows 10 in AAD Microsoft offers the possibility to join a Windows 10 workstation directly to Azure AD. The first operation will be to create the AD directory in Azure or to use the one already present.
Create a PSO An AD domain contains a password policy that is applied to all users. However, in some cases, it is necessary to apply a different policy to one or more users.
Deploy MBAM MBAM (Microsoft BitLocker Administration and Monitoring) allows you to secure and protect your desktops and laptops. You can deploy BitLocker from the operating system and store the key in Active Directory. However, if you have MBAM licenses, you will be able to implement it. This product allows you to implement portals for the management of these recovery keys. Thus, it is no longer necessary to have domain administrator rights to retrieve a BitLocker recovery key. Deployment Guide for MBAM 2.0 Deployment…
Security fix Microsoft has issued a security bulletin for a flaw in the Secure Channel. With this vulnerability, an attacker has the possibility to force a downgrade of the SSL/TLS version used.
TechDays session Microsoft has made available the PowerPoint slideshows used during the TechDays. So you can find the one from my session co-hosted with Yann SEYROLLES (Microsoft TSP) on Windows Intune news. What’s new in Microsoft Intune from Microsoft Décideurs IT
Thanks to the TechNet team for this great article: “Configuring Scheduled Tasks in PowerShell”. Creating a scheduled task by GPO is not always feasible: the workstation may not be a member of the domain or may never be connected to the network. To overcome this problem, it is possible to create the task directly in PowerShell. So we have two cmdlets at our disposal: one for creating the configuration options, one to apply the configuration options. http://blogs.technet.com/b/heyscriptingguy/archive/2015/01/14/use-powershell-to-configure-scheduled-task.aspx
SCCM 2012 R2 offers many advantages, including the ability to provide users with an application portal. The application portal is based on two roles in SCCM: Application Catalog website point and Application Catalog web service point.
Backup data with MDT While trying to back up the data of a Windows XP workstation with MDT, I realized that the UNC path entered in the CustomSettings.ini file was ignored.
Updates not approved on WSUS downstream server After synchronizing a downstream server, updates appear in the Unapproved category.
After installing SP2 of WSUS (KB2720211), if you enable SSL, the IIS application for WSUS stops working. There are many errors in the event viewer: Error ID 12052, DSS Authentication web service is not working. To fix this error, you must install KB2734608. You can download the file here. When the installation is complete, run the following commands on the WSUS server: iisreset, net stop wsusservice, net start wsusservice. From the WSUS server, run wsusutil /checkhealth. You can see…
WDS is closely linked to the DHCP server; however, if the two roles are installed on different servers, a slight modification to the DHCP needs to be made. In this case it is necessary to add options 66 and 67 at the DHCP level. Option 66: IP address of the server. Option 67: boot\x86\wdsnbp.com. After this modification, PXE boot works properly.
The lastlogon attribute can help to do some cleanup in the AD database. Retrieving the LDAP attribute value can be done in PowerShell, VBS or DOS.
If you want to deploy an operating system with MDT (Microsoft Deployment Toolkit) or with SCCM (System Center Configuration Manager), drivers are very important. You can capture the drivers on a desktop/laptop or download a driver package. This package can be downloaded from the website of HP or Dell, for example. Driver package for Dell: Download here. Driver package for HP 32-bit: Download here. Driver package for HP 64-bit: Download here
When booting in PXE, a boot image is loaded. This may take several minutes to complete. To reduce the loading time, it is necessary to make a change in the registry.
Following a problem encountered at a customer’s, I’m sharing my findings with you. When you activate folder redirection (Documents, …), offline synchronization is activated. If you subsequently change the path of the redirection, it is possible that some profiles do not migrate to the new path and keep, in the synchronization management console, the old path in addition to the new one.
The first time a user logs on to a Windows 8 workstation, an animation lasting several minutes takes place. In order to avoid this animation, which can very quickly become quite painful, it is useful to modify a DWORD value in the registry.
This procedure allows the activation of Windows 7 using a MAK key. Depending on the number of workstations, it may be useful to have MDT/SCCM carry out the activation.
Windows ADK allows the creation of WinPE; however, it uses an English language pack by default. This implies a QWERTY keyboard. In order to get an AZERTY keyboard, it is necessary to follow the steps presented in the file (this file lists all the commands for the creation of a WinPE CD). Create WinPE
After setting up the VPN connection in Windows 8, it is impossible to connect. Error 850 is returned.
It is sometimes necessary to rename a server; depending on the roles installed, some steps must be applied. Let’s take the example of a domain controller running Windows Server 2012. It is necessary first of all to check the functional level. This must be at least Windows Server 2003 level.
An AD forest may contain one or more AD domains; depending on your situation, the placement of the FSMO roles may differ. In order to position the different roles correctly, Microsoft provides documentation on its site that allows you to make the right decision.
It has happened to every administrator to end up with an isolated domain controller. In this case, after performing a dcpromo /forceremoval, all AD and DNS databases should be cleaned. For this purpose, Microsoft provides the procedure to carry out. For Windows Server 2003: http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx For Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
When migrating a server, it is necessary to retrieve network shares and authorisations.
In order to activate Windows 8, it is necessary to enter the product key. Once entered, it cannot be changed using the graphical interface.
After starting the workstation in PXE, MDT 2012 displays the wizard windows which allow the selection of the task sequence, the entry of the workstation name, …
Despite the entry in the Office 2010 MSP file, it will be necessary to start the activation the first time an Office suite application is started.
Since Windows 2000, a domain user can join up to 10 machines to the domain. When joining the domain, a login and password are requested. It is sufficient for a user to enter his username and password. He will be able to do the same for 9 other workstations.
It is convenient to have a bootable USB key with WinPE as well as all your tools, in order to be able to troubleshoot a workstation or server very simply without needing to bring a CD.
Microsoft has confirmed the presence of Hyper-V in its new OS “Windows 8”. It will now be possible to create, add and manage virtual machines. The hypervisor interface will be similar to the one currently found on Windows Server 2008 R2. By default, the system will offer dynamic RAM allocation (the virtual machine will request RAM as needed), but it will be possible to reallocate it manually, hot (without interrupting the virtual machine).
A very interesting feature of Windows 7 is the possibility to change the language of the interface. Unfortunately, not all versions are compatible: you will need an Ultimate or Enterprise version to benefit from it.
GPOs are replicated by two systems: AD replication (the GPC, the Group Policy Container) and file system replication (the GPT contained in SYSVOL, the different components configured). It happens nevertheless that the AD replication goes badly, so we end up with a difference between the GPC and the GPT.
It is difficult to talk about deployment without mentioning WAIK. This tool allows us to use tools such as ImageX, but above all allows us to create a custom WinPE image.
Since Windows Server 2003 SP2, we have a great tool at our disposal: Windows Deployment Services. This allows us to deploy WIM images. It can be interesting to deploy an OS automatically. This is possible with WDS (Windows Deployment Services) using answer files.
Using an automated script, it is possible to send an e-mail when the task sequence is completed. The contents of the script (click here to download the WSF file). This file contains the following code:
Since Windows XP, an IPv6 stack is integrated in the OS.
A very interesting but unfortunately hidden feature. Its name: God Mode. This tool provides access to all the features of Windows 7.
In some cases, we may no longer receive any response from WDS. The stations receive no response from the TFTP server and end up timing out.
There is a procedure to test the customsettings.ini file before starting the deployment. This is to ensure that the settings are OK.
One of the new features of Windows Server 2008 R2 is the Active Directory Recycle Bin. We can now “restore” a user account that has been deleted. However, this requires a Windows Server 2008 R2 functional level.
Since Windows 7 SP1, it is impossible to reinstall the Remote Server Administration Tools files (if the service pack was installed on the workstation). Microsoft has made available the versions compatible with SP1, knowing that it is impossible to install the old ones. To download, use the link: RSAT file
If the option to pin a shortcut to the taskbar is missing from the context menu